cimone

Members
  • Content count: 38
Everything posted by cimone

  1. For now, yes, except that it got stuck on the shutdown screen earlier! But maybe that's unrelated. Otherwise, I have another problem with my sound card, which now only outputs mono. I've checked everything, but???? If you could advise me on that too, that would be great.
  2. OK! Here is the report:
     Effectué le 15/11/2007 à 16:34:54,26.
     Le volume dans le lecteur C s'appelle HP_PAVILION
     Le numéro de série du volume est 005A-6CCF
     Répertoire de C:\WINDOWS\$hf_mig$\KB893066\SP2QFE
       14/03/2005 09:17 359 936 tcpip.sys
       1 fichier(s) 359 936 octets
     Répertoire de C:\WINDOWS\$hf_mig$\KB917953\SP2QFE
       20/04/2006 13:18 360 576 tcpip.sys
       1 fichier(s) 360 576 octets
     Répertoire de C:\WINDOWS\$NtUninstallKB893066$
       10/08/2004 12:00 359 040 tcpip.sys
       1 fichier(s) 359 040 octets
     Répertoire de C:\WINDOWS\$NtUninstallKB917953$
       14/03/2005 08:55 359 808 tcpip.sys
       1 fichier(s) 359 808 octets
     Répertoire de C:\WINDOWS\system32\dllcache
       09/03/2007 20:01 359 808 TCPIP.SYS
       1 fichier(s) 359 808 octets
     Répertoire de C:\WINDOWS\system32\drivers
       09/03/2007 20:01 359 808 TCPIP.SYS
       1 fichier(s) 359 808 octets
  3. That's it, the rest is done! I'll keep you posted on how it runs. Let me know about VirusTotal! Thanks, Cimone
  4. Hello! I no longer have the file tcpip.sys. I only have tcpip or tcpip.sys.original!! I'll do the rest and keep you posted! See you later.
  5. There, it's done! And here is the report! Still impossible to send it!
     DiagHelp version v1.4 - http://www.malekal.com excute le 14/11/2007 à 23:37:51,84
     winlogon.exe Verified: Signed
     svchost.exe Verified: Signed
     ws2_32.dll Verified: Signed
     user32.dll Verified: Signed
     tcpip.sys Verified: Unsigned
     ndis.sys Verified: Signed
     null.sys Verified: Signed
[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1] "NodeSlot"=dword:000000bd "MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff "0"=hex:58,00,31,00,00,00,00,00,b5,36,33,6c,10,00,52,41,50,48,41,4c,7e,.. [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\] "NodeSlot"=dword:000000be "MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff "0"=hex:68,00,31,00,00,00,00,00,b5,36,33,6c,10,00,52,41,50,48,41,45,7e,.. [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\] "NodeSlot"=dword:000000bf "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\1] "NodeSlot"=dword:000000c0 "MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff "0"=hex:42,00,31,00,00,00,00,00,b5,36,7a,79,10,00,4c,45,4d,41,55,44,7e,.. [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\1] "NodeSlot"=dword:000000ca "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\10] "NodeSlot"=dword:000000d1 "MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff "0"=hex:44,00,31,00,00,00,00,00,b4,36,02,79,10,00,52,49,43,4b,53,52,7e,.. [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\10] "NodeSlot"=dword:000000d2 "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\11] "NodeSlot"=dword:000000d3 "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\12] "NodeSlot"=dword:000000d4 "MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff "0"=hex:52,00,31,00,00,00,00,00,b5,36,ad,6b,10,00,4c,45,53,50,45,54,7e,.. [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\12] "NodeSlot"=dword:000000d7 "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\13] "NodeSlot"=dword:000000d5 "MRUListEx"=hex:00,00,00,00,01,00,00,00,ff,ff,ff,ff "0"=hex:52,00,31,00,00,00,00,00,b5,36,96,6b,10,00,4c,45,53,50,45,54,7e,.. "1"=hex:44,00,31,00,00,00,00,00,b5,36,a5,89,10,00,41,43,4f,55,53,54,7e,.. 
[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\13] "NodeSlot"=dword:000000d6 "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\13\1] "NodeSlot"=dword:000000da "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\14] "NodeSlot"=dword:000000d8 "MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff "0"=hex:36,00,31,00,00,00,00,00,b4,36,da,72,10,00,4d,26,4a,7e,31,00,22,.. [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\14] "NodeSlot"=dword:000000d9 "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\15] "NodeSlot"=dword:000000db "MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff "0"=hex:50,00,31,00,00,00,00,00,b4,36,4a,6d,10,00,4c,49,56,45,41,54,7e,.. [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\15] "NodeSlot"=dword:000000dc "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\16] "NodeSlot"=dword:000000dd "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\17] "NodeSlot"=dword:000000de "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\18] "NodeSlot"=dword:000000df "MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff "0"=hex:4a,00,31,00,00,00,00,00,b5,36,8c,83,10,00,4c,45,53,49,4e,4e,7e,.. [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\18] "NodeSlot"=dword:000000e0 "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\2] "NodeSlot"=dword:000000c1 "MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff "0"=hex:3c,00,31,00,00,00,00,00,b5,36,cd,6e,10,00,42,61,72,62,61,72,61,.. 
[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\2] "NodeSlot"=dword:000000c2 "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\3] "NodeSlot"=dword:000000c3 "MRUListEx"=hex:01,00,00,00,00,00,00,00,ff,ff,ff,ff "0"=hex:3e,00,31,00,00,00,00,00,b5,36,ed,71,10,00,42,45,53,54,4f,46,7e,.. "1"=hex:60,00,31,00,00,00,00,00,b5,36,e0,71,10,00,4e,4f,4e,5f,4a,45,7e,.. [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\3] "NodeSlot"=dword:000000c4 "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\3\1] "NodeSlot"=dword:000000c5 "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\4] "NodeSlot"=dword:000000c6 "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\5] "NodeSlot"=dword:000000c7 "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\6] "NodeSlot"=dword:000000c8 "MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff "0"=hex:6a,00,31,00,00,00,00,00,b4,36,0a,6d,10,00,30,39,2d,4c,45,53,7e,.. [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\6] "NodeSlot"=dword:000000c9 "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\7] "NodeSlot"=dword:000000cb "MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff "0"=hex:3c,00,31,00,00,00,00,00,b5,36,c0,7a,10,00,49,6e,63,6f,6e,6e,75,.. [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\7] "NodeSlot"=dword:000000cc "MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff "0"=hex:3c,00,31,00,00,00,00,00,b5,36,c2,7a,10,00,49,6e,63,6f,6e,6e,75,.. 
[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\7\] "NodeSlot"=dword:000000cd "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\8] "NodeSlot"=dword:000000ce "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\9] "NodeSlot"=dword:000000cf "MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff "0"=hex:60,00,31,00,00,00,00,00,b5,36,0d,80,10,00,4c,45,53,50,4c,55,7e,.. [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\9] "NodeSlot"=dword:000000d0 "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\2] "NodeSlot"=dword:000000ac "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\3] "NodeSlot"=dword:000000af "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\4] "NodeSlot"=dword:000000b0 "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\3] "NodeSlot"=dword:000000ae "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\10\Shell] "Mode"=dword:00000006 "ScrollPos800x600(1).x"=dword:00000000 "ScrollPos800x600(1).y"=dword:00000000 "Sort"=dword:00000000 "SortDir"=dword:00000001 "Col"=dword:ffffffff "ColInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,fd,df,df,fd,0f,.. 
"MinPos800x600(1).x"=dword:ffff8300 "MinPos800x600(1).y"=dword:ffff8300 "MaxPos800x600(1).x"=dword:ffffffff "MaxPos800x600(1).y"=dword:ffffffff "WinPos800x600(1).left"=dword:00000016 "WinPos800x600(1).top"=dword:0000001d "WinPos800x600(1).right"=dword:0000026e "WinPos800x600(1).bottom"=dword:000001b1 "Rev"=dword:00000000 "WFlags"=dword:00000002 "ShowCmd"=dword:00000003 "FFlags"=dword:00000001 "HotKey"=dword:00000000 "Buttons"=dword:ffffffff "Status"=dword:00000000 "Links"=dword:00000000 "Address"=dword:ffffffff "Vid"="{65F125E5-7BE1-4810-BA9D-D271C8432CE3}" "FolderType"="Documents" scanning hidden files ... scan completed successfully hidden services: 0 hidden files: 0 KProcCheck Version 0.2-beta1 Proof-of-Concept by SIG^2 (www.security.org.sg) Process list by traversal of KiWaitListHead 4 - System 160 - spoolsv.exe 436 - a2service.exe 476 - sched.exe 488 - avguard.exe 548 - ehSched.exe 568 - cmd.exe 608 - IAANTmon.exe 736 - csrss.exe 760 - winlogon.exe 804 - services.exe 816 - lsass.exe 984 - svchost.exe 1060 - svchost.exe 1104 - lxcrcoms.exe 1144 - nvsvc32.exe 1156 - svchost.exe 1196 - svchost.exe 1324 - svchost.exe 1400 - vsmon.exe 1420 - svchost.exe 1520 - svchost.exe 1616 - explorer.exe 1716 - ELService.exe 1896 - mcrdsvc.exe 1968 - aawservice.exe 2144 - wmiprvse.exe 2452 - dllhost.exe 2804 - alg.exe 3120 - RTHDCPL.EXE 3128 - IAAnotif.exe 3144 - HPBootOp.exe 3152 - avgnt.exe 3184 - PCBooster.exe 3216 - zlclient.exe 3224 - lxcrmon.exe 3232 - ezprint.exe 3260 - realsched.exe 3272 - itype.exe 3292 - ipoint.exe 3300 - rundll32.exe 3404 - ctfmon.exe 3428 - SweetIM.exe 3880 - kbd.exe 3960 - wuauclt.exe Total number of processes = 45 NOTE: Under WinXP, this will not show all processes. 
KProcCheck Version 0.2-beta1 Proof-of-Concept by SIG^2 (www.security.org.sg)
Driver/Module list by traversal of PsLoadedModuleList
804D7000 - \WINDOWS\system32\ntkrnlpa.exe
806E2000 - \WINDOWS\system32\hal.dll
F7B10000 - \WINDOWS\system32\KDCOM.DLL
F7A20000 - \WINDOWS\system32\BOOTVID.dll
F74E0000 - ACPI.sys
F7B12000 - \WINDOWS\system32\DRIVERS\WMILIB.SYS
F74CF000 - pci.sys
F7610000 - isapnp.sys
F7620000 - ohci1394.sys
F7630000 - \WINDOWS\system32\DRIVERS\1394BUS.SYS
F7BD8000 - pciide.sys
F7890000 - \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
F7B14000 - viaide.sys
F7B16000 - intelide.sys
F7640000 - MountMgr.sys
F74B0000 - ftdisk.sys
F7B18000 - dmload.sys
F748A000 - dmio.sys
F7898000 - PartMgr.sys
F7650000 - VolSnap.sys
F73CA000 - iastor.sys
F73B2000 - atapi.sys
F736F000 - ftsata2.sys
F7357000 - \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
F7660000 - disk.sys
F7670000 - \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
F7337000 - fltMgr.sys
F7680000 - bb-run.sys
F7690000 - PxHelp20.sys
F7320000 - KSecDD.sys
F730D000 - WudfPf.sys
F7280000 - Ntfs.sys
F7253000 - NDIS.sys
F723F000 - srescan.sys
F7224000 - Mup.sys
F78A0000 - BTHidMgr.sys
F77D0000 - \SystemRoot\system32\DRIVERS\intelppm.sys
F7928000 - \SystemRoot\system32\DRIVERS\ELacpi.sys
F662F000 - \SystemRoot\system32\DRIVERS\nv4_mini.sys
F661B000 - \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
F65F6000 - \SystemRoot\system32\DRIVERS\HDAudBus.sys
F7930000 - \SystemRoot\system32\DRIVERS\usbuhci.sys
F65D3000 - \SystemRoot\system32\DRIVERS\USBPORT.SYS
F7938000 - \SystemRoot\system32\DRIVERS\usbehci.sys
F65AB000 - \SystemRoot\system32\DRIVERS\e100b325.sys
F6597000 - \SystemRoot\system32\DRIVERS\parport.sys
F77E0000 - \SystemRoot\system32\DRIVERS\i8042prt.sys
F7940000 - \SystemRoot\system32\DRIVERS\point32.sys
F7948000 - \SystemRoot\system32\DRIVERS\mouclass.sys
F7B52000 - \??\C:\WINDOWS\System32\Drivers\Elmou.sys
F7950000 - \SystemRoot\system32\DRIVERS\PS2.sys
F7958000 - \SystemRoot\system32\DRIVERS\kbdclass.sys
F7B54000 - \??\C:\WINDOWS\System32\Drivers\Elkbd.sys
F77F0000 - \SystemRoot\system32\DRIVERS\imapi.sys
F7800000 - \SystemRoot\system32\DRIVERS\cdrom.sys
F7810000 - \SystemRoot\system32\DRIVERS\redbook.sys
F6574000 - \SystemRoot\system32\DRIVERS\ks.sys
F7C18000 - \SystemRoot\system32\DRIVERS\audstub.sys
F7820000 - \SystemRoot\system32\DRIVERS\rasl2tp.sys
F71EC000 - \SystemRoot\system32\DRIVERS\ndistapi.sys
F655D000 - \SystemRoot\system32\DRIVERS\ndiswan.sys
F7830000 - \SystemRoot\system32\DRIVERS\raspppoe.sys
F7850000 - \SystemRoot\system32\DRIVERS\raspptp.sys
F7960000 - \SystemRoot\system32\DRIVERS\TDI.SYS
F6529000 - \SystemRoot\system32\DRIVERS\psched.sys
F7860000 - \SystemRoot\system32\DRIVERS\msgpc.sys
F7A08000 - \SystemRoot\system32\DRIVERS\ptilink.sys
F7A10000 - \SystemRoot\system32\DRIVERS\raspti.sys
F5E5A000 - \SystemRoot\system32\DRIVERS\rdpdr.sys
F77B0000 - \SystemRoot\system32\DRIVERS\termdd.sys
F7B5E000 - \SystemRoot\system32\DRIVERS\swenum.sys
F580F000 - \SystemRoot\system32\DRIVERS\update.sys
F7AC4000 - \SystemRoot\system32\DRIVERS\mssmbios.sys
F61E8000 - \SystemRoot\System32\Drivers\NDProxy.SYS
EE962000 - \SystemRoot\system32\drivers\RtkHDAud.sys
EE940000 - \SystemRoot\system32\drivers\portcls.sys
F28D1000 - \SystemRoot\system32\drivers\drmk.sys
ED50D000 - \SystemRoot\system32\DRIVERS\usbhub.sys
F7BD2000 - \SystemRoot\system32\DRIVERS\USBD.SYS
EB045000 - \SystemRoot\system32\DRIVERS\klif.sys
EFC32000 - \SystemRoot\system32\DRIVERS\usbccgp.sys
F7B7E000 - \SystemRoot\System32\Drivers\Fs_Rec.SYS
F054B000 - \SystemRoot\System32\Drivers\Null.SYS
F7B80000 - \SystemRoot\System32\Drivers\Beep.SYS
EFC2A000 - \SystemRoot\System32\drivers\vga.sys
F7B82000 - \SystemRoot\System32\Drivers\mnmdd.SYS
F7B84000 - \SystemRoot\System32\DRIVERS\RDPCDD.sys
EFC1A000 - \SystemRoot\System32\Drivers\Msfs.SYS
EFC12000 - \SystemRoot\System32\Drivers\Npfs.SYS
EF56D000 - \SystemRoot\system32\DRIVERS\rasacd.sys
EB3E0000 - \SystemRoot\system32\DRIVERS\ipsec.sys
EB388000 - \SystemRoot\system32\DRIVERS\tcpip.sys
EB360000 - \SystemRoot\system32\DRIVERS\netbt.sys
EB33F000 - \SystemRoot\system32\DRIVERS\ipnat.sys
EF276000 - \SystemRoot\system32\DRIVERS\wanarp.sys
EB2DF000 - \SystemRoot\System32\vsdatant.sys
EB2BD000 - \SystemRoot\System32\drivers\afd.sys
EF266000 - \SystemRoot\system32\DRIVERS\netbios.sys
EFC0A000 - \SystemRoot\System32\Drivers\StarOpen.SYS
EB292000 - \SystemRoot\system32\DRIVERS\rdbss.sys
EB223000 - \SystemRoot\system32\DRIVERS\mrxsmb.sys
EF256000 - \SystemRoot\System32\Drivers\Fips.SYS
F7B8A000 - \??\C:\WINDOWS\System32\Drivers\Elmon.sys
F0511000 - \??\C:\WINDOWS\System32\Drivers\Elhid.sys
EFBFA000 - \??\C:\WINDOWS\System32\Drivers\HIDPARSE.SYS
F7B8C000 - \??\C:\Program Files\AntiVir PersonalEdition Classic\avgio.sys
EB200000 - \SystemRoot\System32\Drivers\Fastfat.SYS
F0290000 - \SystemRoot\system32\DRIVERS\USBSTOR.SYS
F04F5000 - \SystemRoot\system32\DRIVERS\usbscan.sys
F0288000 - \SystemRoot\system32\DRIVERS\usbprint.sys
F04F1000 - \SystemRoot\system32\DRIVERS\hidusb.sys
EF236000 - \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
EB140000 - \SystemRoot\System32\Drivers\dump_iaStor.sys
BF800000 - \SystemRoot\System32\win32k.sys
F00A2000 - \SystemRoot\System32\drivers\Dxapi.sys
F0278000 - \SystemRoot\System32\watchdog.sys
BF9C3000 - \SystemRoot\System32\drivers\dxg.sys
F7CAC000 - \SystemRoot\System32\drivers\dxgthk.sys
BF9D5000 - \SystemRoot\System32\nv4_disp.dll
EE130000 - \SystemRoot\system32\DRIVERS\ndisuio.sys
BA523000 - \SystemRoot\system32\drivers\wdmaud.sys
EFF3A000 - \SystemRoot\system32\drivers\sysaudio.sys
BA4A8000 - \SystemRoot\system32\DRIVERS\mrxdav.sys
BA417000 - \SystemRoot\System32\Drivers\HTTP.sys
BA375000 - \SystemRoot\system32\DRIVERS\srv.sys
B9EDA000 - \??\C:\Program Files\AntiVir PersonalEdition Classic\avgntflt.sys
B9E52000 - \SystemRoot\System32\Drivers\Cdfs.SYS
B9975000 - \SystemRoot\system32\DRIVERS\sr.sys
F7D2D000 - \SystemRoot\System32\DRIVERS\KProcCheck.sys
Total number of drivers = 129

Liste des
programmes installes a-squared Free 2.1 ABBYY FineReader 6.0 Sprint Ad-Aware 2007 Adobe Reader 8.1.0 - Français AIDA32 v3.93 Apple Software Update Archiveur WinRAR Avira AntiVir PersonalEdition Classic BeClean BitTorrent 5.0.9 BufferChm CCleaner (remove only) CDBurnerXP Pro 3 Correctif n° 2 pour Windows XP Édition Media Center 2005 Correctif pour Lecteur Windows Media 10 (KB910393) Correctif pour Lecteur Windows Media 11 (KB939683) Correctif pour Windows XP (KB888795) Correctif pour Windows XP (KB891593) Correctif pour Windows XP (KB893357) Correctif pour Windows XP (KB899337) Correctif pour Windows XP (KB899510) Correctif pour Windows XP (KB902841) Correctif pour Windows XP (KB906569) Correctif pour Windows XP (KB912024) Correctif pour Windows XP (KB914440) Correctif pour Windows XP (KB935448) Correctif Windows XP - KB873339 Correctif Windows XP - KB883667 Correctif Windows XP - KB885250 Correctif Windows XP - KB885835 Correctif Windows XP - KB885836 Correctif Windows XP - KB885884 Correctif Windows XP - KB886185 Correctif Windows XP - KB887472 Correctif Windows XP - KB887742 Correctif Windows XP - KB888113 Correctif Windows XP - KB888302 Correctif Windows XP - KB890175 Correctif Windows XP - KB890859 Correctif Windows XP - KB891781 Correctif Windows XP - KB892050 Correctif Windows XP - KB893066 Correctif Windows XP - KB895961 CP_AtenaShokunin1Config CP_CalendarTemplates1 cp_LightScribeConfig cp_OnlineProjectsConfig CP_Package_Basic1 CP_Package_Variety1 CP_Package_Variety2 CP_Package_Variety3 CP_Panorama1Config cp_PosterPrintConfig cp_UpdateProjectsConfig CueTour Destinations DeviceManagementQFolder EasyCleaner Enhanced Multimedia Keyboard Solution Freeplayer FullDPAppQFolder G-Force GemMaster Mystic HaxFix 4.57 High Definition Audio - KB888111 HijackThis 1.99.1 Hotfix for Windows Media Format 11 SDK (KB929399) Hotfix for Windows Media Player 10 (KB903157) Hotfix for Windows XP (KB915865) Hotfix for Windows XP (KB926239) HP Boot Optimizer HP DigitalMedia Archive 
HP DVD Play 2.1 HP Imaging Device Functions 7.0 HP Photosmart for Media Center PC HP Photosmart Premier Software 6.5 hp psc 1200 series HP Software Update HPPhotoSmartExpress HpSdpAppCoreApp InstantShareDevices Intel® Matrix Storage Manager Intel® PRO Network Connections Drivers Intel® Quick Resume Technology Drivers IrfanView (remove only) IsoBuster 2.0 J2SE Runtime Environment 5.0 Update 11 J2SE Runtime Environment 5.0 Update 6 Java 6 Update 2 Java 6 Update 3 Java SE Runtime Environment 6 Update 1 jv16 PowerTools 1.3 Kaspersky Online Scanner Le logiciel Intel® Viiv™ Lecteur Windows Media 11 Lexmark 2400 Series Lexmark Barre d'outils LightScribe 1.4.105.1 Macrogaming SweetIM 2.1 Microsoft .NET Framework 1.0 Hotfix (KB887998) Microsoft .NET Framework 1.0 Hotfix (KB930494) Microsoft .NET Framework 1.1 Microsoft .NET Framework 1.1 Microsoft .NET Framework 1.1 French Language Pack Microsoft .NET Framework 1.1 Hotfix (KB928366) Microsoft Compression Client Pack 1.0 for Windows XP Microsoft IntelliPoint 6.1 Microsoft IntelliType Pro 6.1 Microsoft Internationalized Domain Names Mitigation APIs Microsoft National Language Support Downlevel APIs Microsoft Office Access MUI (French) 2007 Microsoft Office Excel MUI (French) 2007 Microsoft Office InfoPath MUI (French) 2007 Microsoft Office Outlook MUI (French) 2007 Microsoft Office PowerPoint MUI (French) 2007 Microsoft Office Professional Plus 2007 Microsoft Office Professional Plus 2007 Microsoft Office Proof (Arabic) 2007 Microsoft Office Proof (Dutch) 2007 Microsoft Office Proof (English) 2007 Microsoft Office Proof (French) 2007 Microsoft Office Proof (German) 2007 Microsoft Office Proof (Spanish) 2007 Microsoft Office Proofing (French) 2007 Microsoft Office Publisher MUI (French) 2007 Microsoft Office Shared MUI (French) 2007 Microsoft Office Word MUI (French) 2007 Microsoft Software Update for Web Folders (French) 12 Microsoft User-Mode Driver Framework Feature Pack 1.0 Microsoft Works Mise à jour de sécurité pour 
Lecteur Windows Media 10 (KB911565) Mise à jour de sécurité pour Lecteur Windows Media 10 (KB917734) Mise à jour de sécurité pour Lecteur Windows Media 11 (KB936782) Mise à jour de sécurité pour Lecteur Windows Media 6.4 (KB925398) Mise à jour de sécurité pour Step by Step Interactive Training (KB923723) Mise à jour de sécurité pour Windows XP (KB893756) Mise à jour de sécurité pour Windows XP (KB896358) Mise à jour de sécurité pour Windows XP (KB896422) Mise à jour de sécurité pour Windows XP (KB896423) Mise à jour de sécurité pour Windows XP (KB896424) Mise à jour de sécurité pour Windows XP (KB896428) Mise à jour de sécurité pour Windows XP (KB899587) Mise à jour de sécurité pour Windows XP (KB899591) Mise à jour de sécurité pour Windows XP (KB900725) Mise à jour de sécurité pour Windows XP (KB901017) Mise à jour de sécurité pour Windows XP (KB901214) Mise à jour de sécurité pour Windows XP (KB902400) Mise à jour de sécurité pour Windows XP (KB904706) Mise à jour de sécurité pour Windows XP (KB905414) Mise à jour de sécurité pour Windows XP (KB905749) Mise à jour de sécurité pour Windows XP (KB908519) Mise à jour de sécurité pour Windows XP (KB908531) Mise à jour de sécurité pour Windows XP (KB911562) Mise à jour de sécurité pour Windows XP (KB911927) Mise à jour de sécurité pour Windows XP (KB912812) Mise à jour de sécurité pour Windows XP (KB912919) Mise à jour de sécurité pour Windows XP (KB913580) Mise à jour de sécurité pour Windows XP (KB914388) Mise à jour de sécurité pour Windows XP (KB914389) Mise à jour de sécurité pour Windows XP (KB917344) Mise à jour de sécurité pour Windows XP (KB917422) Mise à jour de sécurité pour Windows XP (KB917953) Mise à jour de sécurité pour Windows XP (KB918118) Mise à jour de sécurité pour Windows XP (KB918439) Mise à jour de sécurité pour Windows XP (KB919007) Mise à jour de sécurité pour Windows XP (KB920213) Mise à jour de sécurité pour Windows XP (KB920670) Mise à jour de sécurité pour Windows XP (KB920683) Mise à 
jour de sécurité pour Windows XP (KB920685) Mise à jour de sécurité pour Windows XP (KB921503) Mise à jour de sécurité pour Windows XP (KB922819) Mise à jour de sécurité pour Windows XP (KB923191) Mise à jour de sécurité pour Windows XP (KB923414) Mise à jour de sécurité pour Windows XP (KB923689) Mise à jour de sécurité pour Windows XP (KB923694) Mise à jour de sécurité pour Windows XP (KB923980) Mise à jour de sécurité pour Windows XP (KB924191) Mise à jour de sécurité pour Windows XP (KB924270) Mise à jour de sécurité pour Windows XP (KB924496) Mise à jour de sécurité pour Windows XP (KB924667) Mise à jour de sécurité pour Windows XP (KB925902) Mise à jour de sécurité pour Windows XP (KB926255) Mise à jour de sécurité pour Windows XP (KB926436) Mise à jour de sécurité pour Windows XP (KB927779) Mise à jour de sécurité pour Windows XP (KB927802) Mise à jour de sécurité pour Windows XP (KB928090) Mise à jour de sécurité pour Windows XP (KB928255) Mise à jour de sécurité pour Windows XP (KB928843) Mise à jour de sécurité pour Windows XP (KB929123) Mise à jour de sécurité pour Windows XP (KB930178) Mise à jour de sécurité pour Windows XP (KB931261) Mise à jour de sécurité pour Windows XP (KB931784) Mise à jour de sécurité pour Windows XP (KB932168) Mise à jour de sécurité pour Windows XP (KB933566) Mise à jour de sécurité pour Windows XP (KB933729) Mise à jour de sécurité pour Windows XP (KB935839) Mise à jour de sécurité pour Windows XP (KB935840) Mise à jour de sécurité pour Windows XP (KB936021) Mise à jour de sécurité pour Windows XP (KB937143) Mise à jour de sécurité pour Windows XP (KB938127) Mise à jour de sécurité pour Windows XP (KB938829) Mise à jour de sécurité pour Windows XP (KB939653) Mise à jour de sécurité pour Windows XP (KB943460) Mise à jour pour Lecteur Windows Media 10 (KB913800) Mise à jour pour Lecteur Windows Media 10 (KB926251) Mise à jour pour Windows XP (KB898461) Mise à jour pour Windows XP (KB900485) Mise à jour pour Windows XP 
(KB904942) Mise à jour pour Windows XP (KB910437) Mise à jour pour Windows XP (KB911280) Mise à jour pour Windows XP (KB912945) Mise à jour pour Windows XP (KB916595) Mise à jour pour Windows XP (KB920342) Mise à jour pour Windows XP (KB920872) Mise à jour pour Windows XP (KB922582) Mise à jour pour Windows XP (KB927891) Mise à jour pour Windows XP (KB929338) Mise à jour pour Windows XP (KB930916) Mise à jour pour Windows XP (KB931836) Mise à jour pour Windows XP (KB933360) Mise à jour pour Windows XP (KB936357) Mise à jour pour Windows XP (KB938828) Mozilla Firefox (2.0.0.9) MSN MSXML 4.0 SP2 (KB927978) MSXML 4.0 SP2 (KB936181) muvee autoProducer 5.0 muvee autoProducer unPlugged 2.0 NVIDIA Drivers OptionalContentQFolder Otto PC-Doctor 5 pour Windows PC Booster Photo et imagerie HP 2.0 - All-in-One Pilote Photo et imagerie HP 2.0 - All-in-One Series Photo et imagerie HP 2.0 - hp psc 1200 series PhotoGallery Python 2.2 pywin32 extensions (build 203) Python 2.2.3 QuickTime RandMap RealPlayer Realtek High Definition Audio Driver SAMSUNG CDMA Modem Driver Set SAMSUNG Mobile USB Modem ^^ SAMSUNG Mobile USB Modem 1.0 Software SAMSUNG Mobile USB Modem Software Samsung PC Studio Samsung PC Studio Samsung PC Studio 3 USB Driver Installer Security Update for CAPICOM (KB931906) Security Update for CAPICOM (KB931906) Services Internet Services Internet SkinsHP1 SlideShow SlideShowMusic SoftSkies Solutions de télécopie Lexmark Sonic Express Labeler Sonic MyDVD Plus Sonic RecordNow Audio Sonic RecordNow Copy Sonic RecordNow Data Sonic Update Manager Sonic_PrimoSDK Spybot - Search & Destroy 1.4 SpywareBlaster v3.5.1 SweetIM For Internet Explorer 3.0b Unload Unlocker 1.8.5 VideoLAN VLC media player 0.8.6a WebFldrs XP Windows Genuine Advantage Notifications (KB905474) Windows Genuine Advantage Validation Tool (KB892130) Windows Installer 3.1 (KB893803) Windows Live Messenger Windows Live Sign-in Assistant Windows Media Format 11 runtime Windows Media Format 11 runtime Windows Media 
Player 11 Windows Media Player Firefox Plugin Windows XP Media Center Edition 2005 KB925766 ZoneAlarm

Le volume dans le lecteur C s'appelle HP_PAVILION
Le numéro de série du volume est 005A-6CCF

Répertoire de C:\Program Files

14/11/2007  15:54    <REP>          .
14/11/2007  15:54    <REP>          ..
09/10/2007  17:51    <REP>          Abbyy FineReader 6.0 Sprint
25/07/2007  10:39    <REP>          Adobe
26/10/2007  11:04    <REP>          AIDA32 - Personal System Information
14/11/2007  22:27    <REP>          AntiVir PersonalEdition Classic
03/11/2007  21:42    <REP>          Apple Software Update
04/11/2007  20:51    <REP>          a-squared Free
25/07/2007  22:34                86 autoclean.ini
09/10/2007  17:06    <REP>          Backup
04/11/2007  19:09    <REP>          BeClean
22/10/2007  10:52    <REP>          BitTorrent
13/03/2007  20:12    <REP>          CCleaner
24/05/2007  21:00    <REP>          CDBurnerXP Pro 3
12/11/2005  01:09    <REP>          ComPlus Applications
03/01/2006  01:10    <REP>          EasyBits
14/11/2007  00:43    <REP>          eMule1
09/10/2007  19:06    <REP>          Fichiers communs
30/10/2007  21:22    <REP>          Freeplayer
03/01/2006  00:21    <REP>          FrenchOtto
03/01/2006  00:21    <REP>          GemMasterFrench
07/11/2007  12:02    <REP>          Google
01/06/2007  22:14    <REP>          Grisoft
14/11/2007  15:56    <REP>          HaxFix
03/01/2006  01:10    <REP>          Hewlett-Packard
14/11/2007  22:38    <REP>          hijackthis
09/10/2007  16:28                 0 history.txt
03/01/2006  00:52    <REP>          HP
03/01/2006  00:49    <REP>          HP DigitalMedia Archive
26/07/2007  21:49    <REP>          inKline Global
03/01/2006  00:40    <REP>          Intel
10/10/2007  21:00    <REP>          Internet Explorer
08/11/2007  02:43    <REP>          IrfanView
06/07/2007  18:23    <REP>          IVT Corporation
15/10/2007  08:31    <REP>          Java
22/05/2007  15:45    <REP>          jv16 PowerTools
25/07/2007  22:35                95 lang.ini
13/03/2007  20:13    <REP>          Languages
19/08/2007  12:05    <REP>          Lavasoft
09/10/2007  17:36    <REP>          Lexmark 2400 Series
09/10/2007  17:36    <REP>          Lexmark Fax Solutions
09/10/2007  17:39    <REP>          Lexmark Toolbar
14/11/2007  23:36    <REP>          lx_cats
07/11/2007  21:56    <REP>          Macrogaming
08/11/2007  02:13    <REP>          Messenger
09/05/2007  11:48    <REP>          Microsoft CAPICOM 2.1.0.2
15/11/2005  03:24    <REP>          microsoft frontpage
06/11/2007  19:33    <REP>          Microsoft IntelliPoint
06/11/2007  19:32    <REP>          Microsoft IntelliType Pro
09/10/2007  19:06    <REP>          Microsoft Office
09/10/2007  19:06    <REP>          Microsoft Visual Studio
09/10/2007  19:07    <REP>          Microsoft Works
09/10/2007  19:05    <REP>          Microsoft.NET
15/11/2005  03:24    <REP>          Movie Maker
14/11/2007  23:33    <REP>          Mozilla Firefox
09/10/2007  19:07    <REP>          MSBuild
30/05/2007  18:49    <REP>          MSN
15/11/2005  03:25    <REP>          MSN Gaming Zone
24/05/2007  14:19    <REP>          MSN Messenger
09/03/2007  16:48    <REP>          MSXML 4.0
03/01/2006  00:55    <REP>          muvee Technologies
15/11/2005  03:25    <REP>          NetMeeting
15/11/2005  03:25    <REP>          Online Services
13/06/2007  11:17    <REP>          Outlook Express
03/01/2006  01:06    <REP>          PC-Doctor 5 for Windows
03/08/2007  16:01    <REP>          QuickTime
03/01/2006  00:49    <REP>          Real
22/05/2007  15:59    <REP>          RegCleaner
25/07/2007  22:35                 0 regfav.ini
25/04/2007  11:33    <REP>          Samsung
03/01/2006  01:12    <REP>          Services en ligne
24/05/2007  21:25    <REP>          Smart Projects
03/01/2006  00:50    <REP>          Sonic
24/08/2007  13:10    <REP>          SoundSpectrum
04/11/2007  20:05    <REP>          Spybot - Search & Destroy
19/08/2007  11:52    <REP>          SpywareBlaster
19/08/2007  11:58    <REP>          SpywareGuard
13/03/2007  20:11    <REP>          ToniArts
22/08/2007  17:04    <REP>          Unlocker
19/03/2007  17:34    <REP>          VideoLAN
18/03/2007  17:22    <REP>          Windows Media Connect 2
28/05/2007  14:28    <REP>          Windows Media Player
15/11/2005  03:25    <REP>          Windows NT
15/11/2005  03:25    <REP>          Windows Plus
07/11/2007  22:14    <REP>          WinRAR
15/11/2005  03:26    <REP>          xerox
09/10/2007  17:06    <REP>          Yahoo!
14/03/2007  22:46    <REP>          Zone Labs
               4 fichier(s)              181 octets
              84 Rép(s)  121 579 257 856 octets libres

Le volume dans le lecteur C s'appelle HP_PAVILION
Le numéro de série du volume est 005A-6CCF

Répertoire de C:\Program Files\fichiers communs

09/10/2007  19:06    <REP>          .
09/10/2007  19:06    <REP>          ..
16/06/2007  21:43    <REP>          Adobe
09/10/2007  19:06    <REP>          DESIGNER
13/03/2007  18:47    <REP>          Hewlett-Packard
03/01/2006  00:45    <REP>          HP
03/01/2006  01:08    <REP>          InstallShield
03/01/2006  00:26    <REP>          Java
03/01/2006  00:51    <REP>          LightScribe
03/01/2006  00:51    <REP>          LS Getting Started
09/10/2007  19:07    <REP>          Microsoft Shared
15/11/2005  03:24    <REP>          MSSoap
03/01/2006  00:54    <REP>          muvee Technologies
15/11/2005  03:24    <REP>          ODBC
03/01/2006  00:49    <REP>          Real
15/11/2005  03:24    <REP>          Services
03/01/2006  00:50    <REP>          Sonic Shared
15/11/2005  03:24    <REP>          SpeechEngines
03/01/2006  00:50    <REP>          SureThing Shared
14/03/2007  22:40    <REP>          Symantec Shared
09/10/2007  19:02    <REP>          System
03/01/2006  00:50    <REP>          TiVo Shared
19/08/2007  12:05    <REP>          Wise Installation Wizard
03/01/2006  00:49    <REP>          xing shared
               0 fichier(s)                0 octets
              24 Rép(s)  121 579 257 856 octets libres

Le volume dans le lecteur C s'appelle HP_PAVILION
Le numéro de série du volume est 005A-6CCF

Répertoire de C:\Program Files\fichiers communs\Microsoft Shared\Web Folders

09/10/2007  19:06    <REP>          .
09/10/2007  19:06    <REP>          ..
13/03/2007  19:58    <REP>          1033
09/10/2007  19:01    <REP>          1036
26/10/2006  18:49           970 528 MSONSEXT.DLL
26/10/2006  19:12            40 256 MSOSV.DLL
03/06/1999  10:09           122 937 MSOWS409.DLL
07/03/2001  05:00           127 033 MSOWS40c.DLL
22/01/2001  05:25            86 016 PKMWS.DLL
               5 fichier(s)        1 346 770 octets
               4 Rép(s)  121 579 253 760 octets libres

c:\Documents and Settings\All Users\Application Data\Hewlett-Packard\HP Boot Optimizer\InstMsiA.Exe
c:\Documents and Settings\All Users\Application Data\Hewlett-Packard\HP Boot Optimizer\InstMsiW.Exe
c:\Documents and Settings\All Users\Application Data\Hewlett-Packard\HP Boot Optimizer\Setup.Exe
c:\Documents and Settings\HP_Administrateur\.limewire\.NetworkShare\LimeWireWinInstaller 1.exe
c:\Documents and Settings\HP_Administrateur\.limewire\.NetworkShare\LimeWireWinInstaller.exe
c:\Documents and Settings\HP_Administrateur\Application Data\Adobe\Acrobat\7.0\Updater\AdbeRdr709_fr_FR.exe
c:\Documents and Settings\HP_Administrateur\Application Data\Microsoft\Installer\{F6D63A65-BD23-46F3-B9A3-87F442423481}\ARPPRODUCTICON.exe
c:\Documents and Settings\HP_Administrateur\Bureau\haxfix.exe
c:\Documents and Settings\HP_Administrateur\Bureau\OTMoveIt.exe
c:\Documents and Settings\HP_Administrateur\Bureau\DiagHelp\catchme.exe
c:\Documents and Settings\HP_Administrateur\Bureau\DiagHelp\diff.exe
c:\Documents and Settings\HP_Administrateur\Bureau\DiagHelp\dumphive.exe
c:\Documents and Settings\HP_Administrateur\Bureau\DiagHelp\FilesInfoCmd.exe
c:\Documents and Settings\HP_Administrateur\Bureau\DiagHelp\find2.exe
c:\Documents and Settings\HP_Administrateur\Bureau\DiagHelp\Fport.exe
c:\Documents and Settings\HP_Administrateur\Bureau\DiagHelp\grep.exe
c:\Documents and Settings\HP_Administrateur\Bureau\DiagHelp\gzip.exe
c:\Documents and Settings\HP_Administrateur\Bureau\DiagHelp\KProcCheck.exe
c:\Documents and Settings\HP_Administrateur\Bureau\DiagHelp\LFiles.exe
c:\Documents and Settings\HP_Administrateur\Bureau\DiagHelp\LISTDLLS.exe
c:\Documents and Settings\HP_Administrateur\Bureau\DiagHelp\md5sums.exe
c:\Documents and Settings\HP_Administrateur\Bureau\DiagHelp\pslist.exe
c:\Documents and Settings\HP_Administrateur\Bureau\DiagHelp\sigcheck.exe
c:\Documents and Settings\HP_Administrateur\Bureau\DiagHelp\streams.exe
c:\Documents and Settings\HP_Administrateur\Bureau\DiagHelp\swreg.exe
c:\Documents and Settings\HP_Administrateur\Bureau\DiagHelp\tar.exe
c:\Documents and Settings\HP_Administrateur\Bureau\Sécurité\RegSeeker.exe
c:\Documents and Settings\HP_Administrateur\Bureau\Sécurité\OFFICE12\SaveAsPDFandXPS.exe
c:\Documents and Settings\HP_Administrateur\Bureau\Sécurité\OFFICE12\SETUP.EXE
c:\Documents and Settings\HP_Administrateur\Bureau\Sécurité\OFFICE12\OFFICE.FR-FR\DW20.EXE
c:\Documents and Settings\HP_Administrateur\Bureau\Sécurité\OFFICE12\OFFICE.FR-FR\DWTRIG20.EXE
c:\Documents and Settings\HP_Administrateur\Bureau\Sécurité\OFFICE12\PROPLUS.WW\OSE.EXE
c:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\BACKUP\FAILSAFE\avewin32.dll
c:\Documents and Settings\All Users\Application Data\Grisoft\AVG Anti-Spyware 7.5\Downloads\help.dll
c:\Documents and Settings\All Users\Application Data\Microsoft\IdentityCRL\production\ppcrlconfig.dll
c:\Documents and Settings\HP_Administrateur\Application Data\Mozilla\Firefox\Profiles\rffaey11.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll
c:\Documents and Settings\HP_Administrateur\Application Data\Mozilla\Firefox\Profiles\rffaey11.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll
c:\Documents and Settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll

****** Fin du rapport DiagHelp
Veuillez svp envoyer le fichier C:\upload_moi_MAYKE.tar.gz a l'adresse http://upload.malekal.com
  6. Here are the 2 reports!
     KASPERSKY ONLINE SCANNER REPORT
     Wednesday, November 14, 2007 10:37:16 PM
     Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
     Kaspersky Online Scanner version: 5.0.98.0
     Kaspersky Anti-Virus database last update: 14/11/2007
     Kaspersky Anti-Virus database records: 459583
     Scan Settings
     Scan using the following antivirus database: extended
     Scan Archives: true
     Scan Mail Bases: true
     Scan Target: My Computer C:\ D:\ E:\ F:\ G:\ H:\ I:\ J:\
     Scan Statistics
     Total number of scanned objects: 106196
     Number of viruses found: 3
     Number of infected objects: 8
     Number of suspicious objects: 0
     Duration of the scan process: 02:03:22
  7. OK! Even though AntiVir found no virus, it has just raised an alert reporting a trace of the same trojan! See you soon, and thanks.
  8. So, for information, none of the DLLs indicated were present! Here is the AntiVir report (yesterday, after my first report, I had already deleted some files, perhaps the ones in question!). Today it finds nothing. The Kaspersky scan is in progress!
  9. So, I did send the file. Analysis finished: 0/32. Otherwise, for OTMoveIt, when I click on MoveIt! I get an error message: unable to create c:/_0moveit... I stopped there and am waiting to hear from you! Thanks.
  10. I don't have the tcpip.sys file!!!
  11. Hi again! Here are the requested reports. However, for the 2nd one, when sending the message I got an error message back saying that the error file is invalid!
     HAXFIX logfile - by Marckie
     version 4.57_1
     14/11/2007 15:55:21,70
     --- Checking for Haxdoor ---
     checking for a3d files
     a3d files not found
     checking for matching notify keys
     no matching notify keys found
     checking for matching services
     no matching services found
     checking for matching safeboot services
     no matching safeboot services found
     checking for other Haxdoor-files
     no other Haxdoor-files found
     --- Checking for Goldun ---
     checking for SSODL keys
     no ssodl keys found
     checking for notify keys
     no notify keys found
     checking for services
     no services found
     checking for other Goldun-files
     no other Goldun-files found
     checking iexplore.exe
     iexplore.exe is not infected
     --- Catchme logfile - thank you Gmer ---
     catchme 0.3.1207.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2007-11-14 15:55:21
     Windows 5.1.2600 Service Pack 2 NTFS
     scanning hidden processes ...
     scanning hidden services & system hive ...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\10] "NodeSlot"=dword:000000a6 "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\2] "0"=hex:40,00,31,00,00,00,00,00,00,00,00,00,10,00,49,6e,63,6f,6d,69,6e,.. "MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\2] "0"=hex:e6,01,32,00,00,00,00,00,00,00,00,00,20,00,41,6c,6c,20,4d,69,63,.. "MRUListEx"=hex:0b,00,00,00,0a,00,00,00,09,00,00,00,08,00,00,00,06,00,00,00,07,.. "1"=hex:e0,01,32,00,00,00,00,00,00,00,00,00,20,00,41,6c,6c,20,4d,69,63,.. "2"=hex:2a,01,32,00,00,00,00,00,00,00,00,00,20,00,5b,41,70,70,73,5d,20,.. "NodeSlot"=dword:0000002c "3"=hex:70,00,31,00,00,00,00,00,6d,36,03,96,10,00,43,4f,4d,50,49,4c,7e,.. "4"=hex:6c,00,31,00,00,00,00,00,73,36,8d,9b,10,00,4d,41,52,54,49,4e,7e,.. "5"=hex:86,00,31,00,00,00,00,00,74,36,4f,95,10,00,5f,50,43,47,41,4d,7e,.. "6"=hex:8c,00,31,00,00,00,00,00,99,36,ca,4c,10,00,43,48,52,49,53,54,7e,.. "7"=hex:b4,00,31,00,00,00,00,00,99,36,2e,4f,10,00,53,45,52,49,41,4c,7e,.. "8"=hex:80,00,31,00,00,00,00,00,9b,36,6a,9a,10,00,44,49,41,4d,27,53,7e,.. "9"=hex:58,00,31,00,00,00,00,00,af,36,81,6a,10,00,4c,45,4a,45,55,44,7e,.. "10"=hex:cc,00,31,00,00,00,00,00,af,36,38,96,10,00,41,4d,42,49,41,4e,7e,.. "11"=hex:70,00,31,00,00,00,00,00,b4,36,d6,69,10,00,50,41,52,54,49,54,7e,.. [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\2\] "NodeSlot"=dword:00000023 "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\2\1] "NodeSlot"=dword:00000024 "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\2\10] "NodeSlot"=dword:0000008a "MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff "0"=hex:58,00,31,00,00,00,00,00,5c,32,65,39,10,00,30,38,2d,4d,55,53,7e,.. 
[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\2\10] "NodeSlot"=dword:0000008b "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\2\11] "NodeSlot"=dword:00000094 "MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff "0"=hex:70,00,31,00,00,00,00,00,b4,36,d8,69,30,00,50,41,52,54,49,54,7e,.. [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\2\11] "NodeSlot"=dword:00000095 "MRUListEx"=hex:01,00,00,00,00,00,00,00,ff,ff,ff,ff "0"=hex:3a,00,31,00,00,00,00,00,b4,36,d8,69,30,00,73,65,72,69,61,6c,00,.. "1"=hex:86,00,31,00,00,00,00,00,b4,36,0d,6a,10,00,50,41,52,54,49,54,7e,.. [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\2\11\] "NodeSlot"=dword:00000096 "MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff "0"=hex:5a,00,31,00,00,00,00,00,b4,36,d8,69,30,00,46,52,45,45,57,41,7e,.. [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\2\11\] "NodeSlot"=dword:00000097 "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\2\11\1] "NodeSlot"=dword:00000098 "MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff "0"=hex:36,00,31,00,00,00,00,00,b4,36,0a,6a,10,00,53,65,74,75,70,00,22,.. [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\2\11\1] "NodeSlot"=dword:00000099 "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\2\2] "NodeSlot"=dword:00000025 "MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff "0"=hex:74,00,16,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,10,.. [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\2\2] "NodeSlot"=dword:0000002a "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\2\3] "NodeSlot"=dword:0000002d "MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff "0"=hex:50,00,31,00,00,00,00,00,b6,32,1b,4f,10,00,50,45,54,49,54,53,7e,.. 
[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\2\3] "NodeSlot"=dword:0000002e "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\2\4] "NodeSlot"=dword:0000004d "MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff "0"=hex:6c,00,31,00,00,00,00,00,84,35,9d,8b,10,00,4d,41,52,54,49,4e,7e,.. [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\2\4] "NodeSlot"=dword:0000004e "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\2\5] "NodeSlot"=dword:00000058 "MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff "0"=hex:86,00,31,00,00,00,00,00,74,36,4f,95,10,00,5f,50,43,47,41,4d,7e,.. [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\2\5] "NodeSlot"=dword:00000059 "MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff "0"=hex:7a,00,31,00,00,00,00,00,74,36,4f,95,30,00,5f,50,43,5f,43,4f,7e,.. [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\2\5\] "NodeSlot"=dword:0000005a "MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff "0"=hex:5a,00,31,00,00,00,00,00,74,36,5b,95,10,00,43,4f,4c,44,46,45,7e,.. [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\2\5\] "NodeSlot"=dword:0000005b "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\2\6] "NodeSlot"=dword:0000007d "MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff "0"=hex:8c,00,31,00,00,00,00,00,8d,36,ca,50,10,00,43,48,52,49,53,54,7e,.. [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\2\6] "NodeSlot"=dword:0000007e "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\2\7] "NodeSlot"=dword:0000007f "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\2\8] "NodeSlot"=dword:00000082 "MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff "0"=hex:6a,00,31,00,00,00,00,00,44,34,ce,56,10,00,44,49,41,4d,27,53,7e,.. 
[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\2\8] "NodeSlot"=dword:00000083 "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\2\9] "NodeSlot"=dword:00000089 "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\3] "NodeSlot"=dword:00000031 "MRUListEx"=hex:04,00,00,00,03,00,00,00,00,00,00,00,02,00,00,00,01,00,00,00,ff,.. "0"=hex:40,00,31,00,00,00,00,00,6e,36,14,a4,10,00,6a,61,76,61,5f,63,75,.. "1"=hex:30,00,31,00,00,00,00,00,6e,36,13,a4,10,00,45,44,55,00,1e,00,03,.. "2"=hex:2e,00,31,00,00,00,00,00,6e,36,14,a4,10,00,65,6e,00,00,1c,00,03,.. "3"=hex:40,00,31,00,00,00,00,00,6e,36,17,a4,10,00,4d,45,54,41,2d,49,4e,.. "4"=hex:30,00,31,00,00,00,00,00,6e,36,14,a4,10,00,6f,72,67,00,1e,00,03,.. [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\3] "NodeSlot"=dword:00000032 "MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff "0"=hex:3c,00,31,00,00,00,00,00,6e,36,14,a4,10,00,72,75,6e,74,69,6d,65,.. [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\3\] "NodeSlot"=dword:0000003b "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\3\1] "NodeSlot"=dword:00000033 "MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff "0"=hex:3a,00,31,00,00,00,00,00,6e,36,13,a4,10,00,6f,73,77,65,67,6f,00,.. [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\3\1] "NodeSlot"=dword:00000034 "MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff "0"=hex:2e,00,31,00,00,00,00,00,6e,36,13,a4,10,00,63,73,00,00,1c,00,03,.. [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\3\1\] "NodeSlot"=dword:00000035 "MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff "0"=hex:2e,00,31,00,00,00,00,00,6e,36,13,a4,10,00,64,6c,00,00,1c,00,03,.. 
[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\3\1\] "NodeSlot"=dword:00000036 "MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff "0"=hex:34,00,31,00,00,00,00,00,6e,36,13,a4,10,00,75,74,69,6c,00,00,20,.. [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\3\1\\] "NodeSlot"=dword:00000037 "MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff "0"=hex:44,00,31,00,00,00,00,00,6e,36,14,a4,10,00,43,4f,4e,43,55,52,7e,.. [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\3\1\\] "NodeSlot"=dword:00000038 "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\3\2] "NodeSlot"=dword:00000039 "MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff "0"=hex:3c,00,31,00,00,00,00,00,6e,36,14,a4,10,00,68,6f,74,6d,61,69,6c,.. [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\3\2] "NodeSlot"=dword:0000003a "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\3\3] "NodeSlot"=dword:0000003c "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\3\4] "NodeSlot"=dword:0000003d "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\4] "NodeSlot"=dword:0000003f "MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff "0"=hex:48,00,31,00,00,00,00,00,22,34,4f,bb,10,00,4a,52,45,31,35,7e,31,.. 
[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\4] "NodeSlot"=dword:00000040 "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\5] "NodeSlot"=dword:00000043 "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\6] "NodeSlot"=dword:00000044 "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\7] "NodeSlot"=dword:0000004a "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\8] "NodeSlot"=dword:0000004b "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\9] "NodeSlot"=dword:00000077 "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\3] "NodeSlot"=dword:00000020 "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\4] "NodeSlot"=dword:0000006d "MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff "0"=hex:3a,00,31,00,00,00,00,00,75,36,5d,89,10,00,48,69,74,6d,61,6e,00,.. [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\4] "NodeSlot"=dword:0000006e "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\5] "NodeSlot"=dword:0000006f "MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff "0"=hex:4a,00,31,00,00,00,00,00,74,36,4f,96,10,00,44,45,4c,55,58,45,7e,.. [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\5] "NodeSlot"=dword:00000070 "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2] "NodeSlot"=dword:0000005d "MRUListEx"=hex:04,00,00,00,01,00,00,00,03,00,00,00,02,00,00,00,00,00,00,00,ff,.. "0"=hex:72,00,31,00,00,00,00,00,b4,36,f1,6d,11,00,4d,41,4d,55,53,49,7e,.. "1"=hex:6a,00,31,00,00,00,00,00,b4,36,f1,6d,11,00,4d,75,73,69,71,75,65,.. "2"=hex:3c,00,31,00,00,00,00,00,b4,36,65,6f,10,00,50,61,70,69,65,72,73,.. 
"3"=hex:6c,00,31,00,00,00,00,00,b4,36,c6,70,11,00,4d,45,53,56,49,44,7e,.. "4"=hex:60,00,31,00,00,00,00,00,b4,36,e2,70,11,00,56,49,44,4f,7e,31,00,.. [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2] "NodeSlot"=dword:000000a7 "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1] "NodeSlot"=dword:000000a8 "MRUListEx"=hex:12,00,00,00,11,00,00,00,10,00,00,00,0f,00,00,00,0d,00,00,00,0e,.. "0"=hex:3e,00,31,00,00,00,00,00,b4,36,dd,6c,10,00,52,41,50,48,41,4c,7e,.. "1"=hex:50,00,31,00,00,00,00,00,b4,36,d8,6c,10,00,56,52,4f,4e,49,51,7e,.. "2"=hex:3c,00,31,00,00,00,00,00,b4,36,cd,7c,10,00,42,61,72,62,61,72,61,.. "3"=hex:44,00,31,00,00,00,00,00,b5,36,e0,71,10,00,45,44,49,54,48,50,7e,.. "4"=hex:42,00,31,00,00,00,00,00,b4,36,c2,6d,10,00,4b,45,52,45,4e,41,7e,.. "5"=hex:42,00,31,00,00,00,00,00,b5,36,ee,73,10,00,4d,41,4e,4f,53,4f,7e,.. "6"=hex:4a,00,31,00,00,00,00,00,b4,36,43,6d,10,00,4d,59,4c,45,4e,45,7e,.. "7"=hex:44,00,31,00,00,00,00,00,b4,36,e1,6c,10,00,50,4f,52,54,49,53,7e,.. "8"=hex:56,00,31,00,00,00,00,00,b4,36,f1,6d,10,00,43,48,52,49,53,54,7e,.. "9"=hex:46,00,31,00,00,00,00,00,b5,36,31,7f,10,00,46,52,41,4e,43,45,7e,.. "10"=hex:36,00,31,00,00,00,00,00,b4,36,70,78,10,00,54,65,78,61,73,00,22,.. "11"=hex:3a,00,31,00,00,00,00,00,b4,36,e8,6d,10,00,44,69,76,65,72,73,00,.. "12"=hex:48,00,31,00,00,00,00,00,b5,36,95,6b,10,00,4c,49,4c,49,41,4e,7e,.. "13"=hex:44,00,31,00,00,00,00,00,b4,36,ee,79,10,00,4c,49,41,4e,45,46,7e,.. "14"=hex:4e,00,31,00,00,00,00,00,b5,36,e1,83,10,00,56,41,4e,45,53,53,7e,.. "15"=hex:50,00,31,00,00,00,00,00,b4,36,47,6d,10,00,4d,49,43,48,45,4c,7e,.. "16"=hex:36,00,31,00,00,00,00,00,b5,36,3d,7c,10,00,5a,61,7a,69,65,00,22,.. "17"=hex:46,00,31,00,00,00,00,00,b5,36,74,5c,10,00,4c,41,52,41,46,41,7e,.. "18"=hex:4a,00,31,00,00,00,00,00,b5,36,ef,82,10,00,4c,45,53,49,4e,4e,7e,.. 
[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1] "NodeSlot"=dword:000000bd "MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff "0"=hex:58,00,31,00,00,00,00,00,b5,36,33,6c,10,00,52,41,50,48,41,4c,7e,.. [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\] "NodeSlot"=dword:000000be "MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff "0"=hex:68,00,31,00,00,00,00,00,b5,36,33,6c,10,00,52,41,50,48,41,45,7e,.. [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\] "NodeSlot"=dword:000000bf "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\1] "NodeSlot"=dword:000000c0 "MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff "0"=hex:42,00,31,00,00,00,00,00,b5,36,7a,79,10,00,4c,45,4d,41,55,44,7e,.. [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\1] "NodeSlot"=dword:000000ca "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\10] "NodeSlot"=dword:000000d1 "MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff "0"=hex:44,00,31,00,00,00,00,00,b4,36,02,79,10,00,52,49,43,4b,53,52,7e,.. [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\10] "NodeSlot"=dword:000000d2 "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\11] "NodeSlot"=dword:000000d3 "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\12] "NodeSlot"=dword:000000d4 "MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff "0"=hex:52,00,31,00,00,00,00,00,b5,36,ad,6b,10,00,4c,45,53,50,45,54,7e,.. [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\12] "NodeSlot"=dword:000000d7 "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\13] "NodeSlot"=dword:000000d5 "MRUListEx"=hex:00,00,00,00,01,00,00,00,ff,ff,ff,ff "0"=hex:52,00,31,00,00,00,00,00,b5,36,96,6b,10,00,4c,45,53,50,45,54,7e,.. "1"=hex:44,00,31,00,00,00,00,00,b5,36,a5,89,10,00,41,43,4f,55,53,54,7e,.. 
[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\13] "NodeSlot"=dword:000000d6 "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\13\1] "NodeSlot"=dword:000000da "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\14] "NodeSlot"=dword:000000d8 "MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff "0"=hex:36,00,31,00,00,00,00,00,b4,36,da,72,10,00,4d,26,4a,7e,31,00,22,.. [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\14] "NodeSlot"=dword:000000d9 "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\15] "NodeSlot"=dword:000000db "MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff "0"=hex:50,00,31,00,00,00,00,00,b4,36,4a,6d,10,00,4c,49,56,45,41,54,7e,.. [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\15] "NodeSlot"=dword:000000dc "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\16] "NodeSlot"=dword:000000dd "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\17] "NodeSlot"=dword:000000de "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\18] "NodeSlot"=dword:000000df "MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff "0"=hex:4a,00,31,00,00,00,00,00,b5,36,8c,83,10,00,4c,45,53,49,4e,4e,7e,.. [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\18] "NodeSlot"=dword:000000e0 "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\2] "NodeSlot"=dword:000000c1 "MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff "0"=hex:3c,00,31,00,00,00,00,00,b5,36,cd,6e,10,00,42,61,72,62,61,72,61,.. 
[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\2] "NodeSlot"=dword:000000c2 "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\3] "NodeSlot"=dword:000000c3 "MRUListEx"=hex:01,00,00,00,00,00,00,00,ff,ff,ff,ff "0"=hex:3e,00,31,00,00,00,00,00,b5,36,ed,71,10,00,42,45,53,54,4f,46,7e,.. "1"=hex:60,00,31,00,00,00,00,00,b5,36,e0,71,10,00,4e,4f,4e,5f,4a,45,7e,.. [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\3] "NodeSlot"=dword:000000c4 "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\3\1] "NodeSlot"=dword:000000c5 "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\4] "NodeSlot"=dword:000000c6 "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\5] "NodeSlot"=dword:000000c7 "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\6] "NodeSlot"=dword:000000c8 "MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff "0"=hex:6a,00,31,00,00,00,00,00,b4,36,0a,6d,10,00,30,39,2d,4c,45,53,7e,.. [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\6] "NodeSlot"=dword:000000c9 "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\7] "NodeSlot"=dword:000000cb "MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff "0"=hex:3c,00,31,00,00,00,00,00,b5,36,c0,7a,10,00,49,6e,63,6f,6e,6e,75,.. [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\7] "NodeSlot"=dword:000000cc "MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff "0"=hex:3c,00,31,00,00,00,00,00,b5,36,c2,7a,10,00,49,6e,63,6f,6e,6e,75,.. 
[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\7\] "NodeSlot"=dword:000000cd "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\8] "NodeSlot"=dword:000000ce "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\9] "NodeSlot"=dword:000000cf "MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff "0"=hex:60,00,31,00,00,00,00,00,b5,36,0d,80,10,00,4c,45,53,50,4c,55,7e,.. [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\9] "NodeSlot"=dword:000000d0 "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\2] "NodeSlot"=dword:000000ac "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\3] "NodeSlot"=dword:000000af "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\4] "NodeSlot"=dword:000000b0 "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\3] "NodeSlot"=dword:000000ae "MRUListEx"=hex:ff,ff,ff,ff [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\10\Shell] "Mode"=dword:00000006 "ScrollPos800x600(1).x"=dword:00000000 "ScrollPos800x600(1).y"=dword:00000000 "Sort"=dword:00000000 "SortDir"=dword:00000001 "Col"=dword:ffffffff "ColInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,fd,df,df,fd,0f,.. 
"MinPos800x600(1).x"=dword:ffff8300 "MinPos800x600(1).y"=dword:ffff8300 "MaxPos800x600(1).x"=dword:ffffffff "MaxPos800x600(1).y"=dword:ffffffff "WinPos800x600(1).left"=dword:00000016 "WinPos800x600(1).top"=dword:0000001d "WinPos800x600(1).right"=dword:0000026e "WinPos800x600(1).bottom"=dword:000001b1 "Rev"=dword:00000000 "WFlags"=dword:00000002 "ShowCmd"=dword:00000003 "FFlags"=dword:00000001 "HotKey"=dword:00000000 "Buttons"=dword:ffffffff "Status"=dword:00000000 "Links"=dword:00000000 "Address"=dword:ffffffff "Vid"="{65F125E5-7BE1-4810-BA9D-D271C8432CE3}" "FolderType"="Documents" scanning hidden files ... C:\Documents and Settings\HP_Administrateur\Local Settings\Application Data\Microsoft\Messenger\ekyam@hotmail.fr\SharingMetadata\albana_peace_love@hotmail.com\DFSR\Staging\CS{12CD4118-9065-0517-28EB-8C067C9B382B}1\11-{12CD4118-9065-0517-28EB-8C067C9B382B}-v1-{0F6682CA-DA87-4B20-ADED-BB3925C14E2C}-v11-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 8 bytes hidden from API scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 1 --- Analysing Catchme logfile --- no matching regkeys found Finished! 
DiagHelp version v1.4 - http://www.malekal.com
excute le 14/11/2007 à 15:59:32,26

Liste des derniers fichies modifies/crees dans windir\system32 et prefetch

C:\WINDOWS\prefetch\CHCP.COM-18156052.pf -->14/11/2007 15:59:12
C:\WINDOWS\prefetch\CMD.EXE-087B4001.pf -->14/11/2007 15:58:53
C:\WINDOWS\prefetch\WINRAR.EXE-39C6DAD9.pf -->14/11/2007 15:57:58
C:\WINDOWS\prefetch\NOTEPAD.EXE-336351A9.pf -->14/11/2007 15:57:14
C:\WINDOWS\prefetch\PROCESS.EXE-0AC319D7.pf -->14/11/2007 15:57:00
C:\WINDOWS\prefetch\REGEDIT.EXE-1B606482.pf -->14/11/2007 15:56:00
C:\WINDOWS\prefetch\PING.EXE-31216D26.pf -->14/11/2007 15:55:57
C:\WINDOWS\prefetch\CATCHME.EXE-16F03412.pf -->14/11/2007 15:55:31
C:\WINDOWS\prefetch\FINDSTR.EXE-0CA6274B.pf -->14/11/2007 15:55:29
C:\WINDOWS\prefetch\FIND.EXE-0EC32F1E.pf -->14/11/2007 15:54:45

C:\WINDOWS\System32\drivers\fidbox.dat -->14/11/2007 15:57:51
C:\WINDOWS\System32\drivers\fidbox.idx -->14/11/2007 01:46:14
C:\WINDOWS\System32\drivers\avipbb.sys -->10/10/2007 20:55:13
C:\WINDOWS\System32\drivers\NSDriver.sys -->19/08/2007 12:08:03
C:\WINDOWS\System32\drivers\AWRTRD.sys -->19/08/2007 12:08:03
C:\WINDOWS\System32\drivers\klif.sys -->19/07/2007 14:10:28
C:\WINDOWS\System32\drivers\StarOpen.sys -->20/06/2007 14:49:59

C:\WINDOWS\System32\wpa.dbl -->14/11/2007 12:21:30
C:\WINDOWS\System32\nvapps.xml -->14/11/2007 12:21:16
C:\WINDOWS\System32\vsconfig.xml -->14/11/2007 12:21:13
C:\WINDOWS\System32\FNTCACHE.DAT -->04/11/2007 20:55:35
C:\WINDOWS\System32\perfh00C.dat -->03/11/2007 23:38:58
C:\WINDOWS\System32\perfh009.dat -->03/11/2007 23:38:58
C:\WINDOWS\System32\perfc00C.dat -->03/11/2007 23:38:58
C:\WINDOWS\System32\perfc009.dat -->03/11/2007 23:38:58
C:\WINDOWS\System32\PerfStringBackup.INI -->03/11/2007 23:38:57
C:\WINDOWS\System32\MRT.exe -->02/11/2007 08:12:57
C:\WINDOWS\System32\settings.aaw -->30/10/2007 17:20:33
C:\WINDOWS\System32\history.aaw -->30/10/2007 17:20:33
C:\WINDOWS\System32\xpsp3res.dll -->29/10/2007 16:07:16
C:\WINDOWS\System32\shell32.dll -->25/10/2007 17:43:25
C:\WINDOWS\System32\jupdate-1.6.0_03-b05.log -->15/10/2007 08:31:45
C:\WINDOWS\System32\catchme.exe -->11/10/2007 10:59:50
C:\WINDOWS\System32\LexFiles.ulf -->09/10/2007 17:37:12
C:\WINDOWS\System32\javaws.exe -->24/09/2007 22:31:42
C:\WINDOWS\System32\javacpl.cpl -->24/09/2007 22:31:42
C:\WINDOWS\System32\javaw.exe -->24/09/2007 21:30:30
C:\WINDOWS\System32\java.exe -->24/09/2007 21:30:28
C:\WINDOWS\System32\zllictbl.dat -->19/09/2007 19:32:08
C:\WINDOWS\System32\vsdatant.sys -->06/09/2007 15:14:28
C:\WINDOWS\System32\zpeng24.dll -->06/09/2007 15:14:12
C:\WINDOWS\System32\zlcommdb.dll -->06/09/2007 15:14:08

C:\WINDOWS\WindowsUpdate.log -->14/11/2007 15:21:30
C:\WINDOWS.log -->14/11/2007 12:21:12
C:\WINDOWS\wiadebug.log -->14/11/2007 12:21:09
C:\WINDOWS\wiaservc.log -->14/11/2007 12:21:06
C:\WINDOWS\bootstat.dat -->14/11/2007 12:20:49
C:\WINDOWS\ntbtlog.txt -->14/11/2007 02:39:49
C:\WINDOWS\SchedLgU.Txt -->14/11/2007 01:46:12
C:\WINDOWS\setuperr.log -->14/11/2007 01:45:42
C:\WINDOWS\setupact.log -->14/11/2007 01:45:42
C:\WINDOWS\tsoc.log -->14/11/2007 01:39:51
C:\WINDOWS\tabletoc.log -->14/11/2007 01:39:51
C:\WINDOWS\ocmsn.log -->14/11/2007 01:39:51
C:\WINDOWS\ntdtcsetup.log -->14/11/2007 01:39:51
C:\WINDOWS\MedCtrOC.log -->14/11/2007 01:39:51
C:\WINDOWS\imsins.log -->14/11/2007 01:39:51

winlogon.exe Verified: Signed
svchost.exe Verified: Signed
ws2_32.dll Verified: Signed
user32.dll Verified: Signed
tcpip.sys Verified: Unsigned
ndis.sys Verified: Signed
null.sys Verified: Signed

ListDLLs v2.25 - DLL lister for Win9x/NT
Copyright © 1997-2004 Mark Russinovich
Sysinternals - www.sysinternals.com
------------------------------------------------------------------------------
explorer.exe pid: 1624
Command line: C:\WINDOWS\Explorer.EXE

Base  Size  Version  Path
0x58b50000  0x9a000  5.82.2900.2982  C:\WINDOWS\system32\comctl32.dll
0x76f80000  0x7f000  2001.12.4414.0308  C:\WINDOWS\system32\CLBCATQ.DLL
0x77000000  0xd4000  2001.12.4414.0258  C:\WINDOWS\system32\COMRes.dll
0x76ac0000  0x11000  3.05.2284.0000  C:\WINDOWS\system32\ATL.DLL
0x7d200000  0x2be000  3.01.4000.4039  C:\WINDOWS\system32\msi.dll
0x164a0000  0x23000  5.02.5721.5145  C:\WINDOWS\system32\WPDShServiceObj.dll
0x10000000  0x16f000  6.14.0010.11040  C:\WINDOWS\system32\nview.dll
0x01770000  0x50000  6.14.0010.11040  C:\WINDOWS\system32\NVWRSFR.DLL
0x109c0000  0x2c000  5.02.5721.5145  C:\WINDOWS\system32\PortableDeviceTypes.dll
0x10930000  0x49000  5.02.5721.5145  C:\WINDOWS\system32\PortableDeviceApi.dll
0x00ac0000  0x9000  2.01.0000.0020  C:\Program Files\Macrogaming\SweetIM\mgAdaptersProxy.dll
0x7c360000  0x56000  7.10.6030.0000  C:\Program Files\Macrogaming\SweetIM\MSVCR71.dll
0x78130000  0x9b000  8.00.50727.0163  C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\MSVCR80.dll
0x02550000  0x5b000  8.01.0000.0000  C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\PDFShell.dll
0x025b0000  0x4c000  8.00.0000.0000  C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\PDFShell.FRA
0x012d0000  0x15000  6.14.0010.9132  C:\WINDOWS\system32\nvwddi.dll
0x74730000  0x3d000  3.525.1117.0000  C:\WINDOWS\system32\ODBC32.dll
0x02510000  0x18000  3.525.1117.0000  C:\WINDOWS\system32\odbcint.dll
0x00b00000  0x6000  C:\Program Files\Unlocker\UnlockerCOM.dll
0x52200000  0xb000  7.00.0408.0000  C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll
0x00d00000  0x2b000  C:\Program Files\WinRAR\rarext.dll
0x00e10000  0x11000  7.00.0000.0010  C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll
0x7c250000  0x102000  7.10.3077.0000  C:\Program Files\AntiVir PersonalEdition Classic\MFC71U.DLL
0x5d360000  0xf000  7.10.3077.0000  C:\WINDOWS\system32\MFC71FRA.DLL
0x5a500000  0x4e000  8.01.0178.0000  C:\Program Files\MSN Messenger\fsshext.8.1.0178.00.dll
0x16210000  0x27e000  5.02.5721.5145  C:\WINDOWS\system32\wpdshext.dll
0x07160000  0x46000  5.02.5721.5145  C:\WINDOWS\system32\Audiodev.dll
0x15110000  0x25a000  11.00.5721.5145  C:\WINDOWS\system32\WMVCore.DLL
0x11c70000  0x39000  11.00.5721.5145  C:\WINDOWS\system32\WMASF.DLL
0x014a0000  0x10000  8.00.0000.0456  C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
0x02000000  0xa000  C:\WINDOWS\system32\fmifs32.dll
0x037b0000  0xd5000  1.04.0000.0000  C:\PROGRA~1\SPYBOT~1\SDHelper.dll
0x6bd10000  0x10000  12.00.4518.1014  C:\Program Files\Microsoft Office\Office12\msohevi.dll

ListDLLs v2.25 - DLL lister for Win9x/NT
Copyright © 1997-2004 Mark Russinovich
Sysinternals - www.sysinternals.com
------------------------------------------------------------------------------
winlogon.exe pid: 760
Command line: winlogon.exe

Base  Size  Version  Path
0x01000000  0x81000  \??\C:\WINDOWS\system32\winlogon.exe
0x58b50000  0x9a000  5.82.2900.2982  C:\WINDOWS\system32\COMCTL32.dll
0x74730000  0x3d000  3.525.1117.0000  C:\WINDOWS\system32\ODBC32.dll
0x20000000  0x18000  3.525.1117.0000  C:\WINDOWS\system32\odbcint.dll
0x01230000  0x3b000  1.07.0017.0000  C:\WINDOWS\system32\WgaLogon.dll
0x76f80000  0x7f000  2001.12.4414.0308  C:\WINDOWS\system32\CLBCATQ.DLL
0x77000000  0xd4000  2001.12.4414.0258  C:\WINDOWS\system32\COMRes.dll
0x76010000  0x65000  6.02.3104.0000  C:\WINDOWS\system32\MSVCP60.dll

Le volume dans le lecteur C s'appelle HP_PAVILION
Le numéro de série du volume est 005A-6CCF

Répertoire de C:\WINDOWS\system

07/05/1998 17:04 52 736 hpsysdrv.exe
1 fichier(s) 52 736 octets
0 Rép(s) 112 717 991 936 octets libres

Le volume dans le lecteur C s'appelle HP_PAVILION
Le numéro de série du volume est 005A-6CCF

Répertoire de C:\WINDOWS\system32

10/08/2004 12:00 6 144 csrss.exe
1 fichier(s) 6 144 octets
0 Rép(s) 112 717 987 840 octets libres

Contenu de Downloaded Program Files

Le volume dans le lecteur C s'appelle HP_PAVILION
Le numéro de série du volume est 005A-6CCF

Répertoire de C:\WINDOWS\Downloaded Program Files

09/10/2007 16:08 <REP> .
09/10/2007 16:08 <REP> ..
10/10/2005 12:32 65 desktop.ini
1 fichier(s) 65 octets
Total des fichiers listés :
1 fichier(s) 65 octets
2 Rép(s) 112 717 987 840 octets libres

Recherche de rootkit! (Merci S!Ri)
Recherche d'infections connues
Export des clefs sensibles..

Liste des fichiers en exception sur le pare-feu XP SP2
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\WINDOWS\\system32\\lxcrcoms.exe"="C:\\WINDOWS\\system32\\lxcrcoms.exe:*:Enabled:Lexmark Communications System"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Export de la clef SharedTaskScheduler
[sharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Pré-chargeur Browseui"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Démon de cache des catégories de composant"

exports des policies
REGEDIT4
[system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
  63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
  6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
  73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

Export des clefs sensibles..
Rechercher adresses sensibles dans le fichier HOSTS...

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-14 16:00:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\E100B]
"EventMessageFile"=str(2):"%SystemRoot%\System32\netevent.dll;%SystemRoot%\System32\e100bmsg.dll"
"TypesSupported"=dword:00000007

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\NtServicePack]
"EventMessageFile"=str(2):"%SystemRoot%\System32\spmsg.dll"
"TypesSupported"=dword:00000007

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\nv]
"EventMessageFile"=str(2):"%SystemRoot%\System32\IoLogMsg.dll;%SystemRoot%\System32\drivers\nv4_mini.sys"
"TypesSupported"=dword:00000007

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\PS2]
"EventMessageFile"=str(2):"%SystemRoot%\System32\IoLogMsg.dll;%SystemRoot%\System32\drivers\PS2.sys"
"TypesSupported"=dword:00000007

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\Windows Installer 3.1]
"EventMessageFile"=str(2):"%SystemRoot%\System32\spmsg.dll"
"TypesSupported"=dword:00000007

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\WindowsMedia]
"EventMessageFile"=str(2):"%SystemRoot%\System32\spmsg.dll"
"TypesSupported"=dword:00000007

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Eventlog\System\E100B]
"EventMessageFile"=str(2):"%SystemRoot%\System32\netevent.dll;%SystemRoot%\System32\e100bmsg.dll"
"TypesSupported"=dword:00000007

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Eventlog\System\NtServicePack]
"EventMessageFile"=str(2):"%SystemRoot%\System32\spmsg.dll"
"TypesSupported"=dword:00000007

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Eventlog\System\nv]
"EventMessageFile"=str(2):"%SystemRoot%\System32\IoLogMsg.dll;%SystemRoot%\System32\drivers\nv4_mini.sys"
"TypesSupported"=dword:00000007

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Eventlog\System\PS2]
"EventMessageFile"=str(2):"%SystemRoot%\System32\IoLogMsg.dll;%SystemRoot%\System32\drivers\PS2.sys"
"TypesSupported"=dword:00000007
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Eventlog\System\Windows Installer 3.1]
"EventMessageFile"=str(2):"%SystemRoot%\System32\spmsg.dll"
"TypesSupported"=dword:00000007

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Eventlog\System\WindowsMedia]
"EventMessageFile"=str(2):"%SystemRoot%\System32\spmsg.dll"
"TypesSupported"=dword:00000007

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\SOFTWARE\Microsoft]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\SOFTWARE\Microsoft\Windows]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\SOFTWARE\Microsoft\Windows\CurrentVersion]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{11DF0055-8BF6-475C-B0D6-9BC20C840229}"="EL04 Power Management Ext"

scanning hidden files ...

scan completed successfully
hidden services: 0
hidden files: 0

KProcCheck Version 0.2-beta1 Proof-of-Concept by SIG^2 (www.security.org.sg)

Process list by traversal of KiWaitListHead
4 - System
476 - sched.exe
488 - avguard.exe
604 - IAANTmon.exe
708 - firefox.exe
736 - csrss.exe
760 - winlogon.exe
804 - services.exe
816 - lsass.exe
992 - svchost.exe
1060 - svchost.exe
1100 - lxcrcoms.exe
1148 - nvsvc32.exe
1156 - svchost.exe
1196 - svchost.exe
1328 - svchost.exe
1404 - vsmon.exe
1460 - svchost.exe
1624 - explorer.exe
1836 - mcrdsvc.exe
1972 - aawservice.exe
2468 - dllhost.exe
2792 - alg.exe
3220 - avgnt.exe
3236 - PCBooster.exe
3244 - rundll32.exe
3260 - zlclient.exe
3272 - lxcrmon.exe
3288 - ezprint.exe
3332 - itype.exe
3436 - ipoint.exe
3520 - SweetIM.exe
3532 - ctfmon.exe
4068 - cmd.exe

Total number of processes = 34
NOTE: Under WinXP, this will not show all processes.
     KProcCheck Version 0.2-beta1 Proof-of-Concept by SIG^2 (www.security.org.sg)

     Driver/Module list by traversal of PsLoadedModuleList

     804D7000 - \WINDOWS\system32\ntkrnlpa.exe
     806E2000 - \WINDOWS\system32\hal.dll
     F7B10000 - \WINDOWS\system32\KDCOM.DLL
     F7A20000 - \WINDOWS\system32\BOOTVID.dll
     F74E0000 - ACPI.sys
     F7B12000 - \WINDOWS\system32\DRIVERS\WMILIB.SYS
     F74CF000 - pci.sys
     F7610000 - isapnp.sys
     F7620000 - ohci1394.sys
     F7630000 - \WINDOWS\system32\DRIVERS\1394BUS.SYS
     F7BD8000 - pciide.sys
     F7890000 - \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
     F7B14000 - viaide.sys
     F7B16000 - intelide.sys
     F7640000 - MountMgr.sys
     F74B0000 - ftdisk.sys
     F7B18000 - dmload.sys
     F748A000 - dmio.sys
     F7898000 - PartMgr.sys
     F7650000 - VolSnap.sys
     F73CA000 - iastor.sys
     F73B2000 - atapi.sys
     F736F000 - ftsata2.sys
     F7357000 - \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
     F7660000 - disk.sys
     F7670000 - \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
     F7337000 - fltMgr.sys
     F7325000 - sr.sys
     F7680000 - bb-run.sys
     F7690000 - PxHelp20.sys
     F730E000 - KSecDD.sys
     F72FB000 - WudfPf.sys
     F726E000 - Ntfs.sys
     F7241000 - NDIS.sys
     F722D000 - srescan.sys
     F7212000 - Mup.sys
     F78A0000 - BTHidMgr.sys
     F7800000 - \SystemRoot\system32\DRIVERS\intelppm.sys
     F7918000 - \SystemRoot\system32\DRIVERS\ELacpi.sys
     F660F000 - \SystemRoot\system32\DRIVERS\nv4_mini.sys
     F65FB000 - \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
     F65D6000 - \SystemRoot\system32\DRIVERS\HDAudBus.sys
     F7920000 - \SystemRoot\system32\DRIVERS\usbuhci.sys
     F65B3000 - \SystemRoot\system32\DRIVERS\USBPORT.SYS
     F7928000 - \SystemRoot\system32\DRIVERS\usbehci.sys
     F658B000 - \SystemRoot\system32\DRIVERS\e100b325.sys
     F6577000 - \SystemRoot\system32\DRIVERS\parport.sys
     F7810000 - \SystemRoot\system32\DRIVERS\i8042prt.sys
     F7930000 - \SystemRoot\system32\DRIVERS\point32.sys
     F7938000 - \SystemRoot\system32\DRIVERS\mouclass.sys
     F7B52000 - \??\C:\WINDOWS\System32\Drivers\Elmou.sys
     F7940000 - \SystemRoot\system32\DRIVERS\PS2.sys
     F7948000 - \SystemRoot\system32\DRIVERS\kbdclass.sys
     F7B54000 - \??\C:\WINDOWS\System32\Drivers\Elkbd.sys
     F7820000 - \SystemRoot\system32\DRIVERS\imapi.sys
     F7830000 - \SystemRoot\system32\DRIVERS\cdrom.sys
     F7840000 - \SystemRoot\system32\DRIVERS\redbook.sys
     F6554000 - \SystemRoot\system32\DRIVERS\ks.sys
     F7C76000 - \SystemRoot\system32\DRIVERS\audstub.sys
     F7860000 - \SystemRoot\system32\DRIVERS\rasl2tp.sys
     F71DE000 - \SystemRoot\system32\DRIVERS\ndistapi.sys
     F651A000 - \SystemRoot\system32\DRIVERS\ndiswan.sys
     F7870000 - \SystemRoot\system32\DRIVERS\raspppoe.sys
     F7880000 - \SystemRoot\system32\DRIVERS\raspptp.sys
     F7950000 - \SystemRoot\system32\DRIVERS\TDI.SYS
     F64E5000 - \SystemRoot\system32\DRIVERS\psched.sys
     F77B0000 - \SystemRoot\system32\DRIVERS\msgpc.sys
     F79F0000 - \SystemRoot\system32\DRIVERS\ptilink.sys
     F79F8000 - \SystemRoot\system32\DRIVERS\raspti.sys
     F5E09000 - \SystemRoot\system32\DRIVERS\rdpdr.sys
     F77C0000 - \SystemRoot\system32\DRIVERS\termdd.sys
     F7B5C000 - \SystemRoot\system32\DRIVERS\swenum.sys
     F57D8000 - \SystemRoot\system32\DRIVERS\update.sys
     F71A6000 - \SystemRoot\system32\DRIVERS\mssmbios.sys
     F61B8000 - \SystemRoot\System32\Drivers\NDProxy.SYS
     EE630000 - \SystemRoot\system32\drivers\RtkHDAud.sys
     EE60E000 - \SystemRoot\system32\drivers\portcls.sys
     F2634000 - \SystemRoot\system32\drivers\drmk.sys
     ED202000 - \SystemRoot\system32\DRIVERS\usbhub.sys
     F7BCE000 - \SystemRoot\system32\DRIVERS\USBD.SYS
     ECF0A000 - \SystemRoot\system32\DRIVERS\klif.sys
     F0029000 - \SystemRoot\system32\DRIVERS\usbccgp.sys
     F7B8E000 - \SystemRoot\System32\Drivers\Fs_Rec.SYS
     F1160000 - \SystemRoot\System32\Drivers\Null.SYS
     F7B90000 - \SystemRoot\System32\Drivers\Beep.SYS
     F0021000 - \SystemRoot\System32\drivers\vga.sys
     F7B92000 - \SystemRoot\System32\Drivers\mnmdd.SYS
     F7B94000 - \SystemRoot\System32\DRIVERS\RDPCDD.sys
     F0019000 - \SystemRoot\System32\Drivers\Msfs.SYS
     F0011000 - \SystemRoot\System32\Drivers\Npfs.SYS
     F030B000 - \SystemRoot\system32\DRIVERS\rasacd.sys
     EB1C4000 - \SystemRoot\system32\DRIVERS\ipsec.sys
     EB16C000 - \SystemRoot\system32\DRIVERS\tcpip.sys
     EB144000 - \SystemRoot\system32\DRIVERS\netbt.sys
     EB123000 - \SystemRoot\system32\DRIVERS\ipnat.sys
     EFD75000 - \SystemRoot\system32\DRIVERS\wanarp.sys
     EB0C3000 - \SystemRoot\System32\vsdatant.sys
     EB0A1000 - \SystemRoot\System32\drivers\afd.sys
     EFD65000 - \SystemRoot\system32\DRIVERS\netbios.sys
     F0009000 - \SystemRoot\System32\Drivers\StarOpen.SYS
     EB076000 - \SystemRoot\system32\DRIVERS\rdbss.sys
     EB42F000 - \SystemRoot\system32\DRIVERS\mrxsmb.sys
     EFD55000 - \SystemRoot\System32\Drivers\Fips.SYS
     F7B9E000 - \??\C:\WINDOWS\System32\Drivers\Elmon.sys
     F0C90000 - \??\C:\WINDOWS\System32\Drivers\Elhid.sys
     EFFF9000 - \??\C:\WINDOWS\System32\Drivers\HIDPARSE.SYS
     F7BA0000 - \??\C:\Program Files\AntiVir PersonalEdition Classic\avgio.sys
     EB053000 - \SystemRoot\System32\Drivers\Fastfat.SYS
     F1072000 - \SystemRoot\system32\DRIVERS\USBSTOR.SYS
     F0C74000 - \SystemRoot\system32\DRIVERS\usbscan.sys
     F106A000 - \SystemRoot\system32\DRIVERS\usbprint.sys
     F0C70000 - \SystemRoot\system32\DRIVERS\hidusb.sys
     EFD35000 - \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
     EB36F000 - \SystemRoot\System32\Drivers\dump_iaStor.sys
     BF800000 - \SystemRoot\System32\win32k.sys
     F0F33000 - \SystemRoot\System32\drivers\Dxapi.sys
     F105A000 - \SystemRoot\System32\watchdog.sys
     BF9C3000 - \SystemRoot\System32\drivers\dxg.sys
     F7D09000 - \SystemRoot\System32\drivers\dxgthk.sys
     BF9D5000 - \SystemRoot\System32\nv4_disp.dll
     EC991000 - \SystemRoot\system32\DRIVERS\ndisuio.sys
     BA523000 - \SystemRoot\system32\drivers\wdmaud.sys
     ECBF0000 - \SystemRoot\system32\drivers\sysaudio.sys
     BA4A8000 - \SystemRoot\system32\DRIVERS\mrxdav.sys
     BA417000 - \SystemRoot\System32\Drivers\HTTP.sys
     BA375000 - \SystemRoot\system32\DRIVERS\srv.sys
     B9FA2000 - \??\C:\Program Files\AntiVir PersonalEdition Classic\avgntflt.sys
     B9CCA000 - \SystemRoot\System32\Drivers\Cdfs.SYS
     BA5E0000 - \??\C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\catchme.sys
     F2168000 - \SystemRoot\System32\DRIVERS\KProcCheck.sys

     Total number of drivers = 130

     Liste des programmes installes

     a-squared Free 2.1 ABBYY FineReader 6.0 Sprint Ad-Aware 2007 Adobe Reader 8.1.0 - Français AIDA32 v3.93 Apple Software Update Archiveur WinRAR Avira AntiVir PersonalEdition Classic BeClean BitTorrent 5.0.9 BufferChm CCleaner (remove only) CDBurnerXP Pro 3 Correctif n° 2 pour Windows XP Édition Media Center 2005 Correctif pour Lecteur Windows Media 10 (KB910393) Correctif pour Lecteur Windows Media 11 (KB939683) Correctif pour Windows XP (KB888795) Correctif pour Windows XP (KB891593) Correctif pour Windows XP (KB893357) Correctif pour Windows XP (KB899337) Correctif pour Windows XP (KB899510) Correctif pour Windows XP (KB902841) Correctif pour Windows XP (KB906569) Correctif pour Windows XP (KB912024) Correctif pour Windows XP (KB914440) Correctif pour Windows XP (KB935448) Correctif Windows XP - KB873339 Correctif Windows XP - KB883667 Correctif Windows XP - KB885250 Correctif Windows XP - KB885835 Correctif Windows XP - KB885836 Correctif Windows XP - KB885884 Correctif Windows XP - KB886185 Correctif Windows XP - KB887472 Correctif Windows XP - KB887742 Correctif Windows XP - KB888113 Correctif Windows XP - KB888302 Correctif Windows XP - KB890175 Correctif Windows XP - KB890859 Correctif Windows XP - KB891781 Correctif Windows XP - KB892050 Correctif Windows XP - KB893066 Correctif Windows XP - KB895961 CP_AtenaShokunin1Config CP_CalendarTemplates1 cp_LightScribeConfig cp_OnlineProjectsConfig CP_Package_Basic1 CP_Package_Variety1 CP_Package_Variety2 CP_Package_Variety3 CP_Panorama1Config cp_PosterPrintConfig cp_UpdateProjectsConfig CueTour Destinations DeviceManagementQFolder EasyCleaner Enhanced Multimedia Keyboard Solution Freeplayer FullDPAppQFolder G-Force GemMaster Mystic HaxFix 4.57 High Definition Audio - KB888111 HijackThis 1.99.1 Hotfix for Windows Media Format 11 SDK (KB929399) Hotfix for Windows Media Player 10 (KB903157) Hotfix for Windows XP (KB915865) Hotfix for Windows XP (KB926239) HP Boot Optimizer HP 
DigitalMedia Archive HP DVD Play 2.1 HP Imaging Device Functions 7.0 HP Photosmart for Media Center PC HP Photosmart Premier Software 6.5 hp psc 1200 series HP Software Update HPPhotoSmartExpress HpSdpAppCoreApp InstantShareDevices Intel® Matrix Storage Manager Intel® PRO Network Connections Drivers Intel® Quick Resume Technology Drivers IrfanView (remove only) IsoBuster 2.0 J2SE Runtime Environment 5.0 Update 11 J2SE Runtime Environment 5.0 Update 6 Java 6 Update 2 Java 6 Update 3 Java SE Runtime Environment 6 Update 1 jv16 PowerTools 1.3 Le logiciel Intel® Viiv™ Lecteur Windows Media 11 Lexmark 2400 Series Lexmark Barre d'outils LightScribe 1.4.105.1 Macrogaming SweetIM 2.1 Microsoft .NET Framework 1.0 Hotfix (KB887998) Microsoft .NET Framework 1.0 Hotfix (KB930494) Microsoft .NET Framework 1.1 Microsoft .NET Framework 1.1 Microsoft .NET Framework 1.1 French Language Pack Microsoft .NET Framework 1.1 Hotfix (KB928366) Microsoft Compression Client Pack 1.0 for Windows XP Microsoft IntelliPoint 6.1 Microsoft IntelliType Pro 6.1 Microsoft Internationalized Domain Names Mitigation APIs Microsoft National Language Support Downlevel APIs Microsoft Office Access MUI (French) 2007 Microsoft Office Excel MUI (French) 2007 Microsoft Office InfoPath MUI (French) 2007 Microsoft Office Outlook MUI (French) 2007 Microsoft Office PowerPoint MUI (French) 2007 Microsoft Office Professional Plus 2007 Microsoft Office Professional Plus 2007 Microsoft Office Proof (Arabic) 2007 Microsoft Office Proof (Dutch) 2007 Microsoft Office Proof (English) 2007 Microsoft Office Proof (French) 2007 Microsoft Office Proof (German) 2007 Microsoft Office Proof (Spanish) 2007 Microsoft Office Proofing (French) 2007 Microsoft Office Publisher MUI (French) 2007 Microsoft Office Shared MUI (French) 2007 Microsoft Office Word MUI (French) 2007 Microsoft Software Update for Web Folders (French) 12 Microsoft User-Mode Driver Framework Feature Pack 1.0 Microsoft Works Mise à jour de sécurité pour Lecteur 
Windows Media 10 (KB911565) Mise à jour de sécurité pour Lecteur Windows Media 10 (KB917734) Mise à jour de sécurité pour Lecteur Windows Media 11 (KB936782) Mise à jour de sécurité pour Lecteur Windows Media 6.4 (KB925398) Mise à jour de sécurité pour Step by Step Interactive Training (KB923723) Mise à jour de sécurité pour Windows XP (KB893756) Mise à jour de sécurité pour Windows XP (KB896358) Mise à jour de sécurité pour Windows XP (KB896422) Mise à jour de sécurité pour Windows XP (KB896423) Mise à jour de sécurité pour Windows XP (KB896424) Mise à jour de sécurité pour Windows XP (KB896428) Mise à jour de sécurité pour Windows XP (KB899587) Mise à jour de sécurité pour Windows XP (KB899591) Mise à jour de sécurité pour Windows XP (KB900725) Mise à jour de sécurité pour Windows XP (KB901017) Mise à jour de sécurité pour Windows XP (KB901214) Mise à jour de sécurité pour Windows XP (KB902400) Mise à jour de sécurité pour Windows XP (KB904706) Mise à jour de sécurité pour Windows XP (KB905414) Mise à jour de sécurité pour Windows XP (KB905749) Mise à jour de sécurité pour Windows XP (KB908519) Mise à jour de sécurité pour Windows XP (KB908531) Mise à jour de sécurité pour Windows XP (KB911562) Mise à jour de sécurité pour Windows XP (KB911927) Mise à jour de sécurité pour Windows XP (KB912812) Mise à jour de sécurité pour Windows XP (KB912919) Mise à jour de sécurité pour Windows XP (KB913580) Mise à jour de sécurité pour Windows XP (KB914388) Mise à jour de sécurité pour Windows XP (KB914389) Mise à jour de sécurité pour Windows XP (KB917344) Mise à jour de sécurité pour Windows XP (KB917422) Mise à jour de sécurité pour Windows XP (KB917953) Mise à jour de sécurité pour Windows XP (KB918118) Mise à jour de sécurité pour Windows XP (KB918439) Mise à jour de sécurité pour Windows XP (KB919007) Mise à jour de sécurité pour Windows XP (KB920213) Mise à jour de sécurité pour Windows XP (KB920670) Mise à jour de sécurité pour Windows XP (KB920683) Mise à jour de 
sécurité pour Windows XP (KB920685) Mise à jour de sécurité pour Windows XP (KB921503) Mise à jour de sécurité pour Windows XP (KB922819) Mise à jour de sécurité pour Windows XP (KB923191) Mise à jour de sécurité pour Windows XP (KB923414) Mise à jour de sécurité pour Windows XP (KB923689) Mise à jour de sécurité pour Windows XP (KB923694) Mise à jour de sécurité pour Windows XP (KB923980) Mise à jour de sécurité pour Windows XP (KB924191) Mise à jour de sécurité pour Windows XP (KB924270) Mise à jour de sécurité pour Windows XP (KB924496) Mise à jour de sécurité pour Windows XP (KB924667) Mise à jour de sécurité pour Windows XP (KB925902) Mise à jour de sécurité pour Windows XP (KB926255) Mise à jour de sécurité pour Windows XP (KB926436) Mise à jour de sécurité pour Windows XP (KB927779) Mise à jour de sécurité pour Windows XP (KB927802) Mise à jour de sécurité pour Windows XP (KB928090) Mise à jour de sécurité pour Windows XP (KB928255) Mise à jour de sécurité pour Windows XP (KB928843) Mise à jour de sécurité pour Windows XP (KB929123) Mise à jour de sécurité pour Windows XP (KB930178) Mise à jour de sécurité pour Windows XP (KB931261) Mise à jour de sécurité pour Windows XP (KB931784) Mise à jour de sécurité pour Windows XP (KB932168) Mise à jour de sécurité pour Windows XP (KB933566) Mise à jour de sécurité pour Windows XP (KB933729) Mise à jour de sécurité pour Windows XP (KB935839) Mise à jour de sécurité pour Windows XP (KB935840) Mise à jour de sécurité pour Windows XP (KB936021) Mise à jour de sécurité pour Windows XP (KB937143) Mise à jour de sécurité pour Windows XP (KB938127) Mise à jour de sécurité pour Windows XP (KB938829) Mise à jour de sécurité pour Windows XP (KB939653) Mise à jour de sécurité pour Windows XP (KB943460) Mise à jour pour Lecteur Windows Media 10 (KB913800) Mise à jour pour Lecteur Windows Media 10 (KB926251) Mise à jour pour Windows XP (KB898461) Mise à jour pour Windows XP (KB900485) Mise à jour pour Windows XP (KB904942) Mise à 
jour pour Windows XP (KB910437) Mise à jour pour Windows XP (KB911280) Mise à jour pour Windows XP (KB912945) Mise à jour pour Windows XP (KB916595) Mise à jour pour Windows XP (KB920342) Mise à jour pour Windows XP (KB920872) Mise à jour pour Windows XP (KB922582) Mise à jour pour Windows XP (KB927891) Mise à jour pour Windows XP (KB929338) Mise à jour pour Windows XP (KB930916) Mise à jour pour Windows XP (KB931836) Mise à jour pour Windows XP (KB933360) Mise à jour pour Windows XP (KB936357) Mise à jour pour Windows XP (KB938828) Mozilla Firefox (2.0.0.9) MSN MSXML 4.0 SP2 (KB927978) MSXML 4.0 SP2 (KB936181) muvee autoProducer 5.0 muvee autoProducer unPlugged 2.0 NVIDIA Drivers OptionalContentQFolder Otto PC-Doctor 5 pour Windows PC Booster Photo et imagerie HP 2.0 - All-in-One Pilote Photo et imagerie HP 2.0 - All-in-One Series Photo et imagerie HP 2.0 - hp psc 1200 series PhotoGallery Python 2.2 pywin32 extensions (build 203) Python 2.2.3 QuickTime RandMap RealPlayer Realtek High Definition Audio Driver SAMSUNG CDMA Modem Driver Set SAMSUNG Mobile USB Modem ^^ SAMSUNG Mobile USB Modem 1.0 Software SAMSUNG Mobile USB Modem Software Samsung PC Studio Samsung PC Studio Samsung PC Studio 3 USB Driver Installer Security Update for CAPICOM (KB931906) Security Update for CAPICOM (KB931906) Services Internet Services Internet SkinsHP1 SlideShow SlideShowMusic SoftSkies Solutions de télécopie Lexmark Sonic Express Labeler Sonic MyDVD Plus Sonic RecordNow Audio Sonic RecordNow Copy Sonic RecordNow Data Sonic Update Manager Sonic_PrimoSDK Spybot - Search & Destroy 1.4 SpywareBlaster v3.5.1 SweetIM For Internet Explorer 3.0b Unload Unlocker 1.8.5 VideoLAN VLC media player 0.8.6a WebFldrs XP Windows Genuine Advantage Notifications (KB905474) Windows Genuine Advantage Validation Tool (KB892130) Windows Installer 3.1 (KB893803) Windows Live Messenger Windows Live Sign-in Assistant Windows Media Format 11 runtime Windows Media Format 11 runtime Windows Media Player 11 Windows 
Media Player Firefox Plugin Windows XP Media Center Edition 2005 KB925766 ZoneAlarm

     Le volume dans le lecteur C s'appelle HP_PAVILION
     Le numéro de série du volume est 005A-6CCF

     Répertoire de C:\Program Files

     14/11/2007 15:54 <REP> .
     14/11/2007 15:54 <REP> ..
     09/10/2007 17:51 <REP> Abbyy FineReader 6.0 Sprint
     25/07/2007 10:39 <REP> Adobe
     26/10/2007 11:04 <REP> AIDA32 - Personal System Information
     13/11/2007 22:27 <REP> AntiVir PersonalEdition Classic
     03/11/2007 21:42 <REP> Apple Software Update
     04/11/2007 20:51 <REP> a-squared Free
     25/07/2007 22:34 86 autoclean.ini
     09/10/2007 17:06 <REP> Backup
     04/11/2007 19:09 <REP> BeClean
     22/10/2007 10:52 <REP> BitTorrent
     13/03/2007 20:12 <REP> CCleaner
     24/05/2007 21:00 <REP> CDBurnerXP Pro 3
     12/11/2005 01:09 <REP> ComPlus Applications
     03/01/2006 01:10 <REP> EasyBits
     14/11/2007 00:43 <REP> eMule1
     09/10/2007 19:06 <REP> Fichiers communs
     30/10/2007 21:22 <REP> Freeplayer
     03/01/2006 00:21 <REP> FrenchOtto
     03/01/2006 00:21 <REP> GemMasterFrench
     07/11/2007 12:02 <REP> Google
     01/06/2007 22:14 <REP> Grisoft
     14/11/2007 15:56 <REP> HaxFix
     03/01/2006 01:10 <REP> Hewlett-Packard
     14/11/2007 12:22 <REP> hijackthis
     09/10/2007 16:28 0 history.txt
     03/01/2006 00:52 <REP> HP
     03/01/2006 00:49 <REP> HP DigitalMedia Archive
     26/07/2007 21:49 <REP> inKline Global
     03/01/2006 00:40 <REP> Intel
     10/10/2007 21:00 <REP> Internet Explorer
     08/11/2007 02:43 <REP> IrfanView
     06/07/2007 18:23 <REP> IVT Corporation
     15/10/2007 08:31 <REP> Java
     22/05/2007 15:45 <REP> jv16 PowerTools
     25/07/2007 22:35 95 lang.ini
     13/03/2007 20:13 <REP> Languages
     19/08/2007 12:05 <REP> Lavasoft
     09/10/2007 17:36 <REP> Lexmark 2400 Series
     09/10/2007 17:36 <REP> Lexmark Fax Solutions
     09/10/2007 17:39 <REP> Lexmark Toolbar
     14/11/2007 12:21 <REP> lx_cats
     07/11/2007 21:56 <REP> Macrogaming
     08/11/2007 02:13 <REP> Messenger
     09/05/2007 11:48 <REP> Microsoft CAPICOM 2.1.0.2
     15/11/2005 03:24 <REP> microsoft frontpage
     06/11/2007 19:33 <REP> Microsoft IntelliPoint
     06/11/2007 19:32 <REP> Microsoft IntelliType Pro
     09/10/2007 19:06 <REP> Microsoft Office
     09/10/2007 19:06 <REP> Microsoft Visual Studio
     09/10/2007 19:07 <REP> Microsoft Works
     09/10/2007 19:05 <REP> Microsoft.NET
     15/11/2005 03:24 <REP> Movie Maker
     14/11/2007 15:49 <REP> Mozilla Firefox
     09/10/2007 19:07 <REP> MSBuild
     30/05/2007 18:49 <REP> MSN
     15/11/2005 03:25 <REP> MSN Gaming Zone
     24/05/2007 14:19 <REP> MSN Messenger
     09/03/2007 16:48 <REP> MSXML 4.0
     03/01/2006 00:55 <REP> muvee Technologies
     15/11/2005 03:25 <REP> NetMeeting
     15/11/2005 03:25 <REP> Online Services
     13/06/2007 11:17 <REP> Outlook Express
     03/01/2006 01:06 <REP> PC-Doctor 5 for Windows
     03/08/2007 16:01 <REP> QuickTime
     03/01/2006 00:49 <REP> Real
     22/05/2007 15:59 <REP> RegCleaner
     25/07/2007 22:35 0 regfav.ini
     25/04/2007 11:33 <REP> Samsung
     03/01/2006 01:12 <REP> Services en ligne
     24/05/2007 21:25 <REP> Smart Projects
     03/01/2006 00:50 <REP> Sonic
     24/08/2007 13:10 <REP> SoundSpectrum
     04/11/2007 20:05 <REP> Spybot - Search & Destroy
     19/08/2007 11:52 <REP> SpywareBlaster
     19/08/2007 11:58 <REP> SpywareGuard
     13/03/2007 20:11 <REP> ToniArts
     22/08/2007 17:04 <REP> Unlocker
     19/03/2007 17:34 <REP> VideoLAN
     18/03/2007 17:22 <REP> Windows Media Connect 2
     28/05/2007 14:28 <REP> Windows Media Player
     15/11/2005 03:25 <REP> Windows NT
     15/11/2005 03:25 <REP> Windows Plus
     07/11/2007 22:14 <REP> WinRAR
     15/11/2005 03:26 <REP> xerox
     09/10/2007 17:06 <REP> Yahoo!
     14/03/2007 22:46 <REP> Zone Labs
     4 fichier(s) 181 octets
     84 Rép(s) 112 704 102 400 octets libres

     Le volume dans le lecteur C s'appelle HP_PAVILION
     Le numéro de série du volume est 005A-6CCF

     Répertoire de C:\Program Files\fichiers communs

     09/10/2007 19:06 <REP> .
     09/10/2007 19:06 <REP> ..
     16/06/2007 21:43 <REP> Adobe
     09/10/2007 19:06 <REP> DESIGNER
     13/03/2007 18:47 <REP> Hewlett-Packard
     03/01/2006 00:45 <REP> HP
     03/01/2006 01:08 <REP> InstallShield
     03/01/2006 00:26 <REP> Java
     03/01/2006 00:51 <REP> LightScribe
     03/01/2006 00:51 <REP> LS Getting Started
     09/10/2007 19:07 <REP> Microsoft Shared
     15/11/2005 03:24 <REP> MSSoap
     03/01/2006 00:54 <REP> muvee Technologies
     15/11/2005 03:24 <REP> ODBC
     03/01/2006 00:49 <REP> Real
     15/11/2005 03:24 <REP> Services
     03/01/2006 00:50 <REP> Sonic Shared
     15/11/2005 03:24 <REP> SpeechEngines
     03/01/2006 00:50 <REP> SureThing Shared
     14/03/2007 22:40 <REP> Symantec Shared
     09/10/2007 19:02 <REP> System
     03/01/2006 00:50 <REP> TiVo Shared
     19/08/2007 12:05 <REP> Wise Installation Wizard
     03/01/2006 00:49 <REP> xing shared
     0 fichier(s) 0 octets
     24 Rép(s) 112 704 102 400 octets libres

     Le volume dans le lecteur C s'appelle HP_PAVILION
     Le numéro de série du volume est 005A-6CCF

     Répertoire de C:\Program Files\fichiers communs\Microsoft Shared\Web Folders

     09/10/2007 19:06 <REP> .
     09/10/2007 19:06 <REP> ..
     13/03/2007 19:58 <REP> 1033
     09/10/2007 19:01 <REP> 1036
     26/10/2006 18:49 970 528 MSONSEXT.DLL
     26/10/2006 19:12 40 256 MSOSV.DLL
     03/06/1999 10:09 122 937 MSOWS409.DLL
     07/03/2001 05:00 127 033 MSOWS40c.DLL
     22/01/2001 05:25 86 016 PKMWS.DLL
     5 fichier(s) 1 346 770 octets
     4 Rép(s) 112 704 098 304 octets libres

     c:\Documents and Settings\All Users\Application Data\Hewlett-Packard\HP Boot Optimizer\InstMsiA.Exe
     c:\Documents and Settings\All Users\Application Data\Hewlett-Packard\HP Boot Optimizer\InstMsiW.Exe
     c:\Documents and Settings\All Users\Application Data\Hewlett-Packard\HP Boot Optimizer\Setup.Exe
     c:\Documents and Settings\HP_Administrateur\.limewire\.NetworkShare\LimeWireWinInstaller 1.exe
     c:\Documents and Settings\HP_Administrateur\.limewire\.NetworkShare\LimeWireWinInstaller.exe
     c:\Documents and Settings\HP_Administrateur\Application Data\Adobe\Acrobat\7.0\Updater\AdbeRdr709_fr_FR.exe
     c:\Documents and Settings\HP_Administrateur\Application Data\Microsoft\Installer\{F6D63A65-BD23-46F3-B9A3-87F442423481}\ARPPRODUCTICON.exe
     c:\Documents and Settings\HP_Administrateur\Bureau\haxfix.exe
     c:\Documents and Settings\HP_Administrateur\Bureau\DiagHelp\catchme.exe
     c:\Documents and Settings\HP_Administrateur\Bureau\DiagHelp\diff.exe
     c:\Documents and Settings\HP_Administrateur\Bureau\DiagHelp\dumphive.exe
     c:\Documents and Settings\HP_Administrateur\Bureau\DiagHelp\FilesInfoCmd.exe
     c:\Documents and Settings\HP_Administrateur\Bureau\DiagHelp\find2.exe
     c:\Documents and Settings\HP_Administrateur\Bureau\DiagHelp\Fport.exe
     c:\Documents and Settings\HP_Administrateur\Bureau\DiagHelp\grep.exe
     c:\Documents and Settings\HP_Administrateur\Bureau\DiagHelp\gzip.exe
     c:\Documents and Settings\HP_Administrateur\Bureau\DiagHelp\KProcCheck.exe
     c:\Documents and Settings\HP_Administrateur\Bureau\DiagHelp\LFiles.exe
     c:\Documents and Settings\HP_Administrateur\Bureau\DiagHelp\LISTDLLS.exe
     c:\Documents and Settings\HP_Administrateur\Bureau\DiagHelp\md5sums.exe
     c:\Documents and Settings\HP_Administrateur\Bureau\DiagHelp\pslist.exe
     c:\Documents and Settings\HP_Administrateur\Bureau\DiagHelp\sigcheck.exe
     c:\Documents and Settings\HP_Administrateur\Bureau\DiagHelp\streams.exe
     c:\Documents and Settings\HP_Administrateur\Bureau\DiagHelp\swreg.exe
     c:\Documents and Settings\HP_Administrateur\Bureau\DiagHelp\tar.exe
     c:\Documents and Settings\HP_Administrateur\Bureau\Sécurité\RegSeeker.exe
     c:\Documents and Settings\HP_Administrateur\Bureau\Sécurité\OFFICE12\SaveAsPDFandXPS.exe
     c:\Documents and Settings\HP_Administrateur\Bureau\Sécurité\OFFICE12\SETUP.EXE
     c:\Documents and Settings\HP_Administrateur\Bureau\Sécurité\OFFICE12\OFFICE.FR-FR\DW20.EXE
     c:\Documents and Settings\HP_Administrateur\Bureau\Sécurité\OFFICE12\OFFICE.FR-FR\DWTRIG20.EXE
     c:\Documents and Settings\HP_Administrateur\Bureau\Sécurité\OFFICE12\PROPLUS.WW\OSE.EXE
     c:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\BACKUP\FAILSAFE\avewin32.dll
     c:\Documents and Settings\All Users\Application Data\Grisoft\AVG Anti-Spyware 7.5\Downloads\help.dll
     c:\Documents and Settings\All Users\Application Data\Microsoft\IdentityCRL\production\ppcrlconfig.dll
     c:\Documents and Settings\HP_Administrateur\Application Data\Mozilla\Firefox\Profiles\rffaey11.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll
     c:\Documents and Settings\HP_Administrateur\Application Data\Mozilla\Firefox\Profiles\rffaey11.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll
     c:\Documents and Settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll

     ****** Fin du rapport DiagHelp
     Veuillez svp envoyer le fichier C:\upload_moi_MAYKE.tar.gz a l'adresse http://upload.malekal.com
  12. Thanks to you! I'll continue here then, since you were the first to answer me! Thanks a lot
  13. Hello everyone, I was told I could find help here and that the advice is generally good! I've noticed for a few days now that my PC has been acting up a bit. I followed the cleaning procedure, so I'm attaching the AntiVir and HijackThis reports, in case someone has time to take a look! Thanks a lot in advance!

     AntiVir PersonalEdition Classic
     Report file date: mercredi 14 novembre 2007 01:48

     Scanning for 928098 virus strains and unwanted programs.

     Licensed to: Avira AntiVir PersonalEdition Classic
     Serial number: 0000149996-ADJIE-0001
     Platform: Windows XP
     Windows version: (Service Pack 2) [5.1.2600]
     Username: HP_Administrateur
     Computer name: MAYKE

     Version information:
     BUILD.DAT : 270 15603 Bytes 19/09/2007 13:32:00
     AVSCAN.EXE : 7.0.6.1 290856 Bytes 05/09/2007 17:32:46
     AVSCAN.DLL : 7.0.6.0 49192 Bytes 05/09/2007 17:32:46
     LUKE.DLL : 7.0.5.3 147496 Bytes 05/09/2007 17:32:47
     LUKERES.DLL : 7.0.6.1 10280 Bytes 05/09/2007 17:32:47
     ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 18/07/2007 17:29:20
     ANTIVIR1.VDF : 7.0.0.0 1640448 Bytes 13/09/2007 18:47:07
     ANTIVIR2.VDF : 7.0.0.198 1206272 Bytes 11/11/2007 21:28:08
     ANTIVIR3.VDF : 7.0.0.210 45568 Bytes 13/11/2007 21:28:00
     AVEWIN32.DLL : 7.6.0.34 3125760 Bytes 06/11/2007 16:06:37
     AVWINLL.DLL : 1.0.0.7 14376 Bytes 20/04/2007 10:06:42
     AVPREF.DLL : 7.0.2.2 25640 Bytes 05/09/2007 17:32:46
     AVREP.DLL : 7.0.0.1 155688 Bytes 20/04/2007 10:06:44
     AVPACK32.DLL : 7.3.0.15 360488 Bytes 04/08/2007 14:49:43
     AVREG.DLL : 7.0.1.6 30760 Bytes 05/09/2007 17:32:46
     AVARKT.DLL : 1.0.0.20 278568 Bytes 05/09/2007 17:32:44
     AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 05/09/2007 17:32:45
     NETNT.DLL : 7.0.0.0 7720 Bytes 20/04/2007 10:06:43
     RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 05/09/2007 17:32:40
     RCTEXT.DLL : 7.0.62.0 86056 Bytes 05/09/2007 17:32:40
     SQLITE3.DLL : 3.3.17.1 339968 Bytes 05/09/2007 17:32:48

     Configuration settings for the scan:
     Jobname..........................: Local Drives
     Configuration file...............: c:\program files\antivir personaledition classic\alldrives.avp
     Logging..........................: low
     Primary action...................: interactive
     Secondary action.................: ignore
     Scan master boot sector..........: off
     Scan boot sector.................: on
     Boot sectors.....................: E:,
     Scan memory......................: on
     Process scan.....................: on
     Scan registry....................: on
     Search for rootkits..............: off
     Scan all files...................: Intelligent file selection
     Scan archives....................: on
     Recursion depth..................: 20
     Smart extensions.................: on
     Macro heuristic..................: on
     File heuristic...................: medium

     Start of the scan: mercredi 14 novembre 2007 01:48

     The scan of running processes will be started
     Scan process 'avscan.exe' - '1' Module(s) have been scanned
     Scan process 'avcenter.exe' - '1' Module(s) have been scanned
     Scan process 'explorer.exe' - '1' Module(s) have been scanned
     Scan process 'svchost.exe' - '1' Module(s) have been scanned
     Scan process 'aawservice.exe' - '1' Module(s) have been scanned
     Scan process 'svchost.exe' - '1' Module(s) have been scanned
     Scan process 'svchost.exe' - '1' Module(s) have been scanned
     Scan process 'lsass.exe' - '1' Module(s) have been scanned
     Scan process 'services.exe' - '1' Module(s) have been scanned
     Scan process 'winlogon.exe' - '1' Module(s) have been scanned
     Scan process 'csrss.exe' - '1' Module(s) have been scanned
     Scan process 'smss.exe' - '1' Module(s) have been scanned
     12 processes with 12 modules were scanned

     Start scanning boot sectors:
     Boot sector 'C:\'
       [NOTE] No virus was found!
     Boot sector 'D:\'
       [NOTE] No virus was found!
     Boot sector 'J:\'
       [NOTE] No virus was found!
     Boot sector 'F:\'
       [NOTE] In the drive 'F:\' no data medium is inserted!
     Boot sector 'G:\'
       [NOTE] In the drive 'G:\' no data medium is inserted!
     Boot sector 'H:\'
       [NOTE] In the drive 'H:\' no data medium is inserted!
     Boot sector 'I:\'
       [NOTE] In the drive 'I:\' no data medium is inserted!

     Starting to scan the registry.
     C:\WINDOWS\system32\imjputyc32.dll
       [DETECTION] Is the Trojan horse TR/Crypt.FKM.Gen
       [WARNING] The file could not be deleted!
     C:\WINDOWS\system32\imjputyc32.dll
       [DETECTION] Is the Trojan horse TR/Crypt.FKM.Gen
     The registry was scanned ( '31' files ).

     Starting the file scan:
     Begin scan in 'C:\' <HP_PAVILION>
     C:\pagefile.sys
       [WARNING] The file could not be opened!
     C:\WINDOWS\system32\imjputyc32.dll
       [DETECTION] Is the Trojan horse TR/Crypt.FKM.Gen
       [WARNING] The file could not be deleted!
     Begin scan in 'D:\' <HP_RECOVERY>
     Begin scan in 'J:\' <Musique, Vidéo, Photos, Papiers>
     Begin scan in 'F:\'
     Search path F:\ could not be opened!
     Le périphérique n'est pas prêt.
     Begin scan in 'G:\'
     Search path G:\ could not be opened!
     Le périphérique n'est pas prêt.
     Begin scan in 'H:\'
     Search path H:\ could not be opened!
     Le périphérique n'est pas prêt.
     Begin scan in 'I:\'
     Search path I:\ could not be opened!
     Le périphérique n'est pas prêt.
     Begin scan in 'E:\'
     Search path E:\ could not be opened!
     Le périphérique n'est pas prêt.

     End of the scan: mercredi 14 novembre 2007 02:27
     Used time: 39:42 min

     The scan has been done completely.
7464 Scanning directories
472682 Files were scanned
2 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
1 Files cannot be scanned
472680 Files not concerned
16798 Archives were scanned
3 Warnings
3 Notes

Logfile of HijackThis v1.99.1
Scan saved at 12:22:43, on 14/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\a-squared free\a2service.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\inKline Global\PC Booster\PCBooster.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
C:\Program Files\Lexmark 2400 Series\ezprint.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\wuauclt.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\hijackthis\Maykiki.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Barre d'outils - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: SWEETIE - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\Macrogaming\SweetIMBarForIE\toolbar.dll
O2 - BHO: (no name) - {2B10E1CF-4991-4CD5-B6BE-273350BC06EA} - C:\WINDOWS\system32\fmifs32.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Lexmark Barre d'outils - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PC Booster] C:\Program Files\inKline Global\PC Booster\PCBooster.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [sweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [sweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Aide à la connexion - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Aide à la connexion - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [iNTERNATIONAL] International*
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Fichiers communs\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\FICHIE~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: imjputyc32 - imjputyc32.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - c:\program files\a-squared free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Intel® Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe