[SOLVED] Trojan that throws pop-ups: 9ringtone etc... thanks


n°2000432
Eternos
Posted on 18-04-2005 at 18:51:48
 

Well, I've most likely caught a trojan!!
 
It throws pop-ups at me every 5 minutes, for 9ringtone or little windows that generate some kind of Windows error with a weird mms:/// thing, so I'm posting a HijackThis log so you can take a look and help me, thanks a lot!! It's horrible playing on the network with this crap :cry:
 
 Logfile of HijackThis v1.99.1
Scan saved at 18:50:57, on 18/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\fr\msnappau.exe
C:\Program Files\NXP\CursorXP\CursorXP.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\WINDOWS\System32\l?gonui.exe
C:\Documents and Settings\Colonel ETERNOS\Application Data\tasa.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Poste de Travail Sans Fil Labtec\MulMouse.exe
C:\Program Files\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE
C:\Program Files\Poste de Travail Sans Fil Labtec\MagicKey.exe
C:\Program Files\The All-Seeing Eye\eye.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Hijackthis\HijackThis.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.fr/0SEFRFR/SAOS02
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - Default URLSearchHook is missing
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\fr\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\fr\msntb.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\fr\msnappau.exe"
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\NXP\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Rkwnogn] C:\WINDOWS\System32\l?gonui.exe
O4 - HKCU\..\Run: [Ssma] C:\Documents and Settings\Colonel ETERNOS\Application Data\tasa.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Activer le Poste de Travail Sans Fil Labtec.lnk = C:\Program Files\Poste de Travail Sans Fil Labtec\MulMouse.exe
O4 - Global Startup: D-Link AirPlus G+ Wireless Adapter Utility.lnk = C:\Program Files\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Pages liées - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Pages similaires - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Version de la page actuelle disponible dans le cache Google - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.185.246
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ [...] loader.cab
O16 - DPF: {C0B285F6-DB2B-4908-9C58-F6D95397D747} - http://www.pacimedia.com/install/pcs_0025.exe
O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\e8jmli1118.dll
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\FICHIE~1\Stardock\mcpstub.dll (file missing)
O20 - Winlogon Notify: WB - C:\PROGRA~1\STARDOCK\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe


Message edited by Eternos on 18-04-2005 at 22:06:36
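A small triage script for a log like the one above, added here as an example (it is not part of the thread, nor of HijackThis). The rules are heuristics written for this example, covering the entry types that stand out in this log, and the sample lines are copied from it:

```python
"""Triage of HijackThis v1.99 log lines.

The rules below are heuristics written for this example; they are not part
of HijackThis and not something the thread itself spells out. They cover
the entry types that stand out in the log above: IE Trusted Zone entries
(O15), Winlogon Notify DLLs with random-looking names in system32 (O20),
Run entries whose path holds an unprintable character or points into a
user profile (O4), and DPF entries that download a bare .exe (O16).
"""
import re
from typing import Callable, Dict, List

# Constructed sample: lines copied from the first log in the thread, with a
# few clean entries kept so the split between clean and flagged is visible.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [Rkwnogn] C:\WINDOWS\System32\l?gonui.exe
O4 - HKCU\..\Run: [Ssma] C:\Documents and Settings\Colonel ETERNOS\Application Data\tasa.exe
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted IP range: 67.19.185.246
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {C0B285F6-DB2B-4908-9C58-F6D95397D747} - http://www.pacimedia.com/install/pcs_0025.exe
O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\e8jmli1118.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\STARDOCK\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


def check_o4(body: str) -> List[str]:
    """Autostart entries (Run keys, startup folders)."""
    m = RUN_RE.search(body)
    if not m:
        return []
    cmd = m.group("cmd").strip().strip('"')
    reasons = []
    # HijackThis prints a non-printable character in a path as '?'; a real
    # program name never contains one (l?gonui.exe mimics logonui.exe).
    if "?" in cmd:
        reasons.append("unprintable character in executable path")
    # Legitimate XP software is not normally auto-started from a profile's
    # Application Data folder.
    if re.search(r"\\Application Data\\[^\\]+\.exe", cmd, re.IGNORECASE):
        reasons.append("executable auto-started from a user profile folder")
    return reasons


def check_o15(body: str) -> List[str]:
    """Trusted Zone / Trusted IP range: IE runs these sites with relaxed
    security, and users rarely add such entries by hand."""
    return ["site or IP range added to the IE Trusted Zone"]


def check_o16(body: str) -> List[str]:
    """Downloaded Program Files (ActiveX): the download URL is the last
    ' - ' separated field; a legitimate control ships as a .cab."""
    url = body.rsplit(" - ", 1)[-1].strip()
    if url.lower().endswith(".exe"):
        return ["ActiveX entry downloads a bare .exe instead of a .cab"]
    return []


def check_o20(body: str) -> List[str]:
    """Winlogon Notify DLLs load inside winlogon at every logon. HijackThis
    hides the Microsoft defaults, so what is left in system32 with a
    random-looking (digit-laden) name deserves a close look."""
    path = body.split(" - ", 1)[-1].strip()
    name = path.rsplit("\\", 1)[-1]
    if "\\system32\\" in path.lower() and re.search(r"\d", name):
        return ["random-looking DLL name in system32"]
    return []


CHECKS: Dict[str, Callable[[str], List[str]]] = {
    "O4": check_o4, "O15": check_o15, "O16": check_o16, "O20": check_o20,
}


def triage(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per flagged line: section, reasons and the line."""
    findings: List[Dict[str, object]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        check = CHECKS.get(m.group("section"))
        reasons = check(m.group("body")) if check else []
        if reasons:
            findings.append({"section": m.group("section"),
                             "reasons": reasons, "line": line})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["section"], "|", "; ".join(f["reasons"]), "|", f["line"])
```

Run against the full first log it flags the same handful of lines a helper would ask to fix, and leaves the ATI, AVG and Stardock entries alone.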
 

n°2000436
acrobaze
Posted on 18-04-2005 at 18:55:55
 

Start with this: download this file.
Run it and reboot.
 
Same with this one.
 
Post a new HijackThis log.

n°2000460
Eternos
Posted on 18-04-2005 at 19:09:31
 

I ran everything you told me, rebooting each time, and here's the HijackThis log
 
Logfile of HijackThis v1.99.1
Scan saved at 19:08:28, on 18/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\fr\msnappau.exe
C:\Program Files\NXP\CursorXP\CursorXP.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\Poste de Travail Sans Fil Labtec\MulMouse.exe
C:\Program Files\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE
C:\Program Files\Poste de Travail Sans Fil Labtec\MagicKey.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Hijackthis\HijackThis.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.fr/0SEFRFR/SAOS02
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\fr\msntb.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\fr\msnappau.exe"
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\NXP\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Activer le Poste de Travail Sans Fil Labtec.lnk = C:\Program Files\Poste de Travail Sans Fil Labtec\MulMouse.exe
O4 - Global Startup: D-Link AirPlus G+ Wireless Adapter Utility.lnk = C:\Program Files\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Pages liées - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Pages similaires - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Version de la page actuelle disponible dans le cache Google - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ [...] loader.cab
O16 - DPF: {C0B285F6-DB2B-4908-9C58-F6D95397D747} - http://www.pacimedia.com/install/pcs_0025.exe
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\FICHIE~1\Stardock\mcpstub.dll (file missing)
O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\k862lijo18oc.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\STARDOCK\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
 
 
Thanks for helping me, Acrobaze

n°2000478
acrobaze
Posted on 18-04-2005 at 19:17:26
 

That's already better!
 
Now, this:
 
Download this file.
Put it on your desktop.
Unzip it on your desktop.
Double-click l2mfix.bat and choose option 1 (then Enter).
Let it work for a few minutes and copy/paste the final log here.
 
PS: above all, do not click option 2 yet.. nor any other l2mfix file!!!


Message edited by acrobaze on 18-04-2005 at 19:27:54
n°2000480
Eternos
Posted on 18-04-2005 at 19:21:02
 

ok, I've heard of that file!!
 
I trust you and I'll keep you posted, thanks!!

n°2000486
Eternos
Posted on 18-04-2005 at 19:24:10
 

It gave me 2 errors at the start, it was pretty quick, here's the log!
 
L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MCPClient]
"Asynchronous"=dword:00000000
"DllName"="C:\\PROGRA~1\\FICHIE~1\\Stardock\\mcpstub.dll"
"Startup"="MCPSystemStartup"
"Logon"="MCPLogonStartup"
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Syncmgr]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\k862lijo18oc.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WB]
"Asynchronous"=dword:00000000
"DllName"="C:\\PROGRA~1\\STARDOCK\\OBJECT~1\\WINDOW~1\\fastload.dll"
"Startup"="StartSys"
"Logon"="StartWB"
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
 
**********************************************************************************
useragent:
Windows Registry Editor Version 5.00
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{83F2A538-A3AC-6082-4E8F-6619C1BA2D20}"=""
 
**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Feuille de propriétés du fichier multimédia"
"{176d6597-26d3-11d1-b350-080036a75b03}"="Gestion de scanneur ICM"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="Page de sécurité NTFS"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="Page des propriétés de OLE DocFile"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Extensions de l'environnement pour le partage"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Extension Affichage Carte du Panneau de configuration"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Extension Affichage Écran du Panneau de configuration"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Extension Affichage Panorama du Panneau de configuration"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="Page de sécurité DS"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Page de compatibilité"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Gestionnaire de données endommagées de l'environnement"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Extension copie de disquette"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Extensions de l'environnement pour les objets réseau de Microsoft Windows"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="Gestion d'écran ICM"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="Gestion d'imprimante ICM"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Extensions de l'environnement de compression de fichiers"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Extension de l'environnement d'imprimante Web"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Menu contextuel de cryptage"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Porte-documents"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="Extension icône HyperTerminal"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="Profil ICC"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Page de sécurité des imprimantes"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Extensions de l'environnement pour le partage"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Extension de cryptographie PKO"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Extension de cryptographie Sign"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Connexions réseau"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Connexions réseau"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="&Scanneurs et appareils photo"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="&Scanneurs et appareils photo"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="&Scanneurs et appareils photo"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="&Scanneurs et appareils photo"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="&Scanneurs et appareils photo"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Extensions de l'interpréteur de commandes pour l'environnement d'exécution de scripts Windows"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Liaison de données Microsoft"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Tâches planifiées"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Barre des tâches et menu Démarrer"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Rechercher"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Aide et support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Aide et support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Exécuter..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="Courrier électronique"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Polices"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Outils d'administration"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Barre d'outils Internet Microsoft"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="État du téléchargement"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Dossier Bureau étendu"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Dossier du shell augmenté"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Bande du navigateur Microsoft"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Bande de recherche"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="Volet intégré de recherche"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Recherche Web"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Utilitaire des options de l'arborescence du Registre"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Adresse"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Boîte d'entrée de l'adresse"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Saisie semi-automatique Microsoft"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="Liste de saisie semi-automatique MRU"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Liste de saisie semi-automatique personnalisée MRU"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Barre de progrès auto-ouvrante"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Analyseur de la barre d'adresses"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Liste de saisie semi-automatique de l'historique Microsoft"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Liste de saisie semi-automatique du dossier Shell Microsoft"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Conteneur de la liste de saisie semi-automatique multiple Microsoft"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Menu Site de bandes"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Barre du Bureau"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="Assistance utilisateur"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Paramètres du dossier global"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="Historique"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="Image de démarrage de la Suite IE4"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="Dossier ActiveX Cache"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Dossier Inscription"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Gestionnaire d'applications d'environnement"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Énumérateur d'applications installées"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Publication d'application Darwin"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="Extracteur de miniatures de fichier + GDI"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Gestionnaire de miniatures - Informations de résumé (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="Extracteur de miniatures HTML"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Assistant Publication de sites Web"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Commande d'impressions via le Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Objet Assistant de publication Shell"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Assistant Obtenir une identité Passport"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="Comptes d'utilisateurs"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Fichier de chaîne"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Raccourci de chaîne"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Dossier Fichiers hors connexion"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="Des &personnes..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{51550900-DCAC-11d4-AA0F-0080C87C465B}"="WayTech MultiMouse"
"{2F5AC606-70CF-461C-BFE1-734234536262}"="WindowBlinds CPL Extension"
"{32020A01-506E-484D-A2A8-BE3CF17601C3}"="AlcoholShellEx"
"{6A0D4C37-277A-4F26-9C98-35B75F8AC74D}"=""
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Dossiers Web"
"{00020D75-0000-0000-C000-000000000046}"="Microsoft Office Outlook Desktop Icon Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Office Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"="AVG7 Find Extension"
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"="Webroot Spy Sweeper Context Menu Integration"
 
**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00
 
[HKEY_CLASSES_ROOT\CLSID\{6A0D4C37-277A-4F26-9C98-35B75F8AC74D}]
@=""
 
[HKEY_CLASSES_ROOT\CLSID\{6A0D4C37-277A-4F26-9C98-35B75F8AC74D}\Implemented Categories]
@=""
 
[HKEY_CLASSES_ROOT\CLSID\{6A0D4C37-277A-4F26-9C98-35B75F8AC74D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
 
[HKEY_CLASSES_ROOT\CLSID\{6A0D4C37-277A-4F26-9C98-35B75F8AC74D}\InprocServer32]
@="C:\\WINDOWS\\system32\\camrepl.dll"
"ThreadingModel"="Apartment"
 
**********************************************************************************
Files Found are not all bad files:
**********************************************************************************
Directory Listing of system files:
 Le volume dans le lecteur C s'appelle CENTRALE
 Le numéro de série du volume est 1C36-08E1
 
 Répertoire de C:\WINDOWS\System32
 
18/04/2005  19:07           234 220 camrepl.dll
18/04/2005  19:07           235 285 ir60l5jm1.dll
18/04/2005  19:03           234 220 k862lijo18oc.dll
17/04/2005  22:58           233 015 mfgina.dll
16/04/2005  14:05           234 703 g440lehm1h4a.dll
16/04/2005  14:05           233 659 mmlul9391.dll
16/04/2005  12:47           232 881 sycpack.dll
16/04/2005  11:45           233 886 r48slel71hq.dll
16/04/2005  11:26           233 151 hr2805fue.dll
16/04/2005  10:34           232 818 mv8ml9l11.dll
16/04/2005  10:10           233 700 fpnm0351e.dll
15/04/2005  22:05           234 754 gp2sl3f71.dll
15/04/2005  21:09           233 235 e2202cfmgf2a2.dll
15/04/2005  17:25           225 762 mjxoci.dll
15/04/2005  17:24           225 225 o266lcjs1fo6.dll
15/04/2005  12:04           225 762 jtlq0735e.dll
15/04/2005  12:04           225 225 ensadu.dll
14/04/2005  22:59           224 750 swrio800.dll
14/04/2005  22:12           223 016 swxcoins.dll
14/04/2005  21:51           224 750 uximdmat.dll
14/04/2005  21:33           224 541 tQpi32.dll
14/04/2005  21:27           223 004 mpimg32.dll
14/04/2005  19:17           222 670 mpisam11.dll
14/04/2005  19:14           222 383 iIssam.dll
14/04/2005  15:38           226 048 ieetmib1.dll
14/04/2005  15:20           225 698 kodnec.dll
14/04/2005  14:05           226 048 sgmedia.dll
14/04/2005  11:24           225 698 ueimdmat.dll
13/04/2005  17:46           225 661 mhimg32.dll
13/04/2005  17:25           224 717 FZ20.DLL
13/04/2005  17:05           222 725 nlmsdba.dll
13/04/2005  15:32           225 948 scpcsrv32.dll
13/04/2005  13:26           224 347 mkgsvc.dll
13/04/2005  11:35           223 481 tjemeui.dll
12/04/2005  23:48           222 445 mbwmdmsp.dll
12/04/2005  21:37           222 445 mbcat32.dll
12/04/2005  21:37           224 384 mvlul9391.dll
12/04/2005  20:52           222 445 njhtml.dll
12/04/2005  20:52           224 138 gpr6l39s1.dll
12/04/2005  20:17           225 953 mxgina.dll
12/04/2005  20:13           224 854 iHssvcs.dll
12/04/2005  20:09           226 015 en6ml1j11.dll
12/04/2005  20:09           224 854 rlaenh.dll
12/04/2005  19:53           223 061 pgmas.dll
12/04/2005  19:43           224 854 hketmon.dll
23/01/2005  14:41           225 218 l46o0ej3eho.dll
09/01/2005  21:48           223 254 vvwwdm32.dll
09/01/2005  21:42           224 057 fp0803due.dll
03/10/2004  19:14    <REP>          Microsoft
03/10/2004  18:46    <REP>          dllcache
              48 fichier(s)       10 894 963 octets
               2 Rép(s)  165 192 892 416 octets libres

n°2000492
acrobaze
Posted on 18-04-2005 at 19:27:27
 

So now:
 
- Close your applications, there is going to be a reboot.
- Double-click l2mfix.bat and this time choose option 2 (type 2 and Enter). Don't worry if the desktop or the icons disappear for a moment. That's normal.
As before, there will be a text file at the end.
 
- Copy/paste that text file and a new HijackThis log, to finish.

n°2000497
Eternos
Adewale Akinnuoye-Agbaje
Posted on 18-04-2005 at 19:30:01
 

OK, I'll do all that!!

n°2000500
Eternos
Adewale Akinnuoye-Agbaje
Posted on 18-04-2005 at 19:35:40
 

Here is the l2mfix log:
 
L2Mfix 1.03
 
Running From:
C:\Documents and Settings\Colonel ETERNOS\Bureau\l2mfix
 
 
 
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
 
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI)    ALLOW  Full access  AUTORITE NT\SYSTEM
(IO)    ALLOW  Full access  AUTORITE NT\SYSTEM
(NI)    ALLOW  Full access  AUTORITE NT\SYSTEM
(IO)    ALLOW  Full access  AUTORITE NT\SYSTEM
(ID-NI) ALLOW  Read         BUILTIN\Utilisateurs
(ID-IO) ALLOW  Read         BUILTIN\Utilisateurs
(ID-NI) ALLOW  Read         BUILTIN\Utilisateurs avec pouvoir
(ID-IO) ALLOW  Read         BUILTIN\Utilisateurs avec pouvoir
(ID-NI) ALLOW  Full access  BUILTIN\Administrateurs
(ID-IO) ALLOW  Full access  BUILTIN\Administrateurs
(ID-NI) ALLOW  Full access  AUTORITE NT\SYSTEM
(ID-IO) ALLOW  Full access  AUTORITE NT\SYSTEM
(ID-IO) ALLOW  Full access  CREATEUR PROPRIETAIRE
 
 
 
Setting registry permissions:
 
 
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
 
 
Denying C(CI) access for predefined group "Administrators"
 - adding new ACCESS DENY entry
 
 
Registry Permissions set too:
 
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
 
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI)    DENY   --C-------    BUILTIN\Administrateurs
(NI)    ALLOW  Full access  AUTORITE NT\SYSTEM
(IO)    ALLOW  Full access  AUTORITE NT\SYSTEM
(NI)    ALLOW  Full access  AUTORITE NT\SYSTEM
(IO)    ALLOW  Full access  AUTORITE NT\SYSTEM
(ID-NI) ALLOW  Read         BUILTIN\Utilisateurs
(ID-IO) ALLOW  Read         BUILTIN\Utilisateurs
(ID-NI) ALLOW  Read         BUILTIN\Utilisateurs avec pouvoir
(ID-IO) ALLOW  Read         BUILTIN\Utilisateurs avec pouvoir
(ID-NI) ALLOW  Full access  BUILTIN\Administrateurs
(ID-IO) ALLOW  Full access  BUILTIN\Administrateurs
(ID-NI) ALLOW  Full access  AUTORITE NT\SYSTEM
(ID-IO) ALLOW  Full access  AUTORITE NT\SYSTEM
(ID-IO) ALLOW  Full access  CREATEUR PROPRIETAIRE
 
 
 
Setting up for Reboot
 
 
Starting Reboot!
 
C:\Documents and Settings\Colonel ETERNOS\Bureau\l2mfix  
System Rebooted!  
 
Running From:
C:\Documents and Settings\Colonel ETERNOS\Bureau\l2mfix
 
killing explorer and rundll32.exe  
 
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 2012 'explorer.exe'
Killing PID 2012 'explorer.exe'
 
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 432 'rundll32.exe'
Killing PID 800 'rundll32.exe'
 
Scanning First Pass. Please Wait!
 
First Pass Completed  
 
Second Pass Scanning  
 
Second pass Completed!
Backing Up: C:\WINDOWS\system32\camrepl.dll
        1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\fpnm0351e.dll
        1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\sycpack.dll
        1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\gp2sl3f71.dll
        1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\ir60l5jm1.dll
        1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\e2202cfmgf2a2.dll
        1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\mv8ml9l11.dll
        1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\hr2805fue.dll
        1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\mmlul9391.dll
        1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\r48slel71hq.dll
        1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\mfgina.dll
        1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\gftext.dll
        1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\g440lehm1h4a.dll
        1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\fp0803due.dll
        1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\vvwwdm32.dll
        1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\l46o0ej3eho.dll
        1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\ibhlpapi.dll
        1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\hketmon.dll
        1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\pgmas.dll
        1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\en6ml1j11.dll
        1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\rlaenh.dll
        1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\iHssvcs.dll
        1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\mxgina.dll
        1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\gpr6l39s1.dll
        1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\njhtml.dll
        1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\mvlul9391.dll
        1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\mbcat32.dll
        1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\mbwmdmsp.dll
        1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\tjemeui.dll
        1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\mkgsvc.dll
        1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\scpcsrv32.dll
        1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\nlmsdba.dll
        1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\FZ20.DLL
        1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\mhimg32.dll
        1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\ueimdmat.dll
        1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\sgmedia.dll
        1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\kodnec.dll
        1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\ieetmib1.dll
        1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\iIssam.dll
        1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\mpisam11.dll
        1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\mpimg32.dll
        1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\tQpi32.dll
        1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\uximdmat.dll
        1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\swxcoins.dll
        1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\swrio800.dll
        1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\jtlq0735e.dll
        1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\ensadu.dll
        1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\o266lcjs1fo6.dll
        1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\mjxoci.dll
        1 fichier(s) copié(s).
deleting: C:\WINDOWS\system32\camrepl.dll  
Successfully Deleted: C:\WINDOWS\system32\camrepl.dll
deleting: C:\WINDOWS\system32\fpnm0351e.dll  
Successfully Deleted: C:\WINDOWS\system32\fpnm0351e.dll
deleting: C:\WINDOWS\system32\sycpack.dll  
Successfully Deleted: C:\WINDOWS\system32\sycpack.dll
deleting: C:\WINDOWS\system32\gp2sl3f71.dll  
Successfully Deleted: C:\WINDOWS\system32\gp2sl3f71.dll
deleting: C:\WINDOWS\system32\ir60l5jm1.dll  
Successfully Deleted: C:\WINDOWS\system32\ir60l5jm1.dll
deleting: C:\WINDOWS\system32\e2202cfmgf2a2.dll  
Successfully Deleted: C:\WINDOWS\system32\e2202cfmgf2a2.dll
deleting: C:\WINDOWS\system32\mv8ml9l11.dll  
Successfully Deleted: C:\WINDOWS\system32\mv8ml9l11.dll
deleting: C:\WINDOWS\system32\hr2805fue.dll  
Successfully Deleted: C:\WINDOWS\system32\hr2805fue.dll
deleting: C:\WINDOWS\system32\mmlul9391.dll  
Successfully Deleted: C:\WINDOWS\system32\mmlul9391.dll
deleting: C:\WINDOWS\system32\r48slel71hq.dll  
Successfully Deleted: C:\WINDOWS\system32\r48slel71hq.dll
deleting: C:\WINDOWS\system32\mfgina.dll  
Successfully Deleted: C:\WINDOWS\system32\mfgina.dll
deleting: C:\WINDOWS\system32\gftext.dll  
Successfully Deleted: C:\WINDOWS\system32\gftext.dll
deleting: C:\WINDOWS\system32\g440lehm1h4a.dll  
Successfully Deleted: C:\WINDOWS\system32\g440lehm1h4a.dll
deleting: C:\WINDOWS\system32\fp0803due.dll  
Successfully Deleted: C:\WINDOWS\system32\fp0803due.dll
deleting: C:\WINDOWS\system32\vvwwdm32.dll  
Successfully Deleted: C:\WINDOWS\system32\vvwwdm32.dll
deleting: C:\WINDOWS\system32\l46o0ej3eho.dll  
Successfully Deleted: C:\WINDOWS\system32\l46o0ej3eho.dll
deleting: C:\WINDOWS\system32\ibhlpapi.dll  
Successfully Deleted: C:\WINDOWS\system32\ibhlpapi.dll
deleting: C:\WINDOWS\system32\hketmon.dll  
Successfully Deleted: C:\WINDOWS\system32\hketmon.dll
deleting: C:\WINDOWS\system32\pgmas.dll  
Successfully Deleted: C:\WINDOWS\system32\pgmas.dll
deleting: C:\WINDOWS\system32\en6ml1j11.dll  
Successfully Deleted: C:\WINDOWS\system32\en6ml1j11.dll
deleting: C:\WINDOWS\system32\rlaenh.dll  
Successfully Deleted: C:\WINDOWS\system32\rlaenh.dll
deleting: C:\WINDOWS\system32\iHssvcs.dll  
Successfully Deleted: C:\WINDOWS\system32\iHssvcs.dll
deleting: C:\WINDOWS\system32\mxgina.dll  
Successfully Deleted: C:\WINDOWS\system32\mxgina.dll
deleting: C:\WINDOWS\system32\gpr6l39s1.dll  
Successfully Deleted: C:\WINDOWS\system32\gpr6l39s1.dll
deleting: C:\WINDOWS\system32\njhtml.dll  
Successfully Deleted: C:\WINDOWS\system32\njhtml.dll
deleting: C:\WINDOWS\system32\mvlul9391.dll  
Successfully Deleted: C:\WINDOWS\system32\mvlul9391.dll
deleting: C:\WINDOWS\system32\mbcat32.dll  
Successfully Deleted: C:\WINDOWS\system32\mbcat32.dll
deleting: C:\WINDOWS\system32\mbwmdmsp.dll  
Successfully Deleted: C:\WINDOWS\system32\mbwmdmsp.dll
deleting: C:\WINDOWS\system32\tjemeui.dll  
Successfully Deleted: C:\WINDOWS\system32\tjemeui.dll
deleting: C:\WINDOWS\system32\mkgsvc.dll  
Successfully Deleted: C:\WINDOWS\system32\mkgsvc.dll
deleting: C:\WINDOWS\system32\scpcsrv32.dll  
Successfully Deleted: C:\WINDOWS\system32\scpcsrv32.dll
deleting: C:\WINDOWS\system32\nlmsdba.dll  
Successfully Deleted: C:\WINDOWS\system32\nlmsdba.dll
deleting: C:\WINDOWS\system32\FZ20.DLL  
Successfully Deleted: C:\WINDOWS\system32\FZ20.DLL
deleting: C:\WINDOWS\system32\mhimg32.dll  
Successfully Deleted: C:\WINDOWS\system32\mhimg32.dll
deleting: C:\WINDOWS\system32\ueimdmat.dll  
Successfully Deleted: C:\WINDOWS\system32\ueimdmat.dll
deleting: C:\WINDOWS\system32\sgmedia.dll  
Successfully Deleted: C:\WINDOWS\system32\sgmedia.dll
deleting: C:\WINDOWS\system32\kodnec.dll  
Successfully Deleted: C:\WINDOWS\system32\kodnec.dll
deleting: C:\WINDOWS\system32\ieetmib1.dll  
Successfully Deleted: C:\WINDOWS\system32\ieetmib1.dll
deleting: C:\WINDOWS\system32\iIssam.dll  
Successfully Deleted: C:\WINDOWS\system32\iIssam.dll
deleting: C:\WINDOWS\system32\mpisam11.dll  
Successfully Deleted: C:\WINDOWS\system32\mpisam11.dll
deleting: C:\WINDOWS\system32\mpimg32.dll  
Successfully Deleted: C:\WINDOWS\system32\mpimg32.dll
deleting: C:\WINDOWS\system32\tQpi32.dll  
Successfully Deleted: C:\WINDOWS\system32\tQpi32.dll
deleting: C:\WINDOWS\system32\uximdmat.dll  
Successfully Deleted: C:\WINDOWS\system32\uximdmat.dll
deleting: C:\WINDOWS\system32\swxcoins.dll  
Successfully Deleted: C:\WINDOWS\system32\swxcoins.dll
deleting: C:\WINDOWS\system32\swrio800.dll  
Successfully Deleted: C:\WINDOWS\system32\swrio800.dll
deleting: C:\WINDOWS\system32\jtlq0735e.dll  
Successfully Deleted: C:\WINDOWS\system32\jtlq0735e.dll
deleting: C:\WINDOWS\system32\ensadu.dll  
Successfully Deleted: C:\WINDOWS\system32\ensadu.dll
deleting: C:\WINDOWS\system32\o266lcjs1fo6.dll  
Successfully Deleted: C:\WINDOWS\system32\o266lcjs1fo6.dll
deleting: C:\WINDOWS\system32\mjxoci.dll  
Successfully Deleted: C:\WINDOWS\system32\mjxoci.dll
 
Desktop.ini sucessfully removed
 
 
Zipping up files for submission:
  adding: camrepl.dll (deflated 5%)
  adding: fpnm0351e.dll (deflated 5%)
  adding: sycpack.dll (deflated 4%)
  adding: gp2sl3f71.dll (deflated 5%)
  adding: ir60l5jm1.dll (deflated 5%)
  adding: e2202cfmgf2a2.dll (deflated 4%)
  adding: mv8ml9l11.dll (deflated 4%)
  adding: hr2805fue.dll (deflated 5%)
  adding: mmlul9391.dll (deflated 5%)
  adding: r48slel71hq.dll (deflated 5%)
  adding: mfgina.dll (deflated 4%)
  adding: gftext.dll (deflated 5%)
  adding: g440lehm1h4a.dll (deflated 5%)
  adding: fp0803due.dll (deflated 4%)
  adding: vvwwdm32.dll (deflated 3%)
  adding: l46o0ej3eho.dll (deflated 4%)
  adding: ibhlpapi.dll (deflated 4%)
  adding: hketmon.dll (deflated 4%)
  adding: pgmas.dll (deflated 3%)
  adding: en6ml1j11.dll (deflated 5%)
  adding: rlaenh.dll (deflated 4%)
  adding: iHssvcs.dll (deflated 4%)
  adding: mxgina.dll (deflated 5%)
  adding: gpr6l39s1.dll (deflated 4%)
  adding: njhtml.dll (deflated 3%)
  adding: mvlul9391.dll (deflated 4%)
  adding: mbcat32.dll (deflated 3%)
  adding: mbwmdmsp.dll (deflated 3%)
  adding: tjemeui.dll (deflated 4%)
  adding: mkgsvc.dll (deflated 4%)
  adding: scpcsrv32.dll (deflated 5%)
  adding: nlmsdba.dll (deflated 3%)
  adding: FZ20.DLL (deflated 4%)
  adding: mhimg32.dll (deflated 5%)
  adding: ueimdmat.dll (deflated 5%)
  adding: sgmedia.dll (deflated 5%)
  adding: kodnec.dll (deflated 5%)
  adding: ieetmib1.dll (deflated 5%)
  adding: iIssam.dll (deflated 3%)
  adding: mpisam11.dll (deflated 3%)
  adding: mpimg32.dll (deflated 4%)
  adding: tQpi32.dll (deflated 4%)
  adding: uximdmat.dll (deflated 4%)
  adding: swxcoins.dll (deflated 4%)
  adding: swrio800.dll (deflated 4%)
  adding: jtlq0735e.dll (deflated 5%)
  adding: ensadu.dll (deflated 5%)
  adding: o266lcjs1fo6.dll (deflated 5%)
  adding: mjxoci.dll (deflated 5%)
  adding: echo.reg (deflated 10%)
  adding: clear.reg (deflated 22%)
  adding: desktop.ini (stored 0%)
  adding: readme.txt (deflated 49%)
  adding: direct.txt (stored 0%)
  adding: report.txt (deflated 65%)
  adding: lo2.txt (deflated 85%)
  adding: test2.txt (stored 0%)
  adding: test3.txt (stored 0%)
  adding: test5.txt (stored 0%)
  adding: test.txt (deflated 83%)
  adding: xfind.txt (deflated 78%)
  adding: backregs/shell.reg (deflated 74%)
  adding: backregs/6A0D4C37-277A-4F26-9C98-35B75F8AC74D.reg (deflated 70%)
 
Restoring Registry Permissions:  
 
 
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
 
 
Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!
 
 
Registry permissions set too:
 
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
 
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI)    ALLOW  Full access  AUTORITE NT\SYSTEM
(IO)    ALLOW  Full access  AUTORITE NT\SYSTEM
(NI)    ALLOW  Full access  AUTORITE NT\SYSTEM
(IO)    ALLOW  Full access  AUTORITE NT\SYSTEM
(ID-NI) ALLOW  Read         BUILTIN\Utilisateurs
(ID-IO) ALLOW  Read         BUILTIN\Utilisateurs
(ID-NI) ALLOW  Read         BUILTIN\Utilisateurs avec pouvoir
(ID-IO) ALLOW  Read         BUILTIN\Utilisateurs avec pouvoir
(ID-NI) ALLOW  Full access  BUILTIN\Administrateurs
(ID-IO) ALLOW  Full access  BUILTIN\Administrateurs
(ID-NI) ALLOW  Full access  AUTORITE NT\SYSTEM
(ID-IO) ALLOW  Full access  AUTORITE NT\SYSTEM
(ID-IO) ALLOW  Full access  CREATEUR PROPRIETAIRE
 
 
Restoring Sedebugprivilege:
 
 Granting SeDebugPrivilege to Administrators   ... failed (GetAccountSid(Administrators)=1332  
 
deleting local copy: camrepl.dll    
deleting local copy: fpnm0351e.dll    
deleting local copy: sycpack.dll    
deleting local copy: gp2sl3f71.dll    
deleting local copy: ir60l5jm1.dll    
deleting local copy: e2202cfmgf2a2.dll    
deleting local copy: mv8ml9l11.dll    
deleting local copy: hr2805fue.dll    
deleting local copy: mmlul9391.dll    
deleting local copy: r48slel71hq.dll    
deleting local copy: mfgina.dll    
deleting local copy: gftext.dll    
deleting local copy: g440lehm1h4a.dll    
deleting local copy: fp0803due.dll    
deleting local copy: vvwwdm32.dll    
deleting local copy: l46o0ej3eho.dll    
deleting local copy: ibhlpapi.dll    
deleting local copy: hketmon.dll    
deleting local copy: pgmas.dll    
deleting local copy: en6ml1j11.dll    
deleting local copy: rlaenh.dll    
deleting local copy: iHssvcs.dll    
deleting local copy: mxgina.dll    
deleting local copy: gpr6l39s1.dll    
deleting local copy: njhtml.dll    
deleting local copy: mvlul9391.dll    
deleting local copy: mbcat32.dll    
deleting local copy: mbwmdmsp.dll    
deleting local copy: tjemeui.dll    
deleting local copy: mkgsvc.dll    
deleting local copy: scpcsrv32.dll    
deleting local copy: nlmsdba.dll    
deleting local copy: FZ20.DLL    
deleting local copy: mhimg32.dll    
deleting local copy: ueimdmat.dll    
deleting local copy: sgmedia.dll    
deleting local copy: kodnec.dll    
deleting local copy: ieetmib1.dll    
deleting local copy: iIssam.dll    
deleting local copy: mpisam11.dll    
deleting local copy: mpimg32.dll    
deleting local copy: tQpi32.dll    
deleting local copy: uximdmat.dll    
deleting local copy: swxcoins.dll    
deleting local copy: swrio800.dll    
deleting local copy: jtlq0735e.dll    
deleting local copy: ensadu.dll    
deleting local copy: o266lcjs1fo6.dll    
deleting local copy: mjxoci.dll    
 
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MCPClient]
"Asynchronous"=dword:00000000
"DllName"="C:\\PROGRA~1\\FICHIE~1\\Stardock\\mcpstub.dll"
"Startup"="MCPSystemStartup"
"Logon"="MCPLogonStartup"
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WB]
"Asynchronous"=dword:00000000
"DllName"="C:\\PROGRA~1\\STARDOCK\\OBJECT~1\\WINDOW~1\\fastload.dll"
"Startup"="StartSys"
"Logon"="StartWB"
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
 
 
The following are the files found:  
****************************************************************************
C:\WINDOWS\system32\camrepl.dll  
C:\WINDOWS\system32\fpnm0351e.dll  
C:\WINDOWS\system32\sycpack.dll  
C:\WINDOWS\system32\gp2sl3f71.dll  
C:\WINDOWS\system32\ir60l5jm1.dll  
C:\WINDOWS\system32\e2202cfmgf2a2.dll  
C:\WINDOWS\system32\mv8ml9l11.dll  
C:\WINDOWS\system32\hr2805fue.dll  
C:\WINDOWS\system32\mmlul9391.dll  
C:\WINDOWS\system32\r48slel71hq.dll  
C:\WINDOWS\system32\mfgina.dll  
C:\WINDOWS\system32\gftext.dll  
C:\WINDOWS\system32\g440lehm1h4a.dll  
C:\WINDOWS\system32\fp0803due.dll  
C:\WINDOWS\system32\vvwwdm32.dll  
C:\WINDOWS\system32\l46o0ej3eho.dll  
C:\WINDOWS\system32\ibhlpapi.dll  
C:\WINDOWS\system32\hketmon.dll  
C:\WINDOWS\system32\pgmas.dll  
C:\WINDOWS\system32\en6ml1j11.dll  
C:\WINDOWS\system32\rlaenh.dll  
C:\WINDOWS\system32\iHssvcs.dll  
C:\WINDOWS\system32\mxgina.dll  
C:\WINDOWS\system32\gpr6l39s1.dll  
C:\WINDOWS\system32\njhtml.dll  
C:\WINDOWS\system32\mvlul9391.dll  
C:\WINDOWS\system32\mbcat32.dll  
C:\WINDOWS\system32\mbwmdmsp.dll  
C:\WINDOWS\system32\tjemeui.dll  
C:\WINDOWS\system32\mkgsvc.dll  
C:\WINDOWS\system32\scpcsrv32.dll  
C:\WINDOWS\system32\nlmsdba.dll  
C:\WINDOWS\system32\FZ20.DLL  
C:\WINDOWS\system32\mhimg32.dll  
C:\WINDOWS\system32\ueimdmat.dll  
C:\WINDOWS\system32\sgmedia.dll  
C:\WINDOWS\system32\kodnec.dll  
C:\WINDOWS\system32\ieetmib1.dll  
C:\WINDOWS\system32\iIssam.dll  
C:\WINDOWS\system32\mpisam11.dll  
C:\WINDOWS\system32\mpimg32.dll  
C:\WINDOWS\system32\tQpi32.dll  
C:\WINDOWS\system32\uximdmat.dll  
C:\WINDOWS\system32\swxcoins.dll  
C:\WINDOWS\system32\swrio800.dll  
C:\WINDOWS\system32\jtlq0735e.dll  
C:\WINDOWS\system32\ensadu.dll  
C:\WINDOWS\system32\o266lcjs1fo6.dll  
C:\WINDOWS\system32\mjxoci.dll  
 
Registry Entries that were Deleted:  
Please verify that the listing looks ok.  
If there was something deleted wrongly there are backups in the backreg folder.  
****************************************************************************
REGEDIT4
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{6A0D4C37-277A-4F26-9C98-35B75F8AC74D}"=-
[-HKEY_CLASSES_ROOT\CLSID\{6A0D4C37-277A-4F26-9C98-35B75F8AC74D}]
REGEDIT4
 
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:  
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
****************************************************************************

 
 
And the HijackThis one:
 
Logfile of HijackThis v1.99.1
Scan saved at 19:35:27, on 18/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\htpatch.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\fr\msnappau.exe
C:\Program Files\NXP\CursorXP\CursorXP.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Poste de Travail Sans Fil Labtec\MulMouse.exe
C:\Program Files\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE
C:\Program Files\Poste de Travail Sans Fil Labtec\MagicKey.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijackthis\HijackThis.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.fr/0SEFRFR/SAOS02
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - Default URLSearchHook is missing
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\fr\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\fr\msntb.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\fr\msnappau.exe"
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\NXP\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Activer le Poste de Travail Sans Fil Labtec.lnk = C:\Program Files\Poste de Travail Sans Fil Labtec\MulMouse.exe
O4 - Global Startup: D-Link AirPlus G+ Wireless Adapter Utility.lnk = C:\Program Files\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Pages liées - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Pages similaires - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Version de la page actuelle disponible dans le cache Google - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ [...] loader.cab
O16 - DPF: {C0B285F6-DB2B-4908-9C58-F6D95397D747} - http://www.pacimedia.com/install/pcs_0025.exe
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\FICHIE~1\Stardock\mcpstub.dll (file missing)
O20 - Winlogon Notify: WB - C:\PROGRA~1\STARDOCK\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
 
Thanks..

n°2000506
acrobaze
Posted on 18-04-2005 at 19:39:23
 


Oki. Still getting popups?

n°2000507
Eternos
Adewale Akinnuoye-Agbaje
Posted on 18-04-2005 at 19:41:27
 

Doesn't look like it for now!!
 
I'll keep you posted, and thanks for your help!!  :D  :)
 
 :hello:  CIAO and good luck with the rest!!


Message edited by Eternos on 18-04-2005 at 19:42:01
n°2000509
acrobaze
Posted on 18-04-2005 at 19:43:23
 

I think it's fine.
 
When you have five minutes, "fix" this little line:
 
R3 - Default URLSearchHook is missing  
 
Later! :hello:
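As an added example (not code from this thread or from HijackThis), a small Python triage helper for log lines in the HijackThis v1.99 format: it parses each entry by its section tag and flags the kinds of lines discussed above, namely the R3 "Default URLSearchHook is missing" entry acrobaze says to fix, an O16 ActiveX download that points at a bare .exe, and an O20 Winlogon Notify DLL reported as missing. The sample lines are copied from the log posted above; the regexes and review rules are my own heuristics, not HijackThis's built-in logic.

```python
import re

# Constructed sample in HijackThis v1.99 log format; the R3, O16 and O20
# lines are copied from the log posted in this thread, the rest are controls.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {C0B285F6-DB2B-4908-9C58-F6D95397D747} - http://www.pacimedia.com/install/pcs_0025.exe
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\FICHIE~1\Stardock\mcpstub.dll (file missing)
O20 - Winlogon Notify: WB - C:\PROGRA~1\STARDOCK\OBJECT~1\WINDOW~1\fastload.dll
"""

# Every HijackThis entry starts with a section tag (R0..R3, F0..F3, O1..O23).
LINE_RE = re.compile(r"^([RFO]\d+) - (.*)$")


def parse_line(line):
    """Split one log line into (section, body); None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


# Hypothetical review rules (my own heuristics, not HijackThis's):
# each rule is (section, predicate on the entry body, reason to review).
RULES = [
    ("R3", lambda b: "is missing" in b,
     "default URLSearchHook missing; the advice in the thread is to fix this entry"),
    ("O16", lambda b: re.search(r"https?://\S+\.exe$", b, re.I) is not None,
     "ActiveX download pointing at a bare .exe instead of a .cab"),
    ("O16", lambda b: not re.search(r"\([^)]*\)", b),
     "ActiveX control with no friendly name"),
    ("O20", lambda b: "(file missing)" in b,
     "Winlogon Notify entry whose DLL no longer exists"),
]


def triage(log_text):
    """Return [(section, reason, line)] for entries a reviewer should look at."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        section, body = parsed
        for rule_section, predicate, reason in RULES:
            if section == rule_section and predicate(body):
                findings.append((section, reason, raw.strip()))
                break  # first matching rule wins
    return findings
```

Running `triage(SAMPLE_LOG)` yields three findings (the R3, the pacimedia O16 and the mcpstub O20 lines); the MSN O16 and the AVG O4 entries pass untouched.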

n°2000596
Eternos
Adewale Akinnuoye-Agbaje
Posted on 18-04-2005 at 20:58:37
 

Thanks a lot, no more pop-ups at all, it's spotless!!
 
Until next time, if need be!!!
 
PS: I'll take care of that little line....

n°2001733
acrobaze
Posted on 19-04-2005 at 17:47:33
 


 ;)


Copyright © 1997-2022 Hardware.fr SARL / Groupe LDLC