
Posted (edited)

Hi again! Stonangel, I have a few problems, or I'm not understanding very well :P

So the steps up to EasyCleaner are fine, even if I don't find everything to tick.

But in EasyCleaner's registry section it finds 91 keys in green, I don't know what to do? Delete everything? I didn't dare. For the unnecessary ones I removed them.

For the l2mfix folder I can't find the .bat file.

I'm posting my report anyway, sorry about the rest :P


Logfile of HijackThis v1.99.1

Scan saved at 18:13:01, on 25/08/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Office keyboard utility\1.1\nhksrv.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\Program Files\ewido\security suite\ewidoctrl.exe

C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Inventel\Gateway\wlancfg.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\jxymrd.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

C:\Program Files\PowerArchiver\POWERARC.EXE

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_PA322\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.fr/0SEFRFR/SAOS02

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O3 - Toolbar: Barre d'outils MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\fr\msntb.dll

O4 - HKLM\..\Run: [hxnjkd] C:\WINDOWS\system32\jxymrd.exe r

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe

O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\cwyptdlg.dll

O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Fichiers communs\AOL\AOL Spyware Protection\\aolserv.exe (file missing)

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Office keyboard utility\1.1\nhksrv.exe

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

O23 - Service: Service de lancement de WlanCfg (Wlancfg) - Inventel - C:\Program Files\Inventel\Gateway\wlancfg.exe

Edited by yanou

Guest Stonangel
Posted

Hi again, download and run this utility:

http://www.mypctuneup.com/

Reboot.

Run L2Mfix (start by extracting all the files).

Double-click l2mfix and enter 1 > copy and paste the report.

Double-click l2mfix and choose option 2 > copy and paste the report along with a new HijackThis log.

For EasyCleaner you can delete everything.

Guest Stonangel
Posted

That's why I'm asking you to use L2Mfix: multiple infections: Look2Me, Epolvy.

Posted

So I downloaded and installed mypctuneup and ran it, rebooted, extracted the l2mfix files, and here is the report

 

L2MFIX find log 1.04

These are the registry keys present

**********************************************************************************

Winlogon/notify:

Windows Registry Editor Version 5.00

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

"Asynchronous"=dword:00000000

"DllName"=""

"Impersonate"=dword:00000000

"Logon"="WinLogon"

"Logoff"="WinLogoff"

"Shutdown"="WinShutdown"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NetCache]

"Asynchronous"=dword:00000000

"DllName"="C:\\WINDOWS\\system32\\cwyptdlg.dll"

"Impersonate"=dword:00000000

"Logon"="WinLogon"

"Logoff"="WinLogoff"

"Shutdown"="WinShutdown"

 

**********************************************************************************

useragent:

Windows Registry Editor Version 5.00

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

"{ED22557C-041A-2065-2E46-BFFA495350F8}"=""

 

**********************************************************************************

Shell Extension key:

Windows Registry Editor Version 5.00

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

"{E72CC6DE-8769-4FC8-BF90-9BA776F8042D}"=""

"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"

"{51917337-5113-4EC2-9CB6-C6212D0EF3E9}"="BPS Shredder Context Menu"

"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Dossiers Web"

"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"

"{B8AB3565-B0C8-4880-A8D4-DBA8DD979F1A}"=""

"{FE7FEB63-5E3B-4190-8659-4309350B8B33}"=""

"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"

"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"

"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"

"{2567539F-9FB8-4BC4-9D53-9FD54BD5E9BC}"=""

"{944A220B-F02D-41DD-806A-B1D8B7753DFB}"=""

"{7BED816E-9AC1-495C-A690-EF479F568948}"=""

"{1BAC3341-7518-4522-B72C-E353B4E22060}"=""

"{67965746-42A9-4278-A4BA-44B5EF2E7B1E}"=""

"{e57ce731-33e8-4c51-8354-bb4de9d215d1}"="Périphériques Plug and Play universels"

"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"

"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"

"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"

 

**********************************************************************************

HKEY ROOT CLASSIDS:

Windows Registry Editor Version 5.00

 

[HKEY_CLASSES_ROOT\CLSID\{944A220B-F02D-41DD-806A-B1D8B7753DFB}]

@=""

 

[HKEY_CLASSES_ROOT\CLSID\{944A220B-F02D-41DD-806A-B1D8B7753DFB}\Implemented Categories]

@=""

 

[HKEY_CLASSES_ROOT\CLSID\{944A220B-F02D-41DD-806A-B1D8B7753DFB}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

@=""

 

[HKEY_CLASSES_ROOT\CLSID\{944A220B-F02D-41DD-806A-B1D8B7753DFB}\InprocServer32]

@="C:\\WINDOWS\\system32\\rypwsx.dll"

"ThreadingModel"="Apartment"

 

Windows Registry Editor Version 5.00

 

[HKEY_CLASSES_ROOT\CLSID\{67965746-42A9-4278-A4BA-44B5EF2E7B1E}]

@=""

 

[HKEY_CLASSES_ROOT\CLSID\{67965746-42A9-4278-A4BA-44B5EF2E7B1E}\Implemented Categories]

@=""

 

[HKEY_CLASSES_ROOT\CLSID\{67965746-42A9-4278-A4BA-44B5EF2E7B1E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

@=""

 

[HKEY_CLASSES_ROOT\CLSID\{67965746-42A9-4278-A4BA-44B5EF2E7B1E}\InprocServer32]

@="C:\\WINDOWS\\system32\\pfwave.dll"

"ThreadingModel"="Apartment"

 

**********************************************************************************

Files Found are not all bad files:

Locate .tmp files:

**********************************************************************************

Directory Listing of system files:

Le volume dans le lecteur C n'a pas de nom.

Le numéro de série du volume est 6062-82C8

 

Répertoire de C:\WINDOWS\System32

 

25/08/2005 18:29 417 792 pfwave.dll

25/08/2005 17:14 417 792 mhjter40.dll

25/08/2005 14:13 417 792 mmafd.dll

25/08/2005 10:10 417 792 dqnlobby.dll

25/08/2005 00:48 417 792 CHMCAT.DLL

25/08/2005 00:02 417 792 iass.dll

24/08/2005 23:52 417 792 WA5Inf32.DLL

24/08/2005 23:34 417 792 cigwin1.dll

24/08/2005 23:29 417 792 lkcmgr10.dll

24/08/2005 22:58 417 792 SjmpleRegistry.dll

24/08/2005 22:29 417 792 ksdest.dll

24/08/2005 21:21 417 792 kmdur.dll

24/08/2005 20:54 417 792 kydic.dll

24/08/2005 20:46 417 792 fZultrep.dll

24/08/2005 20:22 417 792 mogentr.dll

24/08/2005 20:18 417 792 wdvcore.dll

24/08/2005 19:57 417 792 qjap.dll

23/08/2005 13:00 <REP> dllcache

23/08/2005 11:14 11 270 KGyGaAvL.sys

21/08/2005 12:16 417 792 ivsecsvc.dll

11/08/2005 02:46 417 792 duloader.dll

11/08/2005 01:56 417 792 ovecnv32.dll

10/08/2005 19:39 417 792 rypwsx.dll

10/08/2005 19:27 417 792 guard.tmp

10/08/2005 12:16 417 792 cwyptdlg.dll

02/01/2005 18:46 <REP> Microsoft

24 fichier(s) 9 620 486 octets

2 Rép(s) 11 164 468 224 octets libres

 

 

 

What do I do next?
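A defender-side triage of the two telltale sections in the L2MFix find log above (the Winlogon\Notify export and the System32 listing), as an added example that is not part of this thread or of L2MFix itself: it flags Notify subkeys outside the known XP SP2 set (taken from the clean export posted later in the thread) and clusters listed files by identical byte size, then cross-checks the two. The sample lines are constructed from the log.

```python
"""Triage of an L2MFix 'find' log for the Look2Me pattern (added example,
not part of the thread or of L2MFix). Input is the pasted log text: the
Winlogon\\Notify .reg export and the French 'dir' listing of System32."""
import re
from collections import defaultdict

# Notify subkeys present in the clean export posted later in this thread (XP SP2).
KNOWN_NOTIFY_SUBKEYS = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon", "wzcnotif",
}
NOTIFY_PREFIX = r"\software\microsoft\windows nt\currentversion\winlogon\notify"

# 'dir' line: date, time, size (French thousands separator may be a space,
# an NBSP, or 0xFF when CP850 console output is pasted as Latin-1), file name.
DIR_LINE = re.compile(
    r"^\s*(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2})\s+([\d\s\xa0\xff]+)\s+(\S+)\s*$")


def suspicious_notify_dlls(reg_text):
    """Return {subkey: dll path or None} for Notify subkeys outside the known set.

    A subkey is flagged as soon as its header is seen, so an unknown entry whose
    DllName is stored as hex(2) (REG_EXPAND_SZ) is still reported, with None.
    """
    findings, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        header = re.match(r"\[HKEY_LOCAL_MACHINE(.*)\]$", line, re.I)
        if header:
            path = header.group(1).lower()
            current = None
            if path.startswith(NOTIFY_PREFIX + "\\"):
                current = path[len(NOTIFY_PREFIX) + 1:]
                if current not in KNOWN_NOTIFY_SUBKEYS:
                    findings.setdefault(current, None)
            continue
        value = re.match(r'"DllName"="(.*)"$', line, re.I)
        if value and current in findings:
            # .reg files double every backslash; undo that for the path
            findings[current] = value.group(1).replace("\\\\", "\\")
    return findings


def same_size_clusters(listing_text, min_count=3):
    """Group listed files by byte size; keep sizes seen min_count or more times."""
    by_size = defaultdict(list)
    for line in listing_text.splitlines():
        m = DIR_LINE.match(line)
        if not m:
            continue  # <REP> directories, headers and totals do not match
        size = int(re.sub(r"\D", "", m.group(3)))
        by_size[size].append(m.group(4))
    return {size: names for size, names in by_size.items() if len(names) >= min_count}


def triage(reg_text, listing_text):
    """Cross-check both signals: an unknown Notify DLL whose file sits in a
    same-size cluster is the strongest indication in this kind of log."""
    notify = suspicious_notify_dlls(reg_text)
    clusters = same_size_clusters(listing_text)
    clustered = {n.lower() for names in clusters.values() for n in names}
    corroborated = {k: v for k, v in notify.items()
                    if v and v.rsplit("\\", 1)[-1].lower() in clustered}
    return {"notify": notify, "clusters": clusters, "corroborated": corroborated}


# Constructed sample lines, modelled on the log pasted in this thread.
SAMPLE_REG = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify]
"DllName"=""

[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\NetCache]
"Asynchronous"=dword:00000000
"DllName"="C:\\\\WINDOWS\\\\system32\\\\cwyptdlg.dll"
"Impersonate"=dword:00000000

[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\cscdll]
"DLLName"="cscdll.dll"
"""

SAMPLE_DIR = """ Répertoire de C:\\WINDOWS\\System32

25/08/2005 18:29 417 792 pfwave.dll
25/08/2005 17:14 417 792 mhjter40.dll
25/08/2005 14:13 417\xff792 mmafd.dll
10/08/2005 12:16 417\xa0792 cwyptdlg.dll
10/08/2005 19:27 417 792 guard.tmp
23/08/2005 13:00 <REP> dllcache
23/08/2005 11:14 11 270 KGyGaAvL.sys
02/01/2005 18:46 <REP> Microsoft
24 fichier(s) 9 620 486 octets
"""

if __name__ == "__main__":
    for section, result in triage(SAMPLE_REG, SAMPLE_DIR).items():
        print(section, result)
```

The known-good set is specific to XP SP2; on another Windows build, take it from a clean machine of the same build before trusting the "unknown subkey" signal.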

Posted

Quote: No yanou, it's in the second one that you see whether the utility has done its work.

OK, I reinstalled L2MFIX, perfect, it did what you wrote.

There's a whole bunch of stuff :P

 

 

L2Mfix 1.04

 

Running From:

C:\Documents and Settings\Administrateur\Bureau\l2mfix

 

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:

(NI) ALLOW Full access AUTORITE NT\SYSTEM

(IO) ALLOW Full access AUTORITE NT\SYSTEM

(NI) ALLOW Full access AUTORITE NT\SYSTEM

(IO) ALLOW Full access AUTORITE NT\SYSTEM

(ID-NI) ALLOW Read BUILTIN\Utilisateurs

(ID-IO) ALLOW Read BUILTIN\Utilisateurs

(ID-NI) ALLOW Read BUILTIN\Utilisateurs avec pouvoir

(ID-IO) ALLOW Read BUILTIN\Utilisateurs avec pouvoir

(ID-NI) ALLOW Full access BUILTIN\Administrateurs

(ID-IO) ALLOW Full access BUILTIN\Administrateurs

(ID-NI) ALLOW Full access AUTORITE NT\SYSTEM

(ID-IO) ALLOW Full access AUTORITE NT\SYSTEM

(ID-IO) ALLOW Full access CREATEUR PROPRIETAIRE

 

 

 

Setting registry permissions:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

 

Denying C(CI) access for predefined group "Administrators"

- adding new ACCESS DENY entry

 

 

Registry Permissions set too:

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:

(CI) DENY --C------- BUILTIN\Administrateurs

(NI) ALLOW Full access AUTORITE NT\SYSTEM

(IO) ALLOW Full access AUTORITE NT\SYSTEM

(NI) ALLOW Full access AUTORITE NT\SYSTEM

(IO) ALLOW Full access AUTORITE NT\SYSTEM

(ID-NI) ALLOW Read BUILTIN\Utilisateurs

(ID-IO) ALLOW Read BUILTIN\Utilisateurs

(ID-NI) ALLOW Read BUILTIN\Utilisateurs avec pouvoir

(ID-IO) ALLOW Read BUILTIN\Utilisateurs avec pouvoir

(ID-NI) ALLOW Full access BUILTIN\Administrateurs

(ID-IO) ALLOW Full access BUILTIN\Administrateurs

(ID-NI) ALLOW Full access AUTORITE NT\SYSTEM

(ID-IO) ALLOW Full access AUTORITE NT\SYSTEM

(ID-IO) ALLOW Full access CREATEUR PROPRIETAIRE

 

 

 

Setting up for Reboot

 

 

Starting Reboot!

 

C:\Documents and Settings\Administrateur\Bureau\l2mfix

System Rebooted!

 

Running From:

C:\Documents and Settings\Administrateur\Bureau\l2mfix

 

killing explorer and rundll32.exe

 

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03

Copyright© 2002-2003 Craig.Peacock@beyondlogic.org

Killing PID 1228 'explorer.exe'

 

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03

Copyright© 2002-2003 Craig.Peacock@beyondlogic.org

Killing PID 896 'rundll32.exe'

Killing PID 1876 'rundll32.exe'

 

Scanning First Pass. Please Wait!

 

First Pass Completed

 

Second Pass Scanning

 

Second pass Completed!

Backing Up: C:\WINDOWS\system32\CHMCAT.DLL

1 fichier(s) copié(s).

Backing Up: C:\WINDOWS\system32\CHMCAT.DLL

1 fichier(s) copié(s).

Backing Up: C:\WINDOWS\system32\cigwin1.dll

1 fichier(s) copié(s).

Backing Up: C:\WINDOWS\system32\cigwin1.dll

1 fichier(s) copié(s).

Backing Up: C:\WINDOWS\system32\cwyptdlg.dll

1 fichier(s) copié(s).

Backing Up: C:\WINDOWS\system32\cwyptdlg.dll

1 fichier(s) copié(s).

Backing Up: C:\WINDOWS\system32\dqnlobby.dll

1 fichier(s) copié(s).

Backing Up: C:\WINDOWS\system32\dqnlobby.dll

1 fichier(s) copié(s).

Backing Up: C:\WINDOWS\system32\duloader.dll

1 fichier(s) copié(s).

Backing Up: C:\WINDOWS\system32\duloader.dll

1 fichier(s) copié(s).

Backing Up: C:\WINDOWS\system32\fZultrep.dll

1 fichier(s) copié(s).

Backing Up: C:\WINDOWS\system32\fZultrep.dll

1 fichier(s) copié(s).

Backing Up: C:\WINDOWS\system32\iass.dll

1 fichier(s) copié(s).

Backing Up: C:\WINDOWS\system32\iass.dll

1 fichier(s) copié(s).

Backing Up: C:\WINDOWS\system32\ivsecsvc.dll

1 fichier(s) copié(s).

Backing Up: C:\WINDOWS\system32\ivsecsvc.dll

1 fichier(s) copié(s).

Backing Up: C:\WINDOWS\system32\kmdur.dll

1 fichier(s) copié(s).

Backing Up: C:\WINDOWS\system32\kmdur.dll

1 fichier(s) copié(s).

Backing Up: C:\WINDOWS\system32\ksdest.dll

1 fichier(s) copié(s).

Backing Up: C:\WINDOWS\system32\ksdest.dll

1 fichier(s) copié(s).

Backing Up: C:\WINDOWS\system32\kydic.dll

1 fichier(s) copié(s).

Backing Up: C:\WINDOWS\system32\kydic.dll

1 fichier(s) copié(s).

Backing Up: C:\WINDOWS\system32\lkcmgr10.dll

1 fichier(s) copié(s).

Backing Up: C:\WINDOWS\system32\lkcmgr10.dll

1 fichier(s) copié(s).

Backing Up: C:\WINDOWS\system32\mhjter40.dll

1 fichier(s) copié(s).

Backing Up: C:\WINDOWS\system32\mhjter40.dll

1 fichier(s) copié(s).

Backing Up: C:\WINDOWS\system32\mmafd.dll

1 fichier(s) copié(s).

Backing Up: C:\WINDOWS\system32\mmafd.dll

1 fichier(s) copié(s).

Backing Up: C:\WINDOWS\system32\mogentr.dll

1 fichier(s) copié(s).

Backing Up: C:\WINDOWS\system32\mogentr.dll

1 fichier(s) copié(s).

Backing Up: C:\WINDOWS\system32\ovecnv32.dll

1 fichier(s) copié(s).

Backing Up: C:\WINDOWS\system32\ovecnv32.dll

1 fichier(s) copié(s).

Backing Up: C:\WINDOWS\system32\pfwave.dll

1 fichier(s) copié(s).

Backing Up: C:\WINDOWS\system32\pfwave.dll

1 fichier(s) copié(s).

Backing Up: C:\WINDOWS\system32\qjap.dll

1 fichier(s) copié(s).

Backing Up: C:\WINDOWS\system32\qjap.dll

1 fichier(s) copié(s).

Backing Up: C:\WINDOWS\system32\rypwsx.dll

1 fichier(s) copié(s).

Backing Up: C:\WINDOWS\system32\rypwsx.dll

1 fichier(s) copié(s).

Backing Up: C:\WINDOWS\system32\SjmpleRegistry.dll

1 fichier(s) copié(s).

Backing Up: C:\WINDOWS\system32\SjmpleRegistry.dll

1 fichier(s) copié(s).

Backing Up: C:\WINDOWS\system32\smcbase.dll

1 fichier(s) copié(s).

Backing Up: C:\WINDOWS\system32\smcbase.dll

1 fichier(s) copié(s).

Backing Up: C:\WINDOWS\system32\WA5Inf32.DLL

1 fichier(s) copié(s).

Backing Up: C:\WINDOWS\system32\WA5Inf32.DLL

1 fichier(s) copié(s).

Backing Up: C:\WINDOWS\system32\wdvcore.dll

1 fichier(s) copié(s).

Backing Up: C:\WINDOWS\system32\wdvcore.dll

1 fichier(s) copié(s).

Backing Up: C:\WINDOWS\system32\guard.tmp

1 fichier(s) copié(s).

Backing Up: C:\WINDOWS\system32\guard.tmp

1 fichier(s) copié(s).

deleting: C:\WINDOWS\system32\CHMCAT.DLL

Successfully Deleted: C:\WINDOWS\system32\CHMCAT.DLL

deleting: C:\WINDOWS\system32\CHMCAT.DLL

Successfully Deleted: C:\WINDOWS\system32\CHMCAT.DLL

deleting: C:\WINDOWS\system32\cigwin1.dll

Successfully Deleted: C:\WINDOWS\system32\cigwin1.dll

deleting: C:\WINDOWS\system32\cigwin1.dll

Successfully Deleted: C:\WINDOWS\system32\cigwin1.dll

deleting: C:\WINDOWS\system32\cwyptdlg.dll

Successfully Deleted: C:\WINDOWS\system32\cwyptdlg.dll

deleting: C:\WINDOWS\system32\cwyptdlg.dll

Successfully Deleted: C:\WINDOWS\system32\cwyptdlg.dll

deleting: C:\WINDOWS\system32\dqnlobby.dll

Successfully Deleted: C:\WINDOWS\system32\dqnlobby.dll

deleting: C:\WINDOWS\system32\dqnlobby.dll

Successfully Deleted: C:\WINDOWS\system32\dqnlobby.dll

deleting: C:\WINDOWS\system32\duloader.dll

Successfully Deleted: C:\WINDOWS\system32\duloader.dll

deleting: C:\WINDOWS\system32\duloader.dll

Successfully Deleted: C:\WINDOWS\system32\duloader.dll

deleting: C:\WINDOWS\system32\fZultrep.dll

Successfully Deleted: C:\WINDOWS\system32\fZultrep.dll

deleting: C:\WINDOWS\system32\fZultrep.dll

Successfully Deleted: C:\WINDOWS\system32\fZultrep.dll

deleting: C:\WINDOWS\system32\iass.dll

Successfully Deleted: C:\WINDOWS\system32\iass.dll

deleting: C:\WINDOWS\system32\iass.dll

Successfully Deleted: C:\WINDOWS\system32\iass.dll

deleting: C:\WINDOWS\system32\ivsecsvc.dll

Successfully Deleted: C:\WINDOWS\system32\ivsecsvc.dll

deleting: C:\WINDOWS\system32\ivsecsvc.dll

Successfully Deleted: C:\WINDOWS\system32\ivsecsvc.dll

deleting: C:\WINDOWS\system32\kmdur.dll

Successfully Deleted: C:\WINDOWS\system32\kmdur.dll

deleting: C:\WINDOWS\system32\kmdur.dll

Successfully Deleted: C:\WINDOWS\system32\kmdur.dll

deleting: C:\WINDOWS\system32\ksdest.dll

Successfully Deleted: C:\WINDOWS\system32\ksdest.dll

deleting: C:\WINDOWS\system32\ksdest.dll

Successfully Deleted: C:\WINDOWS\system32\ksdest.dll

deleting: C:\WINDOWS\system32\kydic.dll

Successfully Deleted: C:\WINDOWS\system32\kydic.dll

deleting: C:\WINDOWS\system32\kydic.dll

Successfully Deleted: C:\WINDOWS\system32\kydic.dll

deleting: C:\WINDOWS\system32\lkcmgr10.dll

Successfully Deleted: C:\WINDOWS\system32\lkcmgr10.dll

deleting: C:\WINDOWS\system32\lkcmgr10.dll

Successfully Deleted: C:\WINDOWS\system32\lkcmgr10.dll

deleting: C:\WINDOWS\system32\mhjter40.dll

Successfully Deleted: C:\WINDOWS\system32\mhjter40.dll

deleting: C:\WINDOWS\system32\mhjter40.dll

Successfully Deleted: C:\WINDOWS\system32\mhjter40.dll

deleting: C:\WINDOWS\system32\mmafd.dll

Successfully Deleted: C:\WINDOWS\system32\mmafd.dll

deleting: C:\WINDOWS\system32\mmafd.dll

Successfully Deleted: C:\WINDOWS\system32\mmafd.dll

deleting: C:\WINDOWS\system32\mogentr.dll

Successfully Deleted: C:\WINDOWS\system32\mogentr.dll

deleting: C:\WINDOWS\system32\mogentr.dll

Successfully Deleted: C:\WINDOWS\system32\mogentr.dll

deleting: C:\WINDOWS\system32\ovecnv32.dll

Successfully Deleted: C:\WINDOWS\system32\ovecnv32.dll

deleting: C:\WINDOWS\system32\ovecnv32.dll

Successfully Deleted: C:\WINDOWS\system32\ovecnv32.dll

deleting: C:\WINDOWS\system32\pfwave.dll

Successfully Deleted: C:\WINDOWS\system32\pfwave.dll

deleting: C:\WINDOWS\system32\pfwave.dll

Successfully Deleted: C:\WINDOWS\system32\pfwave.dll

deleting: C:\WINDOWS\system32\qjap.dll

Successfully Deleted: C:\WINDOWS\system32\qjap.dll

deleting: C:\WINDOWS\system32\qjap.dll

Successfully Deleted: C:\WINDOWS\system32\qjap.dll

deleting: C:\WINDOWS\system32\rypwsx.dll

Successfully Deleted: C:\WINDOWS\system32\rypwsx.dll

deleting: C:\WINDOWS\system32\rypwsx.dll

Successfully Deleted: C:\WINDOWS\system32\rypwsx.dll

deleting: C:\WINDOWS\system32\SjmpleRegistry.dll

Successfully Deleted: C:\WINDOWS\system32\SjmpleRegistry.dll

deleting: C:\WINDOWS\system32\SjmpleRegistry.dll

Successfully Deleted: C:\WINDOWS\system32\SjmpleRegistry.dll

deleting: C:\WINDOWS\system32\smcbase.dll

Successfully Deleted: C:\WINDOWS\system32\smcbase.dll

deleting: C:\WINDOWS\system32\smcbase.dll

Successfully Deleted: C:\WINDOWS\system32\smcbase.dll

deleting: C:\WINDOWS\system32\WA5Inf32.DLL

Successfully Deleted: C:\WINDOWS\system32\WA5Inf32.DLL

deleting: C:\WINDOWS\system32\WA5Inf32.DLL

Successfully Deleted: C:\WINDOWS\system32\WA5Inf32.DLL

deleting: C:\WINDOWS\system32\wdvcore.dll

Successfully Deleted: C:\WINDOWS\system32\wdvcore.dll

deleting: C:\WINDOWS\system32\wdvcore.dll

Successfully Deleted: C:\WINDOWS\system32\wdvcore.dll

deleting: C:\WINDOWS\system32\guard.tmp

Successfully Deleted: C:\WINDOWS\system32\guard.tmp

deleting: C:\WINDOWS\system32\guard.tmp

Successfully Deleted: C:\WINDOWS\system32\guard.tmp

 

Desktop.ini sucessfully removed

 

 

Zipping up files for submission:

adding: CHMCAT.DLL (164 bytes security) (deflated 48%)

adding: cigwin1.dll (164 bytes security) (deflated 48%)

adding: cwyptdlg.dll (164 bytes security) (deflated 48%)

adding: dqnlobby.dll (164 bytes security) (deflated 48%)

adding: duloader.dll (164 bytes security) (deflated 48%)

adding: fZultrep.dll (164 bytes security) (deflated 48%)

adding: iass.dll (164 bytes security) (deflated 48%)

adding: ivsecsvc.dll (164 bytes security) (deflated 48%)

adding: kmdur.dll (164 bytes security) (deflated 48%)

adding: ksdest.dll (164 bytes security) (deflated 48%)

adding: kydic.dll (164 bytes security) (deflated 48%)

adding: lkcmgr10.dll (164 bytes security) (deflated 48%)

adding: mhjter40.dll (164 bytes security) (deflated 48%)

adding: mmafd.dll (164 bytes security) (deflated 48%)

adding: mogentr.dll (164 bytes security) (deflated 48%)

adding: ovecnv32.dll (164 bytes security) (deflated 48%)

adding: pfwave.dll (164 bytes security) (deflated 48%)

adding: qjap.dll (164 bytes security) (deflated 48%)

adding: rypwsx.dll (164 bytes security) (deflated 48%)

adding: SjmpleRegistry.dll (164 bytes security) (deflated 48%)

adding: smcbase.dll (164 bytes security) (deflated 48%)

adding: WA5Inf32.DLL (164 bytes security) (deflated 48%)

adding: wdvcore.dll (164 bytes security) (deflated 48%)

adding: guard.tmp (164 bytes security) (deflated 48%)

adding: clear.reg (164 bytes security) (deflated 2%)

adding: echo.reg (164 bytes security) (deflated 10%)

adding: desktop.ini (164 bytes security) (stored 0%)

adding: direct.txt (164 bytes security) (stored 0%)

adding: lo2.txt (164 bytes security) (deflated 89%)

adding: readme.txt (164 bytes security) (deflated 52%)

adding: test.txt (164 bytes security) (deflated 89%)

adding: test2.txt (164 bytes security) (stored 0%)

adding: test3.txt (164 bytes security) (stored 0%)

adding: test5.txt (164 bytes security) (stored 0%)

adding: xfind.txt (164 bytes security) (deflated 85%)

adding: backregs/notibac.reg (164 bytes security) (deflated 87%)

adding: backregs/shell.reg (164 bytes security) (deflated 63%)

 

Restoring Registry Permissions:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

 

Revoking access for predefined group "Administrators"

Inherited ACE can not be revoked here!

Inherited ACE can not be revoked here!

 

 

Registry permissions set too:

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:

(NI) ALLOW Full access AUTORITE NT\SYSTEM

(IO) ALLOW Full access AUTORITE NT\SYSTEM

(NI) ALLOW Full access AUTORITE NT\SYSTEM

(IO) ALLOW Full access AUTORITE NT\SYSTEM

(ID-NI) ALLOW Read BUILTIN\Utilisateurs

(ID-IO) ALLOW Read BUILTIN\Utilisateurs

(ID-NI) ALLOW Read BUILTIN\Utilisateurs avec pouvoir

(ID-IO) ALLOW Read BUILTIN\Utilisateurs avec pouvoir

(ID-NI) ALLOW Full access BUILTIN\Administrateurs

(ID-IO) ALLOW Full access BUILTIN\Administrateurs

(ID-NI) ALLOW Full access AUTORITE NT\SYSTEM

(ID-IO) ALLOW Full access AUTORITE NT\SYSTEM

(ID-IO) ALLOW Full access CREATEUR PROPRIETAIRE

 

 

Restoring Sedebugprivilege:

 

Granting SeDebugPrivilege to Administrators ... failed (GetAccountSid(Administrators)=1332

 

Restoring Windows Update Certificates.:

 

deleting local copy: CHMCAT.DLL

deleting local copy: CHMCAT.DLL

deleting local copy: cigwin1.dll

deleting local copy: cigwin1.dll

deleting local copy: cwyptdlg.dll

deleting local copy: cwyptdlg.dll

deleting local copy: dqnlobby.dll

deleting local copy: dqnlobby.dll

deleting local copy: duloader.dll

deleting local copy: duloader.dll

deleting local copy: fZultrep.dll

deleting local copy: fZultrep.dll

deleting local copy: iass.dll

deleting local copy: iass.dll

deleting local copy: ivsecsvc.dll

deleting local copy: ivsecsvc.dll

deleting local copy: kmdur.dll

deleting local copy: kmdur.dll

deleting local copy: ksdest.dll

deleting local copy: ksdest.dll

deleting local copy: kydic.dll

deleting local copy: kydic.dll

deleting local copy: lkcmgr10.dll

deleting local copy: lkcmgr10.dll

deleting local copy: mhjter40.dll

deleting local copy: mhjter40.dll

deleting local copy: mmafd.dll

deleting local copy: mmafd.dll

deleting local copy: mogentr.dll

deleting local copy: mogentr.dll

deleting local copy: ovecnv32.dll

deleting local copy: ovecnv32.dll

deleting local copy: pfwave.dll

deleting local copy: pfwave.dll

deleting local copy: qjap.dll

deleting local copy: qjap.dll

deleting local copy: rypwsx.dll

deleting local copy: rypwsx.dll

deleting local copy: SjmpleRegistry.dll

deleting local copy: SjmpleRegistry.dll

deleting local copy: smcbase.dll

deleting local copy: smcbase.dll

deleting local copy: WA5Inf32.DLL

deleting local copy: WA5Inf32.DLL

deleting local copy: wdvcore.dll

deleting local copy: wdvcore.dll

deleting local copy: guard.tmp

deleting local copy: guard.tmp

 

The following Is the Current Export of the Winlogon notify key:

****************************************************************************

Windows Registry Editor Version 5.00

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\

6c,00,00,00

"Logoff"="ChainWlxLogoffEvent"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\

6c,00,6c,00,00,00

"Logoff"="CryptnetWlxLogoffEvent"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]

"DLLName"="cscdll.dll"

"Logon"="WinlogonLogonEvent"

"Logoff"="WinlogonLogoffEvent"

"ScreenSaver"="WinlogonScreenSaverEvent"

"Startup"="WinlogonStartupEvent"

"Shutdown"="WinlogonShutdownEvent"

"StartShell"="WinlogonStartShellEvent"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]

"DLLName"="wlnotify.dll"

"Logon"="SCardStartCertProp"

"Logoff"="SCardStopCertProp"

"Lock"="SCardSuspendCertProp"

"Unlock"="SCardResumeCertProp"

"Enabled"=dword:00000001

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]

"Asynchronous"=dword:00000000

"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\

6c,00,6c,00,00,00

"Impersonate"=dword:00000000

"StartShell"="SchedStartShell"

"Logoff"="SchedEventLogOff"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]

"Logoff"="WLEventLogoff"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\

6c,00,6c,00,00,00

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]

"DLLName"="WlNotify.dll"

"Lock"="SensLockEvent"

"Logon"="SensLogonEvent"

"Logoff"="SensLogoffEvent"

"Safe"=dword:00000001

"MaxWait"=dword:00000258

"StartScreenSaver"="SensStartScreenSaverEvent"

"StopScreenSaver"="SensStopScreenSaverEvent"

"Startup"="SensStartupEvent"

"Shutdown"="SensShutdownEvent"

"StartShell"="SensStartShellEvent"

"PostShell"="SensPostShellEvent"

"Disconnect"="SensDisconnectEvent"

"Reconnect"="SensReconnectEvent"

"Unlock"="SensUnlockEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]

"Asynchronous"=dword:00000000

"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\

6c,00,6c,00,00,00

"Impersonate"=dword:00000000

"Logoff"="TSEventLogoff"

"Logon"="TSEventLogon"

"PostShell"="TSEventPostShell"

"Shutdown"="TSEventShutdown"

"StartShell"="TSEventStartShell"

"Startup"="TSEventStartup"

"MaxWait"=dword:00000258

"Reconnect"="TSEventReconnect"

"Disconnect"="TSEventDisconnect"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]

"DLLName"="wlnotify.dll"

"Logon"="RegisterTicketExpiredNotificationEvent"

"Logoff"="UnregisterTicketExpiredNotificationEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]

"DLLName"="wzcdlg.dll"

"Logon"="WZCEventLogon"

"Logoff"="WZCEventLogoff"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000000

 

 

The following are the files found:

****************************************************************************

C:\WINDOWS\system32\CHMCAT.DLL

C:\WINDOWS\system32\CHMCAT.DLL

C:\WINDOWS\system32\cigwin1.dll

C:\WINDOWS\system32\cigwin1.dll

C:\WINDOWS\system32\cwyptdlg.dll

C:\WINDOWS\system32\cwyptdlg.dll

C:\WINDOWS\system32\dqnlobby.dll

C:\WINDOWS\system32\dqnlobby.dll

C:\WINDOWS\system32\duloader.dll

C:\WINDOWS\system32\duloader.dll

C:\WINDOWS\system32\fZultrep.dll

C:\WINDOWS\system32\fZultrep.dll

C:\WINDOWS\system32\iass.dll

C:\WINDOWS\system32\iass.dll

C:\WINDOWS\system32\ivsecsvc.dll

C:\WINDOWS\system32\ivsecsvc.dll

C:\WINDOWS\system32\kmdur.dll

C:\WINDOWS\system32\kmdur.dll

C:\WINDOWS\system32\ksdest.dll

C:\WINDOWS\system32\ksdest.dll

C:\WINDOWS\system32\kydic.dll

C:\WINDOWS\system32\kydic.dll

C:\WINDOWS\system32\lkcmgr10.dll

C:\WINDOWS\system32\lkcmgr10.dll

C:\WINDOWS\system32\mhjter40.dll

C:\WINDOWS\system32\mhjter40.dll

C:\WINDOWS\system32\mmafd.dll

C:\WINDOWS\system32\mmafd.dll

C:\WINDOWS\system32\mogentr.dll

C:\WINDOWS\system32\mogentr.dll

C:\WINDOWS\system32\ovecnv32.dll

C:\WINDOWS\system32\ovecnv32.dll

C:\WINDOWS\system32\pfwave.dll

C:\WINDOWS\system32\pfwave.dll

C:\WINDOWS\system32\qjap.dll

C:\WINDOWS\system32\qjap.dll

C:\WINDOWS\system32\rypwsx.dll

C:\WINDOWS\system32\rypwsx.dll

C:\WINDOWS\system32\SjmpleRegistry.dll

C:\WINDOWS\system32\SjmpleRegistry.dll

C:\WINDOWS\system32\smcbase.dll

C:\WINDOWS\system32\smcbase.dll

C:\WINDOWS\system32\WA5Inf32.DLL

C:\WINDOWS\system32\WA5Inf32.DLL

C:\WINDOWS\system32\wdvcore.dll

C:\WINDOWS\system32\wdvcore.dll

C:\WINDOWS\system32\guard.tmp

C:\WINDOWS\system32\guard.tmp

 

Registry Entries that were Deleted:

Please verify that the listing looks ok.

If there was something deleted wrongly there are backups in the backreg folder.

****************************************************************************

REGEDIT4

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

REGEDIT4

 

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

"SV1"=""

****************************************************************************

Desktop.ini Contents:

****************************************************************************

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

****************************************************************************
