probleme de popup winfixer

herisson38 · le 9 décembre 2005

Salut !! je suis victime de winfixer comment se debarrasse de ces popups qui bloque tout ??

merci d'avance

voici mon log :

Logfile of HijackThis v1.99.1

Scan saved at 19:04:43, on 09/12/2005

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\atievxx.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\helper.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\Documents and Settings\Mes documents\HijackThis.exe

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

O2 - BHO: ATLDistrib Object - {3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - C:\WINDOWS\System32\byxxx.dll

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\fr\msntb.dll

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\fr\msntb.dll

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O4 - HKLM\..\RunServices: [MSN Checker] msnchecker.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\RunServices: [MSN Checker] msnchecker.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: byxxx - C:\WINDOWS\System32\byxxx.dll

O20 - Winlogon Notify: Reliability - C:\WINDOWS\system32\o4ns0e57eh.dll

O21 - SSODL: winmgmt - {07CB7C7A-90D4-A868-EED7-E7E77B138A44} - C:\WINDOWS\help\clipbrd.hlp

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: MS Ins Config (MSiCFG) - Unknown owner - C:\WINDOWS\msiconfig.exe (file missing)

O23 - Service: MS Dns Service (WinNet) - Unknown owner - C:\WINDOWS\system32\wincntrl.exe (file missing)

Jack_Burton · le 9 décembre 2005

Bonsoir et bienvenu sur le forum sécurité de zebulon,

Ton rapport montre des signes d infection!

Je t invite dans un premier temps a suivre notre procédure préliminaire :

HIJACKTHIS

Procédure préliminaire à toute demande d'analyse de rapport HijackThis.

Phase 1

- faire un copier/coller de ces instructions dans un fichier texte car la seconde partie de cette procédure va être effectuée en mode sans échec et donc, hors connexion.

- télécharger Antivir ( http://www.free-av.com ) et le paramétrer selon les indications de tesgaz ( http://speedweb1.free.fr/frames2.php?page=tuto5 )

nb: le choix d'Antivir comme antivirus a utiliser dans le cadre de cette procédure, a reposé sur les critères suivants : --- failles de votre antivirus qui a laissé passer des malwares --- Antivir peut-être installé et désinstallé facilement --- Antivir est reconnu pour son efficacité en mode sans échec --- le tutorial de tesgaz permet de le paramétrer sans problème

- télécharger la dernière version d'HijackThis ( http://www.merijn.org/files/hijackthis.zip ou http://telechargement.zebulon.fr/138-hijackthis-1991.html en cas d'indisponibilité !)

Phase 2

- redémarrer le PC, impérativement en mode sans échec, (n'ayant pas accès à Internet, vous avez préalablement copié ces instructions dans un fichier texte)

-- au redémarrage de l'ordinateur, une fois le chargement du BIOS terminé, il y a un écran noir qui apparaît rapidement, appuyer sur la touche [F8] ou [F5] jusqu'à l'affichage du menu des options avancées de Windows. Sélectionner "Mode sans échec" et appuyer sur [Entrée].

NB : en cas de problème pour sélectionner le mode sans échec, appliquer la procédure de Symantec "Comment démarrer l'ordinateur en mode sans échec" (http://service1.symantec.com/support/inter/tsgeninfointl.nsf/fr_docid/20020905112131924 )

-- à l'ouverture de session, choisir la session courante et non celle de l'administrateur

- Afficher tous les fichiers par cette modification des options de l'explorateur Windows :

Menu "Outils", "Option des dossiers", onglet "Affichage" :

Activer la case : "Afficher les fichiers et dossiers cachés"

Désactiver la case : "Masquer les extensions des fichiers dont le type est connu"

Désactiver la case : "Masquer les fichiers protégés du système d'exploitation"

Puis, cliquer sur "Appliquer".

Maintenant, vous avez accès à tous les fichiers et dossiers du système d'exploitation.

Phase 3

- nettoyage rapide du disque dur :

Démarrer / Exécuter / taper CleanMgr et valider

Cette fonction cleanmgr génére parfois un bug sous système Windows 2000, effectuer dans ce cas un nettoyage manuel : suppression de tous les fichiers contenus dans les dossiers

C:\TEMP

C:\WINDOWS\TEMP

C:\Documents And Settings\Session utilisateur\Local Settings\Temp

C:\Documents And Settings\Session utilisateur\Local Settings\Temporary internet files

Vider la corbeille

- recherche et élimination des parasites avec Antivir

lancer un scan complet du, ou des disques dur, et supprimer tous les fichiers infectés (s'ils existent)

- installation et utilisation d'HijackThis

-- créer un nouveau dossier à la racine de C:\Program Files\HijackThis (double clic sur poste de travail/double clic sur l'icone de C/double clic sur le répertoire Program Files/clic droit dans la fenêtre, choisir nouveau dossier et le nommer HijackThis) ; dézipper le programme précédemment téléchargé lors de la phase 1 dans ce nouveau dossier HijackThis, créer un raccourci sur le bureau.

Important: surtout, ne pas créer ce dossier HijackThis dans un répertoire temporaire

-- arrêter tous les programmes en cours et fermer toutes les fenêtres

-- lancer HijackThis à l'aide du raccourci et cliquer sur le bouton "Do a system scan and save a logfile"

-- le rapport HijackThis (fichier log) va être enregistré dans C:\Program Files\HijackThis (penser à ajouter un chiffre à la suite du nom du rapport si vous voulez conserver un historique de vos rapports ex : HijackThis 1, HijackThis 2...)

NB : en cas de problème, appliquer le Tutorial de BipBip (http://sitethemacs.free.fr/aide_enregistrement_de_hijackthi.htm avec copies d'écran).

- désinstallation d'Antivir

-- arrêter les processus suivants dans le gestionnaire des tâches (faire Ctrl+Alt+Suppr pour ouvrir la fenêtre) : AVGUARD.EXE - AVWUPSRV.EXE et AVGNT.EXE puis, désinstaller Antivir dans ajout/suppression de programmes (vous pourrez le réinstaller ensuite si vous souhaitez le conserver en lieu et place de votre antivirus résident qu'il conviendra dans ce cas de désinstaller proprement, surtout s'il s'agit de Norton).

Phase 4

- redémarrer en mode normal

- ouvrir le rapport HijackThis précédemment sauvegardé et faire : Ctrl-A, Ctrl-C puis, le coller dans un nouveau post que vous créez sur le forum sécurité (Ctrl-V) de manière à ce que nous vous disions ce qu'il faut faire.

- attendre l'analyse et la réponse.

Auteur : megataupe

Edit : ton systeme n est pas du tout a jour! Il a 5 ans de retard et autant de failles de sécurité!

Modifié le 9 décembre 2005 par Jack_Burton

herisson38 · le 9 décembre 2005

Bonsoir et bienvenu sur le forum sécurité de zebulon,

Ton rapport montre des signes d infection!

Je t invite dans un premier temps a suivre notre procédure préliminaire :

Edit : ton systeme n est pas du tout a jour! Il a 5 ans de retard et autant de failles de sécurité!

tout d'abord un grand merci pour la reponse ultra rapide de mes soucis de popup.

Quel talent !!!! je pars de suite avec mes remedes et reviendrais afin d'avoir vos

conseils pour eviter que sa ne se reproduisent a bientot et merci encore...

HERISSON

herisson38 · le 11 décembre 2005

tout d'abord un grand merci pour la reponse ultra rapide de mes soucis de popup.

Quel talent !!!! je pars de suite avec mes remedes et reviendrais afin d'avoir vos

conseils pour eviter que sa ne se reproduisent a bientot et merci encore...

HERISSON

j'ai appliquer a la lettre vos procedure jusqu'au mode sans echec

j'arrive bien a le relancer mais le bureau n'apparait pas alors je ne

peu aller sur l'exploreur windows l'ecran reste noir avec sur les 4 coins

le l'ecran ecrit "mode sans echec" ????? j'ai aussi essayer avec le lien

que vous m'avez donner et sa fais la meme chose ?? j'espere que sa

n'est pas trop grave?

Mark · le 11 décembre 2005

Salut Herisson

On va s'adapter ; j'analyse le tout, et réponse dans un p'tit 30 minutes..

Mark · le 11 décembre 2005

Bon ; pour le Sans Échec, on va faire avec pour l'instant (Vundo est le coupable..). On s'attaquera à Look2Me dans un deuxième temps. Ça risque de nécessiter quelques interventions (pas grave.. ).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Imprime ces instructions, ou colle les dans un fichier texte (pour lecture en mode Sans Échec).

Clique sur "Démarrer" >> "Exécuter", puis tape ceci dans la petite boîte :

services.msc

..puis clique "Ok". Dans la liste des services, trouve celui-ci : MS Ins Config (MSiCFG) ; double-clique dessus et clique sur "Arrêter", puis dans la petite boîte au-dessus, choisis "Désactivé". Répète ces étapes (Arrêter et mettre à Désactivé) pour ce service-ci :

MS Dns Service (WinNet). Ferme toutes les fenêtres lorsque complété.

Télécharge VundoFix.exe sur ton Bureau.

Double-clique VundoFix.exe afin d'en extraire les fichiers.
Ceci va créer un nouveau dossier VundoFix sur ton Bureau.
Ouvre le dossier VundoFix et double-clique sur KillVundo.bat
Tu verras cet avertissement :
VundoFix V2.15 by Atri
By using VundoFix you agree that you are doing so at your own risk
Press enter to continue....
Appuie sur "Entrée" une fois.
Tu verras ceci :
Please Type in the filepath as instructed by the forum staff
and then press enter:
À ce moment-ci, tape le chemin du fichier complet, tel que ci-dessous :
- C:\WINDOWS\System32\byxxx.dll
[*]Appuie sur Entrée pour la suite.

[*] Tu verras ceci :

Please type in the second filepath as instructed by the forum
staff then press enter:

[*]À ce moment-ci, tape le chemin du fichier complet, tel que ci-dessous :
- C:\WINDOWS\System32\xxxyb.*
[*]Appuie sur Entrée pour la suite.

[*]L'outil va faire son travail, puis HijackThis! devrait se lancer ; s'il ne se lance pas automatiquement, prière de le lancer. Clique sur "Do a system scan only".

[*]Coche ces lignes (possible que la ligne O2 n'y soit plus), puis clique FIX CHECKED:
- O2 - BHO: ATLDistrib Object - {3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - C:\WINDOWS\System32\byxxx.dll
  
  O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
  O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
  
  O20 - Winlogon Notify: byxxx - C:\WINDOWS\System32\byxxx.dll
  
  O23 - Service: MS Ins Config (MSiCFG) - Unknown owner - C:\WINDOWS\msiconfig.exe (file missing)
  O23 - Service: MS Dns Service (WinNet) - Unknown owner - C:\WINDOWS\system32\wincntrl.exe (file missing)
[*]Ferme HijackThis!.

[*]Appuie sur "Entrée" pour fermer le programme, puis redémarre ton PC.

[*]Lorsque redémarré, continue avec les instructions qui suivent :

Télécharge CleanUp! sur ton Bureau.

Lance Cleanup! en double-cliquant sur le fichier téléchargé.

Clique sur le bouton CleanUp! pour lancer le programme.

S'il te demande de redémarrer, clique NO.

Fait un scan en ligne chez Panda ici : ActiveScan ;

Tu dois utiliser Internet Explorer pour faire ce scan ; on te demandera d'installer un contrôle ActiveX ; Accepte.
Coche "My Computer" pour le scan
Lorsque terminé, clique "See report", puis "Save report" ; sauvegarde le rapport.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Télécharge L2mfix (de Shadowwar) de l'un de ces liens :

http://www.atribune.org/downloads/l2mfix.exe

http://www.downloads.subratam.org/l2mfix.exe

Sauvegarde-le sur ton Bureau et double-clique l2mfix.exe. Clique sur le bouton Install pour en extraire le contenu et suis les directives, puis ouvre le nouveau dossier "l2mfix" qui se trouve sur le Bureau. Double-clique l2mfix.bat et choisis l'option #1 pour Run Find Log en tapant 1 et ensuite Entrée. Le scan débutera sans générer d'indications, puis, après une minute ou deux, un fichier texte apparaîtra. Copie/colle le contenu de ce rapport ("report.txt") dans ta prochaine réponse.

IMPORTANT : NE PAS lancer l'option #2 OU autres fichiers situés dans le dossier "l2mfix" sans l'avis d'un conseiller !

Par contre, si une erreur s'affiche en lançant l'option #1, similaire à ceci : ''C:\windows\system32\cmd.exe

C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. Choose close to terminate the application.."...alors utilise l'option #5 ou le lien web fourni dans le dossier "l2mfix" afin de résoudre cette erreur. Ne pas lancer d'autres options avant d'avoir réglé ce pépin.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copie/colle le rapport de Panda ActiveScan également dans ta prochaine réponse, puis poste un nouveau rapport HijackThis! ainsi que le rapport de VundoFix situé dans le dossier Vundofix (vundofix.txt).

Utilise plus d'une réponse si les rapports sont trop volumineux. Bon courage !!

Modifié le 11 décembre 2005 par Qc001

herisson38 · le 11 décembre 2005

salut ! merci pour tes infos et voici les rapports demander

Logfile of HijackThis v1.99.1

Scan saved at 00:04:06, on 12/12/2005

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe

C:\WINDOWS\System32\atievxx.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\WINDOWS\system32\rundll32.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\explorer.exe

C:\Documents and Settings\Seabra Alvaro\Mes documents\HijackThis.exe

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

O2 - BHO: ATLDistrib Object - {3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - C:\WINDOWS\System32\byxxx.dll

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\fr\msntb.dll

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\fr\msntb.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [NTSF MICROSOFT SYSTEM] ntsfd.exe

O4 - HKLM\..\RunServices: [MSN Checker] msnchecker.exe

O4 - HKLM\..\RunServices: [NTSF MICROSOFT SYSTEM] ntsfd.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [NTSF MICROSOFT SYSTEM] ntsfd.exe

O4 - HKCU\..\RunServices: [MSN Checker] msnchecker.exe

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: byxxx - C:\WINDOWS\System32\byxxx.dll

O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\l82s0if7e82.dll

O21 - SSODL: winmgmt - {07CB7C7A-90D4-A868-EED7-E7E77B138A44} - C:\WINDOWS\help\clipbrd.hlp

O23 - Service: AntiVir Scheduler (AntiVirScheduler) - H+BEDV Datentechnik GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: MicroSoft Media Tools - Unknown owner - C:\WINDOWS\MSmedia.exe

O23 - Service: Service Hosts (ServiceHost) - Unknown owner - C:\WINDOWS\shost.exe (file missing)

VundoFix V2.15 by Atri

--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.

--------------------------------------------------------------------------------------

killvundo.bat

process.exe

ReadMe.txt

vundo.reg

vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered

--------------------------------------------------------------------------------------

The filepath entered was c:\windows\system32\byxxx.dll

The second filepath entered was c:\windows\system32\xxxyb.*

--------------------------------------------------------------------------------------

Log from Process

--------------------------------------------------------------------------------------

Killing PID 532 'smss.exe'

Error 0x6 : Descripteur non valide

Killing PID 1840 'explorer.exe'

Killing PID 620 'winlogon.exe'

Error 0x6 : Descripteur non valide

--------------------------------------------------------------------------------------

Could not delete c:\windows\system32\byxxx.dll.

c:\windows\system32\xxxyb.* Deleted sucessfully.

Fixing Registry

--------------------------------------------------------------------------------------

en effet c'est tres long!!!!!

L2MFIX find log 120905

These are the registry keys present

**********************************************************************************

Winlogon/notify:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

"Asynchronous"=dword:00000000

"DllName"=""

"Impersonate"=dword:00000000

"Logon"="WinLogon"

"Logoff"="WinLogoff"

"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\byxxx]

"Asynchronous"=dword:00000001

"DllName"="C:\\WINDOWS\\System32\\byxxx.dll"

"Impersonate"=dword:00000000

"Startup"="SysLogon"

"Logoff"="SysLogoff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\

6c,00,00,00

"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\

6c,00,6c,00,00,00

"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]

"DLLName"="cscdll.dll"

"Logon"="WinlogonLogonEvent"

"Logoff"="WinlogonLogoffEvent"

"ScreenSaver"="WinlogonScreenSaverEvent"

"Startup"="WinlogonStartupEvent"

"Shutdown"="WinlogonShutdownEvent"

"StartShell"="WinlogonStartShellEvent"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]

"DLLName"="wlnotify.dll"

"Logon"="SCardStartCertProp"

"Logoff"="SCardStopCertProp"

"Lock"="SCardSuspendCertProp"

"Unlock"="SCardResumeCertProp"

"Enabled"=dword:00000001

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]

"Asynchronous"=dword:00000000

"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\

6c,00,6c,00,00,00

"Impersonate"=dword:00000000

"StartShell"="SchedStartShell"

"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]

"Logoff"="WLEventLogoff"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\

6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]

"DLLName"="WlNotify.dll"

"Lock"="SensLockEvent"

"Logon"="SensLogonEvent"

"Logoff"="SensLogoffEvent"

"Safe"=dword:00000001

"MaxWait"=dword:00000258

"StartScreenSaver"="SensStartScreenSaverEvent"

"StopScreenSaver"="SensStopScreenSaverEvent"

"Startup"="SensStartupEvent"

"Shutdown"="SensShutdownEvent"

"StartShell"="SensStartShellEvent"

"PostShell"="SensPostShellEvent"

"Disconnect"="SensDisconnectEvent"

"Reconnect"="SensReconnectEvent"

"Unlock"="SensUnlockEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]

"Asynchronous"=dword:00000000

"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\

6c,00,6c,00,00,00

"Impersonate"=dword:00000000

"Logoff"="TSEventLogoff"

"Logon"="TSEventLogon"

"PostShell"="TSEventPostShell"

"Shutdown"="TSEventShutdown"

"StartShell"="TSEventStartShell"

"Startup"="TSEventStartup"

"MaxWait"=dword:00000258

"Reconnect"="TSEventReconnect"

"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Unimodem]

"Asynchronous"=dword:00000000

"DllName"="C:\\WINDOWS\\system32\\l82s0if7e82.dll"

"Impersonate"=dword:00000000

"Logon"="WinLogon"

"Logoff"="WinLogoff"

"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]

"DLLName"="wlnotify.dll"

"Logon"="RegisterTicketExpiredNotificationEvent"

"Logoff"="UnregisterTicketExpiredNotificationEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

**********************************************************************************

useragent:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

"{F4D51973-BE69-D07E-56B8-16E88D967762}"=""

**********************************************************************************

Shell Extension key:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

"{00022613-0000-0000-C000-000000000046}"="Feuille de propri‚t‚s du fichier multim‚dia"

"{176d6597-26d3-11d1-b350-080036a75b03}"="Gestion de scanneur ICM"

"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="Page de s‚curit‚ NTFS"

"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="Page des propri‚t‚s de OLE DocFile"

"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Extensions de l'environnement pour le partage"

"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"

"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Extension Affichage Carte du Panneau de configuration"

"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Extension Affichage ?cran du Panneau de configuration"

"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Extension Affichage Panorama du Panneau de configuration"

"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="Page de s‚curit‚ DS"

"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Page de compatibilit‚"

"{56117100-C0CD-101B-81E2-00AA004AE837}"="Gestionnaire de donn‚es endommag‚es de l'environnement"

"{59099400-57FF-11CE-BD94-0020AF85B590}"="Extension copie de disquette"

"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Extensions de l'environnement pour les objets r‚seau de Microsoft Windows"

"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="Gestion d'‚cran ICM"

"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="Gestion d'imprimante ICM"

"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Extensions de l'environnement de compression de fichiers"

"{77597368-7b15-11d0-a0c2-080036af3f03}"="Extension de l'environnement d'imprimante Web"

"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"

"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Menu contextuel de cryptage"

"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Porte-documents"

"{88895560-9AA2-1069-930E-00AA0030EBC8}"="Extension ic“ne HyperTerminal"

"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"

"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="Profil ICC"

"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Page de s‚curit‚ des imprimantes"

"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Extensions de l'environnement pour le partage"

"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"

"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Extension de cryptographie PKO"

"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Extension de cryptographie Sign"

"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Connexions r‚seau"

"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Connexions r‚seau"

"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="&Scanneurs et appareils photo"

"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="&Scanneurs et appareils photo"

"{905667aa-acd6-11d2-8080-00805f6596d2}"="&Scanneurs et appareils photo"

"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="&Scanneurs et appareils photo"

"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="&Scanneurs et appareils photo"

"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"

"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Extension de la page de propri‚t‚s de mise … jour automatique"

"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Extensions de l'interpr‚teur de commandes pour l'environnement d'ex‚cution de scripts Windows"

"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Liaison de donn‚es Microsoft"

"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"

"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"

"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Tƒches planifi‚es"

"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Barre des tƒches et menu D‚marrer"

"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Rechercher"

"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Aide et support"

"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Aide et support"

"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Ex‚cuter..."

"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"

"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="Courrier ‚lectronique"

"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Polices"

"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Outils d'administration"

"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"

"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"

"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"

"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"

"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"

"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"

"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Barre d'outils Internet Microsoft"

"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="?tat du t‚l‚chargement"

"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Dossier Bureau ‚tendu"

"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Dossier du shell augment‚"

"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"

"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Bande du navigateur Microsoft"

"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Bande de recherche"

"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"

"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="Volet int‚gr‚ de recherche"

"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Recherche Web"

"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Utilitaire des options de l'arborescence du Registre"

"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Adresse"

"{A08C11D2-A228-11d0-825B-00AA005B4383}"="BoŒte d'entr‚e de l'adresse"

"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Saisie semi-automatique Microsoft"

"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"

"{6756A641-DE71-11d0-831B-00AA005B4383}"="Liste de saisie semi-automatique MRU"

"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Liste de saisie semi-automatique personnalis‚e MRU"

"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"

"{acf35015-526e-4230-9596-becbe19f0ac9}"="Barre de progrŠs auto-ouvrante"

"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Analyseur de la barre d'adresses"

"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Liste de saisie semi-automatique de l'historique Microsoft"

"{03C036F1-A186-11D0-824A-00AA005B4383}"="Liste de saisie semi-automatique du dossier Shell Microsoft"

"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Conteneur de la liste de saisie semi-automatique multiple Microsoft"

"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Menu Site de bandes"

"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"

"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Barre du Bureau"

"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"

"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="Assistance utilisateur"

"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="ParamŠtres du dossier global"

"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"

"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"

"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"

"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"

"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"

"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"

"{FF393560-C2A7-11CF-BFF4-444553540000}"="Historique"

"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"

"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"

"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"

"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="Image de d‚marrage de la Suite IE4"

"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"

"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"

"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"

"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="Internet"

"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"

"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"

"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"

"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"

"{88C6C381-2E85-11D0-94DE-444553540000}"="Dossier ActiveX Cache"

"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"

"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"

"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Dossier Inscription"

"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"

"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"

"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"

"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"

"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"

"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"

"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"

"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Gestionnaire d'applications d'environnement"

"{0B124F8F-91F0-11D1-B8B5-006008059382}"="?num‚rateur d'applications install‚es"

"{CFCCC7A0-A282-11D1-9082-006008059382}"="Publication d'application Darwin"

"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"

"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"

"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="Extracteur de miniatures de fichier + GDI"

"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Gestionnaire de miniatures - Informations de r‚sum‚ (DOCFILES)"

"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="Extracteur de miniatures HTML"

"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"

"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Assistant Publication de sites Web"

"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Commande d'impressions via le Web"

"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Objet Assistant de publication Shell"

"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Assistant Obtenir une identit‚ Passport"

"{7A9D77BD-5403-11d2-8785-2E0420524153}"="Comptes d'utilisateurs"

"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"

"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"

"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"

"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"

"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"

"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"

"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"

"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"

"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"

"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"

"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"

"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"

"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"

"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"

"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"

"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"

"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"

"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"

"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"

"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"

"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Dossier Fichiers hors connexion"

"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"

"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"

"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"

"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"

"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"

"{32714800-2E5F-11d0-8B85-00AA0044F941}"="Des &personnes..."

"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"

"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"

"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"

"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"

"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"="AVG7 Find Extension"

"{4CCC8988-6CEF-4494-B633-C551730DEB29}"=""

"{A3442736-583A-4F68-ACBE-650C04BAA1AB}"=""

"{16F1002D-7D86-42F1-8770-0E8755BA68F8}"=""

"{33E8DEDB-D688-4FA1-AE36-744F51269326}"=""

"{8E1DE036-EF66-4FD6-B3FC-398B782D0ED5}"=""

"{B0F0AAA9-69A6-43E3-A002-0900BA9C4E61}"=""

"{9FC45132-AAAB-4328-B124-8A5366DFCD81}"=""

"{396075C5-B8F2-423F-A317-E8323C80FA69}"=""

"{59313572-04CB-4296-A477-8AD21B4CBEC4}"=""

"{A5B83E36-5D16-47E8-BADB-6EE748B33093}"="TZ Shredder Context Menu"

"{806942EE-5FA0-48CB-8201-837C94435456}"=""

"{DB8067A6-6836-4F0F-AB38-E9E570B91332}"=""

"{AE2A350D-33AE-4264-AB24-C39DA44959E9}"=""

"{1A133A57-03B5-4945-A142-88B51138DEB8}"=""

"{B4D3C635-A656-46BD-8316-D58FD52946BA}"=""

"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"="Shell Extension for Malware scanning"

"{DC024900-3F54-4180-834B-93D055B53E48}"=""

"{E3254A37-8CEC-4F58-A8AB-7553B07883BD}"=""

"{988B51C4-149B-4FEE-975B-293EFE301662}"=""

"{0E7B6F1F-FECD-403E-9C3B-7CE56BAF4F56}"=""

"{4F035F34-7489-450C-9355-399B2CCA7114}"=""

"{9F0048CC-0118-4FEB-9E51-3117F58881CF}"=""

"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Fichier de chaŒne"

"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Raccourci de chaŒne"

"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"

"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"

"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"

"{880F2FF9-D15B-45E3-B62B-BFEE14092CF6}"=""

"{350DEE64-F7BB-4699-9CD4-1BDECE32F540}"=""

**********************************************************************************

HKEY ROOT CLASSIDS:

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{A3442736-583A-4F68-ACBE-650C04BAA1AB}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{A3442736-583A-4F68-ACBE-650C04BAA1AB}\Implemented Categories]

@=""

[HKEY_CLASSES_ROOT\CLSID\{A3442736-583A-4F68-ACBE-650C04BAA1AB}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{A3442736-583A-4F68-ACBE-650C04BAA1AB}\InprocServer32]

@="C:\\WINDOWS\\system32\\winotify.dll"

"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{16F1002D-7D86-42F1-8770-0E8755BA68F8}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{16F1002D-7D86-42F1-8770-0E8755BA68F8}\Implemented Categories]

@=""

[HKEY_CLASSES_ROOT\CLSID\{16F1002D-7D86-42F1-8770-0E8755BA68F8}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{16F1002D-7D86-42F1-8770-0E8755BA68F8}\InprocServer32]

@="C:\\WINDOWS\\system32\\cgseqchk.dll"

"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{33E8DEDB-D688-4FA1-AE36-744F51269326}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{33E8DEDB-D688-4FA1-AE36-744F51269326}\Implemented Categories]

@=""

[HKEY_CLASSES_ROOT\CLSID\{33E8DEDB-D688-4FA1-AE36-744F51269326}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{33E8DEDB-D688-4FA1-AE36-744F51269326}\InprocServer32]

@="C:\\WINDOWS\\system32\\dCvclnt.dll"

"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{8E1DE036-EF66-4FD6-B3FC-398B782D0ED5}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{8E1DE036-EF66-4FD6-B3FC-398B782D0ED5}\Implemented Categories]

@=""

[HKEY_CLASSES_ROOT\CLSID\{8E1DE036-EF66-4FD6-B3FC-398B782D0ED5}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{8E1DE036-EF66-4FD6-B3FC-398B782D0ED5}\InprocServer32]

@="C:\\WINDOWS\\system32\\dfwsock.dll"

"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{B0F0AAA9-69A6-43E3-A002-0900BA9C4E61}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{B0F0AAA9-69A6-43E3-A002-0900BA9C4E61}\Implemented Categories]

@=""

[HKEY_CLASSES_ROOT\CLSID\{B0F0AAA9-69A6-43E3-A002-0900BA9C4E61}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{B0F0AAA9-69A6-43E3-A002-0900BA9C4E61}\InprocServer32]

@="C:\\WINDOWS\\system32\\vkajet32.dll"

"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{396075C5-B8F2-423F-A317-E8323C80FA69}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{396075C5-B8F2-423F-A317-E8323C80FA69}\Implemented Categories]

@=""

[HKEY_CLASSES_ROOT\CLSID\{396075C5-B8F2-423F-A317-E8323C80FA69}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{396075C5-B8F2-423F-A317-E8323C80FA69}\InprocServer32]

@="C:\\WINDOWS\\system32\\teappcmp.dll"

"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{59313572-04CB-4296-A477-8AD21B4CBEC4}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{59313572-04CB-4296-A477-8AD21B4CBEC4}\Implemented Categories]

@=""

[HKEY_CLASSES_ROOT\CLSID\{59313572-04CB-4296-A477-8AD21B4CBEC4}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{59313572-04CB-4296-A477-8AD21B4CBEC4}\InprocServer32]

@="C:\\WINDOWS\\system32\\guard.tmp"

"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{806942EE-5FA0-48CB-8201-837C94435456}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{806942EE-5FA0-48CB-8201-837C94435456}\Implemented Categories]

@=""

[HKEY_CLASSES_ROOT\CLSID\{806942EE-5FA0-48CB-8201-837C94435456}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{806942EE-5FA0-48CB-8201-837C94435456}\InprocServer32]

@="C:\\WINDOWS\\system32\\scgina.dll"

"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{DB8067A6-6836-4F0F-AB38-E9E570B91332}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{DB8067A6-6836-4F0F-AB38-E9E570B91332}\Implemented Categories]

@=""

[HKEY_CLASSES_ROOT\CLSID\{DB8067A6-6836-4F0F-AB38-E9E570B91332}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{DB8067A6-6836-4F0F-AB38-E9E570B91332}\InprocServer32]

@="C:\\WINDOWS\\system32\\pSutoenr.dll"

"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{AE2A350D-33AE-4264-AB24-C39DA44959E9}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{AE2A350D-33AE-4264-AB24-C39DA44959E9}\Implemented Categories]

@=""

[HKEY_CLASSES_ROOT\CLSID\{AE2A350D-33AE-4264-AB24-C39DA44959E9}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{AE2A350D-33AE-4264-AB24-C39DA44959E9}\InprocServer32]

@="C:\\WINDOWS\\system32\\uorv80a.dll"

"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{1A133A57-03B5-4945-A142-88B51138DEB8}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{1A133A57-03B5-4945-A142-88B51138DEB8}\Implemented Categories]

@=""

[HKEY_CLASSES_ROOT\CLSID\{1A133A57-03B5-4945-A142-88B51138DEB8}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{1A133A57-03B5-4945-A142-88B51138DEB8}\InprocServer32]

@="C:\\WINDOWS\\system32\\guard.tmp"

"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{B4D3C635-A656-46BD-8316-D58FD52946BA}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{B4D3C635-A656-46BD-8316-D58FD52946BA}\Implemented Categories]

@=""

[HKEY_CLASSES_ROOT\CLSID\{B4D3C635-A656-46BD-8316-D58FD52946BA}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{B4D3C635-A656-46BD-8316-D58FD52946BA}\InprocServer32]

@="C:\\WINDOWS\\system32\\kmdkaz.dll"

"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{DC024900-3F54-4180-834B-93D055B53E48}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{DC024900-3F54-4180-834B-93D055B53E48}\Implemented Categories]

@=""

[HKEY_CLASSES_ROOT\CLSID\{DC024900-3F54-4180-834B-93D055B53E48}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{DC024900-3F54-4180-834B-93D055B53E48}\InprocServer32]

@="C:\\WINDOWS\\system32\\damsvinn.dLL"

"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{E3254A37-8CEC-4F58-A8AB-7553B07883BD}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{E3254A37-8CEC-4F58-A8AB-7553B07883BD}\Implemented Categories]

@=""

[HKEY_CLASSES_ROOT\CLSID\{E3254A37-8CEC-4F58-A8AB-7553B07883BD}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{E3254A37-8CEC-4F58-A8AB-7553B07883BD}\InprocServer32]

@="C:\\WINDOWS\\system32\\lqexpand.dll"

"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{988B51C4-149B-4FEE-975B-293EFE301662}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{988B51C4-149B-4FEE-975B-293EFE301662}\Implemented Categories]

@=""

[HKEY_CLASSES_ROOT\CLSID\{988B51C4-149B-4FEE-975B-293EFE301662}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{988B51C4-149B-4FEE-975B-293EFE301662}\InprocServer32]

@="C:\\WINDOWS\\system32\\iZssam.dll"

"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{0E7B6F1F-FECD-403E-9C3B-7CE56BAF4F56}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{0E7B6F1F-FECD-403E-9C3B-7CE56BAF4F56}\Implemented Categories]

@=""

[HKEY_CLASSES_ROOT\CLSID\{0E7B6F1F-FECD-403E-9C3B-7CE56BAF4F56}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{0E7B6F1F-FECD-403E-9C3B-7CE56BAF4F56}\InprocServer32]

@="C:\\WINDOWS\\system32\\mql_hp.dll"

"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{4F035F34-7489-450C-9355-399B2CCA7114}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{4F035F34-7489-450C-9355-399B2CCA7114}\Implemented Categories]

@=""

[HKEY_CLASSES_ROOT\CLSID\{4F035F34-7489-450C-9355-399B2CCA7114}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{4F035F34-7489-450C-9355-399B2CCA7114}\InprocServer32]

@="C:\\WINDOWS\\system32\\fnntext.dll"

"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{9F0048CC-0118-4FEB-9E51-3117F58881CF}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{9F0048CC-0118-4FEB-9E51-3117F58881CF}\Implemented Categories]

@=""

[HKEY_CLASSES_ROOT\CLSID\{9F0048CC-0118-4FEB-9E51-3117F58881CF}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{9F0048CC-0118-4FEB-9E51-3117F58881CF}\InprocServer32]

@="C:\\WINDOWS\\system32\\mvdtctm.dll"

"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{880F2FF9-D15B-45E3-B62B-BFEE14092CF6}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{880F2FF9-D15B-45E3-B62B-BFEE14092CF6}\Implemented Categories]

@=""

[HKEY_CLASSES_ROOT\CLSID\{880F2FF9-D15B-45E3-B62B-BFEE14092CF6}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{880F2FF9-D15B-45E3-B62B-BFEE14092CF6}\InprocServer32]

@="C:\\WINDOWS\\system32\\guard.tmp"

"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{350DEE64-F7BB-4699-9CD4-1BDECE32F540}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{350DEE64-F7BB-4699-9CD4-1BDECE32F540}\Implemented Categories]

@=""

[HKEY_CLASSES_ROOT\CLSID\{350DEE64-F7BB-4699-9CD4-1BDECE32F540}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{350DEE64-F7BB-4699-9CD4-1BDECE32F540}\InprocServer32]

@="C:\\WINDOWS\\system32\\ksdes.dll"

"ThreadingModel"="Apartment"

**********************************************************************************

Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\

ahvpack.dll Sat 10 Dec 2005 9:26:30 A.S.R 235 790 230,26 K

byxxx.dll Tue 6 Dec 2005 19:35:44 ..... 557 108 544,05 K

cbawx.dll Mon 5 Dec 2005 19:54:04 A.SH. 557 108 544,05 K

cbaxw.dll Mon 5 Dec 2005 22:45:56 A.SH. 27 661 27,01 K

cgseqchk.dll Sun 4 Dec 2005 16:01:36 A.S.R 234 525 229,03 K

cugmgr32.dll Fri 9 Dec 2005 23:43:50 A.S.R 233 807 228,32 K

damsvinn.dll Fri 9 Dec 2005 23:26:58 A.S.R 233 807 228,32 K

dcvclnt.dll Sun 4 Dec 2005 18:10:16 A.S.R 234 272 228,78 K

ddaba.dll Mon 5 Dec 2005 21:01:44 A.SH. 27 661 27,01 K

dfwsock.dll Mon 5 Dec 2005 20:56:18 A.S.R 235 856 230,33 K

efcaw.dll Mon 5 Dec 2005 20:05:06 A.SH. 27 661 27,01 K

ennsl1~1.dll Sun 4 Dec 2005 23:45:18 A.S.R 234 272 228,78 K

f8j20i~1.dll Mon 5 Dec 2005 19:46:10 A.S.R 235 912 230,38 K

f8l00i~1.dll Sun 4 Dec 2005 20:50:16 A.S.R 234 525 229,03 K

fcyax.dll Sun 4 Dec 2005 19:38:32 A.SH. 27 661 27,01 K

fnntext.dll Sun 11 Dec 2005 14:41:14 A.S.R 234 353 228,86 K

gttuname.dll Sat 10 Dec 2005 10:13:44 A.S.R 233 480 228,01 K

hgdcy.dll Sun 4 Dec 2005 22:39:32 A.SH. 27 661 27,01 K

hggda.dll Mon 5 Dec 2005 19:51:02 A.SH. 27 661 27,01 K

hqd.dll Tue 6 Dec 2005 21:59:10 A.S.R 236 980 231,43 K

hrrq05~1.dll Sun 11 Dec 2005 17:29:50 A.... 236 959 231,40 K

igseng.dll Sat 10 Dec 2005 9:56:38 A.S.R 235 790 230,26 K

ir2ml5~1.dll Fri 9 Dec 2005 23:19:30 A.S.R 236 968 231,41 K

izssam.dll Sun 11 Dec 2005 12:23:02 A.S.R 233 508 228,04 K

kcdhe.dll Sun 11 Dec 2005 18:39:44 ..S.R 234 353 228,86 K

khfcy.dll Mon 5 Dec 2005 23:08:22 A.SH. 27 661 27,01 K

kmdkaz.dll Fri 9 Dec 2005 17:59:18 A.S.R 236 968 231,41 K

ksdes.dll Sun 11 Dec 2005 23:39:38 ..S.R 234 353 228,86 K

l0p2la~1.dll Sun 11 Dec 2005 20:38:22 ..S.R 234 361 228,87 K

l48mle~1.dll Sat 10 Dec 2005 10:13:42 A.S.R 234 664 229,16 K

l82s0i~1.dll Sun 11 Dec 2005 19:15:32 ..S.R 234 353 228,86 K

lqexpand.dll Fri 9 Dec 2005 23:57:36 A.S.R 234 921 229,41 K

lv2209~1.dll Mon 5 Dec 2005 22:56:26 A.S.R 234 076 228,59 K

lvns09~1.dll Sun 11 Dec 2005 22:24:06 ..S.R 234 353 228,86 K

m0rmla~1.dll Sun 11 Dec 2005 23:16:02 ..S.R 234 353 228,86 K

m4ls0e~1.dll Sun 11 Dec 2005 22:14:22 ..S.R 234 353 228,86 K

m8rm0i~1.dll Sun 11 Dec 2005 13:04:02 A.S.R 233 508 228,04 K

maoa.dll Sun 11 Dec 2005 17:12:30 A.S.R 234 353 228,86 K

mknetobj.dll Sat 10 Dec 2005 0:21:18 A.S.R 233 807 228,32 K

mljgg.dll Mon 5 Dec 2005 22:18:28 A.SH. 27 661 27,01 K

mql_hp.dll Sun 11 Dec 2005 13:10:56 A.S.R 234 353 228,86 K

msvcp71.dll Sun 4 Dec 2005 12:12:14 A.... 499 712 488,00 K

msvcr71.dll Sun 4 Dec 2005 12:12:14 A.... 348 160 340,00 K

mvdtctm.dll Sun 11 Dec 2005 19:19:16 ..S.R 234 361 228,87 K

n0p4la~1.dll Sat 10 Dec 2005 10:19:10 A.S.R 234 978 229,47 K

n46q0e~1.dll Sat 10 Dec 2005 0:34:46 A.S.R 236 354 230,81 K

n4l80e~1.dll Sat 10 Dec 2005 0:29:44 A.S.R 235 790 230,26 K

psutoenr.dll Thu 8 Dec 2005 21:56:00 A.S.R 236 968 231,41 K

qomjj.dll Sun 4 Dec 2005 14:24:30 A.SH. 27 661 27,01 K

qopnl.dll Sun 4 Dec 2005 23:32:28 A.SH. 27 661 27,01 K

r8r60i~1.dll Tue 6 Dec 2005 22:03:12 A.S.R 236 980 231,43 K

scgina.dll Thu 8 Dec 2005 21:09:28 A.S.R 236 968 231,41 K

sirenacm.dll Thu 13 Oct 2005 0:11:06 A.... 118 784 116,00 K

ssqpq.dll Mon 5 Dec 2005 22:56:28 A.SH. 27 661 27,01 K

teappcmp.dll Tue 6 Dec 2005 19:46:28 A.S.R 236 968 231,41 K

uorv80a.dll Thu 8 Dec 2005 22:37:26 A.S.R 236 968 231,41 K

urqon.dll Sun 4 Dec 2005 13:02:00 A.SH. 27 661 27,01 K

uurdpa.dll Sun 11 Dec 2005 17:09:00 A.S.R 235 137 229,63 K

vkajet32.dll Mon 5 Dec 2005 22:41:54 A.S.R 236 419 230,88 K

vnpodbc.dll Fri 9 Dec 2005 23:37:08 A.S.R 234 921 229,41 K

vtssq.dll Tue 6 Dec 2005 19:33:12 A.SH. 27 661 27,01 K

vwajet32.dll Sun 11 Dec 2005 17:15:08 A.S.R 236 364 230,82 K

winotify.dll Sun 4 Dec 2005 14:20:52 A.S.R 234 272 228,78 K

wvhfr.dll Sat 10 Dec 2005 0:29:44 A.S.R 234 956 229,45 K

wvwtt.dll Sun 4 Dec 2005 16:04:34 A.SH. 27 661 27,01 K

65 items found: 65 files (60 H/S), 0 directories.

Total of file sizes: 13 284 463 bytes 12,67 M

Locate .tmp files:

C:\WINDOWS\SYSTEM32\

xxxyb.tmp Sun 11 Dec 2005 23:56:46 ..SH. 373 742 364,98 K

1 item found: 1 file (1 H/S), 0 directories.

Total of file sizes: 373 742 bytes 364,98 K

**********************************************************************************

Directory Listing of system files:

Le volume dans le lecteur C n'a pas de nom.

Le num‚ro de s‚rie du volume est DC61-48BB

R‚pertoire de C:\WINDOWS\System32

12/12/2005 00:37 373ÿ742 xxxyb.ini2

11/12/2005 23:56 373ÿ742 xxxyb.tmp

11/12/2005 23:46 373ÿ099 xxxyb.bak1

11/12/2005 23:39 234ÿ353 ksdes.dll

11/12/2005 23:16 234ÿ353 m0rmla911d.dll

11/12/2005 22:24 234ÿ353 lvns0957e.dll

11/12/2005 22:14 234ÿ353 m4ls0e37eh.dll

11/12/2005 20:38 234ÿ361 l0p2la7o1d.dll

11/12/2005 19:19 234ÿ361 mvdtctm.dll

11/12/2005 19:15 234ÿ353 l82s0if7e82.dll

11/12/2005 18:39 234ÿ353 kcdhe.dll

11/12/2005 18:34 <REP> dllcache

11/12/2005 17:15 236ÿ364 vwajet32.dll

11/12/2005 17:12 234ÿ353 maoa.dll

11/12/2005 17:08 235ÿ137 uurdpa.dll

11/12/2005 14:41 234ÿ353 fnntext.dll

11/12/2005 13:10 234ÿ353 mql_hp.dll

11/12/2005 13:04 233ÿ508 m8rm0i91e8.dll

11/12/2005 12:23 233ÿ508 iZssam.dll

10/12/2005 10:19 234ÿ978 n0p4la7q1d.dll

10/12/2005 10:13 233ÿ480 gttuname.dll

10/12/2005 10:13 234ÿ664 l48mlel11hq.dll

10/12/2005 09:56 235ÿ790 igseng.dll

10/12/2005 09:26 235ÿ790 ahvpack.dll

10/12/2005 00:34 236ÿ354 n46q0ej5eho.dll

10/12/2005 00:29 234ÿ956 wvhfr.dll

10/12/2005 00:29 235ÿ790 n4l80e3ueh.dll

10/12/2005 00:21 233ÿ807 mknetobj.dll

09/12/2005 23:57 234ÿ921 lqexpand.dll

09/12/2005 23:43 233ÿ807 cugmgr32.dll

09/12/2005 23:37 234ÿ921 vnpodbc.dll

09/12/2005 23:26 233ÿ807 damsvinn.dLL

09/12/2005 23:19 236ÿ968 ir2ml5f11.dll

09/12/2005 17:59 236ÿ968 kmdkaz.dll

08/12/2005 22:37 236ÿ968 uorv80a.dll

08/12/2005 21:55 236ÿ968 pSutoenr.dll

08/12/2005 21:09 236ÿ968 scgina.dll

06/12/2005 22:03 236ÿ980 r8r60i9se8.dll

06/12/2005 21:59 236ÿ980 hqd.dll

06/12/2005 19:46 236ÿ968 teappcmp.dll

06/12/2005 19:33 27ÿ661 vtssq.dll

05/12/2005 23:08 27ÿ661 khfcy.dll

05/12/2005 22:56 27ÿ661 ssqpq.dll

05/12/2005 22:56 234ÿ076 lv2209foe.dll

05/12/2005 22:45 27ÿ661 cbaxw.dll

05/12/2005 22:41 236ÿ419 vkajet32.dll

05/12/2005 22:18 27ÿ661 mljgg.dll

05/12/2005 21:01 27ÿ661 ddaba.dll

05/12/2005 20:56 235ÿ856 dfwsock.dll

05/12/2005 20:05 27ÿ661 efcaw.dll

05/12/2005 19:56 338 xwabc.ini

05/12/2005 19:54 557ÿ108 cbawx.dll

05/12/2005 19:51 27ÿ661 hggda.dll

05/12/2005 19:46 235ÿ912 f8j20i1oe8.dll

04/12/2005 23:45 234ÿ272 ennsl1571.dll

04/12/2005 23:32 27ÿ661 qopnl.dll

04/12/2005 22:39 27ÿ661 hgdcy.dll

04/12/2005 20:50 234ÿ525 f8l00i3me8.dll

04/12/2005 19:38 27ÿ661 fcyax.dll

04/12/2005 18:10 234ÿ272 dCvclnt.dll

04/12/2005 16:04 27ÿ661 wvwtt.dll

04/12/2005 16:01 234ÿ525 cgseqchk.dll

04/12/2005 14:24 27ÿ661 qomjj.dll

04/12/2005 14:20 234ÿ272 winotify.dll

04/12/2005 13:03 <REP> Microsoft

04/12/2005 13:01 27ÿ661 urqon.dll

64 fichier(s) 12ÿ644ÿ661 octets

2 R‚p(s) 4ÿ527ÿ767ÿ552 octets libres

voila !! du charrabia pour moi

au faite dans ms ins config et ms dns service etaient deja arreter mais pas desactivees

alors j'ai seulement desactiver j'espere que j'ai pas fais de betises?

Mark · le 12 décembre 2005

Ca va..

VundoFix ne peut éradiquer son dll à cause de Look2Me, alors nous devons attaquer ce dernier en premier. Prière de bien lire les instructions qui suivent, avant d'appliquer la procédure (histoire de se familiariser un peu..) :

Ferme toutes les applications en cours, car cette étape nécessite un redémarrage.

Du dossier l2mfix situé sur ton Bureau, double-clique l2mfix.bat et choisis l'option #2 pour Run Fix en tapant 2 et ensuite "Entrée". Les icônes du Bureau vont disparaître (tout à fait normal). L2mfix poursuivra le scan et lorsque terminé, il sera prêt à redémarrer le PC. Appuie sur n'importe quelle touche pour redémarrer. Après le redémarrage, un fichier texte devrait apparaître. Copie/colle le contenu de ce rapport dans ta prochaine réponse, et poste un nouveau rapport HijackThis! également.

IMPORTANT: NE PAS lancer d'autres fichiers situés dans le dossier "l2mfix" sans l'avis d'un conseiller ! Ne pas lancer cet outil en mode Sans Échec !!

**Si le fichier texte (rapport) n'apparaît pas au redémarrage, double-clique sur le fichier texte ("log.txt") situé dans le dossier "l2mfix".

herisson38 · le 12 décembre 2005

Bonjour,

voila !! j'ai suivi a la lettre !!!

1ER RAPPORT :

L2mfix Beta 120905

Creating Account.

La commande s'est termin‚e correctement.

Adding Administrative privleges.

Checking for L2MFix account(0=no 1=yes):

1

Granting SeDebugPrivilege to L2MFIX ... successful

Running From:

C:\WINDOWS\system32

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03

Killing PID 532 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03

Killing PID 620 'winlogon.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03

Killing PID 1708 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03

Killing PID 1416 'rundll32.exe'

Granting SeDebugPrivilege to Administrators ... failed (GetAccountSid(Administrators)=1332

Granting SeDebugPrivilege to Administrateurs ... successful

Granting SeDebugPrivilege to Administrat÷rer ... failed (GetAccountSid(Administrat÷rer)=1332

Granting SeDebugPrivilege to Administradores ... failed (GetAccountSid(Administradores)=1332

Granting SeDebugPrivilege to Amministratore ... failed (GetAccountSid(Amministratore)=1332

Granting SeDebugPrivilege to Administratoren ... failed (GetAccountSid(Administratoren)=1332

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!

Backing Up: C:\WINDOWS\system32\ahvpack.dll

1 fichier(s) copi‚(s).

Backing Up: C:\WINDOWS\system32\cgseqchk.dll

1 fichier(s) copi‚(s).

Backing Up: C:\WINDOWS\system32\cugmgr32.dll

1 fichier(s) copi‚(s).

Backing Up: C:\WINDOWS\system32\damsvinn.dLL

1 fichier(s) copi‚(s).

Backing Up: C:\WINDOWS\system32\dCvclnt.dll

1 fichier(s) copi‚(s).

Backing Up: C:\WINDOWS\system32\dfwsock.dll

1 fichier(s) copi‚(s).

Backing Up: C:\WINDOWS\system32\ennsl1571.dll

1 fichier(s) copi‚(s).

Backing Up: C:\WINDOWS\system32\f8j20i1oe8.dll

1 fichier(s) copi‚(s).

Backing Up: C:\WINDOWS\system32\f8l00i3me8.dll

1 fichier(s) copi‚(s).

Backing Up: C:\WINDOWS\system32\fnntext.dll

1 fichier(s) copi‚(s).

Backing Up: C:\WINDOWS\system32\gttuname.dll

1 fichier(s) copi‚(s).

Backing Up: C:\WINDOWS\system32\hqd.dll

1 fichier(s) copi‚(s).

Backing Up: C:\WINDOWS\system32\hrrq0595e.dll

1 fichier(s) copi‚(s).

Backing Up: C:\WINDOWS\system32\igseng.dll

1 fichier(s) copi‚(s).

Backing Up: C:\WINDOWS\system32\ir2ml5f11.dll

1 fichier(s) copi‚(s).

Backing Up: C:\WINDOWS\system32\irnol5531.dll

1 fichier(s) copi‚(s).

Backing Up: C:\WINDOWS\system32\iZssam.dll

1 fichier(s) copi‚(s).

Backing Up: C:\WINDOWS\system32\kcdhe.dll

1 fichier(s) copi‚(s).

Backing Up: C:\WINDOWS\system32\kmdkaz.dll

1 fichier(s) copi‚(s).

Backing Up: C:\WINDOWS\system32\l0p2la7o1d.dll

1 fichier(s) copi‚(s).

Backing Up: C:\WINDOWS\system32\l48mlel11hq.dll

1 fichier(s) copi‚(s).

Backing Up: C:\WINDOWS\system32\lqexpand.dll

1 fichier(s) copi‚(s).

Backing Up: C:\WINDOWS\system32\lv2209foe.dll

1 fichier(s) copi‚(s).

Backing Up: C:\WINDOWS\system32\lvns0957e.dll

1 fichier(s) copi‚(s).

Backing Up: C:\WINDOWS\system32\m0rmla911d.dll

1 fichier(s) copi‚(s).

Backing Up: C:\WINDOWS\system32\m4ls0e37eh.dll

1 fichier(s) copi‚(s).

Backing Up: C:\WINDOWS\system32\m8rm0i91e8.dll

1 fichier(s) copi‚(s).

Backing Up: C:\WINDOWS\system32\maoa.dll

1 fichier(s) copi‚(s).

Backing Up: C:\WINDOWS\system32\mknetobj.dll

1 fichier(s) copi‚(s).

Backing Up: C:\WINDOWS\system32\mql_hp.dll

1 fichier(s) copi‚(s).

Backing Up: C:\WINDOWS\system32\mvdtctm.dll

1 fichier(s) copi‚(s).

Backing Up: C:\WINDOWS\system32\n0p4la7q1d.dll

1 fichier(s) copi‚(s).

Backing Up: C:\WINDOWS\system32\n46q0ej5eho.dll

1 fichier(s) copi‚(s).

Backing Up: C:\WINDOWS\system32\n4l80e3ueh.dll

1 fichier(s) copi‚(s).

Backing Up: C:\WINDOWS\system32\nTl80e3ueh.dll

1 fichier(s) copi‚(s).

Backing Up: C:\WINDOWS\system32\pSutoenr.dll

1 fichier(s) copi‚(s).

Backing Up: C:\WINDOWS\system32\r8r60i9se8.dll

1 fichier(s) copi‚(s).

Backing Up: C:\WINDOWS\system32\scgina.dll

1 fichier(s) copi‚(s).

Backing Up: C:\WINDOWS\system32\teappcmp.dll

1 fichier(s) copi‚(s).

Backing Up: C:\WINDOWS\system32\uorv80a.dll

1 fichier(s) copi‚(s).

Backing Up: C:\WINDOWS\system32\uurdpa.dll

1 fichier(s) copi‚(s).

Backing Up: C:\WINDOWS\system32\vkajet32.dll

1 fichier(s) copi‚(s).

Backing Up: C:\WINDOWS\system32\vnpodbc.dll

1 fichier(s) copi‚(s).

Backing Up: C:\WINDOWS\system32\vwajet32.dll

1 fichier(s) copi‚(s).

Backing Up: C:\WINDOWS\system32\winotify.dll

1 fichier(s) copi‚(s).

Backing Up: C:\WINDOWS\system32\wvhfr.dll

1 fichier(s) copi‚(s).

deleting: C:\WINDOWS\system32\ahvpack.dll

Successfully Deleted: C:\WINDOWS\system32\ahvpack.dll

deleting: C:\WINDOWS\system32\cgseqchk.dll

Successfully Deleted: C:\WINDOWS\system32\cgseqchk.dll

deleting: C:\WINDOWS\system32\cugmgr32.dll

Successfully Deleted: C:\WINDOWS\system32\cugmgr32.dll

deleting: C:\WINDOWS\system32\damsvinn.dLL

Successfully Deleted: C:\WINDOWS\system32\damsvinn.dLL

deleting: C:\WINDOWS\system32\dCvclnt.dll

Successfully Deleted: C:\WINDOWS\system32\dCvclnt.dll

deleting: C:\WINDOWS\system32\dfwsock.dll

Successfully Deleted: C:\WINDOWS\system32\dfwsock.dll

deleting: C:\WINDOWS\system32\ennsl1571.dll

Successfully Deleted: C:\WINDOWS\system32\ennsl1571.dll

deleting: C:\WINDOWS\system32\f8j20i1oe8.dll

Successfully Deleted: C:\WINDOWS\system32\f8j20i1oe8.dll

deleting: C:\WINDOWS\system32\f8l00i3me8.dll

Successfully Deleted: C:\WINDOWS\system32\f8l00i3me8.dll

deleting: C:\WINDOWS\system32\fnntext.dll

Successfully Deleted: C:\WINDOWS\system32\fnntext.dll

deleting: C:\WINDOWS\system32\gttuname.dll

Successfully Deleted: C:\WINDOWS\system32\gttuname.dll

deleting: C:\WINDOWS\system32\hqd.dll

Successfully Deleted: C:\WINDOWS\system32\hqd.dll

deleting: C:\WINDOWS\system32\hrrq0595e.dll

Successfully Deleted: C:\WINDOWS\system32\hrrq0595e.dll

deleting: C:\WINDOWS\system32\igseng.dll

Successfully Deleted: C:\WINDOWS\system32\igseng.dll

deleting: C:\WINDOWS\system32\ir2ml5f11.dll

Successfully Deleted: C:\WINDOWS\system32\ir2ml5f11.dll

deleting: C:\WINDOWS\system32\irnol5531.dll

Successfully Deleted: C:\WINDOWS\system32\irnol5531.dll

deleting: C:\WINDOWS\system32\iZssam.dll

Successfully Deleted: C:\WINDOWS\system32\iZssam.dll

deleting: C:\WINDOWS\system32\kcdhe.dll

Successfully Deleted: C:\WINDOWS\system32\kcdhe.dll

deleting: C:\WINDOWS\system32\kmdkaz.dll

Successfully Deleted: C:\WINDOWS\system32\kmdkaz.dll

deleting: C:\WINDOWS\system32\l0p2la7o1d.dll

Successfully Deleted: C:\WINDOWS\system32\l0p2la7o1d.dll

deleting: C:\WINDOWS\system32\l48mlel11hq.dll

Successfully Deleted: C:\WINDOWS\system32\l48mlel11hq.dll

deleting: C:\WINDOWS\system32\lqexpand.dll

Successfully Deleted: C:\WINDOWS\system32\lqexpand.dll

deleting: C:\WINDOWS\system32\lv2209foe.dll

Successfully Deleted: C:\WINDOWS\system32\lv2209foe.dll

deleting: C:\WINDOWS\system32\lvns0957e.dll

Successfully Deleted: C:\WINDOWS\system32\lvns0957e.dll

deleting: C:\WINDOWS\system32\m0rmla911d.dll

Successfully Deleted: C:\WINDOWS\system32\m0rmla911d.dll

deleting: C:\WINDOWS\system32\m4ls0e37eh.dll

Successfully Deleted: C:\WINDOWS\system32\m4ls0e37eh.dll

deleting: C:\WINDOWS\system32\m8rm0i91e8.dll

Successfully Deleted: C:\WINDOWS\system32\m8rm0i91e8.dll

deleting: C:\WINDOWS\system32\maoa.dll

Successfully Deleted: C:\WINDOWS\system32\maoa.dll

deleting: C:\WINDOWS\system32\mknetobj.dll

Successfully Deleted: C:\WINDOWS\system32\mknetobj.dll

deleting: C:\WINDOWS\system32\mql_hp.dll

Successfully Deleted: C:\WINDOWS\system32\mql_hp.dll

deleting: C:\WINDOWS\system32\mvdtctm.dll

Successfully Deleted: C:\WINDOWS\system32\mvdtctm.dll

deleting: C:\WINDOWS\system32\n0p4la7q1d.dll

Successfully Deleted: C:\WINDOWS\system32\n0p4la7q1d.dll

deleting: C:\WINDOWS\system32\n46q0ej5eho.dll

Successfully Deleted: C:\WINDOWS\system32\n46q0ej5eho.dll

deleting: C:\WINDOWS\system32\n4l80e3ueh.dll

Successfully Deleted: C:\WINDOWS\system32\n4l80e3ueh.dll

deleting: C:\WINDOWS\system32\nTl80e3ueh.dll

Successfully Deleted: C:\WINDOWS\system32\nTl80e3ueh.dll

deleting: C:\WINDOWS\system32\pSutoenr.dll

Successfully Deleted: C:\WINDOWS\system32\pSutoenr.dll

deleting: C:\WINDOWS\system32\r8r60i9se8.dll

Successfully Deleted: C:\WINDOWS\system32\r8r60i9se8.dll

deleting: C:\WINDOWS\system32\scgina.dll

Successfully Deleted: C:\WINDOWS\system32\scgina.dll

deleting: C:\WINDOWS\system32\teappcmp.dll

Successfully Deleted: C:\WINDOWS\system32\teappcmp.dll

deleting: C:\WINDOWS\system32\uorv80a.dll

Successfully Deleted: C:\WINDOWS\system32\uorv80a.dll

deleting: C:\WINDOWS\system32\uurdpa.dll

Successfully Deleted: C:\WINDOWS\system32\uurdpa.dll

deleting: C:\WINDOWS\system32\vkajet32.dll

Successfully Deleted: C:\WINDOWS\system32\vkajet32.dll

deleting: C:\WINDOWS\system32\vnpodbc.dll

Successfully Deleted: C:\WINDOWS\system32\vnpodbc.dll

deleting: C:\WINDOWS\system32\vwajet32.dll

Successfully Deleted: C:\WINDOWS\system32\vwajet32.dll

deleting: C:\WINDOWS\system32\winotify.dll

Successfully Deleted: C:\WINDOWS\system32\winotify.dll

deleting: C:\WINDOWS\system32\wvhfr.dll

Successfully Deleted: C:\WINDOWS\system32\wvhfr.dll

Zipping up files for submission:

zip warning: name not matched: guard.tmp

zip error: Nothing to do! (backup.zip)

adding: Documents and Settings/Seabra Alvaro/Bureau/l2mfix/backregs/notibac.reg (164 bytes security) (deflated 87%)

adding: Documents and Settings/Seabra Alvaro/Bureau/l2mfix/backregs/shell.reg (164 bytes security) (deflated 73%)

Restoring Sedebugprivilege:

Restoring Windows Update Certificates.:

deleting local copy: ahvpack.dll

deleting local copy: cgseqchk.dll

deleting local copy: cugmgr32.dll

deleting local copy: damsvinn.dLL

deleting local copy: dCvclnt.dll

deleting local copy: dfwsock.dll

deleting local copy: ennsl1571.dll

deleting local copy: f8j20i1oe8.dll

deleting local copy: f8l00i3me8.dll

deleting local copy: fnntext.dll

deleting local copy: gttuname.dll

deleting local copy: hqd.dll

deleting local copy: hrrq0595e.dll

deleting local copy: igseng.dll

deleting local copy: ir2ml5f11.dll

deleting local copy: irnol5531.dll

deleting local copy: iZssam.dll

deleting local copy: kcdhe.dll

deleting local copy: kmdkaz.dll

deleting local copy: l0p2la7o1d.dll

deleting local copy: l48mlel11hq.dll

deleting local copy: lqexpand.dll

deleting local copy: lv2209foe.dll

deleting local copy: lvns0957e.dll

deleting local copy: m0rmla911d.dll

deleting local copy: m4ls0e37eh.dll

deleting local copy: m8rm0i91e8.dll

deleting local copy: maoa.dll

deleting local copy: mknetobj.dll

deleting local copy: mql_hp.dll

deleting local copy: mvdtctm.dll

deleting local copy: n0p4la7q1d.dll

deleting local copy: n46q0ej5eho.dll

deleting local copy: n4l80e3ueh.dll

deleting local copy: nTl80e3ueh.dll

deleting local copy: pSutoenr.dll

deleting local copy: r8r60i9se8.dll

deleting local copy: scgina.dll

deleting local copy: teappcmp.dll

deleting local copy: uorv80a.dll

deleting local copy: uurdpa.dll

deleting local copy: vkajet32.dll

deleting local copy: vnpodbc.dll

deleting local copy: vwajet32.dll

deleting local copy: winotify.dll

deleting local copy: wvhfr.dll

The following Is the Current Export of the Winlogon notify key:

****************************************************************************

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\BITS]

"Asynchronous"=dword:00000000

"DllName"="C:\\WINDOWS\\system32\\m0rmla911d.dll"

"Impersonate"=dword:00000000

"Logon"="WinLogon"

"Logoff"="WinLogoff"

"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\byxxx]

"Asynchronous"=dword:00000001

"DllName"="C:\\WINDOWS\\System32\\byxxx.dll"

"Impersonate"=dword:00000000

"Startup"="SysLogon"

"Logoff"="SysLogoff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\

6c,00,00,00

"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\

6c,00,6c,00,00,00

"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]

"DLLName"="cscdll.dll"

"Logon"="WinlogonLogonEvent"

"Logoff"="WinlogonLogoffEvent"

"ScreenSaver"="WinlogonScreenSaverEvent"

"Startup"="WinlogonStartupEvent"

"Shutdown"="WinlogonShutdownEvent"

"StartShell"="WinlogonStartShellEvent"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]

"DLLName"="wlnotify.dll"

"Logon"="SCardStartCertProp"

"Logoff"="SCardStopCertProp"

"Lock"="SCardSuspendCertProp"

"Unlock"="SCardResumeCertProp"

"Enabled"=dword:00000001

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]

"Asynchronous"=dword:00000000

"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\

6c,00,6c,00,00,00

"Impersonate"=dword:00000000

"StartShell"="SchedStartShell"

"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]

"Logoff"="WLEventLogoff"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\

6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]

"DLLName"="WlNotify.dll"

"Lock"="SensLockEvent"

"Logon"="SensLogonEvent"

"Logoff"="SensLogoffEvent"

"Safe"=dword:00000001

"MaxWait"=dword:00000258

"StartScreenSaver"="SensStartScreenSaverEvent"

"StopScreenSaver"="SensStopScreenSaverEvent"

"Startup"="SensStartupEvent"

"Shutdown"="SensShutdownEvent"

"StartShell"="SensStartShellEvent"

"PostShell"="SensPostShellEvent"

"Disconnect"="SensDisconnectEvent"

"Reconnect"="SensReconnectEvent"

"Unlock"="SensUnlockEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]

"Asynchronous"=dword:00000000

"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\

6c,00,6c,00,00,00

"Impersonate"=dword:00000000

"Logoff"="TSEventLogoff"

"Logon"="TSEventLogon"

"PostShell"="TSEventPostShell"

"Shutdown"="TSEventShutdown"

"StartShell"="TSEventStartShell"

"Startup"="TSEventStartup"

"MaxWait"=dword:00000258

"Reconnect"="TSEventReconnect"

"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]

"DLLName"="wlnotify.dll"

"Logon"="RegisterTicketExpiredNotificationEvent"

"Logoff"="UnregisterTicketExpiredNotificationEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]

"DLLName"="wzcdlg.dll"

"Logon"="WZCEventLogon"

"Logoff"="WZCEventLogoff"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000000

The following are the files found:

****************************************************************************

C:\WINDOWS\system32\ahvpack.dll

C:\WINDOWS\system32\cgseqchk.dll

C:\WINDOWS\system32\cugmgr32.dll

C:\WINDOWS\system32\damsvinn.dLL

C:\WINDOWS\system32\dCvclnt.dll

C:\WINDOWS\system32\dfwsock.dll

C:\WINDOWS\system32\ennsl1571.dll

C:\WINDOWS\system32\f8j20i1oe8.dll

C:\WINDOWS\system32\f8l00i3me8.dll

C:\WINDOWS\system32\fnntext.dll

C:\WINDOWS\system32\gttuname.dll

C:\WINDOWS\system32\hqd.dll

C:\WINDOWS\system32\hrrq0595e.dll

C:\WINDOWS\system32\igseng.dll

C:\WINDOWS\system32\ir2ml5f11.dll

C:\WINDOWS\system32\irnol5531.dll

C:\WINDOWS\system32\iZssam.dll

C:\WINDOWS\system32\kcdhe.dll

C:\WINDOWS\system32\kmdkaz.dll

C:\WINDOWS\system32\l0p2la7o1d.dll

C:\WINDOWS\system32\l48mlel11hq.dll

C:\WINDOWS\system32\lqexpand.dll

C:\WINDOWS\system32\lv2209foe.dll

C:\WINDOWS\system32\lvns0957e.dll

C:\WINDOWS\system32\m0rmla911d.dll

C:\WINDOWS\system32\m4ls0e37eh.dll

C:\WINDOWS\system32\m8rm0i91e8.dll

C:\WINDOWS\system32\maoa.dll

C:\WINDOWS\system32\mknetobj.dll

C:\WINDOWS\system32\mql_hp.dll

C:\WINDOWS\system32\mvdtctm.dll

C:\WINDOWS\system32\n0p4la7q1d.dll

C:\WINDOWS\system32\n46q0ej5eho.dll

C:\WINDOWS\system32\n4l80e3ueh.dll

C:\WINDOWS\system32\nTl80e3ueh.dll

C:\WINDOWS\system32\pSutoenr.dll

C:\WINDOWS\system32\r8r60i9se8.dll

C:\WINDOWS\system32\scgina.dll

C:\WINDOWS\system32\teappcmp.dll

C:\WINDOWS\system32\uorv80a.dll

C:\WINDOWS\system32\uurdpa.dll

C:\WINDOWS\system32\vkajet32.dll

C:\WINDOWS\system32\vnpodbc.dll

C:\WINDOWS\system32\vwajet32.dll

C:\WINDOWS\system32\winotify.dll

C:\WINDOWS\system32\wvhfr.dll

Registry Entries that were Deleted:

Please verify that the listing looks ok.

If there was something deleted wrongly there are backups in the backreg folder.

****************************************************************************

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{A3442736-583A-4F68-ACBE-650C04BAA1AB}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{A3442736-583A-4F68-ACBE-650C04BAA1AB}\Implemented Categories]

@=""

[HKEY_CLASSES_ROOT\CLSID\{A3442736-583A-4F68-ACBE-650C04BAA1AB}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{A3442736-583A-4F68-ACBE-650C04BAA1AB}\InprocServer32]

@="C:\\WINDOWS\\system32\\winotify.dll"

"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{16F1002D-7D86-42F1-8770-0E8755BA68F8}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{16F1002D-7D86-42F1-8770-0E8755BA68F8}\Implemented Categories]

@=""

[HKEY_CLASSES_ROOT\CLSID\{16F1002D-7D86-42F1-8770-0E8755BA68F8}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{16F1002D-7D86-42F1-8770-0E8755BA68F8}\InprocServer32]

@="C:\\WINDOWS\\system32\\cgseqchk.dll"

"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{33E8DEDB-D688-4FA1-AE36-744F51269326}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{33E8DEDB-D688-4FA1-AE36-744F51269326}\Implemented Categories]

@=""

[HKEY_CLASSES_ROOT\CLSID\{33E8DEDB-D688-4FA1-AE36-744F51269326}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{33E8DEDB-D688-4FA1-AE36-744F51269326}\InprocServer32]

@="C:\\WINDOWS\\system32\\dCvclnt.dll"

"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{8E1DE036-EF66-4FD6-B3FC-398B782D0ED5}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{8E1DE036-EF66-4FD6-B3FC-398B782D0ED5}\Implemented Categories]

@=""

[HKEY_CLASSES_ROOT\CLSID\{8E1DE036-EF66-4FD6-B3FC-398B782D0ED5}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{8E1DE036-EF66-4FD6-B3FC-398B782D0ED5}\InprocServer32]

@="C:\\WINDOWS\\system32\\dfwsock.dll"

"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{B0F0AAA9-69A6-43E3-A002-0900BA9C4E61}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{B0F0AAA9-69A6-43E3-A002-0900BA9C4E61}\Implemented Categories]

@=""

[HKEY_CLASSES_ROOT\CLSID\{B0F0AAA9-69A6-43E3-A002-0900BA9C4E61}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{B0F0AAA9-69A6-43E3-A002-0900BA9C4E61}\InprocServer32]

@="C:\\WINDOWS\\system32\\vkajet32.dll"

"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{396075C5-B8F2-423F-A317-E8323C80FA69}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{396075C5-B8F2-423F-A317-E8323C80FA69}\Implemented Categories]

@=""

[HKEY_CLASSES_ROOT\CLSID\{396075C5-B8F2-423F-A317-E8323C80FA69}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{396075C5-B8F2-423F-A317-E8323C80FA69}\InprocServer32]

@="C:\\WINDOWS\\system32\\teappcmp.dll"

"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{59313572-04CB-4296-A477-8AD21B4CBEC4}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{59313572-04CB-4296-A477-8AD21B4CBEC4}\Implemented Categories]

@=""

[HKEY_CLASSES_ROOT\CLSID\{59313572-04CB-4296-A477-8AD21B4CBEC4}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{59313572-04CB-4296-A477-8AD21B4CBEC4}\InprocServer32]

@="C:\\WINDOWS\\system32\\guard.tmp"

"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{806942EE-5FA0-48CB-8201-837C94435456}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{806942EE-5FA0-48CB-8201-837C94435456}\Implemented Categories]

@=""

[HKEY_CLASSES_ROOT\CLSID\{806942EE-5FA0-48CB-8201-837C94435456}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{806942EE-5FA0-48CB-8201-837C94435456}\InprocServer32]

@="C:\\WINDOWS\\system32\\scgina.dll"

"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{DB8067A6-6836-4F0F-AB38-E9E570B91332}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{DB8067A6-6836-4F0F-AB38-E9E570B91332}\Implemented Categories]

@=""

[HKEY_CLASSES_ROOT\CLSID\{DB8067A6-6836-4F0F-AB38-E9E570B91332}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{DB8067A6-6836-4F0F-AB38-E9E570B91332}\InprocServer32]

@="C:\\WINDOWS\\system32\\pSutoenr.dll"

"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{AE2A350D-33AE-4264-AB24-C39DA44959E9}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{AE2A350D-33AE-4264-AB24-C39DA44959E9}\Implemented Categories]

@=""

[HKEY_CLASSES_ROOT\CLSID\{AE2A350D-33AE-4264-AB24-C39DA44959E9}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{AE2A350D-33AE-4264-AB24-C39DA44959E9}\InprocServer32]

@="C:\\WINDOWS\\system32\\uorv80a.dll"

"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{1A133A57-03B5-4945-A142-88B51138DEB8}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{1A133A57-03B5-4945-A142-88B51138DEB8}\Implemented Categories]

@=""

[HKEY_CLASSES_ROOT\CLSID\{1A133A57-03B5-4945-A142-88B51138DEB8}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{1A133A57-03B5-4945-A142-88B51138DEB8}\InprocServer32]

@="C:\\WINDOWS\\system32\\guard.tmp"

"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{B4D3C635-A656-46BD-8316-D58FD52946BA}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{B4D3C635-A656-46BD-8316-D58FD52946BA}\Implemented Categories]

@=""

[HKEY_CLASSES_ROOT\CLSID\{B4D3C635-A656-46BD-8316-D58FD52946BA}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{B4D3C635-A656-46BD-8316-D58FD52946BA}\InprocServer32]

@="C:\\WINDOWS\\system32\\kmdkaz.dll"

"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{DC024900-3F54-4180-834B-93D055B53E48}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{DC024900-3F54-4180-834B-93D055B53E48}\Implemented Categories]

@=""

[HKEY_CLASSES_ROOT\CLSID\{DC024900-3F54-4180-834B-93D055B53E48}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{DC024900-3F54-4180-834B-93D055B53E48}\InprocServer32]

@="C:\\WINDOWS\\system32\\damsvinn.dLL"

"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{E3254A37-8CEC-4F58-A8AB-7553B07883BD}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{E3254A37-8CEC-4F58-A8AB-7553B07883BD}\Implemented Categories]

@=""

[HKEY_CLASSES_ROOT\CLSID\{E3254A37-8CEC-4F58-A8AB-7553B07883BD}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{E3254A37-8CEC-4F58-A8AB-7553B07883BD}\InprocServer32]

@="C:\\WINDOWS\\system32\\lqexpand.dll"

"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{988B51C4-149B-4FEE-975B-293EFE301662}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{988B51C4-149B-4FEE-975B-293EFE301662}\Implemented Categories]

@=""

[HKEY_CLASSES_ROOT\CLSID\{988B51C4-149B-4FEE-975B-293EFE301662}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{988B51C4-149B-4FEE-975B-293EFE301662}\InprocServer32]

@="C:\\WINDOWS\\system32\\iZssam.dll"

"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{0E7B6F1F-FECD-403E-9C3B-7CE56BAF4F56}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{0E7B6F1F-FECD-403E-9C3B-7CE56BAF4F56}\Implemented Categories]

@=""

[HKEY_CLASSES_ROOT\CLSID\{0E7B6F1F-FECD-403E-9C3B-7CE56BAF4F56}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{0E7B6F1F-FECD-403E-9C3B-7CE56BAF4F56}\InprocServer32]

@="C:\\WINDOWS\\system32\\mql_hp.dll"

"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{4F035F34-7489-450C-9355-399B2CCA7114}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{4F035F34-7489-450C-9355-399B2CCA7114}\Implemented Categories]

@=""

[HKEY_CLASSES_ROOT\CLSID\{4F035F34-7489-450C-9355-399B2CCA7114}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{4F035F34-7489-450C-9355-399B2CCA7114}\InprocServer32]

@="C:\\WINDOWS\\system32\\fnntext.dll"

"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{9F0048CC-0118-4FEB-9E51-3117F58881CF}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{9F0048CC-0118-4FEB-9E51-3117F58881CF}\Implemented Categories]

@=""

[HKEY_CLASSES_ROOT\CLSID\{9F0048CC-0118-4FEB-9E51-3117F58881CF}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{9F0048CC-0118-4FEB-9E51-3117F58881CF}\InprocServer32]

@="C:\\WINDOWS\\system32\\mvdtctm.dll"

"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{880F2FF9-D15B-45E3-B62B-BFEE14092CF6}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{880F2FF9-D15B-45E3-B62B-BFEE14092CF6}\Implemented Categories]

@=""

[HKEY_CLASSES_ROOT\CLSID\{880F2FF9-D15B-45E3-B62B-BFEE14092CF6}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{880F2FF9-D15B-45E3-B62B-BFEE14092CF6}\InprocServer32]

@="C:\\WINDOWS\\system32\\guard.tmp"

"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{350DEE64-F7BB-4699-9CD4-1BDECE32F540}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{350DEE64-F7BB-4699-9CD4-1BDECE32F540}\Implemented Categories]

@=""

[HKEY_CLASSES_ROOT\CLSID\{350DEE64-F7BB-4699-9CD4-1BDECE32F540}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{350DEE64-F7BB-4699-9CD4-1BDECE32F540}\InprocServer32]

@="C:\\WINDOWS\\system32\\nTl80e3ueh.dll"

"ThreadingModel"="Apartment"

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

"{4CCC8988-6CEF-4494-B633-C551730DEB29}"=

"{A3442736-583A-4F68-ACBE-650C04BAA1AB}"=

"{16F1002D-7D86-42F1-8770-0E8755BA68F8}"=

"{33E8DEDB-D688-4FA1-AE36-744F51269326}"=

"{8E1DE036-EF66-4FD6-B3FC-398B782D0ED5}"=

"{B0F0AAA9-69A6-43E3-A002-0900BA9C4E61}"=

"{9FC45132-AAAB-4328-B124-8A5366DFCD81}"=

"{396075C5-B8F2-423F-A317-E8323C80FA69}"=

"{59313572-04CB-4296-A477-8AD21B4CBEC4}"=

"{806942EE-5FA0-48CB-8201-837C94435456}"=

"{DB8067A6-6836-4F0F-AB38-E9E570B91332}"=

"{AE2A350D-33AE-4264-AB24-C39DA44959E9}"=

"{1A133A57-03B5-4945-A142-88B51138DEB8}"=

"{B4D3C635-A656-46BD-8316-D58FD52946BA}"=

"{DC024900-3F54-4180-834B-93D055B53E48}"=

"{E3254A37-8CEC-4F58-A8AB-7553B07883BD}"=

"{988B51C4-149B-4FEE-975B-293EFE301662}"=

"{0E7B6F1F-FECD-403E-9C3B-7CE56BAF4F56}"=

"{4F035F34-7489-450C-9355-399B2CCA7114}"=

"{9F0048CC-0118-4FEB-9E51-3117F58881CF}"=

"{880F2FF9-D15B-45E3-B62B-BFEE14092CF6}"=

"{350DEE64-F7BB-4699-9CD4-1BDECE32F540}"=

[-HKEY_CLASSES_ROOT\CLSID\{4CCC8988-6CEF-4494-B633-C551730DEB29}]

[-HKEY_CLASSES_ROOT\CLSID\{A3442736-583A-4F68-ACBE-650C04BAA1AB}]

[-HKEY_CLASSES_ROOT\CLSID\{16F1002D-7D86-42F1-8770-0E8755BA68F8}]

[-HKEY_CLASSES_ROOT\CLSID\{33E8DEDB-D688-4FA1-AE36-744F51269326}]

[-HKEY_CLASSES_ROOT\CLSID\{8E1DE036-EF66-4FD6-B3FC-398B782D0ED5}]

[-HKEY_CLASSES_ROOT\CLSID\{B0F0AAA9-69A6-43E3-A002-0900BA9C4E61}]

[-HKEY_CLASSES_ROOT\CLSID\{9FC45132-AAAB-4328-B124-8A5366DFCD81}]

[-HKEY_CLASSES_ROOT\CLSID\{396075C5-B8F2-423F-A317-E8323C80FA69}]

[-HKEY_CLASSES_ROOT\CLSID\{59313572-04CB-4296-A477-8AD21B4CBEC4}]

[-HKEY_CLASSES_ROOT\CLSID\{806942EE-5FA0-48CB-8201-837C94435456}]

[-HKEY_CLASSES_ROOT\CLSID\{DB8067A6-6836-4F0F-AB38-E9E570B91332}]

[-HKEY_CLASSES_ROOT\CLSID\{AE2A350D-33AE-4264-AB24-C39DA44959E9}]

[-HKEY_CLASSES_ROOT\CLSID\{1A133A57-03B5-4945-A142-88B51138DEB8}]

[-HKEY_CLASSES_ROOT\CLSID\{B4D3C635-A656-46BD-8316-D58FD52946BA}]

[-HKEY_CLASSES_ROOT\CLSID\{DC024900-3F54-4180-834B-93D055B53E48}]

[-HKEY_CLASSES_ROOT\CLSID\{E3254A37-8CEC-4F58-A8AB-7553B07883BD}]

[-HKEY_CLASSES_ROOT\CLSID\{988B51C4-149B-4FEE-975B-293EFE301662}]

[-HKEY_CLASSES_ROOT\CLSID\{0E7B6F1F-FECD-403E-9C3B-7CE56BAF4F56}]

[-HKEY_CLASSES_ROOT\CLSID\{4F035F34-7489-450C-9355-399B2CCA7114}]

[-HKEY_CLASSES_ROOT\CLSID\{9F0048CC-0118-4FEB-9E51-3117F58881CF}]

[-HKEY_CLASSES_ROOT\CLSID\{880F2FF9-D15B-45E3-B62B-BFEE14092CF6}]

[-HKEY_CLASSES_ROOT\CLSID\{350DEE64-F7BB-4699-9CD4-1BDECE32F540}]

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

****************************************************************************

Desktop.ini Contents:

****************************************************************************

C:\WINDOWS\System32\0E7B6F1F-FECD-403E-9C3B-7CE56BAF4F56.reg

C:\WINDOWS\System32\16F1002D-7D86-42F1-8770-0E8755BA68F8.reg

C:\WINDOWS\System32\1A133A57-03B5-4945-A142-88B51138DEB8.reg

C:\WINDOWS\System32\33E8DEDB-D688-4FA1-AE36-744F51269326.reg

C:\WINDOWS\System32\350DEE64-F7BB-4699-9CD4-1BDECE32F540.reg

C:\WINDOWS\System32\396075C5-B8F2-423F-A317-E8323C80FA69.reg

C:\WINDOWS\System32\4F035F34-7489-450C-9355-399B2CCA7114.reg

C:\WINDOWS\System32\59313572-04CB-4296-A477-8AD21B4CBEC4.reg

C:\WINDOWS\System32\806942EE-5FA0-48CB-8201-837C94435456.reg

C:\WINDOWS\System32\880F2FF9-D15B-45E3-B62B-BFEE14092CF6.reg

C:\WINDOWS\System32\8E1DE036-EF66-4FD6-B3FC-398B782D0ED5.reg

C:\WINDOWS\System32\988B51C4-149B-4FEE-975B-293EFE301662.reg

C:\WINDOWS\System32\9F0048CC-0118-4FEB-9E51-3117F58881CF.reg

C:\WINDOWS\System32\A3442736-583A-4F68-ACBE-650C04BAA1AB.reg

C:\WINDOWS\System32\AE2A350D-33AE-4264-AB24-C39DA44959E9.reg

C:\WINDOWS\System32\B0F0AAA9-69A6-43E3-A002-0900BA9C4E61.reg

C:\WINDOWS\System32\B4D3C635-A656-46BD-8316-D58FD52946BA.reg

C:\WINDOWS\System32\DB8067A6-6836-4F0F-AB38-E9E570B91332.reg

C:\WINDOWS\System32\DC024900-3F54-4180-834B-93D055B53E48.reg

C:\WINDOWS\System32\E3254A37-8CEC-4F58-A8AB-7553B07883BD.reg

Checking for L2MFix account(0=no 1=yes):

0

adding: dlls/ahvpack.dll (164 bytes security) (deflated 5%)

adding: dlls/cgseqchk.dll (164 bytes security) (deflated 4%)

adding: dlls/cugmgr32.dll (164 bytes security) (deflated 4%)

adding: dlls/damsvinn.dLL (164 bytes security) (deflated 4%)

adding: dlls/dCvclnt.dll (164 bytes security) (deflated 4%)

adding: dlls/dfwsock.dll (164 bytes security) (deflated 5%)

adding: dlls/ennsl1571.dll (164 bytes security) (deflated 4%)

adding: dlls/f8j20i1oe8.dll (164 bytes security) (deflated 5%)

adding: dlls/f8l00i3me8.dll (164 bytes security) (deflated 4%)

adding: dlls/fnntext.dll (164 bytes security) (deflated 5%)

adding: dlls/gttuname.dll (164 bytes security) (deflated 4%)

adding: dlls/hqd.dll (164 bytes security) (deflated 5%)

adding: dlls/hrrq0595e.dll (164 bytes security) (deflated 6%)

adding: dlls/igseng.dll (164 bytes security) (deflated 5%)

adding: dlls/ir2ml5f11.dll (164 bytes security) (deflated 5%)

adding: dlls/irnol5531.dll (164 bytes security) (deflated 5%)

adding: dlls/iZssam.dll (164 bytes security) (deflated 4%)

adding: dlls/kcdhe.dll (164 bytes security) (deflated 5%)

adding: dlls/kmdkaz.dll (164 bytes security) (deflated 5%)

adding: dlls/l0p2la7o1d.dll (164 bytes security) (deflated 5%)

adding: dlls/l48mlel11hq.dll (164 bytes security) (deflated 5%)

adding: dlls/lqexpand.dll (164 bytes security) (deflated 5%)

adding: dlls/lv2209foe.dll (164 bytes security) (deflated 4%)

adding: dlls/lvns0957e.dll (164 bytes security) (deflated 5%)

adding: dlls/m0rmla911d.dll (164 bytes security) (deflated 5%)

adding: dlls/m4ls0e37eh.dll (164 bytes security) (deflated 5%)

adding: dlls/m8rm0i91e8.dll (164 bytes security) (deflated 4%)

adding: dlls/maoa.dll (164 bytes security) (deflated 5%)

adding: dlls/mknetobj.dll (164 bytes security) (deflated 4%)

adding: dlls/mql_hp.dll (164 bytes security) (deflated 5%)

adding: dlls/mvdtctm.dll (164 bytes security) (deflated 5%)

adding: dlls/n0p4la7q1d.dll (164 bytes security) (deflated 5%)

adding: dlls/n46q0ej5eho.dll (164 bytes security) (deflated 5%)

adding: dlls/n4l80e3ueh.dll (164 bytes security) (deflated 5%)

adding: dlls/nTl80e3ueh.dll (164 bytes security) (deflated 5%)

adding: dlls/pSutoenr.dll (164 bytes security) (deflated 5%)

adding: dlls/r8r60i9se8.dll (164 bytes security) (deflated 5%)

adding: dlls/scgina.dll (164 bytes security) (deflated 5%)

adding: dlls/teappcmp.dll (164 bytes security) (deflated 5%)

adding: dlls/uorv80a.dll (164 bytes security) (deflated 5%)

adding: dlls/uurdpa.dll (164 bytes security) (deflated 5%)

adding: dlls/vkajet32.dll (164 bytes security) (deflated 5%)

adding: dlls/vnpodbc.dll (164 bytes security) (deflated 5%)

adding: dlls/vwajet32.dll (164 bytes security) (deflated 5%)

adding: dlls/winotify.dll (164 bytes security) (deflated 4%)

adding: dlls/wvhfr.dll (164 bytes security) (deflated 5%)

2EME RAPPORT:

Logfile of HijackThis v1.99.1

Scan saved at 21:07:44, on 12/12/2005

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe

C:\WINDOWS\System32\atievxx.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\WINDOWS\system32\notepad.exe