
[Solved] Trojan present on my PC!


cimone


Here are the 2 reports!

 

KASPERSKY ONLINE SCANNER REPORT

Wednesday, November 14, 2007 10:37:16 PM

Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)

Kaspersky Online Scanner version: 5.0.98.0

Kaspersky Anti-Virus database last update: 14/11/2007

Kaspersky Anti-Virus database records: 459583

 

 

Scan Settings

Scan using the following antivirus database extended

Scan Archives true

Scan Mail Bases true

 

Scan Target My Computer

C:\

D:\

E:\

F:\

G:\

H:\

I:\

J:\

 

Scan Statistics

Total number of scanned objects 106196

Number of viruses found 3

Number of infected objects 8

Number of suspicious objects 0

Duration of the scan process 02:03:22

 

Infected Object Name Virus Name Last Action

C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped

 

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

 

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

 

C:\Documents and Settings\HP_Administrateur\Application Data\Mozilla\Firefox\Profiles\rffaey11.default\cert8.db Object is locked skipped

 

C:\Documents and Settings\HP_Administrateur\Application Data\Mozilla\Firefox\Profiles\rffaey11.default\formhistory.dat Object is locked skipped

 

C:\Documents and Settings\HP_Administrateur\Application Data\Mozilla\Firefox\Profiles\rffaey11.default\history.dat Object is locked skipped

 

C:\Documents and Settings\HP_Administrateur\Application Data\Mozilla\Firefox\Profiles\rffaey11.default\key3.db Object is locked skipped

 

C:\Documents and Settings\HP_Administrateur\Application Data\Mozilla\Firefox\Profiles\rffaey11.default\parent.lock Object is locked skipped

 

C:\Documents and Settings\HP_Administrateur\Application Data\Mozilla\Firefox\Profiles\rffaey11.default\urlclassifier2.sqlite Object is locked skipped

 

C:\Documents and Settings\HP_Administrateur\Cookies\index.dat Object is locked skipped

 

C:\Documents and Settings\HP_Administrateur\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

 

C:\Documents and Settings\HP_Administrateur\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

 

C:\Documents and Settings\HP_Administrateur\Local Settings\Application Data\Mozilla\Firefox\Profiles\rffaey11.default\Cache\_CACHE_001_ Object is locked skipped

 

C:\Documents and Settings\HP_Administrateur\Local Settings\Application Data\Mozilla\Firefox\Profiles\rffaey11.default\Cache\_CACHE_002_ Object is locked skipped

 

C:\Documents and Settings\HP_Administrateur\Local Settings\Application Data\Mozilla\Firefox\Profiles\rffaey11.default\Cache\_CACHE_003_ Object is locked skipped

 

C:\Documents and Settings\HP_Administrateur\Local Settings\Application Data\Mozilla\Firefox\Profiles\rffaey11.default\Cache\_CACHE_MAP_ Object is locked skipped

 

C:\Documents and Settings\HP_Administrateur\Local Settings\Historique\History.IE5\index.dat Object is locked skipped

 

C:\Documents and Settings\HP_Administrateur\Local Settings\Historique\History.IE5\MSHist012007111420071115\index.dat Object is locked skipped

 

C:\Documents and Settings\HP_Administrateur\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

 

C:\Documents and Settings\HP_Administrateur\ntuser.dat Object is locked skipped

 

C:\Documents and Settings\HP_Administrateur\ntuser.dat.LOG Object is locked skipped

 

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

 

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

 

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

 

C:\Documents and Settings\LocalService\Local Settings\Historique\History.IE5\index.dat Object is locked skipped

 

C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped

 

C:\Documents and Settings\LocalService\Local Settings\Temp\Historique\History.IE5\index.dat Object is locked skipped

 

C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

 

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

 

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

 

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

 

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

 

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

 

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

 

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

 

C:\Program Files\hijackthis\backups\backup-20071114-182338-902.dll Infected: not-a-virus:AdWare.Win32.Stud.a skipped

 

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

 

C:\System Volume Information\_restore{512DF77D-45B5-4AE1-9C2A-EC48B0F584C1}\RP143\A0041368.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped

 

C:\System Volume Information\_restore{512DF77D-45B5-4AE1-9C2A-EC48B0F584C1}\RP143\A0041369.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.e skipped

 

C:\System Volume Information\_restore{512DF77D-45B5-4AE1-9C2A-EC48B0F584C1}\RP143\A0041370.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped

 

C:\System Volume Information\_restore{512DF77D-45B5-4AE1-9C2A-EC48B0F584C1}\RP143\A0041531.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.e skipped

 

C:\System Volume Information\_restore{512DF77D-45B5-4AE1-9C2A-EC48B0F584C1}\RP143\A0041549.dll Infected: not-a-virus:AdWare.Win32.NewDotNet.e skipped

 

C:\System Volume Information\_restore{512DF77D-45B5-4AE1-9C2A-EC48B0F584C1}\RP143\A0041557.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.e skipped

 

C:\System Volume Information\_restore{512DF77D-45B5-4AE1-9C2A-EC48B0F584C1}\RP212\A0084487.dll Infected: not-a-virus:AdWare.Win32.Stud.a skipped

 

C:\System Volume Information\_restore{512DF77D-45B5-4AE1-9C2A-EC48B0F584C1}\RP212\change.log Object is locked skipped

 

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

 

C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped

 

C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped

 

C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped

 

C:\WINDOWS\Internet Logs\MAYKE.ldb Object is locked skipped

 

C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped

 

C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{8A22ED84-A4C0-4FEC-B11F-C058138277BB}.crmlog Object is locked skipped

 

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

 

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

 

C:\WINDOWS\Sti_Trace.log Object is locked skipped

 

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

 

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

 

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

 

C:\WINDOWS\system32\config\default Object is locked skipped

 

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

 

C:\WINDOWS\system32\config\IntelDH.evt Object is locked skipped

 

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

 

C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped

 

C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped

 

C:\WINDOWS\system32\config\OSession.evt Object is locked skipped

 

C:\WINDOWS\system32\config\SAM Object is locked skipped

 

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

 

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

 

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

 

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

 

C:\WINDOWS\system32\config\software Object is locked skipped

 

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

 

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

 

C:\WINDOWS\system32\config\system Object is locked skipped

 

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

 

C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped

 

C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped

 

C:\WINDOWS\system32\h323log.txt Object is locked skipped

 

C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped

 

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

 

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

 

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

 

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

 

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

 

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

 

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

 

C:\WINDOWS\Temp\ZLT0472b.TMP Object is locked skipped

 

C:\WINDOWS\Temp\ZLT0472e.TMP Object is locked skipped

 

C:\WINDOWS\wiadebug.log Object is locked skipped

 

C:\WINDOWS\wiaservc.log Object is locked skipped

 

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

 

J:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

 

Scan process completed.

 

 

 

 

 

Logfile of HijackThis v1.99.1

Scan saved at 22:38:25, on 14/11/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

c:\program files\a-squared free\a2service.exe

C:\Program Files\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\lxcrcoms.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe

C:\Program Files\inKline Global\PC Booster\PCBooster.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Lexmark 2400 Series\lxcrmon.exe

C:\Program Files\Lexmark 2400 Series\ezprint.exe

C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe

C:\Program Files\Microsoft IntelliType Pro\itype.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Macrogaming\SweetIM\SweetIM.exe

C:\HP\KBD\KBD.EXE

c:\windows\system\hpsysdrv.exe

C:\Program Files\hijackthis\Maykiki.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll

O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Lexmark Barre d'outils - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll

O2 - BHO: SWEETIE - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\Macrogaming\SweetIMBarForIE\toolbar.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: Lexmark Barre d'outils - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll

O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect

O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [PC Booster] C:\Program Files\inKline Global\PC Booster\PCBooster.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"

O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2400 Series\ezprint.exe"

O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s

O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"

O4 - HKLM\..\Run: [sweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [sweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL

O9 - Extra button: Aide à la connexion - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra 'Tools' menuitem: Aide à la connexion - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O11 - Options group: [iNTERNATIONAL] International*

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Fichiers communs\Microsoft Shared\Help\hxds.dll

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\FICHIE~1\MICROS~1\OFFICE12\MSOXMLMF.DLL

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - c:\program files\a-squared free\a2service.exe

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Intel® Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe

O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


OK, it's all good :P

In detail: this >

C:\Program Files\hijackthis\backups\backup-20071114-182338-902.dll Infected: not-a-virus:AdWare.Win32.Stud.a skipped

That corresponds to the line we had HijackThis fix. It is confined to a backup folder, so it's fine.

The rest are detections made in System Restore: we'll get rid of them in a very simple way :P

1) Disable and then re-enable System Restore like this => visual guide

Click Start.
Right-click the My Computer icon, then click Properties.
Click the "System Restore" tab.
Select "Turn off System Restore" or "Turn off System Restore on all drives".
Click "Apply".
As the message says, this will delete all existing restore points. To do so, click Yes.
Click OK. Restart your PC. Do the reverse operation and re-enable System Restore: a new point will be created automatically.

2) Please post one last DiagHelp report for verification :P

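Added example (not part of the thread, and not a tool the helper used): a small Python triage script that applies the reasoning above to Kaspersky report lines, sorting each detection by where it sits (locked/skipped file, HijackThis backup folder, System Restore snapshot, or a live file) and stating the routine remediation for each class. The sample lines are constructed in the report's shape; the `live.exe` path and its threat name are invented to show a detection that would still need attention.

```python
"""Triage of Kaspersky Online Scanner report lines (added example).

Sorts report entries into the categories the helper reasoned about:
locked/skipped files, HijackThis backups, System Restore snapshots, live files.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# <path> then either "Object is locked" or "Infected: <threat>", then the last action.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:(?P<locked>Object is locked)|Infected: (?P<threat>\S+)) (?P<action>\S+)$"
)

# Constructed sample in the shape of the Kaspersky report; the "live.exe" entry
# and its threat name are invented to show a detection outside backups/restore points.
SAMPLE_REPORT_LINES = [
    "Infected Object Name Virus Name Last Action",
    r"C:\Documents and Settings\HP_Administrateur\ntuser.dat Object is locked skipped",
    r"C:\Program Files\hijackthis\backups\backup-20071114-182338-902.dll Infected: not-a-virus:AdWare.Win32.Stud.a skipped",
    r"C:\System Volume Information\_restore{512DF77D-45B5-4AE1-9C2A-EC48B0F584C1}\RP143\A0041368.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped",
    r"C:\System Volume Information\_restore{512DF77D-45B5-4AE1-9C2A-EC48B0F584C1}\RP212\A0084487.dll Infected: not-a-virus:AdWare.Win32.Stud.a skipped",
    r"C:\Program Files\Example\live.exe Infected: not-a-virus:AdWare.Win32.Example.a skipped",
    "Scan process completed.",
]

# What each category means for the person cleaning the machine.
REMEDIATION: Dict[str, str] = {
    "locked": "no action: the scanner could not open an in-use file; this is not a detection",
    "hjt_backup": "no action: HijackThis keeps a copy of each fixed item under backups\\; delete it once the fix is confirmed",
    "restore_point": "purge: disable System Restore, reboot, re-enable it so the old restore points are discarded",
    "live": "investigate: a detection outside backups and restore points is an active file",
}


@dataclass
class Finding:
    path: str
    category: str
    threat: Optional[str]  # None for locked/skipped objects
    action: str


def classify(path: str, locked: bool) -> str:
    """Map a report entry to a triage category based on where the file lives."""
    if locked:
        return "locked"
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore_point"
    if "\\hijackthis\\backups\\" in p:
        return "hjt_backup"
    return "live"


def parse_line(line: str) -> Optional[Finding]:
    """Return a Finding for an object entry, None for headers and other text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    locked = m.group("locked") is not None
    return Finding(
        path=m.group("path"),
        category=classify(m.group("path"), locked),
        threat=m.group("threat"),
        action=m.group("action"),
    )


def triage(report_text: str) -> List[Finding]:
    """Parse a whole report, skipping lines that are not object entries."""
    findings: List[Finding] = []
    for line in report_text.splitlines():
        f = parse_line(line)
        if f is not None:
            findings.append(f)
    return findings


def count_by_category(findings: List[Finding]) -> Dict[str, int]:
    return dict(Counter(f.category for f in findings))


def needs_attention(findings: List[Finding]) -> List[Finding]:
    """Only detections on live files need a decision; the rest are routine cleanup."""
    return [f for f in findings if f.category == "live"]


if __name__ == "__main__":
    found = triage("\n".join(SAMPLE_REPORT_LINES))
    for category, n in count_by_category(found).items():
        print(f"{category:14} {n:3}  {REMEDIATION[category]}")
    for f in needs_attention(found):
        print("ACTION:", f.path, f.threat)
```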

There, it's done! And here is the report! Still impossible to send it!

 

DiagHelp version v1.4 - http://www.malekal.com

excute le 14/11/2007 à 23:37:51,84

 

 

Liste des derniers fichies modifies/crees dans windir\system32 et prefetch

C:\WINDOWS\prefetch\CMD.EXE-087B4001.pf -->14/11/2007 23:37:49

C:\WINDOWS\prefetch\CHCP.COM-18156052.pf -->14/11/2007 23:37:49

C:\WINDOWS\prefetch\RUNDLL32.EXE-147710F4.pf -->14/11/2007 23:37:24

C:\WINDOWS\prefetch\WUAUCLT.EXE-399A8E72.pf -->14/11/2007 23:37:23

C:\WINDOWS\prefetch\WGATRAY.EXE-0ED38BED.pf -->14/11/2007 23:37:22

C:\WINDOWS\prefetch\SWEETIM.EXE-2E64256A.pf -->14/11/2007 23:37:22

C:\WINDOWS\prefetch\RUNDLL32.EXE-30908AFF.pf -->14/11/2007 23:37:22

C:\WINDOWS\prefetch\NTOSBOOT-B00DFAAD.pf -->14/11/2007 23:37:22

C:\WINDOWS\prefetch\LXCRTIME.EXE-0399C77B.pf -->14/11/2007 23:37:22

C:\WINDOWS\prefetch\KBD.EXE-2AF7866F.pf -->14/11/2007 23:37:22

 

C:\WINDOWS\System32\drivers\fidbox.dat -->14/11/2007 23:36:24

C:\WINDOWS\System32\drivers\fidbox.idx -->14/11/2007 23:34:59

C:\WINDOWS\System32\drivers\avipbb.sys -->10/10/2007 20:55:13

C:\WINDOWS\System32\drivers\NSDriver.sys -->19/08/2007 12:08:03

C:\WINDOWS\System32\drivers\AWRTRD.sys -->19/08/2007 12:08:03

C:\WINDOWS\System32\drivers\klif.sys -->19/07/2007 14:10:28

C:\WINDOWS\System32\drivers\StarOpen.sys -->20/06/2007 14:49:59

 

C:\WINDOWS\System32\wpa.dbl -->14/11/2007 23:36:47

C:\WINDOWS\System32\nvapps.xml -->14/11/2007 23:36:36

C:\WINDOWS\System32\vsconfig.xml -->14/11/2007 23:36:33

C:\WINDOWS\System32\FNTCACHE.DAT -->04/11/2007 20:55:35

C:\WINDOWS\System32\perfh00C.dat -->03/11/2007 23:38:58

C:\WINDOWS\System32\perfh009.dat -->03/11/2007 23:38:58

C:\WINDOWS\System32\perfc00C.dat -->03/11/2007 23:38:58

C:\WINDOWS\System32\perfc009.dat -->03/11/2007 23:38:58

C:\WINDOWS\System32\PerfStringBackup.INI -->03/11/2007 23:38:57

C:\WINDOWS\System32\MRT.exe -->02/11/2007 08:12:57

C:\WINDOWS\System32\settings.aaw -->30/10/2007 17:20:33

C:\WINDOWS\System32\history.aaw -->30/10/2007 17:20:33

C:\WINDOWS\System32\xpsp3res.dll -->29/10/2007 16:07:16

C:\WINDOWS\System32\shell32.dll -->25/10/2007 17:43:25

C:\WINDOWS\System32\jupdate-1.6.0_03-b05.log -->15/10/2007 08:31:45

C:\WINDOWS\System32\catchme.exe -->11/10/2007 10:59:50

C:\WINDOWS\System32\LexFiles.ulf -->09/10/2007 17:37:12

C:\WINDOWS\System32\javaws.exe -->24/09/2007 22:31:42

C:\WINDOWS\System32\javacpl.cpl -->24/09/2007 22:31:42

C:\WINDOWS\System32\javaw.exe -->24/09/2007 21:30:30

C:\WINDOWS\System32\java.exe -->24/09/2007 21:30:28

C:\WINDOWS\System32\zllictbl.dat -->19/09/2007 19:32:08

C:\WINDOWS\System32\vsdatant.sys -->06/09/2007 15:14:28

C:\WINDOWS\System32\zpeng24.dll -->06/09/2007 15:14:12

C:\WINDOWS\System32\zlcommdb.dll -->06/09/2007 15:14:08

 

C:\WINDOWS\WindowsUpdate.log -->14/11/2007 23:37:14

C:\WINDOWS.log -->14/11/2007 23:36:31

C:\WINDOWS\wiadebug.log -->14/11/2007 23:36:29

C:\WINDOWS\wiaservc.log -->14/11/2007 23:36:28

C:\WINDOWS\bootstat.dat -->14/11/2007 23:36:09

C:\WINDOWS\SchedLgU.Txt -->14/11/2007 23:34:54

C:\WINDOWS\setupapi.log -->14/11/2007 20:22:24

C:\WINDOWS\ntbtlog.txt -->14/11/2007 20:15:17

C:\WINDOWS\setuperr.log -->14/11/2007 01:45:42

C:\WINDOWS\setupact.log -->14/11/2007 01:45:42

C:\WINDOWS\tsoc.log -->14/11/2007 01:39:51

C:\WINDOWS\tabletoc.log -->14/11/2007 01:39:51

C:\WINDOWS\ocmsn.log -->14/11/2007 01:39:51

C:\WINDOWS\ntdtcsetup.log -->14/11/2007 01:39:51

C:\WINDOWS\MedCtrOC.log -->14/11/2007 01:39:51

 

winlogon.exe

Verified: Signed

svchost.exe

Verified: Signed

ws2_32.dll

Verified: Signed

user32.dll

Verified: Signed

tcpip.sys

Verified: Unsigned

ndis.sys

Verified: Signed

null.sys

Verified: Signed

 

 

ListDLLs v2.25 - DLL lister for Win9x/NT

Copyright © 1997-2004 Mark Russinovich

Sysinternals - www.sysinternals.com

 

------------------------------------------------------------------------------

explorer.exe pid: 1616

Command line: C:\WINDOWS\Explorer.EXE

 

Base Size Version Path

0x58b50000 0x9a000 5.82.2900.2982 C:\WINDOWS\system32\comctl32.dll

0x76f80000 0x7f000 2001.12.4414.0308 C:\WINDOWS\system32\CLBCATQ.DLL

0x77000000 0xd4000 2001.12.4414.0258 C:\WINDOWS\system32\COMRes.dll

0x76ac0000 0x11000 3.05.2284.0000 C:\WINDOWS\system32\ATL.DLL

0x7d200000 0x2be000 3.01.4000.4039 C:\WINDOWS\system32\msi.dll

0x10000000 0x16f000 6.14.0010.11040 C:\WINDOWS\system32\nview.dll

0x017c0000 0x50000 6.14.0010.11040 C:\WINDOWS\system32\NVWRSFR.DLL

0x164a0000 0x23000 5.02.5721.5145 C:\WINDOWS\system32\WPDShServiceObj.dll

0x109c0000 0x2c000 5.02.5721.5145 C:\WINDOWS\system32\PortableDeviceTypes.dll

0x10930000 0x49000 5.02.5721.5145 C:\WINDOWS\system32\PortableDeviceApi.dll

0x01180000 0x9000 2.01.0000.0020 C:\Program Files\Macrogaming\SweetIM\mgAdaptersProxy.dll

0x7c360000 0x56000 7.10.6030.0000 C:\Program Files\Macrogaming\SweetIM\MSVCR71.dll

0x52200000 0xb000 7.00.0408.0000 C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll

0x01c60000 0x2b000 C:\Program Files\WinRAR\rarext.dll

0x02090000 0x6000 C:\Program Files\Unlocker\UnlockerCOM.dll

0x020a0000 0x11000 7.00.0000.0010 C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll

0x7c250000 0x102000 7.10.3077.0000 C:\Program Files\AntiVir PersonalEdition Classic\MFC71U.DLL

0x5d360000 0xf000 7.10.3077.0000 C:\WINDOWS\system32\MFC71FRA.DLL

0x78130000 0x9b000 8.00.50727.0163 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\MSVCR80.dll

0x02bb0000 0x5b000 8.01.0000.0000 C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\PDFShell.dll

0x02c10000 0x4c000 8.00.0000.0000 C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\PDFShell.FRA

0x60980000 0x7000 3.01.4000.1823 C:\WINDOWS\system32\MSISIP.DLL

0x74e10000 0x10000 5.06.0000.8820 C:\WINDOWS\system32\wshext.dll

0x73d20000 0xfe000 6.02.4131.0000 C:\WINDOWS\system32\MFC42.DLL

0x61d70000 0xe000 6.00.8665.0000 C:\WINDOWS\system32\MFC42LOC.DLL

0x59000000 0xe000 5.06.0000.6626 C:\WINDOWS\system32\wshFR.DLL

0x02d80000 0x15000 6.14.0010.9132 C:\WINDOWS\system32\nvwddi.dll

 

ListDLLs v2.25 - DLL lister for Win9x/NT

Copyright © 1997-2004 Mark Russinovich

Sysinternals - www.sysinternals.com

 

------------------------------------------------------------------------------

winlogon.exe pid: 760

Command line: winlogon.exe

 

Base Size Version Path

0x01000000 0x81000 \??\C:\WINDOWS\system32\winlogon.exe

0x58b50000 0x9a000 5.82.2900.2982 C:\WINDOWS\system32\COMCTL32.dll

0x74730000 0x3d000 3.525.1117.0000 C:\WINDOWS\system32\ODBC32.dll

0x20000000 0x18000 3.525.1117.0000 C:\WINDOWS\system32\odbcint.dll

0x01220000 0x3b000 1.07.0017.0000 C:\WINDOWS\system32\WgaLogon.dll

0x76f80000 0x7f000 2001.12.4414.0308 C:\WINDOWS\system32\CLBCATQ.DLL

0x77000000 0xd4000 2001.12.4414.0258 C:\WINDOWS\system32\COMRes.dll

 

 

Le volume dans le lecteur C s'appelle HP_PAVILION

Le numéro de série du volume est 005A-6CCF

 

Répertoire de C:\WINDOWS\system

 

07/05/1998 17:04 52 736 hpsysdrv.exe

1 fichier(s) 52 736 octets

0 Rép(s) 121 579 454 464 octets libres

Le volume dans le lecteur C s'appelle HP_PAVILION

Le numéro de série du volume est 005A-6CCF

 

Répertoire de C:\WINDOWS\system32

 

10/08/2004 12:00 6 144 csrss.exe

1 fichier(s) 6 144 octets

0 Rép(s) 121 579 454 464 octets libres

 

Contenu de Downloaded Program Files

Le volume dans le lecteur C s'appelle HP_PAVILION

Le numéro de série du volume est 005A-6CCF

 

Répertoire de C:\WINDOWS\Downloaded Program Files

 

14/11/2007 20:22 <REP> .

14/11/2007 20:22 <REP> ..

10/10/2005 12:32 65 desktop.ini

07/01/2007 12:55 2 305 kavwebscan.inf

2 fichier(s) 2 370 octets

 

Total des fichiers listés :

2 fichier(s) 2 370 octets

2 Rép(s) 121 579 454 464 octets libres

 

Recherche de rootkit! (Merci S!Ri)

 

Recherche d'infections connues

 

Export des clefs sensibles..

 

 

Liste des fichiers en exception sur le pare-feu XP SP2

 

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"

"C:\\WINDOWS\\system32\\lxcrcoms.exe"="C:\\WINDOWS\\system32\\lxcrcoms.exe:*:Enabled:Lexmark Communications System"

"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"

 

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

 

Export de la clef SharedTaskScheduler

 

[sharedTaskScheduler]

"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Pré-chargeur Browseui"

"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Démon de cache des catégories de composant"

 

 

 

exports des policies

REGEDIT4

 

[system]

"dontdisplaylastusername"=dword:00000000

"legalnoticecaption"=""

"legalnoticetext"=""

"shutdownwithoutlogon"=dword:00000001

"undockwithoutlogon"=dword:00000001

"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\

63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\

6d,73,73,74,79,6c,65,73,00

"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\

73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

 

 

 

Export des clefs sensibles..

Rechercher adresses sensibles dans le fichier HOSTS...

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-11-14 23:38:30

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden services & system hive ...

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\E100B]

"EventMessageFile"=str(2):"%SystemRoot%\System32\netevent.dll;%SystemRoot%\System32\e100bmsg.dll"

"TypesSupported"=dword:00000007

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\NtServicePack]

"EventMessageFile"=str(2):"%SystemRoot%\System32\spmsg.dll"

"TypesSupported"=dword:00000007

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\nv]

"EventMessageFile"=str(2):"%SystemRoot%\System32\IoLogMsg.dll;%SystemRoot%\System32\drivers\nv4_mini.sys"

"TypesSupported"=dword:00000007

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\PS2]

"EventMessageFile"=str(2):"%SystemRoot%\System32\IoLogMsg.dll;%SystemRoot%\System32\drivers\PS2.sys"

"TypesSupported"=dword:00000007

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\Windows Installer 3.1]

"EventMessageFile"=str(2):"%SystemRoot%\System32\spmsg.dll"

"TypesSupported"=dword:00000007

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\WindowsMedia]

"EventMessageFile"=str(2):"%SystemRoot%\System32\spmsg.dll"

"TypesSupported"=dword:00000007

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Eventlog\System\E100B]

"EventMessageFile"=str(2):"%SystemRoot%\System32\netevent.dll;%SystemRoot%\System32\e100bmsg.dll"

"TypesSupported"=dword:00000007

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Eventlog\System\NtServicePack]

"EventMessageFile"=str(2):"%SystemRoot%\System32\spmsg.dll"

"TypesSupported"=dword:00000007

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Eventlog\System\nv]

"EventMessageFile"=str(2):"%SystemRoot%\System32\IoLogMsg.dll;%SystemRoot%\System32\drivers\nv4_mini.sys"

"TypesSupported"=dword:00000007

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Eventlog\System\PS2]

"EventMessageFile"=str(2):"%SystemRoot%\System32\IoLogMsg.dll;%SystemRoot%\System32\drivers\PS2.sys"

"TypesSupported"=dword:00000007

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Eventlog\System\Windows Installer 3.1]

"EventMessageFile"=str(2):"%SystemRoot%\System32\spmsg.dll"

"TypesSupported"=dword:00000007

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Eventlog\System\WindowsMedia]

"EventMessageFile"=str(2):"%SystemRoot%\System32\spmsg.dll"

"TypesSupported"=dword:00000007

 

scanning hidden registry entries ...

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\SOFTWARE\Microsoft]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\SOFTWARE\Microsoft\Windows]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\SOFTWARE\Microsoft\Windows\CurrentVersion]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

"{11DF0055-8BF6-475C-B0D6-9BC20C840229}"="EL04 Power Management Ext"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Bags\1\Desktop]

"FFlags"=dword:00000224

"Mode"=dword:00000001

"ScrollPos800x600(1).x"=dword:00000000

"ScrollPos800x600(1).y"=dword:00000000

"Sort"=dword:00000000

"SortDir"=dword:00000001

"Col"=dword:ffffffff

"ColInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,fd,df,df,fd,0f,..

"ItemPos800x600(1)"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,dc,02,00,00,e8,..

"ScrollPos1024x768(1).x"=dword:00000000

"ScrollPos1024x768(1).y"=dword:00000000

"ItemPos1024x768(1)"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,c1,03,00,00,92,..

"ScrollPos320x240(1).x"=dword:00000000

"ScrollPos320x240(1).y"=dword:00000000

"ItemPos320x240(1)"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,f9,00,00,00,6b,..

"ScrollPos400x300(1).x"=dword:00000000

"ScrollPos400x300(1).y"=dword:00000000

"ItemPos400x300(1)"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,ea,00,00,00,5c,..

"ScrollPos720x480(1).x"=dword:00000000

"ScrollPos720x480(1).y"=dword:00000000

"ItemPos720x480(1)"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,d1,00,00,00,4d,..

"ScrollPos640x480(1).x"=dword:00000000

"ScrollPos640x480(1).y"=dword:00000000

"ItemPos640x480(1)"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,c1,03,00,00,92,..

"ScrollPos720x576(1).x"=dword:00000000

"ScrollPos720x576(1).y"=dword:00000000

"ItemPos720x576(1)"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,d1,00,00,00,50,..

"ScrollPos2048x1536(1).x"=dword:00000000

"ScrollPos2048x1536(1).y"=dword:00000000

"ItemPos2048x1536(1)"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,c4,00,00,00,4d,..

"ScrollPos1152x864(1).x"=dword:00000000

"ScrollPos1152x864(1).y"=dword:00000000

"ItemPos1152x864(1)"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,3c,04,00,00,f0,..

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU]

"NodeSlot"=dword:00000003

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\]

"NodeSlot"=dword:00000001

"MRUListEx"=hex:01,00,00,00,00,00,00,00,ff,ff,ff,ff

"0"=hex:1e,00,71,2d,00,00,00,00,00,00,00,00,00,00,80,a2,27,22,ea,3a,69,..

"1"=hex:1e,00,71,80,00,00,00,00,00,00,00,00,00,00,e1,a4,0e,d2,57,39,d2,..

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\]

"NodeSlot"=dword:0000001b

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\\1]

"NodeSlot"=dword:0000008c

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1]

"0"=hex:3c,00,31,00,00,00,00,00,48,36,e0,89,30,00,57,49,4e,44,4f,57,53,..

"MRUListEx"=hex:01,00,00,00,02,00,00,00,03,00,00,00,05,00,00,00,04,00,00,00,00,..

"NodeSlot"=dword:00000004

"1"=hex:5c,00,31,00,00,00,00,00,48,36,91,89,10,00,44,4f,43,55,4d,45,7e,..

"2"=hex:4a,00,31,00,00,00,00,00,69,36,01,7e,11,00,50,52,4f,47,52,41,7e,..

"3"=hex:54,00,31,00,00,00,00,00,69,36,01,7e,10,00,42,38,41,46,37,39,7e,..

"4"=hex:30,00,31,00,00,00,00,00,75,36,82,72,10,00,4e,65,6f,00,1e,00,03,..

"5"=hex:36,00,31,00,00,00,00,00,74,36,b2,95,10,00,47,61,6d,65,73,00,22,..

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1]

"NodeSlot"=dword:0000000a

"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff

"0"=hex:40,00,31,00,00,00,00,00,48,36,1b,8a,10,00,73,79,73,74,65,6d,33,..

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\]

"0"=hex:36,00,31,00,00,00,00,00,6f,33,bc,19,10,00,73,70,6f,6f,6c,00,22,..

"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\]

"0"=hex:3c,00,31,00,00,00,00,00,6f,33,bc,19,10,00,64,72,69,76,65,72,73,..

"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\\]

"0"=hex:36,00,31,00,00,00,00,00,6f,33,bc,19,10,00,63,6f,6c,6f,72,00,22,..

"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\\]

"NodeSlot"=dword:00000002

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\1]

"0"=hex:52,00,31,00,00,00,00,00,69,36,f2,8e,10,00,48,50,5f,41,44,4d,7e,..

"MRUListEx"=hex:00,00,00,00,01,00,00,00,02,00,00,00,ff,ff,ff,ff

"NodeSlot"=dword:00000071

"1"=hex:42,00,31,00,00,00,00,00,23,34,f9,03,10,00,41,4c,4c,55,53,45,7e,..

"2"=hex:4c,00,31,00,00,00,00,00,77,36,d4,62,10,00,41,44,4d,49,4e,49,7e,..

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\1]

"0"=hex:5e,00,31,00,00,00,00,00,41,34,49,58,11,00,4d,45,4e,55,44,4d,7e,..

"MRUListEx"=hex:01,00,00,00,00,00,00,00,02,00,00,00,ff,ff,ff,ff

"1"=hex:78,00,31,00,00,00,00,00,6d,36,60,88,11,00,4d,45,53,44,4f,43,7e,..

"NodeSlot"=dword:00000072

"2"=hex:4c,00,31,00,00,00,00,00,6f,33,d9,12,12,00,4c,4f,43,41,4c,53,7e,..

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\1\]

"0"=hex:58,00,31,00,00,00,00,00,69,36,07,8e,11,00,50,52,4f,47,52,41,7e,..

"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff

"NodeSlot"=dword:0000001d

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\1\]

"NodeSlot"=dword:0000001c

"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff

"0"=hex:3a,00,31,00,00,00,00,00,00,00,00,00,10,00,57,69,6e,52,41,52,00,..

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\1\\]

"NodeSlot"=dword:00000029

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\1\1]

"0"=hex:54,00,31,00,00,00,00,00,6d,36,77,95,10,00,4d,45,53,46,49,43,7e,..

"MRUListEx"=hex:03,00,00,00,02,00,00,00,01,00,00,00,00,00,00,00,ff,ff,ff,ff

"NodeSlot"=dword:00000073

"1"=hex:6c,00,31,00,00,00,00,00,41,34,49,58,11,00,4d,45,53,56,49,44,7e,..

"2"=hex:72,00,31,00,00,00,00,00,b4,36,41,69,11,00,4d,41,4d,55,53,49,7e,..

"3"=hex:72,00,31,00,00,00,00,00,77,36,b3,7d,11,00,4d,45,53,49,4d,41,7e,..

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\1\1]

"NodeSlot"=dword:0000002b

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\1\1\1]

"NodeSlot"=dword:00000074

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\1\1\2]

"NodeSlot"=dword:000000a4

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\1\1\3]

"NodeSlot"=dword:000000ab

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\1\2]

"0"=hex:34,00,31,00,00,00,00,00,a4,36,2e,63,10,00,54,65,6d,70,00,00,20,..

"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\1\2]

"NodeSlot"=dword:00000084

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\1\1]

"0"=hex:66,00,35,00,00,00,00,00,71,36,40,8b,11,00,4d,00,65,00,6e,00,75,..

"MRUListEx"=hex:00,00,00,00,02,00,00,00,01,00,00,00,ff,ff,ff,ff

"NodeSlot"=dword:0000009f

"1"=hex:3a,00,31,00,00,00,00,00,a9,36,04,57,10,00,42,75,72,65,61,75,00,..

"2"=hex:56,00,31,00,00,00,00,00,49,36,bc,95,11,00,44,4f,43,55,4d,45,7e,..

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\1\1]

"0"=hex:58,00,31,00,00,00,00,00,b4,36,3d,6a,11,00,50,52,4f,47,52,41,7e,..

"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff

"NodeSlot"=dword:000000a3

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\1\1\]

"0"=hex:6c,00,31,00,00,00,00,00,b4,36,40,6a,10,00,50,4f,57,45,52,51,7e,..

"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\1\1\]

"NodeSlot"=dword:0000009a

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\1\1\1]

"NodeSlot"=dword:000000a0

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\1\1\2]

"NodeSlot"=dword:000000a1

"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff

"0"=hex:58,00,31,00,00,00,00,00,41,34,49,58,11,00,4d,41,4d,55,53,49,7e,..

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\1\1\2]

"NodeSlot"=dword:000000a2

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\1\2]

"NodeSlot"=dword:0000009b

"MRUListEx"=hex:01,00,00,00,00,00,00,00,ff,ff,ff,ff

"0"=hex:4a,00,31,00,00,00,00,00,41,34,49,58,11,00,4d,45,53,44,4f,43,7e,..

"1"=hex:66,00,35,00,00,00,00,00,41,34,49,58,11,00,4d,00,65,00,6e,00,75,..

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\1\2]

"NodeSlot"=dword:0000009c

"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff

"0"=hex:44,00,31,00,00,00,00,00,41,34,49,58,11,00,4d,41,4d,55,53,49,7e,..

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\1\2\]

"NodeSlot"=dword:0000009d

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\1\2\1]

"NodeSlot"=dword:0000009e

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2]

"NodeSlot"=dword:0000001e

"MRUListEx"=hex:02,00,00,00,0a,00,00,00,09,00,00,00,08,00,00,00,07,00,00,00,06,..

"0"=hex:4e,00,31,00,00,00,00,00,69,36,80,92,10,00,4d,4f,5a,49,4c,4c,7e,..

"1"=hex:7e,00,31,00,00,00,00,00,69,36,bc,93,10,00,4d,49,43,52,4f,53,7e,..

"2"=hex:36,00,31,00,00,00,00,00,00,00,00,00,10,00,65,4d,75,6c,65,00,22,..

"3"=hex:42,00,31,00,00,00,00,00,6e,36,14,a4,10,00,4d,52,50,4f,53,54,7e,..

"4"=hex:34,00,31,00,00,00,00,00,00,00,00,00,10,00,4a,61,76,61,00,00,20,..

"5"=hex:44,00,31,00,00,00,00,00,22,34,a3,ba,10,00,46,52,45,4e,43,48,7e,..

"6"=hex:5e,00,31,00,00,00,00,00,23,34,d6,00,10,00,50,43,2d,44,4f,43,7e,..

"7"=hex:44,00,31,00,00,00,00,00,6a,36,9c,92,10,00,46,52,45,45,50,4c,7e,..

"8"=hex:58,00,31,00,00,00,00,00,72,36,c5,82,10,00,57,49,4e,44,4f,57,7e,..

"9"=hex:d9,00,31,00,00,00,00,00,8f,36,03,85,10,00,4d,45,44,49,41,4d,7e,..

"10"=hex:44,00,31,00,00,00,00,00,b4,36,3a,6a,10,00,50,4f,57,45,52,51,7e,..

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2]

"NodeSlot"=dword:0000001f

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\1]

"NodeSlot"=dword:00000021

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\10]

"NodeSlot"=dword:000000a5

"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff

"0"=hex:56,00,31,00,00,00,00,00,b4,36,40,6a,10,00,50,41,52,54,49,54,7e,..

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\10]

"NodeSlot"=dword:000000a6

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\2]

"0"=hex:40,00,31,00,00,00,00,00,00,00,00,00,10,00,49,6e,63,6f,6d,69,6e,..

"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\2]

"0"=hex:e6,01,32,00,00,00,00,00,00,00,00,00,20,00,41,6c,6c,20,4d,69,63,..

"MRUListEx"=hex:0b,00,00,00,0a,00,00,00,09,00,00,00,08,00,00,00,06,00,00,00,07,..

"1"=hex:e0,01,32,00,00,00,00,00,00,00,00,00,20,00,41,6c,6c,20,4d,69,63,..

"2"=hex:2a,01,32,00,00,00,00,00,00,00,00,00,20,00,5b,41,70,70,73,5d,20,..

"NodeSlot"=dword:0000002c

"3"=hex:70,00,31,00,00,00,00,00,6d,36,03,96,10,00,43,4f,4d,50,49,4c,7e,..

"4"=hex:6c,00,31,00,00,00,00,00,73,36,8d,9b,10,00,4d,41,52,54,49,4e,7e,..

"5"=hex:86,00,31,00,00,00,00,00,74,36,4f,95,10,00,5f,50,43,47,41,4d,7e,..

"6"=hex:8c,00,31,00,00,00,00,00,99,36,ca,4c,10,00,43,48,52,49,53,54,7e,..

"7"=hex:b4,00,31,00,00,00,00,00,99,36,2e,4f,10,00,53,45,52,49,41,4c,7e,..

"8"=hex:80,00,31,00,00,00,00,00,9b,36,6a,9a,10,00,44,49,41,4d,27,53,7e,..

"9"=hex:58,00,31,00,00,00,00,00,af,36,81,6a,10,00,4c,45,4a,45,55,44,7e,..

"10"=hex:cc,00,31,00,00,00,00,00,af,36,38,96,10,00,41,4d,42,49,41,4e,7e,..

"11"=hex:70,00,31,00,00,00,00,00,b4,36,d6,69,10,00,50,41,52,54,49,54,7e,..

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\2\]

"NodeSlot"=dword:00000023

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\2\1]

"NodeSlot"=dword:00000024

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\2\10]

"NodeSlot"=dword:0000008a

"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff

"0"=hex:58,00,31,00,00,00,00,00,5c,32,65,39,10,00,30,38,2d,4d,55,53,7e,..

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\2\10]

"NodeSlot"=dword:0000008b

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\2\11]

"NodeSlot"=dword:00000094

"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff

"0"=hex:70,00,31,00,00,00,00,00,b4,36,d8,69,30,00,50,41,52,54,49,54,7e,..

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\2\11]

"NodeSlot"=dword:00000095

"MRUListEx"=hex:01,00,00,00,00,00,00,00,ff,ff,ff,ff

"0"=hex:3a,00,31,00,00,00,00,00,b4,36,d8,69,30,00,73,65,72,69,61,6c,00,..

"1"=hex:86,00,31,00,00,00,00,00,b4,36,0d,6a,10,00,50,41,52,54,49,54,7e,..

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\2\11\]

"NodeSlot"=dword:00000096

"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff

"0"=hex:5a,00,31,00,00,00,00,00,b4,36,d8,69,30,00,46,52,45,45,57,41,7e,..

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\2\11\]

"NodeSlot"=dword:00000097

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\2\11\1]

"NodeSlot"=dword:00000098

"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff

"0"=hex:36,00,31,00,00,00,00,00,b4,36,0a,6a,10,00,53,65,74,75,70,00,22,..

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\2\11\1]

"NodeSlot"=dword:00000099

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\2\2]

"NodeSlot"=dword:00000025

"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff

"0"=hex:74,00,16,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,10,..

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\2\2]

"NodeSlot"=dword:0000002a

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\2\3]

"NodeSlot"=dword:0000002d

"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff

"0"=hex:50,00,31,00,00,00,00,00,b6,32,1b,4f,10,00,50,45,54,49,54,53,7e,..

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\2\3]

"NodeSlot"=dword:0000002e

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\2\4]

"NodeSlot"=dword:0000004d

"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff

"0"=hex:6c,00,31,00,00,00,00,00,84,35,9d,8b,10,00,4d,41,52,54,49,4e,7e,..

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\2\4]

"NodeSlot"=dword:0000004e

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\2\5]

"NodeSlot"=dword:00000058

"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff

"0"=hex:86,00,31,00,00,00,00,00,74,36,4f,95,10,00,5f,50,43,47,41,4d,7e,..

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\2\5]

"NodeSlot"=dword:00000059

"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff

"0"=hex:7a,00,31,00,00,00,00,00,74,36,4f,95,30,00,5f,50,43,5f,43,4f,7e,..

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\2\5\]

"NodeSlot"=dword:0000005a

"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff

"0"=hex:5a,00,31,00,00,00,00,00,74,36,5b,95,10,00,43,4f,4c,44,46,45,7e,..

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\2\5\]

"NodeSlot"=dword:0000005b

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\2\6]

"NodeSlot"=dword:0000007d

"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff

"0"=hex:8c,00,31,00,00,00,00,00,8d,36,ca,50,10,00,43,48,52,49,53,54,7e,..

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\2\6]

"NodeSlot"=dword:0000007e

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\2\7]

"NodeSlot"=dword:0000007f

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\2\8]

"NodeSlot"=dword:00000082

"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff

"0"=hex:6a,00,31,00,00,00,00,00,44,34,ce,56,10,00,44,49,41,4d,27,53,7e,..

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\2\8]

"NodeSlot"=dword:00000083

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\2\9]

"NodeSlot"=dword:00000089

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\3]

"NodeSlot"=dword:00000031

"MRUListEx"=hex:04,00,00,00,03,00,00,00,00,00,00,00,02,00,00,00,01,00,00,00,ff,..

"0"=hex:40,00,31,00,00,00,00,00,6e,36,14,a4,10,00,6a,61,76,61,5f,63,75,..

"1"=hex:30,00,31,00,00,00,00,00,6e,36,13,a4,10,00,45,44,55,00,1e,00,03,..

"2"=hex:2e,00,31,00,00,00,00,00,6e,36,14,a4,10,00,65,6e,00,00,1c,00,03,..

"3"=hex:40,00,31,00,00,00,00,00,6e,36,17,a4,10,00,4d,45,54,41,2d,49,4e,..

"4"=hex:30,00,31,00,00,00,00,00,6e,36,14,a4,10,00,6f,72,67,00,1e,00,03,..

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\3]

"NodeSlot"=dword:00000032

"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff

"0"=hex:3c,00,31,00,00,00,00,00,6e,36,14,a4,10,00,72,75,6e,74,69,6d,65,..

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\3\]

"NodeSlot"=dword:0000003b

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\3\1]

"NodeSlot"=dword:00000033

"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff

"0"=hex:3a,00,31,00,00,00,00,00,6e,36,13,a4,10,00,6f,73,77,65,67,6f,00,..

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\3\1]

"NodeSlot"=dword:00000034

"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff

"0"=hex:2e,00,31,00,00,00,00,00,6e,36,13,a4,10,00,63,73,00,00,1c,00,03,..

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\3\1\]

"NodeSlot"=dword:00000035

"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff

"0"=hex:2e,00,31,00,00,00,00,00,6e,36,13,a4,10,00,64,6c,00,00,1c,00,03,..

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\3\1\]

"NodeSlot"=dword:00000036

"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff

"0"=hex:34,00,31,00,00,00,00,00,6e,36,13,a4,10,00,75,74,69,6c,00,00,20,..

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\3\1\\]

"NodeSlot"=dword:00000037

"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff

"0"=hex:44,00,31,00,00,00,00,00,6e,36,14,a4,10,00,43,4f,4e,43,55,52,7e,..

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\3\1\\]

"NodeSlot"=dword:00000038

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\3\2]

"NodeSlot"=dword:00000039

"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff

"0"=hex:3c,00,31,00,00,00,00,00,6e,36,14,a4,10,00,68,6f,74,6d,61,69,6c,..

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\3\2]

"NodeSlot"=dword:0000003a

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\3\3]

"NodeSlot"=dword:0000003c

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\3\4]

"NodeSlot"=dword:0000003d

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\4]

"NodeSlot"=dword:0000003f

"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff

"0"=hex:48,00,31,00,00,00,00,00,22,34,4f,bb,10,00,4a,52,45,31,35,7e,31,..

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\4]

"NodeSlot"=dword:00000040

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\5]

"NodeSlot"=dword:00000043

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\6]

"NodeSlot"=dword:00000044

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\7]

"NodeSlot"=dword:0000004a

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\8]

"NodeSlot"=dword:0000004b

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\9]

"NodeSlot"=dword:00000077

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\3]

"NodeSlot"=dword:00000020

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\4]

"NodeSlot"=dword:0000006d

"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff

"0"=hex:3a,00,31,00,00,00,00,00,75,36,5d,89,10,00,48,69,74,6d,61,6e,00,..

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\4]

"NodeSlot"=dword:0000006e

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\5]

"NodeSlot"=dword:0000006f

"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff

"0"=hex:4a,00,31,00,00,00,00,00,74,36,4f,96,10,00,44,45,4c,55,58,45,7e,..

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\5]

"NodeSlot"=dword:00000070

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2]

"NodeSlot"=dword:0000005d

"MRUListEx"=hex:04,00,00,00,01,00,00,00,03,00,00,00,02,00,00,00,00,00,00,00,ff,..

"0"=hex:72,00,31,00,00,00,00,00,b4,36,f1,6d,11,00,4d,41,4d,55,53,49,7e,..

"1"=hex:6a,00,31,00,00,00,00,00,b4,36,f1,6d,11,00,4d,75,73,69,71,75,65,..

"2"=hex:3c,00,31,00,00,00,00,00,b4,36,65,6f,10,00,50,61,70,69,65,72,73,..

"3"=hex:6c,00,31,00,00,00,00,00,b4,36,c6,70,11,00,4d,45,53,56,49,44,7e,..

"4"=hex:60,00,31,00,00,00,00,00,b4,36,e2,70,11,00,56,49,44,4f,7e,31,00,..

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2]

"NodeSlot"=dword:000000a7

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1]

"NodeSlot"=dword:000000a8

"MRUListEx"=hex:12,00,00,00,11,00,00,00,10,00,00,00,0f,00,00,00,0d,00,00,00,0e,..

"0"=hex:3e,00,31,00,00,00,00,00,b4,36,dd,6c,10,00,52,41,50,48,41,4c,7e,..

"1"=hex:50,00,31,00,00,00,00,00,b4,36,d8,6c,10,00,56,52,4f,4e,49,51,7e,..

"2"=hex:3c,00,31,00,00,00,00,00,b4,36,cd,7c,10,00,42,61,72,62,61,72,61,..

"3"=hex:44,00,31,00,00,00,00,00,b5,36,e0,71,10,00,45,44,49,54,48,50,7e,..

"4"=hex:42,00,31,00,00,00,00,00,b4,36,c2,6d,10,00,4b,45,52,45,4e,41,7e,..

"5"=hex:42,00,31,00,00,00,00,00,b5,36,ee,73,10,00,4d,41,4e,4f,53,4f,7e,..

"6"=hex:4a,00,31,00,00,00,00,00,b4,36,43,6d,10,00,4d,59,4c,45,4e,45,7e,..

"7"=hex:44,00,31,00,00,00,00,00,b4,36,e1,6c,10,00,50,4f,52,54,49,53,7e,..

"8"=hex:56,00,31,00,00,00,00,00,b4,36,f1,6d,10,00,43,48,52,49,53,54,7e,..

"9"=hex:46,00,31,00,00,00,00,00,b5,36,31,7f,10,00,46,52,41,4e,43,45,7e,..

"10"=hex:36,00,31,00,00,00,00,00,b4,36,70,78,10,00,54,65,78,61,73,00,22,..

"11"=hex:3a,00,31,00,00,00,00,00,b4,36,e8,6d,10,00,44,69,76,65,72,73,00,..

"12"=hex:48,00,31,00,00,00,00,00,b5,36,95,6b,10,00,4c,49,4c,49,41,4e,7e,..

"13"=hex:44,00,31,00,00,00,00,00,b4,36,ee,79,10,00,4c,49,41,4e,45,46,7e,..

"14"=hex:4e,00,31,00,00,00,00,00,b5,36,e1,83,10,00,56,41,4e,45,53,53,7e,..

"15"=hex:50,00,31,00,00,00,00,00,b4,36,47,6d,10,00,4d,49,43,48,45,4c,7e,..

"16"=hex:36,00,31,00,00,00,00,00,b5,36,3d,7c,10,00,5a,61,7a,69,65,00,22,..

"17"=hex:46,00,31,00,00,00,00,00,b5,36,74,5c,10,00,4c,41,52,41,46,41,7e,..

"18"=hex:4a,00,31,00,00,00,00,00,b5,36,ef,82,10,00,4c,45,53,49,4e,4e,7e,..

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1]

"NodeSlot"=dword:000000bd

"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff

"0"=hex:58,00,31,00,00,00,00,00,b5,36,33,6c,10,00,52,41,50,48,41,4c,7e,..

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\]

"NodeSlot"=dword:000000be

"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff

"0"=hex:68,00,31,00,00,00,00,00,b5,36,33,6c,10,00,52,41,50,48,41,45,7e,..

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\]

"NodeSlot"=dword:000000bf

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\1]

"NodeSlot"=dword:000000c0

"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff

"0"=hex:42,00,31,00,00,00,00,00,b5,36,7a,79,10,00,4c,45,4d,41,55,44,7e,..

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\1]

"NodeSlot"=dword:000000ca

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\10]

"NodeSlot"=dword:000000d1

"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff

"0"=hex:44,00,31,00,00,00,00,00,b4,36,02,79,10,00,52,49,43,4b,53,52,7e,..

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\10]

"NodeSlot"=dword:000000d2

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\11]

"NodeSlot"=dword:000000d3

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\12]

"NodeSlot"=dword:000000d4

"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff

"0"=hex:52,00,31,00,00,00,00,00,b5,36,ad,6b,10,00,4c,45,53,50,45,54,7e,..

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\12]

"NodeSlot"=dword:000000d7

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\13]

"NodeSlot"=dword:000000d5

"MRUListEx"=hex:00,00,00,00,01,00,00,00,ff,ff,ff,ff

"0"=hex:52,00,31,00,00,00,00,00,b5,36,96,6b,10,00,4c,45,53,50,45,54,7e,..

"1"=hex:44,00,31,00,00,00,00,00,b5,36,a5,89,10,00,41,43,4f,55,53,54,7e,..

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\13]

"NodeSlot"=dword:000000d6

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\13\1]

"NodeSlot"=dword:000000da

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\14]

"NodeSlot"=dword:000000d8

"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff

"0"=hex:36,00,31,00,00,00,00,00,b4,36,da,72,10,00,4d,26,4a,7e,31,00,22,..

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\14]

"NodeSlot"=dword:000000d9

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\15]

"NodeSlot"=dword:000000db

"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff

"0"=hex:50,00,31,00,00,00,00,00,b4,36,4a,6d,10,00,4c,49,56,45,41,54,7e,..

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\15]

"NodeSlot"=dword:000000dc

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\16]

"NodeSlot"=dword:000000dd

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\17]

"NodeSlot"=dword:000000de

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\18]

"NodeSlot"=dword:000000df

"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff

"0"=hex:4a,00,31,00,00,00,00,00,b5,36,8c,83,10,00,4c,45,53,49,4e,4e,7e,..

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\18]

"NodeSlot"=dword:000000e0

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\2]

"NodeSlot"=dword:000000c1

"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff

"0"=hex:3c,00,31,00,00,00,00,00,b5,36,cd,6e,10,00,42,61,72,62,61,72,61,..

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\2]

"NodeSlot"=dword:000000c2

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\3]

"NodeSlot"=dword:000000c3

"MRUListEx"=hex:01,00,00,00,00,00,00,00,ff,ff,ff,ff

"0"=hex:3e,00,31,00,00,00,00,00,b5,36,ed,71,10,00,42,45,53,54,4f,46,7e,..

"1"=hex:60,00,31,00,00,00,00,00,b5,36,e0,71,10,00,4e,4f,4e,5f,4a,45,7e,..

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\3]

"NodeSlot"=dword:000000c4

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\3\1]

"NodeSlot"=dword:000000c5

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\4]

"NodeSlot"=dword:000000c6

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\5]

"NodeSlot"=dword:000000c7

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\6]

"NodeSlot"=dword:000000c8

"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff

"0"=hex:6a,00,31,00,00,00,00,00,b4,36,0a,6d,10,00,30,39,2d,4c,45,53,7e,..

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\6]

"NodeSlot"=dword:000000c9

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\7]

"NodeSlot"=dword:000000cb

"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff

"0"=hex:3c,00,31,00,00,00,00,00,b5,36,c0,7a,10,00,49,6e,63,6f,6e,6e,75,..

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\7]

"NodeSlot"=dword:000000cc

"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff

"0"=hex:3c,00,31,00,00,00,00,00,b5,36,c2,7a,10,00,49,6e,63,6f,6e,6e,75,..

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\7\]

"NodeSlot"=dword:000000cd

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\8]

"NodeSlot"=dword:000000ce

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\9]

"NodeSlot"=dword:000000cf

"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff

"0"=hex:60,00,31,00,00,00,00,00,b5,36,0d,80,10,00,4c,45,53,50,4c,55,7e,..

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\1\9]

"NodeSlot"=dword:000000d0

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\2]

"NodeSlot"=dword:000000ac

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\3]

"NodeSlot"=dword:000000af

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2\4]

"NodeSlot"=dword:000000b0

"MRUListEx"=hex:ff,ff,ff,ff

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\3]

"NodeSlot"=dword:000000ae

"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\10\Shell]

"Mode"=dword:00000006

"ScrollPos800x600(1).x"=dword:00000000

"ScrollPos800x600(1).y"=dword:00000000

"Sort"=dword:00000000

"SortDir"=dword:00000001

"Col"=dword:ffffffff

"ColInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,fd,df,df,fd,0f,..

"MinPos800x600(1).x"=dword:ffff8300

"MinPos800x600(1).y"=dword:ffff8300

"MaxPos800x600(1).x"=dword:ffffffff

"MaxPos800x600(1).y"=dword:ffffffff

"WinPos800x600(1).left"=dword:00000016

"WinPos800x600(1).top"=dword:0000001d

"WinPos800x600(1).right"=dword:0000026e

"WinPos800x600(1).bottom"=dword:000001b1

"Rev"=dword:00000000

"WFlags"=dword:00000002

"ShowCmd"=dword:00000003

"FFlags"=dword:00000001

"HotKey"=dword:00000000

"Buttons"=dword:ffffffff

"Status"=dword:00000000

"Links"=dword:00000000

"Address"=dword:ffffffff

"Vid"="{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"

"FolderType"="Documents"

 

scanning hidden files ...

 

scan completed successfully

hidden services: 0

hidden files: 0

 

 

KProcCheck Version 0.2-beta1 Proof-of-Concept by SIG^2 (www.security.org.sg)

 

Process list by traversal of KiWaitListHead

 

4 - System

160 - spoolsv.exe

436 - a2service.exe

476 - sched.exe

488 - avguard.exe

548 - ehSched.exe

568 - cmd.exe

608 - IAANTmon.exe

736 - csrss.exe

760 - winlogon.exe

804 - services.exe

816 - lsass.exe

984 - svchost.exe

1060 - svchost.exe

1104 - lxcrcoms.exe

1144 - nvsvc32.exe

1156 - svchost.exe

1196 - svchost.exe

1324 - svchost.exe

1400 - vsmon.exe

1420 - svchost.exe

1520 - svchost.exe

1616 - explorer.exe

1716 - ELService.exe

1896 - mcrdsvc.exe

1968 - aawservice.exe

2144 - wmiprvse.exe

2452 - dllhost.exe

2804 - alg.exe

3120 - RTHDCPL.EXE

3128 - IAAnotif.exe

3144 - HPBootOp.exe

3152 - avgnt.exe

3184 - PCBooster.exe

3216 - zlclient.exe

3224 - lxcrmon.exe

3232 - ezprint.exe

3260 - realsched.exe

3272 - itype.exe

3292 - ipoint.exe

3300 - rundll32.exe

3404 - ctfmon.exe

3428 - SweetIM.exe

3880 - kbd.exe

3960 - wuauclt.exe

 

Total number of processes = 45

NOTE: Under WinXP, this will not show all processes.

 

KProcCheck Version 0.2-beta1 Proof-of-Concept by SIG^2 (www.security.org.sg)

 

Driver/Module list by traversal of PsLoadedModuleList

 

804D7000 - \WINDOWS\system32\ntkrnlpa.exe

806E2000 - \WINDOWS\system32\hal.dll

F7B10000 - \WINDOWS\system32\KDCOM.DLL

F7A20000 - \WINDOWS\system32\BOOTVID.dll

F74E0000 - ACPI.sys

F7B12000 - \WINDOWS\system32\DRIVERS\WMILIB.SYS

F74CF000 - pci.sys

F7610000 - isapnp.sys

F7620000 - ohci1394.sys

F7630000 - \WINDOWS\system32\DRIVERS\1394BUS.SYS

F7BD8000 - pciide.sys

F7890000 - \WINDOWS\system32\DRIVERS\PCIIDEX.SYS

F7B14000 - viaide.sys

F7B16000 - intelide.sys

F7640000 - MountMgr.sys

F74B0000 - ftdisk.sys

F7B18000 - dmload.sys

F748A000 - dmio.sys

F7898000 - PartMgr.sys

F7650000 - VolSnap.sys

F73CA000 - iastor.sys

F73B2000 - atapi.sys

F736F000 - ftsata2.sys

F7357000 - \WINDOWS\system32\DRIVERS\SCSIPORT.SYS

F7660000 - disk.sys

F7670000 - \WINDOWS\system32\DRIVERS\CLASSPNP.SYS

F7337000 - fltMgr.sys

F7680000 - bb-run.sys

F7690000 - PxHelp20.sys

F7320000 - KSecDD.sys

F730D000 - WudfPf.sys

F7280000 - Ntfs.sys

F7253000 - NDIS.sys

F723F000 - srescan.sys

F7224000 - Mup.sys

F78A0000 - BTHidMgr.sys

F77D0000 - \SystemRoot\system32\DRIVERS\intelppm.sys

F7928000 - \SystemRoot\system32\DRIVERS\ELacpi.sys

F662F000 - \SystemRoot\system32\DRIVERS\nv4_mini.sys

F661B000 - \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS

F65F6000 - \SystemRoot\system32\DRIVERS\HDAudBus.sys

F7930000 - \SystemRoot\system32\DRIVERS\usbuhci.sys

F65D3000 - \SystemRoot\system32\DRIVERS\USBPORT.SYS

F7938000 - \SystemRoot\system32\DRIVERS\usbehci.sys

F65AB000 - \SystemRoot\system32\DRIVERS\e100b325.sys

F6597000 - \SystemRoot\system32\DRIVERS\parport.sys

F77E0000 - \SystemRoot\system32\DRIVERS\i8042prt.sys

F7940000 - \SystemRoot\system32\DRIVERS\point32.sys

F7948000 - \SystemRoot\system32\DRIVERS\mouclass.sys

F7B52000 - \??\C:\WINDOWS\System32\Drivers\Elmou.sys

F7950000 - \SystemRoot\system32\DRIVERS\PS2.sys

F7958000 - \SystemRoot\system32\DRIVERS\kbdclass.sys

F7B54000 - \??\C:\WINDOWS\System32\Drivers\Elkbd.sys

F77F0000 - \SystemRoot\system32\DRIVERS\imapi.sys

F7800000 - \SystemRoot\system32\DRIVERS\cdrom.sys

F7810000 - \SystemRoot\system32\DRIVERS\redbook.sys

F6574000 - \SystemRoot\system32\DRIVERS\ks.sys

F7C18000 - \SystemRoot\system32\DRIVERS\audstub.sys

F7820000 - \SystemRoot\system32\DRIVERS\rasl2tp.sys

F71EC000 - \SystemRoot\system32\DRIVERS\ndistapi.sys

F655D000 - \SystemRoot\system32\DRIVERS\ndiswan.sys

F7830000 - \SystemRoot\system32\DRIVERS\raspppoe.sys

F7850000 - \SystemRoot\system32\DRIVERS\raspptp.sys

F7960000 - \SystemRoot\system32\DRIVERS\TDI.SYS

F6529000 - \SystemRoot\system32\DRIVERS\psched.sys

F7860000 - \SystemRoot\system32\DRIVERS\msgpc.sys

F7A08000 - \SystemRoot\system32\DRIVERS\ptilink.sys

F7A10000 - \SystemRoot\system32\DRIVERS\raspti.sys

F5E5A000 - \SystemRoot\system32\DRIVERS\rdpdr.sys

F77B0000 - \SystemRoot\system32\DRIVERS\termdd.sys

F7B5E000 - \SystemRoot\system32\DRIVERS\swenum.sys

F580F000 - \SystemRoot\system32\DRIVERS\update.sys

F7AC4000 - \SystemRoot\system32\DRIVERS\mssmbios.sys

F61E8000 - \SystemRoot\System32\Drivers\NDProxy.SYS

EE962000 - \SystemRoot\system32\drivers\RtkHDAud.sys

EE940000 - \SystemRoot\system32\drivers\portcls.sys

F28D1000 - \SystemRoot\system32\drivers\drmk.sys

ED50D000 - \SystemRoot\system32\DRIVERS\usbhub.sys

F7BD2000 - \SystemRoot\system32\DRIVERS\USBD.SYS

EB045000 - \SystemRoot\system32\DRIVERS\klif.sys

EFC32000 - \SystemRoot\system32\DRIVERS\usbccgp.sys

F7B7E000 - \SystemRoot\System32\Drivers\Fs_Rec.SYS

F054B000 - \SystemRoot\System32\Drivers\Null.SYS

F7B80000 - \SystemRoot\System32\Drivers\Beep.SYS

EFC2A000 - \SystemRoot\System32\drivers\vga.sys

F7B82000 - \SystemRoot\System32\Drivers\mnmdd.SYS

F7B84000 - \SystemRoot\System32\DRIVERS\RDPCDD.sys

EFC1A000 - \SystemRoot\System32\Drivers\Msfs.SYS

EFC12000 - \SystemRoot\System32\Drivers\Npfs.SYS

EF56D000 - \SystemRoot\system32\DRIVERS\rasacd.sys

EB3E0000 - \SystemRoot\system32\DRIVERS\ipsec.sys

EB388000 - \SystemRoot\system32\DRIVERS\tcpip.sys

EB360000 - \SystemRoot\system32\DRIVERS\netbt.sys

EB33F000 - \SystemRoot\system32\DRIVERS\ipnat.sys

EF276000 - \SystemRoot\system32\DRIVERS\wanarp.sys

EB2DF000 - \SystemRoot\System32\vsdatant.sys

EB2BD000 - \SystemRoot\System32\drivers\afd.sys

EF266000 - \SystemRoot\system32\DRIVERS\netbios.sys

EFC0A000 - \SystemRoot\System32\Drivers\StarOpen.SYS

EB292000 - \SystemRoot\system32\DRIVERS\rdbss.sys

EB223000 - \SystemRoot\system32\DRIVERS\mrxsmb.sys

EF256000 - \SystemRoot\System32\Drivers\Fips.SYS

F7B8A000 - \??\C:\WINDOWS\System32\Drivers\Elmon.sys

F0511000 - \??\C:\WINDOWS\System32\Drivers\Elhid.sys

EFBFA000 - \??\C:\WINDOWS\System32\Drivers\HIDPARSE.SYS

F7B8C000 - \??\C:\Program Files\AntiVir PersonalEdition Classic\avgio.sys

EB200000 - \SystemRoot\System32\Drivers\Fastfat.SYS

F0290000 - \SystemRoot\system32\DRIVERS\USBSTOR.SYS

F04F5000 - \SystemRoot\system32\DRIVERS\usbscan.sys

F0288000 - \SystemRoot\system32\DRIVERS\usbprint.sys

F04F1000 - \SystemRoot\system32\DRIVERS\hidusb.sys

EF236000 - \SystemRoot\system32\DRIVERS\HIDCLASS.SYS

EB140000 - \SystemRoot\System32\Drivers\dump_iaStor.sys

BF800000 - \SystemRoot\System32\win32k.sys

F00A2000 - \SystemRoot\System32\drivers\Dxapi.sys

F0278000 - \SystemRoot\System32\watchdog.sys

BF9C3000 - \SystemRoot\System32\drivers\dxg.sys

F7CAC000 - \SystemRoot\System32\drivers\dxgthk.sys

BF9D5000 - \SystemRoot\System32\nv4_disp.dll

EE130000 - \SystemRoot\system32\DRIVERS\ndisuio.sys

BA523000 - \SystemRoot\system32\drivers\wdmaud.sys

EFF3A000 - \SystemRoot\system32\drivers\sysaudio.sys

BA4A8000 - \SystemRoot\system32\DRIVERS\mrxdav.sys

BA417000 - \SystemRoot\System32\Drivers\HTTP.sys

BA375000 - \SystemRoot\system32\DRIVERS\srv.sys

B9EDA000 - \??\C:\Program Files\AntiVir PersonalEdition Classic\avgntflt.sys

B9E52000 - \SystemRoot\System32\Drivers\Cdfs.SYS

B9975000 - \SystemRoot\system32\DRIVERS\sr.sys

F7D2D000 - \SystemRoot\System32\DRIVERS\KProcCheck.sys

 

Total number of drivers = 129

 

Liste des programmes installes

 

a-squared Free 2.1

ABBYY FineReader 6.0 Sprint

Ad-Aware 2007

Adobe Reader 8.1.0 - Français

AIDA32 v3.93

Apple Software Update

Archiveur WinRAR

Avira AntiVir PersonalEdition Classic

BeClean

BitTorrent 5.0.9

BufferChm

CCleaner (remove only)

CDBurnerXP Pro 3

Correctif n° 2 pour Windows XP Édition Media Center 2005

Correctif pour Lecteur Windows Media 10 (KB910393)

Correctif pour Lecteur Windows Media 11 (KB939683)

Correctif pour Windows XP (KB888795)

Correctif pour Windows XP (KB891593)

Correctif pour Windows XP (KB893357)

Correctif pour Windows XP (KB899337)

Correctif pour Windows XP (KB899510)

Correctif pour Windows XP (KB902841)

Correctif pour Windows XP (KB906569)

Correctif pour Windows XP (KB912024)

Correctif pour Windows XP (KB914440)

Correctif pour Windows XP (KB935448)

Correctif Windows XP - KB873339

Correctif Windows XP - KB883667

Correctif Windows XP - KB885250

Correctif Windows XP - KB885835

Correctif Windows XP - KB885836

Correctif Windows XP - KB885884

Correctif Windows XP - KB886185

Correctif Windows XP - KB887472

Correctif Windows XP - KB887742

Correctif Windows XP - KB888113

Correctif Windows XP - KB888302

Correctif Windows XP - KB890175

Correctif Windows XP - KB890859

Correctif Windows XP - KB891781

Correctif Windows XP - KB892050

Correctif Windows XP - KB893066

Correctif Windows XP - KB895961

CP_AtenaShokunin1Config

CP_CalendarTemplates1

cp_LightScribeConfig

cp_OnlineProjectsConfig

CP_Package_Basic1

CP_Package_Variety1

CP_Package_Variety2

CP_Package_Variety3

CP_Panorama1Config

cp_PosterPrintConfig

cp_UpdateProjectsConfig

CueTour

Destinations

DeviceManagementQFolder

EasyCleaner

Enhanced Multimedia Keyboard Solution

Freeplayer

FullDPAppQFolder

G-Force

GemMaster Mystic

HaxFix 4.57

High Definition Audio - KB888111

HijackThis 1.99.1

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Player 10 (KB903157)

Hotfix for Windows XP (KB915865)

Hotfix for Windows XP (KB926239)

HP Boot Optimizer

HP DigitalMedia Archive

HP DVD Play 2.1

HP Imaging Device Functions 7.0

HP Photosmart for Media Center PC

HP Photosmart Premier Software 6.5

hp psc 1200 series

HP Software Update

HPPhotoSmartExpress

HpSdpAppCoreApp

InstantShareDevices

Intel® Matrix Storage Manager

Intel® PRO Network Connections Drivers

Intel® Quick Resume Technology Drivers

IrfanView (remove only)

IsoBuster 2.0

J2SE Runtime Environment 5.0 Update 11

J2SE Runtime Environment 5.0 Update 6

Java 6 Update 2

Java 6 Update 3

Java SE Runtime Environment 6 Update 1

jv16 PowerTools 1.3

Kaspersky Online Scanner

Le logiciel Intel® Viiv

Lecteur Windows Media 11

Lexmark 2400 Series

Lexmark Barre d'outils

LightScribe 1.4.105.1

Macrogaming SweetIM 2.1

Microsoft .NET Framework 1.0 Hotfix (KB887998)

Microsoft .NET Framework 1.0 Hotfix (KB930494)

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 French Language Pack

Microsoft .NET Framework 1.1 Hotfix (KB928366)

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft IntelliPoint 6.1

Microsoft IntelliType Pro 6.1

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft National Language Support Downlevel APIs

Microsoft Office Access MUI (French) 2007

Microsoft Office Excel MUI (French) 2007

Microsoft Office InfoPath MUI (French) 2007

Microsoft Office Outlook MUI (French) 2007

Microsoft Office PowerPoint MUI (French) 2007

Microsoft Office Professional Plus 2007

Microsoft Office Professional Plus 2007

Microsoft Office Proof (Arabic) 2007

Microsoft Office Proof (Dutch) 2007

Microsoft Office Proof (English) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (German) 2007

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proofing (French) 2007

Microsoft Office Publisher MUI (French) 2007

Microsoft Office Shared MUI (French) 2007

Microsoft Office Word MUI (French) 2007

Microsoft Software Update for Web Folders (French) 12

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft Works

Mise à jour de sécurité pour Lecteur Windows Media 10 (KB911565)

Mise à jour de sécurité pour Lecteur Windows Media 10 (KB917734)

Mise à jour de sécurité pour Lecteur Windows Media 11 (KB936782)

Mise à jour de sécurité pour Lecteur Windows Media 6.4 (KB925398)

Mise à jour de sécurité pour Step by Step Interactive Training (KB923723)

Mise à jour de sécurité pour Windows XP (KB893756)

Mise à jour de sécurité pour Windows XP (KB896358)

Mise à jour de sécurité pour Windows XP (KB896422)

Mise à jour de sécurité pour Windows XP (KB896423)

Mise à jour de sécurité pour Windows XP (KB896424)

Mise à jour de sécurité pour Windows XP (KB896428)

Mise à jour de sécurité pour Windows XP (KB899587)

Mise à jour de sécurité pour Windows XP (KB899591)

Mise à jour de sécurité pour Windows XP (KB900725)

Mise à jour de sécurité pour Windows XP (KB901017)

Mise à jour de sécurité pour Windows XP (KB901214)

Mise à jour de sécurité pour Windows XP (KB902400)

Mise à jour de sécurité pour Windows XP (KB904706)

Mise à jour de sécurité pour Windows XP (KB905414)

Mise à jour de sécurité pour Windows XP (KB905749)

Mise à jour de sécurité pour Windows XP (KB908519)

Mise à jour de sécurité pour Windows XP (KB908531)

Mise à jour de sécurité pour Windows XP (KB911562)

Mise à jour de sécurité pour Windows XP (KB911927)

Mise à jour de sécurité pour Windows XP (KB912812)

Mise à jour de sécurité pour Windows XP (KB912919)

Mise à jour de sécurité pour Windows XP (KB913580)

Mise à jour de sécurité pour Windows XP (KB914388)

Mise à jour de sécurité pour Windows XP (KB914389)

Mise à jour de sécurité pour Windows XP (KB917344)

Mise à jour de sécurité pour Windows XP (KB917422)

Mise à jour de sécurité pour Windows XP (KB917953)

Mise à jour de sécurité pour Windows XP (KB918118)

Mise à jour de sécurité pour Windows XP (KB918439)

Mise à jour de sécurité pour Windows XP (KB919007)

Mise à jour de sécurité pour Windows XP (KB920213)

Mise à jour de sécurité pour Windows XP (KB920670)

Mise à jour de sécurité pour Windows XP (KB920683)

Mise à jour de sécurité pour Windows XP (KB920685)

Mise à jour de sécurité pour Windows XP (KB921503)

Mise à jour de sécurité pour Windows XP (KB922819)

Mise à jour de sécurité pour Windows XP (KB923191)

Mise à jour de sécurité pour Windows XP (KB923414)

Mise à jour de sécurité pour Windows XP (KB923689)

Mise à jour de sécurité pour Windows XP (KB923694)

Mise à jour de sécurité pour Windows XP (KB923980)

Mise à jour de sécurité pour Windows XP (KB924191)

Mise à jour de sécurité pour Windows XP (KB924270)

Mise à jour de sécurité pour Windows XP (KB924496)

Mise à jour de sécurité pour Windows XP (KB924667)

Mise à jour de sécurité pour Windows XP (KB925902)

Mise à jour de sécurité pour Windows XP (KB926255)

Mise à jour de sécurité pour Windows XP (KB926436)

Mise à jour de sécurité pour Windows XP (KB927779)

Mise à jour de sécurité pour Windows XP (KB927802)

Mise à jour de sécurité pour Windows XP (KB928090)

Mise à jour de sécurité pour Windows XP (KB928255)

Mise à jour de sécurité pour Windows XP (KB928843)

Mise à jour de sécurité pour Windows XP (KB929123)

Mise à jour de sécurité pour Windows XP (KB930178)

Mise à jour de sécurité pour Windows XP (KB931261)

Mise à jour de sécurité pour Windows XP (KB931784)

Mise à jour de sécurité pour Windows XP (KB932168)

Mise à jour de sécurité pour Windows XP (KB933566)

Mise à jour de sécurité pour Windows XP (KB933729)

Mise à jour de sécurité pour Windows XP (KB935839)

Mise à jour de sécurité pour Windows XP (KB935840)

Mise à jour de sécurité pour Windows XP (KB936021)

Mise à jour de sécurité pour Windows XP (KB937143)

Mise à jour de sécurité pour Windows XP (KB938127)

Mise à jour de sécurité pour Windows XP (KB938829)

Mise à jour de sécurité pour Windows XP (KB939653)

Mise à jour de sécurité pour Windows XP (KB943460)

Mise à jour pour Lecteur Windows Media 10 (KB913800)

Mise à jour pour Lecteur Windows Media 10 (KB926251)

Mise à jour pour Windows XP (KB898461)

Mise à jour pour Windows XP (KB900485)

Mise à jour pour Windows XP (KB904942)

Mise à jour pour Windows XP (KB910437)

Mise à jour pour Windows XP (KB911280)

Mise à jour pour Windows XP (KB912945)

Mise à jour pour Windows XP (KB916595)

Mise à jour pour Windows XP (KB920342)

Mise à jour pour Windows XP (KB920872)

Mise à jour pour Windows XP (KB922582)

Mise à jour pour Windows XP (KB927891)

Mise à jour pour Windows XP (KB929338)

Mise à jour pour Windows XP (KB930916)

Mise à jour pour Windows XP (KB931836)

Mise à jour pour Windows XP (KB933360)

Mise à jour pour Windows XP (KB936357)

Mise à jour pour Windows XP (KB938828)

Mozilla Firefox (2.0.0.9)

MSN

MSXML 4.0 SP2 (KB927978)

MSXML 4.0 SP2 (KB936181)

muvee autoProducer 5.0

muvee autoProducer unPlugged 2.0

NVIDIA Drivers

OptionalContentQFolder

Otto

PC-Doctor 5 pour Windows

PC Booster

Photo et imagerie HP 2.0 - All-in-One Pilote

Photo et imagerie HP 2.0 - All-in-One Series

Photo et imagerie HP 2.0 - hp psc 1200 series

PhotoGallery

Python 2.2 pywin32 extensions (build 203)

Python 2.2.3

QuickTime

RandMap

RealPlayer

Realtek High Definition Audio Driver

SAMSUNG CDMA Modem Driver Set

SAMSUNG Mobile USB Modem ^^

SAMSUNG Mobile USB Modem 1.0 Software

SAMSUNG Mobile USB Modem Software

Samsung PC Studio

Samsung PC Studio

Samsung PC Studio 3 USB Driver Installer

Security Update for CAPICOM (KB931906)

Security Update for CAPICOM (KB931906)

Services Internet

Services Internet

SkinsHP1

SlideShow

SlideShowMusic

SoftSkies

Solutions de télécopie Lexmark

Sonic Express Labeler

Sonic MyDVD Plus

Sonic RecordNow Audio

Sonic RecordNow Copy

Sonic RecordNow Data

Sonic Update Manager

Sonic_PrimoSDK

Spybot - Search & Destroy 1.4

SpywareBlaster v3.5.1

SweetIM For Internet Explorer 3.0b

Unload

Unlocker 1.8.5

VideoLAN VLC media player 0.8.6a

WebFldrs XP

Windows Genuine Advantage Notifications (KB905474)

Windows Genuine Advantage Validation Tool (KB892130)

Windows Installer 3.1 (KB893803)

Windows Live Messenger

Windows Live Sign-in Assistant

Windows Media Format 11 runtime

Windows Media Format 11 runtime

Windows Media Player 11

Windows Media Player Firefox Plugin

Windows XP Media Center Edition 2005 KB925766

ZoneAlarm

 

 

 

Le volume dans le lecteur C s'appelle HP_PAVILION

Le numéro de série du volume est 005A-6CCF

 

Répertoire de C:\Program Files

 

14/11/2007 15:54 <REP> .

14/11/2007 15:54 <REP> ..

09/10/2007 17:51 <REP> Abbyy FineReader 6.0 Sprint

25/07/2007 10:39 <REP> Adobe

26/10/2007 11:04 <REP> AIDA32 - Personal System Information

14/11/2007 22:27 <REP> AntiVir PersonalEdition Classic

03/11/2007 21:42 <REP> Apple Software Update

04/11/2007 20:51 <REP> a-squared Free

25/07/2007 22:34 86 autoclean.ini

09/10/2007 17:06 <REP> Backup

04/11/2007 19:09 <REP> BeClean

22/10/2007 10:52 <REP> BitTorrent

13/03/2007 20:12 <REP> CCleaner

24/05/2007 21:00 <REP> CDBurnerXP Pro 3

12/11/2005 01:09 <REP> ComPlus Applications

03/01/2006 01:10 <REP> EasyBits

14/11/2007 00:43 <REP> eMule1

09/10/2007 19:06 <REP> Fichiers communs

30/10/2007 21:22 <REP> Freeplayer

03/01/2006 00:21 <REP> FrenchOtto

03/01/2006 00:21 <REP> GemMasterFrench

07/11/2007 12:02 <REP> Google

01/06/2007 22:14 <REP> Grisoft

14/11/2007 15:56 <REP> HaxFix

03/01/2006 01:10 <REP> Hewlett-Packard

14/11/2007 22:38 <REP> hijackthis

09/10/2007 16:28 0 history.txt

03/01/2006 00:52 <REP> HP

03/01/2006 00:49 <REP> HP DigitalMedia Archive

26/07/2007 21:49 <REP> inKline Global

03/01/2006 00:40 <REP> Intel

10/10/2007 21:00 <REP> Internet Explorer

08/11/2007 02:43 <REP> IrfanView

06/07/2007 18:23 <REP> IVT Corporation

15/10/2007 08:31 <REP> Java

22/05/2007 15:45 <REP> jv16 PowerTools

25/07/2007 22:35 95 lang.ini

13/03/2007 20:13 <REP> Languages

19/08/2007 12:05 <REP> Lavasoft

09/10/2007 17:36 <REP> Lexmark 2400 Series

09/10/2007 17:36 <REP> Lexmark Fax Solutions

09/10/2007 17:39 <REP> Lexmark Toolbar

14/11/2007 23:36 <REP> lx_cats

07/11/2007 21:56 <REP> Macrogaming

08/11/2007 02:13 <REP> Messenger

09/05/2007 11:48 <REP> Microsoft CAPICOM 2.1.0.2

15/11/2005 03:24 <REP> microsoft frontpage

06/11/2007 19:33 <REP> Microsoft IntelliPoint

06/11/2007 19:32 <REP> Microsoft IntelliType Pro

09/10/2007 19:06 <REP> Microsoft Office

09/10/2007 19:06 <REP> Microsoft Visual Studio

09/10/2007 19:07 <REP> Microsoft Works

09/10/2007 19:05 <REP> Microsoft.NET

15/11/2005 03:24 <REP> Movie Maker

14/11/2007 23:33 <REP> Mozilla Firefox

09/10/2007 19:07 <REP> MSBuild

30/05/2007 18:49 <REP> MSN

15/11/2005 03:25 <REP> MSN Gaming Zone

24/05/2007 14:19 <REP> MSN Messenger

09/03/2007 16:48 <REP> MSXML 4.0

03/01/2006 00:55 <REP> muvee Technologies

15/11/2005 03:25 <REP> NetMeeting

15/11/2005 03:25 <REP> Online Services

13/06/2007 11:17 <REP> Outlook Express

03/01/2006 01:06 <REP> PC-Doctor 5 for Windows

03/08/2007 16:01 <REP> QuickTime

03/01/2006 00:49 <REP> Real

22/05/2007 15:59 <REP> RegCleaner

25/07/2007 22:35 0 regfav.ini

25/04/2007 11:33 <REP> Samsung

03/01/2006 01:12 <REP> Services en ligne

24/05/2007 21:25 <REP> Smart Projects

03/01/2006 00:50 <REP> Sonic

24/08/2007 13:10 <REP> SoundSpectrum

04/11/2007 20:05 <REP> Spybot - Search & Destroy

19/08/2007 11:52 <REP> SpywareBlaster

19/08/2007 11:58 <REP> SpywareGuard

13/03/2007 20:11 <REP> ToniArts

22/08/2007 17:04 <REP> Unlocker

19/03/2007 17:34 <REP> VideoLAN

18/03/2007 17:22 <REP> Windows Media Connect 2

28/05/2007 14:28 <REP> Windows Media Player

15/11/2005 03:25 <REP> Windows NT

15/11/2005 03:25 <REP> Windows Plus

07/11/2007 22:14 <REP> WinRAR

15/11/2005 03:26 <REP> xerox

09/10/2007 17:06 <REP> Yahoo!

14/03/2007 22:46 <REP> Zone Labs

4 fichier(s) 181 octets

84 Rép(s) 121 579 257 856 octets libres

Le volume dans le lecteur C s'appelle HP_PAVILION

Le numéro de série du volume est 005A-6CCF

 

Répertoire de C:\Program Files\fichiers communs

 

09/10/2007 19:06 <REP> .

09/10/2007 19:06 <REP> ..

16/06/2007 21:43 <REP> Adobe

09/10/2007 19:06 <REP> DESIGNER

13/03/2007 18:47 <REP> Hewlett-Packard

03/01/2006 00:45 <REP> HP

03/01/2006 01:08 <REP> InstallShield

03/01/2006 00:26 <REP> Java

03/01/2006 00:51 <REP> LightScribe

03/01/2006 00:51 <REP> LS Getting Started

09/10/2007 19:07 <REP> Microsoft Shared

15/11/2005 03:24 <REP> MSSoap

03/01/2006 00:54 <REP> muvee Technologies

15/11/2005 03:24 <REP> ODBC

03/01/2006 00:49 <REP> Real

15/11/2005 03:24 <REP> Services

03/01/2006 00:50 <REP> Sonic Shared

15/11/2005 03:24 <REP> SpeechEngines

03/01/2006 00:50 <REP> SureThing Shared

14/03/2007 22:40 <REP> Symantec Shared

09/10/2007 19:02 <REP> System

03/01/2006 00:50 <REP> TiVo Shared

19/08/2007 12:05 <REP> Wise Installation Wizard

03/01/2006 00:49 <REP> xing shared

0 fichier(s) 0 octets

24 Rép(s) 121 579 257 856 octets libres

Le volume dans le lecteur C s'appelle HP_PAVILION

Le numéro de série du volume est 005A-6CCF

 

Répertoire de C:\Program Files\fichiers communs\Microsoft Shared\Web Folders

 

09/10/2007 19:06 <REP> .

09/10/2007 19:06 <REP> ..

13/03/2007 19:58 <REP> 1033

09/10/2007 19:01 <REP> 1036

26/10/2006 18:49 970 528 MSONSEXT.DLL

26/10/2006 19:12 40 256 MSOSV.DLL

03/06/1999 10:09 122 937 MSOWS409.DLL

07/03/2001 05:00 127 033 MSOWS40c.DLL

22/01/2001 05:25 86 016 PKMWS.DLL

5 fichier(s) 1 346 770 octets

4 Rép(s) 121 579 253 760 octets libres

 

 

 

 

c:\Documents and Settings\All Users\Application Data\Hewlett-Packard\HP Boot Optimizer\InstMsiA.Exe

c:\Documents and Settings\All Users\Application Data\Hewlett-Packard\HP Boot Optimizer\InstMsiW.Exe

c:\Documents and Settings\All Users\Application Data\Hewlett-Packard\HP Boot Optimizer\Setup.Exe

c:\Documents and Settings\HP_Administrateur\.limewire\.NetworkShare\LimeWireWinInstaller 1.exe

c:\Documents and Settings\HP_Administrateur\.limewire\.NetworkShare\LimeWireWinInstaller.exe

c:\Documents and Settings\HP_Administrateur\Application Data\Adobe\Acrobat\7.0\Updater\AdbeRdr709_fr_FR.exe

c:\Documents and Settings\HP_Administrateur\Application Data\Microsoft\Installer\{F6D63A65-BD23-46F3-B9A3-87F442423481}\ARPPRODUCTICON.exe

c:\Documents and Settings\HP_Administrateur\Bureau\haxfix.exe

c:\Documents and Settings\HP_Administrateur\Bureau\OTMoveIt.exe

c:\Documents and Settings\HP_Administrateur\Bureau\DiagHelp\catchme.exe

c:\Documents and Settings\HP_Administrateur\Bureau\DiagHelp\diff.exe

c:\Documents and Settings\HP_Administrateur\Bureau\DiagHelp\dumphive.exe

c:\Documents and Settings\HP_Administrateur\Bureau\DiagHelp\FilesInfoCmd.exe

c:\Documents and Settings\HP_Administrateur\Bureau\DiagHelp\find2.exe

c:\Documents and Settings\HP_Administrateur\Bureau\DiagHelp\Fport.exe

c:\Documents and Settings\HP_Administrateur\Bureau\DiagHelp\grep.exe

c:\Documents and Settings\HP_Administrateur\Bureau\DiagHelp\gzip.exe

c:\Documents and Settings\HP_Administrateur\Bureau\DiagHelp\KProcCheck.exe

c:\Documents and Settings\HP_Administrateur\Bureau\DiagHelp\LFiles.exe

c:\Documents and Settings\HP_Administrateur\Bureau\DiagHelp\LISTDLLS.exe

c:\Documents and Settings\HP_Administrateur\Bureau\DiagHelp\md5sums.exe

c:\Documents and Settings\HP_Administrateur\Bureau\DiagHelp\pslist.exe

c:\Documents and Settings\HP_Administrateur\Bureau\DiagHelp\sigcheck.exe

c:\Documents and Settings\HP_Administrateur\Bureau\DiagHelp\streams.exe

c:\Documents and Settings\HP_Administrateur\Bureau\DiagHelp\swreg.exe

c:\Documents and Settings\HP_Administrateur\Bureau\DiagHelp\tar.exe

c:\Documents and Settings\HP_Administrateur\Bureau\Sécurité\RegSeeker.exe

c:\Documents and Settings\HP_Administrateur\Bureau\Sécurité\OFFICE12\SaveAsPDFandXPS.exe

c:\Documents and Settings\HP_Administrateur\Bureau\Sécurité\OFFICE12\SETUP.EXE

c:\Documents and Settings\HP_Administrateur\Bureau\Sécurité\OFFICE12\OFFICE.FR-FR\DW20.EXE

c:\Documents and Settings\HP_Administrateur\Bureau\Sécurité\OFFICE12\OFFICE.FR-FR\DWTRIG20.EXE

c:\Documents and Settings\HP_Administrateur\Bureau\Sécurité\OFFICE12\PROPLUS.WW\OSE.EXE

c:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\BACKUP\FAILSAFE\avewin32.dll

c:\Documents and Settings\All Users\Application Data\Grisoft\AVG Anti-Spyware 7.5\Downloads\help.dll

c:\Documents and Settings\All Users\Application Data\Microsoft\IdentityCRL\production\ppcrlconfig.dll

c:\Documents and Settings\HP_Administrateur\Application Data\Mozilla\Firefox\Profiles\rffaey11.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll

c:\Documents and Settings\HP_Administrateur\Application Data\Mozilla\Firefox\Profiles\rffaey11.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll

c:\Documents and Settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll

 

****** Fin du rapport DiagHelp

Veuillez svp envoyer le fichier C:\upload_moi_MAYKE.tar.gz a l'adresse http://upload.malekal.com


OK, the report shows nothing bad: I would like us to come back to that DLL please >

 

I asked you above to have the file tcpip.sys analysed, and you told me >

so, I did send the file. Analysis finished 0/32

But I would have liked to take a look at the report please!

Redo the scan at VirusTotal: the file is in C:\WINDOWS\System32\drivers

 

Go to Start > Control Panel > Add or Remove Programs and uninstall >

HaxFix 4.57

J2SE Runtime Environment 5.0 Update 11

J2SE Runtime Environment 5.0 Update 6

Java™ 6 Update 2

Java™ SE Runtime Environment 6 Update 1

How is your PC running?

 

@+

Edited by charles ingals

  • Tonton changed the title to [Résolu] Présence de trojan sur mon PC !
