
Infected With Tr/dldr.agent.hkb


14 replies to this topic

#1 Mattagin
Posted 31 January 2008 - 01:20 PM

My wife's computer has been infected with this Trojan and I have used your services in the past for my own computer with great results. I have followed the checklist procedure before posting this thread and here is the HJT Log after all preliminary scanning was done. Thanks in advance for your help.
-------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:10:12 PM, on 1/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3B71576E-CA1D-4199-973E-0538A40DA9EE} - C:\WINDOWS\system32\adsldpca.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Aces Up! by pogo - http://game1.pogo.com/v/8.1.1.1/applet/aces/aces-en_US.cab
O16 - DPF: Mah Jong Garden by pogo - http://game1.pogo.com/v/8.1.1.1/applet/mah...jong2-en_US.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLa...erInstaller.CAB
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1193108049953
O17 - HKLM\System\CCS\Services\Tcpip\..\{D71649DB-EB3F-44AD-B9B9-2DFE7A320BC1}: NameServer = 142.177.1.2 142.177.129.11
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

--
End of file - 4204 bytes


#2 OldTimer
Malware Expert
Posted 04 February 2008 - 08:16 PM

Hello Mattagin and welcome to the BC HijackThis forum. I don't see anything in the HJT log. Let's see what else we can find.

Before running the scan let's clean out the temporary folders.

Download ATF Cleaner
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Now download WinPFind35u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind35u on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the WinPFind35u folder and double-click on WinPFind35U.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • In the Drivers section click on Non-Microsoft.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck
    • File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in.

If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts or attach it as a file.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

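As an added example (not part of the thread and not one of OldTimer's tools), a small Python triage helper for the "[Driver Services - Non-Microsoft Only]" section that the WinPFind35u procedure above produces: it parses each entry into its fields and flags the combinations a log reviewer looks for first, such as an auto-start kernel driver whose image file is missing or whose image is not a .sys file. The five sample lines are copied from the report posted later in this thread; the severity rules are a constructed heuristic, not anything WinPFind itself does.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the WinPFind35u "[Driver Services - Non-Microsoft Only]" format;
# the five entries are copied from the report posted later in this thread.
SAMPLE_LOG = """\
[Driver Services - Non-Microsoft Only]

(Abiosdsk) Abiosdsk [Kernel | Disabled | Stopped] ->  -> File not found

(avgio) avgio [Kernel | System | Running] -> %ProgramFiles%\\Avira\\AntiVir PersonalEdition Classic\\avgio.sys -> Avira GmbH [Ver = 1.0.0.30 | Size = 11840 bytes | Modified Date = 2/27/2007 6:25:10 PM | Attr =\t]

(Changer) Changer [Kernel | System | Stopped] ->  -> File not found

(Secdrv) Secdrv [Kernel | On_Demand | Stopped] -> %System32%\\drivers\\secdrv.sys ->  [Ver =  | Size = 27440 bytes | Modified Date = 7/17/2004 5:36:38 AM | Attr =\t]

(XGCGDDDQ) XGCGDDDQ [Kernel | Auto | Stopped] -> %System32%\\xgcgdddq.loj -> File not found
"""

SECTION = "[Driver Services - Non-Microsoft Only]"
# (ServiceName) Display name [Type | Start | State] -> image path -> vendor [Ver = ...]  (or "File not found")
LINE_RE = re.compile(
    r"^\((?P<name>[^)]+)\)\s+(?P<display>.*?)\s+"
    r"\[(?P<type>[^|\]]+?)\s*\|\s*(?P<start>[^|\]]+?)\s*\|\s*(?P<state>[^\]]+?)\]"
    r"\s+->\s?(?P<path>.*?)\s+->\s?(?P<rest>.*)$"
)
VENDOR_RE = re.compile(r"(?P<vendor>.*?)\s*\[Ver =")
VOWELS = set("aeiouAEIOU")

@dataclass
class DriverEntry:
    name: str
    start: str        # Boot, System, Auto, On_Demand or Disabled
    state: str        # Running or Stopped
    path: str         # image path as WinPFind prints it; "" if none is registered
    vendor: str       # company name from the version resource; "" if absent
    file_found: bool

@dataclass
class Finding:
    name: str
    severity: str     # info, low, medium or high (constructed scale)
    reasons: List[str]

def parse_driver_section(report: str) -> List[DriverEntry]:
    """Return the entries of the driver-services section of a WinPFind35u report."""
    entries: List[DriverEntry] = []
    in_section = False
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = (line == SECTION)   # any section header starts or ends our block
            continue
        if not in_section or not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        rest = m.group("rest").strip()
        file_found = rest != "File not found"
        vendor = ""
        if file_found:
            vm = VENDOR_RE.match(rest)
            vendor = vm.group("vendor").strip() if vm else rest
        entries.append(DriverEntry(m.group("name"), m.group("start").strip(), m.group("state").strip(),
                                   m.group("path").strip(), vendor, file_found))
    return entries

def assess(e: DriverEntry) -> Optional[Finding]:
    """Apply the checks a reviewer applies by eye; None means nothing worth noting."""
    if not e.path:
        # No ImagePath and no file: an orphaned legacy entry. XP ships dozens of these
        # (Abiosdsk, Changer, the old SCSI controllers), so record it but do not alarm.
        return Finding(e.name, "info", ["orphaned entry: no image path registered"])
    reasons = []
    if not e.file_found:
        reasons.append("image path registered but file missing")
    ext = e.path.rsplit(".", 1)[-1].lower() if "." in e.path else ""
    if ext != "sys":
        reasons.append(f"driver image has a non-.sys extension ('.{ext}')")
    if e.start == "Auto" and e.state == "Stopped":
        reasons.append("Auto start but not running (load failed or was blocked)")
    if len(e.name) >= 8 and not (set(e.name) & VOWELS) and not any(c.isdigit() for c in e.name):
        reasons.append("vowel-less name of the kind produced by random name generators")
    if e.file_found and not e.vendor:
        reasons.append("image carries no vendor/version information")
    if not reasons:
        return None
    severity = "high" if len(reasons) >= 3 else "medium" if len(reasons) == 2 else "low"
    return Finding(e.name, severity, reasons)

def analyze(report: str) -> List[Finding]:
    return [f for f in map(assess, parse_driver_section(report)) if f is not None]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.name}: " + "; ".join(f.reasons))
```

A "low" hit such as Secdrv (a copy-protection driver that ships without version information) is expected noise; the point of the scoring is to surface the entry that stacks several signals at once.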

#3 Mattagin
Posted 04 February 2008 - 11:25 PM

WinPFind35 logfile created on: 2/5/2008 12:25:49 AM

WinPFind35U Version Beta42	 Folder = C:\Documents and Settings\Home\Desktop\WinPFind35u

Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 6.0.2900.2180)

 

351.48 Mb Total Physical Memory | 137.15 Mb Available Physical Memory | 39.02% Memory free

854.21 Mb Paging File | 607.05 Mb Available in Paging File | 71.07% Paging File free

Paging file location(s): c:\pagefile.sys 528 1056;

 

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 16.08 Gb Total Space | 9.08 Gb Free Space | 56.42% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

Drive E: | 49.03 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Drive F: | 18.64 Gb Total Space | 18.57 Gb Free Space | 99.65% Space Free | Partition Type: NTFS



Computer Name: BUBSSIS

Current User Name: Home

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user





[Processes - Non-Microsoft Only]

aawservice.exe -> %ProgramFiles%\Lavasoft\Ad-Aware 2007\aawservice.exe -> Lavasoft [Ver = 7,0,2,6 | Size = 587096 bytes | Modified Date = 1/4/2008 1:27:08 PM | Attr =	]

jusched.exe -> %ProgramFiles%\Java\jre1.6.0_03\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 132496 bytes | Modified Date = 9/25/2007 5:11:35 AM | Attr =	]

avguard.exe -> %ProgramFiles%\Avira\AntiVir PersonalEdition Classic\avguard.exe -> Avira GmbH [Ver = 7.00.00.82 | Size = 214056 bytes | Modified Date = 10/27/2007 10:11:13 PM | Attr =	]

sched.exe -> %ProgramFiles%\Avira\AntiVir PersonalEdition Classic\sched.exe -> Avira GmbH [Ver = 7.00.00.62 | Size = 63016 bytes | Modified Date = 8/28/2007 4:16:22 PM | Attr =	]

avgnt.exe -> %ProgramFiles%\Avira\AntiVir PersonalEdition Classic\avgnt.exe -> Avira GmbH [Ver = 7.02.00.16 | Size = 249896 bytes | Modified Date = 10/27/2007 10:11:13 PM | Attr =	]

winpfind35u.exe -> %UserDesktop%\WinPFind35u\WinPFind35U.exe -> OldTimer Tools [Ver = 1.0.0.0 | Size = 307712 bytes | Modified Date = 1/31/2008 12:38:16 PM | Attr =	]



[Win32 Services - Non-Microsoft Only]

(aawservice) Ad-Aware 2007 Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Lavasoft\Ad-Aware 2007\aawservice.exe -> Lavasoft [Ver = 7,0,2,6 | Size = 587096 bytes | Modified Date = 1/4/2008 1:27:08 PM | Attr =	]

(AntiVirScheduler) AntiVir PersonalEdition Classic Scheduler [Win32_Own | Auto | Running] -> %ProgramFiles%\Avira\AntiVir PersonalEdition Classic\sched.exe -> Avira GmbH [Ver = 7.00.00.62 | Size = 63016 bytes | Modified Date = 8/28/2007 4:16:22 PM | Attr =	]

(AntiVirService) AntiVir PersonalEdition Classic Guard [Win32_Own | Auto | Running] -> %ProgramFiles%\Avira\AntiVir PersonalEdition Classic\avguard.exe -> Avira GmbH [Ver = 7.00.00.82 | Size = 214056 bytes | Modified Date = 10/27/2007 10:11:13 PM | Attr =	]

(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 8/3/2004 6:56:50 PM | Attr =	]



[Driver Services - Non-Microsoft Only]

(Abiosdsk) Abiosdsk [Kernel | Disabled | Stopped] ->  -> File not found

(abp480n5) abp480n5 [Kernel | Disabled | Stopped] ->  -> File not found

(adpu160m) adpu160m [Kernel | Disabled | Stopped] ->  -> File not found

(Aha154x) Aha154x [Kernel | Disabled | Stopped] ->  -> File not found

(aic78u2) aic78u2 [Kernel | Disabled | Stopped] ->  -> File not found

(aic78xx) aic78xx [Kernel | Disabled | Stopped] ->  -> File not found

(AliIde) AliIde [Kernel | Disabled | Stopped] ->  -> File not found

(amsint) amsint [Kernel | Disabled | Stopped] ->  -> File not found

(asc) asc [Kernel | Disabled | Stopped] ->  -> File not found

(asc3350p) asc3350p [Kernel | Disabled | Stopped] ->  -> File not found

(asc3550) asc3550 [Kernel | Disabled | Stopped] ->  -> File not found

(ASPI32) ASPI32 [Kernel | System | Running] -> %System32%\drivers\ASPI32.SYS -> Adaptec [Ver = 4.60 (1021) | Size = 25244 bytes | Modified Date = 9/10/1999 12:06:00 PM | Attr =	]

(Atdisk) Atdisk [Kernel | Disabled | Stopped] ->  -> File not found

(avgio) avgio [Kernel | System | Running] -> %ProgramFiles%\Avira\AntiVir PersonalEdition Classic\avgio.sys -> Avira GmbH [Ver = 1.0.0.30 | Size = 11840 bytes | Modified Date = 2/27/2007 6:25:10 PM | Attr =	]

(avgntflt) avgntflt [File_System | On_Demand | Running] -> %ProgramFiles%\Avira\AntiVir PersonalEdition Classic\avgntflt.sys -> Avira GmbH [Ver = 7.00.00.04 | Size = 48448 bytes | Modified Date = 10/27/2007 10:11:13 PM | Attr =	]

(avipbb) avipbb [Kernel | System | Running] -> %System32%\drivers\avipbb.sys -> AVIRA GmbH [Ver = 1.00.02.13 | Size = 61632 bytes | Modified Date = 10/27/2007 10:11:21 PM | Attr =	]

(cd20xrnt) cd20xrnt [Kernel | Disabled | Stopped] ->  -> File not found

(Changer) Changer [Kernel | System | Stopped] ->  -> File not found

(CmdIde) CmdIde [Kernel | Disabled | Stopped] ->  -> File not found

(Cpqarray) Cpqarray [Kernel | Disabled | Stopped] ->  -> File not found

(dac960nt) dac960nt [Kernel | Disabled | Stopped] ->  -> File not found

(dmboot) dmboot [Kernel | Disabled | Stopped] -> %System32%\drivers\dmboot.sys -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 799744 bytes | Modified Date = 8/3/2004 5:07:18 PM | Attr =	]

(dmio) Logical Disk Manager Driver [Kernel | Boot | Running] -> %System32%\drivers\dmio.sys -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 153344 bytes | Modified Date = 8/3/2004 5:07:18 PM | Attr =	]

(dmload) dmload [Kernel | Boot | Running] -> %System32%\drivers\dmload.sys -> Microsoft Corp., Veritas Software. [Ver = 2600.0.503.0 | Size = 5888 bytes | Modified Date = 8/23/2001 8:00:00 AM | Attr =	]

(dpti2o) dpti2o [Kernel | Disabled | Stopped] ->  -> File not found

(hpn) hpn [Kernel | Disabled | Stopped] ->  -> File not found

(i2omgmt) i2omgmt [Kernel | System | Stopped] ->  -> File not found

(i2omp) i2omp [Kernel | Disabled | Stopped] ->  -> File not found

(ini910u) ini910u [Kernel | Disabled | Stopped] ->  -> File not found

(IntelIde) IntelIde [Kernel | Disabled | Stopped] ->  -> File not found

(lbrtfdc) lbrtfdc [Kernel | System | Stopped] ->  -> File not found

(ltmodem5) LT Modem Driver [Kernel | On_Demand | Running] -> %System32%\drivers\ltmdmnt.sys -> LT [Ver = 8.28 | Size = 625537 bytes | Modified Date = 3/31/2003 5:29:00 PM | Attr =	]

(mgau) mgau [Kernel | On_Demand | Running] -> %System32%\drivers\mgaum.sys -> Matrox Graphics Inc. [Ver = 5.00.2475.1200 (ReleasedBinaries.010308-1115) | Size = 320384 bytes | Modified Date = 8/17/2001 8:50:00 AM | Attr =	]

(mraid35x) mraid35x [Kernel | Disabled | Stopped] ->  -> File not found

(PCIDump) PCIDump [Kernel | System | Stopped] ->  -> File not found

(PCIIde) PCIIde [Kernel | Disabled | Stopped] ->  -> File not found

(PDCOMP) PDCOMP [Kernel | On_Demand | Stopped] ->  -> File not found

(PDFRAME) PDFRAME [Kernel | On_Demand | Stopped] ->  -> File not found

(PDRELI) PDRELI [Kernel | On_Demand | Stopped] ->  -> File not found

(PDRFRAME) PDRFRAME [Kernel | On_Demand | Stopped] ->  -> File not found

(perc2) perc2 [Kernel | Disabled | Stopped] ->  -> File not found

(perc2hib) perc2hib [Kernel | Disabled | Stopped] ->  -> File not found

(Ptilink) Direct Parallel Link Driver [Kernel | On_Demand | Running] -> %System32%\drivers\ptilink.sys -> Parallel Technologies, Inc. [Ver = 1.10 (XPClient.010817-1148) | Size = 17792 bytes | Modified Date = 8/23/2001 8:00:00 AM | Attr =	]

(ql1080) ql1080 [Kernel | Disabled | Stopped] ->  -> File not found

(Ql10wnt) Ql10wnt [Kernel | Disabled | Stopped] ->  -> File not found

(ql12160) ql12160 [Kernel | Disabled | Stopped] ->  -> File not found

(ql1240) ql1240 [Kernel | Disabled | Stopped] ->  -> File not found

(ql1280) ql1280 [Kernel | Disabled | Stopped] ->  -> File not found

(rtl8139) Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver [Kernel | On_Demand | Running] -> %System32%\drivers\RTL8139.sys -> Realtek Semiconductor Corporation [Ver = 5.398.613.2003 built by: WinDDK | Size = 20992 bytes | Modified Date = 8/4/2004 1:31:34 AM | Attr =	]

(S3SavageNB) S3SavageNB [Kernel | On_Demand | Running] -> %System32%\drivers\s3gnbm.sys -> S3 Graphics, Inc. [Ver = 6.14.10.0012-13.94.12 | Size = 166912 bytes | Modified Date = 8/3/2004 6:29:52 PM | Attr =	]

(Secdrv) Secdrv [Kernel | On_Demand | Stopped] -> %System32%\drivers\secdrv.sys ->  [Ver =  | Size = 27440 bytes | Modified Date = 7/17/2004 5:36:38 AM | Attr =	]

(Simbad) Simbad [Kernel | Disabled | Stopped] ->  -> File not found

(Sparrow) Sparrow [Kernel | Disabled | Stopped] ->  -> File not found

(ssmdrv) ssmdrv [Kernel | System | Running] -> %System32%\drivers\ssmdrv.sys -> Avira GmbH [Ver = 7.0.1.1 | Size = 28352 bytes | Modified Date = 3/1/2007 1:34:36 PM | Attr =	]

(symc810) symc810 [Kernel | Disabled | Stopped] ->  -> File not found

(symc8xx) symc8xx [Kernel | Disabled | Stopped] ->  -> File not found

(sym_hi) sym_hi [Kernel | Disabled | Stopped] ->  -> File not found

(sym_u3) sym_u3 [Kernel | Disabled | Stopped] ->  -> File not found

(TosIde) TosIde [Kernel | Disabled | Stopped] ->  -> File not found

(ultra) ultra [Kernel | Disabled | Stopped] ->  -> File not found

(VIAudio) VIA AC'97 Audio Controller (WDM) [Kernel | On_Demand | Running] -> %System32%\drivers\ac97via.sys -> VIA Technologies, Inc. [Ver = 5.10.00.3622 built by: WinDDK | Size = 84480 bytes | Modified Date = 8/3/2004 6:32:32 PM | Attr =	]

(WDICA) WDICA [Kernel | On_Demand | Stopped] ->  -> File not found

(XGCGDDDQ) XGCGDDDQ [Kernel | Auto | Stopped] -> %System32%\xgcgdddq.loj -> File not found



[Registry - Non-Microsoft Only]

< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 

Adobe Photo Downloader -> %ProgramFiles%\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe -> Adobe Systems Incorporated [Ver = 3.2.0.77764 | Size = 63712 bytes | Modified Date = 3/9/2007 11:09:58 AM | Attr =	]

Adobe Reader Speed Launcher -> %ProgramFiles%\Adobe\Reader 8.0\Reader\reader_sl.exe -> Adobe Systems Incorporated [Ver = 8.0.0.0 | Size = 39792 bytes | Modified Date = 10/10/2007 7:51:56 PM | Attr =	]

avgnt -> %ProgramFiles%\Avira\AntiVir PersonalEdition Classic\avgnt.exe -> Avira GmbH [Ver = 7.02.00.16 | Size = 249896 bytes | Modified Date = 10/27/2007 10:11:13 PM | Attr =	]

SunJavaUpdateSched -> %ProgramFiles%\Java\jre1.6.0_03\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 132496 bytes | Modified Date = 9/25/2007 5:11:35 AM | Attr =	]

< OptionalComponents [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ -> 

IMAIL-> Installed = 1 -> 

MAPI-> Installed = 1 -> 

MSFS-> Installed = 1 -> 

< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup -> 

< Home Startup Folder > -> C:\Documents and Settings\Home\Start Menu\Programs\Startup -> 

< SecurityProviders [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders -> 

< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 

< Winlogon settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 

< CurrentVersion Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption ->  -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext ->  -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 -> 

< CurrentVersion Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> -> 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 0 -> 

< HOSTS File > (224466 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts -> 

< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> -> 

HKEY_LOCAL_MACHINE\: Main\\Default_Page_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome -> 

HKEY_LOCAL_MACHINE\: Main\\Default_Search_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 

HKEY_LOCAL_MACHINE\: Main\\Local Page -> %SystemRoot%\system32\blank.htm -> 

HKEY_LOCAL_MACHINE\: Main\\Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 

HKEY_LOCAL_MACHINE\: Main\\Start Page -> http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home -> 

HKEY_LOCAL_MACHINE\: Search\\CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm -> 

HKEY_LOCAL_MACHINE\: Search\\SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm -> 

< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> -> 

HKEY_CURRENT_USER\: Main\\Local Page -> C:\WINDOWS\system32\blank.htm -> 

HKEY_CURRENT_USER\: Main\\Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 

HKEY_CURRENT_USER\: Main\\Start Page -> http://www.yahoo.com/ -> 

HKEY_CURRENT_USER\: ProxyEnable -> 0 -> 

< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 4185 domain(s) found. -> 

33 domain(s) and sub-domain(s) not assigned to a zone.

< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 77 range(s) found. -> 

< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 4184 domain(s) found. -> 

32 domain(s) and sub-domain(s) not assigned to a zone.

< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 77 range(s) found. -> 

< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ -> 

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKEY_LOCAL_MACHINE] -> %CommonProgramFiles%\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> Adobe Systems Incorporated [Ver = 8.0.0.2006102200 | Size = 62080 bytes | Modified Date = 10/22/2006 11:08:42 PM | Attr =	]

{3B71576E-CA1D-4199-973E-0538A40DA9EE} [HKEY_LOCAL_MACHINE] -> %System32%\adsldpca.dll [Reg Error: Value  does not exist or could not be read.] -> File not found

{53707962-6F74-2D53-2644-206D7942484F} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Spybot-S&D IE Protection] -> Safer Networking Limited [Ver = 1, 5, 0, 11 | Size = 1554256 bytes | Modified Date = 1/28/2008 11:43:28 AM | Attr =	]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Java\jre1.6.0_03\bin\ssv.dll [SSVHelper Class] -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 501136 bytes | Modified Date = 9/25/2007 5:11:33 AM | Attr =	]

{77701e16-9bfe-4b63-a5b4-7bd156758a37} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found

{7E853D72-626A-48EC-A868-BA8D5E23E045} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found

< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar -> 

ID [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found

< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ -> 

ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found

WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found

< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ -> 

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Java\jre1.6.0_03\bin\npjpi160_03.dll [Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 132496 bytes | Modified Date = 9/25/2007 5:11:34 AM | Attr =	]

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} [HKEY_CURRENT_USER] -> %ProgramFiles%\Java\jre1.6.0_03\bin\ssv.dll [Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 501136 bytes | Modified Date = 9/25/2007 5:11:33 AM | Attr =	]

{85d1f590-48f4-11d9-9669-0800200c9a66}:Exec -> %SystemRoot%\bdoscandel.exe [Uninstall BitDefender Online Scanner v8] ->  [Ver =  | Size = 53248 bytes | Modified Date = 1/9/2008 3:01:48 PM | Attr =	]

{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}:{53707962-6F74-2D53-2644-206D7942484F} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Spybot - Search & Destroy Configuration] -> Safer Networking Limited [Ver = 1, 5, 0, 11 | Size = 1554256 bytes | Modified Date = 1/28/2008 11:43:28 AM | Attr =	]

< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\ -> 

CmdMapping\\{85d1f590-48f4-11d9-9669-0800200c9a66} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\bdoscandel.exe [Uninstall BitDefender Online Scanner v8] ->  [Ver =  | Size = 53248 bytes | Modified Date = 1/9/2008 3:01:48 PM | Attr =	]

CmdMapping\\{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Spybot - Search & Destroy Configuration] -> Safer Networking Limited [Ver = 1, 5, 0, 11 | Size = 1554256 bytes | Modified Date = 1/28/2008 11:43:28 AM | Attr =	]

< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ -> 

PluginsPageFriendlyName -> Microsoft ActiveX Gallery -> 

PluginsPage -> http://activex.microsoft.com/controls/find.asp?ext=%s&mime=%s -> 

< User Agent Post Platform [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform -> 

SV1 ->  -> 

< DNS Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ -> 

{BC74E127-B347-48AB-B37D-F8AC7FCCF37F} ->	(Realtek RTL8139 Family PCI Fast Ethernet NIC) -> 

< Protocol Handlers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ -> 

ipp: [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened.[Reg Error: Value  does not exist or could not be read.] -> File not found

msdaipp: [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened.[Reg Error: Value  does not exist or could not be read.] -> File not found

< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ -> 

{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}[HKEY_LOCAL_MACHINE] -> http://www.apple.com/qtactivex/qtplugin.cab[Reg Error: Key does not exist or could not be opened.] -> 

{166B1BCA-3F9C-11CF-8075-444553540000}[HKEY_LOCAL_MACHINE] -> http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab[Shockwave ActiveX Control] -> 

{17492023-C23A-453E-A040-C7C580BBF700}[HKEY_LOCAL_MACHINE] -> http://go.microsoft.com/fwlink/?linkid=39204[Windows Genuine Advantage Validation Tool] -> 

{3107C2A8-9F0B-4404-A58B-21BD85268FBC}[HKEY_LOCAL_MACHINE] -> http://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB[PogoWebLauncher Control] -> 

{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}[HKEY_LOCAL_MACHINE] -> http://download.bitdefender.com/resources/scan8/oscan8.cab[BDSCANONLINE Control] -> 

{5F8469B4-B055-49DD-83F7-62B522420ECC}[HKEY_LOCAL_MACHINE] -> http://upload.facebook.com/controls/FacebookPhotoUploader.cab[Facebook Photo Uploader Control] -> 

{6E32070A-766D-4EE6-879C-DC1FA91D2FC3}[HKEY_LOCAL_MACHINE] -> http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1193108049953[MUWebControl Class] -> 

{8AD9C840-044E-11D1-B3E9-00805F499D93}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab[Java Plug-in 1.6.0_03] -> 

{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab[Java Plug-in 1.6.0_02] -> 

{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab[Java Plug-in 1.6.0_03] -> 

{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab[Java Plug-in 1.6.0_03] -> 

{D27CDB6E-AE6D-11CF-96B8-444553540000}[HKEY_LOCAL_MACHINE] -> http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab[Shockwave Flash Object] -> 

Aces Up! by pogo[HKEY_LOCAL_MACHINE] -> http://game1.pogo.com/v/8.1.1.1/applet/aces/aces-en_US.cab[Reg Error: Key does not exist or could not be opened.] -> 

Mah Jong Garden by pogo[HKEY_LOCAL_MACHINE] -> http://game1.pogo.com/v/8.1.1.1/applet/mahjong2/mahjong2-en_US.cab[Reg Error: Key does not exist or could not be opened.] -> 

Microsoft XML Parser for Java[HKEY_LOCAL_MACHINE] -> file://C:\WINDOWS\Java\classes\xmldso.cab[Reg Error: Key does not exist or could not be opened.] -> 





[Registry - Additional Scans - Non-Microsoft Only]

< BotCheck > -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\ -> ->

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\\DefaultLaunchPermission -> (binary data) -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\\MachineLaunchRestriction -> (binary data) -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\\MachineAccessRestriction -> (binary data) -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\\EnableDCOM -> Y -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\\{A50398B8-9075-4FBF-A7A1-456BF21937AD} -> 1 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\\{AD65A69D-3831-40D7-9629-9B0B50A93843} -> 1 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\\{0040D221-54A1-11D1-9DE0-006097042D69} -> 1 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\\{2A6D72F1-6E7E-4702-B99C-E40D3DED33C3} -> 1 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\ -> ->

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\FirstRunDisabled -> 1 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\AntiVirusDisableNotify -> 1 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\FirewallDisableNotify -> 1 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\UpdatesDisableNotify -> 0 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\AntiVirusOverride -> 0 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\FirewallOverride -> 0 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall\ -> -> 

Reg Error: Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\ not found. -> -> 

Reg Error: Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\ not found. -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ -> ->

*Authentication Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages -> 

msv1_0 -> %System32%\msv1_0.dll -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 129536 bytes | Modified Date = 8/3/2004 6:56:44 PM | Attr =	]

*MultiFile Done* -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Bounds -> (binary data) -> 

*Security Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Security Packages -> 

kerberos -> %System32%\kerberos.dll -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 294400 bytes | Modified Date = 8/3/2004 6:56:44 PM | Attr =	]

msv1_0 -> %System32%\msv1_0.dll -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 129536 bytes | Modified Date = 8/3/2004 6:56:44 PM | Attr =	]

schannel -> %System32%\schannel.dll -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 144896 bytes | Modified Date = 8/3/2004 6:56:46 PM | Attr =	]

wdigest -> %System32%\wdigest.dll -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 49152 bytes | Modified Date = 8/3/2004 6:56:48 PM | Attr =	]

*MultiFile Done* -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\ImpersonatePrivilegeUpgradeToolHasRun -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\LsaPid -> 588 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\SecureBoot -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\auditbaseobjects -> 0 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\crashonauditfail -> 0 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\disabledomaincreds -> 0 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\everyoneincludesanonymous -> 0 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\fipsalgorithmpolicy -> 0 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\forceguest -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\fullprivilegeauditing -> (binary data) -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\limitblankpassworduse -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\lmcompatibilitylevel -> 0 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\nodefaultadminowner -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\nolmhash -> 0 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\restrictanonymous -> 0 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\restrictanonymoussam -> 1 -> 

*Notification Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Notification Packages -> 

scecli -> %System32%\scecli.dll -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 180224 bytes | Modified Date = 8/3/2004 6:56:46 PM | Attr =	]

*MultiFile Done* -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\ -> -> 

*ProviderOrder* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\\ProviderOrder -> 

Windows NT Access Provider ->  -> File not found

*MultiFile Done* -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider\\ProviderPath -> C:\WINDOWS\system32\ntmarta.dll [%SystemRoot%\system32\ntmarta.dll] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 118784 bytes | Modified Date = 8/3/2004 6:56:46 PM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data\\Pattern -> (binary data) -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG\\GrafBlumGroup -> (binary data) -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD\\Lookup -> (binary data) -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\SidCache\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\\Auth132 -> C:\WINDOWS\system32\iissuba.dll [IISSUBA] -> Microsoft Corporation [Ver = 6.0.2600.0 (xpclient.010817-1148) | Size = 9216 bytes | Modified Date = 8/23/2001 8:00:00 AM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\\ntlmminclientsec -> 0 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\\ntlmminserversec -> 0 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1\\SkewMatrix -> (binary data) -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4\\SSOURL -> http://www.passport.com -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\\Time -> (binary data) -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Name -> Digest -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Comment -> Digest SSPI Authentication Package -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Capabilities -> 16464 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\RpcId -> 65535 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Version -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\TokenSize -> 65535 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Time -> (binary data) -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Type -> 49 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Name -> DPA -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Comment -> DPA Security Package -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Capabilities -> 55 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\RpcId -> 17 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Version -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\TokenSize -> 768 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Time -> (binary data) -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Type -> 49 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Name -> MSN -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Comment -> MSN Security Package -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Capabilities -> 55 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\RpcId -> 18 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Version -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\TokenSize -> 768 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Time -> (binary data) -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Type -> 49 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\ -> ->

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\DependOnGroup ->  -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\DependOnService -> Netman;WinMgmt; -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\Description -> Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network. -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\DisplayName -> Windows Firewall/Internet Connection Sharing (ICS) -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\ErrorControl -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\ImagePath -> C:\WINDOWS\system32\svchost.exe [%SystemRoot%\system32\svchost.exe -k netsvcs] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 8/3/2004 6:56:58 PM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\ObjectName -> LocalSystem -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\Start -> 2 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\Type -> 32 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\\Epoch -> 1526 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\\ServiceDll -> C:\WINDOWS\system32\ipnathlp.dll [%SystemRoot%\System32\ipnathlp.dll] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 331264 bytes | Modified Date = 8/3/2004 6:56:44 PM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\%windir%\system32\sessmgr.exe -> C:\WINDOWS\system32\sessmgr.exe [%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 140800 bytes | Modified Date = 8/3/2004 6:56:58 PM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\C:\Program Files\MSN Messenger\msnmsgr.exe -> C:\Program Files\MSN Messenger\msnmsgr.exe [C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1] -> Microsoft Corporation [Ver = 8.1.0178.00 | Size = 5674352 bytes | Modified Date = 1/19/2007 3:54:56 PM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\C:\Program Files\MSN Messenger\livecall.exe -> C:\Program Files\MSN Messenger\livecall.exe [C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)] -> Microsoft Corporation [Ver = 1.1.161.0 | Size = 297752 bytes | Modified Date = 1/4/2007 7:10:02 PM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\\EnableFirewall -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\\DoNotAllowExceptions -> 0 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\\DisableNotifications -> 0 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\%windir%\system32\sessmgr.exe -> C:\WINDOWS\system32\sessmgr.exe [%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 140800 bytes | Modified Date = 8/3/2004 6:56:58 PM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\MSN Messenger\msnmsgr.exe -> C:\Program Files\MSN Messenger\msnmsgr.exe [C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1] -> Microsoft Corporation [Ver = 8.1.0178.00 | Size = 5674352 bytes | Modified Date = 1/19/2007 3:54:56 PM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\MSN Messenger\livecall.exe -> C:\Program Files\MSN Messenger\livecall.exe [C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)] -> Microsoft Corporation [Ver = 1.1.161.0 | Size = 297752 bytes | Modified Date = 1/4/2007 7:10:02 PM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\\ServiceUpgrade -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\\0 -> Root\LEGACY_SHAREDACCESS\0000 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\\Count -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\\NextInstance -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\ -> ->

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Type -> 32 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Start -> 2 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ErrorControl -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ImagePath -> C:\WINDOWS\system32\svchost.exe [%systemroot%\system32\svchost.exe -k netsvcs] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 8/3/2004 6:56:58 PM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\DisplayName -> Automatic Updates -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ObjectName -> LocalSystem -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Description -> Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site. -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters\\ServiceDll -> C:\WINDOWS\system32\wuauserv.dll [C:\WINDOWS\system32\wuauserv.dll] -> Microsoft Corporation [Ver = 5.4.3790.2180 (xpsp_sp2_rtm.040803-2158) | Size = 6656 bytes | Modified Date = 8/3/2004 6:56:48 PM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Security\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Security\\Security -> (binary data) -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\0 -> Root\LEGACY_WUAUSERV\0000 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\Count -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\NextInstance -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\ -> ->

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\Description -> Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. If this service is disabled, any services that explicitly depend on it will fail to start. -> 

*DependOnService* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\DependOnService -> 

RPCSS -> %System32%\rpcss.dll -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 395776 bytes | Modified Date = 8/3/2004 6:56:46 PM | Attr =	]

*MultiFile Done* -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\DisplayName -> Remote Registry -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\ErrorControl -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\ImagePath -> C:\WINDOWS\system32\svchost.exe [%SystemRoot%\system32\svchost.exe -k LocalService] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 8/3/2004 6:56:58 PM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\ObjectName -> NT AUTHORITY\LocalService -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\Group ->  -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\Start -> 2 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\Type -> 32 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\FailureActions -> (binary data) -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Parameters\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Parameters\\ServiceDll -> C:\WINDOWS\system32\regsvc.dll [%SystemRoot%\system32\regsvc.dll] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 59904 bytes | Modified Date = 8/3/2004 6:56:46 PM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Security\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Security\\Security -> (binary data) -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Enum\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Enum\\0 -> Root\LEGACY_REMOTEREGISTRY\0000 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Enum\\Count -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Enum\\NextInstance -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\ -> ->

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\Type -> 16 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\Start -> 4 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\ErrorControl -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\ImagePath -> C:\WINDOWS\system32\tlntsvr.exe [C:\WINDOWS\system32\tlntsvr.exe] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 73216 bytes | Modified Date = 8/3/2004 6:56:58 PM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\DisplayName -> Telnet -> 

*DependOnService* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\DependOnService -> 

RPCSS -> %System32%\rpcss.dll -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 395776 bytes | Modified Date = 8/3/2004 6:56:46 PM | Attr =	]

TCPIP ->  -> File not found

NTLMSSP ->  -> File not found

*MultiFile Done* -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\DependOnGroup ->  -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\ObjectName -> LocalSystem -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\Description -> Enables a remote user to log on to this computer and run programs, and supports various TCP/IP Telnet clients, including UNIX-based and Windows-based computers. If this service is stopped, remote user access to programs might be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Security\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Security\\Security -> (binary data) -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings\ -> ->

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings\\ProxyEnable -> 0 -> 





[Files/Folders - Created Within 30 days]

Config.Msi -> %SystemDrive%\Config.Msi ->  [Folder | Created Date = 1/28/2008 3:30:01 PM | Attr =	]

hiberfil.sys -> %SystemDrive%\hiberfil.sys ->  [Ver =  | Size = 368627712 bytes | Created Date = 1/30/2008 9:31:58 AM | Attr =  HS]

BDOSCAN8 -> %SystemRoot%\BDOSCAN8 ->  [Folder | Created Date = 2/4/2008 5:23:47 PM | Attr =	]

6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> 

bdoscandel.exe -> %SystemRoot%\bdoscandel.exe ->  [Ver =  | Size = 53248 bytes | Created Date = 1/9/2008 3:01:48 PM | Attr =	]

bdoscandellang.ini -> %SystemRoot%\bdoscandellang.ini ->  [Ver =  | Size = 453 bytes | Created Date = 1/9/2008 3:01:48 PM | Attr =	]

LastGood -> %SystemRoot%\LastGood ->  [Folder | Created Date = 1/31/2008 12:13:42 PM | Attr =	]

[Files Created - Additional Folder Scans - Non-Microsoft Only]

Lavasoft -> %AllUsersAppData%\Lavasoft ->  [Folder | Created Date = 1/31/2008 11:36:42 AM | Attr =	]

MGS -> %AllUsersAppData%\MGS ->  [Folder | Created Date = 1/7/2008 1:31:02 PM | Attr =	]

PlayFirst -> %AllUsersAppData%\PlayFirst ->  [Folder | Created Date = 1/9/2008 8:11:00 AM | Attr =	]

Spybot - Search & Destroy -> %AllUsersAppData%\Spybot - Search & Destroy ->  [Folder | Created Date = 1/31/2008 12:33:51 PM | Attr =	]

WLInstaller -> %AllUsersAppData%\WLInstaller ->  [Folder | Created Date = 1/7/2008 1:56:05 PM | Attr =	]

BigFish -> %UserAppData%\BigFish ->  [Folder | Created Date = 1/22/2008 7:43:34 PM | Attr =	]

dad.rtf -> %UserDocuments%\dad.rtf ->  [Ver =  | Size = 643 bytes | Created Date = 1/17/2008 5:41:42 PM | Attr =	]

Learning At Options Work Activity Program Article.doc -> %UserDocuments%\Learning At Options Work Activity Program Article.doc ->  [Ver =  | Size = 28672 bytes | Created Date = 1/17/2008 6:47:15 PM | Attr =	]

@Alternate Data Stream - 26 bytes -> %UserDocuments%\Learning At Options Work Activity Program Article.doc:Zone.Identifier

Ad-Watch 2007.lnk -> %AllUsersDesktop%\Ad-Watch 2007.lnk ->  [Ver =  | Size = 1790 bytes | Created Date = 1/31/2008 11:36:50 AM | Attr =	]

HijackThis.lnk -> %UserDesktop%\HijackThis.lnk ->  [Ver =  | Size = 1734 bytes | Created Date = 1/31/2008 2:09:28 PM | Attr =	]

WinPFind35u -> %UserDesktop%\WinPFind35u ->  [Folder | Created Date = 2/5/2008 12:09:01 AM | Attr =	]

WinPFind35u.exe -> %UserDesktop%\WinPFind35u.exe ->  [Ver =  | Size = 478495 bytes | Created Date = 2/5/2008 12:07:47 AM | Attr =	]

@Alternate Data Stream - 26 bytes -> %UserDesktop%\WinPFind35u.exe:Zone.Identifier

WindowsLiveInstaller -> %CommonProgramFiles%\WindowsLiveInstaller ->  [Folder | Created Date = 1/7/2008 1:56:39 PM | Attr =	]

Wise Installation Wizard -> %CommonProgramFiles%\Wise Installation Wizard ->  [Folder | Created Date = 1/31/2008 11:35:09 AM | Attr =	]



[Files/Folders - Modified Within 30 days]

Config.Msi -> %SystemDrive%\Config.Msi ->  [Folder | Modified Date = 1/31/2008 11:37:32 AM | Attr =	]

hiberfil.sys -> %SystemDrive%\hiberfil.sys ->  [Ver =  | Size = 368627712 bytes | Modified Date = 1/31/2008 12:06:23 PM | Attr =  HS]

Program Files -> %ProgramFiles% ->  [Folder | Modified Date = 1/31/2008 2:09:27 PM | Attr = R  ]

WINDOWS -> %SystemRoot% ->  [Folder | Modified Date = 2/4/2008 5:23:48 PM | Attr =	]

etc -> %System32%\drivers\etc ->  [Folder | Modified Date = 1/31/2008 12:35:39 PM | Attr =	]

hosts -> %System32%\drivers\etc\hosts ->  [Ver =  | Size = 224466 bytes | Modified Date = 1/31/2008 12:35:39 PM | Attr = R  ]

AppCert -> %System32%\AppCert ->  [Folder | Modified Date = 1/30/2008 9:33:52 AM | Attr =	]

1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> 

CatRoot -> %System32%\CatRoot ->  [Folder | Modified Date = 1/30/2008 9:39:38 AM | Attr =	]

CatRoot2 -> %System32%\CatRoot2 ->  [Folder | Modified Date = 2/4/2008 3:07:49 AM | Attr =	]

config -> %System32%\config ->  [Folder | Modified Date = 1/28/2008 3:31:30 PM | Attr =	]

drivers -> %System32%\drivers ->  [Folder | Modified Date = 2/4/2008 5:22:25 PM | Attr =	]

wbem -> %System32%\wbem ->  [Folder | Modified Date = 1/28/2008 3:30:50 PM | Attr =	]

wpa.dbl -> %System32%\wpa.dbl ->  [Ver =  | Size = 13646 bytes | Modified Date = 1/31/2008 11:47:16 AM | Attr =	]

$hf_mig$ -> %SystemRoot%\$hf_mig$ ->  [Folder | Modified Date = 1/30/2008 9:52:39 AM | Attr =  H ]

6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> 

BDOSCAN8 -> %SystemRoot%\BDOSCAN8 ->  [Folder | Modified Date = 2/4/2008 5:34:35 PM | Attr =	]

bdoscandel.exe -> %SystemRoot%\bdoscandel.exe ->  [Ver =  | Size = 53248 bytes | Modified Date = 1/9/2008 3:01:48 PM | Attr =	]

bdoscandellang.ini -> %SystemRoot%\bdoscandellang.ini ->  [Ver =  | Size = 453 bytes | Modified Date = 1/9/2008 3:01:48 PM | Attr =	]

bootstat.dat -> %SystemRoot%\bootstat.dat ->  [Ver =  | Size = 2048 bytes | Modified Date = 1/31/2008 12:06:25 PM | Attr =   S]

Downloaded Program Files -> %SystemRoot%\Downloaded Program Files ->  [Folder | Modified Date = 2/4/2008 5:23:51 PM | Attr =   S]

inf -> %SystemRoot%\inf ->  [Folder | Modified Date = 2/4/2008 5:23:47 PM | Attr =  H ]

Installer -> %SystemRoot%\Installer ->  [Folder | Modified Date = 1/31/2008 11:37:32 AM | Attr =  HS]

LastGood -> %SystemRoot%\LastGood ->  [Folder | Modified Date = 1/31/2008 12:13:42 PM | Attr =	]

Prefetch -> %SystemRoot%\Prefetch ->  [Folder | Modified Date = 2/5/2008 12:20:44 AM | Attr =	]

Registration -> %SystemRoot%\Registration ->  [Folder | Modified Date = 1/28/2008 3:30:47 PM | Attr =	]

system32 -> %System32% ->  [Folder | Modified Date = 1/31/2008 1:22:25 PM | Attr =	]

Tasks -> %SystemRoot%\Tasks ->  [Folder | Modified Date = 1/31/2008 1:21:44 PM | Attr =   S]

Temp -> %SystemRoot%\Temp ->  [Folder | Modified Date = 2/5/2008 12:19:05 AM | Attr =	]

SA.DAT -> %SystemRoot%\tasks\SA.DAT ->  [Ver =  | Size = 6 bytes | Modified Date = 1/31/2008 12:06:42 PM | Attr =  H ]

qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat ->  [Ver =  | Size = 20800 bytes | Modified Date = 2/4/2008 3:09:36 AM | Attr =	]

qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat ->  [Ver =  | Size = 21185 bytes | Modified Date = 2/4/2008 3:09:36 AM | Attr =	]

Perflib_Perfdata_470.dat -> C:\WINDOWS\Temp\Perflib_Perfdata_470.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 1/31/2008 12:09:04 PM | Attr =	]

[Files Modified - Additional Folder Scans - Non-Microsoft Only]

BigFish -> %AllUsersAppData%\BigFish ->  [Folder | Modified Date = 1/22/2008 7:44:09 PM | Attr =	]

Lavasoft -> %AllUsersAppData%\Lavasoft ->  [Folder | Modified Date = 1/31/2008 11:37:13 AM | Attr =	]

MGS -> %AllUsersAppData%\MGS ->  [Folder | Modified Date = 1/7/2008 1:32:12 PM | Attr =	]

PlayFirst -> %AllUsersAppData%\PlayFirst ->  [Folder | Modified Date = 1/28/2008 3:28:29 PM | Attr =	]

Spybot - Search & Destroy -> %AllUsersAppData%\Spybot - Search & Destroy ->  [Folder | Modified Date = 1/31/2008 12:38:30 PM | Attr =	]

TEMP -> %AllUsersAppData%\TEMP ->  [Folder | Modified Date = 1/22/2008 7:59:31 PM | Attr =	]

@Alternate Data Stream - 107 bytes -> %AllUsersAppData%\TEMP:13AA281B

@Alternate Data Stream - 121 bytes -> %AllUsersAppData%\TEMP:1A6AFE3D

@Alternate Data Stream - 127 bytes -> %AllUsersAppData%\TEMP:1DF79F4B

@Alternate Data Stream - 122 bytes -> %AllUsersAppData%\TEMP:22313216

@Alternate Data Stream - 109 bytes -> %AllUsersAppData%\TEMP:260575F1

@Alternate Data Stream - 124 bytes -> %AllUsersAppData%\TEMP:38B32B54

@Alternate Data Stream - 95 bytes -> %AllUsersAppData%\TEMP:3B812EE0

@Alternate Data Stream - 99 bytes -> %AllUsersAppData%\TEMP:3BAD65EA

@Alternate Data Stream - 127 bytes -> %AllUsersAppData%\TEMP:4EFDF5FB

@Alternate Data Stream - 117 bytes -> %AllUsersAppData%\TEMP:77D98D08

@Alternate Data Stream - 110 bytes -> %AllUsersAppData%\TEMP:78E0DF72

@Alternate Data Stream - 106 bytes -> %AllUsersAppData%\TEMP:7972CF54

@Alternate Data Stream - 110 bytes -> %AllUsersAppData%\TEMP:7CA7BED1

@Alternate Data Stream - 107 bytes -> %AllUsersAppData%\TEMP:93F3E4C9

@Alternate Data Stream - 96 bytes -> %AllUsersAppData%\TEMP:98AE08EA

@Alternate Data Stream - 125 bytes -> %AllUsersAppData%\TEMP:CB0EB1DE

@Alternate Data Stream - 109 bytes -> %AllUsersAppData%\TEMP:D31BE97C

@Alternate Data Stream - 105 bytes -> %AllUsersAppData%\TEMP:D885A57E

@Alternate Data Stream - 99 bytes -> %AllUsersAppData%\TEMP:E32966C0

@Alternate Data Stream - 99 bytes -> %AllUsersAppData%\TEMP:FDCAE7B5

WLInstaller -> %AllUsersAppData%\WLInstaller ->  [Folder | Modified Date = 1/7/2008 1:59:15 PM | Attr =	]

BigFish -> %UserAppData%\BigFish ->  [Folder | Modified Date = 1/22/2008 7:43:34 PM | Attr =	]

LimeWire -> %UserAppData%\LimeWire ->  [Folder | Modified Date = 1/16/2008 6:48:01 PM | Attr =	]

PlayFirst -> %UserAppData%\PlayFirst ->  [Folder | Modified Date = 1/9/2008 8:15:55 AM | Attr =	]

IconCache.db -> %LocalAppData%\IconCache.db ->  [Ver =  | Size = 3750912 bytes | Modified Date = 1/31/2008 11:45:45 AM | Attr =  H ]

Microsoft -> %LocalAppData%\Microsoft ->  [Folder | Modified Date = 2/2/2008 5:29:51 PM | Attr =	]

dad.rtf -> %UserDocuments%\dad.rtf ->  [Ver =  | Size = 643 bytes | Modified Date = 1/17/2008 5:41:42 PM | Attr =	]

Incomplete -> %UserDocuments%\Incomplete ->  [Folder | Modified Date = 1/16/2008 7:10:46 PM | Attr =	]

My Downloads -> %UserDocuments%\My Downloads ->  [Folder | Modified Date = 1/31/2008 2:07:30 PM | Attr =	]

My Music -> %UserDocuments%\My Music ->  [Folder | Modified Date = 1/16/2008 7:10:28 PM | Attr =	]

My Sharing Folders.lnk -> %UserDocuments%\My Sharing Folders.lnk ->  [Ver =  | Size = 579 bytes | Modified Date = 2/4/2008 8:15:28 PM | Attr =	]

My Videos -> %UserDocuments%\My Videos ->  [Folder | Modified Date = 1/15/2008 9:23:31 AM | Attr = R  ]

Ad-Watch 2007.lnk -> %AllUsersDesktop%\Ad-Watch 2007.lnk ->  [Ver =  | Size = 1790 bytes | Modified Date = 1/31/2008 11:36:50 AM | Attr =	]

HijackThis.lnk -> %UserDesktop%\HijackThis.lnk ->  [Ver =  | Size = 1734 bytes | Modified Date = 1/31/2008 2:09:28 PM | Attr =	]

WinPFind35u -> %UserDesktop%\WinPFind35u ->  [Folder | Modified Date = 2/5/2008 12:20:34 AM | Attr =	]

WinPFind35u.exe -> %UserDesktop%\WinPFind35u.exe ->  [Ver =  | Size = 478495 bytes | Modified Date = 2/5/2008 12:16:08 AM | Attr =	]

@Alternate Data Stream - 26 bytes -> %UserDesktop%\WinPFind35u.exe:Zone.Identifier

Adobe -> %CommonProgramFiles%\Adobe ->  [Folder | Modified Date = 1/22/2008 1:50:59 AM | Attr =	]

WindowsLiveInstaller -> %CommonProgramFiles%\WindowsLiveInstaller ->  [Folder | Modified Date = 1/28/2008 3:30:02 PM | Attr =	]

Wise Installation Wizard -> %CommonProgramFiles%\Wise Installation Wizard ->  [Folder | Modified Date = 1/31/2008 11:35:09 AM | Attr =	]



< End of report >


#4 OldTimer (Malware Expert)

Posted 05 February 2008 - 01:19 AM

Hi Mattagin. I don't see anything as far as malware goes. There's a bit of housekeeping we can do while you're here so let's take care of that.

Start WinPFind35U. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Driver Services - Non-Microsoft Only]
YN -> (XGCGDDDQ) XGCGDDDQ [Kernel | Auto | Stopped] -> %System32%\xgcgdddq.loj
[Registry - Non-Microsoft Only]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {3B71576E-CA1D-4199-973E-0538A40DA9EE} [HKEY_LOCAL_MACHINE] -> %System32%\adsldpca.dll [Reg Error: Value  does not exist or could not be read.]
YN -> {77701e16-9bfe-4b63-a5b4-7bd156758a37} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {7E853D72-626A-48EC-A868-BA8D5E23E045} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YN -> ID [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
NY -> @Alternate Data Stream - 107 bytes -> %AllUsersAppData%\TEMP:13AA281B
NY -> @Alternate Data Stream - 121 bytes -> %AllUsersAppData%\TEMP:1A6AFE3D
NY -> @Alternate Data Stream - 127 bytes -> %AllUsersAppData%\TEMP:1DF79F4B
NY -> @Alternate Data Stream - 122 bytes -> %AllUsersAppData%\TEMP:22313216
NY -> @Alternate Data Stream - 109 bytes -> %AllUsersAppData%\TEMP:260575F1
NY -> @Alternate Data Stream - 124 bytes -> %AllUsersAppData%\TEMP:38B32B54
NY -> @Alternate Data Stream - 95 bytes -> %AllUsersAppData%\TEMP:3B812EE0
NY -> @Alternate Data Stream - 99 bytes -> %AllUsersAppData%\TEMP:3BAD65EA
NY -> @Alternate Data Stream - 127 bytes -> %AllUsersAppData%\TEMP:4EFDF5FB
NY -> @Alternate Data Stream - 117 bytes -> %AllUsersAppData%\TEMP:77D98D08
NY -> @Alternate Data Stream - 110 bytes -> %AllUsersAppData%\TEMP:78E0DF72
NY -> @Alternate Data Stream - 106 bytes -> %AllUsersAppData%\TEMP:7972CF54
NY -> @Alternate Data Stream - 110 bytes -> %AllUsersAppData%\TEMP:7CA7BED1
NY -> @Alternate Data Stream - 107 bytes -> %AllUsersAppData%\TEMP:93F3E4C9
NY -> @Alternate Data Stream - 96 bytes -> %AllUsersAppData%\TEMP:98AE08EA
NY -> @Alternate Data Stream - 125 bytes -> %AllUsersAppData%\TEMP:CB0EB1DE
NY -> @Alternate Data Stream - 109 bytes -> %AllUsersAppData%\TEMP:D31BE97C
NY -> @Alternate Data Stream - 105 bytes -> %AllUsersAppData%\TEMP:D885A57E
NY -> @Alternate Data Stream - 99 bytes -> %AllUsersAppData%\TEMP:E32966C0
NY -> @Alternate Data Stream - 99 bytes -> %AllUsersAppData%\TEMP:FDCAE7B5

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

Other than that, the machine is clean.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

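The fix above removes three kinds of leftovers: a stopped kernel driver service with a random name, BHO and toolbar CLSIDs whose registry keys no longer exist, and twenty Alternate Data Streams hanging off the All Users TEMP folder. The PowerShell below is an added example, not part of the thread and not WinPFind's own code, of how to audit the last two yourself on a current Windows system: it lists every ADS on a path (the `:$DATA` stream is the object's ordinary content; anything else is an ADS) and every registered BHO whose CLSID does not resolve to a DLL on disk, and removes them only when run with `-Remove`. The target path, the eight-hex-digit stream-name pattern taken from the log, and the `-Remove` switch are assumptions of this example; it needs PowerShell 3.0 or later and an elevated prompt.

```powershell
# Added example, not WinPFind code: audit Alternate Data Streams on a folder and
# Browser Helper Objects whose CLSID no longer resolves to a DLL on disk.
# Requires PowerShell 3.0+ (Get-Item/Remove-Item -Stream). Run from an elevated prompt.
# $Target defaults to the %AllUsersAppData%\TEMP folder named in the log (an assumption).
param(
    [string]$Target = (Join-Path $env:ProgramData 'TEMP'),
    [switch]$Remove   # report only unless -Remove is given
)

$BhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

function Get-AlternateStreams {
    param([string]$Path)
    # ':$DATA' is the object's ordinary content; every other named stream is an ADS.
    Get-Item -LiteralPath $Path -Stream * -ErrorAction Stop |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            [pscustomobject]@{
                Path    = $Path
                Stream  = $_.Stream
                Length  = $_.Length
                # The streams in the log all had 8-hex-digit names; flag that pattern.
                HexName = ($_.Stream -match '^[0-9A-Fa-f]{8}$')
            }
        }
}

function Get-OrphanedBHO {
    # Each BHO is registered by CLSID; the CLSID's InprocServer32 default value is the DLL.
    if (-not (Test-Path $BhoKey)) { return }
    foreach ($entry in Get-ChildItem $BhoKey) {
        $clsid  = $entry.PSChildName
        $server = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $dll    = $null
        if (Test-Path $server) {
            $dll = (Get-ItemProperty $server).'(default)'
            if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"')) }
        }
        [pscustomobject]@{
            CLSID    = $clsid
            Dll      = $dll
            # Orphaned: no CLSID registration, or the DLL it names is missing from disk.
            Orphaned = (-not $dll) -or (-not (Test-Path -LiteralPath $dll))
        }
    }
}

$streams = @(Get-AlternateStreams -Path $Target)
$orphans = @(Get-OrphanedBHO | Where-Object { $_.Orphaned })
$streams | Format-Table -AutoSize
$orphans | Format-Table -AutoSize

if ($Remove) {
    foreach ($s in $streams | Where-Object { $_.HexName }) {
        Remove-Item -LiteralPath $s.Path -Stream $s.Stream
        "Removed ADS $($s.Path):$($s.Stream)"
    }
    foreach ($o in $orphans) {
        Remove-Item -Path (Join-Path $BhoKey $o.CLSID) -Recurse
        "Removed BHO registration $($o.CLSID)"
    }
}
```

Legitimate streams such as the `Zone.Identifier` mark on the downloaded WinPFind35u.exe (also visible in the log above) do not match the hex-name pattern and are left alone; review both listings before adding `-Remove`.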

#5 Mattagin (Topic Starter)

Posted 05 February 2008 - 10:50 AM

I have to disable my Avira Antivir to run your program because it always assumes it's a Trojan. Maybe the problem is with AntiVir. But anyways, here is the Fix log.
-----------------------------------------------
[Driver Services - Non-Microsoft Only]
Service XGCGDDDQ stopped successfully.
[Registry - Non-Microsoft Only]
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3B71576E-CA1D-4199-973E-0538A40DA9EE}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3B71576E-CA1D-4199-973E-0538A40DA9EE}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77701e16-9bfe-4b63-a5b4-7bd156758a37}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{77701e16-9bfe-4b63-a5b4-7bd156758a37}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7E853D72-626A-48EC-A868-BA8D5E23E045}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar\\ID deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}\ not found.
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
ADS C:\Documents and Settings\All Users\Application Data\TEMP:13AA281B deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:1A6AFE3D deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:1DF79F4B deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:22313216 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:260575F1 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:38B32B54 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:3B812EE0 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:3BAD65EA deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:4EFDF5FB deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:77D98D08 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:78E0DF72 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:7972CF54 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:7CA7BED1 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:93F3E4C9 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:98AE08EA deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:CB0EB1DE deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:D31BE97C deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:D885A57E deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:E32966C0 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:FDCAE7B5 deleted successfully.
< End of fix log >
WinPFind35U Version Beta42 fix logfile created on 02052008_114414

#6 OldTimer (Malware Expert)

Posted 05 February 2008 - 11:36 AM

Hi Mattagin. Yes, I should have told you that. I use AntiVir also and I have just told it to ignore the file. Otherwise it was constantly popping up telling me of the "threat". There are a couple of AV's that do not like WPF35.

Looks like everything was taken care of. Any other issues at this time?

Cheers.

OT

#7 Mattagin (Topic Starter)

Posted 05 February 2008 - 12:36 PM

Well I did a new scan with Antivir and your program wasn't the only threat that it assumed was present. Here is a report.
-----------------------------------------------------------------


AntiVir PersonalEdition Classic
Report file date: Tuesday, February 05, 2008 12:50

Scanning for 1093948 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: SYSTEM
Computer name: BUBSSIS

Version information:
BUILD.DAT : 270 15603 Bytes 9/19/2007 13:32:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 8/23/2007 18:16:29
AVSCAN.DLL : 7.0.6.0 49192 Bytes 8/16/2007 17:23:51
LUKE.DLL : 7.0.5.3 147496 Bytes 8/14/2007 20:32:47
LUKERES.DLL : 7.0.6.1 10280 Bytes 8/21/2007 17:35:20
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 16:44:06
ANTIVIR1.VDF : 7.0.1.95 3367424 Bytes 12/14/2007 16:44:06
ANTIVIR2.VDF : 7.0.2.49 1339904 Bytes 1/25/2008 16:44:07
ANTIVIR3.VDF : 7.0.2.96 321024 Bytes 2/5/2008 16:44:07
AVEWIN32.DLL : 7.6.0.62 3240448 Bytes 2/5/2008 16:44:09
AVWINLL.DLL : 1.0.0.7 14376 Bytes 2/26/2007 15:36:26
AVPREF.DLL : 7.0.2.2 25640 Bytes 7/18/2007 12:39:17
AVREP.DLL : 7.0.0.1 155688 Bytes 4/16/2007 18:16:24
AVPACK32.DLL : 7.6.0.3 360488 Bytes 2/5/2008 16:44:09
AVREG.DLL : 7.0.1.6 30760 Bytes 7/18/2007 12:17:06
AVARKT.DLL : 1.0.0.20 278568 Bytes 8/28/2007 17:26:33
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 7/18/2007 12:10:18
NETNT.DLL : 7.0.0.0 7720 Bytes 3/8/2007 16:09:42
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 8/7/2007 17:38:13
RCTEXT.DLL : 7.0.62.0 86056 Bytes 8/21/2007 17:50:37
SQLITE3.DLL : 3.3.17.1 339968 Bytes 7/23/2007 14:37:21

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: F:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Tuesday, February 05, 2008 12:50

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
22 processes with 22 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!
Boot sector 'F:\'
[NOTE] No virus was found!

Starting to scan the registry.
The registry was scanned ( '18' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\Home\Desktop\Security Programs\WinPFind35u.exe
[0] Archive type: ZIP SFX (self extracting)
--> WinPFind35u/WinPFind35U.exe
[DETECTION] Is the Trojan horse TR/Delphi.Downloader.Gen
[WARNING] The file was ignored!
C:\Documents and Settings\Home\Desktop\Security Programs\WinPFind35u\WinPFind35U.exe
[DETECTION] Is the Trojan horse TR/Delphi.Downloader.Gen
[WARNING] The file was ignored!
C:\System Volume Information\_restore{1DFDEB95-0EAD-4929-9DB9-F6A761147D71}\RP150\A0016043.exe
[DETECTION] Is the Trojan horse TR/Delphi.Downloader.Gen
[WARNING] The file was ignored!
C:\WINDOWS\system32\AppCert\wsil32.dll
[DETECTION] Is the Trojan horse TR/Dldr.Agent.hkb
[WARNING] The file was ignored!
Begin scan in 'F:\'


End of the scan: Tuesday, February 05, 2008 13:30
Used time: 40:12 min

The scan has been done completely.

2911 Scanning directories
122109 Files were scanned
4 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
122105 Files not concerned
610 Archives were scanned
6 Warnings
0 Notes

#8 OldTimer (Malware Expert)

Posted 05 February 2008 - 03:22 PM

Hi Mattagin. There isn't a definitive answer to the wsil32.dll file. Some AV's say it's bad, some say it's riskware, and some don't say anything one way or the other. Most AV companies say it can be deleted without dire consequences but no one says what it is really used for. What you could try is simply renaming it and see if anything breaks. If not, then go ahead and delete it. If so, then rename it back. With the information available we'll just have to see.

Let me know what happens.

Cheers.

OT

#9 Mattagin (Topic Starter)

Posted 05 February 2008 - 08:19 PM

I am a little bit concerned about renaming the file or deleting it. When I clicked on the properties it says that wsil32.dll is Winlogon Startup Initialization Library (WSIL). Wouldn't deleting it cause a problem logging on the computer?
----------------------------------------
I don't know if this makes a difference but googling the file for faqs brought me to jotti's online malware scan and this is what they had to say....
---------------------
Scan taken on 06 Feb 2008 01:34:50 (GMT)
A-Squared Found nothing
AntiVir Found TR/Dldr.Agent.hkb
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found Troj.Downloader.W32.Agent.hkb
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Trojan-Downloader.Win32.Agent.hkb
Fortinet Found nothing
Ikarus Found Trojan-Downloader.Win32.Agent.hkb
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Agent.hkb
NOD32 Found nothing
Norman Virus Control Found W32/Agent.EDBN
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found Mal/Generic-A
VirusBuster Found nothing
VBA32 Found Trojan-Downloader.Win32.Agent.hkb

Edited by Mattagin, 05 February 2008 - 08:47 PM.


#10 OldTimer (Malware Expert)

Posted 05 February 2008 - 09:31 PM

Hi Mattagin. Yeah, I saw other parts of Jotti's report along with a VirusScan report showing none, even with many of the same scanners. If it is bad, renaming it won't hurt anything. It would need to be deleted anyway. Renaming it would be a kind of intermediary step allowing it to be easily restored.

Try renaming it and see what happens.

Cheers.

OT

#11 Mattagin (Topic Starter)

Posted 05 February 2008 - 10:50 PM

I renamed the file to ws_temp1.dll and AntiVir continues to flag it as Tr/dldr.agent.hkb. Renaming it hasn't seemed to affect performance of the computer otherwise so do you think I can delete it?

#12 OldTimer (Malware Expert)

Posted 06 February 2008 - 12:51 AM

Hi Mattagin. Yes, AntiVir will continue to flag it no matter what name it has. The file hasn't changed and AntiVir is looking inside of it.

You have a couple of options. Let AntiVir quarantine it or just delete it and then empty the Recycle Bin. Otherwise AntiVir will continue to flag it there.

Cheers.

OT

#13 Mattagin (Topic Starter)

Posted 06 February 2008 - 10:40 AM

OK I have deleted the file but I also did something I'm not sure about yet. I went into the Registry and did a Find on wsil32.dll and deleted all references to it. We don't seem to be having any problems and I know I shouldn't mess with the Registry because I don't have the expertise...but when it showed up in there in 4 places I thought it would be safe to get rid of it.

Other than that everything seems okay for now. If there is anything else you think I should do please let me know. If not, thank you for your assistance and I will continue to recommend Bleeping Computers to anyone who needs help. It can be a scary world out there in CyberSpace.
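The last few posts turn on two points: a scanner identifies a file by its contents, so renaming it changes nothing about the detection, and registry references to the file should go only once the file itself is gone. Below is an added PowerShell example, not from the thread, of the conservative version of what was done here by hand: hash the file first (the hash, not the name, is what a multi-engine lookup such as the Jotti report keys on), search the registry hives for every value whose data names the DLL, export each containing key with reg.exe before touching it, and remove the values only when run with `-Remove`. The file name and the `system32\AppCert` path come from the AntiVir report; the thread does not say which four keys held the references, so the search walks HKLM\SOFTWARE, HKLM\SYSTEM\CurrentControlSet and HKCU\Software rather than assuming them. The backup directory and the `-Remove` switch are assumptions of this example; it needs PowerShell 4.0 or later (for Get-FileHash) and an elevated prompt.

```powershell
# Added example, not from the thread: hash a flagged DLL, find every registry value
# that refers to it, back each containing key up with reg.exe, and only then (with
# -Remove) delete the values. Requires PowerShell 4.0+ (Get-FileHash); run elevated.
# $Dll and the system32\AppCert path come from the AntiVir report; $BackupDir is an assumption.
param(
    [string]$Dll       = 'wsil32.dll',
    [string]$BackupDir = (Join-Path $env:USERPROFILE 'Desktop\regbackup'),
    [switch]$Remove
)

function Get-ContentId {
    # Renaming changes the name, not the bytes: a scanner or a multi-engine lookup
    # identifies the file by content, so record the hash before anything else.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
}

function Find-RegistryReferences {
    # Walk the hives a DLL load point would live in and return every value whose data
    # names the file. HKLM\SYSTEM is included because Session Manager\AppCertDlls, a
    # documented DLL load point, lives there; the thread does not say which keys held
    # the references, so nothing is assumed about them.
    param([string]$Name)
    $roots = 'HKLM:\SOFTWARE', 'HKLM:\SYSTEM\CurrentControlSet', 'HKCU:\Software'
    foreach ($root in $roots) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            foreach ($valueName in $key.GetValueNames()) {
                $data = "$($key.GetValue($valueName))"   # REG_MULTI_SZ joins with spaces
                if ($data -match [regex]::Escape($Name)) {
                    [pscustomobject]@{ Key = $key.Name; Value = $valueName; Data = $data }
                }
            }
        }
    }
}

function Backup-RegistryKey {
    # RegistryKey.Name is already in the HKEY_LOCAL_MACHINE\... form reg.exe expects.
    param([string]$KeyName, [string]$Dir)
    New-Item -ItemType Directory -Path $Dir -Force | Out-Null
    $file = Join-Path $Dir (($KeyName -replace '[\\:]', '_') + '.reg')
    & reg.exe export $KeyName $file /y | Out-Null
    $file
}

$path = Join-Path $env:SystemRoot "system32\AppCert\$Dll"
"SHA256 of ${path}: $(Get-ContentId $path)"

$refs = @(Find-RegistryReferences -Name $Dll)
$refs | Format-Table -AutoSize
foreach ($r in $refs) {
    "Backed up $($r.Key) to $(Backup-RegistryKey -KeyName $r.Key -Dir $BackupDir)"
    if ($Remove) {
        $psPath  = $r.Key -replace '^HKEY_LOCAL_MACHINE', 'HKLM:' -replace '^HKEY_CURRENT_USER', 'HKCU:'
        $valName = if ($r.Value -eq '') { '(default)' } else { $r.Value }   # '' is the default value
        Remove-ItemProperty -Path $psPath -Name $valName
        "Removed value '$valName' from $($r.Key)"
    }
}
```

Walking HKLM\SOFTWARE recursively takes a few minutes and silently skips keys the account cannot read. Each exported .reg file can be restored with `reg import` if removing a value turns out to break something, which is the safety net the bare Find-and-delete in regedit does not give you.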

#14 OldTimer (Malware Expert)

Posted 06 February 2008 - 05:08 PM

Hi Mattagin. You should be all set. Let's do some final cleanup and then you are free lol.

Step #1

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check Turn off System Restore.
  • Click Apply, and then click OK.

System Restore will now be active again.

Step #2

To remove all of the tools we used and the files and folders they created do the following:
  • Start WinPFind35
  • Click the CleanUp button
  • WinPFind35 will download a small file from the Internet. If a security program or firewall warns you of this allow it to download.
  • WinPFind35 will delete any tools downloaded and files/folders created and then ask you to reboot so it can remove itself. Click Yes.
After that you are good to go.

Cheers.

OT

#15 Mattagin (Topic Starter)

Posted 08 February 2008 - 08:37 AM

Sorry for the delay but the final steps have been completed and things seem to be okay apart from AntiVir still flagging WinPFind35. It has been safely removed so hopefully no more complications. Thanks for your help. Keep up the good work.



