GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-09-03 16:46:12
Windows 6.2.9200 \Device\Harddisk0\DR0 -> \Device\00000024 ST3320620AS rev.3.AAJ 298,09GB
Running: 49jtl6eo.exe; Driver: X:\Users\Default\AppData\Local\Temp\kwryiuoc.sys

---- System - GMER 2.1 ----

INT 0xA1 ? 90D90B54

---- Kernel code sections - GMER 2.1 ----

.text ntoskrnl.exe!ZwReplacePartitionUnit + 2A8F 80D7C439 1 Byte [06]
.text ntoskrnl.exe!KiDispatchInterrupt + 66A 80D80E5A 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
? X:\Users\Default\AppData\Local\Temp\aswMBR.sys Le fichier spécifié est introuvable. !
? X:\Users\Default\AppData\Local\Temp\aswVmm.sys Le fichier spécifié est introuvable. !

---- User code sections - GMER 2.1 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[928] ntdll.dll!NtWriteFileGather 772D4264 5 Bytes JMP 6B09E1AE C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[928] ntdll.dll!NtWriteFile 772D4278 5 Bytes JMP 6A8143D0 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[928] ntdll.dll!NtReadFileScatter 772D4C7C 5 Bytes JMP 6B09E1FF C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[928] ntdll.dll!NtReadFile 772D4C90 5 Bytes JMP 6A7FC750 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[928] ntdll.dll!NtQueryFullAttributesFile 772D5038 5 Bytes JMP 6A813820 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[928] ntdll.dll!NtFlushBuffersFile 772D586C 5 Bytes JMP 6A7FC661 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[928] ntdll.dll!NtCreateFile 772D5DA0 5 Bytes JMP 6A813D20 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[928] ntdll.dll!LdrLoadDll 772F9F3F 5 Bytes JMP 6F9F1F4C C:\Program Files\Mozilla Firefox\mozglue.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[928] KERNEL32.DLL!GetCurrentThread + 6 7550158B 7 Bytes JMP 6B03F582 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[928] KERNEL32.DLL!TermsrvGetWindowsDirectoryW + 16 7550280D 7 Bytes JMP 6B03F55F C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[928] KERNEL32.DLL!BaseIsAppcompatInfrastructureDisabledWorker + 9C 7550589C 7 Bytes JMP 6A8106F3 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[928] USER32.dll!CharPrevW + AE 76A34D14 1 Byte [E9]
.text C:\Program Files\Mozilla Firefox\firefox.exe[928] USER32.dll!CharPrevW + AE 76A34D14 7 Bytes JMP 6AF4E5A9 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[928] GDI32.dll!SetWindowOrgEx + 3B2 76EF8E18 7 Bytes JMP 6B03F4E0 C:\Program Files\Mozilla Firefox\xul.dll
.text X:\windows\explorer.exe[1300] SHELL32.dll!SHGetIDListFromObject + 3413 759217F4 4 Bytes [A0, 2A, 00, 10]

---- User IAT/EAT - GMER 2.1 ----

IAT X:\windows\explorer.exe[1300] @ X:\windows\explorer.exe [KERNEL32.dll!SetErrorMode] [100043D0] X:\windows\WRP32.dll
IAT X:\windows\explorer.exe[1300] @ X:\windows\explorer.exe [USER32.dll!SetWindowCompositionAttribute] [10004C70] X:\windows\WRP32.dll
IAT X:\windows\explorer.exe[1300] @ X:\windows\explorer.exe [USER32.dll!SetWindowRgn] [10004BA0] X:\windows\WRP32.dll
IAT X:\windows\explorer.exe[1300] @ X:\windows\explorer.exe [UxTheme.dll!SetWindowTheme] [100043F0] X:\windows\WRP32.dll
IAT X:\windows\explorer.exe[1300] @ X:\windows\explorer.exe [dwmapi.dll!DwmEnableBlurBehindWindow] [10004BE0] X:\windows\WRP32.dll

---- Devices - GMER 2.1 ----

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys

---- Services - GMER 2.1 ----

Service X:\windows\system32\efssvc.dll (*** hidden *** ) [MANUAL] EFS <-- ROOTKIT !!!
Service X:\windows\System32\ikeext.dll (*** hidden *** ) [MANUAL] IKEEXT <-- ROOTKIT !!!
Service X:\windows\System32\lmhsvc.dll (*** hidden *** ) [MANUAL] lmhosts <-- ROOTKIT !!!
Service X:\windows\system32\mpssvc.dll (*** hidden *** ) [DISABLED] MpsSvc <-- ROOTKIT !!!
Service X:\windows\System32\DRIVERS\netbt.sys (*** hidden *** ) [MANUAL] NetBT <-- ROOTKIT !!!
Service X:\windows\System32\Perfctrs.dll (*** hidden *** ) [BOOT] Tcpip <-- ROOTKIT !!!
Service X:\windows\system32\wbem\WMIsvc.dll (*** hidden *** ) [AUTO] Winmgmt <-- ROOTKIT !!!

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName@ComputerName MINWINPC
Reg HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB@CurrentConfig 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management@ExistingPageFiles \??\X:\pagefile.sys?
Reg HKLM\SYSTEM\CurrentControlSet\Services\Dhcp@DependOnService nsi?tcpip?NetBT?
Reg HKLM\SYSTEM\CurrentControlSet\Services\EFS@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\EFS
Reg HKLM\SYSTEM\CurrentControlSet\Services\HDAudBus\Parameters\Wdf@TimeOfLastSqmLog 0xF9 0x45 0x69 0x55 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\IKEEXT@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\IKEEXT
Reg HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters@NullSessionPipes SQL\QUERY?EPMAPPER?LOCATOR?TrkWks?TrkSvr?
Reg HKLM\SYSTEM\CurrentControlSet\Services\lmhosts@ImagePath %SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted
Reg HKLM\SYSTEM\CurrentControlSet\Services\lmhosts@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\lmhosts@DependOnService Afd?
Reg HKLM\SYSTEM\CurrentControlSet\Services\lmhosts
Reg HKLM\SYSTEM\CurrentControlSet\Services\MpsSvc@Start 4
Reg HKLM\SYSTEM\CurrentControlSet\Services\MpsSvc
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSiSCSI\Enum@0 Root\LEGACY_MSISCSI\0000
Reg HKLM\SYSTEM\CurrentControlSet\Services\Ndisuio\Linkage@Bind \Device\{22CE1964-FD8E-440D-8494-57690A30D2A8}?
Reg HKLM\SYSTEM\CurrentControlSet\Services\Ndisuio\Linkage@Route "{22CE1964-FD8E-440D-8494-57690A30D2A8}"?
Reg HKLM\SYSTEM\CurrentControlSet\Services\Ndisuio\Linkage@Export \Device\Ndisuio_{22CE1964-FD8E-440D-8494-57690A30D2A8}?
Reg HKLM\SYSTEM\CurrentControlSet\Services\NdisWan\Linkage@Bind \Device\{C0EF51E2-3E9E-4FFA-92D3-53FE1969E6C2}?\Device\{BD8570CF-8A17-47DE-BEB6-7685E5FD0905}?\Device\{3642FC08-7790-421E-9A2F-77384C84C54B}?\Device\{729D367D-F62E-4405-BC25-EEBFDEC4F59A}?\Device\{826616AE-F7CA-4729-A145-F8A86E332619}?\Device\{FDACAA5F-1BBB-4948-88D1-2470D113414F}?
Reg HKLM\SYSTEM\CurrentControlSet\Services\NdisWan\Linkage@Route "{C0EF51E2-3E9E-4FFA-92D3-53FE1969E6C2}"?"{BD8570CF-8A17-47DE-BEB6-7685E5FD0905}"?"{3642FC08-7790-421E-9A2F-77384C84C54B}"?"{729D367D-F62E-4405-BC25-EEBFDEC4F59A}"?"{826616AE-F7CA-4729-A145-F8A86E332619}"?"{FDACAA5F-1BBB-4948-88D1-2470D113414F}"?
Reg HKLM\SYSTEM\CurrentControlSet\Services\NdisWan\Linkage@Export \Device\NdisWan_{C0EF51E2-3E9E-4FFA-92D3-53FE1969E6C2}?\Device\NdisWan_{BD8570CF-8A17-47DE-BEB6-7685E5FD0905}?\Device\NdisWan_{3642FC08-7790-421E-9A2F-77384C84C54B}?\Device\NdisWan_{729D367D-F62E-4405-BC25-EEBFDEC4F59A}?\Device\NdisWan_{826616AE-F7CA-4729-A145-F8A86E332619}?\Device\NdisWan_{FDACAA5F-1BBB-4948-88D1-2470D113414F}?
Reg HKLM\SYSTEM\CurrentControlSet\Services\NetBT@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\NetBT
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 11
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip@DisplayName @%SystemRoot%\system32\drivers\tcpip.sys,-10001
Reg HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt
Reg HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5@Num_Catalog_Entries 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5@Serial_Access_Num 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001@DisplayString Tcpip
Reg HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001@LibraryPath X:\Windows\system32\mswsock.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9@Num_Catalog_Entries 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9@Next_Catalog_Entry_ID 1001
Reg HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9@Serial_Access_Num 1
Reg HKLM\SYSTEM\Setup@SetupType 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap@ProxyByPass 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap@IntranetName 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager@LoadedBefore 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager@ServerChangeNumber 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion@SystemRoot X:\Windows
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion@CurrentType Multiprocessor Checked
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\UnattendSettings
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\UnattendSettings\DnsCache
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\UnattendSettings\International
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\UnattendSettings\International@SystemLocale
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\UnattendSettings\International@InputLocale
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\UnattendSettings\International@UILanguage
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\UnattendSettings\International@UserLocale
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\UnattendSettings\International@UILanguageFallback
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\UnattendSettings\Netio
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\UnattendSettings\Netio@IcmpRedirectsEnabled 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\UnattendSettings\Windows Error Reporting
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\UnattendSettings\Windows Error Reporting@DisableWER 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\UnattendSettings\Windows Error Reporting\Consent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\UnattendSettings\Windows Error Reporting\Consent@DefaultConsent 0
Reg HKLM\SOFTWARE\Classes\CLSID\{000C103E-0000-0000-C000-000000000046}\InProcServer32@ X:\Windows\System32\msi.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{000C1090-0000-0000-C000-000000000046}\InprocHandler32@ X:\Windows\System32\ole32.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{000C1090-0000-0000-C000-000000000046}\InprocServer32@ X:\Windows\System32\msi.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{000C1094-0000-0000-C000-000000000046}\InprocServer32@ X:\Windows\System32\msi.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{05589FAF-C356-11CE-BF01-00AA0055595A}\InprocServer32@ X:\Windows\System32\quartz.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{060AF76C-68DD-11D0-8FC1-00C04FD9189D}\InprocServer32@ X:\Windows\System32\quartz.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{06B32AEE-77DA-484B-973B-5D64F47201B0}\InprocServer32@ X:\Windows\System32\quartz.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{07B65360-C445-11CE-AFDE-00AA006C14F4}\InprocServer32@ X:\Windows\System32\quartz.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D3588AB0-0781-11CE-B03A-0020AF0BA770}
Reg HKLM\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D3588AB0-0781-11CE-B03A-0020AF0BA770}@FriendlyName AVI/WAV File Source
Reg HKLM\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D3588AB0-0781-11CE-B03A-0020AF0BA770}@FilterData 0x02 0x00 0x00 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D3588AB0-0781-11CE-B03A-0020AF0BA770}@CLSID {D3588AB0-0781-11CE-B03A-0020AF0BA770}
Reg HKLM\SOFTWARE\Classes\CLSID\{093FF999-1EA0-4079-9525-9614C3504B74}\InProcServer32@ X:\Windows\System32\wshom.ocx
Reg HKLM\SOFTWARE\Classes\CLSID\{0C41D1E6-9D16-41ED-9CDD-D0665039857B}\InProcServer32@ X:\Windows\System32\tcpipcfg.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{1643E180-90F5-11CE-97D5-00AA0055595A}\InprocServer32@ X:\Windows\System32\quartz.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{1B544C20-FD0B-11CE-8C63-00AA0044B51E}\InprocServer32@ X:\Windows\System32\quartz.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{1DA08500-9EDC-11CF-BC10-00AA00AC74F6}\InprocServer32@ X:\Windows\System32\quartz.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{1E651CC0-B199-11D0-8212-00C04FC32C45}\InprocServer32@ X:\Windows\System32\quartz.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{2D2E24CB-0CD5-458F-86EA-3E6FA22C8E64}\InprocServer32@ X:\Windows\System32\quartz.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{301056D0-6DFF-11D2-9EEB-006008039E37}\InprocServer32@ X:\Windows\System32\quartz.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{336475D0-942A-11CE-A870-00AA002FEAB5}\InprocServer32@ X:\Windows\System32\quartz.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{33FACFE0-A9BE-11D0-A520-00A0D10129C0}\InprocServer32@ X:\Windows\System32\quartz.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{37E92A92-D9AA-11D2-BF84-8EF2B1555AED}\InprocServer32@ X:\Windows\System32\quartz.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{3DD82D10-E6F1-11D2-B139-00105A1F77A1}\InprocServer32@ %systemroot%\system32\wbem\cimwin32.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{418AFB70-F8B8-11CE-AAC6-0020AF0B99A3}\InprocServer32@ X:\Windows\System32\quartz.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{4444AC9E-242E-471B-A3C7-45DCD46352BC}\InprocServer32@ X:\Windows\System32\quartz.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{48025243-2D39-11CE-875D-00608CB78066}\InprocServer32@ X:\Windows\System32\quartz.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{4A2286E0-7BEF-11CE-9BD9-0000E202599C}\InprocServer32@ X:\Windows\System32\quartz.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{51B4ABF3-748F-4E3B-A276-C828330E926A}\InprocServer32@ X:\Windows\System32\quartz.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{59CE6880-ACF8-11CF-B56E-0080C7C4B68A}\InprocServer32@ X:\Windows\System32\quartz.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{6A08CF80-0E18-11CF-A24D-0020AFD79767}\InprocServer32@ X:\Windows\System32\quartz.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{6BC1CFFA-8FC1-4261-AC22-CFB4CC38DB50}\InprocServer32@ X:\Windows\System32\quartz.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{6F26A6CD-967B-47FD-874A-7AED2C9D25A2}\InprocServer32@ X:\Windows\System32\quartz.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{70E102B0-5556-11CE-97C0-00AA0055595A}\InprocServer32@ X:\Windows\System32\quartz.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32@ X:\Windows\System32\wshom.ocx
Reg HKLM\SOFTWARE\Classes\CLSID\{79376820-07D0-11CF-A24D-0020AFD79767}\InprocServer32@ X:\Windows\System32\quartz.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{7D8AA343-6E63-4663-BE90-6B80F66540A3}\InprocServer32@ X:\Windows\System32\quartz.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{8670C736-F614-427b-8ADA-BBADC587194B}@ DirectShow Plugin Manager
Reg HKLM\SOFTWARE\Classes\CLSID\{8670C736-F614-427b-8ADA-BBADC587194B}\InprocServer32@ X:\Windows\System32\quartz.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{944D4C00-DD52-11CE-BF0E-00AA0055595A}\InprocServer32@ X:\Windows\System32\quartz.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{99D54F63-1A69-41AE-AA4D-C976EB3F0713}\InprocServer32@ X:\Windows\System32\quartz.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{A3ECBC41-581A-4476-B693-A63340462D8B}\InprocServer32@ X:\Windows\System32\quartz.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{A888DF60-1E90-11CF-AC98-00AA004C0FA9}\InprocServer32@ X:\Windows\System32\quartz.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{A8DFB9A0-8A20-479F-B538-9387C5EEBA2B}\InprocServer32@ X:\Windows\System32\quartz.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{A907657F-6FDF-11D0-8EFB-00C04FD912B2}\InProcServer32@ X:\Windows\System32\tcpipcfg.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{B80AB0A0-7416-11D2-9EEB-006008039E37}\InprocServer32@ X:\Windows\System32\quartz.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{B87BEB7B-8D29-423F-AE4D-6582C10175AC}\InprocServer32@ X:\Windows\System32\quartz.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{CC785860-B2CA-11CE-8D2B-0000E202599C}\InprocServer32@ X:\Windows\System32\quartz.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{CDA42200-BD88-11D0-BD4E-00A0C911CE86}\InprocServer32@ X:\Windows\System32\quartz.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{CDBD8D00-C193-11D0-BD4E-00A0C911CE86}\InprocServer32@ X:\Windows\System32\quartz.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{CF49D4E0-1115-11CE-B03A-0020AF0BA770}\InprocServer32@ X:\Windows\System32\quartz.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{D31B6A3F-9350-40DE-A3FC-A7EDEB9B7C63}\InprocServer32@ %systemroot%\system32\wbem\cimwin32.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{D3588AB0-0781-11CE-B03A-0020AF0BA770}\InprocServer32@ X:\Windows\System32\quartz.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{D51BD5A1-7548-11CF-A520-0080C77EF58A}\InprocServer32@ X:\Windows\System32\quartz.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{D51BD5A2-7548-11CF-A520-0080C77EF58A}\InprocServer32@ X:\Windows\System32\quartz.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{D51BD5A3-7548-11CF-A520-0080C77EF58A}\InprocServer32@ X:\Windows\System32\quartz.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{D51BD5A5-7548-11CF-A520-0080C77EF58A}\InprocServer32@ X:\Windows\System32\quartz.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\InprocServer32@ %systemroot%\system32\wbem\cimwin32.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}\InprocServer32@ X:\Windows\System32\quartz.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{E4206432-01A1-4BEE-B3E1-3702C8EDC574}\InprocServer32@ X:\Windows\System32\quartz.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{E436EBB1-524F-11CE-9F53-0020AF0BA770}\InprocServer32@ X:\Windows\System32\quartz.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{E436EBB2-524F-11CE-9F53-0020AF0BA770}\InprocServer32@ X:\Windows\System32\quartz.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{E436EBB3-524F-11CE-9F53-0020AF0BA770}\InprocServer32@ X:\Windows\System32\quartz.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{E436EBB5-524F-11CE-9F53-0020AF0BA770}\InprocServer32@ X:\Windows\System32\quartz.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{E436EBB6-524F-11CE-9F53-0020AF0BA770}\InprocServer32@ X:\Windows\System32\quartz.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{E436EBB7-524F-11CE-9F53-0020AF0BA770}\InprocServer32@ X:\Windows\System32\quartz.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{E436EBB8-524F-11CE-9F53-0020AF0BA770}\InprocServer32@ X:\Windows\System32\quartz.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{E4979309-7A32-495E-8A92-7B014AAD4961}\InprocServer32@ X:\Windows\System32\quartz.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{E5B4EAA0-B2CA-11CE-8D2B-0000E202599C}\InprocServer32@ X:\Windows\System32\quartz.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}\InProcServer32@ X:\Windows\System32\wshom.ocx
Reg HKLM\SOFTWARE\Classes\CLSID\{F935DC26-1CF0-11D0-ADB9-00C04FD58A0B}\InProcServer32@ X:\Windows\System32\wshom.ocx
Reg HKLM\SOFTWARE\Classes\CLSID\{FEB50740-7BEF-11CE-9BD9-0000E202599C}\InprocServer32@ X:\Windows\System32\quartz.dll
Reg HKLM\SOFTWARE\Classes\Interface\{000C101C-0000-0000-C000-000000000046}\NumMethods@ 27
Reg HKLM\SOFTWARE\Classes\Interface\{0AB5A3D0-E5B6-11D0-ABF5-00A0C90FFFC0}\TypeLib@ {420B2830-E718-11CF-893D-00A0C9054228}
Reg HKLM\SOFTWARE\Classes\Interface\{2A0B9D10-4B87-11D3-A97A-00104B365C9F}\TypeLib@ {420B2830-E718-11CF-893D-00A0C9054228}
Reg HKLM\SOFTWARE\Classes\Interface\{53BAD8C1-E718-11CF-893D-00A0C9054228}\TypeLib@ {420B2830-E718-11CF-893D-00A0C9054228}
Reg HKLM\SOFTWARE\Classes\Interface\{C7C3F5A0-88A3-11D0-ABCB-00A0C90FFFC0}\TypeLib@ {420B2830-E718-11CF-893D-00A0C9054228}
Reg HKLM\SOFTWARE\Classes\Interface\{C7C3F5A1-88A3-11D0-ABCB-00A0C90FFFC0}\TypeLib@ {420B2830-E718-11CF-893D-00A0C9054228}
Reg HKLM\SOFTWARE\Classes\Interface\{C7C3F5A2-88A3-11D0-ABCB-00A0C90FFFC0}\TypeLib@ {420B2830-E718-11CF-893D-00A0C9054228}
Reg HKLM\SOFTWARE\Classes\Interface\{C7C3F5A3-88A3-11D0-ABCB-00A0C90FFFC0}\TypeLib@ {420B2830-E718-11CF-893D-00A0C9054228}
Reg HKLM\SOFTWARE\Classes\Interface\{C7C3F5A4-88A3-11D0-ABCB-00A0C90FFFC0}\TypeLib@ {420B2830-E718-11CF-893D-00A0C9054228}
Reg HKLM\SOFTWARE\Classes\Interface\{C7C3F5A5-88A3-11D0-ABCB-00A0C90FFFC0}\TypeLib@ {420B2830-E718-11CF-893D-00A0C9054228}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers@DisableAutoplay 0
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\EventHandlersDefaultSelection
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\EventHandlersDefaultSelection@
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\UserChosenExecuteHandlers
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\UserChosenExecuteHandlers@
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\SearchPlatform
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\SearchPlatform\Preferences
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\SearchPlatform\Preferences@DisableResultsInNewWindow 0
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\SearchPlatform\Preferences@DisableAutoNavigateURL 0
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\SearchPlatform\Preferences@DisableAutoResolveEmailAddrs 0
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\SearchPlatform\Preferences@IEAddressBarSearchDefault MSNSearch
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\SearchPlatform\Preferences@BreadCrumbBarSearchDefault MSNSearch
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\SearchPlatform\Preferences@EditSavedSearch 0
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\SearchPlatform\Preferences@DisableTabbedBrowsing 0
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders@!Do not use this registry key Use the SHGetFolderPath or SHGetKnownFolderPath function instead
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings@User Agent Mozilla/5.0 (compatible; MSIE 9.0; Win32)
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Http Filters
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Http Filters\RPA
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Passport
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\ThemeManager@DllName %SystemRoot%\resources\themes\Aero\Aero.msstyles
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\ThemeManager@PrePolicy-DllName x:\Windows\resources\themes\Aero\Aero.msstyles
Reg HKCU\Software\Microsoft\Windows\Windows Error Reporting
Reg HKCU\Software\Microsoft\Windows\Windows Error Reporting@Disabled 0
Reg HKCU\Software\Microsoft\Windows\Windows Error Reporting@MaxQueueCount 50
Reg HKCU\Software\Microsoft\Windows\Windows Error Reporting@DisableQueue 0
Reg HKCU\Software\Microsoft\Windows\Windows Error Reporting@LoggingDisabled 0
Reg HKCU\Software\Microsoft\Windows\Windows Error Reporting@DontSendAdditionalData 0
Reg HKCU\Software\Microsoft\Windows\Windows Error Reporting@ForceQueue 0
Reg HKCU\Software\Microsoft\Windows\Windows Error Reporting@DontShowUI 0
Reg HKCU\Software\Microsoft\Windows\Windows Error Reporting@ConfigureArchive 1
Reg HKCU\Software\Microsoft\Windows\Windows Error Reporting@MaxArchiveCount 500
Reg HKCU\Software\Microsoft\Windows\Windows Error Reporting@DisableArchive 0
Reg HKCU\Software\Microsoft\Windows\Windows Error Reporting\Hangs
Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\EFS
Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@ExcludeProfileDirs AppData\Local;AppData\LocalLow;$Recycle.Bin

---- EOF - GMER 2.1 ----