
Malware Hiding Between The Platters



#1 rigel


Posted 29 April 2008 - 06:34 PM

Here it is OT...

OTScanIt logfile created on: 4/29/2008 7:16:42 PM
OTScanIt by OldTimer - Version 1.0.11.8	 Folder = C:\Documents and Settings\administrator\Desktop\OTScanIt
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
503.36 Mb Total Physical Memory | 174.67 Mb Available Physical Memory | 34.70% Memory free
1.20 Gb Paging File | 0.93 Gb Available in Paging File | 77.54% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512;
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 17.74 Gb Free Space | 47.60% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: FDJ-V05-LAPTOP
Current User Name: Administrator
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: All users

[Processes - Non-Microsoft Only]
xtagent.exe -> %SystemRoot%\system32\novell\xtagent.exe -> Novell, Inc. [Ver = 1.2.3.1 | Size = 61440 bytes | Modified Date = 1/10/2005 1:36:52 PM | Attr =	]
savservice.exe -> %ProgramFiles%\Sophos\Sophos Anti-Virus\SavService.exe -> Sophos Plc [Ver = 1.0.0.3755 | Size = 98304 bytes | Modified Date = 3/19/2008 1:04:51 PM | Attr =	]
cbevtsvc.exe -> %SystemRoot%\system32\CbEvtSvc.exe ->  [Ver =  | Size = 91648 bytes | Modified Date = 4/28/2008 3:56:01 PM | Attr =	]
hasplms.exe -> %SystemRoot%\system32\hasplms.exe -> Aladdin Knowledge Systems Ltd. [Ver = 12.10.1.2148 | Size = 535807 bytes | Modified Date = 3/15/2007 3:48:26 PM | Attr =	]
nalntsrv.exe -> %ProgramFiles%\Novell\ZENworks\NALNTSRV.EXE -> Novell, Inc. [Ver = 6.5.20.0 | Size = 112128 bytes | Modified Date = 9/9/2005 12:54:44 PM | Attr =	]
zenrem32.exe -> %ProgramFiles%\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe -> Novell, Inc. [Ver = 6,5,2,0 | Size = 163840 bytes | Modified Date = 9/1/2005 12:49:34 PM | Attr =	]
savadminservice.exe -> %ProgramFiles%\Sophos\Sophos Anti-Virus\SAVAdminService.exe -> Sophos Plc [Ver = 1.0.0.3730 | Size = 69632 bytes | Modified Date = 3/19/2008 1:02:36 PM | Attr =	]
managementagentnt.exe -> %ProgramFiles%\Sophos\Remote Management System\ManagementAgentNT.exe -> Sophos Plc [Ver = 3,0,4,1735 | Size = 266240 bytes | Modified Date = 3/19/2008 1:02:17 PM | Attr =	]
alsvc.exe -> %ProgramFiles%\Sophos\AutoUpdate\ALsvc.exe -> Sophos Plc [Ver = 3.7.19.161 | Size = 172032 bytes | Modified Date = 3/19/2008 1:06:23 PM | Attr =	]
routernt.exe -> %ProgramFiles%\Sophos\Remote Management System\RouterNT.exe -> Sophos Plc [Ver = 3,0,4,1735 | Size = 790528 bytes | Modified Date = 3/19/2008 1:02:01 PM | Attr =	]
smagent.exe -> %ProgramFiles%\Analog Devices\SoundMAX\SMAgent.exe -> Analog Devices, Inc. [Ver = 3, 2, 6, 0 | Size = 45056 bytes | Modified Date = 9/20/2002 2:50:10 PM | Attr =	]
tablet.exe -> %SystemRoot%\system32\Tablet.exe -> Wacom Technology, Corp. [Ver = 4.94-3 | Size = 753664 bytes | Modified Date = 12/6/2005 12:00:44 AM | Attr =	]
uaservice.exe -> %ProgramFiles%\Lightspeed Systems\User Agent\UAService.exe -> Lightspeed Systems [Ver = 1.01.05 | Size = 262144 bytes | Modified Date = 5/29/2007 1:50:12 PM | Attr =	]
wm.exe -> %ProgramFiles%\Novell\ZENworks\WM.EXE -> Novell, Inc. [Ver = v6.5.2 (20050104) | Size = 149024 bytes | Modified Date = 9/8/2005 11:38:50 AM | Attr =	]
wmrundll.exe -> %ProgramFiles%\Novell\ZENworks\WMRUNDLL.EXE -> Novell, Inc. [Ver = v6.5.2 (20050104) | Size = 12224 bytes | Modified Date = 9/8/2005 11:38:48 AM | Attr =	]
igfxtray.exe -> %SystemRoot%\system32\igfxtray.exe -> Intel Corporation [Ver = 3.0.0.4308 | Size = 94208 bytes | Modified Date = 4/25/2005 10:32:12 AM | Attr =	]
hkcmd.exe -> %SystemRoot%\system32\hkcmd.exe -> Intel Corporation [Ver = 3.0.0.4308 | Size = 77824 bytes | Modified Date = 4/25/2005 10:29:00 AM | Attr =	]
igfxpers.exe -> %SystemRoot%\system32\igfxpers.exe -> Intel Corporation [Ver = 3.0.0.4308 | Size = 114688 bytes | Modified Date = 4/25/2005 10:32:52 AM | Attr =	]
smax4pnp.exe -> %ProgramFiles%\Analog Devices\SoundMAX\SMax4PNP.exe -> Analog Devices, Inc. [Ver = 5, 0, 2, 2 | Size = 1388544 bytes | Modified Date = 10/14/2004 9:11:10 AM | Attr =	]
smax4.exe -> %ProgramFiles%\Analog Devices\SoundMAX\SMax4.exe -> Analog Devices, Inc. [Ver = 5, 0, 2, 6 | Size = 860160 bytes | Modified Date = 9/23/2004 12:41:54 PM | Attr =	]
agrsmmsg.exe -> %SystemRoot%\AGRSMMSG.exe -> Agere Systems [Ver = 2.1.41.10 2.1.41.10 06/29/2004 09:06:35 | Size = 88363 bytes | Modified Date = 8/24/2004 11:20:10 AM | Attr =	]
syntpenh.exe -> %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe -> Synaptics, Inc. [Ver = 8.2.23 31Mar06 | Size = 761946 bytes | Modified Date = 3/31/2006 4:01:48 PM | Attr =	]
nwtray.exe -> %SystemRoot%\system32\nwtray.exe -> Novell, Inc. [Ver = v4.90 | Size = 28672 bytes | Modified Date = 3/12/2002 11:37:28 AM | Attr = R  ]
eabservr.exe -> %ProgramFiles%\HPQ\Quick Launch Buttons\eabservr.exe -> Hewlett-Packard  [Ver = 5, 1, 1, 2 | Size = 290816 bytes | Modified Date = 12/3/2004 1:24:20 PM | Attr =	]
qttask.exe -> %ProgramFiles%\QuickTime\qttask.exe -> Apple Computer, Inc. [Ver = 6.5.1 | Size = 98304 bytes | Modified Date = 8/17/2006 9:16:44 AM | Attr =	]
hpwqtbx.exe -> %ProgramFiles%\Hewlett-Packard\HP Deskjet 9800 Series\Toolbox\HPWQTBX.exe -> Hewlett-Packard Company [Ver = 2005.0117.0.0 | Size = 335872 bytes | Modified Date = 1/17/2005 4:49:04 PM | Attr =	]
hpwuschd.exe -> %ProgramFiles%\HP\HP Software Update\hpwuSchd.exe -> Hewlett-Packard [Ver = 1, 0, 0, 3 | Size = 49152 bytes | Modified Date = 8/4/2003 5:28:18 PM | Attr =	]
hpcmpmgr.exe -> %ProgramFiles%\HP\hpcoretech\hpcmpmgr.exe -> Hewlett-Packard Company [Ver = 2.1.1.0 | Size = 241664 bytes | Modified Date = 12/22/2003 8:38:42 AM | Attr =	]
ekij5000mui.exe -> %SystemRoot%\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe -> Eastman Kodak Company [Ver = 2.5.112.0 | Size = 753664 bytes | Modified Date = 3/7/2007 10:04:42 AM | Attr =	]
pwrisovm.exe -> %ProgramFiles%\PowerISO\PWRISOVM.EXE -> PowerISO Computing, Inc. [Ver = 3, 4, 0, 0 | Size = 196608 bytes | Modified Date = 9/9/2006 5:16:11 AM | Attr =	]
almon.exe -> %ProgramFiles%\Sophos\AutoUpdate\ALMon.exe -> Sophos Plc [Ver = 3.10.54.138 | Size = 245760 bytes | Modified Date = 11/16/2007 5:26:37 PM | Attr =	]
hpqtra08.exe -> %ProgramFiles%\HP\Digital Imaging\bin\hpqtra08.exe -> Hewlett-Packard Co. [Ver = 5.35.0.035 | Size = 237568 bytes | Modified Date = 9/16/2003 5:19:24 AM | Attr =	]
nalagent.exe -> %ProgramFiles%\Novell\ZENworks\NalAgent.exe -> Novell, Inc [Ver = 6.5.20.0 | Size = 382976 bytes | Modified Date = 9/9/2005 12:54:18 PM | Attr =	]
tabuserw.exe -> %SystemRoot%\system32\WTablet\TabUserW.exe -> Wacom Technology, Corp. [Ver = 4.94-3 | Size = 114688 bytes | Modified Date = 12/5/2005 11:59:02 PM | Attr =	]
otscanit.exe -> %UserProfile%\Desktop\OTScanIt\OTScanIt.exe -> OldTimer Tools [Ver = 1.0.11.8 | Size = 372224 bytes | Modified Date = 4/28/2008 6:33:24 PM | Attr =	]

[Win32 Services - Non-Microsoft Only]
(CbEvtSvc) CbEvtSvc [Win32_Own | Auto | Running] -> %SystemRoot%\system32\CbEvtSvc.exe ->  [Ver =  | Size = 91648 bytes | Modified Date = 4/28/2008 3:56:01 PM | Attr =	]
(cusrvc) Client Update Service for Novell [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\system32\cusrvc.exe -> Novell, Inc. [Ver = v4.91 | Size = 36864 bytes | Modified Date = 1/18/2005 10:17:56 AM | Attr = R  ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %SystemRoot%\system32\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 8/4/2004 12:56:50 AM | Attr =	]
(gusvc) Google Updater Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Google\Common\Google Updater\GoogleUpdaterService.exe -> Google [Ver = 2.0.734.29932.beta | Size = 138168 bytes | Modified Date = 11/19/2007 10:32:45 PM | Attr =	]
(hasplms) HASP License Manager [Win32_Own | Auto | Running] -> %SystemRoot%\system32\hasplms.exe -> Aladdin Knowledge Systems Ltd. [Ver = 12.10.1.2148 | Size = 535807 bytes | Modified Date = 3/15/2007 3:48:26 PM | Attr =	]
(hpqwmi) HP WMI Interface [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\HPQ\shared\hpqwmi.exe -> Hewlett-Packard Development Company, L.P. [Ver = 1, 0, 4, 2 | Size = 98304 bytes | Modified Date = 11/18/2004 12:32:56 AM | Attr =	]
(IDriverT) InstallDriver Table Manager [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\InstallShield\Driver\1050\Intel 32\IDriverT.exe -> Macrovision Corporation [Ver = 10.50.125 | Size = 73728 bytes | Modified Date = 10/22/2004 3:24:18 AM | Attr =	]
(NALNTSERVICE) Novell Application Launcher [Win32_Own | Auto | Running] -> %ProgramFiles%\Novell\ZENworks\NALNTSRV.EXE -> Novell, Inc. [Ver = 6.5.20.0 | Size = 112128 bytes | Modified Date = 9/9/2005 12:54:44 PM | Attr =	]
(Pml Driver HPZ12) Pml Driver HPZ12 [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\system32\hpzipm12.exe -> HP [Ver = 7, 0, 0, 0 | Size = 65795 bytes | Modified Date = 1/5/2004 3:27:32 AM | Attr =	]
(Remote Management Agent) Novell ZENworks Remote Management Agent [Win32_Own | Auto | Running] -> %ProgramFiles%\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe -> Novell, Inc. [Ver = 6,5,2,0 | Size = 163840 bytes | Modified Date = 9/1/2005 12:49:34 PM | Attr =	]
(SAVAdminService) Sophos Anti-Virus status reporter [Win32_Own | Unknown | Running] ->  -> File not found
(SAVService) Sophos Anti-Virus [Win32_Own | Unknown | Running] ->  -> File not found
(Sophos Agent) Sophos Agent [Win32_Own | Auto | Running] -> %ProgramFiles%\Sophos\Remote Management System\ManagementAgentNT.exe -> Sophos Plc [Ver = 3,0,4,1735 | Size = 266240 bytes | Modified Date = 3/19/2008 1:02:17 PM | Attr =	]
(Sophos AutoUpdate Service) Sophos AutoUpdate Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Sophos\AutoUpdate\ALsvc.exe -> Sophos Plc [Ver = 3.7.19.161 | Size = 172032 bytes | Modified Date = 3/19/2008 1:06:23 PM | Attr =	]
(Sophos Message Router) Sophos Message Router [Win32_Own | Auto | Running] -> %ProgramFiles%\Sophos\Remote Management System\RouterNT.exe -> Sophos Plc [Ver = 3,0,4,1735 | Size = 790528 bytes | Modified Date = 3/19/2008 1:02:01 PM | Attr =	]
(SoundMAX Agent Service (default)) SoundMAX Agent Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Analog Devices\SoundMAX\SMAgent.exe -> Analog Devices, Inc. [Ver = 3, 2, 6, 0 | Size = 45056 bytes | Modified Date = 9/20/2002 2:50:10 PM | Attr =	]
(TabletService) TabletService [Win32_Own | Auto | Running] -> %SystemRoot%\system32\Tablet.exe -> Wacom Technology, Corp. [Ver = 4.94-3 | Size = 753664 bytes | Modified Date = 12/6/2005 12:00:44 AM | Attr =	]
(UAService) User Agent Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Lightspeed Systems\User Agent\UAService.exe -> Lightspeed Systems [Ver = 1.01.05 | Size = 262144 bytes | Modified Date = 5/29/2007 1:50:12 PM | Attr =	]
(XTAgent) Novell XTier Agent Services [Win32_Own | Auto | Running] -> %SystemRoot%\system32\novell\xtagent.exe -> Novell, Inc. [Ver = 1.2.3.1 | Size = 61440 bytes | Modified Date = 1/10/2005 1:36:52 PM | Attr =	]
(ZFDWM) Workstation Manager [Win32_Own | Auto | Running] -> %ProgramFiles%\Novell\ZENworks\WM.EXE -> Novell, Inc. [Ver = v6.5.2 (20050104) | Size = 149024 bytes | Modified Date = 9/8/2005 11:38:50 AM | Attr =	]

[Driver Services - Non-Microsoft Only]
(aeaudio) aeaudio [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\aeaudio.sys -> Andrea Electronics Corporation [Ver = 4.0.1.11 built by: WinDDK | Size = 127744 bytes | Modified Date = 11/8/2004 2:10:36 PM | Attr =	]
(AFS2K) AFS2K [Kernel | System | Running] -> %SystemRoot%\system32\drivers\AFS2K.SYS -> Oak Technology Inc. [Ver = 3.1.21.1103 | Size = 35840 bytes | Modified Date = 10/7/2004 9:16:04 PM | Attr =	]
(AgereSoftModem) Agere Systems Soft Modem [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\AGRSM.sys -> Agere Systems [Ver = 2.1.41.10 2.1.41.10 06/29/2004 09:07:15 | Size = 1268204 bytes | Modified Date = 8/24/2004 11:20:08 AM | Attr =	]
(aksfridge) HASP Fridge [Kernel | Auto | Running] -> %SystemRoot%\system32\drivers\aksfridge.sys -> Aladdin Knowledge Systems Ltd. [Ver = 1.21 | Size = 351744 bytes | Modified Date = 3/12/2007 9:48:56 PM | Attr =	]
(akshasp) Aladdin HASP Key [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\akshasp.sys -> Aladdin Knowledge Systems Ltd. [Ver = 4.14 | Size = 329856 bytes | Modified Date = 3/6/2007 10:39:12 PM | Attr =	]
(akshhl) Aladdin HASP HL Key [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\akshhl.sys -> Aladdin Knowledge Systems Ltd. [Ver = 1.11 | Size = 135424 bytes | Modified Date = 3/6/2007 10:39:20 PM | Attr =	]
(aksusb) Aladdin USB Key [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\aksusb.sys -> Aladdin Knowledge Systems Ltd. [Ver = 3.14 | Size = 99712 bytes | Modified Date = 3/6/2007 10:39:20 PM | Attr =	]
(bcm4sbxp) Broadcom 440x 10/100 Integrated Controller [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\bcm4sbxp.sys -> Broadcom Corporation [Ver = 4.25.0.0 built by: WinDDK | Size = 44928 bytes | Modified Date = 5/26/2004 3:18:18 PM | Attr =	]
(BlankScr) HBDevice [Kernel | Auto | Running] -> %SystemRoot%\system32\drivers\blankscr.sys -> Novell Inc. [Ver = 6, 5, 1, 0 | Size = 6899 bytes | Modified Date = 1/17/2005 12:23:18 PM | Attr =	]
(Darpan) Darpan [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\Darpan.sys -> Novell, Inc. [Ver = 6.5.1.0 | Size = 2773 bytes | Modified Date = 1/10/2005 11:37:52 AM | Attr =	]
(dmboot) dmboot [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\drivers\dmboot.sys -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 799744 bytes | Modified Date = 8/3/2004 11:07:18 PM | Attr =	]
(dmio) Logical Disk Manager Driver [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\dmio.sys -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 153344 bytes | Modified Date = 8/3/2004 11:07:18 PM | Attr =	]
(dmload) dmload [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\dmload.sys -> Microsoft Corp., Veritas Software. [Ver = 2600.0.503.0 | Size = 5888 bytes | Modified Date = 8/23/2001 8:00:00 AM | Attr =	]
(eabfiltr) eabfiltr [Kernel | System | Running] -> %SystemRoot%\system32\drivers\eabfiltr.sys -> Hewlett-Packard Company [Ver = 4.20.01.03 | Size = 7432 bytes | Modified Date = 4/14/2004 7:36:50 AM | Attr =	]
(eabusb) eabusb [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\EabUsb.sys -> Hewlett-Packard Company [Ver = 4.10.02.02 | Size = 5220 bytes | Modified Date = 6/6/2003 11:46:16 AM | Attr =	]
(Hardlock) Hardlock [Kernel | Auto | Running] -> %SystemRoot%\system32\drivers\hardlock.sys -> Aladdin Knowledge Systems Ltd. [Ver = 3.43 | Size = 694272 bytes | Modified Date = 3/6/2007 10:39:20 PM | Attr =	]
(Haspnt) Haspnt [Kernel | Auto | Running] -> %SystemRoot%\system32\drivers\Haspnt.sys -> Aladdin Knowledge Systems [Ver = 4.65 | Size = 47616 bytes | Modified Date = 1/5/2007 6:18:24 PM | Attr =	]
(HPZid412) IEEE-1284.4 Driver HPZid412 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\hpzid412.sys -> HP [Ver = 7, 0, 0, 0 | Size = 51056 bytes | Modified Date = 1/5/2004 3:27:32 AM | Attr = R  ]
(HPZipr12) Print Class Driver for IEEE-1284.4 HPZipr12 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\HPZipr12.sys -> HP [Ver = 7, 0, 0, 0 | Size = 16496 bytes | Modified Date = 1/5/2004 3:27:34 AM | Attr = R  ]
(HPZius12) USB to IEEE-1284.4 Translation Driver HPZius12 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\HPZius12.sys -> HP [Ver = 7, 0, 0, 0 | Size = 21488 bytes | Modified Date = 1/5/2004 3:27:34 AM | Attr = R  ]
(ialm) ialm [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\ialmnt5.sys -> Intel Corporation [Ver = 6.14.10.4308 | Size = 889628 bytes | Modified Date = 4/25/2005 10:56:18 AM | Attr =	]
(NetwareWorkstation) Novell Client for Windows [File_System | Auto | Running] -> %SystemRoot%\system32\NetWare\nwfs.sys -> Novell, Inc. [Ver = 4.91.1.1 | Size = 497743 bytes | Modified Date = 10/27/2005 5:38:46 PM | Attr = R  ]
(NICM) Novell InterService Communication Driver [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\nicm.sys -> Novell, Inc. [Ver = 3.0.0.3 | Size = 38848 bytes | Modified Date = 8/19/2004 1:34:06 PM | Attr = R  ]
(NWDHCP) Novell DHCP Inform Client [File_System | Auto | Running] -> %SystemRoot%\system32\NetWare\nwdhcp.sys -> Novell, Inc. [Ver = 4.91.1.0 | Size = 18353 bytes | Modified Date = 11/10/2005 8:53:00 AM | Attr = R  ]
(NWDNS) Novell DNS Name Space Service Provider [File_System | On_Demand | Running] -> %SystemRoot%\system32\NetWare\nwdns.sys -> Novell, Inc. [Ver = 4.91.1.0 | Size = 35568 bytes | Modified Date = 9/29/2005 1:04:46 PM | Attr = R  ]
(NWFILTER) Novell UNC Path Filter [Kernel | Boot | Running] -> %SystemRoot%\system32\NetWare\nwfilter.sys -> Novell, Inc. [Ver = 4.91.1.1 | Size = 15891 bytes | Modified Date = 5/26/2005 7:14:00 PM | Attr = R  ]
(NWHOST) Novell Host File Name Space Service Provider [File_System | On_Demand | Running] -> %SystemRoot%\system32\NetWare\nwhost.sys -> Novell, Inc. [Ver = 4.91.1.1 | Size = 9297 bytes | Modified Date = 10/12/2005 2:12:18 PM | Attr = R  ]
(NWSAP) Novell SAP Name Space Provider [File_System | On_Demand | Stopped] -> %SystemRoot%\system32\NetWare\nwsap.sys ->  [Ver =  | Size = 23232 bytes | Modified Date = 2/26/2003 3:51:18 PM | Attr = R  ]
(NWSIPX32) Novell NetWare IPX/SPX Transport Interface [File_System | Auto | Stopped] -> %SystemRoot%\system32\NetWare\nwsipx32.sys -> Novell, Inc. [Ver = 4.91.1.1 | Size = 39731 bytes | Modified Date = 10/27/2005 5:15:14 PM | Attr = R  ]
(NWSLP) Novell SLP Name Space Service Provider [File_System | On_Demand | Running] -> %SystemRoot%\system32\NetWare\nwslp.sys -> Novell, Inc. [Ver = 4.91.0.1 | Size = 20332 bytes | Modified Date = 1/3/2005 3:51:38 PM | Attr = R  ]
(NWSNS) Novell Simple Naming Services [File_System | On_Demand | Running] -> %SystemRoot%\system32\NetWare\nwsns.sys -> Novell, Inc. [Ver = 4.91.1.1 | Size = 6128 bytes | Modified Date = 10/12/2005 2:11:32 PM | Attr = R  ]
(PenClass) Pen Class [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\PenClass.sys -> Wacom Technology Corporation [Ver = 4.00 | Size = 8138 bytes | Modified Date = 11/30/2005 12:50:42 AM | Attr =	]
(Ptilink) Direct Parallel Link Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\ptilink.sys -> Parallel Technologies, Inc. [Ver = 1.10 (XPClient.010817-1148) | Size = 17792 bytes | Modified Date = 8/23/2001 8:00:00 AM | Attr =	]
(PxHelp20) PxHelp20 [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\PxHelp20.sys -> Sonic Solutions [Ver = 2.03.28a | Size = 20640 bytes | Modified Date = 2/1/2005 6:03:00 AM | Attr =	]
(RESMGR) Novell NetWare Resource Manager [Kernel | Auto | Running] -> %SystemRoot%\system32\NetWare\resmgr.sys -> Novell, Inc. [Ver = 4.90 | Size = 27249 bytes | Modified Date = 6/1/2004 7:19:34 PM | Attr = R  ]
(SAVOnAccessControl) SAVOnAccessControl [File_System | System | Running] -> %SystemRoot%\system32\drivers\savonaccesscontrol.sys -> Sophos Plc [Ver = 3.7.2.250 | Size = 101120 bytes | Modified Date = 3/19/2008 1:03:50 PM | Attr =	]
(SAVOnAccessFilter) SAVOnAccessFilter [File_System | System | Running] -> %SystemRoot%\system32\drivers\savonaccessfilter.sys -> Sophos Plc [Ver = 3.7.2.250 | Size = 33408 bytes | Modified Date = 3/19/2008 1:03:26 PM | Attr =	]
(SCDEmu) SCDEmu [Kernel | System | Running] -> %SystemRoot%\system32\drivers\scdemu.sys -> PowerISO Computing, Inc. [Ver = 3, 4, 0, 0 | Size = 30988 bytes | Modified Date = 9/9/2006 5:31:39 AM | Attr =	]
(Secdrv) Secdrv [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\secdrv.sys -> Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K. [Ver = 4.03.086 | Size = 20480 bytes | Modified Date = 11/13/2007 6:25:53 AM | Attr =	]
(Sentinel) Sentinel [Kernel | Auto | Running] -> %SystemRoot%\system32\drivers\SENTINEL.SYS -> Rainbow Technologies, Inc. [Ver = SSD5.41.0 | Size = 76288 bytes | Modified Date = 3/30/2006 3:28:40 PM | Attr =	]
(smwdm) smwdm [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\smwdm.sys -> Analog Devices, Inc. [Ver = 5.12.01.5250 | Size = 259840 bytes | Modified Date = 10/13/2004 2:25:54 PM | Attr =	]
(Sntnlusb) Rainbow USB SuperPro [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\SNTNLUSB.SYS -> Rainbow Technologies Inc. [Ver = SSD5.41.0 | Size = 26120 bytes | Modified Date = 3/30/2006 3:29:20 PM | Attr = R  ]
(SRVLOC) Novell Service Location [File_System | Auto | Running] -> %SystemRoot%\system32\NetWare\srvloc.sys -> Novell, Inc. [Ver = 4.91.0.1 | Size = 155761 bytes | Modified Date = 10/27/2005 5:21:08 PM | Attr = R  ]
(SynTP) Synaptics TouchPad Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\SynTP.sys -> Synaptics, Inc. [Ver = 8.2.23 31Mar06 | Size = 193056 bytes | Modified Date = 3/31/2006 3:41:40 PM | Attr =	]
(w29n51) Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows XP [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\w29n51.sys -> Intel® Corporation [Ver = 9004-13 Driver | Size = 2208512 bytes | Modified Date = 4/21/2006 5:06:26 PM | Attr =	]

[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
AGRSMMSG -> %SystemRoot%\AGRSMMSG.exe [AGRSMMSG.exe] -> Agere Systems [Ver = 2.1.41.10 2.1.41.10 06/29/2004 09:06:35 | Size = 88363 bytes | Modified Date = 8/24/2004 11:20:10 AM | Attr =	]
DXDllRegExe ->  [dxdllreg.exe] -> File not found
eabconfg.cpl -> %ProgramFiles%\HPQ\Quick Launch Buttons\eabservr.exe [C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start] -> Hewlett-Packard  [Ver = 5, 1, 1, 2 | Size = 290816 bytes | Modified Date = 12/3/2004 1:24:20 PM | Attr =	]
EKIJ5000StatusMonitor -> %SystemRoot%\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe [C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe] -> Eastman Kodak Company [Ver = 2.5.112.0 | Size = 753664 bytes | Modified Date = 3/7/2007 10:04:42 AM | Attr =	]
HotKeysCmds -> %SystemRoot%\system32\hkcmd.exe [C:\WINDOWS\System32\hkcmd.exe] -> Intel Corporation [Ver = 3.0.0.4308 | Size = 77824 bytes | Modified Date = 4/25/2005 10:29:00 AM | Attr =	]
HP Component Manager -> %ProgramFiles%\HP\hpcoretech\hpcmpmgr.exe ["C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"] -> Hewlett-Packard Company [Ver = 2.1.1.0 | Size = 241664 bytes | Modified Date = 12/22/2003 8:38:42 AM | Attr =	]
HP Software Update -> %ProgramFiles%\HP\HP Software Update\hpwuSchd.exe ["C:\Program Files\HP\HP Software Update\HPWuSchd.exe"] -> Hewlett-Packard [Ver = 1, 0, 0, 3 | Size = 49152 bytes | Modified Date = 8/4/2003 5:28:18 PM | Attr =	]
HPWQTOOLBOX -> %ProgramFiles%\Hewlett-Packard\HP Deskjet 9800 Series\Toolbox\HPWQTBX.exe [C:\Program Files\Hewlett-Packard\HP Deskjet 9800 Series\Toolbox\HPWQTBX.exe "-i"] -> Hewlett-Packard Company [Ver = 2005.0117.0.0 | Size = 335872 bytes | Modified Date = 1/17/2005 4:49:04 PM | Attr =	]
IgfxTray -> %SystemRoot%\system32\igfxtray.exe [C:\WINDOWS\System32\igfxtray.exe] -> Intel Corporation [Ver = 3.0.0.4308 | Size = 94208 bytes | Modified Date = 4/25/2005 10:32:12 AM | Attr =	]
NWTRAY -> %SystemRoot%\system32\nwtray.exe [NWTRAY.EXE] -> Novell, Inc. [Ver = v4.90 | Size = 28672 bytes | Modified Date = 3/12/2002 11:37:28 AM | Attr = R  ]
Persistence -> %SystemRoot%\system32\igfxpers.exe [C:\WINDOWS\System32\igfxpers.exe] -> Intel Corporation [Ver = 3.0.0.4308 | Size = 114688 bytes | Modified Date = 4/25/2005 10:32:52 AM | Attr =	]
PWRISOVM.EXE -> %ProgramFiles%\PowerISO\PWRISOVM.EXE [C:\Program Files\PowerISO\PWRISOVM.EXE] -> PowerISO Computing, Inc. [Ver = 3, 4, 0, 0 | Size = 196608 bytes | Modified Date = 9/9/2006 5:16:11 AM | Attr =	]
QuickTime Task -> %ProgramFiles%\QuickTime\qttask.exe ["C:\Program Files\QuickTime\qttask.exe" -atboottime] -> Apple Computer, Inc. [Ver = 6.5.1 | Size = 98304 bytes | Modified Date = 8/17/2006 9:16:44 AM | Attr =	]
SoundMAX -> %ProgramFiles%\Analog Devices\SoundMAX\SMax4.exe ["C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray] -> Analog Devices, Inc. [Ver = 5, 0, 2, 6 | Size = 860160 bytes | Modified Date = 9/23/2004 12:41:54 PM | Attr =	]
SoundMAXPnP -> %ProgramFiles%\Analog Devices\SoundMAX\SMax4PNP.exe [C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe] -> Analog Devices, Inc. [Ver = 5, 0, 2, 2 | Size = 1388544 bytes | Modified Date = 10/14/2004 9:11:10 AM | Attr =	]
SynTPEnh -> %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [C:\Program Files\Synaptics\SynTP\SynTPEnh.exe] -> Synaptics, Inc. [Ver = 8.2.23 31Mar06 | Size = 761946 bytes | Modified Date = 3/31/2006 4:01:48 PM | Attr =	]
UpdateManager -> %CommonProgramFiles%\Sonic\Update Manager\sgtray.exe ["C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r] -> Sonic Solutions [Ver = 1.01.32a | Size = 110592 bytes | Modified Date = 8/19/2003 1:01:00 AM | Attr =	]
WatchDog -> %ProgramFiles%\InterVideo\DVD Check\DVDCheck.exe [C:\Program Files\InterVideo\DVD Check\DVDCheck.exe] -> InterVideo Inc. [Ver = 1, 0, 0, 2 | Size = 184320 bytes | Modified Date = 12/8/2004 6:44:36 PM | Attr =	]
ZENRC Tray Icon -> %SystemRoot%\system32\zentray.exe [C:\WINDOWS\system32\zentray.exe] -> Novell, Inc. [Ver = 6.5.1.0 | Size = 40960 bytes | Modified Date = 1/17/2005 11:33:28 AM | Attr =	]
< OptionalComponents [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ -> 
IMAIL-> Installed = 1 -> 
MAPI-> Installed = 1 -> 
MSFS-> Installed = 1 -> 
< administrator Startup Folder > -> C:\Documents and Settings\administrator\Start Menu\Programs\Startup -> 
< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup -> 
%AllUsersProfile%\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk -> %ProgramFiles%\Adobe\Acrobat 7.0\Reader\reader_sl.exe -> Adobe Systems Incorporated [Ver = 7.0.5.2005092300 | Size = 29696 bytes | Modified Date = 9/23/2005 10:05:26 PM | Attr =	]
%AllUsersProfile%\Start Menu\Programs\Startup\Application Explorer.lnk -> %ProgramFiles%\Novell\ZENworks\NalView.exe -> Novell, Inc [Ver = 6.5.20.0 | Size = 35840 bytes | Modified Date = 9/8/2005 11:32:44 AM | Attr =	]
%AllUsersProfile%\Start Menu\Programs\Startup\AutoUpdate Monitor.lnk -> %ProgramFiles%\Sophos\AutoUpdate\ALMon.exe -> Sophos Plc [Ver = 3.10.54.138 | Size = 245760 bytes | Modified Date = 11/16/2007 5:26:37 PM | Attr =	]
%AllUsersProfile%\Start Menu\Programs\Startup\DVD Check.lnk -> %ProgramFiles%\InterVideo\DVD Check\DVDCheck.exe -> InterVideo Inc. [Ver = 1, 0, 0, 2 | Size = 184320 bytes | Modified Date = 12/8/2004 6:44:36 PM | Attr =	]
%AllUsersProfile%\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk -> %ProgramFiles%\HP\Digital Imaging\bin\hpqtra08.exe -> Hewlett-Packard Co. [Ver = 5.35.0.035 | Size = 237568 bytes | Modified Date = 9/16/2003 5:19:24 AM | Attr =	]
%AllUsersProfile%\Start Menu\Programs\Startup\TabUserW.exe.lnk -> %SystemRoot%\system32\WTablet\TabUserW.exe -> Wacom Technology, Corp. [Ver = 4.94-3 | Size = 114688 bytes | Modified Date = 12/5/2005 11:59:02 PM | Attr =	]
< Columbia Startup Folder > -> C:\Documents and Settings\Columbia\Start Menu\Programs\Startup -> 
< Default User Startup Folder > -> C:\Documents and Settings\Default User\Start Menu\Programs\Startup -> 
< RHOGUE Startup Folder > -> C:\Documents and Settings\RHOGUE\Start Menu\Programs\Startup -> 
< TSC Startup Folder > -> C:\Documents and Settings\TSC\Start Menu\Programs\Startup -> 
< YSD1 Startup Folder > -> C:\Documents and Settings\YSD1\Start Menu\Programs\Startup -> 
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs -> 
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls -> 
C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL -> %SystemDrive%\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL -> File not found
C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL -> %ProgramFiles%\Sophos\Sophos Anti-Virus\sophos_detoured.dll -> Sophos Plc [Ver = 1.0.0.3770 | Size = 173056 bytes | Modified Date = 3/19/2008 1:03:28 PM | Attr =	]
*MultiFile Done* -> -> 
< SSODL [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad -> 
{66186F05-BBBB-4a39-864F-72D84615C679} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\sockins32.dll [WebProxy] -> ThinkPad [Ver = 1, 0, 0, 1 | Size = 32768 bytes | Modified Date = 4/28/2008 8:40:36 PM | Attr =	]
< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks -> 
{763370C4-268E-4308-A60C-D8DA0342BE32} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Novell\ZENworks\NalShell.dll [] -> Novell, Inc [Ver = 6.5.20.0 | Size = 430080 bytes | Modified Date = 9/9/2005 12:54:28 PM | Attr =	]
< SecurityProviders [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders -> 
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
*GinaDLL* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\GinaDLL -> 
NWGINA.DLL -> %SystemRoot%\system32\nwgina.dll -> Novell, Inc. [Ver = v6.5.1 (20050908) | Size = 356433 bytes | Modified Date = 10/25/2005 10:37:36 AM | Attr = R  ]
*MultiFile Done* -> -> 
< Winlogon settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
< Winlogon settings [HKEY_USERS\.DEFAULT] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
< Winlogon settings [HKEY_USERS\S-1-5-18] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
< Winlogon settings [HKEY_USERS\S-1-5-19] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
< Winlogon settings [HKEY_USERS\S-1-5-20] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
< Winlogon settings [HKEY_USERS\S-1-5-21-1481906607-906242103-959738221-500] > -> HKEY_USERS\S-1-5-21-1481906607-906242103-959738221-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ -> 
igfxcui -> %SystemRoot%\system32\igfxdev.dll -> Intel Corporation [Ver = 3.0.0.4308 | Size = 131072 bytes | Modified Date = 4/25/2005 10:28:06 AM | Attr =	]
NetIdentity Notification -> %SystemRoot%\system32\novell\xtnotify.dll -> Novell, Inc. [Ver = 1.2.3 | Size = 24576 bytes | Modified Date = 1/10/2005 1:36:58 PM | Attr =	]
< CurrentVersion Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\CompatibleRUPSecurity -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\DontDisplayLastUserName -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\LegalNoticeText ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\ShutdownWithoutLogon -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\UndockWithoutLogon -> 1 -> 
< CurrentVersion Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoActiveDesktop -> 0 -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableTaskMgr -> 1 -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableRegistryTools -> 1 -> 
< CurrentVersion Policy Settings [HKEY_USERS\.DEFAULT] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> 
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> -> 
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 -> 
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-18] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> 
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> -> 
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 -> 
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-19] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> 
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> -> 
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 -> 
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-20] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> 
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> -> 
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 -> 
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-21-1481906607-906242103-959738221-500] > -> HKEY_USERS\S-1-5-21-1481906607-906242103-959738221-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> 
HKEY_USERS\S-1-5-21-1481906607-906242103-959738221-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_USERS\S-1-5-21-1481906607-906242103-959738221-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> -> 
HKEY_USERS\S-1-5-21-1481906607-906242103-959738221-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 -> 
HKEY_USERS\S-1-5-21-1481906607-906242103-959738221-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoActiveDesktop -> 0 -> 
HKEY_USERS\S-1-5-21-1481906607-906242103-959738221-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> -> 
HKEY_USERS\S-1-5-21-1481906607-906242103-959738221-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableTaskMgr -> 1 -> 
HKEY_USERS\S-1-5-21-1481906607-906242103-959738221-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableRegistryTools -> 1 -> 
< CDROM Autorun Settings > [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\ -> ->
*DependOnGroup* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\DependOnGroup -> 
SCSI miniport ->  -> File not found
*MultiFile Done* -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\ErrorControl -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Group -> SCSI CDROM Class -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Start -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Tag -> 2 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Type -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\DisplayName -> CD-ROM Driver -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\ImagePath -> C:\WINDOWS\system32\drivers\cdrom.sys [System32\DRIVERS\cdrom.sys] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 49536 bytes | Modified Date = 8/3/2004 10:59:54 PM | Attr =	]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\AutoRun -> 1 -> 
*AutoRunAlwaysDisable* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\AutoRunAlwaysDisable -> 
NEC	 MBR-7	->  -> File not found
NEC	 MBR-7.4  ->  -> File not found
PIONEER CHANGR DRM-1804X ->  -> File not found
PIONEER CD-ROM DRM-6324X ->  -> File not found
PIONEER CD-ROM DRM-624X  ->  -> File not found
TORiSAN CD-ROM CDR_C36 ->  -> File not found
*MultiFile Done* -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum\\0 -> IDE\CdRomTSSTcorp_CDW/DVD_TS-L462A_______________HP17____\345a333430313231343720202020202020202020 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum\\Count -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum\\NextInstance -> 1 -> 
< Drives - Autoruns > ->  -> 
AUTOEXEC.BAT [] -> %SystemDrive%\AUTOEXEC.BAT [ NTFS ] ->  [Ver =  | Size = 0 bytes | Modified Date = 8/16/2006 1:55:05 PM | Attr =	]
< HOSTS File > (734 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts -> 
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> -> 
HKEY_LOCAL_MACHINE\: Main\\Default_Page_URL -> file://c:/windows/homepage.html -> 
HKEY_LOCAL_MACHINE\: Main\\Default_Search_URL -> file://c:/windows/homepage.html -> 
HKEY_LOCAL_MACHINE\: Main\\Local Page -> %SystemRoot%\system32\blank.htm -> 
HKEY_LOCAL_MACHINE\: Main\\Search Page -> file://c:/windows/homepage.html -> 
HKEY_LOCAL_MACHINE\: Main\\Start Page -> file://c:/windows/homepage.html -> 
HKEY_LOCAL_MACHINE\: Search\\CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm -> 
HKEY_LOCAL_MACHINE\: Search\\Default_Search_URL -> http://www.google.com/ie -> 
HKEY_LOCAL_MACHINE\: Search\\SearchAssistant -> http://www.google.com/ie -> 
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> -> 
HKEY_CURRENT_USER\: Main\\Local Page -> C:\WINDOWS\system32\blank.htm -> 
HKEY_CURRENT_USER\: Main\\Search Page -> file://c:/windows/homepage.html -> 
HKEY_CURRENT_USER\: Main\\Start Page -> file://c:/windows/homepage.html -> 
HKEY_CURRENT_USER\: ProxyEnable -> 0 -> 
< Internet Explorer Settings [HKEY_USERS\.DEFAULT\] > -> -> 
HKEY_USERS\.DEFAULT\: ProxyEnable -> 0 -> 
< Internet Explorer Settings [HKEY_USERS\S-1-5-18\] > -> -> 
HKEY_USERS\S-1-5-18\: ProxyEnable -> 0 -> 
< Internet Explorer Settings [HKEY_USERS\S-1-5-19\] > -> -> 
HKEY_USERS\S-1-5-19\: ProxyEnable -> 0 -> 
< Internet Explorer Settings [HKEY_USERS\S-1-5-20\] > -> -> 
HKEY_USERS\S-1-5-20\: ProxyEnable -> 0 -> 
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-1481906607-906242103-959738221-500\] > -> -> 
HKEY_USERS\S-1-5-21-1481906607-906242103-959738221-500\: Main\\Local Page -> C:\WINDOWS\system32\blank.htm -> 
HKEY_USERS\S-1-5-21-1481906607-906242103-959738221-500\: Main\\Search Page -> file://c:/windows/homepage.html -> 
HKEY_USERS\S-1-5-21-1481906607-906242103-959738221-500\: Main\\Start Page -> file://c:/windows/homepage.html -> 
HKEY_USERS\S-1-5-21-1481906607-906242103-959738221-500\: ProxyEnable -> 0 -> 
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 1 domain(s) found. -> 
1 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_USERS\S-1-5-21-1481906607-906242103-959738221-500\] > -> HKEY_USERS\S-1-5-21-1481906607-906242103-959738221-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_USERS\S-1-5-21-1481906607-906242103-959738221-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_USERS\S-1-5-21-1481906607-906242103-959738221-500\] > -> HKEY_USERS\S-1-5-21-1481906607-906242103-959738221-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_USERS\S-1-5-21-1481906607-906242103-959738221-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ -> 
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 59032 bytes | Modified Date = 12/18/2006 4:16:42 AM | Attr =	]
{AA58ED58-01DD-4d91-8333-CF10577473F7} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Google\GoogleToolbar1.dll [Google Toolbar Helper] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 11/19/2007 10:32:44 PM | Attr = R  ]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll [Google Toolbar Notifier BHO] -> Google Inc. [Ver = 3, 0, 1225, 9868 | Size = 734704 bytes | Modified Date = 4/9/2008 7:47:23 PM | Attr =	]
{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\sockins32.dll [Microsoft copyright] -> ThinkPad [Ver = 1, 0, 0, 1 | Size = 32768 bytes | Modified Date = 4/28/2008 8:40:36 PM | Attr =	]
< Internet Explorer Bars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ -> 
{32683183-48a0-441b-a342-7c2a440a9478} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
< Internet Explorer Bars [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ -> 
{32683183-48a0-441b-a342-7c2a440a9478} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
< Internet Explorer Bars [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ -> 
{32683183-48a0-441b-a342-7c2a440a9478} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
< Internet Explorer Bars [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ -> 
{32683183-48a0-441b-a342-7c2a440a9478} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
< Internet Explorer Bars [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ -> 
{32683183-48a0-441b-a342-7c2a440a9478} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
< Internet Explorer Bars [HKEY_USERS\S-1-5-21-1481906607-906242103-959738221-500\] > -> HKEY_USERS\S-1-5-21-1481906607-906242103-959738221-500\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ -> 
{32683183-48a0-441b-a342-7c2a440a9478} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar -> 
{2318C2B1-4965-11d4-9B18-009027A5CD4F} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Google\GoogleToolbar1.dll [&Google] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 11/19/2007 10:32:44 PM | Attr = R  ]
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ -> 
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Sun Java Console] -> File not found
{A5ABA0BB-F195-40d8-A5E9-0801153E6597}:{2151DA8C-C5B6-4B4F-86AB-BDA449BF8747} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\EverNote\EverNote\enbar.dll [Add to EverNote] -> EverNote Corporation [Ver = 1, 0, 0, 33 | Size = 229376 bytes | Modified Date = 10/17/2005 2:07:52 PM | Attr =	]
{C1994287-422F-47aa-8E5E-6323E210A125}:{4B5F7606-8666-4D5A-9780-DB92A9D8812B} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Novell\ZENworks\AxNalServer.dll [Novell delivered applications] -> Novell, Inc [Ver = 6.5.20.0 | Size = 516096 bytes | Modified Date = 9/8/2005 11:34:34 AM | Attr =	]
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ -> 
PluginsPageFriendlyName -> Microsoft ActiveX Gallery -> 
PluginsPage -> http://activex.microsoft.com/controls/find.asp?ext=%s&mime=%s -> 
< DNS Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ -> 
{11A44031-9B91-4788-9C65-A8A1F71B4577} -> 85.255.114.18,85.255.112.102   (Intel(R) PRO/Wireless 2200BG Network Connection) -> 
{4EAFB4E5-A922-4BBE-A865-98C6CD482A55} -> 85.255.114.18,85.255.112.102   (1394 Net Adapter) -> 
{CC64AD94-3163-4E7F-906C-FAD73E0D01F0} -> 85.255.114.18,85.255.112.102   (Broadcom 440x 10/100 Integrated Controller) -> 
< Winsock2 Catalogs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\ -> 
NameSpace_Catalog5\Catalog_Entries\000000000004 [Novell Directory Services Name Provider] -> %SystemRoot%\system32\NetWare\nwws2nds.dll -> Novell, Inc. [Ver = 4.91 | Size = 36947 bytes | Modified Date = 10/27/2005 5:24:08 PM | Attr = R  ]
NameSpace_Catalog5\Catalog_Entries\000000000005 [Novell IPX/SPX SAP Name Provider] -> %SystemRoot%\system32\NetWare\nwws2sap.dll -> Novell, Inc. [Ver = 4.91 | Size = 32851 bytes | Modified Date = 10/27/2005 5:24:08 PM | Attr = R  ]
NameSpace_Catalog5\Catalog_Entries\000000000006 [Novell SLP Provider] -> %SystemRoot%\system32\NetWare\nwws2slp.dll -> Novell, Inc. [Ver = 4.91 | Size = 49235 bytes | Modified Date = 10/27/2005 5:24:10 PM | Attr = R  ]
< Default Protocols [HKEY_USERS\.DEFAULT\] - Select to Repair > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults -> 
shell -> shell protocol not assigned -> 
< Default Protocols [HKEY_USERS\S-1-5-18\] - Select to Repair > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults -> 
shell -> shell protocol not assigned -> 
< Default Protocols [HKEY_USERS\S-1-5-19\] - Select to Repair > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults -> 
shell -> shell protocol not assigned -> 
< Default Protocols [HKEY_USERS\S-1-5-20\] - Select to Repair > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults -> 
shell -> shell protocol not assigned -> 
< Protocol Handlers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ -> 
cetihpz:{CF184AD3-CDCB-4168-A3F7-8E447D129300} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\HP\hpcoretech\comp\hpuiprot.dll[CZipHandler Object] -> Hewlett-Packard Company [Ver = 2.1.4 | Size = 81920 bytes | Modified Date = 12/22/2003 8:38:40 AM | Attr =	]
ipp: [HKEY_LOCAL_MACHINE] -> No CLSID value
msdaipp: [HKEY_LOCAL_MACHINE] -> No CLSID value
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ -> 
{149E45D8-163E-4189-86FC-45022AB2B6C9}[HKEY_LOCAL_MACHINE] -> file://C:\Program Files\Mystery P.I. - The Lottery Ticket\Images\stg_drm.ocx[SpinTop DRM Control] -> 
{166B1BCA-3F9C-11CF-8075-444553540000}[HKEY_LOCAL_MACHINE] -> http://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab[Shockwave ActiveX Control] -> 
{238F6F83-B8B4-11CF-8771-00A024541EE3}[HKEY_LOCAL_MACHINE] -> https://nfuse.scdmh.org/Citrix/ICAWEB/en/ica32/wficac.cab[Citrix ICA Client] -> 
{3E68E405-C6DE-49FF-83AE-41EE9F4C36CE}[HKEY_LOCAL_MACHINE] -> http://office.microsoft.com/officeupdate/content/opuc3.cab[Office Update Installation Engine] -> 
{6414512B-B978-451D-A0D8-FCFDF33E833C}[HKEY_LOCAL_MACHINE] -> http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1155758070514[WUWebControl Class] -> 
{6A060448-60F9-11D5-A6CD-0002B31F7455}[HKEY_LOCAL_MACHINE] -> [ExentInf Class] -> 
{8AD9C840-044E-11D1-B3E9-00805F499D93}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab[Java Plug-in 1.4.2_05] -> 
{CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab[Java Plug-in 1.4.2_05] -> 
< Module Usage Keys [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.1/stg_drm.ocx\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.1/stg_drm.ocx\\.Owner -> {149E45D8-163E-4189-86FC-45022AB2B6C9} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.1/stg_drm.ocx\\{149E45D8-163E-4189-86FC-45022AB2B6C9} ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ExentCtl.ocx\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ExentCtl.ocx\\.Owner -> {6A060448-60F9-11D5-A6CD-0002B31F7455} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ExentCtl.ocx\\{6A060448-60F9-11D5-A6CD-0002B31F7455} ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/stg_drm.ocx\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/stg_drm.ocx\\.Owner -> {149E45D8-163E-4189-86FC-45022AB2B6C9} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/stg_drm.ocx\\{149E45D8-163E-4189-86FC-45022AB2B6C9} ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/opuc.dll\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/opuc.dll\\.Owner -> {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/opuc.dll\\{3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/wuweb.dll\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/wuweb.dll\\.Owner -> {6414512B-B978-451D-A0D8-FCFDF33E833C} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/wuweb.dll\\{6414512B-B978-451D-A0D8-FCFDF33E833C} ->  -> 


[Registry - Additional Scans - Non-Microsoft Only]
< BotCheck > -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\\DefaultLaunchPermission -> [Binary data over 100 bytes] -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\\EnableDCOM -> Y -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\\MachineLaunchRestriction -> [Binary data over 100 bytes] -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\\MachineAccessRestriction -> [Binary data over 100 bytes] -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\\{A50398B8-9075-4FBF-A7A1-456BF21937AD} -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\\{AD65A69D-3831-40D7-9629-9B0B50A93843} -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\\{0040D221-54A1-11D1-9DE0-006097042D69} -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\\{2A6D72F1-6E7E-4702-B99C-E40D3DED33C3} -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\NONREDIST\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\NONREDIST\\System.EnterpriseServices.Thunk.dll ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\AntiVirusDisableNotify -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\FirewallDisableNotify -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\UpdatesDisableNotify -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\AntiVirusOverride -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\FirewallOverride -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus\\DisableMonitoring -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall\ -> -> 
Reg Error: Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\ not found. -> -> 
Reg Error: Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\ not found. -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ -> ->
*Authentication Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages -> 
msv1_0 -> %SystemRoot%\system32\msv1_0.dll -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 129536 bytes | Modified Date = 8/4/2004 12:56:44 AM | Attr =	]
nwv1_0 -> %SystemRoot%\system32\nwv1_0.dll -> Novell, Inc. [Ver = v4.71 (000217) | Size = 8480 bytes | Modified Date = 2/17/2000 7:54:28 AM | Attr =	]
*MultiFile Done* -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Bounds -> 0  [binary data] -> 
*Security Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Security Packages -> 
kerberos -> %SystemRoot%\system32\kerberos.dll -> Microsoft Corporation [Ver = 5.1.2600.2698 (xpsp_sp2_gdr.050614-1522) | Size = 295936 bytes | Modified Date = 6/15/2005 1:49:30 PM | Attr =	]
msv1_0 -> %SystemRoot%\system32\msv1_0.dll -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 129536 bytes | Modified Date = 8/4/2004 12:56:44 AM | Attr =	]
schannel -> %SystemRoot%\system32\schannel.dll -> Microsoft Corporation [Ver = 5.1.2600.3126 (xpsp_sp2_gdr.070425-0226) | Size = 144896 bytes | Modified Date = 4/25/2007 10:21:15 AM | Attr =	]
wdigest -> %SystemRoot%\system32\wdigest.dll -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 49152 bytes | Modified Date = 8/4/2004 12:56:48 AM | Attr =	]
*MultiFile Done* -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\LsaPid -> 964 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\SecureBoot -> 1 -> 
*Notification Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Notification Packages -> 
scecli -> %SystemRoot%\system32\scecli.dll -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 180224 bytes | Modified Date = 8/4/2004 12:56:46 AM | Attr =	]
*MultiFile Done* -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\ImpersonatePrivilegeUpgradeToolHasRun -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\AuditBaseObjects -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\CrashOnAuditFail -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\DisableDomainCreds -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\EveryoneIncludesAnonymous -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\FIPSAlgorithmPolicy -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\ForceGuest -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\FullPrivilegeAuditing ->  [binary data] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\LimitBlankPasswordUse -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\LmCompatibilityLevel -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\NoDefaultAdminOwner -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\NoLMHash -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\RestrictAnonymous -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\RestrictAnonymousSAM -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\ -> -> 
*ProviderOrder* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\\ProviderOrder -> 
Windows NT Access Provider ->  -> File not found
*MultiFile Done* -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider\\ProviderPath -> C:\WINDOWS\system32\ntmarta.dll [%SystemRoot%\system32\ntmarta.dll] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 118784 bytes | Modified Date = 8/4/2004 12:56:46 AM | Attr =	]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data\\Pattern -> 33 27 0D FD 2B 7C 4C EA 16 0D 8B 88 52 C7 B9 32 30 32 37 37 34 64 62 37 00 68 07 00 01 00 00 00 DC 00 00 00 E0 00 00 00 48 FA 06 00 97 55 5A 74 04 00 00 00 A0 FD 06 00 B8 FD 06 00 39 02 73 8C  [binary data] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG\\GrafBlumGroup -> A3 14 6F CA 2E B8 EA AD 5B  [binary data] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD\\Lookup -> 7F 28 C7 13 5C 4E  [binary data] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\SidCache\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\\Auth132 -> C:\WINDOWS\system32\iissuba.dll [IISSUBA] -> Microsoft Corporation [Ver = 6.0.2600.0 (xpclient.010817-1148) | Size = 9216 bytes | Modified Date = 8/23/2001 8:00:00 AM | Attr =	]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\\NTLMMinClientSec -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\\NTLMMinServerSec -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1\\SkewMatrix -> B5 7B 04 57 25 71 AD E2 EE 51 47 42 48 AC 58 E2  [binary data] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4\\SSOURL -> http://www.passport.com -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\\Time -> 2A 98 A2 C0 9E 8A C8 01  [binary data] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Name -> Digest -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Comment -> Digest SSPI Authentication Package -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Capabilities -> 16464 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\RpcId -> 65535 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Version -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\TokenSize -> 65535 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Time -> 00 CE 2E 70 DF 79 C4 01  [binary data] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Type -> 49 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Name -> DPA -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Comment -> DPA Security Package -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Capabilities -> 55 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\RpcId -> 17 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Version -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\TokenSize -> 768 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Time -> 00 CE 2E 70 DF 79 C4 01  [binary data] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Type -> 49 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Name -> MSN -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Comment -> MSN Security Package -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Capabilities -> 55 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\RpcId -> 18 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Version -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\TokenSize -> 768 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Time -> 00 CE 2E 70 DF 79 C4 01  [binary data] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Type -> 49 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\Type -> 32 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\Start -> 2 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\ErrorControl -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\ImagePath -> C:\WINDOWS\system32\svchost.exe [%SystemRoot%\System32\svchost.exe -k netsvcs] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 8/4/2004 12:56:58 AM | Attr =	]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\DisplayName -> Windows Firewall/Internet Connection Sharing (ICS) -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\DependOnService -> Netman;WinMgmt; -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\DependOnGroup ->  -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\ObjectName -> LocalSystem -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\Description -> Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network. -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\\Epoch -> 7141 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\\ServiceDll -> C:\WINDOWS\system32\ipnathlp.dll [%SystemRoot%\System32\ipnathlp.dll] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 331264 bytes | Modified Date = 8/4/2004 12:56:44 AM | Attr =	]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\%windir%\system32\sessmgr.exe -> C:\WINDOWS\system32\sessmgr.exe [%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 140800 bytes | Modified Date = 8/4/2004 12:56:58 AM | Attr =	]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\\EnableFirewall -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\%windir%\system32\sessmgr.exe -> C:\WINDOWS\system32\sessmgr.exe [%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 140800 bytes | Modified Date = 8/4/2004 12:56:58 AM | Attr =	]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Novell\GroupWise\grpwise.exe -> C:\Novell\GroupWise\grpwise.exe [C:\Novell\GroupWise\grpwise.exe:*:Enabled:Novell GroupWise] -> Novell, Inc. [Ver = 7.0.1 | Size = 5836860 bytes | Modified Date = 6/13/2006 6:14:54 PM | Attr =	]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Novell\GroupWise\notify.exe -> C:\Novell\GroupWise\notify.exe [C:\Novell\GroupWise\notify.exe:*:Enabled:Novell Notify] -> Novell, Inc. [Ver = 7.0.1 | Size = 192570 bytes | Modified Date = 6/13/2006 6:20:52 PM | Attr =	]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE -> C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE [C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE:*:Enabled:Outlook] -> Microsoft Corporation [Ver = 11.0.8118 | Size = 196368 bytes | Modified Date = 11/23/2006 9:56:04 PM | Attr =	]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\IncrediMail\bin\ImApp.exe -> C:\Program Files\IncrediMail\bin\ImApp.exe [C:\Program Files\IncrediMail\bin\ImApp.exe:*:Enabled:IncrediMail] -> File not found
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\IncrediMail\bin\IncMail.exe -> C:\Program Files\IncrediMail\bin\IncMail.exe [C:\Program Files\IncrediMail\bin\IncMail.exe:*:Enabled:IncrediMail] -> File not found
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\IncrediMail\bin\ImpCnt.exe -> C:\Program Files\IncrediMail\bin\ImpCnt.exe [C:\Program Files\IncrediMail\bin\ImpCnt.exe:*:Enabled:IncrediMail] -> IncrediMail, Ltd. [Ver = 5, 6, 8, 3358 | Size = 95672 bytes | Modified Date = 1/23/2008 1:43:42 PM | Attr =	]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Magentic\bin\MgImp.exe -> C:\Program Files\Magentic\bin\MgImp.exe [C:\Program Files\Magentic\bin\MgImp.exe:*:Enabled:Magentic] -> IncrediMail, Ltd. [Ver = 1, 3, 1, 0633 | Size = 75144 bytes | Modified Date = 3/9/2008 11:00:42 AM | Attr =	]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Magentic\bin\Magentic.exe -> C:\Program Files\Magentic\bin\Magentic.exe [C:\Program Files\Magentic\bin\Magentic.exe:*:Enabled:Magentic] ->  [Ver = 1, 3, 1, 0633 | Size = 480648 bytes | Modified Date = 3/9/2008 11:00:40 AM | Attr =	]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Magentic\bin\MgApp.exe -> C:\Program Files\Magentic\bin\MgApp.exe [C:\Program Files\Magentic\bin\MgApp.exe:*:Enabled:Magentic] ->  [Ver = 1, 3, 1, 0633 | Size = 112008 bytes | Modified Date = 3/9/2008 11:00:42 AM | Attr =	]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\1900:UDP -> 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\2869:TCP -> 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\1947:TCP -> 1947:TCP:*:Enabled:HASP SRM  -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\1947:UDP -> 1947:UDP:*:Enabled:HASP SRM  -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Security\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Security\\Security -> [Binary data over 100 bytes] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\\ServiceUpgrade -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate\\{CC64AD94-3163-4E7F-906C-FAD73E0D01F0} -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate\\{4EAFB4E5-A922-4BBE-A865-98C6CD482A55} -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate\\{11A44031-9B91-4788-9C65-A8A1F71B4577} -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\\0 -> Root\LEGACY_SHAREDACCESS\0000 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\\Count -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\\NextInstance -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Type -> 32 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Start -> 2 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ErrorControl -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ImagePath -> C:\WINDOWS\system32\svchost.exe [%systemRoot%\System32\svchost.exe -k netsvcs] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 8/4/2004 12:56:58 AM | Attr =	]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\DisplayName -> Automatic Updates -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ObjectName -> LocalSystem -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Description -> Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site. -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters\\ServiceDll -> C:\WINDOWS\system32\wuauserv.dll [C:\WINDOWS\system32\wuauserv.dll] -> Microsoft Corporation [Ver = 5.4.3790.2180 (xpsp_sp2_rtm.040803-2158) | Size = 6656 bytes | Modified Date = 8/4/2004 12:56:48 AM | Attr =	]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Security\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Security\\Security -> [Binary data over 100 bytes] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\0 -> Root\LEGACY_WUAUSERV\0000 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\Count -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\NextInstance -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\Description -> Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. If this service is disabled, any services that explicitly depend on it will fail to start. -> 
*DependOnService* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\DependOnService -> 
RPCSS -> %SystemRoot%\system32\rpcss.dll -> Microsoft Corporation [Ver = 5.1.2600.2726 (xpsp_sp2_gdr.050725-1528) | Size = 397824 bytes | Modified Date = 7/26/2005 12:39:49 AM | Attr =	]
*MultiFile Done* -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\DisplayName -> Remote Registry -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\ErrorControl -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\ImagePath -> C:\WINDOWS\system32\svchost.exe [%SystemRoot%\system32\svchost.exe -k LocalService] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 8/4/2004 12:56:58 AM | Attr =	]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\ObjectName -> NT AUTHORITY\LocalService -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\Group ->  -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\Start -> 2 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\Type -> 32 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\FailureActions -> 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 E0 AD 08 00 01 00 00 00 E8 03 00 00  [binary data] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Parameters\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Parameters\\ServiceDll -> C:\WINDOWS\system32\regsvc.dll [%SystemRoot%\system32\regsvc.dll] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 59904 bytes | Modified Date = 8/4/2004 12:56:46 AM | Attr =	]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Security\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Security\\Security -> [Binary data over 100 bytes] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Enum\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Enum\\0 -> Root\LEGACY_REMOTEREGISTRY\0000 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Enum\\Count -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Enum\\NextInstance -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\Type -> 16 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\Start -> 3 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\ErrorControl -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\ImagePath -> C:\WINDOWS\system32\tlntsvr.exe [C:\WINDOWS\System32\tlntsvr.exe] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 73216 bytes | Modified Date = 8/4/2004 12:56:58 AM | Attr =	]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\DisplayName -> Telnet -> 
*DependOnService* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\DependOnService -> 
RPCSS -> %SystemRoot%\system32\rpcss.dll -> Microsoft Corporation [Ver = 5.1.2600.2726 (xpsp_sp2_gdr.050725-1528) | Size = 397824 bytes | Modified Date = 7/26/2005 12:39:49 AM | Attr =	]
TCPIP ->  -> File not found
NTLMSSP ->  -> File not found
*MultiFile Done* -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\DependOnGroup ->  -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\ObjectName -> LocalSystem -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\Description -> Enables a remote user to log on to this computer and run programs, and supports various TCP/IP Telnet clients, including UNIX-based and Windows-based computers. If this service is stopped, remote user access to programs might be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Security\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Security\\Security -> [Binary data over 100 bytes] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings\\ProxyEnable -> 0 -> 


[Files/Folders - Created Within 30 days]
CbEvtSvc.exe -> %SystemRoot%\System32\CbEvtSvc.exe ->  [Ver =  | Size = 91648 bytes | Created Date = 4/28/2008 3:56:02 PM | Attr =	]
@Alternate Data Stream - 26 bytes -> %SystemRoot%\System32\CbEvtSvc.exe:Zone.Identifier
lt.res -> %SystemRoot%\System32\lt.res ->  [Ver =  | Size = 251 bytes | Created Date = 4/28/2008 8:48:27 PM | Attr =	]
sft.res -> %SystemRoot%\System32\sft.res ->  [Ver =  | Size = 7286 bytes | Created Date = 4/28/2008 8:40:36 PM | Attr =	]
sockins32.dll -> %SystemRoot%\System32\sockins32.dll -> ThinkPad [Ver = 1, 0, 0, 1 | Size = 32768 bytes | Created Date = 4/28/2008 8:40:36 PM | Attr =	]
homepage.html -> %SystemRoot%\homepage.html ->  [Ver =  | Size = 1296 bytes | Created Date = 4/28/2008 8:48:28 PM | Attr =	]
ie7updates -> %SystemRoot%\ie7updates ->  [Folder | Created Date = 4/20/2008 5:44:20 PM | Attr =	]
4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> 
index.html -> %SystemRoot%\index.html ->  [Ver =  | Size = 1950 bytes | Created Date = 4/28/2008 8:40:36 PM | Attr =	]
promo1.html -> %SystemRoot%\promo1.html ->  [Ver =  | Size = 285 bytes | Created Date = 4/28/2008 8:48:28 PM | Attr =	]
promo2.html -> %SystemRoot%\promo2.html ->  [Ver =  | Size = 285 bytes | Created Date = 4/28/2008 8:48:30 PM | Attr =	]
promo3.html -> %SystemRoot%\promo3.html ->  [Ver =  | Size = 285 bytes | Created Date = 4/28/2008 8:48:30 PM | Attr =	]
promo4.html -> %SystemRoot%\promo4.html ->  [Ver =  | Size = 502 bytes | Created Date = 4/28/2008 8:48:31 PM | Attr =	]
promo5.html -> %SystemRoot%\promo5.html ->  [Ver =  | Size = 480 bytes | Created Date = 4/28/2008 8:48:31 PM | Attr =	]
promo6.html -> %SystemRoot%\promo6.html ->  [Ver =  | Size = 509 bytes | Created Date = 4/28/2008 8:48:31 PM | Attr =	]
promogif1.gif -> %SystemRoot%\promogif1.gif ->  [Ver =  | Size = 24351 bytes | Created Date = 4/28/2008 8:48:30 PM | Attr =	]
promogif2.gif -> %SystemRoot%\promogif2.gif ->  [Ver =  | Size = 24066 bytes | Created Date = 4/28/2008 8:48:30 PM | Attr =	]
promogif3.gif -> %SystemRoot%\promogif3.gif ->  [Ver =  | Size = 57546 bytes | Created Date = 4/28/2008 8:48:30 PM | Attr =	]
[Files Created - Additional Folder Scans - Non-Microsoft Only]
Windows Genuine Advantage -> %AllUsersProfile%\Application Data\Windows Genuine Advantage ->  [Folder | Created Date = 4/21/2008 7:53:21 AM | Attr =	]
desktop.ini -> %AppData%\desktop.ini ->  [Ver =  | Size = 62 bytes | Created Date = 4/29/2008 7:08:45 PM | Attr =  HS]
Identities -> %AppData%\Identities ->  [Folder | Created Date = 4/29/2008 7:09:47 PM | Attr =	]
Microsoft -> %AppData%\Microsoft ->  [Folder | Created Date = 4/29/2008 7:08:37 PM | Attr =   S]
Sonic -> %AppData%\Sonic ->  [Folder | Created Date = 4/29/2008 7:10:36 PM | Attr =	]
GDIPFONTCACHEV1.DAT -> %UserProfile%\Local Settings\Application Data\GDIPFONTCACHEV1.DAT ->  [Ver =  | Size = 81680 bytes | Created Date = 4/29/2008 7:09:18 PM | Attr =	]
Microsoft -> %UserProfile%\Local Settings\Application Data\Microsoft ->  [Folder | Created Date = 4/29/2008 7:08:48 PM | Attr =	]
desktop.ini -> %UserProfile%\My Documents\desktop.ini ->  [Ver =  | Size = 84 bytes | Created Date = 4/29/2008 7:09:11 PM | Attr =  HS]
My Music -> %UserProfile%\My Documents\My Music ->  [Folder | Created Date = 4/29/2008 7:09:11 PM | Attr = R  ]
My Pictures -> %UserProfile%\My Documents\My Pictures ->  [Folder | Created Date = 4/29/2008 7:09:11 PM | Attr = R  ]
OTScanIt -> %UserProfile%\Desktop\OTScanIt ->  [Folder | Created Date = 4/29/2008 7:12:31 PM | Attr =	]
OTScanIt.exe -> %UserProfile%\Desktop\OTScanIt.exe ->  [Ver =  | Size = 542996 bytes | Created Date = 4/29/2008 7:11:46 PM | Attr =	]
desktop.ini -> %UserProfile%\Start Menu\Programs\Startup\desktop.ini ->  [Ver =  | Size = 84 bytes | Created Date = 4/29/2008 7:08:37 PM | Attr =  HS]

[Files/Folders - Modified Within 30 days]
Config.Msi -> %SystemDrive%\Config.Msi ->  [Folder | Modified Date = 4/29/2008 7:10:03 PM | Attr =  H ]
Documents and Settings -> %SystemDrive%\Documents and Settings ->  [Folder | Modified Date = 4/29/2008 7:08:35 PM | Attr =	]
NALCache -> %SystemDrive%\NALCache ->  [Folder | Modified Date = 4/29/2008 7:10:47 PM | Attr =  H ]
Program Files -> %ProgramFiles% ->  [Folder | Modified Date = 4/29/2008 7:09:52 PM | Attr = R  ]
RECYCLER -> %SystemDrive%\RECYCLER ->  [Folder | Modified Date = 4/29/2008 7:16:18 PM | Attr =  HS]
WINDOWS -> %SystemRoot% ->  [Folder | Modified Date = 4/29/2008 7:10:53 PM | Attr =	]
CatRoot2 -> %SystemRoot%\System32\CatRoot2 ->  [Folder | Modified Date = 4/29/2008 12:03:02 PM | Attr =	]
1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> 
CbEvtSvc.exe -> %SystemRoot%\System32\CbEvtSvc.exe ->  [Ver =  | Size = 91648 bytes | Modified Date = 4/28/2008 3:56:01 PM | Attr =	]
@Alternate Data Stream - 26 bytes -> %SystemRoot%\System32\CbEvtSvc.exe:Zone.Identifier
dllcache -> %SystemRoot%\System32\dllcache ->  [Folder | Modified Date = 4/21/2008 7:53:17 AM | Attr = RHS]
drivers -> %SystemRoot%\System32\drivers ->  [Folder | Modified Date = 4/20/2008 8:59:43 PM | Attr =	]
en-US -> %SystemRoot%\System32\en-US ->  [Folder | Modified Date = 4/20/2008 5:49:50 PM | Attr =	]
FNTCACHE.DAT -> %SystemRoot%\System32\FNTCACHE.DAT ->  [Ver =  | Size = 282128 bytes | Modified Date = 4/20/2008 6:14:24 PM | Attr =	]
GroupPolicy -> %SystemRoot%\System32\GroupPolicy ->  [Folder | Modified Date = 4/29/2008 7:09:08 PM | Attr =  H ]
lt.res -> %SystemRoot%\System32\lt.res ->  [Ver =  | Size = 251 bytes | Modified Date = 4/28/2008 8:48:31 PM | Attr =	]
perfc009.dat -> %SystemRoot%\System32\perfc009.dat ->  [Ver =  | Size = 54010 bytes | Modified Date = 4/21/2008 7:44:00 AM | Attr =	]
perfh009.dat -> %SystemRoot%\System32\perfh009.dat ->  [Ver =  | Size = 383822 bytes | Modified Date = 4/21/2008 7:44:00 AM | Attr =	]
PerfStringBackup.INI -> %SystemRoot%\System32\PerfStringBackup.INI ->  [Ver =  | Size = 443556 bytes | Modified Date = 4/21/2008 7:44:00 AM | Attr =	]
sft.res -> %SystemRoot%\System32\sft.res ->  [Ver =  | Size = 7286 bytes | Modified Date = 4/28/2008 8:48:27 PM | Attr =	]
sockins32.dll -> %SystemRoot%\System32\sockins32.dll -> ThinkPad [Ver = 1, 0, 0, 1 | Size = 32768 bytes | Modified Date = 4/28/2008 8:40:36 PM | Attr =	]
tablet.dat -> %SystemRoot%\System32\tablet.dat ->  [Ver =  | Size = 16106 bytes | Modified Date = 4/29/2008 7:08:30 PM | Attr =	]
wpa.dbl -> %SystemRoot%\System32\wpa.dbl ->  [Ver =  | Size = 2206 bytes | Modified Date = 4/29/2008 7:09:24 PM | Attr =	]
$hf_mig$ -> %SystemRoot%\$hf_mig$ ->  [Folder | Modified Date = 4/20/2008 8:59:14 PM | Attr =  H ]
4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> 
bootstat.dat -> %SystemRoot%\bootstat.dat ->  [Ver =  | Size = 2048 bytes | Modified Date = 4/29/2008 7:07:56 PM | Attr =   S]
homepage.html -> %SystemRoot%\homepage.html ->  [Ver =  | Size = 1296 bytes | Modified Date = 4/28/2008 8:48:28 PM | Attr =	]
ie7updates -> %SystemRoot%\ie7updates ->  [Folder | Modified Date = 4/20/2008 5:44:20 PM | Attr =	]
imsins.BAK -> %SystemRoot%\imsins.BAK ->  [Ver =  | Size = 1374 bytes | Modified Date = 4/20/2008 8:59:35 PM | Attr =	]
index.html -> %SystemRoot%\index.html ->  [Ver =  | Size = 1950 bytes | Modified Date = 4/28/2008 8:48:28 PM | Attr =	]
inf -> %SystemRoot%\inf ->  [Folder | Modified Date = 4/21/2008 8:12:55 AM | Attr =  H ]
Installer -> %SystemRoot%\Installer ->  [Folder | Modified Date = 4/29/2008 7:10:03 PM | Attr =  HS]
Prefetch -> %SystemRoot%\Prefetch ->  [Folder | Modified Date = 4/29/2008 7:12:53 PM | Attr =	]
promo1.html -> %SystemRoot%\promo1.html ->  [Ver =  | Size = 285 bytes | Modified Date = 4/28/2008 8:48:28 PM | Attr =	]
promo2.html -> %SystemRoot%\promo2.html ->  [Ver =  | Size = 285 bytes | Modified Date = 4/28/2008 8:48:30 PM | Attr =	]
promo3.html -> %SystemRoot%\promo3.html ->  [Ver =  | Size = 285 bytes | Modified Date = 4/28/2008 8:48:30 PM | Attr =	]
promo4.html -> %SystemRoot%\promo4.html ->  [Ver =  | Size = 502 bytes | Modified Date = 4/28/2008 8:48:31 PM | Attr =	]
promo5.html -> %SystemRoot%\promo5.html ->  [Ver =  | Size = 480 bytes | Modified Date = 4/28/2008 8:48:31 PM | Attr =	]
promo6.html -> %SystemRoot%\promo6.html ->  [Ver =  | Size = 509 bytes | Modified Date = 4/28/2008 8:48:31 PM | Attr =	]
promogif1.gif -> %SystemRoot%\promogif1.gif ->  [Ver =  | Size = 24351 bytes | Modified Date = 4/28/2008 8:48:30 PM | Attr =	]
promogif2.gif -> %SystemRoot%\promogif2.gif ->  [Ver =  | Size = 24066 bytes | Modified Date = 4/28/2008 8:48:30 PM | Attr =	]
promogif3.gif -> %SystemRoot%\promogif3.gif ->  [Ver =  | Size = 57546 bytes | Modified Date = 4/28/2008 8:48:30 PM | Attr =	]
system32 -> %SystemRoot%\system32 ->  [Folder | Modified Date = 4/29/2008 7:08:29 PM | Attr =	]
Temp -> %SystemRoot%\Temp ->  [Folder | Modified Date = 4/29/2008 7:10:32 PM | Attr =	]
WPCMAPI.INI -> %SystemRoot%\WPCMAPI.INI ->  [Ver =  | Size = 86 bytes | Modified Date = 4/29/2008 7:46:23 AM | Attr =	]
SA.DAT -> %SystemRoot%\tasks\SA.DAT ->  [Ver =  | Size = 6 bytes | Modified Date = 4/29/2008 7:08:07 PM | Attr =  H ]
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\ -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader ->  [Folder | Modified Date = 8/16/2006 9:58:59 PM | Attr =	]
qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat ->  [Ver =  | Size = 4232 bytes | Modified Date = 4/20/2008 6:17:38 PM | Attr =	]
qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat ->  [Ver =  | Size = 4617 bytes | Modified Date = 4/20/2008 6:17:38 PM | Attr =	]
C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA\ -> C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA ->  [Folder | Modified Date = 8/17/2006 9:58:59 AM | Attr =	]
opa11.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA\opa11.dat ->  [Ver =  | Size = 8206 bytes | Modified Date = 8/17/2006 9:58:59 AM | Attr =	]
C:\WINDOWS\Temp\sophos_autoupdate1.dir\ -> C:\WINDOWS\Temp\sophos_autoupdate1.dir\ ->  [Folder | Modified Date = 4/29/2008 7:08:29 PM | Attr =	]
ALUpdate.exe -> C:\WINDOWS\Temp\sophos_autoupdate1.dir\ALUpdate.exe -> Sophos Plc [Ver = 5.5.15.161 | Size = 606208 bytes | Modified Date = 3/19/2008 1:06:18 PM | Attr =	]
C:\WINDOWS\Temp\sophos_autoupdate1.dir\ -> C:\WINDOWS\Temp\sophos_autoupdate1.dir\ ->  [Folder | Modified Date = 4/29/2008 7:08:29 PM | Attr =	]
boost_date_time-vc71-mt-1_32.dll -> C:\WINDOWS\Temp\sophos_autoupdate1.dir\boost_date_time-vc71-mt-1_32.dll ->  [Ver =  | Size = 45056 bytes | Modified Date = 11/16/2007 5:26:34 PM | Attr =	]
ChannelUpdater.dll -> C:\WINDOWS\Temp\sophos_autoupdate1.dir\ChannelUpdater.dll -> Sophos Plc [Ver = 1.1.8.161 | Size = 94208 bytes | Modified Date = 3/19/2008 1:06:23 PM | Attr =	]
CidSync.dll -> C:\WINDOWS\Temp\sophos_autoupdate1.dir\CidSync.dll -> Sophos Plc [Ver = 3.2.3.131 | Size = 176128 bytes | Modified Date = 11/16/2007 5:26:36 PM | Attr =	]
crypto.dll -> C:\WINDOWS\Temp\sophos_autoupdate1.dir\crypto.dll ->  [Ver =  | Size = 20480 bytes | Modified Date = 11/16/2007 5:26:36 PM | Attr =	]
InstlMgr.dll -> C:\WINDOWS\Temp\sophos_autoupdate1.dir\InstlMgr.dll ->  [Ver = 1.0.3.1 | Size = 86016 bytes | Modified Date = 3/8/2006 6:19:10 PM | Attr =	]
libcurl.dll -> C:\WINDOWS\Temp\sophos_autoupdate1.dir\libcurl.dll -> The cURL library, http://curl.haxx.se/ [Ver = 7.15.0 | Size = 159744 bytes | Modified Date = 1/11/2007 8:38:01 AM | Attr =	]
libeay32.dll -> C:\WINDOWS\Temp\sophos_autoupdate1.dir\libeay32.dll ->  [Ver =  | Size = 745472 bytes | Modified Date = 11/16/2007 5:26:32 PM | Attr =	]
Logger.dll -> C:\WINDOWS\Temp\sophos_autoupdate1.dir\Logger.dll ->  [Ver = 1.0.7.1 | Size = 266240 bytes | Modified Date = 3/8/2006 6:19:10 PM | Attr =	]
MSVCP71.DLL -> C:\WINDOWS\Temp\sophos_autoupdate1.dir\MSVCP71.DLL -> Microsoft Corporation [Ver = 7.10.3077.0 | Size = 499712 bytes | Modified Date = 3/9/2005 10:25:34 AM | Attr =	]
MSVCR71.DLL -> C:\WINDOWS\Temp\sophos_autoupdate1.dir\MSVCR71.DLL -> Microsoft Corporation [Ver = 7.10.3052.4 | Size = 348160 bytes | Modified Date = 3/9/2005 10:26:04 AM | Attr =	]
retailer.dll -> C:\WINDOWS\Temp\sophos_autoupdate1.dir\retailer.dll -> Sophos Plc [Ver = 1.1.7.144 | Size = 208896 bytes | Modified Date = 11/16/2007 5:26:39 PM | Attr =	]
SharedRes.dll -> C:\WINDOWS\Temp\sophos_autoupdate1.dir\SharedRes.dll -> Sophos Plc [Ver = 1.4.38.131 | Size = 18432 bytes | Modified Date = 11/16/2007 5:26:39 PM | Attr =	]
xmlcpp.dll -> C:\WINDOWS\Temp\sophos_autoupdate1.dir\xmlcpp.dll ->  [Ver =  | Size = 14336 bytes | Modified Date = 11/16/2007 5:26:37 PM | Attr =	]
xmlparse.dll -> C:\WINDOWS\Temp\sophos_autoupdate1.dir\xmlparse.dll ->  [Ver =  | Size = 57344 bytes | Modified Date = 11/16/2007 5:26:31 PM | Attr =	]
xmltok.dll -> C:\WINDOWS\Temp\sophos_autoupdate1.dir\xmltok.dll ->  [Ver =  | Size = 73728 bytes | Modified Date = 11/16/2007 5:26:33 PM | Attr =	]
C:\WINDOWS\Temp\ -> C:\WINDOWS\Temp ->  [Folder | Modified Date = 4/29/2008 7:10:32 PM | Attr =	]
Perflib_Perfdata_3c8.dat -> C:\WINDOWS\Temp\Perflib_Perfdata_3c8.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 9/15/2006 7:29:40 AM | Attr =	]
Perflib_Perfdata_458.dat -> C:\WINDOWS\Temp\Perflib_Perfdata_458.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 11/19/2007 10:12:25 PM | Attr =	]
Perflib_Perfdata_470.dat -> C:\WINDOWS\Temp\Perflib_Perfdata_470.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 10/10/2007 7:29:14 AM | Attr =	]
Perflib_Perfdata_510.dat -> C:\WINDOWS\Temp\Perflib_Perfdata_510.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 1/16/2008 8:49:00 AM | Attr =	]
Perflib_Perfdata_55c.dat -> C:\WINDOWS\Temp\Perflib_Perfdata_55c.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 12/29/2007 10:17:03 PM | Attr =	]
Perflib_Perfdata_57c.dat -> C:\WINDOWS\Temp\Perflib_Perfdata_57c.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 1/17/2008 8:48:28 AM | Attr =	]
Perflib_Perfdata_5a8.dat -> C:\WINDOWS\Temp\Perflib_Perfdata_5a8.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 1/13/2008 9:09:37 PM | Attr =	]
Perflib_Perfdata_5d0.dat -> C:\WINDOWS\Temp\Perflib_Perfdata_5d0.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 11/26/2007 8:41:24 AM | Attr =	]
Perflib_Perfdata_65c.dat -> C:\WINDOWS\Temp\Perflib_Perfdata_65c.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 4/29/2008 7:09:17 PM | Attr =	]
Perflib_Perfdata_7b4.dat -> C:\WINDOWS\Temp\Perflib_Perfdata_7b4.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 3/22/2008 8:06:16 PM | Attr =	]
Perflib_Perfdata_c0.dat -> C:\WINDOWS\Temp\Perflib_Perfdata_c0.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 2/19/2008 7:30:22 PM | Attr =	]
6 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp -> 
C:\WINDOWS\Temp\sophos_autoupdate1.dir\ -> C:\WINDOWS\Temp\sophos_autoupdate1.dir\ ->  [Folder | Modified Date = 4/29/2008 7:08:29 PM | Attr =	]
scf.dat -> C:\WINDOWS\Temp\sophos_autoupdate1.dir\scf.dat ->  [Ver =  | Size = 2970 bytes | Modified Date = 3/19/2008 1:06:16 PM | Attr =	]
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
QuickTime -> %AllUsersProfile%\Application Data\QuickTime ->  [Folder | Modified Date = 4/21/2008 3:06:01 PM | Attr =	]
TEMP -> %AllUsersProfile%\Application Data\TEMP ->  [Folder | Modified Date = 4/11/2008 10:20:41 AM | Attr =	]
@Alternate Data Stream - 103 bytes -> %AllUsersProfile%\Application Data\TEMP:64648EF8
@Alternate Data Stream - 128 bytes -> %AllUsersProfile%\Application Data\TEMP:D31BE97C
@Alternate Data Stream - 119 bytes -> %AllUsersProfile%\Application Data\TEMP:F1C0B203
Windows Genuine Advantage -> %AllUsersProfile%\Application Data\Windows Genuine Advantage ->  [Folder | Modified Date = 4/21/2008 7:53:21 AM | Attr =	]
Identities -> %AppData%\Identities ->  [Folder | Modified Date = 4/29/2008 7:09:47 PM | Attr =	]
Microsoft -> %AppData%\Microsoft ->  [Folder | Modified Date = 4/29/2008 7:09:22 PM | Attr =   S]
Sonic -> %AppData%\Sonic ->  [Folder | Modified Date = 4/29/2008 7:10:36 PM | Attr =	]
GDIPFONTCACHEV1.DAT -> %UserProfile%\Local Settings\Application Data\GDIPFONTCACHEV1.DAT ->  [Ver =  | Size = 81680 bytes | Modified Date = 4/29/2008 7:09:18 PM | Attr =	]
Microsoft -> %UserProfile%\Local Settings\Application Data\Microsoft ->  [Folder | Modified Date = 4/29/2008 7:10:06 PM | Attr =	]
desktop.ini -> %UserProfile%\My Documents\desktop.ini ->  [Ver =  | Size = 84 bytes | Modified Date = 4/29/2008 7:10:03 PM | Attr =  HS]
My Music -> %UserProfile%\My Documents\My Music ->  [Folder | Modified Date = 4/29/2008 7:10:03 PM | Attr = R  ]
My Pictures -> %UserProfile%\My Documents\My Pictures ->  [Folder | Modified Date = 4/29/2008 7:10:03 PM | Attr = R  ]
OTScanIt -> %UserProfile%\Desktop\OTScanIt ->  [Folder | Modified Date = 4/29/2008 7:14:28 PM | Attr =	]
OTScanIt.exe -> %UserProfile%\Desktop\OTScanIt.exe ->  [Ver =  | Size = 542996 bytes | Modified Date = 4/29/2008 4:36:26 PM | Attr =	]
Microsoft Shared -> %CommonProgramFiles%\Microsoft Shared ->  [Folder | Modified Date = 4/29/2008 7:09:52 PM | Attr =	]
System -> %CommonProgramFiles%\System ->  [Folder | Modified Date = 4/29/2008 7:09:52 PM | Attr =	]

< End of report >

Thanks

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith




#2 OldTimer

    Malware Expert

Posted 29 April 2008 - 07:07 PM

Hi Rigel. We have a few items to remove but it should go fairly easy. Just follow the steps below in order.

Step #1

Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Drivers to delete:
CbEvtSvc
Files to delete:
%systemroot%\index.html
%systemroot%\promo1.html
%systemroot%\promo2.html
%systemroot%\promo3.html
%systemroot%\promo4.html
%systemroot%\promo5.html
%systemroot%\promo6.html
%systemroot%\promogif1.gif
%systemroot%\promogif2.gif
%systemroot%\promogif3.gif
%systemroot%\system32\cbevtsvc.exe
%systemroot%\system32\lt.res
%systemroot%\system32\sft.res
c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr0.dat
c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr1.dat

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Now, start The Avenger program by clicking on its icon on your desktop.
  • Click in the window labeled Input Script Here and paste the text copied to the clipboard into it by pressing (Ctrl+V).
  • Click the Execute button
  • Answer "Yes" twice when prompted.
The Avenger will automatically do the following:
  • It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Step #2

Start OTScanIt. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Processes - Non-Microsoft Only]
YY -> cbevtsvc.exe -> %SystemRoot%\system32\CbEvtSvc.exe
[Win32 Services - Non-Microsoft Only]
YY -> (CbEvtSvc) CbEvtSvc [Win32_Own | Auto | Running] -> %SystemRoot%\system32\CbEvtSvc.exe
[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> DXDllRegExe -> [dxdllreg.exe]
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls
YN -> C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL -> %SystemDrive%\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
< Internet Explorer Bars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
YN -> {32683183-48a0-441b-a342-7c2a440a9478} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer Bars [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
YN -> {32683183-48a0-441b-a342-7c2a440a9478} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer Bars [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
YN -> {32683183-48a0-441b-a342-7c2a440a9478} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer Bars [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
YN -> {32683183-48a0-441b-a342-7c2a440a9478} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer Bars [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
YN -> {32683183-48a0-441b-a342-7c2a440a9478} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer Bars [HKEY_USERS\S-1-5-21-1481906607-906242103-959738221-500\] > -> HKEY_USERS\S-1-5-21-1481906607-906242103-959738221-500\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
YN -> {32683183-48a0-441b-a342-7c2a440a9478} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
[Registry - Additional Scans - Non-Microsoft Only]
< BotCheck > -> 
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\IncrediMail\bin\ImApp.exe -> C:\Program Files\IncrediMail\bin\ImApp.exe [C:\Program Files\IncrediMail\bin\ImApp.exe:*:Enabled:IncrediMail]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\IncrediMail\bin\IncMail.exe -> C:\Program Files\IncrediMail\bin\IncMail.exe [C:\Program Files\IncrediMail\bin\IncMail.exe:*:Enabled:IncrediMail]
[Files/Folders - Created Within 30 days]
NY -> CbEvtSvc.exe -> %SystemRoot%\System32\CbEvtSvc.exe
NY -> lt.res -> %SystemRoot%\System32\lt.res
NY -> sft.res -> %SystemRoot%\System32\sft.res
NY -> 4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> index.html -> %SystemRoot%\index.html
NY -> promo1.html -> %SystemRoot%\promo1.html
NY -> promo2.html -> %SystemRoot%\promo2.html
NY -> promo3.html -> %SystemRoot%\promo3.html
NY -> promo4.html -> %SystemRoot%\promo4.html
NY -> promo5.html -> %SystemRoot%\promo5.html
NY -> promo6.html -> %SystemRoot%\promo6.html
NY -> promogif1.gif -> %SystemRoot%\promogif1.gif
NY -> promogif2.gif -> %SystemRoot%\promogif2.gif
NY -> promogif3.gif -> %SystemRoot%\promogif3.gif
[Files/Folders - Modified Within 30 days]
NY -> 1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> CbEvtSvc.exe -> %SystemRoot%\System32\CbEvtSvc.exe
NY -> lt.res -> %SystemRoot%\System32\lt.res
NY -> sft.res -> %SystemRoot%\System32\sft.res
NY -> 4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> promo1.html -> %SystemRoot%\promo1.html
NY -> promo2.html -> %SystemRoot%\promo2.html
NY -> promo3.html -> %SystemRoot%\promo3.html
NY -> promo4.html -> %SystemRoot%\promo4.html
NY -> promo5.html -> %SystemRoot%\promo5.html
NY -> promo6.html -> %SystemRoot%\promo6.html
NY -> promogif1.gif -> %SystemRoot%\promogif1.gif
NY -> promogif2.gif -> %SystemRoot%\promogif2.gif
NY -> promogif3.gif -> %SystemRoot%\promogif3.gif
NY -> qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
NY -> qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
NY -> @Alternate Data Stream - 103 bytes -> %AllUsersProfile%\Application Data\TEMP:64648EF8
NY -> @Alternate Data Stream - 128 bytes -> %AllUsersProfile%\Application Data\TEMP:D31BE97C
NY -> @Alternate Data Stream - 119 bytes -> %AllUsersProfile%\Application Data\TEMP:F1C0B203
[Empty Temp Folders]
[Start Explorer]

The fix should only take a very short time. When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.
If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that log back here in your next reply.

Step #3

Now let's run an online virus scan. Try F-Secure first. Sometimes it doesn't play nice with other system components so if it cannot complete then try the Kaspersky scan. You only need to complete one of the two.

Run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Click on Online Services and then Online Scanner
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy and paste the entire report in your next reply.
If the F-Secure scan did not work then try an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Step #4

Run a new OTScanIt scan with the following options

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program.
  • Just use the default settings.
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Step #5

Post the following back here by copy/pasting them into the reply:
  • The Avenger report (c:\Avenger.txt)
  • The latest OTScanIt fix log (look in the OTScanIt folder for the MovedFiles folder. In that folder will be a file with a name in the form of mmddyyyy_hhmmss.log for month, day, year, hours, minutes, and seconds that the scan was run.)
  • The online anti-virus scan report.
Attach the following back here in the reply:
  • The new OTScanIt scan log

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
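
A check that could follow Step #1, added here as an example (it is not part of the original post and is not code from The Avenger's author): it reconciles the targets of the script above against the "deleted successfully" lines in C:\avenger.txt and lists any target the log does not confirm. The log line format is assumed to match the Avenger log posted later in this thread; the sample log is constructed and the function names are hypothetical.

```python
import re

# %SystemRoot% value as reported in the scan header earlier in this thread.
ENV = {"systemroot": r"C:\WINDOWS"}

# A subset of the script from the post above.
SCRIPT = r"""Drivers to delete:
CbEvtSvc
Files to delete:
%systemroot%\index.html
%systemroot%\system32\cbevtsvc.exe
%systemroot%\system32\lt.res
"""

# Constructed sample log: the lt.res line is deliberately left out so the
# reconciliation has something to report.
LOG = r"""Beginning to process script file:

Driver "CbEvtSvc" deleted successfully.
File "C:\WINDOWS\index.html" deleted successfully.
File "C:\WINDOWS\system32\cbevtsvc.exe" deleted successfully.

Completed script processing.
"""

# Section headers such as "Files to delete:"; group 1 is the singular kind.
HEADER = re.compile(r"^(\w+?)s to (\w+):\s*$", re.IGNORECASE)
# Success lines as they appear in the log: File "<path>" deleted successfully.
DELETED = re.compile(r'^(\w+) "(.+)" deleted successfully\.\s*$')


def expand(path, env=ENV):
    """Expand %var% references; unknown variables are left untouched."""
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).lower(), m.group(0)),
                  path)


def parse_script(text, env=ENV):
    """Return [(kind, target)] for every entry under a '... to delete:' header.

    Targets are expanded and lower-cased because Windows paths and service
    names compare case-insensitively.
    """
    targets, kind = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER.match(line)
        if header:
            # Only deletion sections produce log lines this check understands.
            is_delete = header.group(2).lower() == "delete"
            kind = header.group(1).lower() if is_delete else None
        elif kind:
            targets.append((kind, expand(line, env).lower()))
    return targets


def parse_log(text):
    """Return the set of (kind, target) pairs the log reports as deleted."""
    done = set()
    for raw in text.splitlines():
        m = DELETED.match(raw.strip())
        if m:
            done.add((m.group(1).lower(), m.group(2).lower()))
    return done


def reconcile(script, log, env=ENV):
    """Split script targets into those the log confirms and those it does not."""
    done = parse_log(log)
    targets = parse_script(script, env)
    return {
        "confirmed": [t for t in targets if t in done],
        "unconfirmed": [t for t in targets if t not in done],
    }


if __name__ == "__main__":
    result = reconcile(SCRIPT, LOG)
    for kind, target in result["unconfirmed"]:
        print(f"NOT CONFIRMED: {kind} {target}")
```

An unconfirmed target only means the log has no success line for it; the item should then be looked for in a fresh scan before assuming it is gone.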


#3 rigel

    FD-BC

  • Topic Starter

Posted 29 April 2008 - 10:06 PM

Ok OT, quite a bit of information to give you - step by step

Step 1 I ran Avenger as instructed - as administrator - It ran but then told me I did not have admin rights to modify the registry. Avenger then rebooted and produced a log file - see step 5

Step 2 I ran OTScanIt and that was successful. The computer rebooted - Here is the log from that run per step 2
Explorer killed successfully
[Processes - Non-Microsoft Only]
Unable to kill process cbevtsvc.exe .
File C:\WINDOWS\system32\CbEvtSvc.exe not found.
[Win32 Services - Non-Microsoft Only]
Unable to stop service CbEvtSvc .
Unable to delete service CbEvtSvc .
File C:\WINDOWS\system32\CbEvtSvc.exe not found.
[Registry - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\DXDllRegExe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{32683183-48a0-441b-a342-7c2a440a9478}\ not found.
Registry key HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{32683183-48a0-441b-a342-7c2a440a9478}\ not found.
Registry key HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{32683183-48a0-441b-a342-7c2a440a9478}\ not found.
Registry key HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{32683183-48a0-441b-a342-7c2a440a9478}\ not found.
Registry key HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{32683183-48a0-441b-a342-7c2a440a9478}\ not found.
Registry key HKEY_USERS\S-1-5-21-1481906607-906242103-959738221-500\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{32683183-48a0-441b-a342-7c2a440a9478}\ not found.
[Registry - Additional Scans - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\IncrediMail\bin\ImApp.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\IncrediMail\bin\IncMail.exe deleted successfully.
[Files/Folders - Created Within 30 days]
File C:\WINDOWS\System32\CbEvtSvc.exe not found!
File C:\WINDOWS\System32\lt.res not found!
File C:\WINDOWS\System32\sft.res not found!
C:\WINDOWS\msdownld.tmp folder deleted successfully.
File C:\WINDOWS\index.html not found!
File C:\WINDOWS\promo1.html not found!
File C:\WINDOWS\promo2.html not found!
File C:\WINDOWS\promo3.html not found!
File C:\WINDOWS\promo4.html not found!
File C:\WINDOWS\promo5.html not found!
File C:\WINDOWS\promo6.html not found!
File C:\WINDOWS\promogif1.gif not found!
File C:\WINDOWS\promogif2.gif not found!
File C:\WINDOWS\promogif3.gif not found!
[Files/Folders - Modified Within 30 days]
File C:\WINDOWS\System32\CbEvtSvc.exe not found!
File C:\WINDOWS\System32\lt.res not found!
File C:\WINDOWS\System32\sft.res not found!
File C:\WINDOWS\promo1.html not found!
File C:\WINDOWS\promo2.html not found!
File C:\WINDOWS\promo3.html not found!
File C:\WINDOWS\promo4.html not found!
File C:\WINDOWS\promo5.html not found!
File C:\WINDOWS\promo6.html not found!
File C:\WINDOWS\promogif1.gif not found!
File C:\WINDOWS\promogif2.gif not found!
File C:\WINDOWS\promogif3.gif not found!
File C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat not found!
File C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat not found!
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
ADS C:\Documents and Settings\All Users\Application Data\TEMP:64648EF8 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:D31BE97C deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:F1C0B203 deleted successfully.
[Empty Temp Folders]
File delete failed. C:\Documents and Settings\administrator\Local Settings\Temporary Internet Files\Content.IE5\YD6MYI4X\topic144490[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\administrator\Local Settings\Temporary Internet Files\Content.IE5\EIO9BF6M\iframe[2].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\administrator\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\hlktmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_79c.dat scheduled to be deleted on reboot.
User temp folders emptied.
SystemRoot temp folder emptied.
IE temp folders emptied
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt by OldTimer - Version 1.0.11.8 fix logfile created on 04292008_203229

Files moved on Reboot...
C:\Documents and Settings\administrator\Local Settings\Temporary Internet Files\Content.IE5\YD6MYI4X\topic144490[1].htm moved successfully.
C:\Documents and Settings\administrator\Local Settings\Temporary Internet Files\Content.IE5\EIO9BF6M\iframe[2].htm moved successfully.
C:\Documents and Settings\administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat moved successfully.
C:\Documents and Settings\administrator\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat moved successfully.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\hlktmp scheduled to be moved on reboot.
File C:\WINDOWS\temp\Perflib_Perfdata_79c.dat not found!

Step 3 The F-Secure scanner ran and >I think< cleaned 4 zlob infections. The scanner blanked the screen and came back after a few seconds closing the IE window. Unknown if this was successful.

Step 4 was successful log to follow in step 5

Step 5: Avenger log:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "CbEvtSvc" deleted successfully.
File "C:\WINDOWS\index.html" deleted successfully.
File "C:\WINDOWS\promo1.html" deleted successfully.
File "C:\WINDOWS\promo2.html" deleted successfully.
File "C:\WINDOWS\promo3.html" deleted successfully.
File "C:\WINDOWS\promo4.html" deleted successfully.
File "C:\WINDOWS\promo5.html" deleted successfully.
File "C:\WINDOWS\promo6.html" deleted successfully.
File "C:\WINDOWS\promogif1.gif" deleted successfully.
File "C:\WINDOWS\promogif2.gif" deleted successfully.
File "C:\WINDOWS\promogif3.gif" deleted successfully.
File "C:\WINDOWS\system32\cbevtsvc.exe" deleted successfully.
File "C:\WINDOWS\system32\lt.res" deleted successfully.
File "C:\WINDOWS\system32\sft.res" deleted successfully.
File "c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr0.dat" deleted successfully.
File "c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr1.dat" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

OTScanIt log from step 4:
OTScanIt logfile created on: 4/29/2008 10:41:16 PM
OTScanIt by OldTimer - Version 1.0.11.8	 Folder = C:\Documents and Settings\administrator\Desktop\OTScanIt
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
503.36 Mb Total Physical Memory | 259.15 Mb Available Physical Memory | 51.48% Memory free
1.20 Gb Paging File | 0.91 Gb Available in Paging File | 75.82% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512;
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 17.87 Gb Free Space | 47.95% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: FDJ-V05-LAPTOP
Current User Name: Administrator
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user

[Processes - Non-Microsoft Only]
xtagent.exe -> %SystemRoot%\system32\novell\xtagent.exe -> Novell, Inc. [Ver = 1.2.3.1 | Size = 61440 bytes | Modified Date = 1/10/2005 1:36:52 PM | Attr =	]
savservice.exe -> %ProgramFiles%\Sophos\Sophos Anti-Virus\SavService.exe -> Sophos Plc [Ver = 1.0.0.3755 | Size = 98304 bytes | Modified Date = 3/19/2008 1:04:51 PM | Attr =	]
hasplms.exe -> %SystemRoot%\system32\hasplms.exe -> Aladdin Knowledge Systems Ltd. [Ver = 12.10.1.2148 | Size = 535807 bytes | Modified Date = 3/15/2007 3:48:26 PM | Attr =	]
nalntsrv.exe -> %ProgramFiles%\Novell\ZENworks\NALNTSRV.EXE -> Novell, Inc. [Ver = 6.5.20.0 | Size = 112128 bytes | Modified Date = 9/9/2005 12:54:44 PM | Attr =	]
zenrem32.exe -> %ProgramFiles%\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe -> Novell, Inc. [Ver = 6,5,2,0 | Size = 163840 bytes | Modified Date = 9/1/2005 12:49:34 PM | Attr =	]
savadminservice.exe -> %ProgramFiles%\Sophos\Sophos Anti-Virus\SAVAdminService.exe -> Sophos Plc [Ver = 1.0.0.3730 | Size = 69632 bytes | Modified Date = 3/19/2008 1:02:36 PM | Attr =	]
managementagentnt.exe -> %ProgramFiles%\Sophos\Remote Management System\ManagementAgentNT.exe -> Sophos Plc [Ver = 3,0,4,1735 | Size = 266240 bytes | Modified Date = 3/19/2008 1:02:17 PM | Attr =	]
alsvc.exe -> %ProgramFiles%\Sophos\AutoUpdate\ALsvc.exe -> Sophos Plc [Ver = 3.7.19.161 | Size = 172032 bytes | Modified Date = 3/19/2008 1:06:23 PM | Attr =	]
routernt.exe -> %ProgramFiles%\Sophos\Remote Management System\RouterNT.exe -> Sophos Plc [Ver = 3,0,4,1735 | Size = 790528 bytes | Modified Date = 3/19/2008 1:02:01 PM | Attr =	]
smagent.exe -> %ProgramFiles%\Analog Devices\SoundMAX\SMAgent.exe -> Analog Devices, Inc. [Ver = 3, 2, 6, 0 | Size = 45056 bytes | Modified Date = 9/20/2002 2:50:10 PM | Attr =	]
tablet.exe -> %SystemRoot%\system32\Tablet.exe -> Wacom Technology, Corp. [Ver = 4.94-3 | Size = 753664 bytes | Modified Date = 12/6/2005 12:00:44 AM | Attr =	]
uaservice.exe -> %ProgramFiles%\Lightspeed Systems\User Agent\UAService.exe -> Lightspeed Systems [Ver = 1.01.05 | Size = 262144 bytes | Modified Date = 5/29/2007 1:50:12 PM | Attr =	]
wm.exe -> %ProgramFiles%\Novell\ZENworks\WM.EXE -> Novell, Inc. [Ver = v6.5.2 (20050104) | Size = 149024 bytes | Modified Date = 9/8/2005 11:38:50 AM | Attr =	]
igfxtray.exe -> %SystemRoot%\system32\igfxtray.exe -> Intel Corporation [Ver = 3.0.0.4308 | Size = 94208 bytes | Modified Date = 4/25/2005 10:32:12 AM | Attr =	]
hkcmd.exe -> %SystemRoot%\system32\hkcmd.exe -> Intel Corporation [Ver = 3.0.0.4308 | Size = 77824 bytes | Modified Date = 4/25/2005 10:29:00 AM | Attr =	]
igfxsrvc.exe -> %SystemRoot%\system32\igfxsrvc.exe -> Intel Corporation [Ver = 3.0.0.4308 | Size = 155648 bytes | Modified Date = 4/25/2005 10:28:52 AM | Attr =	]
igfxpers.exe -> %SystemRoot%\system32\igfxpers.exe -> Intel Corporation [Ver = 3.0.0.4308 | Size = 114688 bytes | Modified Date = 4/25/2005 10:32:52 AM | Attr =	]
smax4pnp.exe -> %ProgramFiles%\Analog Devices\SoundMAX\SMax4PNP.exe -> Analog Devices, Inc. [Ver = 5, 0, 2, 2 | Size = 1388544 bytes | Modified Date = 10/14/2004 9:11:10 AM | Attr =	]
smax4.exe -> %ProgramFiles%\Analog Devices\SoundMAX\SMax4.exe -> Analog Devices, Inc. [Ver = 5, 0, 2, 6 | Size = 860160 bytes | Modified Date = 9/23/2004 12:41:54 PM | Attr =	]
agrsmmsg.exe -> %SystemRoot%\AGRSMMSG.exe -> Agere Systems [Ver = 2.1.41.10 2.1.41.10 06/29/2004 09:06:35 | Size = 88363 bytes | Modified Date = 8/24/2004 11:20:10 AM | Attr =	]
syntpenh.exe -> %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe -> Synaptics, Inc. [Ver = 8.2.23 31Mar06 | Size = 761946 bytes | Modified Date = 3/31/2006 4:01:48 PM | Attr =	]
nwtray.exe -> %SystemRoot%\system32\nwtray.exe -> Novell, Inc. [Ver = v4.90 | Size = 28672 bytes | Modified Date = 3/12/2002 11:37:28 AM | Attr = R  ]
eabservr.exe -> %ProgramFiles%\HPQ\Quick Launch Buttons\eabservr.exe -> Hewlett-Packard  [Ver = 5, 1, 1, 2 | Size = 290816 bytes | Modified Date = 12/3/2004 1:24:20 PM | Attr =	]
qttask.exe -> %ProgramFiles%\QuickTime\qttask.exe -> Apple Computer, Inc. [Ver = 6.5.1 | Size = 98304 bytes | Modified Date = 8/17/2006 9:16:44 AM | Attr =	]
wmrundll.exe -> %ProgramFiles%\Novell\ZENworks\WMRUNDLL.EXE -> Novell, Inc. [Ver = v6.5.2 (20050104) | Size = 12224 bytes | Modified Date = 9/8/2005 11:38:48 AM | Attr =	]
hpwqtbx.exe -> %ProgramFiles%\Hewlett-Packard\HP Deskjet 9800 Series\Toolbox\HPWQTBX.exe -> Hewlett-Packard Company [Ver = 2005.0117.0.0 | Size = 335872 bytes | Modified Date = 1/17/2005 4:49:04 PM | Attr =	]
hpwuschd.exe -> %ProgramFiles%\HP\HP Software Update\hpwuSchd.exe -> Hewlett-Packard [Ver = 1, 0, 0, 3 | Size = 49152 bytes | Modified Date = 8/4/2003 5:28:18 PM | Attr =	]
hpcmpmgr.exe -> %ProgramFiles%\HP\hpcoretech\hpcmpmgr.exe -> Hewlett-Packard Company [Ver = 2.1.1.0 | Size = 241664 bytes | Modified Date = 12/22/2003 8:38:42 AM | Attr =	]
ekij5000mui.exe -> %SystemRoot%\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe -> Eastman Kodak Company [Ver = 2.5.112.0 | Size = 753664 bytes | Modified Date = 3/7/2007 10:04:42 AM | Attr =	]
pwrisovm.exe -> %ProgramFiles%\PowerISO\PWRISOVM.EXE -> PowerISO Computing, Inc. [Ver = 3, 4, 0, 0 | Size = 196608 bytes | Modified Date = 9/9/2006 5:16:11 AM | Attr =	]
googletoolbarnotifier.exe -> %ProgramFiles%\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe -> Google Inc. [Ver = 2, 0, 301, 1654 | Size = 68856 bytes | Modified Date = 12/2/2007 8:15:23 PM | Attr =	]
almon.exe -> %ProgramFiles%\Sophos\AutoUpdate\ALMon.exe -> Sophos Plc [Ver = 3.10.54.138 | Size = 245760 bytes | Modified Date = 11/16/2007 5:26:37 PM | Attr =	]
hpqtra08.exe -> %ProgramFiles%\HP\Digital Imaging\bin\hpqtra08.exe -> Hewlett-Packard Co. [Ver = 5.35.0.035 | Size = 237568 bytes | Modified Date = 9/16/2003 5:19:24 AM | Attr =	]
tabuserw.exe -> %SystemRoot%\system32\WTablet\TabUserW.exe -> Wacom Technology, Corp. [Ver = 4.94-3 | Size = 114688 bytes | Modified Date = 12/5/2005 11:59:02 PM | Attr =	]
nalagent.exe -> %ProgramFiles%\Novell\ZENworks\NalAgent.exe -> Novell, Inc [Ver = 6.5.20.0 | Size = 382976 bytes | Modified Date = 9/9/2005 12:54:18 PM | Attr =	]
otscanit.exe -> %UserProfile%\Desktop\OTScanIt\OTScanIt.exe -> OldTimer Tools [Ver = 1.0.11.8 | Size = 372224 bytes | Modified Date = 4/28/2008 6:33:24 PM | Attr =	]

[Win32 Services - Non-Microsoft Only]
(cusrvc) Client Update Service for Novell [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\system32\cusrvc.exe -> Novell, Inc. [Ver = v4.91 | Size = 36864 bytes | Modified Date = 1/18/2005 10:17:56 AM | Attr = R  ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %SystemRoot%\system32\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 8/4/2004 12:56:50 AM | Attr =	]
(gusvc) Google Updater Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Google\Common\Google Updater\GoogleUpdaterService.exe -> Google [Ver = 2.0.734.29932.beta | Size = 138168 bytes | Modified Date = 11/19/2007 10:32:45 PM | Attr =	]
(hasplms) HASP License Manager [Win32_Own | Auto | Running] -> %SystemRoot%\system32\hasplms.exe -> Aladdin Knowledge Systems Ltd. [Ver = 12.10.1.2148 | Size = 535807 bytes | Modified Date = 3/15/2007 3:48:26 PM | Attr =	]
(hpqwmi) HP WMI Interface [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\HPQ\shared\hpqwmi.exe -> Hewlett-Packard Development Company, L.P. [Ver = 1, 0, 4, 2 | Size = 98304 bytes | Modified Date = 11/18/2004 12:32:56 AM | Attr =	]
(IDriverT) InstallDriver Table Manager [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\InstallShield\Driver\1050\Intel 32\IDriverT.exe -> Macrovision Corporation [Ver = 10.50.125 | Size = 73728 bytes | Modified Date = 10/22/2004 3:24:18 AM | Attr =	]
(NALNTSERVICE) Novell Application Launcher [Win32_Own | Auto | Running] -> %ProgramFiles%\Novell\ZENworks\NALNTSRV.EXE -> Novell, Inc. [Ver = 6.5.20.0 | Size = 112128 bytes | Modified Date = 9/9/2005 12:54:44 PM | Attr =	]
(Pml Driver HPZ12) Pml Driver HPZ12 [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\system32\hpzipm12.exe -> HP [Ver = 7, 0, 0, 0 | Size = 65795 bytes | Modified Date = 1/5/2004 3:27:32 AM | Attr =	]
(Remote Management Agent) Novell ZENworks Remote Management Agent [Win32_Own | Auto | Running] -> %ProgramFiles%\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe -> Novell, Inc. [Ver = 6,5,2,0 | Size = 163840 bytes | Modified Date = 9/1/2005 12:49:34 PM | Attr =	]
(SAVAdminService) Sophos Anti-Virus status reporter [Win32_Own | Unknown | Running] ->  -> File not found
(SAVService) Sophos Anti-Virus [Win32_Own | Unknown | Running] ->  -> File not found
(Sophos Agent) Sophos Agent [Win32_Own | Auto | Running] -> %ProgramFiles%\Sophos\Remote Management System\ManagementAgentNT.exe -> Sophos Plc [Ver = 3,0,4,1735 | Size = 266240 bytes | Modified Date = 3/19/2008 1:02:17 PM | Attr =	]
(Sophos AutoUpdate Service) Sophos AutoUpdate Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Sophos\AutoUpdate\ALsvc.exe -> Sophos Plc [Ver = 3.7.19.161 | Size = 172032 bytes | Modified Date = 3/19/2008 1:06:23 PM | Attr =	]
(Sophos Message Router) Sophos Message Router [Win32_Own | Auto | Running] -> %ProgramFiles%\Sophos\Remote Management System\RouterNT.exe -> Sophos Plc [Ver = 3,0,4,1735 | Size = 790528 bytes | Modified Date = 3/19/2008 1:02:01 PM | Attr =	]
(SoundMAX Agent Service (default)) SoundMAX Agent Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Analog Devices\SoundMAX\SMAgent.exe -> Analog Devices, Inc. [Ver = 3, 2, 6, 0 | Size = 45056 bytes | Modified Date = 9/20/2002 2:50:10 PM | Attr =	]
(TabletService) TabletService [Win32_Own | Auto | Running] -> %SystemRoot%\system32\Tablet.exe -> Wacom Technology, Corp. [Ver = 4.94-3 | Size = 753664 bytes | Modified Date = 12/6/2005 12:00:44 AM | Attr =	]
(UAService) User Agent Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Lightspeed Systems\User Agent\UAService.exe -> Lightspeed Systems [Ver = 1.01.05 | Size = 262144 bytes | Modified Date = 5/29/2007 1:50:12 PM | Attr =	]
(XTAgent) Novell XTier Agent Services [Win32_Own | Auto | Running] -> %SystemRoot%\system32\novell\xtagent.exe -> Novell, Inc. [Ver = 1.2.3.1 | Size = 61440 bytes | Modified Date = 1/10/2005 1:36:52 PM | Attr =	]
(ZFDWM) Workstation Manager [Win32_Own | Auto | Running] -> %ProgramFiles%\Novell\ZENworks\WM.EXE -> Novell, Inc. [Ver = v6.5.2 (20050104) | Size = 149024 bytes | Modified Date = 9/8/2005 11:38:50 AM | Attr =	]

[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
AGRSMMSG -> %SystemRoot%\AGRSMMSG.exe [AGRSMMSG.exe] -> Agere Systems [Ver = 2.1.41.10 2.1.41.10 06/29/2004 09:06:35 | Size = 88363 bytes | Modified Date = 8/24/2004 11:20:10 AM | Attr =	]
eabconfg.cpl -> %ProgramFiles%\HPQ\Quick Launch Buttons\eabservr.exe [C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start] -> Hewlett-Packard  [Ver = 5, 1, 1, 2 | Size = 290816 bytes | Modified Date = 12/3/2004 1:24:20 PM | Attr =	]
EKIJ5000StatusMonitor -> %SystemRoot%\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe [C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe] -> Eastman Kodak Company [Ver = 2.5.112.0 | Size = 753664 bytes | Modified Date = 3/7/2007 10:04:42 AM | Attr =	]
HotKeysCmds -> %SystemRoot%\system32\hkcmd.exe [C:\WINDOWS\System32\hkcmd.exe] -> Intel Corporation [Ver = 3.0.0.4308 | Size = 77824 bytes | Modified Date = 4/25/2005 10:29:00 AM | Attr =	]
HP Component Manager -> %ProgramFiles%\HP\hpcoretech\hpcmpmgr.exe ["C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"] -> Hewlett-Packard Company [Ver = 2.1.1.0 | Size = 241664 bytes | Modified Date = 12/22/2003 8:38:42 AM | Attr =	]
HP Software Update -> %ProgramFiles%\HP\HP Software Update\hpwuSchd.exe ["C:\Program Files\HP\HP Software Update\HPWuSchd.exe"] -> Hewlett-Packard [Ver = 1, 0, 0, 3 | Size = 49152 bytes | Modified Date = 8/4/2003 5:28:18 PM | Attr =	]
HPWQTOOLBOX -> %ProgramFiles%\Hewlett-Packard\HP Deskjet 9800 Series\Toolbox\HPWQTBX.exe [C:\Program Files\Hewlett-Packard\HP Deskjet 9800 Series\Toolbox\HPWQTBX.exe "-i"] -> Hewlett-Packard Company [Ver = 2005.0117.0.0 | Size = 335872 bytes | Modified Date = 1/17/2005 4:49:04 PM | Attr =	]
IgfxTray -> %SystemRoot%\system32\igfxtray.exe [C:\WINDOWS\System32\igfxtray.exe] -> Intel Corporation [Ver = 3.0.0.4308 | Size = 94208 bytes | Modified Date = 4/25/2005 10:32:12 AM | Attr =	]
NWTRAY -> %SystemRoot%\system32\nwtray.exe [NWTRAY.EXE] -> Novell, Inc. [Ver = v4.90 | Size = 28672 bytes | Modified Date = 3/12/2002 11:37:28 AM | Attr = R  ]
Persistence -> %SystemRoot%\system32\igfxpers.exe [C:\WINDOWS\System32\igfxpers.exe] -> Intel Corporation [Ver = 3.0.0.4308 | Size = 114688 bytes | Modified Date = 4/25/2005 10:32:52 AM | Attr =	]
PWRISOVM.EXE -> %ProgramFiles%\PowerISO\PWRISOVM.EXE [C:\Program Files\PowerISO\PWRISOVM.EXE] -> PowerISO Computing, Inc. [Ver = 3, 4, 0, 0 | Size = 196608 bytes | Modified Date = 9/9/2006 5:16:11 AM | Attr =	]
QuickTime Task -> %ProgramFiles%\QuickTime\qttask.exe ["C:\Program Files\QuickTime\qttask.exe" -atboottime] -> Apple Computer, Inc. [Ver = 6.5.1 | Size = 98304 bytes | Modified Date = 8/17/2006 9:16:44 AM | Attr =	]
SoundMAX -> %ProgramFiles%\Analog Devices\SoundMAX\SMax4.exe ["C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray] -> Analog Devices, Inc. [Ver = 5, 0, 2, 6 | Size = 860160 bytes | Modified Date = 9/23/2004 12:41:54 PM | Attr =	]
SoundMAXPnP -> %ProgramFiles%\Analog Devices\SoundMAX\SMax4PNP.exe [C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe] -> Analog Devices, Inc. [Ver = 5, 0, 2, 2 | Size = 1388544 bytes | Modified Date = 10/14/2004 9:11:10 AM | Attr =	]
SynTPEnh -> %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [C:\Program Files\Synaptics\SynTP\SynTPEnh.exe] -> Synaptics, Inc. [Ver = 8.2.23 31Mar06 | Size = 761946 bytes | Modified Date = 3/31/2006 4:01:48 PM | Attr =	]
UpdateManager -> %CommonProgramFiles%\Sonic\Update Manager\sgtray.exe ["C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r] -> Sonic Solutions [Ver = 1.01.32a | Size = 110592 bytes | Modified Date = 8/19/2003 1:01:00 AM | Attr =	]
WatchDog -> %ProgramFiles%\InterVideo\DVD Check\DVDCheck.exe [C:\Program Files\InterVideo\DVD Check\DVDCheck.exe] -> InterVideo Inc. [Ver = 1, 0, 0, 2 | Size = 184320 bytes | Modified Date = 12/8/2004 6:44:36 PM | Attr =	]
ZENRC Tray Icon -> %SystemRoot%\system32\zentray.exe [C:\WINDOWS\system32\zentray.exe] -> Novell, Inc. [Ver = 6.5.1.0 | Size = 40960 bytes | Modified Date = 1/17/2005 11:33:28 AM | Attr =	]
< OptionalComponents [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ -> 
IMAIL-> Installed = 1 -> 
MAPI-> Installed = 1 -> 
MSFS-> Installed = 1 -> 
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
swg -> %ProgramFiles%\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe] -> Google Inc. [Ver = 2, 0, 301, 1654 | Size = 68856 bytes | Modified Date = 12/2/2007 8:15:23 PM | Attr =	]
< administrator Startup Folder > -> C:\Documents and Settings\administrator\Start Menu\Programs\Startup -> 
< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup -> 
%AllUsersProfile%\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk -> %ProgramFiles%\Adobe\Acrobat 7.0\Reader\reader_sl.exe -> Adobe Systems Incorporated [Ver = 7.0.5.2005092300 | Size = 29696 bytes | Modified Date = 9/23/2005 10:05:26 PM | Attr =	]
%AllUsersProfile%\Start Menu\Programs\Startup\Application Explorer.lnk -> %ProgramFiles%\Novell\ZENworks\NalView.exe -> Novell, Inc [Ver = 6.5.20.0 | Size = 35840 bytes | Modified Date = 9/8/2005 11:32:44 AM | Attr =	]
%AllUsersProfile%\Start Menu\Programs\Startup\AutoUpdate Monitor.lnk -> %ProgramFiles%\Sophos\AutoUpdate\ALMon.exe -> Sophos Plc [Ver = 3.10.54.138 | Size = 245760 bytes | Modified Date = 11/16/2007 5:26:37 PM | Attr =	]
%AllUsersProfile%\Start Menu\Programs\Startup\DVD Check.lnk -> %ProgramFiles%\InterVideo\DVD Check\DVDCheck.exe -> InterVideo Inc. [Ver = 1, 0, 0, 2 | Size = 184320 bytes | Modified Date = 12/8/2004 6:44:36 PM | Attr =	]
%AllUsersProfile%\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk -> %ProgramFiles%\HP\Digital Imaging\bin\hpqtra08.exe -> Hewlett-Packard Co. [Ver = 5.35.0.035 | Size = 237568 bytes | Modified Date = 9/16/2003 5:19:24 AM | Attr =	]
%AllUsersProfile%\Start Menu\Programs\Startup\TabUserW.exe.lnk -> %SystemRoot%\system32\WTablet\TabUserW.exe -> Wacom Technology, Corp. [Ver = 4.94-3 | Size = 114688 bytes | Modified Date = 12/5/2005 11:59:02 PM | Attr =	]
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs -> 
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls -> 
C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL -> %ProgramFiles%\Sophos\Sophos Anti-Virus\sophos_detoured.dll -> Sophos Plc [Ver = 1.0.0.3770 | Size = 173056 bytes | Modified Date = 3/19/2008 1:03:28 PM | Attr =	]
*MultiFile Done* -> -> 
< SSODL [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad -> 
{66186F05-BBBB-4a39-864F-72D84615C679} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [WebProxy] -> File not found
< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks -> 
{763370C4-268E-4308-A60C-D8DA0342BE32} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Novell\ZENworks\NalShell.dll [] -> Novell, Inc [Ver = 6.5.20.0 | Size = 430080 bytes | Modified Date = 9/9/2005 12:54:28 PM | Attr =	]
< SecurityProviders [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders -> 
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
*GinaDLL* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\GinaDLL -> 
NWGINA.DLL -> %SystemRoot%\system32\nwgina.dll -> Novell, Inc. [Ver = v6.5.1 (20050908) | Size = 356433 bytes | Modified Date = 10/25/2005 10:37:36 AM | Attr = R  ]
*MultiFile Done* -> -> 
< Winlogon settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ -> 
igfxcui -> %SystemRoot%\system32\igfxdev.dll -> Intel Corporation [Ver = 3.0.0.4308 | Size = 131072 bytes | Modified Date = 4/25/2005 10:28:06 AM | Attr =	]
NetIdentity Notification -> %SystemRoot%\system32\novell\xtnotify.dll -> Novell, Inc. [Ver = 1.2.3 | Size = 24576 bytes | Modified Date = 1/10/2005 1:36:58 PM | Attr =	]
< CurrentVersion Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\CompatibleRUPSecurity -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\DontDisplayLastUserName -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\LegalNoticeText ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\ShutdownWithoutLogon -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\UndockWithoutLogon -> 1 -> 
< CurrentVersion Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoActiveDesktop -> 0 -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableTaskMgr -> 1 -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableRegistryTools -> 1 -> 
< CDROM Autorun Settings > [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\ -> ->
*DependOnGroup* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\DependOnGroup -> 
SCSI miniport ->  -> File not found
*MultiFile Done* -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\ErrorControl -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Group -> SCSI CDROM Class -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Start -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Tag -> 2 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Type -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\DisplayName -> CD-ROM Driver -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\ImagePath -> C:\WINDOWS\system32\drivers\cdrom.sys [System32\DRIVERS\cdrom.sys] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 49536 bytes | Modified Date = 8/3/2004 10:59:54 PM | Attr =	]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\AutoRun -> 1 -> 
*AutoRunAlwaysDisable* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\AutoRunAlwaysDisable -> 
NEC	 MBR-7	->  -> File not found
NEC	 MBR-7.4  ->  -> File not found
PIONEER CHANGR DRM-1804X ->  -> File not found
PIONEER CD-ROM DRM-6324X ->  -> File not found
PIONEER CD-ROM DRM-624X  ->  -> File not found
TORiSAN CD-ROM CDR_C36 ->  -> File not found
*MultiFile Done* -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum\\0 -> IDE\CdRomTSSTcorp_CDW/DVD_TS-L462A_______________HP17____\345a333430313231343720202020202020202020 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum\\Count -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum\\NextInstance -> 1 -> 
< Drives - Autoruns > ->  -> 
AUTOEXEC.BAT [] -> %SystemDrive%\AUTOEXEC.BAT [ NTFS ] ->  [Ver =  | Size = 0 bytes | Modified Date = 8/16/2006 1:55:05 PM | Attr =	]
< HOSTS File > (734 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts -> 
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> -> 
HKEY_LOCAL_MACHINE\: Main\\Default_Page_URL -> file://c:/windows/homepage.html -> 
HKEY_LOCAL_MACHINE\: Main\\Local Page -> %SystemRoot%\system32\blank.htm -> 
HKEY_LOCAL_MACHINE\: Main\\Search Page -> file://c:/windows/homepage.html -> 
HKEY_LOCAL_MACHINE\: Main\\Start Page -> file://c:/windows/homepage.html -> 
HKEY_LOCAL_MACHINE\: Search\\CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm -> 
HKEY_LOCAL_MACHINE\: Search\\Default_Search_URL -> http://www.google.com/ie -> 
HKEY_LOCAL_MACHINE\: Search\\SearchAssistant -> http://www.google.com/ie -> 
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> -> 
HKEY_CURRENT_USER\: Main\\Local Page -> C:\WINDOWS\system32\blank.htm -> 
HKEY_CURRENT_USER\: Main\\Start Page -> file://c:/windows/homepage.html -> 
HKEY_CURRENT_USER\: ProxyEnable -> 0 -> 
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 1 domain(s) found. -> 
1 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ -> 
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 59032 bytes | Modified Date = 12/18/2006 4:16:42 AM | Attr =	]
{AA58ED58-01DD-4d91-8333-CF10577473F7} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Google\GoogleToolbar1.dll [Google Toolbar Helper] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 11/19/2007 10:32:44 PM | Attr = R  ]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll [Google Toolbar Notifier BHO] -> Google Inc. [Ver = 3, 0, 1225, 9868 | Size = 734704 bytes | Modified Date = 4/9/2008 7:47:23 PM | Attr =	]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar -> 
{2318C2B1-4965-11d4-9B18-009027A5CD4F} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Google\GoogleToolbar1.dll [&Google] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 11/19/2007 10:32:44 PM | Attr = R  ]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ -> 
WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Google\GoogleToolbar1.dll [&Google] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 11/19/2007 10:32:44 PM | Attr = R  ]
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ -> 
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Sun Java Console] -> File not found
{A5ABA0BB-F195-40d8-A5E9-0801153E6597}:{2151DA8C-C5B6-4B4F-86AB-BDA449BF8747} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\EverNote\EverNote\enbar.dll [Add to EverNote] -> EverNote Corporation [Ver = 1, 0, 0, 33 | Size = 229376 bytes | Modified Date = 10/17/2005 2:07:52 PM | Attr =	]
{C1994287-422F-47aa-8E5E-6323E210A125}:{4B5F7606-8666-4D5A-9780-DB92A9D8812B} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Novell\ZENworks\AxNalServer.dll [Novell delivered applications] -> Novell, Inc [Ver = 6.5.20.0 | Size = 516096 bytes | Modified Date = 9/8/2005 11:34:34 AM | Attr =	]
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ -> 
PluginsPageFriendlyName -> Microsoft ActiveX Gallery -> 
PluginsPage -> http://activex.microsoft.com/controls/find.asp?ext=%s&mime=%s -> 
< DNS Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ -> 
{11A44031-9B91-4788-9C65-A8A1F71B4577} -> 85.255.114.18,85.255.112.102   (Intel(R) PRO/Wireless 2200BG Network Connection) -> 
{4EAFB4E5-A922-4BBE-A865-98C6CD482A55} -> 85.255.114.18,85.255.112.102   (1394 Net Adapter) -> 
{CC64AD94-3163-4E7F-906C-FAD73E0D01F0} -> 85.255.114.18,85.255.112.102   (Broadcom 440x 10/100 Integrated Controller) -> 
< Winsock2 Catalogs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\ -> 
NameSpace_Catalog5\Catalog_Entries\000000000004 [Novell Directory Services Name Provider] -> %SystemRoot%\system32\NetWare\nwws2nds.dll -> Novell, Inc. [Ver = 4.91 | Size = 36947 bytes | Modified Date = 10/27/2005 5:24:08 PM | Attr = R  ]
NameSpace_Catalog5\Catalog_Entries\000000000005 [Novell IPX/SPX SAP Name Provider] -> %SystemRoot%\system32\NetWare\nwws2sap.dll -> Novell, Inc. [Ver = 4.91 | Size = 32851 bytes | Modified Date = 10/27/2005 5:24:08 PM | Attr = R  ]
NameSpace_Catalog5\Catalog_Entries\000000000006 [Novell SLP Provider] -> %SystemRoot%\system32\NetWare\nwws2slp.dll -> Novell, Inc. [Ver = 4.91 | Size = 49235 bytes | Modified Date = 10/27/2005 5:24:10 PM | Attr = R  ]
< Protocol Handlers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ -> 
cetihpz:{CF184AD3-CDCB-4168-A3F7-8E447D129300} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\HP\hpcoretech\comp\hpuiprot.dll[CZipHandler Object] -> Hewlett-Packard Company [Ver = 2.1.4 | Size = 81920 bytes | Modified Date = 12/22/2003 8:38:40 AM | Attr =	]
ipp: [HKEY_LOCAL_MACHINE] -> No CLSID value
msdaipp: [HKEY_LOCAL_MACHINE] -> No CLSID value
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ -> 
{149E45D8-163E-4189-86FC-45022AB2B6C9}[HKEY_LOCAL_MACHINE] -> file://C:\Program Files\Mystery P.I. - The Lottery Ticket\Images\stg_drm.ocx[SpinTop DRM Control] -> 
{166B1BCA-3F9C-11CF-8075-444553540000}[HKEY_LOCAL_MACHINE] -> http://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab[Shockwave ActiveX Control] -> 
{238F6F83-B8B4-11CF-8771-00A024541EE3}[HKEY_LOCAL_MACHINE] -> https://nfuse.scdmh.org/Citrix/ICAWEB/en/ica32/wficac.cab[Citrix ICA Client] -> 
{3E68E405-C6DE-49FF-83AE-41EE9F4C36CE}[HKEY_LOCAL_MACHINE] -> http://office.microsoft.com/officeupdate/content/opuc3.cab[Office Update Installation Engine] -> 
{6414512B-B978-451D-A0D8-FCFDF33E833C}[HKEY_LOCAL_MACHINE] -> http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1155758070514[WUWebControl Class] -> 
{6A060448-60F9-11D5-A6CD-0002B31F7455}[HKEY_LOCAL_MACHINE] -> [ExentInf Class] -> 
{8AD9C840-044E-11D1-B3E9-00805F499D93}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab[Java Plug-in 1.4.2_05] -> 
{BDBDE413-7B1C-4C68-A8FF-C5B2B4090876}[HKEY_LOCAL_MACHINE] -> http://support.f-secure.com/ols/fscax.cab[F-Secure Online Scanner 3.3] -> 
{CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab[Java Plug-in 1.4.2_05] -> 
< Module Usage Keys [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/auc_lib.dll\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/auc_lib.dll\\.Owner -> {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/auc_lib.dll\\{BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ca.pub\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ca.pub\\.Owner -> {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ca.pub\\{BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.1/stg_drm.ocx\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.1/stg_drm.ocx\\.Owner -> {149E45D8-163E-4189-86FC-45022AB2B6C9} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.1/stg_drm.ocx\\{149E45D8-163E-4189-86FC-45022AB2B6C9} ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/daas_s.dll\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/daas_s.dll\\.Owner -> {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/daas_s.dll\\{BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ExentCtl.ocx\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ExentCtl.ocx\\.Owner -> {6A060448-60F9-11D5-A6CD-0002B31F7455} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ExentCtl.ocx\\{6A060448-60F9-11D5-A6CD-0002B31F7455} ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/fscax.dll\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/fscax.dll\\.Owner -> {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/fscax.dll\\{BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/gatelauncher.exe\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/gatelauncher.exe\\.Owner -> {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/gatelauncher.exe\\{BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/stg_drm.ocx\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/stg_drm.ocx\\.Owner -> {149E45D8-163E-4189-86FC-45022AB2B6C9} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/stg_drm.ocx\\{149E45D8-163E-4189-86FC-45022AB2B6C9} ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/opuc.dll\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/opuc.dll\\.Owner -> {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/opuc.dll\\{3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/wuweb.dll\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/wuweb.dll\\.Owner -> {6414512B-B978-451D-A0D8-FCFDF33E833C} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/wuweb.dll\\{6414512B-B978-451D-A0D8-FCFDF33E833C} ->  -> 



[Files/Folders - Created Within 30 days]
Avenger -> %SystemDrive%\Avenger ->  [Folder | Created Date = 4/29/2008 8:24:58 PM | Attr =	]
fsaua.data -> %SystemDrive%\fsaua.data ->  [Folder | Created Date = 4/29/2008 8:38:35 PM | Attr =	]
sockins32.dll -> %SystemRoot%\System32\sockins32.dll -> ThinkPad [Ver = 1, 0, 0, 1 | Size = 32768 bytes | Created Date = 4/28/2008 8:40:36 PM | Attr =	]
homepage.html -> %SystemRoot%\homepage.html ->  [Ver =  | Size = 1296 bytes | Created Date = 4/28/2008 8:48:28 PM | Attr =	]
ie7updates -> %SystemRoot%\ie7updates ->  [Folder | Created Date = 4/20/2008 5:44:20 PM | Attr =	]

[Files/Folders - Modified Within 30 days]
Avenger -> %SystemDrive%\Avenger ->  [Folder | Modified Date = 4/29/2008 8:26:23 PM | Attr =	]
Config.Msi -> %SystemDrive%\Config.Msi ->  [Folder | Modified Date = 4/29/2008 7:10:03 PM | Attr =  H ]
Documents and Settings -> %SystemDrive%\Documents and Settings ->  [Folder | Modified Date = 4/29/2008 7:08:35 PM | Attr =	]
fsaua.data -> %SystemDrive%\fsaua.data ->  [Folder | Modified Date = 4/29/2008 8:38:35 PM | Attr =	]
NALCache -> %SystemDrive%\NALCache ->  [Folder | Modified Date = 4/29/2008 8:36:25 PM | Attr =  H ]
Program Files -> %ProgramFiles% ->  [Folder | Modified Date = 4/29/2008 7:09:52 PM | Attr = R  ]
RECYCLER -> %SystemDrive%\RECYCLER ->  [Folder | Modified Date = 4/29/2008 7:16:18 PM | Attr =  HS]
WINDOWS -> %SystemRoot% ->  [Folder | Modified Date = 4/29/2008 8:36:28 PM | Attr =	]
CatRoot2 -> %SystemRoot%\System32\CatRoot2 ->  [Folder | Modified Date = 4/29/2008 8:38:25 PM | Attr =	]
dllcache -> %SystemRoot%\System32\dllcache ->  [Folder | Modified Date = 4/21/2008 7:53:17 AM | Attr = RHS]
drivers -> %SystemRoot%\System32\drivers ->  [Folder | Modified Date = 4/29/2008 8:24:58 PM | Attr =	]
en-US -> %SystemRoot%\System32\en-US ->  [Folder | Modified Date = 4/20/2008 5:49:50 PM | Attr =	]
FNTCACHE.DAT -> %SystemRoot%\System32\FNTCACHE.DAT ->  [Ver =  | Size = 282128 bytes | Modified Date = 4/20/2008 6:14:24 PM | Attr =	]
GroupPolicy -> %SystemRoot%\System32\GroupPolicy ->  [Folder | Modified Date = 4/29/2008 8:34:59 PM | Attr =  H ]
perfc009.dat -> %SystemRoot%\System32\perfc009.dat ->  [Ver =  | Size = 54010 bytes | Modified Date = 4/21/2008 7:44:00 AM | Attr =	]
perfh009.dat -> %SystemRoot%\System32\perfh009.dat ->  [Ver =  | Size = 383822 bytes | Modified Date = 4/21/2008 7:44:00 AM | Attr =	]
PerfStringBackup.INI -> %SystemRoot%\System32\PerfStringBackup.INI ->  [Ver =  | Size = 443556 bytes | Modified Date = 4/21/2008 7:44:00 AM | Attr =	]
sockins32.dll -> %SystemRoot%\System32\sockins32.dll -> ThinkPad [Ver = 1, 0, 0, 1 | Size = 32768 bytes | Modified Date = 4/28/2008 8:40:36 PM | Attr =	]
tablet.dat -> %SystemRoot%\System32\tablet.dat ->  [Ver =  | Size = 16106 bytes | Modified Date = 4/29/2008 8:34:39 PM | Attr =	]
wpa.dbl -> %SystemRoot%\System32\wpa.dbl ->  [Ver =  | Size = 2206 bytes | Modified Date = 4/29/2008 8:35:20 PM | Attr =	]
$hf_mig$ -> %SystemRoot%\$hf_mig$ ->  [Folder | Modified Date = 4/20/2008 8:59:14 PM | Attr =  H ]
bootstat.dat -> %SystemRoot%\bootstat.dat ->  [Ver =  | Size = 2048 bytes | Modified Date = 4/29/2008 8:34:10 PM | Attr =   S]
Downloaded Program Files -> %SystemRoot%\Downloaded Program Files ->  [Folder | Modified Date = 4/29/2008 8:41:48 PM | Attr =   S]
homepage.html -> %SystemRoot%\homepage.html ->  [Ver =  | Size = 1296 bytes | Modified Date = 4/28/2008 8:48:28 PM | Attr =	]
ie7updates -> %SystemRoot%\ie7updates ->  [Folder | Modified Date = 4/20/2008 5:44:20 PM | Attr =	]
imsins.BAK -> %SystemRoot%\imsins.BAK ->  [Ver =  | Size = 1374 bytes | Modified Date = 4/20/2008 8:59:35 PM | Attr =	]
inf -> %SystemRoot%\inf ->  [Folder | Modified Date = 4/21/2008 8:12:55 AM | Attr =  H ]
Installer -> %SystemRoot%\Installer ->  [Folder | Modified Date = 4/29/2008 7:10:03 PM | Attr =  HS]
Prefetch -> %SystemRoot%\Prefetch ->  [Folder | Modified Date = 4/29/2008 9:22:56 PM | Attr =	]
system32 -> %SystemRoot%\system32 ->  [Folder | Modified Date = 4/29/2008 8:34:39 PM | Attr =	]
Temp -> %SystemRoot%\Temp ->  [Folder | Modified Date = 4/29/2008 10:37:18 PM | Attr =	]
WPCMAPI.INI -> %SystemRoot%\WPCMAPI.INI ->  [Ver =  | Size = 86 bytes | Modified Date = 4/29/2008 7:46:23 AM | Attr =	]
SA.DAT -> %SystemRoot%\tasks\SA.DAT ->  [Ver =  | Size = 6 bytes | Modified Date = 4/29/2008 8:34:17 PM | Attr =  H ]
C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA\ -> C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA ->  [Folder | Modified Date = 8/17/2006 9:58:59 AM | Attr =	]
opa11.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA\opa11.dat ->  [Ver =  | Size = 8206 bytes | Modified Date = 8/17/2006 9:58:59 AM | Attr =	]
C:\WINDOWS\Temp\sophos_autoupdate1.dir\ -> C:\WINDOWS\Temp\sophos_autoupdate1.dir\ ->  [Folder | Modified Date = 4/29/2008 8:34:40 PM | Attr =	]
ALUpdate.exe -> C:\WINDOWS\Temp\sophos_autoupdate1.dir\ALUpdate.exe -> Sophos Plc [Ver = 5.5.15.161 | Size = 606208 bytes | Modified Date = 3/19/2008 1:06:18 PM | Attr =	]
C:\WINDOWS\Temp\sophos_autoupdate1.dir\ -> C:\WINDOWS\Temp\sophos_autoupdate1.dir\ ->  [Folder | Modified Date = 4/29/2008 8:34:40 PM | Attr =	]
boost_date_time-vc71-mt-1_32.dll -> C:\WINDOWS\Temp\sophos_autoupdate1.dir\boost_date_time-vc71-mt-1_32.dll ->  [Ver =  | Size = 45056 bytes | Modified Date = 11/16/2007 5:26:34 PM | Attr =	]
ChannelUpdater.dll -> C:\WINDOWS\Temp\sophos_autoupdate1.dir\ChannelUpdater.dll -> Sophos Plc [Ver = 1.1.8.161 | Size = 94208 bytes | Modified Date = 3/19/2008 1:06:23 PM | Attr =	]
CidSync.dll -> C:\WINDOWS\Temp\sophos_autoupdate1.dir\CidSync.dll -> Sophos Plc [Ver = 3.2.3.131 | Size = 176128 bytes | Modified Date = 11/16/2007 5:26:36 PM | Attr =	]
crypto.dll -> C:\WINDOWS\Temp\sophos_autoupdate1.dir\crypto.dll ->  [Ver =  | Size = 20480 bytes | Modified Date = 11/16/2007 5:26:36 PM | Attr =	]
libcurl.dll -> C:\WINDOWS\Temp\sophos_autoupdate1.dir\libcurl.dll -> The cURL library, http://curl.haxx.se/ [Ver = 7.15.0 | Size = 159744 bytes | Modified Date = 1/11/2007 8:38:01 AM | Attr =	]
libeay32.dll -> C:\WINDOWS\Temp\sophos_autoupdate1.dir\libeay32.dll ->  [Ver =  | Size = 745472 bytes | Modified Date = 11/16/2007 5:26:32 PM | Attr =	]
MSVCP71.DLL -> C:\WINDOWS\Temp\sophos_autoupdate1.dir\MSVCP71.DLL -> Microsoft Corporation [Ver = 7.10.3077.0 | Size = 499712 bytes | Modified Date = 3/9/2005 10:25:34 AM | Attr =	]
MSVCR71.DLL -> C:\WINDOWS\Temp\sophos_autoupdate1.dir\MSVCR71.DLL -> Microsoft Corporation [Ver = 7.10.3052.4 | Size = 348160 bytes | Modified Date = 3/9/2005 10:26:04 AM | Attr =	]
retailer.dll -> C:\WINDOWS\Temp\sophos_autoupdate1.dir\retailer.dll -> Sophos Plc [Ver = 1.1.7.144 | Size = 208896 bytes | Modified Date = 11/16/2007 5:26:39 PM | Attr =	]
SharedRes.dll -> C:\WINDOWS\Temp\sophos_autoupdate1.dir\SharedRes.dll -> Sophos Plc [Ver = 1.4.38.131 | Size = 18432 bytes | Modified Date = 11/16/2007 5:26:39 PM | Attr =	]
xmlcpp.dll -> C:\WINDOWS\Temp\sophos_autoupdate1.dir\xmlcpp.dll ->  [Ver =  | Size = 14336 bytes | Modified Date = 11/16/2007 5:26:37 PM | Attr =	]
xmlparse.dll -> C:\WINDOWS\Temp\sophos_autoupdate1.dir\xmlparse.dll ->  [Ver =  | Size = 57344 bytes | Modified Date = 11/16/2007 5:26:31 PM | Attr =	]
xmltok.dll -> C:\WINDOWS\Temp\sophos_autoupdate1.dir\xmltok.dll ->  [Ver =  | Size = 73728 bytes | Modified Date = 11/16/2007 5:26:33 PM | Attr =	]
C:\WINDOWS\Temp\ -> C:\WINDOWS\Temp ->  [Folder | Modified Date = 4/29/2008 10:37:39 PM | Attr =	]
Perflib_Perfdata_6a0.dat -> C:\WINDOWS\Temp\Perflib_Perfdata_6a0.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 4/29/2008 8:35:10 PM | Attr =	]
C:\WINDOWS\Temp\sophos_autoupdate1.dir\ -> C:\WINDOWS\Temp\sophos_autoupdate1.dir\ ->  [Folder | Modified Date = 4/29/2008 8:34:40 PM | Attr =	]
scf.dat -> C:\WINDOWS\Temp\sophos_autoupdate1.dir\scf.dat ->  [Ver =  | Size = 2970 bytes | Modified Date = 3/19/2008 1:06:16 PM | Attr =	]
C:\WINDOWS\Temp\sophos_autoupdate1.dir\ -> C:\WINDOWS\Temp\sophos_autoupdate1.dir\ ->  [Folder | Modified Date = 4/29/2008 8:34:40 PM | Attr =	]
ALUpdate.exe -> C:\WINDOWS\Temp\sophos_autoupdate1.dir\ALUpdate.exe -> Sophos Plc [Ver = 5.5.15.161 | Size = 606208 bytes | Modified Date = 3/19/2008 1:06:18 PM | Attr =	]
C:\WINDOWS\Temp\sophos_autoupdate1.dir\ -> C:\WINDOWS\Temp\sophos_autoupdate1.dir\ ->  [Folder | Modified Date = 4/29/2008 8:34:40 PM | Attr =	]
boost_date_time-vc71-mt-1_32.dll -> C:\WINDOWS\Temp\sophos_autoupdate1.dir\boost_date_time-vc71-mt-1_32.dll ->  [Ver =  | Size = 45056 bytes | Modified Date = 11/16/2007 5:26:34 PM | Attr =	]
ChannelUpdater.dll -> C:\WINDOWS\Temp\sophos_autoupdate1.dir\ChannelUpdater.dll -> Sophos Plc [Ver = 1.1.8.161 | Size = 94208 bytes | Modified Date = 3/19/2008 1:06:23 PM | Attr =	]
CidSync.dll -> C:\WINDOWS\Temp\sophos_autoupdate1.dir\CidSync.dll -> Sophos Plc [Ver = 3.2.3.131 | Size = 176128 bytes | Modified Date = 11/16/2007 5:26:36 PM | Attr =	]
crypto.dll -> C:\WINDOWS\Temp\sophos_autoupdate1.dir\crypto.dll ->  [Ver =  | Size = 20480 bytes | Modified Date = 11/16/2007 5:26:36 PM | Attr =	]
libcurl.dll -> C:\WINDOWS\Temp\sophos_autoupdate1.dir\libcurl.dll -> The cURL library, http://curl.haxx.se/ [Ver = 7.15.0 | Size = 159744 bytes | Modified Date = 1/11/2007 8:38:01 AM | Attr =	]
libeay32.dll -> C:\WINDOWS\Temp\sophos_autoupdate1.dir\libeay32.dll ->  [Ver =  | Size = 745472 bytes | Modified Date = 11/16/2007 5:26:32 PM | Attr =	]
MSVCP71.DLL -> C:\WINDOWS\Temp\sophos_autoupdate1.dir\MSVCP71.DLL -> Microsoft Corporation [Ver = 7.10.3077.0 | Size = 499712 bytes | Modified Date = 3/9/2005 10:25:34 AM | Attr =	]
MSVCR71.DLL -> C:\WINDOWS\Temp\sophos_autoupdate1.dir\MSVCR71.DLL -> Microsoft Corporation [Ver = 7.10.3052.4 | Size = 348160 bytes | Modified Date = 3/9/2005 10:26:04 AM | Attr =	]
retailer.dll -> C:\WINDOWS\Temp\sophos_autoupdate1.dir\retailer.dll -> Sophos Plc [Ver = 1.1.7.144 | Size = 208896 bytes | Modified Date = 11/16/2007 5:26:39 PM | Attr =	]
SharedRes.dll -> C:\WINDOWS\Temp\sophos_autoupdate1.dir\SharedRes.dll -> Sophos Plc [Ver = 1.4.38.131 | Size = 18432 bytes | Modified Date = 11/16/2007 5:26:39 PM | Attr =	]
xmlcpp.dll -> C:\WINDOWS\Temp\sophos_autoupdate1.dir\xmlcpp.dll ->  [Ver =  | Size = 14336 bytes | Modified Date = 11/16/2007 5:26:37 PM | Attr =	]
xmlparse.dll -> C:\WINDOWS\Temp\sophos_autoupdate1.dir\xmlparse.dll ->  [Ver =  | Size = 57344 bytes | Modified Date = 11/16/2007 5:26:31 PM | Attr =	]
xmltok.dll -> C:\WINDOWS\Temp\sophos_autoupdate1.dir\xmltok.dll ->  [Ver =  | Size = 73728 bytes | Modified Date = 11/16/2007 5:26:33 PM | Attr =	]
C:\WINDOWS\Temp\ -> C:\WINDOWS\Temp ->  [Folder | Modified Date = 4/29/2008 10:37:39 PM | Attr =	]
Perflib_Perfdata_6a0.dat -> C:\WINDOWS\Temp\Perflib_Perfdata_6a0.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 4/29/2008 8:35:10 PM | Attr =	]
C:\WINDOWS\Temp\sophos_autoupdate1.dir\ -> C:\WINDOWS\Temp\sophos_autoupdate1.dir\ ->  [Folder | Modified Date = 4/29/2008 8:34:40 PM | Attr =	]
scf.dat -> C:\WINDOWS\Temp\sophos_autoupdate1.dir\scf.dat ->  [Ver =  | Size = 2970 bytes | Modified Date = 3/19/2008 1:06:16 PM | Attr =	]

< End of report >

I cannot give you a copy of F-Secure's report due to the browser closing. The computer still displays a Malware warning at the opening of IE.

Thanks for all the help. I hope I gave you all that you asked for without screwing up too badly. Let me know if I should run the Kaspersky Online Scanner.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#4 OldTimer

Posted 29 April 2008 - 10:53 PM

Hey Rigel. I think I know what it is. I thought these were part of the network's proxy but I bet they are not lol. Run the fix below.

Start OTScanIt. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Registry - Non-Microsoft Only]
< SSODL [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
YN -> {66186F05-BBBB-4a39-864F-72D84615C679} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [WebProxy]
[Files/Folders - Created Within 30 days]
NY -> sockins32.dll -> %SystemRoot%\System32\sockins32.dll
NY -> homepage.html -> %SystemRoot%\homepage.html
[Files/Folders - Modified Within 30 days]
NY -> sockins32.dll -> %SystemRoot%\System32\sockins32.dll
NY -> homepage.html -> %SystemRoot%\homepage.html
[Empty Temp Folders]
[Start Explorer]

The fix should only take a very short time. When the fix is completed either a message box will popup telling you that it is finished or you will be asked to reboot to finish the fix. If it is finished, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that information back here.
I will review the information when it comes back in.

There is also probably an ActiveX that goes with that dll so let's see if that is installed.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • Click the None button on the toolbar.
  • Under Additional Scans click the checkboxes in front of the following items to select them:

    • Reg - ActiveX StubPath
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. Make sure that the first line is code with brackets around it [] and that the last line is /code with brackets around it [].

If, after posting, the last line is not <End of Report> then the log is too big to fit into a single post and you will need to split it into multiple posts or attach it as a file.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

#5 rigel

Posted 30 April 2008 - 08:06 AM

Good morning OT!

Log after fix: code tags added - end of report not noted on this log.
Explorer killed successfully
[Registry - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebProxy deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{66186F05-BBBB-4a39-864F-72D84615C679}\ not found.
[Files/Folders - Created Within 30 days]
C:\WINDOWS\System32\sockins32.dll unregistered successfully.
C:\WINDOWS\System32\sockins32.dll moved successfully.
C:\WINDOWS\homepage.html moved successfully.
[Files/Folders - Modified Within 30 days]
File C:\WINDOWS\System32\sockins32.dll not found!
File C:\WINDOWS\homepage.html not found!
[Empty Temp Folders]
File delete failed. C:\Documents and Settings\administrator\Local Settings\Temporary Internet Files\Content.IE5\QBAZFRR7\topic144490[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\administrator\Local Settings\Temporary Internet Files\Content.IE5\01Q8UZ0D\iframe[2].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\administrator\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\hlktmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_31c.dat scheduled to be deleted on reboot.
User temp folders emptied.
SystemRoot temp folder emptied.
IE temp folders emptied
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt by OldTimer - Version 1.0.11.8 fix logfile created on 04302008_083437

Files moved on Reboot...
C:\Documents and Settings\administrator\Local Settings\Temporary Internet Files\Content.IE5\QBAZFRR7\topic144490[1].htm moved successfully.
C:\Documents and Settings\administrator\Local Settings\Temporary Internet Files\Content.IE5\01Q8UZ0D\iframe[2].htm moved successfully.
C:\Documents and Settings\administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat moved successfully.
C:\Documents and Settings\administrator\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat moved successfully.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\hlktmp scheduled to be moved on reboot.
File C:\WINDOWS\temp\Perflib_Perfdata_31c.dat not found!

Log file checking activex
OTScanIt logfile created on: 4/30/2008 8:53:17 AM
OTScanIt by OldTimer - Version 1.0.11.8	 Folder = C:\Documents and Settings\administrator\Desktop\OTScanIt
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
503.36 Mb Total Physical Memory | 183.07 Mb Available Physical Memory | 36.37% Memory free
1.20 Gb Paging File | 0.91 Gb Available in Paging File | 76.26% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512;
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 17.92 Gb Free Space | 48.10% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: FDJ-V05-LAPTOP
Current User Name: Administrator
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: All users

[Registry - Additional Scans - Non-Microsoft Only]
< ActiveX StubPath [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\ -> 
{08B0E5C0-4FCB-11CF-AAA5-00401C608500} [HKEY_LOCAL_MACHINE] -> C:\WINDOWS\system32\java.exe [(default): Java (Sun); IsInstalled: 1] ->  [Ver =  | Size = 45161 bytes | Modified Date = 6/3/2004 9:09:14 PM | Attr =	]
{0fde1f56-0d59-4fd7-9624-e3df6b419d0e} [HKEY_LOCAL_MACHINE] ->  [(default): Internet Explorer ReadMe; IsInstalled: 01 00 00 00  [binary data]] -> 
{0fde1f56-0d59-4fd7-9624-e3df6b419d0f} [HKEY_LOCAL_MACHINE] ->  [(default): IEEX; IsInstalled: 01 00 00 00  [binary data]] -> 
{10072CEC-8CC1-11D1-986E-00A0C955B42F} [HKEY_LOCAL_MACHINE] ->  [(default): Vector Graphics Rendering (VML); IsInstalled: 1] -> 
{166B1BCA-3F9C-11CF-8075-444553540000} [HKEY_LOCAL_MACHINE] ->  [(default): Macromedia Shockwave Director 10.0.1; IsInstalled: 01 00 00 00  [binary data]] -> 
{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} [StubPath] ->  [ComponentID: NetShow; IsInstalled: 1] -> 
{22d6f312-b0f6-11d0-94ab-0080c74c7e95} [StubPath] ->  [(default): Microsoft Windows Media Player 6.4; IsInstalled: 1] -> 
{233C1507-6A77-46A4-9443-F871F945D258} [HKEY_LOCAL_MACHINE] ->  [(default): Adobe Shockwave Director 10.1.3; IsInstalled: 01 00 00 00  [binary data]] -> 
{283807B5-2C60-11D0-A31D-00AA00B92C03} [HKEY_LOCAL_MACHINE] ->  [(default): DirectAnimation; IsInstalled: 1] -> 
{2A202491-F00D-11cf-87CC-0020AFEECF20} [HKEY_LOCAL_MACHINE] ->  [(default): Adobe Shockwave Director 10.1.3; IsInstalled: 01 00 00 00  [binary data]] -> 
{2C7339CF-2B09-4501-B3F3-F3508C9228ED} [StubPath] -> %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll [(default): Themes Setup; IsInstalled: 1] -> 
{36f8ec70-c29a-11d1-b5c7-0000f8051515} [HKEY_LOCAL_MACHINE] ->  [(default): Dynamic HTML Data Binding for Java; IsInstalled: 1] -> 
{3af36230-a269-11d1-b5bf-0000f8051515} [HKEY_LOCAL_MACHINE] ->  [(default): Offline Browsing Pack; IsInstalled: 1] -> 
{3bf42070-b3b1-11d1-b5c5-0000f8051515} [HKEY_LOCAL_MACHINE] ->  [(default): Uniscribe; IsInstalled: 1] -> 
{411EDCF7-755D-414E-A74B-3DCD6583F589} [HKEY_LOCAL_MACHINE] ->  [(default): Microsoft .NET Framework 1.1 Service Pack 1 (KB867460); IsInstalled: 1] -> 
{4278c270-a269-11d1-b5bf-0000f8051515} [HKEY_LOCAL_MACHINE] ->  [(default): Advanced Authoring; IsInstalled: 1] -> 
{44BBA840-CC51-11CF-AAFA-00AA00B6015C} [StubPath] -> "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install [(default): Microsoft Outlook Express 6; IsInstalled: 1] -> 
{44BBA842-CC51-11CF-AAFA-00AA00B6015B} [StubPath] -> rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT [(default): NetMeeting 3.01; IsInstalled: 01 00 00 00  [binary data]] -> 
{44BBA848-CC51-11CF-AAFA-00AA00B6015C} [HKEY_LOCAL_MACHINE] ->  [(default): DirectShow; IsInstalled: 1] -> 
{44BBA855-CC51-11CF-AAFA-00AA00B6015F} [HKEY_LOCAL_MACHINE] ->  [(default): DirectDrawEx; IsInstalled: 1] -> 
{45ea75a0-a269-11d1-b5bf-0000f8051515} [HKEY_LOCAL_MACHINE] ->  [(default): Internet Explorer Help; IsInstalled: 1] -> 
{4f216970-c90c-11d1-b5c7-0000f8051515} [HKEY_LOCAL_MACHINE] ->  [(default): DirectAnimation Java Classes; IsInstalled: 1] -> 
{4f645220-306d-11d2-995d-00c04f98bbc9} [HKEY_LOCAL_MACHINE] ->  [(default): Microsoft Windows Script 5.6; IsInstalled: 1] -> 
{5945c046-1e7d-11d1-bc44-00c04fd912be} [StubPath] -> rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser [(default): Windows Messenger 4.7; IsInstalled: 1] -> 
{5A8D6EE0-3E18-11D0-821E-444553540000} [HKEY_LOCAL_MACHINE] -> Reg Error: Value  does not exist or could not be read. [ComponentID: ICW; IsInstalled: 1] -> File not found
{5fd399c0-a70a-11d1-9948-00c04f98bbc9} [HKEY_LOCAL_MACHINE] ->  [(default): Internet Explorer Setup Tools; IsInstalled: 1] -> 
{630b1da0-b465-11d1-9948-00c04f98bbc9} [HKEY_LOCAL_MACHINE] ->  [(default): Browsing Enhancements; IsInstalled: 1] -> 
{6BF52A52-394A-11d3-B153-00C04F79FAA6} [StubPath] -> rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub [(default): Microsoft Windows Media Player; IsInstalled: 1] -> 
{6fab99d0-bab8-11d1-994a-00c04f98bbc9} [HKEY_LOCAL_MACHINE] ->  [(default): MSN Site Access; IsInstalled: 1] -> 
{73FA19D0-2D75-11D2-995D-00C04F98BBC9} [StubPath] ->  [(default): Web Folders; IsInstalled: 1] -> 
{7790769C-0471-11d2-AF11-00C04FA35D02} [StubPath] -> "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install [(default): Address Book 5; IsInstalled: 1] -> 
{89820200-ECBD-11cf-8B85-00AA005B4340} [StubPath] -> regsvr32.exe /s /n /i:U shell32.dll [(default): Windows Desktop Update; IsInstalled: 1] -> 
{89820200-ECBD-11cf-8B85-00AA005B4383} [StubPath] -> C:\WINDOWS\system32\ie4uinit.exe -BaseSettings [(default): Internet Explorer; IsInstalled: 1] -> 
{89B4C1CD-B018-4511-B0A1-5476DBF70820} [StubPath] -> C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install [ComponentID: DOTNETFRAMEWORKS; IsInstalled: 1] -> 
{8D1D0E9A-C799-4D28-9E29-0061D1E66E43} [HKEY_LOCAL_MACHINE] ->  [(default): Microsoft .NET Framework 1.1 Hotfix (KB928366); IsInstalled: 1] -> 
{9381D8F2-0288-11D0-9501-00AA00B911A5} [HKEY_LOCAL_MACHINE] ->  [(default): Dynamic HTML Data Binding; IsInstalled: 1] -> 
{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11} [StubPath] -> %SystemRoot%\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl [(default): CRLUpdate; IsInstalled: 1] -> 
{C9E9A340-D1F1-11D0-821E-444553540600} [HKEY_LOCAL_MACHINE] ->  [(default): Internet Explorer Core Fonts; IsInstalled: 1] -> 
{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} [HKEY_LOCAL_MACHINE] ->  [(default): .NET Framework] -> 
{CC2A9BA0-3BDD-11D0-821E-444553540000} [HKEY_LOCAL_MACHINE] ->  [(default): Task Scheduler; IsInstalled: 1] -> 
{CDD7975E-60F8-41d5-8149-19E51D6F71D0} [HKEY_LOCAL_MACHINE] -> Reg Error: Value  does not exist or could not be read. [ComponentID: Windows Movie Maker v2.1; IsInstalled: 01 00 00 00  [binary data]] -> File not found
{D27CDB6E-AE6D-11cf-96B8-444553540000} [HKEY_LOCAL_MACHINE] ->  [(default): Adobe Flash Player; IsInstalled: 01 00 00 00  [binary data]] -> 
{de5aed00-a4bf-11d1-9948-00c04f98bbc9} [HKEY_LOCAL_MACHINE] ->  [(default): HTML Help; IsInstalled: 1] -> 
{E92B03AB-B707-11d2-9CBD-0000F87A369E} [HKEY_LOCAL_MACHINE] ->  [(default): Active Directory Service Interface; IsInstalled: 01 00 00 00  [binary data]] -> 
<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} [StubPath] -> C:\WINDOWS\system32\ieudinit.exe [(default): IE7 Uninstall Stub; IsInstalled: 1] -> 
>{22d6f312-b0f6-11d0-94ab-0080c74c7e95} [StubPath] -> C:\WINDOWS\inf\unregmp2.exe /ShowWMP [(default): Windows Media Player; IsInstalled: 0] -> 
>{26923b43-4d38-484f-9b9e-de460746276c} [StubPath] -> C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig [(default): Internet Explorer; IsInstalled: 1] -> 
>{60B49E34-C7CC-11D0-8953-00A0C90347FF} [StubPath] -> RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP [(default): Browser Customizations; IsInstalled: 1] -> 
>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS [StubPath] -> RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP [(default): Browser Customizations; IsInstalled: 1] -> 
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a} [StubPath] -> %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE [(default): Outlook Express; IsInstalled: 1] -> 
< ActiveX StubPath [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\ -> 
{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} [HKEY_LOCAL_MACHINE] ->  [HKLM: Microsoft NetShow Player] -> 
{22d6f312-b0f6-11d0-94ab-0080c74c7e95} [HKEY_LOCAL_MACHINE] ->  [HKLM: Windows Media Player] -> 
{2C7339CF-2B09-4501-B3F3-F3508C9228ED} [HKEY_LOCAL_MACHINE] ->  [(no name)] -> 
{44BBA840-CC51-11CF-AAFA-00AA00B6015C} [HKEY_LOCAL_MACHINE] ->  [(no name)] -> 
{44BBA842-CC51-11CF-AAFA-00AA00B6015B} [HKEY_LOCAL_MACHINE] ->  [(no name)] -> 
{44BBA848-CC51-11CF-AAFA-00AA00B6015C} [HKEY_LOCAL_MACHINE] ->  [(no name)] -> 
{5945c046-1e7d-11d1-bc44-00c04fd912be} [HKEY_LOCAL_MACHINE] ->  [(no name)] -> 
{6BF52A52-394A-11d3-B153-00C04F79FAA6} [HKEY_LOCAL_MACHINE] ->  [HKLM: Windows Media Player] -> 
{73FA19D0-2D75-11D2-995D-00C04F98BBC9} [HKEY_LOCAL_MACHINE] ->  [(no name)] -> 
{7790769C-0471-11d2-AF11-00C04FA35D02} [HKEY_LOCAL_MACHINE] ->  [(no name)] -> 
{89820200-ECBD-11cf-8B85-00AA005B4340} [HKEY_LOCAL_MACHINE] ->  [(no name)] -> 
{89820200-ECBD-11cf-8B85-00AA005B4383} [HKEY_LOCAL_MACHINE] ->  [(no name)] -> 
{89B4C1CD-B018-4511-B0A1-5476DBF70820} [HKEY_LOCAL_MACHINE] -> Reg Error: Value  does not exist or could not be read. [(no name)] -> File not found
{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11} [HKEY_LOCAL_MACHINE] ->  [(no name)] -> 
<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} [HKEY_LOCAL_MACHINE] ->  [(no name)] -> 
>{26923b43-4d38-484f-9b9e-de460746276c} [HKEY_LOCAL_MACHINE] ->  [(no name)] -> 
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a} [HKEY_LOCAL_MACHINE] ->  [(no name)] -> 
< ActiveX StubPath [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Active Setup\Installed Components\ -> 
{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [HKLM: Microsoft NetShow Player] -> File not found
{22d6f312-b0f6-11d0-94ab-0080c74c7e95} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [HKLM: Windows Media Player] -> File not found
{44BBA842-CC51-11CF-AAFA-00AA00B6015B} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [(no name)] -> File not found
{44BBA848-CC51-11CF-AAFA-00AA00B6015C} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [(no name)] -> File not found
{6BF52A52-394A-11d3-B153-00C04F79FAA6} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [HKLM: Windows Media Player] -> File not found
< ActiveX StubPath [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Active Setup\Installed Components\ -> 
{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [HKLM: Microsoft NetShow Player] -> File not found
{22d6f312-b0f6-11d0-94ab-0080c74c7e95} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [HKLM: Windows Media Player] -> File not found
{44BBA842-CC51-11CF-AAFA-00AA00B6015B} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [(no name)] -> File not found
{44BBA848-CC51-11CF-AAFA-00AA00B6015C} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [(no name)] -> File not found
{6BF52A52-394A-11d3-B153-00C04F79FAA6} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [HKLM: Windows Media Player] -> File not found
< ActiveX StubPath [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Active Setup\Installed Components\ -> 
{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [HKLM: Microsoft NetShow Player] -> File not found
{22d6f312-b0f6-11d0-94ab-0080c74c7e95} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [HKLM: Windows Media Player] -> File not found
{44BBA842-CC51-11CF-AAFA-00AA00B6015B} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [(no name)] -> File not found
{44BBA848-CC51-11CF-AAFA-00AA00B6015C} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [(no name)] -> File not found
{6BF52A52-394A-11d3-B153-00C04F79FAA6} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [HKLM: Windows Media Player] -> File not found
< ActiveX StubPath [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Active Setup\Installed Components\ -> 
{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [HKLM: Microsoft NetShow Player] -> File not found
{22d6f312-b0f6-11d0-94ab-0080c74c7e95} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [HKLM: Windows Media Player] -> File not found
{44BBA842-CC51-11CF-AAFA-00AA00B6015B} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [(no name)] -> File not found
{44BBA848-CC51-11CF-AAFA-00AA00B6015C} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [(no name)] -> File not found
{6BF52A52-394A-11d3-B153-00C04F79FAA6} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [HKLM: Windows Media Player] -> File not found
< ActiveX StubPath [HKEY_USERS\S-1-5-21-1481906607-906242103-959738221-500\] > -> HKEY_USERS\S-1-5-21-1481906607-906242103-959738221-500\SOFTWARE\Microsoft\Active Setup\Installed Components\ -> 
{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [HKLM: Microsoft NetShow Player] -> File not found
{22d6f312-b0f6-11d0-94ab-0080c74c7e95} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [HKLM: Windows Media Player] -> File not found
{2C7339CF-2B09-4501-B3F3-F3508C9228ED} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [(no name)] -> File not found
{44BBA840-CC51-11CF-AAFA-00AA00B6015C} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [(no name)] -> File not found
{44BBA842-CC51-11CF-AAFA-00AA00B6015B} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [(no name)] -> File not found
{44BBA848-CC51-11CF-AAFA-00AA00B6015C} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [(no name)] -> File not found
{5945c046-1e7d-11d1-bc44-00c04fd912be} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [(no name)] -> File not found
{66186F05-BBBB-4a39-864F-72D84615C679} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [(no name)] -> File not found
{6BF52A52-394A-11d3-B153-00C04F79FAA6} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [HKLM: Windows Media Player] -> File not found
{73FA19D0-2D75-11D2-995D-00C04F98BBC9} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [(no name)] -> File not found
{7790769C-0471-11d2-AF11-00C04FA35D02} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [(no name)] -> File not found
{89820200-ECBD-11cf-8B85-00AA005B4340} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [(no name)] -> File not found
{89820200-ECBD-11cf-8B85-00AA005B4383} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [(no name)] -> File not found
{89B4C1CD-B018-4511-B0A1-5476DBF70820} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [(no name)] -> File not found
{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [(no name)] -> File not found
<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [(no name)] -> File not found
>{26923b43-4d38-484f-9b9e-de460746276c} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [(no name)] -> File not found
>{60B49E34-C7CC-11D0-8953-00A0C90347FF} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [(no name)] -> File not found
>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [(no name)] -> File not found
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [(no name)] -> File not found


< End of report >

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. Will Smith


#6 OldTimer

Posted 30 April 2008 - 11:51 AM

Hi Rigel. Yup it's in there. Let's get rid of it.

Start OTScanIt. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Registry - Additional Scans - Non-Microsoft Only]
< ActiveX StubPath [HKEY_USERS\S-1-5-21-1481906607-906242103-959738221-500\] > -> HKEY_USERS\S-1-5-21-1481906607-906242103-959738221-500\SOFTWARE\Microsoft\Active Setup\Installed Components\
YN -> {66186F05-BBBB-4a39-864F-72D84615C679} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [(no name)]

The fix should only take a very short time. When the fix is completed either a message box will popup telling you that it is finished or you will be asked to reboot to finish the fix. If it is finished, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that information back here.
I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

Other than that how are things running now? Any more messages when IE starts? Any other issues?

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
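
For readers triaging a log like the one above, here is an added example (not part of OTScanIt and not written by either poster). It parses the ActiveX StubPath section and lists, per user hive, the unnamed entries with no HKLM counterpart that do not also appear in a service-account hive. The function names and the filtering heuristic are assumptions of this example; the heuristic only narrows the list for manual review.

```python
import re
from collections import defaultdict

# Sample input: a few lines copied from the scan log in this thread.
SAMPLE_LOG = r"""
< ActiveX StubPath [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Active Setup\Installed Components\ ->
{22d6f312-b0f6-11d0-94ab-0080c74c7e95} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [HKLM: Windows Media Player] -> File not found
{44BBA842-CC51-11CF-AAFA-00AA00B6015B} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [(no name)] -> File not found
< ActiveX StubPath [HKEY_USERS\S-1-5-21-1481906607-906242103-959738221-500\] > -> HKEY_USERS\S-1-5-21-1481906607-906242103-959738221-500\SOFTWARE\Microsoft\Active Setup\Installed Components\ ->
{22d6f312-b0f6-11d0-94ab-0080c74c7e95} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [HKLM: Windows Media Player] -> File not found
{44BBA842-CC51-11CF-AAFA-00AA00B6015B} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [(no name)] -> File not found
{66186F05-BBBB-4a39-864F-72D84615C679} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [(no name)] -> File not found
>{26923b43-4d38-484f-9b9e-de460746276c} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [(no name)] -> File not found
< End of report >
"""

HEADER = re.compile(r"^< ActiveX StubPath \[HKEY_USERS\\(?P<sid>[^\\\]]+)\\\] >")
# Key names may carry a leading '<' or '>' and a suffix after the closing brace.
ENTRY = re.compile(r"^(?P<key>[<>]?\{[^}]+\}\S*) \[HKEY_LOCAL_MACHINE\] -> "
                   r"(?P<hklm>.*?) \[(?P<name>[^\]]*)\] -> (?P<file>.*)$")
SERVICE_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}  # LocalSystem, LocalService, NetworkService

def parse_stubpaths(log):
    """Return {sid: {KEY_NAME: {"name": ..., "hklm": ...}}} for each StubPath section."""
    hives, sid = defaultdict(dict), None
    for line in log.splitlines():
        line = line.strip()
        if m := HEADER.match(line):
            sid = m["sid"]
        elif line.startswith("< "):          # any other section header ends the block
            sid = None
        elif sid and (m := ENTRY.match(line)):
            # Registry key names are case-insensitive, so normalise before comparing hives.
            hives[sid][m["key"].upper()] = {"name": m["name"], "hklm": m["hklm"]}
    return dict(hives)

def user_only_entries(hives):
    """Unnamed per-user entries with no HKLM key that no service-account hive also has."""
    baseline = {k for sid in hives if sid in SERVICE_SIDS for k in hives[sid]}
    return {
        sid: sorted(k for k, e in entries.items()
                    if k not in baseline and e["name"] == "(no name)"
                    and e["hklm"].startswith("Reg Error"))
        for sid, entries in hives.items() if sid not in SERVICE_SIDS
    }

if __name__ == "__main__":
    print(user_only_entries(parse_stubpaths(SAMPLE_LOG)))
```
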


#7 rigel

Posted 30 April 2008 - 12:09 PM

[Registry - Additional Scans - Non-Microsoft Only]
Registry value HKEY_USERS\S-1-5-21-1481906607-906242103-959738221-500\SOFTWARE\Microsoft\Active Setup\Installed Components\{66186F05-BBBB-4a39-864F-72D84615C679}\\StubPath not found.
< End of fix log >
OTScanIt by OldTimer - Version 1.0.11.8 fix logfile created on 04302008_130516

No more notices about spyware... so far :thumbsup: I am going to reboot a few times just to make sure... brb



#8 rigel

Posted 30 April 2008 - 12:21 PM

Well done OT!!! It looks clean, smells clean, squeaks when I close the lid.

Thank you!



#9 OldTimer

Posted 30 April 2008 - 12:43 PM

Excellent! Now let's do some final cleanup to reset the System Restore points and remove all of the tools we used during the fix and then you are all set.

Step #1

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check Turn off System Restore.
  • Click Apply, and then click OK.

System Restore will now be active again.

Step #2

To remove all of the tools we used and the files and folders they created do the following:
  • Start OTScanIt
  • Click the CleanUp button
  • OTScanIt will download a small file from the Internet. If a security program or firewall warns you of this allow it to download.
  • OTScanIt will delete any tools downloaded and files/folders created and then ask you to reboot so it can remove itself. Click Yes.
After that you are good to go.

Cheers.

OT

#10 rigel

Posted 30 April 2008 - 03:00 PM

Thanks OT - done.

I hope you enjoy a meal on me... Ok, a burger and a shake, but that's all the money I had :thumbsup:



#11 OldTimer

Posted 30 April 2008 - 05:12 PM

You are very welcome Rigel. I'll take that burger and a shake lol.

I will now close this topic. If you have any new malware related questions or issues in the future please start a new topic.

Cheers and Happy Computing !

OT :thumbsup: