Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Winfixer/vundo Using Rootkit


  • Please log in to reply
17 replies to this topic

#1 Javatime

Javatime

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Location:Cedar Brook, NJ
  • Local time:07:10 AM

Posted 13 September 2008 - 12:35 AM

Hey Gang,
1st post... Spybot will not rid my registry completely of Virtumonde. I picked this virus up a couple of days ago but for some reason McAfee did not catch it completely. I have run vundo fix and the other fix(...something begone ?) and it will not completely get rid of the virus even running in Safe Mode. I also just deleted Java runtime 6.0 update 1 before I ran this. Thanks in advance for any help you can offer
Here's the HJT results:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:27:11 AM, on 9/13/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ActivCard\acachsrv.exe
C:\Program Files\Common Files\ActivCard\acautoreg.exe
C:\Program Files\Common Files\ActivCard\acautoup.exe
c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\PMService.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\PROGRA~1\NETWOR~1\MCAFEE~1\FireSvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Tumbleweed\Desktop Validator\DVService.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\ovobsjaj\kxgzsnil.exe
C:\Program Files\Adobe\Distillr\Acrotray.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\PROGRA~1\NETWOR~1\MCAFEE~1\Firetray.exe
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\ActivCard\ActivCard Gold\acevtsrv.exe
C:\Program Files\Print Server\PTP\PSDiagnostic.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\rmm0922\Desktop\Canon\COMCAS~1\data\Xtras\mssysmgr.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.hq.dla.mil:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dla1.dla.mil;dlaeis.dscr.dla.mil;today.dla.mil;*.bsm.dla.mil;dla1.eportal.dla.mil;*.eportal.use4.ad.dla.mil;*.dnsc.dla.mil;cols7.hroc.dla.mil;webapp2.use.ad.dla.mil;*.hq.dla.mil;denes-w001.usw.ad.dla.mil;do.use.ad.dla.mil;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [vdrdpup] C:\WINDOWS\system32\rundll32 C:\WINDOWS\system32\vdrdpup.dll,RegisterVirtualChannel
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [gemstrmw] C:\WINDOWS\system32\gemstrmw.exe /r
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [McAfeeFireTray] C:\PROGRA~1\NETWOR~1\MCAFEE~1\Firetray.exe
O4 - HKLM\..\Run: [EPA_EZ_GPO_Tool] C:\WINDOWS\system32\EZ_GPO_Tool.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [acEventServ] "C:\Program Files\ActivCard\ActivCard Gold\acevtsrv.exe"
O4 - HKLM\..\Run: [PrintServer Diagnostic] C:\Program Files\Print Server\PTP\PSDiagnostic.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\DOCUME~1\rmm0922\Desktop\Canon\COMCAS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKLM\..\Policies\Explorer\Run: [8sjUD0mwKv] C:\Documents and Settings\All Users\Application Data\ovobsjaj\kxgzsnil.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: *.bsm.dla.mil
O15 - Trusted Zone: http://pcbw.bsm.dla.mil
O15 - Trusted Zone: *.bsm.dla.mil (HKLM)
O15 - Trusted Zone: http://pcbw.bsm.dla.mil (HKLM)
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsupport.com/sdcxuser/asp/tgctlsr.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5036.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/amun/default/mjolauncher.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://cid-d643f50ebd49e8b1.spaces.live.co...ad/MsnPUpld.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://kohler1.view22.com/app/view22RTE.cab
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.6.0_05) -
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://chill.comcast.net/Gameshell/GameHos...ronGameHost.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = USE4.AD.DLA.MIL
O17 - HKLM\Software\..\Telephony: DomainName = USE4.AD.DLA.MIL
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = USE4.AD.DLA.MIL
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = USE4.AD.DLA.MIL
O20 - Winlogon Notify: acAuth - C:\WINDOWS\SYSTEM32\acauth.dll
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\
O21 - SSODL: apiweb - {3848E4C7-16BC-36DF-798E-060903DBCFD3} - C:\Program Files\thyruq\apiweb.dll
O23 - Service: ActivCard Authentication Service (ACachSrv) - ActivCard - C:\Program Files\Common Files\ActivCard\acachsrv.exe
O23 - Service: ActivCard Gold Autoregister (acautoreg) - ActivCard S.A. - C:\Program Files\Common Files\ActivCard\acautoreg.exe
O23 - Service: ActivCard Auto-Update Service (acautoupdate) - ActivCard S.A. - C:\Program Files\Common Files\ActivCard\acautoup.exe
O23 - Service: ActivCard Gold service (Accoca) - ActivCard - C:\Program Files\Common Files\ActivCard\accoca.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Cisco Systems, Inc. VPN Service CVPNDacautoupdate (CVPNDacautoupdate) - Unknown owner - ˜
.exe (file missing)
O23 - Service: DCOM Server Process Launcher DcomLaunchShellHWDetection (DcomLaunchShellHWDetection) - Unknown owner - .exe (file missing)
O23 - Service: Energy Star™ EZ GPO Power Management Configuration Tool (EPA_GPO_PMService) - TerraNovum - C:\WINDOWS\system32\PMService.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: McAfee Desktop Firewall Service (FireSvc) - McAfee, Inc. - C:\PROGRA~1\NETWOR~1\MCAFEE~1\FireSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Tumbleweed Desktop Validator - Tumbleweed Communications Inc. - C:\Program Files\Tumbleweed\Desktop Validator\DVService.exe

--
End of file - 15692 bytes

BC AdBot (Login to Remove)

 


#2 Javatime

Javatime
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Location:Cedar Brook, NJ
  • Local time:07:10 AM

Posted 14 September 2008 - 03:29 PM

I also deleted ALL the Java programs and reinstalled just Java 6 update 7.

Edited by Javatime, 14 September 2008 - 03:30 PM.


#3 Javatime

Javatime
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Location:Cedar Brook, NJ
  • Local time:07:10 AM

Posted 14 September 2008 - 06:02 PM

I also deleted ALL the Java programs and reinstalled just Java 6 update 7.

UPDATE: I created a system restore point then scanned the registry and found a file called Virtumonde and deleted it. I then ran Spybot S&D and it's not finding Virtumonde anymore AND I'm not being redirected to other websites like before when doing google searches. I'm just not sure if I am completely rid of it or not??? Here's a new HJT file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:52:44 PM, on 9/14/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ActivCard\acachsrv.exe
C:\Program Files\Common Files\ActivCard\acautoreg.exe
C:\Program Files\Common Files\ActivCard\acautoup.exe
c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\PMService.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\PROGRA~1\NETWOR~1\MCAFEE~1\FireSvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Tumbleweed\Desktop Validator\DVService.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\ovobsjaj\kxgzsnil.exe
C:\Program Files\Adobe\Distillr\Acrotray.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\PROGRA~1\NETWOR~1\MCAFEE~1\Firetray.exe
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\ActivCard\ActivCard Gold\acevtsrv.exe
C:\Program Files\Print Server\PTP\PSDiagnostic.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\rmm0922\Desktop\Canon\COMCAS~1\data\Xtras\mssysmgr.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.hq.dla.mil:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dla1.dla.mil;dlaeis.dscr.dla.mil;today.dla.mil;*.bsm.dla.mil;dla1.eportal.dla.mil;*.eportal.use4.ad.dla.mil;*.dnsc.dla.mil;cols7.hroc.dla.mil;webapp2.use.ad.dla.mil;*.hq.dla.mil;denes-w001.usw.ad.dla.mil;do.use.ad.dla.mil;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [vdrdpup] C:\WINDOWS\system32\rundll32 C:\WINDOWS\system32\vdrdpup.dll,RegisterVirtualChannel
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [gemstrmw] C:\WINDOWS\system32\gemstrmw.exe /r
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [McAfeeFireTray] C:\PROGRA~1\NETWOR~1\MCAFEE~1\Firetray.exe
O4 - HKLM\..\Run: [EPA_EZ_GPO_Tool] C:\WINDOWS\system32\EZ_GPO_Tool.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [acEventServ] "C:\Program Files\ActivCard\ActivCard Gold\acevtsrv.exe"
O4 - HKLM\..\Run: [PrintServer Diagnostic] C:\Program Files\Print Server\PTP\PSDiagnostic.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\DOCUME~1\rmm0922\Desktop\Canon\COMCAS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKLM\..\Policies\Explorer\Run: [8sjUD0mwKv] C:\Documents and Settings\All Users\Application Data\ovobsjaj\kxgzsnil.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: *.bsm.dla.mil
O15 - Trusted Zone: http://pcbw.bsm.dla.mil
O15 - Trusted Zone: *.bsm.dla.mil (HKLM)
O15 - Trusted Zone: http://pcbw.bsm.dla.mil (HKLM)
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsupport.com/sdcxuser/asp/tgctlsr.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5036.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/amun/default/mjolauncher.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://cid-d643f50ebd49e8b1.spaces.live.co...ad/MsnPUpld.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://kohler1.view22.com/app/view22RTE.cab
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.6.0_05) -
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://chill.comcast.net/Gameshell/GameHos...ronGameHost.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = USE4.AD.DLA.MIL
O17 - HKLM\Software\..\Telephony: DomainName = USE4.AD.DLA.MIL
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = USE4.AD.DLA.MIL
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = USE4.AD.DLA.MIL
O20 - Winlogon Notify: acAuth - C:\WINDOWS\SYSTEM32\acauth.dll
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\
O21 - SSODL: procmonsmart - {508A10B4-6D58-25C0-6272-02D488B89AFD} - C:\Program Files\vepyaue\procmonsmart.dll
O23 - Service: ActivCard Authentication Service (ACachSrv) - ActivCard - C:\Program Files\Common Files\ActivCard\acachsrv.exe
O23 - Service: ActivCard Gold Autoregister (acautoreg) - ActivCard S.A. - C:\Program Files\Common Files\ActivCard\acautoreg.exe
O23 - Service: ActivCard Auto-Update Service (acautoupdate) - ActivCard S.A. - C:\Program Files\Common Files\ActivCard\acautoup.exe
O23 - Service: ActivCard Gold service (Accoca) - ActivCard - C:\Program Files\Common Files\ActivCard\accoca.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Cisco Systems, Inc. VPN Service CVPNDacautoupdate (CVPNDacautoupdate) - Unknown owner - ˜
.exe (file missing)
O23 - Service: DCOM Server Process Launcher DcomLaunchShellHWDetection (DcomLaunchShellHWDetection) - Unknown owner - .exe (file missing)
O23 - Service: Energy Star™ EZ GPO Power Management Configuration Tool (EPA_GPO_PMService) - TerraNovum - C:\WINDOWS\system32\PMService.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: McAfee Desktop Firewall Service (FireSvc) - McAfee, Inc. - C:\PROGRA~1\NETWOR~1\MCAFEE~1\FireSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Tumbleweed Desktop Validator - Tumbleweed Communications Inc. - C:\Program Files\Tumbleweed\Desktop Validator\DVService.exe

--
End of file - 15700 bytes

#4 Javatime

Javatime
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Location:Cedar Brook, NJ
  • Local time:07:10 AM

Posted 15 September 2008 - 06:31 PM

Hi Gang,
Thanks for your help in advance.
I've ran HJT (see below) and Malwarebytes' Anti-Malware twice (see below for latest). It appears that I'm not being rediretced anymore to certain sites, but I am not sure if I still have something that isn't being removed. I have also removed all Java apps and installed the latest version.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:49:00 PM, on 9/15/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ActivCard\acachsrv.exe
C:\Program Files\Common Files\ActivCard\acautoreg.exe
C:\Program Files\Common Files\ActivCard\acautoup.exe
c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\PMService.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\PROGRA~1\NETWOR~1\MCAFEE~1\FireSvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Tumbleweed\Desktop Validator\DVService.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Adobe\Distillr\Acrotray.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\PROGRA~1\NETWOR~1\MCAFEE~1\Firetray.exe
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\ActivCard\ActivCard Gold\acevtsrv.exe
C:\Program Files\Print Server\PTP\PSDiagnostic.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\rmm0922\Desktop\Canon\COMCAS~1\data\Xtras\mssysmgr.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Network Associates\Common Framework\McScript_InUse.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intelฎ PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intelฎ PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Tumbleweed Desktop Validator - Tumbleweed Communications Inc. - C:\Program Files\Tumbleweed\Desktop Validator\DVService.exe

--
End of file - 3406 bytes
*****************************************************************
Malwarebytes' Anti-Malware 1.28
Database version: 1153
Windows 5.1.2600 Service Pack 3

9/15/2008 7:10:04 PM
mbam-log-2008-09-15 (19-09-53).txt

Scan type: Full Scan (C:\|)
Objects scanned: 136321
Time elapsed: 1 hour(s), 17 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinCtrl32 (Trojan.Agent) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ (Trojan.Agent) -> No action taken.

Edited by Orange Blossom, 15 September 2008 - 11:18 PM.
Merged topics. ~ OB


#5 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:10 AM

Posted 19 September 2008 - 01:14 PM

Hello Javatime,

Have you been "fixing" items youself with Hijackthis? Your Hijackthis log is missing many valid items. :thumbsup:



Please disable McAfee Antivirus before running Kaspersky Online Scanner.


Please do a scan with Kaspersky Online Scanner


Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized). info.txt can also be found at c:\RSIT\info.txt

Edited by SifuMike, 19 September 2008 - 01:18 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#6 Javatime

Javatime
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Location:Cedar Brook, NJ
  • Local time:07:10 AM

Posted 22 September 2008 - 08:40 AM

Thanks for your help with this. Yes. I have been trying to use HJt and other apps to get rid of the virus. This is a gov't laptop and I do have 'some' admin rights. I t was difficlut to disable the virus program, but finally got it disabled to run kaspersky.

*************************************************************
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, September 22, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, September 22, 2008 01:50:39
Records in database: 1248801
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 92208
Threat name: 2
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 02:26:49


File name / Threat name / Threats count
C:\Documents and Settings\DLAADMIN\Local Settings\Temporary Internet Files\Content.IE5\W5QRS563\popcaploader_v10[1].cab Infected: not-a-virus:Downloader.Win32.PopCap.b 1
C:\WINDOWS\system32\drivers\bajrg.sys Infected: Hoax.Win32.Agent.fu 1

The selected area was scanned.

***************************************************************************************
Logfile of random's system information tool 1.02 (written by random/random)
Run by RMM0922 at 2008-09-22 09:29:39
Microsoft Windows XP Professional Service Pack 3
System drive C: has 21 GB (55%) free of 38 GB
Total RAM: 511 MB (33% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:29:58 AM, on 9/22/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ActivCard\acachsrv.exe
C:\Program Files\Common Files\ActivCard\acautoreg.exe
C:\Program Files\Common Files\ActivCard\acautoup.exe
c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\PMService.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\PROGRA~1\NETWOR~1\MCAFEE~1\FireSvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Tumbleweed\Desktop Validator\DVService.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Distillr\Acrotray.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\PROGRA~1\NETWOR~1\MCAFEE~1\Firetray.exe
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\ActivCard\ActivCard Gold\acevtsrv.exe
C:\Program Files\Print Server\PTP\PSDiagnostic.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\rmm0922\Desktop\Canon\COMCAS~1\data\Xtras\mssysmgr.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Adobe\Acrobat\Acrobat.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\rmm0922\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\RMM0922.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.hq.dla.mil:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dla1.dla.mil;dlaeis.dscr.dla.mil;today.dla.mil;*.bsm.dla.mil;dla1.eportal.dla.mil;*.eportal.use4.ad.dla.mil;*.dnsc.dla.mil;cols7.hroc.dla.mil;webapp2.use.ad.dla.mil;*.hq.dla.mil;denes-w001.usw.ad.dla.mil;do.use.ad.dla.mil;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [vdrdpup] C:\WINDOWS\system32\rundll32 C:\WINDOWS\system32\vdrdpup.dll,RegisterVirtualChannel
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [gemstrmw] C:\WINDOWS\system32\gemstrmw.exe /r
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [McAfeeFireTray] C:\PROGRA~1\NETWOR~1\MCAFEE~1\Firetray.exe
O4 - HKLM\..\Run: [EPA_EZ_GPO_Tool] C:\WINDOWS\system32\EZ_GPO_Tool.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [acEventServ] "C:\Program Files\ActivCard\ActivCard Gold\acevtsrv.exe"
O4 - HKLM\..\Run: [PrintServer Diagnostic] C:\Program Files\Print Server\PTP\PSDiagnostic.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\DOCUME~1\rmm0922\Desktop\Canon\COMCAS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-21-1437962126-4037215488-333535809-1006\..\RunOnce: [NeroHomeFirstStart] "C:\Program Files\Common Files\Nero\Lib\NMFirstStart.exe" (User '?')
O4 - HKUS\S-1-5-21-1659004503-562591055-682003330-37077\..\RunOnce: [NeroHomeFirstStart] "C:\Program Files\Common Files\Nero\Lib\NMFirstStart.exe" (User '?')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: *.bsm.dla.mil
O15 - Trusted Zone: http://pcbw.bsm.dla.mil
O15 - Trusted Zone: *.bsm.dla.mil (HKLM)
O15 - Trusted Zone: http://pcbw.bsm.dla.mil (HKLM)
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsupport.com/sdcxuser/asp/tgctlsr.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5036.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/amun/default/mjolauncher.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://cid-d643f50ebd49e8b1.spaces.live.co...ad/MsnPUpld.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://kohler1.view22.com/app/view22RTE.cab
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.6.0_05) -
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://chill.comcast.net/Gameshell/GameHos...ronGameHost.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = USE4.AD.DLA.MIL
O17 - HKLM\Software\..\Telephony: DomainName = USE4.AD.DLA.MIL
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = USE4.AD.DLA.MIL
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = USE4.AD.DLA.MIL
O20 - Winlogon Notify: acAuth - C:\WINDOWS\SYSTEM32\acauth.dll
O23 - Service: ActivCard Authentication Service (ACachSrv) - ActivCard - C:\Program Files\Common Files\ActivCard\acachsrv.exe
O23 - Service: ActivCard Gold Autoregister (acautoreg) - ActivCard S.A. - C:\Program Files\Common Files\ActivCard\acautoreg.exe
O23 - Service: ActivCard Auto-Update Service (acautoupdate) - ActivCard S.A. - C:\Program Files\Common Files\ActivCard\acautoup.exe
O23 - Service: ActivCard Gold service (Accoca) - ActivCard - C:\Program Files\Common Files\ActivCard\accoca.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Cisco Systems, Inc. VPN Service CVPNDacautoupdate (CVPNDacautoupdate) - Unknown owner - ˜
.exe (file missing)
O23 - Service: DCOM Server Process Launcher DcomLaunchShellHWDetection (DcomLaunchShellHWDetection) - Unknown owner - .exe (file missing)
O23 - Service: Energy Star™ EZ GPO Power Management Configuration Tool (EPA_GPO_PMService) - TerraNovum - C:\WINDOWS\system32\PMService.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: McAfee Desktop Firewall Service (FireSvc) - McAfee, Inc. - C:\PROGRA~1\NETWOR~1\MCAFEE~1\FireSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Tumbleweed Desktop Validator - Tumbleweed Communications Inc. - C:\Program Files\Tumbleweed\Desktop Validator\DVService.exe

--
End of file - 15804 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\User_Feed_Synchronization-{49D119E9-79D0-481D-8879-79F86A8EF839}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll [2006-01-12 63128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2008-08-14 1562448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
Adobe PDF Conversion Toolbar Helper - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll [2005-09-24 231160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll [2005-09-24 231160]
{327C2873-E90D-4c37-AA9D-10AC9BABA46C} - Easy-WebPrint - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll [2003-04-28 360448]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Acrobat Assistant 7.0"=C:\Program Files\Adobe\Distillr\Acrotray.exe [2006-01-12 483328]
""=C:\PROGRA~1\GRADKE~1\DBSIGN~1\lib\
"vdrdpup"=C:\WINDOWS\system32\rundll32 C:\WINDOWS\system32\vdrdpup.dll []
"McAfeeUpdaterUI"=C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe [2005-12-07 131072]
"gemstrmw"=C:\WINDOWS\system32\gemstrmw.exe [2003-08-30 24576]
"ShStatEXE"=C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE [2004-08-18 94208]
"Network Associates Error Reporting Service"=C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe [2003-10-07 147514]
"McAfeeFireTray"=C:\PROGRA~1\NETWOR~1\MCAFEE~1\Firetray.exe [2006-01-13 655427]
"EPA_EZ_GPO_Tool"=C:\WINDOWS\system32\EZ_GPO_Tool.exe [2005-01-21 69632]
"GWMDMMSG"=C:\WINDOWS\GWMDMMSG.exe [2003-03-19 126976]
"acEventServ"=C:\Program Files\ActivCard\ActivCard Gold\acevtsrv.exe [2003-07-01 28672]
"PrintServer Diagnostic"=C:\Program Files\Print Server\PTP\PSDiagnostic.exe [2004-11-24 266240]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2006-11-03 866584]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2006-10-25 282624]
"IntelZeroConfig"=C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe [2007-11-01 995328]
"IntelWireless"=C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe [2007-11-01 1101824]
"NBKeyScan"=C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe []
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]
"Malwarebytes Anti-Malware (reboot)"=C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2008-09-10 1253040]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"PhotoShow Deluxe Media Manager"=C:\DOCUME~1\rmm0922\Desktop\Canon\COMCAS~1\data\Xtras\mssysmgr.exe [2005-05-09 192512]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-08-18 1832272]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"=C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe ASO-616B5711-6DAE-4795-A05F-39A1E5104020 []
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2008-09-03 1576176]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVConfigUpdate]
C:\Program Files\Tumbleweed\Desktop Validator\dvconfigupdate.exe [2005-11-11 36864]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVTrayApp]
C:\Program Files\Tumbleweed\Desktop Validator\DVTrayApp.exe [2005-11-11 344064]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\PROGRA~1\GRADKE~1\DBSIGN~1\lib\

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe [2006-10-25 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe [2004-09-25 1691648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SprintPort]
C:\Program Files\Novatel Wireless\SprintPort\SprintPortA.exe [2002-08-20 122959]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ActivCard Gold Smart Card Agent.lnk]
C:\PROGRA~1\ACTIVC~1\ACTIVC~1\agquickp.exe [2005-01-07 147456]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2006-09-02 25214]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE [1999-11-04 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^[email protected]]
C:\PROGRA~1\APPLEC~1\DVD@CC~1\DVDACC~1.EXE [2003-11-21 888832]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
C:\PROGRA~1\INTERV~1\Common\Bin\WINCIN~1.EXE [2005-06-22 278528]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
c:\WINDOWS\Installer\{D25122BC-A60E-4663-B602-B01718F12044}\Icon3E5562ED7.ico [2006-08-07 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^rmm0922^Start Menu^Programs^Startup^Wireless Connection Manager Update.lnk]
C:\PROGRA~1\NOVATE~1\WIRELE~1\WiseUpdt.exe [2004-05-24 168297]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\acAuth]
C:\WINDOWS\system32\acauth.dll [2002-12-17 65536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2005-08-09 46080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-04-10 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"=C:\PROGRA~1\WIFD1F~1\MpShHook.dll [2006-11-03 83224]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winin48.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\firehook]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\firehook.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinDefend]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winin48.sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=1
"DisableCAD"=0
"LegalNoticeText"=This is a Department of Defense computer system. This computer system,including all related equipment,networks and network devices (specifically including Internet access),are provided only for authorized U.S. Government use. DOD computer systems may be monitored for all lawful purposes,including to ensure that their use is authorized,for management of the system,to facilitate protection against unauthorized access,and to verify security procedures,survivability and operational security. Monitoring includes active attacks by authorized DOD entities to test or verify the security of this system. During monitoring,information may be examined,recorded,copied and used for authorized purposes. All information,including personal information,placed on or sent over the system may be monitored. Use of this DOD computer system,authorized or unauthorized,constitutes consent to monitoring of this system. Unauthorized use may subject you to criminal prosecution. Evidence of unauthorized use collected during monitoring may be used for administrative,criminal or other adverse action. Use of this system constitutes consent to monitoring for these purposes.
"LegalNoticeCaption"=WARNING --HQC NOTICE-- WARNING
"ShutdownWithoutLogon"=0
"Undockwithoutlogon"=0
"LogonType"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=0
"ForceStartMenuLogOff"=1
"ForceClassicControlPanel"=1
"NoManageMyComputerVerb"=1
"EnforceShellExtensionSecurity"=1
"NoHardwareTab"=1
"NoRunasInstallPrompt"=1
"MemCheckBoxInRunDlg"=1
"GreyMSIAds"=1
"DisablePersonalDirChange"=1
"NoAutoUpdate"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=
"NoWelcomeScreen"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Network Associates\Common Framework\FrameworkService.exe"="C:\Program Files\Network Associates\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\McAfeeFire.exe"="C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\McAfeeFire.exe:*:Enabled:McAfee Desktop Firewall"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{201697d0-c60a-11dc-97ed-000e3578b7e2}]
shell\AutoRun\command - E:\LaunchU3.exe -a


======List of files/folders created in the last 1 months======

2008-09-22 09:29:39 ----D---- C:\rsit
2008-09-15 23:02:20 ----A---- C:\WINDOWS\system32\rIwhipv.txt
2008-09-14 21:24:36 ----D---- C:\Documents and Settings\rmm0922\Application Data\Malwarebytes
2008-09-14 21:24:24 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-14 21:24:23 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-14 18:51:31 ----D---- C:\Program Files\vepyaue
2008-09-13 22:28:49 ----D---- C:\Program Files\lgcjwmc
2008-09-13 10:35:59 ----A---- C:\WINDOWS\system32\javaws.exe
2008-09-13 10:35:59 ----A---- C:\WINDOWS\system32\javaw.exe
2008-09-13 10:35:58 ----A---- C:\WINDOWS\system32\java.exe
2008-09-13 10:33:49 ----D---- C:\Program Files\Common Files\Java
2008-09-13 01:03:25 ----D---- C:\Program Files\thyruq
2008-09-13 00:45:53 ----D---- C:\Program Files\Trend Micro
2008-09-12 10:44:38 ----D---- C:\Program Files\xquvdcg
2008-09-10 23:06:56 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-09-10 23:05:52 ----D---- C:\Program Files\SUPERAntiSpyware
2008-09-10 23:05:51 ----D---- C:\Documents and Settings\rmm0922\Application Data\SUPERAntiSpyware.com
2008-09-10 21:15:54 ----D---- C:\VundoFix Backups
2008-09-10 21:15:54 ----A---- C:\VundoFix.txt
2008-09-10 19:39:21 ----D---- C:\Program Files\uuthzlg
2008-09-10 03:03:11 ----HDC---- C:\WINDOWS\$NtUninstallKB938464$
2008-09-09 20:50:38 ----D---- C:\Program Files\Windows Live Safety Center
2008-09-07 01:02:12 ----D---- C:\Program Files\yliszze
2008-09-06 22:56:15 ----A---- C:\WINDOWS\wininit.ini
2008-09-06 21:13:17 ----D---- C:\Program Files\rcswzdd
2008-09-06 21:11:34 ----D---- C:\Documents and Settings\All Users\Application Data\ovobsjaj
2008-08-31 22:05:02 ----D---- C:\Program Files\Blender Foundation
2008-08-31 18:43:04 ----D---- C:\Documents and Settings\rmm0922\Application Data\Blender Foundation

======List of files/folders modified in the last 1 months======

2008-09-22 00:02:13 ----D---- C:\WINDOWS\Temp
2008-09-15 23:02:20 ----D---- C:\WINDOWS\system32\drivers
2008-09-15 23:02:20 ----D---- C:\WINDOWS\system32
2008-09-15 22:27:54 ----D---- C:\WINDOWS\system32\CatRoot2
2008-09-15 22:27:43 ----SD---- C:\WINDOWS\Tasks
2008-09-15 22:27:43 ----A---- C:\WINDOWS\SMSCFG.ini
2008-09-15 22:22:45 ----A---- C:\WINDOWS\ntbtlog.txt
2008-09-14 23:14:40 ----RD---- C:\Program Files
2008-09-14 22:34:44 ----D---- C:\quarantine
2008-09-14 21:34:30 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-09-13 10:35:57 ----D---- C:\Program Files\Java
2008-09-13 10:34:07 ----SHD---- C:\WINDOWS\Installer
2008-09-13 10:33:49 ----D---- C:\Program Files\Common Files
2008-09-10 23:05:06 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-10 22:47:23 ----D---- C:\WINDOWS
2008-09-10 19:16:05 ----HD---- C:\WINDOWS\inf
2008-09-10 03:03:13 ----D---- C:\WINDOWS\WinSxS
2008-09-06 21:36:39 ----D---- C:\WINDOWS\Help
2008-09-06 21:26:57 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-09-04 20:02:40 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-09-04 19:52:23 ----ASH---- C:\boot.ini
2008-09-04 19:52:23 ----A---- C:\WINDOWS\win.ini
2008-09-04 19:52:23 ----A---- C:\WINDOWS\system.ini
2008-09-04 19:52:19 ----D---- C:\WINDOWS\pss
2008-09-04 19:12:17 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-26 13:28:14 ----A---- C:\WINDOWS\system32\MRT.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Cdr4_xp;Cdr4_xp; C:\WINDOWS\system32\drivers\Cdr4_xp.sys [2004-09-25 44288]
R1 Cdralw2k;Cdralw2k; C:\WINDOWS\system32\drivers\Cdralw2k.sys [2004-09-25 24832]
R1 cdudf_xp;cdudf_xp; C:\WINDOWS\system32\drivers\cdudf_xp.sys [2004-09-25 289792]
R1 DVDVRRdr_xp;DVDVRRdr_xp; C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys [2004-09-25 141184]
R1 FireHook;McAfee Desktop Firewall; \??\C:\WINDOWS\system32\Drivers\Firehk5x.sys []
R1 FireTDI;McAfee Desktop Firewall TDI Driver; \??\C:\WINDOWS\system32\Drivers\FireTDI.sys []
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 NaiAvTdi1;NaiAvTdi1; C:\WINDOWS\system32\drivers\mvstdi5x.sys [2006-06-08 58464]
R1 pwd_2k;pwd_2k; C:\WINDOWS\system32\drivers\pwd_2k.sys [2004-09-25 117632]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R1 Tcpip6;Microsoft IPv6 Protocol Driver; C:\WINDOWS\system32\DRIVERS\tcpip6.sys [2008-06-20 225856]
R1 UDFReadr;UDFReadr; C:\WINDOWS\system32\drivers\UDFReadr.sys [2004-09-25 200832]
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.7.5.0; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2008-02-24 21361]
R2 CVPNDRVA;Cisco Systems Inc. IPSec Driver; \??\c:\WINDOWS\system32\Drivers\CVPNDRVA.sys []
R2 DVDAccss;DVDAccss; C:\WINDOWS\system32\drivers\DVDAccss.sys [2003-11-21 29156]
R2 NwlnkIpx;NWLink IPX/SPX/NetBIOS Compatible Transport Protocol; C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys [2008-04-13 88320]
R2 NwlnkNb;NWLink NetBIOS; C:\WINDOWS\system32\DRIVERS\nwlnknb.sys [2004-08-04 63232]
R2 NwlnkSpx;NWLink SPX/SPXII Protocol; C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys [2004-08-04 55936]
R2 s24trans;WLAN Transport; C:\WINDOWS\system32\DRIVERS\s24trans.sys [2007-08-27 12288]
R2 SprintPort;SprintPort Serial Driver; \??\C:\Program Files\Novatel Wireless\SprintPort\WINPORT.SYS []
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2005-08-09 1273856]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-13 13952]
R3 DNE;Deterministic Network Enhancer Miniport; C:\WINDOWS\system32\DRIVERS\dne2000.sys [2005-08-18 110080]
R3 E1000;Intel® PRO/1000 Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e1000325.sys [2006-03-23 163840]
R3 EntDrv51;EntDrv51; \??\C:\WINDOWS\system32\drivers\EntDrv51.sys []
R3 firelm01;firelm01; \??\C:\WINDOWS\system32\drivers\firelm01.sys []
R3 GTWModem;GTW Modem; C:\WINDOWS\system32\DRIVERS\GWMDM.sys [2003-03-19 1136384]
R3 kbstuff;SMS Virtual Keyboard; C:\WINDOWS\system32\DRIVERS\kbstuff5.sys [2004-06-27 4864]
R3 mmc_2K;mmc_2K; C:\WINDOWS\system32\drivers\mmc_2K.sys [2004-09-25 23808]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 NaiAvFilter1;NaiAvFilter1; C:\WINDOWS\system32\drivers\naiavf5x.sys [2006-06-08 116864]
R3 NWRDR;NetWare Rdr; C:\WINDOWS\system32\DRIVERS\nwrdr.sys [2008-04-13 163584]
R3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2002-02-11 14572]
R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
R3 STAC97;Audio Driver (WDM) - SigmaTel CODEC; C:\WINDOWS\system32\drivers\STAC97.sys [2006-03-23 194000]
R3 tunmp;Microsoft Tun Miniport Adapter Driver; C:\WINDOWS\system32\DRIVERS\tunmp.sys [2008-04-13 12288]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 w29n51;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows XP; C:\WINDOWS\system32\DRIVERS\w29n51.sys [2007-07-25 2210048]
S1 wceusbsh;Windows CE USB Serial Host Driver; C:\WINDOWS\system32\DRIVERS\wceusbsh.sys [2008-04-13 31744]
S3 ac97intc;Intel® 82801 Audio Driver Install Service (WDM); C:\WINDOWS\system32\drivers\ac97intc.sys [2001-08-17 96256]
S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
S3 ati2mtaa;ati2mtaa; C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2004-08-03 327040]
S3 CVirtA;Cisco Systems VPN Adapter; C:\WINDOWS\system32\DRIVERS\CVirtA.sys [2005-05-17 5315]
S3 dvd_2K;dvd_2K; C:\WINDOWS\system32\drivers\dvd_2K.sys [2004-09-25 23936]
S3 EL90XBC;3Com EtherLink XL 90XB/C Adapter Driver; C:\WINDOWS\system32\DRIVERS\el90xbc5.sys [2001-08-17 66591]
S3 GEMPCC;Gemplus GemPC400 PCMCIA Smart Card Reader; C:\WINDOWS\system32\DRIVERS\gempcc.sys [2002-07-08 27320]
S3 GPR400;GEMPLUS GPR400 PCMCIA Smart Card Reader; C:\WINDOWS\system32\DRIVERS\gpr400.sys [2001-08-17 17408]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 idisw2km;idisw2km; C:\WINDOWS\system32\DRIVERS\idisw2km.sys [2004-06-27 2112]
S3 mf;mf; C:\WINDOWS\system32\DRIVERS\mf.sys [2008-04-13 63744]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
S3 Novatel;Novatel Wireless Network Adapter; C:\WINDOWS\system32\DRIVERS\nwc201.sys [2004-04-21 40064]
S3 prepdrvr;SMS Process Event Driver; \??\C:\WINDOWS\system32\CCM\prepdrv.sys []
S3 SocketQuadSerial;Novatel Wireless CDMA 1.9GHz Modem driver; C:\WINDOWS\system32\DRIVERS\nvtlg2k.sys [2004-03-23 48556]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 vsdatant;vsdatant; \??\C:\WINDOWS\system32\vsdatant.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 6to4;IPv6 Helper Service; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
R2 ACachSrv;ActivCard Authentication Service; C:\Program Files\Common Files\ActivCard\acachsrv.exe [2005-02-04 122880]
R2 acautoreg;ActivCard Gold Autoregister; C:\Program Files\Common Files\ActivCard\acautoreg.exe [2002-11-29 53248]
R2 acautoupdate;ActivCard Auto-Update Service; C:\Program Files\Common Files\ActivCard\acautoup.exe [2003-03-24 36864]
R2 Accoca;ActivCard Gold service; C:\Program Files\Common Files\ActivCard\accoca.exe [2002-08-12 159744]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2005-08-09 380928]
R2 CcmExec;SMS Agent Host; C:\WINDOWS\system32\CCM\CcmExec.exe [2004-10-25 571904]
R2 CVPND;Cisco Systems, Inc. VPN Service; c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe [2006-04-20 1520688]
R2 EPA_GPO_PMService;Energy Star™ EZ GPO Power Management Configuration Tool; C:\WINDOWS\system32\PMService.exe [2005-01-21 81920]
R2 EvtEng;Intel® PROSet/Wireless Event Log; C:\Program Files\Intel\Wireless\Bin\EvtEng.exe [2007-11-01 794624]
R2 FireSvc;McAfee Desktop Firewall Service; C:\PROGRA~1\NETWOR~1\MCAFEE~1\FireSvc.exe [2006-01-13 757826]
R2 McAfeeFramework;McAfee Framework Service; C:\Program Files\Network Associates\Common Framework\FrameworkService.exe [2005-12-07 98304]
R2 McShield;Network Associates McShield; C:\Program Files\Network Associates\VirusScan\Mcshield.exe [2006-02-14 221191]
R2 McTaskManager;Network Associates Task Manager; C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe [2006-06-08 29184]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-20 322120]
R2 NWCWorkstation;Client Service for NetWare; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
R2 RegSrvc;Intel® PROSet/Wireless Registry Service; C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe [2007-11-01 483328]
R2 S24EventMonitor;Intel® PROSet/Wireless Service; C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe [2007-11-01 1183744]
R2 Tumbleweed Desktop Validator;Tumbleweed Desktop Validator; C:\Program Files\Tumbleweed\Desktop Validator\DVService.exe [2005-11-11 65536]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
R2 WinDefend;Windows Defender; C:\Program Files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R2 Wuser32;SMS Remote Control Agent; C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe [2004-10-20 241664]
S2 CVPNDacautoupdate;Cisco Systems, Inc. VPN Service CVPNDacautoupdate; ˜
srv []
S2 DcomLaunchShellHWDetection;DCOM Server Process Launcher DcomLaunchShellHWDetection; srv []
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 WMConnectCDS;Windows Media Connect Service; C:\Program Files\Windows Media Connect 2\wmccds.exe [2005-10-06 855552]

-----------------EOF-----------------

INFO.TXT
info.txt logfile of random's system information tool 1.02 2008-09-22 09:30:06

======Uninstall list======

-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ActivCard Gold for CAC - PKI - Version 3.0 Feature Pack 2-->MsiExec.exe /I{F489174B-CF14-4B4D-84BB-C1AD46EDB412}
Ad-Aware SE Personal-->MsiExec.exe /X{78CC3BAB-DE2A-4FB4-8FBB-E4DADDC26747}
Adobe Acrobat 7.0.7 Professional-->msiexec /I {AC76BA86-1033-0000-7760-100000000002}
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Photoshop 7.0.1-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 7.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 7.0\Uninst.dll"
Adobe SVG Viewer 3.0-->C:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe -u -fC:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Install.log
ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
BadCopy Pro-->C:\PROGRA~1\Jufsoft\BadCopy\UNWISE.EXE C:\PROGRA~1\Jufsoft\BadCopy\INSTALL.LOG
Blender (remove only)-->"C:\Program Files\Blender Foundation\Blender\uninstall.exe"
BUM-->MsiExec.exe /I{55937F00-A69B-4049-8D3A-1C7729742B6F}
Canon Camera Window for ZoomBrowser EX-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{FC3EEA54-C009-4D75-B753-3CD871BF3EBA}
Canon i860-->C:\WINDOWS\system32\CNMCP56.exe "-PRINTERNAMECanon i860" "-HELPERDLLC:\BJPrinter\CNMWINDOWS\Canon i860 Installer\Inst2\cnmis.dll" "-RCDLLC:\BJPrinter\CNMWINDOWS\Canon i860 Installer\Inst2\cnmi0409.dll"
Canon PhotoRecord-->MsiExec.exe /X{BEF56F2D-56ED-4176-BF72-7B68D4A3B98D}
Canon RAW Image Task for ZoomBrowser EX-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{FAF0DAD8-1EA7-4FEF-80E5-8D8D6EBD5A23}
Canon RemoteCapture Task for ZoomBrowser EX-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{2236B741-6631-49AE-B76E-3E14CA01CC87}
Canon Utilities Easy-PhotoPrint Plus-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Canon\Easy-PhotoPrint Plus\Uninst.isu" -c"C:\Program Files\Canon\Easy-PhotoPrint Plus\EZUNINST.DLL"
Canon Utilities Easy-PhotoPrint-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Canon\Easy-PhotoPrint\Uninst.isu" -c"C:\Program Files\Canon\Easy-PhotoPrint\EZUNINST.DLL"
Canon Utilities PhotoStitch 3.1-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{03CDDD00-BD57-4326-9480-4C74449AF597}
Canon Utilities ZoomBrowser EX-->MsiExec.exe /X{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}
Cisco Systems VPN Client 4.8.01.0300-->MsiExec.exe /X{D25122BC-A60E-4663-B602-B01718F12044}
Comcast PhotoShow Deluxe 4-->"C:\Documents and Settings\rmm0922\Desktop\Canon\Comcast PhotoShow 4\data\Xtras\Uninstall.exe"
Creative DVD Audio Plugin for Audigy Series-->"C:\Program Files\Creative\CTDPlugin\CTUIDVD.exe " -u
DBsign Web Signer-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{44D21B77-D4FC-49E8-A726-CD00D5016703}\Setup.exe" -l0x9
DVD@ccess 2.0.3-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2B34414C-14FB-11D6-A329-0050045C24B2}\Setup.exe" -l0x9
Easy-WebPrint-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\Easy-WebPrint\Uninst.isu"
EOL Universal Printer Client-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FD4776A5-A39D-4208-AC34-AF4373C81967}\Setup.exe" /u
EZ GPO Power Management Config Tool-->MsiExec.exe /X{C5B83F18-6959-4760-9879-709E29E75DAF}
FAS_RM-->"C:\FAS_RM\UNINSTAL.EXE" "C:\FAS_RM\INSTALL.LOG" "FAS_RM Uninstall"
Gateway Drivers and Applications Recovery-->C:\Program Files\Gateway\HPA\GWMenu.exe UNINSTALL
Gemplus Smart Card Reader Tools-->C:\Program Files\Gemplus\ReaderTools\Installer\setup.exe /u
GTW Modem-->C:\WINDOWS\GWMDMU.exe verbose
High Speed RAS-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BAA2097C-D6C8-41DD-9C85-15635F536B4B}\Setup.exe"
HighMAT Extension to Microsoft Windows XP CD Writing Wizard-->MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
Hotfix for Windows Media Format SDK (KB902344)-->"C:\WINDOWS\$NtUninstallKB902344$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hummingbird Connectivity Secure Shell 10-->MsiExec.exe /I{67DE738B-029F-4E23-8DC8-710AAF32E20E}
Hummingbird HostExplorer 10-->MsiExec.exe /I{AA20EF38-5DEC-4F20-A526-5D7F5D9CF9B8}
ieSpell-->"C:\Program Files\ieSpell\uninst.exe"
Intel® PRO Network Connections Drivers-->Prounstl.exe
Intel® PROSet/Wireless Software-->C:\WINDOWS\Installer\iProInst.exe
InterVideo WinDVD 7-->"C:\Program Files\InstallShield Installation Information\{90885A82-9673-49EA-AB39-AF776639C67C}\setup.exe" REMOVEALL
IsoBuster 1.9.1-->"C:\Program Files\Smart Projects\IsoBuster\Uninst\unins000.exe"
Java™ 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Kazaa Lite Resurrection 0.0.8-->"C:\Documents and Settings\rmm0922\Desktop\Downloads\Kazaa Lite Resurrection\unins000.exe"
Macromedia Shockwave Player-->MsiExec.exe /X{838A1BC9-95CA-4880-9BE3-2A7D23600A2B}
MailCrypt-->MsiExec.exe /X{A71AFC3C-D1DE-49B9-B267-CFCF7CF3A8AB}
MailNavigator v.1.11-->"C:\Program Files\MailNavigator\uninstall.exe"
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
McAfee Desktop Firewall 8.5-->C:\PROGRA~1\NETWOR~1\MCAFEE~1\McAfeefire.exe addremove
McAfee ePO Agent-->MsiExec.exe /I{F5D0ABD0-F6A3-40E2-A2A3-A436FAA3E5FB}
McAfee VirusScan Enterprise-->MsiExec.exe /I{5DF3D1BB-894E-4DCD-8275-159AC9829B43}
mCore-->MsiExec.exe /I{E81667C6-2856-46D6-ABEA-6A2F42166779}
mDriver-->MsiExec.exe /I{A0F925BF-5C55-44C2-A4E7-5A4C59791C29}
mDrWiFi-->MsiExec.exe /I{F6090A17-0967-4A8A-B3C3-422A1B514D49}
MetaFrame Presentation Server Client-->MsiExec.exe /I{DF1D5FEC-D67C-43C8-9230-41F5DF350196}
MetaFrame Presentation Server Web Client for Win32-->C:\WINDOWS\system32\ctxsetup.exe /uninst C:\PROGRA~1\Citrix\icaweb32\uninst.inf
mHelp-->MsiExec.exe /I{8C6BB412-D3A8-4AAE-A01B-35B681789D68}
Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office FrontPage 2003-->MsiExec.exe /I{90170409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Windows XP Video Decoder Checkup Utility-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\DECCHECK.inf,Uninstall
mIWA-->MsiExec.exe /I{3E9D596A-61D4-4239-BD19-2DB984D2A16F}
mLogView-->MsiExec.exe /I{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}
mMHouse-->MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
mPfMgr-->MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mPfWiz-->MsiExec.exe /I{90B0D222-8C21-4B35-9262-53B042F18AF9}
mProSafe-->MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
mSCfg-->MsiExec.exe /I{829CD169-E692-48E8-9BDE-A3E8D8B65538}
MSN Money Investment Toolbox-->"C:\Program Files\Microsoft Money 2006\MNYCoreFiles\Setup\uninst.exe" /s:5
MSXML 4.0 SP2 (KB925672)-->MsiExec.exe /I{A9CF9052-F4A0-475D-A00F-A8388C62DD63}
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 6.0 Parser (KB933579)-->MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
mWlsSafe-->MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
mZConfig-->MsiExec.exe /I{94658027-9F16-4509-BBD7-A59FE57C3023}
neroxml-->MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
Print Server Driver-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Print Server\PTP\Uninst.isu"
QuickTime-->MsiExec.exe /I{50D8FFDD-90CD-4859-841F-AA1961C7767A}
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Roxio Easy Media Creator 7 Basic Edition-->MsiExec.exe /I{F4862B43-A087-4826-8C50-D41646EC7728}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Windows Internet Explorer 7 (KB928090)-->"C:\WINDOWS\ie7updates\KB928090-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB929969)-->"C:\WINDOWS\ie7updates\KB929969\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB931768)-->"C:\WINDOWS\ie7updates\KB931768-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB933566)-->"C:\WINDOWS\ie7updates\KB933566-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB937143)-->"C:\WINDOWS\ie7updates\KB937143-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB939653)-->"C:\WINDOWS\ie7updates\KB939653-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB942615)-->"C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB944533)-->"C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB911565)-->"C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP10$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
SereneScreen Marine Aquarium 2.6-->"C:\Program Files\SereneScreen\Marine Aquarium 2.6\unins000.exe"
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins001.exe"
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
USE4-DV_Standard_East_4_9_no_exit-->"C:\Untitled\UNINSTAL.EXE" "C:\Untitled\INSTALL.LOG" "USE4-DV_Standard_East_4_9_no_exit Uninstall"
VCRedistSetup-->MsiExec.exe /I{3921A67A-5AB1-4E48-9444-C71814CF3027}
Windows Defender-->MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Genuine Advantage v1.3.0254.0-->MsiExec.exe /I{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}
Windows Live OneCare safety scanner-->RunDll32.exe "C:\Program Files\Windows Live Safety Center\wlscCore.dll",UninstallFunction WLSC_SCANNER_PRODUCT
Windows Media Connect-->"C:\WINDOWS\$NtUninstallWMCSetup$\spuninst\spuninst.exe"
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format SDK Hotfix - KB891122-->"C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
Windows Media Player 10-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinZip 9.0 SR-1-->MsiExec.exe /I{3D1E3DCB-9E20-41C2-9D99-9DC1FAD188CC}

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=C:\PROGRA~1\GRADKE~1\DBSIGN~1\lib;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\ActivCard\ActivCard Gold\Resources;Resources;C:\Program Files\Common Files\Roxio Shared\DLLShared;C:\Program Files\Tumbleweed\Desktop Validator\;C:\Program Files\QuickTime\QTSystem\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 13 Stepping 6, GenuineIntel
"PROCESSOR_REVISION"=0d06
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"MOZ_PLUGIN_PATH"=C:\PROGRA~1\GRADKE~1\DBSIGN~1\lib;
"CLASSPATH"=.;C:\Program Files\Java\jre1.5.0_10\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.5.0_10\lib\ext\QTJava.zip

-----------------EOF-----------------

#7 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:10 AM

Posted 22 September 2008 - 12:16 PM

This is a gov't laptop and I do have 'some' admin rights.


You said this is a gov't (work) computer..... does your company (gov't) have an IT department?

This would be a job for them. This is what they are paid to do. We're volunteers that work for free here, on a donation only basis.

Your company (gov't) has policies in place for this kind of thing, and I won't be responsible for possibly going against policy.

Please let me know what you're going to do.

Edited by SifuMike, 22 September 2008 - 12:21 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#8 Javatime

Javatime
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Location:Cedar Brook, NJ
  • Local time:07:10 AM

Posted 22 September 2008 - 06:20 PM

Well. this is real catch 22 because this is now MY laptop that I purchased after I received a new one and my IT Dept. is not responsible for this one....guess I'm on my own.

#9 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:10 AM

Posted 22 September 2008 - 10:17 PM

Since this is your own computer, then I will give you a hand.

You have made it far more difficult for me by try to fix this yourself, as you have may have been deleting valid files and registry keys; I have no idea of what you have been deleting, so I cant gaurentee we can find all the problems.

Uninstll Ad-Aware SE Personal, as that is obsolete. The new version is Ad-Aware 2008 Free. http://lavasoft.com/products/ad_aware_free.php


Before running a new scan let's clean out the temporary folders.

Download ATF Cleaner to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Close ALL Internet browsers (very important).
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Now download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • In the Drivers section click on Non-Microsoft.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck

      File - Additional Folder Scans

  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. Make sure that the first line is code with brackets around it [] and that the last line is /code with brackets around it [].

If, after posting, the last line is not <End of Report> then the log is too big to fit into a single post

If it is too big to fit into a single post, then you can upload the new scan log to me here.

Edited by SifuMike, 22 September 2008 - 10:23 PM.
typo

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#10 Javatime

Javatime
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Location:Cedar Brook, NJ
  • Local time:07:10 AM

Posted 23 September 2008 - 06:27 PM

OTScanIt logfile created on: 9/23/2008 7:12:14 PM

OTScanIt by OldTimer - Version 1.0.19.0	 Folder = C:\Documents and Settings\rmm0922\Desktop\OTScanIt

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 7.0.5730.11)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

 

510.98 Mb Total Physical Memory | 112.91 Mb Available Physical Memory | 22.10% Memory free

1.25 Gb Paging File | 0.52 Gb Available in Paging File | 41.18% Paging File free

Paging file location(s): C:\pagefile.sys 800 1536;

 

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 37.25 Gb Total Space | 21.61 Gb Free Space | 58.00% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded



Computer Name: BEL1L-327905

Current User Name: RMM0922

NOT logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Whitelist: On



[Processes - Non-Microsoft Only]

acachsrv.exe -> %CommonProgramFiles%\ActivCard\acachsrv.exe -> ActivCard [Ver = 1, 0, 54, 2 | Size = 122880 bytes | Modified Date = 2/4/2005 8:44:30 PM | Attr =	]

acautoreg.exe -> %CommonProgramFiles%\ActivCard\acautoreg.exe -> ActivCard S.A. [Ver = 2, 0, 4, 0 | Size = 53248 bytes | Modified Date = 11/29/2002 3:43:58 PM | Attr =	]

acautoup.exe -> %CommonProgramFiles%\ActivCard\acautoup.exe -> ActivCard S.A. [Ver = 1, 6, 0, 0 | Size = 36864 bytes | Modified Date = 3/24/2003 2:39:22 PM | Attr =	]

accoca.exe -> %CommonProgramFiles%\ActivCard\accoca.exe -> ActivCard [Ver = 2, 1, 8, 0 | Size = 159744 bytes | Modified Date = 8/12/2002 5:54:58 PM | Attr =	]

pmservice.exe -> %SystemRoot%\system32\PMService.exe -> TerraNovum [Ver = 2, 0, 0, 14 | Size = 81920 bytes | Modified Date = 1/21/2005 3:07:16 PM | Attr =	]

vstskmgr.exe -> %ProgramFiles%\Network Associates\VirusScan\VsTskMgr.exe -> Network Associates, Inc. [Ver = 8.0.0.1004 | Size = 29184 bytes | Modified Date = 6/8/2006 8:00:00 PM | Attr =	]

dvservice.exe -> %ProgramFiles%\Tumbleweed\Desktop Validator\DVService.exe -> Tumbleweed Communications Inc. [Ver = 4.9.0 | Size = 65536 bytes | Modified Date = 11/11/2005 4:22:20 PM | Attr =	]

shstat.exe -> %ProgramFiles%\Network Associates\VirusScan\shstat.exe -> Network Associates, Inc. [Ver = 8.0.0.912 | Size = 94208 bytes | Modified Date = 8/18/2004 8:00:00 AM | Attr =	]

tbmon.exe -> %CommonProgramFiles%\Network Associates\TalkBack\TBMon.exe -> Network Associates, Inc. [Ver = 2.0.275.0 | Size = 147514 bytes | Modified Date = 10/7/2003 9:48:56 AM | Attr =	]

gwmdmmsg.exe -> %SystemRoot%\GWMDMMSG.exe -> GTW [Ver =  3.6.08 03/17/2003 15:19:57 | Size = 126976 bytes | Modified Date = 3/19/2003 5:39:00 PM | Attr =	]

acevtsrv.exe -> %ProgramFiles%\ActivCard\ActivCard Gold\acevtsrv.exe -> ActivCard [Ver = 1, 0, 53, 0 | Size = 28672 bytes | Modified Date = 7/1/2003 8:42:24 AM | Attr =	]

psdiagnostic.exe -> %ProgramFiles%\Print Server\PTP\PSDiagnostic.exe ->  [Ver = 2, 0, 7, 0 | Size = 266240 bytes | Modified Date = 11/24/2004 5:09:40 PM | Attr =	]

mssysmgr.exe -> %UserProfile%\Desktop\Canon\Comcast PhotoShow 4\data\Xtras\mssysmgr.exe -> Simple Star, Inc. [Ver = 4.0.0.0 | Size = 192512 bytes | Modified Date = 5/9/2005 7:16:15 PM | Attr =	]

mcshield.exe -> %ProgramFiles%\Network Associates\VirusScan\Mcshield.exe -> Network Associates, Inc. [Ver = 8.0.0.318 | Size = 221191 bytes | Modified Date = 2/14/2006 8:00:00 PM | Attr =	]



[Win32 Services - Non-Microsoft Only]

(ACachSrv) ActivCard Authentication Service [Win32_Own | Auto | Running] -> %CommonProgramFiles%\ActivCard\acachsrv.exe -> ActivCard [Ver = 1, 0, 54, 2 | Size = 122880 bytes | Modified Date = 2/4/2005 8:44:30 PM | Attr =	]

(acautoreg) ActivCard Gold Autoregister [Win32_Own | Auto | Running] -> %CommonProgramFiles%\ActivCard\acautoreg.exe -> ActivCard S.A. [Ver = 2, 0, 4, 0 | Size = 53248 bytes | Modified Date = 11/29/2002 3:43:58 PM | Attr =	]

(acautoupdate) ActivCard Auto-Update Service [Win32_Own | Auto | Running] -> %CommonProgramFiles%\ActivCard\acautoup.exe -> ActivCard S.A. [Ver = 1, 6, 0, 0 | Size = 36864 bytes | Modified Date = 3/24/2003 2:39:22 PM | Attr =	]

(Accoca) ActivCard Gold service [Win32_Own | Auto | Running] -> %CommonProgramFiles%\ActivCard\accoca.exe -> ActivCard [Ver = 2, 1, 8, 0 | Size = 159744 bytes | Modified Date = 8/12/2002 5:54:58 PM | Attr =	]

(CVPNDacautoupdate) Cisco Systems, Inc. VPN Service CVPNDacautoupdate [Win32_Own | Auto | Stopped] ->  -> File not found

(DcomLaunchShellHWDetection) DCOM Server Process Launcher DcomLaunchShellHWDetection [Win32_Own | Auto | Stopped] -> . ->  [Folder | Modified Date = 9/23/2008 7:09:45 PM | Attr =	]

(EPA_GPO_PMService) Energy Star(TM) EZ GPO Power Management Configuration Tool [Win32_Own | Auto | Running] -> %SystemRoot%\system32\PMService.exe -> TerraNovum [Ver = 2, 0, 0, 14 | Size = 81920 bytes | Modified Date = 1/21/2005 3:07:16 PM | Attr =	]

(McShield) Network Associates McShield [Win32_Own | Auto | Running] -> %ProgramFiles%\Network Associates\VirusScan\Mcshield.exe -> Network Associates, Inc. [Ver = 8.0.0.318 | Size = 221191 bytes | Modified Date = 2/14/2006 8:00:00 PM | Attr =	]

(McTaskManager) Network Associates Task Manager [Win32_Own | Auto | Running] -> %ProgramFiles%\Network Associates\VirusScan\VsTskMgr.exe -> Network Associates, Inc. [Ver = 8.0.0.1004 | Size = 29184 bytes | Modified Date = 6/8/2006 8:00:00 PM | Attr =	]

(Tumbleweed Desktop Validator) Tumbleweed Desktop Validator [Win32_Own | Auto | Running] -> %ProgramFiles%\Tumbleweed\Desktop Validator\DVService.exe -> Tumbleweed Communications Inc. [Ver = 4.9.0 | Size = 65536 bytes | Modified Date = 11/11/2005 4:22:20 PM | Attr =	]



[Driver Services - Non-Microsoft Only]

(Cdr4_xp) Cdr4_xp [Kernel | System | Running] -> %SystemRoot%\System32\drivers\cdr4_xp.sys -> Roxio [Ver = 7.1.0.183  | Size = 44288 bytes | Modified Date = 9/25/2004 4:29:52 AM | Attr =	]

(Cdralw2k) Cdralw2k [Kernel | System | Running] -> %SystemRoot%\System32\drivers\cdralw2k.sys -> Roxio [Ver = 7.1.0.183  | Size = 24832 bytes | Modified Date = 9/25/2004 4:32:40 AM | Attr =	]

(cdudf_xp) cdudf_xp [File_System | System | Running] -> %SystemRoot%\System32\drivers\Cdudf_xp.sys -> Roxio [Ver = 7.1.0.183  | Size = 289792 bytes | Modified Date = 9/25/2004 4:39:08 AM | Attr =	]

(DNE) Deterministic Network Enhancer Miniport [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\dne2000.sys -> Deterministic Networks, Inc. [Ver = 3.11.3.12951 | Size = 110080 bytes | Modified Date = 8/18/2005 7:22:30 PM | Attr =	]

(dvd_2K) dvd_2K [Kernel | On_Demand | Stopped] -> %SystemRoot%\System32\drivers\dvd_2k.sys -> Roxio [Ver = 7.1.0.183  | Size = 23936 bytes | Modified Date = 9/25/2004 4:38:32 AM | Attr =	]

(FireHook) McAfee Desktop Firewall [Kernel | System | Running] -> %SystemRoot%\system32\drivers\FireHk5x.sys -> Networks Associates Technology, Inc. [Ver = 8.5 | Size = 26171 bytes | Modified Date = 4/12/2005 7:47:16 PM | Attr =	]

(firelm01) firelm01 [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\Firelm01.sys ->  [Ver =  | Size = 32855 bytes | Modified Date = 1/13/2006 10:14:58 AM | Attr =	]

(GEMPCC) Gemplus GemPC400 PCMCIA Smart Card Reader [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\gempcc.sys -> Gemplus [Ver = 2.1.4 | Size = 27320 bytes | Modified Date = 7/8/2002 5:58:50 PM | Attr =	]

(GPR400) GEMPLUS GPR400 PCMCIA Smart Card Reader [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\gpr400.sys -> Gemplus [Ver = 5.1.2600.0 (XPClient.010817-1148) | Size = 17408 bytes | Modified Date = 8/17/2001 1:51:06 PM | Attr =	]

(GTWModem) GTW Modem [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\GWMDM.sys -> GTW [Ver =  3.6.08 03/19/2003 12:36:45 | Size = 1136384 bytes | Modified Date = 3/19/2003 5:39:02 PM | Attr =	]

(mmc_2K) mmc_2K [Kernel | On_Demand | Running] -> %SystemRoot%\System32\drivers\mmc_2k.sys -> Roxio [Ver = 7.1.0.183  | Size = 23808 bytes | Modified Date = 9/25/2004 4:26:28 AM | Attr =	]

(NaiAvFilter1) NaiAvFilter1 [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\naiavf5x.sys -> McAfee Inc. [Ver = 11.0.0.114 | Size = 116864 bytes | Modified Date = 6/8/2006 8:00:00 PM | Attr =	]

(NaiAvTdi1) NaiAvTdi1 [Kernel | System | Running] -> %SystemRoot%\system32\drivers\mvstdi5x.sys -> Network Associates, Inc. [Ver = 8.0.0.301 | Size = 58464 bytes | Modified Date = 6/8/2006 8:00:00 PM | Attr =	]

(Novatel) Novatel Wireless Network Adapter [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\nwc201.sys -> Novatel Wireless, Inc. [Ver = 2.02.00.0000 | Size = 40064 bytes | Modified Date = 4/21/2004 10:26:14 AM | Attr =	]

(pwd_2k) pwd_2k [Kernel | System | Running] -> %SystemRoot%\System32\drivers\Pwd_2k.sys -> Roxio [Ver = 7.1.0.183  | Size = 117632 bytes | Modified Date = 9/25/2004 4:23:16 AM | Attr =	]

(SASDIFSV) SASDIFSV [Kernel | System | Running] -> %ProgramFiles%\SUPERAntiSpyware\sasdifsv.sys -> SUPERAdBlocker.com and SUPERAntiSpyware.com [Ver = 1, 0, 0, 1010 | Size = 8944 bytes | Modified Date = 9/3/2008 2:07:14 PM | Attr =	]

(SASENUM) SASENUM [Kernel | On_Demand | Running] -> %ProgramFiles%\SUPERAntiSpyware\SASENUM.SYS ->  SUPERAdBlocker.com and SUPERAntiSpyware.com [Ver = 1, 0, 0, 1004 | Size = 7408 bytes | Modified Date = 9/3/2008 2:07:16 PM | Attr = R  ]

(SASKUTIL) SASKUTIL [Kernel | System | Running] -> %ProgramFiles%\SUPERAntiSpyware\SASKUTIL.SYS -> SUPERAdBlocker.com and SUPERAntiSpyware.com [Ver = 1, 0, 0, 1062 | Size = 55024 bytes | Modified Date = 9/3/2008 2:07:12 PM | Attr =	]

(SocketQuadSerial) Novatel Wireless CDMA 1.9GHz Modem driver [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\nvtlg2k.sys -> Socket Communications, Inc.  [Ver = 1, 0, 3, 7 | Size = 48556 bytes | Modified Date = 3/23/2004 11:26:00 AM | Attr =	]

(SprintPort) SprintPort Serial Driver [Kernel | Auto | Running] -> %ProgramFiles%\Novatel Wireless\SprintPort\winport.sys -> 3Com [Ver = 8, 0, 1, 3 | Size = 27040 bytes | Modified Date = 5/7/2002 3:35:08 PM | Attr =	]

(UDFReadr) UDFReadr [File_System | System | Running] -> %SystemRoot%\System32\drivers\Udfreadr.sys -> Roxio [Ver = 7.1.0.183  | Size = 200832 bytes | Modified Date = 9/25/2004 4:26:40 AM | Attr =	]

(vsdatant) vsdatant [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\vsdatant.sys -> Zone Labs LLC [Ver = 5.5.062.011 | Size = 280344 bytes | Modified Date = 1/26/2005 6:22:20 AM | Attr =	]

(Winin48) Winin48 [Kernel | Boot | Stopped] -> %SystemRoot%\System32\Drivers\Winin48.sys -> File not found

(EntDrv51) EntDrv51 [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\EntDrv51.sys -> Network Associates, Inc [Ver = 8.0.0.448 | Size = 8448 bytes | Modified Date = 6/8/2006 8:00:00 PM | Attr =	]



[Registry - Non-Microsoft Only]

< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 

 ->  [] -> File not found

acEventServ -> %ProgramFiles%\ActivCard\ActivCard Gold\acevtsrv.exe ["C:\Program Files\ActivCard\ActivCard Gold\acevtsrv.exe"] -> ActivCard [Ver = 1, 0, 53, 0 | Size = 28672 bytes | Modified Date = 7/1/2003 8:42:24 AM | Attr =	]

Acrobat Assistant 7.0 -> %ProgramFiles%\Adobe\Distillr\AcroTray.exe ["C:\Program Files\Adobe\Distillr\Acrotray.exe"] -> Adobe Systems Inc. [Ver = 7.0.7.2006011200 | Size = 483328 bytes | Modified Date = 1/12/2006 9:52:32 PM | Attr =	]

EPA_EZ_GPO_Tool -> %SystemRoot%\system32\EZ_GPO_Tool.exe [C:\WINDOWS\system32\EZ_GPO_Tool.exe] -> Environmental Protection Agency [Ver = 2.0.694 | Size = 69632 bytes | Modified Date = 1/21/2005 3:09:00 PM | Attr =	]

gemstrmw -> %SystemRoot%\system32\gemstrmw.exe [C:\WINDOWS\system32\gemstrmw.exe /r] -> Gemplus [Ver = 3, 0, 11, 0 | Size = 24576 bytes | Modified Date = 8/30/2003 12:35:24 AM | Attr =	]

GWMDMMSG -> %SystemRoot%\GWMDMMSG.exe [GWMDMMSG.exe] -> GTW [Ver =  3.6.08 03/17/2003 15:19:57 | Size = 126976 bytes | Modified Date = 3/19/2003 5:39:00 PM | Attr =	]

IntelWireless -> %ProgramFiles%\Intel\Wireless\Bin\iFrmewrk.exe ["C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless] -> Intel Corporation [Ver = 11. 5. 0. 1 | Size = 1101824 bytes | Modified Date = 11/1/2007 2:47:08 PM | Attr =	]

IntelZeroConfig -> %ProgramFiles%\Intel\Wireless\Bin\ZCfgSvc.exe ["C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"] -> Intel Corporation [Ver = 11. 5. 0. 1 | Size = 995328 bytes | Modified Date = 11/1/2007 2:51:34 PM | Attr =	]

Malwarebytes Anti-Malware (reboot) -> %ProgramFiles%\Malwarebytes' Anti-Malware\mbam.exe ["C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript] -> Malwarebytes Corporation [Ver = 1.28 | Size = 1253040 bytes | Modified Date = 9/10/2008 12:07:16 AM | Attr =	]

McAfeeFireTray -> %ProgramFiles%\Network Associates\McAfee Desktop Firewall for Windows XP\FireTray.exe [C:\PROGRA~1\NETWOR~1\MCAFEE~1\Firetray.exe] -> McAfee, Inc. [Ver = 8.5 | Size = 655427 bytes | Modified Date = 1/13/2006 10:08:26 AM | Attr =	]

McAfeeUpdaterUI -> %ProgramFiles%\Network Associates\Common Framework\UpdaterUI.exe ["C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey] -> McAfee, Inc. [Ver = 3.5.5.438 | Size = 131072 bytes | Modified Date = 12/7/2005 3:55:00 AM | Attr =	]

NBKeyScan -> %ProgramFiles%\Nero\Nero8\Nero BackItUp\NBKeyScan.exe ["C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"] -> File not found

Network Associates Error Reporting Service -> %CommonProgramFiles%\Network Associates\TalkBack\TBMon.exe ["C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"] -> Network Associates, Inc. [Ver = 2.0.275.0 | Size = 147514 bytes | Modified Date = 10/7/2003 9:48:56 AM | Attr =	]

PrintServer Diagnostic -> %ProgramFiles%\Print Server\PTP\PSDiagnostic.exe [C:\Program Files\Print Server\PTP\PSDiagnostic.exe] ->  [Ver = 2, 0, 7, 0 | Size = 266240 bytes | Modified Date = 11/24/2004 5:09:40 PM | Attr =	]

QuickTime Task -> %ProgramFiles%\QuickTime\qttask.exe ["C:\Program Files\QuickTime\qttask.exe" -atboottime] -> Apple Computer, Inc. [Ver = 7.1.3 | Size = 282624 bytes | Modified Date = 10/25/2006 7:58:18 PM | Attr =	]

ShStatEXE -> %ProgramFiles%\Network Associates\VirusScan\shstat.exe ["C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE] -> Network Associates, Inc. [Ver = 8.0.0.912 | Size = 94208 bytes | Modified Date = 8/18/2004 8:00:00 AM | Attr =	]

SunJavaUpdateSched -> %ProgramFiles%\Java\jre1.6.0_07\bin\jusched.exe ["C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"] -> Sun Microsystems, Inc. [Ver = 6.0.70.6 | Size = 144784 bytes | Modified Date = 6/10/2008 4:27:04 AM | Attr =	]

vdrdpup -> %SystemRoot%\system32\vdrdpup.dll [C:\WINDOWS\system32\rundll32 C:\WINDOWS\system32\vdrdpup.dll,RegisterVirtualChannel] -> Emergent OnLine [Ver = 4.0.28 | Size = 94208 bytes | Modified Date = 11/2/2005 1:14:54 PM | Attr =	]

< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 

IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} -> %CommonProgramFiles%\Nero\Lib\NMIndexStoreSvr.exe ["C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020] -> File not found

PhotoShow Deluxe Media Manager -> %UserProfile%\Desktop\Canon\Comcast PhotoShow 4\data\Xtras\mssysmgr.exe [C:\DOCUME~1\rmm0922\Desktop\Canon\COMCAS~1\data\Xtras\mssysmgr.exe] -> Simple Star, Inc. [Ver = 4.0.0.0 | Size = 192512 bytes | Modified Date = 5/9/2005 7:16:15 PM | Attr =	]

SpybotSD TeaTimer -> %ProgramFiles%\Spybot - Search & Destroy\TeaTimer.exe [C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe] -> Safer Networking Limited [Ver = 1, 6, 2, 23 | Size = 1832272 bytes | Modified Date = 8/18/2008 6:41:00 PM | Attr =	]

SUPERAntiSpyware -> %ProgramFiles%\SUPERAntiSpyware\SUPERAntiSpyware.exe [C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe] -> SUPERAntiSpyware.com [Ver = 4, 21, 0, 1004 | Size = 1576176 bytes | Modified Date = 9/3/2008 2:07:12 PM | Attr =	]

< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup -> 

< rmm0922 Startup Folder > -> C:\Documents and Settings\rmm0922\Start Menu\Programs\Startup -> 

< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks -> 

{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\SUPERAntiSpyware\SASSEH.DLL [] -> SuperAdBlocker.com [Ver = 1, 0, 0, 1012 | Size = 77824 bytes | Modified Date = 5/13/2008 10:13:36 AM | Attr =	]

< SecurityProviders [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders -> 

< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 

*Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell -> 

Explorer.exe -> %SystemRoot%\explorer.exe -> Microsoft Corporation [Ver = 6.00.2900.5512 (xpsp.080413-2105) | Size = 1033728 bytes | Modified Date = 4/13/2008 8:12:19 PM | Attr =	]

*MultiFile Done* -> -> 

*UserInit* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit -> 

C:\WINDOWS\system32\userinit.exe -> %SystemRoot%\system32\userinit.exe -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2113) | Size = 26112 bytes | Modified Date = 4/13/2008 8:12:38 PM | Attr =	]

*MultiFile Done* -> -> 

*UIHost* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UIHost -> 

logonui.exe -> %SystemRoot%\system32\logonui.exe -> Microsoft Corporation [Ver = 6.00.2900.5512 (xpsp.080413-2105) | Size = 514560 bytes | Modified Date = 4/13/2008 8:12:24 PM | Attr =	]

*MultiFile Done* -> -> 

*VMApplet* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet -> 

rundll32 shell32 -> %SystemRoot%\system32\shell32.dll -> Microsoft Corporation [Ver = 6.00.2900.5512 (xpsp.080413-2105) | Size = 8461312 bytes | Modified Date = 4/13/2008 8:12:05 PM | Attr =	]

Control_RunDLL "sysdm.cpl" -> %SystemRoot%\system32\sysdm.cpl -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2105) | Size = 300544 bytes | Modified Date = 4/13/2008 8:12:41 PM | Attr =	]

*MultiFile Done* -> -> 

< Winlogon settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 

< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ -> 

acAuth -> %SystemRoot%\system32\acauth.dll -> ActivCard [Ver = 1, 0, 34, 0 | Size = 65536 bytes | Modified Date = 12/17/2002 12:11:44 PM | Attr =	]

AtiExtEvent -> %SystemRoot%\system32\ati2evxx.dll -> ATI Technologies Inc. [Ver = 6.14.10.4118 | Size = 46080 bytes | Modified Date = 8/9/2005 8:30:44 PM | Attr =	]

< CurrentVersion Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 255 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoWelcomeScreen -> 1 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> ->

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\dontdisplaylastusername -> 1 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableCAD -> 0 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\LegalNoticeText -> [String data over 1000 bytes] -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\LegalNoticeCaption -> WARNING			  --HQC NOTICE--			  WARNING -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\ShutdownWithoutLogon -> 0 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\Undockwithoutlogon -> 0 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\LogonType -> 0 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\RunStartupScriptSync -> 0 -> 

< CurrentVersion Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 0 -> 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\ForceStartMenuLogOff -> 1 -> 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\ForceClassicControlPanel -> 1 -> 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoManageMyComputerVerb -> 1 -> 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\EnforceShellExtensionSecurity -> 1 -> 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoHardwareTab -> 1 -> 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoRunasInstallPrompt -> 1 -> 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\MemCheckBoxInRunDlg -> 1 -> 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\GreyMSIAds -> 1 -> 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\DisablePersonalDirChange -> 1 -> 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoAutoUpdate -> 1 -> 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> ->

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableRegistryTools -> 0 -> 

< CDROM Autorun Setting > [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom] -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\ -> ->

*DependOnGroup* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\DependOnGroup -> 

SCSI miniport ->  -> File not found

*MultiFile Done* -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\ErrorControl -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Group -> SCSI CDROM Class -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Start -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Tag -> 2 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Type -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\DisplayName -> CD-ROM Driver -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\ImagePath -> %SystemRoot%\system32\drivers\cdrom.sys [system32\DRIVERS\cdrom.sys] -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2108) | Size = 62976 bytes | Modified Date = 4/13/2008 2:40:46 PM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\AutoRun -> 1 -> 

*AutoRunAlwaysDisable* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\AutoRunAlwaysDisable -> 

NEC	 MBR-7	->  -> File not found

NEC	 MBR-7.4  ->  -> File not found

PIONEER CHANGR DRM-1804X ->  -> File not found

PIONEER CD-ROM DRM-6324X ->  -> File not found

PIONEER CD-ROM DRM-624X  ->  -> File not found

TORiSAN CD-ROM CDR_C36 ->  -> File not found

*MultiFile Done* -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum\ -> -> 

< Drives with AutoRun files > ->  -> 

AUTOEXEC.BAT [] -> %SystemDrive%\AUTOEXEC.BAT [ NTFS ] ->  [Ver =  | Size = 0 bytes | Modified Date = 11/29/2005 4:54:51 PM | Attr =	]

< HOSTS File > (734 bytes and 19 lines) -> C:\WINDOWS\System32\drivers\etc\Hosts -> 

127.0.0.1	   localhost

< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> -> 

HKEY_LOCAL_MACHINE\: Main\\Default_Page_URL -> http://go.microsoft.com/fwlink/?LinkId=69157 -> 

HKEY_LOCAL_MACHINE\: Main\\Default_Search_URL -> http://go.microsoft.com/fwlink/?LinkId=54896 -> 

HKEY_LOCAL_MACHINE\: Main\\Local Page -> %SystemRoot%\system32\blank.htm -> 

HKEY_LOCAL_MACHINE\: Main\\Search Page -> http://go.microsoft.com/fwlink/?LinkId=54896 -> 

HKEY_LOCAL_MACHINE\: Main\\Start Page -> http://go.microsoft.com/fwlink/?LinkId=69157 -> 

HKEY_LOCAL_MACHINE\: Search\\CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm -> 

HKEY_LOCAL_MACHINE\: Search\\SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm -> 

< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> -> 

HKEY_CURRENT_USER\: Main\\Local Page -> C:\WINDOWS\system32\blank.htm -> 

HKEY_CURRENT_USER\: Main\\Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 

HKEY_CURRENT_USER\: Main\\Start Page -> http://www.msn.com/ -> 

HKEY_CURRENT_USER\: ProxyEnable -> 0 -> 

HKEY_CURRENT_USER\: ProxyOverride -> dla1.dla.mil;dlaeis.dscr.dla.mil;today.dla.mil;*.bsm.dla.mil;dla1.eportal.dla.mil;*.eportal.use4.ad.dla.mil;*.dnsc.dla.mil;cols7.hroc.dla.mil;webapp2.use.ad.dla.mil;*.hq.dla.mil;denes-w001.usw.ad.dla.mil;do.use.ad.dla.mil;<local> -> 

< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 4 domain(s) found. -> 

ddrs-afs-ora.ogden_disa.mil [https] -> Trusted sites -> 

*.bsm_dla.mil [*] -> Trusted sites -> 

cols7.hr_dla.mil [https] -> Trusted sites -> 

cols7.hroc_dla.mil [https] -> Trusted sites -> 

db01.bsm_dla.mil [https] -> Trusted sites -> 

dcrpt.hq_dla.mil [http] -> Local intranet -> 

dcrpt.hq_dla.mil [https] -> Trusted sites -> 

dcrpt-training.hq_dla.mil [http] -> Local intranet -> 

dcrpt-training.hq_dla.mil [https] -> Trusted sites -> 

denes-w001.usw.ad_dla.mil [https] -> Trusted sites -> 

dla1_dla.mil [https] -> Trusted sites -> 

dla1.eportal_dla.mil [https] -> Trusted sites -> 

dlacms.eportal_dla.mil [https] -> Trusted sites -> 

ewp-ads.eportal_dla.mil [https] -> Trusted sites -> 

opal.ddc_dla.mil [https] -> Trusted sites -> 

paaq.bsm_dla.mil [https] -> Trusted sites -> 

pb01.bsm_dla.mil [https] -> Trusted sites -> 

pbr2.bsm_dla.mil [https] -> Trusted sites -> 

pcbw.bsm_dla.mil [http] -> Trusted sites -> 

pcbw.bsm_dla.mil [https] -> Trusted sites -> 

pep1.bsm_dla.mil [https] -> Trusted sites -> 

pf02.bsm_dla.mil [https] -> Trusted sites -> 

pir1.bsm_dla.mil [https] -> Trusted sites -> 

pir2.bsm_dla.mil [https] -> Trusted sites -> 

piw1.bsm_dla.mil [https] -> Trusted sites -> 

pm02.bsm_dla.mil [https] -> Trusted sites -> 

pmov.bsm_dla.mil [https] -> Trusted sites -> 

polh.bsm_dla.mil [https] -> Trusted sites -> 

prar.bsm_dla.mil [https] -> Trusted sites -> 

tc1crm.bsm_dla.mil [https] -> Trusted sites -> 

tc1i.bsm_dla.mil [https] -> Trusted sites -> 

tc2crm.bsm_dla.mil [https] -> Trusted sites -> 

tc2i.bsm_dla.mil [https] -> Trusted sites -> 

tr11.bsm_dla.mil [https] -> Trusted sites -> 

tre1.bsm_dla.mil [https] -> Trusted sites -> 

www.powertrack_usbank.com [https] -> Trusted sites -> 

4 domain(s) and sub-domain(s) not assigned to a zone.

< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 

< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 3 domain(s) found. -> 

ddrs-afs-ora.ogden_disa.mil [https] -> Trusted sites -> 

*.bsm_dla.mil [*] -> Trusted sites -> 

cols7.hr_dla.mil [https] -> Trusted sites -> 

cols7.hroc_dla.mil [https] -> Trusted sites -> 

db01.bsm_dla.mil [https] -> Trusted sites -> 

dcrpt.hq_dla.mil [http] -> Local intranet -> 

dcrpt.hq_dla.mil [https] -> Trusted sites -> 

dcrpt-training.hq_dla.mil [http] -> Local intranet -> 

dcrpt-training.hq_dla.mil [https] -> Trusted sites -> 

denes-w001.usw.ad_dla.mil [https] -> Trusted sites -> 

dla1_dla.mil [https] -> Trusted sites -> 

dla1.eportal_dla.mil [https] -> Trusted sites -> 

dlacms.eportal_dla.mil [https] -> Trusted sites -> 

ewp-ads.eportal_dla.mil [https] -> Trusted sites -> 

opal.ddc_dla.mil [https] -> Trusted sites -> 

paaq.bsm_dla.mil [https] -> Trusted sites -> 

pb01.bsm_dla.mil [https] -> Trusted sites -> 

pbr2.bsm_dla.mil [https] -> Trusted sites -> 

pcbw.bsm_dla.mil [http] -> Trusted sites -> 

pcbw.bsm_dla.mil [https] -> Trusted sites -> 

pep1.bsm_dla.mil [https] -> Trusted sites -> 

pf02.bsm_dla.mil [https] -> Trusted sites -> 

pir1.bsm_dla.mil [https] -> Trusted sites -> 

pir2.bsm_dla.mil [https] -> Trusted sites -> 

piw1.bsm_dla.mil [https] -> Trusted sites -> 

pm02.bsm_dla.mil [https] -> Trusted sites -> 

pmov.bsm_dla.mil [https] -> Trusted sites -> 

polh.bsm_dla.mil [https] -> Trusted sites -> 

prar.bsm_dla.mil [https] -> Trusted sites -> 

tc1crm.bsm_dla.mil [https] -> Trusted sites -> 

tc1i.bsm_dla.mil [https] -> Trusted sites -> 

tc2crm.bsm_dla.mil [https] -> Trusted sites -> 

tc2i.bsm_dla.mil [https] -> Trusted sites -> 

tr11.bsm_dla.mil [https] -> Trusted sites -> 

tre1.bsm_dla.mil [https] -> Trusted sites -> 

www.powertrack_usbank.com [https] -> Trusted sites -> 

3 domain(s) and sub-domain(s) not assigned to a zone.

< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 

< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ -> 

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Adobe\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> Adobe Systems Incorporated [Ver = 7.0.7.2006011200 | Size = 63128 bytes | Modified Date = 1/12/2006 9:38:22 PM | Attr =	]

{53707962-6F74-2D53-2644-206D7942484F} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Spybot-S&D IE Protection] -> Safer Networking Limited [Ver = 1, 6, 0, 12 | Size = 1562448 bytes | Modified Date = 8/14/2008 1:39:52 PM | Attr =	]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Java\jre1.6.0_07\bin\ssv.dll [SSVHelper Class] -> Sun Microsystems, Inc. [Ver = 6.0.70.6 | Size = 509328 bytes | Modified Date = 6/10/2008 4:27:02 AM | Attr =	]

{AE7CD045-E861-484f-8273-0445EE161910} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Adobe\Acrobat\AcroIEFavClient.dll [Adobe PDF Conversion Toolbar Helper] -> Adobe Systems Incorporated [Ver = 7.0.5.2005092300 | Size = 231160 bytes | Modified Date = 9/24/2005 1:41:42 AM | Attr =	]

< Internet Explorer Bars [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ -> 

{182EC0BE-5110-49C8-A062-BEB1D02A220B} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Adobe\Acrobat\AcroIEFavClient.dll [Adobe PDF] -> Adobe Systems Incorporated [Ver = 7.0.5.2005092300 | Size = 231160 bytes | Modified Date = 9/24/2005 1:41:42 AM | Attr =	]

< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar -> 

{327C2873-E90D-4c37-AA9D-10AC9BABA46C} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Canon\Easy-WebPrint\Toolband.dll [Easy-WebPrint] ->  [Ver = 2, 0, 0, 15 | Size = 360448 bytes | Modified Date = 4/28/2003 9:37:16 AM | Attr =	]

{47833539-D0C5-4125-9FA8-0819E2EAAC93} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Adobe\Acrobat\AcroIEFavClient.dll [Adobe PDF] -> Adobe Systems Incorporated [Ver = 7.0.5.2005092300 | Size = 231160 bytes | Modified Date = 9/24/2005 1:41:42 AM | Attr =	]

< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ -> 

ShellBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Adobe\Acrobat\AcroIEFavClient.dll [Adobe PDF] -> Adobe Systems Incorporated [Ver = 7.0.5.2005092300 | Size = 231160 bytes | Modified Date = 9/24/2005 1:41:42 AM | Attr =	]

WebBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Adobe\Acrobat\AcroIEFavClient.dll [Adobe PDF] -> Adobe Systems Incorporated [Ver = 7.0.5.2005092300 | Size = 231160 bytes | Modified Date = 9/24/2005 1:41:42 AM | Attr =	]

< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ -> 

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Java\jre1.6.0_07\bin\npjpi160_07.dll [Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.70.6 | Size = 132496 bytes | Modified Date = 6/10/2008 4:27:02 AM | Attr =	]

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} [HKEY_CURRENT_USER] -> %ProgramFiles%\Java\jre1.6.0_07\bin\ssv.dll [Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.70.6 | Size = 509328 bytes | Modified Date = 6/10/2008 4:27:02 AM | Attr =	]

{0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8}: [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [ieSpell] -> File not found

{1606D6F9-9D3B-4aea-A025-ED5B2FD488E7}: [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [ieSpell Options] -> File not found

{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}:{53707962-6F74-2D53-2644-206D7942484F} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Spybot - Search && Destroy Configuration] -> Safer Networking Limited [Ver = 1, 6, 0, 12 | Size = 1562448 bytes | Modified Date = 8/14/2008 1:39:52 PM | Attr =	]

< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\ -> 

CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Java\jre1.6.0_07\bin\npjpi160_07.dll [Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.70.6 | Size = 132496 bytes | Modified Date = 6/10/2008 4:27:02 AM | Attr =	]

< Internet Explorer Menu Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ -> 

&ieSpell Options -> %ProgramFiles%\ieSpell\ieSpell.dll -> Red Egg Software [Ver = 2, 5, 1, 106 | Size = 262144 bytes | Modified Date = 10/31/2006 10:07:16 AM | Attr =	]

Check &Spelling -> %ProgramFiles%\ieSpell\ieSpell.dll -> Red Egg Software [Ver = 2, 5, 1, 106 | Size = 262144 bytes | Modified Date = 10/31/2006 10:07:16 AM | Attr =	]

Convert link target to Adobe PDF -> %ProgramFiles%\Adobe\Acrobat\AcroIEFavClient.dll -> Adobe Systems Incorporated [Ver = 7.0.5.2005092300 | Size = 231160 bytes | Modified Date = 9/24/2005 1:41:42 AM | Attr =	]

Convert link target to existing PDF -> %ProgramFiles%\Adobe\Acrobat\AcroIEFavClient.dll -> Adobe Systems Incorporated [Ver = 7.0.5.2005092300 | Size = 231160 bytes | Modified Date = 9/24/2005 1:41:42 AM | Attr =	]

Convert selected links to Adobe PDF -> %ProgramFiles%\Adobe\Acrobat\AcroIEFavClient.dll -> Adobe Systems Incorporated [Ver = 7.0.5.2005092300 | Size = 231160 bytes | Modified Date = 9/24/2005 1:41:42 AM | Attr =	]

Convert selected links to existing PDF -> %ProgramFiles%\Adobe\Acrobat\AcroIEFavClient.dll -> Adobe Systems Incorporated [Ver = 7.0.5.2005092300 | Size = 231160 bytes | Modified Date = 9/24/2005 1:41:42 AM | Attr =	]

Convert selection to Adobe PDF -> %ProgramFiles%\Adobe\Acrobat\AcroIEFavClient.dll -> Adobe Systems Incorporated [Ver = 7.0.5.2005092300 | Size = 231160 bytes | Modified Date = 9/24/2005 1:41:42 AM | Attr =	]

Convert selection to existing PDF -> %ProgramFiles%\Adobe\Acrobat\AcroIEFavClient.dll -> Adobe Systems Incorporated [Ver = 7.0.5.2005092300 | Size = 231160 bytes | Modified Date = 9/24/2005 1:41:42 AM | Attr =	]

Convert to Adobe PDF -> %ProgramFiles%\Adobe\Acrobat\AcroIEFavClient.dll -> Adobe Systems Incorporated [Ver = 7.0.5.2005092300 | Size = 231160 bytes | Modified Date = 9/24/2005 1:41:42 AM | Attr =	]

Convert to existing PDF -> %ProgramFiles%\Adobe\Acrobat\AcroIEFavClient.dll -> Adobe Systems Incorporated [Ver = 7.0.5.2005092300 | Size = 231160 bytes | Modified Date = 9/24/2005 1:41:42 AM | Attr =	]

Easy-WebPrint Add To Print List -> %ProgramFiles%\Canon\Easy-WebPrint\Resource.dll ->  [Ver = 2, 0, 0, 15 | Size = 98304 bytes | Modified Date = 4/28/2003 9:36:18 AM | Attr =	]

Easy-WebPrint High Speed Print -> %ProgramFiles%\Canon\Easy-WebPrint\Resource.dll ->  [Ver = 2, 0, 0, 15 | Size = 98304 bytes | Modified Date = 4/28/2003 9:36:18 AM | Attr =	]

Easy-WebPrint Preview -> %ProgramFiles%\Canon\Easy-WebPrint\Resource.dll ->  [Ver = 2, 0, 0, 15 | Size = 98304 bytes | Modified Date = 4/28/2003 9:36:18 AM | Attr =	]

Easy-WebPrint Print -> %ProgramFiles%\Canon\Easy-WebPrint\Resource.dll ->  [Ver = 2, 0, 0, 15 | Size = 98304 bytes | Modified Date = 4/28/2003 9:36:18 AM | Attr =	]

Lookup on Merriam Webster ->  -> File not found

Lookup on Wikipedia ->  -> File not found

< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ -> 

PluginsPageFriendlyName -> Microsoft ActiveX Gallery -> 

PluginsPage -> http://activex.microsoft.com/controls/find.asp?ext=%s&mime=%s -> 

< DNS Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ -> 

{619F56F2-CB15-4172-B8CC-79E960BC0787} ->	(1394 Net Adapter) -> 

{6E6476B5-0DB5-4660-9011-D31CFC21B11F} ->	(Intel(R) PRO/1000 MT Network Connection) -> 

{B62C3E49-7F04-4321-9F90-410E55BEA6A0} ->	() -> 

{D87EC972-8FBF-4291-995D-D404EE41E66F} ->	(Intel(R) PRO/Wireless 2200BG Network Connection) -> 

{ED45E77B-D99B-460A-8AED-625C1862B731} ->	(Novatel Wireless Network Adapter) -> 

< Protocol Handlers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ -> 

ipp: [HKEY_LOCAL_MACHINE] -> No CLSID value

msdaipp: [HKEY_LOCAL_MACHINE] -> No CLSID value

< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ -> 

{00000161-9980-0010-8000-00AA00389B71}[HKEY_LOCAL_MACHINE] -> http://codecs.microsoft.com/codecs/i386/msaud.cab[Reg Error: Key does not exist or could not be opened.] -> 

{01012101-5E80-11D8-9E86-0007E96C65AE}[HKEY_LOCAL_MACHINE] -> http://www.comcastsupport.com/sdcxuser/asp/tgctlsr.cab[SupportSoft Script Runner Class] -> 

{05D44720-58E3-49E6-BDF6-D00330E511D3}[HKEY_LOCAL_MACHINE] -> http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab[StagingUI Object] -> 

{33564D57-9980-0010-8000-00AA00389B71}[HKEY_LOCAL_MACHINE] -> http://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab[Reg Error: Key does not exist or could not be opened.] -> 

{3BB54395-5982-4788-8AF4-B5388FFDD0D8}[HKEY_LOCAL_MACHINE] -> http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab[MSN Games – Buddy Invite] -> 

{5736C456-EA94-4AAC-BB08-917ABDD035B3}[HKEY_LOCAL_MACHINE] -> http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab[ZonePAChat Object] -> 

{5ED80217-570B-4DA9-BF44-BE107C0EC166}[HKEY_LOCAL_MACHINE] -> http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab[Windows Live Safety Center Base Module] -> 

{7E980B9B-8AE5-466A-B6D6-DA8CF814E78A}[HKEY_LOCAL_MACHINE] -> http://zone.msn.com/bingame/amun/default/mjolauncher.cab[MJLauncherCtrl Class] -> 

{7FC1B346-83E6-4774-8D20-1A6B09B0E737}[HKEY_LOCAL_MACHINE] -> http://cid-d643f50ebd49e8b1.spaces.live.com/PhotoUpload/MsnPUpld.cab[Windows Live Photo Upload Control] -> 

{8AD9C840-044E-11D1-B3E9-00805F499D93}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab[Java Plug-in 1.6.0_07] -> 

{9A57B18E-2F5D-11D5-8997-00104BD12D94}[HKEY_LOCAL_MACHINE] -> http://support.gateway.com/support/serialharvest/gwCID.CAB[compid Class] -> 

{A4110378-789B-455F-AE86-3A1BFC402853}[HKEY_LOCAL_MACHINE] -> http://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab[ZPA_SHVL Object] -> 

{B8BE5E93-A60C-4D26-A2DC-220313175592}[HKEY_LOCAL_MACHINE] -> http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab[MSN Games - Installer] -> 

{BCBC9371-595D-11D4-A96D-00105A1CEF6C}[HKEY_LOCAL_MACHINE] -> http://kohler1.view22.com/app/view22RTE.cab[View22RTE Class] -> 

{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.] -> 

{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.] -> 

{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.] -> 

{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.] -> 

{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.] -> 

{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab[Java Plug-in 1.6.0_07] -> 

{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab[Java Plug-in 1.6.0_07] -> 

{D0C0F75C-683A-4390-A791-1ACFD5599AB8}[HKEY_LOCAL_MACHINE] -> http://chill.comcast.net/Gameshell/GameHost/1.0/OberonGameHost.cab[Oberon Flash Game Host] -> 

{DA2AA6CF-5C7A-4B71-BC3B-C771BB369937}[HKEY_LOCAL_MACHINE] -> http://zone.msn.com/binframework/v10/StProxy.cab55579.cab[MSN Games – Game Communicator] -> 

< Module Usage Keys [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\ -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\ -> ->

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/gwCID.dll\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/gwCID.dll\\.Owner -> {9A57B18E-2F5D-11D5-8997-00104BD12D94} -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/gwCID.dll\\{9A57B18E-2F5D-11D5-8997-00104BD12D94} ->  -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/mjolauncher.dll\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/mjolauncher.dll\\.Owner -> {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/mjolauncher.dll\\{7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} ->  -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MsnPUpld.dll\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MsnPUpld.dll\\.Owner -> {7FC1B346-83E6-4774-8D20-1A6B09B0E737} -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MsnPUpld.dll\\{7FC1B346-83E6-4774-8D20-1A6B09B0E737} ->  -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/OberonGameHost.dll\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/OberonGameHost.dll\\.Owner -> {D0C0F75C-683A-4390-A791-1ACFD5599AB8} -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/OberonGameHost.dll\\{D0C0F75C-683A-4390-A791-1ACFD5599AB8} ->  -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/PURen-us.dll\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/PURen-us.dll\\.Owner -> {7FC1B346-83E6-4774-8D20-1A6B09B0E737} -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/PURen-us.dll\\{7FC1B346-83E6-4774-8D20-1A6B09B0E737} ->  -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/StagingUI.ocx\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/StagingUI.ocx\\.Owner -> {05D44720-58E3-49E6-BDF6-D00330E511D3} -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/StagingUI.ocx\\{05D44720-58E3-49E6-BDF6-D00330E511D3} ->  -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/StProxy.dll\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/StProxy.dll\\.Owner -> {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/StProxy.dll\\{DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} ->  -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/tgctlsr.dll\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/tgctlsr.dll\\.Owner -> {01012101-5E80-11D8-9E86-0007E96C65AE} -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/tgctlsr.dll\\{01012101-5E80-11D8-9E86-0007E96C65AE} ->  -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/View22RTE.dll\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/View22RTE.dll\\.Owner -> {BCBC9371-595D-11D4-A96D-00105A1CEF6C} -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/View22RTE.dll\\{BCBC9371-595D-11D4-A96D-00105A1CEF6C} ->  -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/wlscBase.dll\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/wlscBase.dll\\.Owner -> {5ED80217-570B-4DA9-BF44-BE107C0EC166} -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/wlscBase.dll\\{5ED80217-570B-4DA9-BF44-BE107C0EC166} ->  -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ZBuddy.ocx\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ZBuddy.ocx\\.Owner -> {3BB54395-5982-4788-8AF4-B5388FFDD0D8} -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ZBuddy.ocx\\{3BB54395-5982-4788-8AF4-B5388FFDD0D8} ->  -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ZIntro.ocx\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ZIntro.ocx\\.Owner -> {B8BE5E93-A60C-4D26-A2DC-220313175592} -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ZIntro.ocx\\{B8BE5E93-A60C-4D26-A2DC-220313175592} ->  -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ZPAChat.ocx\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ZPAChat.ocx\\.Owner -> {5736C456-EA94-4AAC-BB08-917ABDD035B3} -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ZPAChat.ocx\\{5736C456-EA94-4AAC-BB08-917ABDD035B3} ->  -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/zpa_shvl.ocx\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/zpa_shvl.ocx\\.Owner -> {A4110378-789B-455F-AE86-3A1BFC402853} -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/zpa_shvl.ocx\\{A4110378-789B-455F-AE86-3A1BFC402853} ->  -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/atl.dll\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/atl.dll\\.Owner -> Unknown Owner -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/atl.dll\\{BCBC9371-595D-11D4-A96D-00105A1CEF6C} ->  -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/biosid.exe\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/biosid.exe\\.Owner -> Unknown Owner -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/biosid.exe\\{9A57B18E-2F5D-11D5-8997-00104BD12D94} ->  -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/devil.dll\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/devil.dll\\.Owner -> {BCBC9371-595D-11D4-A96D-00105A1CEF6C} -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/devil.dll\\{BCBC9371-595D-11D4-A96D-00105A1CEF6C} ->  -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/DXFLib.dll\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/DXFLib.dll\\.Owner -> {BCBC9371-595D-11D4-A96D-00105A1CEF6C} -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/DXFLib.dll\\{BCBC9371-595D-11D4-A96D-00105A1CEF6C} ->  -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/LegitCheckControl.DLL\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/LegitCheckControl.DLL\\.Owner -> Unknown Owner -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/opcode.dll\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/opcode.dll\\.Owner -> {BCBC9371-595D-11D4-A96D-00105A1CEF6C} -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/opcode.dll\\{BCBC9371-595D-11D4-A96D-00105A1CEF6C} ->  -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/shfolder.dll\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/shfolder.dll\\.Owner -> Unknown Owner -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/shfolder.dll\\{BCBC9371-595D-11D4-A96D-00105A1CEF6C} ->  -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/wuweb.dll\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/wuweb.dll\\.Owner -> Unknown Owner -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/WinSxS/x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82/GdiPlus.dll\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/WinSxS/x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82/GdiPlus.dll\\.Owner -> Unknown Owner -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/WinSxS/x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82/GdiPlus.dll\\{BCBC9371-595D-11D4-A96D-00105A1CEF6C} ->  -> 





[Registry - Additional Scans - Non-Microsoft Only]

< BotCheck > -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\ -> ->

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\\DefaultLaunchPermission -> [Binary data over 100 bytes] -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\\MachineLaunchRestriction -> [Binary data over 100 bytes] -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\\MachineAccessRestriction -> [Binary data over 100 bytes] -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\\EnableDCOM -> Y -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\\{A50398B8-9075-4FBF-A7A1-456BF21937AD} -> 1 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\\{AD65A69D-3831-40D7-9629-9B0B50A93843} -> 1 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\\{0040D221-54A1-11D1-9DE0-006097042D69} -> 1 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\\{2A6D72F1-6E7E-4702-B99C-E40D3DED33C3} -> 1 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\ -> ->

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\FirstRunDisabled -> 1 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\AntiVirusDisableNotify -> 1 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\FirewallDisableNotify -> 1 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\UpdatesDisableNotify -> 1 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\AntiVirusOverride -> 0 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\FirewallOverride -> 0 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall\ -> -> 

Reg Error: Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\ not found. -> -> 

Reg Error: Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\ not found. -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ -> ->

*Authentication Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages -> 

msv1_0 -> %SystemRoot%\system32\msv1_0.dll -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2113) | Size = 132608 bytes | Modified Date = 4/13/2008 8:12:00 PM | Attr =	]

nwprovau -> %SystemRoot%\system32\nwprovau.dll -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2113) | Size = 142336 bytes | Modified Date = 4/13/2008 8:12:02 PM | Attr =	]

*MultiFile Done* -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Bounds -> 0  [binary data] -> 

*Security Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Security Packages -> 

kerberos -> %SystemRoot%\system32\kerberos.dll -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2113) | Size = 299520 bytes | Modified Date = 4/13/2008 8:11:56 PM | Attr =	]

msv1_0 -> %SystemRoot%\system32\msv1_0.dll -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2113) | Size = 132608 bytes | Modified Date = 4/13/2008 8:12:00 PM | Attr =	]

schannel -> %SystemRoot%\system32\schannel.dll -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2113) | Size = 144384 bytes | Modified Date = 4/13/2008 8:12:05 PM | Attr =	]

wdigest -> %SystemRoot%\system32\wdigest.dll -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2113) | Size = 49152 bytes | Modified Date = 4/13/2008 8:12:08 PM | Attr =	]

*MultiFile Done* -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\ImpersonatePrivilegeUpgradeToolHasRun -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\LsaPid -> 1524 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\SecureBoot -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\auditbaseobjects -> 0 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\everyoneincludesanonymous -> 0 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\fipsalgorithmpolicy -> 0 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\forceguest -> 0 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\fullprivilegeauditing ->  [binary data] -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\limitblankpassworduse -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\lmcompatibilitylevel -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\nodefaultadminowner -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\restrictanonymoussam -> 1 -> 

*Notification Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Notification Packages -> 

scecli -> %SystemRoot%\system32\scecli.dll -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2113) | Size = 181248 bytes | Modified Date = 4/13/2008 8:12:05 PM | Attr =	]

*MultiFile Done* -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\CrashOnAuditFail ->  -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\RestrictAnonymous -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\DisableDomainCreds -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\NoLMHash -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\ -> -> 

*ProviderOrder* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\\ProviderOrder -> 

Windows NT Access Provider ->  -> File not found

*MultiFile Done* -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider\\ProviderPath -> %SystemRoot%\system32\ntmarta.dll [%SystemRoot%\system32\ntmarta.dll] -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2113) | Size = 118784 bytes | Modified Date = 4/13/2008 8:12:02 PM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data\\Pattern -> 40 5E 17 E2 75 73 8C 19 7C DA D0 C8 4A 5D 3E 6C 35 61 33 34 63 30 39 31 00 00 00 00 EC 8B 00 00 9C D1 1B 00 99 D0 BF 71 88 D1 1B 00 10 00 00 00 00 00 00 00 51 D6 E3 4B 5A 8F 34 DF 4E 01 20 5A  [binary data] -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG\\GrafBlumGroup -> 9C B8 B6 09 B3 D8 CC E8 15  [binary data] -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD\\Lookup -> 22 BD 97 08 21 EA  [binary data] -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\\MaxPacketSize -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\SidCache\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\\Auth132 -> %SystemRoot%\system32\iissuba.dll [IISSUBA] -> Microsoft Corporation [Ver = 6.0.2600.0 (xpclient.010817-1148) | Size = 9216 bytes | Modified Date = 8/4/2004 8:00:00 AM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\\ntlmminclientsec -> 0 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\\ntlmminserversec -> 0 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1\\SkewMatrix -> 17 6D 80 49 05 79 E8 28 5F 89 16 8F 5B 8A C4 08  [binary data] -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4\\SSOURL -> http://www.passport.com -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\\Time -> 00 91 02 AA C0 CD C8 01  [binary data] -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Name -> Digest -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Comment -> Digest SSPI Authentication Package -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Capabilities -> 16464 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\RpcId -> 65535 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Version -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\TokenSize -> 65535 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Time -> 00 54 CF 23 C4 9D C8 01  [binary data] -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Type -> 49 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Name -> DPA -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Comment -> DPA Security Package -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Capabilities -> 55 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\RpcId -> 17 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Version -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\TokenSize -> 768 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Time -> 00 DB 62 27 C4 9D C8 01  [binary data] -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Type -> 49 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Name -> MSN -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Comment -> MSN Security Package -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Capabilities -> 55 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\RpcId -> 18 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Version -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\TokenSize -> 768 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Time -> 00 08 94 28 C4 9D C8 01  [binary data] -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Type -> 49 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\ -> ->

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\DependOnGroup ->  -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\DependOnService -> Netman;WinMgmt; -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\Description -> Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network. -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\DisplayName -> Windows Firewall/Internet Connection Sharing (ICS) -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\ErrorControl -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\ImagePath -> %SystemRoot%\system32\svchost.exe [%SystemRoot%\system32\svchost.exe -k netsvcs] -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2111) | Size = 14336 bytes | Modified Date = 4/13/2008 8:12:36 PM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\ObjectName -> LocalSystem -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\Start -> 2 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\Type -> 32 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\\Epoch -> 7240 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\\ServiceDll -> %SystemRoot%\system32\ipnathlp.dll [%SystemRoot%\System32\ipnathlp.dll] -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-0852) | Size = 331264 bytes | Modified Date = 4/13/2008 8:11:55 PM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\%windir%\system32\sessmgr.exe -> %SystemRoot%\system32\sessmgr.exe [%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019] -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2111) | Size = 141312 bytes | Modified Date = 4/13/2008 8:12:34 PM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\%windir%\Network Diagnostic\xpnetdiag.exe -> %SystemRoot%\network diagnostic\xpnetdiag.exe [%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000] -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-0852) | Size = 558080 bytes | Modified Date = 4/13/2008 2:53:32 PM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\1900:UDP -> 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\2869:TCP -> 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\10280:UDP -> 10280:UDP:LocalSubNet:Enabled:Windows Media Connect -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\10281:UDP -> 10281:UDP:LocalSubNet:Enabled:Windows Media Connect -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\10282:UDP -> 10282:UDP:LocalSubNet:Enabled:Windows Media Connect -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\10283:UDP -> 10283:UDP:LocalSubNet:Enabled:Windows Media Connect -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\10284:UDP -> 10284:UDP:LocalSubNet:Enabled:Windows Media Connect -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\10243:TCP -> 10243:TCP:LocalSubNet:Enabled:Windows Media Connect -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\139:TCP -> 139:TCP:*:Enabled:@xpsp2res.dll,-22004 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\445:TCP -> 445:TCP:*:Enabled:@xpsp2res.dll,-22005 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\137:UDP -> 137:UDP:*:Enabled:@xpsp2res.dll,-22001 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\138:UDP -> 138:UDP:*:Enabled:@xpsp2res.dll,-22002 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\\EnableFirewall -> 0 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\\DoNotAllowExceptions -> 0 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\\DisableNotifications -> 0 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\%windir%\system32\sessmgr.exe -> %SystemRoot%\system32\sessmgr.exe [%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019] -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2111) | Size = 141312 bytes | Modified Date = 4/13/2008 8:12:34 PM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Network Associates\Common Framework\FrameworkService.exe -> %ProgramFiles%\Network Associates\Common Framework\FrameworkService.exe [C:\Program Files\Network Associates\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service] -> McAfee, Inc. [Ver = 3.5.5.438 | Size = 98304 bytes | Modified Date = 12/7/2005 3:55:00 AM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\%windir%\Network Diagnostic\xpnetdiag.exe -> %SystemRoot%\network diagnostic\xpnetdiag.exe [%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000] -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-0852) | Size = 558080 bytes | Modified Date = 4/13/2008 2:53:32 PM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\McAfeeFire.exe -> %ProgramFiles%\Network Associates\McAfee Desktop Firewall for Windows XP\McAfeeFire.exe [C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\McAfeeFire.exe:*:Enabled:McAfee Desktop Firewall] -> McAfee, Inc. [Ver = 8.5 | Size = 708677 bytes | Modified Date = 1/13/2006 10:03:36 AM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\1900:UDP -> 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\2869:TCP -> 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\10280:UDP -> 10280:UDP:LocalSubNet:Enabled:Windows Media Connect -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\10281:UDP -> 10281:UDP:LocalSubNet:Enabled:Windows Media Connect -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\10282:UDP -> 10282:UDP:LocalSubNet:Enabled:Windows Media Connect -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\10283:UDP -> 10283:UDP:LocalSubNet:Enabled:Windows Media Connect -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\10284:UDP -> 10284:UDP:LocalSubNet:Enabled:Windows Media Connect -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\10243:TCP -> 10243:TCP:LocalSubNet:Enabled:Windows Media Connect -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\139:TCP -> 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\445:TCP -> 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\137:UDP -> 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\138:UDP -> 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\\ServiceUpgrade -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\\0 -> Root\LEGACY_SHAREDACCESS\0000 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\\Count -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\\NextInstance -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\ -> ->

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Type -> 32 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Start -> 2 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ErrorControl -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ImagePath -> %SystemRoot%\system32\svchost.exe [%systemroot%\system32\svchost.exe -k netsvcs] -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2111) | Size = 14336 bytes | Modified Date = 4/13/2008 8:12:36 PM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\DisplayName -> Automatic Updates -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ObjectName -> LocalSystem -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Description -> Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site. -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters\\ServiceDll -> %SystemRoot%\system32\wuauserv.dll [C:\WINDOWS\system32\wuauserv.dll] -> Microsoft Corporation [Ver = 5.4.3790.5512 (xpsp.080413-0852) | Size = 6656 bytes | Modified Date = 4/13/2008 8:12:11 PM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Security\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Security\\Security -> [Binary data over 100 bytes] -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\0 -> Root\LEGACY_WUAUSERV\0000 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\Count -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\NextInstance -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\ -> ->

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\Description -> Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. If this service is disabled, any services that explicitly depend on it will fail to start. -> 

*DependOnService* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\DependOnService -> 

RPCSS -> %SystemRoot%\system32\rpcss.dll -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2108) | Size = 399360 bytes | Modified Date = 4/13/2008 8:12:04 PM | Attr =	]

*MultiFile Done* -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\DisplayName -> Remote Registry -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\ErrorControl -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\ImagePath -> %SystemRoot%\system32\svchost.exe [%SystemRoot%\system32\svchost.exe -k LocalService] -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2111) | Size = 14336 bytes | Modified Date = 4/13/2008 8:12:36 PM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\ObjectName -> NT AUTHORITY\LocalService -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\Group ->  -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\Start -> 2 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\Type -> 32 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\FailureActions -> 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 E0 AD 08 00 01 00 00 00 E8 03 00 00  [binary data] -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Parameters\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Parameters\\ServiceDll -> %SystemRoot%\system32\regsvc.dll [%SystemRoot%\system32\regsvc.dll] -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2111) | Size = 59904 bytes | Modified Date = 4/13/2008 8:12:04 PM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Security\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Security\\Security -> [Binary data over 100 bytes] -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Enum\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Enum\\0 -> Root\LEGACY_REMOTEREGISTRY\0000 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Enum\\Count -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Enum\\NextInstance -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\ -> ->

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\Type -> 16 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\Start -> 4 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\ErrorControl -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\ImagePath -> %SystemRoot%\system32\tlntsvr.exe [C:\WINDOWS\system32\tlntsvr.exe] -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-0852) | Size = 73216 bytes | Modified Date = 4/13/2008 8:12:38 PM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\DisplayName -> Telnet -> 

*DependOnService* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\DependOnService -> 

RPCSS -> %SystemRoot%\system32\rpcss.dll -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2108) | Size = 399360 bytes | Modified Date = 4/13/2008 8:12:04 PM | Attr =	]

TCPIP ->  -> File not found

NTLMSSP ->  -> File not found

*MultiFile Done* -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\DependOnGroup ->  -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\ObjectName -> LocalSystem -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\Description -> Enables a remote user to log on to this computer and run programs, and supports various TCP/IP Telnet clients, including UNIX-based and Windows-based computers. If this service is stopped, remote user access to programs might be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Security\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Security\\Security -> [Binary data over 100 bytes] -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Enum\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Enum\\0 -> Root\LEGACY_TLNTSVR\0000 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Enum\\Count -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Enum\\NextInstance -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings\ -> ->

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings\\ProxyEnable -> 0 -> 





[Files/Folders - Created Within 30 days]

hiberfil.sys -> %SystemDrive%\hiberfil.sys ->  [Ver =  | Size = 535875584 bytes | Created Date = 9/15/2008 10:24:10 PM | Attr =  HS]

rsit -> %SystemDrive%\rsit ->  [Folder | Created Date = 9/22/2008 9:29:39 AM | Attr =	]

VundoFix Backups -> %SystemDrive%\VundoFix Backups ->  [Folder | Created Date = 9/10/2008 9:15:54 PM | Attr =	]

bajrg.sys -> %SystemRoot%\System32\drivers\bajrg.sys ->  [Ver =  | Size = 61440 bytes | Created Date = 9/15/2008 11:02:20 PM | Attr =	]

744777172.dat -> %SystemRoot%\System32\744777172.dat ->  [Ver =  | Size = 32 bytes | Created Date = 9/6/2008 9:11:34 PM | Attr =   S]

QTFont.for -> %SystemRoot%\QTFont.for ->  [Ver =  | Size = 1409 bytes | Created Date = 8/31/2008 5:17:28 PM | Attr =	]

QTFont.qfn -> %SystemRoot%\QTFont.qfn ->  [Ver =  | Size = 54156 bytes | Created Date = 8/31/2008 5:17:28 PM | Attr =  H ]

wininit.ini -> %SystemRoot%\wininit.ini ->  [Ver =  | Size = 96 bytes | Created Date = 9/6/2008 10:56:15 PM | Attr =	]

[Files Created - Additional Folder Scans - Non-Microsoft Only]

Malwarebytes -> %AllUsersProfile%\Application Data\Malwarebytes ->  [Folder | Created Date = 9/14/2008 9:24:24 PM | Attr =	]

ovobsjaj -> %AllUsersProfile%\Application Data\ovobsjaj ->  [Folder | Created Date = 9/6/2008 9:11:34 PM | Attr =	]

SUPERAntiSpyware.com -> %AllUsersProfile%\Application Data\SUPERAntiSpyware.com ->  [Folder | Created Date = 9/10/2008 11:06:56 PM | Attr =	]

Blender Foundation -> %AppData%\Blender Foundation ->  [Folder | Created Date = 8/31/2008 6:43:04 PM | Attr =	]

Malwarebytes -> %AppData%\Malwarebytes ->  [Folder | Created Date = 9/14/2008 9:24:36 PM | Attr =	]

SUPERAntiSpyware.com -> %AppData%\SUPERAntiSpyware.com ->  [Folder | Created Date = 9/10/2008 11:05:51 PM | Attr =	]

Unzipped -> %UserProfile%\My Documents\Unzipped ->  [Folder | Created Date = 8/31/2008 7:37:49 PM | Attr =	]

Blender.lnk -> %UserProfile%\Desktop\Blender.lnk ->  [Ver =  | Size = 1745 bytes | Created Date = 8/31/2008 10:46:52 PM | Attr =	]

Home theater dedicated video room.url -> %UserProfile%\Desktop\Home theater dedicated video room.url ->  [Ver =  | Size = 210 bytes | Created Date = 8/31/2008 10:18:12 PM | Attr =	]

Logo -> %UserProfile%\Desktop\Logo ->  [Folder | Created Date = 9/1/2008 12:41:27 AM | Attr =	]

OTScanIt -> %UserProfile%\Desktop\OTScanIt ->  [Folder | Created Date = 9/23/2008 7:09:45 PM | Attr =	]

OTScanIt.exe -> %UserProfile%\Desktop\OTScanIt.exe ->  [Ver =  | Size = 576581 bytes | Created Date = 9/23/2008 7:09:24 PM | Attr =	]

Java -> %CommonProgramFiles%\Java ->  [Folder | Created Date = 9/13/2008 10:33:49 AM | Attr =	]

Blender Foundation -> %ProgramFiles%\Blender Foundation ->  [Folder | Created Date = 8/31/2008 10:05:02 PM | Attr =	]

lgcjwmc -> %ProgramFiles%\lgcjwmc ->  [Folder | Created Date = 9/13/2008 10:28:49 PM | Attr =	]

Malwarebytes' Anti-Malware -> %ProgramFiles%\Malwarebytes' Anti-Malware ->  [Folder | Created Date = 9/14/2008 9:24:23 PM | Attr =	]

rcswzdd -> %ProgramFiles%\rcswzdd ->  [Folder | Created Date = 9/6/2008 9:13:17 PM | Attr =	]

SUPERAntiSpyware -> %ProgramFiles%\SUPERAntiSpyware ->  [Folder | Created Date = 9/10/2008 11:05:52 PM | Attr =	]

thyruq -> %ProgramFiles%\thyruq ->  [Folder | Created Date = 9/13/2008 1:03:25 AM | Attr =	]

Trend Micro -> %ProgramFiles%\Trend Micro ->  [Folder | Created Date = 9/13/2008 12:45:53 AM | Attr =	]

uuthzlg -> %ProgramFiles%\uuthzlg ->  [Folder | Created Date = 9/10/2008 7:39:21 PM | Attr =	]

vepyaue -> %ProgramFiles%\vepyaue ->  [Folder | Created Date = 9/14/2008 6:51:31 PM | Attr =	]

Windows Live Safety Center -> %ProgramFiles%\Windows Live Safety Center ->  [Folder | Created Date = 9/9/2008 8:50:38 PM | Attr =	]

xquvdcg -> %ProgramFiles%\xquvdcg ->  [Folder | Created Date = 9/12/2008 10:44:38 AM | Attr =	]

yliszze -> %ProgramFiles%\yliszze ->  [Folder | Created Date = 9/7/2008 1:02:12 AM | Attr =	]



[Files/Folders - Modified Within 30 days]

boot.ini -> %SystemDrive%\boot.ini ->  [Ver =  | Size = 211 bytes | Modified Date = 9/4/2008 7:52:23 PM | Attr =  HS]

hiberfil.sys -> %SystemDrive%\hiberfil.sys ->  [Ver =  | Size = 535875584 bytes | Modified Date = 9/15/2008 10:24:10 PM | Attr =  HS]

bajrg.sys -> %SystemRoot%\System32\drivers\bajrg.sys ->  [Ver =  | Size = 61440 bytes | Modified Date = 9/15/2008 11:02:20 PM | Attr =	]

744777172.dat -> %SystemRoot%\System32\744777172.dat ->  [Ver =  | Size = 32 bytes | Modified Date = 9/6/2008 9:11:35 PM | Attr =   S]

1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> 

wpa.dbl -> %SystemRoot%\System32\wpa.dbl ->  [Ver =  | Size = 2206 bytes | Modified Date = 9/12/2008 11:51:39 PM | Attr =	]

bootstat.dat -> %SystemRoot%\bootstat.dat ->  [Ver =  | Size = 2048 bytes | Modified Date = 9/15/2008 10:24:19 PM | Attr =   S]

4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> 

QTFont.for -> %SystemRoot%\QTFont.for ->  [Ver =  | Size = 1409 bytes | Modified Date = 8/31/2008 5:17:28 PM | Attr =	]

QTFont.qfn -> %SystemRoot%\QTFont.qfn ->  [Ver =  | Size = 54156 bytes | Modified Date = 9/6/2008 9:08:46 PM | Attr =  H ]

randseed.rnd -> %SystemRoot%\randseed.rnd ->  [Ver =  | Size = 512 bytes | Modified Date = 9/23/2008 6:00:03 PM | Attr =	]

SMSCFG.ini -> %SystemRoot%\SMSCFG.ini ->  [Ver =  | Size = 467 bytes | Modified Date = 9/15/2008 10:27:43 PM | Attr =	]

system.ini -> %SystemRoot%\system.ini ->  [Ver =  | Size = 299 bytes | Modified Date = 9/4/2008 7:52:23 PM | Attr =	]

win.ini -> %SystemRoot%\win.ini ->  [Ver =  | Size = 573 bytes | Modified Date = 9/4/2008 7:52:23 PM | Attr =	]

wininit.ini -> %SystemRoot%\wininit.ini ->  [Ver =  | Size = 96 bytes | Modified Date = 9/6/2008 10:56:15 PM | Attr =	]

MP Scheduled Scan.job -> %SystemRoot%\tasks\MP Scheduled Scan.job ->  [Ver =  | Size = 330 bytes | Modified Date = 9/22/2008 8:00:01 AM | Attr =  H ]

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\ -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader ->  [Folder | Modified Date = 9/17/2008 7:37:00 PM | Attr =	]

qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat ->  [Ver =  | Size = 4232 bytes | Modified Date = 9/23/2008 6:02:57 PM | Attr =	]

qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat ->  [Ver =  | Size = 5487 bytes | Modified Date = 9/23/2008 6:02:55 PM | Attr =	]

C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA\ -> C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA ->  [Folder | Modified Date = 12/6/2005 5:30:40 PM | Attr =	]

opa11.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA\opa11.dat ->  [Ver =  | Size = 8206 bytes | Modified Date = 12/6/2005 5:30:40 PM | Attr =	]

[Files Modified - Additional Folder Scans - Non-Microsoft Only]

IconCache.db -> %UserProfile%\Local Settings\Application Data\IconCache.db ->  [Ver =  | Size = 4240656 bytes | Modified Date = 9/15/2008 10:22:52 PM | Attr =  H ]

ZbThumbnail.info -> %UserProfile%\My Documents\ZbThumbnail.info ->  [Ver =  | Size = 26076 bytes | Modified Date = 8/29/2008 8:44:41 AM | Attr =  H ]

Blender.lnk -> %UserProfile%\Desktop\Blender.lnk ->  [Ver =  | Size = 1745 bytes | Modified Date = 8/31/2008 10:46:52 PM | Attr =	]

Home theater dedicated video room.url -> %UserProfile%\Desktop\Home theater dedicated video room.url ->  [Ver =  | Size = 210 bytes | Modified Date = 8/31/2008 10:18:12 PM | Attr =	]

OTScanIt.exe -> %UserProfile%\Desktop\OTScanIt.exe ->  [Ver =  | Size = 576581 bytes | Modified Date = 9/23/2008 7:09:30 PM | Attr =	]



< End of report >


#11 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:10 AM

Posted 23 September 2008 - 08:26 PM

Hello Javatime,

Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).

Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Registry - Non-Microsoft Only]
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
YN -> {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8}: [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [ieSpell]
YN -> {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7}: [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [ieSpell Options]
< Internet Explorer Menu Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\
YN -> Lookup on Merriam Webster -> 
YN -> Lookup on Wikipedia -> 
[Files/Folders - Created Within 30 days]
NY -> VundoFix Backups -> %SystemDrive%\VundoFix Backups
NY -> bajrg.sys -> %SystemRoot%\System32\drivers\bajrg.sys
[Files/Folders - Modified Within 30 days]
NY -> bajrg.sys -> %SystemRoot%\System32\drivers\bajrg.sys
NY -> 1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> 4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
[Empty Temp Folders]
[Start Explorer]
[Reboot]

The fix should only take a very short time. When the fix is completed either a message box will popup telling you that it is finished or you will be asked to reboot to finish the fix. If it is finished, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.


If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that information back here.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#12 Javatime

Javatime
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Location:Cedar Brook, NJ
  • Local time:07:10 AM

Posted 24 September 2008 - 06:00 PM

OK...It asked for a reboot. Also, a 10.0 KB Date Base File icon showed up on my desktop called "Thumbs.db." I did not open it.

Explorer killed successfully
[Registry - Non-Microsoft Only]
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{1606D6F9-9D3B-4aea-A025-ED5B2FD488E7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1606D6F9-9D3B-4aea-A025-ED5B2FD488E7}\ not found.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Lookup on Merriam Webster\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Lookup on Wikipedia\ deleted successfully.
[Files/Folders - Created Within 30 days]
C:\VundoFix Backups folder moved successfully.
C:\WINDOWS\System32\drivers\bajrg.sys moved successfully.
[Files/Folders - Modified Within 30 days]
File C:\WINDOWS\System32\drivers\bajrg.sys not found!
[Empty Temp Folders]
File delete failed. C:\Documents and Settings\rmm0922\Local Settings\Temp\Acr3D5.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\rmm0922\Local Settings\Temp\Acr3DB.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\WFV41A.tmp scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt by OldTimer - Version 1.0.19.0 fix logfile created on 09242008_181956

Files moved on Reboot...
File C:\Documents and Settings\rmm0922\Local Settings\Temp\Acr3D5.tmp not found!
File C:\Documents and Settings\rmm0922\Local Settings\Temp\Acr3DB.tmp not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File C:\WINDOWS\temp\WFV41A.tmp not found!

#13 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:10 AM

Posted 24 September 2008 - 06:13 PM

Please tell me how the computer is running.


10.0 KB Date Base File icon showed up on my desktop called "Thumbs.db." I did not open it.


What is the thumbs.db file and how do I remove it?

Edited by SifuMike, 24 September 2008 - 06:21 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#14 Javatime

Javatime
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Location:Cedar Brook, NJ
  • Local time:07:10 AM

Posted 24 September 2008 - 08:53 PM

The computer is running better and thanks for your time and all your help. You do a great service.
However, I just ran a quick scan with Malwarebytes' Anti-Malware, rebooted, and ran it again with the same results. Are these infected files anything to be concerned with?

Malwarebytes' Anti-Malware 1.28
Database version: 1159
Windows 5.1.2600 Service Pack 3

9/24/2008 9:44:28 PM
mbam-log-2008-09-24 (21-44-28).txt

Scan type: Quick Scan
Objects scanned: 56322
Time elapsed: 9 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinCtrl32 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ (Trojan.Agent) -> Delete on reboot.

#15 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:10 AM

Posted 24 September 2008 - 10:18 PM

Are these infected files anything to be concerned with?


No, it looks like you got reinfected by trojan while we were fixing stuff. MalwareBytes is updated several times daily, so it is always finding new malware.

You need to update MalwareBytes more freqently
this is old

Database version: 1159


Lastest is

Database version 1201


How is the computer running?

Edited by SifuMike, 24 September 2008 - 10:23 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users