TROJAN (CRAZY GIRL) AIDEZ MOI !!!

Question

bonjour a tous,
jai attrapé un trojan (crazy girl) et je ne sais pa comment faire pour leliminer
je ne my connais pa tro en informatique.
Jai fait une analyse par hijackthis et il ma sorti sa : je ny compren rien

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 22:26:36, on 04/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Filesnamfler
aomf.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
c:\program filesnamfleradprcmp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Fichiers communs\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Fichiers communs\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32
vsvc32.exe
C:\Program Filesnamfler
aofsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trojan Remover	rupd.exe
C:\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\kamel\Bureau\Kamélia\Sécurité ordi\Anticrypt\HiJackThis_v2.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://actus.sfr.fr
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=wKX1ILEOi+Vh7AfA98Gm4Me69ZMbubcD3RW7BXlKjvc5QyGaMjmoIYiDMFu/mMChN1OYBW4eRF7y0gj+NGdZHICLPI77bAjoInmByNTsheqdYhGUvOQWb43l3x20OUDn7V0UR/Rp1qSbekWvwvbCk1GPWkgu08v4hz5PL9+ak2ggvynk0B1jJtpX0yxOK11u
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\fr\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\fr\msntb.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [wrna3ls] C:\Program Filesnamfler
aomf.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [snfugp] c:\windows\system32\snfugp.exe snfugp
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\PROGRA~1\MSNMES~1\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\PROGRA~1\MSNMES~1\msnmsgr.exe" /background (User 'Default user')
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Readereader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {201B9B37-848F-40BD-90EA-7B8F0AA89D6A} - http://scripts.dlv4.com/binaries/egaccess4/egaccess4_1071_em_XP.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{61F4389C-20AE-40ED-919D-7D6BD1F51F96}: NameServer = 86.64.145.145 84.103.237.145
O22 - SharedTaskScheduler: Pré-chargeur Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Démon de cache des catégories de composant - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Fichiers communs\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Fichiers communs\EPSON\EBAPI\SAgent2.exe
O23 - Service: Journal des événements (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Service COM de gravage de CD IMAPI (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe
O23 - Service: Service de l'iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Partage de Bureau à distance NetMeeting (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32
vsvc32.exe
O23 - Service: Plug-and-Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: RdnaoFlSvc - Unknown owner - C:\Program Filesnamfler
aofsvc.exe
O23 - Service: Gestionnaire de session d'aide sur le Bureau à distance (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Carte à puce (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Journaux et alertes de performance (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Cliché instantané de volume (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Carte de performance WMI (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe
O23 - Service: Service Partage réseau du Lecteur Windows Media (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe

did71 · Answer

bonsoir,

Télécharge Blacklight (de F-Secure), sauvegarde le sur ton Bureau: 

https://europe.f-secure.com/exclude/blacklight/index.shtml 

Double-clique blbeta.exe et accepte la licence ;clique Scan puis Next 

Tu verras une liste de fichiers détectés apparaître. Tu verras également un rapport, sur ton Bureau, nommé fsbl.xxxxxxx.log (les xxxxxxx sont des chiffres). 

Copie et colle le contenu de ce rapport dans ta prochaine réponse!

a+

Darkkiller · Answer

RE,

Ouvre Hijackthis et clique sur "Do a system scan only" et coche ces lignes :

O4 - HKLM\..\Run: [snfugp] c:\windows\system32\snfugp.exe snfugp

O16 - DPF: {201B9B37-848F-40BD-90EA-7B8F0AA89D6A} - http://scripts.dlv4.com/binaries/egaccess4/egaccess4_1071_em_XP.cab

Puis quand tu as coché ces lignes, clique sur "Fix Checked"
----------------------------------------------------------------------------


Prends connaissance du contenu le lien suivant: 

http://www.f-secure.com/products/license-terms/eult_fra.pdf 

Tu as donc pris connaissance et accepté les conditions d'utilisations du programme blacklight qui est inclus dans le dossier compressé navilog1.zip que tu vas télécharger. 

Maintenant fais un clic droit sur ce lien : 

http://perso.orange.fr/il.mafioso/Navifix/navilog1.zip 

Enregistrer la cible (du lien) sous... et enregistre-le sur ton bureau. 

Fais un clic droit sur navilog1.zip et choisis "tout extraire" 

Ensuite double clique sur navilog1.bat 

Laisses-toi guider. 

Au menu principal, choisis 1 et valides. 

(Ne fais pas le choix 2 sans notre avis/accord) 

Patientes jusqu'au message : 

*** Analyse Termine le ..... *** 

Appuies sur une touche comme demandé, le bloc note va s'ouvrir. 

Copies-colles l'intégralité dans une réponse. 

Refermes le bloc note. 

Le rapport est en outre sauvegardé à la racine du disque (fixnavi.txt)

Lolilola13 · Answer

Bonsoir,
jai fait ce que Did71 ma demandé de faire et il maffiche ke rien na été detecté...
En plus je ne m'y connais pas bien...

Lolilola13 · Answer

pardon, il y a eu un rapport mais pas sur mon bureau...
le voici

05/05/07 21:12:16 [Info]: BlackLight Engine 1.0.61 initialized
05/05/07 21:12:16 [Info]: OS: 5.1 build 2600 (Service Pack 2)
05/05/07 21:12:16 [Note]: 7019 4
05/05/07 21:12:16 [Note]: 7005 0
05/05/07 21:12:19 [Note]: 7006 0
05/05/07 21:12:19 [Note]: 7011 1712
05/05/07 21:12:19 [Note]: 7026 0
05/05/07 21:12:19 [Note]: 7026 0
05/05/07 21:12:21 [Note]: FSRAW library version 1.7.1021
05/05/07 21:14:39 [Note]: 7007 0

Que dois-je faire par la suite ?

did71 · Answer

Bonsoir, 

bizarre que blacklight ne trouve rien, pourtant le rapport hijackthis montre la bébéte EGDACCESS!

On va continuer tout de même sur cette infection, je ne connais pas assez navilog, j'utilise un autre outil pour cette infection!

1/ Télécharge : 

- Brute Force Uninstaller:


http//www.merijn.org/files/bfu.zip


et décompresse-le dans un dossier propre à lui (C:\BFU) 

Fais un clic droit de souris sur ce lien :

http://metallica.geekstogo.com/EGDACCESS.bfu 

et choisis "Enregistrer sous" (dans IE c'est "Enregistrer le lien sous..") 
afin de télécharger EGDACCESS.bfu, Type "Tous les fichiers". Sauvegarde dans le dossier créé (C:\BFU) 

- Navipromo.zip http://www.alt-shift-return.org/Info/Fichiers/Navipromo073.zip et décompresse-le sur ton bureau 

2/ Copie la suite des instructions dans un fichier texte, sur ton bureau. et redémarre en mode sans échec comme indiqué ici https://docs.microsoft.com/en-us/ 
Il faudra choisir ta session habituelle, pas le compte "Administrateur" ou autre. 

3/ lance le fichier Navipromo.bat qui se trouve dans le dossier Navipromo, sur ton bureau. 

* Sélectionne l'option "Recherche et suppression automatique". Patiente. 
S'il trouve quelque chose, tu verras défiler des lignes dans la fenêtre de commande et au bout de quelques instants, il faudra que tu appuies sur une touche pour que le nettoyage soit lancé. Lorsqu'il a terminé, ferme le rapport qui s'est ouvert 

* Relance l'outil, Sélectionne l'option "Suppression Heuristique", et patiente quelques minutes. Lorsqu'il a terminé, ferme le rapport qui s'est ouvert 

4/ Démarre le "Brute Force Uninstaller" en double-cliquant sur BFU.exe. 
Clique sur le petit dossier jaune, à la droite de la boîte "Scriptline to execute", et double-clique sur : EGDACCESS.bfu 
- Dans la boîte "Scriptline to execute", tu devrais maintenant voir ceci : C:\BFU\EGDACCESS.bfu 
Clique sur "Execute" et laisse-le faire son travail. 
Attendre que "Complete script execution" apparaîsse et clique sur OK. Clique exit pour fermer le programme BFU. 
Recommence encore une fois. 

5/ Démarrer -> panneau de configuration -> options internet 
Clique sur l'onglet "Contenu" puis onglet "Certificats" et si tu trouves ceci, en particulier dans "éditeurs approuvés" : 

electronic-group - egroup - Montorgueil - VIP - "Sunny Day Design Ltd" 

=> Supprime-les tous 

6/ redémarre normalement et poste le contenu du fichier Navipromo.txt qui se trouve dans Poste de travail > disque C:\ 


a+

Lolilola13 · Answer

Je crois que mon virus est parti car lors d'un autre scan avec trojan remover il ma affiché trojan horse detected & remo..
Voila
je vous affiche le rapport :



***** NORMAL SCAN FOR ACTIVE MALWARE *****
Trojan Remover Ver 6.6.0.2465. For information, email simplysupsupport@aol.com
[Unregistered version]
Scan started at: 06/05/2007 15:38:14
Using Database v6791
Operating System: Windows XP Home Edition Service Pack 2 (Build 2600)
Using data directory: C:\Documents and Settings\kamel\Application Data\Simply Super Software\Trojan Remover\
Logfile directory:    C:\Documents and Settings\kamel\Mes documents\Simply Super Software\Trojan Remover Logfiles\
Running with Administrator privileges


**************************************************
Checking Registry exefile command for modifications
Checking Registry comfile command for modifications
Checking Registry piffile command for modifications
Checking Registry batfile command for modifications
Checking Registry regfile command for modifications
Checking Registry cmdfile command for modifications
Checking Registry scrfile command for modifications

**************************************************
15:38:14: Scanning ----------WIN.INI-----------
WIN.INI found in C:\WINDOWS

**************************************************
15:38:14: Scanning --------SYSTEM.INI---------
SYSTEM.INI found in C:\WINDOWS

**************************************************
15:38:14: ----- SCANNING FOR ROOTKIT SERVICES -----
No hidden Services were detected.

**************************************************
15:38:16: Scanning -----WINDOWS REGISTRY-----
--------------------
Checking HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
--------------------
Checking HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
This key's "Shell" value calls the following program(s):
Explorer.exe - this entry has been left in place
----------
This key's "Userinit" value calls the following program(s):
C:\WINDOWS\system32\userinit.exe - this entry has been left in place
----------
This key's "System" value appears to be blank
----------
--------------------
Checking HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
--------------------
Checking HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Value Name = load
The Data Value for this entry appears to be blank
--------------------
--------------------
Checking HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
This Registry Key attempts to run the following program(s):
Value Name = avast!
Value Data = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe - this command has been left in place
--------------------
Value Name = NvCplDaemon
Value Data = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup - this command has been left in place
--------------------
Value Name = nwiz
Value Data = nwiz.exe /install - this command has been left in place
--------------------
Value Name = NvMediaCenter
Value Data = RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit - this command has been left in place
--------------------
Value Name = wrna3ls
Value Data = C:\Program Filesnamfler
aomf.exe - this command has been left in place
--------------------
Value Name = SunJavaUpdateSched
Value Data = C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe - this command has been left in place
--------------------
Value Name = QuickTime Task
Value Data = C:\Program Files\QuickTime\qttask.exe" -atboottime - this command has been left in place
--------------------
Value Name = iTunesHelper
Value Data = C:\Program Files\iTunes\iTunesHelper.exe - this command has been left in place
--------------------
Value Name = SoundMan
Value Data = SOUNDMAN.EXE - this command has been left in place
--------------------
Value Name = TrojanScanner
Value Data = C:\Program Files\Trojan Remover\Trjscan.exe - this program is Trojan Remover's own scan file
--------------------
Value Name = snfugp
Value Data = c:\windows\system32\snfugp.exe snfugp - this command has been left in place [file not found to scan]
--------------------
--------------------
Checking HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
This Registry Key appears to be empty
--------------------
Checking HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
This Registry Key appears to be empty
--------------------
Checking HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
This Registry Key attempts to run the following program(s):
Value Name = SpybotSD TeaTimer
Value Data = C:\Spybot - Search & Destroy\TeaTimer.exe - this command has been left in place
--------------------
Value Name = WMPNSCFG
Value Data = C:\Program Files\Windows Media Player\WMPNSCFG.exe - this command has been left in place
--------------------

**************************************************
15:38:26: Scanning -----SHELLEXECUTEHOOKS-----
ValueName: {AEB6717E-7E19-11d0-97EE-00C04FD91972}
File:      shell32.dll - this file is expected and has been left in place
----------

**************************************************
15:38:26: Scanning -----HIDDEN REGISTRY ENTRIES-----
Taskdir check completed
----------
No Registry Run Keys Hidden Entries found
----------

**************************************************
15:38:27: Scanning -----ACTIVE SCREENSAVER-----
ScreenSaver=C:\WINDOWS\system32\logon.scr - this command has been left in place
--------------------

**************************************************
15:38:27: Scanning ----- REGISTRY ACTIVE SETUP KEYS -----
Checking the StubPath calls in the Active Setup\Installed Components registry keys:
Key=>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}
StubPath=C:\WINDOWS\inf\unregmp2.exe - this reference has been left in place
----------
Key=>{26923b43-4d38-484f-9b9e-de460746276c}
StubPath=C:\WINDOWS\system32\shmgrate.exe - this reference has been left in place
----------
Key=>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}
StubPath=C:\WINDOWS\system32\shmgrate.exe - this reference has been left in place
----------
Key={2C7339CF-2B09-4501-B3F3-F3508C9228ED}
StubPath=C:\WINDOWS\system32egsvr32.exe - this reference has been left in place
----------
Key={44BBA840-CC51-11CF-AAFA-00AA00B6015C}
StubPath=C:\Program Files\Outlook Express\setup50.exe - this reference has been left in place
----------
Key={7790769C-0471-11d2-AF11-00C04FA35D02}
StubPath=C:\Program Files\Outlook Express\setup50.exe - this reference has been left in place
----------
Key={89820200-ECBD-11cf-8B85-00AA005B4340}
StubPath=regsvr32.exe - this reference has been left in place
----------
Key={89820200-ECBD-11cf-8B85-00AA005B4383}
StubPath=C:\WINDOWS\system32\ie4uinit.exe - this reference has been left in place
----------

**************************************************
15:38:28: Scanning ----- SERVICEDLL REGISTRY KEYS -----
Checking DLL files called from the CurrentControlSet\Services Keys:
--------------------
Key=Alerter
ServiceDLL=%SystemRoot%\system32\alrsvc.dll - this reference has been left in place
--------------------
Key=AppMgmt
ServiceDLL=%SystemRoot%\System32\appmgmts.dll - this file is globally excluded (file cannot be found)
--------------------
Key=AudioSrv
ServiceDLL=%SystemRoot%\System32\audiosrv.dll - this reference has been left in place
--------------------
Key=BITS
ServiceDLL=C:\WINDOWS\system32\qmgr.dll - this reference has been left in place
--------------------
Key=Browser
ServiceDLL=%SystemRoot%\System32\browser.dll - this reference has been left in place
--------------------
Key=CryptSvc
ServiceDLL=%SystemRoot%\System32\cryptsvc.dll - this reference has been left in place
--------------------
Key=DcomLaunch
ServiceDLL=%SystemRoot%\system32pcss.dll - this reference has been left in place
--------------------
Key=Dhcp
ServiceDLL=%SystemRoot%\System32\dhcpcsvc.dll - this reference has been left in place
--------------------
Key=dmserver
ServiceDLL=%SystemRoot%\System32\dmserver.dll - this reference has been left in place
--------------------
Key=Dnscache
ServiceDLL=%SystemRoot%\System32\dnsrslvr.dll - this reference has been left in place
--------------------
Key=ERSvc
ServiceDLL=%SystemRoot%\System32\ersvc.dll - this reference has been left in place
--------------------
Key=EventSystem
ServiceDLL=C:\WINDOWS\system32\es.dll - this reference has been left in place
--------------------
Key=FastUserSwitchingCompatibility
ServiceDLL=%SystemRoot%\System32\shsvcs.dll - this reference has been left in place
--------------------
Key=helpsvc
ServiceDLL=%WINDIR%\PCHealth\HelpCtr\Binaries\pchsvc.dll - this reference has been left in place
--------------------
Key=HidServ
ServiceDLL=%SystemRoot%\System32\hidserv.dll - this file is globally excluded (file cannot be found)
--------------------
Key=HTTPFilter
ServiceDLL=%SystemRoot%\System32\w3ssl.dll - this reference has been left in place
--------------------
Key=lanmanserver
ServiceDLL=%SystemRoot%\System32\srvsvc.dll - this reference has been left in place
--------------------
Key=lanmanworkstation
ServiceDLL=%SystemRoot%\System32\wkssvc.dll - this reference has been left in place
--------------------
Key=LmHosts
ServiceDLL=%SystemRoot%\System32\lmhsvc.dll - this reference has been left in place
--------------------
Key=Messenger
ServiceDLL=%SystemRoot%\System32\msgsvc.dll - this reference has been left in place
--------------------
Key=Netman
ServiceDLL=%SystemRoot%\System32
etman.dll - this reference has been left in place
--------------------
Key=Nla
ServiceDLL=%SystemRoot%\System32\mswsock.dll - this reference has been left in place
--------------------
Key=NtmsSvc
ServiceDLL=%SystemRoot%\system32
tmssvc.dll - this reference has been left in place
--------------------
Key=RasAuto
ServiceDLL=%SystemRoot%\System32asauto.dll - this reference has been left in place
--------------------
Key=RasMan
ServiceDLL=%SystemRoot%\System32asmans.dll - this reference has been left in place
--------------------
Key=RemoteAccess
ServiceDLL=%SystemRoot%\System32\mprdim.dll - this reference has been left in place
--------------------
Key=RpcSs
ServiceDLL=%SystemRoot%\system32pcss.dll - this reference has been left in place
--------------------
Key=Schedule
ServiceDLL=%SystemRoot%\system32\schedsvc.dll - this reference has been left in place
--------------------
Key=seclogon
ServiceDLL=%SystemRoot%\System32\seclogon.dll - this reference has been left in place
--------------------
Key=SENS
ServiceDLL=%SystemRoot%\system32\sens.dll - this reference has been left in place
--------------------
Key=SharedAccess
ServiceDLL=%SystemRoot%\System32\ipnathlp.dll - this reference has been left in place
--------------------
Key=ShellHWDetection
ServiceDLL=%SystemRoot%\System32\shsvcs.dll - this reference has been left in place
--------------------
Key=srservice
ServiceDLL=C:\WINDOWS\system32\srsvc.dll - this reference has been left in place
--------------------
Key=SSDPSRV
ServiceDLL=%SystemRoot%\System32\ssdpsrv.dll - this reference has been left in place
--------------------
Key=stisvc
ServiceDLL=%SystemRoot%\system32\wiaservc.dll - this reference has been left in place
--------------------
Key=TapiSrv
ServiceDLL=%SystemRoot%\System32	apisrv.dll - this reference has been left in place
--------------------
Key=TermService
ServiceDLL=%SystemRoot%\System32	ermsrv.dll - this reference has been left in place
--------------------
Key=Themes
ServiceDLL=%SystemRoot%\System32\shsvcs.dll - this reference has been left in place
--------------------
Key=TrkWks
ServiceDLL=%SystemRoot%\system32	rkwks.dll - this reference has been left in place
--------------------
Key=upnphost
ServiceDLL=%SystemRoot%\System32\upnphost.dll - this reference has been left in place
--------------------
Key=W32Time
ServiceDLL=C:\WINDOWS\system32\w32time.dll - this reference has been left in place
--------------------
Key=WebClient
ServiceDLL=%SystemRoot%\System32\webclnt.dll - this reference has been left in place
--------------------
Key=winmgmt
ServiceDLL=%SystemRoot%\system32\wbem\WMIsvc.dll - this reference has been left in place
--------------------
Key=WmdmPmSN
ServiceDLL=C:\WINDOWS\system32\MsPMSNSv.dll - this reference has been left in place
--------------------
Key=wscsvc
ServiceDLL=%SYSTEMROOT%\system32\wscsvc.dll - this reference has been left in place
--------------------
Key=wuauserv
ServiceDLL=C:\WINDOWS\system32\wuauserv.dll - this reference has been left in place
--------------------
Key=WudfSvc
ServiceDLL=%SystemRoot%\System32\WUDFSvc.dll - this reference has been left in place
--------------------
Key=WZCSVC
ServiceDLL=%SystemRoot%\System32\wzcsvc.dll - this reference has been left in place
--------------------
Key=xmlprov
ServiceDLL=%SystemRoot%\System32\xmlprov.dll - this reference has been left in place

**************************************************
15:38:32: Scanning ----- SERVICES REGISTRY KEYS -----
Checking files called from the CurrentControlSet\Services Keys:
Key=ACPI
ImagePath=system32\DRIVERS\ACPI.sys - this reference has been left in place
----------
Key=aec
ImagePath=system32\drivers\aec.sys - this reference has been left in place
----------
Key=AFD
ImagePath=\SystemRoot\System32\drivers\afd.sys - this reference has been left in place
----------
Key=ALCXWDM
ImagePath=system32\drivers\ALCXWDM.SYS - this reference has been left in place
----------
Key=ALG
ImagePath=%SystemRoot%\System32\alg.exe - this reference has been left in place
----------
Key=Arp1394
ImagePath=system32\DRIVERS\arp1394.sys - this reference has been left in place
----------
Key=aspnet_state
ImagePath=%SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe - this reference has been left in place
----------
Key=aswUpdSv
ImagePath="C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe" - this reference has been left in place
----------
Key=AsyncMac
ImagePath=system32\DRIVERS\asyncmac.sys - this reference has been left in place
----------
Key=atapi
ImagePath=system32\DRIVERS\atapi.sys - this reference has been left in place
----------
Key=Atmarpc
ImagePath=system32\DRIVERS\atmarpc.sys - this reference has been left in place
----------
Key=audstub
ImagePath=system32\DRIVERS\audstub.sys - this reference has been left in place
----------
Key=avast! Antivirus
ImagePath="C:\Program Files\Alwil Software\Avast4\ashServ.exe" - this reference has been left in place
----------
Key=avast! Mail Scanner
ImagePath="C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service - this reference has been left in place
----------
Key=avast! Web Scanner
ImagePath="C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service - this reference has been left in place
----------
Key=banshee
ImagePath=system32\DRIVERS\banshee.sys - this reference has been left in place
----------
Key=Cdrom
ImagePath=system32\DRIVERS\cdrom.sys - this reference has been left in place
----------
Key=CiSvc
ImagePath=%SystemRoot%\system32\cisvc.exe - this reference has been left in place
----------
Key=ClipSrv
ImagePath=%SystemRoot%\system32\clipsrv.exe - this reference has been left in place
----------
Key=COMSysApp
ImagePath=C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} - this reference has been left in place
----------
Key=Disk
ImagePath=system32\DRIVERS\disk.sys - this reference has been left in place
----------
Key=dmadmin
ImagePath=%SystemRoot%\System32\dmadmin.exe /com - this reference has been left in place
----------
Key=dmboot
ImagePath=System32\drivers\dmboot.sys - this reference has been left in place
----------
Key=dmio
ImagePath=System32\drivers\dmio.sys - this reference has been left in place
----------
Key=dmload
ImagePath=System32\drivers\dmload.sys - this reference has been left in place
----------
Key=DMusic
ImagePath=system32\drivers\DMusic.sys - this reference has been left in place
----------
Key=drmkaud
ImagePath=system32\drivers\drmkaud.sys - this reference has been left in place
----------
Key=EpsonBidirectionalService
ImagePath=C:\Program Files\Fichiers communs\EPSON\EBAPI\eEBSVC.exe - this reference has been left in place
----------
Key=EPSONStatusAgent2
ImagePath=C:\Program Files\Fichiers communs\EPSON\EBAPI\SAgent2.exe - this reference has been left in place
----------
Key=Eventlog
ImagePath=%SystemRoot%\system32\services.exe - this reference has been left in place
----------
Key=Fdc
ImagePath=system32\DRIVERS\fdc.sys - this reference has been left in place
----------
Key=FltMgr
ImagePath=system32\DRIVERS\fltMgr.sys - this reference has been left in place
----------
Key=Ftdisk
ImagePath=system32\DRIVERS\ftdisk.sys - this reference has been left in place
----------
Key=GEARAspiWDM
ImagePath=System32\Drivers\GEARAspiWDM.sys - this reference has been left in place
----------
Key=Gpc
ImagePath=system32\DRIVERS\msgpc.sys - this reference has been left in place
----------
Key=HidUsb
ImagePath=system32\DRIVERS\hidusb.sys - this reference has been left in place
----------
Key=HTTP
ImagePath=System32\Drivers\HTTP.sys - this reference has been left in place
----------
Key=i8042prt
ImagePath=system32\DRIVERS\i8042prt.sys - this reference has been left in place
----------
Key=Imapi
ImagePath=system32\DRIVERS\imapi.sys - this reference has been left in place
----------
Key=ImapiService
ImagePath=C:\WINDOWS\system32\imapi.exe - this reference has been left in place
----------
Key=intelppm
ImagePath=system32\DRIVERS\intelppm.sys - this reference has been left in place
----------
Key=Ip6Fw
ImagePath=system32\DRIVERS\Ip6Fw.sys - this reference has been left in place
----------
Key=IpFilterDriver
ImagePath=system32\DRIVERS\ipfltdrv.sys - this reference has been left in place
----------
Key=IpInIp
ImagePath=system32\DRIVERS\ipinip.sys - this reference has been left in place
----------
Key=IpNat
ImagePath=system32\DRIVERS\ipnat.sys - this reference has been left in place
----------
Key=iPod Service
ImagePath="C:\Program Files\iPod\bin\iPodService.exe" - this reference has been left in place
----------
Key=IPSec
ImagePath=system32\DRIVERS\ipsec.sys - this reference has been left in place
----------
Key=IRENUM
ImagePath=system32\DRIVERS\irenum.sys - this reference has been left in place
----------
Key=isapnp
ImagePath=system32\DRIVERS\isapnp.sys - this reference has been left in place
----------
Key=Kbdclass
ImagePath=system32\DRIVERS\kbdclass.sys - this reference has been left in place
----------
Key=kmixer
ImagePath=system32\drivers\kmixer.sys - this reference has been left in place
----------
Key=mnmsrvc
ImagePath=C:\WINDOWS\system32\mnmsrvc.exe - this reference has been left in place
----------
Key=Mouclass
ImagePath=system32\DRIVERS\mouclass.sys - this reference has been left in place
----------
Key=mouhid
ImagePath=system32\DRIVERS\mouhid.sys - this reference has been left in place
----------
Key=MRxDAV
ImagePath=system32\DRIVERS\mrxdav.sys - this reference has been left in place
----------
Key=MRxSmb
ImagePath=system32\DRIVERS\mrxsmb.sys - this reference has been left in place
----------
Key=MSDTC
ImagePath=C:\WINDOWS\system32\msdtc.exe - this reference has been left in place
----------
Key=MSIServer
ImagePath=C:\WINDOWS\system32\msiexec.exe /V - this reference has been left in place
----------
Key=MSKSSRV
ImagePath=system32\drivers\MSKSSRV.sys - this reference has been left in place
----------
Key=MSPCLOCK
ImagePath=system32\drivers\MSPCLOCK.sys - this reference has been left in place
----------
Key=MSPQM
ImagePath=system32\drivers\MSPQM.sys - this reference has been left in place
----------
Key=mssmbios
ImagePath=system32\DRIVERS\mssmbios.sys - this reference has been left in place
----------
Key=NdisTapi
ImagePath=system32\DRIVERS
distapi.sys - this reference has been left in place
----------
Key=Ndisuio
ImagePath=system32\DRIVERS
disuio.sys - this reference has been left in place
----------
Key=NdisWan
ImagePath=system32\DRIVERS
diswan.sys - this reference has been left in place
----------
Key=NetBIOS
ImagePath=system32\DRIVERS
etbios.sys - this reference has been left in place
----------
Key=NetBT
ImagePath=system32\DRIVERS
etbt.sys - this reference has been left in place
----------
Key=NetDDE
ImagePath=%SystemRoot%\system32
etdde.exe - this reference has been left in place
----------
Key=NetDDEdsdm
ImagePath=%SystemRoot%\system32
etdde.exe - this reference has been left in place
----------
Key=Netlogon
ImagePath=%SystemRoot%\system32\lsass.exe - this reference has been left in place
----------
Key=NIC1394
ImagePath=system32\DRIVERS
ic1394.sys - this reference has been left in place
----------
Key=NtLmSsp
ImagePath=%SystemRoot%\system32\lsass.exe - this reference has been left in place
----------
Key=nv
ImagePath=system32\DRIVERS
v4_mini.sys - this reference has been left in place
----------
Key=NVSvc
ImagePath=%SystemRoot%\system32
vsvc32.exe - this reference has been left in place
----------
Key=NwlnkFlt
ImagePath=system32\DRIVERS
wlnkflt.sys - this reference has been left in place
----------
Key=NwlnkFwd
ImagePath=system32\DRIVERS
wlnkfwd.sys - this reference has been left in place
----------
Key=ohci1394
ImagePath=system32\DRIVERS\ohci1394.sys - this reference has been left in place
----------
Key=PALLADIA
ImagePath=system32\DRIVERS\usbiad.sys - this reference has been left in place
----------
Key=Parport
ImagePath=system32\DRIVERS\parport.sys - this reference has been left in place
----------
Key=PCI
ImagePath=system32\DRIVERS\pci.sys - this reference has been left in place
----------
Key=PCIIde
ImagePath=system32\DRIVERS\pciide.sys - this reference has been left in place
----------
Key=PlugPlay
ImagePath=%SystemRoot%\system32\services.exe - this reference has been left in place
----------
Key=PolicyAgent
ImagePath=%SystemRoot%\system32\lsass.exe - this reference has been left in place
----------
Key=PptpMiniport
ImagePath=system32\DRIVERSaspptp.sys - this reference has been left in place
----------
Key=ProtectedStorage
ImagePath=%SystemRoot%\system32\lsass.exe - this reference has been left in place
----------
Key=PSched
ImagePath=system32\DRIVERS\psched.sys - this reference has been left in place
----------
Key=Ptilink
ImagePath=system32\DRIVERS\ptilink.sys - this reference has been left in place
----------
Key=RasAcd
ImagePath=system32\DRIVERSasacd.sys - this reference has been left in place
----------
Key=Rasl2tp
ImagePath=system32\DRIVERSasl2tp.sys - this reference has been left in place
----------
Key=RasPppoe
ImagePath=system32\DRIVERSaspppoe.sys - this reference has been left in place
----------
Key=Raspti
ImagePath=system32\DRIVERSaspti.sys - this reference has been left in place
----------
Key=Rdbss
ImagePath=system32\DRIVERSdbss.sys - this reference has been left in place
----------
Key=RdnaoFlSvc
ImagePath=C:\Program Filesnamfler
aofsvc.exe - this reference has been left in place
----------
Key=RDPCDD
ImagePath=System32\DRIVERS\RDPCDD.sys - this reference has been left in place
----------
Key=RDSessMgr
ImagePath=C:\WINDOWS\system32\sessmgr.exe - this reference has been left in place
----------
Key=redbook
ImagePath=system32\DRIVERSedbook.sys - this reference has been left in place
----------
Key=RpcLocator
ImagePath=%SystemRoot%\system32\locator.exe - this reference has been left in place
----------
Key=RSVP
ImagePath=%SystemRoot%\system32svp.exe - this reference has been left in place
----------
Key=SamSs
ImagePath=%SystemRoot%\system32\lsass.exe - this reference has been left in place
----------
Key=SCardSvr
ImagePath=%SystemRoot%\System32\SCardSvr.exe - this reference has been left in place
----------
Key=Secdrv
ImagePath=system32\DRIVERS\secdrv.sys - this reference has been left in place
----------
Key=serenum
ImagePath=system32\DRIVERS\serenum.sys - this reference has been left in place
----------
Key=Serial
ImagePath=system32\DRIVERS\serial.sys - this reference has been left in place
----------
Key=SiSGbeXP
ImagePath=system32\DRIVERS\SiSGbeXP.sys - this reference has been left in place
----------
Key=SONYPVU1
ImagePath=system32\DRIVERS\SONYPVU1.SYS - this reference has been left in place
----------
Key=splitter
ImagePath=system32\drivers\splitter.sys - this reference has been left in place
----------
Key=Spooler
ImagePath=%SystemRoot%\system32\spoolsv.exe - this reference has been left in place
----------
Key=sr
ImagePath=system32\DRIVERS\sr.sys - this reference has been left in place
----------
Key=Srv
ImagePath=system32\DRIVERS\srv.sys - this reference has been left in place
----------
Key=swenum
ImagePath=system32\DRIVERS\swenum.sys - this reference has been left in place
----------
Key=swmidi
ImagePath=system32\drivers\swmidi.sys - this reference has been left in place
----------
Key=SwPrv
ImagePath=C:\WINDOWS\system32\dllhost.exe /Processid:{D752E131-73B4-4A0A-8791-AA1F67A05ABF} - this reference has been left in place
----------
Key=sysaudio
ImagePath=system32\drivers\sysaudio.sys - this reference has been left in place
----------
Key=SysmonLog
ImagePath=%SystemRoot%\system32\smlogsvc.exe - this reference has been left in place
----------
Key=Tcpip
ImagePath=system32\DRIVERS	cpip.sys - this reference has been left in place
----------
Key=TermDD
ImagePath=system32\DRIVERS	ermdd.sys - this reference has been left in place
----------
Key=truecrypt
ImagePath=System32\drivers	ruecrypt.sys - this reference has been left in place
----------
Key=Update
ImagePath=system32\DRIVERS\update.sys - this reference has been left in place
----------
Key=UPS
ImagePath=%SystemRoot%\System32\ups.exe - this reference has been left in place
----------
Key=usbccgp
ImagePath=system32\DRIVERS\usbccgp.sys - this reference has been left in place
----------
Key=usbehci
ImagePath=system32\DRIVERS\usbehci.sys - this reference has been left in place
----------
Key=usbhub
ImagePath=system32\DRIVERS\usbhub.sys - this reference has been left in place
----------
Key=usbohci
ImagePath=system32\DRIVERS\usbohci.sys - this reference has been left in place
----------
Key=usbprint
ImagePath=system32\DRIVERS\usbprint.sys - this reference has been left in place
----------
Key=usbscan
ImagePath=system32\DRIVERS\usbscan.sys - this reference has been left in place
----------
Key=usbstor
ImagePath=system32\DRIVERS\USBSTOR.SYS - this reference has been left in place
----------
Key=VgaSave
ImagePath=\SystemRoot\System32\drivers\vga.sys - this reference has been left in place
----------
Key=VSS
ImagePath=%SystemRoot%\System32\vssvc.exe - this reference has been left in place
----------
Key=Wanarp
ImagePath=system32\DRIVERS\wanarp.sys - this reference has been left in place
----------
Key=wdmaud
ImagePath=system32\drivers\wdmaud.sys - this reference has been left in place
----------
Key=WmiApSrv
ImagePath=C:\WINDOWS\system32\wbem\wmiapsrv.exe - this reference has been left in place
----------
Key=WMPNetworkSvc
ImagePath="C:\Program Files\Windows Media Player\WMPNetwk.exe" - this reference has been left in place
----------
Key=WudfPf
ImagePath=system32\DRIVERS\WudfPf.sys - this reference has been left in place
----------
Key=WudfRd
ImagePath=system32\DRIVERS\wudfrd.sys - this reference has been left in place
----------

**************************************************
15:38:50: Scanning -----VXD ENTRIES-----
Checking VMM32 VxD files being loaded

**************************************************
15:38:50: Scanning ----- WINLOGON\NOTIFY DLLS -----
Checking DLLs called from the Winlogon\Notify key:
Key=crypt32chain
DLLName=crypt32.dll - this reference has been left in place
----------
Key=cryptnet
DLLName=cryptnet.dll - this reference has been left in place
----------
Key=cscdll
DLLName=cscdll.dll - this reference has been left in place
----------
Key=ScCertProp
DLLName=wlnotify.dll - this reference has been left in place
----------
Key=Schedule
DLLName=wlnotify.dll - this reference has been left in place
----------
Key=sclgntfy
DLLName=sclgntfy.dll - this reference has been left in place
----------
Key=SensLogn
DLLName=WlNotify.dll - this reference has been left in place
----------
Key=termsrv
DLLName=wlnotify.dll - this reference has been left in place
----------
Key=WgaLogon
DLLName=WgaLogon.dll - this reference has been left in place
----------
Key=wlballoon
DLLName=wlnotify.dll - this reference has been left in place
----------

**************************************************
15:38:51: Scanning ----- CONTEXTMENUHANDLERS -----
Key = avast
CLSID = {472083B0-C522-11CF-8763-00608CC02F24}
C:\Program Files\Alwil Software\Avast4\ashShell.dll - this ContextMenuHandler has been left in place
----------
Key = axcrypt.File
CLSID = {8918E81F-EE50-4642-BF75-B195A559111F}
C:\Program Files\Axon Data\AxCrypt\1.6.3\AxCrypt.dll - this ContextMenuHandler has been left in place
----------
Key = Fichiers hors connexion
CLSID = {750fdf0e-2a26-11d1-a3ea-080036587f03}
%SystemRoot%\System32\cscui.dll - this ContextMenuHandler has been left in place
----------
Key = Open With
CLSID = {09799AFB-AD67-11d1-ABCD-00C04FC30936}
%SystemRoot%\system32\SHELL32.dll - this ContextMenuHandler has been left in place
----------
Key = Open With EncryptionMenu
CLSID = {A470F8CF-A1E8-4f65-8335-227475AA5C46}
%SystemRoot%\system32\SHELL32.dll - this ContextMenuHandler has been left in place
----------
Key = Trojan Remover
CLSID = {52B87208-9CCF-42C9-B88E-069281105805}
C:\PROGRA~1\TROJAN~1\Trshlex.dll - this ContextMenuHandler has been left in place
----------
Key = {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
%SystemRoot%\system32\SHELL32.dll - this ContextMenuHandler has been left in place
----------

**************************************************
15:38:52: Scanning ----- FOLDER\COLUMNHANDLERS -----
Key = {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
%SystemRoot%\system32\SHELL32.dll - this Folder\ColumnHandler has been left in place
----------
Key = {24F14F01-7B1C-11d1-838f-0000F80461CF}
%SystemRoot%\system32\SHELL32.dll - this Folder\ColumnHandler has been left in place
----------
Key = {24F14F02-7B1C-11d1-838f-0000F80461CF}
%SystemRoot%\system32\SHELL32.dll - this Folder\ColumnHandler has been left in place
----------
Key = {66742402-F9B9-11D1-A202-0000F81FEDEE}
%SystemRoot%\system32\SHELL32.dll - this Folder\ColumnHandler has been left in place
----------
Key = {F9DB5320-233E-11D1-9F84-707F02C10627}
C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll - this Folder\ColumnHandler has been left in place
----------

**************************************************
15:38:52: Scanning ----- BROWSER HELPER OBJECTS -----
Key = {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - this Browser Helper Object has been left in place
----------
Key = {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll - this Browser Helper Object has been left in place
----------
Key = {9394EDE7-C8B5-483E-8773-474BF36AF6E4}
C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll - this Browser Helper Object has been left in place
----------
Key = {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}
C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\fr\msntb.dll - this Browser Helper Object has been left in place
----------

**************************************************
15:38:52: Scanning ----- SHELLSERVICEOBJECTS -----
Key = PostBootReminder
%SystemRoot%\system32\SHELL32.dll - this ShellServiceObject has been left in place
----------
Key = CDBurn
%SystemRoot%\system32\SHELL32.dll - this ShellServiceObject has been left in place
----------
Key = WebCheck
%SystemRoot%\system32\webcheck.dll - this ShellServiceObject has been left in place
----------
Key = SysTray
C:\WINDOWS\system32\stobject.dll - this ShellServiceObject has been left in place
----------
Key = WPDShServiceObj
C:\WINDOWS\system32\WPDShServiceObj.dll - this ShellServiceObject has been left in place
----------

**************************************************
15:38:53: Scanning ----- SHAREDTASKSCHEDULER ENTRIES -----
Value = {438755C2-A8BA-11D1-B96B-00A0C90312E1}
Comment = Pré-chargeur Browseui
File: %SystemRoot%\system32\browseui.dll - this SharedTaskScheduler entry has been left in place
----------
Value = {8C7461EF-2B13-11d2-BE35-3078302C2030}
Comment = Démon de cache des catégories de composant
File: %SystemRoot%\system32\browseui.dll - this SharedTaskScheduler entry has been left in place
----------

**************************************************
15:38:53: Scanning ----- IMAGEFILE DEBUGGERS -----
No "Debugger" entries found.

**************************************************
15:38:53: Scanning ----- APPINIT_DLLS -----
The AppInit_DLLs value is blank

**************************************************
15:38:53: Scanning ------ COMMON STARTUP GROUP ------
[C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage]
The Common Startup Group attempts to load the following file(s) at boot time:
desktop.ini - this file is expected and has been left in place
--------------------
Lancement rapide d'Adobe Reader.lnk - this links to C:\Program Files\Adobe\Acrobat 7.0\Readereader_sl.exe and has been left in place
--------------------

**************************************************
No User Startup Groups were located to check

**************************************************
15:38:53: Scanning ----- SCHEDULED TASKS -----

**************************************************
15:38:53: ----- EXTRA CHECKS -----
PE386 rootkit checks completed
----------
Winlogon registry rootkit checks completed
----------
Heuristic checks for hidden files/drivers completed
----------

**************************************************
15:38:53: Scanning ------ DOWNLOADED PROGRAM FILES ------
The following files are located in the DOWNLOADED PROGRAM FILES directory:
C:\WINDOWS\Downloaded Program Files\desktop.ini - this file is expected and has been left in place
C:\WINDOWS\Downloaded Program Files\GAME_UNO1.dll - this file has been left in place
C:\WINDOWS\Downloaded Program Files\GAME_UNO1.INF - this file has been left in place
C:\WINDOWS\Downloaded Program Files\IaLdr32.inf - this file has been left in place
C:\WINDOWS\Downloaded Program Files\MessengerStatsPAClient.dll - this file has been left in place
C:\WINDOWS\Downloaded Program Files\swflash.inf - this file has been left in place

**************************************************
15:38:54: Scanning ----- RUNNING PROCESSES -----

C:\WINDOWS\System32\smss.exe
--------------------
C:\WINDOWS\system32\csrss.exe
--------------------
C:\WINDOWS\system32\winlogon.exe
--------------------
C:\WINDOWS\system32\services.exe
--------------------
C:\WINDOWS\system32\lsass.exe
--------------------
C:\WINDOWS\system32\svchost.exe
--------------------
C:\WINDOWS\system32\svchost.exe
--------------------
C:\WINDOWS\System32\svchost.exe
--------------------
C:\WINDOWS\system32\svchost.exe
--------------------
C:\WINDOWS\system32\svchost.exe
--------------------
C:\WINDOWS\Explorer.EXE
--------------------
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
--------------------
C:\Program Files\Alwil Software\Avast4\ashServ.exe
--------------------
C:\WINDOWS\system32\spoolsv.exe
--------------------
C:\Program Files\Fichiers communs\EPSON\EBAPI\eEBSVC.exe
--------------------
C:\Program Files\Fichiers communs\EPSON\EBAPI\SAgent2.exe
--------------------
C:\WINDOWS\System32\svchost.exe
--------------------
C:\WINDOWS\system32
vsvc32.exe
--------------------
C:\Program Filesnamfler
aofsvc.exe
--------------------
C:\WINDOWS\system32\svchost.exe
--------------------
C:\Program Files\Windows Media Player\WMPNetwk.exe
--------------------
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
--------------------
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
--------------------
C:\WINDOWS\System32\alg.exe
--------------------
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
--------------------
C:\WINDOWS\system32\RUNDLL32.EXE
--------------------
C:\Program Filesnamfler
aomf.exe
--------------------
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
--------------------
C:\Program Files\QuickTime\qttask.exe
--------------------
C:\Program Files\iTunes\iTunesHelper.exe
--------------------
C:\WINDOWS\SOUNDMAN.EXE
--------------------
C:\Spybot - Search & Destroy\TeaTimer.exe
--------------------
C:\Program Files\Windows Media Player\WMPNSCFG.exe
--------------------
C:\Program Files\iPod\bin\iPodService.exe
--------------------
c:\program filesnamfleradprcmp.exe
--------------------
C:\WINDOWS\system32\wscntfy.exe
--------------------
C:\Program Files\MSN Messenger\msnmsgr.exe
--------------------
C:\Documents and Settings\kamel\Application Data\Simply Super Software\Trojan Remover\sjx2.exe
FileSize:          1 782 336
[This is a Trojan Remover component]
--------------------
C:\Program Files\Internet Explorer\iexplore.exe
--------------------

**************************************************
15:39:00: Checking AUTOEXEC.BAT file
AUTOEXEC.BAT found in C:\
No malicious entries were found in the AUTOEXEC.BAT file

**************************************************
15:39:00: Checking AUTOEXEC.NT file
AUTOEXEC.NT found in C:\WINDOWS\system32
No malicious entries were found in the AUTOEXEC.NT file

**************************************************
------ INTERNET EXPLORER HOME/START/SEARCH SETTINGS ------
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Start Page":
http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Local Page":
%SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Search Page":
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Default_Page_URL":
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Default_Search_URL":
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\"CustomizeSearch":
https://www.bing.com/?toHttps=1&redig=8F3F334EA60E4B1CB4D040DCFE393A89{SUB_RFC1766}/srchasst/srchcust.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\"SearchAssistant":
http://as.starware.com/dp/search?x=wKX1ILEOi+Vh7AfA98Gm4Me69ZMbubcD3RW7BXlKjvc5QyGaMjmoIYiDMFu/mMChN1OYBW4eRF7y0gj+NGdZHICLPI77bAjoInmByNTsheqdYhGUvOQWb43l3x20OUDn7V0UR/Rp1qSbekWvwvbCk1GPWkgu08v4hz5PL9+ak2ggvynk0B1jJtpX0yxOK11u
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Start Page":
https://actus.sfr.fr
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Local Page":
C:\WINDOWS\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Search Page":
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

**************************************************
 NO CHANGES HAVE BEEN MADE TO YOUR SYSTEM FILES 
Scan completed at: 06/05/2007 15:39:00
************************************************************


***** NORMAL SCAN FOR ACTIVE MALWARE *****
Trojan Remover Ver 6.6.0.2465. For information, email simplysupsupport@aol.com
[Unregistered version]
Scan started at: 06/05/2007 13:24:10
Using Database v6791
Operating System: Windows XP Home Edition Service Pack 2 (Build 2600)
Using data directory: C:\Documents and Settings\kamel\Application Data\Simply Super Software\Trojan Remover\
Logfile directory:    C:\Documents and Settings\kamel\Mes documents\Simply Super Software\Trojan Remover Logfiles\
Running with Administrator privileges


**************************************************
Checking Registry exefile command for modifications
Checking Registry comfile command for modifications
Checking Registry piffile command for modifications
Checking Registry batfile command for modifications
Checking Registry regfile command for modifications
Checking Registry cmdfile command for modifications
Checking Registry scrfile command for modifications

**************************************************
13:24:10: Scanning ----------WIN.INI-----------
WIN.INI found in C:\WINDOWS

**************************************************
13:24:10: Scanning --------SYSTEM.INI---------
SYSTEM.INI found in C:\WINDOWS

**************************************************
13:24:10: ----- SCANNING FOR ROOTKIT SERVICES -----
No hidden Services were detected.

**************************************************
13:24:11: Scanning -----WINDOWS REGISTRY-----
--------------------
Checking HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
--------------------
Checking HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
This key's "Shell" value calls the following program(s):
Explorer.exe - this entry has been left in place
----------
This key's "Userinit" value calls the following program(s):
C:\WINDOWS\system32\userinit.exe - this entry has been left in place
----------
This key's "System" value appears to be blank
----------
--------------------
Checking HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
--------------------
Checking HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Value Name = load
The Data Value for this entry appears to be blank
--------------------
--------------------
Checking HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
This Registry Key attempts to run the following program(s):
Value Name = avast!
Value Data = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe - this command has been left in place
--------------------
Value Name = NvCplDaemon
Value Data = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup - this command has been left in place
--------------------
Value Name = nwiz
Value Data = nwiz.exe /install - this command has been left in place
--------------------
Value Name = NvMediaCenter
Value Data = RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit - this command has been left in place
--------------------
Value Name = wrna3ls
Value Data = C:\Program Filesnamfler
aomf.exe - this command has been left in place
--------------------
Value Name = SunJavaUpdateSched
Value Data = C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe - this command has been left in place
--------------------
Value Name = QuickTime Task
Value Data = C:\Program Files\QuickTime\qttask.exe" -atboottime - this command has been left in place
--------------------
Value Name = iTunesHelper
Value Data = C:\Program Files\iTunes\iTunesHelper.exe - this command has been left in place
--------------------
Value Name = SoundMan
Value Data = SOUNDMAN.EXE - this command has been left in place
--------------------
Value Name = TrojanScanner
Value Data = C:\Program Files\Trojan Remover\Trjscan.exe - this program is Trojan Remover's own scan file
--------------------
Value Name = snfugp
Value Data = c:\windows\system32\snfugp.exe snfugp - this command has been left in place [file not found to scan]
--------------------
--------------------
Checking HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
This Registry Key appears to be empty
--------------------
Checking HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
This Registry Key appears to be empty
--------------------
Checking HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
This Registry Key attempts to run the following program(s):
Value Name = SpybotSD TeaTimer
Value Data = C:\Spybot - Search & Destroy\TeaTimer.exe - this command has been left in place
--------------------
Value Name = WMPNSCFG
Value Data = C:\Program Files\Windows Media Player\WMPNSCFG.exe - this command has been left in place
--------------------

**************************************************
13:24:12: Scanning -----SHELLEXECUTEHOOKS-----
ValueName: {AEB6717E-7E19-11d0-97EE-00C04FD91972}
File:      shell32.dll - this file is expected and has been left in place
----------

**************************************************
13:24:12: Scanning -----HIDDEN REGISTRY ENTRIES-----
Taskdir check completed
----------
No Registry Run Keys Hidden Entries found
----------

**************************************************
13:24:12: Scanning -----ACTIVE SCREENSAVER-----
ScreenSaver=C:\WINDOWS\system32\logon.scr - this command has been left in place
--------------------

**************************************************
13:24:12: Scanning ----- REGISTRY ACTIVE SETUP KEYS -----
Checking the StubPath calls in the Active Setup\Installed Components registry keys:
Key=>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}
StubPath=C:\WINDOWS\inf\unregmp2.exe - this reference has been left in place
----------
Key=>{26923b43-4d38-484f-9b9e-de460746276c}
StubPath=C:\WINDOWS\system32\shmgrate.exe - this reference has been left in place
----------
Key=>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}
StubPath=C:\WINDOWS\system32\shmgrate.exe - this reference has been left in place
----------
Key={2C7339CF-2B09-4501-B3F3-F3508C9228ED}
StubPath=C:\WINDOWS\system32egsvr32.exe - this reference has been left in place
----------
Key={44BBA840-CC51-11CF-AAFA-00AA00B6015C}
StubPath=C:\Program Files\Outlook Express\setup50.exe - this reference has been left in place
----------
Key={7790769C-0471-11d2-AF11-00C04FA35D02}
StubPath=C:\Program Files\Outlook Express\setup50.exe - this reference has been left in place
----------
Key={89820200-ECBD-11cf-8B85-00AA005B4340}
StubPath=regsvr32.exe - this reference has been left in place
----------
Key={89820200-ECBD-11cf-8B85-00AA005B4383}
StubPath=C:\WINDOWS\system32\ie4uinit.exe - this reference has been left in place
----------

**************************************************
13:24:13: Scanning ----- SERVICEDLL REGISTRY KEYS -----
Checking DLL files called from the CurrentControlSet\Services Keys:
--------------------
Key=Alerter
ServiceDLL=%SystemRoot%\system32\alrsvc.dll - this reference has been left in place
--------------------
Key=AppMgmt
ServiceDLL=%SystemRoot%\System32\appmgmts.dll - this file is globally excluded (file cannot be found)
--------------------
Key=AudioSrv
ServiceDLL=%SystemRoot%\System32\audiosrv.dll - this reference has been left in place
--------------------
Key=BITS
ServiceDLL=C:\WINDOWS\system32\qmgr.dll - this reference has been left in place
--------------------
Key=Browser
ServiceDLL=%SystemRoot%\System32\browser.dll - this reference has been left in place
--------------------
Key=CryptSvc
ServiceDLL=%SystemRoot%\System32\cryptsvc.dll - this reference has been left in place
--------------------
Key=DcomLaunch
ServiceDLL=%SystemRoot%\system32pcss.dll - this reference has been left in place
--------------------
Key=Dhcp
ServiceDLL=%SystemRoot%\System32\dhcpcsvc.dll - this reference has been left in place
--------------------
Key=dmserver
ServiceDLL=%SystemRoot%\System32\dmserver.dll - this reference has been left in place
--------------------
Key=Dnscache
ServiceDLL=%SystemRoot%\System32\dnsrslvr.dll - this reference has been left in place
--------------------
Key=ERSvc
ServiceDLL=%SystemRoot%\System32\ersvc.dll - this reference has been left in place
--------------------
Key=EventSystem
ServiceDLL=C:\WINDOWS\system32\es.dll - this reference has been left in place
--------------------
Key=FastUserSwitchingCompatibility
ServiceDLL=%SystemRoot%\System32\shsvcs.dll - this reference has been left in place
--------------------
Key=helpsvc
ServiceDLL=%WINDIR%\PCHealth\HelpCtr\Binaries\pchsvc.dll - this reference has been left in place
--------------------
Key=HidServ
ServiceDLL=%SystemRoot%\System32\hidserv.dll - this file is globally excluded (file cannot be found)
--------------------
Key=HTTPFilter
ServiceDLL=%SystemRoot%\System32\w3ssl.dll - this reference has been left in place
--------------------
Key=lanmanserver
ServiceDLL=%SystemRoot%\System32\srvsvc.dll - this reference has been left in place
--------------------
Key=lanmanworkstation
ServiceDLL=%SystemRoot%\System32\wkssvc.dll - this reference has been left in place
--------------------
Key=LmHosts
ServiceDLL=%SystemRoot%\System32\lmhsvc.dll - this reference has been left in place
--------------------
Key=Messenger
ServiceDLL=%SystemRoot%\System32\msgsvc.dll - this reference has been left in place
--------------------
Key=Netman
ServiceDLL=%SystemRoot%\System32
etman.dll - this reference has been left in place
--------------------
Key=Nla
ServiceDLL=%SystemRoot%\System32\mswsock.dll - this reference has been left in place
--------------------
Key=NtmsSvc
ServiceDLL=%SystemRoot%\system32
tmssvc.dll - this reference has been left in place
--------------------
Key=RasAuto
ServiceDLL=%SystemRoot%\System32asauto.dll - this reference has been left in place
--------------------
Key=RasMan
ServiceDLL=%SystemRoot%\System32asmans.dll - this reference has been left in place
--------------------
Key=RemoteAccess
ServiceDLL=%SystemRoot%\System32\mprdim.dll - this reference has been left in place
--------------------
Key=RpcSs
ServiceDLL=%SystemRoot%\system32pcss.dll - this reference has been left in place
--------------------
Key=Schedule
ServiceDLL=%SystemRoot%\system32\schedsvc.dll - this reference has been left in place
--------------------
Key=seclogon
ServiceDLL=%SystemRoot%\System32\seclogon.dll - this reference has been left in place
--------------------
Key=SENS
ServiceDLL=%SystemRoot%\system32\sens.dll - this reference has been left in place
--------------------
Key=SharedAccess
ServiceDLL=%SystemRoot%\System32\ipnathlp.dll - this reference has been left in place
--------------------
Key=ShellHWDetection
ServiceDLL=%SystemRoot%\System32\shsvcs.dll - this reference has been left in place
--------------------
Key=srservice
ServiceDLL=C:\WINDOWS\system32\srsvc.dll - this reference has been left in place
--------------------
Key=SSDPSRV
ServiceDLL=%SystemRoot%\System32\ssdpsrv.dll - this reference has been left in place
--------------------
Key=stisvc
ServiceDLL=%SystemRoot%\system32\wiaservc.dll - this reference has been left in place
--------------------
Key=TapiSrv
ServiceDLL=%SystemRoot%\System32	apisrv.dll - this reference has been left in place
--------------------
Key=TermService
ServiceDLL=%SystemRoot%\System32	ermsrv.dll - this reference has been left in place
--------------------
Key=Themes
ServiceDLL=%SystemRoot%\System32\shsvcs.dll - this reference has been left in place
--------------------
Key=TrkWks
ServiceDLL=%SystemRoot%\system32	rkwks.dll - this reference has been left in place
--------------------
Key=upnphost
ServiceDLL=%SystemRoot%\System32\upnphost.dll - this reference has been left in place
--------------------
Key=W32Time
ServiceDLL=C:\WINDOWS\system32\w32time.dll - this reference has been left in place
--------------------
Key=WebClient
ServiceDLL=%SystemRoot%\System32\webclnt.dll - this reference has been left in place
--------------------
Key=winmgmt
ServiceDLL=%SystemRoot%\system32\wbem\WMIsvc.dll - this reference has been left in place
--------------------
Key=WmdmPmSN
ServiceDLL=C:\WINDOWS\system32\MsPMSNSv.dll - this reference has been left in place
--------------------
Key=wscsvc
ServiceDLL=%SYSTEMROOT%\system32\wscsvc.dll - this reference has been left in place
--------------------
Key=wuauserv
ServiceDLL=C:\WINDOWS\system32\wuauserv.dll - this reference has been left in place
--------------------
Key=WudfSvc
ServiceDLL=%SystemRoot%\System32\WUDFSvc.dll - this reference has been left in place
--------------------
Key=WZCSVC
ServiceDLL=%SystemRoot%\System32\wzcsvc.dll - this reference has been left in place
--------------------
Key=xmlprov
ServiceDLL=%SystemRoot%\System32\xmlprov.dll - this reference has been left in place

**************************************************
13:24:17: Scanning ----- SERVICES REGISTRY KEYS -----
Checking files called from the CurrentControlSet\Services Keys:
Key=ACPI
ImagePath=system32\DRIVERS\ACPI.sys - this reference has been left in place
----------
Key=aec
ImagePath=system32\drivers\aec.sys - this reference has been left in place
----------
Key=AFD
ImagePath=\SystemRoot\System32\drivers\afd.sys - this reference has been left in place
----------
Key=ALCXWDM
ImagePath=system32\drivers\ALCXWDM.SYS - this reference has been left in place
----------
Key=ALG
ImagePath=%SystemRoot%\System32\alg.exe - this reference has been left in place
----------
Key=Arp1394
ImagePath=system32\DRIVERS\arp1394.sys - this reference has been left in place
----------
Key=aspnet_state
ImagePath=%SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe - this reference has been left in place
----------
Key=aswUpdSv
ImagePath="C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe" - this reference has been left in place
----------
Key=AsyncMac
ImagePath=system32\DRIVERS\asyncmac.sys - this reference has been left in place
----------
Key=atapi
ImagePath=system32\DRIVERS\atapi.sys - this reference has been left in place
----------
Key=Atmarpc
ImagePath=system32\DRIVERS\atmarpc.sys - this reference has been left in place
----------
Key=audstub
ImagePath=system32\DRIVERS\audstub.sys - this reference has been left in place
----------
Key=avast! Antivirus
ImagePath="C:\Program Files\Alwil Software\Avast4\ashServ.exe" - this reference has been left in place
----------
Key=avast! Mail Scanner
ImagePath="C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service - this reference has been left in place
----------
Key=avast! Web Scanner
ImagePath="C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service - this reference has been left in place
----------
Key=banshee
ImagePath=system32\DRIVERS\banshee.sys - this reference has been left in place
----------
Key=Cdrom
ImagePath=system32\DRIVERS\cdrom.sys - this reference has been left in place
----------
Key=CiSvc
ImagePath=%SystemRoot%\system32\cisvc.exe - this reference has been left in place
----------
Key=ClipSrv
ImagePath=%SystemRoot%\system32\clipsrv.exe - this reference has been left in place
----------
Key=COMSysApp
ImagePath=C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} - this reference has been left in place
----------
Key=Disk
ImagePath=system32\DRIVERS\disk.sys - this reference has been left in place
----------
Key=dmadmin
ImagePath=%SystemRoot%\System32\dmadmin.exe /com - this reference has been left in place
----------
Key=dmboot
ImagePath=System32\drivers\dmboot.sys - this reference has been left in place
----------
Key=dmio
ImagePath=System32\drivers\dmio.sys - this reference has been left in place
----------
Key=dmload
ImagePath=System32\drivers\dmload.sys - this reference has been left in place
----------
Key=DMusic
ImagePath=system32\drivers\DMusic.sys - this reference has been left in place
----------
Key=drmkaud
ImagePath=system32\drivers\drmkaud.sys - this reference has been left in place
----------
Key=EpsonBidirectionalService
ImagePath=C:\Program Files\Fichiers communs\EPSON\EBAPI\eEBSVC.exe - this reference has been left in place
----------
Key=EPSONStatusAgent2
ImagePath=C:\Program Files\Fichiers communs\EPSON\EBAPI\SAgent2.exe - this reference has been left in place
----------
Key=Eventlog
ImagePath=%SystemRoot%\system32\services.exe - this reference has been left in place
----------
Key=Fdc
ImagePath=system32\DRIVERS\fdc.sys - this reference has been left in place
----------
Key=FltMgr
ImagePath=system32\DRIVERS\fltMgr.sys - this reference has been left in place
----------
Key=Ftdisk
ImagePath=system32\DRIVERS\ftdisk.sys - this reference has been left in place
----------
Key=GEARAspiWDM
ImagePath=System32\Drivers\GEARAspiWDM.sys - this reference has been left in place
----------
Key=Gpc
ImagePath=system32\DRIVERS\msgpc.sys - this reference has been left in place
----------
Key=HidUsb
ImagePath=system32\DRIVERS\hidusb.sys - this reference has been left in place
----------
Key=HTTP
ImagePath=System32\Drivers\HTTP.sys - this reference has been left in place
----------
Key=i8042prt
ImagePath=system32\DRIVERS\i8042prt.sys - this reference has been left in place
----------
Key=Imapi
ImagePath=system32\DRIVERS\imapi.sys - this reference has been left in place
----------
Key=ImapiService
ImagePath=C:\WINDOWS\system32\imapi.exe - this reference has been left in place
----------
Key=intelppm
ImagePath=system32\DRIVERS\intelppm.sys - this reference has been left in place
----------
Key=Ip6Fw
ImagePath=system32\DRIVERS\Ip6Fw.sys - this reference has been left in place
----------
Key=IpFilterDriver
ImagePath=system32\DRIVERS\ipfltdrv.sys - this reference has been left in place
----------
Key=IpInIp
ImagePath=system32\DRIVERS\ipinip.sys - this reference has been left in place
----------
Key=IpNat
ImagePath=system32\DRIVERS\ipnat.sys - this reference has been left in place
----------
Key=iPod Service
ImagePath="C:\Program Files\iPod\bin\iPodService.exe" - this reference has been left in place
----------
Key=IPSec
ImagePath=system32\DRIVERS\ipsec.sys - this reference has been left in place
----------
Key=IRENUM
ImagePath=system32\DRIVERS\irenum.sys - this reference has been left in place
----------
Key=isapnp
ImagePath=system32\DRIVERS\isapnp.sys - this reference has been left in place
----------
Key=Kbdclass
ImagePath=system32\DRIVERS\kbdclass.sys - this reference has been left in place
----------
Key=kmixer
ImagePath=system32\drivers\kmixer.sys - this reference has been left in place
--------

did71 · Answer

Bonjour,

Pour vérifier,

Télécharge AVG Anti-Spyware: 


https://www.avg.com/en-ww/free-antivirus-download 


Tu l'installes. 
Lance AVG Anti-Spyware et clique sur le bouton Mise à jour. Patiente 

Lance AVG Anti-Spyware 
Clique sur le bouton Analyse (de la barre d'outils) 
Puis sur l'onglets Comment réagir, clique sur Actions recommandées. Sélectionne Quarantaine. 
Reviens à l'onglet Analyse. Clique sur Analyse complète du système. 
A la fin du scan, choisis l'option " Appliquer toutes les actions " en bas. 
Clique sur "Enregistrer le rapport". Ceci génère un rapport en fichier texte qui se trouve dans le dossier Reports du dossier d'AVG Anti-Spyware. 

poste le rapport AVG ainsi qu'un nouvel hijackthis! 

a+

Lolilola13 · Answer

Voici le rapport de AVG et je vais en faire un de hijackthis



---------------------------------------------------------
AVG Anti-Spyware - Rapport d'analyse
---------------------------------------------------------

 + Créé à:	19:09:23 06/05/2007

 + Résultat de l'analyse:	



C:\WINDOWS\system32\linkprd.exe -> Dialer.InstantAccess.ar : Nettoyé et sauvegardé (mise en quarantaine).
C:\Documents and Settings\kamel\Cookies\kamel@247realmedia[1].txt -> TrackingCookie.247realmedia : Nettoyé.
C:\Documents and Settings\kamel\Cookies\kamel@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Nettoyé.
C:\Documents and Settings\kamel\Cookies\kamel@adtech[2].txt -> TrackingCookie.Adtech : Nettoyé.
C:\Documents and Settings\kamel\Cookies\kamel@com[1].txt -> TrackingCookie.Com : Nettoyé.
C:\Documents and Settings\kamel\Cookies\kamel@fl01.ct2.comclick[1].txt -> TrackingCookie.Comclick : Nettoyé.
C:\Documents and Settings\kamel\Cookies\kamel@estat[1].txt -> TrackingCookie.Estat : Nettoyé.
C:\Documents and Settings\kamel\Cookies\kamel@search.live[1].txt -> TrackingCookie.Live : Nettoyé.
C:\Documents and Settings\kamel\Cookies\kamel@ie.search.msn[2].txt -> TrackingCookie.Msn : Nettoyé.
C:\Documents and Settings\kamel\Cookies\kamel@search.msn[3].txt -> TrackingCookie.Msn : Nettoyé.
C:\Documents and Settings\kamel\Cookies\kamel@overture[1].txt -> TrackingCookie.Overture : Nettoyé.
C:\Documents and Settings\kamel\Cookies\kamel@www.paypal[1].txt -> TrackingCookie.Paypal : Nettoyé.
C:\Documents and Settings\kamel\Cookies\kamel@revsci[2].txt -> TrackingCookie.Revsci : Nettoyé.
C:\Documents and Settings\kamel\Cookies\kamel@bs.serving-sys[1].txt -> TrackingCookie.Serving-sys : Nettoyé.
C:\Documents and Settings\kamel\Cookies\kamel@serving-sys[2].txt -> TrackingCookie.Serving-sys : Nettoyé.
C:\Documents and Settings\kamel\Cookies\kamel@www.smartadserver[2].txt -> TrackingCookie.Smartadserver : Nettoyé.
C:\Documents and Settings\kamel\Cookies\kamel@h.starware[2].txt -> TrackingCookie.Starware : Nettoyé.
C:\Documents and Settings\kamel\Cookies\kamel@try.starware[1].txt -> TrackingCookie.Starware : Nettoyé.
C:\Documents and Settings\kamel\Cookies\kamel@weborama[2].txt -> TrackingCookie.Weborama : Nettoyé.


Fin du rapport


Voila

a la suite celui de hijackthis


Lolilola13

Lolilola13 · Answer

Voici le rapport de hijackthis

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 19:11:54, on 06/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Fichiers communs\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Fichiers communs\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32
vsvc32.exe
C:\Program Filesnamfler
aofsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Filesnamfler
aomf.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\program filesnamfleradprcmp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\kamel\Bureau\Kamélia\Sécurité ordi\Anticrypt\HiJackThis_v2.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://actus.sfr.fr
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=wKX1ILEOi+Vh7AfA98Gm4Me69ZMbubcD3RW7BXlKjvc5QyGaMjmoIYiDMFu/mMChN1OYBW4eRF7y0gj+NGdZHICLPI77bAjoInmByNTsheqdYhGUvOQWb43l3x20OUDn7V0UR/Rp1qSbekWvwvbCk1GPWkgu08v4hz5PL9+ak2ggvynk0B1jJtpX0yxOK11u
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\fr\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\fr\msntb.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [wrna3ls] C:\Program Filesnamfler
aomf.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [snfugp] c:\windows\system32\snfugp.exe snfugp
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\PROGRA~1\MSNMES~1\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\PROGRA~1\MSNMES~1\msnmsgr.exe" /background (User 'Default user')
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Readereader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {201B9B37-848F-40BD-90EA-7B8F0AA89D6A} - http://scripts.dlv4.com/binaries/egaccess4/egaccess4_1071_em_XP.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{61F4389C-20AE-40ED-919D-7D6BD1F51F96}: NameServer = 84.103.237.143 86.64.145.143
O22 - SharedTaskScheduler: Pré-chargeur Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Démon de cache des catégories de composant - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Fichiers communs\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Fichiers communs\EPSON\EBAPI\SAgent2.exe
O23 - Service: Journal des événements (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Service COM de gravage de CD IMAPI (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe
O23 - Service: Service de l'iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Partage de Bureau à distance NetMeeting (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32
vsvc32.exe
O23 - Service: Plug-and-Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: RdnaoFlSvc - Unknown owner - C:\Program Filesnamfler
aofsvc.exe
O23 - Service: Gestionnaire de session d'aide sur le Bureau à distance (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Carte à puce (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Journaux et alertes de performance (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Cliché instantané de volume (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Carte de performance WMI (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe
O23 - Service: Service Partage réseau du Lecteur Windows Media (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe

did71 · Answer

re,

1) relance hijackthis, coche les lignes citées ci dessous et fix checked (toutes fenêtres IE fermées) :

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/ 
O4 - HKLM\..\Run: [snfugp] c:\windows\system32\snfugp.exe snfugp 
O16 - DPF: {201B9B37-848F-40BD-90EA-7B8F0AA89D6A} - http://scripts.dlv4.com/binaries/egaccess4/egaccess4_1071_em_XP.cab

2) Télécharge OTMoveIt (de Old_Timer) sur ton Bureau.
double-clique sur OTMoveIt.exe pour le lancer.
copie la liste qui se trouve en gras ci-dessous,
et colle-la dans le cadre de gauche de OTMoveIt :Paste List of Files/Folders to be moved.


c:\windows\system32\snfugp.exe


clique sur MoveIt! pour lancer la suppression.
le résultat apparaitra dans le cadre Results.
clique sur Exit pour fermer.
poste le rapport situé dans C:\\_OTMoveIt\MovedFiles.

il te sera peut-être demander de redémarrer le pc pour achever la suppression.
si c'est le cas accepte par Yes.
 
a+

Lolilola13 · Answer

J'ai deux questions a vous poser:
1) sa veut dire que le virus est toujours sur mon ordi ?
2)pouvez vous me donner un lien pour telecharger  OTMoveIt s'il vous plait.

   Merci d'avance,
          cordialement,
Lolilola.

did71 · Answer

Bonsoir,

oups, désolé pour le lien, c'est ici:

http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

oui, il reste des traces de bébétes!

a+

Lolilola13 · Answer

S'il vous plait repondez moi !!!!!!

did71 · Answer

bonjour, 

tu n'as pas fait la dernière manip proposé, suis la procédure!

a+

Lolilola13 · Answer

svp repondez.
Merci

did71 · Answer

Bonsoir,

c'est à toi de répondre!!!!

tu as fait la manip avec Otmoveit?

tu ne donnes aucunes nouvelles?

a+

Lolilola13 · Answer

je viens de faire une analyse avec AVG Anti-Spyware 7.5 et il a detecté un virus qui s'appelle : Dialer.InstantAccess.ar
Je ne sais pas d'où ça vient mais je vous envoie le rapport quand l'analyse sera terminée.

Lolilola13 · Answer

voici le rapport de AVG :


---------------------------------------------------------
AVG Anti-Spyware - Rapport d'analyse
---------------------------------------------------------

 + Créé à:	21:26:03 23/05/2007

 + Résultat de l'analyse:	



C:\System Volume Information\_restore{ACA180CF-123D-4E70-BE61-DA6F762F4696}\RP42\A0010442.exe -> Dialer.InstantAccess.ar : Aucune action entreprise.


Fin du rapport







Alala, je suis desespérée.
Mais je n'ai pas fait la manip avec Ot moveit...
Ou en est la chose ?

did71 · Answer

re,

pas bien méchant ce rapport!

1) désactive ta restauration système, info ici:

http://service1.symantec.com/SUPPORT/INTER/tsgeninfointl.nsf/fr_docid/20020830101856924

2) relance AVG et poste le nouveau rapport!

3) poste un nouvel hijackthis!

a+

Lolilola13 · Answer

Bonjour, 
voici le rapport avg :


---------------------------------------------------------
AVG Anti-Spyware - Rapport d'analyse
---------------------------------------------------------

 + Créé à:	19:15:54 24/05/2007

 + Résultat de l'analyse:	



	Rien à signaler.



Fin du rapport



Je suis etonnée du rapport !!!
Je dois poster celui de hijackthis quand meme ?

did71 · Answer

Bonjour,

comment se comporte le PC?

a+

Lolilola13 · Answer

aucun probleme particulier, tout va bien meme quand javais le virus
  Je poste le rapport hijackthis on sait jamais, nn ?

did71 · Answer

Bonsoir,

oui, poste le rapport, on verra s'il y a des choses à virer!

a+

Lolilola13 · Answer

voici le rapport de asquare



Version - a-squared Free 2.1

Réglages Scan:

Objets: Mémoire, Traces, Cookies, C:\
Scan archives: Marche
Heuristiques: Marche
Scan ADS: Marche

Début du scan:	11/06/2007 18:03:13

C:\Documents and Settings\kamel\Cookies\kamel@adserver.aol[2].txt 	Détecter: Trace.TrackingCookie
C:\Documents and Settings\kamel\Cookies\kamel@adtech[2].txt 	Détecter: Trace.TrackingCookie
C:\Documents and Settings\kamel\Cookies\kamel@bizrate[1].txt 	Détecter: Trace.TrackingCookie
C:\Documents and Settings\kamel\Cookies\kamel@bs.serving-sys[2].txt 	Détecter: Trace.TrackingCookie
C:\Documents and Settings\kamel\Cookies\kamel@common[1].txt 	Détecter: Trace.TrackingCookie
C:\Documents and Settings\kamel\Cookies\kamel@comparez.priceminister[1].txt 	Détecter: Trace.TrackingCookie
C:\Documents and Settings\kamel\Cookies\kamel@comz.skyblog[1].txt 	Détecter: Trace.TrackingCookie
C:\Documents and Settings\kamel\Cookies\kamel@fl01.ct2.comclick[1].txt 	Détecter: Trace.TrackingCookie
C:\Documents and Settings\kamel\Cookies\kamel@mediametrics.mpsa[1].txt 	Détecter: Trace.TrackingCookie
C:\Documents and Settings\kamel\Cookies\kamel@popotamo[2].txt 	Détecter: Trace.TrackingCookie
C:\Documents and Settings\kamel\Cookies\kamel@serving-sys[2].txt 	Détecter: Trace.TrackingCookie
C:\Documents and Settings\kamel\Cookies\kamel@tripod[1].txt 	Détecter: Trace.TrackingCookie
C:\Documents and Settings\kamel\Cookies\kamel@weborama[1].txt 	Détecter: Trace.TrackingCookie
C:\Documents and Settings\kamel\Cookies\kamel@www.cibleclick[2].txt 	Détecter: Trace.TrackingCookie

Scanné

Fichiers: 	63606
Traces: 	118336
Cookies: 	513
Processus: 	38

Trouver

Fichiers: 	0
Traces: 	0
Cookies: 	14
Processus: 	0
Clés de Registre: 	0

Fin du Scan:	11/06/2007 18:20:55
Temps du Scan:	00:17:42

C:\Documents and Settings\kamel\Cookies\kamel@adserver.aol[2].txt	Quarantaine Trace.TrackingCookie
C:\Documents and Settings\kamel\Cookies\kamel@adtech[2].txt	Quarantaine Trace.TrackingCookie
C:\Documents and Settings\kamel\Cookies\kamel@bizrate[1].txt	Quarantaine Trace.TrackingCookie
C:\Documents and Settings\kamel\Cookies\kamel@bs.serving-sys[2].txt	Quarantaine Trace.TrackingCookie
C:\Documents and Settings\kamel\Cookies\kamel@common[1].txt	Quarantaine Trace.TrackingCookie
C:\Documents and Settings\kamel\Cookies\kamel@comparez.priceminister[1].txt	Quarantaine Trace.TrackingCookie
C:\Documents and Settings\kamel\Cookies\kamel@comz.skyblog[1].txt	Quarantaine Trace.TrackingCookie
C:\Documents and Settings\kamel\Cookies\kamel@fl01.ct2.comclick[1].txt	Quarantaine Trace.TrackingCookie
C:\Documents and Settings\kamel\Cookies\kamel@mediametrics.mpsa[1].txt	Quarantaine Trace.TrackingCookie
C:\Documents and Settings\kamel\Cookies\kamel@popotamo[2].txt	Quarantaine Trace.TrackingCookie
C:\Documents and Settings\kamel\Cookies\kamel@serving-sys[2].txt	Quarantaine Trace.TrackingCookie
C:\Documents and Settings\kamel\Cookies\kamel@tripod[1].txt	Quarantaine Trace.TrackingCookie
C:\Documents and Settings\kamel\Cookies\kamel@weborama[1].txt	Quarantaine Trace.TrackingCookie
C:\Documents and Settings\kamel\Cookies\kamel@www.cibleclick[2].txt	Quarantaine Trace.TrackingCookie

Quarantaine

Fichiers: 	0
Traces: 	0
Cookies: 	14





voila.
Dois-je poster le rapport hijackthis ?

Lolilola13.

did71 · Answer

Bonsoir,

seulement des cookies, donc c'est ok pour moi!

si tout va bien?

a+

Lolilola13 · Answer

cela veut dire que je n'ai pas de virus ? je ne suis pas tres convaincue donc je fais une analyse avec hijackthis et encore avec a squared free mais plus lent et je vous poste tout ça.
Merci d'avance...
Lolilola13.

Lolilola13 · Answer

Bonjour, 
voici les rapoorts promis !

Asqured free :


Version - a-squared Free 3.0
Dernière mise à jour: 11/06/2007 18:02:50

Réglages Scan:

Objets: Mémoire, Traces, Cookies, C:\
Scan archives: Marche
Heuristiques: Marche
Scan ADS: Marche

Début du scan:	16/06/2007 13:09:06

C:\Documents and Settings\kamel\Cookies\kamel@247realmedia[2].txt 	Détecter: Trace.TrackingCookie
C:\Documents and Settings\kamel\Cookies\kamel@2o7[1].txt 	Détecter: Trace.TrackingCookie
C:\Documents and Settings\kamel\Cookies\kamel@adtech[2].txt 	Détecter: Trace.TrackingCookie
C:\Documents and Settings\kamel\Cookies\kamel@bs.serving-sys[1].txt 	Détecter: Trace.TrackingCookie
C:\Documents and Settings\kamel\Cookies\kamel@serving-sys[1].txt 	Détecter: Trace.TrackingCookie
C:\Documents and Settings\kamel\Cookies\kamel@weborama[2].txt 	Détecter: Trace.TrackingCookie
C:\Documents and Settings\kamel\Mes documents\TomTom Navigator 5.00 PPC multilangue + carte france benelux by (-=DKFreeZer=-)\TomTom Navigator 5.00\(TT5 Map FR)  - France-MaptFrance-Map\France-Map.part01.rar/CNAME.DAT 	Détecter: Heuristic.ArchiveBomb

Scanné

Fichiers: 	82522
Traces: 	256159
Cookies: 	524
Processus: 	42

Trouver

Fichiers: 	1
Traces: 	0
Cookies: 	6
Processus: 	0
Clés de Registre: 	0

Fin du Scan:	16/06/2007 14:03:09
Temps du Scan:	00:54:03






Et voici le rapport hijackthis :


Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 14:30:06, on 16/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\rnamfler\naomf.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
c:\program files\rnamfler\radprcmp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Fichiers communs\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Fichiers communs\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\rnamfler\naofsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Documents and Settings\kamel\Bureau\Kamélia\Sécurité ordi\Anticrypt\HiJackThis_v2.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://actus.sfr.fr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [wrna3ls] C:\Program Files\rnamfler\naomf.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [snfugp] c:\windows\system32\snfugp.exe snfugp
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\PROGRA~1\MSNMES~1\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\PROGRA~1\MSNMES~1\msnmsgr.exe" /background (User 'Default user')
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - https://onedrive.live.com/?id=favorites
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Créer un Favori de l'appareil mobile - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Créer un Favori de l'appareil mobile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{61F4389C-20AE-40ED-919D-7D6BD1F51F96}: NameServer = 86.64.145.146 84.103.237.146
O22 - SharedTaskScheduler: Pré-chargeur Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Démon de cache des catégories de composant - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Fichiers communs\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Fichiers communs\EPSON\EBAPI\SAgent2.exe
O23 - Service: Journal des événements (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Service COM de gravage de CD IMAPI (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe
O23 - Service: Service de l'iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Partage de Bureau à distance NetMeeting (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Plug-and-Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: RdnaoFlSvc - Unknown owner - C:\Program Files\rnamfler\naofsvc.exe
O23 - Service: Gestionnaire de session d'aide sur le Bureau à distance (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Carte à puce (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Journaux et alertes de performance (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Cliché instantané de volume (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Carte de performance WMI (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe
O23 - Service: Service Partage réseau du Lecteur Windows Media (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe

did71 · Answer

Bonjour,

c'est toujours propre, juste des cookies, ton pc est sain, rien à signaler!

a+

Lolilola13 · Answer

Bonjour, 
jai fait une analyse avec asquaredfree. Voici le rapport :


Version - a-squared Free 3.0
Dernière mise à jour: 09/08/2007 14:51:26

Réglages Scan:

Objets: Mémoire, Traces, Cookies, C:\
Scan archives: Marche
Heuristiques: Marche
Scan ADS: Marche

Début du scan:	09/08/2007 15:02:41

C:\Documents and Settings\kamel\Cookies\kamel@247realmedia[2].txt 	Détecter: Trace.TrackingCookie
C:\Documents and Settings\kamel\Cookies\kamel@2o7[1].txt 	Détecter: Trace.TrackingCookie
C:\Documents and Settings\kamel\Cookies\kamel@adtech[2].txt 	Détecter: Trace.TrackingCookie
C:\Documents and Settings\kamel\Cookies\kamel@bs.serving-sys[2].txt 	Détecter: Trace.TrackingCookie
C:\Documents and Settings\kamel\Cookies\kamel@com[1].txt 	Détecter: Trace.TrackingCookie
C:\Documents and Settings\kamel\Cookies\kamel@dealtime[1].txt 	Détecter: Trace.TrackingCookie
C:\Documents and Settings\kamel\Cookies\kamel@edge.ru4[1].txt 	Détecter: Trace.TrackingCookie
C:\Documents and Settings\kamel\Cookies\kamel@findwhat[1].txt 	Détecter: Trace.TrackingCookie
C:\Documents and Settings\kamel\Cookies\kamel@fl01.ct2.comclick[2].txt 	Détecter: Trace.TrackingCookie
C:\Documents and Settings\kamel\Cookies\kamel@mediametrics.mpsa[1].txt 	Détecter: Trace.TrackingCookie
C:\Documents and Settings\kamel\Cookies\kamel@mediaservices.myspace[1].txt 	Détecter: Trace.TrackingCookie
C:\Documents and Settings\kamel\Cookies\kamel@serving-sys[2].txt 	Détecter: Trace.TrackingCookie
C:\Documents and Settings\kamel\Cookies\kamel@smartadserver[2].txt 	Détecter: Trace.TrackingCookie
C:\Documents and Settings\kamel\Cookies\kamel@specificclick[2].txt 	Détecter: Trace.TrackingCookie
C:\Documents and Settings\kamel\Cookies\kamel@stat.dealtime[2].txt 	Détecter: Trace.TrackingCookie
C:\Documents and Settings\kamel\Cookies\kamel@tribalfusion[2].txt 	Détecter: Trace.TrackingCookie
C:\Documents and Settings\kamel\Cookies\kamel@weborama[1].txt 	Détecter: Trace.TrackingCookie

Scanné

Fichiers: 	85069
Traces: 	303355
Cookies: 	788
Processus: 	64

Trouver

Fichiers: 	0
Traces: 	0
Cookies: 	17
Processus: 	0
Clés de Registre: 	0

Fin du Scan:	09/08/2007 16:18:20
Temps du Scan:	01:15:39



Voila.
Merci davance...:)

badboys · Answer

Bonjour, tu dois faire un format c: et le probleme sera resolu

TROJAN (CRAZY GIRL) AIDEZ MOI !!!

30 réponses

Votre réponse

Discussions similaires

Newsletters