HijackThis analysis PLEASE - after PAD + various actions THANKS a lot


Post by Pantalon » 15 Dec 2008, 23:58

Hello,

I have a problem on my son's machine, infected the day before yesterday at the end of the day via MSN and a link sent by one of his contacts (probably infected too)... His machine runs Windows XP SP2 with practically all the updates applied.


The symptoms were loads of pop-ups for crap, rubbish ads and also something like Scan-Antivirus360 that won't go away.
The machine is also very, very, very slow, but without really any traffic on the network.
As he only told me about his problem well after his mistake, I could only cut the connection after 5 hours of unsupervised operation (he had left everything as it was and moved over to my machine).
There is also something called quoykeeg.exe that has crashed (after several restarts) and gives me a message "application ??? do you want to report this to Microsoft".

So I ran his antivirus again, which detected and quarantined three files, including:

C:\Documents and Settings\Dylan\Local Settings\Temporary Internet Files\Content.IE5\W3C6G1CL\wax[1].jpg (Win32/Adware.Virtumonde application)

C:\waxx.exe (Win32/Adware.Virtumonde application)

http ://fwt.txdnl.com/6-20/b/l/blubla/wax.jpg (Win32/Adware.Virtumonde application)

I destroyed them!

The next day, others arrived:

http ://childhe.com/pas/apstpldr.dll.html?affid=156649&uid=&guid=C016BBDA37604B26BBF86093819CA9F4
C:\WINDOWS\system32\cbXPfGww.dll
C:\Documents and Settings\Dylan\Local Settings\Temporary Internet Files\Content.IE5\5V9JOUTC\apstpldr.dll[1].htm
and this one too, which seems even worse than the others:
http ://fwt.txdnl.com/6-20/b/l/blubla/noi.jpg reported as Win32/TrojanDownloader.Agent.OOJ trojan horse

They were blocked by NOD32 and destroyed. (The URLs have a space in them so nobody clicks them !!! DANGER !!!)

Since then I have been on his machine cleaning up. I ran scans with:
- NOD32 (antivirus)
- MSN Fix (winchat.exe, WinFXDocObj.exe, winhlp32.exe, winlogon.exe, winmine.exe, winmsd.exe, winspool.exe, winver.exe)
- SD Fix (about 20 nasties)
- DB Fix (from SD Fix) (to continue)
- MalwareBytes (about 30 nasties of the trojan type + registry + memory)
- Spybot Search & Destroy (mainly Virtumondo)
- Ad-Aware 2008 (3-4 nasties removed)
- CCleaner (nearly 500 MB gained)
- VundoFix (nothing left)
- VirtumundoBeGone (nada)
- HijackThis (details below)
- OTListIt (following)
and then an online scan with Kaspersky... which is going to take ages, I can feel it (2h30, wow, and 3 nasties, but in NOD32's "infected" folder = I had forgotten to delete them).

Thanking you in advance, Pantalon.




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:27:44, on 15/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\WINDOWS\system32\Grxp4exe.exe
C:\WINDOWS\vsnpstd3.exe
C:\WINDOWS\SYSTEM32\ATIPTAXX.EXE
C:\Program Files\Fichiers communs\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Fichiers communs\Logitech\khalshared\KHALMNPR.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Fichiers communs\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Gravis Xperience Driver Support] Grxp4exe.exe /init
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v2] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /runonce
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\WINDOWS\SYSTEM32\ATIPTAXX.EXE
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Fichiers communs\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [qoykeeg] "c:\documents and settings\dylan\local settings\application data\qoykeeg.exe" qoykeeg
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [IETI] C:\Program Files\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [IETI] C:\Program Files\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = ?
O9 - Extra button: Ajout Direct - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Ajout Direct dans Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/FR-BE/a-U ... E_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftup ... 9250870453
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 9250859078
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamespyarcade.com/softwar ... launch.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: ppwbae.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 6664 bytes

----------------------------------------------------------------------------------------------------------------------------------------

OTListIt logfile created on: 15/12/2008 22:33:11 - Run
OTListIt by OldTimer - Version 1.0.12.1 Folder = C:\Documents and Settings\All Users\Documents\_NETTOYAGE_&_SECU
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 0000080C | Country: Belgique | Language: FRB | Date Format: d/MM/yyyy

511,48 Mb Total Physical Memory | 202,99 Mb Available Physical Memory | 39,69% Memory free
1,22 Gb Paging File | 0,94 Gb Available in Paging File | 76,61% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 39,06 Gb Total Space | 29,59 Gb Free Space | 75,75% Space Free | Partition Type: NTFS
Drive D: | 72,72 Gb Total Space | 6,40 Gb Free Space | 8,80% Space Free | Partition Type: NTFS
Drive E: | 3,43 Gb Total Space | 0,00 Gb Free Space | 0,00% Space Free | Partition Type: UDF
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: PC-DYLAN
Current User Name: Dylan
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== Processes ==========

[2007/12/05 03:53:58 | 00,495,616 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe
[2007/12/05 03:53:58 | 00,495,616 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe
[2008/07/07 08:15:18 | 00,611,664 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
[2004/06/03 19:51:54 | 00,131,072 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
[2006/04/15 16:45:37 | 00,462,848 | ---- | M] (SlySoft, Inc.) -- C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
[2002/02/26 09:05:42 | 00,036,864 | ---- | M] (Kensington Technology Group) -- C:\WINDOWS\system32\grxp4exe.exe
[2004/12/16 19:55:28 | 00,339,968 | ---- | M] (Sonix) -- C:\WINDOWS\vsnpstd3.exe
[2006/02/22 02:05:00 | 00,344,064 | ---- | M] (ATI Technologies, Inc.) -- C:\WINDOWS\system32\atiptaxx.exe
[2006/03/01 18:43:20 | 00,090,112 | ---- | M] (Nero AG) -- C:\Program Files\Fichiers communs\Ahead\Lib\NMBgMonitor.exe
[2006/11/03 08:59:20 | 00,204,288 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnscfg.exe
[2006/09/01 11:01:42 | 00,671,744 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\SetPoint\SetPoint.exe
[2006/07/19 12:03:56 | 00,094,208 | ---- | M] (Logitech Inc.) -- C:\Program Files\Fichiers communs\Logitech\khalshared\KHALMNPR.exe
[2006/04/15 12:16:02 | 00,495,616 | ---- | M] (Eset ) -- C:\Program Files\ESET\nod32krn.exe
[2007/10/03 01:03:39 | 00,066,872 | ---- | M] () -- C:\WINDOWS\system32\PnkBstrA.exe
[2008/05/26 21:18:44 | 00,439,808 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\searchindexer.exe
[2006/11/03 08:59:14 | 00,918,016 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnetwk.exe
[2004/08/03 23:55:04 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wscntfy.exe
[2008/12/14 15:29:28 | 00,418,816 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\All Users\Documents\_NETTOYAGE_&_SECU\OTListIt.exe

========== (O23) Win32 Services ==========

[2008/07/07 08:15:18 | 00,611,664 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe -- (aawservice [Auto | Running])
[2007/10/24 00:47:22 | 00,033,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
[2007/12/05 03:53:58 | 00,495,616 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller [Auto | Running])
[2007/09/28 21:05:00 | 00,593,920 | ---- | M] () -- C:\WINDOWS\system32\ati2sgag.exe -- (ATI Smart [Auto | Stopped])
[2007/10/24 00:47:40 | 00,070,144 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
[2007/10/09 11:58:12 | 00,036,864 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
[2007/01/04 02:40:21 | 00,136,120 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [On_Demand | Stopped])
[2007/10/11 08:55:10 | 00,864,256 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
[2007/10/11 08:55:14 | 00,122,880 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
[2006/04/15 12:16:02 | 00,495,616 | ---- | M] (Eset ) -- C:\Program Files\ESET\nod32krn.exe -- (NOD32krn [Auto | Running])
[2006/08/24 07:46:00 | 00,159,810 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc [Auto | Stopped])
[2007/10/03 01:03:39 | 00,066,872 | ---- | M] () -- C:\WINDOWS\system32\PnkBstrA.exe -- (PnkBstrA [Auto | Running])
[2007/10/18 10:31:54 | 00,098,328 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\usnsvc.exe -- (usnjsvc [On_Demand | Stopped])
[2007/10/25 14:27:54 | 00,266,240 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc [On_Demand | Stopped])
[2006/11/03 08:59:14 | 00,918,016 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc [Auto | Running])
[2008/05/26 21:18:44 | 00,439,808 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\searchindexer.exe -- (WSearch [Auto | Running])

========== Driver Services ==========

[2004/08/04 00:05:42 | 00,041,600 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\amdk7.sys -- (AmdK7 [System | Running])
[2006/04/15 12:16:03 | 00,502,208 | ---- | M] (Eset ) -- C:\WINDOWS\system32\drivers\amon.sys -- (AMON [Auto | Running])
[2006/02/24 23:04:05 | 00,019,200 | ---- | M] (SlySoft, Inc.) -- C:\WINDOWS\system32\drivers\AnyDVD.sys -- (AnyDVD [On_Demand | Running])
[2007/12/05 06:26:40 | 02,782,208 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag [On_Demand | Running])
[2007/11/07 04:40:20 | 00,169,856 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\drivers\atinavt2.sys -- (ATIAVAIW [On_Demand | Running])
[2004/08/04 02:08:30 | 00,105,984 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\drivers\atinrvxx.sys -- (atinrvxx [On_Demand | Stopped])
[2007/11/05 08:55:04 | 00,017,952 | ---- | M] () -- C:\Program Files\Radeon Omega Drivers\v4.8.442\ATI Tray Tools\atitray.sys -- (atitray [System | Running])
[2003/01/10 09:56:34 | 00,030,921 | ---- | M] (Service & Quality Technology.) -- C:\WINDOWS\system32\drivers\SQCaptur.sys -- (DCamUSBSQTECH [On_Demand | Stopped])
[2005/04/21 12:40:36 | 00,010,624 | ---- | M] (Elaborate Bytes AG) -- C:\WINDOWS\system32\drivers\ElbyCDIO.sys -- (ElbyCDIO [Auto | Running])
[2004/08/04 00:08:22 | 00,010,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum [On_Demand | Running])
[2001/09/26 13:59:34 | 00,011,920 | ---- | M] (Kensington Technology Group) -- C:\WINDOWS\system32\drivers\KID_SYS.sys -- (kid_sys [System | Running])
[2006/07/19 12:27:26 | 00,013,568 | ---- | M] (Logitech Inc.) -- C:\WINDOWS\system32\drivers\L8042Kbd.sys -- (L8042Kbd [On_Demand | Running])
[2006/07/19 12:27:46 | 00,055,936 | ---- | M] (Logitech Inc.) -- C:\WINDOWS\system32\drivers\L8042mou.Sys -- (L8042mou [On_Demand | Running])
[2006/09/01 12:32:50 | 00,003,712 | ---- | M] (Logitech Inc.) -- C:\WINDOWS\system32\drivers\LBeepKE.sys -- (LBeepKE [Auto | Running])
[2006/07/19 12:29:08 | 00,027,136 | ---- | M] (Logitech Inc.) -- C:\WINDOWS\system32\drivers\LHidKE.Sys -- (LHidKe [On_Demand | Running])
[2006/07/19 12:28:56 | 00,071,936 | ---- | M] (Logitech Inc.) -- C:\WINDOWS\system32\drivers\LMouKE.Sys -- (LMouKE [On_Demand | Running])
[2004/08/03 23:10:14 | 00,015,360 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\MPE.sys -- (MPE [On_Demand | Stopped])
[2001/08/17 23:00:04 | 00,002,944 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\msmpu401.sys -- (ms_mpu401 [On_Demand | Running])
[2004/08/04 02:08:36 | 00,013,824 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\drivers\atinmdxx.sys -- (MVDCODEC [On_Demand | Stopped])
[2002/02/26 09:03:28 | 00,266,432 | ---- | M] (Kensington Technology Group) -- C:\WINDOWS\system32\drivers\ntxpusb.sys -- (ntxpusb [On_Demand | Stopped])
[2006/08/24 07:46:00 | 03,983,680 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv [System | Stopped])
[2004/05/25 14:58:02 | 00,048,640 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nvax.sys -- (nvax [On_Demand | Running])
[2004/01/29 00:45:50 | 00,093,764 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\NVENET.sys -- (NVENET [On_Demand | Running])
[2004/05/25 14:58:04 | 00,396,032 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nvapu.sys -- (nvnforce [On_Demand | Running])
[2004/04/02 14:40:00 | 00,021,760 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nv_agp.SYS -- (nv_agp [Boot | Running])
[2003/09/19 15:45:48 | 00,021,248 | ---- | M] (Padus, Inc.) -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc [On_Demand | Running])
[2002/08/30 12:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink [On_Demand | Running])
[2006/09/27 22:53:22 | 00,036,560 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\pxhelp20.sys -- (PxHelp20 [Boot | Running])
[2007/11/13 11:25:54 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv [Auto | Running])
[2005/08/10 13:44:04 | 00,050,688 | ---- | M] (Protection Technology) -- C:\WINDOWS\system32\drivers\sfdrv01.sys -- (sfdrv01 [Boot | Running])
[2005/05/16 14:20:39 | 00,006,656 | ---- | M] (Protection Technology) -- C:\WINDOWS\system32\drivers\sfhlp02.sys -- (sfhlp02 [Boot | Running])
[2005/11/03 15:40:07 | 00,063,488 | ---- | M] (Protection Technology) -- C:\WINDOWS\system32\drivers\sfvfs02.sys -- (sfvfs02 [Boot | Running])
[2005/01/05 18:29:30 | 00,432,768 | ---- | M] () -- C:\WINDOWS\system32\drivers\snpstd3.sys -- (SNPSTD3 [On_Demand | Running])
[2004/08/03 23:07:56 | 00,059,264 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio [On_Demand | Running])
[2002/08/30 12:00:00 | 00,012,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\ws2ifsl.sys -- (WS2IFSL [System | Running])

========== Internet Explorer ==========

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions =
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



HKU\S-1-5-21-1454471165-1229272821-725345543-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
HKU\S-1-5-21-1454471165-1229272821-725345543-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
HKU\S-1-5-21-1454471165-1229272821-725345543-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions =
HKU\S-1-5-21-1454471165-1229272821-725345543-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
HKU\S-1-5-21-1454471165-1229272821-725345543-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-1454471165-1229272821-725345543-1005\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
HKU\S-1-5-21-1454471165-1229272821-725345543-1005\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
HKU\S-1-5-21-1454471165-1229272821-725345543-1005\S-1-5-21-1454471165-1229272821-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

O1 HOSTS File: (289869 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-domains-registrations.com
O1 - Hosts: 127.0.0.1 www.1-domains-registrations.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 9985 more lines...
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O4 - HKLM..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe (SlySoft, Inc.)
O4 - HKLM..\Run: [ATIPTA] C:\WINDOWS\SYSTEM32\ATIPTAXX.EXE (ATI Technologies, Inc.)
O4 - HKLM..\Run: [Gravis Xperience Driver Support] Grxp4exe.exe /init (Kensington Technology Group)
O4 - HKLM..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE (Logitech Inc.)
O4 - HKLM..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE (Logitech Inc.)
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Fichiers communs\Ahead\Lib\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE (Eset )
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit (NVIDIA Corporation)
O4 - HKLM..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] nwiz.exe /install ()
O4 - HKLM..\Run: [pdfFactory Pro Dispatcher v2] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /runonce (FinePrint Software, LLC)
O4 - HKLM..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe (Sonix)
O4 - HKCU..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Fichiers communs\Ahead\lib\NMBgMonitor.exe" (Nero AG)
O4 - HKCU..\Run: [qoykeeg] "c:\documents and settings\dylan\local settings\application data\qoykeeg.exe" qoykeeg File not found
O4 - HKCU..\Run: [Steam] File not found
O4 - HKCU..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1 (Adobe Systems Incorporated)
O4 - HKCU..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (Microsoft Corporation)
O4 - HKU\.DEFAULT..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (Google Inc.)
O4 - HKU\S-1-5-18..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (Google Inc.)
O4 - HKU\S-1-5-21-1454471165-1229272821-725345543-1005..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Fichiers communs\Ahead\lib\NMBgMonitor.exe" (Nero AG)
O4 - HKU\S-1-5-21-1454471165-1229272821-725345543-1005..\Run: [qoykeeg] "c:\documents and settings\dylan\local settings\application data\qoykeeg.exe" qoykeeg File not found
O4 - HKU\S-1-5-21-1454471165-1229272821-725345543-1005..\Run: [Steam] File not found
O4 - HKU\S-1-5-21-1454471165-1229272821-725345543-1005..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1 (Adobe Systems Incorporated)
O4 - HKU\S-1-5-21-1454471165-1229272821-725345543-1005..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (Microsoft Corporation)
O4 - HKU\.DEFAULT..\RunOnce: [IETI] C:\Program Files\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART File not found
O4 - HKU\S-1-5-18..\RunOnce: [IETI] C:\Program Files\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART File not found
O4 - Startup: C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe (Logitech Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-1454471165-1229272821-725345543-1005\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-1454471165-1229272821-725345543-1005_Classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra Button: Ajout Direct - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Ajout Direct dans Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Sites: 50 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Sites: 49 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\.DEFAULT\..Trusted Sites: 49 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-18\..Trusted Sites: 49 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-1454471165-1229272821-725345543-1005\..Trusted Sites: 49 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shoc ... tor/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} http://messenger.zone.msn.com/FR-BE/a-U ... E_UNO1.cab (UnoCtrl Class)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/microsoftup ... 9250870453 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftup ... 9250859078 (MUWebControl Class)
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} http://launch.gamespyarcade.com/softwar ... launch.cab (Reg Error: Key does not exist or could not be opened.)
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} http://messenger.zone.msn.com/binary/Me ... b31267.cab (MessengerStatsClient Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shoc ... wflash.cab (Shockwave Flash Object)
O18 - Protocol\Handler: - ipp - No CLSID value found
O18 - Protocol\Handler: - ipp\0x00000001 - C:\Program Files\Fichiers communs\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler: - livecall - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler: - msdaipp - No CLSID value found
O18 - Protocol\Handler: - msdaipp\0x00000001 - C:\Program Files\Fichiers communs\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler: - msdaipp\oledb - C:\Program Files\Fichiers communs\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler: - msnim - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler: - skype4com - C:\Program Files\Fichiers communs\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler: - wlmailhtml - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - See sections below for AppInitDlls and Winlogon settings

========== AppInit_DLLs ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_Dlls" = ppwbae.dll
>File not found --

========== Winlogon Notify Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\]
AtiExtEvent: "DllName" = Ati2evxx.dll -- C:\WINDOWS\system32\ati2evxx.dll (ATI Technologies Inc.)

========== Shell Execute Hooks ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}" (HKLM) -- C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll (Microsoft Corporation)

========== Safeboot Options ==========

"AlternateShell" = cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT []
[2006/03/23 19:16:04 | 00,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]

autoplay.exe [MZ | ]
[2006/09/15 19:31:42 | 00,983,040 | R--- | M] () -- E:\autoplay.exe -- [ UDF ]

Autoplay.ini [[general] | | ; loc id for the "Exit" link | exit = 1004 | | ; loc id for the "Browse CD" link | browse = 1006 | | ; loc id for title of the window | title = 1000 | | ; loc id for the "Play Game" link | play = 1002 | | ; loc id for the "Install Game" link | install = 1001 | | [display] | | ; background bitmap. it will be strecthed to cover the entire window | background = Autorun.bmp | | ; width of the window (in pixels) | width = 640 | | ; height of the window (in pixels) | height = 300 | | ; truetype font to use for the links | fontName = Tahoma | | ; font size (in points) for links displayed in large font | fontLarge = 17 | | ; font size (in points) for links displayed in small font | fontSmall = 15 | | ; text colour for the links | colourNormal = R235 G245 B251 | | ; text colour when the mouse is over a link | colourHover = R255 G230 B52 | | ; text colour when a link is clicked | colourClicked = R255 G0 B0 | | [app] | | ; name of the setup exe to install the game | appsetup = setup.exe | | ; name of the game exe to launch the game | appexec = DarkCrusade.exe | | ; name of the key to look for in the registry | registrykey = Software\THQ\Dawn of War - Dark Crusade | | ; name of the installation folder registry value | registryvalueinstall = InstallLocation | | ; name of the cd key registry value | registryvaluecdkey = CDKEY | | [blockprocesses] | | ; names of processes to block on - if any of these processes is active when the autorun starts, the autorun will abort | | 102 = DarkCrusade.exe | | [links] | | ; each link must follow this format: | ; alpha-sorted-name = loc id of the link, use large font (0/1), command to execute | | ; empty links are allowed, in this format: | ; alpha-sorted-name = 0, 0, | | l01 = 1003, 1, readme.html | l02 = 0, 0, | l04 = 1013, 0, http://www.thq.com | l05 = 1008, 0, http://www.thq.com/support | l06 = 1012, 0, http://www.dawnofwargame.com/register/ | l07 = 1011, 0, directx/dxsetup.exe | l08 = 1014, 0, 
xfire_installer.exe | l09 = 0, 0, | l10 = 0, 0, | l11 = 0, 0 | | ]
[2006/09/15 04:50:54 | 00,001,989 | R--- | M] () -- E:\Autoplay.ini -- [ UDF ]

Autoplay.ucs [1000 Dawn of War: Dark Crusade Launcher | 1001 Install The Game | 1002 Play The Game | 1003 Readme | 1004 Close Window | 1005 Install Adobe Acrobat | 1006 Browse DVD | 1007 Extras | 1008 Support Website | 1009 Full Spectrum Warrior Trailer | 1010 Company of Heroes Trailer | 1011 Install DirectX 9.0c | 1012 Register Online | 1013 THQ Website | 1014 Install XFire | ]
[2006/09/15 04:50:54 | 00,000,706 | R--- | M] () -- E:\Autoplay.ucs -- [ UDF ]

autorun.bmp [BM8Ê | ]
[2006/08/31 23:39:37 | 00,576,056 | R--- | M] () -- E:\autorun.bmp -- [ UDF ]

autorun.inf [[autorun] | open=AutoPlay.exe | icon=AutoPlay.exe | ]
[2006/08/30 13:00:03 | 00,000,049 | R--- | M] () -- E:\autorun.inf -- [ UDF ]

========== MountPoints2 ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E\Shell]
"" = AutoRun


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E\Shell\AutoRun\command]
"" = E:\AutoPlay.exe -- [2006/09/15 19:31:42 | 00,983,040 | R--- | M] ()

========== Files/Folders - Created Within 30 Days ==========

[4 C:\WINDOWS\*.tmp files]
[2008/12/15 22:26:56 | 00,000,846 | ---- | C] () -- C:\Documents and Settings\Dylan\Bureau\Raccourci vers HJT.exe.lnk
[2008/12/15 22:25:45 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2008/12/15 19:20:49 | 00,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2008/12/15 11:35:24 | 00,000,844 | ---- | C] () -- C:\Documents and Settings\All Users\Bureau\Ad-Watch.lnk
[2008/12/15 11:35:24 | 00,000,844 | ---- | C] () -- C:\Documents and Settings\All Users\Bureau\Ad-Aware.lnk
[2008/12/15 03:50:19 | 00,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2008/12/15 03:50:19 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2008/12/15 02:13:48 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Dylan\Application Data\Malwarebytes
[2008/12/15 01:58:42 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Dylan\Application Data\WinRAR
[2008/12/15 01:23:33 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERUNT
[2008/12/14 16:52:17 | 00,000,800 | ---- | C] () -- C:\Documents and Settings\Dylan\Bureau\_NETTOYAGE_&_SECU.lnk
[2008/12/14 16:51:39 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\_NETTOYAGE_&_SECU
[2008/12/14 16:03:15 | 00,000,000 | ---D | C] -- C:\WINDOWS\CSC
[2008/12/14 15:05:48 | 00,000,000 | ---D | C] -- C:\Program Files\AxBx
[2008/12/14 14:44:53 | 00,000,000 | ---D | C] -- C:\MSNCleaner
[2008/12/14 14:34:17 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2008/12/14 14:26:18 | 00,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2008/12/14 13:38:53 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2008/12/14 13:38:50 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2008/12/14 13:38:49 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2008/12/14 13:38:49 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2008/12/14 11:35:21 | 00,027,672 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wuapi.dll.mui
[2008/12/13 19:33:03 | 00,052,786 | ---- | C] () -- C:\WINDOWS\fxstaller.MSNFix


========== Files - Modified Within 30 Days ==========

[3 C:\WINDOWS\System32\*.tmp files]
[4 C:\WINDOWS\*.tmp files]
[2008/12/15 22:26:56 | 00,000,846 | ---- | M] () -- C:\Documents and Settings\Dylan\Bureau\Raccourci vers HJT.exe.lnk
[2008/12/15 22:23:02 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2008/12/15 22:22:43 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2008/12/15 22:22:33 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2008/12/15 19:19:22 | 00,289,869 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\HOSTS
[2008/12/15 11:35:24 | 00,000,844 | ---- | M] () -- C:\Documents and Settings\All Users\Bureau\Ad-Watch.lnk
[2008/12/15 11:35:24 | 00,000,844 | ---- | M] () -- C:\Documents and Settings\All Users\Bureau\Ad-Aware.lnk
[2008/12/15 11:28:44 | 00,289,869 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20081215-191922.backup
[2008/12/15 01:40:47 | 00,000,686 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20081215-112844.backup
[2008/12/14 16:52:17 | 00,000,800 | ---- | M] () -- C:\Documents and Settings\Dylan\Bureau\_NETTOYAGE_&_SECU.lnk
[2008/12/14 11:55:59 | 00,000,477 | ---- | M] () -- C:\Documents and Settings\Dylan\Bureau\Serveur MUSIQUES.lnk
[2008/12/14 11:52:47 | 00,105,416 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2008/12/14 11:30:58 | 00,000,036 | ---- | M] () -- C:\WINDOWS\System32\imon1.dat
[2008/12/13 16:29:49 | 00,000,628 | ---- | M] () -- C:\Documents and Settings\Dylan\Mes documents\Mes dossiers de partage.lnk
[2008/12/13 01:16:20 | 00,052,786 | ---- | M] () -- C:\WINDOWS\fxstaller.MSNFix
[2008/12/09 15:24:38 | 17,593,280 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2008/12/03 19:52:38 | 00,038,496 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2008/12/03 19:52:34 | 00,015,504 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

<End>

--------------------------------------------------------------------------------------------------------------------------

OTListIt Extras logfile created on: 15/12/2008 22:33:11 - Run
OTListIt by OldTimer - Version 1.0.12.1 Folder = C:\Documents and Settings\All Users\Documents\_NETTOYAGE_&_SECU
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 0000080C | Country: Belgique | Language: FRB | Date Format: d/MM/yyyy

511,48 Mb Total Physical Memory | 202,99 Mb Available Physical Memory | 39,69% Memory free
1,22 Gb Paging File | 0,94 Gb Available in Paging File | 76,61% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 39,06 Gb Total Space | 29,59 Gb Free Space | 75,75% Space Free | Partition Type: NTFS
Drive D: | 72,72 Gb Total Space | 6,40 Gb Free Space | 8,80% Space Free | Partition Type: NTFS
Drive E: | 3,43 Gb Total Space | 0,00 Gb Free Space | 0,00% Space Free | Partition Type: UDF
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: PC-DYLAN
Current User Name: Dylan
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2006/10/10 13:44:50 | 00,557,568 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[2007/10/18 10:34:04 | 05,724,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger
[2007/10/02 16:18:24 | 00,304,488 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
File not found -- D:\GAMES\SIERRA\Half-Life\Steam\SteamApps\andy2489\day of defeat\hl.exe:*:Enabled:Half-Life Launcher
File not found -- D:\_Program File\_GAMES\SIERRA\Half-Life\Steam\SteamApps\andy2489\half-life\hl.exe:*:Enabled:Half-Life Launcher
File not found -- D:\_Program File\_GAMES\SIERRA\Half-Life\Steam\SteamApps\andy2489\day of defeat\hl.exe:*:Enabled:Half-Life Launcher
[2007/01/17 16:53:58 | 08,493,568 | ---- | M] () -- D:\_Program File\_GAMES\TrackMania Nations ESWC\TmNationsESWC.exe:*:Enabled:TmNationsESWC
[2008/11/11 17:01:54 | 00,098,304 | ---- | M] () -- D:\_Program File\_GAMES\SIERRA\Half-Life\Steam\SteamApps\andy2489\day of defeat source\hl2.exe:*:Enabled:hl2
File not found -- D:\_Program File\_GAMES\Activision\Civilization-Call to Power\ctp_program\ctp\civctp.exe:*:Enabled:Civilization: Call to Power
File not found -- C:\Program Files\Sierra On-Line\SIGSPat.exe:*:Disabled:SIGSPat
[2006/08/21 22:17:28 | 04,206,658 | ---- | M] (IGN Entertainment, Inc.) -- D:\_Program File\_GAMES\GameSpy Arcade\Aphex.exe:*:Enabled:GameSpy Arcade
[2005/03/10 13:00:26 | 01,286,144 | ---- | M] () -- D:\_Program File\_GAMES\Wolfenstein - Enemy Territory\ET.exe:*:Enabled:ET
File not found -- D:\_Program File\_GAMES\GPotato\SpaceCowboy\SpaceCowboy.exe:*:Enabled:SpaceCowboy
File not found -- D:\_Program File\_GAMES\SIERRA\Half-Life\Steam\SteamApps\andy2489\counter-strike\hl.exe:*:Enabled:Half-Life Launcher
[2004/10/19 13:04:08 | 05,648,384 | ---- | M] () -- D:\_Program File\_GAMES\EA GAMES\Battlefield 1942\BF1942.exe:*:Enabled:BF1942
[2006/08/23 15:29:10 | 07,249,920 | ---- | M] (Techland) -- D:\_Program File\_GAMES\Demo\Call of Juarez MP Demo\CoJMPdemo.exe:*:Enabled:ChromeEngine3
File not found -- D:\_Program File\_GAMES\SIERRA\Half-Life\Steam\SteamApps\andy2489\team fortress classic\hl.exe:*:Enabled:Half-Life Launcher
[2005/01/07 16:01:36 | 00,224,768 | R--- | M] () -- D:\_Program File\_GAMES\SIERRA\FEARCombat\fpupdate.exe:*:Enabled:fpupdate
[2006/08/25 14:54:04 | 05,431,296 | R--- | M] (Monolith Productions, Inc.) -- D:\_Program File\_GAMES\SIERRA\FEARCombat\FEARMP.exe:*:Enabled:FEAR Combat
File not found -- D:\_Program File\_GAMES\SIERRA\Half-Life\Steam\SteamApps\andy2489\deathmatch classic\hl.exe:*:Enabled:Half-Life Launcher
[2006/10/10 13:44:50 | 00,557,568 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[2000/08/27 09:07:02 | 02,580,578 | ---- | M] (Microsoft Corporation) -- D:\_Program File\_GAMES\Crimson Skies\crimson.icd:*:Enabled:Crimson Skies Executable
[2007/11/07 18:42:10 | 11,310,352 | ---- | M] (Turbine, Inc.) -- D:\_Program File\_GAMES\Le Seigneur des Anneaux Online\lotroclient.exe:*:Enabled:lotroclient
[2007/10/03 01:03:39 | 00,066,872 | ---- | M] () -- C:\WINDOWS\system32\PnkBstrA.exe:*:Enabled:PnkBstrA
[2008/09/07 15:01:30 | 00,111,928 | ---- | M] () -- C:\WINDOWS\system32\PnkBstrB.exe:*:Enabled:PnkBstrB
[2007/10/27 17:34:19 | 04,793,584 | ---- | M] (Splash Damage, Ltd.) -- D:\_Program File\_GAMES\SIERRA\Half-Life\Steam\SteamApps\common\enemy territory quake wars demo\etqw.exe:*:Enabled:Enemy Territory: QUAKE Wars
[2008/11/11 16:48:06 | 01,410,296 | ---- | M] (Valve Corporation) -- D:\_Program File\_GAMES\SIERRA\Half-Life\Steam\Steam.exe:*:Enabled:Steam
[2008/11/11 16:50:38 | 00,217,088 | ---- | M] () -- D:\_Program File\_GAMES\SIERRA\Half-Life\Steam\SteamApps\common\red orchestra\System\RedOrchestra.exe:*:Enabled:RedOrchestra
[2005/05/23 00:13:54 | 07,401,174 | ---- | M] () -- D:\_Program File\_GAMES\EA GAMES\Battlefield 2\BF2.exe:*:Enabled:Battlefield 2
File not found -- D:\_Program File\_GAMES\THQ\Frontlines-Fuel of War Beta\Binaries\FFOW-Beta.exe:*:Enabled:Frontlines Game
[2006/09/17 03:15:16 | 03,110,488 | ---- | M] (THQ Canada Inc.) -- D:\_Program File\_GAMES\THQ\Dawn of War - Dark Crusade\DarkCrusade.exe:*:Enabled:DarkCrusade
[2004/10/13 17:24:37 | 01,694,208 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger
[2008/08/18 13:22:46 | 11,997,184 | ---- | M] () -- D:\_Program File\_GAMES\SIERRA\Half-Life\Steam\SteamApps\common\trackmania nations forever\TmForever.exe:*:Enabled:TmForever
[2007/10/18 10:34:04 | 05,724,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger
[2007/10/02 16:18:24 | 00,304,488 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)
[2007/07/02 16:10:58 | 23,237,416 | R--- | M] (Skype Technologies S.A.) -- C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype
[2008/11/20 18:43:02 | 00,106,496 | ---- | M] () -- D:\_Program File\_GAMES\SIERRA\Half-Life\Steam\SteamApps\andy2489\insurgency\hl2.exe:*:Enabled:hl2

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{04858915-9F49-4B2A-AED4-DC49A7DE6A7B}" = Battlefield 2(TM)
"{0684EECC-380C-4B97-8C51-5BDB9E4D679C}" = ArcSoft Software Suite
"{0ED47137-C071-46CC-A243-E5E33271E10E}" = Windows Live Sign-in Assistant
"{127B684B-A002-44C8-99A7-6CF8F1E26873}" = PunkBuster pour Battlefield 1942
"{13599F5D-20A2-449A-BA81-A7D8B98A8DF1}" = Gravis Xperience 4.5
"{225AF9A1-B556-88D5-94AA-0010B5426419}" = My DSC
"{2BA00471-0328-3743-93BD-FA813353A783}" = Microsoft .NET Framework 3.0 Service Pack 1
"{2E8EAC71-BFE4-417A-88F0-5A1BDFBCF5D3}" = Logitech SetPoint
"{350C940c-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3DFF4274-EBB0-4356-9692-972965018954}" = Windows Live Writer
"{3F7924B9-D148-3141-87B1-68F36043A940}" = Microsoft .NET Framework 2.0 Service Pack 1 Language Pack - FRA
"{45235788-142C-44BE-8A4D-DDE9A84492E5}" = AGEIA PhysX v7.09.13
"{472076D2-F0D4-480A-A05E-59CC7CA06D78}" = GameShadow
"{511DF669-2930-30C0-8EB6-552887E29EC8}" = Microsoft .NET Framework 3.0 Service Pack 1 Language Pack - FRA
"{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}" = Skype™ 3.2
"{698D7E61-E4BF-4CA6-8A09-CF6BDBFDEF65}" = Battlefield 1942
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{75E607CF-7BAE-4B88-84B3-97F3DF44BA28}" = FEARCombat
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{9A394342-4A68-4EBA-85A6-55B559F4E700}" = Microsoft .NET Framework 1.1 French Language Pack
"{A594DE4B-ED0D-4168-BF52-40C9A14ECD20}_is1" = Call of Juarez MP Demo
"{A70FA218-6598-4AC9-813D-63597C5DD068}" = Galerie de photos Windows Live
"{ABDA708A-5180-207F-30CE-675965461036}" = Nero 7 Demo
"{AC76BA86-7AD7-1036-7B44-A70900000002}" = Adobe Reader 7.0.9 - Français
"{AC76BA86-7AD7-5464-3428-7050000000A7}" = Adobe Reader 7.0.5 Language Support
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B508B3F1-A24A-32C0-B310-85786919EF28}" = Microsoft .NET Framework 2.0 Service Pack 1
"{B73B4A99-4173-4747-BBEC-0F05E966F9D2}" = Battlefield 1942: Secret Weapons of WWII
"{BADF6744-3787-48F6-B8C9-4C4995401D65}" = Windows Live Messenger
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{C514C594-23AA-4F13-A070-DB8BDB27594F}" = Windows Live Mail
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{D057AA08-8CBF-42E3-9EAB-23B8FED1C279}" = Battlefield 1942: The Road To Rome
"{D7A6C517-11F2-419F-B5BB-27772B939698}" = NvMixer
"{DBC3FDEC-D5F4-439C-9A18-EF454A74E3DE}_is1" = NOD32 FiX v1.9
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{ECD03DA7-5952-406A-8156-5F0C93618D1F}" = PC-30
"{EE7B9A8D-19F0-450D-8E94-3E391E6044CD}" = KhalSetup
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{FD44E544-E7D0-4DBA-9FA0-8AE1A1300390}" = Windows Live installer
"{FF39FC01-819B-42E4-AE49-1968AF12DDD4}" = Dawn of War - Dark Crusade
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player
"Alexander" = Alexander
"AnyDVD" = AnyDVD
"ATI Display Driver" = ATI Display Driver (Omega 3.8.442)
"CCleaner" = CCleaner (remove only)
"Clean Virus MSN_is1" = Clean Virus MSN
"Crimson Skies 1.0" = Microsoft Crimson Skies
"DesertCombat" = DesertCombat 0.7
"Dofus 1.25.0" = Dofus 1.25.0
"du Mappack 8" = du Mappack 8
"DVD Shrink_is1" = DVD Shrink 3.2
"f1da9168-b3a1-4c92-8eb3-faf5506d20bf_is1" = Le Seigneur des Anneaux Online™: Les Ombres d'Angmar™ v07.11.30
"Forgotten Hope" = Forgotten Hope 0.70
"GameSpy Arcade" = GameSpy Arcade
"Half-Life" = Half-Life
"HijackThis" = HijackThis 2.0.2
"Icon Restore_is1" = Icon Restore 1.0
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MAP PACK BERNADETTE" = MAP PACK BERNADETTE
"Mapack 7" = Mapack 7
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSNINST" = MSN
"MultiRes (remove only)" = MultiRes (remove only)
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NOD32" = NOD32 Antivirus System
"NVIDIA Drivers" = NVIDIA Drivers
"pdfFactory Pro" = pdfFactory Pro
"Picasa2" = Picasa 2
"Quake 4 Multiplayer Demo" = Quake 4 Multiplayer Demo 1.4.2
"Radeon Omega Drivers for Windows 2k/XPv3.8.231" = Radeon Omega Drivers v3.8.231 Setup Files and Tools
"Radeon Omega Drivers for Windows XP/2kv4.8.442" = Radeon Omega Drivers v4.8.442 Setup Files and Tools
"Steam" = Steam
"Steam App 11020" = TrackMania Nations Forever
"Steam App 1230" = Mare Nostrum
"Steam App 17700" = Insurgency
"Steam App 440" = Team Fortress 2
"Teamspeak 2 RC2_is1" = TeamSpeak 2 RC2
"TmNations_is1" = TrackMania Nations ESWC 1.7.9
"Totalcmd" = Total Commander (Remove or Repair)
"Utilitaires Sierra" = Utilitaires Sierra
"VLC media player" = VideoLAN VLC media player 0.8.6c
"Wakfu" = Wakfu
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Lecteur Windows Media 11
"WinRAR archiver" = Archiveur WinRAR
"WMCSetup" = Windows Media Connect
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wolfenstein - Enemy Territory" = Wolfenstein - Enemy Territory
"Wow Cartographe" = Wow Cartographe 1.07
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Xfire" = Xfire (remove only)
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"XPSEPSCLP" = XML Paper Specification Shared Components Language Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 15/11/2008 17:37:08 | Computer Name = PC-DYLAN | Source = Application Hang | ID = 1002
Description = Application bloquée iexplore.exe, version 7.0.6000.16705, module bloqué
hungapp, version 0.0.0.0, adresse de blocage 0x00000000.

Error - 15/11/2008 17:37:09 | Computer Name = PC-DYLAN | Source = Application Hang | ID = 1002
Description = Application bloquée iexplore.exe, version 7.0.6000.16705, module bloqué
hungapp, version 0.0.0.0, adresse de blocage 0x00000000.

Error - 15/11/2008 17:42:10 | Computer Name = PC-DYLAN | Source = Application Hang | ID = 1002
Description = Application bloquée wmplayer.exe, version 11.0.5721.5145, module bloqué
hungapp, version 0.0.0.0, adresse de blocage 0x00000000.

Error - 15/11/2008 17:45:57 | Computer Name = PC-DYLAN | Source = Application Hang | ID = 1002
Description = Application bloquée iexplore.exe, version 7.0.6000.16705, module bloqué
hungapp, version 0.0.0.0, adresse de blocage 0x00000000.

Error - 14/12/2008 7:10:52 | Computer Name = PC-DYLAN | Source = Application Hang | ID = 1002
Description = Application bloquée iexplore.exe, version 7.0.6000.16762, module bloqué
hungapp, version 0.0.0.0, adresse de blocage 0x00000000.

Error - 14/12/2008 7:59:55 | Computer Name = PC-DYLAN | Source = Application Error | ID = 1000
Description = Application défaillante qoykeeg.exe, version 0.0.0.0, module défaillant
unknown, version 0.0.0.0, adresse de défaillance 0x00c5e87a.

Error - 14/12/2008 8:56:07 | Computer Name = PC-DYLAN | Source = Application Error | ID = 1000
Description = Application défaillante qoykeeg.exe, version 0.0.0.0, module défaillant
unknown, version 0.0.0.0, adresse de défaillance 0x00d8e87a.

Error - 14/12/2008 11:51:06 | Computer Name = PC-DYLAN | Source = Application Error | ID = 1000
Description = Application défaillante qoykeeg.exe, version 0.0.0.0, module défaillant
unknown, version 0.0.0.0, adresse de défaillance 0x00d8e87a.

Error - 14/12/2008 18:04:19 | Computer Name = PC-DYLAN | Source = Application Error | ID = 1000
Description = Application défaillante qoykeeg.exe, version 0.0.0.0, module défaillant
unknown, version 0.0.0.0, adresse de défaillance 0x00e3e87a.

Error - 15/12/2008 8:05:47 | Computer Name = PC-DYLAN | Source = Application Hang | ID = 1002
Description = Application bloquée Ad-Aware.exe, version 7.1.0.11, module bloqué
hungapp, version 0.0.0.0, adresse de blocage 0x00000000.

[ System Events ]
Error - 14/12/2008 20:57:56 | Computer Name = PC-DYLAN | Source = Service Control Manager | ID = 7026
Description = Le pilote de démarrage système ou d'amorçage suivant n'a pas pu se
charger : AFD AmdK7 atitray Fips IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip WS2IFSL

Error - 14/12/2008 21:06:04 | Computer Name = PC-DYLAN | Source = DCOM | ID = 10005
Description = DCOM a reçu l'erreur "%1084" lors de la mise en route du service EventSystem
avec les arguments "" pour démarrer le serveur : {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 14/12/2008 21:07:32 | Computer Name = PC-DYLAN | Source = ati2mtag | ID = 45062
Description = CRT invalid display type

Error - 14/12/2008 22:44:38 | Computer Name = PC-DYLAN | Source = ati2mtag | ID = 45062
Description = CRT invalid display type

Error - 14/12/2008 22:48:23 | Computer Name = PC-DYLAN | Source = ati2mtag | ID = 45062
Description = CRT invalid display type

Error - 14/12/2008 23:05:57 | Computer Name = PC-DYLAN | Source = ati2mtag | ID = 45062
Description = CRT invalid display type

Error - 15/12/2008 8:04:48 | Computer Name = PC-DYLAN | Source = Service Control Manager | ID = 7034
Description = Le service Lavasoft Ad-Aware Service s'est terminé de façon inattendue
pour la 1ème fois.

Error - 15/12/2008 8:10:04 | Computer Name = PC-DYLAN | Source = ati2mtag | ID = 45062
Description = CRT invalid display type

Error - 15/12/2008 14:13:02 | Computer Name = PC-DYLAN | Source = DCOM | ID = 10005
Description = DCOM a reçu l'erreur "%1058" lors de la mise en route du service wuauserv
avec les arguments "" pour démarrer le serveur : {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error - 15/12/2008 17:23:02 | Computer Name = PC-DYLAN | Source = ati2mtag | ID = 45062
Description = CRT invalid display type


<End>
----------------------------------------------------------------------------------------------------------------
Pantalon
 
Posts: 3
Joined: 14 Dec 2008, 16:36
Location: Bruxelles, Belgium

Post by nickW » 16 Dec 2008, 11:58

Hello,

Pantalon wrote: VundoFix (there was nothing left)

One should not write "there was nothing left", but "VundoFix found nothing".
Note: VundoFix has not been updated for a long time and does not detect much nowadays.


There are now only two lines in the logs related to the infection, and they are inactive.


Cleanup:

Note: These operations must be carried out while logged on to a session with "Administrator rights" (do not use the user profile named "Administrateur" that is visible in Safe Mode).
Under Windows XP, to check whether an account has "Administrator" rights:
Start---->Settings---->Control Panel---->User Accounts
Next to the icon of certain accounts (apart from the one named "Administrateur"), it says "Computer administrator".
It is one of these accounts that must be used.



Step 1: ERUNT (by Lars Hederer): Registry backup
Download ERUNT from the page: http://www.larshederer.homepage.t-online.de/erunt/
Under Download ERUNT:, download erunt-setup.exe
Also download the French language file: under French, download the file erunt-loc_fr.zip

Install ERUNT by double-clicking erunt-setup.exe
Unzip the erunt-loc_fr.zip archive (under XP, right-click then Extract All) and place the extracted files in the ERUNT installation folder.

Launch ERUNT by double-clicking ERUNT.EXE
On the Welcome message, click OK
In the window titled "ERU for Windows NT", tick all the backup options (System registry, Current user registry and Other open user registries)
Then click OK
Accept the creation of the folder (in the Windows\ERDNT\ folder) by clicking Yes.
Wait for the backup to finish, signalled by the message "Registry backup completed", and click OK.


Step 2: OTMoveIt3 (by OldTimer)
Download OTMoveIt3 via a right-click on the link below:
http://oldtimer.geekstogo.com/OTMoveIt3.exe
Save the file to the Desktop.

Open a Notepad window via Start---->Run, type notepad then click OK
Select all the lines in the white area under "Code:" below, then press the Ctrl and C keys simultaneously

Code:
rien
:Processes
explorer.exe

:Reg
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"qoykeeg"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_Dlls"=""

:Commands
[start explorer]
[emptytemp]



Return to the Notepad window, right-click in the window and choose Paste
Check in the Format menu (at the top) that "Word Wrap" is not active (not ticked).
Save the file under the name OTMI-1.txt
Close Notepad.
Note: The lines in the Code area above were created exclusively for THIS user: Pantalon.
If you are not THIS user, do not use them: they could damage your system.



Step 3: OTMoveIt3 (by OldTimer)
Double-click OTMoveIt3.exe to start the tool.
Open the file OTMI-1.txt in Notepad.
In Notepad, click the Edit menu (at the top) and choose Select All.
In Notepad, click the Edit menu (at the top) and choose Copy.

Go back to the OTMoveIt3 window, right-click inside the left-hand pane named "Paste Instructions for Items to be Moved" and choose Paste.

Click the MoveIt! button.
Wait for the tool to finish, then close OTMoveIt3.
Note: A reboot is sometimes required. If asked, click Oui/Yes


Step 4: Results
Post in reply:

*- the OTMoveIt3 report (contents of the file Drive\_OTMoveIt\MovedFiles\********_******.log - the *** are digits giving the date [monthdayyear] and the time)
[Drive is the partition OTMoveIt3 was run from, usually C:]
*- a fresh HijackThis log
*- the report from the Kaspersky online scan


Another remark:
The Event Viewer reports problems with the video card driver.
See: http://www.eventid.net/display.asp?even ... ag&phase=1

Also see these two lines (visible in Add/Remove Programs):
"Radeon Omega Drivers for Windows 2k/XPv3.8.231" = Radeon Omega Drivers v3.8.231 Setup Files and Tools
"Radeon Omega Drivers for Windows XP/2kv4.8.442" = Radeon Omega Drivers v4.8.442 Setup Files and Tools

Does Device Manager report anything?
Start---->Settings---->Control Panel---->System---->Hardware tab--->Device Manager button

When was this driver last updated?

To be continued,
nickW
30/07/2012: No more PC disinfection until further notice.
No log analysis requests by PM (Private Message)
My configs
nickW
Moderator
Posts: 21698
Joined: 20 May 2004, 17:41
Location: Dordogne/Île de France
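The OTMoveIt3 script in nickW's post removes the "qoykeeg" value from the HKCU Run key and clears AppInit_DLLs. As an added example (not part of the thread, and not one of the tools it uses), this PowerShell check lets the user confirm afterwards that both persistence points are clean; the value name and the two key paths are the ones given in the script, and it assumes it is run in the session of the affected user.

```powershell
# Added verification script: re-audits the two registry locations the
# OTMoveIt3 script targeted. Read-only; it changes nothing.
$runKey     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$appInitKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$suspect    = 'qoykeeg'   # value name taken from the OTMoveIt3 script above

# 1. Is the "qoykeeg" autostart value still there?
$hit = Get-ItemProperty -Path $runKey -Name $suspect -ErrorAction SilentlyContinue
if ($hit) {
    Write-Output ("STILL PRESENT: {0}\{1} = {2}" -f $runKey, $suspect, $hit.$suspect)
} else {
    Write-Output ("OK: no '{0}' value under {1}" -f $suspect, $runKey)
}

# 2. List every remaining HKCU Run entry so unknown ones can be reviewed.
#    PS* properties are PowerShell metadata, not registry values.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    $run.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { Write-Output ("Run entry: {0} = {1}" -f $_.Name, $_.Value) }
}

# 3. AppInit_DLLs should be empty after the [:Reg] section ran.
$appInit = (Get-ItemProperty -Path $appInitKey -Name 'AppInit_DLLs' `
            -ErrorAction SilentlyContinue).AppInit_DLLs
if ([string]::IsNullOrWhiteSpace($appInit)) {
    Write-Output "OK: AppInit_DLLs is empty"
} else {
    Write-Output ("CHECK: AppInit_DLLs = '{0}' (any DLL listed here loads into every GUI process)" -f $appInit)
}
```

Reading the HKLM value needs no elevation; only the HKCU Run key of the account that was logged in when the infection happened is relevant, so run it from that account.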

As soon as I can... THANK YOU already + backup question ???

Post by Pantalon » 20 Dec 2008, 00:16

Good evening nickW,
Sorry for the delay, and thank you already for your reply, which delights me... Thanks to you and your counterparts on the Web (and their software and tutorials), I learn that I managed to clean, properly and fully (well, almost), the poor PC vandalised by an unfortunate click from its very young owner (who thanks you with all his heart!!! - well, not yet, he must be suffering from the lack of foresight of his action).

Getting to the point: as for the graphics card and its driver (well, its drivers), it works perfectly despite the "invalid display" message. I would not dare to change and update it except after a full backup of the PC, so as to keep the meagre performance still obtained in the heavily used 3D games...

Speaking of backup, what is best:
the whole PC (C and D), C only, or just the system folder on C ??? (I have never done one despite the 4 machines at home).
The best/simplest/most efficient software is ??? Ghost ??? Drive Image ???
Can I do it safely and relatively easily onto my network NAS ???
Silly questions, but from a beginner in this area (a bit naive too, or rather reckless).

Thanking you again, in my name and my son's, I will keep you posted as soon as time allows me to resume the operations. Vincent.
Pantalon
Posts: 3
Joined: 14 Dec 2008, 16:36
Location: Bruxelles, Belgium
