Am I Infected?


23 replies to this topic

#1 Sesmu


Posted 27 January 2008 - 07:15 AM

Hi,

I just ran a bunch of cleaning utilities - Ad-Aware, Spybot, Housecall, McAfee Avert tools - and basically want to find out if my system still has anything dangerous. From the behavior and cleaning utilities results I had (hopefully used to) password stealing, URL redirects among other nasties. So here's my Hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:06:24 AM, on 1/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\hjt\hjt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [IE7-11] rundll32 advpack.dll,LaunchINFSection NR_IE7en.inf,AfterUserStart (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1131978878828
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...150/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{125B1D80-0A16-4389-96F3-F459553F12E0}: NameServer = 85.255.113.126,85.255.112.227
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{125B1D80-0A16-4389-96F3-F459553F12E0}: NameServer = 85.255.113.126,85.255.112.227
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\..\{125B1D80-0A16-4389-96F3-F459553F12E0}: NameServer = 85.255.113.126,85.255.112.227
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AppMgmt - Unknown owner - C:\WINDOWS\TEMP\146531.exe (file missing)
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: BITS - Unknown owner - C:\WINDOWS\TEMP\123703.exe (file missing)
O23 - Service: clr_optimization_v2.0.50727_32 - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (file missing)
O23 - Service: COMSysApp - Unknown owner - C:\WINDOWS\Temp\124015.exe (file missing)
O23 - Service: dmadmin - Unknown owner - C:\WINDOWS\Temp\124015.exe (file missing)
O23 - Service: dmserver - Unknown owner - C:\WINDOWS\TEMP\BN2.tmp (file missing)
O23 - Service: ERSvc - Unknown owner - C:\WINDOWS\Temp\124015.exe (file missing)
O23 - Service: Eventlog - Unknown owner - C:\WINDOWS\Temp\124015.exe (file missing)
O23 - Service: EventSystem - Unknown owner - C:\WINDOWS\Temp\124015.exe (file missing)
O23 - Service: FastUserSwitchingCompatibility - Unknown owner - C:\WINDOWS\TEMP\145656.exe (file missing)
O23 - Service: IDriverT - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ose - Unknown owner - C:\WINDOWS\TEMP\125640.exe (file missing)
O23 - Service: UPHClean - Unknown owner - C:\Program Files\UPHClean\uphclean.exe (file missing)

--
End of file - 8080 bytes


Thanks!
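As an added example (not part of Sesmu's post and not HijackThis code), a small Python triage script that parses the R1/O17/O23 line formats used in the log above and flags the entries a responder would review first: the ProxyServer pointing at the local machine, per-adapter NameServer values that differ from the ones on the Tcpip\Parameters key, and in-box Windows service names whose binaries resolve into a TEMP folder. The expected-DNS set, the service-name list and the sample lines are assumptions constructed for the example.

```python
"""Triage helper for HijackThis-style log lines (added example, not HijackThis code)."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "line reason")

# Assumption: the resolvers named on the log's Tcpip\Parameters key (OpenDNS)
# are the ones the user configured; any other server on a per-adapter key is
# reported for review rather than declared malicious.
EXPECTED_DNS = {"208.67.220.220", "208.67.222.222"}

# Assumption: these Windows XP in-box service names should never resolve to a
# binary in a TEMP folder, and one listed with "Unknown owner" deserves a look.
SYSTEM_SERVICE_NAMES = {"AppMgmt", "BITS", "COMSysApp", "dmadmin", "dmserver",
                        "ERSvc", "Eventlog", "EventSystem",
                        "FastUserSwitchingCompatibility"}

LOCAL_PROXY_HOSTS = {"127.0.0.1", "localhost"}

R1_PROXY_RE = re.compile(r"^R1 - .*Internet Settings,ProxyServer = (?P<proxy>\S+)$")
O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>[\d.,]+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - "
                    r"(?P<path>.+?)(?P<missing> \(file missing\))?$")

# Constructed sample: a subset of the lines from the log above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O17 - HKLM\System\CCS\Services\Tcpip\..\{125B1D80-0A16-4389-96F3-F459553F12E0}: NameServer = 85.255.113.126,85.255.112.227
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: BITS - Unknown owner - C:\WINDOWS\TEMP\123703.exe (file missing)
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: dmserver - Unknown owner - C:\WINDOWS\TEMP\BN2.tmp (file missing)
"""


def sample_lines():
    return SAMPLE_LOG.strip().splitlines()


def short_service_name(display_name):
    """'ASP.NET State Service (aspnet_state)' -> 'aspnet_state'; plain names unchanged."""
    m = re.search(r"\(([^()]+)\)$", display_name)
    return m.group(1) if m else display_name


def triage(lines):
    """Return a Finding for every line that matches one of the review heuristics."""
    findings = []
    for raw in lines:
        line = raw.strip()

        m = R1_PROXY_RE.match(line)
        if m:
            host = m.group("proxy").rsplit(":", 1)[0]
            if host in LOCAL_PROXY_HOSTS:
                findings.append(Finding(line, "browser traffic is routed through a local proxy "
                                              f"({m.group('proxy')}); check what listens there"))
            continue

        m = O17_RE.match(line)
        if m:
            unexpected = [s for s in m.group("servers").split(",") if s not in EXPECTED_DNS]
            if unexpected:
                findings.append(Finding(line, "DNS servers not in the expected set: "
                                              + ", ".join(unexpected)))
            continue

        m = O23_RE.match(line)
        if m:
            reasons = []
            if "\\temp\\" in m.group("path").lower():
                reasons.append("service binary path is in a TEMP folder")
            if (short_service_name(m.group("name")) in SYSTEM_SERVICE_NAMES
                    and m.group("owner") == "Unknown owner"):
                reasons.append("in-box Windows service name with unknown owner")
            if reasons:
                findings.append(Finding(line, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for f in triage(sample_lines()):
        print(f"{f.reason}\n    {f.line}")
```

Feeding the full log above through `triage()` reports the local proxy, the 85.255.x.x resolvers on the adapter-specific keys, and each service whose binary sits under C:\WINDOWS\TEMP, while the Adobe and ASP.NET entries pass through untouched.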


#2 Sesmu


Posted 28 January 2008 - 09:22 AM

any thoughts?

#3 OldTimer (Malware Expert)
Posted 06 February 2008 - 04:14 PM

Hello Sesmu and welcome to the BC HijackThis forum. Let's look a little closer and see what we find.

Before running the scan let's clean out the temporary folders.

Download ATF Cleaner
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Now download WinPFind35u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind35u on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the WinPFind35u folder and double-click on WinPFind35U.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • In the Drivers section click on Non-Microsoft.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck
    • File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in.

If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts or attach it as a file.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#4 Sesmu


Posted 16 February 2008 - 10:48 PM

Hi OldTimer. Sorry, I couldn't get to this earlier. Thanks for your help. I followed the instructions and here are the results:
(One little problem though. I see < End of report > line, but whenever I try to post an entire report in one post, the browser closes on me. So I will divide it.)

WinPFind35 logfile created on: 2/16/2008 10:30:28 PM
WinPFind35U Version Beta52	 Folder = C:\Documents and Settings\Owner\Desktop\WinPFind35u
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
511.30 Mb Total Physical Memory | 249.66 Mb Available Physical Memory | 48.83% Memory free
1.97 Gb Paging File | 1.73 Gb Available in Paging File | 87.82% Paging File free
Paging file location(s): c:\pagefile.sys 1536 1536;
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.78 Gb Total Space | 20.81 Gb Free Space | 18.62% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 85.48 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: VLAD
Current User Name: Owner
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user

[Processes - Non-Microsoft Only]
jusched.exe -> %ProgramFiles%\Java\jre1.6.0_03\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 132496 bytes | Modified Date = 9/25/2007 12:11:35 AM | Attr =	]
winpfind35u.exe -> %UserProfile%\Desktop\WinPFind35u\WinPFind35U.exe -> OldTimer Tools [Ver = 1.0.0.0 | Size = 309760 bytes | Modified Date = 2/16/2008 1:03:26 PM | Attr =	]

[Win32 Services - Non-Microsoft Only]
(Adobe LM Service) Adobe LM Service [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Adobe Systems Shared\Service\Adobelmsvc.exe -> Adobe Systems [Ver = 2.65.010 | Size = 69632 bytes | Modified Date = 4/15/2006 2:22:54 AM | Attr =	]
(AppMgmt) AppMgmt [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\TEMP\146531.exe -> File not found
(aspnet_state) ASP.NET State Service [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -> File not found
(BITS) BITS [Win32_Own | Auto | Stopped] -> %SystemRoot%\TEMP\123703.exe -> File not found
(clr_optimization_v2.0.50727_32) clr_optimization_v2.0.50727_32 [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -> File not found
(COMSysApp) COMSysApp [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\Temp\124015.exe -> File not found
(dmadmin) dmadmin [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\Temp\124015.exe -> File not found
(dmserver) dmserver [Win32_Own | Auto | Stopped] -> %SystemRoot%\TEMP\BN2.tmp -> File not found
(ERSvc) ERSvc [Win32_Own | Auto | Stopped] -> %SystemRoot%\Temp\124015.exe -> File not found
(Eventlog) Eventlog [Win32_Own | Auto | Stopped] -> %SystemRoot%\Temp\124015.exe -> File not found
(EventSystem) EventSystem [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\Temp\124015.exe -> File not found
(FastUserSwitchingCompatibility) FastUserSwitchingCompatibility [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\TEMP\145656.exe -> File not found
(IDriverT) IDriverT [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\InstallShield\Driver\11\Intel 32\IDriverT.exe -> Macrovision Corporation [Ver = 11.00.28844 | Size = 69632 bytes | Modified Date = 4/4/2005 12:41:10 AM | Attr =	]
(ose) ose [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\TEMP\125640.exe -> File not found
(UPHClean) UPHClean [Win32_Own | Auto | Stopped] -> %ProgramFiles%\UPHClean\uphclean.exe -> File not found

[Driver Services - Non-Microsoft Only]
(Abiosdsk) Abiosdsk [Kernel | Disabled | Stopped] ->  -> File not found
(abp480n5) abp480n5 [Kernel | Disabled | Stopped] ->  -> File not found
(ac97intc) Intel(r) 82801 Audio Driver Install Service (WDM) [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\ac97intc.sys -> Intel Corporation [Ver = 5.10.3523 built by: WinDDK | Size = 96256 bytes | Modified Date = 8/17/2001 7:20:04 AM | Attr =	]
(adpu160m) adpu160m [Kernel | Disabled | Stopped] ->  -> File not found
(Aha154x) Aha154x [Kernel | Disabled | Stopped] ->  -> File not found
(aic78u2) aic78u2 [Kernel | Disabled | Stopped] ->  -> File not found
(aic78xx) aic78xx [Kernel | Disabled | Stopped] ->  -> File not found
(AliIde) AliIde [Kernel | Disabled | Stopped] ->  -> File not found
(amsint) amsint [Kernel | Disabled | Stopped] ->  -> File not found
(asc) asc [Kernel | Disabled | Stopped] ->  -> File not found
(asc3350p) asc3350p [Kernel | Disabled | Stopped] ->  -> File not found
(asc3550) asc3550 [Kernel | Disabled | Stopped] ->  -> File not found
(Atdisk) Atdisk [Kernel | Disabled | Stopped] ->  -> File not found
(basic2) basic2 [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\basic2.sys -> Conexant Systems [Ver = 3.05.20 | Size = 77426 bytes | Modified Date = 7/12/2001 1:49:32 PM | Attr =	]
(cd20xrnt) cd20xrnt [Kernel | Disabled | Stopped] ->  -> File not found
(Changer) Changer [Kernel | System | Stopped] ->  -> File not found
(CmdIde) CmdIde [Kernel | Disabled | Stopped] ->  -> File not found
(Cnxtdiag) Cnxtdiag [Kernel | Auto | Running] -> %SystemRoot%\system32\drivers\cnxtdiag.sys -> Conexant Systems [Ver = 3.5.18.4 | Size = 17776 bytes | Modified Date = 7/3/2001 5:42:30 PM | Attr =	]
(CO_Mon) CO_Mon [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\Drivers\CO_Mon.sys -> File not found
(Cpqarray) Cpqarray [Kernel | Disabled | Stopped] ->  -> File not found
(dac960nt) dac960nt [Kernel | Disabled | Stopped] ->  -> File not found
(dmboot) dmboot [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\drivers\dmboot.sys -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 799744 bytes | Modified Date = 8/4/2004 7:00:00 AM | Attr =	]
(dmio) Logical Disk Manager Driver [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\dmio.sys -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 153344 bytes | Modified Date = 8/4/2004 7:00:00 AM | Attr =	]
(dmload) dmload [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\dmload.sys -> Microsoft Corp., Veritas Software. [Ver = 2600.0.503.0 | Size = 5888 bytes | Modified Date = 8/4/2004 7:00:00 AM | Attr =	]
(dpti2o) dpti2o [Kernel | Disabled | Stopped] ->  -> File not found
(E100B) Intel(R) PRO Adapter Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\e100b325.sys -> Intel Corporation [Ver = 5.41.22.0000 built by: WinDDK | Size = 117760 bytes | Modified Date = 8/17/2001 7:12:10 AM | Attr =	]
(Fallback) Fallback [Kernel | Auto | Running] -> %SystemRoot%\system32\drivers\fallback.sys -> Conexant Systems [Ver = 3.05.20 | Size = 310739 bytes | Modified Date = 7/12/2001 1:52:10 PM | Attr =	]
(Fsks) Fsks [Kernel | Auto | Running] -> %SystemRoot%\system32\drivers\fsksnt.sys -> Conexant Systems [Ver = 3.05.19 | Size = 127405 bytes | Modified Date = 6/14/2001 6:37:38 PM | Attr =	]
(hpn) hpn [Kernel | Disabled | Stopped] ->  -> File not found
(i2omgmt) i2omgmt [Kernel | System | Stopped] ->  -> File not found
(i2omp) i2omp [Kernel | Disabled | Stopped] ->  -> File not found
(ini910u) ini910u [Kernel | Disabled | Stopped] ->  -> File not found
(K56) K56 [Kernel | Auto | Running] -> %SystemRoot%\system32\drivers\k56nt.sys -> Conexant Systems [Ver = 3.05.20 | Size = 427167 bytes | Modified Date = 7/12/2001 1:52:38 PM | Attr =	]
(lanmandrv) lanmandrv [Kernel | System | Running] -> %SystemRoot%\System32\lanmandrv.sys -> File not found
(lbrtfdc) lbrtfdc [Kernel | System | Stopped] ->  -> File not found
(mraid35x) mraid35x [Kernel | Disabled | Stopped] ->  -> File not found
(nv) nv [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\nv4_mini.sys -> NVIDIA Corporation [Ver = 6.14.10.5673 | Size = 1897408 bytes | Modified Date = 8/3/2004 5:29:56 PM | Attr =	]
(PCIDump) PCIDump [Kernel | System | Stopped] ->  -> File not found
(PCIIde) PCIIde [Kernel | Disabled | Stopped] ->  -> File not found
(Pcouffin) Low level access layer for CD devices [Kernel | On_Demand | Stopped] -> System32\Drivers\Pcouffin.sys -> File not found
(PDCOMP) PDCOMP [Kernel | On_Demand | Stopped] ->  -> File not found
(PDFRAME) PDFRAME [Kernel | On_Demand | Stopped] ->  -> File not found
(PDRELI) PDRELI [Kernel | On_Demand | Stopped] ->  -> File not found
(PDRFRAME) PDRFRAME [Kernel | On_Demand | Stopped] ->  -> File not found
(perc2) perc2 [Kernel | Disabled | Stopped] ->  -> File not found
(perc2hib) perc2hib [Kernel | Disabled | Stopped] ->  -> File not found
(PREVXEmulator) PREVX Emulator driver [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\PxEmu.sys -> Prevx Limited, http://www.prevx1.com/ [Ver = 3.1.0.8744 built by: WinDDK | Size = 107784 bytes | Modified Date = 9/5/2007 10:47:28 AM | Attr =	]
(PREVXTdi) PREVX TDI filter [Kernel | System | Running] -> %SystemRoot%\system32\drivers\pxtdi.sys -> Prevx Limited, http://www.prevx1.com/ [Ver = 3.1.0.8744 built by: WinDDK | Size = 28040 bytes | Modified Date = 9/5/2007 10:47:16 AM | Attr =	]
(Ptilink) Direct Parallel Link Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\ptilink.sys -> Parallel Technologies, Inc. [Ver = 1.10 (XPClient.010817-1148) | Size = 17792 bytes | Modified Date = 8/4/2004 7:00:00 AM | Attr =	]
(PxHelp20) PxHelp20 [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\PxHelp20.sys -> Sonic Solutions [Ver = 2.03.28a | Size = 20640 bytes | Modified Date = 12/5/2005 12:12:26 AM | Attr =	]
(PXRDDriver) PREVX Rootkitscan driver [Kernel | System | Running] -> %SystemRoot%\system32\drivers\PxRD.sys -> Prevx Limited, http://www.prevx1.com/ [Ver = 3.1.0.8744 built by: WinDDK | Size = 23048 bytes | Modified Date = 9/5/2007 10:45:42 AM | Attr =	]
(ql1080) ql1080 [Kernel | Disabled | Stopped] ->  -> File not found
(Ql10wnt) Ql10wnt [Kernel | Disabled | Stopped] ->  -> File not found
(ql12160) ql12160 [Kernel | Disabled | Stopped] ->  -> File not found
(ql1240) ql1240 [Kernel | Disabled | Stopped] ->  -> File not found
(ql1280) ql1280 [Kernel | Disabled | Stopped] ->  -> File not found
(Rksample) Rksample [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\rksample.sys -> Conexant Systems [Ver = 3.05.19 | Size = 67622 bytes | Modified Date = 6/14/2001 6:33:04 PM | Attr =	]
(Secdrv) Secdrv [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\secdrv.sys ->  [Ver =  | Size = 27440 bytes | Modified Date = 8/4/2004 7:00:00 AM | Attr =	]
(Simbad) Simbad [Kernel | Disabled | Stopped] ->  -> File not found
(SoftFax) SoftFax [Kernel | Auto | Running] -> %SystemRoot%\system32\drivers\faxnt.sys -> Conexant Systems [Ver = 3.05.19 | Size = 216987 bytes | Modified Date = 6/14/2001 6:36:52 PM | Attr =	]
(Sparrow) Sparrow [Kernel | Disabled | Stopped] ->  -> File not found
(Syg42) Syg42 [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\Syg42.sys ->  [Ver =  | Size = 25984 bytes | Modified Date = 2/16/2008 10:18:20 PM | Attr =	]
(symc810) symc810 [Kernel | Disabled | Stopped] ->  -> File not found
(symc8xx) symc8xx [Kernel | Disabled | Stopped] ->  -> File not found
(sym_hi) sym_hi [Kernel | Disabled | Stopped] ->  -> File not found
(sym_u3) sym_u3 [Kernel | Disabled | Stopped] ->  -> File not found
(tmcomm) tmcomm [Kernel | Auto | Running] -> %SystemRoot%\system32\drivers\tmcomm.sys -> Trend Micro Inc. [Ver = 1.6.0.1059 | Size = 102664 bytes | Modified Date = 8/1/2007 4:47:26 PM | Attr =	]
(Tones) Tones [Kernel | Auto | Running] -> %SystemRoot%\system32\drivers\tonesnt.sys -> Conexant Systems [Ver = 3.05.19 | Size = 56639 bytes | Modified Date = 6/14/2001 6:35:50 PM | Attr =	]
(TosIde) TosIde [Kernel | Disabled | Stopped] ->  -> File not found
(ultra) ultra [Kernel | Disabled | Stopped] ->  -> File not found
(V124) V124 [Kernel | Auto | Running] -> %SystemRoot%\system32\drivers\v124nt.sys -> Conexant Systems [Ver = 3.05.20 | Size = 534605 bytes | Modified Date = 7/12/2001 1:49:10 PM | Attr =	]
(ViaIde) ViaIde [Kernel | Disabled | Stopped] ->  -> File not found
(WDICA) WDICA [Kernel | On_Demand | Stopped] ->  -> File not found
(Wek30) Wek30 [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\Wek30.sys ->  [Ver =  | Size = 21760 bytes | Modified Date = 12/20/2007 1:21:01 AM | Attr =	]
(winachsf) winachsf [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\HSF_CNXT.sys -> Conexant Systems [Ver = 3.05.20 | Size = 584304 bytes | Modified Date = 7/12/2001 1:54:20 PM | Attr =	]

[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
QuickTime Task -> %ProgramFiles%\QuickTime\QTTask.exe -> Apple Inc. [Ver = 7.2 | Size = 286720 bytes | Modified Date = 6/29/2007 5:24:52 AM | Attr =	]
SunJavaUpdateSched -> %ProgramFiles%\Java\jre1.6.0_03\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 132496 bytes | Modified Date = 9/25/2007 12:11:35 AM | Attr =	]
< OptionalComponents [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ -> 
IMAIL-> Installed = 1 -> 
MAPI-> Installed = 1 -> 
MSFS-> Installed = 1 -> 
< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup -> 
< Owner Startup Folder > -> C:\Documents and Settings\Owner\Start Menu\Programs\Startup -> 
< SecurityProviders [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders -> 
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
*System* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\System -> 
kdtfy.exe -> kdtfy.exe -> File not found
*MultiFile Done* -> -> 
*UserInit* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit -> 
PPLICATION DATA ->  -> File not found
*MultiFile Done* -> -> 
< Winlogon settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
< CurrentVersion Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 -> 
< CurrentVersion Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\\NoDeletingComponents -> 0 -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> -> 
< HOSTS File > (736 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts -> 
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> -> 
HKEY_LOCAL_MACHINE\: Main\\Default_Page_URL -> http://go.microsoft.com/fwlink/?LinkId=69157 -> 
HKEY_LOCAL_MACHINE\: Main\\Default_Search_URL -> http://go.microsoft.com/fwlink/?LinkId=54896 -> 
HKEY_LOCAL_MACHINE\: Main\\Local Page -> %SystemRoot%\system32\blank.htm -> 
HKEY_LOCAL_MACHINE\: Main\\Search Page -> http://mail.yahoo.com/ -> 
HKEY_LOCAL_MACHINE\: Main\\Start Page -> http://mail.yahoo.com/ -> 
HKEY_LOCAL_MACHINE\: Search\\CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm -> 
HKEY_LOCAL_MACHINE\: Search\\SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm -> 
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> -> 
HKEY_CURRENT_USER\: Main\\Default_Page_URL ->  -> 
HKEY_CURRENT_USER\: Main\\Default_Search_URL -> http://ie.search.msn.com -> 
HKEY_CURRENT_USER\: Main\\Local Page -> C:\WINDOWS\system32\blank.htm -> 
HKEY_CURRENT_USER\: Main\\Search Bar -> http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchasst.htm -> 
HKEY_CURRENT_USER\: Main\\Search Page -> http://www.google.com/ -> 
HKEY_CURRENT_USER\: Main\\Start Page -> http://mail.yahoo.com/ -> 
HKEY_CURRENT_USER\: Search\\CustomizeSearch -> http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchcust.htm -> 
HKEY_CURRENT_USER\: Search\\SearchAssistant -> http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchasst.htm -> 
HKEY_CURRENT_USER\: SearchURL\\ -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch[Reg Error: Value provider does not exist or could not be read.] -> 
HKEY_CURRENT_USER\: ProxyEnable -> 0 -> 
HKEY_CURRENT_USER\: ProxyOverride -> local -> 
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 1 domain(s) found. -> 
1 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 3917 domain(s) found. -> 
turbotax.com .[https] -> Trusted sites -> 
31 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 53 range(s) found. -> 
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ -> 
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 59032 bytes | Modified Date = 12/18/2006 3:16:41 AM | Attr =	]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Java\jre1.6.0_03\bin\ssv.dll [SSVHelper Class] -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 501136 bytes | Modified Date = 9/25/2007 12:11:33 AM | Attr =	]
{AE7CD045-E861-484f-8273-0445EE161910} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [Adobe PDF Conversion Toolbar Helper] -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 231160 bytes | Modified Date = 12/18/2006 3:18:14 AM | Attr =	]
< Internet Explorer Bars [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ -> 
{182EC0BE-5110-49C8-A062-BEB1D02A220B} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [Adobe PDF] -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 231160 bytes | Modified Date = 12/18/2006 3:18:14 AM | Attr =	]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar -> 
{47833539-D0C5-4125-9FA8-0819E2EAAC93} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [Adobe PDF] -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 231160 bytes | Modified Date = 12/18/2006 3:18:14 AM | Attr =	]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ -> 
ShellBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [Adobe PDF] -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 231160 bytes | Modified Date = 12/18/2006 3:18:14 AM | Attr =	]
WebBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [Adobe PDF] -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 231160 bytes | Modified Date = 12/18/2006 3:18:14 AM | Attr =	]
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ -> 
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Java\jre1.6.0_03\bin\npjpi160_03.dll [Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 132496 bytes | Modified Date = 9/25/2007 12:11:34 AM | Attr =	]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} [HKEY_CURRENT_USER] -> %ProgramFiles%\Java\jre1.6.0_03\bin\ssv.dll [Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 501136 bytes | Modified Date = 9/25/2007 12:11:33 AM | Attr =	]
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\ -> 
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Java\jre1.6.0_03\bin\npjpi160_03.dll [Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 132496 bytes | Modified Date = 9/25/2007 12:11:34 AM | Attr =	]
< Internet Explorer Menu Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ -> 
Adobe PDF로 변환 -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 231160 bytes | Modified Date = 12/18/2006 3:18:14 AM | Attr =	]
Convert link target to Adobe PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 231160 bytes | Modified Date = 12/18/2006 3:18:14 AM | Attr =	]
Convert link target to existing PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 231160 bytes | Modified Date = 12/18/2006 3:18:14 AM | Attr =	]
Convert selected links to Adobe PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 231160 bytes | Modified Date = 12/18/2006 3:18:14 AM | Attr =	]
Convert selected links to existing PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 231160 bytes | Modified Date = 12/18/2006 3:18:14 AM | Attr =	]
Convert selection to Adobe PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 231160 bytes | Modified Date = 12/18/2006 3:18:14 AM | Attr =	]
Convert selection to existing PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 231160 bytes | Modified Date = 12/18/2006 3:18:14 AM | Attr =	]
Convert to Adobe PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 231160 bytes | Modified Date = 12/18/2006 3:18:14 AM | Attr =	]
Convert to existing PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 231160 bytes | Modified Date = 12/18/2006 3:18:14 AM | Attr =	]
기존 PDF로 변환 -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 231160 bytes | Modified Date = 12/18/2006 3:18:14 AM | Attr =	]
링크 대상을 Adobe PDF로 변환 -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 231160 bytes | Modified Date = 12/18/2006 3:18:14 AM | Attr =	]
링크 대상을 기존 PDF로 변환 -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 231160 bytes | Modified Date = 12/18/2006 3:18:14 AM | Attr =	]
선택 영역을 Adobe PDF로 변환 -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 231160 bytes | Modified Date = 12/18/2006 3:18:14 AM | Attr =	]
선택 영역을 기존 PDF로 변환 -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 231160 bytes | Modified Date = 12/18/2006 3:18:14 AM | Attr =	]
선택한 링크를 Adobe PDF로 변환 -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 231160 bytes | Modified Date = 12/18/2006 3:18:14 AM | Attr =	]
선택한 링크를 기존 PDF로 변환 -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 231160 bytes | Modified Date = 12/18/2006 3:18:14 AM | Attr =	]
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ -> 
PluginsPageFriendlyName -> Microsoft ActiveX Gallery -> 
PluginsPage -> http://activex.microsoft.com/controls/find.asp?ext=%s&mime=%s -> 
< User Agent Post Platform [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform -> 
{65C01276-617B-5097-8978-6CB99F662693} ->  -> 
< DNS Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ -> 
{125B1D80-0A16-4389-96F3-F459553F12E0} -> 208.67.220.220,208.67.222.222	(Intel(R) PRO/100 VE Network Connection) -> 
< Protocol Handlers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ -> 
ipp: [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened.[Reg Error: Value  does not exist or could not be read.] -> File not found
msdaipp: [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened.[Reg Error: Value  does not exist or could not be read.] -> File not found
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ -> 
{17492023-C23A-453E-A040-C7C580BBF700}[HKEY_LOCAL_MACHINE] -> http://go.microsoft.com/fwlink/?LinkID=39204[Windows Genuine Advantage Validation Tool] -> 
{2BC66F54-93A8-11D3-BEB6-00105AA9B6AE}[HKEY_LOCAL_MACHINE] -> http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab[Symantec AntiVirus scanner] -> 
{3E68E405-C6DE-49FF-83AE-41EE9F4C36CE}[HKEY_LOCAL_MACHINE] -> http://office.microsoft.com/officeupdate/content/opuc3.cab[Office Update Installation Engine] -> 
{644E432F-49D3-41A1-8DD5-E099162EEEC5}[HKEY_LOCAL_MACHINE] -> http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab[Symantec RuFSI Utility Class] -> 
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3}[HKEY_LOCAL_MACHINE] -> http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1131978878828[MUWebControl Class] -> 
{8AD9C840-044E-11D1-B3E9-00805F499D93}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab[Java Plug-in 1.6.0_03] -> 
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab[Java Plug-in 1.5.0_06] -> 
{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab[Java Plug-in 1.5.0_09] -> 
{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab[Java Plug-in 1.5.0_10] -> 
{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab[Java Plug-in 1.5.0_11] -> 
{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab[Java Plug-in 1.6.0_01] -> 
{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab[Java Plug-in 1.6.0_02] -> 
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab[Java Plug-in 1.6.0_03] -> 
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab[Java Plug-in 1.6.0_03] -> 
{D27CDB6E-AE6D-11CF-96B8-444553540000}[HKEY_LOCAL_MACHINE] -> http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab[Shockwave Flash Object] -> 
{EF791A6B-FC12-4C68-99EF-FB9E207A39E6}[HKEY_LOCAL_MACHINE] -> http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5150/mcfscan.cab[McFreeScan Class] ->

[Registry - Additional Scans - Non-Microsoft Only]
< BotCheck > -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\\DefaultLaunchPermission -> (binary data) -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\\MachineLaunchRestriction -> (binary data) -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\\MachineAccessRestriction -> (binary data) -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\\EnableDCOM -> Y -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\\{A50398B8-9075-4FBF-A7A1-456BF21937AD} -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\\{AD65A69D-3831-40D7-9629-9B0B50A93843} -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\\{0040D221-54A1-11D1-9DE0-006097042D69} -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\\{2A6D72F1-6E7E-4702-B99C-E40D3DED33C3} -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\FirstRunDisabled -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\AntiVirusDisableNotify -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\FirewallDisableNotify -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\UpdatesDisableNotify -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\AntiVirusOverride -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\FirewallOverride -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall\ -> -> 
Reg Error: Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\ not found. -> -> 
Reg Error: Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\ not found. -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ -> ->
*Authentication Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages -> 
msv1_0 -> %SystemRoot%\system32\msv1_0.dll -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 129536 bytes | Modified Date = 8/4/2004 7:00:00 AM | Attr =	]
*MultiFile Done* -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Bounds -> (binary data) -> 
*Security Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Security Packages -> 
kerberos -> %SystemRoot%\system32\kerberos.dll -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 294400 bytes | Modified Date = 8/4/2004 7:00:00 AM | Attr =	]
msv1_0 -> %SystemRoot%\system32\msv1_0.dll -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 129536 bytes | Modified Date = 8/4/2004 7:00:00 AM | Attr =	]
schannel -> %SystemRoot%\system32\schannel.dll -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 144896 bytes | Modified Date = 8/4/2004 7:00:00 AM | Attr =	]
wdigest -> %SystemRoot%\system32\wdigest.dll -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 49152 bytes | Modified Date = 8/4/2004 7:00:00 AM | Attr =	]
*MultiFile Done* -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\ImpersonatePrivilegeUpgradeToolHasRun -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\LsaPid -> 708 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\SecureBoot -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\auditbaseobjects -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\crashonauditfail -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\disabledomaincreds -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\everyoneincludesanonymous -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\fipsalgorithmpolicy -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\forceguest -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\fullprivilegeauditing -> (binary data) -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\limitblankpassworduse -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\lmcompatibilitylevel -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\nodefaultadminowner -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\nolmhash -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\restrictanonymous -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\restrictanonymoussam -> 1 -> 
*Notification Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Notification Packages -> 
scecli -> %SystemRoot%\system32\scecli.dll -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 180224 bytes | Modified Date = 8/4/2004 7:00:00 AM | Attr =	]
*MultiFile Done* -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\ -> -> 
*ProviderOrder* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\\ProviderOrder -> 
Windows NT Access Provider ->  -> File not found
*MultiFile Done* -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider\\ProviderPath -> C:\WINDOWS\system32\ntmarta.dll [%SystemRoot%\system32\ntmarta.dll] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 118784 bytes | Modified Date = 8/4/2004 7:00:00 AM | Attr =	]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data\\Pattern -> (binary data) -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG\\GrafBlumGroup -> (binary data) -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD\\Lookup -> (binary data) -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\SidCache\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\\Auth132 -> C:\WINDOWS\system32\iissuba.dll [IISSUBA] -> Microsoft Corporation [Ver = 6.0.2600.0 (xpclient.010817-1148) | Size = 9216 bytes | Modified Date = 8/4/2004 7:00:00 AM | Attr =	]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\\ntlmminclientsec -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\\ntlmminserversec -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1\\SkewMatrix -> (binary data) -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4\\SSOURL -> http://www.passport.com -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\\Time -> (binary data) -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Name -> Digest -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Comment -> Digest SSPI Authentication Package -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Capabilities -> 16464 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\RpcId -> 65535 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Version -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\TokenSize -> 65535 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Time -> (binary data) -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Type -> 49 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Name -> DPA -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Comment -> DPA Security Package -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Capabilities -> 55 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\RpcId -> 17 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Version -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\TokenSize -> 768 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Time -> (binary data) -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Type -> 49 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Name -> MSN -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Comment -> MSN Security Package -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Capabilities -> 55 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\RpcId -> 18 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Version -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\TokenSize -> 768 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Time -> (binary data) -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Type -> 49 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\DependOnGroup ->  -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\DependOnService -> Netman;WinMgmt; -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\Description -> Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network. -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\DisplayName -> Windows Firewall/Internet Connection Sharing (ICS) -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\ErrorControl -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\ImagePath -> C:\WINDOWS\system32\svchost.exe [%SystemRoot%\system32\svchost.exe -k netsvcs] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 8/4/2004 7:00:00 AM | Attr =	]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\ObjectName -> LocalSystem -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\Start -> 2 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\Type -> 32 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\\Epoch -> 12539 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\\ServiceDll -> C:\WINDOWS\system32\ipnathlp.dll [%SystemRoot%\System32\ipnathlp.dll] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 331264 bytes | Modified Date = 8/4/2004 7:00:00 AM | Attr =	]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\%windir%\system32\sessmgr.exe -> C:\WINDOWS\system32\sessmgr.exe [%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 140800 bytes | Modified Date = 8/3/2004 6:56:58 PM | Attr =	]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\139:TCP -> 139:TCP:*:Enabled:@xpsp2res.dll,-22004 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\445:TCP -> 445:TCP:*:Enabled:@xpsp2res.dll,-22005 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\137:UDP -> 137:UDP:*:Enabled:@xpsp2res.dll,-22001 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\138:UDP -> 138:UDP:*:Enabled:@xpsp2res.dll,-22002 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\1900:UDP -> 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll [1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007] -> File not found
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\2869:TCP -> 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll [2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008] -> File not found
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\\EnableFirewall -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\\DoNotAllowExceptions -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\\DisableNotifications -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\%windir%\system32\sessmgr.exe -> C:\WINDOWS\system32\sessmgr.exe [%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 140800 bytes | Modified Date = 8/3/2004 6:56:58 PM | Attr =	]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\eMule\emule.exe -> C:\Program Files\eMule\emule.exe [C:\Program Files\eMule\emule.exe:*:Enabled:eMule] -> http://www.emule-project.net [Ver = 0.48.0 Unicode | Size = 5308416 bytes | Modified Date = 5/13/2007 9:57:46 AM | Attr =	]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Documents and Settings\Owner\Desktop\uTorrent.exe -> C:\Documents and Settings\Owner\Desktop\uTorrent.exe [C:\Documents and Settings\Owner\Desktop\uTorrent.exe:*:Enabled:µTorrent] ->  [Ver =  | Size = 219952 bytes | Modified Date = 1/29/2008 5:17:09 PM | Attr =	]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\139:TCP -> 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll [139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004] -> File not found
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\445:TCP -> 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll [445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005] -> File not found
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\137:UDP -> 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll [137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001] -> File not found
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\138:UDP -> 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll [138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002] -> File not found
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\1900:UDP -> 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll [1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007] -> File not found
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\2869:TCP -> 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll [2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008] -> File not found
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\\ServiceUpgrade -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\\0 -> Root\LEGACY_SHAREDACCESS\0000 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\\Count -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\\NextInstance -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Type -> 32 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Start -> 2 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ErrorControl -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ImagePath -> C:\WINDOWS\system32\svchost.exe [%systemroot%\system32\svchost.exe -k netsvcs] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 8/4/2004 7:00:00 AM | Attr =	]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\DisplayName -> Automatic Updates -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ObjectName -> LocalSystem -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Description -> Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site. -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters\\ServiceDll -> C:\WINDOWS\system32\wuauserv.dll [C:\WINDOWS\system32\wuauserv.dll] -> Microsoft Corporation [Ver = 5.4.3790.2180 (xpsp_sp2_rtm.040803-2158) | Size = 6656 bytes | Modified Date = 8/4/2004 7:00:00 AM | Attr =	]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Security\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Security\\Security -> (binary data) -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\0 -> Root\LEGACY_WUAUSERV\0000 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\Count -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\NextInstance -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\Description -> Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. If this service is disabled, any services that explicitly depend on it will fail to start. -> 
*DependOnService* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\DependOnService -> 
RPCSS -> %SystemRoot%\system32\rpcss.dll -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 395776 bytes | Modified Date = 8/4/2004 7:00:00 AM | Attr =	]
*MultiFile Done* -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\DisplayName -> Remote Registry -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\ErrorControl -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\ImagePath -> C:\WINDOWS\system32\svchost.exe [%SystemRoot%\system32\svchost.exe -k LocalService] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 8/4/2004 7:00:00 AM | Attr =	]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\ObjectName -> NT AUTHORITY\LocalService -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\Group ->  -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\Start -> 2 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\Type -> 32 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\FailureActions -> (binary data) -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Parameters\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Parameters\\ServiceDll -> C:\WINDOWS\system32\regsvc.dll [%SystemRoot%\system32\regsvc.dll] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 59904 bytes | Modified Date = 8/4/2004 7:00:00 AM | Attr =	]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Security\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Security\\Security -> (binary data) -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Enum\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Enum\\0 -> Root\LEGACY_REMOTEREGISTRY\0000 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Enum\\Count -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Enum\\NextInstance -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\Type -> 16 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\Start -> 4 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\ErrorControl -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\ImagePath -> C:\WINDOWS\system32\tlntsvr.exe [C:\WINDOWS\system32\tlntsvr.exe] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 73216 bytes | Modified Date = 8/4/2004 7:00:00 AM | Attr =	]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\DisplayName -> TlntSvr -> 
*DependOnService* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\DependOnService -> 
RPCSS -> %SystemRoot%\system32\rpcss.dll -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 395776 bytes | Modified Date = 8/4/2004 7:00:00 AM | Attr =	]
TCPIP ->  -> File not found
NTLMSSP ->  -> File not found
*MultiFile Done* -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\DependOnGroup ->  -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\ObjectName -> LocalSystem -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\Description -> Enables a remote user to log on to this computer and run programs, and supports various TCP/IP Telnet clients, including UNIX-based and Windows-based computers. If this service is stopped, remote user access to programs might be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Security\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Security\\Security -> (binary data) -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings\\ProxyEnable -> 0 -> 


[Files/Folders - Created Within 30 days]
Config.Msi -> %SystemDrive%\Config.Msi ->  [Folder | Created Date = 1/29/2008 8:55:44 AM | Attr =  HS]
tmcomm.sys -> %SystemRoot%\System32\drivers\tmcomm.sys -> Trend Micro Inc. [Ver = 1.6.0.1059 | Size = 102664 bytes | Modified Date = 8/1/2007 4:47:26 PM | Attr =	]
5_exception.nls -> %SystemRoot%\System32\5_exception.nls ->  [Ver =  | Size = 0 bytes | Modified Date = 2/6/2008 12:41:30 AM | Attr =	]
87422.exe -> %SystemRoot%\System32\87422.exe ->  [Ver =  | Size = 14336 bytes | Modified Date = 2/14/2008 4:22:20 PM | Attr =	]
kcopt.dll -> %SystemRoot%\System32\kcopt.dll ->  [Ver =  | Size = 27281 bytes | Modified Date = 2/16/2008 10:20:50 PM | Attr =	]
ksvcl.dll -> %SystemRoot%\System32\ksvcl.dll ->  [Ver =  | Size = 0 bytes | Modified Date = 2/16/2008 10:20:50 PM | Attr =	]
LogCrypt.dll -> %SystemRoot%\System32\LogCrypt.dll ->  [Ver =  | Size = 8704 bytes | Modified Date = 2/14/2008 3:57:57 PM | Attr =	]
qmopt.dll -> %SystemRoot%\System32\qmopt.dll ->  [Ver =  | Size = 724 bytes | Modified Date = 2/16/2008 10:17:41 PM | Attr =	]
SpoonUninstall-dBpoweramp WavPack Codec.bmp -> %SystemRoot%\System32\SpoonUninstall-dBpoweramp WavPack Codec.bmp ->  [Ver =  | Size = 33846 bytes | Modified Date = 1/25/2008 11:27:00 PM | Attr =	]
SpoonUninstall-dBpoweramp WavPack Codec.dat -> %SystemRoot%\System32\SpoonUninstall-dBpoweramp WavPack Codec.dat ->  [Ver =  | Size = 3008 bytes | Modified Date = 1/25/2008 11:27:13 PM | Attr =	]
WLCtrl32.dll -> %SystemRoot%\System32\WLCtrl32.dll ->  [Ver =  | Size = 6656 bytes | Modified Date = 2/16/2008 10:16:29 PM | Attr =	]
QTFont.for -> %SystemRoot%\QTFont.for ->  [Ver =  | Size = 1409 bytes | Modified Date = 2/13/2008 4:29:59 PM | Attr =	]
QTFont.qfn -> %SystemRoot%\QTFont.qfn ->  [Ver =  | Size = 54156 bytes | Modified Date = 2/13/2008 4:29:59 PM | Attr =  H ]
[Files Created - Additional Folder Scans - Non-Microsoft Only]
HouseCall 6.6 -> %AppData%\HouseCall 6.6 ->  [Folder | Created Date = 1/27/2008 2:25:34 AM | Attr =	]
NeroVision -> %UserProfile%\My Documents\NeroVision ->  [Folder | Created Date = 1/26/2008 8:47:12 PM | Attr =	]
???????.txt -> %UserProfile%\My Documents\женщина.txt ->  [Ver =  | Size = 2226 bytes | Modified Date = 4/10/2007 3:58:15 PM | Attr =	]
???.txt -> %UserProfile%\My Documents\тай.txt ->  [Ver =  | Size = 7236 bytes | Modified Date = 3/12/2007 9:43:51 PM | Attr =	]
100OLYMP -> %UserProfile%\Desktop\100OLYMP ->  [Folder | Created Date = 2/9/2008 5:43:10 PM | Attr =	]
BU 14 evals.xls -> %UserProfile%\Desktop\BU 14 evals.xls ->  [Ver =  | Size = 67072 bytes | Modified Date = 2/14/2008 10:43:41 PM | Attr =	]
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\BU 14 evals.xls:Zone.Identifier
comcast payment02-13.pdf -> %UserProfile%\Desktop\comcast payment02-13.pdf ->  [Ver =  | Size = 13331 bytes | Modified Date = 2/14/2008 12:37:19 AM | Attr =	]
comcast01-18.pdf -> %UserProfile%\Desktop\comcast01-18.pdf ->  [Ver =  | Size = 1377347 bytes | Modified Date = 2/14/2008 12:34:59 AM | Attr =	]
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\comcast01-18.pdf:Zone.Identifier
comcast12-18.pdf -> %UserProfile%\Desktop\comcast12-18.pdf ->  [Ver =  | Size = 163340 bytes | Modified Date = 2/14/2008 12:34:35 AM | Attr =	]
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\comcast12-18.pdf:Zone.Identifier
Drop in Sports Feb Vac 2008 - Appl.doc -> %UserProfile%\Desktop\Drop in Sports Feb Vac 2008 - Appl.doc ->  [Ver =  | Size = 33280 bytes | Modified Date = 2/13/2008 10:27:51 PM | Attr =	]
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\Drop in Sports Feb Vac 2008 - Appl.doc:Zone.Identifier
hjt.lnk -> %UserProfile%\Desktop\hjt.lnk ->  [Ver =  | Size = 560 bytes | Modified Date = 1/27/2008 1:47:35 AM | Attr =	]
ResumeLena.doc -> %UserProfile%\Desktop\ResumeLena.doc ->  [Ver =  | Size = 32768 bytes | Modified Date = 2/12/2008 9:55:52 PM | Attr =	]
VLADDOOB-1.htm -> %UserProfile%\Desktop\VLADDOOB-1.htm ->  [Ver =  | Size = 8046 bytes | Modified Date = 2/5/2008 11:22:49 PM | Attr =	]
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\VLADDOOB-1.htm:Zone.Identifier
WinPFind35u -> %UserProfile%\Desktop\WinPFind35u ->  [Folder | Created Date = 2/16/2008 10:25:58 PM | Attr =	]
WinPFind35u.exe -> %UserProfile%\Desktop\WinPFind35u.exe ->  [Ver =  | Size = 480802 bytes | Modified Date = 2/16/2008 10:25:11 PM | Attr =	]
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\WinPFind35u.exe:Zone.Identifier

[Files/Folders - Modified Within 30 days]
boot.ini -> %SystemDrive%\boot.ini ->  [Ver =  | Size = 211 bytes | Modified Date = 2/13/2008 10:17:41 PM | Attr =  HS]
Config.Msi -> %SystemDrive%\Config.Msi ->  [Folder | Modified Date = 1/29/2008 8:57:10 AM | Attr =  HS]
Downloads -> %SystemDrive%\Downloads ->  [Folder | Modified Date = 2/16/2008 10:21:46 PM | Attr =	]
hiberfil.sys -> %SystemDrive%\hiberfil.sys ->  [Ver =  | Size = 536203264 bytes | Modified Date = 2/16/2008 10:16:28 PM | Attr =  HS]
My EAC -> %SystemDrive%\My EAC ->  [Folder | Modified Date = 2/11/2008 6:34:50 PM | Attr =	]
Program Files -> %ProgramFiles% ->  [Folder | Modified Date = 1/27/2008 1:47:06 AM | Attr = R  ]
System Volume Information -> %SystemDrive%\System Volume Information ->  [Folder | Modified Date = 1/28/2008 12:21:20 AM | Attr =  HS]
WINDOWS -> %SystemRoot% ->  [Folder | Modified Date = 2/13/2008 4:29:59 PM | Attr =	]
etc -> %SystemRoot%\System32\drivers\etc ->  [Folder | Modified Date = 1/27/2008 4:24:24 AM | Attr =	]
1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> 
Syg42.sys -> %SystemRoot%\System32\drivers\Syg42.sys ->  [Ver =  | Size = 25984 bytes | Modified Date = 2/16/2008 10:18:20 PM | Attr =	]
5_exception.nls -> %SystemRoot%\System32\5_exception.nls ->  [Ver =  | Size = 0 bytes | Modified Date = 2/6/2008 12:41:30 AM | Attr =	]
87422.exe -> %SystemRoot%\System32\87422.exe ->  [Ver =  | Size = 14336 bytes | Modified Date = 2/14/2008 4:22:20 PM | Attr =	]
CatRoot2 -> %SystemRoot%\System32\CatRoot2 ->  [Folder | Modified Date = 2/11/2008 9:20:37 PM | Attr =	]
4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> 
dllcache -> %SystemRoot%\System32\dllcache ->  [Folder | Modified Date = 1/27/2008 5:42:08 AM | Attr = RHS]
drivers -> %SystemRoot%\System32\drivers ->  [Folder | Modified Date = 2/14/2008 4:11:57 PM | Attr =	]
kcopt.dll -> %SystemRoot%\System32\kcopt.dll ->  [Ver =  | Size = 27281 bytes | Modified Date = 2/16/2008 10:20:50 PM | Attr =	]
ksvcl.dll -> %SystemRoot%\System32\ksvcl.dll ->  [Ver =  | Size = 0 bytes | Modified Date = 2/16/2008 10:20:50 PM | Attr =	]
LogCrypt.dll -> %SystemRoot%\System32\LogCrypt.dll ->  [Ver =  | Size = 8704 bytes | Modified Date = 2/14/2008 3:57:57 PM | Attr =	]
qmopt.dll -> %SystemRoot%\System32\qmopt.dll ->  [Ver =  | Size = 724 bytes | Modified Date = 2/16/2008 10:17:41 PM | Attr =	]
Restore -> %SystemRoot%\System32\Restore ->  [Folder | Modified Date = 1/28/2008 12:21:20 AM | Attr =	]
SpoonUninstall-dBpoweramp WavPack Codec.bmp -> %SystemRoot%\System32\SpoonUninstall-dBpoweramp WavPack Codec.bmp ->  [Ver =  | Size = 33846 bytes | Modified Date = 1/25/2008 11:27:00 PM | Attr =	]
SpoonUninstall-dBpoweramp WavPack Codec.dat -> %SystemRoot%\System32\SpoonUninstall-dBpoweramp WavPack Codec.dat ->  [Ver =  | Size = 3008 bytes | Modified Date = 1/25/2008 11:27:13 PM | Attr =	]
SpoonUninstall.exe -> %SystemRoot%\System32\SpoonUninstall.exe ->  [Ver =  | Size = 429432 bytes | Modified Date = 1/25/2008 11:26:38 PM | Attr =	]
@Alternate Data Stream - 26 bytes -> %SystemRoot%\System32\SpoonUninstall.exe:Zone.Identifier
wbem -> %SystemRoot%\System32\wbem ->  [Folder | Modified Date = 1/27/2008 5:41:53 AM | Attr =	]
WLCtrl32.dll -> %SystemRoot%\System32\WLCtrl32.dll ->  [Ver =  | Size = 6656 bytes | Modified Date = 2/16/2008 10:16:29 PM | Attr =	]
wpa.dbl -> %SystemRoot%\System32\wpa.dbl ->  [Ver =  | Size = 2228 bytes | Modified Date = 2/16/2008 7:43:12 AM | Attr =	]
bootstat.dat -> %SystemRoot%\bootstat.dat ->  [Ver =  | Size = 2048 bytes | Modified Date = 2/16/2008 10:16:30 PM | Attr =   S]
inf -> %SystemRoot%\inf ->  [Folder | Modified Date = 1/29/2008 8:13:09 AM | Attr =  H ]
1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> 
Installer -> %SystemRoot%\Installer ->  [Folder | Modified Date = 1/29/2008 8:13:04 AM | Attr =  HS]
NeroDigital.ini -> %SystemRoot%\NeroDigital.ini ->  [Ver =  | Size = 116 bytes | Modified Date = 1/26/2008 8:53:48 PM | Attr =	]
Network Diagnostic -> %SystemRoot%\Network Diagnostic ->  [Folder | Modified Date = 2/15/2008 12:36:01 PM | Attr =	]
Prefetch -> %SystemRoot%\Prefetch ->  [Folder | Modified Date = 2/16/2008 10:22:56 PM | Attr =	]
QTFont.for -> %SystemRoot%\QTFont.for ->  [Ver =  | Size = 1409 bytes | Modified Date = 2/13/2008 4:29:59 PM | Attr =	]
QTFont.qfn -> %SystemRoot%\QTFont.qfn ->  [Ver =  | Size = 54156 bytes | Modified Date = 2/13/2008 4:29:59 PM | Attr =  H ]
system.ini -> %SystemRoot%\system.ini ->  [Ver =  | Size = 253 bytes | Modified Date = 2/13/2008 10:17:41 PM | Attr =	]
system32 -> %SystemRoot%\system32 ->  [Folder | Modified Date = 2/16/2008 10:20:50 PM | Attr =	]
Temp -> %SystemRoot%\Temp ->  [Folder | Modified Date = 2/16/2008 10:22:16 PM | Attr =	]
win.ini -> %SystemRoot%\win.ini ->  [Ver =  | Size = 743 bytes | Modified Date = 2/13/2008 10:17:41 PM | Attr =	]
wininit.ini -> %SystemRoot%\wininit.ini ->  [Ver =  | Size = 747 bytes | Modified Date = 1/27/2008 12:46:12 AM | Attr =	]
SA.DAT -> %SystemRoot%\tasks\SA.DAT ->  [Ver =  | Size = 6 bytes | Modified Date = 2/16/2008 10:16:32 PM | Attr =  H ]
qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat ->  [Ver =  | Size = 6549 bytes | Modified Date = 12/31/2007 8:53:24 AM | Attr =	]
qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat ->  [Ver =  | Size = 6164 bytes | Modified Date = 12/31/2007 8:53:24 AM | Attr =	]
opa11.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA\opa11.dat ->  [Ver =  | Size = 8206 bytes | Modified Date = 10/8/2005 7:25:58 PM | Attr =	]
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
Prevx -> %AllUsersProfile%\Application Data\Prevx ->  [Folder | Modified Date = 1/29/2008 8:55:48 AM | Attr =	]
QTSBandwidthCache -> %AllUsersProfile%\Application Data\QTSBandwidthCache ->  [Ver =  | Size = 1759 bytes | Modified Date = 1/20/2008 8:09:02 PM | Attr =	]
foobar2000 -> %AppData%\foobar2000 ->  [Folder | Modified Date = 2/16/2008 1:29:20 AM | Attr =	]
HouseCall 6.6 -> %AppData%\HouseCall 6.6 ->  [Folder | Modified Date = 1/27/2008 4:25:59 AM | Attr =	]
uTorrent -> %AppData%\uTorrent ->  [Folder | Modified Date = 2/16/2008 5:18:19 PM | Attr =	]
DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> %UserProfile%\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini ->  [Ver =  | Size = 146432 bytes | Modified Date = 2/4/2008 5:26:34 PM | Attr =	]
B of A -> %UserProfile%\My Documents\B of A ->  [Folder | Modified Date = 2/15/2008 4:13:56 PM | Attr =	]
chckbk.xls -> %UserProfile%\My Documents\chckbk.xls ->  [Ver =  | Size = 317952 bytes | Modified Date = 2/16/2008 12:21:05 AM | Attr =	]
music.xls -> %UserProfile%\My Documents\music.xls ->  [Ver =  | Size = 25600 bytes | Modified Date = 2/13/2008 9:30:29 PM | Attr =	]
My Videos -> %UserProfile%\My Documents\My Videos ->  [Folder | Modified Date = 1/22/2008 6:43:08 PM | Attr = R  ]
NeroVision -> %UserProfile%\My Documents\NeroVision ->  [Folder | Modified Date = 1/26/2008 8:47:12 PM | Attr =	]
re -> %UserProfile%\My Documents\re ->  [Folder | Modified Date = 2/5/2008 12:45:50 AM | Attr =	]
ResumeLena1.doc -> %UserProfile%\My Documents\ResumeLena1.doc ->  [Ver =  | Size = 27648 bytes | Modified Date = 2/12/2008 9:56:03 PM | Attr =	]
WYS -> %UserProfile%\My Documents\WYS ->  [Folder | Modified Date = 2/16/2008 4:56:59 PM | Attr =	]
???????.txt -> %UserProfile%\My Documents\женщина.txt ->  [Ver =  | Size = 2226 bytes | Modified Date = 4/10/2007 3:58:15 PM | Attr =	]
???.txt -> %UserProfile%\My Documents\тай.txt ->  [Ver =  | Size = 7236 bytes | Modified Date = 3/12/2007 9:43:51 PM | Attr =	]
100OLYMP -> %UserProfile%\Desktop\100OLYMP ->  [Folder | Modified Date = 2/9/2008 5:44:03 PM | Attr =	]
BU 14 evals.xls -> %UserProfile%\Desktop\BU 14 evals.xls ->  [Ver =  | Size = 67072 bytes | Modified Date = 2/14/2008 10:43:41 PM | Attr =	]
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\BU 14 evals.xls:Zone.Identifier
comcast payment02-13.pdf -> %UserProfile%\Desktop\comcast payment02-13.pdf ->  [Ver =  | Size = 13331 bytes | Modified Date = 2/14/2008 12:37:19 AM | Attr =	]
comcast01-18.pdf -> %UserProfile%\Desktop\comcast01-18.pdf ->  [Ver =  | Size = 1377347 bytes | Modified Date = 2/14/2008 12:34:59 AM | Attr =	]
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\comcast01-18.pdf:Zone.Identifier
comcast12-18.pdf -> %UserProfile%\Desktop\comcast12-18.pdf ->  [Ver =  | Size = 163340 bytes | Modified Date = 2/14/2008 12:34:35 AM | Attr =	]
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\comcast12-18.pdf:Zone.Identifier
Drop in Sports Feb Vac 2008 - Appl.doc -> %UserProfile%\Desktop\Drop in Sports Feb Vac 2008 - Appl.doc ->  [Ver =  | Size = 33280 bytes | Modified Date = 2/13/2008 10:27:51 PM | Attr =	]
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\Drop in Sports Feb Vac 2008 - Appl.doc:Zone.Identifier
hjt.lnk -> %UserProfile%\Desktop\hjt.lnk ->  [Ver =  | Size = 560 bytes | Modified Date = 1/27/2008 1:47:35 AM | Attr =	]
old docs -> %UserProfile%\Desktop\old docs ->  [Folder | Modified Date = 1/22/2008 6:41:16 PM | Attr =	]
ResumeLena.doc -> %UserProfile%\Desktop\ResumeLena.doc ->  [Ver =  | Size = 32768 bytes | Modified Date = 2/12/2008 9:55:52 PM | Attr =	]
uTorrent.exe -> %UserProfile%\Desktop\uTorrent.exe ->  [Ver =  | Size = 219952 bytes | Modified Date = 1/29/2008 5:17:09 PM | Attr =	]
VLADDOOB-1.htm -> %UserProfile%\Desktop\VLADDOOB-1.htm ->  [Ver =  | Size = 8046 bytes | Modified Date = 2/5/2008 11:22:49 PM | Attr =	]
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\VLADDOOB-1.htm:Zone.Identifier
WinPFind35u -> %UserProfile%\Desktop\WinPFind35u ->  [Folder | Modified Date = 2/16/2008 10:30:14 PM | Attr =	]
WinPFind35u.exe -> %UserProfile%\Desktop\WinPFind35u.exe ->  [Ver =  | Size = 480802 bytes | Modified Date = 2/16/2008 10:25:11 PM | Attr =	]
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\WinPFind35u.exe:Zone.Identifier

< End of report >


#5 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:01:02 PM

Posted 17 February 2008 - 10:14 AM

Hi Sesmu. This machine is pretty much toasted and I'm surprised the system even boots up. A number of the system services required to run Windows properly have been compromised. At the very least, a repair install of the operating system is required. My recommendation would be to simply wipe the drive clean and do a complete, fresh install.

That said, if you want to try the repair install, let's remove what we can see. Follow the steps below in order.

Step #1

Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Drivers to unload:
AppMgmt
aspnet_state
BITS
clr_optimization_v2.0.50727_32
COMSysApp
dmadmin
dmserver
ERSvc
Eventlog
EventSystem
FastUserSwitchingCompatibility
lanmandrv
ose
Syg42
UPHClean
Wek30
Files to delete:
%ProgramFiles%\UPHClean\uphclean.exe
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
%SystemRoot%\System32\87422.exe
%SystemRoot%\system32\drivers\Syg42.sys
%SystemRoot%\system32\drivers\Wek30.sys
%SystemRoot%\System32\kcopt.dll
%SystemRoot%\System32\ksvcl.dll
%SystemRoot%\System32\lanmandrv.sys
%SystemRoot%\System32\LogCrypt.dll
%SystemRoot%\System32\qmopt.dll
%SystemRoot%\System32\WLCtrl32.dll
%SystemRoot%\TEMP\123703.exe
%SystemRoot%\Temp\124015.exe
%SystemRoot%\TEMP\125640.exe
%SystemRoot%\TEMP\145656.exe
%SystemRoot%\TEMP\146531.exe
%SystemRoot%\TEMP\BN2.tmp

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Step #2

Start WinPFind35U. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Win32 Services - Non-Microsoft Only]
NY -> (AppMgmt) AppMgmt [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\TEMP\146531.exe
NY -> (aspnet_state) ASP.NET State Service [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
NY -> (BITS) BITS [Win32_Own | Auto | Stopped] -> %SystemRoot%\TEMP\123703.exe
NY -> (clr_optimization_v2.0.50727_32) clr_optimization_v2.0.50727_32 [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
NY -> (COMSysApp) COMSysApp [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\Temp\124015.exe
NY -> (dmadmin) dmadmin [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\Temp\124015.exe
NY -> (dmserver) dmserver [Win32_Own | Auto | Stopped] -> %SystemRoot%\TEMP\BN2.tmp
NY -> (ERSvc) ERSvc [Win32_Own | Auto | Stopped] -> %SystemRoot%\Temp\124015.exe
NY -> (Eventlog) Eventlog [Win32_Own | Auto | Stopped] -> %SystemRoot%\Temp\124015.exe
NY -> (EventSystem) EventSystem [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\Temp\124015.exe
NY -> (FastUserSwitchingCompatibility) FastUserSwitchingCompatibility [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\TEMP\145656.exe
NY -> (ose) ose [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\TEMP\125640.exe
NY -> (UPHClean) UPHClean [Win32_Own | Auto | Stopped] -> %ProgramFiles%\UPHClean\uphclean.exe
[Driver Services - Non-Microsoft Only]
YY -> (lanmandrv) lanmandrv [Kernel | System | Running] -> %SystemRoot%\System32\lanmandrv.sys
YY -> (Syg42) Syg42 [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\Syg42.sys
YY -> (Wek30) Wek30 [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\Wek30.sys
[Registry - Non-Microsoft Only]
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
*System* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\System
YN -> kdtfy.exe -> kdtfy.exe
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
*UserInit* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit
YN -> PPLICATION DATA -> 
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
[Files/Folders - Created Within 30 days]
NY -> 87422.exe -> %SystemRoot%\System32\87422.exe
NY -> kcopt.dll -> %SystemRoot%\System32\kcopt.dll
NY -> ksvcl.dll -> %SystemRoot%\System32\ksvcl.dll
NY -> LogCrypt.dll -> %SystemRoot%\System32\LogCrypt.dll
NY -> qmopt.dll -> %SystemRoot%\System32\qmopt.dll
NY -> WLCtrl32.dll -> %SystemRoot%\System32\WLCtrl32.dll
[Files/Folders - Modified Within 30 days]
NY -> Syg42.sys -> %SystemRoot%\System32\drivers\Syg42.sys
NY -> 87422.exe -> %SystemRoot%\System32\87422.exe
NY -> kcopt.dll -> %SystemRoot%\System32\kcopt.dll
NY -> ksvcl.dll -> %SystemRoot%\System32\ksvcl.dll
NY -> LogCrypt.dll -> %SystemRoot%\System32\LogCrypt.dll
NY -> qmopt.dll -> %SystemRoot%\System32\qmopt.dll
NY -> WLCtrl32.dll -> %SystemRoot%\System32\WLCtrl32.dll
[Empty Temp Folders]
[Start Explorer]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix.

Step #3

Run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Click on Online Services and then Online Scanner
  • Accept the License Agreement.
  • Once the ActiveX installs,Click Full System Scan
  • Once the download completes,the scan will begin automatically.
  • The scan will take some time to finish,so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.
Step #4

Run a new WinPFind35u scan with the following options:

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the WinPFind3u folder and double-click on WinPFind35U.exe to start the program.
  • In the Driver Services section click on Non-Microsoft.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Step #5

Post the following back here:
  • The Avenger report (c:\Avenger.txt)
  • The latest WinPFind35u fix log (look in the WinPFind35u folder for the MovedFiles folder. In that folder will be a file with a name in the form of mmddyyyy_hhmmss.log for month, day, year, hours, minutes, and seconds that the scan was run.)
  • The new WinPFind35u scan log
I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
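The service entries in the fix script above all share one tell: a built-in Windows service name (BITS, Eventlog, dmserver, ERSvc and so on) whose binary now lives in %SystemRoot%\TEMP, or is a .tmp file, instead of the host process Windows normally uses for it, and the Winlogon System and UserInit values have been rewritten. The script below is an added example, not part of OldTimer's post and not code from the Avenger or WinPFind35u tools: it parses a few lines constructed in the shape of the WinPFind35u service listing and the Winlogon values, and flags the hijacked entries while letting legitimately placed services through. The table of expected host binaries is an assumption based on XP SP2 defaults, and the sample lines are constructed for this example.

```python
"""Flag hijacked Windows services and Winlogon values in a WinPFind35u-style listing.

Heuristics (assumptions about XP SP2 defaults, not facts from the post):
  * a service whose image lives under a Temp directory, or has a non-executable
    extension such as .tmp, is suspect;
  * a built-in service name that should be hosted by svchost.exe, services.exe,
    dllhost.exe or dmadmin.exe but points at some other binary is suspect;
  * Winlogon\\System should be empty, UserInit should end in userinit.exe and
    Shell should be Explorer.exe.
"""
import re

# Constructed sample lines in the shape of the "[Win32 Services - Non-Microsoft
# Only]" section above (four hijacked entries plus two legitimately placed ones).
SAMPLE_SERVICE_LINES = r"""
NY -> (AppMgmt) AppMgmt [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\TEMP\146531.exe
NY -> (BITS) BITS [Win32_Own | Auto | Stopped] -> %SystemRoot%\TEMP\123703.exe
NY -> (dmserver) dmserver [Win32_Own | Auto | Stopped] -> %SystemRoot%\TEMP\BN2.tmp
NY -> (Eventlog) Eventlog [Win32_Own | Auto | Stopped] -> %SystemRoot%\Temp\124015.exe
NY -> (UPHClean) UPHClean [Win32_Own | Auto | Stopped] -> %ProgramFiles%\UPHClean\uphclean.exe
NY -> (aspnet_state) ASP.NET State Service [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
""".strip().splitlines()

# Constructed Winlogon values mirroring the post (System and UserInit are bad).
SAMPLE_WINLOGON = {"System": "kdtfy.exe", "UserInit": "PPLICATION DATA", "Shell": "Explorer.exe"}

SERVICE_RE = re.compile(
    r"^(?P<flags>[YN]{2}) -> \((?P<name>[^)]+)\) (?P<display>.*?) "
    r"\[(?P<kind>[^\]]*)\] -> (?P<image>.*)$"
)

# Assumed default host binary for the built-in XP SP2 services named in the post.
EXPECTED_HOST = {
    "appmgmt": "svchost.exe", "bits": "svchost.exe", "dmserver": "svchost.exe",
    "ersvc": "svchost.exe", "eventsystem": "svchost.exe",
    "fastuserswitchingcompatibility": "svchost.exe",
    "eventlog": "services.exe", "comsysapp": "dllhost.exe", "dmadmin": "dmadmin.exe",
}
EXECUTABLE_EXT = (".exe", ".dll", ".sys")


def image_basename(image: str) -> str:
    """Return the file name of the service binary, dropping any arguments."""
    m = re.match(r'^\s*"?(.*?\.(?:exe|dll|sys|tmp))"?', image, re.IGNORECASE)
    path = m.group(1) if m else image.strip()
    return path.rsplit("\\", 1)[-1]


def classify_service(line: str):
    """Parse one service line; return (name, image, reasons) or None if unparsable."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    name, image = m.group("name"), m.group("image").strip()
    base = image_basename(image)
    lower_image = image.lower()
    reasons = []
    if "\\temp\\" in lower_image or "\\tmp\\" in lower_image:
        reasons.append("binary lives in a Temp directory")
    if not base.lower().endswith(EXECUTABLE_EXT):
        reasons.append(f"non-executable extension on {base}")
    expected = EXPECTED_HOST.get(name.lower())
    if expected and base.lower() != expected:
        reasons.append(f"built-in service should run from {expected}, found {base}")
    return name, image, reasons


def audit_services(lines):
    """Return {service name: [reasons]} for every suspicious entry."""
    findings = {}
    for line in lines:
        parsed = classify_service(line)
        if parsed and parsed[2]:
            findings[parsed[0]] = parsed[2]
    return findings


def audit_winlogon(values):
    """Return {value name: reason} for Winlogon values that deviate from XP defaults."""
    findings = {}
    if values.get("System", "").strip():
        findings["System"] = "should be empty, found " + values["System"]
    userinit = values.get("UserInit", "").rstrip(",").split(",")[0].strip().lower()
    if not userinit.endswith("userinit.exe"):
        findings["UserInit"] = "should end in userinit.exe, found " + values.get("UserInit", "")
    shell = values.get("Shell", "").strip().lower()
    if shell and shell != "explorer.exe":
        findings["Shell"] = "should be Explorer.exe, found " + values["Shell"]
    return findings


if __name__ == "__main__":
    for name, reasons in audit_services(SAMPLE_SERVICE_LINES).items():
        print(f"{name}: {'; '.join(reasons)}")
    for key, reason in audit_winlogon(SAMPLE_WINLOGON).items():
        print(f"Winlogon\\{key}: {reason}")
```

On the constructed sample the four Temp-hosted services are flagged and UPHClean and aspnet_state pass, which is the distinction a practitioner wants before deleting anything: a path check alone would have left mscorsvw.exe and uphclean.exe alone, so a listing that calls them "non-Microsoft" needs a second look at the file's version information rather than its location. Once core services such as Eventlog and dmserver have had their binaries replaced, the rest of the registry cannot be trusted either, which is the reason a fresh install is the safer call here.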


#6 Sesmu

Sesmu
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:12:02 PM

Posted 18 February 2008 - 12:27 AM

Thanks, OldTimer. I will do this tomorrow, when I have more time. I was curious though, what are these files that appear in the TEMP folder:
123703.exe, 124015.exe, 125640.exe and different enumerations? And what is BN2.tmp file? Files like these used to appear every time I booted before I ran the Housecall scan. But they also appear on my son's computer from time to time (I'd assume his would need to be cleaned as well.)

I am still pondering a complete reinstall of the system, but that would require a lot of movements of the existing files to a different hard drive and I don't feel like going that route. You think repair install, after all this cleaning, would be enough?

#7 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:01:02 PM

Posted 18 February 2008 - 12:54 AM

Hi Sesmu. Those are all infected files and some have replaced various system files. That is why at the very least, a repair install is needed. Whether that will be enough to fix the issues only trying it will determine. I would be careful what files I backed up if you are considering a complete reinstall. Definitely not any applications and only data files that you might have created. Not any downloaded files for sure.

Cheers.

OT

#8 Sesmu

Sesmu
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:12:02 PM

Posted 18 February 2008 - 08:47 AM

>That is why at the very least, a repair install is needed. Whether that will be enough to fix the issues only trying it will determine.

I have done a repair install, a few times I think, and it doesn't appear now that it was enough. However, I haven't gone through any intensive system cleaning that you're suggesting now. Maybe that was the issue as well.

#9 Sesmu

Sesmu
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:12:02 PM

Posted 18 February 2008 - 08:25 PM

Hi OldTimer,

well, I attempted it :blink: I downloaded the Avenger program, copy-pasted the code and started Avenger.

> It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)

I don't know whether it happened after the first restart or a second one, I left it for about 10-15 minutes, but it was stuck in a loop trying to start Windows. It would show "Intel Inside" screen, then "Windows XP" screen with downloading bars and almost right away it would show a blue screen (of death). But literally for a fraction of a second - I couldn't even catch a glimpse of what it said. And then repeat the process over and over and over...

I turned the computer off (with the button), let it sit for a while and then turned on. The outcome was the same. Starting from the Safe Mode wouldn't change anything. So I had to start from the Last Known Good Configuration. First time it went all the way, showed the desktop and then gave a grey alert sign that there is a problem with "svchost.exe" file. It restarted itself again and then loaded.

> On reboot, it will briefly open a black command window on your desktop, this is normal.

It did show the command window with some script running.

> After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt

Then it gave me a message that the file avenger.txt does not exist and whether I want to create one. I said "yes", it created, but the file is empty.

> The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip

Yes, it created a backup file as well. Do you need to know its content?

What's the next step? :thumbsup: I didn't go through with the rest yet because I wanted to hear your response first.

Regards,
Sesmu

#10 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:01:02 PM

Posted 18 February 2008 - 08:54 PM

Hi Sesmu. Yeah, that machine is pretty fubarred. You can try the rest of the fix but I doubt you will ever get it completely functional again. Like I said at the beginning. The best thing you can do with that is wipe it completely and install a fresh, good working copy of the operating system.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#11 Sesmu

Sesmu
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:12:02 PM

Posted 19 February 2008 - 12:04 AM

Hi OldTimer,

well, I decided to finish the cleaning anyway. If you don't mind, look at the results. All the rest went fine. Should I try and redo the Avenger part?

WinPFind35u fix log
Explorer killed successfully
[Win32 Services - Non-Microsoft Only]
Service AppMgmt stopped successfully.
Service AppMgmt deleted successfully.
File C:\WINDOWS\TEMP\146531.exe not found.
Service aspnet_state stopped successfully.
Service aspnet_state deleted successfully.
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe not found.
Service BITS stopped successfully.
Service BITS deleted successfully.
File C:\WINDOWS\TEMP\123703.exe not found.
Service clr_optimization_v2.0.50727_32 stopped successfully.
Service clr_optimization_v2.0.50727_32 deleted successfully.
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe not found.
Service COMSysApp stopped successfully.
Service COMSysApp deleted successfully.
File C:\WINDOWS\Temp\124015.exe not found.
Service dmadmin stopped successfully.
Service dmadmin deleted successfully.
File C:\WINDOWS\Temp\124015.exe not found.
Service dmserver stopped successfully.
Service dmserver deleted successfully.
File C:\WINDOWS\TEMP\BN2.tmp not found.
Service ERSvc stopped successfully.
Service ERSvc deleted successfully.
File C:\WINDOWS\Temp\124015.exe not found.
Service Eventlog stopped successfully.
Service Eventlog deleted successfully.
File C:\WINDOWS\Temp\124015.exe not found.
Service EventSystem stopped successfully.
Service EventSystem deleted successfully.
File C:\WINDOWS\Temp\124015.exe not found.
Service FastUserSwitchingCompatibility stopped successfully.
Service FastUserSwitchingCompatibility deleted successfully.
File C:\WINDOWS\TEMP\145656.exe not found.
Service ose stopped successfully.
Service ose deleted successfully.
File C:\WINDOWS\TEMP\125640.exe not found.
Service UPHClean stopped successfully.
Service UPHClean deleted successfully.
File C:\Program Files\UPHClean\uphclean.exe not found.
[Driver Services - Non-Microsoft Only]
Unable to stop service lanmandrv .
Service lanmandrv deleted successfully.
File move failed. C:\WINDOWS\System32\lanmandrv.sys scheduled to be moved on reboot.
Unable to stop service Syg42 .
Service Syg42 deleted successfully.
File move failed. C:\WINDOWS\system32\drivers\Syg42.sys scheduled to be moved on reboot.
Service Wek30 stopped successfully.
Service Wek30 deleted successfully.
C:\WINDOWS\system32\drivers\Wek30.sys moved successfully.
[Registry - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\System:kdtfy.exe deleted successfully.
Unable to delete registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit:PPLICATION DATA .
[Files/Folders - Created Within 30 days]
C:\WINDOWS\System32\87422.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\System32\kcopt.dll
C:\WINDOWS\System32\kcopt.dll NOT unregistered.
C:\WINDOWS\System32\kcopt.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\System32\ksvcl.dll
C:\WINDOWS\System32\ksvcl.dll NOT unregistered.
File move failed. C:\WINDOWS\System32\ksvcl.dll scheduled to be moved on reboot.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\LogCrypt.dll
C:\WINDOWS\System32\LogCrypt.dll NOT unregistered.
C:\WINDOWS\System32\LogCrypt.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\System32\qmopt.dll
C:\WINDOWS\System32\qmopt.dll NOT unregistered.
C:\WINDOWS\System32\qmopt.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\WLCtrl32.dll
C:\WINDOWS\System32\WLCtrl32.dll NOT unregistered.
C:\WINDOWS\System32\WLCtrl32.dll moved successfully.
[Files/Folders - Modified Within 30 days]
File move failed. C:\WINDOWS\System32\drivers\Syg42.sys scheduled to be moved on reboot.
File C:\WINDOWS\System32\87422.exe not found!
File C:\WINDOWS\System32\kcopt.dll not found!
LoadLibrary failed for C:\WINDOWS\System32\ksvcl.dll
C:\WINDOWS\System32\ksvcl.dll NOT unregistered.
File move failed. C:\WINDOWS\System32\ksvcl.dll scheduled to be moved on reboot.
File C:\WINDOWS\System32\LogCrypt.dll not found!
File C:\WINDOWS\System32\qmopt.dll not found!
File C:\WINDOWS\System32\WLCtrl32.dll not found!
[Empty Temp Folders]
User temp folders emptied.
SystemRoot temp folder emptied.
IE temp folders emptied
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
WinPFind35U Version Beta52 fix logfile created on 02182008_215705

WinPFind35u scan report
WinPFind35 logfile created on: 2/18/2008 11:57:46 PM
WinPFind35U Version Beta52	 Folder = C:\Documents and Settings\Owner\Desktop\WinPFind35u
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
511.30 Mb Total Physical Memory | 252.49 Mb Available Physical Memory | 49.38% Memory free
1.97 Gb Paging File | 1.81 Gb Available in Paging File | 91.90% Paging File free
Paging file location(s): c:\pagefile.sys 1536 1536;
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.78 Gb Total Space | 20.30 Gb Free Space | 18.16% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: VLAD
Current User Name: Owner
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user

[Processes - Non-Microsoft Only]
jusched.exe -> %ProgramFiles%\Java\jre1.6.0_03\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 132496 bytes | Modified Date = 9/25/2007 12:11:35 AM | Attr =	]
winpfind35u.exe -> %UserProfile%\Desktop\WinPFind35u\WinPFind35U.exe -> OldTimer Tools [Ver = 1.0.0.0 | Size = 309760 bytes | Modified Date = 2/16/2008 1:03:26 PM | Attr =	]

[Win32 Services - Non-Microsoft Only]
(Adobe LM Service) Adobe LM Service [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Adobe Systems Shared\Service\Adobelmsvc.exe -> Adobe Systems [Ver = 2.65.010 | Size = 69632 bytes | Modified Date = 4/15/2006 2:22:54 AM | Attr =	]
(IDriverT) IDriverT [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\InstallShield\Driver\11\Intel 32\IDriverT.exe -> Macrovision Corporation [Ver = 11.00.28844 | Size = 69632 bytes | Modified Date = 4/4/2005 12:41:10 AM | Attr =	]

[Driver Services - Non-Microsoft Only]
(Abiosdsk) Abiosdsk [Kernel | Disabled | Stopped] ->  -> File not found
(abp480n5) abp480n5 [Kernel | Disabled | Stopped] ->  -> File not found
(ac97intc) Intel(r) 82801 Audio Driver Install Service (WDM) [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\ac97intc.sys -> Intel Corporation [Ver = 5.10.3523 built by: WinDDK | Size = 96256 bytes | Modified Date = 8/17/2001 7:20:04 AM | Attr =	]
(adpu160m) adpu160m [Kernel | Disabled | Stopped] ->  -> File not found
(Aha154x) Aha154x [Kernel | Disabled | Stopped] ->  -> File not found
(aic78u2) aic78u2 [Kernel | Disabled | Stopped] ->  -> File not found
(aic78xx) aic78xx [Kernel | Disabled | Stopped] ->  -> File not found
(AliIde) AliIde [Kernel | Disabled | Stopped] ->  -> File not found
(amsint) amsint [Kernel | Disabled | Stopped] ->  -> File not found
(asc) asc [Kernel | Disabled | Stopped] ->  -> File not found
(asc3350p) asc3350p [Kernel | Disabled | Stopped] ->  -> File not found
(asc3550) asc3550 [Kernel | Disabled | Stopped] ->  -> File not found
(Atdisk) Atdisk [Kernel | Disabled | Stopped] ->  -> File not found
(basic2) basic2 [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\basic2.sys -> Conexant Systems [Ver = 3.05.20 | Size = 77426 bytes | Modified Date = 7/12/2001 1:49:32 PM | Attr =	]
(cd20xrnt) cd20xrnt [Kernel | Disabled | Stopped] ->  -> File not found
(Changer) Changer [Kernel | System | Stopped] ->  -> File not found
(CmdIde) CmdIde [Kernel | Disabled | Stopped] ->  -> File not found
(Cnxtdiag) Cnxtdiag [Kernel | Auto | Running] -> %SystemRoot%\system32\drivers\cnxtdiag.sys -> Conexant Systems [Ver = 3.5.18.4 | Size = 17776 bytes | Modified Date = 7/3/2001 5:42:30 PM | Attr =	]
(CO_Mon) CO_Mon [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\Drivers\CO_Mon.sys -> File not found
(Cpqarray) Cpqarray [Kernel | Disabled | Stopped] ->  -> File not found
(dac960nt) dac960nt [Kernel | Disabled | Stopped] ->  -> File not found
(dmboot) dmboot [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\drivers\dmboot.sys -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 799744 bytes | Modified Date = 8/4/2004 7:00:00 AM | Attr =	]
(dmio) Logical Disk Manager Driver [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\dmio.sys -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 153344 bytes | Modified Date = 8/4/2004 7:00:00 AM | Attr =	]
(dmload) dmload [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\dmload.sys -> Microsoft Corp., Veritas Software. [Ver = 2600.0.503.0 | Size = 5888 bytes | Modified Date = 8/4/2004 7:00:00 AM | Attr =	]
(dpti2o) dpti2o [Kernel | Disabled | Stopped] ->  -> File not found
(E100B) Intel(R) PRO Adapter Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\e100b325.sys -> Intel Corporation [Ver = 5.41.22.0000 built by: WinDDK | Size = 117760 bytes | Modified Date = 8/17/2001 7:12:10 AM | Attr =	]
(Fallback) Fallback [Kernel | Auto | Running] -> %SystemRoot%\system32\drivers\fallback.sys -> Conexant Systems [Ver = 3.05.20 | Size = 310739 bytes | Modified Date = 7/12/2001 1:52:10 PM | Attr =	]
(Fsks) Fsks [Kernel | Auto | Running] -> %SystemRoot%\system32\drivers\fsksnt.sys -> Conexant Systems [Ver = 3.05.19 | Size = 127405 bytes | Modified Date = 6/14/2001 6:37:38 PM | Attr =	]
(hpn) hpn [Kernel | Disabled | Stopped] ->  -> File not found
(i2omgmt) i2omgmt [Kernel | System | Stopped] ->  -> File not found
(i2omp) i2omp [Kernel | Disabled | Stopped] ->  -> File not found
(ini910u) ini910u [Kernel | Disabled | Stopped] ->  -> File not found
(K56) K56 [Kernel | Auto | Running] -> %SystemRoot%\system32\drivers\k56nt.sys -> Conexant Systems [Ver = 3.05.20 | Size = 427167 bytes | Modified Date = 7/12/2001 1:52:38 PM | Attr =	]
(lbrtfdc) lbrtfdc [Kernel | System | Stopped] ->  -> File not found
(mraid35x) mraid35x [Kernel | Disabled | Stopped] ->  -> File not found
(nv) nv [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\nv4_mini.sys -> NVIDIA Corporation [Ver = 6.14.10.5673 | Size = 1897408 bytes | Modified Date = 8/3/2004 5:29:56 PM | Attr =	]
(PCIDump) PCIDump [Kernel | System | Stopped] ->  -> File not found
(PCIIde) PCIIde [Kernel | Disabled | Stopped] ->  -> File not found
(Pcouffin) Low level access layer for CD devices [Kernel | On_Demand | Stopped] -> System32\Drivers\Pcouffin.sys -> File not found
(PDCOMP) PDCOMP [Kernel | On_Demand | Stopped] ->  -> File not found
(PDFRAME) PDFRAME [Kernel | On_Demand | Stopped] ->  -> File not found
(PDRELI) PDRELI [Kernel | On_Demand | Stopped] ->  -> File not found
(PDRFRAME) PDRFRAME [Kernel | On_Demand | Stopped] ->  -> File not found
(perc2) perc2 [Kernel | Disabled | Stopped] ->  -> File not found
(perc2hib) perc2hib [Kernel | Disabled | Stopped] ->  -> File not found
(PREVXEmulator) PREVX Emulator driver [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\PxEmu.sys -> Prevx Limited, http://www.prevx1.com/ [Ver = 3.1.0.8744 built by: WinDDK | Size = 107784 bytes | Modified Date = 9/5/2007 10:47:28 AM | Attr =	]
(PREVXTdi) PREVX TDI filter [Kernel | System | Running] -> %SystemRoot%\system32\drivers\pxtdi.sys -> Prevx Limited, http://www.prevx1.com/ [Ver = 3.1.0.8744 built by: WinDDK | Size = 28040 bytes | Modified Date = 9/5/2007 10:47:16 AM | Attr =	]
(Ptilink) Direct Parallel Link Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\ptilink.sys -> Parallel Technologies, Inc. [Ver = 1.10 (XPClient.010817-1148) | Size = 17792 bytes | Modified Date = 8/4/2004 7:00:00 AM | Attr =	]
(PxHelp20) PxHelp20 [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\PxHelp20.sys -> Sonic Solutions [Ver = 2.03.28a | Size = 20640 bytes | Modified Date = 12/5/2005 12:12:26 AM | Attr =	]
(PXRDDriver) PREVX Rootkitscan driver [Kernel | System | Running] -> %SystemRoot%\system32\drivers\PxRD.sys -> Prevx Limited, http://www.prevx1.com/ [Ver = 3.1.0.8744 built by: WinDDK | Size = 23048 bytes | Modified Date = 9/5/2007 10:45:42 AM | Attr =	]
(ql1080) ql1080 [Kernel | Disabled | Stopped] ->  -> File not found
(Ql10wnt) Ql10wnt [Kernel | Disabled | Stopped] ->  -> File not found
(ql12160) ql12160 [Kernel | Disabled | Stopped] ->  -> File not found
(ql1240) ql1240 [Kernel | Disabled | Stopped] ->  -> File not found
(ql1280) ql1280 [Kernel | Disabled | Stopped] ->  -> File not found
(Rksample) Rksample [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\rksample.sys -> Conexant Systems [Ver = 3.05.19 | Size = 67622 bytes | Modified Date = 6/14/2001 6:33:04 PM | Attr =	]
(Secdrv) Secdrv [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\secdrv.sys ->  [Ver =  | Size = 27440 bytes | Modified Date = 8/4/2004 7:00:00 AM | Attr =	]
(Simbad) Simbad [Kernel | Disabled | Stopped] ->  -> File not found
(SoftFax) SoftFax [Kernel | Auto | Running] -> %SystemRoot%\system32\drivers\faxnt.sys -> Conexant Systems [Ver = 3.05.19 | Size = 216987 bytes | Modified Date = 6/14/2001 6:36:52 PM | Attr =	]
(Sparrow) Sparrow [Kernel | Disabled | Stopped] ->  -> File not found
(symc810) symc810 [Kernel | Disabled | Stopped] ->  -> File not found
(symc8xx) symc8xx [Kernel | Disabled | Stopped] ->  -> File not found
(sym_hi) sym_hi [Kernel | Disabled | Stopped] ->  -> File not found
(sym_u3) sym_u3 [Kernel | Disabled | Stopped] ->  -> File not found
(tmcomm) tmcomm [Kernel | Auto | Running] -> %SystemRoot%\system32\drivers\tmcomm.sys -> Trend Micro Inc. [Ver = 1.6.0.1059 | Size = 102664 bytes | Modified Date = 8/1/2007 4:47:26 PM | Attr =	]
(Tones) Tones [Kernel | Auto | Running] -> %SystemRoot%\system32\drivers\tonesnt.sys -> Conexant Systems [Ver = 3.05.19 | Size = 56639 bytes | Modified Date = 6/14/2001 6:35:50 PM | Attr =	]
(TosIde) TosIde [Kernel | Disabled | Stopped] ->  -> File not found
(ultra) ultra [Kernel | Disabled | Stopped] ->  -> File not found
(V124) V124 [Kernel | Auto | Running] -> %SystemRoot%\system32\drivers\v124nt.sys -> Conexant Systems [Ver = 3.05.20 | Size = 534605 bytes | Modified Date = 7/12/2001 1:49:10 PM | Attr =	]
(ViaIde) ViaIde [Kernel | Disabled | Stopped] ->  -> File not found
(WDICA) WDICA [Kernel | On_Demand | Stopped] ->  -> File not found
(winachsf) winachsf [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\HSF_CNXT.sys -> Conexant Systems [Ver = 3.05.20 | Size = 584304 bytes | Modified Date = 7/12/2001 1:54:20 PM | Attr =	]
(lanmandrv) lanmandrv [Kernel | System | Running] -> %SystemRoot%\System32\lanmandrv.sys -> File not found

[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
QuickTime Task -> %ProgramFiles%\QuickTime\QTTask.exe -> Apple Inc. [Ver = 7.2 | Size = 286720 bytes | Modified Date = 6/29/2007 5:24:52 AM | Attr =	]
SunJavaUpdateSched -> %ProgramFiles%\Java\jre1.6.0_03\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 132496 bytes | Modified Date = 9/25/2007 12:11:35 AM | Attr =	]
< OptionalComponents [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ -> 
IMAIL-> Installed = 1 -> 
MAPI-> Installed = 1 -> 
MSFS-> Installed = 1 -> 
< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup -> 
< Owner Startup Folder > -> C:\Documents and Settings\Owner\Start Menu\Programs\Startup -> 
< SecurityProviders [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders -> 
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
< Winlogon settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
< CurrentVersion Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 -> 
< CurrentVersion Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\\NoDeletingComponents -> 0 -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> -> 
< HOSTS File > (736 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts -> 
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> -> 
HKEY_LOCAL_MACHINE\: Main\\Default_Page_URL -> http://go.microsoft.com/fwlink/?LinkId=69157 -> 
HKEY_LOCAL_MACHINE\: Main\\Default_Search_URL -> http://go.microsoft.com/fwlink/?LinkId=54896 -> 
HKEY_LOCAL_MACHINE\: Main\\Local Page -> %SystemRoot%\system32\blank.htm -> 
HKEY_LOCAL_MACHINE\: Main\\Search Page -> http://mail.yahoo.com/ -> 
HKEY_LOCAL_MACHINE\: Main\\Start Page -> http://mail.yahoo.com/ -> 
HKEY_LOCAL_MACHINE\: Search\\CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm -> 
HKEY_LOCAL_MACHINE\: Search\\SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm -> 
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> -> 
HKEY_CURRENT_USER\: Main\\Default_Page_URL ->  -> 
HKEY_CURRENT_USER\: Main\\Default_Search_URL -> http://ie.search.msn.com -> 
HKEY_CURRENT_USER\: Main\\Local Page -> C:\WINDOWS\system32\blank.htm -> 
HKEY_CURRENT_USER\: Main\\Search Bar -> http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchasst.htm -> 
HKEY_CURRENT_USER\: Main\\Search Page -> http://www.google.com/ -> 
HKEY_CURRENT_USER\: Main\\Start Page -> http://mail.yahoo.com/ -> 
HKEY_CURRENT_USER\: Search\\CustomizeSearch -> http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchcust.htm -> 
HKEY_CURRENT_USER\: Search\\SearchAssistant -> http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchasst.htm -> 
HKEY_CURRENT_USER\: SearchURL\\ -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch[Reg Error: Value provider does not exist or could not be read.] -> 
HKEY_CURRENT_USER\: ProxyEnable -> 0 -> 
HKEY_CURRENT_USER\: ProxyOverride -> local -> 
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 1 domain(s) found. -> 
1 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 3917 domain(s) found. -> 
turbotax.com .[https] -> Trusted sites -> 
31 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 53 range(s) found. -> 
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ -> 
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 59032 bytes | Modified Date = 12/18/2006 3:16:41 AM | Attr =	]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Java\jre1.6.0_03\bin\ssv.dll [SSVHelper Class] -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 501136 bytes | Modified Date = 9/25/2007 12:11:33 AM | Attr =	]
{AE7CD045-E861-484f-8273-0445EE161910} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [Adobe PDF Conversion Toolbar Helper] -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 231160 bytes | Modified Date = 12/18/2006 3:18:14 AM | Attr =	]
< Internet Explorer Bars [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ -> 
{182EC0BE-5110-49C8-A062-BEB1D02A220B} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [Adobe PDF] -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 231160 bytes | Modified Date = 12/18/2006 3:18:14 AM | Attr =	]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar -> 
{47833539-D0C5-4125-9FA8-0819E2EAAC93} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [Adobe PDF] -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 231160 bytes | Modified Date = 12/18/2006 3:18:14 AM | Attr =	]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ -> 
ShellBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [Adobe PDF] -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 231160 bytes | Modified Date = 12/18/2006 3:18:14 AM | Attr =	]
WebBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [Adobe PDF] -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 231160 bytes | Modified Date = 12/18/2006 3:18:14 AM | Attr =	]
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ -> 
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Java\jre1.6.0_03\bin\npjpi160_03.dll [Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 132496 bytes | Modified Date = 9/25/2007 12:11:34 AM | Attr =	]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} [HKEY_CURRENT_USER] -> %ProgramFiles%\Java\jre1.6.0_03\bin\ssv.dll [Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 501136 bytes | Modified Date = 9/25/2007 12:11:33 AM | Attr =	]
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\ -> 
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Java\jre1.6.0_03\bin\npjpi160_03.dll [Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 132496 bytes | Modified Date = 9/25/2007 12:11:34 AM | Attr =	]
< Internet Explorer Menu Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ -> 
Adobe PDF로 변환 -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 231160 bytes | Modified Date = 12/18/2006 3:18:14 AM | Attr =	]
Convert link target to Adobe PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 231160 bytes | Modified Date = 12/18/2006 3:18:14 AM | Attr =	]
Convert link target to existing PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 231160 bytes | Modified Date = 12/18/2006 3:18:14 AM | Attr =	]
Convert selected links to Adobe PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 231160 bytes | Modified Date = 12/18/2006 3:18:14 AM | Attr =	]
Convert selected links to existing PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 231160 bytes | Modified Date = 12/18/2006 3:18:14 AM | Attr =	]
Convert selection to Adobe PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 231160 bytes | Modified Date = 12/18/2006 3:18:14 AM | Attr =	]
Convert selection to existing PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 231160 bytes | Modified Date = 12/18/2006 3:18:14 AM | Attr =	]
Convert to Adobe PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 231160 bytes | Modified Date = 12/18/2006 3:18:14 AM | Attr =	]
Convert to existing PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 231160 bytes | Modified Date = 12/18/2006 3:18:14 AM | Attr =	]
기존 PDF로 변환 -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 231160 bytes | Modified Date = 12/18/2006 3:18:14 AM | Attr =	]
링크 대상을 Adobe PDF로 변환 -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 231160 bytes | Modified Date = 12/18/2006 3:18:14 AM | Attr =	]
링크 대상을 기존 PDF로 변환 -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 231160 bytes | Modified Date = 12/18/2006 3:18:14 AM | Attr =	]
선택 영역을 Adobe PDF로 변환 -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 231160 bytes | Modified Date = 12/18/2006 3:18:14 AM | Attr =	]
선택 영역을 기존 PDF로 변환 -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 231160 bytes | Modified Date = 12/18/2006 3:18:14 AM | Attr =	]
선택한 링크를 Adobe PDF로 변환 -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 231160 bytes | Modified Date = 12/18/2006 3:18:14 AM | Attr =	]
선택한 링크를 기존 PDF로 변환 -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 231160 bytes | Modified Date = 12/18/2006 3:18:14 AM | Attr =	]
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ -> 
PluginsPageFriendlyName -> Microsoft ActiveX Gallery -> 
PluginsPage -> http://activex.microsoft.com/controls/find.asp?ext=%s&mime=%s -> 
< User Agent Post Platform [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform -> 
{65C01276-617B-5097-8978-6CB99F662693} ->  -> 
< DNS Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ -> 
{125B1D80-0A16-4389-96F3-F459553F12E0} -> 208.67.220.220,208.67.222.222	(Intel(R) PRO/100 VE Network Connection) -> 
< Protocol Handlers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ -> 
ipp: [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened.[Reg Error: Value  does not exist or could not be read.] -> File not found
msdaipp: [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened.[Reg Error: Value  does not exist or could not be read.] -> File not found
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ -> 
{0B79F48A-E8D6-11DB-9283-E25056D89593}[HKEY_LOCAL_MACHINE] -> http://support.f-secure.com/ols/fscax.cab[F-Secure Online Scanner 3.1] -> 
{17492023-C23A-453E-A040-C7C580BBF700}[HKEY_LOCAL_MACHINE] -> http://go.microsoft.com/fwlink/?LinkID=39204[Windows Genuine Advantage Validation Tool] -> 
{2BC66F54-93A8-11D3-BEB6-00105AA9B6AE}[HKEY_LOCAL_MACHINE] -> http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab[Symantec AntiVirus scanner] -> 
{3E68E405-C6DE-49FF-83AE-41EE9F4C36CE}[HKEY_LOCAL_MACHINE] -> http://office.microsoft.com/officeupdate/content/opuc3.cab[Office Update Installation Engine] -> 
{644E432F-49D3-41A1-8DD5-E099162EEEC5}[HKEY_LOCAL_MACHINE] -> http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab[Symantec RuFSI Utility Class] -> 
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3}[HKEY_LOCAL_MACHINE] -> http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1131978878828[MUWebControl Class] -> 
{8AD9C840-044E-11D1-B3E9-00805F499D93}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab[Java Plug-in 1.6.0_03] -> 
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab[Java Plug-in 1.5.0_06] -> 
{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab[Java Plug-in 1.5.0_09] -> 
{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab[Java Plug-in 1.5.0_10] -> 
{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab[Java Plug-in 1.5.0_11] -> 
{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab[Java Plug-in 1.6.0_01] -> 
{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab[Java Plug-in 1.6.0_02] -> 
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab[Java Plug-in 1.6.0_03] -> 
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab[Java Plug-in 1.6.0_03] -> 
{D27CDB6E-AE6D-11CF-96B8-444553540000}[HKEY_LOCAL_MACHINE] -> http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab[Shockwave Flash Object] -> 
{EF791A6B-FC12-4C68-99EF-FB9E207A39E6}[HKEY_LOCAL_MACHINE] -> http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5150/mcfscan.cab[McFreeScan Class] -> 



[Files/Folders - Created Within 30 days]
avenger -> %SystemDrive%\avenger ->  [Folder | Created Date = 2/18/2008 8:06:21 PM | Attr =	]
Config.Msi -> %SystemDrive%\Config.Msi ->  [Folder | Created Date = 1/29/2008 8:55:44 AM | Attr =  HS]
tmcomm.sys -> %SystemRoot%\System32\drivers\tmcomm.sys -> Trend Micro Inc. [Ver = 1.6.0.1059 | Size = 102664 bytes | Modified Date = 8/1/2007 4:47:26 PM | Attr =	]
5_exception.nls -> %SystemRoot%\System32\5_exception.nls ->  [Ver =  | Size = 0 bytes | Modified Date = 2/6/2008 12:41:30 AM | Attr =	]
DLL.0LL -> %SystemRoot%\System32\DLL.0LL ->  [Ver =  | Size = 13824 bytes | Modified Date = 2/18/2008 10:01:40 PM | Attr =	]
kcopt.dll -> %SystemRoot%\System32\kcopt.dll ->  [Ver =  | Size = 574 bytes | Modified Date = 2/18/2008 10:01:37 PM | Attr =	]
KERNELDRV.0XE -> %SystemRoot%\System32\KERNELDRV.0XE ->  [Ver =  | Size = 39424 bytes | Modified Date = 2/16/2008 8:24:36 PM | Attr =	]
ksvcl.dll -> %SystemRoot%\System32\ksvcl.dll ->  [Ver =  | Size = 303 bytes | Modified Date = 2/18/2008 10:01:40 PM | Attr =	]
LANMANWRK.0XE -> %SystemRoot%\System32\LANMANWRK.0XE ->  [Ver =  | Size = 14336 bytes | Modified Date = 2/14/2008 4:11:51 PM | Attr =	]
qmopt.dll -> %SystemRoot%\System32\qmopt.dll ->  [Ver =  | Size = 724 bytes | Modified Date = 2/18/2008 11:32:39 PM | Attr =	]
SpoonUninstall-dBpoweramp WavPack Codec.bmp -> %SystemRoot%\System32\SpoonUninstall-dBpoweramp WavPack Codec.bmp ->  [Ver =  | Size = 33846 bytes | Modified Date = 1/25/2008 11:27:00 PM | Attr =	]
SpoonUninstall-dBpoweramp WavPack Codec.dat -> %SystemRoot%\System32\SpoonUninstall-dBpoweramp WavPack Codec.dat ->  [Ver =  | Size = 3008 bytes | Modified Date = 1/25/2008 11:27:13 PM | Attr =	]
[Files Created - Additional Folder Scans - Non-Microsoft Only]
HouseCall 6.6 -> %AppData%\HouseCall 6.6 ->  [Folder | Created Date = 1/27/2008 2:25:34 AM | Attr =	]
NeroVision -> %UserProfile%\My Documents\NeroVision ->  [Folder | Created Date = 1/26/2008 8:47:12 PM | Attr =	]
???????.txt -> %UserProfile%\My Documents\женщина.txt ->  [Ver =  | Size = 2226 bytes | Modified Date = 4/10/2007 3:58:15 PM | Attr =	]
???.txt -> %UserProfile%\My Documents\тай.txt ->  [Ver =  | Size = 7236 bytes | Modified Date = 3/12/2007 9:43:51 PM | Attr =	]
100OLYMP -> %UserProfile%\Desktop\100OLYMP ->  [Folder | Created Date = 2/9/2008 5:43:10 PM | Attr =	]
avenger.exe -> %UserProfile%\Desktop\avenger.exe ->  [Ver =  | Size = 130048 bytes | Modified Date = 2/25/2006 11:28:16 PM | Attr =	]
BU 14 evals.xls -> %UserProfile%\Desktop\BU 14 evals.xls ->  [Ver =  | Size = 67072 bytes | Modified Date = 2/14/2008 10:43:41 PM | Attr =	]
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\BU 14 evals.xls:Zone.Identifier
comcast payment02-13.pdf -> %UserProfile%\Desktop\comcast payment02-13.pdf ->  [Ver =  | Size = 13331 bytes | Modified Date = 2/14/2008 12:37:19 AM | Attr =	]
comcast01-18.pdf -> %UserProfile%\Desktop\comcast01-18.pdf ->  [Ver =  | Size = 1377347 bytes | Modified Date = 2/14/2008 12:34:59 AM | Attr =	]
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\comcast01-18.pdf:Zone.Identifier
comcast12-18.pdf -> %UserProfile%\Desktop\comcast12-18.pdf ->  [Ver =  | Size = 163340 bytes | Modified Date = 2/14/2008 12:34:35 AM | Attr =	]
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\comcast12-18.pdf:Zone.Identifier
Drop in Sports Feb Vac 2008 - Appl.doc -> %UserProfile%\Desktop\Drop in Sports Feb Vac 2008 - Appl.doc ->  [Ver =  | Size = 33280 bytes | Modified Date = 2/13/2008 10:27:51 PM | Attr =	]
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\Drop in Sports Feb Vac 2008 - Appl.doc:Zone.Identifier
hjt.lnk -> %UserProfile%\Desktop\hjt.lnk ->  [Ver =  | Size = 560 bytes | Modified Date = 1/27/2008 1:47:35 AM | Attr =	]
ResumeLena.doc -> %UserProfile%\Desktop\ResumeLena.doc ->  [Ver =  | Size = 32768 bytes | Modified Date = 2/12/2008 9:55:52 PM | Attr =	]
VLADDOOB-1.htm -> %UserProfile%\Desktop\VLADDOOB-1.htm ->  [Ver =  | Size = 8046 bytes | Modified Date = 2/5/2008 11:22:49 PM | Attr =	]
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\VLADDOOB-1.htm:Zone.Identifier
WinPFind35u -> %UserProfile%\Desktop\WinPFind35u ->  [Folder | Created Date = 2/16/2008 10:25:58 PM | Attr =	]

[Files/Folders - Modified Within 30 days]
avenger -> %SystemDrive%\avenger ->  [Folder | Modified Date = 2/18/2008 10:03:51 PM | Attr =	]
boot.ini -> %SystemDrive%\boot.ini ->  [Ver =  | Size = 211 bytes | Modified Date = 2/13/2008 10:17:41 PM | Attr =  HS]
Config.Msi -> %SystemDrive%\Config.Msi ->  [Folder | Modified Date = 1/29/2008 8:57:10 AM | Attr =  HS]
Documents and Settings -> %SystemDrive%\Documents and Settings ->  [Folder | Modified Date = 2/18/2008 6:56:51 PM | Attr =	]
Downloads -> %SystemDrive%\Downloads ->  [Folder | Modified Date = 2/16/2008 10:21:46 PM | Attr =	]
hiberfil.sys -> %SystemDrive%\hiberfil.sys ->  [Ver =  | Size = 536203264 bytes | Modified Date = 2/18/2008 10:00:42 PM | Attr =  HS]
My EAC -> %SystemDrive%\My EAC ->  [Folder | Modified Date = 2/11/2008 6:34:50 PM | Attr =	]
Program Files -> %ProgramFiles% ->  [Folder | Modified Date = 1/27/2008 1:47:06 AM | Attr = R  ]
System Volume Information -> %SystemDrive%\System Volume Information ->  [Folder | Modified Date = 1/28/2008 12:21:20 AM | Attr =  HS]
WINDOWS -> %SystemRoot% ->  [Folder | Modified Date = 2/18/2008 11:38:53 PM | Attr =	]
etc -> %SystemRoot%\System32\drivers\etc ->  [Folder | Modified Date = 1/27/2008 4:24:24 AM | Attr =	]
1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> 
5_exception.nls -> %SystemRoot%\System32\5_exception.nls ->  [Ver =  | Size = 0 bytes | Modified Date = 2/6/2008 12:41:30 AM | Attr =	]
CatRoot2 -> %SystemRoot%\System32\CatRoot2 ->  [Folder | Modified Date = 2/18/2008 10:06:23 PM | Attr =	]
3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> 
DLL.0LL -> %SystemRoot%\System32\DLL.0LL ->  [Ver =  | Size = 13824 bytes | Modified Date = 2/18/2008 10:01:40 PM | Attr =	]
dllcache -> %SystemRoot%\System32\dllcache ->  [Folder | Modified Date = 1/27/2008 5:42:08 AM | Attr = RHS]
drivers -> %SystemRoot%\System32\drivers ->  [Folder | Modified Date = 2/18/2008 10:01:21 PM | Attr =	]
kcopt.dll -> %SystemRoot%\System32\kcopt.dll ->  [Ver =  | Size = 574 bytes | Modified Date = 2/18/2008 10:01:37 PM | Attr =	]
KERNELDRV.0XE -> %SystemRoot%\System32\KERNELDRV.0XE ->  [Ver =  | Size = 39424 bytes | Modified Date = 2/16/2008 8:24:36 PM | Attr =	]
ksvcl.dll -> %SystemRoot%\System32\ksvcl.dll ->  [Ver =  | Size = 303 bytes | Modified Date = 2/18/2008 10:01:40 PM | Attr =	]
LANMANWRK.0XE -> %SystemRoot%\System32\LANMANWRK.0XE ->  [Ver =  | Size = 14336 bytes | Modified Date = 2/14/2008 4:11:51 PM | Attr =	]
qmopt.dll -> %SystemRoot%\System32\qmopt.dll ->  [Ver =  | Size = 724 bytes | Modified Date = 2/18/2008 11:32:39 PM | Attr =	]
Restore -> %SystemRoot%\System32\Restore ->  [Folder | Modified Date = 1/28/2008 12:21:20 AM | Attr =	]
SpoonUninstall-dBpoweramp WavPack Codec.bmp -> %SystemRoot%\System32\SpoonUninstall-dBpoweramp WavPack Codec.bmp ->  [Ver =  | Size = 33846 bytes | Modified Date = 1/25/2008 11:27:00 PM | Attr =	]
SpoonUninstall-dBpoweramp WavPack Codec.dat -> %SystemRoot%\System32\SpoonUninstall-dBpoweramp WavPack Codec.dat ->  [Ver =  | Size = 3008 bytes | Modified Date = 1/25/2008 11:27:13 PM | Attr =	]
SpoonUninstall.exe -> %SystemRoot%\System32\SpoonUninstall.exe ->  [Ver =  | Size = 429432 bytes | Modified Date = 1/25/2008 11:26:38 PM | Attr =	]
@Alternate Data Stream - 26 bytes -> %SystemRoot%\System32\SpoonUninstall.exe:Zone.Identifier
wbem -> %SystemRoot%\System32\wbem ->  [Folder | Modified Date = 1/27/2008 5:41:53 AM | Attr =	]
wpa.dbl -> %SystemRoot%\System32\wpa.dbl ->  [Ver =  | Size = 2228 bytes | Modified Date = 2/18/2008 8:32:19 AM | Attr =	]
bootstat.dat -> %SystemRoot%\bootstat.dat ->  [Ver =  | Size = 2048 bytes | Modified Date = 2/18/2008 10:00:48 PM | Attr =   S]
Downloaded Program Files -> %SystemRoot%\Downloaded Program Files ->  [Folder | Modified Date = 2/18/2008 11:49:31 PM | Attr =   S]
1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> 
inf -> %SystemRoot%\inf ->  [Folder | Modified Date = 1/29/2008 8:13:09 AM | Attr =  H ]
Installer -> %SystemRoot%\Installer ->  [Folder | Modified Date = 1/29/2008 8:13:04 AM | Attr =  HS]
NeroDigital.ini -> %SystemRoot%\NeroDigital.ini ->  [Ver =  | Size = 116 bytes | Modified Date = 1/26/2008 8:53:48 PM | Attr =	]
Network Diagnostic -> %SystemRoot%\Network Diagnostic ->  [Folder | Modified Date = 2/15/2008 12:36:01 PM | Attr =	]
Prefetch -> %SystemRoot%\Prefetch ->  [Folder | Modified Date = 2/16/2008 10:22:56 PM | Attr =	]
system.ini -> %SystemRoot%\system.ini ->  [Ver =  | Size = 253 bytes | Modified Date = 2/13/2008 10:17:41 PM | Attr =	]
system32 -> %SystemRoot%\system32 ->  [Folder | Modified Date = 2/18/2008 11:38:41 PM | Attr =	]
Temp -> %SystemRoot%\Temp ->  [Folder | Modified Date = 2/18/2008 10:01:39 PM | Attr =	]
win.ini -> %SystemRoot%\win.ini ->  [Ver =  | Size = 743 bytes | Modified Date = 2/13/2008 10:17:41 PM | Attr =	]
wininit.ini -> %SystemRoot%\wininit.ini ->  [Ver =  | Size = 747 bytes | Modified Date = 1/27/2008 12:46:12 AM | Attr =	]
SA.DAT -> %SystemRoot%\tasks\SA.DAT ->  [Ver =  | Size = 6 bytes | Modified Date = 2/18/2008 10:00:53 PM | Attr =  H ]
qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat ->  [Ver =  | Size = 6549 bytes | Modified Date = 12/31/2007 8:53:24 AM | Attr =	]
qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat ->  [Ver =  | Size = 6164 bytes | Modified Date = 12/31/2007 8:53:24 AM | Attr =	]
opa11.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA\opa11.dat ->  [Ver =  | Size = 8206 bytes | Modified Date = 10/8/2005 7:25:58 PM | Attr =	]
fsgk32.exe -> C:\Documents and Settings\Owner\Local Settings\Temp\OnlineScanner\Anti-Virus\fsgk32.exe -> F-Secure Corp. [Ver = 7.50.13332.1 | Size = 368640 bytes | Modified Date = 2/18/2008 10:08:34 PM | Attr =	]
fssm32.exe -> C:\Documents and Settings\Owner\Local Settings\Temp\OnlineScanner\Anti-Virus\fssm32.exe -> F-Secure Corp. [Ver = 7.50.13332.1 | Size = 446464 bytes | Modified Date = 2/18/2008 10:08:34 PM | Attr =	]
lsse.dll -> C:\Documents and Settings\Owner\Local Settings\Temp\OnlineScanner\Anti-Spyware\lsse.dll -> Lavasoft [Ver = 1.0.35.0 | Size = 184320 bytes | Modified Date = 2/18/2008 10:08:34 PM | Attr =	]
AVPFPI0.dll -> C:\Documents and Settings\Owner\Local Settings\Temp\OnlineScanner\Anti-Virus\AVPFPI0.dll -> Kaspersky Lab [Ver = 7.0.171.8410 | Size = 147538 bytes | Modified Date = 2/18/2008 10:08:33 PM | Attr =	]
avpproxy.dll -> C:\Documents and Settings\Owner\Local Settings\Temp\OnlineScanner\Anti-Virus\avpproxy.dll -> F-Secure Corporation [Ver = 1.2.12160 | Size = 77910 bytes | Modified Date = 2/18/2008 10:08:33 PM | Attr =	]
daas_s.dll -> C:\Documents and Settings\Owner\Local Settings\Temp\OnlineScanner\Anti-Virus\daas_s.dll -> F-Secure Corporation [Ver = 6.00.12471 | Size = 500120 bytes | Modified Date = 5/7/2007 4:38:46 PM | Attr =	]
DFFPI.DLL -> C:\Documents and Settings\Owner\Local Settings\Temp\OnlineScanner\Anti-Virus\DFFPI.DLL -> F-Secure Corporation [Ver = 1.02.37 | Size = 151552 bytes | Modified Date = 2/18/2008 10:08:33 PM | Attr =	]
fm4av.dll -> C:\Documents and Settings\Owner\Local Settings\Temp\OnlineScanner\Anti-Virus\fm4av.dll ->  [Ver =  | Size = 486912 bytes | Modified Date = 2/18/2008 10:08:34 PM | Attr =	]
fpinor.dll -> C:\Documents and Settings\Owner\Local Settings\Temp\OnlineScanner\Anti-Virus\fpinor.dll -> F-Secure Corporation [Ver = 1.20.13100 | Size = 113664 bytes | Modified Date = 2/18/2008 10:08:34 PM | Attr =	]
fsbl.dll -> C:\Documents and Settings\Owner\Local Settings\Temp\OnlineScanner\Anti-Virus\fsbl.dll -> F-Secure Corporation [Ver = 1, 0, 0, 1 | Size = 49152 bytes | Modified Date = 2/18/2008 10:08:34 PM | Attr =	]
fsbld.dll -> C:\Documents and Settings\Owner\Local Settings\Temp\OnlineScanner\Anti-Virus\fsbld.dll -> F-Secure Corporation [Ver = 1, 0, 0, 64 | Size = 524288 bytes | Modified Date = 2/18/2008 10:08:37 PM | Attr =	]
fsgkiapi.dll -> C:\Documents and Settings\Owner\Local Settings\Temp\OnlineScanner\Anti-Virus\fsgkiapi.dll -> F-Secure Corp. [Ver = 7.50.13330.18100 | Size = 68096 bytes | Modified Date = 2/18/2008 10:08:34 PM | Attr =	]
FSHKE.dll -> C:\Documents and Settings\Owner\Local Settings\Temp\OnlineScanner\Anti-Virus\FSHKE.dll -> F-Secure Corporation [Ver = 1, 0, 0, 4 | Size = 61440 bytes | Modified Date = 2/18/2008 10:08:34 PM | Attr =	]
FSLFPI.dll -> C:\Documents and Settings\Owner\Local Settings\Temp\OnlineScanner\Anti-Virus\FSLFPI.dll -> F-Secure Corporation [Ver = 2.04.02 | Size = 237664 bytes | Modified Date = 2/18/2008 10:08:34 PM | Attr =	]
fssubmit.dll -> C:\Documents and Settings\Owner\Local Settings\Temp\OnlineScanner\Anti-Virus\fssubmit.dll -> F-Secure Corporation [Ver = 1.0.11 | Size = 651264 bytes | Modified Date = 2/18/2008 10:08:34 PM | Attr =	]
lsse.dll -> C:\Documents and Settings\Owner\Local Settings\Temp\OnlineScanner\Anti-Virus\lsse.dll -> Lavasoft [Ver = 1.0.35.0 | Size = 184320 bytes | Modified Date = 2/18/2008 10:08:34 PM | Attr =	]
Nse_w32.dll -> C:\Documents and Settings\Owner\Local Settings\Temp\OnlineScanner\Anti-Virus\Nse_w32.dll ->  [Ver =  | Size = 506936 bytes | Modified Date = 2/18/2008 10:08:21 PM | Attr =	]
segrules.dat -> C:\Documents and Settings\Owner\Local Settings\Temp\OnlineScanner\segrules.dat ->  [Ver =  | Size = 707 bytes | Modified Date = 2/18/2008 10:06:46 PM | Attr =	]
ext.dat -> C:\Documents and Settings\Owner\Local Settings\Temp\OnlineScanner\Anti-Virus\ext.dat ->  [Ver =  | Size = 444 bytes | Modified Date = 2/18/2008 10:08:35 PM | Attr =	]
fshke.dat -> C:\Documents and Settings\Owner\Local Settings\Temp\OnlineScanner\Anti-Virus\fshke.dat ->  [Ver =  | Size = 84 bytes | Modified Date = 2/18/2008 10:08:36 PM | Attr =	]
orion.dat -> C:\Documents and Settings\Owner\Local Settings\Temp\OnlineScanner\Anti-Virus\orion.dat ->  [Ver =  | Size = 744347 bytes | Modified Date = 2/18/2008 10:07:15 PM | Attr =	]
orioneng.dat -> C:\Documents and Settings\Owner\Local Settings\Temp\OnlineScanner\Anti-Virus\orioneng.dat ->  [Ver =  | Size = 1325 bytes | Modified Date = 2/18/2008 10:07:15 PM | Attr =	]
orionfin.dat -> C:\Documents and Settings\Owner\Local Settings\Temp\OnlineScanner\Anti-Virus\orionfin.dat ->  [Ver =  | Size = 1599 bytes | Modified Date = 2/18/2008 10:07:15 PM | Attr =	]
perf.dat -> C:\Documents and Settings\Owner\Local Settings\Temp\OnlineScanner\Anti-Virus\perf.dat ->  [Ver =  | Size = 128 bytes | Modified Date = 2/18/2008 11:49:31 PM | Attr =	]
sae.dat -> C:\Documents and Settings\Owner\Local Settings\Temp\OnlineScanner\Anti-Virus\sae.dat ->  [Ver =  | Size = 243 bytes | Modified Date = 2/18/2008 10:08:35 PM | Attr =	]
sai.dat -> C:\Documents and Settings\Owner\Local Settings\Temp\OnlineScanner\Anti-Virus\sai.dat ->  [Ver =  | Size = 1348 bytes | Modified Date = 2/18/2008 10:08:35 PM | Attr =	]
FS@swdb.ini -> C:\Documents and Settings\Owner\Local Settings\Temp\OnlineScanner\Anti-Spyware\FS@swdb.ini ->  [Ver =  | Size = 205 bytes | Modified Date = 2/18/2008 10:07:57 PM | Attr =	]
FS@av.ini -> C:\Documents and Settings\Owner\Local Settings\Temp\OnlineScanner\Anti-Virus\FS@av.ini ->  [Ver =  | Size = 203 bytes | Modified Date = 2/18/2008 10:08:35 PM | Attr =	]
FS@avpe.ini -> C:\Documents and Settings\Owner\Local Settings\Temp\OnlineScanner\Anti-Virus\FS@avpe.ini ->  [Ver =  | Size = 205 bytes | Modified Date = 2/18/2008 10:07:51 PM | Attr =	]
FS@bleng.ini -> C:\Documents and Settings\Owner\Local Settings\Temp\OnlineScanner\Anti-Virus\FS@bleng.ini ->  [Ver =  | Size = 241 bytes | Modified Date = 2/18/2008 10:08:37 PM | Attr =	]
FS@hkeng.ini -> C:\Documents and Settings\Owner\Local Settings\Temp\OnlineScanner\Anti-Virus\FS@hkeng.ini ->  [Ver =  | Size = 206 bytes | Modified Date = 2/18/2008 10:08:36 PM | Attr =	]
FS@libra.ini -> C:\Documents and Settings\Owner\Local Settings\Temp\OnlineScanner\Anti-Virus\FS@libra.ini ->  [Ver =  | Size = 206 bytes | Modified Date = 2/18/2008 10:07:17 PM | Attr =	]
FS@ols3bin.ini -> C:\Documents and Settings\Owner\Local Settings\Temp\OnlineScanner\Anti-Virus\FS@ols3bin.ini ->  [Ver =  | Size = 175 bytes | Modified Date = 2/18/2008 10:08:34 PM | Attr =	]
FS@orion.ini -> C:\Documents and Settings\Owner\Local Settings\Temp\OnlineScanner\Anti-Virus\FS@orion.ini ->  [Ver =  | Size = 206 bytes | Modified Date = 2/18/2008 10:07:15 PM | Attr =	]
FS@peg.ini -> C:\Documents and Settings\Owner\Local Settings\Temp\OnlineScanner\Anti-Virus\FS@peg.ini ->  [Ver =  | Size = 204 bytes | Modified Date = 2/18/2008 10:08:20 PM | Attr =	]
verdicts.ini -> C:\Documents and Settings\Owner\Local Settings\Temp\OnlineScanner\Anti-Virus\verdicts.ini ->  [Ver =  | Size = 2539 bytes | Modified Date = 2/18/2008 10:07:51 PM | Attr =	]
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
Prevx -> %AllUsersProfile%\Application Data\Prevx ->  [Folder | Modified Date = 1/29/2008 8:55:48 AM | Attr =	]
QTSBandwidthCache -> %AllUsersProfile%\Application Data\QTSBandwidthCache ->  [Ver =  | Size = 1759 bytes | Modified Date = 1/20/2008 8:09:02 PM | Attr =	]
foobar2000 -> %AppData%\foobar2000 ->  [Folder | Modified Date = 2/16/2008 1:29:20 AM | Attr =	]
HouseCall 6.6 -> %AppData%\HouseCall 6.6 ->  [Folder | Modified Date = 1/27/2008 4:25:59 AM | Attr =	]
uTorrent -> %AppData%\uTorrent ->  [Folder | Modified Date = 2/17/2008 12:16:09 PM | Attr =	]
DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> %UserProfile%\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini ->  [Ver =  | Size = 146432 bytes | Modified Date = 2/4/2008 5:26:34 PM | Attr =	]
B of A -> %UserProfile%\My Documents\B of A ->  [Folder | Modified Date = 2/15/2008 4:13:56 PM | Attr =	]
chckbk.xls -> %UserProfile%\My Documents\chckbk.xls ->  [Ver =  | Size = 317952 bytes | Modified Date = 2/18/2008 8:42:44 AM | Attr =	]
music.xls -> %UserProfile%\My Documents\music.xls ->  [Ver =  | Size = 25600 bytes | Modified Date = 2/13/2008 9:30:29 PM | Attr =	]
My Videos -> %UserProfile%\My Documents\My Videos ->  [Folder | Modified Date = 1/22/2008 6:43:08 PM | Attr = R  ]
NeroVision -> %UserProfile%\My Documents\NeroVision ->  [Folder | Modified Date = 1/26/2008 8:47:12 PM | Attr =	]
re -> %UserProfile%\My Documents\re ->  [Folder | Modified Date = 2/5/2008 12:45:50 AM | Attr =	]
ResumeLena1.doc -> %UserProfile%\My Documents\ResumeLena1.doc ->  [Ver =  | Size = 27648 bytes | Modified Date = 2/12/2008 9:56:03 PM | Attr =	]
WYS -> %UserProfile%\My Documents\WYS ->  [Folder | Modified Date = 2/16/2008 4:56:59 PM | Attr =	]
???????.txt -> %UserProfile%\My Documents\женщина.txt ->  [Ver =  | Size = 2226 bytes | Modified Date = 4/10/2007 3:58:15 PM | Attr =	]
???.txt -> %UserProfile%\My Documents\тай.txt ->  [Ver =  | Size = 7236 bytes | Modified Date = 3/12/2007 9:43:51 PM | Attr =	]
100OLYMP -> %UserProfile%\Desktop\100OLYMP ->  [Folder | Modified Date = 2/9/2008 5:44:03 PM | Attr =	]
BU 14 evals.xls -> %UserProfile%\Desktop\BU 14 evals.xls ->  [Ver =  | Size = 67072 bytes | Modified Date = 2/14/2008 10:43:41 PM | Attr =	]
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\BU 14 evals.xls:Zone.Identifier
comcast payment02-13.pdf -> %UserProfile%\Desktop\comcast payment02-13.pdf ->  [Ver =  | Size = 13331 bytes | Modified Date = 2/14/2008 12:37:19 AM | Attr =	]
comcast01-18.pdf -> %UserProfile%\Desktop\comcast01-18.pdf ->  [Ver =  | Size = 1377347 bytes | Modified Date = 2/14/2008 12:34:59 AM | Attr =	]
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\comcast01-18.pdf:Zone.Identifier
comcast12-18.pdf -> %UserProfile%\Desktop\comcast12-18.pdf ->  [Ver =  | Size = 163340 bytes | Modified Date = 2/14/2008 12:34:35 AM | Attr =	]
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\comcast12-18.pdf:Zone.Identifier
Drop in Sports Feb Vac 2008 - Appl.doc -> %UserProfile%\Desktop\Drop in Sports Feb Vac 2008 - Appl.doc ->  [Ver =  | Size = 33280 bytes | Modified Date = 2/13/2008 10:27:51 PM | Attr =	]
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\Drop in Sports Feb Vac 2008 - Appl.doc:Zone.Identifier
hjt.lnk -> %UserProfile%\Desktop\hjt.lnk ->  [Ver =  | Size = 560 bytes | Modified Date = 1/27/2008 1:47:35 AM | Attr =	]
old docs -> %UserProfile%\Desktop\old docs ->  [Folder | Modified Date = 1/22/2008 6:41:16 PM | Attr =	]
ResumeLena.doc -> %UserProfile%\Desktop\ResumeLena.doc ->  [Ver =  | Size = 32768 bytes | Modified Date = 2/12/2008 9:55:52 PM | Attr =	]
uTorrent.exe -> %UserProfile%\Desktop\uTorrent.exe ->  [Ver =  | Size = 219952 bytes | Modified Date = 1/29/2008 5:17:09 PM | Attr =	]
VLADDOOB-1.htm -> %UserProfile%\Desktop\VLADDOOB-1.htm ->  [Ver =  | Size = 8046 bytes | Modified Date = 2/5/2008 11:22:49 PM | Attr =	]
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\VLADDOOB-1.htm:Zone.Identifier
WinPFind35u -> %UserProfile%\Desktop\WinPFind35u ->  [Folder | Modified Date = 2/18/2008 11:57:38 PM | Attr =	]

< End of report >


#12 Sesmu

Posted 19 February 2008 - 12:08 AM

And this is the F-Secure report. One thing I'd like to know, though: why did it only rename most of the viruses and not remove them? Should I remove them myself?

Scanning Report
Monday, February 18, 2008 22:08:41 - 23:39:56
Computer name: VLAD 
Scanning type: Scan system for viruses, rootkits, spyware 
Target: C:\ 


--------------------------------------------------------------------------------

Result: 28 malware found
Email-Worm.Win32.Agent.e (virus) 
C:\DOCUMENTS AND SETTINGS\OWNER\DESKTOP\WINPFIND35U\MOVEDFILES\02182008_215705\WINDOWS\SYSTEM32\DRIVERS\SYG42.SYS (Renamed & Submitted) 
Packed.Win32.NSAnti.r (virus) 
C:\WINDOWS\SYSTEM32\WINSLS31.EXE (Submitted) 
Rootkit.Win32.Agent.vc (virus) 
C:\WINDOWS\SYSTEM32\LANMANDRV.SYS (Submitted) 
Tracking Cookie (spyware) 
System (Disinfected) 
System 
System 
System 
System 
System 
System 
Trojan-Downloader.Win32.Agent.ggt (virus) 
C:\WINDOWS\WEK30(2).SYS (Renamed & Submitted) 
C:\WINDOWS\WEK30(3).SYS (Renamed & Submitted) 
C:\WINDOWS\WEK30(4).SYS (Renamed & Submitted) 
C:\WINDOWS\WEK30(5).SYS (Renamed & Submitted) 
C:\WINDOWS\WEK30(6).SYS (Renamed & Submitted) 
C:\WINDOWS\WEK30(7).SYS (Renamed & Submitted) 
C:\WINDOWS\WEK30(8).SYS (Renamed & Submitted) 
C:\WINDOWS\WEK30(9).SYS (Renamed & Submitted) 
C:\WINDOWS\WEK30.SYS (Renamed & Submitted) 
C:\DOCUMENTS AND SETTINGS\OWNER\DESKTOP\WINPFIND35U\MOVEDFILES\02182008_215705\WINDOWS\SYSTEM32\DRIVERS\WEK30.SYS (Renamed & Submitted) 
Trojan-Downloader.Win32.Agent.hos (virus) 
C:\WINDOWS\SYSTEM32\KERNELDRV.EXE (Renamed & Submitted) 
Trojan-Dropper.Win32.Agent.drt (virus) 
C:\WINDOWS\SYSTEM32\LANMANWRK.EXE (Renamed & Submitted) 
C:\DOCUMENTS AND SETTINGS\OWNER\DESKTOP\WINPFIND35U\MOVEDFILES\02182008_215705\WINDOWS\SYSTEM32\87422.EXE (Renamed & Submitted) 
Trojan-Spy.Win32.Small.it (virus) 
C:\WINDOWS\SYSTEM32\DLL.DLL (Renamed & Submitted) 
Trojan.Win32.Agent.eub (virus) 
C:\DOCUMENTS AND SETTINGS\OWNER\DESKTOP\WINPFIND35U\MOVEDFILES\02182008_215705\WINDOWS\SYSTEM32\LOGCRYPT.DLL (Renamed & Submitted) 
W32/Adclicker.BAX (virus) 
C:\DOCUMENTS AND SETTINGS\OWNER\OPEN.EXE (Submitted) 
W32/Banker.BWNT (virus) 
C:\PROGRAM FILES\UTORRENT\COMPLETED\ACDSEE PHOTO MANAGER V10.0 BUILD 219\KEYGEN\KEYGEN.EXE (Submitted) 
Win32.TrojanDownloader.Nurech (spyware) 
System (Disinfected) 

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 36759 
System: 4642 
Not scanned: 3 
Actions:
Disinfected: 2 
Renamed: 16 
Deleted: 0 
None: 10 
Submitted: 20 
Files not scanned:
C:\HIBERFIL.SYS 
C:\PAGEFILE.SYS 
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT 

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure AVP: 7.0.171, 2008-02-18 
F-Secure Blacklight: 1.0.64 
F-Secure Draco: 1.0.35, 0597-150-72 
F-Secure Libra: 2.4.2, 2008-02-18 
F-Secure Orion: 1.2.37, 2008-02-19 
F-Secure Pegasus: 1.20.0, 2008-01-13 
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQXJPG SWF 
Use Advanced heuristics


#13 OldTimer

Malware Expert

Posted 19 February 2008 - 01:38 AM

Hi Sesmu. Well, let's try it again with a twist. First, copy these directions into Notepad and save them on your desktop. We will be booting to Safe Mode and you will need this information and the ability to copy/paste some of it during the fix.

Now please follow these steps in order:

Step #1

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #2

Now we will need to disable the driver for this thing. Please do the following:
  • Click Start, click Control Panel, click Performance and Maintenance, and then click System.
  • On the Hardware tab, click Device Manager.
  • Click the View menu and if there is no checkmark in front of Show hidden devices then click on it to activate it.
  • Scroll down the list of devices and double-click Non-Plug and Play Drivers.
  • Locate the lanmandrv device and right click it and then click the Properties option.
  • Click the Driver tab.
  • In the Startup section select Disable from the drop-down list.
  • Click General tab.
  • In the Device Usage drop-down list select Do not use this device (disable).
  • Click the Ok button and you should be prompted to reboot. You can reboot normally.
Step #3

Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Drivers to unload:
CO_Mon
lanmandrv
Pcouffin
Files to delete:
%SystemRoot%\System32\DLL.0LL
%SystemRoot%\system32\Drivers\CO_Mon.sys
%SystemRoot%\System32\kcopt.dll
%SystemRoot%\System32\KERNELDRV.0XE
%SystemRoot%\System32\ksvcl.dll
%SystemRoot%\System32\lanmandrv.sys
%SystemRoot%\System32\LANMANWRK.0XE
%SystemRoot%\System32\qmopt.dll
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon, which will open a new window titled "View/edit script".
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done.
  • Now click on the Green Light to begin execution of the script.
  • Answer "Yes" twice when prompted.
The Avenger will automatically do the following:
  • It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Step #4

Start WinPFind35U. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Driver Services - Non-Microsoft Only]
NY -> (CO_Mon) CO_Mon [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\Drivers\CO_Mon.sys
NY -> (Pcouffin) Low level access layer for CD devices [Kernel | On_Demand | Stopped] -> System32\Drivers\Pcouffin.sys
YY -> (lanmandrv) lanmandrv [Kernel | System | Running] -> %SystemRoot%\System32\lanmandrv.sys
[Files/Folders - Created Within 30 days]
NY -> DLL.0LL -> %SystemRoot%\System32\DLL.0LL
NY -> kcopt.dll -> %SystemRoot%\System32\kcopt.dll
NY -> KERNELDRV.0XE -> %SystemRoot%\System32\KERNELDRV.0XE
NY -> ksvcl.dll -> %SystemRoot%\System32\ksvcl.dll
NY -> LANMANWRK.0XE -> %SystemRoot%\System32\LANMANWRK.0XE
NY -> qmopt.dll -> %SystemRoot%\System32\qmopt.dll
[Files/Folders - Modified Within 30 days]
NY -> DLL.0LL -> %SystemRoot%\System32\DLL.0LL
NY -> kcopt.dll -> %SystemRoot%\System32\kcopt.dll
NY -> KERNELDRV.0XE -> %SystemRoot%\System32\KERNELDRV.0XE
NY -> ksvcl.dll -> %SystemRoot%\System32\ksvcl.dll
NY -> LANMANWRK.0XE -> %SystemRoot%\System32\LANMANWRK.0XE
NY -> qmopt.dll -> %SystemRoot%\System32\qmopt.dll
NY -> qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
NY -> qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
[Empty Temp Folders]
[Start Explorer]

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. You might be asked to reboot if any of the files could not be moved during the fix. If so, choose Yes and reboot normally. If you are not asked to reboot, click the Ok button on the finished message and Notepad will open with a log of actions taken during the fix. Post that information back here. My guess is that we will still need to use Avenger again to remove the left-over files, but it should not give us the problems it did previously.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

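Added example (not part of this thread and not code from The Avenger): a small Python reconciler that reads an Avenger script together with the C:\avenger.txt log it produces and reports which requested drivers and files were actually handled, so left-overs for a follow-up pass are obvious. It assumes %SystemRoot% expands to C:\WINDOWS (a default XP install) and takes the NTSTATUS name for 0xC0000034 from the Windows SDK; the sample script and log are constructed in the format used in this thread.

```python
"""Reconcile an Avenger script against the avenger.txt log it produced."""
import re
from dataclasses import dataclass

# Assumption: the machine is a default XP install, so the %SystemRoot% form
# used in the script corresponds to the C:\WINDOWS form written in the log.
ENV = {"%SystemRoot%": r"C:\WINDOWS"}

# NTSTATUS names for codes an Avenger 'Status:' line may carry (Windows SDK).
NTSTATUS_NAMES = {0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND"}

DRIVER_OK = re.compile(r"^Driver (\S+) unloaded successfully\.$")
FILE_OK = re.compile(r"^File (.+) deleted successfully\.$")
FILE_FAIL = re.compile(r"^Deletion of file (.+) failed!$")
STATUS = re.compile(r"^Status: (0x[0-9A-Fa-f]+)$")


def norm(path):
    """Expand %SystemRoot% and fold case so script and log paths compare equal."""
    for var, value in ENV.items():
        path = path.replace(var, value)
    return path.lower()


def parse_script(text):
    """Return (drivers, files) listed under the two Avenger script headings."""
    drivers, files, current = [], [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "Drivers to unload:":
            current = drivers
        elif line == "Files to delete:":
            current = files
        elif line and current is not None:
            current.append(line)
    return drivers, files


@dataclass
class LogOutcome:
    drivers_unloaded: list
    files_deleted: list      # normalised paths
    failures: dict           # normalised path -> NTSTATUS name, or raw hex if unknown


def parse_log(text):
    """Pull per-item outcomes out of an Avenger log."""
    drivers, files, failures, pending = [], [], {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := DRIVER_OK.match(line):
            drivers.append(m.group(1))
        elif m := FILE_OK.match(line):
            files.append(norm(m.group(1)))
        elif m := FILE_FAIL.match(line):
            # The NTSTATUS follows a few lines later on its own 'Status:' line.
            pending = norm(m.group(1))
            failures[pending] = "unknown"
        elif (m := STATUS.match(line)) and pending is not None:
            code = int(m.group(1), 16)
            failures[pending] = NTSTATUS_NAMES.get(code, m.group(1))
            pending = None
    return LogOutcome(drivers, files, failures)


def reconcile(script_text, log_text):
    """Classify every requested item so anything left for a second pass stands out."""
    req_drivers, req_files = parse_script(script_text)
    out = parse_log(log_text)
    unloaded = {d.lower() for d in out.drivers_unloaded}
    return {
        "drivers_not_unloaded": [d for d in req_drivers if d.lower() not in unloaded],
        "files_deleted": [f for f in req_files if norm(f) in out.files_deleted],
        "files_failed": {f: out.failures[norm(f)] for f in req_files if norm(f) in out.failures},
        "files_unreported": [f for f in req_files
                             if norm(f) not in out.files_deleted and norm(f) not in out.failures],
    }


# Constructed sample, trimmed, in the script and log format used in this thread.
SAMPLE_SCRIPT = r"""
Drivers to unload:
CO_Mon
lanmandrv
Files to delete:
%SystemRoot%\System32\DLL.0LL
%SystemRoot%\system32\Drivers\CO_Mon.sys
%SystemRoot%\System32\lanmandrv.sys
"""

SAMPLE_LOG = r"""
Driver CO_Mon unloaded successfully.
Driver lanmandrv unloaded successfully.
File C:\WINDOWS\System32\DLL.0LL deleted successfully.
File C:\WINDOWS\system32\Drivers\CO_Mon.sys not found!
Deletion of file C:\WINDOWS\system32\Drivers\CO_Mon.sys failed!
Status: 0xc0000034
File C:\WINDOWS\System32\lanmandrv.sys deleted successfully.
Completed script processing.
"""

if __name__ == "__main__":
    for key, value in reconcile(SAMPLE_SCRIPT, SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A "not found" failure here means the driver service entry pointed at a file that was already gone, which is why the service itself still needs removing in a later step.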

#14 Sesmu

Posted 19 February 2008 - 10:12 AM

Hi OldTimer,

this time everything went smoothly. Here's the Avenger's log:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\mbqxrulq

*******************

Script file located at: \??\C:\WINDOWS\ifkubgcc.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver CO_Mon unloaded successfully.
Driver lanmandrv unloaded successfully.
Driver Pcouffin unloaded successfully.
File C:\WINDOWS\System32\DLL.0LL deleted successfully.


File C:\WINDOWS\system32\Drivers\CO_Mon.sys not found!
Deletion of file C:\WINDOWS\system32\Drivers\CO_Mon.sys failed!

Could not process line:
C:\WINDOWS\system32\Drivers\CO_Mon.sys
Status: 0xc0000034

File C:\WINDOWS\System32\kcopt.dll deleted successfully.
File C:\WINDOWS\System32\KERNELDRV.0XE deleted successfully.
File C:\WINDOWS\System32\ksvcl.dll deleted successfully.
File C:\WINDOWS\System32\lanmandrv.sys deleted successfully.
File C:\WINDOWS\System32\LANMANWRK.0XE deleted successfully.
File C:\WINDOWS\System32\qmopt.dll deleted successfully.
File C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat deleted successfully.
File C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.

And here's the WinPFind35u log:
Explorer killed successfully
[Driver Services - Non-Microsoft Only]
Unable to stop service CO_Mon .
Unable to delete service CO_Mon .
File C:\WINDOWS\system32\Drivers\CO_Mon.sys not found.
Unable to stop service Pcouffin .
Unable to delete service Pcouffin .
File System32\Drivers\Pcouffin.sys not found.
Unable to stop service lanmandrv .
Unable to delete service lanmandrv .
File C:\WINDOWS\System32\lanmandrv.sys not found.
[Files/Folders - Created Within 30 days]
File C:\WINDOWS\System32\DLL.0LL not found!
File C:\WINDOWS\System32\kcopt.dll not found!
File C:\WINDOWS\System32\KERNELDRV.0XE not found!
File C:\WINDOWS\System32\ksvcl.dll not found!
File C:\WINDOWS\System32\LANMANWRK.0XE not found!
File C:\WINDOWS\System32\qmopt.dll not found!
[Files/Folders - Modified Within 30 days]
File C:\WINDOWS\System32\DLL.0LL not found!
File C:\WINDOWS\System32\kcopt.dll not found!
File C:\WINDOWS\System32\KERNELDRV.0XE not found!
File C:\WINDOWS\System32\ksvcl.dll not found!
File C:\WINDOWS\System32\LANMANWRK.0XE not found!
File C:\WINDOWS\System32\qmopt.dll not found!
File C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat not found!
File C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat not found!
[Empty Temp Folders]
User temp folders emptied.
SystemRoot temp folder emptied.
IE temp folders emptied
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
WinPFind35U Version Beta52 fix logfile created on 02192008_100546

I didn't need to run the WinPFind35u scan again, did I?
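
The two logs above are the evidence that the cleanup worked, and a helper normally reads them side by side: every path in the fix script's target list should show "deleted successfully" in the Avenger log or "not found" in the post-fix WinPFind35u log, and the "Unable to delete service" lines deserve a second look because a driver whose .sys file is gone can still have a live entry under HKLM\System\CurrentControlSet\Services. The script below is an added example that automates that reconciliation; it is not an Avenger, WinPFind or BleepingComputer tool. The embedded log text is excerpted from the two logs posted above and trimmed, the target list is a hypothetical one (it deliberately includes ksvcl.dll, which the excerpts do not mention, to show an unaccounted-for artifact), and the only NTSTATUS value mapped is the one the Avenger log actually printed.

```python
"""Reconcile an Avenger log against a WinPFind35u fix log.

Added example for this thread; not an Avenger, WinPFind or BleepingComputer
tool. Given the fix script's target list it reports which artifacts the logs
agree are gone, which deletions failed and why, and which driver services still
have a registry entry although their .sys file is missing.
"""
import re
from dataclasses import dataclass, field

# NTSTATUS codes Avenger prints on a failed line. Only the one seen in the
# log above is mapped; anything else is reported as its raw hex value.
NTSTATUS = {0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND"}

# Excerpts of the two logs posted above, trimmed to the lines this example uses.
AVENGER_LOG = r"""
Driver CO_Mon unloaded successfully.
Driver lanmandrv unloaded successfully.
File C:\WINDOWS\System32\DLL.0LL deleted successfully.

File C:\WINDOWS\system32\Drivers\CO_Mon.sys not found!
Deletion of file C:\WINDOWS\system32\Drivers\CO_Mon.sys failed!

Could not process line:
C:\WINDOWS\system32\Drivers\CO_Mon.sys
Status: 0xc0000034

File C:\WINDOWS\System32\kcopt.dll deleted successfully.
File C:\WINDOWS\System32\lanmandrv.sys deleted successfully.
"""

WINPFIND_FIX_LOG = r"""
[Driver Services - Non-Microsoft Only]
Unable to stop service CO_Mon .
Unable to delete service CO_Mon .
File C:\WINDOWS\system32\Drivers\CO_Mon.sys not found.
Unable to stop service lanmandrv .
Unable to delete service lanmandrv .
File C:\WINDOWS\System32\lanmandrv.sys not found.
[Files/Folders - Created Within 30 days]
File C:\WINDOWS\System32\DLL.0LL not found!
File C:\WINDOWS\System32\kcopt.dll not found!
"""


def norm(path: str) -> str:
    """Windows paths are case-insensitive; the logs mix System32/system32."""
    return path.strip().lower()


@dataclass
class AvengerResult:
    unloaded: set = field(default_factory=set)   # driver names unloaded
    deleted: set = field(default_factory=set)    # normalised paths removed
    failed: dict = field(default_factory=dict)   # path -> NTSTATUS name or hex


def parse_avenger(text: str) -> AvengerResult:
    res = AvengerResult()
    pending = None  # path from the last "Deletion ... failed!" awaiting its Status line
    for line in text.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"Driver (\S+) unloaded successfully\.", line):
            res.unloaded.add(m.group(1))
        elif m := re.fullmatch(r"File (.+) deleted successfully\.", line):
            res.deleted.add(norm(m.group(1)))
        elif m := re.fullmatch(r"Deletion of file (.+) failed!", line):
            pending = norm(m.group(1))
            res.failed[pending] = "unknown"
        elif (m := re.fullmatch(r"Status: (0x[0-9A-Fa-f]+)", line)) and pending:
            res.failed[pending] = NTSTATUS.get(int(m.group(1), 16), m.group(1))
            pending = None
    return res


@dataclass
class WinPFindResult:
    services_kept: set = field(default_factory=set)  # services WinPFind could not delete
    missing: set = field(default_factory=set)        # normalised paths reported not found


def parse_winpfind(text: str) -> WinPFindResult:
    res = WinPFindResult()
    for line in text.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"Unable to delete service (\S+) \.", line):
            res.services_kept.add(m.group(1))
        elif m := re.fullmatch(r"File (.+) not found[.!]", line):
            res.missing.add(norm(m.group(1)))
    return res


def reconcile(targets, avenger: AvengerResult, winpfind: WinPFindResult) -> dict:
    """Classify each target path and flag service entries that outlived their file."""
    targets = {norm(t) for t in targets}
    gone = {t for t in targets if t in avenger.deleted or t in winpfind.missing}
    # A service whose .sys file is reported missing but whose registry key could
    # not be deleted is an orphaned Services entry that still needs manual cleanup.
    orphaned = {s for s in winpfind.services_kept
                if any(p.endswith(f"\\{s.lower()}.sys") for p in winpfind.missing)}
    return {
        "confirmed_gone": gone,
        "unaccounted": targets - gone,
        "avenger_failures": dict(avenger.failed),
        "orphaned_services": orphaned,
    }


if __name__ == "__main__":
    # Hypothetical target list; ksvcl.dll is absent from the excerpts on purpose.
    targets = [r"C:\WINDOWS\System32\DLL.0LL", r"C:\WINDOWS\System32\kcopt.dll",
               r"C:\WINDOWS\System32\lanmandrv.sys", r"C:\WINDOWS\system32\Drivers\CO_Mon.sys",
               r"C:\WINDOWS\System32\ksvcl.dll"]
    report = reconcile(targets, parse_avenger(AVENGER_LOG), parse_winpfind(WINPFIND_FIX_LOG))
    for key, value in report.items():
        print(f"{key}: {sorted(value) if isinstance(value, set) else value}")
```

The Avenger "not found" status on CO_Mon.sys is treated as a success for the file itself (the point was to remove it), but the matching "Unable to delete service CO_Mon" line is what turns it into an orphaned registration worth following up, which is why the two logs are cross-referenced rather than read separately.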

#15 OldTimer

    Malware Expert

  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:01:02 PM

Posted 19 February 2008 - 10:34 AM

Hi Sesmu. That all looks good. Go ahead and run a final WinPFind35u scan and we should be able to call it good :thumbsup:

Cheers.

OT
