Re.
I think something is wrong!
At the end of the scan I saw no pop-up, only the scan window was still displayed, so I no longer know what to do. There were these two reports, which I am posting for you:
1)
Results of system analysis
Kaspersky Virus Removal Tool 2010 9.0.0.722 (database released 25/12/2009; 06:53)
List of processes
File name | PID | Description | Copyright | MD5 | Information
c:\windows\explorer.exe | 832 | Explorateur Windows | © Microsoft Corporation. Tous droits réservés. | ?? | 1013.50 kb, rsah, created: 13/04/2008 17:34:04, modified: 13/04/2008 17:34:04
  Command line: C:\WINDOWS\Explorer.EXE
c:\windows\system32\winlogon.exe | 244 | Application d'ouverture de session Windows NT | © Microsoft Corporation. Tous droits réservés. | ?? | 500.00 kb, rsah, created: 13/04/2008 17:34:30, modified: 13/04/2008 17:34:30
  Command line: winlogon.exe
Detected: 12, recognized as trusted 12
Module name | Handle | Description | Copyright | MD5 | Used by processes
C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\PDFShell.FRA | 29229056 | PDF Shell Extension | Copyright 2000-2007 Adobe Systems, Inc. | – | 832
C:\WINDOWS\system32\WgaLogon.dll | 17891328 | Windows Genuine Advantage Notifications | © 1995-2008 Microsoft Corporation | – | 244
Modules detected: 231, recognized as trusted 229
Kernel Space Modules Viewer
Module | Base address | Size in memory | Description | Manufacturer
C:\WINDOWS\System32\Drivers\dump_atapi.sys | BACEF000 | 018000 (98304) | |
C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS | F79B5000 | 002000 (8192) | |
Modules detected - 74, recognized as trusted - 72
Services
Service | Description | Status | File | Group | Dependencies
gusvc | Google Software Updater | Not started | C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe | | RPCSS
NMIndexingService | NMIndexingService | Not started | C:\Program Files\Fichiers communs\Ahead\Lib\NMIndexingService.exe | | RPCSS
NVSvc | NVIDIA Display Driver Service | Not started | C:\WINDOWS\system32\nvsvc32.exe | |
WMPNetworkSvc | Service Partage réseau du Lecteur Windows Media | Not started | C:\Program Files\Windows Media Player\WMPNetwk.exe | | upnphost
Detected - 110, recognized as trusted - 106
Drivers
Service | Description | Status | File | Group | Dependencies
Abiosdsk | Abiosdsk | Not started | Abiosdsk.sys | Primary disk |
abp480n5 | abp480n5 | Not started | abp480n5.sys | SCSI miniport |
adpu160m | adpu160m | Not started | adpu160m.sys | SCSI miniport |
Aha154x | Aha154x | Not started | Aha154x.sys | SCSI miniport |
aic78u2 | aic78u2 | Not started | aic78u2.sys | SCSI miniport |
aic78xx | aic78xx | Not started | aic78xx.sys | SCSI miniport |
AliIde | AliIde | Not started | AliIde.sys | System Bus Extender |
amsint | amsint | Not started | amsint.sys | SCSI miniport |
asc | asc | Not started | asc.sys | SCSI miniport |
asc3350p | asc3350p | Not started | asc3350p.sys | SCSI miniport |
asc3550 | asc3550 | Not started | asc3550.sys | SCSI miniport |
Atdisk | Atdisk | Not started | Atdisk.sys | Primary disk |
catchme | catchme | Not started | C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys | Base |
cd20xrnt | cd20xrnt | Not started | cd20xrnt.sys | SCSI miniport |
Changer | Changer | Not started | Changer.sys | Filter |
CmdIde | CmdIde | Not started | CmdIde.sys | System Bus Extender |
Cpqarray | Cpqarray | Not started | Cpqarray.sys | SCSI miniport |
dac960nt | dac960nt | Not started | dac960nt.sys | SCSI miniport |
dpti2o | dpti2o | Not started | dpti2o.sys | SCSI miniport |
GPU-Z | GPU-Z | Not started | GPU-Z.sys | |
hpn | hpn | Not started | hpn.sys | SCSI miniport |
i2omgmt | i2omgmt | Not started | i2omgmt.sys | SCSI Class |
i2omp | i2omp | Not started | i2omp.sys | SCSI miniport |
ini910u | ini910u | Not started | ini910u.sys | SCSI miniport |
IntelIde | IntelIde | Not started | IntelIde.sys | System Bus Extender |
lbrtfdc | lbrtfdc | Not started | lbrtfdc.sys | System Bus Extender |
mraid35x | mraid35x | Not started | mraid35x.sys | SCSI miniport |
nv | nv | Not started | C:\WINDOWS\system32\DRIVERS\nv4_mini.sys | Video |
PCIDump | PCIDump | Not started | PCIDump.sys | PCI Configuration |
PDCOMP | PDCOMP | Not started | PDCOMP.sys | |
PDFRAME | PDFRAME | Not started | PDFRAME.sys | |
PDRELI | PDRELI | Not started | PDRELI.sys | |
PDRFRAME | PDRFRAME | Not started | PDRFRAME.sys | |
perc2 | perc2 | Not started | perc2.sys | SCSI miniport |
perc2hib | perc2hib | Not started | perc2hib.sys | Filter |
ql1080 | ql1080 | Not started | ql1080.sys | SCSI miniport |
Ql10wnt | Ql10wnt | Not started | Ql10wnt.sys | SCSI miniport |
ql12160 | ql12160 | Not started | ql12160.sys | SCSI miniport |
ql1240 | ql1240 | Not started | ql1240.sys | SCSI miniport |
ql1280 | ql1280 | Not started | ql1280.sys | SCSI miniport |
Simbad | Simbad | Not started | Simbad.sys | Filter |
Sparrow | Sparrow | Not started | Sparrow.sys | SCSI miniport |
sym_hi | sym_hi | Not started | sym_hi.sys | SCSI miniport |
sym_u3 | sym_u3 | Not started | sym_u3.sys | SCSI miniport |
symc810 | symc810 | Not started | symc810.sys | SCSI miniport |
symc8xx | symc8xx | Not started | symc8xx.sys | SCSI miniport |
TosIde | TosIde | Not started | TosIde.sys | System Bus Extender |
ultra | ultra | Not started | ultra.sys | SCSI miniport |
ViaIde | ViaIde | Not started | ViaIde.sys | System Bus Extender |
WDICA | WDICA | Not started | WDICA.sys | |
ZD1211BU(Atheros) | ZyDAS ZD1211B IEEE 802.11 b+g Wireless LAN Driver (USB)(Atheros) | Not started | C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys | NDIS |
Detected - 208, recognized as trusted - 157
Autoruns
File name | Status | Startup method | Description
C:\Program Files\Alwil Software\Avast4\aswRes.dll | Active | Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Antivirus\avast!, EventMessageFile |
C:\Program Files\Bonjour\mDNSResponder.exe | Active | Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Bonjour Service, EventMessageFile |
C:\Program Files\FlashFXP\FlashFXP.exe | Active | Shortcut in Autoruns folder C:\Documents and Settings\Administrateur\Application Data\Microsoft\Internet Explorer\Quick Launch, C:\Documents and Settings\Administrateur\Application Data\Microsoft\Internet Explorer\Quick Launch\FlashFXP.lnk |
C:\Program Files\Free 3GP Converter\Free3GPConverter.exe | Active | Shortcut in Autoruns folder C:\Documents and Settings\Administrateur\Application Data\Microsoft\Internet Explorer\Quick Launch, C:\Documents and Settings\Administrateur\Application Data\Microsoft\Internet Explorer\Quick Launch\Free 3GP Converter.lnk |
C:\Program Files\Free Video Converter\FreeVideoConverter.exe | Active | Shortcut in Autoruns folder C:\Documents and Settings\Administrateur\Application Data\Microsoft\Internet Explorer\Quick Launch, C:\Documents and Settings\Administrateur\Application Data\Microsoft\Internet Explorer\Quick Launch\Free Video Converter.lnk |
C:\Program Files\Mobile Partner\Mobile Partner.exe | Active | Registry key HKEY_USERS, S-1-5-21-1275210071-1202660629-1177238915-500\Software\Microsoft\Windows\CurrentVersion\Run, Mobile Partner |
C:\Program Files\MyPlayCity.com\Need For Extreme 3D\NFE3D.exe | Active | Shortcut in Autoruns folder C:\Documents and Settings\Administrateur\Application Data\Microsoft\Internet Explorer\Quick Launch, C:\Documents and Settings\Administrateur\Application Data\Microsoft\Internet Explorer\Quick Launch\Need For Extreme 3D.lnk |
C:\Program Files\SABnzbd\SABnzbd.exe | Active | Shortcut in Autoruns folder C:\Documents and Settings\Administrateur\Application Data\Microsoft\Internet Explorer\Quick Launch, C:\Documents and Settings\Administrateur\Application Data\Microsoft\Internet Explorer\Quick Launch\SABnzbd.lnk |
C:\Program Files\Videos To DVD\VideosToDVD.exe | Active | Shortcut in Autoruns folder C:\Documents and Settings\Administrateur\Application Data\Microsoft\Internet Explorer\Quick Launch, C:\Documents and Settings\Administrateur\Application Data\Microsoft\Internet Explorer\Quick Launch\Free Videos To DVD.lnk |
C:\Program Files\WinAVI MP4 Converter\WinAVI MP4 Converter.exe | Active | Shortcut in Autoruns folder C:\Documents and Settings\Administrateur\Application Data\Microsoft\Internet Explorer\Quick Launch, C:\Documents and Settings\Administrateur\Application Data\Microsoft\Internet Explorer\Quick Launch\WinAVI MP4 Converter.lnk |
C:\Program Files\WinMover\WinMover.exe | Active | Registry key HKEY_USERS, S-1-5-21-1275210071-1202660629-1177238915-500\Software\Microsoft\Windows\CurrentVersion\Run, WinMover |
C:\Program Files\Windows Media Player\WMPNetwk.exe | Active | Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\WMPNetworkSvc, EventMessageFile |
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\fr\aspnet_rc.dll | Active | Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\ASP.NET 2.0.50727.0, EventMessageFile |
C:\WINDOWS\System32\PrintFilterPipelineSvc.exe | Active | Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\PrintFilterPipelineSvc, EventMessageFile |
C:\WINDOWS\System32\hidserv.dll | Active | Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\HidServ\Parameters, ServiceDll |
C:\WINDOWS\System32\igmpv2.dll | Active | Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IGMPv2, EventMessageFile |
C:\WINDOWS\System32\ipbootp.dll | Active | Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IPBOOTP, EventMessageFile |
C:\WINDOWS\System32\iprip2.dll | Active | Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IPRIP2, EventMessageFile |
C:\WINDOWS\System32\ospf.dll | Active | Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\OSPF, EventMessageFile |
C:\WINDOWS\System32\ospfmib.dll | Active | Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\OSPFMib, EventMessageFile |
C:\WINDOWS\System32\polagent.dll | Active | Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\PolicyAgent, EventMessageFile |
C:\WINDOWS\System32\tssdis.exe | Active | Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\TermServSessDir, EventMessageFile |
C:\WINDOWS\system32\DivX.dll | Active | Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Drivers32, vidc.DIVX |
C:\WINDOWS\system32\DivX.dll | Active | Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Drivers32, vidc.yv12 |
C:\WINDOWS\system32\JKDEFR~1.SCR | Active | Registry key HKEY_USERS, S-1-5-20\Control Panel\Desktop, scrnsave.exe |
C:\WINDOWS\system32\MsSip1.dll | Active | Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\WinTrust\SubjectPackages\MS Subjects 1, $DLL |
C:\WINDOWS\system32\MsSip2.dll | Active | Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\WinTrust\SubjectPackages\MS Subjects 2, $DLL |
C:\WINDOWS\system32\MsSip3.dll | Active | Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\WinTrust\SubjectPackages\MS Subjects 3, $DLL |
C:\WINDOWS\system32\NvCpl.dll | Active | Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, NvCplDaemon |
C:\WINDOWS\system32\NvMcTray.dll | Active | Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, NvMediaCenter |
C:\WINDOWS\system32\stisvc.exe | Active | Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System, EventMessageFile |
D:\Picasa2\Picasa2.exe | Active | Shortcut in Autoruns folder C:\Documents and Settings\Administrateur\Application Data\Microsoft\Internet Explorer\Quick Launch, C:\Documents and Settings\Administrateur\Application Data\Microsoft\Internet Explorer\Quick Launch\Picasa2.lnk |
WgaLogon.dll | Active | Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon, DLLName |
kbd101.dll | Active | Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\i8042prt\Parameters, LayerDriver JPN |
kbd101a.dll | Active | Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\i8042prt\Parameters, LayerDriver KOR |
mvfs32.dll | Active | Registry key HKEY_USERS, .DEFAULT\Control Panel\IOProcs, MVB |
mvfs32.dll | Active | Registry key HKEY_USERS, S-1-5-20\Control Panel\IOProcs, MVB |
mvfs32.dll | Active | Registry key HKEY_USERS, S-1-5-18\Control Panel\IOProcs, MVB |
mvfs32.dll | Active | Registry key HKEY_USERS, S-1-5-21-1275210071-1202660629-1177238915-500\Control Panel\IOProcs, MVB |
nvoglnt.dll | Active | Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\OpenGLDrivers\RIVATNT, DLL |
vgafix.fon | Active | Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, fixedfon.fon |
vgaoem.fon | Active | Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, oemfonts.fon |
vgasys.fon | Active | Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, fonts.fon |
Autoruns items detected - 633, recognized as trusted - 590
Microsoft Internet Explorer extension modules (BHOs, Toolbars …)
File name | Type | Description | Manufacturer | CLSID
C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll | BHO | Epson Easy Photo Print (TBL) | Copyright © SEIKO EPSON CORPORATION 2008, All rights reserved. | {9421DD08-935F-4701-A9CA-22DF90AC4EA6}
Extension module {2670000A-7350-4f3c-8081-5663EE0C6C49}
Extension module {92780B25-18CC-41C8-B9BE-3C9C571A8263}
Extension module {B205A35E-1FC4-4CE3-818B-899DBBB3388C}
Elements detected - 19, recognized as trusted - 15
Windows Explorer extension modules
File name | Destination | Description | Manufacturer | CLSID
Extensions de l'environnement de compression de fichiers {764BF0E1-F219-11ce-972D-00AA00A14F56}
Menu contextuel de cryptage {853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}
C:\WINDOWS\system32\ShellExt\CmdOpen.dll | CmdOpen Shell Extension | Open Command Prompt Shell Extension | Copyright © Kai Liu. All rights reserved. | {693B08DA-DA1F-4f2b-A145-C06BDF01868A}
Barre des tâches et menu Démarrer {0DF44EAA-FF21-4412-828E-260A8728E7F1}
rundll32.exe C:\WINDOWS\system32\shimgvw.dll,ImageView_COMServer | Autoplay for SlideShow | | | {00E7B358-F65B-4dcf-83DF-CD026B94BFD4}
Comptes d'utilisateurs {7A9D77BD-5403-11d2-8785-2E0420524153}
C:\WINDOWS\system32\Audiodev.dll | Portable Media Devices | Portable Media Devices Shell Extension | Copyright © Microsoft Corporation. All rights reserved. | {640167b4-59b0-47a6-b335-a6b3c0695aea}
QuickPar ContextMenu extension {D120D80B-BD26-4A74-8E43-2C2AF0966139}
NeroDigitalIconHandler {B327765E-D724-4347-8B16-78AE18552FC3}
NeroDigitalPropSheetHandler {7F1CF152-04F8-453A-B34C-E609530A9DC8}
Glary Utilities Context Menu Shell Extension {72923739-5A47-40A3-9895-25AF0DFBB9E4}
"C:\Program Files\Windows Live\Photo Gallery\WLXPhotoGallery.exe" /PhotoViewerComServer | Windows Live Photo Gallery Autoplay Drop Target | | | {2BE99FD4-A181-4996-BFA9-58C5FFD11F6C}
"C:\Program Files\Windows Live\Photo Gallery\WLXPhotoGallery.exe" /PhotoViewerComServer | Windows Live Photo Gallery Viewer Drop Target | | | {00F30F64-AC33-42F5-8FD1-5DC2D3FDE06C}
"C:\Program Files\Windows Live\Photo Gallery\WLXPhotoGallery.exe" /PhotoViewerComServer | Windows Live Photo Gallery Editor Drop Target | | | {00F374B7-B390-4884-B372-2FC349F2172B}
deskpan.dll | Extension Affichage Panorama du Panneau de configuration | | | {42071714-76d4-11d1-8b24-00a0c9068ff3}
C:\WINDOWS\system32\nvcpl.dll | NvCpl DesktopContext Class | NVIDIA Display Properties Extension | © NVIDIA Corporation. All rights reserved. | {A70C977A-BF00-412C-90B7-034C51DA2439}
C:\WINDOWS\system32\nvshell.dll | Desktop Explorer | | | {1CDB2949-8F65-4355-8456-263E7C208A5D}
C:\WINDOWS\system32\nvshell.dll | Desktop Explorer Menu | | | {1E9B04FB-F9E5-4718-997B-B8DA88302A47}
C:\WINDOWS\system32\nvshell.dll | nView Desktop Context Menu | | | {1E9B04FB-F9E5-4718-997B-B8DA88302A48}
C:\WINDOWS\system32\nvcpl.dll | Play on my TV helper | NVIDIA Display Properties Extension | © NVIDIA Corporation. All rights reserved. | {FFB699E0-306A-11d3-8BD1-00104B6F7516}
ColumnHandler {7D4D6379-F301-4311-BEBA-E26EB0561882}
Elements detected - 248, recognized as trusted - 227
Printing system extensions (print monitors, providers)
File name Type Name Description Manufacturer
Elements detected - 9, recognized as trusted - 9
Task Scheduler jobs
File name | Job name | Job status | Description | Manufacturer
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe | Google Software Updater.job | The task has not yet run. | |
C:\WINDOWS\tasks\JkDefragTask.cmd | JkDefrag.job | The task has not yet run. | |
C:\WINDOWS\system32\OGAEXEC.exe | OGALogon.job | The task has not yet run. | |
Elements detected - 7, recognized as trusted - 4
SPI/LSP settings
Namespace providers (NSP) Provider Status EXE file Description GUID
Detected - 4, recognized as trusted - 4
Transport protocol providers (TSP, LSP) Provider EXE file Description
Detected - 28, recognized as trusted - 28
Results of automatic SPI settings check: LSP settings checked. No errors detected
TCP/UDP ports
Port Status Remote Host Remote Port Application Notes
TCP ports
UDP ports
Downloaded Program Files (DPF)
File name Description Manufacturer CLSID Source URL
Elements detected - 4, recognized as trusted - 4
Control Panel Applets (CPL)
File name | Description | Manufacturer
C:\WINDOWS\system32\cttune.cpl | ClearType Tuning Applet | Copyright © 2002 - 2004 Microsoft Corp.
C:\WINDOWS\system32\javacpl.cpl | Java™ Control Panel | Copyright © 2004
C:\WINDOWS\system32\nvtuicpl.cpl | |
Elements detected - 31, recognized as trusted - 28
Active Setup
File name Description Manufacturer CLSID
Elements detected - 17, recognized as trusted - 17
HOSTS file
Hosts file record
127.0.0.1 localhost
Protocols and handlers
File name | Type | Description | Manufacturer | CLSID
mscoree.dll | Protocol | Microsoft .NET Runtime Execution Engine () | © Microsoft Corporation. All rights reserved. | {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
mscoree.dll | Protocol | Microsoft .NET Runtime Execution Engine () | © Microsoft Corporation. All rights reserved. | {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
mscoree.dll | Protocol | Microsoft .NET Runtime Execution Engine () | © Microsoft Corporation. All rights reserved. | {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Elements detected - 34, recognized as trusted - 31
Suspicious objects
File Description Type
Main script of analysis
Windows version: Microsoft Windows XP, Build=2600, SP=“Service Pack 3”
System Restore: enabled
System booted in Safe Mode
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
IAT modification detected: CreateProcessA - 00B60010<>7C80236B
IAT modification detected: GetModuleFileNameA - 00B60080<>7C80B56F
IAT modification detected: GetModuleFileNameW - 00B600F0<>7C80B475
IAT modification detected: CreateProcessW - 00B60160<>7C802336
IAT modification detected: LoadLibraryW - 00B60240<>7C80AEEB
IAT modification detected: LoadLibraryA - 00B60320<>7C801D7B
IAT modification detected: GetProcAddress - 00B60390<>7C80AE40
IAT modification detected: FreeLibrary - 00B60400<>7C80AC7E
Analysis: ntdll.dll, export table found in section .text
Analysis: user32.dll, export table found in section .text
Analysis: advapi32.dll, export table found in section .text
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
Driver communication failure [00000002] - [1]
1.4 Searching for masking processes and drivers
Checking not performed: extended monitoring driver (AVZPM) is not installed
Driver loaded successfully
Driver communication failure [00000002] - [1]
Services: potentially dangerous service allowed: RemoteRegistry (Accès à distance au Registre)
Services: potentially dangerous service allowed: TermService (Services Terminal Server)
Services: potentially dangerous service allowed: Schedule (Planificateur de tâches)
Services: potentially dangerous service allowed: mnmsrvc (Partage de Bureau à distance NetMeeting)
Services: potentially dangerous service allowed: RDSessMgr (Gestionnaire de session d'aide sur le Bureau à distance)
Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
Security: disk drives’ autorun is enabled
Security: administrative shares (C$, D$ …) are enabled
Security: anonymous user access is enabled
Security: automatic logon is enabled
Connecting and disconnecting network drives blocked
Elements of Start menu blocked
Process termination timeout is out of admissible values
Service termination timeout is out of admissible values
Timeout of “Not Responding” verdict for processes is out of admissible values
Disable HDD autorun
Disable autorun from network drives
Disable CD/DVD autorun
Disable removable media autorun
Windows Explorer - show extensions of known file types
System Analysis in progress
System Analysis - complete
Script commands
Add commands to script:
- Blocking hooks using Anti-Rootkit
- Enable AVZGuard
- Operations with AVZPM (true=enable, false=disable)
- BootCleaner - import list of deleted files
- Registry cleanup after deleting files
- BootCleaner - activate
- Reboot
- Insert template for QuarantineFile() - quarantining file
- Insert template for BC_QrFile() - quarantining file via BootCleaner
- Insert template for DeleteFile() - deleting file
- Insert template for DelCLSID() - deleting CLSID item from registry
Additional operations:
- Performance tweaking: disable service RemoteRegistry (Accès à distance au Registre)
- Performance tweaking: disable service TermService (Services Terminal Server)
- Performance tweaking: disable service Schedule (Planificateur de tâches)
- Performance tweaking: disable service mnmsrvc (Partage de Bureau à distance NetMeeting)
- Performance tweaking: disable service RDSessMgr (Gestionnaire de session d'aide sur le Bureau à distance)
- Security tweaking: disable CD autorun
- Security tweaking: disable administrative shares
- Security tweaking: disable anonymous user access
- Security tweaking: disable automatic logon
File list
2)
<?xml version="1.0" encoding="windows-1251" ?>
<ITEM File="C:\WINDOWS\system32\mswsock.dll" CheckResult="-1" SPIType="3" SPINaim="MSAFD NetBIOS [\Device\NetBT_Tcpip_{B3129F3F-CABC-408C-84A9-45B2C5E1E58E}] SEQPACKET 3" Descr="Fournisseur de service Sockets 2.0 de Microsoft Windows" LegalCopyright="© Microsoft Corporation. Tous droits r?serv?s." Size="247808" Attr="rsah" CreateDate="13/04/2008 17:33:34" Ch