Full Version: MKC001 and other spyware infected !! help !!
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
jfdyon
Hello
I'm infected by mkc001, and I think CWS too.
Spysweeper and Adaware are not efficient at destroying those f..ing spywares. I'm posting the HJT log. Can you help me?
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\SCardSvr.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Lotus\Notes\NLNOTES.EXE
C:\Palm\HOTSYNC.EXE
C:\Program Files\Microsoft Office\Office\1036\msoffice.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\explorer.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ieqw.exe
C:\WINNT\system32\msyq32.exe
C:\WINNT\system32\epl2.exe
C:\WINNT\system32\cmd.exe
C:\Lotus\Notes\NLNOTES.EXE
C:\Palm\palm.exe
C:\Lotus\Notes\nWEB.EXE
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\spyremoval\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\obina.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.fr
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\obina.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = nsproxy.ares.fr:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://intranet;intranet;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {9028785F-208A-2322-82BA-DF9DD786F992} - C:\WINNT\system32\appwr32.dll
O3 - Toolbar: @msdxmLC.dll,-1@1036,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [S3TRAY] S3tray.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Fichiers communs\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [ACUMon] "C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe" -a
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINNT\System32\hphmon03.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [wingr32.exe] C:\WINNT\system32\wingr32.exe
O4 - HKLM\..\Run: [msyq32.exe] C:\WINNT\system32\msyq32.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Raccourci vers OSA9.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.xxxtoolbar.com
O16 - DPF: fdjeux - https://www.fdjeux.net/classes/fdjeux.cab
O16 - DPF: Interface Chat Voila - http://chat4.x-echo.com/Applet/vchatsign.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://195.167.194.77/CFIDE/classes/CFJava.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = agence.toulouse.ares.fr
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = agence.toulouse.ares.fr
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = agence.toulouse.ares.fr
LoPhatPhuud
I need your complete log. It starts with "Logfile..." and goes through the O23 items (if XP).
Current version is 199.1


Please download and install the new version (199.1) from one of the following links:
http://www.computercops.biz/downloads-file-328.html


Run HiJackThis-199.1 and post the new log in this thread.
jfdyon
Here is the latest version of the log file

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\sdkzd32.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Fichiers communs\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe
C:\WINNT\System32\hphmon03.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Microsoft Office\Office\1036\msoffice.exe
C:\Lotus\Notes\NLNOTES.EXE
C:\WINNT\system32\wuauclt.exe
C:\Lotus\Notes\naldaemn.EXE
C:\WINNT\system32\addws32.exe
C:\Lotus\Notes\nhldaemn.EXE
C:\WINNT\explorer.exe
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\spyremoval\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.fr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\wahns.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.fr
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\wahns.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = nsproxy.ares.fr:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://intranet;intranet;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {A5DBCBC9-0122-6667-F9E4-C63B46BD6D04} - C:\WINNT\system32\netgq32.dll
O3 - Toolbar: @msdxmLC.dll,-1@1036,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [S3TRAY] S3tray.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Fichiers communs\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [ACUMon] "C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe" -a
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINNT\System32\hphmon03.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [wingr32.exe] C:\WINNT\system32\wingr32.exe
O4 - HKLM\..\Run: [msyq32.exe] C:\WINNT\system32\msyq32.exe
O4 - HKLM\..\Run: [ipdq32.exe] C:\WINNT\system32\ipdq32.exe
O4 - HKLM\..\Run: [javadi.exe] C:\WINNT\system32\javadi.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Raccourci vers OSA9.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: fdjeux - https://www.fdjeux.net/classes/fdjeux.cab
O16 - DPF: Interface Chat Voila - http://chat4.x-echo.com/Applet/vchatsign.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://195.167.194.77/CFIDE/classes/CFJava.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = agence.toulouse.ares.fr
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = agence.toulouse.ares.fr
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = agence.toulouse.ares.fr
O20 - Winlogon Notify: Internet Settings - C:\WINNT\system32\p08q0al5edq.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver - HP - C:\WINNT\System32\HPHipm09.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 6Q'8) - Unknown owner - C:\WINNT\sdkzd32.exe
jfdyon
With the beginning it's better:

Logfile of HijackThis v1.99.1
Scan saved at 19:06:31, on 28/02/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\sdkzd32.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Fichiers communs\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe
C:\WINNT\System32\hphmon03.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Microsoft Office\Office\1036\msoffice.exe
C:\Lotus\Notes\NLNOTES.EXE
C:\WINNT\system32\wuauclt.exe
C:\Lotus\Notes\naldaemn.EXE
C:\WINNT\system32\addws32.exe
C:\Lotus\Notes\nhldaemn.EXE
C:\WINNT\explorer.exe
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\spyremoval\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.fr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\wahns.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.fr
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\wahns.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = nsproxy.ares.fr:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://intranet;intranet;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {A5DBCBC9-0122-6667-F9E4-C63B46BD6D04} - C:\WINNT\system32\netgq32.dll
O3 - Toolbar: @msdxmLC.dll,-1@1036,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [S3TRAY] S3tray.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Fichiers communs\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [ACUMon] "C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe" -a
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINNT\System32\hphmon03.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [wingr32.exe] C:\WINNT\system32\wingr32.exe
O4 - HKLM\..\Run: [msyq32.exe] C:\WINNT\system32\msyq32.exe
O4 - HKLM\..\Run: [ipdq32.exe] C:\WINNT\system32\ipdq32.exe
O4 - HKLM\..\Run: [javadi.exe] C:\WINNT\system32\javadi.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Raccourci vers OSA9.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: fdjeux - https://www.fdjeux.net/classes/fdjeux.cab
O16 - DPF: Interface Chat Voila - http://chat4.x-echo.com/Applet/vchatsign.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://195.167.194.77/CFIDE/classes/CFJava.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = agence.toulouse.ares.fr
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = agence.toulouse.ares.fr
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = agence.toulouse.ares.fr
O20 - Winlogon Notify: Internet Settings - C:\WINNT\system32\p08q0al5edq.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver - HP - C:\WINNT\System32\HPHipm09.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 6Q'8) - Unknown owner - C:\WINNT\sdkzd32.exe
LoPhatPhuud
First:
1. Download AboutBuster here:
http://www.malwarebytes.biz/AboutBuster.zip

Unzip it to your desktop but don't run it yet; we'll do that later on down in this list in SAFE MODE.

2. Print out these instructions so you have them handy as some of the steps need to be done in safe mode and you may not be able to go online. We need IE to remain closed throughout the process.

3. Make sure your PC is configured to show hidden files

Open Windows Explorer & go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK"

4. Next, go to Start->Run and type "Services.msc" (without quotes) then hit Ok

Scroll down and find the service called 'Network Security Service' or 'Remote Procedure Call (RPC) Helper' or 'Workstation NetLogon Service'. When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

5. Reboot to Safe Mode
How to start the computer in Safe mode
http://service1.symantec.com/SUPPORT/tsgen...001052409420406

6. Scan with Hijack This (current version is 198.2) and put checks next to all the following, then click "Fix Checked".
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\wahns.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.fr
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\wahns.dll/sp.html#37049
R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {A5DBCBC9-0122-6667-F9E4-C63B46BD6D04} - C:\WINNT\system32\netgq32.dll

O4 - HKLM\..\Run: [wingr32.exe] C:\WINNT\system32\wingr32.exe
O4 - HKLM\..\Run: [msyq32.exe] C:\WINNT\system32\msyq32.exe
O4 - HKLM\..\Run: [ipdq32.exe] C:\WINNT\system32\ipdq32.exe
O4 - HKLM\..\Run: [javadi.exe] C:\WINNT\system32\javadi.exe
O4 - Startup: PowerReg Scheduler.exe

O16 - DPF: fdjeux - https://www.fdjeux.net/classes/fdjeux.cab

O20 - Winlogon Notify: Internet Settings - C:\WINNT\system32\p08q0al5edq.dll

O23 - Service: Remote Procedure Call (RPC) Helper ( 6Q'8) - Unknown owner - C:\WINNT\sdkzd32.exe

Delete the following files/folders:
C:\WINNT\sdkzd32.exe
C:\WINNT\system32\addws32.exe
C:\WINNT\system32\wahns.dll
C:\WINNT\system32\netgq32.dll
C:\WINNT\system32\wingr32.exe
C:\WINNT\system32\msyq32.exe
C:\WINNT\system32\ipdq32.exe
C:\WINNT\system32\javadi.exe
C:\WINNT\system32\p08q0al5edq.dll

7. Double click on the AboutBuster tool I had you download earlier. Follow the instruction prompts to use the program and let it do two scans (it will ask). When finished, press the *Save log* button. I will want a copy of that log after all steps are completed here.

8. Scan with Adaware and let it remove any bad files found.

9. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:
Temporary Files
Temporary Internet Files
Recycle Bin

10. Reboot to normal mode, scan again with Hijack This and post a new log here.

11. NOTE: Two, possibly three or four, files may have been deleted from your computer by the hijacker and may need to be replaced.

Control.exe
Shell.dll
SDHelper.dll (if you are using Spybot Search & Destroy)
Hosts file (no extension)

If control.exe, shell.dll or SDHelper is missing
Go here: http://spywareinfo.com/~merijn/winfiles.html and download the needed file.

For a missing Hosts file:
Download Hoster from here: http://members.aol.com/toadbee/hoster.zip
Press 'Restore Original Hosts' and press 'OK'
Exit Program.
Note: if you were using a custom Hosts file you will need to replace any of those entries yourself

If you have Spybot S&D installed and SDHelper.dll is missing, replace it here:
http://www.spywareinfo.com/~merijn/winfiles.html#sdhelper and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)

12. Additionally, please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your ActiveX security settings in IE as recommended.
Quote:

ActiveX controls and plug-ins
* Download signed ActiveX controls (Prompt)
* Download unsigned ActiveX controls (Disable)
* Initialize and script ActiveX controls not marked as safe (Disable)
* Run ActiveX controls and plug-ins (Enabled) (This actually refers to Java and Flash, not ActiveX)
* Script ActiveX controls marked safe for scripting (Prompt)

13. Finally, do an online scan at the following site. Let it remove any infected files found.
Trend Micro (PC-cillin) - Free on-line Scan
http://housecall.antivirus.com


Second:
Download DelDomains.inf from here:

www.mvps.org/winhelp2002/DelDomains.inf

Right-click on the deldomains.inf file and select 'Install'

When it's finished, your IE Zones will be reset. That will make it necessary to re-install protection using SpywareBlaster and to re-install IE/Spyads, if you use them.



Third:
Finally, when you are all done, please post the new HJT log and the AboutBuster log here for review
jfdyon
Hello. I've run the processes you told me.
Here's the final result

Logfile of HijackThis v1.99.1
Scan saved at 11:46:32, on 01/03/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Fichiers communs\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\System32\hphmon03.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Microsoft Office\Office\1036\msoffice.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\spyremoval\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.fr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.fr
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = nsproxy.ares.fr:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://intranet;intranet;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O3 - Toolbar: @msdxmLC.dll,-1@1036,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [S3TRAY] S3tray.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Fichiers communs\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [ACUMon] "C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe" -a
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINNT\System32\hphmon03.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Startup: Raccourci vers OSA9.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: fdjeux - https://www.fdjeux.net/classes/fdjeux.cab
O16 - DPF: Interface Chat Voila - http://chat4.x-echo.com/Applet/vchatsign.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://195.167.194.77/CFIDE/classes/CFJava.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = agence.toulouse.ares.fr
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = agence.toulouse.ares.fr
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = agence.toulouse.ares.fr
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: Run Once - C:\WINNT\system32\jt6807jue.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver - HP - C:\WINNT\System32\HPHipm09.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
LoPhatPhuud
First:
Download DelDomains.inf from here:

www.mvps.org/winhelp2002/DelDomains.inf

Right-click on the deldomains.inf file and select 'Install'

When it's finished, your IE Zones will be reset. That will make it necessary to re-install protection using SpywareBlaster and to re-install IE/Spyads, if you use them.


Second:

At last, your system is clean and free of spyware! Want to keep it that way?

Here are some simple steps you can take to reduce the chance of infection in the future.

1. Visit Windows Update:
Make sure that you have all the Critical Updates recommended for your operating system and Internet Explorer. The first defense against infection is a properly patched Operating System.
a. Windows Update: http://v5.windowsupdate.microsoft.com/en/default.asp

2. Adjust your security settings for ActiveX:
Select Internet Options from the Control Panels, or from Internet Explorer (Tools -> Internet Options)
Press 'default level', then OK
Now press "Custom Level."

In the ActiveX controls and plug-ins section set these options:
'Download signed ActiveX controls' - Prompt
'Download unsigned ActiveX controls' - Disable
'Initialize and script ActiveX controls not marked as safe' - Disable

(All other options accept the default)

3. Download and install the following free programs
a. SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html
b. IE/Spyad: https://netfiles.uiuc.edu/ehowes/www/resource.htm
c. BHODemon: http://www.definitivesolutions.com/bhodemon.htm
d. Bugoff: http://castlecops.com/downloads-file-374.html

4. Install Spyware Detection and Removal Programs:
You may also want to consider installing one of the following:
a. Microsoft AntiSpyware: http://www.microsoft.com/athome/security/s...re/default.mspx
b. Spybot S&D: http://security.kolla.de/index.php?lang=en&page=download
c. AdAware: http://www.lavasoft.de/ Due to AdAware's recent decision to remove WhenU from its detection database, only to quickly add it back in response to public outcry I can no longer recommend this product as a first line of defense. For those interested, here is a link to discussion regarding this: http://www.dslreports.com/forum/remark,12665642~mode=flat

Use these programs to regularly scan your system for and remove many forms of spyware/malware. I recommend and use Microsoft AntiSpyware.

If you use, or plan on using, additional spyware/malware detection and/or removal programs, please check Items 8 and 9.

5. Install 'Spoofstick'
Spoofstick is a simple browser extension that helps users detect spoofed (fake) websites. This extension is free and installs in Internet Explorer and Mozilla Firefox.
a. http://www.corestreet.com/spoofstick

6. Reset System Restore
If you are using Windows ME or Windows XP, please reset your System Restore. See Windows help for information.

7. Clean Temporary Files and Folders
Double Click My Computer (WinXP: Navigate to Start --->My Computer)
You will see an icon representing your harddrive (most likely C: Drive) Right Click on the hard drive icon and click Properties at the bottom of the fly out window. On the very first tab (General) you will see a button labeled "Disk Cleanup"...click that button.

Make sure the following are checked:
Downloaded Program Files
Temporary Internet Files and
Recycle Bin


Click OK and Disk Cleanup will delete those files for you.

8. Rogue/Suspect Anti-Spyware
Before using or purchasing any Spyware/Malware protection/removal program, always check the Rogue/Suspect Spyware List. It will save you a lot of grief, as well as money if you are thinking of purchasing. Here is the link: http://www.spywarewarrior.com/rogue_anti-spyware.htm

9. Anti-Spyware Programs Compared
Want to know just how effective your anti-spyware program is? Wonder how well any of the "rogue" programs listed above work? Check this link for an independent comparison of several anti-spyware programs: http://www.spywarewarrior.com/asw-test-guide.htm

10. Alternate Browser
Consider using an alternate browser as your default. I recommend and use Firefox as my primary browser. It is still necessary to keep Internet Explorer current and protected in order to use Windows Update.


For more information about Spyware, the tools available, and other informative material, including information on how you may have been infected in the first place, please check out this link: http://forum.gladiator-antivirus.com/index...?showtopic=9857

"It is your responsibility to read and adhere to the End User Licensing Agreement (EULA) of all software and services mentioned."

Good luck, and thanks for coming to our forums for help with your security and malware issues.
LoPhatPhuud
Missed one!!


First:
Before we begin, please be sure that HiJackThis is in its own folder. This will allow us to use backups to restore entries if necessary. Please do not put HiJackThis in a temporary folder, or on the Desktop. I suggest using 'C:\Program Files\Hijackthis\' or C:\HiJackThis\, but any name you choose is fine.

Reboot in Safe Mode* and run HiJackThis. <-- IMPORTANT

Check the following items in HijackThis.
(note: If any R* items do not appear in Safe Mode, re-run HiJackThis in Normal Mode and remove them after you finish removing these items.)
O20 - Winlogon Notify: Run Once - C:\WINNT\system32\jt6807jue.dll

Close all windows except HijackThis and click Fix checked.

While still in Safe Mode*, delete the following: (you may need to show hidden files**)
(Files specified without a full path will be located in C:\Windows\ or C:\Windows\System32\)

C:\WINNT\system32\jt6807jue.dll

*How to Boot into Safe mode: http://service1.symantec.com/SUPPORT/tsgen...001052409420406
**Show Hidden and System files and folders: http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Also, uncheck the boxes for hiding known file extensions and hiding protected operating system files. We want to see it all. When we finish here, it would be a good idea to rehide the protected operating system files but leave the rest to be shown.

Reboot in normal mode

Run HiJackThis again and post a new log in this thread.


Second:
Download DLLCompare from here:
http://www.downloads.subratam.org/DllCompare.exe

Copy the program to its own folder and double click on it.
Press the 'Run Locate.com' button

That should finish quickly, then:
Press the 'Compare' button.

That will run for a while longer.

When it is finished, press the 'Make A Log of What was Found' button
and post the log in this thread.

Press 'Exit' to quit program.
jfdyon
Hello
When I try to delete the dll, my system tells me "the file can not be deleted, is in use"... what can I do ?
LoPhatPhuud
Were you in Safe Mode when you tried to delete the dll??

Did you remove the O20 entry?
jfdyon
I was in safe mode with network support.
I tried with standard safe mode. Same problem.
Each time I reboot, HJT shows a new O20 entry (the DLL name is changing).
LoPhatPhuud
First:
Please copy the text in the box below to Notepad and save it to your desktop as reginfo.bat.
CODE
regedit /e reginfo.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
start notepad.exe reginfo.txt
exit

Double-click on the reginfo.bat file, and it will run and create a text document on your desktop which will open in Notepad.

Copy and paste the contents of that entire file in this thread.


Second:
Download DLLCompare from here:
http://www.downloads.subratam.org/DllCompare.exe

Copy the program to its own folder and double click on it.
Press the 'Run Locate.com' button

That should finish quickly, then:
Press the 'Compare' button.

That will run for a while longer.

When it is finished, press the 'Make A Log of What was Found' button
and post the log in this thread.

Press 'Exit' to quit program.


Third:
Please download the following Zip archive:
http://www.silentrunners.org/Silent%20Runners.zip

Unzip the archive to your desktop and double click on the VBS file.
(If your AntiVirus alerts, allow the script to run.)

Once finished, the script will save a Notepad document to your Desktop.

Copy and paste the contents of that text file in this thread.
jfdyon
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"Logoff"="NavLogoffEvent"
"StartShell"="NavStartShellEvent"
"DllName"="C:\\WINNT\\system32\\NavLogon.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnceEx]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\l8p20i7oe8.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000
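The Winlogon\Notify export above can also be read programmatically. The following is an added example, not part of the original thread and not code from any tool named in it: it parses two regedit exports, decodes the `hex(2)` DllName values, and reports Notify subkeys that appear, disappear or change between snapshots, which is the symptom described earlier (a different DLL name after each reboot). The "before" snapshot is constructed from the O20 line quoted in the thread; its value names and the function names are assumptions.

```python
# Compare two regedit "Version 5.00" exports of Winlogon\Notify (added example).
import re

NOTIFY_PREFIX = "\\winlogon\\notify\\"


def decode_value(raw):
    """Decode the right-hand side of one value line from a .reg export."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        # REG_SZ: regedit escapes backslashes and quotes with a backslash.
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    m = re.match(r"hex(?:\(([0-9a-fA-F]+)\))?:(.*)$", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if m.group(1) in ("1", "2"):  # REG_SZ / REG_EXPAND_SZ stored as UTF-16LE
            return data.decode("utf-16-le").rstrip("\x00")
        return data
    return raw


def parse_reg_export(text):
    """Return {key_path: {value_name: decoded_value}} for a .reg export."""
    # Long hex data is wrapped with a trailing backslash; join those lines first.
    joined = re.sub(r"\\\r?\n\s*", "", text)
    keys, current = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                current[m.group(1)] = decode_value(m.group(2))
    return keys


def notify_dlls(keys):
    """Map each direct Notify subkey to its DllName (value name is case-insensitive)."""
    result = {}
    for path, values in keys.items():
        idx = path.lower().find(NOTIFY_PREFIX)
        if idx == -1:
            continue
        subkey = path[idx + len(NOTIFY_PREFIX):]
        if not subkey or "\\" in subkey:
            continue
        result[subkey] = next(
            (v for n, v in values.items() if n.lower() == "dllname"), None)
    return result


def diff_notify(before_text, after_text):
    """List (status, subkey, old_dll, new_dll) for entries that differ."""
    before = notify_dlls(parse_reg_export(before_text))
    after = notify_dlls(parse_reg_export(after_text))
    report = []
    for name in sorted(set(before) | set(after), key=str.lower):
        old, new = before.get(name), after.get(name)
        if name not in before:
            report.append(("added", name, None, new))
        elif name not in after:
            report.append(("removed", name, old, None))
        elif str(old).lower() != str(new).lower():
            report.append(("changed", name, old, new))
    return report


# Constructed "before" snapshot: subkey and DLL taken from the O20 line in the
# thread; the other value names are assumed to match the later export.
BEFORE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"DllName"="C:\\WINNT\\system32\\NavLogon.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run Once]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\jt6807jue.dll"
"""

# "After" snapshot: three subkeys trimmed from the export posted in the thread.
AFTER_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"DllName"="C:\\WINNT\\system32\\NavLogon.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnceEx]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\l8p20i7oe8.dll"
"""

if __name__ == "__main__":
    for status, subkey, old, new in diff_notify(BEFORE_EXPORT, AFTER_EXPORT):
        print(f"{status:8} {subkey:12} {old} -> {new}")
```
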
jfdyon
* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINNT\SYSTEM32\asycfilt.dll Thu 19 Jun 2003 12:05:04 A.SH. 143 632 140,27 K
C:\WINNT\SYSTEM32\axdds.dll Wed 2 Mar 2005 15:02:56 ..S.R 225 672 220,38 K
C:\WINNT\SYSTEM32\bzbvt.dll Tue 23 Nov 2004 20:17:26 A.SH. 55 808 54,50 K
C:\WINNT\SYSTEM32\cfbjmon.dll Mon 3 Jan 2005 8:59:30 ..S.R 222 844 217,62 K
C:\WINNT\SYSTEM32\cjfgnt.dll Mon 10 Jan 2005 8:52:54 ..S.R 224 105 218,85 K
C:\WINNT\SYSTEM32\coseqchk.dll Fri 10 Dec 2004 10:10:16 ..S.R 225 267 219,98 K
C:\WINNT\SYSTEM32\ctdptpu.dll Thu 25 Nov 2004 15:40:12 ..S.R 225 267 219,98 K
C:\WINNT\SYSTEM32\dequery.dll Fri 3 Dec 2004 9:51:18 ..S.R 225 267 219,98 K
C:\WINNT\SYSTEM32\donwsock.dll Mon 24 Jan 2005 10:17:14 ..S.R 224 471 219,21 K
C:\WINNT\SYSTEM32\dwound3d.dll Wed 2 Mar 2005 12:17:04 ..S.R 225 975 220,68 K
C:\WINNT\SYSTEM32\ebxfp.dll Tue 30 Nov 2004 22:16:34 A.SH. 56 320 55,00 K
C:\WINNT\SYSTEM32\en40l1~1.dll Mon 31 Jan 2005 9:11:46 ..S.R 224 471 219,21 K
C:\WINNT\SYSTEM32\fdwkh.dll Thu 23 Dec 2004 21:36:12 A.SH. 55 808 54,50 K
C:\WINNT\SYSTEM32\fprka.dll Wed 10 Nov 2004 8:50:22 A.SH. 56 320 55,00 K
C:\WINNT\SYSTEM32\fqnai.dll Mon 29 Nov 2004 15:38:12 A.SH. 56 320 55,00 K
C:\WINNT\SYSTEM32\hsuic.dll Wed 15 Dec 2004 8:56:18 A.SH. 56 320 55,00 K
C:\WINNT\SYSTEM32\i2060c~1.dll Tue 1 Mar 2005 11:23:46 ..S.R 222 906 217,68 K
C:\WINNT\SYSTEM32\i260lc~1.dll Mon 24 Jan 2005 10:08:54 ..S.R 224 316 219,06 K
C:\WINNT\SYSTEM32\iteu32.dll Thu 30 Dec 2004 10:08:12 ..S.R 222 844 217,62 K
C:\WINNT\SYSTEM32\j6n2lg~1.dll Mon 31 Jan 2005 8:42:04 ..S.R 225 727 220,43 K
C:\WINNT\SYSTEM32\jt0m07~1.dll Wed 23 Feb 2005 18:25:38 ..S.R 225 779 220,48 K
C:\WINNT\SYSTEM32\jtp607~1.dll Fri 14 Jan 2005 15:04:18 ..S.R 224 993 219,72 K
C:\WINNT\SYSTEM32\kbaud.dll Fri 19 Nov 2004 3:22:48 A.SH. 56 320 55,00 K
C:\WINNT\SYSTEM32\l8p20i~1.dll Wed 2 Mar 2005 15:13:38 ..S.R 225 672 220,38 K
C:\WINNT\SYSTEM32\lv2209~1.dll Fri 4 Mar 2005 9:07:36 ..S.R 225 975 220,68 K
C:\WINNT\SYSTEM32\mctime.dll Mon 31 Jan 2005 8:42:08 ..S.R 224 471 219,21 K
C:\WINNT\SYSTEM32\mfc42.dll Thu 19 Jun 2003 12:05:04 A.SH. 1 015 859 992,05 K
C:\WINNT\SYSTEM32\mfc42loc.dll Thu 16 Dec 1999 9:00:00 A.SH. 57 344 56,00 K
C:\WINNT\SYSTEM32\mfshn.dll Wed 1 Dec 2004 4:07:46 A.SH. 56 320 55,00 K
C:\WINNT\SYSTEM32\mrasn1.dll Thu 16 Dec 2004 11:16:08 ..S.R 225 267 219,98 K
C:\WINNT\SYSTEM32\mrcfh32.dll Thu 23 Dec 2004 9:56:46 ..S.R 222 844 217,62 K
C:\WINNT\SYSTEM32\msfxmod.dll Tue 11 Jul 1995 9:50:00 A..H. 1 024 1,00 K
C:\WINNT\SYSTEM32\msvcirt.dll Thu 16 Dec 1999 9:00:00 ..SH. 77 878 76,05 K
C:\WINNT\SYSTEM32\msvcp60.dll Tue 29 Aug 2000 1:19:16 A.SH. 401 462 392,05 K
C:\WINNT\SYSTEM32\msvcrt.dll Thu 19 Jun 2003 12:05:04 A.SH. 286 773 280,05 K
C:\WINNT\SYSTEM32\msvcrt20.dll Thu 16 Dec 1999 9:00:00 A.SH. 253 952 248,00 K
C:\WINNT\SYSTEM32\mzcsubs.dll Wed 23 Feb 2005 18:25:38 ..S.R 225 672 220,38 K
C:\WINNT\SYSTEM32\nomkcert.dll Tue 1 Mar 2005 11:41:08 ..S.R 225 672 220,38 K
C:\WINNT\SYSTEM32\obina.dll Mon 21 Feb 2005 6:10:38 A.SH. 64 000 62,50 K
C:\WINNT\SYSTEM32\oleaut32.dll Thu 19 Jun 2003 12:05:04 A.SH. 626 960 612,27 K
C:\WINNT\SYSTEM32\olepro32.dll Thu 19 Jun 2003 12:05:04 A.SH. 164 112 160,27 K
C:\WINNT\SYSTEM32\phustab.dll Mon 7 Feb 2005 9:06:40 ..S.R 224 471 219,21 K
C:\WINNT\SYSTEM32\pirfdisk.dll Fri 4 Mar 2005 9:22:50 ..S.R 225 672 220,38 K
C:\WINNT\SYSTEM32\pwofmap.dll Wed 23 Feb 2005 17:51:56 ..S.R 225 672 220,38 K
C:\WINNT\SYSTEM32\q4rq0e~1.dll Thu 30 Dec 2004 10:08:08 ..S.R 223 438 218,20 K
C:\WINNT\SYSTEM32\rsayu.dll Thu 18 Nov 2004 3:34:44 A.SH. 56 320 55,00 K
C:\WINNT\SYSTEM32\sjbrsrc.dll Wed 2 Mar 2005 9:27:20 ..S.R 225 672 220,38 K
C:\WINNT\SYSTEM32\srnscfg.dll Wed 23 Feb 2005 18:21:14 ..S.R 224 471 219,21 K
C:\WINNT\SYSTEM32\ttolhelp.dll Mon 14 Feb 2005 8:54:58 ..S.R 224 471 219,21 K
C:\WINNT\SYSTEM32\uspeu.dll Mon 28 Feb 2005 9:23:04 ..S.R 225 672 220,38 K
C:\WINNT\SYSTEM32\uupeu.dll Fri 7 Jan 2005 7:45:30 A.SH. 70 144 68,50 K
C:\WINNT\SYSTEM32\vbajet32.dll Thu 19 Jun 2003 12:05:04 A.SH. 30 749 30,03 K
C:\WINNT\SYSTEM32\vswfo.dll Tue 21 Dec 2004 1:15:20 A.SH. 55 808 54,50 K
C:\WINNT\SYSTEM32\werhx.dll Tue 30 Nov 2004 13:24:24 A.SH. 56 320 55,00 K
C:\WINNT\SYSTEM32\wnvcore.dll Fri 4 Mar 2005 9:04:36 ..S.R 225 975 220,68 K
C:\WINNT\SYSTEM32\xrwjs.dll Thu 18 Nov 2004 19:29:20 A.SH. 56 320 55,00 K
C:\WINNT\SYSTEM32\zqbjp.dll Mon 22 Nov 2004 2:08:52 A.SH. 56 320 55,00 K
________________________________________________

1 302 items found: 1 302 files (57 H/S), 0 directories.
Total of file sizes: 213 270 853 bytes 203,39 M

Administrator Account = Vrai

--------------------End log---------------------
jfdyon
"Silent Runners.vbs", revision 32, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SpySweeper" = ""C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0" ["Webroot Software, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"S3TRAY" = "S3tray.exe" ["S3 Incorporated."]
"LVCOMS" = "C:\Program Files\Fichiers communs\Logitech\QCDriver3\LVCOMS.EXE" ["Logitech Inc."]
"ACUMon" = ""C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe" -a" ["Cisco Systems, Inc."]
"HPDJ Taskbar Utility" = "C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe" ["HP"]
"HPHmon03" = "C:\WINNT\System32\hphmon03.exe" ["Hewlett-Packard"]
"CXMon" = ""C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"" ["Hewlett-Packard Company"]
"vptray" = "C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extension Affichage Panorama du Panneau de configuration"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{506F4668-F13E-4AA1-BB04-B43203AB3CC0}" = "{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Visio10\VisShe.dll" [null data]
"{D66DC78C-4F61-447F-942B-3FB6980118CF}" = "{D66DC78C-4F61-447F-942B-3FB6980118CF}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Visio10\VisShe.dll" [null data]
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
"{52B87208-9CCF-42C9-B88E-069281105805}" = "Trojan Remover Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1\Trshlex.dll" [file not found]
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
"{DC2501E9-7EF7-4638-8F28-F212E906A0BD}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\guard.tmp" [file not found]
"{EA4AA8A8-AAAD-45D3-9939-AD1496D5C038}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\iassuba.dll" [null data]
"{D601CE69-06DE-4EDC-A8D8-EA751E9AA251}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\guard.tmp" [file not found]
"{1B2AFCFE-BC5C-4AE9-A56D-83540895251C}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\mgscrfr.dll" [null data]
"{8AF24A58-7BE5-40B1-9ABC-AAC90BA79440}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\guard.tmp" [file not found]
"{19673521-08DE-4158-9EAF-4916B85523C5}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\OWBC32GT.dll" [null data]
"{6244BDFE-1FF9-492F-8DDA-26D7AAAFE67B}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\pirfdisk.dll" [null data]
"{28617158-69EE-4A1D-ADDB-8CF21B466D8B}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\guard.tmp" [file not found]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "GinaDLL" = "cswGina.dll" ["Cisco Systems, Inc."]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! NavLogon\DLLName = "C:\WINNT\system32\NavLogon.dll" [null data]
INFECTION WARNING! RunOnceEx\DLLName = "C:\WINNT\system32\l8p20i7oe8.dll" [null data]

HKCU\Software\Policies\Microsoft\Windows\System\Scripts
Logon -> launches: "\\agence.toulouse.ares.fr\sysvol\agence.toulouse.ares.fr\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\User\Scripts\Logon\symantec.bat" [** WMI GetObject error **]


Startup items in "jfdyon" & "All Users" startup folders:
--------------------------------------------------------

C:\Documents and Settings\JFDYON\Menu Démarrer\Programmes\Démarrage
"HotSync Manager" -> shortcut to: "C:\Palm\HOTSYNC.EXE" ["Palm, Inc."]
"Raccourci vers OSA9" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE" [MS]

C:\Documents and Settings\All Users.WINNT\Menu Démarrer\Programmes\Démarrage
"Acrobat Assistant" -> shortcut to: "C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe" [null data]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]


Enabled Scheduled Tasks:
------------------------

"HP DArC Task #Hewlett-Packard#7200#CN35J1B3YJ7G" -> launches: "C:\Program Files\HP\hpcoretech\comp\hpdarc.exe /#Hewlett-Packard#7200#CN35J1B3YJ7G" [file not found]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

DefWatch, DefWatch, "C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe" ["Symantec Corporation"]
Symantec AntiVirus Client, Norton AntiVirus Server, "C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe" ["Symantec Corporation"]
Système d'événements de COM+, EventSystem, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\System32\es.dll" [null data]}


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 04, 07 - 18
%SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------
LoPhatPhuud
You have the latest version of VX2. Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.


IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
jfdyon
L2MFIX find log 1.02b
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"Logoff"="NavLogoffEvent"
"StartShell"="NavStartShellEvent"
"DllName"="C:\\WINNT\\system32\\NavLogon.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnceEx]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\l8p20i7oe8.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{4809A3D8-7590-4F57-B525-49B78ABEB567}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Feuille de proprits du fichier multimdia"
"{176d6597-26d3-11d1-b350-080036a75b03}"="Gestion de scanneur ICM"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="Page de scurit NTFS"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="Page des proprits de OLE DocFile"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Extensions de l'interprteur de commandes pour le partage"
"{41E300E0-78B6-11ce-849B-444553540000}"="Extension du Panneau de configuration PlusPack"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Extension Affichage Carte du Panneau de configuration"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Extension Affichage cran du Panneau de configuration"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Extension Affichage Panorama du Panneau de configuration"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="Page de scurit DS"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Gestionnaire de donnes endommages de l'interprteur de commandes"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Extension copie de disquette"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Extensions de l'interprteur de commandes pour les objets Microsoft Windows Network"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="Gestion d'cran ICM"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="Gestion d'imprimante ICM"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Extensions de l'interprteur de commandes pour la compression de fichiers"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Extension du shell d'imprimante Web"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Menu contextuel de cryptage"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Porte-documents"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="Profil ICC"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Page de scurit des imprimantes"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Extensions de l'interprteur de commandes pour le partage"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Extension de l'interprteur de commande pour Windows Script Host"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Extension de cryptographie PKO"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Extension de cryptographie Sign"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Connexions rseau et accs distance"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Tches planifies"
"{1A9BA3A0-143A-11CF-8350-444553540000}"="Dossier favori du shell"
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"="Poste de travail"
"{86747AC0-42A0-1069-A2E6-08002B30309D}"="Porte-documents"
"{0AFACED1-E828-11D1-9187-B532F1E9575D}"="Raccourci vers le dossier"
"{12518493-00B2-11d2-9FA5-9E3420524153}"="Volume mont"
"{21B22460-3AEA-1069-A2DC-08002B30309D}"="Extension de la page de proprits des fichiers"
"{B091E540-83E3-11CF-A713-0020AFD79762}"="Page des types de fichiers"
"{FBF23B41-E3F0-101B-8488-00AA003E56F8}"="Gestionnaire des types de fichiers MIME"
"{C2FBB630-2971-11d1-A18C-00C04FD75D13}"="Service Copier vers Microsoft"
"{C2FBB631-2971-11d1-A18C-00C04FD75D13}"="Service Dplacer vers Microsoft"
"{13709620-C279-11CE-A49E-444553540000}"="Service d'automatisation de l'interface"
"{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}"="Shell Automation Folder View"
"{4622AD11-FF23-11d0-8D34-00A0C90F2719}"="Menu Dmarrer"
"{7BA4C740-9E81-11CF-99D3-00AA004AE837}"="Service SendTo Microsoft"
"{D969A300-E7FF-11d0-A93B-00A0C90F2719}"="Service Nouvel objet Microsoft"
"{09799AFB-AD67-11d1-ABCD-00C04FC30936}"="Ouvrir avec le gestionnaire de menu contextuel"
"{3FC0B520-68A9-11D0-8D77-00C04FD70822}"="Afficher les extensions HTML du Panneau de configuration"
"{75048700-EF1F-11D0-9888-006097DEACF9}"="ActiveDesktop"
"{6D5313C0-8C62-11D1-B2CD-006097DF8C11}"="Extension de la page de proprits des options des dossiers"
"{57651662-CE3E-11D0-8D77-00C04FC99D61}"="CmdFileIcon"
"{4657278A-411B-11d2-839A-00C04FD918D0}"="Application d'aide du systme pour le glisser-dplacer"
"{A470F8CF-A1E8-4f65-8335-227475AA5C46}"="Ajouter l'lment de cryptage dans les menus contextuels de l'Explorateur"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Barre d'outils Internet Microsoft"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="tat du tlchargement"
"{568804CA-CBD7-11d0-9816-00C04FD91972}"="Menu Dossier Bureau"
"{5b4dae26-b807-11d0-9815-00c04fd91972}"="Bande de menus"
"{8278F931-2A3E-11d2-838F-00C04FD918D0}"="Suivi du menu Shell"
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}"="Menu Site"
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}"="Menu Barre du Bureau"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Dossier Bureau tendu"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Dossier du shell augment"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}"="IShellFolderBand"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Bande du navigateur Microsoft"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Bande de recherche"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="Volet intgr de recherche"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Recherche Web"
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}"="&Liens"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Utilitaire des options de l'arborescence du Registre"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Adresse"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Bote d'entre de l'adresse"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Saisie semi-automatique Microsoft"
"{7487cd30-f71a-11d0-9ea7-00805f714772}"="Image miniature"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="Liste de saisie semi-automatique MRU"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Liste de saisie semi-automatique de l'historique Microsoft"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Liste de saisie semi-automatique du dossier Shell Microsoft"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Conteneur de la liste de saisie semi-automatique multiple Microsoft"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Menu Site de bandes"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Barre du Bureau"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="Assistance utilisateur"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Paramtres du dossier global"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="Historique"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="Image de dmarrage de la Suite IE4"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="Dossier ActiveX Cache"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Dossier Inscription"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}"="Miniatures"
"{EAB841A0-9550-11CF-8C16-00805F1408F3}"="Extracteur de miniatures HTML"
"{1AEB1360-5AFC-11D0-B806-00C04FD706EC}"="Extracteur de miniatures des filtres graphiques Office"
"{9DBD2C50-62AD-11D0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{500202A0-731E-11D0-B829-00C04FD706EC}"="LNK file thumbnail interface delegator"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Gestionnaire d'application du shell"
"{0B124F8C-91F0-11D1-B8B5-006008059382}"="numrateur d'applications installes"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{fe1290f0-cfbd-11cf-a330-00aa00c16e65}"="Directory Namespace"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{450D8FBA-AD25-11D0-98A8-0800361B1103}"="MyDocs Folder"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Menu Fichiers hors connexion"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Options du dossier Fichiers hors connexion"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Dossier Fichiers hors connexion"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"="{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"
"{D66DC78C-4F61-447F-942B-3FB6980118CF}"="{D66DC78C-4F61-447F-942B-3FB6980118CF}"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Liste de saisie semi-automatique personnalisée MRU"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Barre de progrès auto-ouvrante"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Analyseur de la barre d'adresses"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="Des &personnes..."
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}"="LDVP Shell Extensions"
"{52B87208-9CCF-42C9-B88E-069281105805}"="Trojan Remover Shell Extension"
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"="Webroot Spy Sweeper Context Menu Integration"
"{DC2501E9-7EF7-4638-8F28-F212E906A0BD}"=""
"{EA4AA8A8-AAAD-45D3-9939-AD1496D5C038}"=""
"{D601CE69-06DE-4EDC-A8D8-EA751E9AA251}"=""
"{1B2AFCFE-BC5C-4AE9-A56D-83540895251C}"=""
"{8AF24A58-7BE5-40B1-9ABC-AAC90BA79440}"=""
"{19673521-08DE-4158-9EAF-4916B85523C5}"=""
"{6244BDFE-1FF9-492F-8DDA-26D7AAAFE67B}"=""
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Fichier de chaîne"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Raccourci de chaîne"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{28617158-69EE-4A1D-ADDB-8CF21B466D8B}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{DC2501E9-7EF7-4638-8F28-F212E906A0BD}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DC2501E9-7EF7-4638-8F28-F212E906A0BD}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DC2501E9-7EF7-4638-8F28-F212E906A0BD}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DC2501E9-7EF7-4638-8F28-F212E906A0BD}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{EA4AA8A8-AAAD-45D3-9939-AD1496D5C038}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{EA4AA8A8-AAAD-45D3-9939-AD1496D5C038}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{EA4AA8A8-AAAD-45D3-9939-AD1496D5C038}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{EA4AA8A8-AAAD-45D3-9939-AD1496D5C038}\InprocServer32]
@="C:\\WINNT\\system32\\iassuba.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{D601CE69-06DE-4EDC-A8D8-EA751E9AA251}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D601CE69-06DE-4EDC-A8D8-EA751E9AA251}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D601CE69-06DE-4EDC-A8D8-EA751E9AA251}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D601CE69-06DE-4EDC-A8D8-EA751E9AA251}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{1B2AFCFE-BC5C-4AE9-A56D-83540895251C}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1B2AFCFE-BC5C-4AE9-A56D-83540895251C}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1B2AFCFE-BC5C-4AE9-A56D-83540895251C}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1B2AFCFE-BC5C-4AE9-A56D-83540895251C}\InprocServer32]
@="C:\\WINNT\\system32\\mgscrfr.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{8AF24A58-7BE5-40B1-9ABC-AAC90BA79440}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8AF24A58-7BE5-40B1-9ABC-AAC90BA79440}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8AF24A58-7BE5-40B1-9ABC-AAC90BA79440}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8AF24A58-7BE5-40B1-9ABC-AAC90BA79440}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{19673521-08DE-4158-9EAF-4916B85523C5}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{19673521-08DE-4158-9EAF-4916B85523C5}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{19673521-08DE-4158-9EAF-4916B85523C5}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{19673521-08DE-4158-9EAF-4916B85523C5}\InprocServer32]
@="C:\\WINNT\\system32\\OWBC32GT.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{6244BDFE-1FF9-492F-8DDA-26D7AAAFE67B}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6244BDFE-1FF9-492F-8DDA-26D7AAAFE67B}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6244BDFE-1FF9-492F-8DDA-26D7AAAFE67B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6244BDFE-1FF9-492F-8DDA-26D7AAAFE67B}\InprocServer32]
@="C:\\WINNT\\system32\\pirfdisk.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{28617158-69EE-4A1D-ADDB-8CF21B466D8B}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{28617158-69EE-4A1D-ADDB-8CF21B466D8B}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{28617158-69EE-4A1D-ADDB-8CF21B466D8B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{28617158-69EE-4A1D-ADDB-8CF21B466D8B}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINNT\SYSTEM32\
apimf.dll Sun 9 Jan 2005 11:41:34 ..... 96 566 94,30 K
appwr32.dll Wed 26 Jan 2005 4:20:06 ..... 99 153 96,83 K
axdds.dll Wed 2 Mar 2005 15:02:56 ..S.R 225 672 220,38 K
cfbjmon.dll Mon 3 Jan 2005 8:59:30 ..S.R 222 844 217,62 K
cjfgnt.dll Mon 10 Jan 2005 8:52:54 ..S.R 224 105 218,85 K
coseqchk.dll Fri 10 Dec 2004 10:10:16 ..S.R 225 267 219,98 K
d3ak32.dll Mon 10 Jan 2005 15:25:02 ..... 96 048 93,80 K
donwsock.dll Mon 24 Jan 2005 10:17:14 ..S.R 224 471 219,21 K
dwound3d.dll Wed 2 Mar 2005 12:17:04 ..S.R 225 975 220,68 K
en40l1~1.dll Mon 31 Jan 2005 9:11:46 ..S.R 224 471 219,21 K
fdwkh.dll Thu 23 Dec 2004 21:36:12 A.SH. 55 808 54,50 K
hsuic.dll Wed 15 Dec 2004 8:56:18 A.SH. 56 320 55,00 K
i2060c~1.dll Tue 1 Mar 2005 11:23:46 ..S.R 222 906 217,68 K
i260lc~1.dll Mon 24 Jan 2005 10:08:54 ..S.R 224 316 219,06 K
iassuba.dll Fri 14 Jan 2005 15:04:22 A.... 224 316 219,06 K
iteu32.dll Thu 30 Dec 2004 10:08:12 ..S.R 222 844 217,62 K
j6n2lg~1.dll Mon 31 Jan 2005 8:42:04 ..S.R 225 727 220,43 K
javaoc.dll Mon 17 Jan 2005 1:39:44 ..... 96 048 93,80 K
jt0m07~1.dll Wed 23 Feb 2005 18:25:38 ..S.R 225 779 220,48 K
jtp607~1.dll Fri 14 Jan 2005 15:04:18 ..S.R 224 993 219,72 K
l8p20i~1.dll Wed 2 Mar 2005 15:13:38 ..S.R 225 672 220,38 K
lv2209~1.dll Fri 4 Mar 2005 9:07:36 ..S.R 225 975 220,68 K
mctime.dll Mon 31 Jan 2005 8:42:08 ..S.R 224 471 219,21 K
mfcrl.dll Fri 10 Dec 2004 2:15:32 ..... 99 590 97,25 K
mgscrfr.dll Mon 24 Jan 2005 9:20:58 A.... 224 316 219,06 K
mrasn1.dll Thu 16 Dec 2004 11:16:08 ..S.R 225 267 219,98 K
mrcfh32.dll Thu 23 Dec 2004 9:56:46 ..S.R 222 844 217,62 K
mzcsubs.dll Wed 23 Feb 2005 18:25:38 ..S.R 225 672 220,38 K
nethj.dll Wed 9 Feb 2005 9:11:00 ..... 99 153 96,83 K
netuz32.dll Thu 23 Dec 2004 16:22:32 ..... 96 439 94,18 K
nomkcert.dll Tue 1 Mar 2005 11:41:08 ..S.R 225 672 220,38 K
obina.dll Mon 21 Feb 2005 6:10:38 A.SH. 64 000 62,50 K
owbc32gt.dll Wed 23 Feb 2005 15:52:48 A.... 224 471 219,21 K
phustab.dll Mon 7 Feb 2005 9:06:40 ..S.R 224 471 219,21 K
pirfdisk.dll Fri 4 Mar 2005 9:22:50 ..S.R 225 672 220,38 K
pwofmap.dll Wed 23 Feb 2005 17:51:56 ..S.R 225 672 220,38 K
q4rq0e~1.dll Thu 30 Dec 2004 10:08:08 ..S.R 223 438 218,20 K
sjbrsrc.dll Wed 2 Mar 2005 9:27:20 ..S.R 225 672 220,38 K
srnscfg.dll Wed 23 Feb 2005 18:21:14 ..S.R 224 471 219,21 K
ttolhelp.dll Mon 14 Feb 2005 8:54:58 ..S.R 224 471 219,21 K
uspeu.dll Mon 28 Feb 2005 9:23:04 ..S.R 225 672 220,38 K
uupeu.dll Fri 7 Jan 2005 7:45:30 A.SH. 70 144 68,50 K
vswfo.dll Tue 21 Dec 2004 1:15:20 A.SH. 55 808 54,50 K
winei.dll Wed 2 Feb 2005 13:37:54 ..... 99 153 96,83 K
wnvcore.dll Fri 4 Mar 2005 9:04:36 ..S.R 225 975 220,68 K

45 items found: 45 files (34 H/S), 0 directories.
Total of file sizes: 8 277 790 bytes 7,89 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Le volume dans le lecteur C n'a pas de nom.
Le numéro de série du volume est D425-6F92

Répertoire de C:\WINNT\System32

04/03/2005 09:22 225672 pirfdisk.dll
04/03/2005 09:07 225975 lv2209foe.dll
04/03/2005 09:04 225975 wnvcore.dll
02/03/2005 15:13 225672 l8p20i7oe8.dll
02/03/2005 15:02 225672 axdds.dll
02/03/2005 12:17 225975 dwound3d.dll
02/03/2005 09:27 225672 sjbrsrc.dll
01/03/2005 11:41 225672 nomkcert.dll
01/03/2005 11:23 222906 i2060cdsef060.dll
01/03/2005 09:24 <DIR> dllcache
28/02/2005 09:23 225672 uspeu.dll
23/02/2005 18:25 225672 mzcsubs.dll
23/02/2005 18:25 225779 jt0m07d1e.dll
23/02/2005 18:21 224471 srnscfg.dll
23/02/2005 17:51 225672 pwofmap.dll
22/02/2005 01:44 3567 snqyr.dat
21/02/2005 06:10 64000 obina.dll
17/02/2005 02:27 29256 0000
15/02/2005 13:41 7471 rcviw.dat
14/02/2005 08:54 224471 ttolhelp.dll
14/02/2005 00:11 3567 htddy.log
13/02/2005 11:33 7471 rtqke.dat
11/02/2005 06:18 10824 sy
11/02/2005 03:12 10824 mfcll32.exe
08/02/2005 06:10 3567 tawzn.txt
07/02/2005 09:06 224471 phustab.dll
06/02/2005 12:24 10824 ieq
05/02/2005 09:17 10824 ipcb.exe
05/02/2005 07:44 29768 d3kn.exe
03/02/2005 12:14 3567 xpjum.txt
03/02/2005 00:23 3567 aeyeb.txt
02/02/2005 18:56 10824 appy
02/02/2005 13:27 29768 wingr3
31/01/2005 09:11 224471 en40l1hm1.dll
31/01/2005 08:42 224471 mctime.dll
31/01/2005 08:42 225727 j6n2lg5o16.dll
28/01/2005 12:53 9728 msbp32.exe
28/01/2005 11:38 3567 momiu.dat
27/01/2005 12:24 7471 jbwjo.log
27/01/2005 11:55 3567 edshn.txt
26/01/2005 12:04 0 criq32.exe
25/01/2005 06:09 9728 crm
24/01/2005 10:17 224471 donwsock.dll
24/01/2005 10:08 224316 i260lcjm1foa.dll
24/01/2005 08:57 10824 ieup
24/01/2005 05:29 30792 ntlp
17/01/2005 10:22 7471 lmwug.dat
15/01/2005 02:17 9728 winab32.exe
14/01/2005 15:04 224993 jtp6077se.dll
13/01/2005 06:04 9728 mfcop
10/01/2005 22:21 9728 ntas.exe
10/01/2005 08:52 224105 cjfgnt.dll
08/01/2005 16:20 9728 d3sj32.exe
07/01/2005 07:45 70144 uupeu.dll
03/01/2005 08:59 222844 cfbjmon.dll
30/12/2004 10:08 222844 iteu32.dll
30/12/2004 10:08 223438 q4rq0e95eh.dll
25/12/2004 22:25 0 ssxlw.txt
23/12/2004 21:36 55808 fdwkh.dll
23/12/2004 09:56 222844 mrcfh32.dll
22/12/2004 07:12 3567 spmuz.dat
21/12/2004 01:15 55808 vswfo.dll
16/12/2004 11:16 225267 mrasn1.dll
15/12/2004 08:56 56320 hsuic.dll
10/12/2004 10:10 225267 coseqchk.dll
08/12/2004 13:26 10752 msb
03/12/2004 09:51 225267 dequery.dll
01/12/2004 04:07 56320 mfshn.dll
30/11/2004 22:16 56320 ebxfp.dll
30/11/2004 13:24 56320 werhx.dll
29/11/2004 15:38 56320 fqnai.dll
25/11/2004 15:40 225267 CTDPTPU.dll
23/11/2004 20:17 55808 bzbvt.dll
22/11/2004 02:08 56320 zqbjp.dll
19/11/2004 03:22 56320 kbaud.dll
18/11/2004 19:29 56320 xrwjs.dll
18/11/2004 03:34 56320 rsayu.dll
10/11/2004 08:50 56320 fprka.dll
24/09/2004 03:46 11256 nethh.exe
19/06/2003 12:05 164112 OLEPRO32.DLL
19/06/2003 12:05 286773 msvcrt.dll
19/06/2003 12:05 30749 vbajet32.dll
19/06/2003 12:05 143632 ASYCFILT.DLL
19/06/2003 12:05 1015859 mfc42.dll
19/06/2003 12:05 626960 OLEAUT32.DLL
21/03/2001 21:34 244232 Msflxgrd.ocx
29/08/2000 01:19 401462 msvcp60.dll
16/12/1999 09:00 253952 msvcrt20.dll
16/12/1999 09:00 57344 mfc42loc.dll
16/12/1999 09:00 77878 msvcirt.dll
03/12/1996 21:50 37376 VEN2232.OLB
90 fichier(s) 11499412 octets
1 Rép(s) 15002795008 octets libres
LoPhatPhuud
Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.


IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!