Infection SVCHOST.EXE
Résolug3n-h@ckm@n -
J'ai un problème similaire à celui décrit par Elisiss le 25/02/2012 sur ce forum:
- Le PC est soudainement devenu très lent (20 minutes mini pour le démarage et l'arrêt).
- D est inaccessible (Le disque D est physiquement différent du disque C)
- Plus de laison réseau (mails et internet)
- La plupart des applications ne repondent plus ou bien partiellement.
- le bouton "démarrer" est inerte, le menu n'apparait plus.
Malheureusement, les explications données par Loumax91 pour le dépannage de Elisiss ne m'ont pas permis de faire redémarrer correctement la machine.
Petites indications :
- j'ai réussi, avec beaucoup de patience, à lancer Avast après avoir fait un démarrage sans echec. Avast a mouliné pendant 2 heures. La barre de progression est restée sur 0%. La première (et unique) ligne apparue sur le scan d'Avast me parait louche :
SVC: wudfsvc>C:WINDOWS\SYSTEM32\SVCHOST.EXE
- J'ai également lancé Malwarebytes qui, à priori, a fonctionné correctement. Cependant, le scan n'a rien detecté de suspect.
Voilà le triste tableau !
Merci pour votre aide
90 réponses
- 1
- 2
- 3
- 4
- 5
Un PC sous Windows 7 présente des lenteurs extrêmes et des défaillances système généralisées: démarrage et arrêt très longs, l’accès au lecteur D bloqué, la liaison réseau perdue et de nombreuses applications qui ne répondent plus, le bouton Démarrer restant inopérant.
Des indices techniques apparaissent: Avast en démarrage sans échec affiche une ligne suspecte “SVC: wudfsvc>C:\WINDOWS\SYSTEM32\SVCHOST.EXE”, et le scan reste bloqué à 0% après plusieurs heures.
Malwarebytes ne détecte rien de suspect malgré les symptômes, et les échanges évoquent l’utilisation de pré-scans et d’outils comme Pre_Scan, ZHPDiag et ComboFix pour diagnostiquer et nettoyer le système.
Les discussions se concentrent sur les procédures à suivre et les précautions à prendre avec ces outils, sans qu’une solution concluant soit décrite.
-
-
Bonsoir,
Pas de soucis, on va débloquer le pc puis le traiter:
http://www.security-helpzone.com/Thread-Pre-Scan-Mode-nettoyage
A faire stp,
-
Merci de te pencher sur mon douloureux cas.
J'ai d'ores et dejà une info à donner. Il est ipossible d'installer ZHPDiag sur le poste infecté. Lorsque je le lance, le message suivant s'affiche :
L'assistant d'installation n'a pas pu créer le dossier
"C:\User\AppData\Local\Temp\is-DTQI?tm"
Erreur 5 : Accès refusé -
-
-
-
-
-
salut je suis le concepteur de pre_scan
as-tu possibilité de reactiver la rstauration systeme ?
¤¤¤¤¤¤¤¤¤¤ Pre_Scan_Concept ¤¤¤¤¤¤¤¤¤¤ -
Bonjour g3n-h@ckm@n,
Peux-tu préciser ta question ?
Quelle serait la manip à réaliser ? -
Vous n’avez pas trouvé la réponse que vous recherchez ?
Posez votre question -
Bonjour,
Pour ta ligne aucun soucis,
Vire ton Pre_Scan et re-télécharge le nouveau sur le lien donné plus haut, puis lance-le en mode sans échec.
-
Bonjour Saachaa,
Mes problèmes ne s'arrangent pas.
J'ai ouvert une session administrateur (utilisateur habituel) en mode sans echec et j'ai pu installer Winlogon (version 2). voici le resultat :
- Fonction CMD : OK
- Fonction RECEDIT : OK
- Fonction SERVICES : OK
- Fonction SCRIPT : Aucune réaction
- Fonction DIAG : le scan est resté bloqué à la ligne "C:\WINDOWS\SYSTEM 32\WUDFDd.SYS"
- J'ai néanmois réussis à faire tourner entièrement la fonction CHK.SCV dont le rapport est joint ci-dessous.
Ensuite, je ne sais pas si j'ai fais une connerie ou pas (utilisation de la fonction KILL), mais toujours est-il que maintenant, le clavier ne répond plus sous la session Administrateur. Donc, impossible de saisir le mot de passe pour ouvrir la session.
J'ai donc basculé vers la session Invité qui n'est pas protégé par mot de passe. C'est grace à cela que j'ai pu copier le rapport de CHK.SCV sur un CD, car cette opération était irréalisable sous la session Adminitrateur.
D'autre part, l'ordi semble fonctionner un peu mieux lorsqu'il est ouvert sous Invité (?). Le bouton démarrer fait bien appraitre le menu, la vitesse est nettement meilleure, mais les problèmes décrits précedement perdurent. Quelques trucs bizarres tout de même, en session Invité :
- Impossible de lancer Winlogon
- Impossible d'ouvrir le gestionnaire des taches
- Sans aucune application en fonctionnement, le gadget de bureau m'indique le prosseceur à 55% de charge
Rapport CHK.SCV ci-dessous
-----------------------------------------------------------------------------------------------
¤¤¤¤¤¤¤¤¤¤ | BFE
[HKLM\System\Currentcontrolset\Services\BFE]|[DisplayName] : @%SystemRoot%\system32\bfe.dll,-1001
[HKLM\System\Currentcontrolset\Services\BFE]|[Group] : NetworkProvider
[HKLM\System\Currentcontrolset\Services\BFE]|[ImagePath] : %systemroot%\system32\svchost.exe -k LocalServiceNoNetwork
[HKLM\System\Currentcontrolset\Services\BFE]|[Description] : @%SystemRoot%\system32\bfe.dll,-1002
[HKLM\System\Currentcontrolset\Services\BFE]|[ObjectName] : NT AUTHORITY\LocalService
[HKLM\System\Currentcontrolset\Services\BFE]|[ErrorControl] : 1
[HKLM\System\Currentcontrolset\Services\BFE]|[Start] : 4
[HKLM\System\Currentcontrolset\Services\BFE]|[Type] : 32
[HKLM\System\Currentcontrolset\Services\BFE]|[DependOnService] : RpcSs
[HKLM\System\Currentcontrolset\Services\BFE]|[ServiceSidType] : 3
[HKLM\System\Currentcontrolset\Services\BFE]|[RequiredPrivileges] : SeAuditPrivilege
[HKLM\System\Currentcontrolset\Services\BFE]|[FailureActions] : 0x805101000000000000000000030000001400000001000000C0D4010001000000E09304000000000000000000
[HKLM\System\Currentcontrolset\Services\BFE\Parameters]|[ServiceDll] : %SystemRoot%\System32\bfe.dll
[HKLM\System\Currentcontrolset\Services\BFE\Parameters]|[ServiceDllUnloadOnStop] : 1
[HKLM\System\Currentcontrolset\Services\BFE\Parameters]|[ServiceMain] : BfeServiceMain
¤¤¤¤¤¤¤¤¤¤ | BITS
[HKLM\System\Currentcontrolset\Services\BITS]|[DisplayName] : @%SystemRoot%\system32\qmgr.dll,-1000
[HKLM\System\Currentcontrolset\Services\BITS]|[ImagePath] : %SystemRoot%\System32\svchost.exe -k netsvcs
[HKLM\System\Currentcontrolset\Services\BITS]|[Description] : @%SystemRoot%\system32\qmgr.dll,-1001
[HKLM\System\Currentcontrolset\Services\BITS]|[ObjectName] : LocalSystem
[HKLM\System\Currentcontrolset\Services\BITS]|[ErrorControl] : 1
[HKLM\System\Currentcontrolset\Services\BITS]|[Start] : 4
[HKLM\System\Currentcontrolset\Services\BITS]|[DelayedAutoStart] : 1
[HKLM\System\Currentcontrolset\Services\BITS]|[Type] : 32
[HKLM\System\Currentcontrolset\Services\BITS]|[DependOnService] : RpcSs
EventSystem
[HKLM\System\Currentcontrolset\Services\BITS]|[ServiceSidType] : 1
[HKLM\System\Currentcontrolset\Services\BITS]|[RequiredPrivileges] : SeCreateGlobalPrivilege
SeImpersonatePrivilege
SeTcbPrivilege
SeAssignPrimaryTokenPrivilege
SeIncreaseQuotaPrivilege
[HKLM\System\Currentcontrolset\Services\BITS]|[FailureActions] : 0x80510100000000000000000003000000140000000100000060EA000001000000C0D401000000000000000000
[HKLM\System\Currentcontrolset\Services\BITS\Parameters]|[ServiceDll] : %SystemRoot%\System32\qmgr.dll
[HKLM\System\Currentcontrolset\Services\BITS\Performance]|[Library] : bitsperf.dll
[HKLM\System\Currentcontrolset\Services\BITS\Performance]|[Open] : PerfMon_Open
[HKLM\System\Currentcontrolset\Services\BITS\Performance]|[Collect] : PerfMon_Collect
[HKLM\System\Currentcontrolset\Services\BITS\Performance]|[Close] : PerfMon_Close
[HKLM\System\Currentcontrolset\Services\BITS\Performance]|[InstallType] : 1
[HKLM\System\Currentcontrolset\Services\BITS\Performance]|[PerfIniFile] : bitsctrs.ini
[HKLM\System\Currentcontrolset\Services\BITS\Performance]|[First Counter] : 2156
[HKLM\System\Currentcontrolset\Services\BITS\Performance]|[Last Counter] : 2172
[HKLM\System\Currentcontrolset\Services\BITS\Performance]|[First Help] : 2157
[HKLM\System\Currentcontrolset\Services\BITS\Performance]|[Last Help] : 2173
[HKLM\System\Currentcontrolset\Services\BITS\Performance]|[Object List] : 2156
[HKLM\System\Currentcontrolset\Services\BITS\Performance]|[PerfMMFileName] : Global\MMF_BITS_s
[HKLM\System\Currentcontrolset\Services\BITS\Security]|[Security] : 0x0100148090000000A00000001400000034000000020020000100000002C0180000000C000102000000000005200000002002000002005C000400000000021400FF010F0001010000000000051200000000001800FF010F0001020000000000052000000020020000000014008D010200010100000000000504000000000014008D0102000101000000000005060000000102000000000005200000002002000001020000000000052000000020020000
¤¤¤¤¤¤¤¤¤¤ | Cryptsvc
[HKLM\System\Currentcontrolset\Services\Cryptsvc]|[DisplayName] : @%SystemRoot%\system32\cryptsvc.dll,-1001
[HKLM\System\Currentcontrolset\Services\Cryptsvc]|[ImagePath] : %SystemRoot%\system32\svchost.exe -k NetworkService
[HKLM\System\Currentcontrolset\Services\Cryptsvc]|[Description] : @%SystemRoot%\system32\cryptsvc.dll,-1002
[HKLM\System\Currentcontrolset\Services\Cryptsvc]|[ObjectName] : NT Authority\NetworkService
[HKLM\System\Currentcontrolset\Services\Cryptsvc]|[ErrorControl] : 1
[HKLM\System\Currentcontrolset\Services\Cryptsvc]|[Start] : 3
[HKLM\System\Currentcontrolset\Services\Cryptsvc]|[Type] : 32
[HKLM\System\Currentcontrolset\Services\Cryptsvc]|[DependOnService] : RpcSs
[HKLM\System\Currentcontrolset\Services\Cryptsvc]|[ServiceSidType] : 1
[HKLM\System\Currentcontrolset\Services\Cryptsvc]|[RequiredPrivileges] : SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeImpersonatePrivilege
[HKLM\System\Currentcontrolset\Services\Cryptsvc]|[FailureActions] : 0x80510100000000000000000003000000140000000100000060EA000000000000000000000000000000000000
[HKLM\System\Currentcontrolset\Services\Cryptsvc\Parameters]|[ServiceDll] : %SystemRoot%\system32\cryptsvc.dll
[HKLM\System\Currentcontrolset\Services\Cryptsvc\Parameters]|[ServiceMain] : CryptServiceMain
[HKLM\System\Currentcontrolset\Services\Cryptsvc\Parameters]|[ServiceDllUnloadOnStop] : 1
[HKLM\System\Currentcontrolset\Services\Cryptsvc\Security]|[Security] : 0x00000E0001
¤¤¤¤¤¤¤¤¤¤ | MPSSVC
[HKLM\System\Currentcontrolset\Services\MPSSVC]|[DisplayName] : @%SystemRoot%\system32\FirewallAPI.dll,-23090
[HKLM\System\Currentcontrolset\Services\MPSSVC]|[Group] : NetworkProvider
[HKLM\System\Currentcontrolset\Services\MPSSVC]|[ImagePath] : %SystemRoot%\system32\svchost.exe -k LocalServiceNoNetwork
[HKLM\System\Currentcontrolset\Services\MPSSVC]|[Description] : @%SystemRoot%\system32\FirewallAPI.dll,-23091
[HKLM\System\Currentcontrolset\Services\MPSSVC]|[ObjectName] : NT Authority\LocalService
[HKLM\System\Currentcontrolset\Services\MPSSVC]|[ErrorControl] : 1
[HKLM\System\Currentcontrolset\Services\MPSSVC]|[Start] : 4
[HKLM\System\Currentcontrolset\Services\MPSSVC]|[Type] : 32
[HKLM\System\Currentcontrolset\Services\MPSSVC]|[DependOnService] : mpsdrv
bfe
[HKLM\System\Currentcontrolset\Services\MPSSVC]|[ServiceSidType] : 3
[HKLM\System\Currentcontrolset\Services\MPSSVC]|[RequiredPrivileges] : SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeImpersonatePrivilege
SeIncreaseQuotaPrivilege
[HKLM\System\Currentcontrolset\Services\MPSSVC]|[FailureActions] : 0x805101000000000000000000030000001400000001000000C0D4010001000000E09304000000000000000000
[HKLM\System\Currentcontrolset\Services\MPSSVC\Parameters]|[ServiceDll] : %SystemRoot%\system32\mpssvc.dll
[HKLM\System\Currentcontrolset\Services\MPSSVC\Parameters]|[ServiceDllUnloadOnStop] : 1
[HKLM\System\Currentcontrolset\Services\MPSSVC\Security]|[Security] : 0x01001480B4000000C0000000140000003000000002001C000100000002801400FF010F00010100000000000100000000020084000500000000001400FD01020001010000000000051200000000001800FF010F0001020000000000052000000020020000000014008D010200010100000000000504000000000014008D010200010100000000000506000000000028001500000001060000000000055000000049599D779156E555DCF4E20EA78BEBCA7B421356010100000000000512000000010100000000000512000000
¤¤¤¤¤¤¤¤¤¤ | RPCSS
[HKLM\System\Currentcontrolset\Services\RPCSS]|[DisplayName] : @oleres.dll,-5010
[HKLM\System\Currentcontrolset\Services\RPCSS]|[Group] : COM Infrastructure
[HKLM\System\Currentcontrolset\Services\RPCSS]|[ImagePath] : %SystemRoot%\system32\svchost.exe -k rpcss
[HKLM\System\Currentcontrolset\Services\RPCSS]|[Description] : @oleres.dll,-5011
[HKLM\System\Currentcontrolset\Services\RPCSS]|[ObjectName] : NT AUTHORITY\NetworkService
[HKLM\System\Currentcontrolset\Services\RPCSS]|[ErrorControl] : 1
[HKLM\System\Currentcontrolset\Services\RPCSS]|[Start] : 2
[HKLM\System\Currentcontrolset\Services\RPCSS]|[Type] : 32
[HKLM\System\Currentcontrolset\Services\RPCSS]|[DependOnService] : RpcEptMapper
DcomLaunch
[HKLM\System\Currentcontrolset\Services\RPCSS]|[FailureActions] : 0x00000000000000000000000001000000000000000200000060EA0000
[HKLM\System\Currentcontrolset\Services\RPCSS]|[RequiredPrivileges] : SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeImpersonatePrivilege
[HKLM\System\Currentcontrolset\Services\RPCSS]|[ServiceSidType] : 1
[HKLM\System\Currentcontrolset\Services\RPCSS\Parameters]|[ServiceDll] : %SystemRoot%\system32\rpcss.dll
[HKLM\System\Currentcontrolset\Services\RPCSS\Security]|[Security] : 0x01001480900000009C000000140000003000000002001C000100000002801400FF000F000101000000000001000000000200600004000000000014008500020001010000000000050B00000000001400FF000E0001010000000000051200000000001800FD000E0001020000000000052000000020020000000018008500000001020000000000052000000021020000010100000000000512000000010100000000000512000000
¤¤¤¤¤¤¤¤¤¤ | Windefend
[HKLM\System\Currentcontrolset\Services\Windefend]|[DisplayName] : @%ProgramFiles%\Windows Defender\MsMpRes.dll,-103
[HKLM\System\Currentcontrolset\Services\Windefend]|[ErrorControl] : 1
[HKLM\System\Currentcontrolset\Services\Windefend]|[ImagePath] : %SystemRoot%\System32\svchost.exe -k secsvcs
[HKLM\System\Currentcontrolset\Services\Windefend]|[Start] : 2
[HKLM\System\Currentcontrolset\Services\Windefend]|[Type] : 32
[HKLM\System\Currentcontrolset\Services\Windefend]|[Description] : @%ProgramFiles%\Windows Defender\MsMpRes.dll,-1176
[HKLM\System\Currentcontrolset\Services\Windefend]|[DependOnService] : RpcSs
[HKLM\System\Currentcontrolset\Services\Windefend]|[ObjectName] : LocalSystem
[HKLM\System\Currentcontrolset\Services\Windefend]|[ServiceSidType] : 1
[HKLM\System\Currentcontrolset\Services\Windefend]|[RequiredPrivileges] : SeImpersonatePrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeChangeNotifyPrivilege
SeSecurityPrivilege
SeShutdownPrivilege
SeIncreaseQuotaPrivilege
SeAssignPrimaryTokenPrivilege
[HKLM\System\Currentcontrolset\Services\Windefend]|[DelayedAutoStart] : 1
[HKLM\System\Currentcontrolset\Services\Windefend]|[FailureActions] : 0x80510100000000000000000003000000140000000100000060EA00000100000060EA00000000000000000000
[HKLM\System\Currentcontrolset\Services\Windefend\Parameters]|[ServiceDllUnloadOnStop] : 1
[HKLM\System\Currentcontrolset\Services\Windefend\Parameters]|[ServiceDll] : %ProgramFiles%\Windows Defender\mpsvc.dll
[HKLM\System\Currentcontrolset\Services\Windefend\Security]|[Security] : 0x01001480DC000000E8000000140000003000000002001C000100000002801400FF010F000101000000000001000000000200AC000600000000002800FF010F00010600000000000550000000B589FB381984C2CB5C6C236D5700776EC0026487000B280000000010010600000000000550000000B589FB381984C2CB5C6C236D5700776EC002648700001400FD01020001010000000000051200000000001800FF010F0001020000000000052000000020020000000014009D010200010100000000000504000000000014009D010200010100000000000506000000010100000000000512000000010100000000000512000000
¤¤¤¤¤¤¤¤¤¤ | wscsvc
[HKLM\System\Currentcontrolset\Services\wscsvc]|[DisplayName] : @%SystemRoot%\System32\wscsvc.dll,-200
[HKLM\System\Currentcontrolset\Services\wscsvc]|[ErrorControl] : 1
[HKLM\System\Currentcontrolset\Services\wscsvc]|[ImagePath] : %SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted
[HKLM\System\Currentcontrolset\Services\wscsvc]|[Start] : 4
[HKLM\System\Currentcontrolset\Services\wscsvc]|[Type] : 32
[HKLM\System\Currentcontrolset\Services\wscsvc]|[Description] : @%SystemRoot%\System32\wscsvc.dll,-201
[HKLM\System\Currentcontrolset\Services\wscsvc]|[DependOnService] : RpcSs
WinMgmt
[HKLM\System\Currentcontrolset\Services\wscsvc]|[ObjectName] : NT AUTHORITY\LocalService
[HKLM\System\Currentcontrolset\Services\wscsvc]|[ServiceSidType] : 1
[HKLM\System\Currentcontrolset\Services\wscsvc]|[RequiredPrivileges] : SeChangeNotifyPrivilege
SeImpersonatePrivilege
[HKLM\System\Currentcontrolset\Services\wscsvc]|[DelayedAutoStart] : 1
[HKLM\System\Currentcontrolset\Services\wscsvc]|[FailureActions] : 0x805101000000000000000000030000001400000001000000C0D4010001000000E09304000000000000000000
[HKLM\System\Currentcontrolset\Services\wscsvc\Parameters]|[ServiceDllUnloadOnStop] : 1
[HKLM\System\Currentcontrolset\Services\wscsvc\Parameters]|[ServiceDll] : %SystemRoot%\System32\wscsvc.dll
[HKLM\System\Currentcontrolset\Services\wscsvc\Security]|[Security] : 0x01001480C8000000D4000000140000003000000002001C000100000002801400FF010F00010100000000000100000000020098000600000000001400FD01020001010000000000051200000000001800FF010F0001020000000000052000000020020000000014009D010200010100000000000504000000000014008D010200010100000000000506000000000014000001000001010000000000050B000000000028001500000001060000000000055000000049599D779156E555DCF4E20EA78BEBCA7B421356010100000000000512000000010100000000000512000000
¤¤¤¤¤¤¤¤¤¤ | wuauserv
[HKLM\System\Currentcontrolset\Services\wuauserv]|[PreshutdownTimeout] : 57600000
[HKLM\System\Currentcontrolset\Services\wuauserv]|[DisplayName] : @%systemroot%\system32\wuaueng.dll,-105
[HKLM\System\Currentcontrolset\Services\wuauserv]|[ImagePath] : %systemroot%\system32\svchost.exe -k netsvcs
[HKLM\System\Currentcontrolset\Services\wuauserv]|[Description] : @%systemroot%\system32\wuaueng.dll,-106
[HKLM\System\Currentcontrolset\Services\wuauserv]|[ObjectName] : LocalSystem
[HKLM\System\Currentcontrolset\Services\wuauserv]|[ErrorControl] : 1
[HKLM\System\Currentcontrolset\Services\wuauserv]|[Start] : 4
[HKLM\System\Currentcontrolset\Services\wuauserv]|[DelayedAutoStart] : 1
[HKLM\System\Currentcontrolset\Services\wuauserv]|[Type] : 32
[HKLM\System\Currentcontrolset\Services\wuauserv]|[DependOnService] : rpcss
[HKLM\System\Currentcontrolset\Services\wuauserv]|[ServiceSidType] : 1
[HKLM\System\Currentcontrolset\Services\wuauserv]|[RequiredPrivileges] : SeAuditPrivilege
SeCreateGlobalPrivilege
SeCreatePageFilePrivilege
SeTcbPrivilege
SeAssignPrimaryTokenPrivilege
SeImpersonatePrivilege
SeIncreaseQuotaPrivilege
SeShutdownPrivilege
[HKLM\System\Currentcontrolset\Services\wuauserv]|[FailureActions] : 0x80510100000000000000000003000000140000000100000060EA000000000000000000000000000000000000
[HKLM\System\Currentcontrolset\Services\wuauserv\Parameters]|[ServiceDll] : %systemroot%\system32\wuaueng.dll
[HKLM\System\Currentcontrolset\Services\wuauserv\Parameters]|[ServiceMain] : WUServiceMain
[HKLM\System\Currentcontrolset\Services\wuauserv\Parameters]|[ServiceDllUnloadOnStop] : 1
[HKLM\System\Currentcontrolset\Services\wuauserv\Security]|[Security] : 0x010014807800000084000000140000003000000002001C000100000002801400FF000F000101000000000001000000000200480003000000000014009D00020001010000000000050B00000000001800FF010F000102000000000005200000002002000000001400FF010F00010100000000000512000000010100000000000512000000010100000000000512000000
¤¤¤¤¤¤¤¤¤¤ | BFE
[HKLM\System\Currentcontrolset\Services\BFE]|[DisplayName] : @%SystemRoot%\system32\bfe.dll,-1001
[HKLM\System\Currentcontrolset\Services\BFE]|[Group] : NetworkProvider
[HKLM\System\Currentcontrolset\Services\BFE]|[ImagePath] : %systemroot%\system32\svchost.exe -k LocalServiceNoNetwork
[HKLM\System\Currentcontrolset\Services\BFE]|[Description] : @%SystemRoot%\system32\bfe.dll,-1002
[HKLM\System\Currentcontrolset\Services\BFE]|[ObjectName] : NT AUTHORITY\LocalService
[HKLM\System\Currentcontrolset\Services\BFE]|[ErrorControl] : 1
[HKLM\System\Currentcontrolset\Services\BFE]|[Start] : 4
[HKLM\System\Currentcontrolset\Services\BFE]|[Type] : 32
[HKLM\System\Currentcontrolset\Services\BFE]|[DependOnService] : RpcSs
[HKLM\System\Currentcontrolset\Services\BFE]|[ServiceSidType] : 3
[HKLM\System\Currentcontrolset\Services\BFE]|[RequiredPrivileges] : SeAuditPrivilege
[HKLM\System\Currentcontrolset\Services\BFE]|[FailureActions] : 0x805101000000000000000000030000001400000001000000C0D4010001000000E09304000000000000000000
[HKLM\System\Currentcontrolset\Services\BFE\Parameters]|[ServiceDll] : %SystemRoot%\System32\bfe.dll
[HKLM\System\Currentcontrolset\Services\BFE\Parameters]|[ServiceDllUnloadOnStop] : 1
[HKLM\System\Currentcontrolset\Services\BFE\Parameters]|[ServiceMain] : BfeServiceMain
¤¤¤¤¤¤¤¤¤¤ | BITS
[HKLM\System\Currentcontrolset\Services\BITS]|[DisplayName] : @%SystemRoot%\system32\qmgr.dll,-1000
[HKLM\System\Currentcontrolset\Services\BITS]|[ImagePath] : %SystemRoot%\System32\svchost.exe -k netsvcs
[HKLM\System\Currentcontrolset\Services\BITS]|[Description] : @%SystemRoot%\system32\qmgr.dll,-1001
[HKLM\System\Currentcontrolset\Services\BITS]|[ObjectName] : LocalSystem
[HKLM\System\Currentcontrolset\Services\BITS]|[ErrorControl] : 1
[HKLM\System\Currentcontrolset\Services\BITS]|[Start] : 4
[HKLM\System\Currentcontrolset\Services\BITS]|[DelayedAutoStart] : 1
[HKLM\System\Currentcontrolset\Services\BITS]|[Type] : 32
[HKLM\System\Currentcontrolset\Services\BITS]|[DependOnService] : RpcSs
EventSystem
[HKLM\System\Currentcontrolset\Services\BITS]|[ServiceSidType] : 1
[HKLM\System\Currentcontrolset\Services\BITS]|[RequiredPrivileges] : SeCreateGlobalPrivilege
SeImpersonatePrivilege
SeTcbPrivilege
SeAssignPrimaryTokenPrivilege
SeIncreaseQuotaPrivilege
[HKLM\System\Currentcontrolset\Services\BITS]|[FailureActions] : 0x80510100000000000000000003000000140000000100000060EA000001000000C0D401000000000000000000
[HKLM\System\Currentcontrolset\Services\BITS\Parameters]|[ServiceDll] : %SystemRoot%\System32\qmgr.dll
[HKLM\System\Currentcontrolset\Services\BITS\Performance]|[Library] : bitsperf.dll
[HKLM\System\Currentcontrolset\Services\BITS\Performance]|[Open] : PerfMon_Open
[HKLM\System\Currentcontrolset\Services\BITS\Performance]|[Collect] : PerfMon_Collect
[HKLM\System\Currentcontrolset\Services\BITS\Performance]|[Close] : PerfMon_Close
[HKLM\System\Currentcontrolset\Services\BITS\Performance]|[InstallType] : 1
[HKLM\System\Currentcontrolset\Services\BITS\Performance]|[PerfIniFile] : bitsctrs.ini
[HKLM\System\Currentcontrolset\Services\BITS\Performance]|[First Counter] : 2156
[HKLM\System\Currentcontrolset\Services\BITS\Performance]|[Last Counter] : 2172
[HKLM\System\Currentcontrolset\Services\BITS\Performance]|[First Help] : 2157
[HKLM\System\Currentcontrolset\Services\BITS\Performance]|[Last Help] : 2173
[HKLM\System\Currentcontrolset\Services\BITS\Performance]|[Object List] : 2156
[HKLM\System\Currentcontrolset\Services\BITS\Performance]|[PerfMMFileName] : Global\MMF_BITS_s
[HKLM\System\Currentcontrolset\Services\BITS\Security]|[Security] : 0x0100148090000000A00000001400000034000000020020000100000002C0180000000C000102000000000005200000002002000002005C000400000000021400FF010F0001010000000000051200000000001800FF010F0001020000000000052000000020020000000014008D010200010100000000000504000000000014008D0102000101000000000005060000000102000000000005200000002002000001020000000000052000000020020000
¤¤¤¤¤¤¤¤¤¤ | Cryptsvc
[HKLM\System\Currentcontrolset\Services\Cryptsvc]|[DisplayName] : @%SystemRoot%\system32\cryptsvc.dll,-1001
[HKLM\System\Currentcontrolset\Services\Cryptsvc]|[ImagePath] : %SystemRoot%\system32\svchost.exe -k NetworkService
[HKLM\System\Currentcontrolset\Services\Cryptsvc]|[Description] : @%SystemRoot%\system32\cryptsvc.dll,-1002
[HKLM\System\Currentcontrolset\Services\Cryptsvc]|[ObjectName] : NT Authority\NetworkService
[HKLM\System\Currentcontrolset\Services\Cryptsvc]|[ErrorControl] : 1
[HKLM\System\Currentcontrolset\Services\Cryptsvc]|[Start] : 3
[HKLM\System\Currentcontrolset\Services\Cryptsvc]|[Type] : 32
[HKLM\System\Currentcontrolset\Services\Cryptsvc]|[DependOnService] : RpcSs
[HKLM\System\Currentcontrolset\Services\Cryptsvc]|[ServiceSidType] : 1
[HKLM\System\Currentcontrolset\Services\Cryptsvc]|[RequiredPrivileges] : SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeImpersonatePrivilege
[HKLM\System\Currentcontrolset\Services\Cryptsvc]|[FailureActions] : 0x80510100000000000000000003000000140000000100000060EA000000000000000000000000000000000000
[HKLM\System\Currentcontrolset\Services\Cryptsvc\Parameters]|[ServiceDll] : %SystemRoot%\system32\cryptsvc.dll
[HKLM\System\Currentcontrolset\Services\Cryptsvc\Parameters]|[ServiceMain] : CryptServiceMain
[HKLM\System\Currentcontrolset\Services\Cryptsvc\Parameters]|[ServiceDllUnloadOnStop] : 1
[HKLM\System\Currentcontrolset\Services\Cryptsvc\Security]|[Security] : 0x00000E0001
¤¤¤¤¤¤¤¤¤¤ | MPSSVC
[HKLM\System\Currentcontrolset\Services\MPSSVC]|[DisplayName] : @%SystemRoot%\system32\FirewallAPI.dll,-23090
[HKLM\System\Currentcontrolset\Services\MPSSVC]|[Group] : NetworkProvider
[HKLM\System\Currentcontrolset\Services\MPSSVC]|[ImagePath] : %SystemRoot%\system32\svchost.exe -k LocalServiceNoNetwork
[HKLM\System\Currentcontrolset\Services\MPSSVC]|[Description] : @%SystemRoot%\system32\FirewallAPI.dll,-23091
[HKLM\System\Currentcontrolset\Services\MPSSVC]|[ObjectName] : NT Authority\LocalService
[HKLM\System\Currentcontrolset\Services\MPSSVC]|[ErrorControl] : 1
[HKLM\System\Currentcontrolset\Services\MPSSVC]|[Start] : 4
[HKLM\System\Currentcontrolset\Services\MPSSVC]|[Type] : 32
[HKLM\System\Currentcontrolset\Services\MPSSVC]|[DependOnService] : mpsdrv
bfe
[HKLM\System\Currentcontrolset\Services\MPSSVC]|[ServiceSidType] : 3
[HKLM\System\Currentcontrolset\Services\MPSSVC]|[RequiredPrivileges] : SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeImpersonatePrivilege
SeIncreaseQuotaPrivilege
[HKLM\System\Currentcontrolset\Services\MPSSVC]|[FailureActions] : 0x805101000000000000000000030000001400000001000000C0D4010001000000E09304000000000000000000
[HKLM\System\Currentcontrolset\Services\MPSSVC\Parameters]|[ServiceDll] : %SystemRoot%\system32\mpssvc.dll
[HKLM\System\Currentcontrolset\Services\MPSSVC\Parameters]|[ServiceDllUnloadOnStop] : 1
[HKLM\System\Currentcontrolset\Services\MPSSVC\Security]|[Security] : 0x01001480B4000000C0000000140000003000000002001C000100000002801400FF010F00010100000000000100000000020084000500000000001400FD01020001010000000000051200000000001800FF010F0001020000000000052000000020020000000014008D010200010100000000000504000000000014008D010200010100000000000506000000000028001500000001060000000000055000000049599D779156E555DCF4E20EA78BEBCA7B421356010100000000000512000000010100000000000512000000
¤¤¤¤¤¤¤¤¤¤ | RPCSS
[HKLM\System\Currentcontrolset\Services\RPCSS]|[DisplayName] : @oleres.dll,-5010
[HKLM\System\Currentcontrolset\Services\RPCSS]|[Group] : COM Infrastructure
[HKLM\System\Currentcontrolset\Services\RPCSS]|[ImagePath] : %SystemRoot%\system32\svchost.exe -k rpcss
[HKLM\System\Currentcontrolset\Services\RPCSS]|[Description] : @oleres.dll,-5011
[HKLM\System\Currentcontrolset\Services\RPCSS]|[ObjectName] : NT AUTHORITY\NetworkService
[HKLM\System\Currentcontrolset\Services\RPCSS]|[ErrorControl] : 1
[HKLM\System\Currentcontrolset\Services\RPCSS]|[Start] : 2
[HKLM\System\Currentcontrolset\Services\RPCSS]|[Type] : 32
[HKLM\System\Currentcontrolset\Services\RPCSS]|[DependOnService] : RpcEptMapper
DcomLaunch
[HKLM\System\Currentcontrolset\Services\RPCSS]|[FailureActions] : 0x00000000000000000000000001000000000000000200000060EA0000
[HKLM\System\Currentcontrolset\Services\RPCSS]|[RequiredPrivileges] : SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeImpersonatePrivilege
[HKLM\System\Currentcontrolset\Services\RPCSS]|[ServiceSidType] : 1
[HKLM\System\Currentcontrolset\Services\RPCSS\Parameters]|[ServiceDll] : %SystemRoot%\system32\rpcss.dll
[HKLM\System\Currentcontrolset\Services\RPCSS\Security]|[Security] : 0x01001480900000009C000000140000003000000002001C000100000002801400FF000F000101000000000001000000000200600004000000000014008500020001010000000000050B00000000001400FF000E0001010000000000051200000000001800FD000E0001020000000000052000000020020000000018008500000001020000000000052000000021020000010100000000000512000000010100000000000512000000
¤¤¤¤¤¤¤¤¤¤ | Windefend
[HKLM\System\Currentcontrolset\Services\Windefend]|[DisplayName] : @%ProgramFiles%\Windows Defender\MsMpRes.dll,-103
[HKLM\System\Currentcontrolset\Services\Windefend]|[ErrorControl] : 1
[HKLM\System\Currentcontrolset\Services\Windefend]|[ImagePath] : %SystemRoot%\System32\svchost.exe -k secsvcs
[HKLM\System\Currentcontrolset\Services\Windefend]|[Start] : 2
[HKLM\System\Currentcontrolset\Services\Windefend]|[Type] : 32
[HKLM\System\Currentcontrolset\Services\Windefend]|[Description] : @%ProgramFiles%\Windows Defender\MsMpRes.dll,-1176
[HKLM\System\Currentcontrolset\Services\Windefend]|[DependOnService] : RpcSs
[HKLM\System\Currentcontrolset\Services\Windefend]|[ObjectName] : LocalSystem
[HKLM\System\Currentcontrolset\Services\Windefend]|[ServiceSidType] : 1
[HKLM\System\Currentcontrolset\Services\Windefend]|[RequiredPrivileges] : SeImpersonatePrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeChangeNotifyPrivilege
SeSecurityPrivilege
SeShutdownPrivilege
SeIncreaseQuotaPrivilege
SeAssignPrimaryTokenPrivilege
[HKLM\System\Currentcontrolset\Services\Windefend]|[DelayedAutoStart] : 1
[HKLM\System\Currentcontrolset\Services\Windefend]|[FailureActions] : 0x80510100000000000000000003000000140000000100000060EA00000100000060EA00000000000000000000
[HKLM\System\Currentcontrolset\Services\Windefend\Parameters]|[ServiceDllUnloadOnStop] : 1
[HKLM\System\Currentcontrolset\Services\Windefend\Parameters]|[ServiceDll] : %ProgramFiles%\Windows Defender\mpsvc.dll
[HKLM\System\Currentcontrolset\Services\Windefend\Security]|[Security] : 0x01001480DC000000E8000000140000003000000002001C000100000002801400FF010F000101000000000001000000000200AC000600000000002800FF010F00010600000000000550000000B589FB381984C2CB5C6C236D5700776EC0026487000B280000000010010600000000000550000000B589FB381984C2CB5C6C236D5700776EC002648700001400FD01020001010000000000051200000000001800FF010F0001020000000000052000000020020000000014009D010200010100000000000504000000000014009D010200010100000000000506000000010100000000000512000000010100000000000512000000
¤¤¤¤¤¤¤¤¤¤ | wscsvc
[HKLM\System\Currentcontrolset\Services\wscsvc]|[DisplayName] : @%SystemRoot%\System32\wscsvc.dll,-200
[HKLM\System\Currentcontrolset\Services\wscsvc]|[ErrorControl] : 1
[HKLM\System\Currentcontrolset\Services\wscsvc]|[ImagePath] : %SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted
[HKLM\System\Currentcontrolset\Services\wscsvc]|[Start] : 4
[HKLM\System\Currentcontrolset\Services\wscsvc]|[Type] : 32
[HKLM\System\Currentcontrolset\Services\wscsvc]|[Description] : @%SystemRoot%\System32\wscsvc.dll,-201
[HKLM\System\Currentcontrolset\Services\wscsvc]|[DependOnService] : RpcSs
WinMgmt
[HKLM\System\Currentcontrolset\Services\wscsvc]|[ObjectName] : NT AUTHORITY\LocalService
[HKLM\System\Currentcontrolset\Services\wscsvc]|[ServiceSidType] : 1
[HKLM\System\Currentcontrolset\Services\wscsvc]|[RequiredPrivileges] : SeChangeNotifyPrivilege
SeImpersonatePrivilege
[HKLM\System\Currentcontrolset\Services\wscsvc]|[DelayedAutoStart] : 1
[HKLM\System\Currentcontrolset\Services\wscsvc]|[FailureActions] : 0x805101000000000000000000030000001400000001000000C0D4010001000000E09304000000000000000000
[HKLM\System\Currentcontrolset\Services\wscsvc\Parameters]|[ServiceDllUnloadOnStop] : 1
[HKLM\System\Currentcontrolset\Services\wscsvc\Parameters]|[ServiceDll] : %SystemRoot%\System32\wscsvc.dll
[HKLM\System\Currentcontrolset\Services\wscsvc\Security]|[Security] : 0x01001480C8000000D4000000140000003000000002001C000100000002801400FF010F00010100000000000100000000020098000600000000001400FD01020001010000000000051200000000001800FF010F0001020000000000052000000020020000000014009D010200010100000000000504000000000014008D010200010100000000000506000000000014000001000001010000000000050B000000000028001500000001060000000000055000000049599D779156E555DCF4E20EA78BEBCA7B421356010100000000000512000000010100000000000512000000
¤¤¤¤¤¤¤¤¤¤ | wuauserv
[HKLM\System\Currentcontrolset\Services\wuauserv]|[PreshutdownTimeout] : 57600000
[HKLM\System\Currentcontrolset\Services\wuauserv]|[DisplayName] : @%systemroot%\system32\wuaueng.dll,-105
[HKLM\System\Currentcontrolset\Services\wuauserv]|[ImagePath] : %systemroot%\system32\svchost.exe -k netsvcs
[HKLM\System\Currentcontrolset\Services\wuauserv]|[Description] : @%systemroot%\system32\wuaueng.dll,-106
[HKLM\System\Currentcontrolset\Services\wuauserv]|[ObjectName] : LocalSystem
[HKLM\System\Currentcontrolset\Services\wuauserv]|[ErrorControl] : 1
[HKLM\System\Currentcontrolset\Services\wuauserv]|[Start] : 4
[HKLM\System\Currentcontrolset\Services\wuauserv]|[DelayedAutoStart] : 1
[HKLM\System\Currentcontrolset\Services\wuauserv]|[Type] : 32
[HKLM\System\Currentcontrolset\Services\wuauserv]|[DependOnService] : rpcss
[HKLM\System\Currentcontrolset\Services\wuauserv]|[ServiceSidType] : 1
[HKLM\System\Currentcontrolset\Services\wuauserv]|[RequiredPrivileges] : SeAuditPrivilege
SeCreateGlobalPrivilege
SeCreatePageFilePrivilege
SeTcbPrivilege
SeAssignPrimaryTokenPrivilege
SeImpersonatePrivilege
SeIncreaseQuotaPrivilege
SeShutdownPrivilege
[HKLM\System\Currentcontrolset\Services\wuauserv]|[FailureActions] : 0x80510100000000000000000003000000140000000100000060EA000000000000000000000000000000000000
[HKLM\System\Currentcontrolset\Services\wuauserv\Parameters]|[ServiceDll] : %systemroot%\system32\wuaueng.dll
[HKLM\System\Currentcontrolset\Services\wuauserv\Parameters]|[ServiceMain] : WUServiceMain
[HKLM\System\Currentcontrolset\Services\wuauserv\Parameters]|[ServiceDllUnloadOnStop] : 1
[HKLM\System\Currentcontrolset\Services\wuauserv\Security]|[Security] : 0x010014807800000084000000140000003000000002001C000100000002801400FF000F000101000000000001000000000200480003000000000014009D00020001010000000000050B00000000001800FF010F000102000000000005200000002002000000001400FF010F00010100000000000512000000010100000000000512000000010100000000000512000000
¤¤¤¤¤¤¤¤¤¤ | BFE
[HKLM\System\Currentcontrolset\Services\BFE]|[DisplayName] : @%SystemRoot%\system32\bfe.dll,-1001
[HKLM\System\Currentcontrolset\Services\BFE]|[Group] : NetworkProvider
[HKLM\System\Currentcontrolset\Services\BFE]|[ImagePath] : %systemroot%\system32\svchost.exe -k LocalServiceNoNetwork
[HKLM\System\Currentcontrolset\Services\BFE]|[Description] : @%SystemRoot%\system32\bfe.dll,-1002
[HKLM\System\Currentcontrolset\Services\BFE]|[ObjectName] : NT AUTHORITY\LocalService
[HKLM\System\Currentcontrolset\Services\BFE]|[ErrorControl] : 1
[HKLM\System\Currentcontrolset\Services\BFE]|[Start] : 4
[HKLM\System\Currentcontrolset\Services\BFE]|[Type] : 32
[HKLM\System\Currentcontrolset\Services\BFE]|[DependOnService] : RpcSs
[HKLM\System\Currentcontrolset\Services\BFE]|[ServiceSidType] : 3
[HKLM\System\Currentcontrolset\Services\BFE]|[RequiredPrivileges] : SeAuditPrivilege
[HKLM\System\Currentcontrolset\Services\BFE]|[FailureActions] : 0x805101000000000000000000030000001400000001000000C0D4010001000000E09304000000000000000000
[HKLM\System\Currentcontrolset\Services\BFE\Parameters]|[ServiceDll] : %SystemRoot%\System32\bfe.dll
[HKLM\System\Currentcontrolset\Services\BFE\Parameters]|[ServiceDllUnloadOnStop] : 1
[HKLM\System\Currentcontrolset\Services\BFE\Parameters]|[ServiceMain] : BfeServiceMain
¤¤¤¤¤¤¤¤¤¤ | BITS
[HKLM\System\Currentcontrolset\Services\BITS]|[DisplayName] : @%SystemRoot%\system32\qmgr.dll,-1000
[HKLM\System\Currentcontrolset\Services\BITS]|[ImagePath] : %SystemRoot%\System32\svchost.exe -k netsvcs
[HKLM\System\Currentcontrolset\Services\BITS]|[Description] : @%SystemRoot%\system32\qmgr.dll,-1001
[HKLM\System\Currentcontrolset\Services\BITS]|[ObjectName] : LocalSystem
[HKLM\System\Currentcontrolset\Services\BITS]|[ErrorControl] : 1
[HKLM\System\Currentcontrolset\Services\BITS]|[Start] : 4
[HKLM\System\Currentcontrolset\Services\BITS]|[DelayedAutoStart] : 1
[HKLM\System\Currentcontrolset\Services\BITS]|[Type] : 32
[HKLM\System\Currentcontrolset\Services\BITS]|[DependOnService] : RpcSs
EventSystem
[HKLM\System\Currentcontrolset\Services\BITS]|[ServiceSidType] : 1
[HKLM\System\Currentcontrolset\Services\BITS]|[RequiredPrivileges] : SeCreateGlobalPrivilege
SeImpersonatePrivilege
SeTcbPrivilege
SeAssignPrimaryTokenPrivilege
SeIncreaseQuotaPrivilege
[HKLM\System\Currentcontrolset\Services\BITS]|[FailureActions] : 0x80510100000000000000000003000000140000000100000060EA000001000000C0D401000000000000000000
[HKLM\System\Currentcontrolset\Services\BITS\Parameters]|[ServiceDll] : %SystemRoot%\System32\qmgr.dll
[HKLM\System\Currentcontrolset\Services\BITS\Performance]|[Library] : bitsperf.dll
[HKLM\System\Currentcontrolset\Services\BITS\Performance]|[Open] : PerfMon_Open
[HKLM\System\Currentcontrolset\Services\BITS\Performance]|[Collect] : PerfMon_Collect
[HKLM\System\Currentcontrolset\Services\BITS\Performance]|[Close] : PerfMon_Close
[HKLM\System\Currentcontrolset\Services\BITS\Performance]|[InstallType] : 1
[HKLM\System\Currentcontrolset\Services\BITS\Performance]|[PerfIniFile] : bitsctrs.ini
[HKLM\System\Currentcontrolset\Services\BITS\Performance]|[First Counter] : 2156
[HKLM\System\Currentcontrolset\Services\BITS\Performance]|[Last Counter] : 2172
[HKLM\System\Currentcontrolset\Services\BITS\Performance]|[First Help] : 2157
[HKLM\System\Currentcontrolset\Services\BITS\Performance]|[Last Help] : 2173
[HKLM\System\Currentcontrolset\Services\BITS\Performance]|[Object List] : 2156
[HKLM\System\Currentcontrolset\Services\BITS\Performance]|[PerfMMFileName] : Global\MMF_BITS_s
[HKLM\System\Currentcontrolset\Services\BITS\Security]|[Security] : 0x0100148090000000A00000001400000034000000020020000100000002C0180000000C000102000000000005200000002002000002005C000400000000021400FF010F0001010000000000051200000000001800FF010F0001020000000000052000000020020000000014008D010200010100000000000504000000000014008D0102000101000000000005060000000102000000000005200000002002000001020000000000052000000020020000
¤¤¤¤¤¤¤¤¤¤ | Cryptsvc
[HKLM\System\Currentcontrolset\Services\Cryptsvc]|[DisplayName] : @%SystemRoot%\system32\cryptsvc.dll,-1001
[HKLM\System\Currentcontrolset\Services\Cryptsvc]|[ImagePath] : %SystemRoot%\system32\svchost.exe -k NetworkService
[HKLM\System\Currentcontrolset\Services\Cryptsvc]|[Description] : @%SystemRoot%\system32\cryptsvc.dll,-1002
[HKLM\System\Currentcontrolset\Services\Cryptsvc]|[ObjectName] : NT Authority\NetworkService
[HKLM\System\Currentcontrolset\Services\Cryptsvc]|[ErrorControl] : 1
[HKLM\System\Currentcontrolset\Services\Cryptsvc]|[Start] : 3
[HKLM\System\Currentcontrolset\Services\Cryptsvc]|[Type] : 32
[HKLM\System\Currentcontrolset\Services\Cryptsvc]|[DependOnService] : RpcSs
[HKLM\System\Currentcontrolset\Services\Cryptsvc]|[ServiceSidType] : 1
[HKLM\System\Currentcontrolset\Services\Cryptsvc]|[RequiredPrivileges] : SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeImpersonatePrivilege
[HKLM\System\Currentcontrolset\Services\Cryptsvc]|[FailureActions] : 0x80510100000000000000000003000000140000000100000060EA000000000000000000000000000000000000
[HKLM\System\Currentcontrolset\Services\Cryptsvc\Parameters]|[ServiceDll] : %SystemRoot%\system32\cryptsvc.dll
[HKLM\System\Currentcontrolset\Services\Cryptsvc\Parameters]|[ServiceMain] : CryptServiceMain
[HKLM\System\Currentcontrolset\Services\Cryptsvc\Parameters]|[ServiceDllUnloadOnStop] : 1
[HKLM\System\Currentcontrolset\Services\Cryptsvc\Security]|[Security] : 0x00000E0001
¤¤¤¤¤¤¤¤¤¤ | MPSSVC
[HKLM\System\Currentcontrolset\Services\MPSSVC]|[DisplayName] : @%SystemRoot%\system32\FirewallAPI.dll,-23090
[HKLM\System\Currentcontrolset\Services\MPSSVC]|[Group] : NetworkProvider
[HKLM\System\Currentcontrolset\Services\MPSSVC]|[ImagePath] : %SystemRoot%\system32\svchost.exe -k LocalServiceNoNetwork
[HKLM\System\Currentcontrolset\Services\MPSSVC]|[Description] : @%SystemRoot%\system32\FirewallAPI.dll,-23091
[HKLM\System\Currentcontrolset\Services\MPSSVC]|[ObjectName] : NT Authority\LocalService
[HKLM\System\Currentcontrolset\Services\MPSSVC]|[ErrorControl] : 1
[HKLM\System\Currentcontrolset\Services\MPSSVC]|[Start] : 4
[HKLM\System\Currentcontrolset\Services\MPSSVC]|[Type] : 32
[HKLM\System\Currentcontrolset\Services\MPSSVC]|[DependOnService] : mpsdrv
bfe
[HKLM\System\Currentcontrolset\Services\MPSSVC]|[ServiceSidType] : 3
[HKLM\System\Currentcontrolset\Services\MPSSVC]|[RequiredPrivileges] : SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeImpersonatePrivilege
SeIncreaseQuotaPrivilege
[HKLM\System\Currentcontrolset\Services\MPSSVC]|[FailureActions] : 0x805101000000000000000000030000001400000001000000C0D4010001000000E09304000000000000000000
[HKLM\System\Currentcontrolset\Services\MPSSVC\Parameters]|[ServiceDll] : %SystemRoot%\system32\mpssvc.dll
[HKLM\System\Currentcontrolset\Services\MPSSVC\Parameters]|[ServiceDllUnloadOnStop] : 1
[HKLM\System\Currentcontrolset\Services\MPSSVC\Security]|[Security] : 0x01001480B4000000C0000000140000003000000002001C000100000002801400FF010F00010100000000000100000000020084000500000000001400FD01020001010000000000051200000000001800FF010F0001020000000000052000000020020000000014008D010200010100000000000504000000000014008D010200010100000000000506000000000028001500000001060000000000055000000049599D779156E555DCF4E20EA78BEBCA7B421356010100000000000512000000010100000000000512000000
¤¤¤¤¤¤¤¤¤¤ | RPCSS
[HKLM\System\Currentcontrolset\Services\RPCSS]|[DisplayName] : @oleres.dll,-5010
[HKLM\System\Currentcontrolset\Services\RPCSS]|[Group] : COM Infrastructure
[HKLM\System\Currentcontrolset\Services\RPCSS]|[ImagePath] : %SystemRoot%\system32\svchost.exe -k rpcss
[HKLM\System\Currentcontrolset\Services\RPCSS]|[Description] : @oleres.dll,-5011
[HKLM\System\Currentcontrolset\Services\RPCSS]|[ObjectName] : NT AUTHORITY\NetworkService
[HKLM\System\Currentcontrolset\Services\RPCSS]|[ErrorControl] : 1
[HKLM\System\Currentcontrolset\Services\RPCSS]|[Start] : 2
[HKLM\System\Currentcontrolset\Services\RPCSS]|[Type] : 32
[HKLM\System\Currentcontrolset\Services\RPCSS]|[DependOnService] : RpcEptMapper
DcomLaunch
[HKLM\System\Currentcontrolset\Services\RPCSS]|[FailureActions] : 0x00000000000000000000000001000000000000000200000060EA0000
[HKLM\System\Currentcontrolset\Services\RPCSS]|[RequiredPrivileges] : SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeImpersonatePrivilege
[HKLM\System\Currentcontrolset\Services\RPCSS]|[ServiceSidType] : 1
[HKLM\System\Currentcontrolset\Services\RPCSS\Parameters]|[ServiceDll] : %SystemRoot%\system32\rpcss.dll
[HKLM\System\Currentcontrolset\Services\RPCSS\Security]|[Security] : 0x01001480900000009C000000140000003000000002001C000100000002801400FF000F000101000000000001000000000200600004000000000014008500020001010000000000050B00000000001400FF000E0001010000000000051200000000001800FD000E0001020000000000052000000020020000000018008500000001020000000000052000000021020000010100000000000512000000010100000000000512000000
¤¤¤¤¤¤¤¤¤¤ | Windefend
[HKLM\System\Currentcontrolset\Services\Windefend]|[DisplayName] : @%ProgramFiles%\Windows Defender\MsMpRes.dll,-103
[HKLM\System\Currentcontrolset\Services\Windefend]|[ErrorControl] : 1
[HKLM\System\Currentcontrolset\Services\Windefend]|[ImagePath] : %SystemRoot%\System32\svchost.exe -k secsvcs
[HKLM\System\Currentcontrolset\Services\Windefend]|[Start] : 2
[HKLM\System\Currentcontrolset\Services\Windefend]|[Type] : 32
[HKLM\System\Currentcontrolset\Services\Windefend]|[Description] : @%ProgramFiles%\Windows Defender\MsMpRes.dll,-1176
[HKLM\System\Currentcontrolset\Services\Windefend]|[DependOnService] : RpcSs
[HKLM\System\Currentcontrolset\Services\Windefend]|[ObjectName] : LocalSystem
[HKLM\System\Currentcontrolset\Services\Windefend]|[ServiceSidType] : 1
[HKLM\System\Currentcontrolset\Services\Windefend]|[RequiredPrivileges] : SeImpersonatePrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeChangeNotifyPrivilege
SeSecurityPrivilege
SeShutdownPrivilege
SeIncreaseQuotaPrivilege
SeAssignPrimaryTokenPrivilege
[HKLM\System\Currentcontrolset\Services\Windefend]|[DelayedAutoStart] : 1
[HKLM\System\Currentcontrolset\Services\Windefend]|[FailureActions] : 0x80510100000000000000000003000000140000000100000060EA00000100000060EA00000000000000000000
[HKLM\System\Currentcontrolset\Services\Windefend\Parameters]|[ServiceDllUnloadOnStop] : 1
[HKLM\System\Currentcontrolset\Services\Windefend\Parameters]|[ServiceDll] : %ProgramFiles%\Windows Defender\mpsvc.dll
[HKLM\System\Currentcontrolset\Services\Windefend\Security]|[Security] : 0x01001480DC000000E8000000140000003000000002001C000100000002801400FF010F000101000000000001000000000200AC000600000000002800FF010F00010600000000000550000000B589FB381984C2CB5C6C236D5700776EC0026487000B280000000010010600000000000550000000B589FB381984C2CB5C6C236D5700776EC002648700001400FD01020001010000000000051200000000001800FF010F0001020000000000052000000020020000000014009D010200010100000000000504000000000014009D010200010100000000000506000000010100000000000512000000010100000000000512000000
¤¤¤¤¤¤¤¤¤¤ | wscsvc
[HKLM\System\Currentcontrolset\Services\wscsvc]|[DisplayName] : @%SystemRoot%\System32\wscsvc.dll,-200
[HKLM\System\Currentcontrolset\Services\wscsvc]|[ErrorControl] : 1
[HKLM\System\Currentcontrolset\Services\wscsvc]|[ImagePath] : %SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted
[HKLM\System\Currentcontrolset\Services\wscsvc]|[Start] : 4
[HKLM\System\Currentcontrolset\Services\wscsvc]|[Type] : 32
[HKLM\System\Currentcontrolset\Services\wscsvc]|[Description] : @%SystemRoot%\System32\wscsvc.dll,-201
[HKLM\System\Currentcontrolset\Services\wscsvc]|[DependOnService] : RpcSs
WinMgmt
[HKLM\System\Currentcontrolset\Services\wscsvc]|[ObjectName] : NT AUTHORITY\LocalService
[HKLM\System\Currentcontrolset\Services\wscsvc]|[ServiceSidType] : 1
[HKLM\System\Currentcontrolset\Services\wscsvc]|[RequiredPrivileges] : SeChangeNotifyPrivilege
SeImpersonatePrivilege
[HKLM\System\Currentcontrolset\Services\wscsvc]|[DelayedAutoStart] : 1
[HKLM\System\Currentcontrolset\Services\wscsvc]|[FailureActions] : 0x805101000000000000000000030000001400000001000000C0D4010001000000E09304000000000000000000
[HKLM\System\Currentcontrolset\Services\wscsvc\Parameters]|[ServiceDllUnloadOnStop] : 1
[HKLM\System\Currentcontrolset\Services\wscsvc\Parameters]|[ServiceDll] : %SystemRoot%\System32\wscsvc.dll
[HKLM\System\Currentcontrolset\Services\wscsvc\Security]|[Security] : 0x01001480C8000000D4000000140000003000000002001C000100000002801400FF010F00010100000000000100000000020098000600000000001400FD01020001010000000000051200000000001800FF010F0001020000000000052000000020020000000014009D010200010100000000000504000000000014008D010200010100000000000506000000000014000001000001010000000000050B000000000028001500000001060000000000055000000049599D779156E555DCF4E20EA78BEBCA7B421356010100000000000512000000010100000000000512000000
¤¤¤¤¤¤¤¤¤¤ | wuauserv
[HKLM\System\Currentcontrolset\Services\wuauserv]|[PreshutdownTimeout] : 57600000
[HKLM\System\Currentcontrolset\Services\wuauserv]|[DisplayName] : @%systemroot%\system32\wuaueng.dll,-105
[HKLM\System\Currentcontrolset\Services\wuauserv]|[ImagePath] : %systemroot%\system32\svchost.exe -k netsvcs
[HKLM\System\Currentcontrolset\Services\wuauserv]|[Description] : @%systemroot%\system32\wuaueng.dll,-106
[HKLM\System\Currentcontrolset\Services\wuauserv]|[ObjectName] : LocalSystem
[HKLM\System\Currentcontrolset\Services\wuauserv]|[ErrorControl] : 1
[HKLM\System\Currentcontrolset\Services\wuauserv]|[Start] : 4
[HKLM\System\Currentcontrolset\Services\wuauserv]|[DelayedAutoStart] : 1
[HKLM\System\Currentcontrolset\Services\wuauserv]|[Type] : 32
[HKLM\System\Currentcontrolset\Services\wuauserv]|[DependOnService] : rpcss
[HKLM\System\Currentcontrolset\Services\wuauserv]|[ServiceSidType] : 1
[HKLM\System\Currentcontrolset\Services\wuauserv]|[RequiredPrivileges] : SeAuditPrivilege
SeCreateGlobalPrivilege
SeCreatePageFilePrivilege
SeTcbPrivilege
SeAssignPrimaryTokenPrivilege
SeImpersonatePrivilege
SeIncreaseQuotaPrivilege
SeShutdownPrivilege
[HKLM\System\Currentcontrolset\Services\wuauserv]|[FailureActions] : 0x80510100000000000000000003000000140000000100000060EA000000000000000000000000000000000000
[HKLM\System\Currentcontrolset\Services\wuauserv\Parameters]|[ServiceDll] : %systemroot%\system32\wuaueng.dll
[HKLM\System\Currentcontrolset\Services\wuauserv\Parameters]|[ServiceMain] : WUServiceMain
[HKLM\System\Currentcontrolset\Services\wuauserv\Parameters]|[ServiceDllUnloadOnStop] : 1
[HKLM\System\Currentcontrolset\Services\wuauserv\Security]|[Security] : 0x010014807800000084000000140000003000000002001C000100000002801400FF000F000101000000000001000000000200480003000000000014009D00020001010000000000050B00000000001800FF010F000102000000000005200000002002000000001400FF010F00010100000000000512000000010100000000000512000000010100000000000512000000 -
les trois quarts des services sont desactivés.....
telecharge ici : Load_SalityKiller
Desactive tes protections
lance-le , clique sur lancer le nettoyage
à la fin SalityKiller.txt se mettra sur ton bureau
▶▶▶ NE LE POSTE PAS SUR LE FORUM (il est trop long)
clic droit dessus , envoyer vers , dossiers compressés
ensuite :
tu m'envoies l'archive comme ceci :
clique sur ce lien : http://www.cijoint.fr/
▶ Clique sur Parcourir et cherche le fichier ci-dessus.
▶ Clique sur Ouvrir.
▶ Clique sur "Cliquez ici pour déposer le fichier".
Un lien de cette forme :
http://www.cijoint.fr/cjlink.php?file=cjge368/cijSKAP5fU.txt
est ajouté dans la page.
▶ Copie ce lien dans ta réponse.
-
Bonjour g3n-h@ckm@n,
Problème : le lien renvoie vers une erreur 404. Il m'est donc impossible de télécharger le logiciel.
Peux-tu être plus précis quant à la désactivation des protections ?
Merci-
-
-
Antivirus et pare-feu desactivés. J'ai bien pu télécharger Sality (désolé pour la maladresse ;-)).
Nouveau problème : Le logiciel est maintenant intallé sur le PC infecté, mais il est impossible de le lancer. Je suis sur la session Invité, peut-être n'ai-je pas les droits pour faire cette manip ? Ce serait embetant, vu que je ne peux plus ouvrir de session Administrateur
-
-
-
Je voudrais bien !
La session infectée est protegée par un mot de passe et malheureusement, le clavier étant inopérant sous cette session, je ne peux pas rentrer le mot de passe.
Aie ! -
-
-
-
-
En session invité :
actuellement, la session Invité est plantée car j'ai essayé de tester le fonctionnement du clavier sur un document TXT. Apparement, il n'a pas aimé puiqu'il rame depuis 30 min -
-
J'ai redémarré la machine.
Cela peut prendre un certain temps !
Le problème de fonctionnement du clavier est apparu depuis l'utilisation de Winlogon. Aurais-je fais une anerie en cliquant sur "KILL" ? -
-
Peut-être un redémarrage "mal controlé".
Vu qu'il faut 20 à 30 minutes au PC pour s'arreter, il m'arrive souvent de le stopper via le bouton ON/OFF afin d'accelerer la manoeuvre. -
Ca y est, le PC est repartit.
Session Administrateur impossible (clavier inopérant)
Session Invité active, mais impossible de lancer Sality. Le curser clignote comme un parkingsonien après le double clic sur l'icone, puis plus de résultat !
Y aurait-il une solution sous DOS ?
- 1
- 2
- 3
- 4
- 5