
Computer Frozen And Completely Hijacked


This topic is locked
12 replies to this topic

#1 nsgrace
  • Members
  • 9 posts

Posted 07 January 2008 - 09:37 PM

Hey there!! I'm typing this from another computer as mine completely froze. I booted up my computer in safe mode to get the data from HijackThis. I read the "read this first" post, but can't download any of the programs you recommend as I can't use my computer (only in safe mode).

I'm locked out of changing my computer time/date; the date it's been set to is Dec 26 (today is Jan 7th) and it's a half hour slow. The error message is "This operation has been cancelled due to restrictions in effect on this computer. Please contact your systems administrator" and I can't use Ctrl/Alt/Del at all (again, my "administrator" locked it). The virus changed my start page to Google, but it's not really Google. And there's always a "Copying…" icon working on the top left of my screen… that doesn't look good…

Here is my HijackThis log… by the way… I have KillBox on my computer too if that's needed.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:02:56 PM, on 12/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avcenter.exe
c:\program files\avira\antivir personaledition classic\avscan.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HPWUTOOLBOX] C:\Program Files\HP\HP Officejet Pro K550 Series\Toolbox\HPWUTBX.exe "-i"
O4 - HKLM\..\Run: [Printer] C:\WINDOWS\system32\printer.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - Global Startup: traywc.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {7E0FDFBB-87D4-43A1-9AD4-41F0EA8AFF7B} (Net6Launcher Class) - https://vpn.fbwebapps.com/net6helper.cab
O16 - DPF: {EBC1356E-7D5E-44EC-831D-847882F06FE5} (Gateway Client for MetaFrame) - https://www.fbwebapps.com/farm%20bureau%20i...en/CSGProxy.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{714981A2-3268-43A1-B9D8-5B1A333EBFCB}: NameServer = 4.2.2.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{714981A2-3268-43A1-B9D8-5B1A333EBFCB}: NameServer = 4.2.2.2
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TmljaG9sZQ\command.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

--
End of file - 3641 bytes



Any help would be appreciated, I don't want to buy a new computer!!! Thanks!

Edited by nsgrace, 08 January 2008 - 12:04 AM.


#2 nsgrace
  • Topic Starter
  • Members
  • 9 posts

Posted 07 January 2008 - 11:46 PM

I forgot I had VundoFix v6.7.7... so I ran that... can't find the log of it (where would I find it? It deleted quite a few files), and here's a new HijackThis log:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:19:12 AM, on 12/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Officejet Pro K550 Series\Toolbox\HPWUTBX.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\traywc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avcenter.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O2 - BHO: (no name) - {88d2410e-4988-403f-aa1d-4c2457d6799e} - C:\WINDOWS\system32\snfrmam.dll
O2 - BHO: (no name) - {A837B9B1-0BED-4F2B-BBEC-6512CF07B130} - C:\Program Files\Internet Explorer\hokep83122.dll
O2 - BHO: (no name) - {AEBF6926-DBA6-4100-A838-1CED0169AB78} - C:\WINDOWS\system32\ddcdday.dll (file missing)
O2 - BHO: {99e1519b-3a71-f68b-7bd4-67f86a57d58d} - {d85d75a6-8f76-4db7-b86f-17a3b9151e99} - C:\WINDOWS\system32\rfyaamtw.dll (file missing)
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684BB} - C:\Program Files\Helper\Helper9.dll (file missing)
O2 - BHO: (no name) - {F9F015F4-96EE-4036-A507-C9221F19C387} - C:\WINDOWS\system32\pmnno.dll (file missing)
O2 - BHO: 0 - {FA0A6530-CD33-4433-02A2-40686EF73076} - C:\Program Files\MSN Gaming Zone\lavujat251.dll (file missing)
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HPWUTOOLBOX] C:\Program Files\HP\HP Officejet Pro K550 Series\Toolbox\HPWUTBX.exe "-i"
O4 - HKLM\..\Run: [Printer] C:\WINDOWS\system32\printer.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\system32\spoolvs.exe
O4 - Global Startup: traywc.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {7E0FDFBB-87D4-43A1-9AD4-41F0EA8AFF7B} (Net6Launcher Class) - https://vpn.fbwebapps.com/net6helper.cab
O16 - DPF: {EBC1356E-7D5E-44EC-831D-847882F06FE5} (Gateway Client for MetaFrame) - https://www.fbwebapps.com/farm%20bureau%20i...en/CSGProxy.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{714981A2-3268-43A1-B9D8-5B1A333EBFCB}: NameServer = 4.2.2.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{714981A2-3268-43A1-B9D8-5B1A333EBFCB}: NameServer = 4.2.2.2
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TmljaG9sZQ\command.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

--
End of file - 5588 bytes

Also ran ComboFix... here is that log...

ComboFix 07-08-17.2 - "Nichole" 2007-12-27 0:25:00.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1091 [GMT -5:00]


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Nichole\APPLIC~1.\sks~1
C:\DOCUME~1\Nichole\APPLIC~1.\ystem~1
C:\DOCUME~1\Nichole\Desktop.\Find Spyware Remover.lnk
C:\DOCUME~1\Nichole\Desktop.\Free Online Dating.lnk
C:\DOCUME~1\Nichole\Desktop.\Go to Casino.lnk
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\Program Files\Internet Explorer\hokep4444.dll
C:\Program Files\Internet Explorer\hokep83122.dll
C:\Program Files\network monitor
C:\Program Files\network monitor\netmon.exe
C:\Program Files\Trend Micro\HijackThis\backups\backup-20071211-181455-862.dll
C:\Program Files\ucleaner_setup.exe
C:\Program Files\Ultimate Cleaner
C:\Program Files\Ultimate Defender
C:\Program Files\web buying
C:\Program Files\web buying\v1.8.6\wbuninst.exe
C:\Program Files\web buying\v1.8.6\webbuying.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\Casino.ico
C:\WINDOWS\Free Online Dating.ico
C:\WINDOWS\Spyware Remover.ico
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\racle~1
C:\WINDOWS\system32\snfrmam.dll
C:\WINDOWS\system32\wintisv.exe
C:\WINDOWS\TmljaG9sZQ\asappsrv.dll
C:\WINDOWS\TTC-4444.exe


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE
-------\LEGACY_CORE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\cmdService
-------\core
-------\DomainService
-------\Network Monitor


((((((((((((((((((((((((( Files Created from 2007-11-27 to 2007-12-27 )))))))))))))))))))))))))))))))


2007-12-26 23:33 <DIR> d-------- C:\VundoFix Backups
2007-12-26 19:49 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Apple Computer
2007-12-26 14:17 6,144 --a------ C:\WINDOWS\SYSTEM32\user32.dat
2007-12-26 14:14 <DIR> d-------- C:\Program Files\Helper
2007-12-26 13:57 <DIR> d-------- C:\Program Files\Avira
2007-12-26 13:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Avira
2007-12-25 21:14 18,944 --a------ C:\WINDOWS\SYSTEM32\wowfx.dll
2007-12-11 18:17 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\NetMon
2007-12-11 18:12 <DIR> d-------- C:\WINDOWS\SYSTEM32\rex2
2007-12-11 18:12 <DIR> d-------- C:\WINDOWS\SYSTEM32\doc4
2007-12-11 18:12 <DIR> d-------- C:\WINDOWS\SYSTEM32\daSgo01
2007-12-11 18:12 <DIR> d-------- C:\WINDOWS\SYSTEM32\bbc5
2007-12-11 18:12 <DIR> d-------- C:\WINDOWS\SYSTEM32\ashell3
2007-12-11 18:12 <DIR> d-------- C:\Temp\bkR11
2007-12-11 18:12 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\NetMon
2007-12-11 15:37 91,923 --a------ C:\WINDOWS\SYSTEM32\EPPICPrinterDB.dat
2007-12-11 15:37 76,956 --a------ C:\WINDOWS\SYSTEM32\EPPICPattern2.dat
2007-12-11 15:37 65,536 --a------ C:\WINDOWS\SYSTEM32\EPPicMgr.dll
2007-12-11 15:37 413,696 --a------ C:\WINDOWS\SYSTEM32\PICSDK.dll
2007-12-11 15:37 39,121 --a------ C:\WINDOWS\SYSTEM32\EPPICPattern1.dat
2007-12-11 15:37 27,965 --a------ C:\WINDOWS\SYSTEM32\EPPICPresetData_JP.dat
2007-12-11 15:37 15,172 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\PzWDM.sys
2007-12-11 15:37 114,688 --a------ C:\WINDOWS\SYSTEM32\EpPicPrt.dll
2007-12-11 15:37 <DIR> d-------- C:\Program Files\CASIO
2007-12-11 15:35 <DIR> d-------- C:\Program Files\HOTALBUMMyBOX


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-12-26 19:20 --------- d-------- C:\Program Files\Weight Commander
2007-12-26 19:02 --------- d-------- C:\Program Files\MSN Gaming Zone
2007-12-26 08:50 --------- d-------- C:\DOCUME~1\Nichole\APPLIC~1\ultra
2007-12-11 15:36 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-11-24 16:03 --------- d-------- C:\Program Files\Yahoo!
2007-11-24 16:03 --------- d-------- C:\Program Files\Common Files\SureThing Shared
2007-11-18 11:29 --------- d-------- C:\DOCUME~1\Nichole\APPLIC~1\AdobeUM
2007-11-14 02:26 450560 --------- C:\WINDOWS\system32\dllcache\jscript.dll
2007-11-13 20:15 --------- d-------- C:\Program Files\World of Warcraft
2007-11-13 05:25 20480 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-09 21:44 --------- d-------- C:\Program Files\7-Zip
2007-10-30 05:16 3058688 --------- C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 17:43 1287680 --a------ C:\WINDOWS\system32\quartz.dll
2007-10-29 17:43 1287680 --------- C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-27 17:40 227328 --a------ C:\WINDOWS\system32\wmasf.dll
2007-10-27 17:40 227328 --a------ C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-25 22:36 8454656 --------- C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-18 08:06 31 --ah----- C:\WINDOWS\uccspecc.sys
2007-10-11 01:13 96256 --------- C:\WINDOWS\system32\dllcache\inseng.dll
2007-10-11 01:13 659456 --------- C:\WINDOWS\system32\dllcache\wininet.dll
2007-10-11 01:13 615424 --------- C:\WINDOWS\system32\dllcache\urlmon.dll
2007-10-11 01:13 55808 --------- C:\WINDOWS\system32\dllcache\extmgr.dll
2007-10-11 01:13 532480 --------- C:\WINDOWS\system32\dllcache\mstime.dll
2007-10-11 01:13 474112 --------- C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-10-11 01:13 449024 --------- C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-10-11 01:13 39424 --------- C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-10-11 01:13 357888 --------- C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-10-11 01:13 251392 --------- C:\WINDOWS\system32\dllcache\iepeers.dll
2007-10-11 01:13 205312 --------- C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-10-11 01:13 16384 --------- C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-10-11 01:13 151040 --------- C:\WINDOWS\system32\dllcache\cdfview.dll
2007-10-11 01:13 1494528 --------- C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-10-11 01:13 146432 --------- C:\WINDOWS\system32\dllcache\msrating.dll
2007-10-11 01:13 1054208 --------- C:\WINDOWS\system32\dllcache\danim.dll
2007-10-11 01:13 1023488 --------- C:\WINDOWS\system32\dllcache\browseui.dll
2007-10-10 06:16 18432 --------- C:\WINDOWS\system32\dllcache\iedw.exe
2007-04-27 15:20 1183254 --a------ C:\DOCUME~1\Nichole\APPLIC~1\CitrixSAClient.exe
2005-07-29 21:24:26 472 --sha-r C:\WINDOWS\TmljaG9sZQ\nA53u36Ptk.vbs


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AEBF6926-DBA6-4100-A838-1CED0169AB78}]
C:\WINDOWS\system32\ddcdday.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d85d75a6-8f76-4db7-b86f-17a3b9151e99}]
C:\WINDOWS\system32\rfyaamtw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F10587E9-0E47-4CBE-84AE-7DD20B8684BB}]
C:\Program Files\Helper\Helper9.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9F015F4-96EE-4036-A507-C9221F19C387}]
C:\WINDOWS\system32\pmnno.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FA0A6530-CD33-4433-02A2-40686EF73076}]
C:\Program Files\MSN Gaming Zone\lavujat251.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 11:27]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 14:43]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 08:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 15:51]
"HPWUTOOLBOX"="C:\Program Files\HP\HP Officejet Pro K550 Series\Toolbox\HPWUTBX.exe" [2005-09-19 10:31]
"Printer"="C:\WINDOWS\system32\printer.exe" []
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-12-26 13:57]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 21:49]
"Spoolsv"="C:\WINDOWS\system32\spoolvs.exe" []

C:\Documents and Settings\Nichole\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 14:36:04]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 14:36:04]
traywc.exe [2003-02-07]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{AEBF6926-DBA6-4100-A838-1CED0169AB78}"= C:\WINDOWS\system32\ddcdday.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\system32\wowfx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\pmnno

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll, wowfx.dll
path=
backup=

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
C:\Program Files\Logitech\Video\LogiTray.exe

R0 PzWDM;PzWDM;C:\WINDOWS\system32\Drivers\PzWDM.sys
R1 avgio;avgio;\??\C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgio.sys
R1 avipbb;avipbb;C:\WINDOWS\system32\DRIVERS\avipbb.sys
R1 ssmdrv;ssmdrv;C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
R2 hmonitor;hmonitor;\??\C:\WINDOWS\system32\drivers\hmonitor.sys
R2 Machnm32;Machnm32 Driver;\??\C:\WINDOWS\system32\Machnm32.sys
R3 avgntflt;avgntflt;\??\C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgntflt.sys
R3 Net6IM;Net6;C:\WINDOWS\system32\DRIVERS\net6im51.sys
R3 P16X;Creative SB Live! Series (WDM);C:\WINDOWS\system32\drivers\P16X.sys
R3 PhilCam8116_XP;Logitech QuickCam Pro 3000(PID_08B1);C:\WINDOWS\system32\DRIVERS\CamDrL20.sys
S3 gtermddo;gtermddo;\??\C:\DOCUME~1\Nichole\LOCALS~1\Temp\gtermddo.sys
S3 SaiNtHid;SaiNtHid;C:\WINDOWS\system32\DRIVERS\SaiNtHid.sys
S3 SaiNtSub;SaiNtSub;C:\WINDOWS\system32\DRIVERS\SaiNtSub.sys


Contents of the 'Scheduled Tasks' folder
2007-12-26 23:38:00 C:\WINDOWS\Tasks\HP Usg Daily.job
2007-07-11 21:57:00 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job - C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-27 00:32:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-12-27 0:36:54 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-12-27 00:36
C:\ComboFix2.txt ... 2007-09-02 21:10
C:\ComboFix3.txt ... 2007-08-29 19:28

--- E O F ---


Seems to be running better now...I can get into Task Manager now...what do you guys think?

Edited by nsgrace, 08 January 2008 - 12:07 AM.
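As an added example (not code from this thread, from HijackThis or from the helpers here), a small Python triage script for the HijackThis log format shown in the two logs above. It flags the entry types those logs contain: an F2 Shell= value that launches something besides Explorer.exe, an O7 policy that disables Regedit, a non-empty O20 AppInit_DLLs, O4 Run entries whose executable name is a near-miss of a Windows system binary, anything marked "(file missing)", and O23 service paths whose directory name is base64 text. The heuristics, the SYSTEM_EXES list and the edit-distance threshold are my own assumptions, not HijackThis behaviour.

```python
import base64
import re

# Sample input: lines copied from the two HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O2 - BHO: (no name) - {AEBF6926-DBA6-4100-A838-1CED0169AB78} - C:\WINDOWS\system32\ddcdday.dll (file missing)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Printer] C:\WINDOWS\system32\printer.exe
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\system32\spoolvs.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TmljaG9sZQ\command.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Every HijackThis entry is "<section code> - <body>".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")

# Assumed list of Windows XP core process names that malware likes to imitate.
SYSTEM_EXES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
               "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}


def edit_distance(a, b):
    """Plain Levenshtein distance; used to spot spoolvs.exe-style lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _exe_name(cmd):
    """Base name of the executable in an O4 command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        path = cmd[1:].split('"', 1)[0]
    else:
        path = cmd.split()[0] if cmd else ""
    return path.rsplit("\\", 1)[-1].lower()


def _base64_dirs(path):
    """Directory names (8+ base64 chars) that decode to printable ASCII."""
    out = []
    for part in path.split("\\"):
        if len(part) >= 8 and re.fullmatch(r"[A-Za-z0-9+/]+", part):
            try:
                raw = base64.b64decode(part + "=" * (-len(part) % 4), validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                continue
            if raw and all(32 <= b < 127 for b in raw):
                out.append((part, raw.decode("ascii")))
    return out


def triage(log_text):
    """Return (code, reason, line) for entries that deserve a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if "(file missing)" in body:
            findings.append((code, "autostart points at a file that no longer exists", line))
        if code == "F2" and "Shell=" in body:
            shell = [s.lower() for s in body.split("Shell=", 1)[1].split()]
            if shell != ["explorer.exe"]:
                findings.append((code, "Shell= launches more than Explorer.exe", line))
        elif code == "O7" and re.search(r"Disable(Regedit|TaskMgr)=1", body):
            findings.append((code, "policy blocks the user's own admin tools", line))
        elif code == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
            findings.append((code, "DLL loaded into every user32-linked process", line))
        elif code == "O4" and "]" in body:
            exe = _exe_name(body.split("]", 1)[1])
            if exe and exe not in SYSTEM_EXES and any(edit_distance(exe, k) <= 2 for k in SYSTEM_EXES):
                findings.append((code, f"{exe} looks like a misspelt system binary", line))
        elif code == "O23":
            for part, decoded in _base64_dirs(body):
                findings.append((code, f"service path directory {part!r} is base64 for {decoded!r}", line))
    return findings


if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG):
        print(f"{code}: {reason}\n    {line}")
```

The base64 check is what turns the odd C:\WINDOWS\TmljaG9sZQ directory from the logs into a readable clue; the other checks only narrow the list, and each hit still needs the helper's judgement.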


#3 OldTimer

    Malware Expert

  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 15 January 2008 - 12:13 PM

Hello nsgrace and welcome to the BC HijackThis forum. It looks like there are still some items lurking in there. Let's see what else we can find.

Download WinPFind35u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind35u on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the WinPFind35u folder and double-click on WinPFind35U.exe to start the program.
  • In the Drivers section click on Non-Microsoft.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck
    • Reg - Desktop Components
    • Reg - Session Manager Settings
    • Reg - Software Policy Settings
    • File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in.

If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts or attach it as a file.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

#4 nsgrace
  • Topic Starter
  • Members
  • 9 posts

Posted 26 January 2008 - 11:52 PM

WinPFind35 logfile created on: 1/26/2008 11:50:42 PM

WinPFind35U Version Beta38	 Folder = C:\Documents and Settings\Nichole\Desktop\WinPFind35u

Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 6.0.2900.2180)

 

1.50 Gb Total Physical Memory | 1.05 Gb Available Physical Memory | 70.31% Memory free

2.11 Gb Paging File | 1.73 Gb Available in Paging File | 82.31% Paging File free

Paging file location(s): C:\pagefile.sys 768 1536;

 

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 74.46 Gb Total Space | 2.49 Gb Free Space | 3.34% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

Drive F: | 955.73 Mb Total Space | 950.28 Mb Free Space | 99.43% Space Free | Partition Type: FAT



Computer Name: DD90BM41

Current User Name: Nichole

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user





[Processes - Non-Microsoft Only]

ati2evxx.exe -> %System32%\ati2evxx.exe -> ATI Technologies Inc. [Ver = 6.14.10.4129 | Size = 405504 bytes | Modified Date = 1/24/2006 10:45:24 PM | Attr =	]

avguard.exe -> %ProgramFiles%\Avira\AntiVir PersonalEdition Classic\avguard.exe -> Avira GmbH [Ver = 7.00.00.82 | Size = 214056 bytes | Modified Date = 12/26/2007 1:57:05 PM | Attr =	]

ati2evxx.exe -> %System32%\ati2evxx.exe -> ATI Technologies Inc. [Ver = 6.14.10.4129 | Size = 405504 bytes | Modified Date = 1/24/2006 10:45:24 PM | Attr =	]

dsentry.exe -> %System32%\DSentry.exe -> Dell - Advanced Desktop Engineering [Ver = 1, 0, 5, 0 | Size = 28672 bytes | Modified Date = 8/13/2003 11:27:40 AM | Attr =	]

cli.exe -> %ProgramFiles%\ATI Technologies\ATI.ACE\CLI.exe -> ATI Technologies Inc. [Ver = 1.11.0.0 | Size = 45056 bytes | Modified Date = 8/12/2005 2:43:58 PM | Attr =	]

qttask.exe -> %ProgramFiles%\QuickTime\qttask.exe -> Apple Inc. [Ver = 7.1.6 | Size = 282624 bytes | Modified Date = 4/27/2007 8:41:54 AM | Attr =	]

ituneshelper.exe -> %ProgramFiles%\iTunes\iTunesHelper.exe -> Apple Inc. [Ver = 7.2.0.35 | Size = 257088 bytes | Modified Date = 6/1/2007 3:51:26 PM | Attr =	]

hpwutbx.exe -> %ProgramFiles%\HP\HP Officejet Pro K550 Series\Toolbox\HPWUTBX.exe -> Hewlett-Packard Company [Ver = 2005.0919.0.0 | Size = 352256 bytes | Modified Date = 9/19/2005 10:31:48 AM | Attr =	]

avgnt.exe -> %ProgramFiles%\Avira\AntiVir PersonalEdition Classic\avgnt.exe -> Avira GmbH [Ver = 7.02.00.16 | Size = 249896 bytes | Modified Date = 12/26/2007 1:57:05 PM | Attr =	]

ctfmona.exe -> %System32%\ctfmona.exe ->  [Ver =  | Size = 29824 bytes | Modified Date = 1/9/2008 12:45:21 PM | Attr =	]

ipodservice.exe -> %ProgramFiles%\iPod\bin\iPodService.exe -> Apple Inc. [Ver = 7.2.0.35 | Size = 501312 bytes | Modified Date = 6/1/2007 3:51:22 PM | Attr =	]

dsagnt.exe -> %ProgramFiles%\DellSupport\DSAgnt.exe -> Gteko Ltd. [Ver = 3, 0, 0, 197 | Size = 460784 bytes | Modified Date = 3/15/2007 10:09:36 AM | Attr =	]

traywc.exe -> %AllUsersStartup%\traywc.exe -> weight commander [Ver = 1.00 | Size = 274432 bytes | Modified Date = 2/7/2003 | Attr =	]

cli.exe -> %ProgramFiles%\ATI Technologies\ATI.ACE\CLI.exe -> ATI Technologies Inc. [Ver = 1.11.0.0 | Size = 45056 bytes | Modified Date = 8/12/2005 2:43:58 PM | Attr =	]

cli.exe -> %ProgramFiles%\ATI Technologies\ATI.ACE\CLI.exe -> ATI Technologies Inc. [Ver = 1.11.0.0 | Size = 45056 bytes | Modified Date = 8/12/2005 2:43:58 PM | Attr =	]

ymsgr_tray.exe -> %ProgramFiles%\Yahoo!\Messenger\Ymsgr_tray.exe -> Yahoo! Inc. [Ver = 8,1,0,0 | Size = 103928 bytes | Modified Date = 11/30/2006 9:49:06 PM | Attr =	]

winpfind35u.exe -> %UserDesktop%\WinPFind35u\WinPFind35U.exe -> OldTimer Tools [Ver = 1.0.0.0 | Size = 307712 bytes | Modified Date = 1/26/2008 1:34:08 PM | Attr =	]



[Win32 Services - Non-Microsoft Only]

(AntiVirScheduler) AntiVir PersonalEdition Classic Scheduler [Win32_Own | Auto | Stopped] -> %ProgramFiles%\Avira\AntiVir PersonalEdition Classic\sched.exe -> Avira GmbH [Ver = 7.00.00.62 | Size = 63016 bytes | Modified Date = 8/28/2007 1:16:22 PM | Attr =	]

(AntiVirService) AntiVir PersonalEdition Classic Guard [Win32_Own | Auto | Running] -> %ProgramFiles%\Avira\AntiVir PersonalEdition Classic\avguard.exe -> Avira GmbH [Ver = 7.00.00.82 | Size = 214056 bytes | Modified Date = 12/26/2007 1:57:05 PM | Attr =	]

(Ati HotKey Poller) Ati HotKey Poller [Win32_Own | Auto | Running] -> %System32%\ati2evxx.exe -> ATI Technologies Inc. [Ver = 6.14.10.4129 | Size = 405504 bytes | Modified Date = 1/24/2006 10:45:24 PM | Attr =	]

(ATI Smart) ATI Smart [Win32_Own | Auto | Stopped] -> %System32%\ati2sgag.exe ->  [Ver = 5.13.0025 | Size = 520192 bytes | Modified Date = 1/26/2006 8:57:00 AM | Attr =	]

(AVG Anti-Spyware Guard) AVG Anti-Spyware Guard [Win32_Own | Disabled | Stopped] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 22 | Size = 312880 bytes | Modified Date = 5/30/2007 7:31:10 AM | Attr =	]

(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 8/4/2004 2:56:48 AM | Attr =	]

(DSBrokerService) DSBrokerService [Win32_Own | Disabled | Stopped] -> %ProgramFiles%\DellSupport\brkrsvc.exe ->  [Ver = 1, 0, 0, 8 | Size = 76848 bytes | Modified Date = 3/7/2007 2:47:46 PM | Attr =	]

(IDriverT) InstallDriver Table Manager [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\InstallShield\Driver\11\Intel 32\IDriverT.exe -> Macrovision Corporation [Ver = 11.00.28844 | Size = 69632 bytes | Modified Date = 4/4/2005 12:41:10 AM | Attr =	]

(iPod Service) iPod Service [Win32_Own | On_Demand | Running] -> %ProgramFiles%\iPod\bin\iPodService.exe -> Apple Inc. [Ver = 7.2.0.35 | Size = 501312 bytes | Modified Date = 6/1/2007 3:51:22 PM | Attr =	]

(NetSvc) Intel NCS NetService [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Intel\NCS\Sync\NetSvc.exe -> Intel(R) Corporation [Ver = 1.2.26.0 | Size = 143360 bytes | Modified Date = 3/3/2003 2:33:40 PM | Attr =	]

(Pml Driver HPZ12) Pml Driver HPZ12 [Win32_Own | Disabled | Stopped] -> %System32%\HPZipm12.exe -> HP [Ver = 8, 0, 0, 0 | Size = 65536 bytes | Modified Date = 3/18/2004 4:55:48 PM | Attr =	]



[Driver Services - Non-Microsoft Only]

(Abiosdsk) Abiosdsk [Kernel | Disabled | Stopped] ->  -> File not found

(AliIde) AliIde [Kernel | Disabled | Stopped] -> %System32%\DRIVERS\ALIIDE.SYS -> Acer Laboratories Inc. [Ver = 1.20 | Size = 5248 bytes | Modified Date = 8/17/2001 2:51:56 PM | Attr =	]

(amdagp) AMD AGP Bus Filter Driver [Kernel | Disabled | Stopped] -> %System32%\DRIVERS\amdagp.sys -> Advanced Micro Devices, Inc. [Ver = 5.00 (xpsp_sp2_rtm.040803-2158) | Size = 43008 bytes | Modified Date = 8/4/2004 1:07:42 AM | Attr =	]

(asc) asc [Kernel | Disabled | Stopped] -> %System32%\DRIVERS\ASC.SYS -> Advanced System Products, Inc. [Ver = 2.9I-MS (XPClient.010817-1148) | Size = 26496 bytes | Modified Date = 8/17/2001 2:52:00 PM | Attr =	]

(asc3550) asc3550 [Kernel | Disabled | Stopped] -> %System32%\DRIVERS\ASC3550.SYS -> Advanced System Products, Inc. [Ver = 3.1E-MS (XPClient.010817-1148) | Size = 14848 bytes | Modified Date = 8/17/2001 2:51:58 PM | Attr =	]

(Atdisk) Atdisk [Kernel | Disabled | Stopped] ->  -> File not found

(ati2mtag) ati2mtag [Kernel | On_Demand | Running] -> %System32%\DRIVERS\ati2mtag.sys -> ATI Technologies Inc. [Ver = 6.14.10.6599 | Size = 1478656 bytes | Modified Date = 1/24/2006 10:52:31 PM | Attr =	]

(AVG Anti-Spyware Driver) AVG Anti-Spyware Driver [Kernel | System | Running] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.sys ->  [Ver =  | Size = 11000 bytes | Modified Date = 5/30/2007 7:10:42 AM | Attr =	]

(AvgAsCln) AVG Anti-Spyware Clean Driver [Kernel | System | Running] -> %System32%\DRIVERS\AvgAsCln.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 10872 bytes | Modified Date = 5/30/2007 7:10:42 AM | Attr =	]

(avgio) avgio [Kernel | System | Running] -> %ProgramFiles%\Avira\AntiVir PersonalEdition Classic\avgio.sys -> Avira GmbH [Ver = 1.0.0.30 | Size = 11840 bytes | Modified Date = 2/27/2007 3:25:10 PM | Attr =	]

(avgntflt) avgntflt [File_System | On_Demand | Running] -> %ProgramFiles%\Avira\AntiVir PersonalEdition Classic\avgntflt.sys -> Avira GmbH [Ver = 7.00.00.04 | Size = 48448 bytes | Modified Date = 12/26/2007 1:57:06 PM | Attr =	]

(avipbb) avipbb [Kernel | System | Running] -> %System32%\DRIVERS\avipbb.sys -> AVIRA GmbH [Ver = 1.00.02.13 | Size = 61632 bytes | Modified Date = 12/26/2007 1:57:17 PM | Attr =	]

(Beep) Beep [Kernel | System | Stopped] ->  -> File not found

(bvrp_pci) bvrp_pci [Kernel | On_Demand | Stopped] ->  -> File not found

(catchme) catchme [Kernel | On_Demand | Stopped] -> %SystemDrive%\DOCUME~1\Nichole\LOCALS~1\Temp\catchme.sys -> File not found

(Changer) Changer [Kernel | System | Stopped] ->  -> File not found

(CmdIde) CmdIde [Kernel | Disabled | Stopped] -> %System32%\DRIVERS\CMDIDE.SYS -> CMD Technology, Inc. [Ver = 2.0.7 (XPClient.010817-1148) | Size = 6656 bytes | Modified Date = 8/17/2001 2:51:54 PM | Attr =	]

(dac2w2k) dac2w2k [Kernel | Disabled | Stopped] -> %System32%\DRIVERS\DAC2W2K.SYS -> Mylex Corporation [Ver = 6.00-21 (XPClient.010817-1148) | Size = 179584 bytes | Modified Date = 8/17/2001 2:52:16 PM | Attr =	]

(dmboot) dmboot [Kernel | Disabled | Stopped] -> %System32%\DRIVERS\dmboot.sys -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 799744 bytes | Modified Date = 8/4/2004 1:07:17 AM | Attr =	]

(dmio) Logical Disk Manager Driver [Kernel | Boot | Running] -> %System32%\DRIVERS\dmio.sys -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 153344 bytes | Modified Date = 8/4/2004 1:07:16 AM | Attr =	]

(dmload) dmload [Kernel | Boot | Running] -> %System32%\DRIVERS\DMLOAD.SYS -> Microsoft Corp., Veritas Software. [Ver = 2600.0.503.0 | Size = 5888 bytes | Modified Date = 8/29/2002 6:00:00 AM | Attr =	]

(drvmcdb) drvmcdb [Kernel | Boot | Running] -> %System32%\DRIVERS\drvmcdb.sys -> Sonic Solutions [Ver = 3.21.65a | Size = 84576 bytes | Modified Date = 7/31/2003 4:21:00 AM | Attr =	]

(drvnddm) drvnddm [File_System | Auto | Running] -> %System32%\DRIVERS\drvnddm.sys -> Sonic Solutions [Ver = 2.56.38a | Size = 40448 bytes | Modified Date = 6/20/2003 3:56:00 AM | Attr =	]

(DSproct) DSproct [Kernel | On_Demand | Running] -> %ProgramFiles%\DellSupport\GTAction\triggers\DSproct.sys -> Gteko Ltd. [Ver = 2, 0, 0, 30 | Size = 4736 bytes | Modified Date = 10/5/2006 3:07:28 PM | Attr =	]

(dsunidrv) DellSupport UniDriver [Kernel | Auto | Running] -> %System32%\DRIVERS\dsunidrv.sys -> Gteko Ltd. [Ver = 1, 0, 0, 12 | Size = 5376 bytes | Modified Date = 2/25/2007 11:10:48 AM | Attr =   S]

(E100B) Intel(R) PRO Adapter Driver [Kernel | On_Demand | Running] -> %System32%\DRIVERS\e100b325.sys -> Intel Corporation [Ver = 7.0.26.0 built by: WinDDK | Size = 145408 bytes | Modified Date = 3/4/2003 1:56:26 PM | Attr =	]

(EL90XBC) 3Com EtherLink XL 90XB/C Adapter Driver [Kernel | On_Demand | Stopped] -> %System32%\DRIVERS\EL90XBC5.SYS -> 3Com Corporation [Ver = 4.05.00.0000 | Size = 66591 bytes | Modified Date = 8/17/2001 1:11:06 PM | Attr =	]

(GEARAspiWDM) GEARAspiWDM [Kernel | On_Demand | Running] -> %System32%\DRIVERS\GEARAspiWDM.sys -> GEAR Software Inc. [Ver = 2.0.6.1 | Size = 15664 bytes | Modified Date = 9/19/2006 3:44:04 PM | Attr =	]

(gtermddo) gtermddo [Kernel | On_Demand | Stopped] -> %SystemDrive%\DOCUME~1\Nichole\LOCALS~1\Temp\gtermddo.sys -> File not found

(hmonitor) hmonitor [Kernel | Auto | Running] -> %System32%\DRIVERS\Hmonitor.sys ->  [Ver =  | Size = 7188 bytes | Modified Date = 12/5/2006 9:26:22 AM | Attr =	]

(HPZid412) IEEE-1284.4 Driver HPZid412 [Kernel | On_Demand | Stopped] -> %System32%\DRIVERS\HPZid412.sys -> HP [Ver = 8, 0, 0, 0 | Size = 51088 bytes | Modified Date = 3/18/2004 4:52:00 AM | Attr =	]

(HPZipr12) Print Class Driver for IEEE-1284.4 HPZipr12 [Kernel | On_Demand | Stopped] -> %System32%\DRIVERS\HPZipr12.sys -> HP [Ver = 8, 0, 0, 0 | Size = 16496 bytes | Modified Date = 3/18/2004 4:52:00 AM | Attr =	]

(HPZius12) USB to IEEE-1284.4 Translation Driver HPZius12 [Kernel | On_Demand | Stopped] -> %System32%\DRIVERS\HPZius12.sys -> HP [Ver = 8, 0, 0, 0 | Size = 21744 bytes | Modified Date = 3/18/2004 4:51:00 AM | Attr =	]

(i81x) i81x [Kernel | On_Demand | Stopped] -> %System32%\DRIVERS\i81xnt5.sys -> Intel(R) Corporation [Ver = 6.13.01.3198  | Size = 161020 bytes | Modified Date = 8/4/2004 12:29:36 AM | Attr =	]

(iAimFP0) iAimFP0 [Kernel | On_Demand | Stopped] -> %System32%\DRIVERS\wadv01nt.sys -> Intel(R) Corporation [Ver = 6.13.01.3198  | Size = 12415 bytes | Modified Date = 8/4/2004 12:29:37 AM | Attr =	]

(iAimFP1) iAimFP1 [Kernel | On_Demand | Stopped] -> %System32%\DRIVERS\wadv02nt.sys -> Intel(R) Corporation [Ver = 6.13.01.3198  | Size = 12127 bytes | Modified Date = 8/4/2004 12:29:37 AM | Attr =	]

(iAimFP2) iAimFP2 [Kernel | On_Demand | Stopped] -> %System32%\DRIVERS\wadv05nt.sys -> Intel(R) Corporation [Ver = 6.13.01.3198  | Size = 11775 bytes | Modified Date = 8/4/2004 12:29:37 AM | Attr =	]

(iAimFP3) iAimFP3 [Kernel | On_Demand | Stopped] -> %System32%\DRIVERS\wsiintxx.sys -> Intel(R) Corporation [Ver = 6.13.01.3198  | Size = 12063 bytes | Modified Date = 8/4/2004 12:29:47 AM | Attr =	]

(iAimFP4) iAimFP4 [Kernel | On_Demand | Stopped] -> %System32%\DRIVERS\wvchntxx.sys -> Intel(R) Corporation [Ver = 6.13.01.3198  | Size = 19455 bytes | Modified Date = 8/4/2004 12:29:49 AM | Attr =	]

(iAimTV0) iAimTV0 [Kernel | On_Demand | Stopped] -> %System32%\DRIVERS\watv01nt.sys -> Intel(R) Corporation [Ver = 6.13.01.3198  | Size = 29311 bytes | Modified Date = 8/4/2004 12:29:41 AM | Attr =	]

(iAimTV1) iAimTV1 [Kernel | On_Demand | Stopped] -> %System32%\DRIVERS\watv02nt.sys -> Intel(R) Corporation [Ver = 6.13.01.3198  | Size = 19551 bytes | Modified Date = 8/4/2004 12:29:42 AM | Attr =	]

(iAimTV2) iAimTV2 [Kernel | On_Demand | Stopped] -> System32\DRIVERS\wATV03nt.sys -> File not found

(iAimTV3) iAimTV3 [Kernel | On_Demand | Stopped] -> %System32%\DRIVERS\watv04nt.sys -> Intel(R) Corporation [Ver = 6.13.01.3198  | Size = 33599 bytes | Modified Date = 8/4/2004 12:29:43 AM | Attr =	]

(iAimTV4) iAimTV4 [Kernel | On_Demand | Stopped] -> %System32%\DRIVERS\wch7xxnt.sys -> Intel(R) Corporation [Ver = 6.13.01.3198  | Size = 23615 bytes | Modified Date = 8/4/2004 12:29:45 AM | Attr =	]

(IntelC51) IntelC51 [Kernel | On_Demand | Running] -> %System32%\DRIVERS\IntelC51.sys -> Intel Corporation [Ver = 2.15.25.0 | Size = 1232741 bytes | Modified Date = 11/20/2003 11:13:40 PM | Attr =	]

(IntelC52) IntelC52 [Kernel | On_Demand | Running] -> %System32%\DRIVERS\IntelC52.sys -> Intel Corporation [Ver = 4.58.1 | Size = 646825 bytes | Modified Date = 11/20/2003 11:14:28 PM | Attr =	]

(IntelC53) IntelC53 [Kernel | On_Demand | Running] -> %System32%\DRIVERS\IntelC53.sys -> Intel Corporation [Ver = 2.15.25.0 | Size = 59717 bytes | Modified Date = 11/20/2003 11:12:56 PM | Attr =	]

(lbrtfdc) lbrtfdc [Kernel | System | Stopped] ->  -> File not found

(LVUSBSta) Logitech USB Monitor Filter [Kernel | On_Demand | Stopped] -> %System32%\DRIVERS\LVUSBSta.sys ->  [Ver =  | Size = 19968 bytes | Modified Date = 5/27/2004 10:47:16 AM | Attr =	]

(Machnm32) Machnm32 Driver [Kernel | Auto | Running] -> %System32%\Machnm32.sys ->  [Ver =  | Size = 2304 bytes | Modified Date = 8/12/2003 11:27:00 PM | Attr =	]

(mohfilt) mohfilt [Kernel | On_Demand | Running] -> %System32%\DRIVERS\mohfilt.sys -> Intel Corporation [Ver = 7.11.0.0 | Size = 37048 bytes | Modified Date = 11/20/2003 11:12:42 PM | Attr =	]

(mraid35x) mraid35x [Kernel | Disabled | Stopped] -> %System32%\DRIVERS\MRAID35X.SYS -> American Megatrends Inc. [Ver = 6.19 (XPClient.010817-1148) | Size = 17280 bytes | Modified Date = 8/17/2001 2:52:12 PM | Attr =	]

(Net6IM) Net6 [Kernel | On_Demand | Running] -> %System32%\DRIVERS\net6im51.sys -> Net6, Inc. [Ver = 1.0.0.100 built by: WinDDK | Size = 44664 bytes | Modified Date = 7/11/2006 5:56:24 AM | Attr =	]

(omci) OMCI WDM Device Driver [Kernel | System | Running] -> %System32%\DRIVERS\omci.sys -> Dell Computer Corporation [Ver = 7, 0, 323, 0 | Size = 17217 bytes | Modified Date = 11/8/2002 2:45:06 PM | Attr =	]

(P16X) Creative SB Live! Series (WDM) [Kernel | On_Demand | Running] -> %System32%\DRIVERS\P16X.sys -> Creative Technology Ltd. [Ver = 5.12.01.129 | Size = 1296384 bytes | Modified Date = 8/14/2003 11:58:12 AM | Attr =	]

(PCAMPR5) PCAMPR5 NDIS Protocol Driver [Kernel | On_Demand | Stopped] -> %System32%\PCAMPR5.SYS -> File not found

(PCIDump) PCIDump [Kernel | System | Stopped] ->  -> File not found

(PDCOMP) PDCOMP [Kernel | On_Demand | Stopped] ->  -> File not found

(PDFRAME) PDFRAME [Kernel | On_Demand | Stopped] ->  -> File not found

(PDRELI) PDRELI [Kernel | On_Demand | Stopped] ->  -> File not found

(PDRFRAME) PDRFRAME [Kernel | On_Demand | Stopped] ->  -> File not found

(PfModNT) PfModNT [Kernel | Auto | Running] -> %System32%\PFMODNT.SYS -> Creative Technology Ltd. [Ver = 2.0.0.0 | Size = 6752 bytes | Modified Date = 12/17/1999 | Attr =	]

(PhilCam8116_XP) Logitech QuickCam Pro 3000(PID_08B1) [Kernel | On_Demand | Stopped] -> %System32%\DRIVERS\CamDrL20.sys -> Logitech Inc. [Ver = 8.3.0.1096 | Size = 245760 bytes | Modified Date = 5/21/2004 2:16:50 PM | Attr =	]

(Ptilink) Direct Parallel Link Driver [Kernel | On_Demand | Running] -> %System32%\DRIVERS\PTILINK.SYS -> Parallel Technologies, Inc. [Ver = 1.10 (XPClient.010817-1148) | Size = 17792 bytes | Modified Date = 8/29/2002 6:00:00 AM | Attr =	]

(PxHelp20) PxHelp20 [Kernel | Boot | Running] -> %System32%\DRIVERS\pxhelp20.sys -> Sonic Solutions [Ver = 3.00.43J | Size = 36624 bytes | Modified Date = 10/18/2006 3:00:00 AM | Attr =	]

(PzWDM) PzWDM [Kernel | Boot | Running] -> %System32%\DRIVERS\PzWDM.sys -> Prassi Technology [Ver = 1, 0, 0, 59 | Size = 15172 bytes | Modified Date = 12/11/2007 3:37:09 PM | Attr =	]

(ql1080) ql1080 [Kernel | Disabled | Stopped] -> %System32%\DRIVERS\QL1080.SYS -> QLogic Corporation [Ver = 3.04 | Size = 40320 bytes | Modified Date = 8/17/2001 2:52:20 PM | Attr =	]

(ql12160) ql12160 [Kernel | Disabled | Stopped] -> %System32%\DRIVERS\QL12160.SYS -> QLogic Corporation [Ver = 7.13.02 (W64) | Size = 45312 bytes | Modified Date = 8/17/2001 2:52:20 PM | Attr =	]

(ql1280) ql1280 [Kernel | Disabled | Stopped] -> %System32%\DRIVERS\QL1280.SYS -> QLogic Corporation [Ver = 7.13.01 (W2K) | Size = 49024 bytes | Modified Date = 8/17/2001 2:52:18 PM | Attr =	]

(SaiNtHid) SaiNtHid [Kernel | On_Demand | Stopped] -> %System32%\DRIVERS\SaiNtHid.sys -> Saitek [Ver = 3,02,000,013 | Size = 48384 bytes | Modified Date = 4/10/2003 10:42:56 AM | Attr =	]

(SaiNtSub) SaiNtSub [Kernel | On_Demand | Stopped] -> %System32%\DRIVERS\saintsub.sys -> Saitek [Ver = 3,02,000,013 | Size = 19200 bytes | Modified Date = 4/10/2003 10:42:32 AM | Attr =	]

(Secdrv) Secdrv [Kernel | Auto | Running] -> %System32%\DRIVERS\secdrv.sys -> Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K. [Ver = 4.03.086 | Size = 20480 bytes | Modified Date = 11/13/2007 5:25:53 AM | Attr =	]

(Simbad) Simbad [Kernel | Disabled | Stopped] ->  -> File not found

(sisagp) SIS AGP Bus Filter [Kernel | Disabled | Stopped] -> %System32%\DRIVERS\sisagp.sys -> Silicon Integrated Systems Corporation [Ver = 5.12.01.2010 (xpsp_sp2_rtm.040803-2158) | Size = 41088 bytes | Modified Date = 8/4/2004 1:07:42 AM | Attr =	]

(Sparrow) Sparrow [Kernel | Disabled | Stopped] -> %System32%\DRIVERS\SPARROW.SYS -> Adaptec, Inc. [Ver = v2.0a (ReleaseBinaries.001205-1804) | Size = 19072 bytes | Modified Date = 8/17/2001 3:07:44 PM | Attr =	]

(sscdbhk5) sscdbhk5 [File_System | System | Running] -> %System32%\DRIVERS\sscdbhk5.sys -> Sonic Solutions [Ver = 1.10.81a | Size = 5621 bytes | Modified Date = 7/14/2003 12:28:40 PM | Attr =	]

(ssmdrv) ssmdrv [Kernel | System | Running] -> %System32%\DRIVERS\ssmdrv.sys -> Avira GmbH [Ver = 7.0.1.1 | Size = 28352 bytes | Modified Date = 3/1/2007 10:34:36 AM | Attr =	]

(ssrtln) ssrtln [File_System | System | Running] -> %System32%\DRIVERS\ssrtln.sys -> Sonic Solutions [Ver = 1.10.81a | Size = 23219 bytes | Modified Date = 7/14/2003 12:28:22 PM | Attr =	]

(symc810) symc810 [Kernel | Disabled | Stopped] -> %System32%\DRIVERS\SYMC810.SYS -> Symbios Logic Inc. [Ver = 5.1.2409.1 (ReleaseBinaries.001205-1804) | Size = 16256 bytes | Modified Date = 8/17/2001 3:07:34 PM | Attr =	]

(symc8xx) symc8xx [Kernel | Disabled | Stopped] -> %System32%\DRIVERS\SYMC8XX.SYS -> LSI Logic [Ver = 5.1.2409.1 (ReleaseBinaries.001205-1804) | Size = 32640 bytes | Modified Date = 8/17/2001 3:07:36 PM | Attr =	]

(sym_hi) sym_hi [Kernel | Disabled | Stopped] -> %System32%\DRIVERS\SYM_HI.SYS -> LSI Logic [Ver = 5.1.2462.0 (Lab01_N.010309-0027) | Size = 28384 bytes | Modified Date = 8/17/2001 3:07:40 PM | Attr =	]

(sym_u3) sym_u3 [Kernel | Disabled | Stopped] -> %System32%\DRIVERS\SYM_U3.SYS -> LSI Logic [Ver = 5.1.2462.0 (Lab01_N.010309-0027) | Size = 30688 bytes | Modified Date = 8/17/2001 3:07:42 PM | Attr =	]

(tfsnboio) tfsnboio [File_System | Auto | Running] -> %System32%\dla\tfsnboio.sys -> Sonic Solutions [Ver = 1.04.05b | Size = 25685 bytes | Modified Date = 8/6/2003 2:04:00 AM | Attr =	]

(tfsncofs) tfsncofs [File_System | Auto | Running] -> %System32%\dla\tfsncofs.sys -> Sonic Solutions [Ver = 1.04.05b | Size = 34837 bytes | Modified Date = 8/6/2003 2:04:00 AM | Attr =	]

(tfsndrct) tfsndrct [File_System | Auto | Running] -> %System32%\dla\tfsndrct.sys -> Sonic Solutions [Ver = 1.04.05b | Size = 4117 bytes | Modified Date = 8/6/2003 2:04:00 AM | Attr =	]

(tfsndres) tfsndres [File_System | Auto | Running] -> %System32%\dla\tfsndres.sys -> Sonic Solutions [Ver = 1.04.05b | Size = 2233 bytes | Modified Date = 8/6/2003 2:04:00 AM | Attr =	]

(tfsnifs) tfsnifs [File_System | Auto | Running] -> %System32%\dla\tfsnifs.sys -> Sonic Solutions [Ver = 1.04.05b | Size = 83284 bytes | Modified Date = 8/6/2003 2:04:00 AM | Attr =	]

(tfsnopio) tfsnopio [File_System | Auto | Running] -> %System32%\dla\tfsnopio.sys -> Sonic Solutions [Ver = 1.04.05b | Size = 14229 bytes | Modified Date = 8/6/2003 2:04:00 AM | Attr =	]

(tfsnpool) tfsnpool [File_System | Auto | Running] -> %System32%\dla\tfsnpool.sys -> Sonic Solutions [Ver = 1.04.05b | Size = 6357 bytes | Modified Date = 8/6/2003 2:04:00 AM | Attr =	]

(tfsnudf) tfsnudf [File_System | Auto | Running] -> %System32%\dla\tfsnudf.sys -> Sonic Solutions [Ver = 1.04.05b | Size = 98068 bytes | Modified Date = 8/6/2003 2:04:00 AM | Attr =	]

(tfsnudfa) tfsnudfa [File_System | Auto | Running] -> %System32%\dla\tfsnudfa.sys -> Sonic Solutions [Ver = 1.04.05b | Size = 100373 bytes | Modified Date = 8/6/2003 2:04:00 AM | Attr =	]

(ultra) ultra [Kernel | Disabled | Stopped] -> %System32%\DRIVERS\ULTRA.SYS -> Promise Technology, Inc. [Ver =  1.43 (Build 0603) | Size = 36736 bytes | Modified Date = 8/17/2001 2:52:22 PM | Attr =	]

(wanatw) WAN Miniport (ATW) [Kernel | On_Demand | Stopped] -> System32\DRIVERS\wanatw4.sys -> File not found

(WDICA) WDICA [Kernel | On_Demand | Stopped] ->  -> File not found

(USBNET_XP) Instant Wireless XP USB Network Adapter ver.2.6 Driver [Kernel | On_Demand | Running] -> %System32%\DRIVERS\netusbxp.sys -> The LinkSys Group, Inc. [Ver = 1.02.02.0066 built by: WinDDK | Size = 72576 bytes | Modified Date = 2/20/2002 2:34:18 AM | Attr =	]



[Registry - Non-Microsoft Only]

< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 

ATICCC -> %ProgramFiles%\ATI Technologies\ATI.ACE\CLI.exe -> ATI Technologies Inc. [Ver = 1.11.0.0 | Size = 45056 bytes | Modified Date = 8/12/2005 2:43:58 PM | Attr =	]

avgnt -> %ProgramFiles%\Avira\AntiVir PersonalEdition Classic\avgnt.exe -> Avira GmbH [Ver = 7.02.00.16 | Size = 249896 bytes | Modified Date = 12/26/2007 1:57:05 PM | Attr =	]

ctfmona -> %System32%\ctfmona.exe ->  [Ver =  | Size = 29824 bytes | Modified Date = 1/9/2008 12:45:21 PM | Attr =	]

DVDSentry -> %System32%\DSentry.exe -> Dell - Advanced Desktop Engineering [Ver = 1, 0, 5, 0 | Size = 28672 bytes | Modified Date = 8/13/2003 11:27:40 AM | Attr =	]

HPWUTOOLBOX -> %ProgramFiles%\HP\HP Officejet Pro K550 Series\Toolbox\HPWUTBX.exe -> Hewlett-Packard Company [Ver = 2005.0919.0.0 | Size = 352256 bytes | Modified Date = 9/19/2005 10:31:48 AM | Attr =	]

iTunesHelper -> %ProgramFiles%\iTunes\iTunesHelper.exe -> Apple Inc. [Ver = 7.2.0.35 | Size = 257088 bytes | Modified Date = 6/1/2007 3:51:26 PM | Attr =	]

Printer -> %System32%\printer.exe -> File not found

QuickTime Task -> %ProgramFiles%\QuickTime\qttask.exe -> Apple Inc. [Ver = 7.1.6 | Size = 282624 bytes | Modified Date = 4/27/2007 8:41:54 AM | Attr =	]

< RunOnceEx [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx -> 

 ->  -> File not found

< OptionalComponents [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ -> 

IMAIL-> Installed = 1 -> 

MAPI-> Installed = 1 -> 

MSFS-> Installed = 1 -> 

< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 

DellSupport -> %ProgramFiles%\DellSupport\DSAgnt.exe -> Gteko Ltd. [Ver = 3, 0, 0, 197 | Size = 460784 bytes | Modified Date = 3/15/2007 10:09:36 AM | Attr =	]

Spoolsv -> %System32%\spoolvs.exe -> File not found

Yahoo! Pager -> %ProgramFiles%\Yahoo!\Messenger\YahooMessenger.exe -> Yahoo! Inc. [Ver = 8,1,0,209 | Size = 4662776 bytes | Modified Date = 11/30/2006 9:49:04 PM | Attr =	]

< RunOnce [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce -> 

FlashPlayerUpdate -> %System32%\Macromed\Flash\FlashUtil9c.exe -> Adobe Systems, Inc. [Ver = 9,0,45,0 | Size = 190696 bytes | Modified Date = 3/23/2007 4:59:38 PM | Attr = R  ]

< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup -> 

 -> %AllUsersStartup%\traywc.exe -> weight commander [Ver = 1.00 | Size = 274432 bytes | Modified Date = 2/7/2003 | Attr =	]

< Nichole Startup Folder > -> C:\Documents and Settings\Nichole\Start Menu\Programs\Startup -> 

< ICQ Agent [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\ ->

HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\ -> ->

< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs -> 

*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls -> 

C:\WINDOWS\system32\wowfx.dll -> %System32%\wowfx.dll ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/13/2007 10:09:16 PM | Attr =	]

*MultiFile Done* -> -> 

< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks -> 

{57B86673-276A-48B2-BAE7-C6DBB3020EB8} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll [AVG Anti-Spyware 7.5] -> GRISOFT s.r.o. [Ver = 7, 5, 1, 36 | Size = 79408 bytes | Modified Date = 5/30/2007 7:29:58 AM | Attr =	]

{AEBF6926-DBA6-4100-A838-1CED0169AB78} [HKEY_LOCAL_MACHINE] -> %System32%\ddcdday.dll [] -> File not found

< SecurityProviders [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders -> 

*SecurityProviders* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders -> 

xlibgfl254.dll -> xlibgfl254.dll -> File not found

wowfx.dll -> %System32%\wowfx.dll ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/13/2007 10:09:16 PM | Attr =	]

*MultiFile Done* -> -> 

< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 

< Winlogon settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 

< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ -> 

AtiExtEvent -> %System32%\ati2evxx.dll -> ATI Technologies Inc. [Ver = 6.14.10.4129 | Size = 61440 bytes | Modified Date = 1/24/2006 10:46:38 PM | Attr =	]

< CurrentVersion Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\ ->  -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 255 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoCDBurning -> 0 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveAutoRun -> 67108863 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption ->  -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext ->  -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ -> -> 

< CurrentVersion Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ -> -> 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\ -> -> 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> -> 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 -> 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ -> -> 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> -> 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ -> -> 

< HOSTS File > (27 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts -> 

< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> -> 

HKEY_LOCAL_MACHINE\: Main\\Default_Page_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome -> 

HKEY_LOCAL_MACHINE\: Main\\Default_Search_URL -> http://www.google.com/ie -> 

HKEY_LOCAL_MACHINE\: Main\\Local Page -> C:\WINDOWS\SYSTEM32\blank.htm -> 

HKEY_LOCAL_MACHINE\: Main\\Search Bar -> http://us.rd.yahoo.com/customize/ie/defaults/sb/ymj/*http://www.yahoo.com/ext/search/search.html -> 

HKEY_LOCAL_MACHINE\: Main\\Search Page -> http://www.google.com -> 

HKEY_LOCAL_MACHINE\: Main\\Start Page -> about:blank -> 

HKEY_LOCAL_MACHINE\: Search\\CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm -> 

HKEY_LOCAL_MACHINE\: Search\\Default_Search_URL -> http://www.google.com/ie -> 

HKEY_LOCAL_MACHINE\: Search\\SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm -> 

< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> -> 

HKEY_CURRENT_USER\: Main\\Default_Search_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 

HKEY_CURRENT_USER\: Main\\Local Page -> C:\WINDOWS\SYSTEM32\blank.htm -> 

HKEY_CURRENT_USER\: Main\\Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 

HKEY_CURRENT_USER\: Main\\Start Page -> http://www.yahoo.com/ -> 

HKEY_CURRENT_USER\: Search\\SearchAssistant -> http://www.google.com/ie -> 

HKEY_CURRENT_USER\: ProxyEnable -> 0 -> 

< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 1 domain(s) found. -> 

1 domain(s) and sub-domain(s) not assigned to a zone.

< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 

< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 5868 domain(s) found. -> 

< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 87 range(s) found. -> 

< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ -> 

{AEBF6926-DBA6-4100-A838-1CED0169AB78} [HKEY_LOCAL_MACHINE] -> %System32%\ddcdday.dll [Reg Error: Value  does not exist or could not be read.] -> File not found

{d85d75a6-8f76-4db7-b86f-17a3b9151e99} [HKEY_LOCAL_MACHINE] -> %System32%\rfyaamtw.dll [Reg Error: Value  does not exist or could not be read.] -> File not found

{F10587E9-0E47-4CBE-84AE-7DD20B8684BB} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Helper\Helper9.dll [e404mgr Class] -> File not found

{F10587E9-0E47-4CBE-84AE-7DD20B8684CC} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Helper\bigsearchonline.dll [e404mgr Class] ->  [Ver = 1, 0, 0, 1 | Size = 15872 bytes | Modified Date = 1/26/2008 11:47:56 PM | Attr =	]

{F9F015F4-96EE-4036-A507-C9221F19C387} [HKEY_LOCAL_MACHINE] -> %System32%\pmnno.dll [Reg Error: Value  does not exist or could not be read.] -> File not found

{FA0A6530-CD33-4433-02A2-40686EF73076} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\MSN Gaming Zone\lavujat251.dll [Reg Error: Value  does not exist or could not be read.] -> File not found

< Internet Explorer Bars [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ -> 

{4528BBE0-4E08-11D5-AD55-00010333D0AD} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found

< Internet Explorer Bars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ -> 

{32683183-48a0-441b-a342-7c2a440a9478} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found

{4528BBE0-4E08-11D5-AD55-00010333D0AD} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found

< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ -> 

WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Yahoo! Toolbar] -> File not found

< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\ -> 

CmdMapping\\{85d1f590-48f4-11d9-9669-0800200c9a66} [HKEY_LOCAL_MACHINE] ->  [Reg Error: Key does not exist or could not be opened.] -> File not found

CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKEY_LOCAL_MACHINE] ->  [Reg Error: Key does not exist or could not be opened.] -> File not found

CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKEY_LOCAL_MACHINE] ->  [Reg Error: Key does not exist or could not be opened.] -> File not found

< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ -> 

PluginsPageFriendlyName -> Microsoft ActiveX Gallery -> 

PluginsPage -> http://activex.microsoft.com/controls/find.asp?ext=%s&mime=%s -> 

< User Agent Post Platform [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform -> 

SV1 ->  -> 

< DNS Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ -> 

{1A7DA63D-F2E9-4AF2-9348-F6AA628084C0} ->	(Instant Wireless USB Network Adapter ver.2.6) -> 

{714981A2-3268-43A1-B9D8-5B1A333EBFCB} -> 4.2.2.2   (Intel(R) PRO/100 VE Network Connection) -> 

{799D3E13-0363-4653-AF81-9723293CD78D} ->	(Instant Wireless USB Network Adapter ver.2.6) -> 

{AC0C8180-07D4-4C70-801B-487E3E94C915} ->	() -> 

< Protocol Handlers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ -> 

cetihpz:{CF184AD3-CDCB-4168-A3F7-8E447D129300} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\HP\hpcoretech\comp\hpuiprot.dll[CZipHandler Object] -> Hewlett-Packard Company [Ver = 2.1.5 | Size = 81920 bytes | Modified Date = 5/12/2004 2:18:56 PM | Attr =	]

ipp: [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened.[{1A03F196-9617-4CA0-842B-A83CEECB022B}] -> File not found

msdaipp: [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened.[{1A03F196-9617-4CA0-842B-A83CEECB022B}] -> File not found

< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ -> 

{17492023-C23A-453E-A040-C7C580BBF700}[HKEY_LOCAL_MACHINE] -> http://go.microsoft.com/fwlink/?linkid=39204[Windows Genuine Advantage Validation Tool] -> 

{30528230-99f7-4bb4-88d8-fa1d4f56a2ab}[HKEY_LOCAL_MACHINE] -> C:\Program Files\Yahoo!\Common\Yinsthelper.dll[Installation Support] -> 

{33564D57-0000-0010-8000-00AA00389B71}[HKEY_LOCAL_MACHINE] -> http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB[Reg Error: Key does not exist or could not be opened.] -> 

{406B5949-7190-4245-91A9-30A17DE16AD0}[HKEY_LOCAL_MACHINE] -> http://www1.snapfish.com/SnapfishActivia.cab[Snapfish Activia] -> 

{7E0FDFBB-87D4-43A1-9AD4-41F0EA8AFF7B}[HKEY_LOCAL_MACHINE] -> https://vpn.fbwebapps.com/net6helper.cab[Net6Launcher Class] -> 

{8AD9C840-044E-11D1-B3E9-00805F499D93}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab[Java Plug-in 1.5.0_03] -> 

{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}[HKEY_LOCAL_MACHINE] -> http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab[Reg Error: Key does not exist or could not be opened.] -> 

{9F1C11AA-197B-4942-BA54-47A8489BB47F}[HKEY_LOCAL_MACHINE] -> http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38124.5903240741[Reg Error: Key does not exist or could not be opened.] -> 

{A17E30C4-A9BA-11D4-8673-60DB54C10000}[HKEY_LOCAL_MACHINE] -> http://download.yahoo.com/dl/installs/ymail/ymmapi.dll[YahooYMailTo Class] -> 

{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab[Java Plug-in 1.4.2] -> 

{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab[Java Plug-in 1.5.0_03] -> 

{D27CDB6E-AE6D-11CF-96B8-444553540000}[HKEY_LOCAL_MACHINE] -> http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab[Shockwave Flash Object] -> 

{EBC1356E-7D5E-44EC-831D-847882F06FE5}[HKEY_LOCAL_MACHINE] -> https://www.fbwebapps.com/farm%20bureau%20insurance/cds/CGC/en/CSGProxy.cab[Gateway Client for MetaFrame] -> 

Microsoft XML Parser for Java[HKEY_LOCAL_MACHINE] -> file://C:\WINDOWS\Java\classes\xmldso.cab[Reg Error: Key does not exist or could not be opened.] -> 





[Registry - Additional Scans - Non-Microsoft Only]

< BotCheck > -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\ -> ->

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\\DefaultLaunchPermission -> (binary data) -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\\EnableDCOM -> Y -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\\MachineLaunchRestriction -> (binary data) -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\\MachineAccessRestriction -> (binary data) -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\\{A50398B8-9075-4FBF-A7A1-456BF21937AD} -> 1 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\\{AD65A69D-3831-40D7-9629-9B0B50A93843} -> 1 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\\{0040D221-54A1-11D1-9DE0-006097042D69} -> 1 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\\{2A6D72F1-6E7E-4702-B99C-E40D3DED33C3} -> 1 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\NONREDIST\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\NONREDIST\\System.EnterpriseServices.Thunk.dll ->  -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\ -> ->

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\AntiVirusDisableNotify -> 0 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\FirewallDisableNotify -> 0 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\UpdatesDisableNotify -> 0 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\AntiVirusOverride -> 0 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\FirewallOverride -> 0 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall\ -> -> 

Reg Error: Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\ not found. -> -> 

Reg Error: Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\ not found. -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ -> ->

*Authentication Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages -> 

msv1_0 -> %System32%\msv1_0.dll -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 129536 bytes | Modified Date = 8/4/2004 2:56:43 AM | Attr =	]

C:\\WINDOWS\\system32\\pmnno ->  -> File not found

*MultiFile Done* -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Bounds -> (binary data) -> 

*Security Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Security Packages -> 

kerberos -> %System32%\kerberos.dll -> Microsoft Corporation [Ver = 5.1.2600.2698 (xpsp_sp2_gdr.050614-1522) | Size = 295936 bytes | Modified Date = 6/15/2005 12:49:30 PM | Attr =	]

msv1_0 -> %System32%\msv1_0.dll -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 129536 bytes | Modified Date = 8/4/2004 2:56:43 AM | Attr =	]

schannel -> %System32%\schannel.dll -> Microsoft Corporation [Ver = 5.1.2600.3126 (xpsp_sp2_gdr.070425-0226) | Size = 144896 bytes | Modified Date = 4/25/2007 9:21:15 AM | Attr =	]

wdigest -> %System32%\wdigest.dll -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 49152 bytes | Modified Date = 8/4/2004 2:56:46 AM | Attr =	]

*MultiFile Done* -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\LsaPid -> 976 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\SecureBoot -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\auditbaseobjects -> 0 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\crashonauditfail -> 0 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\disabledomaincreds -> 0 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\everyoneincludesanonymous -> 0 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\fipsalgorithmpolicy -> 0 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\forceguest -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\fullprivilegeauditing -> (binary data) -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\limitblankpassworduse -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\lmcompatibilitylevel -> 0 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\nodefaultadminowner -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\nolmhash -> 0 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\restrictanonymous -> 0 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\restrictanonymoussam -> 1 -> 

*Notification Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Notification Packages -> 

scecli -> %System32%\scecli.dll -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 180224 bytes | Modified Date = 8/4/2004 2:56:44 AM | Attr =	]

*MultiFile Done* -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\ImpersonatePrivilegeUpgradeToolHasRun -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\enabledcom -> y -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\ -> -> 

*ProviderOrder* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\\ProviderOrder -> 

Windows NT Access Provider ->  -> File not found

*MultiFile Done* -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider\\ProviderPath -> C:\WINDOWS\SYSTEM32\ntmarta.dll [%SystemRoot%\system32\ntmarta.dll] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 118784 bytes | Modified Date = 8/4/2004 2:56:44 AM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data\\Pattern -> (binary data) -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG\\GrafBlumGroup -> (binary data) -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD\\Lookup -> (binary data) -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\SidCache\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\\Auth132 -> C:\WINDOWS\SYSTEM32\IISSUBA.DLL [IISSUBA] -> Microsoft Corporation [Ver = 6.0.2600.0 (xpclient.010817-1148) | Size = 9216 bytes | Modified Date = 8/29/2002 6:00:00 AM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\\ntlmminclientsec -> 0 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\\ntlmminserversec -> 0 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1\\SkewMatrix -> (binary data) -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4\\SSOURL -> http://www.passport.com -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\\Time -> (binary data) -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Name -> Digest -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Comment -> Digest SSPI Authentication Package -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Capabilities -> 16464 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\RpcId -> 65535 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Version -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\TokenSize -> 65535 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Time -> (binary data) -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Type -> 49 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Name -> DPA -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Comment -> DPA Security Package -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Capabilities -> 55 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\RpcId -> 17 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Version -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\TokenSize -> 768 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Time -> (binary data) -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Type -> 49 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Name -> MSN -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Comment -> MSN Security Package -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Capabilities -> 55 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\RpcId -> 18 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Version -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\TokenSize -> 768 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Time -> (binary data) -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Type -> 49 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\ -> ->

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\Type -> 32 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\Start -> 2 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\ErrorControl -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\ImagePath -> C:\WINDOWS\SYSTEM32\svchost.exe [%SystemRoot%\System32\svchost.exe -k netsvcs] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 8/4/2004 2:56:57 AM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\DisplayName -> Internet Connection Sharing -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\DependOnService -> Netman;WinMgmt; -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\DependOnGroup ->  -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\ObjectName -> LocalSystem -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\Description -> Provides network address translation, addressing, and name resolution services for all computers on your home network through a dial-up connection. -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\\Epoch -> 36202 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\\ServiceDll -> C:\WINDOWS\SYSTEM32\ipnathlp.dll [%SystemRoot%\System32\ipnathlp.dll] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 331264 bytes | Modified Date = 8/4/2004 2:56:42 AM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\139:TCP -> 139:TCP:*:Enabled:@xpsp2res.dll,-22004 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\445:TCP -> 445:TCP:*:Enabled:@xpsp2res.dll,-22005 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\137:UDP -> 137:UDP:*:Enabled:@xpsp2res.dll,-22001 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\138:UDP -> 138:UDP:*:Enabled:@xpsp2res.dll,-22002 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\\EnableFirewall -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\\DoNotAllowExceptions -> 0 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\\DisableNotifications -> 0 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Internet Explorer\iexplore.exe -> C:\Program Files\Internet Explorer\iexplore.exe [C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer] -> Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Size = 93184 bytes | Modified Date = 8/4/2004 2:56:50 AM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe -> C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe [C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger] -> Yahoo! Inc. [Ver = 8,1,0,209 | Size = 4662776 bytes | Modified Date = 11/30/2006 9:49:04 PM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\139:TCP -> 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll [139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004] -> File not found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\445:TCP -> 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll [445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005] -> File not found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\137:UDP -> 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll [137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001] -> File not found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\138:UDP -> 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll [138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002] -> File not found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\1900:UDP -> 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll [1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007] -> File not found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\2869:TCP -> 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll [2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008] -> File not found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Security\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Security\\Security -> (binary data) -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\\ServiceUpgrade -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate\\{FDD13E98-83D5-4010-8D93-4891C63586FA} -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate\\All -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\\0 -> Root\LEGACY_SHAREDACCESS\0000 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\\Count -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\\NextInstance -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\ -> ->

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Type -> 32 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Start -> 2 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ErrorControl -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ImagePath -> C:\WINDOWS\SYSTEM32\svchost.exe [%systemroot%\system32\svchost.exe -k netsvcs] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 8/4/2004 2:56:57 AM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\DisplayName -> Automatic Updates -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ObjectName -> LocalSystem -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Description -> Enables the download and installation of critical Windows updates. If the service is disabled, the operating system can be manually updated at the Windows Update Web site. -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters\\ServiceDll -> C:\WINDOWS\SYSTEM32\wuauserv.dll [C:\WINDOWS\system32\wuauserv.dll] -> Microsoft Corporation [Ver = 5.4.3790.2180 (xpsp_sp2_rtm.040803-2158) | Size = 6656 bytes | Modified Date = 8/4/2004 2:56:46 AM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Security\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Security\\Security -> (binary data) -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\0 -> Root\LEGACY_WUAUSERV\0000 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\Count -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\NextInstance -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\ -> ->

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\Description -> Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. If this service is disabled, any services that explicitly depend on it will fail to start. -> 

*DependOnService* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\DependOnService -> 

RPCSS -> %System32%\rpcss.dll -> Microsoft Corporation [Ver = 5.1.2600.2726 (xpsp_sp2_gdr.050725-1528) | Size = 397824 bytes | Modified Date = 7/25/2005 11:39:49 PM | Attr =	]

*MultiFile Done* -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\DisplayName -> Remote Registry -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\ErrorControl -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\ImagePath -> C:\WINDOWS\SYSTEM32\svchost.exe [%SystemRoot%\system32\svchost.exe -k LocalService] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 8/4/2004 2:56:57 AM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\ObjectName -> NT AUTHORITY\LocalService -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\Group ->  -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\Start -> 2 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\Type -> 32 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\FailureActions -> (binary data) -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Parameters\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Parameters\\ServiceDll -> C:\WINDOWS\SYSTEM32\regsvc.dll [%SystemRoot%\system32\regsvc.dll] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 59904 bytes | Modified Date = 8/4/2004 2:56:44 AM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Security\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Security\\Security -> (binary data) -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Enum\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Enum\\0 -> Root\LEGACY_REMOTEREGISTRY\0000 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Enum\\Count -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Enum\\NextInstance -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\ -> ->

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\Type -> 16 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\Start -> 4 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\ErrorControl -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\ImagePath -> C:\WINDOWS\SYSTEM32\tlntsvr.exe [C:\WINDOWS\System32\tlntsvr.exe] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 73216 bytes | Modified Date = 8/4/2004 2:56:57 AM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\DisplayName -> Telnet -> 

*DependOnService* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\DependOnService -> 

RPCSS -> %System32%\rpcss.dll -> Microsoft Corporation [Ver = 5.1.2600.2726 (xpsp_sp2_gdr.050725-1528) | Size = 397824 bytes | Modified Date = 7/25/2005 11:39:49 PM | Attr =	]

TCPIP ->  -> File not found

NTLMSSP ->  -> File not found

*MultiFile Done* -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\DependOnGroup ->  -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\ObjectName -> LocalSystem -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\Description -> Enables a remote user to log on to this computer and run programs, and supports various TCP/IP Telnet clients, including UNIX-based and Windows-based computers. If this service is stopped, remote user access to programs might be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Security\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Security\\Security -> (binary data) -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings\ -> ->

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings\\ProxyEnable -> 0 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings\\EnableAutodial -> 0 -> 

< Session Manager Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> 

BootExecute -> autocheck autochk *; -> 

ExcludeFromKnownDlls ->  -> 

*PendingFileRenameOperations* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\\PendingFileRenameOperations -> 

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\System32\wowfx.dll [\??\C:\WINDOWS\System32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\WINDOWS\system32\wowfx.dll [\??\C:\WINDOWS\system32\wowfx.dll]  -> %System32%\wowfx.dll [%System32%\wowfx.dll] ->  [Ver =  | Size = 18944 bytes | Modified Date = 5/14/2007 10:12:26 AM | Attr =	]

\??\C:\DOCUME~1\Nichole\LOCALS~1\Temp\A~NSISu_.exe [\??\C:\DOCUME~1\Nichole\LOCALS~1\Temp\A~NSISu_.exe]  -> %LocalSettings%\Temp\A~NSISu_.exe [%LocalSettings%\Temp\A~NSISu_.exe] -> Pandora-Software [Ver = 3.5.1.20 | Size = 71188 bytes | Modified Date = 1/9/2008 12:45:45 PM | Attr =	]

*MultiFile Done* -> -> 

< Session Manager Environment Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment -> 

ComSpec -> C:\WINDOWS\SYSTEM32\cmd.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 388608 bytes | Modified Date = 8/4/2004 2:56:48 AM | Attr =	]

TEMP -> %SystemRoot%\TEMP -> 

TMP -> %SystemRoot%\TEMP -> 

windir -> %SystemRoot% -> 

*Path* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\\Path -> 

%SystemRoot%\system32 -> %System32% ->  [Folder | Modified Date = 1/26/2008 11:50:50 PM | Attr =	]

%SystemRoot% -> %SystemRoot% ->  [Folder | Modified Date = 1/26/2008 11:43:39 PM | Attr =	]

%SystemRoot%\System32\Wbem -> %System32%\WBEM ->  [Folder | Modified Date = 12/6/2006 11:18:05 PM | Attr =	]

C:\Program Files\ATI Technologies\ATI.ACE\ -> %ProgramFiles%\ATI Technologies\ATI.ACE ->  [Folder | Modified Date = 12/8/2006 10:33:16 PM | Attr =	]

C:\Program Files\QuickTime\QTSystem\ -> %ProgramFiles%\QuickTime\QTSystem ->  [Folder | Modified Date = 6/6/2007 7:13:25 PM | Attr =	]

*MultiFile Done* -> -> 

*PATHEXT* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\\PATHEXT -> 

.COM -> .COM -> File not found

.EXE -> .EXE -> File not found

.BAT -> .BAT -> File not found

.CMD -> .CMD -> File not found

.VBS -> .VBS -> File not found

.VBE -> .VBE -> File not found

.JS -> .JS -> File not found

.JSE -> .JSE -> File not found

.WSF -> .WSF -> File not found

.WSH -> .WSH -> File not found

*MultiFile Done* -> -> 

< Software Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\policies\ -> 

HKEY_LOCAL_MACHINE\SOFTWARE\policies\ -> ->

HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Conferencing\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Internet Explorer\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Internet Explorer\Restrictions\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Messenger\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Messenger\Client\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Messenger\Client\\PreventAutoRun -> 1 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\MRT\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Installer\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Installer\\EnableAdminTSRemote -> 1 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\RTC\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\RTC\PortRange\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\RTC\PortRange\\Enabled -> 0 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\ -> -> 

*ExecutableTypes* -> HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\\ExecutableTypes -> 

ADE ->  -> File not found

ADP ->  -> File not found

BAS ->  -> File not found

BAT ->  -> File not found

CHM ->  -> File not found

CMD -> %System32%\cmd.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 388608 bytes | Modified Date = 8/4/2004 2:56:48 AM | Attr =	]

COM ->  -> File not found

CPL ->  -> File not found

CRT ->  -> File not found

EXE ->  -> File not found

HLP ->  -> File not found

HTA ->  -> File not found

INF ->  -> File not found

INS ->  -> File not found

ISP ->  -> File not found

LNK ->  -> File not found

MDB ->  -> File not found

MDE ->  -> File not found

MSC ->  -> File not found

MSI -> %System32%\msi.dll -> Microsoft Corporation [Ver = 3.1.4000.4039 | Size = 2854400 bytes | Modified Date = 4/18/2007 11:12:23 AM | Attr =	]

MSP ->  -> File not found

MST ->  -> File not found

OCX ->  -> File not found

PCD ->  -> File not found

PIF ->  -> File not found

REG -> %System32%\reg.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 50176 bytes | Modified Date = 8/4/2004 2:56:55 AM | Attr =	]

SCR ->  -> File not found

SHS ->  -> File not found

URL -> %System32%\url.dll -> Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Size = 37888 bytes | Modified Date = 8/4/2004 2:56:46 AM | Attr =	]

VB ->  -> File not found

WSC ->  -> File not found

*MultiFile Done* -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\\TransparentEnabled -> 1 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\\DefaultLevel -> 262144 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\\AuthenticodeEnabled -> 0 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\\PolicyScope -> 0 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}\\Description -> Stop the download of this file -> 

HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}\\FriendlyName -> Mdac11.cab [Mdac11.cab] -> File not found

HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}\\SaferFlags -> 0 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}\\HashAlg -> 32771 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}\\ItemData -> (binary data) -> 

HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}\\LastModified ->  -> 

*ItemSize* -> HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}\\ItemSize -> 

̋ ->  -> File not found

*MultiFile Done* -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}\\Description -> Stop the download of this file -> 

HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}\\FriendlyName -> mdac20.cab [mdac20.cab] -> File not found

HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}\\SaferFlags -> 0 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}\\HashAlg -> 32771 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}\\ItemData -> (binary data) -> 

HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}\\LastModified ->  -> 

*ItemSize* -> HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}\\ItemSize -> 

ȅ ->  -> File not found

*MultiFile Done* -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}\\Description -> Stop the download of this file -> 

HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}\\FriendlyName -> mdac20_a.cab [mdac20_a.cab] -> File not found

HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}\\SaferFlags -> 0 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}\\HashAlg -> 32771 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}\\ItemData -> (binary data) -> 

HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}\\LastModified ->  -> 

*ItemSize* -> HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}\\ItemSize -> 

Ζ ->  -> File not found

*MultiFile Done* -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}\\Description -> Stop the download of this file -> 

HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}\\FriendlyName -> _msadc10.cab [_msadc10.cab] -> File not found

HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}\\SaferFlags -> 0 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}\\HashAlg -> 32771 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}\\ItemData -> (binary data) -> 

HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}\\LastModified ->  -> 

*ItemSize* -> HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}\\ItemSize -> 

å ->  -> File not found

*MultiFile Done* -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}\\Description -> Stop the download of this file -> 

HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}\\FriendlyName -> msadc11.cab [msadc11.cab] -> File not found

HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}\\SaferFlags -> 0 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}\\HashAlg -> 32771 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}\\ItemData -> (binary data) -> 

HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}\\LastModified ->  -> 

*ItemSize* -> HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}\\ItemSize -> 

Ų ->  -> File not found

*MultiFile Done* -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}\\Description ->  -> 

HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}\\SaferFlags -> 0 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}\\ItemData -> %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK* -> 

HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}\\LastModified ->  -> 

HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows NT\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows NT\Terminal Services\ -> -> 

< Software Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\policies\ -> 

HKEY_CURRENT_USER\Software\Policies\ -> ->

HKEY_CURRENT_USER\Software\Policies\Microsoft\ -> -> 

HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\ -> -> 

HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\ -> -> 

HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions\ -> -> 

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\ -> -> 

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\AppCompat\ -> -> 

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\ -> -> 

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Windows Update\ -> -> 

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Windows Update\\NoAutoUpdate -> 1 -> 

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Windows Update\\NoWindowsUpdate -> 1 -> 

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsUpdate\ -> -> 

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\ -> -> 

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\\AutoUpdate -> 1 -> 





[Files/Folders - Created Within 30 days]

Linksys Driver -> %SystemDrive%\Linksys Driver ->  [Folder | Created Date = 1/26/2008 11:42:57 PM | Attr =	]

ctfmona.exe -> %System32%\ctfmona.exe ->  [Ver =  | Size = 29824 bytes | Created Date = 1/9/2008 12:45:21 PM | Attr =	]

imsins.BAK -> %SystemRoot%\imsins.BAK ->  [Ver =  | Size = 1355 bytes | Created Date = 1/7/2008 10:49:47 AM | Attr =	]

LastGood -> %SystemRoot%\LastGood ->  [Folder | Created Date = 1/26/2008 11:43:39 PM | Attr =	]

2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> 

[Files Created - Additional Folder Scans - Non-Microsoft Only]

EasySpywareCleaner.com -> %UserAppData%\EasySpywareCleaner.com ->  [Folder | Created Date = 1/9/2008 12:45:47 PM | Attr =	]

InfeStop.com -> %UserAppData%\InfeStop.com ->  [Folder | Created Date = 1/15/2008 2:44:55 AM | Attr =	]

spy-rid.com -> %UserAppData%\spy-rid.com ->  [Folder | Created Date = 1/10/2008 12:46:04 AM | Attr =	]

Maybe if people moved out in droves.doc -> %UserDocuments%\Maybe if people moved out in droves.doc ->  [Ver =  | Size = 26112 bytes | Created Date = 1/10/2008 3:36:34 PM | Attr =	]

Flash -> %UserDesktop%\Flash ->  [Folder | Created Date = 1/26/2008 11:14:53 PM | Attr =	]

WinPFind35u -> %UserDesktop%\WinPFind35u ->  [Folder | Created Date = 1/26/2008 11:49:20 PM | Attr =	]

WinPFind35u.exe -> %UserDesktop%\WinPFind35u.exe ->  [Ver =  | Size = 478592 bytes | Created Date = 1/26/2008 11:49:05 PM | Attr =	]

@Alternate Data Stream - 26 bytes -> %UserDesktop%\WinPFind35u.exe:Zone.Identifier



[Files/Folders - Modified Within 30 days]

hiberfil.sys -> %SystemDrive%\hiberfil.sys ->  [Ver =  | Size = 1609617408 bytes | Modified Date = 1/26/2008 7:49:39 PM | Attr =  HS]

Linksys Driver -> %SystemDrive%\Linksys Driver ->  [Folder | Modified Date = 1/26/2008 11:42:57 PM | Attr =	]

Program Files -> %ProgramFiles% ->  [Folder | Modified Date = 1/15/2008 2:44:53 AM | Attr = R  ]

WINDOWS -> %SystemRoot% ->  [Folder | Modified Date = 1/26/2008 11:43:39 PM | Attr =	]

CatRoot2 -> %System32%\CatRoot2 ->  [Folder | Modified Date = 1/26/2008 7:50:25 PM | Attr =	]

2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> 

ctfmona.exe -> %System32%\ctfmona.exe ->  [Ver =  | Size = 29824 bytes | Modified Date = 1/9/2008 12:45:21 PM | Attr =	]

desktop8.dat -> %System32%\desktop8.dat ->  [Ver =  | Size = 106 bytes | Modified Date = 1/8/2008 7:14:55 AM | Attr =	]

DLLCACHE -> %System32%\DLLCACHE ->  [Folder | Modified Date = 1/9/2008 9:31:21 AM | Attr = RHS]

DRIVERS -> %System32%\DRIVERS ->  [Folder | Modified Date = 1/26/2008 11:43:40 PM | Attr =	]

WPA.DBL -> %System32%\WPA.DBL ->  [Ver =  | Size = 1170 bytes | Modified Date = 1/26/2008 7:49:44 PM | Attr =	]

$hf_mig$ -> %SystemRoot%\$hf_mig$ ->  [Folder | Modified Date = 1/8/2008 7:49:25 PM | Attr =  H ]

2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> 

BOOTSTAT.DAT -> %SystemRoot%\BOOTSTAT.DAT ->  [Ver =  | Size = 2048 bytes | Modified Date = 1/26/2008 7:49:42 PM | Attr =   S]

Debug -> %SystemRoot%\Debug ->  [Folder | Modified Date = 1/26/2008 7:55:42 PM | Attr =	]

imsins.BAK -> %SystemRoot%\imsins.BAK ->  [Ver =  | Size = 1355 bytes | Modified Date = 1/9/2008 9:31:16 AM | Attr =	]

INF -> %SystemRoot%\INF ->  [Folder | Modified Date = 1/26/2008 11:43:42 PM | Attr =  H ]

LastGood -> %SystemRoot%\LastGood ->  [Folder | Modified Date = 1/26/2008 11:43:39 PM | Attr =	]

Prefetch -> %SystemRoot%\Prefetch ->  [Folder | Modified Date = 1/26/2008 11:49:19 PM | Attr =	]

SYSTEM32 -> %System32% ->  [Folder | Modified Date = 1/26/2008 11:50:50 PM | Attr =	]

temp -> %SystemRoot%\temp ->  [Folder | Modified Date = 1/26/2008 8:00:29 PM | Attr =	]

webica.ini -> %SystemRoot%\webica.ini ->  [Ver =  | Size = 109 bytes | Modified Date = 1/14/2008 2:58:53 PM | Attr =	]

HP Usg Daily.job -> %SystemRoot%\tasks\HP Usg Daily.job ->  [Ver =  | Size = 320 bytes | Modified Date = 1/26/2008 10:38:00 PM | Attr =	]

SA.DAT -> %SystemRoot%\tasks\SA.DAT ->  [Ver =  | Size = 6 bytes | Modified Date = 1/26/2008 7:49:45 PM | Attr =  H ]

[Files Modified - Additional Folder Scans - Non-Microsoft Only]

EasySpywareCleaner.com -> %UserAppData%\EasySpywareCleaner.com ->  [Folder | Modified Date = 1/9/2008 12:45:47 PM | Attr =	]

InfeStop.com -> %UserAppData%\InfeStop.com ->  [Folder | Modified Date = 1/15/2008 2:44:55 AM | Attr =	]

Microsoft -> %UserAppData%\Microsoft ->  [Folder | Modified Date = 1/26/2008 11:13:36 PM | Attr =   S]

spy-rid.com -> %UserAppData%\spy-rid.com ->  [Folder | Modified Date = 1/10/2008 12:46:04 AM | Attr =	]

Maybe if people moved out in droves.doc -> %UserDocuments%\Maybe if people moved out in droves.doc ->  [Ver =  | Size = 26112 bytes | Modified Date = 1/10/2008 3:36:34 PM | Attr =	]

Flash -> %UserDesktop%\Flash ->  [Folder | Modified Date = 1/26/2008 11:16:40 PM | Attr =	]

WinPFind35u -> %UserDesktop%\WinPFind35u ->  [Folder | Modified Date = 1/26/2008 11:49:20 PM | Attr =	]

WinPFind35u.exe -> %UserDesktop%\WinPFind35u.exe ->  [Ver =  | Size = 478592 bytes | Modified Date = 1/26/2008 11:49:09 PM | Attr =	]

@Alternate Data Stream - 26 bytes -> %UserDesktop%\WinPFind35u.exe:Zone.Identifier

hhcolreg.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\HTML Help\hhcolreg.dat ->  [Ver =  | Size = 1306 bytes | Modified Date = 12/7/2006 12:33:21 AM | Attr =	]

about.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Money\12.0\Webcache\about.dat ->  [Ver =  | Size = 1528 bytes | Modified Date = 6/18/2003 1:00:00 PM | Attr =	]

college.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Money\12.0\Webcache\college.dat ->  [Ver =  | Size = 327746 bytes | Modified Date = 6/18/2003 1:00:00 PM | Attr =	]

moreinfo.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Money\12.0\Webcache\moreinfo.dat ->  [Ver =  | Size = 102 bytes | Modified Date = 6/18/2003 1:00:00 PM | Attr =	]

ylpgscat.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Money\12.0\Webcache\ylpgscat.dat ->  [Ver =  | Size = 12283223 bytes | Modified Date = 6/18/2003 1:00:00 PM | Attr =	]

qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat ->  [Ver =  | Size = 11436 bytes | Modified Date = 1/26/2008 7:51:24 PM | Attr =	]

qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat ->  [Ver =  | Size = 11436 bytes | Modified Date = 1/26/2008 7:51:24 PM | Attr =	]

opa12.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA\opa12.dat ->  [Ver =  | Size = 8460 bytes | Modified Date = 12/20/2007 11:24:39 AM | Attr =	]

Perflib_Perfdata_7b4.dat -> C:\Documents and Settings\Nichole\Local Settings\Temp\Perflib_Perfdata_7b4.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 1/26/2008 7:51:20 PM | Attr =	]

Perflib_Perfdata_d60.dat -> C:\Documents and Settings\Nichole\Local Settings\Temp\Perflib_Perfdata_d60.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 1/26/2008 7:52:18 PM | Attr =	]

Perflib_Perfdata_d68.dat -> C:\Documents and Settings\Nichole\Local Settings\Temp\Perflib_Perfdata_d68.dat ->  [Ver =  | Size = 0 bytes | Modified Date = 1/26/2008 7:52:17 PM | Attr =	]

1 C:\Documents and Settings\Nichole\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Nichole\Local Settings\Temp\*.tmp -> 



< End of report >


#5 nsgrace

nsgrace
  • Topic Starter

  • Members
  • 9 posts

Posted 26 January 2008 - 11:54 PM

Thanks for waiting! I was moving last week and didn't have my computer set up. Please let me know what the next step is when you get a chance and thanks!

#6 nsgrace

nsgrace
  • Topic Starter

  • Members
  • 9 posts

Posted 26 January 2008 - 11:56 PM

By the way, if we can get this fixed (even if we can't!!) I'll owe ya a Mad Hatter IPA from New Holland Brewery (I'm from Frankenmuth and LOVE that brewery!) :thumbsup:

Edited by nsgrace, 27 January 2008 - 12:03 AM.


#7 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 27 January 2008 - 11:38 AM

Hi nsgrace. That is a very old version of ComboFix. It has been updated many times since. Let's get the latest version and try a run with that.

Step #1

Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

Run ComboFix:
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Double click on combofix.exe & follow the prompts.
--------------------------------------------------------------------

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Step #2

Start WinPFind35U. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Processes - Non-Microsoft Only]
YY -> ctfmona.exe -> %System32%\ctfmona.exe
[Driver Services - Non-Microsoft Only]
YY -> (gtermddo) gtermddo [Kernel | On_Demand | Stopped] -> %SystemDrive%\DOCUME~1\Nichole\LOCALS~1\Temp\gtermddo.sys
[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> ctfmona -> %System32%\ctfmona.exe
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> Spoolsv -> %System32%\spoolvs.exe
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls
YY -> C:\WINDOWS\system32\wowfx.dll -> %System32%\wowfx.dll
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
YY -> {AEBF6926-DBA6-4100-A838-1CED0169AB78} [HKEY_LOCAL_MACHINE] -> %System32%\ddcdday.dll []
< SecurityProviders [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders
*SecurityProviders* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders
YN -> xlibgfl254.dll -> xlibgfl254.dll
YY -> wowfx.dll -> %System32%\wowfx.dll
< SecurityProviders [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {AEBF6926-DBA6-4100-A838-1CED0169AB78} [HKEY_LOCAL_MACHINE] -> %System32%\ddcdday.dll [Reg Error: Value  does not exist or could not be read.]
YN -> {d85d75a6-8f76-4db7-b86f-17a3b9151e99} [HKEY_LOCAL_MACHINE] -> %System32%\rfyaamtw.dll [Reg Error: Value  does not exist or could not be read.]
YN -> {F10587E9-0E47-4CBE-84AE-7DD20B8684BB} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Helper\Helper9.dll [e404mgr Class]
YN -> {F9F015F4-96EE-4036-A507-C9221F19C387} [HKEY_LOCAL_MACHINE] -> %System32%\pmnno.dll [Reg Error: Value  does not exist or could not be read.]
YN -> {FA0A6530-CD33-4433-02A2-40686EF73076} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\MSN Gaming Zone\lavujat251.dll [Reg Error: Value  does not exist or could not be read.]
< Internet Explorer Bars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
YN -> {32683183-48a0-441b-a342-7c2a440a9478} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
[Registry - Additional Scans - Non-Microsoft Only]
< BotCheck > -> 
*Authentication Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
YN -> C:\\WINDOWS\\system32\\pmnno -> 
< BotCheck > -> 
[Files/Folders - Created Within 30 days]
NY -> ctfmona.exe -> %System32%\ctfmona.exe
NY -> imsins.BAK -> %SystemRoot%\imsins.BAK
NY -> 2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
[Files/Folders - Modified Within 30 days]
NY -> 2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> ctfmona.exe -> %System32%\ctfmona.exe
NY -> 2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
YN -> 1 C:\Documents and Settings\Nichole\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Nichole\Local Settings\Temp\*.tmp
[Empty Temp Folders]
[Start Explorer]

The fix should only take a very short time. When the fix is completed either a message box will popup telling you that it is finished or asking you to reboot to finish moving files. Click the Ok button or the Yes button as appropriate.

Step #3

Post logs:
  • The ComboFix log ("C:\ComboFix.txt" )
  • the latest .log file from the WinPFind3u/MovedFiles folder (it will be a .log file and have a date_time name in the format mmddyyyy_hhmmss.log)
  • Post a new WinPFind35 log (choose the Additional Scans option for File - Additional Folders)
I will review the information when it comes in.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

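The fix log that WinPFind35U writes to its MovedFiles folder reports one line per action, in forms such as "deleted successfully", "not found", "Unable to delete registry value ..." and "File delete failed. ... scheduled to be deleted on reboot." The lines worth a second look are the failed deletions in a load point: AppInit_DLLs is loaded into every process that links user32.dll, SecurityProviders is a list of security support provider DLLs loaded through SSPI, and the LSA Authentication Packages list is loaded into lsass.exe at boot. A failed delete there means the hook is still wired up even after the DLL itself has been removed. The following Python script is an added example for this thread, not part of WinPFind35U or ComboFix: it parses that log format, counts outcomes, and lists the failed or deferred actions together with the load point they touch. The sample log is constructed from the lines posted in this thread, and the regular expressions assume the line forms shown here.

```python
"""Classify each action in a WinPFind35U fix log so the lines that need
follow-up (a load point the tool could not clear) stand out from the noise.
Added example for this thread; it is not part of WinPFind35U or ComboFix.
"""
import re
from collections import Counter

# Constructed sample, abridged from the fix log posted in the thread.
SAMPLE_FIX_LOG = r"""Explorer killed successfully
[Processes - Non-Microsoft Only]
Unable to kill process ctfmona.exe .
File C:\WINDOWS\System32\ctfmona.exe not found.
[Driver Services - Non-Microsoft Only]
Service gtermddo stopped successfully.
Service gtermddo deleted successfully.
File C:\DOCUME~1\Nichole\LOCALS~1\Temp\gtermddo.sys not found.
[Registry - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\ctfmona deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Spoolsv not found.
Unable to delete registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:C:\WINDOWS\system32\wowfx.dll .
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders:xlibgfl254.dll deleted successfully.
Unable to delete registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders:wowfx.dll .
[Registry - Additional Scans - Non-Microsoft Only]
Unable to delete registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages:C:\\WINDOWS\\system32\\pmnno .
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
File delete failed. C:\Documents and Settings\Nichole\Local Settings\Temp\~DFB1A9.tmp scheduled to be deleted on reboot.
< End of fix log >
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")

# Order matters: the first pattern that matches decides the status.
PATTERNS = [
    ("failed",   re.compile(r"^Unable to (?:kill process|delete registry (?:value|key)) (.+?) ?\.$")),
    ("deferred", re.compile(r"^File delete failed\. (.+?) scheduled to be deleted on reboot\.$")),
    ("absent",   re.compile(r"^(?:File|Registry (?:value|key)|Service) (.+?) not found!?\.?$")),
    ("ok",       re.compile(r"^(?:File|Registry (?:value|key)|Service|Explorer) ?(.*?) ?"
                            r"(?:deleted|stopped|moved|killed|started) successfully\.?$")),
]

# Registry values whose entries are loaded into privileged, long-lived processes.
# A failed deletion here leaves the persistence wired up even if the DLL is gone.
LOAD_POINTS = {
    "appinit_dlls": "loaded into every process that links user32.dll",
    "securityproviders": "security support provider DLL loaded through SSPI",
    "authentication packages": "loaded into lsass.exe at boot (keep msv1_0; remove only the foreign entry)",
    "winlogon\\notify": "loaded into winlogon.exe",
    "shellexecutehooks": "loaded into explorer.exe on every ShellExecute call",
}


def parse_fix_log(text):
    """Return one dict per action line: {'section', 'status', 'target', 'line'}."""
    events, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        status, target = "info", line
        for name, pat in PATTERNS:
            m = pat.match(line)
            if m:
                status, target = name, m.group(1)
                break
        events.append({"section": section, "status": status, "target": target, "line": line})
    return events


def summarize(events):
    """Count actions by status."""
    return Counter(e["status"] for e in events)


def load_point_for(target):
    """Name the sensitive load point a registry target belongs to, if any."""
    low = target.lower()
    for key, why in LOAD_POINTS.items():
        if key in low:
            return key, why
    return None


def followups(events):
    """Actions that did not complete, annotated with the load point they touch."""
    out = []
    for e in events:
        if e["status"] not in ("failed", "deferred"):
            continue
        hit = load_point_for(e["target"])
        out.append({"status": e["status"], "section": e["section"], "target": e["target"],
                    "load_point": hit[0] if hit else None, "why": hit[1] if hit else None})
    return out


if __name__ == "__main__":
    evs = parse_fix_log(SAMPLE_FIX_LOG)
    print(dict(summarize(evs)))
    for f in followups(evs):
        flag = f"  [{f['load_point']}: {f['why']}]" if f["load_point"] else ""
        print(f"{f['status']:8} {f['target']}{flag}")
```

A "not found" line is not by itself a problem: when ComboFix has already removed the file (its "Other Deletions" section lists exactly which ones), WinPFind35U reports it absent afterwards. The entries to check by hand are the failed ones. AppInit_DLLs and SecurityProviders are single list-valued strings and Authentication Packages is a multi-string, so the tool is removing one element from a list rather than a whole value; when editing Authentication Packages by hand, remove only the foreign element, because deleting msv1_0 prevents logon.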

#8 nsgrace

nsgrace
  • Topic Starter

  • Members
  • 9 posts

Posted 27 January 2008 - 01:54 PM

Here's the ComboFix log...

ComboFix 08-01-23.1C - Nichole 2008-01-27 13:22:20.8 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.996 [GMT -5:00]
Running from: C:\Documents and Settings\Nichole\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Documents and Settings\NetworkService\Application Data\NetMon
C:\Documents and Settings\NetworkService\Application Data\NetMon\domains.txt
C:\Documents and Settings\NetworkService\Application Data\NetMon\log.txt
C:\Documents and Settings\Nichole\Application Data\ultra
C:\Documents and Settings\Nichole\Application Data\ultra\uninstall.bat
C:\Program Files\Helper
C:\Program Files\Helper\bigsearchonline.dll
C:\Temp\bkR11
C:\Temp\bkR11\ftCa.log
C:\WINDOWS\cookies.ini
C:\WINDOWS\Fonts\acrsecB.fon
C:\WINDOWS\Fonts\acrsecI.fon
C:\WINDOWS\inf\ultra.inf
C:\WINDOWS\system32\bbc5
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\Cache\buts.bin
C:\WINDOWS\system32\Cache\chart 1.bmp
C:\WINDOWS\system32\Cache\ding.bmp
C:\WINDOWS\system32\Cache\disk 1.bmp
C:\WINDOWS\system32\Cache\document.bmp
C:\WINDOWS\system32\Cache\mail unreaded.bmp
C:\WINDOWS\system32\Cache\peoples 1.bmp
C:\WINDOWS\system32\Cache\search find 2.bmp
C:\WINDOWS\system32\Cache\web app.bmp
C:\WINDOWS\system32\ctfmona.exe
C:\WINDOWS\system32\doc4
C:\WINDOWS\system32\doc4\mmildot83122.exe
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\rex2
C:\WINDOWS\system32\user32.dat
C:\WINDOWS\system32\wowfx.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\nm


((((((((((((((((((((((((( Files Created from 2007-12-27 to 2008-01-27 )))))))))))))))))))))))))))))))
.

2008-01-26 23:42 . 2008-01-26 23:42 <DIR> d-------- C:\Linksys Driver
2008-01-15 02:44 . 2008-01-26 20:00 <DIR> d-------- C:\Program Files\InfeStop
2008-01-10 00:46 . 2008-01-26 20:00 <DIR> d-------- C:\Program Files\Spy-Rid
2008-01-09 12:45 . 2008-01-26 20:00 <DIR> d-------- C:\Program Files\EasySpywareCleaner
2008-01-07 10:49 . 2008-01-09 09:31 1,355 --a------ C:\WINDOWS\imsins.BAK

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-27 01:02 --------- d-----w C:\Program Files\HOTALBUMMyBOX
2008-01-08 12:14 --------- d-----w C:\Program Files\Weight Commander
2007-12-26 18:57 --------- d-----w C:\Program Files\Avira
2007-12-11 20:38 --------- d-----w C:\Program Files\CASIO
2007-12-11 20:37 15,172 ----a-w C:\WINDOWS\system32\drivers\PzWDM.sys
2007-12-11 20:36 --------- d--h--w C:\Program Files\InstallShield Installation Information
2005-07-29 21:24 472 --sha-r C:\WINDOWS\TmljaG9sZQ\nA53u36Ptk.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d85d75a6-8f76-4db7-b86f-17a3b9151e99}]
C:\WINDOWS\system32\rfyaamtw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9F015F4-96EE-4036-A507-C9221F19C387}]
C:\WINDOWS\system32\pmnno.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FA0A6530-CD33-4433-02A2-40686EF73076}]
C:\Program Files\MSN Gaming Zone\lavujat251.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09 460784]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 21:49 4662776]
"DellTransferAgent"="C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 16:46 135168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 11:27 28672]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 14:43 45056]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 08:41 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 15:51 257088]
"HPWUTOOLBOX"="C:\Program Files\HP\HP Officejet Pro K550 Series\Toolbox\HPWUTBX.exe" [2005-09-19 10:31 352256]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-12-26 13:57 249896]
"ctfmona"="C:\WINDOWS\system32\ctfmona.exe" [ ]

C:\Documents and Settings\Brian\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2005-02-27 11:29:31 225280]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
traywc.exe [2003-02-07 274432]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll
path=
backup=

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2004-05-06 22:43 49152 C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
--------- 2004-06-01 11:03 217088 C:\Program Files\Logitech\Video\LogiTray.exe

R0 PzWDM;PzWDM;C:\WINDOWS\system32\Drivers\PzWDM.sys [2007-12-11 15:37]
R2 hmonitor;hmonitor;C:\WINDOWS\system32\drivers\hmonitor.sys [2006-12-05 09:26]
R2 Machnm32;Machnm32 Driver;C:\WINDOWS\system32\Machnm32.sys [2003-08-12 23:27]
R3 Net6IM;Net6;C:\WINDOWS\system32\DRIVERS\net6im51.sys [2006-07-11 05:56]
R3 USBNET_XP;Instant Wireless XP USB Network Adapter ver.2.6 Driver;C:\WINDOWS\system32\DRIVERS\netusbxp.sys [2002-02-20 02:34]
S3 gtermddo;gtermddo;C:\DOCUME~1\Nichole\LOCALS~1\Temp\gtermddo.sys []
S3 PhilCam8116_XP;Logitech QuickCam Pro 3000(PID_08B1);C:\WINDOWS\system32\DRIVERS\CamDrL20.sys [2004-05-21 14:16]
S3 SaiNtHid;SaiNtHid;C:\WINDOWS\system32\DRIVERS\SaiNtHid.sys [2003-04-10 10:42]
S3 SaiNtSub;SaiNtSub;C:\WINDOWS\system32\DRIVERS\SaiNtSub.sys [2003-04-10 10:42]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-27 03:38:00 C:\WINDOWS\Tasks\HP Usg Daily.job"
- C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\pexpress\hphped05.exe
"2007-07-11 21:57:00 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-27 13:29:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-27 13:37:44 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-27 18:37:40
ComboFix2.txt 2007-12-27 05:36:54
ComboFix3.txt 2007-09-03 02:10:04
ComboFix4.txt 2007-08-30 00:28:32
.
2008-01-09 14:32:33 --- E O F ---


Here is the .log file in the folder MovedFiles...

Explorer killed successfully
[Processes - Non-Microsoft Only]
Unable to kill process ctfmona.exe .
File C:\WINDOWS\System32\ctfmona.exe not found.
[Driver Services - Non-Microsoft Only]
Service gtermddo stopped successfully.
Service gtermddo deleted successfully.
File C:\DOCUME~1\Nichole\LOCALS~1\Temp\gtermddo.sys not found.
[Registry - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\ctfmona deleted successfully.
File C:\WINDOWS\System32\ctfmona.exe not found.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Spoolsv not found.
File C:\WINDOWS\System32\spoolvs.exe not found.
Unable to delete registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:C:\WINDOWS\system32\wowfx.dll .
File C:\WINDOWS\System32\wowfx.dll not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{AEBF6926-DBA6-4100-A838-1CED0169AB78} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEBF6926-DBA6-4100-A838-1CED0169AB78}\ not found.
File C:\WINDOWS\System32\ddcdday.dll not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders:xlibgfl254.dll deleted successfully.
Unable to delete registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders:wowfx.dll .
File C:\WINDOWS\System32\wowfx.dll not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AEBF6926-DBA6-4100-A838-1CED0169AB78}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEBF6926-DBA6-4100-A838-1CED0169AB78}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d85d75a6-8f76-4db7-b86f-17a3b9151e99}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d85d75a6-8f76-4db7-b86f-17a3b9151e99}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F10587E9-0E47-4CBE-84AE-7DD20B8684BB}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F10587E9-0E47-4CBE-84AE-7DD20B8684BB}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F9F015F4-96EE-4036-A507-C9221F19C387}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F9F015F4-96EE-4036-A507-C9221F19C387}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FA0A6530-CD33-4433-02A2-40686EF73076}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FA0A6530-CD33-4433-02A2-40686EF73076}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{32683183-48a0-441b-a342-7c2a440a9478}\ not found.
[Registry - Additional Scans - Non-Microsoft Only]
Unable to delete registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages:C:\\WINDOWS\\system32\\pmnno .
[Files/Folders - Created Within 30 days]
File C:\WINDOWS\System32\ctfmona.exe not found!
C:\WINDOWS\imsins.BAK moved successfully.
[Files/Folders - Modified Within 30 days]
File C:\WINDOWS\System32\ctfmona.exe not found!
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
File delete failed. C:\Documents and Settings\Nichole\Local Settings\Temp\~DFB1A9.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Nichole\Local Settings\Temp\~DFDA44.tmp scheduled to be deleted on reboot.
[Empty Temp Folders]
File delete failed. C:\Documents and Settings\Nichole\Local Settings\Temp\Perflib_Perfdata_748.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Nichole\Local Settings\Temp\Perflib_Perfdata_970.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Nichole\Local Settings\Temp\Perflib_Perfdata_bbc.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Nichole\Local Settings\Temp\Perflib_Perfdata_e54.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Nichole\Local Settings\Temp\~DFB1A9.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Nichole\Local Settings\Temp\~DFDA44.tmp scheduled to be deleted on reboot.
User temp folders emptied.
SystemRoot temp folder emptied.
IE temp folders emptied
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
WinPFind35U Version Beta38 fix logfile created on 01272008_134102

And finally, the WinPFind35u log...

WinPFind35 logfile created on: 1/27/2008 1:52:32 PM
WinPFind35U Version Beta38	 Folder = C:\Documents and Settings\Nichole\Desktop\WinPFind35u
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
 
1.50 Gb Total Physical Memory | 1.06 Gb Available Physical Memory | 70.49% Memory free
2.11 Gb Paging File | 1.74 Gb Available in Paging File | 82.46% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536;
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.46 Gb Total Space | 2.58 Gb Free Space | 3.47% Space Free | Partition Type: NTFS
Drive D: | 702.31 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: UDF
E: Drive not present or media not loaded
Drive F: | 955.73 Mb Total Space | 950.28 Mb Free Space | 99.43% Space Free | Partition Type: FAT

Computer Name: DD90BM41
Current User Name: Nichole
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user


[Processes - Non-Microsoft Only]
ati2evxx.exe -> %System32%\ati2evxx.exe -> ATI Technologies Inc. [Ver = 6.14.10.4129 | Size = 405504 bytes | Modified Date = 1/24/2006 10:45:24 PM | Attr =	]
avguard.exe -> %ProgramFiles%\Avira\AntiVir PersonalEdition Classic\avguard.exe -> Avira GmbH [Ver = 7.00.00.82 | Size = 214056 bytes | Modified Date = 12/26/2007 1:57:05 PM | Attr =	]
sched.exe -> %ProgramFiles%\Avira\AntiVir PersonalEdition Classic\sched.exe -> Avira GmbH [Ver = 7.00.00.62 | Size = 63016 bytes | Modified Date = 8/28/2007 1:16:22 PM | Attr =	]
ati2evxx.exe -> %System32%\ati2evxx.exe -> ATI Technologies Inc. [Ver = 6.14.10.4129 | Size = 405504 bytes | Modified Date = 1/24/2006 10:45:24 PM | Attr =	]
dsentry.exe -> %System32%\DSentry.exe -> Dell - Advanced Desktop Engineering [Ver = 1, 0, 5, 0 | Size = 28672 bytes | Modified Date = 8/13/2003 11:27:40 AM | Attr =	]
cli.exe -> %ProgramFiles%\ATI Technologies\ATI.ACE\CLI.exe -> ATI Technologies Inc. [Ver = 1.11.0.0 | Size = 45056 bytes | Modified Date = 8/12/2005 2:43:58 PM | Attr =	]
qttask.exe -> %ProgramFiles%\QuickTime\qttask.exe -> Apple Inc. [Ver = 7.1.6 | Size = 282624 bytes | Modified Date = 4/27/2007 8:41:54 AM | Attr =	]
ituneshelper.exe -> %ProgramFiles%\iTunes\iTunesHelper.exe -> Apple Inc. [Ver = 7.2.0.35 | Size = 257088 bytes | Modified Date = 6/1/2007 3:51:26 PM | Attr =	]
hpwutbx.exe -> %ProgramFiles%\HP\HP Officejet Pro K550 Series\Toolbox\HPWUTBX.exe -> Hewlett-Packard Company [Ver = 2005.0919.0.0 | Size = 352256 bytes | Modified Date = 9/19/2005 10:31:48 AM | Attr =	]
avgnt.exe -> %ProgramFiles%\Avira\AntiVir PersonalEdition Classic\avgnt.exe -> Avira GmbH [Ver = 7.02.00.16 | Size = 249896 bytes | Modified Date = 12/26/2007 1:57:05 PM | Attr =	]
dsagnt.exe -> %ProgramFiles%\DellSupport\DSAgnt.exe -> Gteko Ltd. [Ver = 3, 0, 0, 197 | Size = 460784 bytes | Modified Date = 3/15/2007 10:09:36 AM | Attr =	]
ipodservice.exe -> %ProgramFiles%\iPod\bin\iPodService.exe -> Apple Inc. [Ver = 7.2.0.35 | Size = 501312 bytes | Modified Date = 6/1/2007 3:51:22 PM | Attr =	]
transferagent.exe -> %AllUsersAppData%\Dell\TransferAgent\TransferAgent.exe ->   [Ver = 1.0.2873.20447 | Size = 135168 bytes | Modified Date = 11/13/2007 4:46:00 PM | Attr =	]
traywc.exe -> %AllUsersStartup%\traywc.exe -> weight commander [Ver = 1.00 | Size = 274432 bytes | Modified Date = 2/7/2003 | Attr =	]
cli.exe -> %ProgramFiles%\ATI Technologies\ATI.ACE\CLI.exe -> ATI Technologies Inc. [Ver = 1.11.0.0 | Size = 45056 bytes | Modified Date = 8/12/2005 2:43:58 PM | Attr =	]
cli.exe -> %ProgramFiles%\ATI Technologies\ATI.ACE\CLI.exe -> ATI Technologies Inc. [Ver = 1.11.0.0 | Size = 45056 bytes | Modified Date = 8/12/2005 2:43:58 PM | Attr =	]
winpfind35u.exe -> %UserDesktop%\WinPFind35u\WinPFind35U.exe -> OldTimer Tools [Ver = 1.0.0.0 | Size = 307712 bytes | Modified Date = 1/26/2008 1:34:08 PM | Attr =	]

[Win32 Services - Non-Microsoft Only]
(AntiVirScheduler) AntiVir PersonalEdition Classic Scheduler [Win32_Own | Auto | Running] -> %ProgramFiles%\Avira\AntiVir PersonalEdition Classic\sched.exe -> Avira GmbH [Ver = 7.00.00.62 | Size = 63016 bytes | Modified Date = 8/28/2007 1:16:22 PM | Attr =	]
(AntiVirService) AntiVir PersonalEdition Classic Guard [Win32_Own | Auto | Running] -> %ProgramFiles%\Avira\AntiVir PersonalEdition Classic\avguard.exe -> Avira GmbH [Ver = 7.00.00.82 | Size = 214056 bytes | Modified Date = 12/26/2007 1:57:05 PM | Attr =	]
(Ati HotKey Poller) Ati HotKey Poller [Win32_Own | Auto | Running] -> %System32%\ati2evxx.exe -> ATI Technologies Inc. [Ver = 6.14.10.4129 | Size = 405504 bytes | Modified Date = 1/24/2006 10:45:24 PM | Attr =	]
(ATI Smart) ATI Smart [Win32_Own | Auto | Stopped] -> %System32%\ati2sgag.exe ->  [Ver = 5.13.0025 | Size = 520192 bytes | Modified Date = 1/26/2006 8:57:00 AM | Attr =	]
(AVG Anti-Spyware Guard) AVG Anti-Spyware Guard [Win32_Own | Disabled | Stopped] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 22 | Size = 312880 bytes | Modified Date = 5/30/2007 7:31:10 AM | Attr =	]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 8/4/2004 2:56:48 AM | Attr =	]
(DSBrokerService) DSBrokerService [Win32_Own | Disabled | Stopped] -> %ProgramFiles%\DellSupport\brkrsvc.exe ->  [Ver = 1, 0, 0, 8 | Size = 76848 bytes | Modified Date = 3/7/2007 2:47:46 PM | Attr =	]
(IDriverT) InstallDriver Table Manager [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\InstallShield\Driver\11\Intel 32\IDriverT.exe -> Macrovision Corporation [Ver = 11.00.28844 | Size = 69632 bytes | Modified Date = 4/4/2005 12:41:10 AM | Attr =	]
(iPod Service) iPod Service [Win32_Own | On_Demand | Running] -> %ProgramFiles%\iPod\bin\iPodService.exe -> Apple Inc. [Ver = 7.2.0.35 | Size = 501312 bytes | Modified Date = 6/1/2007 3:51:22 PM | Attr =	]
(NetSvc) Intel NCS NetService [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Intel\NCS\Sync\NetSvc.exe -> Intel(R) Corporation [Ver = 1.2.26.0 | Size = 143360 bytes | Modified Date = 3/3/2003 2:33:40 PM | Attr =	]
(Pml Driver HPZ12) Pml Driver HPZ12 [Win32_Own | Disabled | Stopped] -> %System32%\HPZipm12.exe -> HP [Ver = 8, 0, 0, 0 | Size = 65536 bytes | Modified Date = 3/18/2004 4:55:48 PM | Attr =	]

[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
ATICCC -> %ProgramFiles%\ATI Technologies\ATI.ACE\CLI.exe -> ATI Technologies Inc. [Ver = 1.11.0.0 | Size = 45056 bytes | Modified Date = 8/12/2005 2:43:58 PM | Attr =	]
avgnt -> %ProgramFiles%\Avira\AntiVir PersonalEdition Classic\avgnt.exe -> Avira GmbH [Ver = 7.02.00.16 | Size = 249896 bytes | Modified Date = 12/26/2007 1:57:05 PM | Attr =	]
DVDSentry -> %System32%\DSentry.exe -> Dell - Advanced Desktop Engineering [Ver = 1, 0, 5, 0 | Size = 28672 bytes | Modified Date = 8/13/2003 11:27:40 AM | Attr =	]
HPWUTOOLBOX -> %ProgramFiles%\HP\HP Officejet Pro K550 Series\Toolbox\HPWUTBX.exe -> Hewlett-Packard Company [Ver = 2005.0919.0.0 | Size = 352256 bytes | Modified Date = 9/19/2005 10:31:48 AM | Attr =	]
iTunesHelper -> %ProgramFiles%\iTunes\iTunesHelper.exe -> Apple Inc. [Ver = 7.2.0.35 | Size = 257088 bytes | Modified Date = 6/1/2007 3:51:26 PM | Attr =	]
QuickTime Task -> %ProgramFiles%\QuickTime\qttask.exe -> Apple Inc. [Ver = 7.1.6 | Size = 282624 bytes | Modified Date = 4/27/2007 8:41:54 AM | Attr =	]
< RunOnceEx [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx -> 
 ->  -> File not found
< OptionalComponents [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ -> 
IMAIL-> Installed = 1 -> 
MAPI-> Installed = 1 -> 
MSFS-> Installed = 1 -> 
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
DellSupport -> %ProgramFiles%\DellSupport\DSAgnt.exe -> Gteko Ltd. [Ver = 3, 0, 0, 197 | Size = 460784 bytes | Modified Date = 3/15/2007 10:09:36 AM | Attr =	]
DellTransferAgent -> %AllUsersAppData%\Dell\TransferAgent\TransferAgent.exe ->   [Ver = 1.0.2873.20447 | Size = 135168 bytes | Modified Date = 11/13/2007 4:46:00 PM | Attr =	]
Yahoo! Pager -> %ProgramFiles%\Yahoo!\Messenger\YahooMessenger.exe -> Yahoo! Inc. [Ver = 8,1,0,209 | Size = 4662776 bytes | Modified Date = 11/30/2006 9:49:04 PM | Attr =	]
< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup -> 
 -> %AllUsersStartup%\traywc.exe -> weight commander [Ver = 1.00 | Size = 274432 bytes | Modified Date = 2/7/2003 | Attr =	]
< Nichole Startup Folder > -> C:\Documents and Settings\Nichole\Start Menu\Programs\Startup -> 
< ICQ Agent [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\ ->
HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\ -> ->
< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks -> 
{57B86673-276A-48B2-BAE7-C6DBB3020EB8} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll [AVG Anti-Spyware 7.5] -> GRISOFT s.r.o. [Ver = 7, 5, 1, 36 | Size = 79408 bytes | Modified Date = 5/30/2007 7:29:58 AM | Attr =	]
< SecurityProviders [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders -> 
*SecurityProviders* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders -> 
  ->  -> File not found
*MultiFile Done* -> -> 
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
< Winlogon settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ -> 
AtiExtEvent -> %System32%\ati2evxx.dll -> ATI Technologies Inc. [Ver = 6.14.10.4129 | Size = 61440 bytes | Modified Date = 1/24/2006 10:46:38 PM | Attr =	]
< CurrentVersion Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\ ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 255 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoCDBurning -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveAutoRun -> 67108863 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WindowsUpdate\ -> -> 
< CurrentVersion Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WindowsUpdate\ -> -> 
< HOSTS File > (27 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts -> 
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> -> 
HKEY_LOCAL_MACHINE\: Main\\Default_Page_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome -> 
HKEY_LOCAL_MACHINE\: Main\\Default_Search_URL -> http://www.google.com/ie -> 
HKEY_LOCAL_MACHINE\: Main\\Local Page -> C:\WINDOWS\SYSTEM32\blank.htm -> 
HKEY_LOCAL_MACHINE\: Main\\Search Bar -> http://us.rd.yahoo.com/customize/ie/defaults/sb/ymj/*http://www.yahoo.com/ext/search/search.html -> 
HKEY_LOCAL_MACHINE\: Main\\Search Page -> http://www.google.com -> 
HKEY_LOCAL_MACHINE\: Main\\Start Page -> about:blank -> 
HKEY_LOCAL_MACHINE\: Search\\CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm -> 
HKEY_LOCAL_MACHINE\: Search\\Default_Search_URL -> http://www.google.com/ie -> 
HKEY_LOCAL_MACHINE\: Search\\SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm -> 
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> -> 
HKEY_CURRENT_USER\: Main\\Default_Search_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 
HKEY_CURRENT_USER\: Main\\Local Page -> C:\WINDOWS\SYSTEM32\blank.htm -> 
HKEY_CURRENT_USER\: Main\\Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 
HKEY_CURRENT_USER\: Main\\Start Page -> http://www.yahoo.com/ -> 
HKEY_CURRENT_USER\: Search\\SearchAssistant -> http://www.google.com/ie -> 
HKEY_CURRENT_USER\: ProxyEnable -> 0 -> 
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 1 domain(s) found. -> 
1 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 5868 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 87 range(s) found. -> 
< Internet Explorer Bars [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ -> 
{4528BBE0-4E08-11D5-AD55-00010333D0AD} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
< Internet Explorer Bars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ -> 
{4528BBE0-4E08-11D5-AD55-00010333D0AD} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ -> 
WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Yahoo! Toolbar] -> File not found
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\ -> 
CmdMapping\\{85d1f590-48f4-11d9-9669-0800200c9a66} [HKEY_LOCAL_MACHINE] ->  [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKEY_LOCAL_MACHINE] ->  [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKEY_LOCAL_MACHINE] ->  [Reg Error: Key does not exist or could not be opened.] -> File not found
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ -> 
PluginsPageFriendlyName -> Microsoft ActiveX Gallery -> 
PluginsPage -> http://activex.microsoft.com/controls/find.asp?ext=%s&mime=%s -> 
< User Agent Post Platform [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform -> 
SV1 ->  -> 
< DNS Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ -> 
{1A7DA63D-F2E9-4AF2-9348-F6AA628084C0} ->	(Instant Wireless USB Network Adapter ver.2.6) -> 
{714981A2-3268-43A1-B9D8-5B1A333EBFCB} -> 4.2.2.2   (Intel(R) PRO/100 VE Network Connection) -> 
{799D3E13-0363-4653-AF81-9723293CD78D} ->	(Instant Wireless USB Network Adapter ver.2.6) -> 
{AC0C8180-07D4-4C70-801B-487E3E94C915} ->	() -> 
< Protocol Handlers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ -> 
cetihpz:{CF184AD3-CDCB-4168-A3F7-8E447D129300} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\HP\hpcoretech\comp\hpuiprot.dll[CZipHandler Object] -> Hewlett-Packard Company [Ver = 2.1.5 | Size = 81920 bytes | Modified Date = 5/12/2004 2:18:56 PM | Attr =	]
ipp: [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened.[{1A03F196-9617-4CA0-842B-A83CEECB022B}] -> File not found
msdaipp: [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened.[{1A03F196-9617-4CA0-842B-A83CEECB022B}] -> File not found
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ -> 
{17492023-C23A-453E-A040-C7C580BBF700}[HKEY_LOCAL_MACHINE] -> http://go.microsoft.com/fwlink/?linkid=39204[Windows Genuine Advantage Validation Tool] -> 
{30528230-99f7-4bb4-88d8-fa1d4f56a2ab}[HKEY_LOCAL_MACHINE] -> C:\Program Files\Yahoo!\Common\Yinsthelper.dll[Installation Support] -> 
{33564D57-0000-0010-8000-00AA00389B71}[HKEY_LOCAL_MACHINE] -> http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB[Reg Error: Key does not exist or could not be opened.] -> 
{406B5949-7190-4245-91A9-30A17DE16AD0}[HKEY_LOCAL_MACHINE] -> http://www1.snapfish.com/SnapfishActivia.cab[Snapfish Activia] -> 
{7E0FDFBB-87D4-43A1-9AD4-41F0EA8AFF7B}[HKEY_LOCAL_MACHINE] -> https://vpn.fbwebapps.com/net6helper.cab[Net6Launcher Class] -> 
{8AD9C840-044E-11D1-B3E9-00805F499D93}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab[Java Plug-in 1.5.0_03] -> 
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}[HKEY_LOCAL_MACHINE] -> http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab[Reg Error: Key does not exist or could not be opened.] -> 
{9F1C11AA-197B-4942-BA54-47A8489BB47F}[HKEY_LOCAL_MACHINE] -> http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38124.5903240741[Reg Error: Key does not exist or could not be opened.] -> 
{A17E30C4-A9BA-11D4-8673-60DB54C10000}[HKEY_LOCAL_MACHINE] -> http://download.yahoo.com/dl/installs/ymail/ymmapi.dll[YahooYMailTo Class] -> 
{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab[Java Plug-in 1.4.2] -> 
{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab[Java Plug-in 1.5.0_03] -> 
{D27CDB6E-AE6D-11CF-96B8-444553540000}[HKEY_LOCAL_MACHINE] -> http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab[Shockwave Flash Object] -> 
{EBC1356E-7D5E-44EC-831D-847882F06FE5}[HKEY_LOCAL_MACHINE] -> https://www.fbwebapps.com/farm%20bureau%20insurance/cds/CGC/en/CSGProxy.cab[Gateway Client for MetaFrame] -> 
Microsoft XML Parser for Java[HKEY_LOCAL_MACHINE] -> file://C:\WINDOWS\Java\classes\xmldso.cab[Reg Error: Key does not exist or could not be opened.] -> 



[Files/Folders - Created Within 30 days]
Linksys Driver -> %SystemDrive%\Linksys Driver ->  [Folder | Created Date = 1/26/2008 11:42:57 PM | Attr =	]
TEMP -> %SystemRoot%\TEMP ->  [Folder | Created Date = 1/27/2008 1:37:45 PM | Attr =	]
[Files Created - Additional Folder Scans - Non-Microsoft Only]
EasySpywareCleaner.com -> %UserAppData%\EasySpywareCleaner.com ->  [Folder | Created Date = 1/9/2008 12:45:47 PM | Attr =	]
InfeStop.com -> %UserAppData%\InfeStop.com ->  [Folder | Created Date = 1/15/2008 2:44:55 AM | Attr =	]
spy-rid.com -> %UserAppData%\spy-rid.com ->  [Folder | Created Date = 1/10/2008 12:46:04 AM | Attr =	]
Maybe if people moved out in droves.doc -> %UserDocuments%\Maybe if people moved out in droves.doc ->  [Ver =  | Size = 26112 bytes | Created Date = 1/10/2008 3:36:34 PM | Attr =	]
Flash -> %UserDesktop%\Flash ->  [Folder | Created Date = 1/26/2008 11:14:53 PM | Attr =	]
WinPFind35u -> %UserDesktop%\WinPFind35u ->  [Folder | Created Date = 1/26/2008 11:49:20 PM | Attr =	]
WinPFind35u.exe -> %UserDesktop%\WinPFind35u.exe ->  [Ver =  | Size = 478592 bytes | Created Date = 1/26/2008 11:49:05 PM | Attr =	]
@Alternate Data Stream - 26 bytes -> %UserDesktop%\WinPFind35u.exe:Zone.Identifier

[Files/Folders - Modified Within 30 days]
ComboFix -> %SystemDrive%\ComboFix ->  [Folder | Modified Date = 1/27/2008 1:37:47 PM | Attr =	]
hiberfil.sys -> %SystemDrive%\hiberfil.sys ->  [Ver =  | Size = 1609617408 bytes | Modified Date = 1/27/2008 1:42:11 PM | Attr =  HS]
Linksys Driver -> %SystemDrive%\Linksys Driver ->  [Folder | Modified Date = 1/26/2008 11:42:57 PM | Attr =	]
Program Files -> %ProgramFiles% ->  [Folder | Modified Date = 1/27/2008 1:27:20 PM | Attr = R  ]
QooBox -> %SystemDrive%\QooBox ->  [Folder | Modified Date = 1/27/2008 1:37:40 PM | Attr =	]
Temp -> %SystemDrive%\Temp ->  [Folder | Modified Date = 1/27/2008 1:27:21 PM | Attr =	]
WINDOWS -> %SystemRoot% ->  [Folder | Modified Date = 1/27/2008 1:44:12 PM | Attr =	]
ETC -> %System32%\drivers\ETC ->  [Folder | Modified Date = 1/27/2008 1:29:45 PM | Attr =	]
hosts -> %System32%\drivers\ETC\hosts ->  [Ver =  | Size = 27 bytes | Modified Date = 1/27/2008 1:29:45 PM | Attr =	]
CatRoot2 -> %System32%\CatRoot2 ->  [Folder | Modified Date = 1/26/2008 7:50:25 PM | Attr =	]
CONFIG -> %System32%\CONFIG ->  [Folder | Modified Date = 1/27/2008 1:27:46 PM | Attr =	]
desktop8.dat -> %System32%\desktop8.dat ->  [Ver =  | Size = 106 bytes | Modified Date = 1/8/2008 7:14:55 AM | Attr =	]
DLLCACHE -> %System32%\DLLCACHE ->  [Folder | Modified Date = 1/9/2008 9:31:21 AM | Attr = RHS]
DRIVERS -> %System32%\DRIVERS ->  [Folder | Modified Date = 1/27/2008 1:29:45 PM | Attr =	]
WPA.DBL -> %System32%\WPA.DBL ->  [Ver =  | Size = 1170 bytes | Modified Date = 1/26/2008 7:49:44 PM | Attr =	]
$hf_mig$ -> %SystemRoot%\$hf_mig$ ->  [Folder | Modified Date = 1/8/2008 7:49:25 PM | Attr =  H ]
BOOTSTAT.DAT -> %SystemRoot%\BOOTSTAT.DAT ->  [Ver =  | Size = 2048 bytes | Modified Date = 1/27/2008 1:42:14 PM | Attr =   S]
Debug -> %SystemRoot%\Debug ->  [Folder | Modified Date = 1/26/2008 7:55:42 PM | Attr =	]
erdnt -> %SystemRoot%\erdnt ->  [Folder | Modified Date = 1/27/2008 1:27:31 PM | Attr =	]
Fonts -> %SystemRoot%\Fonts ->  [Folder | Modified Date = 1/27/2008 1:27:19 PM | Attr = R S]
INF -> %SystemRoot%\INF ->  [Folder | Modified Date = 1/27/2008 1:27:20 PM | Attr =  H ]
Prefetch -> %SystemRoot%\Prefetch ->  [Folder | Modified Date = 1/27/2008 1:26:52 PM | Attr =	]
system.ini -> %SystemRoot%\system.ini ->  [Ver =  | Size = 227 bytes | Modified Date = 1/27/2008 1:29:53 PM | Attr =	]
SYSTEM32 -> %System32% ->  [Folder | Modified Date = 1/27/2008 1:41:02 PM | Attr =	]
TEMP -> %SystemRoot%\TEMP ->  [Folder | Modified Date = 1/27/2008 1:42:47 PM | Attr =	]
webica.ini -> %SystemRoot%\webica.ini ->  [Ver =  | Size = 109 bytes | Modified Date = 1/14/2008 2:58:53 PM | Attr =	]
HP Usg Daily.job -> %SystemRoot%\tasks\HP Usg Daily.job ->  [Ver =  | Size = 320 bytes | Modified Date = 1/26/2008 10:38:00 PM | Attr =	]
SA.DAT -> %SystemRoot%\tasks\SA.DAT ->  [Ver =  | Size = 6 bytes | Modified Date = 1/27/2008 1:42:18 PM | Attr =  H ]
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
Dell -> %AllUsersAppData%\Dell ->  [Folder | Modified Date = 1/27/2008 1:29:06 AM | Attr =	]
Microsoft -> %AllUsersAppData%\Microsoft ->  [Folder | Modified Date = 1/26/2008 11:44:08 PM | Attr =   S]
EasySpywareCleaner.com -> %UserAppData%\EasySpywareCleaner.com ->  [Folder | Modified Date = 1/9/2008 12:45:47 PM | Attr =	]
InfeStop.com -> %UserAppData%\InfeStop.com ->  [Folder | Modified Date = 1/15/2008 2:44:55 AM | Attr =	]
Microsoft -> %UserAppData%\Microsoft ->  [Folder | Modified Date = 1/26/2008 11:13:36 PM | Attr =   S]
spy-rid.com -> %UserAppData%\spy-rid.com ->  [Folder | Modified Date = 1/10/2008 12:46:04 AM | Attr =	]
ApplicationHistory -> %LocalAppData%\ApplicationHistory ->  [Folder | Modified Date = 1/27/2008 1:29:08 AM | Attr =	]
Maybe if people moved out in droves.doc -> %UserDocuments%\Maybe if people moved out in droves.doc ->  [Ver =  | Size = 26112 bytes | Modified Date = 1/10/2008 3:36:34 PM | Attr =	]
ComboFix.exe -> %UserDesktop%\ComboFix.exe ->  [Ver =  | Size = 1568123 bytes | Modified Date = 1/27/2008 1:20:54 PM | Attr =	]
@Alternate Data Stream - 26 bytes -> %UserDesktop%\ComboFix.exe:Zone.Identifier
Flash -> %UserDesktop%\Flash ->  [Folder | Modified Date = 1/26/2008 11:16:40 PM | Attr =	]
WinPFind35u -> %UserDesktop%\WinPFind35u ->  [Folder | Modified Date = 1/27/2008 1:41:02 PM | Attr =	]
WinPFind35u.exe -> %UserDesktop%\WinPFind35u.exe ->  [Ver =  | Size = 478592 bytes | Modified Date = 1/26/2008 11:49:09 PM | Attr =	]
@Alternate Data Stream - 26 bytes -> %UserDesktop%\WinPFind35u.exe:Zone.Identifier
hhcolreg.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\HTML Help\hhcolreg.dat ->  [Ver =  | Size = 1306 bytes | Modified Date = 12/7/2006 12:33:21 AM | Attr =	]
about.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Money\12.0\Webcache\about.dat ->  [Ver =  | Size = 1528 bytes | Modified Date = 6/18/2003 1:00:00 PM | Attr =	]
college.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Money\12.0\Webcache\college.dat ->  [Ver =  | Size = 327746 bytes | Modified Date = 6/18/2003 1:00:00 PM | Attr =	]
moreinfo.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Money\12.0\Webcache\moreinfo.dat ->  [Ver =  | Size = 102 bytes | Modified Date = 6/18/2003 1:00:00 PM | Attr =	]
ylpgscat.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Money\12.0\Webcache\ylpgscat.dat ->  [Ver =  | Size = 12283223 bytes | Modified Date = 6/18/2003 1:00:00 PM | Attr =	]
qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat ->  [Ver =  | Size = 11436 bytes | Modified Date = 1/27/2008 1:43:43 PM | Attr =	]
qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat ->  [Ver =  | Size = 11436 bytes | Modified Date = 1/27/2008 1:43:43 PM | Attr =	]
opa12.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA\opa12.dat ->  [Ver =  | Size = 8468 bytes | Modified Date = 1/27/2008 12:04:37 AM | Attr =	]
Perflib_Perfdata_3a4.dat -> C:\Documents and Settings\Nichole\Local Settings\Temp\Perflib_Perfdata_3a4.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 1/27/2008 1:43:29 PM | Attr =	]
Perflib_Perfdata_cf4.dat -> C:\Documents and Settings\Nichole\Local Settings\Temp\Perflib_Perfdata_cf4.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 1/27/2008 1:44:27 PM | Attr =	]
Perflib_Perfdata_cfc.dat -> C:\Documents and Settings\Nichole\Local Settings\Temp\Perflib_Perfdata_cfc.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 1/27/2008 1:44:24 PM | Attr =	]
2 C:\Documents and Settings\Nichole\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Nichole\Local Settings\Temp\*.tmp -> 

< End of report >


#9 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:06:49 PM

Posted 27 January 2008 - 03:03 PM

Hi nsgrace. Everything looks fine in the logs. How are things running?

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#10 nsgrace

nsgrace
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:05:49 PM

Posted 27 January 2008 - 03:34 PM

Excellent! Thank you so much!! Anything else that needs to be done?

#11 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:06:49 PM

Posted 27 January 2008 - 03:43 PM

Hi nsgrace. Just a last bit of final cleanup to do.

Step #1

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
2. Restart your computer.
3. Turn ON System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check Turn off System Restore.
  • Click Apply, and then click OK.

System Restore will now be active again.

Step #2

To remove all of the tools we used and the files and folders they created do the following:
  • Start WinPFind35
  • Click the CleanUp button
  • WinPFind35 will download a small file from the Internet. If a security program or firewall warns you of this allow it to download.
  • WinPFind35 will delete any tools downloaded and files/folders created and then ask you to reboot so it can remove itself. Click Yes.
After that you are good to go :thumbsup: Congratulations.

Cheers.

OT
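The System Restore reset above is a GUI procedure; the script below is an added example (not OldTimer's instructions or a BleepingComputer tool) that does the same off/on cycle from an elevated PowerShell 2.0+ prompt on a Windows client and records how many restore points were discarded. The drive letter and the baseline description are assumptions.

```powershell
# Added example: scripted equivalent of the "Reset and Re-enable System Restore"
# step, with a before/after count so the operator can log what was discarded.
# Assumes an elevated PowerShell 2.0+ session on a Windows client edition
# (the *-ComputerRestore cmdlets are client-only); $drive is an assumption.
$drive = "C:\"

function Get-RestorePointSummary {
    # Returns the restore-point count and descriptions for the audit record.
    $points = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)
    New-Object PSObject -Property @{
        Count        = $points.Count
        Descriptions = @($points | ForEach-Object { $_.Description })
    }
}

$before = Get-RestorePointSummary
Write-Host ("Restore points before reset: {0}" -f $before.Count)
$before.Descriptions | ForEach-Object { Write-Host ("  - {0}" -f $_) }

# Thread step 1: turning System Restore off deletes every existing restore
# point, including any that captured infected files the cleanup already removed.
Disable-ComputerRestore -Drive $drive

# Thread step 2 is a reboot. Reboot between the two halves if you want to match
# the procedure exactly; on Vista and later the re-enable also works without it.

# Thread step 3: turn System Restore back on, then take one known-clean baseline
# so the next incident has a safe point to roll back to.
Enable-ComputerRestore -Drive $drive
Checkpoint-Computer -Description "Post-cleanup baseline" -RestorePointType "MODIFY_SETTINGS"

$after = Get-RestorePointSummary
Write-Host ("Restore points after reset: {0}" -f $after.Count)
if ($after.Count -ne 1) {
    Write-Warning "Expected exactly one fresh restore point; check System Protection settings."
}
```

On Windows 8 and later, Checkpoint-Computer creates at most one restore point per 24 hours by default, so the final warning can fire if a checkpoint was already taken that day.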

#12 nsgrace

nsgrace
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:05:49 PM

Posted 28 January 2008 - 05:24 PM

Thanks so much!!!!!!!! You rock!!

#13 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:06:49 PM

Posted 28 January 2008 - 05:31 PM

You are very welcome nsgrace, I'm glad that we could help.

I will now close this topic. If you have any new malware related issues in the future please start a new topic.

Cheers and Happy Computing!

OT