
Posted

Hi everyone,

Here is the sequence of events:

I double-click a disreputable exe, then

- Avast warns me that a certain hoaxalrm-k is wreaking havoc

- I kill the launched processes as best I can, notably a c:\windows\tool2.exe, and wipe them from the disk, along with the malicious exe

- Two programs plus Avast were running at that moment: Giganews and iexplore

- Reboot: everything apparently works, except that when I launch Giganews, "the application failed to initialize properly 0xc000000005"; when I launch iexplore, it churns away and then... nothing.

- I remove Giganews and restart: blue screen at shutdown, physical memory dump, a certain driver cert64.sys is mentioned; when I search for it on my disk, I can't find it.

- I uninstall my connection (Livebox), run a full system scan with Avast, nothing; uninstall Avast, reboot, blue screen

- I reinstall my connection, launch Firefox, look up hoaxalarm; not much apart from a page in German, a language I don't really know: http://board.protecus.de/t20153.htm It looks interesting but I don't understand a thing

- I apply the forum's procedure (+ an Ad-Aware run), no real nasties found; here is the HijackThis log:


logfile of HijackThis v1.99.1

Scan saved at 12:25:00, on 14/11/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\hijack\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.clara.net/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Wanadoo

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\Wanadoo\SEARCH~1.DLL (file missing)

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet

O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe

O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: Wanadoo - {1462651F-F4BA-4C76-A001-C4284D0FE16E} - http://www.wanadoo.fr (file missing) (HKCU)

O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.clara.net/

O20 - Winlogon Notify: cert32 - C:\WINloDOWS\SYSTEM32\avpx32.dll

O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE

O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE

O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE

O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom - C:\WINDOWS\System32\FTRTSVC.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professionnel 2005\RpcDataSrv.exe

O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professionnel 2005\RpcSandraSrv.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe


I think Avast was completely, how shall I put it, er, infested?

As for the report, I've never heard of clara.net (R1, O14) or of the iexplore plugin (O12).

There you go.

Well done on your work in any case, and thanks in advance.

Posted

Welcome elsekri,

Download http://www.bleepingcomputer.com/files/regsearch.php

- unzip it into a dedicated folder such as C:\Program Files

- double-click RegSearch.exe

- copy and paste the name of the "malicious program*" Service into the search box and click OK

- after the search, Notepad opens a window with all the instances found

- the file is also saved in the same folder as RegSearch

- copy and paste the contents of the window into a post, here

- close Notepad

- close RegSearch with Cancel

* do this for the following words:

  • avpx32
  • cert64
  • avpx64
  • qy
  • qz

And once the result has been posted, we will start the cleanup.
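
Added example, not part of the thread and not RegSearch's own code: a short Python triage of a RegSearch-style REGEDIT4 export that separates hits where a search word stands alone as a key or file name from hits where it is only buried inside a longer word, which is what short words such as qy mostly produce. The sample export is constructed; its Services\cert64 entry, the value names and the Installer component id are assumptions for illustration.

```python
import re

# Constructed sample in the REGEDIT4 layout RegSearch writes (not real output).
SAMPLE = r'''REGEDIT4

; Registry Search (constructed sample)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.iqy]
@="iqyfile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\iqyfile\Shell]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Components\CONSTRUCTED0001]
"msiquote.iqy"=hex(7):43,38,\
  34,44

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cert32]
"DllName"="C:\\WINDOWS\\SYSTEM32\\avpx32.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cert64]
"ImagePath"="system32\\drivers\\cert64.sys"
'''

# A value line is either the default value (@) or a quoted name, then '='.
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_regsearch(text):
    """Return (key, value_name, data) tuples; value_name is None for key-only hits."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line == "REGEDIT4":
            continue  # blank lines, header and comment lines carry no hits
        if line.startswith("[") and line.endswith("]"):
            records.append([line[1:-1], None, ""])
            continue
        m = VALUE_RE.match(line)
        if m and records:
            name = m.group(1).strip('"')
            if records[-1][1] is None:
                # The key line just before this value was only its context.
                records[-1][1:] = [name, m.group(2)]
            else:
                records.append([records[-1][0], name, m.group(2)])
        elif records and records[-1][1] is not None:
            # Continuation of a wrapped value (hex data ends lines with '\').
            records[-1][2] = records[-1][2].rstrip("\\") + line
    return [tuple(r) for r in records]


def triage(text, terms):
    """Split hits per term into 'token' (stands alone) and 'substring' (embedded)."""
    out = {t: {"token": [], "substring": []} for t in terms}
    for key, name, data in parse_regsearch(text):
        hay = " ".join(part for part in (key, name, data) if part)
        for t in terms:
            # Token hit: the term is not glued to other letters or digits.
            pat = rf"(?<![A-Za-z0-9]){re.escape(t)}(?![A-Za-z0-9])"
            if re.search(pat, hay, re.IGNORECASE):
                out[t]["token"].append(key)
            elif t.lower() in hay.lower():
                out[t]["substring"].append(key)
    return out


if __name__ == "__main__":
    for term, hits in triage(SAMPLE, ["avpx32", "cert64", "qy"]).items():
        print(term, "token:", len(hits["token"]), "substring:", len(hits["substring"]))
        for k in hits["token"]:
            print("   review first:", k)
```

Token hits are the ones to review first; substring-only hits still need a glance, since a loader can hide behind a longer name.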

Posted

Back again,

I was already rummaging around on Bleeping :P

Here is the first log, with cert64, avpx32, avpx64 and qy: (there's a lot in it)


REGEDIT4

 

; Registry Search by Bobbi Flekman

; Version: 1.0.2.1

 

; Results at 14/11/2005 13:54:06 for strings:

; 'avpx32'

; 'cert64'

; 'avpx64'

; 'qy'

; Strings excluded from search:

; (None)

; Search in:

; Registry Keys Registry Values Registry Data

; HKEY_LOCAL_MACHINE HKEY_USERS

 

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dqy]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dqy]

@="dqyfile"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.iqy]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.iqy]

@="iqyfile"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.iqy]

"Content Type"="text/x-ms-iqy"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.oqy]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.oqy]

@="oqyfile"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.rqy]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.rqy]

@="rqyfile"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.rqy]

"Content Type"="text/x-ms-rqy"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dqyfile]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dqyfile\DefaultIcon]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dqyfile\Shell]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dqyfile\Shell\Edit_Query_in_Notepad]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dqyfile\Shell\Edit_Query_in_Notepad\command]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dqyfile\Shell\open]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dqyfile\Shell\open\command]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dqyfile\Shell\open\ddeexec]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dqyfile\Shell\open\ddeexec\Application]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dqyfile\Shell\open\ddeexec\topic]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Components\6AE70DAE671F3D11D83300054038183D]

"msiquote.iqy"=hex(7):43,38,34,44,56,6e,2d,7d,66,28,59,52,5d,65,41,52,36,2e,6a,\

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\iqyfile]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\iqyfile\DefaultIcon]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\iqyfile\Shell]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\iqyfile\Shell\Edit_Query_in_Notepad]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\iqyfile\Shell\Edit_Query_in_Notepad\command]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\iqyfile\Shell\open]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\iqyfile\Shell\open\command]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\iqyfile\Shell\open\ddeexec]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\iqyfile\Shell\open\ddeexec\Application]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\iqyfile\Shell\open\ddeexec\topic]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\text/x-ms-iqy]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\text/x-ms-iqy]

"Extension"=".iqy"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\text/x-ms-rqy]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\text/x-ms-rqy]

"Extension"=".rqy"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\oqyfile]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\oqyfile\DefaultIcon]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\oqyfile\Shell]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\oqyfile\Shell\Edit_Query_in_Notepad]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\oqyfile\Shell\Edit_Query_in_Notepad\command]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\oqyfile\Shell\open]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\oqyfile\Shell\open\command]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\oqyfile\Shell\open\ddeexec]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\oqyfile\Shell\open\ddeexec\Application]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\oqyfile\Shell\open\ddeexec\topic]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\rqyfile]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\rqyfile\DefaultIcon]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\rqyfile\Shell]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\rqyfile\Shell\Edit_Query_in_Notepad]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\rqyfile\Shell\Edit_Query_in_Notepad\command]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\rqyfile\Shell\open]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\rqyfile\Shell\open\command]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\rqyfile\Shell\open\ddeexec]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\rqyfile\Shell\open\ddeexec\Application]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\rqyfile\Shell\open\ddeexec\topic]

 


 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\28427C49BCFE3D118A6E000680F38D3D]

"9040820900063D11C8EF00054038389C"="C:\\Program Files\\Microsoft Office\\Office10\\Queries\\MSN MoneyCentral Investor Stock Quotes.iqy"

 

jkKYC7[bQtA9LzPe){k+sw9DhVd%HaK?6pSPb+M$syk&[G$Wj8cAxOkpLHeI*jUU*C[vU4_ATAfEV7kTlbg2F?nnVbj?tNly^?me~PyD}4-UezW@$Sch12d9M*kvq9X@FTLAWC-%TEh'$)$(*oh)EG,=G]KJ?5(Sf9W.!d'K)Ea8M'geg+q?6zHHRIp0STe8l5H.o*KuZbNfJbzYX_o8wf(H_mKn}'YQVuhdFSO=-[gRLBObQ4iK!8.wO~r?W!=TYSr*^%ZaV%PE~{@@Y_YI`k@tgqL7epF6[6`8mnf3z$%h6hFgrjQEsr&9,t-fpu?2[4`6{Y^XKZm@RmodnIQt@r$K%9biG%8=tQQw609%yon-I0Mk~M=9*2%(tjPQ`rp~1oPlgnXAHyl$1neSvF8Qhl'cHuB?VpJV5O7,(L)mP,m^{[i@fhj9Jy9[q?oE[&kK}Cy8h'6h'To,lIv%41ry5cr=,&vqY+Fmtrj_w,+Gt~!?s{-_qZGbxa3R=@E?'GL@TnRwLW-YFz"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-4036164967-79857088-4218871072-1005\Products\9D5DFC94655073047B6D1EE34DEB4A5C\Features]

"DATA_GAME_SKINS_CAPPUCCINO"="M=w%Eh~lJ9(X~H_^F4tqa8A]Na68c8jt6nMZrT'*Q`'+t5D(w9,OYcw'vs,DH{U'O1$M$AOXRWM5e+c*}cF4&=PK-AjOEU[oWs$1gS3vmlFvC@VhxO'[u4cuL({*C{88J92?Sp9~32Or6^$Xav{[M9~zQCQ[iNL%&}R'Z[7aM@WkB[ec$fgrmWHN(k300=bb+MrG3}v9zi$[Xq}Dz=dGhy?yij(1,W2W5s4dx=W$P*IR@1HM^&+)q@gM,=Mm&vzCj)R,{30m-8@`H998dOP{78M4a9&r.3B`b?r?6Uji0IyJi}0LXGVkJACNJrt8024gb99pB{'wS9a!iGuTN6S@M}.1*+3,I=%MAY_o,5gz[OPKprVXt=z='bGh]sbCWI8-{]z,C?W7Ehy2atXvkTQh_FzmB9!X^xnP=[knc}EIv[swH9e8'9yEc]zIxvbleb6n3=~0^VLG*XfPvV7vAkAd}9Z.Qb8sT!ex3rL7PGa=.=@t`sgTXxWe*%1z8o&[.?Sb6P.gRB7wZ(3MLWtlX8iX*IA8LUYZiNw4YOh$x=NE=op(P9hmCU'1f@Wed8B)~JD'2Qt8)vWLE~w109]q&(K.{ilTC9~1n2O,CA[g?AJf&G!6Zmwd(.]T[8IHBHDJzNEf]]`S6(k4R=n)[)rbeb='Onj}Jx?2V?uLyvKBtkGBpzseW%$$@AjvTJes+iR6ah'?p{0D{=J1*r&W!Bm@+cGCD(6}_8.]8QOR+sLkBW*ez6k@q=0[xC&7R{e6B6jf??+8]@$+ZF`KbK..O09RB~$K]='*W3OnDB-?{!5u's!bj@$ssZv1^'$=LuBJ$1TMl=Eg'~DVdNNd-HXySQPdy=%@$XE'z~c(E7(c&7uY^8bG%S]=RyJGg,wN8`Rf)?-E$whIv(Cj-Vw-7aGSNA23%uYy-P*A4rNcT_kS(9^J.dEL?d2[2{Z}0JVg+?c5REGCx=VDg!2n!%^eK?P$*G?ymNj@}JZU7)j-E9-JIi$%$Ksa(.cD^(%Mw@bNU7s5LbT^]__j'=N4P?9bt.aKNWA=+Ca96=?7)9G]**0LH0qmPm=xUS!H5=zx37=_g55@[im%.'2Tm?XteTD66fbU6)}8bhXNl8SsTCmYGHt.o%l9w-Y&U?CqVJgqTd?n%.W!43t*}=V]?e.egd&!x-bfunKj!A!G?6Me~VMAVPWcW8cYE9sVSKf9g}NsSS'R'kZ-0ApMMGsJ(cdS]aXDDe=!q@mEwOKTE=&*ywdqyvKpb?F1]+X35MCYSmpp_rJYO@OCb?@{b?XU4Xyj3Rf^K=)fPlJb&0~b$ov6],CR3@?WG{Rt_J4&.ZnccDW{V9c,]6H@,W6%]e~zfOpC(Agyn8]Qm5}&,r8)'%%}[8^nW}UD_@*qX'3jIqWjj=o!F1SMijS)Ps7WTx5.}={.8z=*P(PqDk50dAHoDAhlJL)'GhabEft4?DSOd88a2WQaOuV=SIMQtOzm}9AjQKJf.`lI46b[MpO3`9oxmDfDyBK*U3z@=Akcy@ZAkfL,M'5iS&2i=]_+WABkV3h3XA_1`rm}*@yhi=~3lgBkVV'jN+O5`V's09wL6}uxd6hBJ9jvQG)eY9`Tc?W*^e5tm($D[}1uG97VxF8wWog'HiuCEC=e&?V9m7^!57'`Mtt[z!&KA?Lb&uJpsChiO6nk2cux%=T%Ys[.pQIusl%=-*tu*?-LYs,W7QIXKokTtvc@G9J6,tKH,8DJn=H279{Ft@'9DWYg7Zoz`Vi(zb2.a=)^ay+'XE9jyE^CkaKO$=C]$)3?[Cg$w-gX2nxfYAq[5M_hv)@d=iIWDEee0AT[DoWdE}5*Tw,D5H?$e97Pww's00r.Ewz)OC'kI9kJ?kI~&asj'D[vmo4NL?%TDSEYbNGintQ4Vp.1WAT~_I-Eq2w4XbAgR[d&I9)i)jL[~KSHy_PajjO0y8f$AmGeBWEE]c[TrLgGK?PO=d`htaI`uY?24,Mrk9
CKW%WLS}trD9TVI?8Q+=bie!tvI,0.)S3{pZU{J?y93Fyq+-te{IVb_j-?WA0k6IsQiD6rj+BcJ!1yL=i=%HBDFZmn^gQ$XVUhb9,p-q&__T%gin95=(z)c?7Lvb.Igo)XH]A9G}=1Y?riR,T63hQx2sgU*068}@P55q%0!h%yOzxb`kFBg?5%+Ya7][+G&uu+,}l@'AwUQY'Dz4stnOyMP9P,B9gz}su.zJaMt&=8&'LaZ@ONwA[$9BUxn)M5CR=2C9&]Ang]@ibE4I^IBNKD}8Cb.fn2}]IwD'y9DfC~Y=QEK?'h(q*AcMEZ@Vx$Q@&DwpfQ!TJ_ysGX*gI'z?.-TLU!Ol}c0KHWRLuy*@C?VK_*3kB1ukeu_rPJ?98i-Lt3,JS9)8fvzuI]P91Sz-zj%ZPX0Ll%kH=!d@[pUXW7{8oh4]ryBXsEt=l5bC1ajOl[DC3{N8sl+9eDK??-q%hp!og3UDsC&@DLrY?)Q48&VO8&]_(mN=b`v=$A_MT=0~Y]LXsEB9.ytJLf5cRR[l@h,JRCd@4aTT%C!YTwc{k+,^JK[@41Utg~)&TEMCM'5fqlA=H8r`^OdVQfUYZ{o7fgA=HNp!)`hI&43p%GJvkqs?QbGD^&@NQy2aTGg_]}f8UggS0ekNt.Rut&Bgkj5=0QoRobFf!c"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-4036164967-79857088-4218871072-1005\Products\FF41E933CDF89084AA2F78AB2209C5F7\Features]

"InstallManagedDX"=")qMARNvz5=bOe]jtsB8+I02=3-p'`=X]Uwt.NXQc@gF_Hvl3bAsxo7Y+8j9{bHQtWrc(u=OAQNgs?FD1JFgE-0PQy=cHY[ZehPMNJT[Pdi&NX8_J?_OR@_jt%_SF69,o`9fU.%){q](tv``V0b4VJ9mx8Nh.hPL[@ERvJv{dbArc]0WF]*j*5&CFnk.P`9tJ$u68yh0lr.Y2Uch7m?zgfkmp'w%jD.aiPr_H19v,$]]1]bNbpfauM3n-m?0h.Hx}Z{]=_][jV-[d^83AE'!.k!3Y1bXy*_dct9y5i,O~*DZlQERXjf&-!=Y?o,BLKWvodQDD4Ivhu@gKcCFjR!-l"

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\cert64.sys]

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\cert64.sys]

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CERT64]

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CERT64\0000]

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CERT64\0000]

"Service"="cert64"

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CERT64\0000]

"DeviceDesc"="cert64 TCP"

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CERT64\0000\Control]

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CERT64\0000\Control]

"ActiveService"="cert64"

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cert64]

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cert64]

"DisplayName"="cert64 TCP"

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cert64\Security]

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cert64\Enum]

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cert64\Enum]

"0"="Root\\LEGACY_CERT64\\0000"

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Minimal\cert64.sys]

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Network\cert64.sys]

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CERT64]

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CERT64\0000]

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CERT64\0000]

"Service"="cert64"

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CERT64\0000]

"DeviceDesc"="cert64 TCP"

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cert64]

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cert64]

"DisplayName"="cert64 TCP"

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cert64\Security]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\cert64.sys]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\cert64.sys]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CERT64]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CERT64\0000]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CERT64\0000]

"Service"="cert64"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CERT64\0000]

"DeviceDesc"="cert64 TCP"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CERT64\0000\Control]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CERT64\0000\Control]

"ActiveService"="cert64"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cert64]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cert64]

"DisplayName"="cert64 TCP"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cert64\Security]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cert64\Enum]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cert64\Enum]

"0"="Root\\LEGACY_CERT64\\0000"

 


Posted

Here we go :P

 

1-Remove System Restore (visual aid):

Click Start.

Right-click the My Computer icon, then click Properties.

Click the "System Restore" tab.

Select "Turn off System Restore" or "Turn off System Restore on all drives".

Click Apply.

As the message says, this will delete all existing restore points. To do so, click Yes.

Click OK, then restart your PC.

 

2-Copy the quote below into a file named fix.txt (Notepad), save it under c:\, then change the extension so that it becomes fix.reg, and double-click fix.reg

 

REGEDIT4

 

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CERT64]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CERT64]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_CERT64]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CERT64]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LEGACY_CERT64]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\cert64.sys]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\cert64.sys]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\cert64.sys]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Minimal\cert64.sys]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cert64]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cert64]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cert64]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cert64]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\cert64.sys]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\cert64.sys]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\cert64.sys]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Network\cert64.sys]

 

 

3-Start HijackThis and run a "Do a system scan only" scan.

Then check the following lines (in HijackThis):

 

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O14 - IERESET.INF: START_PAGE_URL=http://www.clara.net/

O20 - Winlogon Notify: cert32 - C:\WINloDOWS\SYSTEM32\avpx32.dll

 

Close all windows (Windows, Internet Explorer, Outlook, ...) except HijackThis and click "Fix checked"

 

Restart in safe mode (press F8 or F5 during startup; visual aid)

 

4-Manually check whether these registry keys are still present, and delete them again like this:

Start > Run > type regedit

there, navigate to these keys and delete them manually:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CERT64

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_CERT64

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CERT64

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CERT64

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cert64

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cert64

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cert64

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cert64

 

You may have to change the permissions: right-click the key, Permissions > Allow > "Full Control" must be checked, then OK, then delete.

 

5-Then go to Windows Explorer and show all hidden files:

In a Windows Explorer window, click the "Tools" menu and choose "Folder Options...".

Open the "View" tab and select the "Show hidden files and folders" option.

Click "Apply". Close the options window by clicking "OK".

In pictures here

 

and delete the files below if they are present:

 

C:\WINloDOWS\SYSTEM32\avpx32.dll

C:\WINloDOWS\SYSTEM32\avpx32.sys

C:\WINloDOWS\SYSTEM32\avpx64.sys

C:\WINloDOWS\SYSTEM32\klogini.dll

C:\WINloDOWS\SYSTEM32\p3.ini

C:\WINloDOWS\SYSTEM32\qy.sys

C:\WINloDOWS\SYSTEM32\qz.dll

C:\WINloDOWS\SYSTEM32\qz.sys

C:\WINDOWS\ms3.exe

C:\WINDOWS\tool2.exe

C\temp\ <-- delete the entire contents of the folder

C:\windows\temp\ <-- delete the entire contents of the folder

C:\windows\Downloaded Program Files\ <-- delete the entire contents of the folder

C:\Documents and settings\Tous les identifiants\application data\Sun\Java\Deployment\cache\javapi1.0\jar\ <-- delete the entire contents of the folder

C:\Documents and Settings\Tous les identifiants\Local Settings\Temp\ <-- delete the entire contents of the folder

C:\Documents and Settings\ Tous les identifiants\Local Settings\Temporary Internet Files\ <-- delete the entire contents of the folder

Temporary Internet files:

Start/Control Panel/Internet Options

--> Delete Cookies button

--> Delete Temporary Internet Files button

Temporary files: Start/Run " CleanMgr "

Check everything except:

Compress old files

Catalog files for the Content Indexer

/ OK / YES

 

In Windows Explorer, hide the system files again so as not to make mistakes in the future:

Go back to the <Folder Options> window and select <Do not show hidden files or system files>.

 

Restart normally,

 

6-Download and run cwshredder: http://www.trendmicro.com/cwshredder/

 

7-Clean your PC with Ad-Aware and Spybot. You will find what you need in my signature, "security guidelines".

 

8-Clean your PC with Easycleaner:

http://personal.inet.fi/business/toniarts/ecleane.htm

 

9-Put System Restore back:

Click Start.

Right-click My Computer, then click Properties.

Click the "System Restore" tab.

Clear "Turn off System Restore" or "Turn off System Restore on all drives".

Click Apply, then OK. Restart.

 

10-regsearch

 

- unzip it into a dedicated directory such as C:\Program Files

- double-click RegSearch.exe

- copy and paste the Service name "cert64" into the search box and click OK

- after the search, Notepad opens a window with all the instances found

- the file is also saved in the same directory as RegSearch

- copy and paste the contents of the window into a post, here

- close Notepad

- close RegSearch with Cancel

 

11-Then come back and post a HijackThis report

Posté(e)

Hola l'ardechois,

 

je crois avoir tout fait nickel, mais cette verole de cert64 me pourri toujours:

 

REGEDIT4

 

; Registry Search by Bobbi Flekman

; Version: 1.0.2.1

 

; Results at 14/11/2005 16:24:59 for strings:

; 'cert64'

; Strings excluded from search:

; (None)

; Search in:

; Registry Keys Registry Values Registry Data

; HKEY_LOCAL_MACHINE HKEY_USERS

 

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CERT64]

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CERT64\0000]

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CERT64\0000]

"Service"="cert64"

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CERT64\0000]

"DeviceDesc"="cert64 TCP"

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CERT64\0000\Control]

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CERT64\0000\Control]

"ActiveService"="cert64"

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cert64]

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cert64]

"DisplayName"="cert64 TCP"

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cert64\Security]

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cert64\Enum]

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cert64\Enum]

"0"="Root\\LEGACY_CERT64\\0000"

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CERT64]

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CERT64\0000]

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CERT64\0000]

"Service"="cert64"

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CERT64\0000]

"DeviceDesc"="cert64 TCP"

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cert64]

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cert64]

"DisplayName"="cert64 TCP"

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cert64\Security]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CERT64]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CERT64\0000]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CERT64\0000]

"Service"="cert64"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CERT64\0000]

"DeviceDesc"="cert64 TCP"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CERT64\0000\Control]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CERT64\0000\Control]

"ActiveService"="cert64"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cert64]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cert64]

"DisplayName"="cert64 TCP"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cert64\Security]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cert64\Enum]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cert64\Enum]

"0"="Root\\LEGACY_CERT64\\0000"

 

; End Of The Log...

 

 

 

 

... and the hijack:

 

Logfile of HijackThis v1.99.1

Scan saved at 16:31:43, on 14/11/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\FTRTSVC.exe

C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\system32\TPWRTRAY.EXE

C:\WINDOWS\System32\00THotkey.exe

C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

C:\Program Files\hijack\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet

O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe

O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: Wanadoo - {1462651F-F4BA-4C76-A001-C4284D0FE16E} - http://www.wanadoo.fr (file missing) (HKCU)

O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll

O20 - Winlogon Notify: cert32 - C:\WINDOWS\SYSTEM32\cert32.dll

O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE

O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom - C:\WINDOWS\System32\FTRTSVC.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professionnel 2005\RpcDataSrv.exe

O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professionnel 2005\RpcSandraSrv.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

 

I should add that when I shut the machine down: blue screen and the whole memory-dump routine

thanks for your patience in any case

Posted

We are going to use another method :P

1/ Download (you will use them when the time comes):

- Process Explorer from Sysinternals

- KillBox

2/ Unzip Process Explorer into a valid directory (e.g. C:\program files\...) then run procexp.exe.

Double-click "winlogon.exe" in the process list to bring up its properties window. Select the "Threads" tab, then select the "cert32.dll" entries one by one and click "kill".

Then the same again,

Double-click "explorer.exe" in the process list to bring up its properties window. Select the "Threads" tab, then select the "cert32.dll" entries one by one and click "kill".

Close Process Explorer

3/ Start HijackThis and run a "Do a system scan only" scan.

Then tick the following lines (in HijackThis):

 

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O14 - IERESET.INF: START_PAGE_URL=http://www.clara.net/

O20 - Winlogon Notify: cert32 - C:\WINloDOWS\SYSTEM32\avpx32.dll

 

Close all windows (Windows, Internet Explorer, Outlook, …) except HijackThis and click « Fix checked »

4/ Deleting the keys from the registry:

Copy the quote below into a file fix.txt (Notepad), save it under c:\, then change the extension so that it becomes fix.reg and double-click fix.reg

Careful: there must be no blank line before REGEDIT4, and there must be one after the last line in your .txt file

 

REGEDIT4

 

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CERT64]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CERT64]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_CERT64]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CERT64]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LEGACY_CERT64]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\cert64.sys]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\cert64.sys]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\cert64.sys]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Minimal\cert64.sys]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cert64]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cert64]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cert64]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cert64]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\cert64.sys]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\cert64.sys]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\cert64.sys]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Network\cert64.sys]

 

 

5/ Run killbox.exe

Tick the "Delete on Reboot" button

Paste the first line below

C:\WINloDOWS\SYSTEM32\avpx32.dll

Click the red cross

« will be Deleted on Next Reboot » Answer YES

« File will be Removed on Reboot, Do you want to reboot now ? » Answer NO

And so on, down to the last line below:

C:\WINloDOWS\SYSTEM32\avpx32.sys

C:\WINloDOWS\SYSTEM32\avpx64.sys

C:\WINloDOWS\SYSTEM32\klogini.dll

C:\WINloDOWS\SYSTEM32\p3.ini

C:\WINloDOWS\SYSTEM32\qy.sys

C:\WINloDOWS\SYSTEM32\qz.dll

C:\WINloDOWS\SYSTEM32\qz.sys

C:\WINDOWS\ms3.exe

And finally, for the last one, paste the line below:

C:\WINDOWS\tool2.exe

Click the red cross

« will be Deleted on Next Reboot » Answer YES

« File will be Removed on Reboot, Do you want to reboot now ? » Answer YES

The PC will restart and delete the files in the list.

Then come back and post a RegSearch report for cert64,

Then come back and post a HijackThis report

Posted

Hi again, friend of the caillette and the chestnut,

you're going to laugh: procexp won't start. It's the right XP version, I don't get it. Isn't there another explorer of this kind?

in the meantime, I'm redoing the first procedure, paying attention to the blank lines in fix.reg

I'll keep you posted, thanks...

Posted

'lo,

I am indeed on 32-bit. In safe mode, procexpl starts, but the procedure makes no difference... on the other hand, it asks me for the MS debugging tools; shall I install them and start over?

a few remarks:

-with hijack, it is no longer avpx32 that is the problem but cert32. Is blowing those away in the registry like cert64 a good idea that is actually a bad one, or is it worth a try?

-when I delete the files in safe mode, I have no WINloDOWS directory, so I remove nothing; the files are, however, present in c:\windows, but I haven't touched them... worth looking into?

-what do you think of this: http://www-cu.symantec.com/avcenter/venc/d....haxdoor.e.html, to be adapted for cert64?

-Asquared makes no difference, unfortunately...

- otherwise, the system is stable, except that I can no longer use IE or Giganews...

thanks again; if you have leads or info, I'll take them of course... at worst, I'll start a new post; I think a German speaker (http://board.protecus.de/t20153.htm) will be able to help me, apparently the guy seemed happy with the result... have a look, maybe the method will ring a bell.

See you

Posted (edited)

-with hijack, it is no longer avpx32 that is the problem but cert32. Is blowing those away in the registry like cert64 a good idea that is actually a bad one, or is it worth a try?

Indeed, I had missed that !!!!

redo the steps above, replacing the reg file with this one:

 

 

REGEDIT4

 

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CERT64]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CERT64]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_CERT64]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CERT64]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LEGACY_CERT64]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\cert64.sys]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\cert64.sys]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\cert64.sys]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Minimal\cert64.sys]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cert64]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cert64]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cert64]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cert64]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\cert64.sys]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\cert64.sys]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\cert64.sys]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Network\cert64.sys]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CERT32]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CERT32]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_CERT32]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CERT32]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LEGACY_CERT32]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\cert32.sys]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\cert32.sys]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\cert32.sys]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Minimal\cert32.sys]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cert32]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cert32]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cert32]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cert32]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\cert32.sys]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\cert32.sys]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\cert32.sys]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Network\cert32.sys]

 

 

 

----------------

 

thanks again; if you have leads or info, I'll take them of course... at worst, I'll start a new post; I think a German speaker (http://board.protecus.de/t20153.htm) will be able to help me, apparently the guy seemed happy with the result... have a look, maybe the method will ring a bell.

This is only one part of your problem, the Look2me infection (which is partially present on your PC but not active), which is the simplest to resolve; nothing to do with the 020 certXX.dll line

Edited by BipBip07
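
A cross-check that can be run before importing a deletion file like the two fix.reg files posted above (added example, not code from the thread): it compares the keys a RegSearch export reported with the `[-KEY]` entries of the deletion file and checks the two layout rules given for fix.reg. `SEARCH` and `FIX` are constructed excerpts built from key paths quoted in the thread, and the function names are hypothetical.

```python
import re

# Constructed excerpt of a RegSearch export; key paths are ones quoted in the thread.
SEARCH = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CERT64\0000\Control]
"ActiveService"="cert64"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cert64]
"DisplayName"="cert64 TCP"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cert64\Security]
'''

# Constructed excerpt of a deletion file: "[-KEY]" removes KEY and all its subkeys.
FIX = r'''REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CERT64]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LEGACY_CERT64]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cert64]

'''

HEADER = re.compile(r'^\[(-?)(HKEY_[^\]]+)\]$')

def section_keys(text, deletion):
    """Key paths from [KEY] headers, or from [-KEY] headers when deletion is True."""
    hits = (HEADER.match(line.strip()) for line in text.splitlines())
    keys = [m.group(2) for m in hits if m and bool(m.group(1)) == deletion]
    return list(dict.fromkeys(keys))  # drop repeats, keep order

def under(key, root):
    """True if key is root or one of its subkeys (registry paths ignore case)."""
    key, root = key.upper(), root.upper()
    return key == root or key.startswith(root + '\\')

def cross_check(search_text, fix_text):
    """Return (reported keys no entry deletes, deletion entries matching no reported key)."""
    found = section_keys(search_text, deletion=False)
    deleted = section_keys(fix_text, deletion=True)
    uncovered = [k for k in found if not any(under(k, d) for d in deleted)]
    unmatched = [d for d in deleted if not any(under(k, d) for k in found)]
    return uncovered, unmatched

def layout_problems(text):
    """Check the two layout rules the thread gives for fix.reg."""
    text = text.replace('\r\n', '\n')
    rules = [(text.startswith('REGEDIT4\n'), 'first line is not REGEDIT4'),
             (text.endswith('\n\n'), 'no blank line after the last entry')]
    return [msg for ok, msg in rules if not ok]
```

An uncovered key is one the import would leave in place; an unmatched entry targets a key the search never reported.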
