Winfixer spyware [RESOLVED]


#1
Julien

I cannot remove winfixer. I have read some of the other topics posted on this subject. So here's my HijackThis log; thanks for help!
Logfile of HijackThis v1.99.1
Scan saved at 19:05:17, on 13/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Generic\USB Card Reader Driver v2.2(D)\Disk_Monitor.exe
C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hitware Popup Killer Lite 3\HitwarePKLite.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Julien LOUVEL\Mes documents\Pinnacle Expression\Nouveau dossier (2)\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: RUPK - {604B283A-4E26-4504-98E7-72859F949547} - C:\PROGRA~1\HITWAR~1\sypcms.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\fr\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\fr\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\Generic\USB Card Reader Driver v2.2(D)\Disk_Monitor.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [PMCS] C:\Program Files\Pinnacle\Shared Files\Programs\MediaCenterService\PMC.Service.Main.exe -host -clearDebug
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PMCRemote] C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [HitwarePKLite] C:\Program Files\Hitware Popup Killer Lite 3\HitwarePKLite.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....012/CTSUEng.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1098176184359
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15012/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{35E8A874-554B-41B4-8BD1-55D9BDCF1AF7}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{CC79133D-A03B-4CA7-B4E6-E2A14A7EEB86}: NameServer = 193.54.82.20,193.54.82.25
O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\system32\meidle.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: CWShredder Service - InterMute, Inc. - C:\Documents and Settings\Julien LOUVEL\Mes documents\Pinnacle Expression\Nouveau dossier (2)\CWShredder-1.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

#2
Buckeye_Sam

Hi and welcome to GeeksToGo! My name is Sam and I will be helping you. :tazz:

I apologize for the delay getting to your log, the helpers here are very busy.
If you still need help, please post a fresh Hijack log, in this thread, so I can help you with your Malware Problems.

If you have resolved this issue please let us know.

#3
Julien

here is a new fresh log:
Logfile of HijackThis v1.99.1
Scan saved at 17:53:18, on 17/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Generic\USB Card Reader Driver v2.2(D)\Disk_Monitor.exe
C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\MSN Apps\Updater\01.03.0000.1005\fr\msnappau.exe
C:\Program Files\eMule\emule.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Julien LOUVEL\Mes documents\Pinnacle Expression\Nouveau dossier (2)\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: RUPK - {604B283A-4E26-4504-98E7-72859F949547} - C:\PROGRA~1\HITWAR~1\sypcms.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\fr\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\fr\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\Generic\USB Card Reader Driver v2.2(D)\Disk_Monitor.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [PMCS] C:\Program Files\Pinnacle\Shared Files\Programs\MediaCenterService\PMC.Service.Main.exe -host -clearDebug
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PMCRemote] C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....012/CTSUEng.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1098176184359
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15012/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{35E8A874-554B-41B4-8BD1-55D9BDCF1AF7}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{CC79133D-A03B-4CA7-B4E6-E2A14A7EEB86}: NameServer = 193.54.82.20,193.54.82.25
O20 - Winlogon Notify: App Paths - C:\WINDOWS\system32\meidle.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

thanks a lot!
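As an added example (not from the thread, and not part of HijackThis itself), the script below compares two HijackThis logs such as the two posted above and reports what changed between scans. Besides plain added/removed processes and entries, it pairs O20 Winlogon Notify lines by DLL, which surfaces the one change that matters in this thread: meidle.dll is still loaded in the second log but registered under a different subkey name (ModuleUsage in the first scan, App Paths in the second). The two embedded logs are constructed excerpts of the lines quoted in posts #1 and #3.

```python
import re

# Constructed excerpts of the two logs posted above (posts #1 and #3); only a
# few lines of each are kept so that the script runs stand-alone.
HJT_LOG_1 = r"""Logfile of HijackThis v1.99.1
Scan saved at 19:05:17, on 13/08/2005

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Hitware Popup Killer Lite 3\HitwarePKLite.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

O4 - HKCU\..\Run: [HitwarePKLite] C:\Program Files\Hitware Popup Killer Lite 3\HitwarePKLite.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\system32\meidle.dll
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
"""

HJT_LOG_2 = r"""Logfile of HijackThis v1.99.1
Scan saved at 17:53:18, on 17/08/2005

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\eMule\emule.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O20 - Winlogon Notify: App Paths - C:\WINDOWS\system32\meidle.dll
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
"""

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")          # "O20 - ..." style lines
NOTIFY_RE = re.compile(r"^Winlogon Notify: (.+?) - (.+)$")  # subkey name, DLL


def parse_hjt(text):
    """Split a HijackThis log into its process list and its keyed entries."""
    processes, entries, in_processes = set(), set(), False
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "Running processes:":
            in_processes = True
        elif not line:
            in_processes = False
        elif in_processes:
            processes.add(line.lower())  # Windows paths are case-insensitive
        elif ENTRY_RE.match(line):
            code, body = ENTRY_RE.match(line).groups()
            entries.add((code, body))
    return {"processes": processes, "entries": entries}


def diff_logs(old_text, new_text):
    """Processes and entries that appeared or disappeared between two scans."""
    old, new = parse_hjt(old_text), parse_hjt(new_text)
    return {
        "processes_added": sorted(new["processes"] - old["processes"]),
        "processes_removed": sorted(old["processes"] - new["processes"]),
        "entries_added": sorted(new["entries"] - old["entries"]),
        "entries_removed": sorted(old["entries"] - new["entries"]),
    }


def winlogon_notify_map(text):
    """Lower-cased DLL path -> (subkey name, DLL as written) for each O20 line."""
    result = {}
    for code, body in parse_hjt(text)["entries"]:
        m = NOTIFY_RE.match(body) if code == "O20" else None
        if m:
            result[m.group(2).lower()] = (m.group(1), m.group(2))
    return result


def notify_renames(old_text, new_text):
    """Notify DLLs present in both scans but registered under a new subkey name."""
    old, new = winlogon_notify_map(old_text), winlogon_notify_map(new_text)
    return [(new[d][1], old[d][0], new[d][0])
            for d in sorted(set(old) & set(new)) if old[d][0] != new[d][0]]


if __name__ == "__main__":
    for kind, items in diff_logs(HJT_LOG_1, HJT_LOG_2).items():
        for item in items:
            print(f"{kind}: {item}")
    for dll, before, after in notify_renames(HJT_LOG_1, HJT_LOG_2):
        print(f"O20 subkey {before!r} -> {after!r}, same DLL {dll}")
```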

#4
Buckeye_Sam

Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

#5
Julien

here it is:
L2MFIX find log 1.03c
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Paths]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\meidle.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access AUTORITE NT\SYSTEM
(IO) ALLOW Full access AUTORITE NT\SYSTEM
(NI) ALLOW Full access AUTORITE NT\SYSTEM
(IO) ALLOW Full access AUTORITE NT\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Utilisateurs
(ID-IO) ALLOW Read BUILTIN\Utilisateurs
(ID-NI) ALLOW Full access BUILTIN\Administrateurs
(ID-IO) ALLOW Full access BUILTIN\Administrateurs
(ID-NI) ALLOW Full access AUTORITE NT\SYSTEM
(ID-IO) ALLOW Full access AUTORITE NT\SYSTEM
(ID-IO) ALLOW Full access CREATEUR PROPRIETAIRE


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{79BF320F-9D66-5FBC-EA41-8000A5D15D93}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Feuille de propriétés du fichier multimédia"
"{176d6597-26d3-11d1-b350-080036a75b03}"="Gestion de scanneur ICM"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="Page de sécurité NTFS"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="Page des propriétés de OLE DocFile"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Extensions de l'environnement pour le partage"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Extension Affichage Carte du Panneau de configuration"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Extension Affichage Écran du Panneau de configuration"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Extension Affichage Panorama du Panneau de configuration"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="Page de sécurité DS"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Page de compatibilité"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Gestionnaire de données endommagées de l'environnement"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Extension copie de disquette"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Extensions de l'environnement pour les objets réseau de Microsoft Windows"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="Gestion d'écran ICM"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="Gestion d'imprimante ICM"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Extensions de l'environnement de compression de fichiers"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Extension de l'environnement d'imprimante Web"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Menu contextuel de cryptage"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Porte-documents"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="Extension icône HyperTerminal"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="Profil ICC"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Page de sécurité des imprimantes"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Extensions de l'environnement pour le partage"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Extension de cryptographie PKO"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Extension de cryptographie Sign"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Connexions réseau"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Connexions réseau"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="&Scanneurs et appareils photo"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="&Scanneurs et appareils photo"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="&Scanneurs et appareils photo"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="&Scanneurs et appareils photo"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="&Scanneurs et appareils photo"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Extensions de l'interpréteur de commandes pour l'environnement d'exécution de scripts Windows"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Liaison de données Microsoft"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Tâches planifiées"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Barre des tâches et menu Démarrer"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Rechercher"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Aide et support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Aide et support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Exécuter..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="Courrier électronique"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Polices"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Outils d'administration"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Page de propriétés des versions précédentes"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Versions précédentes"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Barre d'outils Internet Microsoft"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="État du téléchargement"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Dossier Bureau étendu"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Dossier du shell augmenté"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Bande du navigateur Microsoft"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Bande de recherche"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="Volet intégré de recherche"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Recherche Web"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Utilitaire des options de l'arborescence du Registre"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Adresse"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Boîte d'entrée de l'adresse"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Saisie semi-automatique Microsoft"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="Liste de saisie semi-automatique MRU"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Liste de saisie semi-automatique personnalisée MRU"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Barre de progrès auto-ouvrante"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Liste de saisie semi-automatique de l'historique Microsoft"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Liste de saisie semi-automatique du dossier Shell Microsoft"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Conteneur de la liste de saisie semi-automatique multiple Microsoft"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Menu Site de bandes"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Barre du Bureau"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="Assistance utilisateur"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Paramètres du dossier global"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="Historique"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="Image de démarrage de la Suite IE4"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="Dossier ActiveX Cache"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Dossier Inscription"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Gestionnaire d'applications d'environnement"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Énumérateur d'applications installées"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Publication d'application Darwin"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}"="Autoplay for SlideShow"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="Extracteur de miniatures de fichier + GDI"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Gestionnaire de miniatures - Informations de résumé (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="Extracteur de miniatures HTML"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Assistant Publication de sites Web"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Commande d'impressions via le Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Objet Assistant de publication Shell"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Assistant Obtenir une identité Passport"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="Comptes d'utilisateurs"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Dossier Fichiers hors connexion"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="Des &personnes..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{F5D92341-0A64-11D0-9956-0000E8096023}"="CD Copy Shell Extension"
"{F5D92342-0A64-11D0-9956-0000E8096023}"="CD Wizard Shell Extension"
"{F5D92344-0A64-11D0-9956-0000E8096023}"="InstantWrite Shellextension"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{63542C48-9552-494A-84F7-73AA6A7C99C1}"="OpenOffice Property Sheet Handler"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}"="Périphériques Plug and Play universels"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Fichier de chaîne"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Raccourci de chaîne"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
"{2D7EFC99-3383-431E-81DA-0DAC692E5017}"=""
"{211CCD7A-4887-4A8C-B66D-1766C0923698}"=""
"{7EE5C12D-73CE-4B54-B472-4EB28325C0F8}"=""
"{7CA6C884-0FF8-4962-AD1B-0196FC8EE6C5}"=""
"{809492E6-6448-4ECD-95B3-446D9D9D307E}"=""
"{5E2121EE-0300-11D4-8D3B-444553540000}"="Catalyst Context Menu extension"
"{FED7043D-346A-414D-ACD7-550D052499A7}"="dBpowerAMP Music Converter 1"
"{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5}"="dBpowerAMP Music Converter"

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{2D7EFC99-3383-431E-81DA-0DAC692E5017}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2D7EFC99-3383-431E-81DA-0DAC692E5017}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2D7EFC99-3383-431E-81DA-0DAC692E5017}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2D7EFC99-3383-431E-81DA-0DAC692E5017}\InprocServer32]
@="C:\\WINDOWS\\system32\\mmjetoledb40.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{211CCD7A-4887-4A8C-B66D-1766C0923698}]
@=""
"IDEx"="ST015"

[HKEY_CLASSES_ROOT\CLSID\{211CCD7A-4887-4A8C-B66D-1766C0923698}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{211CCD7A-4887-4A8C-B66D-1766C0923698}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{211CCD7A-4887-4A8C-B66D-1766C0923698}\InprocServer32]
@="C:\\WINDOWS\\system32\\mzi.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{7EE5C12D-73CE-4B54-B472-4EB28325C0F8}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7EE5C12D-73CE-4B54-B472-4EB28325C0F8}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7EE5C12D-73CE-4B54-B472-4EB28325C0F8}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7EE5C12D-73CE-4B54-B472-4EB28325C0F8}\InprocServer32]
@="C:\\WINDOWS\\system32\\NKERROR.DLL"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{7CA6C884-0FF8-4962-AD1B-0196FC8EE6C5}]
@=""
"IDEx"="ST"

[HKEY_CLASSES_ROOT\CLSID\{7CA6C884-0FF8-4962-AD1B-0196FC8EE6C5}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7CA6C884-0FF8-4962-AD1B-0196FC8EE6C5}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7CA6C884-0FF8-4962-AD1B-0196FC8EE6C5}\InprocServer32]
@="C:\\WINDOWS\\system32\\dvnhpast.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{809492E6-6448-4ECD-95B3-446D9D9D307E}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{809492E6-6448-4ECD-95B3-446D9D9D307E}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{809492E6-6448-4ECD-95B3-446D9D9D307E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{809492E6-6448-4ECD-95B3-446D9D9D307E}\InprocServer32]
@="C:\\WINDOWS\\system32\\mdroDV2Bmp.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
afdiosrv.dll Tue 12 Jul 2005 4:12:06 ..S.R 417 792 408,00 K
ati2cqag.dll Wed 29 Jun 2005 3:57:38 A.... 208 896 204,00 K
ati2dvag.dll Wed 29 Jun 2005 5:02:16 A.... 232 960 227,50 K
ati2edxx.dll Wed 29 Jun 2005 4:56:58 A.... 39 936 39,00 K
ati2evxx.dll Wed 29 Jun 2005 4:56:48 A.... 46 080 45,00 K
ati3duag.dll Wed 29 Jun 2005 4:47:52 A.... 2 360 736 2,25 M
atiddc.dll Wed 29 Jun 2005 4:55:08 A.... 53 248 52,00 K
atidemgr.dll Wed 29 Jun 2005 7:09:08 A.... 241 664 236,00 K
atiiiexx.dll Wed 29 Jun 2005 7:41:46 A.... 307 200 300,00 K
atikvmag.dll Wed 29 Jun 2005 4:30:10 A.... 143 360 140,00 K
atioglx1.dll Wed 29 Jun 2005 6:26:40 A.... 6 684 672 6,38 M
atioglxx.dll Wed 29 Jun 2005 5:18:36 A.... 4 857 856 4,63 M
atipdlxx.dll Wed 29 Jun 2005 4:57:26 A.... 94 208 92,00 K
atitvo32.dll Wed 29 Jun 2005 4:03:00 A.... 17 408 17,00 K
ativvaxx.dll Wed 29 Jun 2005 4:41:42 A.... 648 000 632,81 K
axicap.dll Tue 12 Jul 2005 4:12:10 ..S.R 417 792 408,00 K
browseui.dll Sun 3 Jul 2005 4:16:40 A.... 1 020 416 996,50 K
cdfview.dll Sun 3 Jul 2005 4:16:40 A.... 152 064 148,50 K
cdm.dll Thu 26 May 2005 4:16:24 A.... 75 544 73,77 K
divx.dll Thu 9 Jun 2005 22:32:28 A.... 692 736 676,50 K
dvnhpast.dll Mon 11 Jul 2005 18:24:10 ..S.R 417 792 408,00 K
gwfspi~1.dll Tue 12 Jul 2005 18:04:22 A.... 23 304 22,76 K
hhsetup.dll Fri 27 May 2005 4:08:06 A.... 41 472 40,50 K
icm32.dll Wed 29 Jun 2005 3:49:42 A.... 254 976 249,00 K
iepeers.dll Sun 3 Jul 2005 4:16:40 A.... 251 392 245,50 K
inseng.dll Sun 3 Jul 2005 4:16:40 A.... 96 768 94,50 K
itircl.dll Fri 27 May 2005 4:08:06 A.... 155 136 151,50 K
itss.dll Fri 27 May 2005 4:08:06 A.... 137 216 134,00 K
iuengine.dll Thu 26 May 2005 4:16:24 A.... 198 424 193,77 K
kedir.dll Tue 12 Jul 2005 1:40:04 ..S.R 417 792 408,00 K
kerberos.dll Wed 15 Jun 2005 19:50:32 A.... 295 936 289,00 K
kgdmlt47.dll Tue 12 Jul 2005 18:24:22 ..S.R 417 792 408,00 K
khdukx.dll Tue 12 Jul 2005 0:20:04 ..S.R 417 792 408,00 K
legitc~1.dll Tue 12 Jul 2005 18:04:22 A.... 520 456 508,26 K
mdrodv~1.dll Tue 16 Aug 2005 18:50:58 ..S.R 417 792 408,00 K
meidle.dll Thu 21 Jul 2005 23:04:58 ..S.R 417 792 408,00 K
micr0st.dll Sun 10 Jul 2005 22:36:02 A.... 4 0,00 K
mmimsg.dll Thu 14 Jul 2005 7:20:34 ..S.R 417 792 408,00 K
mmjeto~1.dll Sun 10 Jul 2005 22:08:14 ..S.R 417 792 408,00 K
mpdimap.dll Tue 12 Jul 2005 7:09:08 ..S.R 417 792 408,00 K
mqdsrv32.dll Tue 12 Jul 2005 17:03:58 ..S.R 417 792 408,00 K
mscms.dll Wed 29 Jun 2005 3:49:42 A.... 74 240 72,50 K
mshtml.dll Wed 20 Jul 2005 4:04:52 A.... 3 012 096 2,87 M
mshtmled.dll Sun 3 Jul 2005 4:16:40 A.... 448 512 438,00 K
mspi.dll Tue 12 Jul 2005 17:03:56 ..... 417 792 408,00 K
msrating.dll Sun 3 Jul 2005 4:16:40 A.... 146 432 143,00 K
mzi.dll Sun 10 Jul 2005 22:08:16 ..S.R 417 792 408,00 K
mzimsg.dll Tue 12 Jul 2005 5:42:06 ..S.R 417 792 408,00 K
mzls31.dll Tue 12 Jul 2005 5:42:10 ..S.R 417 792 408,00 K
nkerror.dll Mon 11 Jul 2005 16:59:38 ..S.R 417 792 408,00 K
oemdspif.dll Wed 29 Jun 2005 4:57:14 A.... 73 728 72,00 K
ofbcbcp.dll Mon 1 Aug 2005 10:49:42 ..S.R 417 792 408,00 K
onbc32.dll Tue 12 Jul 2005 17:05:22 ..S.R 417 792 408,00 K
oubcp32r.dll Tue 12 Jul 2005 3:09:06 ..S.R 417 792 408,00 K
oxfox32.dll Tue 12 Jul 2005 17:05:26 ..S.R 417 792 408,00 K
pngfilt.dll Sun 3 Jul 2005 4:16:40 A.... 39 424 38,50 K
rmcss.dll Sun 10 Jul 2005 22:02:32 ..... 417 792 408,00 K
ropwsx.dll Sun 10 Jul 2005 22:02:34 ..S.R 417 792 408,00 K
shdocvw.dll Sun 3 Jul 2005 4:16:42 A.... 1 484 288 1,41 M
shlwapi.dll Sun 3 Jul 2005 4:16:42 A.... 474 112 463,00 K
sintf16.dll Fri 22 Jul 2005 18:55:38 A.... 12 067 11,78 K
sintf32.dll Fri 22 Jul 2005 18:55:38 A.... 17 212 16,81 K
sintfnt.dll Fri 22 Jul 2005 18:55:38 A.... 21 840 21,33 K
tapisrv.dll Fri 8 Jul 2005 18:28:58 A.... 249 344 243,50 K
umpnpmgr.dll Thu 30 Jun 2005 4:06:30 A.... 119 808 117,00 K
urlmon.dll Sun 3 Jul 2005 4:16:42 A.... 605 696 591,50 K
vuins32.dll Fri 17 Jun 2005 11:41:14 A.... 61 440 60,00 K
wdpcore.dll Mon 11 Jul 2005 23:03:06 ..S.R 417 792 408,00 K
wininet.dll Sun 3 Jul 2005 4:16:42 A.... 662 528 647,00 K
wuapi.dll Thu 26 May 2005 4:16:30 A.... 467 224 456,27 K
wuaueng.dll Thu 26 May 2005 4:16:30 A.... 1 343 768 1,28 M
wuaueng1.dll Thu 26 May 2005 4:16:32 A.... 195 352 190,77 K
wucltui.dll Thu 26 May 2005 4:16:32 A.... 128 792 125,77 K
wups.dll Thu 26 May 2005 4:16:30 A.... 41 240 40,27 K
wups2.dll Thu 26 May 2005 4:16:30 A.... 18 200 17,77 K
wuweb.dll Thu 26 May 2005 4:16:30 A.... 173 536 169,47 K
wxpencen.dll Mon 11 Jul 2005 23:03:12 ..S.R 417 792 408,00 K

77 items found: 77 files (23 H/S), 0 directories.
Total of file sizes: 40 167 747 bytes 38,30 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
guard.tmp Sat 13 Aug 2005 18:46:54 ..S.R 417 792 408,00 K

1 item found: 1 file (1 H/S), 0 directories.
Total of file sizes: 417 792 bytes 408,00 K
**********************************************************************************
Directory Listing of system files:
Le volume dans le lecteur C n'a pas de nom.
Le numéro de série du volume est 2CAD-173D

Répertoire de C:\WINDOWS\System32

16/08/2005 18:50 417 792 mdroDV2Bmp.dll
14/08/2005 09:52 <REP> dllcache
13/08/2005 18:46 417 792 guard.tmp
01/08/2005 10:49 417 792 ofbcbcp.dll
21/07/2005 23:04 417 792 meidle.dll
14/07/2005 07:20 417 792 mmimsg.dll
12/07/2005 18:24 417 792 kgdmlt47.dll
12/07/2005 17:05 417 792 oxfox32.dll
12/07/2005 17:05 417 792 onbc32.dll
12/07/2005 17:03 417 792 mqdsrv32.dll
12/07/2005 07:09 417 792 mpdimap.dll
12/07/2005 05:42 417 792 mzls31.dll
12/07/2005 05:42 417 792 mzimsg.dll
12/07/2005 04:12 417 792 axicap.dll
12/07/2005 04:12 417 792 afdiosrv.dll
12/07/2005 03:09 417 792 oubcp32r.dll
12/07/2005 01:40 417 792 kedir.dll
12/07/2005 00:20 417 792 khdukx.dll
11/07/2005 23:03 417 792 wxpencen.dll
11/07/2005 23:03 417 792 wdpcore.dll
11/07/2005 18:24 417 792 dvnhpast.dll
11/07/2005 16:59 417 792 NKERROR.DLL
10/07/2005 22:08 417 792 mzi.dll
10/07/2005 22:08 417 792 mmjetoledb40.dll
10/07/2005 22:02 417 792 ropwsx.dll
03/07/2005 17:07 56 EA7BE3F911.sys
18/10/2004 16:13 <REP> Microsoft
25 fichier(s) 10 027 064 octets
2 Rép(s) 78 722 007 040 octets libres

#6
Buckeye_Sam

    Malware Expert

  • Member
  • 10,019 posts
Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!

#7
Julien

    New Member

  • Topic Starter
  • Member
  • 5 posts
here's the l2mfix log:
L2Mfix 1.03c

Running From:
C:\Documents and Settings\Julien LOUVEL\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access AUTORITE NT\SYSTEM
(IO) ALLOW Full access AUTORITE NT\SYSTEM
(NI) ALLOW Full access AUTORITE NT\SYSTEM
(IO) ALLOW Full access AUTORITE NT\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Utilisateurs
(ID-IO) ALLOW Read BUILTIN\Utilisateurs
(ID-NI) ALLOW Full access BUILTIN\Administrateurs
(ID-IO) ALLOW Full access BUILTIN\Administrateurs
(ID-NI) ALLOW Full access AUTORITE NT\SYSTEM
(ID-IO) ALLOW Full access AUTORITE NT\SYSTEM
(ID-IO) ALLOW Full access CREATEUR PROPRIETAIRE



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrateurs
(NI) ALLOW Full access AUTORITE NT\SYSTEM
(IO) ALLOW Full access AUTORITE NT\SYSTEM
(NI) ALLOW Full access AUTORITE NT\SYSTEM
(IO) ALLOW Full access AUTORITE NT\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Utilisateurs
(ID-IO) ALLOW Read BUILTIN\Utilisateurs
(ID-NI) ALLOW Full access BUILTIN\Administrateurs
(ID-IO) ALLOW Full access BUILTIN\Administrateurs
(ID-NI) ALLOW Full access AUTORITE NT\SYSTEM
(ID-IO) ALLOW Full access AUTORITE NT\SYSTEM
(ID-IO) ALLOW Full access CREATEUR PROPRIETAIRE



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\Julien LOUVEL\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Julien LOUVEL\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 592 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1104 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\afdiosrv.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\afdiosrv.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\axicap.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\axicap.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\dDdrm.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\dDdrm.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\dvnhpast.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\dvnhpast.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\kedir.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\kedir.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\kgdmlt47.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\kgdmlt47.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\khdukx.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\khdukx.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\meidle.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\meidle.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\mmimsg.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\mmimsg.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\mmjetoledb40.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\mmjetoledb40.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\mpdimap.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\mpdimap.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\mqdsrv32.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\mqdsrv32.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\MSPI.DLL
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\MSPI.DLL
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\mzi.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\mzi.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\mzimsg.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\mzimsg.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\mzls31.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\mzls31.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\NKERROR.DLL
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\NKERROR.DLL
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\ofbcbcp.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\ofbcbcp.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\onbc32.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\onbc32.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\oubcp32r.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\oubcp32r.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\oxfox32.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\oxfox32.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\rmcss.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\rmcss.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\ropwsx.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\ropwsx.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\sjpblb.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\sjpblb.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\wdpcore.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\wdpcore.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\wxpencen.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\wxpencen.dll
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\guard.tmp
1 fichier(s) copié(s).
Backing Up: C:\WINDOWS\system32\guard.tmp
1 fichier(s) copié(s).
deleting: C:\WINDOWS\system32\afdiosrv.dll
Successfully Deleted: C:\WINDOWS\system32\afdiosrv.dll
deleting: C:\WINDOWS\system32\afdiosrv.dll
Successfully Deleted: C:\WINDOWS\system32\afdiosrv.dll
deleting: C:\WINDOWS\system32\axicap.dll
Successfully Deleted: C:\WINDOWS\system32\axicap.dll
deleting: C:\WINDOWS\system32\axicap.dll
Successfully Deleted: C:\WINDOWS\system32\axicap.dll
deleting: C:\WINDOWS\system32\dDdrm.dll
Successfully Deleted: C:\WINDOWS\system32\dDdrm.dll
deleting: C:\WINDOWS\system32\dDdrm.dll
Successfully Deleted: C:\WINDOWS\system32\dDdrm.dll
deleting: C:\WINDOWS\system32\dvnhpast.dll
Successfully Deleted: C:\WINDOWS\system32\dvnhpast.dll
deleting: C:\WINDOWS\system32\dvnhpast.dll
Successfully Deleted: C:\WINDOWS\system32\dvnhpast.dll
deleting: C:\WINDOWS\system32\kedir.dll
Successfully Deleted: C:\WINDOWS\system32\kedir.dll
deleting: C:\WINDOWS\system32\kedir.dll
Successfully Deleted: C:\WINDOWS\system32\kedir.dll
deleting: C:\WINDOWS\system32\kgdmlt47.dll
Successfully Deleted: C:\WINDOWS\system32\kgdmlt47.dll
deleting: C:\WINDOWS\system32\kgdmlt47.dll
Successfully Deleted: C:\WINDOWS\system32\kgdmlt47.dll
deleting: C:\WINDOWS\system32\khdukx.dll
Successfully Deleted: C:\WINDOWS\system32\khdukx.dll
deleting: C:\WINDOWS\system32\khdukx.dll
Successfully Deleted: C:\WINDOWS\system32\khdukx.dll
deleting: C:\WINDOWS\system32\meidle.dll
Successfully Deleted: C:\WINDOWS\system32\meidle.dll
deleting: C:\WINDOWS\system32\meidle.dll
Successfully Deleted: C:\WINDOWS\system32\meidle.dll
deleting: C:\WINDOWS\system32\mmimsg.dll
Successfully Deleted: C:\WINDOWS\system32\mmimsg.dll
deleting: C:\WINDOWS\system32\mmimsg.dll
Successfully Deleted: C:\WINDOWS\system32\mmimsg.dll
deleting: C:\WINDOWS\system32\mmjetoledb40.dll
Successfully Deleted: C:\WINDOWS\system32\mmjetoledb40.dll
deleting: C:\WINDOWS\system32\mmjetoledb40.dll
Successfully Deleted: C:\WINDOWS\system32\mmjetoledb40.dll
deleting: C:\WINDOWS\system32\mpdimap.dll
Successfully Deleted: C:\WINDOWS\system32\mpdimap.dll
deleting: C:\WINDOWS\system32\mpdimap.dll
Successfully Deleted: C:\WINDOWS\system32\mpdimap.dll
deleting: C:\WINDOWS\system32\mqdsrv32.dll
Successfully Deleted: C:\WINDOWS\system32\mqdsrv32.dll
deleting: C:\WINDOWS\system32\mqdsrv32.dll
Successfully Deleted: C:\WINDOWS\system32\mqdsrv32.dll
deleting: C:\WINDOWS\system32\MSPI.DLL
Successfully Deleted: C:\WINDOWS\system32\MSPI.DLL
deleting: C:\WINDOWS\system32\MSPI.DLL
Successfully Deleted: C:\WINDOWS\system32\MSPI.DLL
deleting: C:\WINDOWS\system32\mzi.dll
Successfully Deleted: C:\WINDOWS\system32\mzi.dll
deleting: C:\WINDOWS\system32\mzi.dll
Successfully Deleted: C:\WINDOWS\system32\mzi.dll
deleting: C:\WINDOWS\system32\mzimsg.dll
Successfully Deleted: C:\WINDOWS\system32\mzimsg.dll
deleting: C:\WINDOWS\system32\mzimsg.dll
Successfully Deleted: C:\WINDOWS\system32\mzimsg.dll
deleting: C:\WINDOWS\system32\mzls31.dll
Successfully Deleted: C:\WINDOWS\system32\mzls31.dll
deleting: C:\WINDOWS\system32\mzls31.dll
Successfully Deleted: C:\WINDOWS\system32\mzls31.dll
deleting: C:\WINDOWS\system32\NKERROR.DLL
Successfully Deleted: C:\WINDOWS\system32\NKERROR.DLL
deleting: C:\WINDOWS\system32\NKERROR.DLL
Successfully Deleted: C:\WINDOWS\system32\NKERROR.DLL
deleting: C:\WINDOWS\system32\ofbcbcp.dll
Successfully Deleted: C:\WINDOWS\system32\ofbcbcp.dll
deleting: C:\WINDOWS\system32\ofbcbcp.dll
Successfully Deleted: C:\WINDOWS\system32\ofbcbcp.dll
deleting: C:\WINDOWS\system32\onbc32.dll
Successfully Deleted: C:\WINDOWS\system32\onbc32.dll
deleting: C:\WINDOWS\system32\onbc32.dll
Successfully Deleted: C:\WINDOWS\system32\onbc32.dll
deleting: C:\WINDOWS\system32\oubcp32r.dll
Successfully Deleted: C:\WINDOWS\system32\oubcp32r.dll
deleting: C:\WINDOWS\system32\oubcp32r.dll
Successfully Deleted: C:\WINDOWS\system32\oubcp32r.dll
deleting: C:\WINDOWS\system32\oxfox32.dll
Successfully Deleted: C:\WINDOWS\system32\oxfox32.dll
deleting: C:\WINDOWS\system32\oxfox32.dll
Successfully Deleted: C:\WINDOWS\system32\oxfox32.dll
deleting: C:\WINDOWS\system32\rmcss.dll
Successfully Deleted: C:\WINDOWS\system32\rmcss.dll
deleting: C:\WINDOWS\system32\rmcss.dll
Successfully Deleted: C:\WINDOWS\system32\rmcss.dll
deleting: C:\WINDOWS\system32\ropwsx.dll
Successfully Deleted: C:\WINDOWS\system32\ropwsx.dll
deleting: C:\WINDOWS\system32\ropwsx.dll
Successfully Deleted: C:\WINDOWS\system32\ropwsx.dll
deleting: C:\WINDOWS\system32\sjpblb.dll
Successfully Deleted: C:\WINDOWS\system32\sjpblb.dll
deleting: C:\WINDOWS\system32\sjpblb.dll
Successfully Deleted: C:\WINDOWS\system32\sjpblb.dll
deleting: C:\WINDOWS\system32\wdpcore.dll
Successfully Deleted: C:\WINDOWS\system32\wdpcore.dll
deleting: C:\WINDOWS\system32\wdpcore.dll
Successfully Deleted: C:\WINDOWS\system32\wdpcore.dll
deleting: C:\WINDOWS\system32\wxpencen.dll
Successfully Deleted: C:\WINDOWS\system32\wxpencen.dll
deleting: C:\WINDOWS\system32\wxpencen.dll
Successfully Deleted: C:\WINDOWS\system32\wxpencen.dll
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp


Zipping up files for submission:
adding: afdiosrv.dll (164 bytes security) (deflated 48%)
adding: axicap.dll (164 bytes security) (deflated 48%)
adding: dDdrm.dll (164 bytes security) (deflated 48%)
adding: dvnhpast.dll (164 bytes security) (deflated 48%)
adding: kedir.dll (164 bytes security) (deflated 48%)
adding: kgdmlt47.dll (164 bytes security) (deflated 48%)
adding: khdukx.dll (164 bytes security) (deflated 48%)
adding: meidle.dll (164 bytes security) (deflated 48%)
adding: mmimsg.dll (164 bytes security) (deflated 48%)
adding: mmjetoledb40.dll (164 bytes security) (deflated 48%)
adding: mpdimap.dll (164 bytes security) (deflated 48%)
adding: mqdsrv32.dll (164 bytes security) (deflated 48%)
adding: MSPI.DLL (164 bytes security) (deflated 48%)
adding: mzi.dll (164 bytes security) (deflated 48%)
adding: mzimsg.dll (164 bytes security) (deflated 48%)
adding: mzls31.dll (164 bytes security) (deflated 48%)
adding: NKERROR.DLL (164 bytes security) (deflated 48%)
adding: ofbcbcp.dll (164 bytes security) (deflated 48%)
adding: onbc32.dll (164 bytes security) (deflated 48%)
adding: oubcp32r.dll (164 bytes security) (deflated 48%)
adding: oxfox32.dll (164 bytes security) (deflated 48%)
adding: rmcss.dll (164 bytes security) (deflated 48%)
adding: ropwsx.dll (164 bytes security) (deflated 48%)
adding: sjpblb.dll (164 bytes security) (deflated 48%)
adding: wdpcore.dll (164 bytes security) (deflated 48%)
adding: wxpencen.dll (164 bytes security) (deflated 48%)
adding: guard.tmp (164 bytes security) (deflated 48%)
adding: clear.reg (164 bytes security) (deflated 56%)
adding: echo.reg (164 bytes security) (deflated 8%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 89%)
adding: readme.txt (164 bytes security) (deflated 51%)
adding: report.txt (164 bytes security) (deflated 68%)
adding: test.txt (164 bytes security) (deflated 90%)
adding: test2.txt (164 bytes security) (deflated 36%)
adding: test3.txt (164 bytes security) (deflated 36%)
adding: test5.txt (164 bytes security) (deflated 36%)
adding: xfind.txt (164 bytes security) (deflated 87%)
adding: backregs/211CCD7A-4887-4A8C-B66D-1766C0923698.reg (164 bytes security) (deflated 69%)
adding: backregs/2D7EFC99-3383-431E-81DA-0DAC692E5017.reg (164 bytes security) (deflated 70%)
adding: backregs/7CA6C884-0FF8-4962-AD1B-0196FC8EE6C5.reg (164 bytes security) (deflated 70%)
adding: backregs/7EE5C12D-73CE-4B54-B472-4EB28325C0F8.reg (164 bytes security) (deflated 70%)
adding: backregs/809492E6-6448-4ECD-95B3-446D9D9D307E.reg (164 bytes security) (deflated 70%)
adding: backregs/notibac.reg (164 bytes security) (deflated 87%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access AUTORITE NT\SYSTEM
(IO) ALLOW Full access AUTORITE NT\SYSTEM
(NI) ALLOW Full access AUTORITE NT\SYSTEM
(IO) ALLOW Full access AUTORITE NT\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Utilisateurs
(ID-IO) ALLOW Read BUILTIN\Utilisateurs
(ID-NI) ALLOW Full access BUILTIN\Administrateurs
(ID-IO) ALLOW Full access BUILTIN\Administrateurs
(ID-NI) ALLOW Full access AUTORITE NT\SYSTEM
(ID-IO) ALLOW Full access AUTORITE NT\SYSTEM
(ID-IO) ALLOW Full access CREATEUR PROPRIETAIRE


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... failed (GetAccountSid(Administrators)=1332

Restoring Windows Update Certificates.:

deleting local copy: afdiosrv.dll
deleting local copy: afdiosrv.dll
deleting local copy: axicap.dll
deleting local copy: axicap.dll
deleting local copy: dDdrm.dll
deleting local copy: dDdrm.dll
deleting local copy: dvnhpast.dll
deleting local copy: dvnhpast.dll
deleting local copy: kedir.dll
deleting local copy: kedir.dll
deleting local copy: kgdmlt47.dll
deleting local copy: kgdmlt47.dll
deleting local copy: khdukx.dll
deleting local copy: khdukx.dll
deleting local copy: meidle.dll
deleting local copy: meidle.dll
deleting local copy: mmimsg.dll
deleting local copy: mmimsg.dll
deleting local copy: mmjetoledb40.dll
deleting local copy: mmjetoledb40.dll
deleting local copy: mpdimap.dll
deleting local copy: mpdimap.dll
deleting local copy: mqdsrv32.dll
deleting local copy: mqdsrv32.dll
deleting local copy: MSPI.DLL
deleting local copy: MSPI.DLL
deleting local copy: mzi.dll
deleting local copy: mzi.dll
deleting local copy: mzimsg.dll
deleting local copy: mzimsg.dll
deleting local copy: mzls31.dll
deleting local copy: mzls31.dll
deleting local copy: NKERROR.DLL
deleting local copy: NKERROR.DLL
deleting local copy: ofbcbcp.dll
deleting local copy: ofbcbcp.dll
deleting local copy: onbc32.dll
deleting local copy: onbc32.dll
deleting local copy: oubcp32r.dll
deleting local copy: oubcp32r.dll
deleting local copy: oxfox32.dll
deleting local copy: oxfox32.dll
deleting local copy: rmcss.dll
deleting local copy: rmcss.dll
deleting local copy: ropwsx.dll
deleting local copy: ropwsx.dll
deleting local copy: sjpblb.dll
deleting local copy: sjpblb.dll
deleting local copy: wdpcore.dll
deleting local copy: wdpcore.dll
deleting local copy: wxpencen.dll
deleting local copy: wxpencen.dll
deleting local copy: guard.tmp
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\afdiosrv.dll
C:\WINDOWS\system32\afdiosrv.dll
C:\WINDOWS\system32\axicap.dll
C:\WINDOWS\system32\axicap.dll
C:\WINDOWS\system32\dDdrm.dll
C:\WINDOWS\system32\dDdrm.dll
C:\WINDOWS\system32\dvnhpast.dll
C:\WINDOWS\system32\dvnhpast.dll
C:\WINDOWS\system32\kedir.dll
C:\WINDOWS\system32\kedir.dll
C:\WINDOWS\system32\kgdmlt47.dll
C:\WINDOWS\system32\kgdmlt47.dll
C:\WINDOWS\system32\khdukx.dll
C:\WINDOWS\system32\khdukx.dll
C:\WINDOWS\system32\meidle.dll
C:\WINDOWS\system32\meidle.dll
C:\WINDOWS\system32\mmimsg.dll
C:\WINDOWS\system32\mmimsg.dll
C:\WINDOWS\system32\mmjetoledb40.dll
C:\WINDOWS\system32\mmjetoledb40.dll
C:\WINDOWS\system32\mpdimap.dll
C:\WINDOWS\system32\mpdimap.dll
C:\WINDOWS\system32\mqdsrv32.dll
C:\WINDOWS\system32\mqdsrv32.dll
C:\WINDOWS\system32\MSPI.DLL
C:\WINDOWS\system32\MSPI.DLL
C:\WINDOWS\system32\mzi.dll
C:\WINDOWS\system32\mzi.dll
C:\WINDOWS\system32\mzimsg.dll
C:\WINDOWS\system32\mzimsg.dll
C:\WINDOWS\system32\mzls31.dll
C:\WINDOWS\system32\mzls31.dll
C:\WINDOWS\system32\NKERROR.DLL
C:\WINDOWS\system32\NKERROR.DLL
C:\WINDOWS\system32\ofbcbcp.dll
C:\WINDOWS\system32\ofbcbcp.dll
C:\WINDOWS\system32\onbc32.dll
C:\WINDOWS\system32\onbc32.dll
C:\WINDOWS\system32\oubcp32r.dll
C:\WINDOWS\system32\oubcp32r.dll
C:\WINDOWS\system32\oxfox32.dll
C:\WINDOWS\system32\oxfox32.dll
C:\WINDOWS\system32\rmcss.dll
C:\WINDOWS\system32\rmcss.dll
C:\WINDOWS\system32\ropwsx.dll
C:\WINDOWS\system32\ropwsx.dll
C:\WINDOWS\system32\sjpblb.dll
C:\WINDOWS\system32\sjpblb.dll
C:\WINDOWS\system32\wdpcore.dll
C:\WINDOWS\system32\wdpcore.dll
C:\WINDOWS\system32\wxpencen.dll
C:\WINDOWS\system32\wxpencen.dll
C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{2D7EFC99-3383-431E-81DA-0DAC692E5017}"=-
"{211CCD7A-4887-4A8C-B66D-1766C0923698}"=-
"{7EE5C12D-73CE-4B54-B472-4EB28325C0F8}"=-
"{7CA6C884-0FF8-4962-AD1B-0196FC8EE6C5}"=-
"{809492E6-6448-4ECD-95B3-446D9D9D307E}"=-
[-HKEY_CLASSES_ROOT\CLSID\{2D7EFC99-3383-431E-81DA-0DAC692E5017}]
[-HKEY_CLASSES_ROOT\CLSID\{211CCD7A-4887-4A8C-B66D-1766C0923698}]
[-HKEY_CLASSES_ROOT\CLSID\{7EE5C12D-73CE-4B54-B472-4EB28325C0F8}]
[-HKEY_CLASSES_ROOT\CLSID\{7CA6C884-0FF8-4962-AD1B-0196FC8EE6C5}]
[-HKEY_CLASSES_ROOT\CLSID\{809492E6-6448-4ECD-95B3-446D9D9D307E}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
*************************************************************************

and the HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 17:06:22, on 19/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Generic\USB Card Reader Driver v2.2(D)\Disk_Monitor.exe
C:\Program Files\Pinnacle\Shared Files\Programs\MediaCenterService\PMC.Service.Main.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Julien LOUVEL\Mes documents\Pinnacle Expression\Nouveau dossier (2)\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: RUPK - {604B283A-4E26-4504-98E7-72859F949547} - C:\PROGRA~1\HITWAR~1\sypcms.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\fr\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\fr\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\Generic\USB Card Reader Driver v2.2(D)\Disk_Monitor.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [PMCS] C:\Program Files\Pinnacle\Shared Files\Programs\MediaCenterService\PMC.Service.Main.exe -host -clearDebug
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PMCRemote] C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....012/CTSUEng.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1098176184359
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15012/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{35E8A874-554B-41B4-8BD1-55D9BDCF1AF7}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{CC79133D-A03B-4CA7-B4E6-E2A14A7EEB86}: NameServer = 193.54.82.20,193.54.82.25
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

thanks!
  • 0

#8
Buckeye_Sam

    Malware Expert

  • Member
  • 10,019 posts
Your log looks pretty good to me. How are things running on your end? Any problems still?
  • 0

#9
Julien

    New Member

  • Topic Starter
  • Member
  • 5 posts
no popup anymore! thanks a lot!
  • 0

#10
Buckeye_Sam

    Malware Expert

  • Member
  • 10,019 posts
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Managing Windows Millennium System Restore

    or

    Windows XP System Restore Guide

    Re-enable system restore with instructions from the tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with the program on a regular basis, just as you would with antivirus software, in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:tazz: :)
  • 0

#11
Buckeye_Sam

    Malware Expert

  • Member
  • 10,019 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
