
Please Analyse My HJT Log


This topic is locked
14 replies to this topic

#1 siddhant

  • Members
  • 30 posts

Posted 19 August 2008 - 11:32 AM

Hi guys, it's me again, lol. This time it's for my friend though; he has a new comp and 2885 infected files. I downloaded HJT and OTScanIt and I'm posting HJT logs. He also does not have any antivirus programs, his download speed is at 6 KBps on a 256 kbps connection, and he has Windows XP. Most of the infected files are infected with the cyber terrorist virus, with loads of spyware and adware too. You guys are the only ones that can help, so ty again people.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:27:15 PM, on 8/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\csrcs.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\FixCamera.exe
C:\WINDOWS\tsnp2std.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\rhcgjej0evb1\rhcgjej0evb1.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\pphcljej0evb1.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\DOCUME~1\ASHOK\LOCALS~1\Temp\1.tmp.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\DOCUME~1\ASHOK\LOCALS~1\Temp\5.tmp
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\faceback.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe csrcs.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - C:\WINDOWS\system32\msxml71.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [FixCamera] C:\WINDOWS\FixCamera.exe
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\faceback1688.exe 61A847B5BBF72813349330466188719AB689201522886B092CBD44BD8689220221DD325762E902BC9ED7286138F75F2F0C8D6E84A1EF7F506DCD610837F817EBCA9D775A67
O4 - HKLM\..\Run: [lphcljej0evb1] C:\WINDOWS\system32\lphcljej0evb1.exe
O4 - HKLM\..\Run: [SMrhcgjej0evb1] C:\Program Files\rhcgjej0evb1\rhcgjej0evb1.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [EPSON Stylus CX5500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICAP.EXE /FU "C:\WINDOWS\TEMP\E_SA9.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SRS Audio Sandbox] "C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe" /hideme
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Somefox] C:\DOCUME~1\ASHOK\LOCALS~1\Temp\1.tmp.exe
O4 - HKLM\..\Policies\Explorer\Run: [csrcs] C:\WINDOWS\system32\csrcs.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{31093CED-C67F-46B8-A87E-42987CC120F8}: NameServer = 218.248.255.162 218.248.255.139
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 9618 bytes
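An added example (the editor's own code, not HijackThis's and not anything posted in this thread) that parses entry lines like the ones in the log above and flags what a helper checks first: an F2 Shell= value that loads an extra process, O4 autostarts from temporary directories or the Policies\Explorer\Run key, random-looking executable names, and the O17 DNS resolvers, which should be confirmed against the ISP's. The sample lines are copied from the log; the rules are the editor's heuristics and mark entries for review, not as malware.

```python
"""Heuristic triage of HijackThis (HJT) log entries.

Added example for this thread; not part of HijackThis or the forum's
tooling. It parses the R/F/O entry lines of an HJT log and flags the
indicators a helper typically checks first. The rules are the editor's
own heuristics, so a hit means "review this", not "malware".
"""
import re
from dataclasses import dataclass

# Constructed sample: entry lines copied from the first log in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
F2 - REG:system.ini: Shell=Explorer.exe csrcs.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [lphcljej0evb1] C:\WINDOWS\system32\lphcljej0evb1.exe
O4 - HKCU\..\Run: [Somefox] C:\DOCUME~1\ASHOK\LOCALS~1\Temp\1.tmp.exe
O4 - HKLM\..\Policies\Explorer\Run: [csrcs] C:\WINDOWS\system32\csrcs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{31093CED-C67F-46B8-A87E-42987CC120F8}: NameServer = 218.248.255.162 218.248.255.139
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
"""

ENTRY_RE = re.compile(r"^(?P<section>R[0-3]|F[0-3]|O\d{1,2}) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<key>.*?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Rotating dropper-style names: one lowercase run of letters and digits,
# no separators, at least ten characters long (heuristic, review only).
RANDOM_NAME_RE = re.compile(r"^(?=.*[a-z])(?=.*\d)[a-z0-9]{10,}$")


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def _exe_stem(cmd: str) -> str:
    """Bare file name (no directory, no extension) of the launched program."""
    cmd = cmd.strip()
    if cmd.startswith('"'):          # quoted path, possibly followed by args
        path = cmd.split('"')[1]
    else:
        parts = cmd.split()
        path = parts[0] if parts else ""
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0]


def _check_f2(body: str, line: str):
    """F2: anything loaded next to Explorer.exe in the Shell= value."""
    m = re.search(r"Shell=(.*)$", body, re.IGNORECASE)
    if not m:
        return
    extra = [p for p in m.group(1).split() if p.lower() != "explorer.exe"]
    if extra:
        yield Finding("F2", f"shell hijack: {' '.join(extra)} starts with the Windows shell", line)


def _check_o4(body: str, line: str):
    """O4: autostart location and executable-name heuristics."""
    m = O4_RE.match(body)
    if not m:
        return
    key, cmd = m.group("key"), m.group("cmd")
    if re.search(r"\\(temp|locals~1)\\", cmd, re.IGNORECASE):
        yield Finding("O4", "autostart from a temporary directory", line)
    if "policies\\explorer\\run" in key.lower():
        yield Finding("O4", "Policies\\Explorer\\Run autostart (rarely used by legitimate software)", line)
    if RANDOM_NAME_RE.match(_exe_stem(cmd)):
        yield Finding("O4", "random-looking executable name", line)


def dns_servers(body: str) -> list:
    """Resolver addresses from an O17 NameServer entry (space or comma separated)."""
    m = re.search(r"NameServer = (.*)$", body)
    return re.split(r"[ ,]+", m.group(1).strip()) if m else []


def triage(log_text: str) -> list:
    """Run every rule over the log and return the findings in log order."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if section == "F2":
            findings.extend(_check_f2(body, line))
        elif section == "O4":
            findings.extend(_check_o4(body, line))
        elif section == "O17":
            for ip in dns_servers(body):
                findings.append(Finding("O17", f"DNS resolver {ip}: confirm it belongs to the ISP", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```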


#2 Billy O'Neal (Visual C++ STL Maintainer)

  • Malware Response Team
  • 12,304 posts
  • Gender: Male
  • Location: Redmond, Washington

Posted 28 August 2008 - 08:35 PM

:thumbsup: to BleepingComputer.com

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)

I want to apologise that it has taken so long to get back to you. We on the HJT Team are working as fast as possible to get your log answered.

If you would still like help, please post a new HiJack This log below, as things may have changed on your system.

If you do not still need help, please let me know, so that I can move on to other users who still need help.

Please take note of the following:
  • While a HJT Team member is working with you, please refrain from making any changes to your computer.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Please reply using the Posted Image button in the lower left hand corner of your screen.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave, and if there is no contact for that amount of time I will have to assume you have "vanished" :).

Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#3 Billy O'Neal (Malware Response Team)

Posted 02 September 2008 - 08:24 PM

Hello, siddhant.
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please send me or another moderator a PM.

Everyone else please begin a new topic.

Billy3

#4 Billy O'Neal (Malware Response Team)

Posted 09 September 2008 - 11:17 PM

Topic Reopened. Please post your logs below.

Billy3

#5 siddhant (Topic Starter)

Posted 10 September 2008 - 05:40 AM

Thank you for reopening, Billy. I don't have Virtumonde anymore, I think, but I definitely have some spyware and adware etc.: constant popups which claim to be valid Windows popups suggesting I download valid antivirus, which takes me to some advance antivirus page; I can't change my homepage; there's this annoying little toolbar, Security Toolbar 7.1, which doesn't want to leave; I can't find my Google toolbar. There could be something more, but I haven't been home in a while and my brother didn't use it since this happened! He was reading a text by someone showing ways to become a hacker; he inevitably downloaded some files from somewhere, which could have caused this. A Quick Heal scan reveals keyloggers, trojans and nukers! I have personally downloaded NukeNabber to be aware of nuke attacks in case it happens!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:10:15 PM, on 9/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Applications\wcs.exe
C:\Program Files\Applications\iebtm.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\PROGRA~1\CATCOM~1\QUICKH~1\ONLNSVC.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\OneStep\onestep.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Applications\wcm.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Applications\iebtmm.exe
C:\PROGRA~1\CATCOM~1\QUICKH~1\EMLPROXY.EXE
C:\PROGRA~1\CATCOM~1\QUICKH~1\scanwscs.exe
C:\PROGRA~1\CATCOM~1\QUICKH~1\OnlineNT.EXE
C:\Program Files\Google\Google Talk\googletalk.exe
C:\PROGRA~1\CATCOM~1\QUICKH~1\EMLPROUI.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Documents and Settings\ATL_Infotech\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\NukeNabber\nukenabber.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\OneStep\onestep.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\ATL_Infotech\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Satyam Infoway Limited
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0BD44AB1-76A7-4E05-92F4-4B065FE72BD6} - C:\Program Files\Applications\iebt.dll
O2 - BHO: 968070 helper - {157BEF24-1400-4E89-946A-F29F97D703D3} - C:\WINDOWS\system32\968070\968070.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\ATL_IN~1\Desktop\SPYBOT~1\SDHelper.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Duhiki - {20001E7A-823D-4E19-ADE2-D6AB53C7C81E} - C:\Program Files\Duhiki\DuhikiToolbar\Duhiki.dll
O3 - Toolbar: Internet Service - {94A5C93F-BD18-4C46-B777-C94C145C3CAB} - C:\Program Files\Applications\iebr.dll
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [On-Line Protection] C:\PROGRA~1\CATCOM~1\QUICKH~1\CATEYE.EXE
O4 - HKLM\..\Run: [Messenger] C:\PROGRA~1\CATCOM~1\QUICKH~1\SCANMSG.EXE
O4 - HKLM\..\Run: [Startup Scan] C:\PROGRA~1\CATCOM~1\QUICKH~1\Sensor.EXE /LOADRUN
O4 - HKLM\..\Run: [Quick Heal Firewall Pro] "C:\Program Files\Cat Computer\Quick Heal Firewall Pro\qhfw.exe" /waitservice
O4 - HKLM\..\Run: [ResumeQuickupDownload] C:\PROGRA~1\CATCOM~1\QUICKH~1\acappaa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Email Protection] C:\PROGRA~1\CATCOM~1\QUICKH~1\EMLPROUI.EXE
O4 - HKLM\..\RunOnce: [Startup Scan] C:\PROGRA~1\CATCOM~1\QUICKH~1\Sensor.EXE /check
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe" /tray
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [DuhikiToolbarNotifier] "C:\Program Files\Duhiki\DuhikiToolbar\DuhikiToolbarNotifier.exe"
O4 - HKCU\..\Run: [Exetender] C:\Program Files\Indiagames GoD\GPlayer.exe /runonstartup
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\ATL_Infotech\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKLM\..\Policies\Explorer\Run: [smile] C:\Program Files\Applications\wcs.exe
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\Applications\iebtm.exe
O4 - Startup: nukenabber.lnk = C:\Program Files\NukeNabber\nukenabber.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: ZMatrix.lnk = C:\Program Files\ZMatrix\matrix.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.ieextend.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.ieextend.com/redirect.php (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\DOCUME~1\ATL_IN~1\Desktop\SPYBOT~1\SDHelper.dll (file missing)
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\DOCUME~1\ATL_IN~1\Desktop\SPYBOT~1\SDHelper.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sify.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1213607094859
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://plugin.driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{92F31F75-8DD0-45D6-B9CF-77B1CDC60231}: NameServer = 218.248.240.208,218.248.240.135
O17 - HKLM\System\CCS\Services\Tcpip\..\{EFD8FA5D-F11F-427C-94B7-DFF3AFB278FF}: NameServer = 218.248.255.162 218.248.255.139
O20 - AppInit_DLLs: C:\PROGRA~1\CATCOM~1\QUICKH~2\wl_hook.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NT Online Protection - Unknown owner - C:\PROGRA~1\CATCOM~1\QUICKH~1\ONLNSVC.EXE
O23 - Service: OneStepSearch Service - OneStepSearch.net, Inc. - C:\Program Files\OneStep\onestep.exe
O23 - Service: Quick Heal Mail Protection - Unknown owner - C:\PROGRA~1\CATCOM~1\QUICKH~1\EMLPROXY.EXE
O23 - Service: Quick Heal Firewall Service (QuickHealFirewall) - Agnitum Ltd. - C:\Program Files\Cat Computer\Quick Heal Firewall Pro\qhfw.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Quick Heal Helper Service WSC (ScanWscS) - Unknown owner - C:\PROGRA~1\CATCOM~1\QUICKH~1\scanwscs.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

--
End of file - 12094 bytes

#6 Billy O'Neal (Malware Response Team)

Posted 15 September 2008 - 02:32 PM

Hello, siddhant.
We need to run ComboFix. In your next reply, please include the following:
  • ComboFix.txt

Billy3

#7 siddhant (Topic Starter)

Posted 15 September 2008 - 03:06 PM

ComboFix 08-09-15.01 - ATL_Infotech 2008-09-16 1:18:23.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.218 [GMT 5.5:30]
Running from: C:\Documents and Settings\ATL_Infotech\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\ATL_Infotech\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\ATL_Infotech\My Documents\My Documents.url
C:\Documents and Settings\ATL_Infotech\My Documents\My Music\My Music.url
C:\Documents and Settings\ATL_Infotech\My Documents\My Pictures\My Pictures.url
C:\Documents and Settings\ATL_Infotech\My Documents\My Videos\My Video.url
C:\Program Files\Applications\iebr.dll
C:\Program Files\Applications\myd.ico
C:\Program Files\Applications\mym.ico
C:\Program Files\Applications\myp.ico
C:\Program Files\Applications\myv.ico
C:\Program Files\Applications\ot.ico
C:\Program Files\Applications\ts.ico
C:\WINDOWS\system32\968070
C:\WINDOWS\system32\968070\968070.dll
C:\WINDOWS\system32\AdCache
C:\WINDOWS\system32\opnmKCRj.dll

.
((((((((((((((((((((((((( Files Created from 2008-08-15 to 2008-09-15 )))))))))))))))))))))))))))))))
.

2008-09-14 05:00 . 2008-09-14 05:00 <DIR> d-------- C:\Program Files\MUSHclient
2008-09-11 08:02 . 2008-09-11 08:02 197 --a------ C:\WINDOWS\system32\MRT.INI
2008-09-10 02:25 . 2008-09-10 02:25 <DIR> d-------- C:\Program Files\PuebloUE
2008-09-09 17:16 . 2008-09-16 01:18 <DIR> d-------- C:\Program Files\Applications
2008-09-07 15:56 . 2008-09-07 15:56 4,708 --a------ C:\WINDOWS\system32\PerfStringBackup.TMP
2008-09-07 10:54 . 2008-09-07 10:54 <DIR> d-------- C:\Program Files\OneStep
2008-09-06 22:23 . 2008-09-07 20:36 <DIR> d-------- C:\WINDOWS\system32\WSG32
2008-09-04 19:21 . 2003-07-19 20:47 5,174 --a------ C:\WINDOWS\system32\nppt9x.vxd
2008-09-04 19:21 . 2005-01-03 12:13 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2008-09-04 19:19 . 2008-09-04 19:19 <DIR> d-------- C:\Program Files\Common Files\INCA Shared
2008-09-04 19:10 . 2008-09-10 00:52 <DIR> d-------- C:\Program Files\DNA
2008-09-04 19:10 . 2008-09-10 06:03 <DIR> d-------- C:\Documents and Settings\ATL_Infotech\Application Data\DNA
2008-09-04 10:43 . 2008-07-18 22:07 270,880 --a------ C:\WINDOWS\system32\mucltui.dll
2008-09-04 10:43 . 2008-07-18 22:07 210,976 --a------ C:\WINDOWS\system32\muweb.dll
2008-09-04 10:43 . 2008-07-18 22:07 29,728 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-09-03 21:48 . 2008-09-03 21:48 <DIR> d-------- C:\Program Files\Sun
2008-09-03 07:00 . 2008-09-03 07:00 <DIR> d-------- C:\Program Files\Windows Live
2008-09-03 07:00 . 2008-09-03 07:02 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-09-03 06:59 . 2008-09-03 07:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-09-03 02:33 . 2008-09-03 02:34 <DIR> d-------- C:\Program Files\WinPcap
2008-09-03 02:17 . 2008-09-03 02:39 <DIR> d-------- C:\Program Files\Cain
2008-09-02 11:59 . 2008-09-02 11:59 <DIR> d-------- C:\Documents and Settings\ATL_Infotech\dwhelper
2008-09-01 21:54 . 2008-09-02 10:35 <DIR> d-------- C:\Program Files\NukeNabber
2008-09-01 21:54 . 2008-09-01 21:54 <DIR> d-------- C:\Documents and Settings\ATL_Infotech\reports
2008-09-01 21:15 . 2008-09-01 21:15 <DIR> d-------- C:\Program Files\Legion
2008-09-01 21:15 . 1997-01-16 00:00 71,680 --a------ C:\WINDOWS\ST5UNST.EXE
2008-09-01 21:15 . 1997-01-16 00:00 29,696 --a------ C:\WINDOWS\system32\VB5StKit.dll
2008-09-01 18:59 . 2008-09-01 18:59 <DIR> d-------- C:\Program Files\WSPingPR
2008-08-28 21:01 . 2008-08-28 21:01 <DIR> d-------- C:\Program Files\UseNeXT
2008-08-28 21:01 . 2008-08-28 21:03 <DIR> d-------- C:\Documents and Settings\ATL_Infotech\Application Data\UseNeXT
2008-08-28 17:13 . 2008-08-28 16:27 134,783 --a------ C:\WINDOWS\1z55d2u.jpg
2008-08-28 16:21 . 2008-08-28 16:19 150,080 --a------ C:\WINDOWS\2226889020_ce8c067008.jpg
2008-08-28 16:15 . 2008-08-28 16:15 2,192,640 --a------ C:\WINDOWS\system32\kernel1.exe
2008-08-28 16:14 . 2008-06-21 05:01 211 --ahs---- C:\BOOT.BKK
2008-08-27 18:10 . 2008-08-27 18:10 23,600 --a------ C:\WINDOWS\system32\drivers\TVICHW32.SYS
2008-08-27 18:05 . 2008-08-27 18:05 <DIR> d-------- C:\Program Files\PC Wizard 2008
2008-08-27 18:05 . 2007-09-15 16:11 27,136 --a------ C:\WINDOWS\system32\PCWizard.cpl
2008-08-27 05:30 . 2008-08-27 05:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-08-27 05:25 . 2008-08-27 05:25 <DIR> d-------- C:\Program Files\Bonjour
2008-08-27 05:10 . 2008-08-27 05:10 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-08-26 22:34 . 2008-09-15 19:25 45 --a------ C:\TEST.XML
2008-08-26 12:29 . 2008-09-03 19:44 <DIR> d-------- C:\Temp
2008-08-26 12:13 . 2008-08-26 12:13 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2008-08-26 11:26 . 2008-09-09 17:02 <DIR> d-------- C:\Remote Programs
2008-08-26 11:26 . 2008-08-26 11:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Exetender
2008-08-26 11:26 . 2006-08-24 11:14 3,262 --------- C:\WINDOWS\Indiagames.ico
2008-08-26 11:26 . 2008-08-26 11:26 70 --a------ C:\WINDOWS\GPlrLanc.dat
2008-08-26 11:25 . 2008-09-03 21:28 <DIR> d-------- C:\Program Files\Indiagames GoD
2008-08-26 11:25 . 2007-05-27 12:33 53,314 --------- C:\WINDOWS\ExentInfo.exe
2008-08-26 09:30 . 2008-08-26 09:30 68 --a------ C:\WINDOWS\ZMatrixSS.ini
2008-08-26 09:29 . 2008-08-26 09:30 <DIR> d-------- C:\Program Files\ZMatrix
2008-08-26 09:21 . 2008-08-26 12:26 <DIR> d-------- C:\Documents and Settings\ATL_Infotech\Application Data\.ZMatrix
2008-08-26 08:44 . 2008-08-26 08:44 <DIR> d-------- C:\Program Files\Duhiki
2008-08-26 08:09 . 2008-08-26 09:37 <DIR> d-------- C:\Program Files\FileSubmit
2008-08-26 08:07 . 2008-08-26 08:07 <DIR> d-------- C:\Program Files\TGTSoft
2008-08-26 02:06 . 2008-08-26 03:11 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-20 22:06 . 2008-08-21 14:10 <DIR> d-------- C:\Documents and Settings\ATL_Infotech\Application Data\dvdcss

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-03 16:17 --------- d-----w C:\Program Files\Java
2008-08-28 09:40 --------- d-----w C:\Program Files\Google
2008-08-26 23:55 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-26 05:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-15 22:41 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-28 09:43 98,304 ----a-w C:\WINDOWS\DUMP2ac9.tmp
2008-07-27 17:17 98,304 ----a-w C:\WINDOWS\DUMP5256.tmp
2008-07-27 16:23 30,848 ----a-w C:\WINDOWS\system32\drivers\Cim26.sys
2008-07-27 13:49 --------- d-----w C:\Program Files\PC Drivers HeadQuarters
2008-07-24 08:20 --------- d-----w C:\Program Files\tempgames
2008-07-24 08:19 --------- d-----w C:\Program Files\temp games
2008-07-24 08:18 --------- d-----w C:\Documents and Settings\ATL_Infotech\Application Data\InstallShield
2008-07-18 16:40 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 16:40 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 16:40 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 16:40 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 16:39 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 16:39 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 16:39 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 16:39 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-16 12:06 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-06-16 12:06 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-06-09 03:08 811 ----a-w C:\Program Files\INSTALL.LOG
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-04-01 486856]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"BitComet"="C:\Program Files\BitComet\BitComet.exe" [2008-07-17 2599224]
"STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [2006-05-25 1372160]
"DuhikiToolbarNotifier"="C:\Program Files\Duhiki\DuhikiToolbar\DuhikiToolbarNotifier.exe" [2008-08-13 152264]
"Exetender"="C:\Program Files\Indiagames GoD\GPlayer.exe" [2007-05-27 1820160]
"Google Update"="C:\Documents and Settings\ATL_Infotech\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RaidTool"="C:\Program Files\VIA\RAID\raid_tool.exe" [2005-04-25 589824]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-06-16 185896]
"On-Line Protection"="C:\PROGRA~1\CATCOM~1\QUICKH~1\CATEYE.EXE" [2008-06-16 210560]
"Startup Scan"="C:\PROGRA~1\CATCOM~1\QUICKH~1\Sensor.EXE" [2008-06-16 145024]
"Quick Heal Firewall Pro"="C:\Program Files\Cat Computer\Quick Heal Firewall Pro\qhfw.exe" [2007-01-15 87040]
"ResumeQuickupDownload"="C:\PROGRA~1\CATCOM~1\QUICKH~1\acappaa.exe" [2008-06-18 46456]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 413696]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-02 3739648]
"Email Protection"="C:\PROGRA~1\CATCOM~1\QUICKH~1\EMLPROUI.EXE" [2008-06-16 267904]
"VTTimer"="VTTimer.exe" [2005-03-07 C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2005-03-10 C:\WINDOWS\system32\VTTrayp.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-06-20 C:\WINDOWS\SOUNDMAN.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Startup Scan"="C:\PROGRA~1\CATCOM~1\QUICKH~1\Sensor.EXE" [2008-06-16 145024]

C:\Documents and Settings\ATL_Infotech\Start Menu\Programs\Startup\
nukenabber.lnk - C:\Program Files\NukeNabber\nukenabber.exe [2008-09-01 292967]
PowerReg Scheduler.exe [2008-07-19 256000]
ZMatrix.lnk - C:\Program Files\ZMatrix\matrix.exe [2003-05-25 114688]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2008-05-25 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\\Program Files\\TGTSoft\\StyleXP\\Logon\\CurrentLogon.EXE"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"D:\\games\\Age of empires\\age2_x1.exe"=
"C:\\Program Files\\Microsoft Games\\Rise of Nations\\thrones.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\NukeNabber\\nukenabber.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"D:\\games\\Softnyx\\RakionIS\\Bin\\rakion.bin"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9864:TCP"= 9864:TCP:BitComet 9864 TCP
"9864:UDP"= 9864:UDP:BitComet 9864 UDP

R0 ScreenNT;ScreenNT;C:\WINDOWS\system32\drivers\ScreenNT.sys [2008-06-16 13696]
R1 VFILT;Quick Heal Kernel Driver;C:\Program Files\Cat Computer\Quick Heal Firewall Pro\kernel\FILTNT.SYS [2007-01-15 125248]
R2 EMLSS;EMLSS;C:\WINDOWS\system32\drivers\emltdi.sys [2008-06-16 6659]
R2 OneStepSearch Service;OneStepSearch Service;C:\Program Files\OneStep\onestep.exe C:\Program Files\OneStep\onestep.dll Service [ ]
R2 OnlineNT;OnlineNT;C:\PROGRA~1\CATCOM~1\QUICKH~1\ONLINENT.SYS [2008-06-16 32128]
S3 ADBLOCK.DLL;Quick Heal PlugIn (ADBLOCK.DLL);C:\Program Files\Cat Computer\Quick Heal Firewall Pro\kernel\ADBLOCK.DLL [2007-01-15 33600]
S3 ARP.DLL;Quick Heal PlugIn (ARP.DLL);C:\Program Files\Cat Computer\Quick Heal Firewall Pro\kernel\ARP.DLL [2007-01-15 17440]
S3 CONTENT.DLL;Quick Heal PlugIn (CONTENT.DLL);C:\Program Files\Cat Computer\Quick Heal Firewall Pro\kernel\CONTENT.DLL [2007-01-15 4896]
S3 DNSCACHE.DLL;Quick Heal PlugIn (DNSCACHE.DLL);C:\Program Files\Cat Computer\Quick Heal Firewall Pro\kernel\DNSCACHE.DLL [2007-01-15 14304]
S3 FTPFILT.DLL;Quick Heal PlugIn (FTPFILT.DLL);C:\Program Files\Cat Computer\Quick Heal Firewall Pro\kernel\FTPFILT.DLL [2007-01-15 9024]
S3 gel90xne;gel90xne;C:\DOCUME~1\ATL_IN~1\LOCALS~1\Temp\gel90xne.sys [ ]
S3 HTMLFILT.DLL;Quick Heal PlugIn (HTMLFILT.DLL);C:\Program Files\Cat Computer\Quick Heal Firewall Pro\kernel\HTMLFILT.DLL [2007-01-15 11552]
S3 HTTPFILT.DLL;Quick Heal PlugIn (HTTPFILT.DLL);C:\Program Files\Cat Computer\Quick Heal Firewall Pro\kernel\HTTPFILT.DLL [2007-01-15 13248]
S3 iadusb;USB IAD LAN Modem;C:\WINDOWS\system32\DRIVERS\glauiad.sys [2007-06-13 30336]
S3 IMAPFILT.DLL;Quick Heal PlugIn (IMAPFILT.DLL);C:\Program Files\Cat Computer\Quick Heal Firewall Pro\kernel\IMAPFILT.DLL [2007-01-15 7200]
S3 MAILFILT.DLL;Quick Heal PlugIn (MAILFILT.DLL);C:\Program Files\Cat Computer\Quick Heal Firewall Pro\kernel\MAILFILT.DLL [2007-01-15 14912]
S3 NNTPFILT.DLL;Quick Heal PlugIn (NNTPFILT.DLL);C:\Program Files\Cat Computer\Quick Heal Firewall Pro\kernel\NNTPFILT.DLL [2007-01-15 6752]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2008-05-22 34576]
S3 POP3FILT.DLL;Quick Heal PlugIn (POP3FILT.DLL);C:\Program Files\Cat Computer\Quick Heal Firewall Pro\kernel\POP3FILT.DLL [2007-01-15 9984]
S3 PROTECT.DLL;Quick Heal PlugIn (PROTECT.DLL);C:\Program Files\Cat Computer\Quick Heal Firewall Pro\kernel\PROTECT.DLL [2007-01-15 16960]
S3 SECRET.DLL;Quick Heal PlugIn (SECRET.DLL);C:\Program Files\Cat Computer\Quick Heal Firewall Pro\kernel\SECRET.DLL [2007-01-15 9696]
S3 XDva076;XDva076;C:\WINDOWS\system32\XDva076.sys [ ]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\ATL_Infotech\Application Data\Mozilla\Firefox\Profiles\h58pck2q.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF -: plugin - C:\Documents and Settings\ATL_Infotech\Local Settings\Application Data\Google\Update\1.2.131.11\npGoogleOneClick5.dll
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\DNA\plugins\npbtdna.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-16 01:23:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\CATCOM~1\QUICKH~1\ONLNSVC.EXE
C:\Program Files\OneStep\onestep.exe
C:\PROGRA~1\CATCOM~1\QUICKH~1\EMLPROXY.EXE
C:\PROGRA~1\VIA\RAID\RAID_T~1.EXE
C:\PROGRA~1\Java\JRE16~2.0_0\bin\jusched.exe
C:\PROGRA~1\COMMON~1\Real\UPDATE~1\REALSC~1.EXE
C:\PROGRA~1\CATCOM~1\QUICKH~1\SCANWSCS.EXE
C:\PROGRA~1\CATCOM~1\QUICKH~1\ONLINENT.EXE
C:\PROGRA~1\DAEMON~1\daemon.exe
C:\PROGRA~1\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\OneStep\onestep.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-09-16 1:35:04 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-15 20:04:53

Pre-Run: 3,988,439,040 bytes free
Post-Run: 4,037,046,272 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional (bootscreen)" /noexecute=optin /fastdetect /KERNEL=kernel1.exe
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

245 --- E O F --- 2008-09-11 02:33:00

#8 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 15 September 2008 - 05:51 PM

Hello, siddhant.
You have a Peer-To-Peer program installed.
Your log shows that you are using so-called peer-to-peer or file-sharing programs (in your case UseNeXT). These programs allow you to share files between users, as the name suggests. In today's world, cybercrime has come to an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous amount of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world, and you are putting yourself at risk of being indicted through organizations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

We need to re-run ComboFix with some additional directives.
  • Please disable any running anti-virus programs.

    If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:
    http://www.bleepingcomputer.com/forums/t/164134/please-analyse-my-hjt-log/
    
    driver::
    XDva076
    gel90xne
    
    file::
    C:\WINDOWS\1z55d2u.jpg
    C:\WINDOWS\2226889020_ce8c067008.jpg
    C:\WINDOWS\DUMP2ac9.tmp
    C:\WINDOWS\DUMP5256.tmp
    
    suspect::
    C:\WINDOWS\system32\kernel1.exe
    C:\Program Files\NukeNabber\nukenabber.exe
    
    folder::
    C:\Temp
    
    rootkit::
    C:\DOCUME~1\ATL_IN~1\LOCALS~1\Temp\gel90xne.sys
    C:\WINDOWS\system32\XDva076.sys
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • [image: CFScript.txt being dragged onto ComboFix.exe]
    Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Please copy and paste that report here.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

In your next reply, please include the following:
  • ComboFix.txt

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

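The CFScript above was built by hand from the "R0 .../S3 ..." lines of the ComboFix log: the helper picked the two drivers whose file ComboFix could not find ("[ ]") and which had a nondescript name or lived in a Temp folder. The following is an added example, not code from ComboFix or from the helper; it parses that block, scores each entry with those signals (the signal list and the threshold of two are my own heuristics, not ComboFix's rules), and renders the matching `driver::` / `rootkit::` sections in CFScript form. The sample lines are copied from the log posted in this thread.

```python
"""Triage the Drivers/Services block of a ComboFix log and draft CFScript lines.

Added example, not ComboFix's own code. The scoring signals are heuristics
for a human responder to review, not an automatic verdict.
"""
import re
from dataclasses import dataclass, field

# One entry per line:  <state><start> <name>;<display name>;<path> [<date> <size>]
# R = running, S = stopped; the digit is the Windows start type (0 boot,
# 1 system, 2 automatic, 3 manual, 4 disabled). ComboFix prints "[ ]" when it
# cannot find the file the service points at.
ENTRY_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s*\[([^\]]*)\]\s*$")

# Any image path that passes through a "Temp" directory (8.3 or long form).
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)

# Constructed sample: five lines copied from the ComboFix log in this thread.
SAMPLE_LOG = """\
R0 ScreenNT;ScreenNT;C:\\WINDOWS\\system32\\drivers\\ScreenNT.sys [2008-06-16 13696]
R2 OneStepSearch Service;OneStepSearch Service;C:\\Program Files\\OneStep\\onestep.exe C:\\Program Files\\OneStep\\onestep.dll Service [ ]
S3 gel90xne;gel90xne;C:\\DOCUME~1\\ATL_IN~1\\LOCALS~1\\Temp\\gel90xne.sys [ ]
S3 NPF;NetGroup Packet Filter Driver;C:\\WINDOWS\\system32\\drivers\\npf.sys [2008-05-22 34576]
S3 XDva076;XDva076;C:\\WINDOWS\\system32\\XDva076.sys [ ]
"""


@dataclass
class ServiceEntry:
    state: str      # e.g. "R0", "S3"
    name: str       # service/driver key name (what driver:: takes)
    display: str    # display name
    path: str       # image path(s) exactly as ComboFix printed them
    meta: str       # "YYYY-MM-DD size", or "" when the file was not found
    reasons: list = field(default_factory=list)

    @property
    def file_missing(self) -> bool:
        return self.meta == ""

    @property
    def score(self) -> int:
        return len(self.reasons)


def parse_services(text: str) -> list:
    """Return the ServiceEntry objects found in a ComboFix log fragment."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # section headers, blank lines, other log blocks
        state, name, display, path, meta = m.groups()
        entries.append(ServiceEntry(state, name.strip(), display.strip(),
                                    path.strip(), meta.strip()))
    return entries


def triage(entry: ServiceEntry) -> ServiceEntry:
    """Attach the signals a responder would weigh for this entry."""
    if entry.file_missing:
        entry.reasons.append("registered but no file on disk (deleted or hidden)")
    if TEMP_DIR_RE.search(entry.path):
        entry.reasons.append("loads from a temporary directory")
    if entry.path.lower().endswith(".sys") and entry.name == entry.display:
        entry.reasons.append("kernel driver with no descriptive display name")
    return entry


def flag_suspicious(text: str, threshold: int = 2) -> list:
    """Parse and triage; keep entries carrying at least `threshold` signals."""
    return [e for e in map(triage, parse_services(text)) if e.score >= threshold]


def build_cfscript(flagged: list) -> str:
    """Render driver:: and rootkit:: sections in the CFScript format used above."""
    lines = ["driver::"] + [e.name for e in flagged]
    lines += ["", "rootkit::"] + [e.path for e in flagged]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits = flag_suspicious(SAMPLE_LOG)
    for e in hits:
        print(f"{e.state} {e.name}: " + "; ".join(e.reasons))
    print(build_cfscript(hits))
```

On the sample, gel90xne scores three signals and XDva076 two, reproducing the two drivers scripted above; ScreenNT (one signal) and the OneStep service (one signal) are left for manual review.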
#9 siddhant

siddhant
  • Topic Starter

  • Members
  • 30 posts

Posted 16 September 2008 - 12:12 AM

Thanks again, Billy! About the file-sharing progs etc.: some in my large family are bona fide pirates :thumbsup: The point being that since I'm the youngest brother I have the least rights over.....well, anything, BUT I am still the one who is put in charge to clean up their (my great brothers') mess! Is there any way I can send them to jail without my parents knowing it was me!?? lol!! I'm seriously considering this!




ComboFix 08-09-15.01 - ATL_Infotech 2008-09-16 10:18:23.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.197 [GMT 5.5:30]
Running from: C:\Documents and Settings\ATL_Infotech\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\ATL_Infotech\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp
C:\WINDOWS\1z55d2u.jpg
C:\WINDOWS\2226889020_ce8c067008.jpg
C:\WINDOWS\DUMP2ac9.tmp
C:\WINDOWS\DUMP5256.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_GEL90XNE
-------\Legacy_XDVA076
-------\Service_gel90xne
-------\Service_XDva076


((((((((((((((((((((((((( Files Created from 2008-08-16 to 2008-09-16 )))))))))))))))))))))))))))))))
.

2008-09-14 05:00 . 2008-09-14 05:00 <DIR> d-------- C:\Program Files\MUSHclient
2008-09-11 08:02 . 2008-09-11 08:02 197 --a------ C:\WINDOWS\system32\MRT.INI
2008-09-10 02:25 . 2008-09-10 02:25 <DIR> d-------- C:\Program Files\PuebloUE
2008-09-09 17:16 . 2008-09-16 01:18 <DIR> d-------- C:\Program Files\Applications
2008-09-07 15:56 . 2008-09-07 15:56 4,708 --a------ C:\WINDOWS\system32\PerfStringBackup.TMP
2008-09-07 10:54 . 2008-09-07 10:54 <DIR> d-------- C:\Program Files\OneStep
2008-09-06 22:23 . 2008-09-07 20:36 <DIR> d-------- C:\WINDOWS\system32\WSG32
2008-09-04 19:21 . 2003-07-19 20:47 5,174 --a------ C:\WINDOWS\system32\nppt9x.vxd
2008-09-04 19:21 . 2005-01-03 12:13 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2008-09-04 19:19 . 2008-09-04 19:19 <DIR> d-------- C:\Program Files\Common Files\INCA Shared
2008-09-04 19:10 . 2008-09-10 00:52 <DIR> d-------- C:\Program Files\DNA
2008-09-04 19:10 . 2008-09-10 06:03 <DIR> d-------- C:\Documents and Settings\ATL_Infotech\Application Data\DNA
2008-09-04 10:43 . 2008-07-18 22:07 270,880 --a------ C:\WINDOWS\system32\mucltui.dll
2008-09-04 10:43 . 2008-07-18 22:07 210,976 --a------ C:\WINDOWS\system32\muweb.dll
2008-09-04 10:43 . 2008-07-18 22:07 29,728 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-09-03 21:48 . 2008-09-03 21:48 <DIR> d-------- C:\Program Files\Sun
2008-09-03 07:00 . 2008-09-03 07:00 <DIR> d-------- C:\Program Files\Windows Live
2008-09-03 07:00 . 2008-09-03 07:02 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-09-03 06:59 . 2008-09-03 07:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-09-03 02:33 . 2008-09-03 02:34 <DIR> d-------- C:\Program Files\WinPcap
2008-09-03 02:17 . 2008-09-03 02:39 <DIR> d-------- C:\Program Files\Cain
2008-09-02 11:59 . 2008-09-02 11:59 <DIR> d-------- C:\Documents and Settings\ATL_Infotech\dwhelper
2008-09-01 21:54 . 2008-09-16 10:18 <DIR> d-------- C:\Program Files\NukeNabber
2008-09-01 21:54 . 2008-09-01 21:54 <DIR> d-------- C:\Documents and Settings\ATL_Infotech\reports
2008-09-01 21:15 . 2008-09-01 21:15 <DIR> d-------- C:\Program Files\Legion
2008-09-01 21:15 . 1997-01-16 00:00 71,680 --a------ C:\WINDOWS\ST5UNST.EXE
2008-09-01 21:15 . 1997-01-16 00:00 29,696 --a------ C:\WINDOWS\system32\VB5StKit.dll
2008-09-01 18:59 . 2008-09-01 18:59 <DIR> d-------- C:\Program Files\WSPingPR
2008-08-28 21:01 . 2008-08-28 21:01 <DIR> d-------- C:\Program Files\UseNeXT
2008-08-28 21:01 . 2008-08-28 21:03 <DIR> d-------- C:\Documents and Settings\ATL_Infotech\Application Data\UseNeXT
2008-08-28 16:15 . 2008-08-28 16:15 2,192,640 --a------ C:\WINDOWS\system32\kernel1.exe
2008-08-28 16:14 . 2008-06-21 05:01 211 --ahs---- C:\BOOT.BKK
2008-08-27 18:10 . 2008-08-27 18:10 23,600 --a------ C:\WINDOWS\system32\drivers\TVICHW32.SYS
2008-08-27 18:05 . 2008-08-27 18:05 <DIR> d-------- C:\Program Files\PC Wizard 2008
2008-08-27 18:05 . 2007-09-15 16:11 27,136 --a------ C:\WINDOWS\system32\PCWizard.cpl
2008-08-27 05:30 . 2008-08-27 05:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-08-27 05:25 . 2008-08-27 05:25 <DIR> d-------- C:\Program Files\Bonjour
2008-08-27 05:10 . 2008-08-27 05:10 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-08-26 22:34 . 2008-09-15 19:25 45 --a------ C:\TEST.XML
2008-08-26 12:13 . 2008-08-26 12:13 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2008-08-26 11:26 . 2008-09-09 17:02 <DIR> d-------- C:\Remote Programs
2008-08-26 11:26 . 2008-08-26 11:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Exetender
2008-08-26 11:26 . 2006-08-24 11:14 3,262 --------- C:\WINDOWS\Indiagames.ico
2008-08-26 11:26 . 2008-08-26 11:26 70 --a------ C:\WINDOWS\GPlrLanc.dat
2008-08-26 11:25 . 2008-09-03 21:28 <DIR> d-------- C:\Program Files\Indiagames GoD
2008-08-26 11:25 . 2007-05-27 12:33 53,314 --------- C:\WINDOWS\ExentInfo.exe
2008-08-26 09:30 . 2008-08-26 09:30 68 --a------ C:\WINDOWS\ZMatrixSS.ini
2008-08-26 09:29 . 2008-08-26 09:30 <DIR> d-------- C:\Program Files\ZMatrix
2008-08-26 09:21 . 2008-08-26 12:26 <DIR> d-------- C:\Documents and Settings\ATL_Infotech\Application Data\.ZMatrix
2008-08-26 08:44 . 2008-08-26 08:44 <DIR> d-------- C:\Program Files\Duhiki
2008-08-26 08:09 . 2008-08-26 09:37 <DIR> d-------- C:\Program Files\FileSubmit
2008-08-26 08:07 . 2008-08-26 08:07 <DIR> d-------- C:\Program Files\TGTSoft
2008-08-26 02:06 . 2008-08-26 03:11 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-20 22:06 . 2008-08-21 14:10 <DIR> d-------- C:\Documents and Settings\ATL_Infotech\Application Data\dvdcss

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-15 19:58 --------- d-----w C:\Program Files\BitComet
2008-09-03 16:17 --------- d-----w C:\Program Files\Java
2008-08-28 09:40 --------- d-----w C:\Program Files\Google
2008-08-26 23:55 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-26 05:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-15 22:41 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-27 16:23 30,848 ----a-w C:\WINDOWS\system32\drivers\Cim26.sys
2008-07-27 13:49 --------- d-----w C:\Program Files\PC Drivers HeadQuarters
2008-07-24 08:20 --------- d-----w C:\Program Files\tempgames
2008-07-24 08:19 --------- d-----w C:\Program Files\temp games
2008-07-24 08:18 --------- d-----w C:\Documents and Settings\ATL_Infotech\Application Data\InstallShield
2008-07-18 16:40 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 16:40 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 16:40 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 16:40 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 16:39 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 16:39 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 16:39 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 16:39 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-16 12:06 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-06-16 12:06 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-06-09 03:08 811 ----a-w C:\Program Files\INSTALL.LOG
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-04-01 486856]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"BitComet"="C:\Program Files\BitComet\BitComet.exe" [2008-07-17 2599224]
"STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [2006-05-25 1372160]
"DuhikiToolbarNotifier"="C:\Program Files\Duhiki\DuhikiToolbar\DuhikiToolbarNotifier.exe" [2008-08-13 152264]
"Exetender"="C:\Program Files\Indiagames GoD\GPlayer.exe" [2007-05-27 1820160]
"Google Update"="C:\Documents and Settings\ATL_Infotech\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RaidTool"="C:\Program Files\VIA\RAID\raid_tool.exe" [2005-04-25 589824]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-06-16 185896]
"On-Line Protection"="C:\PROGRA~1\CATCOM~1\QUICKH~1\CATEYE.EXE" [2008-06-16 210560]
"Startup Scan"="C:\PROGRA~1\CATCOM~1\QUICKH~1\Sensor.EXE" [2008-06-16 145024]
"Quick Heal Firewall Pro"="C:\Program Files\Cat Computer\Quick Heal Firewall Pro\qhfw.exe" [2007-01-15 87040]
"ResumeQuickupDownload"="C:\PROGRA~1\CATCOM~1\QUICKH~1\acappaa.exe" [2008-06-18 46456]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 413696]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-02 3739648]
"Email Protection"="C:\PROGRA~1\CATCOM~1\QUICKH~1\EMLPROUI.EXE" [2008-06-16 267904]
"VTTimer"="VTTimer.exe" [2005-03-07 C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2005-03-10 C:\WINDOWS\system32\VTTrayp.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-06-20 C:\WINDOWS\SOUNDMAN.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Startup Scan"="C:\PROGRA~1\CATCOM~1\QUICKH~1\Sensor.EXE" [2008-06-16 145024]

C:\Documents and Settings\ATL_Infotech\Start Menu\Programs\Startup\
nukenabber.lnk - C:\Program Files\NukeNabber\nukenabber.exe [2008-09-01 292967]
PowerReg Scheduler.exe [2008-07-19 256000]
ZMatrix.lnk - C:\Program Files\ZMatrix\matrix.exe [2003-05-25 114688]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2008-05-25 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\\Program Files\\TGTSoft\\StyleXP\\Logon\\CurrentLogon.EXE"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"D:\\games\\Age of empires\\age2_x1.exe"=
"C:\\Program Files\\Microsoft Games\\Rise of Nations\\thrones.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\NukeNabber\\nukenabber.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"D:\\games\\Softnyx\\RakionIS\\Bin\\rakion.bin"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9864:TCP"= 9864:TCP:BitComet 9864 TCP
"9864:UDP"= 9864:UDP:BitComet 9864 UDP

R0 ScreenNT;ScreenNT;C:\WINDOWS\system32\drivers\ScreenNT.sys [2008-06-16 13696]
R1 VFILT;Quick Heal Kernel Driver;C:\Program Files\Cat Computer\Quick Heal Firewall Pro\kernel\FILTNT.SYS [2007-01-15 125248]
R2 EMLSS;EMLSS;C:\WINDOWS\system32\drivers\emltdi.sys [2008-06-16 6659]
R2 OnlineNT;OnlineNT;C:\PROGRA~1\CATCOM~1\QUICKH~1\ONLINENT.SYS [2008-06-16 32128]
S3 ADBLOCK.DLL;Quick Heal PlugIn (ADBLOCK.DLL);C:\Program Files\Cat Computer\Quick Heal Firewall Pro\kernel\ADBLOCK.DLL [2007-01-15 33600]
S3 ARP.DLL;Quick Heal PlugIn (ARP.DLL);C:\Program Files\Cat Computer\Quick Heal Firewall Pro\kernel\ARP.DLL [2007-01-15 17440]
S3 CONTENT.DLL;Quick Heal PlugIn (CONTENT.DLL);C:\Program Files\Cat Computer\Quick Heal Firewall Pro\kernel\CONTENT.DLL [2007-01-15 4896]
S3 DNSCACHE.DLL;Quick Heal PlugIn (DNSCACHE.DLL);C:\Program Files\Cat Computer\Quick Heal Firewall Pro\kernel\DNSCACHE.DLL [2007-01-15 14304]
S3 FTPFILT.DLL;Quick Heal PlugIn (FTPFILT.DLL);C:\Program Files\Cat Computer\Quick Heal Firewall Pro\kernel\FTPFILT.DLL [2007-01-15 9024]
S3 HTMLFILT.DLL;Quick Heal PlugIn (HTMLFILT.DLL);C:\Program Files\Cat Computer\Quick Heal Firewall Pro\kernel\HTMLFILT.DLL [2007-01-15 11552]
S3 HTTPFILT.DLL;Quick Heal PlugIn (HTTPFILT.DLL);C:\Program Files\Cat Computer\Quick Heal Firewall Pro\kernel\HTTPFILT.DLL [2007-01-15 13248]
S3 iadusb;USB IAD LAN Modem;C:\WINDOWS\system32\DRIVERS\glauiad.sys [2007-06-13 30336]
S3 IMAPFILT.DLL;Quick Heal PlugIn (IMAPFILT.DLL);C:\Program Files\Cat Computer\Quick Heal Firewall Pro\kernel\IMAPFILT.DLL [2007-01-15 7200]
S3 MAILFILT.DLL;Quick Heal PlugIn (MAILFILT.DLL);C:\Program Files\Cat Computer\Quick Heal Firewall Pro\kernel\MAILFILT.DLL [2007-01-15 14912]
S3 NNTPFILT.DLL;Quick Heal PlugIn (NNTPFILT.DLL);C:\Program Files\Cat Computer\Quick Heal Firewall Pro\kernel\NNTPFILT.DLL [2007-01-15 6752]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2008-05-22 34576]
S3 POP3FILT.DLL;Quick Heal PlugIn (POP3FILT.DLL);C:\Program Files\Cat Computer\Quick Heal Firewall Pro\kernel\POP3FILT.DLL [2007-01-15 9984]
S3 PROTECT.DLL;Quick Heal PlugIn (PROTECT.DLL);C:\Program Files\Cat Computer\Quick Heal Firewall Pro\kernel\PROTECT.DLL [2007-01-15 16960]
S3 SECRET.DLL;Quick Heal PlugIn (SECRET.DLL);C:\Program Files\Cat Computer\Quick Heal Firewall Pro\kernel\SECRET.DLL [2007-01-15 9696]
.
Contents of the 'Scheduled Tasks' folder
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-16 10:22:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\CATCOM~1\QUICKH~1\ONLNSVC.EXE
C:\Program Files\OneStep\onestep.exe
C:\PROGRA~1\CATCOM~1\QUICKH~1\EMLPROXY.EXE
C:\PROGRA~1\CATCOM~1\QUICKH~1\SCANWSCS.EXE
C:\PROGRA~1\VIA\RAID\RAID_T~1.EXE
C:\PROGRA~1\Java\JRE16~2.0_0\bin\jusched.exe
C:\PROGRA~1\COMMON~1\Real\UPDATE~1\REALSC~1.EXE
C:\PROGRA~1\CATCOM~1\QUICKH~1\ONLINENT.EXE
C:\Program Files\OneStep\onestep.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-09-16 10:36:26 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-16 05:06:15
ComboFix2.txt 2008-09-15 20:05:05

Pre-Run: 4,032,729,088 bytes free
Post-Run: 4,018,745,344 bytes free

216 --- E O F --- 2008-09-11 02:33:00

#10 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 16 September 2008 - 05:42 AM

Hello, siddhant.
You should also know about these programs installed on this machine:

C:\Program Files\WinPcap
C:\Program Files\Cain


Cain is a password cracking utility that can be VERY DANGEROUS!! Did you install this application? If not, I suggest you remove "Cain and Abel" and "WinPCap" from Add/Remove Programs.

I would like us to use ESET (NOD32)'s Online Scanner
  • Please go to ESET OnlineScan (NOD32)
  • You will then see the Terms of Use; tick the check-box in front of "YES, I accept the Terms of Use"
  • Now click Start
  • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  • Click Start
    • Note: (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan
  • The Onlinescan will now start and scan your pc (this could take a while)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
  • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  • The Scanresults will now open in Notepad
  • Click into the text area, right-click and choose "select all" (or use <Control>+A)
  • Right-click again and choose "Copy" (or <Control>+C)
  • Close/Exit Notepad
  • Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.
Note: For Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

Your Microsoft Windows installation is out of date.
Whenever a security problem in its software is found, Microsoft will usually create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help to prevent malicious software being installed on your PC.
Go here to check for & install updates to Microsoft applications.
Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install.

Please reboot and repeat the update process until there are no more updates to install.

Please let me know of any problems you may have encountered.

In your next reply, please include the following:
  • ESET OnlineScan's Log
  • A new HJT Log

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#11 siddhant

siddhant
  • Topic Starter

  • Members
  • 30 posts
  • Local time:04:15 PM

Posted 17 September 2008 - 01:53 PM

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3448 (20080917)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=14b3b82d7f50cf44a4158796095f1fa3
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-09-17 05:48:56
# local_time=2008-09-17 11:18:56 (+0530, India Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=437453
# found=23
# scan_time=16272
C:\Documents and Settings\ATL_Infotech\My Documents\Downloads\advanced_keylogger.zip Win32/Spy.AdvancedKeyLogger.18 trojan (deleted) 00000000000000000000000000000000
C:\Documents and Settings\ATL_Infotech\My Documents\Downloads\advanced_keylogger.zip »ZIP »advanced_keylogger.exe Win32/Spy.AdvancedKeyLogger.18 trojan (error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\ATL_Infotech\My Documents\Downloads\advanced_keylogger.zip »ZIP »advanced_keylogger.exe »NSIS »kmonitor.exe Win32/Spy.AdvancedKeyLogger.18 trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Downloads\bleepslap.zip Win16/Nuker.bleepSlap.A trojan (deleted) 00000000000000000000000000000000
C:\Downloads\bleepslap.zip »ZIP »Bs.exe Win16/Nuker.bleepSlap.A trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Downloads\Divint.zip Win32/Nuker.Divine.2 trojan (deleted) 00000000000000000000000000000000
C:\Downloads\Divint.zip »ZIP »Divint.exe Win32/Nuker.Divine.2 trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Downloads\john171w.zip Win32/HackTool.John.NAA trojan (deleted) 00000000000000000000000000000000
C:\Downloads\john171w.zip »ZIP »john1701/run/john-386.exe Win32/HackTool.John.NAA trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Downloads\Nuke-it.zip Win32/Nuker.b trojan (deleted) 00000000000000000000000000000000
C:\Downloads\Nuke-it.zip »ZIP »Nuke_it.exe Win32/Nuker.b trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Downloads\winnuke.zip BeOS/Nuker.Win.A trojan (deleted) 00000000000000000000000000000000
C:\Downloads\winnuke.zip »ZIP »winnuke/winnuke.net_server.PPC BeOS/Nuker.Win.A trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Downloads\winnuke\winnuke\winnuke.net_server.PPC BeOS/Nuker.Win.A trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\Applications\iebt.dll Win32/TrojanDownloader.Zlob.CLB trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\Applications\iebtm.exe Win32/TrojanDownloader.Zlob.CLB trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\Applications\iebtmm.exe Win32/TrojanDownloader.Zlob.CLB trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\Applications\wcm.exe Win32/TrojanDownloader.Zlob.CLB trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\Applications\wcu.exe Win32/TrojanDownloader.Zlob.CLB trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\Program Files\Applications\iebr.dll.vir Win32/TrojanDownloader.Zlob.CLB trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\opnmKCRj.dll.vir a variant of Win32/Adware.Virtumonde.NBJ application (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\968070\968070.dll.vir Win32/BHO.NGW trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\drivers\Cim26.sys Win32/Wigon trojan (unable to clean - deleted) 00000000000000000000000000000000

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:23:12 AM, on 9/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\CATCOM~1\QUICKH~1\OnlineNT.EXE
C:\Program Files\Google\Google Talk\googletalk.exe
C:\PROGRA~1\CATCOM~1\QUICKH~1\EMLPROUI.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Documents and Settings\ATL_Infotech\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\CATCOM~1\QUICKH~1\ONLNSVC.EXE
C:\Program Files\OneStep\onestep.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\CATCOM~1\QUICKH~1\EMLPROXY.EXE
C:\PROGRA~1\CATCOM~1\QUICKH~1\scanwscs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\OneStep\onestep.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\ATL_Infotech\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\ATL_IN~1\Desktop\SPYBOT~1\SDHelper.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Duhiki - {20001E7A-823D-4E19-ADE2-D6AB53C7C81E} - C:\Program Files\Duhiki\DuhikiToolbar\Duhiki.dll
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [On-Line Protection] C:\PROGRA~1\CATCOM~1\QUICKH~1\CATEYE.EXE
O4 - HKLM\..\Run: [Startup Scan] C:\PROGRA~1\CATCOM~1\QUICKH~1\Sensor.EXE /LOADRUN
O4 - HKLM\..\Run: [Quick Heal Firewall Pro] "C:\Program Files\Cat Computer\Quick Heal Firewall Pro\qhfw.exe" /waitservice
O4 - HKLM\..\Run: [ResumeQuickupDownload] C:\PROGRA~1\CATCOM~1\QUICKH~1\acappaa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Email Protection] C:\PROGRA~1\CATCOM~1\QUICKH~1\EMLPROUI.EXE
O4 - HKLM\..\RunOnce: [Startup Scan] C:\PROGRA~1\CATCOM~1\QUICKH~1\Sensor.EXE /check
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe" /tray
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [DuhikiToolbarNotifier] "C:\Program Files\Duhiki\DuhikiToolbar\DuhikiToolbarNotifier.exe"
O4 - HKCU\..\Run: [Exetender] C:\Program Files\Indiagames GoD\GPlayer.exe /runonstartup
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\ATL_Infotech\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: nukenabber.lnk = C:\Program Files\NukeNabber\nukenabber.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: ZMatrix.lnk = C:\Program Files\ZMatrix\matrix.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\DOCUME~1\ATL_IN~1\Desktop\SPYBOT~1\SDHelper.dll (file missing)
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\DOCUME~1\ATL_IN~1\Desktop\SPYBOT~1\SDHelper.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sify.com
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1213607094859
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://plugin.driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{92F31F75-8DD0-45D6-B9CF-77B1CDC60231}: NameServer = 218.248.240.208,218.248.240.135
O17 - HKLM\System\CCS\Services\Tcpip\..\{EFD8FA5D-F11F-427C-94B7-DFF3AFB278FF}: NameServer = 218.248.255.162 218.248.255.139
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NT Online Protection - Unknown owner - C:\PROGRA~1\CATCOM~1\QUICKH~1\ONLNSVC.EXE
O23 - Service: OneStepSearch Service - OneStepSearch.net, Inc. - C:\Program Files\OneStep\onestep.exe
O23 - Service: Quick Heal Mail Protection - Unknown owner - C:\PROGRA~1\CATCOM~1\QUICKH~1\EMLPROXY.EXE
O23 - Service: Quick Heal Firewall Service (QuickHealFirewall) - Agnitum Ltd. - C:\Program Files\Cat Computer\Quick Heal Firewall Pro\qhfw.exe
O23 - Service: Quick Heal Helper Service WSC (ScanWscS) - Unknown owner - C:\PROGRA~1\CATCOM~1\QUICKH~1\scanwscs.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

--
End of file - 10456 bytes

#12 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:03:45 AM

Posted 17 September 2008 - 08:14 PM

Hello, siddhant.
Hmm... that last check turned up a lot more than I wanted to have show there...

Please run this so we can get a more detailed look at what's going on.

We need to run OTScanIt
Before running a new scan let's clean out the temporary folders.
Download ATF Cleaner to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Close ALL Internet browsers (very important).
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Now download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • In the Drivers section click on Non-Microsoft.
  • In the Rootkit Search area select Yes
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck
      Reg - Disabled MS Config Items
      Reg - File Associations
      Reg - Uninstall List
      File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Save the file to your desktop or other location where you can find it back.
Use the Add Reply button and attach the file in your next post.

In your next reply, please include the following:
  • OTScanIt Report

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#13 siddhant

siddhant
  • Topic Starter

  • Members
  • 30 posts
  • Local time:04:15 PM

Posted 18 September 2008 - 02:07 PM

Oh damn! I don't know what the hell he did to the comp, but please Billy fix it, cause it's my neck on the line here! And I had to paste this! It doesn't allow me to upload it! It's 358.83k in size and the max single upload size is 153.17k, so I'm pasting it right here! Also there was a code/code bracket around the report which I removed for ease of use!



OTScanIt logfile created on: 9/19/2008 12:30:22 AM
OTScanIt by OldTimer - Version 1.0.19.0 Folder = C:\Documents and Settings\ATL_Infotech\Desktop\OTScanIt
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

447.48 Mb Total Physical Memory | 196.75 Mb Available Physical Memory | 43.97% Memory free
1.03 Gb Paging File | 0.65 Gb Available in Paging File | 62.92% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 39.06 Gb Total Space | 2.34 Gb Free Space | 6.00% Space Free | Partition Type: NTFS
Drive D: | 35.49 Gb Total Space | 0.66 Gb Free Space | 1.86% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 1.02 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: CDFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ATL
Current User Name: ATL_Infotech
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user
Whitelist: On

[Processes - Non-Microsoft Only]
stylexpservice.exe -> %ProgramFiles%\TGTSoft\StyleXP\StyleXPService.exe -> [Ver = 0, 20, 0, 3000 | Size = 372736 bytes | Modified Date = 5/25/2006 12:01:06 AM | Attr = ]
onlnsvc.exe -> %ProgramFiles%\Cat Computer\Quick Heal\ONLNSVC.EXE -> [Ver = | Size = 95872 bytes | Modified Date = 6/16/2008 6:31:40 PM | Attr = ]
onestep.exe -> %ProgramFiles%\OneStep\onestep.exe -> OneStepSearch.net, Inc. [Ver = 1, 0, 0, 0 | Size = 4608 bytes | Modified Date = 9/4/2008 2:46:00 AM | Attr = ]
emlproxy.exe -> %ProgramFiles%\Cat Computer\Quick Heal\EMLPROXY.EXE -> [Ver = | Size = 50816 bytes | Modified Date = 6/16/2008 6:31:39 PM | Attr = ]
scanwscs.exe -> %ProgramFiles%\Cat Computer\Quick Heal\SCANWSCS.EXE -> [Ver = | Size = 79488 bytes | Modified Date = 6/16/2008 6:31:40 PM | Attr = ]
raid_tool.exe -> %ProgramFiles%\VIA\RAID\raid_tool.exe -> VIA Technologies [Ver = 4, 0, 6, 0 | Size = 589824 bytes | Modified Date = 4/25/2005 4:52:32 PM | Attr = R ]
vttrayp.exe -> %SystemRoot%\system32\VTTrayp.exe -> S3 Graphics Co., Ltd. [Ver = 2.00.36-0308B | Size = 147456 bytes | Modified Date = 3/10/2005 11:03:28 PM | Attr = R ]
onlinent.exe -> %ProgramFiles%\Cat Computer\Quick Heal\ONLINENT.EXE -> CAT Computer Services Pvt. Ltd [Ver = 1.0.0.1 | Size = 206464 bytes | Modified Date = 6/16/2008 6:31:40 PM | Attr = ]
emlproui.exe -> %ProgramFiles%\Cat Computer\Quick Heal\EMLPROUI.EXE -> CAT Computer Services Pvt. Ltd [Ver = 1.0.0.1 | Size = 267904 bytes | Modified Date = 6/16/2008 6:31:39 PM | Attr = ]
daemon.exe -> %ProgramFiles%\DAEMON Tools Lite\daemon.exe -> DT Soft Ltd [Ver = 4.12.3.0 | Size = 486856 bytes | Modified Date = 4/1/2008 3:09:48 PM | Attr = ]
bitcomet.exe -> %ProgramFiles%\BitComet\BitComet.exe -> www.BitComet.com [Ver = 1.03 | Size = 2599224 bytes | Modified Date = 7/17/2008 7:20:18 PM | Attr = ]
stylexp.exe -> %ProgramFiles%\TGTSoft\StyleXP\StyleXP.exe -> [Ver = 0, 30, 19, 0 | Size = 1372160 bytes | Modified Date = 5/25/2006 12:01:39 AM | Attr = ]
wzqkpick.exe -> %ProgramFiles%\WinZip\WZQKPICK.EXE -> WinZip Computing, Inc. [Ver = 1.0 (32-bit) | Size = 118784 bytes | Modified Date = 12/17/2004 9:00:00 AM | Attr = ]
onestep.exe -> %ProgramFiles%\OneStep\onestep.exe -> OneStepSearch.net, Inc. [Ver = 1, 0, 0, 0 | Size = 4608 bytes | Modified Date = 9/4/2008 2:46:00 AM | Attr = ]

[Win32 Services - Non-Microsoft Only]
(FLEXnet Licensing Service) FLEXnet Licensing Service [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -> Macrovision Europe Ltd. [Ver = 11.03.005 | Size = 654848 bytes | Modified Date = 8/27/2008 5:10:24 AM | Attr = ]
(NT Online Protection) NT Online Protection [Win32_Own | Auto | Running] -> %ProgramFiles%\Cat Computer\Quick Heal\ONLNSVC.EXE -> [Ver = | Size = 95872 bytes | Modified Date = 6/16/2008 6:31:40 PM | Attr = ]
(OneStepSearch Service) OneStepSearch Service [Win32_Own | Auto | Running] -> %ProgramFiles%\OneStep\onestep.exe -> OneStepSearch.net, Inc. [Ver = 1, 0, 0, 0 | Size = 4608 bytes | Modified Date = 9/4/2008 2:46:00 AM | Attr = ]
(Quick Heal Mail Protection) Quick Heal Mail Protection [Win32_Own | Auto | Running] -> %ProgramFiles%\Cat Computer\Quick Heal\EMLPROXY.EXE -> [Ver = | Size = 50816 bytes | Modified Date = 6/16/2008 6:31:39 PM | Attr = ]
(QuickHealFirewall) Quick Heal Firewall Service [Win32_Own | Auto | Stopped] -> %ProgramFiles%\Cat Computer\Quick Heal Firewall Pro\qhfw.exe -> Agnitum Ltd. [Ver = 3.5.464.7315 | Size = 87040 bytes | Modified Date = 1/15/2007 3:33:52 PM | Attr = ]
(ScanWscS) Quick Heal Helper Service WSC [Win32_Own | Auto | Running] -> %ProgramFiles%\Cat Computer\Quick Heal\SCANWSCS.EXE -> [Ver = | Size = 79488 bytes | Modified Date = 6/16/2008 6:31:40 PM | Attr = ]
(StyleXPService) StyleXPService [Win32_Own | Auto | Running] -> %ProgramFiles%\TGTSoft\StyleXP\StyleXPService.exe -> [Ver = 0, 20, 0, 3000 | Size = 372736 bytes | Modified Date = 5/25/2006 12:01:06 AM | Attr = ]

[Driver Services - Non-Microsoft Only]
(ADBLOCK.DLL) Quick Heal PlugIn (ADBLOCK.DLL) [Kernel | On_Demand | Stopped] -> %ProgramFiles%\Cat Computer\Quick Heal Firewall Pro\Kernel\adblock.dll -> Agnitum Ltd. [Ver = 3.5.464.7315 | Size = 33600 bytes | Modified Date = 1/15/2007 3:33:42 PM | Attr = ]
(ARP.DLL) Quick Heal PlugIn (ARP.DLL) [Kernel | On_Demand | Stopped] -> %ProgramFiles%\Cat Computer\Quick Heal Firewall Pro\Kernel\arp.dll -> Agnitum Ltd. [Ver = 3.5.464.7315 | Size = 17440 bytes | Modified Date = 1/15/2007 3:33:56 PM | Attr = ]
(catchme) catchme [Kernel | On_Demand | Stopped] -> %SystemDrive%\ComboFix\catchme.sys -> File not found
(CONTENT.DLL) Quick Heal PlugIn (CONTENT.DLL) [Kernel | On_Demand | Stopped] -> %ProgramFiles%\Cat Computer\Quick Heal Firewall Pro\Kernel\content.dll -> Agnitum Ltd. [Ver = 3.5.464.7315 | Size = 4896 bytes | Modified Date = 1/15/2007 3:33:44 PM | Attr = ]
(DNSCACHE.DLL) Quick Heal PlugIn (DNSCACHE.DLL) [Kernel | On_Demand | Stopped] -> %ProgramFiles%\Cat Computer\Quick Heal Firewall Pro\Kernel\dnscache.dll -> Agnitum Ltd. [Ver = 3.5.464.7315 | Size = 14304 bytes | Modified Date = 1/15/2007 3:33:40 PM | Attr = ]
(FTPFILT.DLL) Quick Heal PlugIn (FTPFILT.DLL) [Kernel | On_Demand | Stopped] -> %ProgramFiles%\Cat Computer\Quick Heal Firewall Pro\Kernel\ftpfilt.dll -> Agnitum Ltd. [Ver = 3.5.464.7315 | Size = 9024 bytes | Modified Date = 1/15/2007 3:33:44 PM | Attr = ]
(HTMLFILT.DLL) Quick Heal PlugIn (HTMLFILT.DLL) [Kernel | On_Demand | Stopped] -> %ProgramFiles%\Cat Computer\Quick Heal Firewall Pro\Kernel\htmlfilt.dll -> Agnitum Ltd. [Ver = 3.5.464.7315 | Size = 11552 bytes | Modified Date = 1/15/2007 3:33:40 PM | Attr = ]
(HTTPFILT.DLL) Quick Heal PlugIn (HTTPFILT.DLL) [Kernel | On_Demand | Stopped] -> %ProgramFiles%\Cat Computer\Quick Heal Firewall Pro\Kernel\httpfilt.dll -> Agnitum Ltd. [Ver = 3.5.464.7315 | Size = 13248 bytes | Modified Date = 1/15/2007 3:33:40 PM | Attr = ]
(IMAPFILT.DLL) Quick Heal PlugIn (IMAPFILT.DLL) [Kernel | On_Demand | Stopped] -> %ProgramFiles%\Cat Computer\Quick Heal Firewall Pro\Kernel\imapfilt.dll -> Agnitum Ltd. [Ver = 3.5.464.7315 | Size = 7200 bytes | Modified Date = 1/15/2007 3:33:44 PM | Attr = ]
(MAILFILT.DLL) Quick Heal PlugIn (MAILFILT.DLL) [Kernel | On_Demand | Stopped] -> %ProgramFiles%\Cat Computer\Quick Heal Firewall Pro\Kernel\mailfilt.dll -> Agnitum Ltd. [Ver = 3.5.464.7315 | Size = 14912 bytes | Modified Date = 1/15/2007 3:33:42 PM | Attr = ]
(MREMPR5) MREMPR5 NDIS Protocol Driver [Kernel | On_Demand | Stopped] -> %CommonProgramFiles%\Motive\MREMPR5.sys -> Motive, Inc. [Ver = 503.1658.1 | Size = 19345 bytes | Modified Date = 2/13/2007 10:59:04 PM | Attr = ]
(MRENDIS5) MRENDIS5 NDIS Protocol Driver [Kernel | On_Demand | Stopped] -> %CommonProgramFiles%\Motive\MRENDIS5.sys -> Motive, Inc. [Ver = 503.1658.0 | Size = 18003 bytes | Modified Date = 2/13/2007 10:59:04 PM | Attr = ]
(NNTPFILT.DLL) Quick Heal PlugIn (NNTPFILT.DLL) [Kernel | On_Demand | Stopped] -> %ProgramFiles%\Cat Computer\Quick Heal Firewall Pro\Kernel\nntpfilt.dll -> Agnitum Ltd. [Ver = 3.5.464.7315 | Size = 6752 bytes | Modified Date = 1/15/2007 3:33:44 PM | Attr = ]
(NPPTNT2) NPPTNT2 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\npptNT2.sys -> INCA Internet Co., Ltd. [Ver = 2005, 1, 5, 1 | Size = 4682 bytes | Modified Date = 1/3/2005 12:13:08 PM | Attr = ]
(OnlineNT) OnlineNT [Kernel | Auto | Running] -> %ProgramFiles%\Cat Computer\Quick Heal\ONLINENT.SYS -> [Ver = 8.0 built by: WinDDK | Size = 32128 bytes | Modified Date = 6/16/2008 6:31:40 PM | Attr = ]
(POP3FILT.DLL) Quick Heal PlugIn (POP3FILT.DLL) [Kernel | On_Demand | Stopped] -> %ProgramFiles%\Cat Computer\Quick Heal Firewall Pro\Kernel\pop3filt.dll -> Agnitum Ltd. [Ver = 3.5.464.7315 | Size = 9984 bytes | Modified Date = 1/15/2007 3:33:42 PM | Attr = ]
(PROTECT.DLL) Quick Heal PlugIn (PROTECT.DLL) [Kernel | On_Demand | Stopped] -> %ProgramFiles%\Cat Computer\Quick Heal Firewall Pro\Kernel\protect.dll -> Agnitum Ltd. [Ver = 3.5.464.7315 | Size = 16960 bytes | Modified Date = 1/15/2007 3:33:46 PM | Attr = ]
(RTL8023xp) Realtek 10/100/1000 PCI NIC Family NDIS XP Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\Rtnicxp.sys -> Realtek Semiconductor Corporation [Ver = 5.687.0225.2008 built by: WinDDK | Size = 105088 bytes | Modified Date = 2/25/2008 12:54:56 PM | Attr = ]
(rtl8139) Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\RTL8139.sys -> Realtek Semiconductor Corporation [Ver = 5.398.613.2003 built by: WinDDK | Size = 20992 bytes | Modified Date = 8/4/2004 4:01:34 AM | Attr = ]
(ScreenNT) ScreenNT [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\SCREENNT.SYS -> [Ver = 1.00 built by: WinDDK | Size = 13696 bytes | Modified Date = 6/16/2008 6:31:40 PM | Attr = ]
(SECRET.DLL) Quick Heal PlugIn (SECRET.DLL) [Kernel | On_Demand | Stopped] -> %ProgramFiles%\Cat Computer\Quick Heal Firewall Pro\Kernel\secret.dll -> Agnitum Ltd. [Ver = 3.5.464.7315 | Size = 9696 bytes | Modified Date = 1/15/2007 3:33:56 PM | Attr = ]
(sptd) sptd [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\sptd.sys -> [Ver = | Size = 717296 bytes | Modified Date = 6/18/2008 3:41:04 PM | Attr = ]
(VFILT) Quick Heal Kernel Driver [Kernel | System | Running] -> %ProgramFiles%\Cat Computer\Quick Heal Firewall Pro\Kernel\filtnt.sys -> Agnitum Ltd. [Ver = 3.5.464.7315 | Size = 125248 bytes | Modified Date = 1/15/2007 3:33:38 PM | Attr = ]
(viagfx) viagfx [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\vtmini.sys -> Copyright © VIA/S3 Graphics Co, Ltd. [Ver = 6.14.10.0226-16.94.44.09 | Size = 227712 bytes | Modified Date = 6/1/2005 12:36:54 AM | Attr = R ]
(viamraid) viamraid [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\viamraid.sys -> VIA Technologies inc,.ltd [Ver = 5.1.2600.430 | Size = 60928 bytes | Modified Date = 4/25/2005 4:52:40 PM | Attr = R ]
(X4HSX32) X4HSX32 [Kernel | Auto | Running] -> %ProgramFiles%\Indiagames GoD\X4HSX32.sys -> Exent Technologies Ltd. [Ver = 05.00.51.00 | Size = 31400 bytes | Modified Date = 12/13/2006 9:34:06 AM | Attr = ]

[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
Email Protection -> %ProgramFiles%\Cat Computer\Quick Heal\EMLPROUI.EXE [C:\PROGRA~1\CATCOM~1\QUICKH~1\EMLPROUI.EXE] -> CAT Computer Services Pvt. Ltd [Ver = 1.0.0.1 | Size = 267904 bytes | Modified Date = 6/16/2008 6:31:39 PM | Attr = ]
googletalk -> %ProgramFiles%\Google\Google Talk\googletalk.exe [C:\Program Files\Google\Google Talk\googletalk.exe /autostart] -> Google [Ver = 1,0,0,104 | Size = 3739648 bytes | Modified Date = 1/2/2007 2:52:02 AM | Attr = ]
On-Line Protection -> %ProgramFiles%\Cat Computer\Quick Heal\CATEYE.EXE [C:\PROGRA~1\CATCOM~1\QUICKH~1\CATEYE.EXE] -> CAT Computer Services Pvt. Ltd [Ver = 1.0.0.1 | Size = 210560 bytes | Modified Date = 6/16/2008 6:31:39 PM | Attr = ]
Quick Heal Firewall Pro -> %ProgramFiles%\Cat Computer\Quick Heal Firewall Pro\qhfw.exe ["C:\Program Files\Cat Computer\Quick Heal Firewall Pro\qhfw.exe" /waitservice] -> Agnitum Ltd. [Ver = 3.5.464.7315 | Size = 87040 bytes | Modified Date = 1/15/2007 3:33:52 PM | Attr = ]
QuickTime Task -> %ProgramFiles%\QuickTime\QTTask.exe ["C:\Program Files\QuickTime\qttask.exe" -atboottime] -> Apple Inc. [Ver = 7.5 (861) | Size = 413696 bytes | Modified Date = 5/27/2008 10:50:30 AM | Attr = ]
RaidTool -> %ProgramFiles%\VIA\RAID\raid_tool.exe [C:\Program Files\VIA\RAID\raid_tool.exe] -> VIA Technologies [Ver = 4, 0, 6, 0 | Size = 589824 bytes | Modified Date = 4/25/2005 4:52:32 PM | Attr = R ]
ResumeQuickupDownload -> %ProgramFiles%\Cat Computer\Quick Heal\acappaa.exe [C:\PROGRA~1\CATCOM~1\QUICKH~1\acappaa.exe] -> Quick Heal Technologies (P) Ltd. [Ver = 1.0.0.1 | Size = 46456 bytes | Modified Date = 6/18/2008 1:50:06 PM | Attr = ]
SoundMan -> %SystemRoot%\SOUNDMAN.EXE [SOUNDMAN.EXE] -> Realtek Semiconductor Corp. [Ver = 5.1.0.40 | Size = 77824 bytes | Modified Date = 6/20/2005 3:12:20 AM | Attr = R ]
Startup Scan -> %ProgramFiles%\Cat Computer\Quick Heal\SENSOR.EXE [C:\PROGRA~1\CATCOM~1\QUICKH~1\Sensor.EXE /LOADRUN] -> CAT Computer Services Pvt. Ltd [Ver = 1, 0, 0, 1 | Size = 145024 bytes | Modified Date = 6/16/2008 6:31:40 PM | Attr = ]
SunJavaUpdateSched -> %ProgramFiles%\Java\jre1.6.0_07\bin\jusched.exe ["C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"] -> Sun Microsystems, Inc. [Ver = 6.0.70.6 | Size = 144784 bytes | Modified Date = 6/10/2008 4:27:04 AM | Attr = ]
TkBellExe -> %CommonProgramFiles%\Real\Update_OB\realsched.exe ["C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot] -> RealNetworks, Inc. [Ver = 0.1.1.45 | Size = 185896 bytes | Modified Date = 6/16/2008 5:36:09 PM | Attr = ]
VTTimer -> %SystemRoot%\system32\VTTimer.exe [VTTimer.exe] -> S3 Graphics, Inc. [Ver = 2.00.01-0307 | Size = 53248 bytes | Modified Date = 3/7/2005 9:03:28 AM | Attr = R ]
VTTrayp -> %SystemRoot%\system32\VTTrayp.exe [VTtrayp.exe] -> S3 Graphics Co., Ltd. [Ver = 2.00.36-0308B | Size = 147456 bytes | Modified Date = 3/10/2005 11:03:28 PM | Attr = R ]
< RunOnce [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce ->
Startup Scan -> %ProgramFiles%\Cat Computer\Quick Heal\SENSOR.EXE [C:\PROGRA~1\CATCOM~1\QUICKH~1\Sensor.EXE /check] -> CAT Computer Services Pvt. Ltd [Ver = 1, 0, 0, 1 | Size = 145024 bytes | Modified Date = 6/16/2008 6:31:40 PM | Attr = ]
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
BitComet -> %ProgramFiles%\BitComet\BitComet.exe ["C:\Program Files\BitComet\BitComet.exe" /tray] -> www.BitComet.com [Ver = 1.03 | Size = 2599224 bytes | Modified Date = 7/17/2008 7:20:18 PM | Attr = ]
DAEMON Tools Lite -> %ProgramFiles%\DAEMON Tools Lite\daemon.exe ["C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun] -> DT Soft Ltd [Ver = 4.12.3.0 | Size = 486856 bytes | Modified Date = 4/1/2008 3:09:48 PM | Attr = ]
DuhikiToolbarNotifier -> %ProgramFiles%\Duhiki\DuhikiToolbar\DuhikiToolbarNotifier.exe ["C:\Program Files\Duhiki\DuhikiToolbar\DuhikiToolbarNotifier.exe"] -> Market Precision, Inc [Ver = 1.2.0.0 | Size = 152264 bytes | Modified Date = 8/13/2008 12:21:38 AM | Attr = ]
Exetender -> %ProgramFiles%\Indiagames GoD\GPlayer.exe [C:\Program Files\Indiagames GoD\GPlayer.exe /runonstartup] -> Exent Technologies Ltd. [Ver = 06.01.31.00 | Size = 1820160 bytes | Modified Date = 5/27/2007 1:04:06 PM | Attr = ]
Google Update -> %UserProfile%\Local Settings\Application Data\Google\Update\GoogleUpdate.exe ["C:\Documents and Settings\ATL_Infotech\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c] -> Google Inc. [Ver = 1.2.131.7 | Size = 133104 bytes | Modified Date = 9/3/2008 4:28:30 AM | Attr = ]
STYLEXP -> %ProgramFiles%\TGTSoft\StyleXP\StyleXP.exe [C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide] -> [Ver = 0, 30, 19, 0 | Size = 1372160 bytes | Modified Date = 5/25/2006 12:01:39 AM | Attr = ]
updateMgr -> %ProgramFiles%\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0] -> Adobe Systems Incorporated [Ver = 3.1.0.10 | Size = 313472 bytes | Modified Date = 3/30/2006 4:45:08 PM | Attr = R ]
< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup ->
%AllUsersProfile%\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk -> %ProgramFiles%\Adobe\Acrobat 7.0\Reader\reader_sl.exe -> Adobe Systems Incorporated [Ver = 7.1.0.2008042300 | Size = 29696 bytes | Modified Date = 4/23/2008 3:38:16 AM | Attr = ]
%AllUsersProfile%\Start Menu\Programs\Startup\WinZip Quick Pick.lnk -> %ProgramFiles%\WinZip\WZQKPICK.EXE -> WinZip Computing, Inc. [Ver = 1.0 (32-bit) | Size = 118784 bytes | Modified Date = 12/17/2004 9:00:00 AM | Attr = ]
< ATL_Infotech Startup Folder > -> C:\Documents and Settings\ATL_Infotech\Start Menu\Programs\Startup ->
%UserProfile%\Start Menu\Programs\Startup\nukenabber.lnk -> %ProgramFiles%\NukeNabber\nukenabber.exe -> DSI [Ver = 2.9.0.1224 | Size = 292967 bytes | Modified Date = 1/10/1999 1:58:56 AM | Attr = ]
-> %UserProfile%\Start Menu\Programs\Startup\PowerReg Scheduler.exe -> [Ver = 2, 0, 0, 1 | Size = 256000 bytes | Modified Date = 7/19/2008 10:28:33 PM | Attr = ]
%UserProfile%\Start Menu\Programs\Startup\ZMatrix.lnk -> %ProgramFiles%\ZMatrix\matrix.exe -> Happy Dude [Ver = 1.5.2.0 | Size = 114688 bytes | Modified Date = 5/25/2003 5:46:31 PM | Attr = ]
< SecurityProviders [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders ->
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
*Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell ->
Explorer.exe -> %SystemRoot%\explorer.exe -> Microsoft Corporation [Ver = 6.00.2900.3156 (xpsp_sp2_gdr.070613-1234) | Size = 1033216 bytes | Modified Date = 6/13/2007 3:53:07 PM | Attr = ]
*MultiFile Done* -> ->
*UserInit* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit ->
C:\WINDOWS\system32\userinit.exe -> %SystemRoot%\system32\userinit.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 24576 bytes | Modified Date = 8/4/2004 10:26:58 AM | Attr = ]
*MultiFile Done* -> ->
*UIHost* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UIHost ->
C:\Program -> -> File not found
Files\TGTSoft\StyleXP\Logon\CurrentLogon.EXE -> -> File not found
*MultiFile Done* -> ->
*VMApplet* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet ->
rundll32 shell32 -> %SystemRoot%\system32\shell32.dll -> Microsoft Corporation [Ver = 6.00.2900.3241 (xpsp_sp2_gdr.071025-1248) | Size = 8454656 bytes | Modified Date = 10/26/2007 9:06:51 AM | Attr = ]
Control_RunDLL "sysdm.cpl" -> %SystemRoot%\system32\sysdm.cpl -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 298496 bytes | Modified Date = 8/4/2004 10:26:58 AM | Attr = ]
*MultiFile Done* -> ->
< Winlogon settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< CurrentVersion Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveAutoRun -> 67108863 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 255 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDrives -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\dontdisplaylastusername -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\legalnoticecaption -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\legalnoticetext -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\shutdownwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\undockwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableRegistryTools -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\HideLegacyLogonScripts -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\HideLogoffScripts -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\RunLogonScriptSync -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\RunStartupScriptSync -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\HideStartupScripts -> 0 ->
< CurrentVersion Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDrives -> 0 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\HideLegacyLogonScripts -> 0 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\HideLogoffScripts -> 0 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\HideStartupScripts -> 0 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\RunLogonScriptSync -> 1 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\RunStartupScriptSync -> 0 ->
< CDROM Autorun Setting > [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom] ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\ -> ->
*DependOnGroup* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\DependOnGroup ->
SCSI miniport -> -> File not found
*MultiFile Done* -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\ErrorControl -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Group -> SCSI CDROM Class ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Start -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Tag -> 2 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Type -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\DisplayName -> CD-ROM Driver ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\ImagePath -> %SystemRoot%\system32\drivers\cdrom.sys [system32\DRIVERS\cdrom.sys] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 49536 bytes | Modified Date = 8/4/2004 8:29:54 AM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\AutoRun -> 1 ->
*AutoRunAlwaysDisable* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\AutoRunAlwaysDisable ->
NEC MBR-7 -> -> File not found
NEC MBR-7.4 -> -> File not found
PIONEER CHANGR DRM-1804X -> -> File not found
PIONEER CD-ROM DRM-6324X -> -> File not found
PIONEER CD-ROM DRM-624X -> -> File not found
TORiSAN CD-ROM CDR_C36 -> -> File not found
*MultiFile Done* -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum\ -> ->
< Drives with AutoRun files > -> ->
AUTOEXEC.QH [] -> %SystemDrive%\AUTOEXEC.QH [ NTFS ] -> [Ver = | Size = 0 bytes | Modified Date = 7/27/2008 9:52:55 PM | Attr = ]
< HOSTS File > (27 bytes and 1 lines) -> C:\WINDOWS\System32\drivers\etc\Hosts ->
127.0.0.1 localhost
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> ->
HKEY_LOCAL_MACHINE\: Main\\Default_Page_URL -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKEY_LOCAL_MACHINE\: Main\\Default_Search_URL -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKEY_LOCAL_MACHINE\: Main\\Local Page -> %SystemRoot%\system32\blank.htm ->
HKEY_LOCAL_MACHINE\: Main\\Search Bar -> http://internetsearchservice.com/ie6.html ->
HKEY_LOCAL_MACHINE\: Main\\Search Page -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKEY_LOCAL_MACHINE\: Main\\Start Page -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKEY_LOCAL_MACHINE\: Search\\CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKEY_LOCAL_MACHINE\: Search\\SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm ->
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> ->
HKEY_CURRENT_USER\: Main\\Default_Search_URL -> http://internetsearchservice.com ->
HKEY_CURRENT_USER\: Main\\Local Page -> C:\WINDOWS\system32\blank.htm ->
HKEY_CURRENT_USER\: Main\\Search Page -> http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch ->
HKEY_CURRENT_USER\: Main\\Start Page -> about:blank ->
HKEY_CURRENT_USER\: ProxyEnable -> 0 ->
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 4601 domain(s) found. ->
41 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 77 range(s) found. ->
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 4644 domain(s) found. ->
free_aol.com [http] -> Trusted sites ->
44 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 78 range(s) found. ->
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{02478D38-C3F9-4efb-9B51-7695ECA05670} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 59032 bytes | Modified Date = 12/18/2006 4:16:42 AM | Attr = ]
{3049C3E9-B461-4BC5-8870-4C09146192CA} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Real\RealPlayer\rpbrowserrecordplugin.dll [RealPlayer Download and Record Plugin for Internet Explorer] -> RealPlayer [Ver = 1.0.1.57 | Size = 308856 bytes | Modified Date = 6/16/2008 5:36:25 PM | Attr = ]
{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\BitComet\tools\BitCometBHO_1.2.6.26.dll [BitComet Helper] -> BitComet [Ver = 20080626 | Size = 656696 bytes | Modified Date = 6/26/2008 10:51:58 AM | Attr = ]
{53707962-6F74-2D53-2644-206D7942484F} [HKEY_LOCAL_MACHINE] -> %SystemDrive%\DOCUME~1\ATL_IN~1\Desktop\SPYBOT~1\SDHelper.dll [Spybot-S&D IE Protection] -> File not found
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Java\jre1.6.0_07\bin\ssv.dll [SSVHelper Class] -> Sun Microsystems, Inc. [Ver = 6.0.70.6 | Size = 509328 bytes | Modified Date = 6/10/2008 4:27:02 AM | Attr = ]
{AA58ED58-01DD-4d91-8333-CF10577473F7} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Google\GoogleToolbar1.dll [Google Toolbar Helper] -> Google Inc. [Ver = 2, 0, 114, 6 | Size = 696320 bytes | Modified Date = 6/16/2008 3:19:19 PM | Attr = R ]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar ->
{20001E7A-823D-4E19-ADE2-D6AB53C7C81E} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Duhiki\DuhikiToolbar\Duhiki.dll [Duhiki] -> Market Precision, Inc [Ver = 1.2.0.0 | Size = 914128 bytes | Modified Date = 8/13/2008 12:21:06 AM | Attr = ]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ ->
WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Google\GoogleToolbar1.dll [&Google] -> Google Inc. [Ver = 2, 0, 114, 6 | Size = 696320 bytes | Modified Date = 6/16/2008 3:19:19 PM | Attr = R ]
WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Java\jre1.6.0_07\bin\npjpi160_07.dll [Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.70.6 | Size = 132496 bytes | Modified Date = 6/10/2008 4:27:02 AM | Attr = ]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} [HKEY_CURRENT_USER] -> %ProgramFiles%\Java\jre1.6.0_07\bin\ssv.dll [Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.70.6 | Size = 509328 bytes | Modified Date = 6/10/2008 4:27:02 AM | Attr = ]
{D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A}: [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [BitComet] -> File not found
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}:{53707962-6F74-2D53-2644-206D7942484F} [HKEY_LOCAL_MACHINE] -> %SystemDrive%\DOCUME~1\ATL_IN~1\Desktop\SPYBOT~1\SDHelper.dll [Spybot - Search & Destroy Configuration] -> File not found
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\ ->
CmdMapping\\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} [HKEY_LOCAL_MACHINE] -> [BitComet] -> File not found
< Internet Explorer Menu Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ ->
&D&ownload &with BitComet -> %ProgramFiles%\BitComet\BitComet.exe -> www.BitComet.com [Ver = 1.03 | Size = 2599224 bytes | Modified Date = 7/17/2008 7:20:18 PM | Attr = ]
&D&ownload all video with BitComet -> %ProgramFiles%\BitComet\BitComet.exe -> www.BitComet.com [Ver = 1.03 | Size = 2599224 bytes | Modified Date = 7/17/2008 7:20:18 PM | Attr = ]
&D&ownload all with BitComet -> %ProgramFiles%\BitComet\BitComet.exe -> www.BitComet.com [Ver = 1.03 | Size = 2599224 bytes | Modified Date = 7/17/2008 7:20:18 PM | Attr = ]
&Google Search -> %ProgramFiles%\Google\GoogleToolbar1.dll -> Google Inc. [Ver = 2, 0, 114, 6 | Size = 696320 bytes | Modified Date = 6/16/2008 3:19:19 PM | Attr = R ]
Backward Links -> %ProgramFiles%\Google\GoogleToolbar1.dll -> Google Inc. [Ver = 2, 0, 114, 6 | Size = 696320 bytes | Modified Date = 6/16/2008 3:19:19 PM | Attr = R ]
Cached Snapshot of Page -> %ProgramFiles%\Google\GoogleToolbar1.dll -> Google Inc. [Ver = 2, 0, 114, 6 | Size = 696320 bytes | Modified Date = 6/16/2008 3:19:19 PM | Attr = R ]
Similar Pages -> %ProgramFiles%\Google\GoogleToolbar1.dll -> Google Inc. [Ver = 2, 0, 114, 6 | Size = 696320 bytes | Modified Date = 6/16/2008 3:19:19 PM | Attr = R ]
Translate into English -> %ProgramFiles%\Google\GoogleToolbar1.dll -> Google Inc. [Ver = 2, 0, 114, 6 | Size = 696320 bytes | Modified Date = 6/16/2008 3:19:19 PM | Attr = R ]
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ ->
PluginsPageFriendlyName -> Microsoft ActiveX Gallery ->
PluginsPage -> http://activex.microsoft.com/controls/find...=%s&mime=%s ->
< DNS Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
{229C35AF-8F7B-4288-B6DB-E7BCD7F83423} -> (USB IAD LAN Modem) ->
{92F31F75-8DD0-45D6-B9CF-77B1CDC60231} -> 218.248.240.208,218.248.240.135 (Realtek RTL8139/810x Family Fast Ethernet NIC) ->
< Winsock2 Catalogs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\ ->
NameSpace_Catalog5\Catalog_Entries\000000000004 [mdnsNSP] -> %ProgramFiles%\Bonjour\mdnsNSP.dll -> Apple Computer, Inc. [Ver = 1,0,3,1 | Size = 94208 bytes | Modified Date = 2/28/2006 12:42:30 PM | Attr = ]
< Protocol Handlers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ ->
ipp: [HKEY_LOCAL_MACHINE] -> No CLSID value
msdaipp: [HKEY_LOCAL_MACHINE] -> No CLSID value
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{17492023-C23A-453E-A040-C7C580BBF700}[HKEY_LOCAL_MACHINE] -> http://download.microsoft.com/download/8/b...heckControl.cab[Windows Genuine Advantage Validation Tool] ->
{56762DEC-6B0D-4AB4-A8AD-989993B5D08B}[HKEY_LOCAL_MACHINE] -> http://www.eset.eu/buxus/docs/OnlineScanner.cab[OnlineScanner Control] ->
{6414512B-B978-451D-A0D8-FCFDF33E833C}[HKEY_LOCAL_MACHINE] -> http://www.update.microsoft.com/windowsupd...b?1213607094859[WUWebControl Class] ->
{6A060448-60F9-11D5-A6CD-0002B31F7455}[HKEY_LOCAL_MACHINE] -> [ExentInf Class] ->
{8AD9C840-044E-11D1-B3E9-00805F499D93}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab[Java Plug-in 1.6.0_07] ->
{BDBDE413-7B1C-4C68-A8FF-C5B2B4090876}[HKEY_LOCAL_MACHINE] -> http://support.f-secure.com/ols/fscax.cab[F-Secure Online Scanner 3.3] ->
{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab[Java Plug-in 1.6.0_06] ->
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab[Java Plug-in 1.6.0_07] ->
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab[Java Plug-in 1.6.0_07] ->
{E8F628B5-259A-4734-97EE-BA914D7BE941}[HKEY_LOCAL_MACHINE] -> http://plugin.driveragent.com/files/driveragent.cab[Driver Agent ActiveX Control] ->
Microsoft XML Parser for Java[HKEY_LOCAL_MACHINE] -> file://C:\WINDOWS\Java\classes\xmldso.cab[Reg Error: Key does not exist or could not be opened.] ->
< Module Usage Keys [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/auc_lib.dll\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/auc_lib.dll\\.Owner -> {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/auc_lib.dll\\{BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ca.pub\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ca.pub\\.Owner -> {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ca.pub\\{BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.1/driveragent.ocx\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.1/driveragent.ocx\\.Owner -> {E8F628B5-259A-4734-97EE-BA914D7BE941} ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.1/driveragent.ocx\\{E8F628B5-259A-4734-97EE-BA914D7BE941} -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/daas_s.dll\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/daas_s.dll\\.Owner -> {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/daas_s.dll\\{BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ExentCtl.ocx\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ExentCtl.ocx\\.Owner -> {6A060448-60F9-11D5-A6CD-0002B31F7455} ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ExentCtl.ocx\\{6A060448-60F9-11D5-A6CD-0002B31F7455} -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/fscax.dll\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/fscax.dll\\.Owner -> {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/fscax.dll\\{BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/gatelauncher.exe\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/gatelauncher.exe\\.Owner -> {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/gatelauncher.exe\\{BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/LegitCheckControl.DLL\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/LegitCheckControl.DLL\\.Owner -> Unknown Owner ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/LegitCheckControl.DLL\\{17492023-C23A-453E-A040-C7C580BBF700} -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/lnod32apiA.dll\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/lnod32apiA.dll\\.Owner -> {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/lnod32apiA.dll\\{56762DEC-6B0D-4AB4-A8AD-989993B5D08B} -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/lnod32apiW.dll\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/lnod32apiW.dll\\.Owner -> {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/lnod32apiW.dll\\{56762DEC-6B0D-4AB4-A8AD-989993B5D08B} -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/lnod32umc.dll\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/lnod32umc.dll\\.Owner -> {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/lnod32umc.dll\\{56762DEC-6B0D-4AB4-A8AD-989993B5D08B} -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/lnod32upd.dll\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/lnod32upd.dll\\.Owner -> {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/lnod32upd.dll\\{56762DEC-6B0D-4AB4-A8AD-989993B5D08B} -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/mfc42.dll\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/mfc42.dll\\.Owner -> Unknown Owner ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/mfc42.dll\\{56762DEC-6B0D-4AB4-A8AD-989993B5D08B} -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/msvcrt.dll\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/msvcrt.dll\\.Owner -> Unknown Owner ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/msvcrt.dll\\{56762DEC-6B0D-4AB4-A8AD-989993B5D08B} -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/olepro32.dll\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/olepro32.dll\\.Owner -> Unknown Owner ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/olepro32.dll\\{56762DEC-6B0D-4AB4-A8AD-989993B5D08B} -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/OnlineScanner.ocx\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/OnlineScanner.ocx\\.Owner -> {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/OnlineScanner.ocx\\{56762DEC-6B0D-4AB4-A8AD-989993B5D08B} -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/OnlineScannerDLLA.dll\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/OnlineScannerDLLA.dll\\.Owner -> {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/OnlineScannerDLLA.dll\\{56762DEC-6B0D-4AB4-A8AD-989993B5D08B} -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/OnlineScannerDLLW.dll\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/OnlineScannerDLLW.dll\\.Owner -> {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/OnlineScannerDLLW.dll\\{56762DEC-6B0D-4AB4-A8AD-989993B5D08B} -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/OnlineScannerLang.dll\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/OnlineScannerLang.dll\\.Owner -> {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/OnlineScannerLang.dll\\{56762DEC-6B0D-4AB4-A8AD-989993B5D08B} -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/OnlineScannerUninstaller.exe\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/OnlineScannerUninstaller.exe\\.Owner -> {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/OnlineScannerUninstaller.exe\\{56762DEC-6B0D-4AB4-A8AD-989993B5D08B} -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/unicows.dll\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/unicows.dll\\.Owner -> Unknown Owner ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/unicows.dll\\{56762DEC-6B0D-4AB4-A8AD-989993B5D08B} -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/wuweb.dll\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/wuweb.dll\\.Owner -> Unknown Owner ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/wuweb.dll\\{6414512B-B978-451D-A0D8-FCFDF33E833C} -> ->


[Registry - Additional Scans - Non-Microsoft Only]
< BotCheck > -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\\DefaultLaunchPermission -> [Binary data over 100 bytes] ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\\MachineLaunchRestriction -> [Binary data over 100 bytes] ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\\MachineAccessRestriction -> [Binary data over 100 bytes] ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\\EnableDCOM -> Y ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\\{A50398B8-9075-4FBF-A7A1-456BF21937AD} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\\{AD65A69D-3831-40D7-9629-9B0B50A93843} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\\{0040D221-54A1-11D1-9DE0-006097042D69} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\\{2A6D72F1-6E7E-4702-B99C-E40D3DED33C3} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\FirstRunDisabled -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\AntiVirusDisableNotify -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\FirewallDisableNotify -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\UpdatesDisableNotify -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\AntiVirusOverride -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\FirewallOverride -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ -> ->
*Authentication Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages ->
msv1_0 -> %SystemRoot%\system32\msv1_0.dll -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 129536 bytes | Modified Date = 8/4/2004 10:26:44 AM | Attr = ]
*MultiFile Done* -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Bounds -> 0 [binary data] ->
*Security Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Security Packages ->
kerberos -> %SystemRoot%\system32\kerberos.dll -> Microsoft Corporation [Ver = 5.1.2600.2698 (xpsp_sp2_gdr.050614-1522) | Size = 295936 bytes | Modified Date = 6/15/2005 11:19:30 PM | Attr = ]
msv1_0 -> %SystemRoot%\system32\msv1_0.dll -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 129536 bytes | Modified Date = 8/4/2004 10:26:44 AM | Attr = ]
schannel -> %SystemRoot%\system32\schannel.dll -> Microsoft Corporation [Ver = 5.1.2600.3126 (xpsp_sp2_gdr.070425-0226) | Size = 144896 bytes | Modified Date = 4/25/2007 7:51:15 PM | Attr = ]
wdigest -> %SystemRoot%\system32\wdigest.dll -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 49152 bytes | Modified Date = 8/4/2004 10:26:48 AM | Attr = ]
*MultiFile Done* -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\ImpersonatePrivilegeUpgradeToolHasRun -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\LsaPid -> 920 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\SecureBoot -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\auditbaseobjects -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\crashonauditfail -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\disabledomaincreds -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\everyoneincludesanonymous -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\fipsalgorithmpolicy -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\forceguest -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\fullprivilegeauditing -> [binary data] ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\limitblankpassworduse -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\lmcompatibilitylevel -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\nodefaultadminowner -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\nolmhash -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\restrictanonymous -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\restrictanonymoussam -> 1 ->
*Notification Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Notification Packages ->
scecli -> %SystemRoot%\system32\scecli.dll -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 180224 bytes | Modified Date = 8/4/2004 10:26:46 AM | Attr = ]
*MultiFile Done* -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\enabledcom -> y ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\ -> ->
*ProviderOrder* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\\ProviderOrder ->
Windows NT Access Provider -> -> File not found
*MultiFile Done* -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider\\ProviderPath -> %SystemRoot%\system32\ntmarta.dll [%SystemRoot%\system32\ntmarta.dll] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 118784 bytes | Modified Date = 8/4/2004 10:26:46 AM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data\\Pattern -> 7A 5E C0 42 F6 B8 A4 53 72 F0 8F 11 7A 53 F9 21 38 62 31 34 61 30 61 65 00 FD 07 00 2C 4D 00 00 34 FA 07 00 56 82 7C 75 20 FA 07 00 40 FD 07 00 4C FD 07 00 07 08 9D 1D 14 B8 14 45 F3 3A CE 8B [binary data] ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG\\GrafBlumGroup -> 6F A0 CD 16 A1 66 6F AD 82 [binary data] ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD\\Lookup -> AC CC F0 E4 0D 2E [binary data] ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\SidCache\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\\Auth132 -> %SystemRoot%\system32\iissuba.dll [IISSUBA] -> Microsoft Corporation [Ver = 6.0.2600.0 (xpclient.010817-1148) | Size = 9216 bytes | Modified Date = 8/7/2004 5:46:52 AM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\\ntlmminclientsec -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\\ntlmminserversec -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1\\SkewMatrix -> 87 CC D9 75 11 3B 0C 6B D3 5B 3D A1 8E 0C CD 4C [binary data] ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4\\SSOURL -> http://www.passport.com ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\\Time -> 9A E2 E0 7A 73 C6 C8 01 [binary data] ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Name -> Digest ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Comment -> Digest SSPI Authentication Package ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Capabilities -> 16464 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\RpcId -> 65535 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Version -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\TokenSize -> 65535 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Time -> 00 CE 2E 70 DF 79 C4 01 [binary data] ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Type -> 49 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Name -> DPA ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Comment -> DPA Security Package ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Capabilities -> 55 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\RpcId -> 17 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Version -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\TokenSize -> 768 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Time -> 00 CE 2E 70 DF 79 C4 01 [binary data] ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Type -> 49 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Name -> MSN ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Comment -> MSN Security Package ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Capabilities -> 55 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\RpcId -> 18 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Version -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\TokenSize -> 768 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Time -> 00 CE 2E 70 DF 79 C4 01 [binary data] ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Type -> 49 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\DependOnGroup -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\DependOnService -> Netman;WinMgmt; ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\Description -> Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network. ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\DisplayName -> Windows Firewall/Internet Connection Sharing (ICS) ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\ErrorControl -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\ImagePath -> %SystemRoot%\system32\svchost.exe [%SystemRoot%\System32\svchost.exe -k netsvcs] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 8/4/2004 10:26:58 AM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\ObjectName -> LocalSystem ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\Start -> 2 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\Type -> 32 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\\Epoch -> 11563 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\\ServiceDll -> %SystemRoot%\system32\ipnathlp.dll [%SystemRoot%\System32\ipnathlp.dll] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 331264 bytes | Modified Date = 8/4/2004 10:26:44 AM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\%windir%\system32\sessmgr.exe -> %SystemRoot%\system32\sessmgr.exe [%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 140800 bytes | Modified Date = 8/4/2004 10:26:58 AM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\\EnableFirewall -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\%windir%\system32\sessmgr.exe -> %SystemRoot%\system32\sessmgr.exe [%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 140800 bytes | Modified Date = 8/4/2004 10:26:58 AM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\BitComet\BitComet.exe -> %ProgramFiles%\BitComet\BitComet.exe [C:\Program Files\BitComet\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client] -> www.BitComet.com [Ver = 1.03 | Size = 2599224 bytes | Modified Date = 7/17/2008 7:20:18 PM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\D:\games\Age of empires\age2_x1.exe -> D:\games\Age of empires\age2_x1.exe [D:\games\Age of empires\age2_x1.exe:*:Enabled:Age of Empires II Expansion] -> Microsoft Corporation [Ver = 00.07.22.0627 | Size = 2695213 bytes | Modified Date = 6/13/2008 5:15:13 PM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Microsoft Games\Rise of Nations\thrones.exe -> %ProgramFiles%\Microsoft Games\Rise of Nations\thrones.exe [C:\Program Files\Microsoft Games\Rise of Nations\thrones.exe:*:Enabled:Rise of Nations] -> Big Huge Games, Inc. [Ver = 01.14.05.0600 | Size = 520235 bytes | Modified Date = 4/2/2004 5:32:50 AM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Real\RealPlayer\realplay.exe -> %ProgramFiles%\Real\RealPlayer\realplay.exe [C:\Program Files\Real\RealPlayer\realplay.exe:*:Disabled:RealPlayer] -> RealNetworks, Inc. [Ver = 11.0.0.446 | Size = 214560 bytes | Modified Date = 6/16/2008 5:36:11 PM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Bonjour\mDNSResponder.exe -> %ProgramFiles%\Bonjour\mDNSResponder.exe [C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour] -> Apple Computer, Inc. [Ver = 1,0,3,1 | Size = 229376 bytes | Modified Date = 2/28/2006 12:42:38 PM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Google\Google Talk\googletalk.exe -> %ProgramFiles%\Google\Google Talk\googletalk.exe [C:\Program Files\Google\Google Talk\googletalk.exe:*:Enabled:Google Talk] -> Google [Ver = 1,0,0,104 | Size = 3739648 bytes | Modified Date = 1/2/2007 2:52:02 AM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\NukeNabber\nukenabber.exe -> %ProgramFiles%\NukeNabber\nukenabber.exe [C:\Program Files\NukeNabber\nukenabber.exe:*:Enabled:NukeNabber] -> DSI [Ver = 2.9.0.1224 | Size = 292967 bytes | Modified Date = 1/10/1999 1:58:56 AM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Messenger\msmsgs.exe -> %ProgramFiles%\Messenger\msmsgs.exe [C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger] -> Microsoft Corporation [Ver = 4.7.3001 | Size = 1694208 bytes | Modified Date = 10/13/2004 9:54:37 PM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\DNA\btdna.exe -> %ProgramFiles%\DNA\btdna.exe [C:\Program Files\DNA\btdna.exe:*:Enabled:DNA] -> BitTorrent, Inc. [Ver = 2.2.0.11930 | Size = 342848 bytes | Modified Date = 9/4/2008 7:10:41 PM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\D:\games\Softnyx\RakionIS\Bin\rakion.bin -> D:\games\Softnyx\RakionIS\Bin\rakion.bin [D:\games\Softnyx\RakionIS\Bin\rakion.bin:*:Enabled:rakion] -> [Ver = | Size = 1403392 bytes | Modified Date = 9/9/2008 2:39:00 PM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\9864:TCP -> 9864:TCP:*:Enabled:BitComet 9864 TCP ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\9864:UDP -> 9864:UDP:*:Enabled:BitComet 9864 UDP ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\\ServiceUpgrade -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate\\All -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\\0 -> Root\LEGACY_SHAREDACCESS\0000 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\\Count -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\\NextInstance -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Type -> 32 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Start -> 2 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ErrorControl -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ImagePath -> %SystemRoot%\system32\svchost.exe [%systemroot%\system32\svchost.exe -k netsvcs] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 8/4/2004 10:26:58 AM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\DisplayName -> Automatic Updates ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ObjectName -> LocalSystem ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Description -> Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site. ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters\\ServiceDll -> %SystemRoot%\system32\wuauserv.dll [C:\WINDOWS\system32\wuauserv.dll] -> Microsoft Corporation [Ver = 5.4.3790.2180 (xpsp_sp2_rtm.040803-2158) | Size = 6656 bytes | Modified Date = 8/4/2004 10:26:48 AM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Security\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Security\\Security -> [Binary data over 100 bytes] ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\0 -> Root\LEGACY_WUAUSERV\0000 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\Count -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\NextInstance -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\Description -> Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. If this service is disabled, any services that explicitly depend on it will fail to start. ->
*DependOnService* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\DependOnService ->
RPCSS -> %SystemRoot%\system32\rpcss.dll -> Microsoft Corporation [Ver = 5.1.2600.2726 (xpsp_sp2_gdr.050725-1528) | Size = 397824 bytes | Modified Date = 7/26/2005 10:09:49 AM | Attr = ]
*MultiFile Done* -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\DisplayName -> Remote Registry ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\ErrorControl -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\ImagePath -> %SystemRoot%\system32\svchost.exe [%SystemRoot%\system32\svchost.exe -k LocalService] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 8/4/2004 10:26:58 AM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\ObjectName -> NT AUTHORITY\LocalService ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\Group -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\Start -> 2 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\Type -> 32 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\FailureActions -> 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 E0 AD 08 00 01 00 00 00 E8 03 00 00 [binary data] ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Parameters\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Parameters\\ServiceDll -> %SystemRoot%\system32\regsvc.dll [%SystemRoot%\system32\regsvc.dll] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 59904 bytes | Modified Date = 8/4/2004 10:26:46 AM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Security\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Security\\Security -> [Binary data over 100 bytes] ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Enum\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Enum\\0 -> Root\LEGACY_REMOTEREGISTRY\0000 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Enum\\Count -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Enum\\NextInstance -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\Type -> 16 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\Start -> 4 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\ErrorControl -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\ImagePath -> %SystemRoot%\system32\tlntsvr.exe [C:\WINDOWS\system32\tlntsvr.exe] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 73216 bytes | Modified Date = 8/4/2004 10:26:58 AM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\DisplayName -> Telnet ->
*DependOnService* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\DependOnService ->
RPCSS -> %SystemRoot%\system32\rpcss.dll -> Microsoft Corporation [Ver = 5.1.2600.2726 (xpsp_sp2_gdr.050725-1528) | Size = 397824 bytes | Modified Date = 7/26/2005 10:09:49 AM | Attr = ]
TCPIP -> -> File not found
NTLMSSP -> -> File not found
*MultiFile Done* -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\DependOnGroup -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\ObjectName -> LocalSystem ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\Description -> Enables a remote user to log on to this computer and run programs, and supports various TCP/IP Telnet clients, including UNIX-based and Windows-based computers. If this service is stopped, remote user access to programs might be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Security\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Security\\Security -> [Binary data over 100 bytes] ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings\\ProxyEnable -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings\\EnableAutodial -> 0 ->
< File Associations - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>\ ->
.bat [@ = batfile] -> "%1" %* ->
.cmd [@ = cmdfile] -> "%1" %* ->
.com [@ = ComFile] -> "%1" %* ->
.exe [@ = exefile] -> "%1" %* ->
.html [@ = FirefoxHTML] -> %ProgramFiles%\Mozilla Firefox\firefox.exe -> Mozilla Corporation [Ver = 1.9.0.1 | Size = 307712 bytes | Modified Date = 7/3/2008 7:22:30 AM | Attr = ]
.pif [@ = piffile] -> "%1" %* ->
.scr [@ = scrfile] -> "%1" /S ->
< Uninstall List [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ ->
{0046FA01-C5B9-4985-BACB-398DC480FC05} -> Adobe Photoshop CS3
{01501EBA-EC35-4F9F-8889-3BE346E5DA13} -> MSXML4 Parser
{02DFF6B1-1654-411C-8D7B-FD6052EF016F} -> Apple Software Update
{04AF207D-9A77-465A-8B76-991F6AB66245} -> Adobe Help Viewer CS3
{08B32819-6EEF-4057-AEDA-5AB681A36A23} -> Adobe Bridge Start Meeting
{08CA9554-B5FE-4313-938F-D4A417B81175} -> QuickTime
{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E} -> MSXML 6.0 Parser (KB933579)
{0AD84416-63A4-4CF3-BDDF-8FA866711FB0} -> Civilization III
{0AF3FEAE-B651-4421-97EF-4808A588B4E5} -> LastChaos
{0D499481-22C6-4B25-8AC2-6D3F6C885FB9} -> OpenOffice.org Installer 1.0
{0ED47137-C071-46CC-A243-E5E33271E10E} -> Windows Live Sign-in Assistant
{15095BF3-A3D7-4DDF-B193-3A496881E003} -> Microsoft .NET Framework 3.0
{15DF6FD4-7653-4BBA-B4E7-87C5B1273FED} -> Uninstall Phoenix Dynasty Online
{184CE391-7E0E-4C63-9935-D7A10EDFD3C6} -> Adobe WinSoft Linguistics Plugin
{20D4A895-748C-4D88-871C-FDB1695B0169} -> Platform
{226b64e8-dc75-4eea-a6c8-abcb496320f2}-Google Talk -> Google Talk (remove only)
{2318C2B1-4965-11d4-9B18-009027A5CD4F} -> Google Toolbar for Internet Explorer
{29E5EA97-5F74-4A57-B8B2-D4F169117183} -> Adobe Stock Photos CS3
{2B43252C-A1E3-4C47-927C-9F2C276D3515} -> S3GSetup
{2B7BDADB-EC8C-4C54-B5DD-CE45A016D3A7} -> Indiagames GoD Player
{3248F0A8-6813-11D6-A77B-00B0D0160060} -> Java™ 6 Update 6
{3248F0A8-6813-11D6-A77B-00B0D0160070} -> Java™ 6 Update 7
{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227} -> WebFldrs XP
{3E5DA526-F420-45A6-9F27-D2B5246D6823} -> Free Natural Text to Speech Reader 2008
{428102E6-8A39-48B9-8389-847F5A44A600} -> MSXML 4.0
{491DD792-AD81-429C-9EB4-86DD3D22E333} -> Windows Communication Foundation
{51846830-E7B2-4218-8968-B77F0FF475B8} -> Adobe Color EU Extra Settings
{54793AA1-5001-42F4-ABB6-C364617C6078} -> Adobe Linguistics CS3
{54BB0384-1C33-488F-A95B-877E480D3EDC} -> MSXML 4.0
{552171BC-30F8-3B29-9C4F-E3FE590B7CAC} -> Google Gears
{6ABE0BEE-D572-4FE8-B434-9E72A289431B} -> Adobe Fonts All
{6B976ADF-8AE8-434E-B282-A06C7F624D2F} -> Python 2.5.2
{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61} -> Adobe Asset Services CS3
{7131646D-CD3C-40F4-97B9-CD9E4E6262EF} -> Microsoft .NET Framework 2.0
{7299052b-02a4-4627-81f2-1818da5d550d} -> Microsoft Visual C++ 2005 Redistributable
{7C9AD221-994C-45B2-B46D-26F5735158CF} -> Sony Vegas Pro 8.0
{7D1B85BD-AA07-48B8-808D-67A4067FC6BD} -> Windows Workflow Foundation
{7F1C5D75-E232-4C2B-A394-E5FB7FBB3D66} -> Sonic Foundry Sound Forge 6.0d
{802771A9-A856-4A41-ACF7-1450E523C923} -> Adobe XMP Panels CS3
{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00} -> Microsoft Silverlight
{8D2BA474-F406-4710-9AE4-D4F22D21F0DD} -> Adobe Device Central CS3
{8E6808E2-613D-4FCD-81A2-6C8FA8E03312} -> Adobe Type Support
{90110409-6000-11D3-8CFE-0150048383C9} -> Microsoft Office Professional Edition 2003
{90176341-0A8B-4CCC-A78D-F862228A6B95} -> Adobe Anchor Service CS3
{94FB906A-CF42-4128-A509-D353026A607E} -> REALTEK Gigabit and Fast Ethernet NIC Driver
{95655ED4-7CA5-46DF-907F-7144877A32E5} -> Adobe Color NA Recommended Settings
{98CB24AD-52FB-DB5F-FF1F-C8B3B9A1E18E} -> Visual C++ 8.0 CRT (x86) WinSXS MSM
{9C9824D9-9000-4373-A6A5-D0E5D4831394} -> Adobe Bridge CS3
{A2B242BD-FF8D-4840-9DAA-9170EABEC59C} -> Adobe CMaps
{A2D81E70-2A98-4A08-A628-94388B063C5E} -> Adobe Color - Photoshop Specific
{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320} -> Windows Live installer
{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5} -> PDF Settings
{AC76BA86-7AD7-1033-7B44-A71000000002} -> Adobe Reader 7.1.0
{ADC85DF2-4B39-466C-88A4-5A307E8048B3} -> 155496
{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C} -> Adobe Camera Raw 4.0
{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1 -> Spybot - Search & Destroy
{B8E576AE-7C76-4D37-B448-0D2010F2E417} -> Legend Of Ares
{B9B35331-B7E4-4E5C-BF4C-7BC87856124D} -> Adobe Default Language CS3
{BAF78226-3200-4DB4-BE33-4D922A799840} -> Windows Presentation Foundation
{C04E32E0-0416-434D-AFB9-6969D703A9EF} -> MSXML 4.0 SP2 (KB936181)
{C2D69781-F392-4118-A5A7-C7E9C38DBFC2} -> Adobe ExtendScript Toolkit 2
{D0DFF92A-492E-4C40-B862-A74A173C25C5} -> Adobe Version Cue CS3 Client
{D1BB4446-AE9C-4256-9A7F-4D46604D2462} -> Adobe Setup
{D2559B88-CC9D-4B48-81BB-F492BAA9C48C} -> Adobe PDF Library Files
{D91CAA43-FE2E-40C1-9359-DE6115FD35C8} -> 182327
{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9} -> Adobe Color Common Settings
{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029} -> Adobe Color JA Extra Settings
{E51B4CD9-A0A6-4324-B26A-31B3F2DE26CE} -> Black and White
{E69AE897-9E0B-485C-8552-7841F48D42D8} -> Adobe Update Manager CS3
{E96EC7BF-DDDA-4B86-A2D9-7D733B0578A0} -> NavyFIELD Europe (EN)
{FB08F381-6533-4108-B7DD-039E11FBC27E} -> Realtek AC'97 Audio
7-Zip -> 7-Zip 4.58 beta
Add/Remove Plus! 2003 -> Add/Remove Plus! 2003
Adobe Flash Player ActiveX -> Adobe Flash Player ActiveX
Adobe_2ac78060bc5856b0c1cf873bb919b58 -> Adobe Photoshop CS3
AdVantage_DAEM -> AdVantage (Powering DAEMON Tools)
BitComet -> BitComet 1.03
Connection Manager -> Connection Manager
DriverAgent.exe -> DriverAgent by TouchStone Software
DuhikiToolbar -> Duhiki Toolbar
EsetOnlineScanner -> ESET Online Scanner
exent_193650 -> RollerCoaster Tycoon 2
exent_200950 -> Hitman 2 - Silent Assassin
exent_255650 -> Neverwinter Nights - Shadows of Undrentide
exent_433450 -> Farenheit
FoxyTunesForFirefox -> FoxyTunes for Firefox
Future Cop LAPD -> Future Cop LAPD
GoldenKeylogger -> Golden Keylogger
HijackThis -> HijackThis 2.0.2
Hitman - Codename 47 -> Hitman - Codename 47
IDNMitigationAPIs -> Microsoft Internationalized Domain Names Mitigation APIs
ie7 -> Windows Internet Explorer 7
InstallShield_{20D4A895-748C-4D88-871C-FDB1695B0169} -> VIA Platform Device Manager
isoHunt Toolbar -> isoHunt Toolbar
KB873339 -> Windows XP Hotfix - KB873339
KB885835 -> Windows XP Hotfix - KB885835
KB885836 -> Windows XP Hotfix - KB885836
KB886185 -> Windows XP Hotfix - KB886185
KB887472 -> Windows XP Hotfix - KB887472
KB888302 -> Windows XP Hotfix - KB888302
KB890046 -> Security Update for Windows XP (KB890046)
KB890859 -> Windows XP Hotfix - KB890859
KB891781 -> Windows XP Hotfix - KB891781
KB893756 -> Security Update for Windows XP (KB893756)
KB893803 -> Windows Installer 3.1 (KB893803)
KB893803v2 -> Windows Installer 3.1 (KB893803)
KB894391 -> Update for Windows XP (KB894391)
KB896358 -> Security Update for Windows XP (KB896358)
KB896423 -> Security Update for Windows XP (KB896423)
KB896428 -> Security Update for Windows XP (KB896428)
KB898461 -> Update for Windows XP (KB898461)
KB899587 -> Security Update for Windows XP (KB899587)
KB899591 -> Security Update for Windows XP (KB899591)
KB900485 -> Update for Windows XP (KB900485)
KB900725 -> Security Update for Windows XP (KB900725)
KB901017 -> Security Update for Windows XP (KB901017)
KB901214 -> Security Update for Windows XP (KB901214)
KB902400 -> Security Update for Windows XP (KB902400)
KB905414 -> Security Update for Windows XP (KB905414)
KB905749 -> Security Update for Windows XP (KB905749)
KB908519 -> Security Update for Windows XP (KB908519)
KB908531 -> Update for Windows XP (KB908531)
KB910437 -> Update for Windows XP (KB910437)
KB911280 -> Update for Windows XP (KB911280)
KB911562 -> Security Update for Windows XP (KB911562)
KB911564 -> Security Update for Windows Media Player (KB911564)
KB911927 -> Security Update for Windows XP (KB911927)
KB913580 -> Security Update for Windows XP (KB913580)
KB914388 -> Security Update for Windows XP (KB914388)
KB914389 -> Security Update for Windows XP (KB914389)
KB915865 -> Hotfix for Windows XP (KB915865)
KB916595 -> Update for Windows XP (KB916595)
KB918118 -> Security Update for Windows XP (KB918118)
KB918439 -> Security Update for Windows XP (KB918439)
KB920213 -> Security Update for Windows XP (KB920213)
KB920670 -> Security Update for Windows XP (KB920670)
KB920683 -> Security Update for Windows XP (KB920683)
KB920685 -> Security Update for Windows XP (KB920685)
KB920872 -> Update for Windows XP (KB920872)
KB922582 -> Update for Windows XP (KB922582)
KB922819 -> Security Update for Windows XP (KB922819)
KB923191 -> Security Update for Windows XP (KB923191)
KB923414 -> Security Update for Windows XP (KB923414)
KB923980 -> Security Update for Windows XP (KB923980)
KB924270 -> Security Update for Windows XP (KB924270)
KB924667 -> Security Update for Windows XP (KB924667)
KB925398_WMP64 -> Security Update for Windows Media Player 6.4 (KB925398)
KB925720 -> Update for Windows XP (KB925720)
KB925902 -> Security Update for Windows XP (KB925902)
KB926255 -> Security Update for Windows XP (KB926255)
KB926436 -> Security Update for Windows XP (KB926436)
KB927779 -> Security Update for Windows XP (KB927779)
KB927802 -> Security Update for Windows XP (KB927802)
KB927891 -> Update for Windows XP (KB927891)
KB928255 -> Security Update for Windows XP (KB928255)
KB928843 -> Security Update for Windows XP (KB928843)
KB929123 -> Security Update for Windows XP (KB929123)
KB930178 -> Security Update for Windows XP (KB930178)
KB930916 -> Update for Windows XP (KB930916)
KB931261 -> Security Update for Windows XP (KB931261)
KB931784 -> Security Update for Windows XP (KB931784)
KB932168 -> Security Update for Windows XP (KB932168)
KB932823-v3 -> Update for Windows XP (KB932823-v3)
KB933729 -> Security Update for Windows XP (KB933729)
KB935839 -> Security Update for Windows XP (KB935839)
KB935840 -> Security Update for Windows XP (KB935840)
KB936021 -> Security Update for Windows XP (KB936021)
KB936357 -> Update for Windows XP (KB936357)
KB936782_WMP9 -> Security Update for Windows Media Player 9 (KB936782)
KB937894 -> Security Update for Windows XP (KB937894)
KB938127-IE7 -> Security Update for Windows Internet Explorer 7 (KB938127)
KB938464 -> Security Update for Windows XP (KB938464)
KB938828 -> Update for Windows XP (KB938828)
KB941202 -> Security Update for Windows XP (KB941202)
KB941569 -> Security Update for Windows XP (KB941569)
KB941644 -> Security Update for Windows XP (KB941644)
KB941693 -> Security Update for Windows XP (KB941693)
KB942763 -> Update for Windows XP (KB942763)
KB943055 -> Security Update for Windows XP (KB943055)
KB943460 -> Security Update for Windows XP (KB943460)
KB943485 -> Security Update for Windows XP (KB943485)
KB944653 -> Security Update for Windows XP (KB944653)
KB945553 -> Security Update for Windows XP (KB945553)
KB946026 -> Security Update for Windows XP (KB946026)
KB946648 -> Security Update for Windows XP (KB946648)
KB948590 -> Security Update for Windows XP (KB948590)
KB950749 -> Security Update for Windows XP (KB950749)
KB950759-IE7 -> Security Update for Windows Internet Explorer 7 (KB950759)
KB950760 -> Security Update for Windows XP (KB950760)
KB950762 -> Security Update for Windows XP (KB950762)
KB950974 -> Security Update for Windows XP (KB950974)
KB951066 -> Security Update for Windows XP (KB951066)
KB951072-v2 -> Update for Windows XP (KB951072-v2)
KB951376 -> Security Update for Windows XP (KB951376)
KB951376-v2 -> Security Update for Windows XP (KB951376-v2)
KB951698 -> Security Update for Windows XP (KB951698)
KB951748 -> Security Update for Windows XP (KB951748)
KB952287 -> Hotfix for Windows XP (KB952287)
KB952954 -> Security Update for Windows XP (KB952954)
KB953838-IE7 -> Security Update for Windows Internet Explorer 7 (KB953838)
KB953839 -> Security Update for Windows XP (KB953839)
Microsoft .NET Framework 2.0 -> Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0 -> Microsoft .NET Framework 3.0
Mozilla Firefox (3.0.1) -> Mozilla Firefox (3.0.1)
MSNINST -> MSN
MUSHclient -> MUSHclient (remove only)
NLSDownlevelMapping -> Microsoft National Language Support Downlevel APIs
NukeNabber 2.9b -> NukeNabber 2.9b
OneStep -> OneStepSearch 1.0 build 178
PC Wizard 2008_is1 -> PC Wizard 2008.1.85.1
POKéGAME32 -> POKéMON Simulator 3.6
PuebloUE_is1 -> Pueblo/UE 2.61
Quick Heal -> Quick Heal
Quick Heal Firewall Pro_is1 -> Quick Heal Firewall Pro
Rakion International_is1 -> Rakion International
RealPlayer 6.0 -> RealPlayer
RiseOfNationsExpansion 1.0 -> Rise of Nations
ST5UNST #1 -> Legion
StyleXP -> StyleXP (remove only)
Talisman Online_is1 -> TalismanOnline_1385
UseNeXT_is1 -> UseNeXT
VIA/S3G UniChrome Family Win2K/XP Display -> VIA/S3G Display Driver
VLC media player -> VideoLAN VLC media player 0.8.6b
Warning Center -> Warning Center
WIC -> Windows Imaging Component
Winamp3 -> Winamp3 (remove only)
WinRAR archiver -> WinRAR archiver
WinZip -> WinZip
XpsEPSC -> XML Paper Specification Shared Components Pack 1.0
ZMatrix_is1 -> ZMatrix 1.5.2
< Uninstall List [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ ->
BitTorrent DNA -> DNA
Google Chrome -> Google Chrome


[Files/Folders - Created Within 30 days]
Boot.bak -> %SystemDrive%\Boot.bak -> [Ver = | Size = 354 bytes | Created Date = 9/16/2008 1:18:17 AM | Attr = ]
BOOT.BKK -> %SystemDrive%\BOOT.BKK -> [Ver = | Size = 211 bytes | Created Date = 8/28/2008 4:14:24 PM | Attr = HS]
cmdcons -> %SystemDrive%\cmdcons -> [Folder | Created Date = 9/16/2008 1:18:07 AM | Attr = ]
cmldr -> %SystemDrive%\cmldr -> [Ver = | Size = 260272 bytes | Created Date = 9/16/2008 1:18:14 AM | Attr = ]
Config.Msi -> %SystemDrive%\Config.Msi -> [Folder | Created Date = 9/17/2008 6:35:59 PM | Attr = HS]
QooBox -> %SystemDrive%\QooBox -> [Folder | Created Date = 9/16/2008 1:17:01 AM | Attr = ]
RECYCLER -> %SystemDrive%\RECYCLER -> [Folder | Created Date = 9/19/2008 12:28:17 AM | Attr = HS]
Remote Programs -> %SystemDrive%\Remote Programs -> [Folder | Created Date = 8/26/2008 11:26:00 AM | Attr = ]
TEST.XML -> %SystemDrive%\TEST.XML -> [Ver = | Size = 45 bytes | Created Date = 8/26/2008 10:34:28 PM | Attr = ]
CatRoot_bak -> %SystemRoot%\System32\CatRoot_bak -> [Folder | Created Date = 8/26/2008 2:06:29 AM | Attr = ]
1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp ->
CmdLineExt03.dll -> %SystemRoot%\System32\CmdLineExt03.dll -> [Ver = | Size = 43520 bytes | Created Date = 8/26/2008 12:13:43 PM | Attr = ]
java.exe -> %SystemRoot%\System32\java.exe -> [Ver = | Size = 0 bytes | Created Date = 9/3/2008 9:47:53 PM | Attr = ]
MRT.INI -> %SystemRoot%\System32\MRT.INI -> [Ver = | Size = 197 bytes | Created Date = 9/11/2008 8:02:44 AM | Attr = ]
nppt9x.vxd -> %SystemRoot%\System32\nppt9x.vxd -> [Ver = | Size = 5174 bytes | Created Date = 9/4/2008 7:21:26 PM | Attr = ]
npptNT2.sys -> %SystemRoot%\System32\npptNT2.sys -> INCA Internet Co., Ltd. [Ver = 2005, 1, 5, 1 | Size = 4682 bytes | Created Date = 9/4/2008 7:21:26 PM | Attr = ]
PCWizard.cpl -> %SystemRoot%\System32\PCWizard.cpl -> [Ver = 2008, 1, 8, 0 | Size = 27136 bytes | Created Date = 8/27/2008 6:05:18 PM | Attr = ]
WSG32 -> %SystemRoot%\System32\WSG32 -> [Folder | Created Date = 9/6/2008 10:23:25 PM | Attr = ]
erdnt -> %SystemRoot%\erdnt -> [Folder | Created Date = 9/16/2008 1:17:30 AM | Attr = ]
ExentInfo.exe -> %SystemRoot%\ExentInfo.exe -> Exent Technologies Ltd. [Ver = 06.01.31.00 | Size = 53314 bytes | Created Date = 8/26/2008 11:25:52 AM | Attr = ]
fdsv.exe -> %SystemRoot%\fdsv.exe -> Smallfrogs Studio [Ver = 1, 2, 0, 22 | Size = 89504 bytes | Created Date = 9/16/2008 1:16:58 AM | Attr = ]
GPlrLanc.dat -> %SystemRoot%\GPlrLanc.dat -> [Ver = | Size = 70 bytes | Created Date = 8/26/2008 11:26:03 AM | Attr = ]
grep.exe -> %SystemRoot%\grep.exe -> [Ver = | Size = 80412 bytes | Created Date = 9/16/2008 1:16:58 AM | Attr = ]
Indiagames.ico -> %SystemRoot%\Indiagames.ico -> [Ver = | Size = 3262 bytes | Created Date = 8/26/2008 11:26:03 AM | Attr = ]
NIRCMD.EXE -> %SystemRoot%\NIRCMD.EXE -> NirSoft [Ver = 2.10 | Size = 28672 bytes | Created Date = 9/16/2008 1:51:30 PM | Attr = ]
sed.exe -> %SystemRoot%\sed.exe -> [Ver = | Size = 98816 bytes | Created Date = 9/16/2008 1:16:58 AM | Attr = ]
swxcacls.exe -> %SystemRoot%\swxcacls.exe -> SteelWerX [Ver = 1.0.1.1 | Size = 212480 bytes | Created Date = 9/16/2008 1:16:58 AM | Attr = ]
temp -> %SystemRoot%\temp -> [Folder | Created Date = 9/16/2008 10:36:33 AM | Attr = ]
VFind.exe -> %SystemRoot%\VFind.exe -> [Ver = | Size = 49152 bytes | Created Date = 9/16/2008 1:16:58 AM | Attr = ]
zip.exe -> %SystemRoot%\zip.exe -> [Ver = | Size = 68096 bytes | Created Date = 9/16/2008 1:16:58 AM | Attr = ]
ZMatrixSS.ini -> %SystemRoot%\ZMatrixSS.ini -> [Ver = | Size = 68 bytes | Created Date = 8/26/2008 9:30:08 AM | Attr = ]
[Files Created - Additional Folder Scans - Non-Microsoft Only]
Exetender -> %AllUsersProfile%\Application Data\Exetender -> [Folder | Created Date = 8/26/2008 11:26:02 AM | Attr = ]
FLEXnet -> %AllUsersProfile%\Application Data\FLEXnet -> [Folder | Created Date = 8/27/2008 5:30:43 AM | Attr = ]
WLInstaller -> %AllUsersProfile%\Application Data\WLInstaller -> [Folder | Created Date = 9/3/2008 6:59:51 AM | Attr = ]
.ZMatrix -> %AppData%\.ZMatrix -> [Folder | Created Date = 8/26/2008 9:21:16 AM | Attr = ]
DNA -> %AppData%\DNA -> [Folder | Created Date = 9/4/2008 7:10:13 PM | Attr = ]
dvdcss -> %AppData%\dvdcss -> [Folder | Created Date = 8/20/2008 10:06:28 PM | Attr = ]
UseNeXT -> %AppData%\UseNeXT -> [Folder | Created Date = 8/28/2008 9:01:16 PM | Attr = ]
Cooliris -> %UserProfile%\Local Settings\Application Data\Cooliris -> [Folder | Created Date = 9/2/2008 11:59:44 AM | Attr = ]
DNA -> %UserProfile%\Local Settings\Application Data\DNA -> [Folder | Created Date = 9/4/2008 7:10:15 PM | Attr = ]
PCHealth -> %UserProfile%\Local Settings\Application Data\PCHealth -> [Folder | Created Date = 9/3/2008 7:12:58 AM | Attr = ]
TouchStoneSoftware -> %UserProfile%\Local Settings\Application Data\TouchStoneSoftware -> [Folder | Created Date = 8/27/2008 6:10:42 PM | Attr = ]
Widgets -> %UserProfile%\Local Settings\Application Data\Widgets -> [Folder | Created Date = 8/26/2008 8:44:53 AM | Attr = ]
WMTools Downloaded Files -> %UserProfile%\Local Settings\Application Data\WMTools Downloaded Files -> [Folder | Created Date = 8/31/2008 7:43:31 PM | Attr = ]
microsoft -> %AllUsersProfile%\Documents\microsoft -> [Folder | Created Date = 9/17/2008 6:36:03 PM | Attr = ]
1z55d2u.jpg -> %UserProfile%\My Documents\1z55d2u.jpg -> [Ver = | Size = 134783 bytes | Created Date = 8/28/2008 4:27:51 PM | Attr = ]
2226889020_ce8c067008.jpg -> %UserProfile%\My Documents\2226889020_ce8c067008.jpg -> [Ver = | Size = 150080 bytes | Created Date = 8/28/2008 4:20:48 PM | Attr = ]
Downloads -> %UserProfile%\My Documents\Downloads -> [Folder | Created Date = 9/3/2008 4:36:05 AM | Attr = ]
LOTR The Return of the King ™ Data -> %UserProfile%\My Documents\LOTR The Return of the King ™ Data -> [Folder | Created Date = 8/22/2008 2:38:53 AM | Attr = ]
mix fer sleep.b4s -> %UserProfile%\My Documents\mix fer sleep.b4s -> [Ver = | Size = 2581 bytes | Created Date = 8/24/2008 3:30:31 AM | Attr = ]
muscle%20woman%202.jpg -> %UserProfile%\My Documents\muscle%20woman%202.jpg -> [Ver = | Size = 35360 bytes | Created Date = 8/31/2008 3:46:05 PM | Attr = ]
Thumbs.db -> %UserProfile%\My Documents\Thumbs.db -> [Ver = | Size = 16384 bytes | Created Date = 9/15/2008 2:24:00 AM | Attr = HS]
@Alternate Data Stream - 0 bytes -> %UserProfile%\My Documents\Thumbs.db:encryptable
UseNeXT -> %UserProfile%\My Documents\UseNeXT -> [Folder | Created Date = 8/28/2008 9:01:17 PM | Attr = ]
ComboFix.exe -> %UserProfile%\Desktop\ComboFix.exe -> [Ver = | Size = 2852559 bytes | Created Date = 9/16/2008 1:07:58 AM | Attr = R ]
EVERYTHING IS HERE -> %UserProfile%\Desktop\EVERYTHING IS HERE -> [Folder | Created Date = 8/28/2008 5:14:32 PM | Attr = ]
OTScanIt -> %UserProfile%\Desktop\OTScanIt -> [Folder | Created Date = 9/19/2008 12:27:57 AM | Attr = ]
OTScanIt.exe -> %UserProfile%\Desktop\OTScanIt.exe -> [Ver = | Size = 576581 bytes | Created Date = 9/19/2008 12:26:39 AM | Attr = ]
Pueblo UE.lnk -> %UserProfile%\Desktop\Pueblo UE.lnk -> [Ver = | Size = 640 bytes | Created Date = 9/10/2008 2:25:45 AM | Attr = ]
nukenabber.lnk -> %UserProfile%\Start Menu\Programs\Startup\nukenabber.lnk -> [Ver = | Size = 740 bytes | Created Date = 9/1/2008 9:54:14 PM | Attr = ]
ZMatrix.lnk -> %UserProfile%\Start Menu\Programs\Startup\ZMatrix.lnk -> [Ver = | Size = 673 bytes | Created Date = 8/26/2008 9:30:08 AM | Attr = ]
INCA Shared -> %CommonProgramFiles%\INCA Shared -> [Folder | Created Date = 9/4/2008 7:19:39 PM | Attr = ]
Macrovision Shared -> %CommonProgramFiles%\Macrovision Shared -> [Folder | Created Date = 8/27/2008 5:10:24 AM | Attr = ]
WindowsLiveInstaller -> %CommonProgramFiles%\WindowsLiveInstaller -> [Folder | Created Date = 9/3/2008 7:00:21 AM | Attr = HS]
Applications -> %ProgramFiles%\Applications -> [Folder | Created Date = 9/9/2008 5:16:05 PM | Attr = ]
Bonjour -> %ProgramFiles%\Bonjour -> [Folder | Created Date = 8/27/2008 5:25:10 AM | Attr = ]
Cain -> %ProgramFiles%\Cain -> [Folder | Created Date = 9/3/2008 2:17:24 AM | Attr = ]
DNA -> %ProgramFiles%\DNA -> [Folder | Created Date = 9/4/2008 7:10:13 PM | Attr = ]
Duhiki -> %ProgramFiles%\Duhiki -> [Folder | Created Date = 8/26/2008 8:44:53 AM | Attr = ]
FileSubmit -> %ProgramFiles%\FileSubmit -> [Folder | Created Date = 8/26/2008 8:09:25 AM | Attr = ]
Indiagames GoD -> %ProgramFiles%\Indiagames GoD -> [Folder | Created Date = 8/26/2008 11:25:50 AM | Attr = ]
Legion -> %ProgramFiles%\Legion -> [Folder | Created Date = 9/1/2008 9:15:18 PM | Attr = ]
Microsoft Silverlight -> %ProgramFiles%\Microsoft Silverlight -> [Folder | Created Date = 9/17/2008 6:36:25 PM | Attr = ]
MUSHclient -> %ProgramFiles%\MUSHclient -> [Folder | Created Date = 9/14/2008 5:00:35 AM | Attr = ]
NukeNabber -> %ProgramFiles%\NukeNabber -> [Folder | Created Date = 9/1/2008 9:54:13 PM | Attr = ]
OneStep -> %ProgramFiles%\OneStep -> [Folder | Created Date = 9/7/2008 10:54:24 AM | Attr = ]
PC Wizard 2008 -> %ProgramFiles%\PC Wizard 2008 -> [Folder | Created Date = 8/27/2008 6:05:12 PM | Attr = ]
PuebloUE -> %ProgramFiles%\PuebloUE -> [Folder | Created Date = 9/10/2008 2:25:36 AM | Attr = ]
Sun -> %ProgramFiles%\Sun -> [Folder | Created Date = 9/3/2008 9:48:49 PM | Attr = ]
TGTSoft -> %ProgramFiles%\TGTSoft -> [Folder | Created Date = 8/26/2008 8:07:10 AM | Attr = ]
UseNeXT -> %ProgramFiles%\UseNeXT -> [Folder | Created Date = 8/28/2008 9:01:08 PM | Attr = ]
Windows Live -> %ProgramFiles%\Windows Live -> [Folder | Created Date = 9/3/2008 7:00:05 AM | Attr = ]
WSPingPR -> %ProgramFiles%\WSPingPR -> [Folder | Created Date = 9/1/2008 6:59:23 PM | Attr = ]
ZMatrix -> %ProgramFiles%\ZMatrix -> [Folder | Created Date = 8/26/2008 9:29:57 AM | Attr = ]

[Files/Folders - Modified Within 30 days]
Boot.bak -> %SystemDrive%\Boot.bak -> [Ver = | Size = 354 bytes | Modified Date = 8/28/2008 4:15:10 PM | Attr = ]
boot.ini -> %SystemDrive%\boot.ini -> [Ver = | Size = 424 bytes | Modified Date = 9/16/2008 1:18:18 AM | Attr = RHS]
TEST.XML -> %SystemDrive%\TEST.XML -> [Ver = | Size = 45 bytes | Modified Date = 9/15/2008 7:25:27 PM | Attr = ]
hosts -> %SystemRoot%\System32\drivers\etc\hosts -> [Ver = | Size = 27 bytes | Modified Date = 9/16/2008 10:22:32 AM | Attr = ]
1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp ->
CmdLineExt03.dll -> %SystemRoot%\System32\CmdLineExt03.dll -> [Ver = | Size = 43520 bytes | Modified Date = 8/26/2008 12:13:43 PM | Attr = ]
FNTCACHE.DAT -> %SystemRoot%\System32\FNTCACHE.DAT -> [Ver = | Size = 1478328 bytes | Modified Date = 9/4/2008 10:15:20 PM | Attr = ]
MRT.INI -> %SystemRoot%\System32\MRT.INI -> [Ver = | Size = 197 bytes | Modified Date = 9/11/2008 8:02:44 AM | Attr = ]
perfc009.dat -> %SystemRoot%\System32\perfc009.dat -> [Ver = | Size = 68064 bytes | Modified Date = 9/7/2008 3:56:52 PM | Attr = ]
perfh009.dat -> %SystemRoot%\System32\perfh009.dat -> [Ver = | Size = 433400 bytes | Modified Date = 9/7/2008 3:56:52 PM | Attr = ]
wpa.dbl -> %SystemRoot%\System32\wpa.dbl -> [Ver = | Size = 2206 bytes | Modified Date = 9/19/2008 12:07:13 AM | Attr = ]
bootstat.dat -> %SystemRoot%\bootstat.dat -> [Ver = | Size = 2048 bytes | Modified Date = 9/19/2008 12:06:05 AM | Attr = S]
GPlrLanc.dat -> %SystemRoot%\GPlrLanc.dat -> [Ver = | Size = 70 bytes | Modified Date = 8/26/2008 11:26:03 AM | Attr = ]
imsins.BAK -> %SystemRoot%\imsins.BAK -> [Ver = | Size = 1374 bytes | Modified Date = 8/26/2008 8:17:59 PM | Attr = ]
NIRCMD.EXE -> %SystemRoot%\NIRCMD.EXE -> NirSoft [Ver = 2.10 | Size = 28672 bytes | Modified Date = 9/16/2008 1:51:30 PM | Attr = ]
ODBC.INI -> %SystemRoot%\ODBC.INI -> [Ver = | Size = 498 bytes | Modified Date = 9/19/2008 12:06:41 AM | Attr = ]
system.ini -> %SystemRoot%\system.ini -> [Ver = | Size = 227 bytes | Modified Date = 9/16/2008 10:22:44 AM | Attr = ]
win.ini -> %SystemRoot%\win.ini -> [Ver = | Size = 3116 bytes | Modified Date = 9/6/2008 12:33:49 AM | Attr = ]
ZMatrixSS.ini -> %SystemRoot%\ZMatrixSS.ini -> [Ver = | Size = 68 bytes | Modified Date = 8/26/2008 9:30:08 AM | Attr = ]
AppleSoftwareUpdate.job -> %SystemRoot%\tasks\AppleSoftwareUpdate.job -> [Ver = | Size = 284 bytes | Modified Date = 9/13/2008 6:59:03 PM | Attr = ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [Ver = | Size = 6 bytes | Modified Date = 9/19/2008 12:06:08 AM | Attr = H ]
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\ -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader -> [Folder | Modified Date = 6/20/2008 8:27:46 PM | Attr = ]
qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat -> [Ver = | Size = 7422 bytes | Modified Date = 9/19/2008 12:27:05 AM | Attr = ]
qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat -> [Ver = | Size = 7037 bytes | Modified Date = 9/19/2008 12:27:05 AM | Attr = ]
C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA\ -> C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA -> [Folder | Modified Date = 6/11/2008 12:12:52 AM | Attr = ]
opa11.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA\opa11.dat -> [Ver = | Size = 8206 bytes | Modified Date = 5/24/2008 5:22:10 PM | Attr = ]
C:\Documents and Settings\ATL_Infotech\Local Settings\temp\ -> C:\Documents and Settings\ATL_Infotech\Local Settings\temp -> [Folder | Modified Date = 9/19/2008 12:30:18 AM | Attr = ]
Perflib_Perfdata_444.dat -> C:\Documents and Settings\ATL_Infotech\Local Settings\temp\Perflib_Perfdata_444.dat -> [Ver = | Size = 16384 bytes | Modified Date = 9/19/2008 12:16:55 AM | Attr = ]
1 C:\Documents and Settings\ATL_Infotech\Local Settings\temp\*.tmp files -> C:\Documents and Settings\ATL_Infotech\Local Settings\temp\*.tmp ->
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> %UserProfile%\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> [Ver = | Size = 82432 bytes | Modified Date = 9/17/2008 9:55:16 PM | Attr = ]
GDIPFONTCACHEV1.DAT -> %UserProfile%\Local Settings\Application Data\GDIPFONTCACHEV1.DAT -> [Ver = | Size = 42576 bytes | Modified Date = 9/5/2008 12:27:01 AM | Attr = ]
IconCache.db -> %UserProfile%\Local Settings\Application Data\IconCache.db -> [Ver = | Size = 2817866 bytes | Modified Date = 9/17/2008 5:26:39 AM | Attr = H ]
1z55d2u.jpg -> %UserProfile%\My Documents\1z55d2u.jpg -> [Ver = | Size = 134783 bytes | Modified Date = 8/28/2008 4:27:26 PM | Attr = ]
2226889020_ce8c067008.jpg -> %UserProfile%\My Documents\2226889020_ce8c067008.jpg -> [Ver = | Size = 150080 bytes | Modified Date = 8/28/2008 4:19:45 PM | Attr = ]
mix fer sleep.b4s -> %UserProfile%\My Documents\mix fer sleep.b4s -> [Ver = | Size = 2581 bytes | Modified Date = 8/24/2008 3:30:31 AM | Attr = ]
muscle%20woman%202.jpg -> %UserProfile%\My Documents\muscle%20woman%202.jpg -> [Ver = | Size = 35360 bytes | Modified Date = 8/31/2008 3:44:59 PM | Attr = ]
sidpkmnusls.pgs -> %UserProfile%\My Documents\sidpkmnusls.pgs -> [Ver = | Size = 92858 bytes | Modified Date = 8/22/2008 2:38:35 AM | Attr = ]
Thumbs.db -> %UserProfile%\My Documents\Thumbs.db -> [Ver = | Size = 16384 bytes | Modified Date = 9/15/2008 2:24:01 AM | Attr = HS]
@Alternate Data Stream - 0 bytes -> %UserProfile%\My Documents\Thumbs.db:encryptable
ComboFix.exe -> %UserProfile%\Desktop\ComboFix.exe -> [Ver = | Size = 2852559 bytes | Modified Date = 9/16/2008 1:09:27 AM | Attr = R ]
OTScanIt.exe -> %UserProfile%\Desktop\OTScanIt.exe -> [Ver = | Size = 576581 bytes | Modified Date = 9/19/2008 12:27:03 AM | Attr = ]
Pueblo UE.lnk -> %UserProfile%\Desktop\Pueblo UE.lnk -> [Ver = | Size = 640 bytes | Modified Date = 9/10/2008 2:25:45 AM | Attr = ]
nukenabber.lnk -> %UserProfile%\Start Menu\Programs\Startup\nukenabber.lnk -> [Ver = | Size = 740 bytes | Modified Date = 9/1/2008 9:54:14 PM | Attr = ]
ZMatrix.lnk -> %UserProfile%\Start Menu\Programs\Startup\ZMatrix.lnk -> [Ver = | Size = 673 bytes | Modified Date = 8/26/2008 9:30:08 AM | Attr = ]

[CatchMe Rootkit Scan by GMER]
< Windows folder & sub-folders >
scanning hidden processes ...
IPC error: 2 The system cannot find the file specified.
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:c1,ba,63,f7,9d,18,36,cc,87,97,f0,ac,f2,48,26,b1,e8,77,8e,3d,1e,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,b1,cd,1c,8c,3f,6c,29,2e,d9,c8,52,63,ef,2d,b5,2b,17,..
"khjeh"=hex:83,e3,5a,e6,aa,6c,e4,8f,6e,99,55,e9,1b,86,43,a0,b2,8f,a2,27,1c,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:4f,af,65,1a,f5,ff,68,e5,5f,2a,aa,e4,49,d1,4f,d8,51,05,a4,4e,33,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:cc,aa,d2,d5,cb,27,98,70,f3,69,2b,b7,ab,cf,13,3c,a4,21,20,30,2c,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:c1,ba,63,f7,9d,18,36,cc,87,97,f0,ac,f2,48,26,b1,e8,77,8e,3d,1e,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,b1,cd,1c,8c,3f,6c,29,2e,d9,c8,52,63,ef,2d,b5,2b,17,..
"khjeh"=hex:83,e3,5a,e6,aa,6c,e4,8f,6e,99,55,e9,1b,86,43,a0,b2,8f,a2,27,1c,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:4f,af,65,1a,f5,ff,68,e5,5f,2a,aa,e4,49,d1,4f,d8,51,05,a4,4e,33,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:cc,aa,d2,d5,cb,27,98,70,f3,69,2b,b7,ab,cf,13,3c,a4,21,20,30,2c,..
scanning hidden registry entries ...
scanning hidden files ...
C:\WINDOWS\Web\Wallpaper\Thumbs.db:encryptable 0 bytes
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 1
< Document and Settings folder & sub folders >
scanning hidden files ...
IPC error: 2 The system cannot find the file specified.
C:\Documents and Settings\All Users\Application Data\TEMP:888AFB86 110 bytes
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\ATL_Infotech\Application Data\Real\RealPlayer Downloads\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\ATL_Infotech\Favorites\BleepingComputer.com - Malware and Spyware Removal School Admissions.url:favicon 1406 bytes
C:\Documents and Settings\ATL_Infotech\Favorites\Comments on Adobe Photoshop CS3 Extended + Crack adobe photoshop isoHunt - the BitTorrent and P2P search engine.url:favicon 894 bytes
C:\Documents and Settings\ATL_Infotech\Favorites\Comments on Sony Vegas Pro 8.0b Build 217-AVCHD-MPG-AC3 FIXED Sony Vegas isoHunt - the BitTorrent and P2P search engine.url:favicon 894 bytes
C:\Documents and Settings\ATL_Infotech\Favorites\conversations - Definition from the Merriam-Webster Online Dictionary.url:favicon 1150 bytes
C:\Documents and Settings\ATL_Infotech\Favorites\Releases » All sins of a solar empire isoHunt - the BitTorrent and P2P search engine.url:favicon 894 bytes
C:\Documents and Settings\ATL_Infotech\Favorites\romsite.net Direct download all nds and gba roms for free. No account required.url:favicon 1406 bytes
C:\Documents and Settings\ATL_Infotech\Favorites\Saishuu-Hentai.net Download Free Hentai movies. Latest hentai..url:favicon 198 bytes
C:\Documents and Settings\ATL_Infotech\Favorites\Tagged - Video Player.url:favicon 1406 bytes
C:\Documents and Settings\ATL_Infotech\Favorites\TERI DEEWANI -14 OF TODAY'S BIGGEST SUFI HITS songs - Artists - Songs, Soundtrack, Music, Lyrics, Videos and Trailers - TERI DEEWANI -14 OF TODAY'S BIGGEST SUFI HITS - Smableeps.com.url:favicon 1406 bytes
C:\Documents and Settings\ATL_Infotech\Favorites\The 100 Greatest Horror Movies from BHM, Updated and Expanded for 2008!.url:favicon 3638 bytes
C:\Documents and Settings\ATL_Infotech\Favorites\http--www.bleepingcomputer.com-forums-topic153179.html.url:favicon 1406 bytes
C:\Documents and Settings\ATL_Infotech\Favorites\Indiagames GoD Tadkalive - Social Networking Site for GoD's and Gamers (Powered by Invision Power Board).url:favicon 1406 bytes
C:\Documents and Settings\ATL_Infotech\Favorites\IT-Docs,Gamedev,Hacker,Programmer learn computing isoHunt - the BitTorrent and P2P search engine.url:favicon 894 bytes
C:\Documents and Settings\ATL_Infotech\Favorites\making my come in earnest ----- motherboard.url:favicon 1406 bytes
C:\Documents and Settings\ATL_Infotech\Favorites\Mixing Music Tutorial TheWhippinpost.url:favicon 4150 bytes
C:\Documents and Settings\ATL_Infotech\Favorites\New ePSXe v.1.7.0 compatibility list thread - SnesOrama Emulation Community.url:favicon 2550 bytes
C:\Documents and Settings\ATL_Infotech\Favorites\Online Football Manager - Manage your favourite football team.url:favicon 766 bytes
C:\Documents and Settings\ATL_Infotech\Favorites\Torrent - [Libitina] The Thrilla In Manila Ali vs Frazier III BitTorrentMonster.url:favicon 6894 bytes
C:\Documents and Settings\ATL_Infotech\Favorites\Travian comx.url:favicon 1406 bytes
C:\Documents and Settings\ATL_Infotech\Favorites\V I P E R L A I R .com - PCI Express Primer.url:favicon 3638 bytes
C:\Documents and Settings\ATL_Infotech\Favorites\We are sorry for the temporary outage..url:favicon 1406 bytes
C:\Documents and Settings\ATL_Infotech\Favorites\Webcam girls Hottie getting naked PicVi.url:favicon 1406 bytes
C:\Documents and Settings\ATL_Infotech\Favorites\Windows Explorer Keeps Closing And Restarting! Help!.url:favicon 1406 bytes
C:\Documents and Settings\ATL_Infotech\Favorites\www.aldostools.com - Playstation emulators and PSX Tools by Aldo Vargas.url:favicon 3262 bytes
C:\Documents and Settings\ATL_Infotech\Favorites\WWW.CRACKS.AM - the oldest and largest source of cracks, patches, keygens and serials - since 1999!.url:favicon 894 bytes
C:\Documents and Settings\ATL_Infotech\Favorites\XP Themes, Vista Themes, XP Logins, XP Boot Screens, Desktop Themes, Wallpapers, Screensavers.url:favicon 25214 bytes
C:\Documents and Settings\ATL_Infotech\Favorites\YouTube - CardShark88's Channel.url:favicon 1150 bytes
C:\Documents and Settings\ATL_Infotech\Favorites\http--ww.smableeps.com-index.cfmPage=Audio&SubPage=ShowTracks&AlbumID=39.url:favicon 1406 bytes
C:\Documents and Settings\ATL_Infotech\Favorites\THEORY11 Underground Magic & Cardistry Epicenter Learn Magic Tricks & Card Flourishing.url:favicon 3638 bytes
C:\Documents and Settings\ATL_Infotech\Favorites\Download music, movies, games, software! The Pirate Bay - The world's largest BitTorrent tracker.url:favicon 824 bytes
C:\Documents and Settings\ATL_Infotech\Favorites\DownloadNova - All of your questions about downloading and download nova are answered here..url:favicon 2550 bytes
C:\Documents and Settings\ATL_Infotech\Favorites\Final Fantasy Tactics A2 Grimoire of the Rift MULTi4 (E)(EXiMiUS) - Google Search.url:favicon 1150 bytes
C:\Documents and Settings\ATL_Infotech\Favorites\Free Browser List - Onrpg Free MMORPG Forums.url:favicon 1078 bytes
C:\Documents and Settings\ATL_Infotech\Favorites\Free low spec MMOS CHECK THIS! - Onrpg Free MMORPG Forums.url:favicon 1078 bytes
C:\Documents and Settings\ATL_Infotech\Favorites\Fulldls.com - Related torrents to Magician - David Copperfield Collection - Magic torrent.url:favicon 1150 bytes
C:\Documents and Settings\ATL_Infotech\Favorites\GameSpot Forums - PC Games - low spec games..url:favicon 1406 bytes
C:\Documents and Settings\ATL_Infotech\Favorites\gamespy Top 25 PSone Games of All-Time.url:favicon 1078 bytes
C:\Documents and Settings\ATL_Infotech\Favorites\Google Docs - Slavehack.url:favicon 318 bytes
C:\Documents and Settings\ATL_Infotech\Favorites\HTML Text Formatting.url:favicon 318 bytes
C:\Documents and Settings\ATL_Infotech\Local Settings\Application Data\Microsoft\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\ATL_Infotech\My Documents\Downloads\New Folder\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\ATL_Infotech\My Documents\Downloads\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\ATL_Infotech\My Documents\My Pictures\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\ATL_Infotech\My Documents\My Pictures\Google Talk Received Images\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\ATL_Infotech\My Documents\Thumbs.db:encryptable 0 bytes
scan completed successfully
hidden files: 104

< End of report >

Edited by siddhant, 18 September 2008 - 02:11 PM.


#14 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:03:45 AM

Posted 18 September 2008 - 10:18 PM

Hello, siddhant.
Don't worry... you did everything fine.

Just wanted one more look when that ESET scan came back with that much stuff.

You now appear to be clean. Congratulations!

We need to remove ComboFix
  • Click START then RUN
  • Now type or copy Combofix /u in the runbox and click OK.
    Note the space between the X and the U, it needs to be there.
We need to clean up our tools.
  • Please download OTMoveIt2 by OldTimer and save it to your desktop.
  • Click the Clean Up button.
  • Accept any prompts.
  • This will remove any tools we used, including OTMoveIt, and will require a reboot.
Below are some steps to follow in order to dramatically lower the chances of reinfection.
You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented.
  • Set a New Restore Point to prevent possible reinfection from an old one.
    Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools cannot access it to delete these bad files, which can sometimes reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.
    You can view a video of the following instructions.
    • Go to Start > Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
    • Then go to Start > Run and type: Cleanmgr
    • Click "OK".
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
    Note: You should only do this once!
  • Make sure you install all the security updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help to prevent malicious software being installed on your PC.
    Go here to check for & install updates to Microsoft applications.
    Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install.
  • Keep your non-Microsoft applications updated as well
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector. I suggest that you run it at least once a month.
  • Make Internet Explorer more secure
    • Click Start -> Run
    • Type "Inetcpl.cpl" (without quotes) & click OK.
    • Click on the Security tab.
    • Click "Reset all zones to default level"
    • Make sure the Internet Zone is selected & click "Custom level"
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Click OK, then Apply, then OK to exit the Internet Properties page.
  • Install SpywareBlaster & make sure to update it regularly
    SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing themselves on your computer.
    If you don't know what ActiveX controls are, see here.
    You can download SpywareBlaster from here.
  • Finally, I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date!
Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
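The "Make Internet Explorer more secure" and SpywareBlaster steps in the post above are click-through instructions; the script below is an added example for this thread, not part of Billy O'Neal's post and not code from ComboFix, OTMoveIt or SpywareBlaster. It audits (and with `-Apply`, sets) the three Internet-zone ActiveX settings the post prescribes, warns if a machine-wide policy would make per-user zone settings irrelevant, and shows how a kill bit is recognised in the registry, which is the mechanism SpywareBlaster uses to block known-bad controls. It assumes Windows PowerShell 2.0 or later is installed (a stock XP SP2 machine like the one in this thread does not have it), that it runs as the user whose IE profile matters, and the sample CLSID at the end is a placeholder, not a known-bad control.

```powershell
<#
  Added example for this thread; not part of the original post and not code from
  ComboFix, OTMoveIt or SpywareBlaster. Audits (and with -Apply, sets) the three
  Internet-zone ActiveX settings the post prescribes, checks for a machine-wide
  zone policy that would override them, and tests whether a control is kill-bitted.
  Assumptions: Windows PowerShell 2.0+; run as the user whose IE profile matters,
  elevated if you want the HKLM reads to be authoritative.
#>
param([switch]$Apply)

# Zone 3 is the Internet zone. Data values: 0 = Enable, 1 = Prompt, 3 = Disable.
$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$Meaning  = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Registry value name, what IE's Custom Level dialog calls it, and the setting the post asks for.
$Hardened = @(
    @{ Id = '1001'; Setting = 'Download signed ActiveX controls';                          Want = 1 },
    @{ Id = '1004'; Setting = 'Download unsigned ActiveX controls';                        Want = 1 },
    @{ Id = '1201'; Setting = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
)

function Get-ZoneValue([string]$Id) {
    # Returns the DWORD for one zone setting, or $null if the value is absent.
    $props = Get-ItemProperty -Path $ZonePath -ErrorAction SilentlyContinue
    if ($props -eq $null -or $props.PSObject.Properties[$Id] -eq $null) { return $null }
    return [int]$props.$Id
}

function Get-InternetZoneActiveXReport {
    # One row per setting: current value, prescribed value, and whether they match.
    foreach ($s in $Hardened) {
        $cur = Get-ZoneValue $s.Id
        if ($cur -eq $null) { $curText = 'not set (IE default)' } else { $curText = $Meaning[$cur] }
        if ($cur -eq $s.Want) { $status = 'OK' } else { $status = 'WEAK' }
        New-Object PSObject -Property @{
            Status = $status; Id = $s.Id; Setting = $s.Setting
            Current = $curText; Wanted = $Meaning[$s.Want]
        }
    }
}

function Set-InternetZoneActiveX {
    # Writes only the values that differ, so re-running is harmless.
    foreach ($s in $Hardened) {
        if ((Get-ZoneValue $s.Id) -ne $s.Want) {
            Set-ItemProperty -Path $ZonePath -Name $s.Id -Value $s.Want -Type DWord
        }
    }
}

function Test-MachineZonePolicy {
    # With Security_HKLM_only = 1, IE ignores HKCU zone settings and uses the HKLM
    # copy, so a per-user fix would look correct in the report yet change nothing.
    $key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    return ($props -ne $null -and $props.Security_HKLM_only -eq 1)
}

function Test-KillBit([string]$Clsid) {
    # A control is kill-bitted when bit 0x400 of 'Compatibility Flags' is set under
    # HKLM\...\ActiveX Compatibility\{CLSID}; IE then refuses to instantiate it.
    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props -eq $null -or $props.'Compatibility Flags' -eq $null) { return $false }
    return (([int]$props.'Compatibility Flags') -band 0x400) -ne 0
}

# --- main ---
if (Test-MachineZonePolicy) {
    Write-Warning 'Security_HKLM_only is set: per-user zone settings are ignored; edit the HKLM Zones\3 key instead.'
}
Get-InternetZoneActiveXReport | Format-Table Status, Id, Setting, Current, Wanted -AutoSize
if ($Apply) {
    Set-InternetZoneActiveX
    'After applying:'
    Get-InternetZoneActiveXReport | Format-Table Status, Id, Setting, Current, Wanted -AutoSize
}

# Placeholder CLSID (an assumption, not a known-bad control); substitute the one you want to check.
$SampleClsid = '{00000000-0000-0000-0000-000000000000}'
"Kill bit set for $SampleClsid : $(Test-KillBit $SampleClsid)"
```

Run it once without `-Apply` to see which of the three settings are still at Enable, then with `-Apply` to change them; open Inetcpl.cpl afterwards and confirm the Custom Level dialog agrees. Because IE caches zone settings per process, close and reopen the browser before trusting the new values, and heed the Security_HKLM_only warning: on a machine where that policy is set, the HKCU edits the post describes (and this script makes) will not take effect.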

#15 Billy O'Neal

Posted 21 September 2008 - 12:35 AM

Hello, siddhant.
Since this issue appears resolved, this topic has been closed.

If you need this topic reopened, please send me or another moderator a PM.

Everyone else please begin a new topic.

Billy3



