
Google Results Are Redirected


  • This topic is locked
16 replies to this topic

#1 Jelly_man

Jelly_man

  • Members
  • 12 posts
  • OFFLINE
  • Local time:01:44 AM

Posted 30 August 2008 - 03:22 PM

Hi, a person on another forum that I frequent is having malware troubles. The main symptom that he has described is the redirection of Google Search results. For example, if he googles "Hello", the first result is Hello magazine. If he clicks it, he gets redirected to TheFreeDictionary's definition of Hello. He is also unable to make forum posts that contain HijackThis logs, and has to ask people over Instant Messengers to post them for him. BleepingComputer is also seemingly blocked by this malware, meaning he is unable to post this himself.

You can read his original forum post here, as he also describes other symptoms.

Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:00:48 PM, on 30/08/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5335.0005)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOW\System32\smss.exe
C:\WINDOW\system32\csrss.exe
C:\WINDOW\system32\winlogon.exe
C:\WINDOW\system32\services.exe
C:\WINDOW\system32\lsass.exe
C:\WINDOW\system32\svchost.exe
C:\WINDOW\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOW\System32\svchost.exe
C:\WINDOW\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOW\Explorer.EXE
C:\WINDOW\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=552...cid={SUB_CLCID}
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\RYAN\Application Data\Mozilla\Profiles\default\4s4fviwn.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: (no name) - {5C9DD472-6E0E-D741-C444-09655A1519B9} - C:\Program Files\Apaflbcv\kircwljm.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O4 - HKLM\..\Run: [Lexmark 1200 Series] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [Xfire Music] "C:\Program Files\Xfire\xfiremusic.exe"
O4 - HKLM\..\Run: [wxyripyr] rundll32.exe "C:\Program Files\wxyripyr\gbqrorqf.dll",Init
O4 - HKLM\..\Run: [velqrmlo] rundll32.exe "C:\Program Files\velqrmlo\ngbyhsby.dll",Init
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TFGcm] C:\WINDOW\sunqu.exe
O4 - HKLM\..\Run: [tekucvbd] c:\window\system32\tekucvbd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
O4 - HKLM\..\Run: [PdPYgu] C:\WINDOW\sunqu.exe
O4 - HKLM\..\Run: [pclsdanc] rundll32.exe "C:\Program Files\pclsdanc\rslunmps.dll",Init
O4 - HKLM\..\Run: [gvjymwnm] C:\Program Files\Vwbyprah\gvjymwnm.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOW\dinst.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [BHOZapper] C:\Program Files\BHOZapper\BHOZapper.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [adorttdl] C:\Program Files\Vbijgjng\adorttdl.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ynozujiz] regsvr32 /u "C:\Documents and Settings\All Users.WINDOW\Application Data\ynozujiz.dll"
O4 - HKLM\..\Run: [uxfmhxpl] C:\Program Files\Bhddeivz\uxfmhxpl.exe
O4 - HKLM\..\Run: [lphc5ahj0encj] C:\WINDOW\system32\lphc5ahj0encj.exe
O4 - HKLM\..\Run: [odejetob] regsvr32 /u "C:\Documents and Settings\All Users.WINDOW\Application Data\odejetob.dll"
O4 - HKLM\..\Run: [SC2] C:\Program Files\SecCenter\scprot4.exe
O4 - HKLM\..\Run: [zvvktswg] C:\Program Files\Uvonsmcn\zvvktswg.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [Uniblue Registry Booster] C:\Program Files\Uniblue\Registry Booster\RegistryBooster.exe /S
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Ultimate Cleaner] "C:\Program Files\Ultimate Cleaner\UltimateCleaner.exe" hide
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools\daemon.exe" -autorun
O4 - HKUS\S-1-5-18\..\Run: [iLike] C:\Program Files\iLike\1.1.41\ilikesidebar.exe /checkforupdate (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [iLike] C:\Program Files\iLike\1.1.41\ilikesidebar.exe /checkforupdate (User 'Default user')
O4 - Startup: Anapod Manager.lnk = C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
O4 - Startup: BitTorrent.lnk = C:\Program Files\BitTorrent\bittorrent.exe
O4 - Startup: MOG-O-MATIC.lnk = C:\Program Files\MOG-O-MATIC\MogClient.exe
O4 - Startup: World Community Grid Agent.lnk = C:\Program Files\WorldCommunityGrid\UD.EXE
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire2\xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe (file missing)
O9 - Extra button: Rogers Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOW\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOW\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} -
O16 - DPF: {3334504D-9980-0010-8000-00AA00389B71} -
O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} -
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab56986.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} -
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.5.0_01) -
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - (no file)
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOW\system32\ieframe.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOW\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOW\system32\LEXBCES.EXE
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOW\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOW\system32\YPCSER~1.EXE

--
End of file - 12032 bytes


#2 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:06:44 PM

Posted 13 September 2008 - 10:14 PM

Hello, Jelly_man.
:thumbsup: to BleepingComputer.com

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)

I want to apologise that it has taken so long to get back to you. We on the HJT Team are working as fast as possible to get your log answered.

If you would still like help, please post a new HiJack This log below, as things may have changed on your system.

If you do not still need help, please let me know, so that I can move on to other users who still need help.

Please take note of the following:
  • While a HJT Team member is working with you, please refrain from making any changes to your computer.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Please reply using the Add Reply button in the lower left hand corner of your screen.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave, and if there is no contact for that amount of time I will have to assume you have "vanished" :).
Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#3 Jelly_man

Jelly_man
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:01:44 AM

Posted 14 September 2008 - 01:36 PM

Hi, thanks for finally replying.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:57:45 AM, on 14/09/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5335.0005)
Boot mode: Normal

Running processes:
C:\WINDOW\System32\smss.exe
C:\WINDOW\system32\winlogon.exe
C:\WINDOW\system32\services.exe
C:\WINDOW\system32\lsass.exe
C:\WINDOW\system32\Ati2evxx.exe
C:\WINDOW\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOW\System32\svchost.exe
C:\WINDOW\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOW\system32\LEXBCES.EXE
C:\WINDOW\system32\spoolsv.exe
C:\WINDOW\system32\LEXPPS.EXE
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOW\system32\PnkBstrA.exe
C:\WINDOW\System32\svchost.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOW\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOW\Explorer.EXE
C:\WINDOW\system32\wscntfy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOW\system32\taskmgr.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=552...cid={SUB_CLCID}
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\RYAN\Application Data\Mozilla\Profiles\default\4s4fviwn.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: (no name) - {5C9DD472-6E0E-D741-C444-09655A1519B9} - (no file)
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKUS\S-1-5-18\..\Run: [iLike] C:\Program Files\iLike\1.1.41\ilikesidebar.exe /checkforupdate (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [iLike] C:\Program Files\iLike\1.1.41\ilikesidebar.exe /checkforupdate (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe (file missing)
O9 - Extra button: Rogers Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOW\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOW\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} -
O16 - DPF: {3334504D-9980-0010-8000-00AA00389B71} -
O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} -
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab56986.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} -
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.5.0_01) -
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - (no file)
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOW\system32\ieframe.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOW\system32\Ati2evxx.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOW\system32\LEXBCES.EXE
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOW\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOW\system32\YPCSER~1.EXE

--
End of file - 8632 bytes

#4 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:06:44 PM

Posted 15 September 2008 - 03:59 PM

Hello, Jelly_man.
Viewpoint is considered foistware instead of malware because it is installed without users' approval, but doesn't spy or do anything "bad". You may like to read this article about the potential of this Viewpoint software here:
http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Click on Start > Run... > and then paste the following into the "Open" field: "appwiz.cpl" and press OK. From within Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, and/or Viewpoint Media Player.

We have to remove some entries in HiJack This
  • Please re-open HiJackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
    O2 - BHO: (no name) - {5C9DD472-6E0E-D741-C444-09655A1519B9} - (no file)
    O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} -
    O16 - DPF: {3334504D-9980-0010-8000-00AA00389B71} -
    O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} -
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} -
    O16 - DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.5.0_01) -
    O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
    O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
    O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - (no file)
  • Close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE)6 Update 7...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-Language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u7-windows-i586-p.exe
  • Follow the on screen instructions to install the latest Java version.
I would like us to use ESET (NOD32)'s Online Scanner
  • Please go to ESET OnlineScan (NOD32)
  • You will then see the Terms of Use, tick the check-box in front of YES, I accept the Terms of Use
  • Now click Start
  • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  • Click Start
    • Note: (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan
  • The Onlinescan will now start and scan your pc (this could take a while)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
  • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  • The Scanresults will now open in Notepad
  • Click into the text area, right-click and choose "select all" (or use Ctrl+A)
  • Right-click again and choose "Copy" (or Ctrl+C)
  • Close/Exit Notepad
  • Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.
Note: For Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

In your next reply, please include the following:
  • ESET OnlineScan's Log
  • A new HJT Log

Billy3

Edited by Billy O'Neal, 15 September 2008 - 04:00 PM.

Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
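The entries Billy asks to have fixed in post #4 are the ones that account for the symptoms in post #1: the AutoConfigURL pointing Internet Explorer at a PAC file served from localhost:9100 means every request is routed through a local proxy, which is how search result clicks get rewritten and sites such as BleepingComputer or ESET can be blocked; the "(no name)" BHO is an unregistered browser helper; and the O4 Run entries with eight-letter random names loading DLLs via rundll32 ...,Init or regsvr32 /u are the persistence. As an added illustration (not code from this thread, from HijackThis, or from the Malware Response Team), the following Python script parses log lines in the HijackThis format and surfaces exactly those three patterns so an analyst can focus on them first. The sample lines are copied from the logs above; the heuristics (loopback PAC, unnamed BHO, eight lowercase letters as a "random" name, regsvr32 /u at startup) are this example's own assumptions and are meant to generate candidates for a human reviewer, not verdicts. Note that the entry C:\WINDOW\sunqu.exe in the sample is deliberately not caught by these name-based checks, which is why the full log still has to be read.

```python
import re

# Constructed sample input: lines taken from the HijackThis logs posted in this
# thread, plus benign lines for contrast. A raw string, so backslashes are literal.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C9DD472-6E0E-D741-C444-09655A1519B9} - C:\Program Files\Apaflbcv\kircwljm.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [wxyripyr] rundll32.exe "C:\Program Files\wxyripyr\gbqrorqf.dll",Init
O4 - HKLM\..\Run: [ynozujiz] regsvr32 /u "C:\Documents and Settings\All Users.WINDOW\Application Data\ynozujiz.dll"
O4 - HKLM\..\Run: [TFGcm] C:\WINDOW\sunqu.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Every HijackThis entry starts with a section code (R0, O2, O4, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.+)$")

# R0/R1: a proxy auto-config URL. Pointing it at the loopback interface means a
# process on the same machine is the proxy for all browser traffic.
AUTOCONFIG_RE = re.compile(r"AutoConfigURL = (?P<url>\S+)", re.IGNORECASE)
LOOPBACK_RE = re.compile(r"^https?://(localhost|127\.\d+\.\d+\.\d+)(:\d+)?/", re.IGNORECASE)

# O2: "BHO: <name> - {CLSID} - <path>"
BHO_RE = re.compile(r"^BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")

# O4: "HKLM\..\Run: [<value name>] <command line>"
RUN_RE = re.compile(r"^HK\S*?\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

# Heuristic (assumption of this example): exactly eight lowercase letters is the
# shape of the generated names in this thread's log; legitimate software rarely
# registers a Run value that looks like that.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}$")


def triage(log_text):
    """Return a list of (category, detail) findings for suspicious entries.

    Categories: local-pac, unnamed-bho, regsvr32-unregister-at-startup,
    random-run-name. Order follows the order of lines in the log.
    """
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")

        if kind in ("R0", "R1"):
            pac = AUTOCONFIG_RE.search(body)
            if pac and LOOPBACK_RE.match(pac.group("url")):
                findings.append(("local-pac", pac.group("url")))

        elif kind == "O2":
            bho = BHO_RE.match(body)
            if bho and bho.group("name") == "(no name)":
                findings.append(("unnamed-bho", bho.group("path")))

        elif kind == "O4":
            run = RUN_RE.match(body)
            if not run:
                continue  # Startup-folder and other O4 variants are not handled here
            name, cmd = run.group("name"), run.group("cmd")
            # Unregistering a COM server every boot is not something installers do;
            # a DLL's DllUnregisterServer still runs arbitrary code.
            if re.match(r"regsvr32\s+/u\b", cmd, re.IGNORECASE):
                findings.append(("regsvr32-unregister-at-startup", name))
            elif RANDOM_NAME_RE.match(name):
                findings.append(("random-run-name", name))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:32} {detail}")
```

Running it on the sample prints four findings: the loopback PAC URL, the unnamed BHO's DLL path, the regsvr32 /u entry and the rundll32 entry with the random name. The AutoConfigURL finding is the one to chase first when a user reports "Google results redirect" and "security sites won't load", because a local proxy explains both at once, and the HijackThis fix for that line only removes the setting, not the process listening on port 9100.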

#5 Jelly_man

Jelly_man
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:01:44 AM

Posted 18 September 2008 - 09:50 AM

Hi Billy. I relayed those steps back to the person having the problem, but he is unable to connect to Eset's site; the malware is still blocking it.

#6 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:06:44 PM

Posted 18 September 2008 - 10:13 PM

Hello, Jelly_man.
We need to run OTScanIt
Before running a new scan let's clean out the temporary folders.
Download ATF Cleaner to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Close ALL Internet browsers (very important).
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Now download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • In the Drivers section click on Non-Microsoft.
  • In the Rootkit Search area select Yes
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck
    • Reg - Disabled MS Config Items
    • Reg - File Associations
    • Reg - Uninstall List
    • File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Save the file to your desktop or another location where you can find it again.
Use the Add Reply button and attach the file in your next post.

In your next reply, please include the following:
  • OTScanIt Report

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
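The scan above produces a long log, and the sections a helper reads first in a search-redirect case are the HOSTS file, the Winsock2 LSP catalog, the DNS name servers and any service or driver whose binary is reported as "File not found" (a HOSTS entry can both redirect a site and block a security vendor's site, which matches the "cannot reach BleepingComputer" symptom in this thread). As an added example, not part of the original thread and not OTScanIt's own code, here is a small Python triage pass over OTScanIt-style log lines that pulls those entries out. The sample log is constructed in the format of the log posted below: the driver, adapter and VetRedir.dll lines mirror the posted log, while the HOSTS entry for www.google.com, the two DNS servers and the DLL named lspxyz.dll are synthetic so the detector has something to flag; they do not come from the poster's machine. The layout of the DNS line (server list before the adapter name in parentheses) is an assumption inferred from the empty entries in the posted log.

```python
"""Triage pass over OTScanIt-style log lines (added example; not OTScanIt's own code)."""
import re
from dataclasses import dataclass

LOOPBACK = {"127.0.0.1", "::1"}
ARROW = re.compile(r"\s*->\s*")        # field separator; the real log uses spaces or a tab here
VER_TAG = re.compile(r"\s*\[Ver")      # start of the "[Ver = ... | Size = ...]" block

# Constructed sample in OTScanIt's line format. The driver, adapter and VetRedir.dll lines
# mirror entries from the log posted in this thread; the HOSTS line for www.google.com,
# the DNS servers and lspxyz.dll are synthetic "bad" entries so the detector has work to do.
SAMPLE_LOG = r"""
[Driver Services - Non-Microsoft Only]
(dtscsi) dtscsi [Kernel | On_Demand | Stopped] -> %SystemRoot%\System32\Drivers\dtscsi.sys -> File not found
(NPF) NetGroup Packet Filter Driver [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\npf.sys -> CACE Technologies [Ver = 3, 1, 0, 27 | Size = 32512 bytes]
< HOSTS File > (48 bytes and 2 lines) -> C:\WINDOW\System32\drivers\etc\Hosts -> 
127.0.0.1  localhost 
10.0.0.5  www.google.com
< DNS Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ -> 
{C052BF1C-B092-411B-B439-9663592003CC} -><TAB>(Intel(R) PRO/100 VE Network Connection) -> 
{F4E35BE6-B10D-4B6E-829F-93C586CF16F5} -> 203.0.113.9,203.0.113.10 (Synthetic adapter) -> 
< Winsock2 Catalogs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\ -> 
Protocol_Catalog9\Catalog_Entries\000000000001 -> %SystemRoot%\system32\VetRedir.dll -> Computer Associates International, Inc. [Ver = Version 11.0.7.8 | Size = 74864 bytes]
Protocol_Catalog9\Catalog_Entries\000000000002 -> %SystemRoot%\system32\lspxyz.dll ->  [Ver =  | Size = 12288 bytes]
""".replace("<TAB>", "\t")


@dataclass
class Finding:
    kind: str    # "HOSTS", "LSP", "DNS" or "MISSING"
    detail: str


def _fields(line):
    """Split 'name -> target -> vendor [Ver = ...]' into three strings (missing ones empty)."""
    parts = [p.strip() for p in ARROW.split(line)]
    return (parts + ["", "", ""])[:3]


def triage(log_text):
    """Return the findings a helper would look at first in a search-redirect case."""
    findings = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("< ") and " >" in line:        # e.g. "< HOSTS File > (...) -> path ->"
            section = line[2:line.index(" >")]
            continue
        if line.startswith("[") and line.endswith("]"):   # e.g. "[Driver Services - Non-Microsoft Only]"
            section = line[1:-1]
            continue
        if section == "HOSTS File":
            if line.startswith("#"):                      # HOSTS comment line
                continue
            # Anything except the loopback -> localhost pair is worth a look: a redirect
            # and a block on a security vendor's site both live here in a hijacked HOSTS file.
            addr, _, name = line.partition(" ")
            name = name.split()[0] if name.split() else ""
            if not (addr in LOOPBACK and name.lower() == "localhost"):
                findings.append(Finding("HOSTS", f"{name} -> {addr}"))
            continue
        name, target, rest = _fields(line)
        if "File not found" in (target, rest):
            findings.append(Finding("MISSING", f"{name} -> {target}"))
        elif section.startswith("Winsock2 Catalogs"):
            vendor = VER_TAG.split(rest)[0].strip()
            if not vendor:                                # LSP DLL with no vendor/version info
                findings.append(Finding("LSP", target))
        elif section.startswith("DNS Name Servers"):
            servers = target.split("(", 1)[0].strip()     # assumed layout: servers before "(adapter)"
            if servers:
                findings.append(Finding("DNS", servers))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:8} {f.detail}")
```

Run against the posted log, this would report only the orphaned driver and toolbar entries (every "File not found" line), since the posted HOSTS file holds just the localhost line, the LSP entries all carry a vendor string and no static DNS server is listed; that narrows where the redirect can be coming from rather than naming its cause.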

#7 Jelly_man

  • Topic Starter
  • Members
  • 12 posts

Posted 20 September 2008 - 01:29 AM

OTScanIt logfile created on: 19/09/2008 3:25:50 PM

OTScanIt by OldTimer - Version 1.0.19.0	 Folder = C:\Documents and Settings\ryan\Desktop\Anti-Malware_stuff\OTScanIt

Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 7.0.5335.5)

Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

 

510.73 Mb Total Physical Memory | 265.27 Mb Available Physical Memory | 51.94% Memory free

1.22 Gb Paging File | 0.90 Gb Available in Paging File | 73.97% Paging File free

Paging file location(s): C:\pagefile.sys 768 1536;

 

%SystemDrive% = C: | %SystemRoot% = C:\WINDOW | %ProgramFiles% = C:\Program Files

Drive C: | 149.05 Gb Total Space | 59.39 Gb Free Space | 39.84% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

Drive E: | 628.73 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded



Computer Name: DAVID-REPZ4PHA9

Current User Name: ryan

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Whitelist: On



[Processes - Non-Microsoft Only]

isafe.exe -> %ProgramFiles%\Yahoo!\Antivirus\iSafe.exe -> Computer Associates International, Inc. [Ver = Version 11.0.7.8 | Size = 259184 bytes | Modified Date = 11/04/2006 11:49:43 AM | Attr =	]

pnkbstra.exe -> %SystemRoot%\system32\PnkBstrA.exe ->  [Ver =  | Size = 66872 bytes | Modified Date = 01/02/2008 7:13:06 PM | Attr =	]

vetmsg.exe -> %ProgramFiles%\Yahoo!\Antivirus\VetMsg.exe -> Computer Associates International, Inc. [Ver = Version 11.0.7.8 | Size = 201840 bytes | Modified Date = 11/04/2006 11:49:43 AM | Attr =	]



[Win32 Services - Non-Microsoft Only]

(CAISafe) CAISafe [Win32_Own | Auto | Running] -> %ProgramFiles%\Yahoo!\Antivirus\iSafe.exe -> Computer Associates International, Inc. [Ver = Version 11.0.7.8 | Size = 259184 bytes | Modified Date = 11/04/2006 11:49:43 AM | Attr =	]

(PnkBstrA) PnkBstrA [Win32_Own | Auto | Running] -> %SystemRoot%\system32\PnkBstrA.exe ->  [Ver =  | Size = 66872 bytes | Modified Date = 01/02/2008 7:13:06 PM | Attr =	]

(rpcapd) Remote Packet Capture Protocol v.0 (experimental) [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\WinPcap\rpcapd.exe -> CACE Technologies [Ver = 3, 1, 0, 27 | Size = 86016 bytes | Modified Date = 02/08/2005 2:18:50 PM | Attr =	]

(VETMSGNT) VET Message Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Yahoo!\Antivirus\VetMsg.exe -> Computer Associates International, Inc. [Ver = Version 11.0.7.8 | Size = 201840 bytes | Modified Date = 11/04/2006 11:49:43 AM | Attr =	]



[Driver Services - Non-Microsoft Only]

(ATI Remote Wonder II) ATI Remote Wonder II [Kernel | On_Demand | Stopped] -> %SystemRoot%\System32\drivers\ATIRWVD.SYS -> File not found

(CdaC15BA) CdaC15BA [Kernel | Auto | Running] -> %SystemRoot%\system32\drivers\CDAC15BA.SYS ->  [Ver =  | Size = 8864 bytes | Modified Date = 13/06/2007 5:44:09 PM | Attr =	]

(dtscsi) dtscsi [Kernel | On_Demand | Stopped] -> %SystemRoot%\System32\Drivers\dtscsi.sys -> File not found

(NPF) NetGroup Packet Filter Driver [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\npf.sys -> CACE Technologies [Ver = 3, 1, 0, 27 | Size = 32512 bytes | Modified Date = 02/08/2005 2:10:14 PM | Attr =	]

(NPPTNT2) NPPTNT2 [Kernel | System | Running] -> %SystemRoot%\system32\npptNT2.sys -> INCA Internet Co., Ltd. [Ver = 2005, 1, 5, 1 | Size = 4682 bytes | Modified Date = 03/01/2005 8:43:08 PM | Attr =	]

(PSSdk21) PSSdk21 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\Drivers\HNPsSdk.drv -> File not found

(PSSdk23) PSSdk23 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\Drivers\PsSdk23.drv -> File not found

(sf) SFI Service [Kernel | System | Running] -> %SystemRoot%\system32\drivers\sf.sys -> Sonic Focus, Inc [Ver = 5.02.0002.4 | Size = 33248 bytes | Modified Date = 08/05/2003 9:00:56 PM | Attr = R  ]

(sptd) sptd [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\sptd.sys ->  [Ver =  | Size = 717296 bytes | Modified Date = 20/08/2008 7:20:06 PM | Attr =	]

(USBAAPL) Apple Mobile USB Driver [Kernel | On_Demand | Stopped] -> %SystemRoot%\System32\Drivers\usbaapl.sys -> File not found

(VET-FILT) VET File System Filter [Kernel | System | Running] -> %SystemRoot%\System32\drivers\Vet-Filt.sys -> Computer Associates International, Inc. [Ver = 11.0.7.8 | Size = 21031 bytes | Modified Date = 11/04/2006 11:49:43 AM | Attr =	]

(VET-REC) VET File System Recognizer [Kernel | System | Running] -> %SystemRoot%\System32\drivers\Vet-Rec.sys -> Computer Associates International, Inc. [Ver = 11.0.7.8 | Size = 15478 bytes | Modified Date = 11/04/2006 11:49:43 AM | Attr =	]

(VETEBOOT) VET Boot Scan Engine [Kernel | On_Demand | Running] -> %SystemRoot%\System32\drivers\VetEBoot.sys -> Computer Associates International, Inc. [Ver = 31.1.0.0 | Size = 108360 bytes | Modified Date = 28/07/2007 8:14:24 AM | Attr =	]

(VETEFILE) VET File Scan Engine [Kernel | System | Running] -> %SystemRoot%\System32\drivers\VetEFile.sys -> Computer Associates International, Inc. [Ver = 31.1.0.0 | Size = 879832 bytes | Modified Date = 28/07/2007 8:14:24 AM | Attr =	]

(VETFDDNT) VET Floppy Boot Sector Monitor [Kernel | System | Running] -> %SystemRoot%\System32\drivers\VetFDDNT.sys -> Computer Associates International, Inc. [Ver = 11.0.7.8 | Size = 15735 bytes | Modified Date = 11/04/2006 11:49:43 AM | Attr =	]

(VETMONNT) VET File Monitor [Kernel | System | Running] -> %SystemRoot%\System32\drivers\vetmonnt.sys -> Computer Associates International, Inc. [Ver = 7.2.0.0 | Size = 26787 bytes | Modified Date = 02/08/2006 8:30:00 AM | Attr =	]



[Registry - Non-Microsoft Only]

< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 

SunJavaUpdateSched -> %ProgramFiles%\Java\jre1.6.0_07\bin\jusched.exe ["C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"] -> Sun Microsystems, Inc. [Ver = 6.0.70.6 | Size = 144784 bytes | Modified Date = 10/06/2008 4:27:04 AM | Attr =	]

TkBellExe -> %CommonProgramFiles%\Real\Update_OB\realsched.exe ["C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot] -> RealNetworks, Inc. [Ver = 0.1.1.45 | Size = 185896 bytes | Modified Date = 14/02/2008 6:22:47 PM | Attr =	]

< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 

Aim6 -> %ProgramFiles%\AIM6\aim6.exe ["C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp] -> AOL LLC [Ver = 1.4.9.1 | Size = 50472 bytes | Modified Date = 06/08/2008 11:21:06 AM | Attr =	]

< All Users.WINDOW Startup Folder > -> C:\Documents and Settings\All Users.WINDOW\Start Menu\Programs\Startup -> 

< ryan Startup Folder > -> C:\Documents and Settings\ryan\Start Menu\Programs\Startup -> 

< SecurityProviders [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders -> 

< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 

*Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell -> 

Explorer.exe -> %SystemRoot%\explorer.exe -> Microsoft Corporation [Ver = 6.00.2900.5512 (xpsp.080413-2105) | Size = 1033728 bytes | Modified Date = 13/04/2008 8:12:19 PM | Attr =	]

*MultiFile Done* -> -> 

*UserInit* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit -> 

C:\WINDOW\system32\userinit.exe -> %SystemRoot%\system32\userinit.exe -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2113) | Size = 26112 bytes | Modified Date = 13/04/2008 8:12:38 PM | Attr =	]

*MultiFile Done* -> -> 

*UIHost* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UIHost -> 

LogonUI.EXE -> %SystemRoot%\system32\logonui.exe -> Microsoft Corporation [Ver = 6.00.2900.5512 (xpsp.080413-2105) | Size = 514560 bytes | Modified Date = 13/04/2008 8:12:24 PM | Attr =	]

*MultiFile Done* -> -> 

*VMApplet* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet -> 

rundll32 shell32 -> %SystemRoot%\system32\shell32.dll -> Microsoft Corporation [Ver = 6.00.2900.5512 (xpsp.080413-2105) | Size = 8461312 bytes | Modified Date = 13/04/2008 8:12:05 PM | Attr =	]

Control_RunDLL "sysdm.cpl" -> %SystemRoot%\system32\sysdm.cpl -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2105) | Size = 300544 bytes | Modified Date = 13/04/2008 8:12:41 PM | Attr =	]

*MultiFile Done* -> -> 

< Winlogon settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 

< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ -> 

AtiExtEvent -> %SystemRoot%\system32\ati2evxx.dll -> ATI Technologies Inc. [Ver = 6.14.10.4176 | Size = 122880 bytes | Modified Date = 29/09/2007 2:57:56 AM | Attr =	]

< CurrentVersion Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> ->

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\dontdisplaylastusername -> 0 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\legalnoticecaption ->  -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\legalnoticetext ->  -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\shutdownwithoutlogon -> 1 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\undockwithoutlogon -> 1 -> 

< CurrentVersion Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 -> 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> ->

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\NoDispScrSavPage -> 0 -> 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\NoDispBackgroundPage -> 0 -> 

< CDROM Autorun Setting > [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom] -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\ -> ->

*DependOnGroup* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\DependOnGroup -> 

SCSI miniport ->  -> File not found

*MultiFile Done* -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\ErrorControl -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Group -> SCSI CDROM Class -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Start -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Tag -> 2 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Type -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\DisplayName -> CD-ROM Driver -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\ImagePath -> %SystemRoot%\system32\drivers\cdrom.sys [System32\DRIVERS\cdrom.sys] -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2108) | Size = 62976 bytes | Modified Date = 13/04/2008 2:40:46 PM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\AutoRun -> 1 -> 

*AutoRunAlwaysDisable* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\AutoRunAlwaysDisable -> 

NEC	 MBR-7	->  -> File not found

NEC	 MBR-7.4  ->  -> File not found

PIONEER CHANGR DRM-1804X ->  -> File not found

PIONEER CD-ROM DRM-6324X ->  -> File not found

PIONEER CD-ROM DRM-624X  ->  -> File not found

TORiSAN CD-ROM CDR_C36 ->  -> File not found

*MultiFile Done* -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum\ -> -> 

< Drives with AutoRun files > ->  -> 

AUTOEXEC.BAT [] -> %SystemDrive%\AUTOEXEC.BAT [ NTFS ] ->  [Ver =  | Size = 0 bytes | Modified Date = 28/02/2005 7:26:09 PM | Attr =	]

autorun.inf [[autorun] | open=setup.exe /autorun | icon=setup\halo1.ico | Name=Halo |  | shell\setup=&Install Halo | shell\setup\command=setup.exe |  | shell\directx=Install &DirectX 9.0b | shell\directx\command=DirectX\dxsetup.exe | ] -> E:\autorun.inf [ CDFS ] ->  [Ver =  | Size = 209 bytes | Modified Date = 11/08/2003 3:57:37 PM | Attr = R  ]

< HOSTS File > (23 bytes and 1 lines) -> C:\WINDOW\System32\drivers\etc\Hosts -> 

127.0.0.1  localhost 

< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> -> 

HKEY_LOCAL_MACHINE\: Main\\Default_Page_URL -> http://go.microsoft.com/fwlink/?LinkId=54729 -> 

HKEY_LOCAL_MACHINE\: Main\\Default_Search_URL -> http://go.microsoft.com/fwlink/?LinkId=54896 -> 

HKEY_LOCAL_MACHINE\: Main\\Local Page -> %SystemRoot%\system32\blank.htm -> 

HKEY_LOCAL_MACHINE\: Main\\Search Bar ->   -> 

HKEY_LOCAL_MACHINE\: Main\\Search Page -> about:blank -> 

HKEY_LOCAL_MACHINE\: Main\\Start Page -> http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID} -> 

HKEY_LOCAL_MACHINE\: Search\\CustomizeSearch -> about:blank -> 

HKEY_LOCAL_MACHINE\: Search\\SearchAssistant -> http://www.google.com/ie -> 

HKEY_LOCAL_MACHINE\: SearchURL\\ -> about:blank[Reg Error: Value provider does not exist or could not be read.] -> 

< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> -> 

HKEY_CURRENT_USER\: Main\\Default_Search_URL ->  -> 

HKEY_CURRENT_USER\: Main\\Local Page -> C:\WINDOW\system32\blank.htm -> 

HKEY_CURRENT_USER\: Main\\Search Bar ->  -> 

HKEY_CURRENT_USER\: Main\\Search Page -> about:blank -> 

HKEY_CURRENT_USER\: Main\\Start Page -> http://www.msn.com/ -> 

HKEY_CURRENT_USER\: Search\\SearchAssistant ->  -> 

HKEY_CURRENT_USER\: SearchURL\\ -> about:blank[Reg Error: Value provider does not exist or could not be read.] -> 

HKEY_CURRENT_USER\: ProxyEnable -> 0 -> 

< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 4785 domain(s) found. -> 

46 domain(s) and sub-domain(s) not assigned to a zone.

< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 77 range(s) found. -> 

< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 5458 domain(s) found. -> 

  .[msn] -> My Computer -> 

51 domain(s) and sub-domain(s) not assigned to a zone.

< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 77 range(s) found. -> 

1 range(s) not assigned to a zone.

< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ -> 

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 59032 bytes | Modified Date = 18/12/2006 4:16:42 AM | Attr =	]

{53707962-6F74-2D53-2644-206D7942484F} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Spybot-S&D IE Protection] -> Safer Networking Limited [Ver = 1, 6, 0, 12 | Size = 1562448 bytes | Modified Date = 14/08/2008 1:39:52 PM | Attr =	]

{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Yahoo!\common\yiesrvc.dll [UberButton Class] -> Yahoo! [Ver = 2005, 5, 26, 1 | Size = 181352 bytes | Modified Date = 26/05/2005 12:39:14 PM | Attr =	]

{69A87B7D-DE56-4136-9655-716BA50C19C7} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Google\Web Accelerator\GoogleWebAccToolbar.dll [&Google Web Accelerator Helper] ->  [Ver =  | Size = 237568 bytes | Modified Date = 29/01/2007 9:22:50 PM | Attr =	]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Java\jre1.6.0_07\bin\ssv.dll [SSVHelper Class] -> Sun Microsystems, Inc. [Ver = 6.0.70.6 | Size = 509328 bytes | Modified Date = 10/06/2008 4:27:02 AM | Attr =	]

{F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Yahoo!\browser\YSidebarIEBHO.dll [SidebarAutoLaunch Class] -> Yahoo! Inc. [Ver = 2004, 8, 3, 1 | Size = 124032 bytes | Modified Date = 03/02/2005 6:07:08 PM | Attr =	]

< Internet Explorer Bars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ -> 

{32683183-48a0-441b-a342-7c2a440a9478} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found

< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ -> 

WebBrowser\\{4FCC864F-07EF-4409-95F5-CF62803E7D0E} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found

WebBrowser\\{71B6ACF7-4F0F-4FD8-BB69-6D1A4D271CB7} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Mario Forever Toolbar\v3.2.0.0\MarioForever_Toolbar.dll [Mario Forever Toolbar] -> File not found

WebBrowser\\{7FD44536-9DF0-4034-939F-5BD4D98E3187} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\TBONAS\TBONlchr.dll [BestOffers Shopping v1.20] -> File not found

WebBrowser\\{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found

WebBrowser\\{DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Google\Web Accelerator\GoogleWebAccToolbar.dll [Google Web Accelerator] ->  [Ver =  | Size = 237568 bytes | Modified Date = 29/01/2007 9:22:50 PM | Attr =	]

WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Yahoo! Toolbar] -> File not found

< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ -> 

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Java\jre1.6.0_07\bin\npjpi160_07.dll [Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.70.6 | Size = 132496 bytes | Modified Date = 10/06/2008 4:27:02 AM | Attr =	]

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} [HKEY_CURRENT_USER] -> %ProgramFiles%\Java\jre1.6.0_07\bin\ssv.dll [Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.70.6 | Size = 509328 bytes | Modified Date = 10/06/2008 4:27:02 AM | Attr =	]

{3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF}:Exec -> %ProgramFiles%\PokerStars\PokerStarsUpdate.exe [PokerStars] -> File not found

{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}:{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Yahoo!\common\yiesrvc.dll [Rogers Yahoo! Services] -> Yahoo! [Ver = 2005, 5, 26, 1 | Size = 181352 bytes | Modified Date = 26/05/2005 12:39:14 PM | Attr =	]

{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}:{53707962-6F74-2D53-2644-206D7942484F} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Spybot - Search & Destroy Configuration] -> Safer Networking Limited [Ver = 1, 6, 0, 12 | Size = 1562448 bytes | Modified Date = 14/08/2008 1:39:52 PM | Attr =	]

< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\ -> 

CmdMapping\\{2499216C-4BA5-11D5-BD9C-000103C116D5} [HKEY_LOCAL_MACHINE] ->  [Reg Error: Key does not exist or could not be opened.] -> File not found

CmdMapping\\{3369AF0D-62E9-4bda-8103-B4C75499B578} [HKEY_LOCAL_MACHINE] ->  [Reg Error: Key does not exist or could not be opened.] -> File not found

CmdMapping\\{3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\PokerStars\PokerStarsUpdate.exe [PokerStars] -> File not found

CmdMapping\\{44226DFF-747E-4edc-B30C-78752E50CD0C} [HKEY_LOCAL_MACHINE] ->  [Reg Error: Key does not exist or could not be opened.] -> File not found

CmdMapping\\{461CC20B-FB6E-4f16-8FE8-C29359DB100E} [HKEY_LOCAL_MACHINE] ->  [Reg Error: Key does not exist or could not be opened.] -> File not found

CmdMapping\\{51085E3D-A958-42A2-A6BE-A6A9B0BAF276} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Yahoo!\browser\ysidebarIE.dll [Rogers Yahoo! Sidebar] -> Yahoo! Inc. [Ver = 2005, 4, 13, 1 | Size = 115816 bytes | Modified Date = 15/04/2005 6:45:04 PM | Attr =	]

CmdMapping\\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Yahoo!\common\yiesrvc.dll [UberButton Class] -> Yahoo! [Ver = 2005, 5, 26, 1 | Size = 181352 bytes | Modified Date = 26/05/2005 12:39:14 PM | Attr =	]

CmdMapping\\{6224f700-cba3-4071-b251-47cb894244cd} [HKEY_LOCAL_MACHINE] ->  [Reg Error: Key does not exist or could not be opened.] -> File not found

CmdMapping\\{669695BC-A811-4A9D-8CDF-BA8C795F261C} [HKEY_LOCAL_MACHINE] ->  [Reg Error: Key does not exist or could not be opened.] -> File not found

CmdMapping\\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} [HKEY_LOCAL_MACHINE] ->  [Reg Error: Key does not exist or could not be opened.] -> File not found

CmdMapping\\{B13B4423-2647-4cfc-A4B3-C7D56CB83487} [HKEY_LOCAL_MACHINE] ->  [Reg Error: Key does not exist or could not be opened.] -> File not found

CmdMapping\\{CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} [HKEY_LOCAL_MACHINE] ->  [Reg Error: Key does not exist or could not be opened.] -> File not found

CmdMapping\\{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Spybot - Search & Destroy Configuration] -> Safer Networking Limited [Ver = 1, 6, 0, 12 | Size = 1562448 bytes | Modified Date = 14/08/2008 1:39:52 PM | Attr =	]

< Internet Explorer Menu Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ -> 

&D&ownload &with BitComet -> Reg Error: Value  does not exist or could not be read. -> File not found

&D&ownload all video with BitComet -> Reg Error: Value  does not exist or could not be read. -> File not found

&D&ownload all with BitComet -> Reg Error: Value  does not exist or could not be read. -> File not found

< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ -> 

PluginsPageFriendlyName -> Microsoft ActiveX Gallery -> 

PluginsPage -> http://activex.microsoft.com/controls/find.asp?ext=%s&mime=%s -> 

< User Agent Post Platform [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform -> 

YPC 3.2.0 -> Yahoo! Parental Controls -> 

< DNS Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ -> 

{C052BF1C-B092-411B-B439-9663592003CC} ->	(Intel(R) PRO/100 VE Network Connection) -> 

{F4E35BE6-B10D-4B6E-829F-93C586CF16F5} ->	() -> 

< Winsock2 Catalogs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\ -> 

Protocol_Catalog9\Catalog_Entries\000000000001 -> %SystemRoot%\system32\VetRedir.dll -> Computer Associates International, Inc. [Ver = Version 11.0.7.8 | Size = 74864 bytes | Modified Date = 11/04/2006 11:49:43 AM | Attr =	]

Protocol_Catalog9\Catalog_Entries\000000000002 -> %SystemRoot%\system32\VetRedir.dll -> Computer Associates International, Inc. [Ver = Version 11.0.7.8 | Size = 74864 bytes | Modified Date = 11/04/2006 11:49:43 AM | Attr =	]

Protocol_Catalog9\Catalog_Entries\000000000003 -> %SystemRoot%\system32\VetRedir.dll -> Computer Associates International, Inc. [Ver = Version 11.0.7.8 | Size = 74864 bytes | Modified Date = 11/04/2006 11:49:43 AM | Attr =	]

Protocol_Catalog9\Catalog_Entries\000000000004 -> %SystemRoot%\system32\VetRedir.dll -> Computer Associates International, Inc. [Ver = Version 11.0.7.8 | Size = 74864 bytes | Modified Date = 11/04/2006 11:49:43 AM | Attr =	]

Protocol_Catalog9\Catalog_Entries\000000000005 -> %SystemRoot%\system32\VetRedir.dll -> Computer Associates International, Inc. [Ver = Version 11.0.7.8 | Size = 74864 bytes | Modified Date = 11/04/2006 11:49:43 AM | Attr =	]

Protocol_Catalog9\Catalog_Entries\000000000006 -> %SystemRoot%\system32\VetRedir.dll -> Computer Associates International, Inc. [Ver = Version 11.0.7.8 | Size = 74864 bytes | Modified Date = 11/04/2006 11:49:43 AM | Attr =	]

Protocol_Catalog9\Catalog_Entries\000000000007 -> %SystemRoot%\system32\VetRedir.dll -> Computer Associates International, Inc. [Ver = Version 11.0.7.8 | Size = 74864 bytes | Modified Date = 11/04/2006 11:49:43 AM | Attr =	]

Protocol_Catalog9\Catalog_Entries\000000000008 -> %SystemRoot%\system32\VetRedir.dll -> Computer Associates International, Inc. [Ver = Version 11.0.7.8 | Size = 74864 bytes | Modified Date = 11/04/2006 11:49:43 AM | Attr =	]

Protocol_Catalog9\Catalog_Entries\000000000009 -> %SystemRoot%\system32\VetRedir.dll -> Computer Associates International, Inc. [Ver = Version 11.0.7.8 | Size = 74864 bytes | Modified Date = 11/04/2006 11:49:43 AM | Attr =	]

Protocol_Catalog9\Catalog_Entries\000000000010 -> %SystemRoot%\system32\VetRedir.dll -> Computer Associates International, Inc. [Ver = Version 11.0.7.8 | Size = 74864 bytes | Modified Date = 11/04/2006 11:49:43 AM | Attr =	]

Protocol_Catalog9\Catalog_Entries\000000000011 -> %SystemRoot%\system32\VetRedir.dll -> Computer Associates International, Inc. [Ver = Version 11.0.7.8 | Size = 74864 bytes | Modified Date = 11/04/2006 11:49:43 AM | Attr =	]

Protocol_Catalog9\Catalog_Entries\000000000012 -> %SystemRoot%\system32\VetRedir.dll -> Computer Associates International, Inc. [Ver = Version 11.0.7.8 | Size = 74864 bytes | Modified Date = 11/04/2006 11:49:43 AM | Attr =	]

Protocol_Catalog9\Catalog_Entries\000000000013 -> %SystemRoot%\system32\VetRedir.dll -> Computer Associates International, Inc. [Ver = Version 11.0.7.8 | Size = 74864 bytes | Modified Date = 11/04/2006 11:49:43 AM | Attr =	]

Protocol_Catalog9\Catalog_Entries\000000000014 -> %SystemRoot%\system32\VetRedir.dll -> Computer Associates International, Inc. [Ver = Version 11.0.7.8 | Size = 74864 bytes | Modified Date = 11/04/2006 11:49:43 AM | Attr =	]

Protocol_Catalog9\Catalog_Entries\000000000015 -> %SystemRoot%\system32\VetRedir.dll -> Computer Associates International, Inc. [Ver = Version 11.0.7.8 | Size = 74864 bytes | Modified Date = 11/04/2006 11:49:43 AM | Attr =	]

Protocol_Catalog9\Catalog_Entries\000000000016 -> %SystemRoot%\system32\VetRedir.dll -> Computer Associates International, Inc. [Ver = Version 11.0.7.8 | Size = 74864 bytes | Modified Date = 11/04/2006 11:49:43 AM | Attr =	]

Protocol_Catalog9\Catalog_Entries\000000000017 -> %SystemRoot%\system32\VetRedir.dll -> Computer Associates International, Inc. [Ver = Version 11.0.7.8 | Size = 74864 bytes | Modified Date = 11/04/2006 11:49:43 AM | Attr =	]

< Protocol Handlers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ -> 

ipp: [HKEY_LOCAL_MACHINE] -> No CLSID value

msdaipp: [HKEY_LOCAL_MACHINE] -> No CLSID value

< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ -> 

{20A60F0D-9AFA-4515-A0FD-83BD84642501}[HKEY_LOCAL_MACHINE] -> http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab[Checkers Class] -> 

{2917297F-F02B-4B9D-81DF-494B6333150B}[HKEY_LOCAL_MACHINE] -> http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab[Minesweeper Flags Class] -> 

{5C051655-FCD5-4969-9182-770EA5AA5565}[HKEY_LOCAL_MACHINE] -> http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab[Solitaire Showdown Class] -> 

{8AD9C840-044E-11D1-B3E9-00805F499D93}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab[Java Plug-in 1.6.0_07] -> 

{B8BE5E93-A60C-4D26-A2DC-220313175592}[HKEY_LOCAL_MACHINE] -> http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab[MSN Games - Installer] -> 

{C3F79A2B-B9B4-4A66-B012-3EE46475B072}[HKEY_LOCAL_MACHINE] -> http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab[MessengerStatsClient Class] -> 

{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab[Java Plug-in 1.6.0_05] -> 

{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab[Java Plug-in 1.6.0_07] -> 

{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab[Java Plug-in 1.6.0_07] -> 

{F5A7706B-B9C0-4C89-A715-7A0C6B05DD48}[HKEY_LOCAL_MACHINE] -> http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab[Minesweeper Flags Class] -> 

DirectAnimation Java Classes[HKEY_LOCAL_MACHINE] -> file://C:\WINDOW\Java\classes\dajava.cab[Reg Error: Key does not exist or could not be opened.] -> 

Microsoft XML Parser for Java[HKEY_LOCAL_MACHINE] -> file://C:\WINDOW\Java\classes\xmldso.cab[Reg Error: Key does not exist or could not be opened.] -> 

< Module Usage Keys [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\ -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\ -> ->

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOW/Downloaded Program Files/CONFLICT.1/MineSweeper.dll\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOW/Downloaded Program Files/CONFLICT.1/MineSweeper.dll\\.Owner -> {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOW/Downloaded Program Files/CONFLICT.1/MineSweeper.dll\\{F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} ->  -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOW/Downloaded Program Files/MessengerStatsPAClient.dll\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOW/Downloaded Program Files/MessengerStatsPAClient.dll\\.Owner -> {C3F79A2B-B9B4-4A66-B012-3EE46475B072} -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOW/Downloaded Program Files/MessengerStatsPAClient.dll\\{C3F79A2B-B9B4-4A66-B012-3EE46475B072} ->  -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOW/Downloaded Program Files/minesweeper.dll\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOW/Downloaded Program Files/minesweeper.dll\\.Owner -> {2917297F-F02B-4B9D-81DF-494B6333150B} -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOW/Downloaded Program Files/minesweeper.dll\\{2917297F-F02B-4B9D-81DF-494B6333150B} ->  -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOW/Downloaded Program Files/msgrchkr.dll\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOW/Downloaded Program Files/msgrchkr.dll\\.Owner -> {20A60F0D-9AFA-4515-A0FD-83BD84642501} -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOW/Downloaded Program Files/msgrchkr.dll\\{20A60F0D-9AFA-4515-A0FD-83BD84642501} ->  -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOW/Downloaded Program Files/SolitaireShowdown.dll\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOW/Downloaded Program Files/SolitaireShowdown.dll\\.Owner -> {5C051655-FCD5-4969-9182-770EA5AA5565} -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOW/Downloaded Program Files/SolitaireShowdown.dll\\{5C051655-FCD5-4969-9182-770EA5AA5565} ->  -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOW/Downloaded Program Files/ZIntro.ocx\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOW/Downloaded Program Files/ZIntro.ocx\\.Owner -> {B8BE5E93-A60C-4D26-A2DC-220313175592} -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOW/Downloaded Program Files/ZIntro.ocx\\{B8BE5E93-A60C-4D26-A2DC-220313175592} ->  -> 

[Registry - Additional Scans - Non-Microsoft Only]

< BotCheck > -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\ -> ->

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\\DefaultLaunchPermission -> [Binary data over 100 bytes] -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\\EnableDCOM -> Y -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\\MachineLaunchRestriction -> [Binary data over 100 bytes] -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\\MachineAccessRestriction -> [Binary data over 100 bytes] -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\\{A50398B8-9075-4FBF-A7A1-456BF21937AD} -> 1 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\\{AD65A69D-3831-40D7-9629-9B0B50A93843} -> 1 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\\{0040D221-54A1-11D1-9DE0-006097042D69} -> 1 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\\{2A6D72F1-6E7E-4702-B99C-E40D3DED33C3} -> 1 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\NONREDIST\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\NONREDIST\\System.EnterpriseServices.Thunk.dll ->  -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\ -> ->

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\AntiVirusDisableNotify -> 0 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\FirewallDisableNotify -> 0 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\UpdatesDisableNotify -> 0 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\AntiVirusOverride -> 0 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\FirewallOverride -> 0 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus\\DisableMonitoring -> 1 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall\ -> -> 

Reg Error: Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\ not found. -> -> 

Reg Error: Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\ not found. -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ -> ->

*Authentication Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages -> 

msv1_0 -> %SystemRoot%\system32\msv1_0.dll -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2113) | Size = 132608 bytes | Modified Date = 13/04/2008 8:12:00 PM | Attr =	]

*MultiFile Done* -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Bounds -> 0  [binary data] -> 

*Security Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Security Packages -> 

kerberos -> %SystemRoot%\system32\kerberos.dll -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2113) | Size = 299520 bytes | Modified Date = 13/04/2008 8:11:56 PM | Attr =	]

msv1_0 -> %SystemRoot%\system32\msv1_0.dll -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2113) | Size = 132608 bytes | Modified Date = 13/04/2008 8:12:00 PM | Attr =	]

schannel -> %SystemRoot%\system32\schannel.dll -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2113) | Size = 144384 bytes | Modified Date = 13/04/2008 8:12:05 PM | Attr =	]

wdigest -> %SystemRoot%\system32\wdigest.dll -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2113) | Size = 49152 bytes | Modified Date = 13/04/2008 8:12:08 PM | Attr =	]

*MultiFile Done* -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\LsaPid -> 1300 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\SecureBoot -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\auditbaseobjects -> 0 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\crashonauditfail -> 0 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\disabledomaincreds -> 0 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\everyoneincludesanonymous -> 0 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\fipsalgorithmpolicy -> 0 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\forceguest -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\fullprivilegeauditing ->  [binary data] -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\limitblankpassworduse -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\lmcompatibilitylevel -> 0 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\nodefaultadminowner -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\nolmhash -> 0 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\restrictanonymous -> 0 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\restrictanonymoussam -> 1 -> 

*Notification Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Notification Packages -> 

scecli -> %SystemRoot%\system32\scecli.dll -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2113) | Size = 181248 bytes | Modified Date = 13/04/2008 8:12:05 PM | Attr =	]

*MultiFile Done* -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\ImpersonatePrivilegeUpgradeToolHasRun -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\ -> -> 

*ProviderOrder* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\\ProviderOrder -> 

Windows NT Access Provider ->  -> File not found

*MultiFile Done* -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider\\ProviderPath -> %SystemRoot%\system32\ntmarta.dll [%SystemRoot%\system32\ntmarta.dll] -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2113) | Size = 118784 bytes | Modified Date = 13/04/2008 8:12:02 PM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data\\Pattern -> FB 82 CE 89 CB BD 7B B6 10 1E 26 7A FE 12 B5 D0 31 35 30 31 61 65 32 61 00 68 07 00 01 00 00 00 D8 00 00 00 E0 00 00 00 48 FA 06 00 D6 48 5A 74 04 00 00 00 A0 FD 06 00 B8 FD 06 00 7B 72 65 54  [binary data] -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG\\GrafBlumGroup -> 9F 74 0D 48 66 93 A9 60 31  [binary data] -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD\\Lookup -> 48 63 39 3F 51 B3  [binary data] -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\SidCache\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\msv1_0\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\msv1_0\\ntlmminclientsec -> 0 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\msv1_0\\ntlmminserversec -> 0 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1\\SkewMatrix -> A0 B4 91 7B 7C DB 18 4B 63 BE EA 2E AD 01 B7 78  [binary data] -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4\\SSOURL -> http://www.passport.com -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\\Time -> B0 33 71 D0 C3 0A C9 01  [binary data] -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Name -> Digest -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Comment -> Digest SSPI Authentication Package -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Capabilities -> 16464 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\RpcId -> 65535 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Version -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\TokenSize -> 65535 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Time -> 00 54 CF 23 C4 9D C8 01  [binary data] -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Type -> 49 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Name -> DPA -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Comment -> DPA Security Package -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Capabilities -> 55 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\RpcId -> 17 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Version -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\TokenSize -> 768 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Time -> 00 DB 62 27 C4 9D C8 01  [binary data] -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Type -> 49 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Name -> MSN -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Comment -> MSN Security Package -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Capabilities -> 55 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\RpcId -> 18 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Version -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\TokenSize -> 768 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Time -> 00 08 94 28 C4 9D C8 01  [binary data] -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Type -> 49 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\ -> ->

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\Type -> 32 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\Start -> 2 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\ErrorControl -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\ImagePath -> %SystemRoot%\system32\svchost.exe [%SystemRoot%\System32\svchost.exe -k netsvcs] -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2111) | Size = 14336 bytes | Modified Date = 13/04/2008 8:12:36 PM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\DisplayName -> Windows Firewall/Internet Connection Sharing (ICS) -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\DependOnService -> Netman;WinMgmt; -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\DependOnGroup ->  -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\ObjectName -> LocalSystem -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\Description -> Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network. -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\\Epoch -> 29878 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\\ServiceDll -> %SystemRoot%\system32\ipnathlp.dll [%SystemRoot%\System32\ipnathlp.dll] -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-0852) | Size = 331264 bytes | Modified Date = 13/04/2008 8:11:55 PM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\%windir%\system32\sessmgr.exe -> %SystemRoot%\system32\sessmgr.exe [%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019] -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2111) | Size = 141312 bytes | Modified Date = 13/04/2008 8:12:34 PM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\C:\Program Files\AIM\aim.exe -> %ProgramFiles%\AIM\aim.exe [C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger] -> File not found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\C:\Program Files\Windows Live\Messenger\msnmsgr.exe -> %ProgramFiles%\Windows Live\Messenger\msnmsgr.exe [C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger] -> Microsoft Corporation [Ver = 8.5.1302.1018 | Size = 5724184 bytes | Modified Date = 18/10/2007 11:34:02 AM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\C:\Program Files\Windows Live\Messenger\livecall.exe -> %ProgramFiles%\Windows Live\Messenger\livecall.exe [C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)] -> Microsoft Corporation [Ver = 1.5.204.0 | Size = 304488 bytes | Modified Date = 02/10/2007 5:18:24 PM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\%windir%\Network Diagnostic\xpnetdiag.exe -> %SystemRoot%\network diagnostic\xpnetdiag.exe [%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000] -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-0852) | Size = 558080 bytes | Modified Date = 13/04/2008 2:53:32 PM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\1900:UDP -> 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\2869:TCP -> 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\\EnableFirewall -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\\DoNotAllowExceptions -> 0 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\\DisableNotifications -> 0 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\%windir%\system32\sessmgr.exe -> %SystemRoot%\system32\sessmgr.exe [%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019] -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2111) | Size = 141312 bytes | Modified Date = 13/04/2008 8:12:34 PM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOW\system32\LEXPPS.EXE -> %SystemRoot%\system32\LEXPPS.EXE [C:\WINDOW\system32\LEXPPS.EXE:*:Enabled:LEXPPS.EXE] -> Lexmark International, Inc. [Ver = 9.47 | Size = 174592 bytes | Modified Date = 17/04/2006 1:41:24 PM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Microsoft Games\Halo Trial\halo.exe -> %ProgramFiles%\Microsoft Games\Halo Trial\halo.exe [C:\Program Files\Microsoft Games\Halo Trial\halo.exe:*:Enabled:Halo] -> File not found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Messenger\msmsgs.exe -> %ProgramFiles%\Messenger\msmsgs.exe [C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger] -> Microsoft Corporation [Ver = 4.7.3001 | Size = 1695232 bytes | Modified Date = 13/04/2008 8:12:28 PM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Mozilla Firefox\firefox.exe -> %ProgramFiles%\Mozilla Firefox\firefox.exe [C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox] -> Mozilla Corporation [Ver = 1.9.0.1 | Size = 307712 bytes | Modified Date = 17/07/2008 3:19:54 PM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\BitTorrent\btdownloadgui.exe -> %ProgramFiles%\BitTorrent\btdownloadgui.exe [C:\Program Files\BitTorrent\btdownloadgui.exe:*:Enabled:btdownloadgui] -> File not found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Microsoft Games\Halo Custom Edition\haloceded.exe -> %ProgramFiles%\Microsoft Games\Halo Custom Edition\haloceded.exe [C:\Program Files\Microsoft Games\Halo Custom Edition\haloceded.exe:*:Enabled:Halo] -> Microsoft Corporation [Ver = 01.00.08.0616 | Size = 1835008 bytes | Modified Date = 06/08/2008 5:03:36 PM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOW\system32\rtcshare.exe -> %SystemRoot%\system32\rtcshare.exe [C:\WINDOW\system32\rtcshare.exe:*:Disabled:RTC App Sharing] -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-0852) | Size = 77312 bytes | Modified Date = 13/04/2008 8:12:33 PM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Ares\Ares.exe -> %ProgramFiles%\Ares\Ares.exe [C:\Program Files\Ares\Ares.exe:*:Disabled:Ares] -> File not found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\eDonkey2000\edonkey2000.exe -> %ProgramFiles%\eDonkey2000\edonkey2000.exe [C:\Program Files\eDonkey2000\edonkey2000.exe:*:Disabled:edonkey2000] -> File not found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Microsoft Games\Halo Custom Edition\haloce.exe -> %ProgramFiles%\Microsoft Games\Halo Custom Edition\haloce.exe [C:\Program Files\Microsoft Games\Halo Custom Edition\haloce.exe:*:Enabled:Halo] -> Microsoft Corporation [Ver = 01.00.08.0616 | Size = 2404352 bytes | Modified Date = 06/08/2008 5:02:07 PM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\GameSpy Arcade\Aphex.exe -> %ProgramFiles%\GameSpy Arcade\Aphex.exe [C:\Program Files\GameSpy Arcade\Aphex.exe:*:Enabled:GameSpy Arcade] -> File not found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Microsoft Games\Age of Empires II\age2_x1\age2_x1.icd -> %ProgramFiles%\Microsoft Games\Age of Empires II\age2_x1\age2_x1.icd [C:\Program Files\Microsoft Games\Age of Empires II\age2_x1\age2_x1.icd:*:Enabled:Age of Empires II Expansion] -> Microsoft Corporation [Ver = 00.07.25.0614 | Size = 2699309 bytes | Modified Date = 15/06/2001 5:37:34 PM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\mIRC\mirc.exe -> %ProgramFiles%\mIRC\mirc.exe [C:\Program Files\mIRC\mirc.exe:*:Enabled:mIRC] -> mIRC Co. Ltd. [Ver = 6.21 | Size = 2076672 bytes | Modified Date = 23/11/2006 11:45:34 AM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Microsoft Games\Age of Empires II\EMPIRES2.ICD -> %ProgramFiles%\Microsoft Games\Age of Empires II\EMPIRES2.ICD [C:\Program Files\Microsoft Games\Age of Empires II\EMPIRES2.ICD:*:Enabled:Age of Empires II] -> Microsoft Corporation [Ver = 00.14.22.0712 | Size = 2555949 bytes | Modified Date = 28/07/2000 5:33:14 PM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Ubisoft\Crytek\Far Cry\Bin32\FarCry.exe -> %ProgramFiles%\Ubisoft\Crytek\Far Cry\Bin32\FarCry.exe [C:\Program Files\Ubisoft\Crytek\Far Cry\Bin32\FarCry.exe:*:Enabled:Far Cry] -> File not found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Xfire\Xfire.exe -> %ProgramFiles%\Xfire\Xfire.exe [C:\Program Files\Xfire\Xfire.exe:*:Enabled:Xfire] -> Xfire Inc. [Ver = 13133 | Size = 2836304 bytes | Modified Date = 14/11/2007 9:00:40 PM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\AIM\aim.exe -> %ProgramFiles%\AIM\aim.exe [C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger] -> File not found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Dobermann\Halozero\halozero.exe -> %ProgramFiles%\Dobermann\Halozero\halozero.exe [C:\Program Files\Dobermann\Halozero\halozero.exe:*:Enabled:Halo Zero																						   ] -> File not found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\BitComet\BitComet.exe -> %ProgramFiles%\BitComet\BitComet.exe [C:\Program Files\BitComet\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client] -> File not found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Sony\Station\LaunchPad\_aunchPad.exe -> %ProgramFiles%\Sony\Station\LaunchPad\_aunchPad.exe [C:\Program Files\Sony\Station\LaunchPad\_aunchPad.exe:*:Enabled:_aunchPad] -> File not found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\LimeWire\LimeWire.exe -> %ProgramFiles%\LimeWire\LimeWire.exe [C:\Program Files\LimeWire\LimeWire.exe:*:Disabled:LimeWire] -> Lime Wire, LLC [Ver = 1, 0, 0, 2 | Size = 147456 bytes | Modified Date = 17/09/2008 7:23:33 PM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\StubInstaller.exe -> %SystemDrive%\StubInstaller.exe [C:\StubInstaller.exe:*:Disabled:LimeWire swarmed installer] -> LimeWire [Ver = 1.0.0.2 | Size = 700416 bytes | Modified Date = 31/10/2005 11:56:00 AM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOW\system32\P2P Networking\P2P Networking.exe -> %SystemRoot%\system32\P2P Networking\P2P Networking.exe [C:\WINDOW\system32\P2P Networking\P2P Networking.exe:*:Enabled:P2P Networking] -> File not found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Documents and Settings\ryan\Desktop\Farcry\Fusion351\Fusion.exe -> %UserProfile%\Desktop\Farcry\Fusion351\Fusion.exe [C:\Documents and Settings\ryan\Desktop\Farcry\Fusion351\Fusion.exe:*:Enabled:Fusion] -> File not found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\SNES\zsnesw.exe -> %SystemDrive%\SNES\zsnesw.exe [C:\SNES\zsnesw.exe:*:Enabled:zsnesw] ->  [Ver =  | Size = 513024 bytes | Modified Date = 19/01/2005 6:35:44 PM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Electronic Arts\Battlefield 2142 Demo\BF2142.exe -> %ProgramFiles%\Electronic Arts\Battlefield 2142 Demo\BF2142.exe [C:\Program Files\Electronic Arts\Battlefield 2142 Demo\BF2142.exe:*:Enabled:Battlefield 2] -> File not found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Documents and Settings\ryan\Local Settings\Temp\~os8.tmp\ossproxy.exe -> %UserProfile%\Local Settings\Temp\~os8.tmp\ossproxy.exe [C:\Documents and Settings\ryan\Local Settings\Temp\~os8.tmp\ossproxy.exe:*:Enabled:ossproxy.exe] -> File not found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\NetMeeting\conf.exe -> %ProgramFiles%\NetMeeting\conf.exe [C:\Program Files\NetMeeting\conf.exe:*:Disabled:Windows NetMeeting] -> Microsoft Corporation [Ver = 5.1.2600.5512 | Size = 1032192 bytes | Modified Date = 13/04/2008 8:12:15 PM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Documents and Settings\jesse.DAVID-REPZ4PHA9\Desktop\New Folder\maplestory\utorrent.exe -> %SystemDrive%\Documents and Settings\jesse.DAVID-REPZ4PHA9\Desktop\New Folder\maplestory\utorrent.exe [C:\Documents and Settings\jesse.DAVID-REPZ4PHA9\Desktop\New Folder\maplestory\utorrent.exe:*:Disabled:utorrent] -> File not found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Documents and Settings\ryan\Desktop\utorrent.exe -> %UserProfile%\Desktop\utorrent.exe [C:\Documents and Settings\ryan\Desktop\utorrent.exe:*:Disabled:Torrent] -> File not found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Documents and Settings\ryan\Desktop\Farcry\utorrent.exe -> %UserProfile%\Desktop\Farcry\utorrent.exe [C:\Documents and Settings\ryan\Desktop\Farcry\utorrent.exe:*:Disabled:Torrent] -> File not found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\BitTorrent\bittorrent.exe -> %ProgramFiles%\BitTorrent\bittorrent.exe [C:\Program Files\BitTorrent\bittorrent.exe:*:Disabled:BitTorrent] -> File not found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\DAP\DAP.exe -> %ProgramFiles%\DAP\DAP.exe [C:\Program Files\DAP\DAP.exe:*:Disabled:Download Accelerator Plus] -> File not found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Hello\Hello.exe -> %ProgramFiles%\Hello\Hello.exe [C:\Program Files\Hello\Hello.exe:*:Disabled:Hello!] -> File not found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Documents and Settings\ryan\Desktop\Music\Torrents\Half-Life\hltv.exe -> %UserProfile%\Desktop\Music\Torrents\Half-Life\hltv.exe [C:\Documents and Settings\ryan\Desktop\Music\Torrents\Half-Life\hltv.exe:*:Disabled:hltv] -> File not found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\ICQ\Icq.exe -> %ProgramFiles%\ICQ\Icq.exe [C:\Program Files\ICQ\Icq.exe:*:Disabled:ICQ] -> File not found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Kazaa\kazaa.exe -> %ProgramFiles%\Kazaa\kazaa.exe [C:\Program Files\Kazaa\kazaa.exe:*:Disabled:Kazaa] -> File not found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Sony\Station\LaunchPad\LaunchPad.exe -> %ProgramFiles%\Sony\Station\LaunchPad\LaunchPad.exe [C:\Program Files\Sony\Station\LaunchPad\LaunchPad.exe:*:Disabled:LaunchPad] -> File not found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Ubisoft\Red Storm Entertainment\Rainbow Six Lockdown Demo\Lockdown.exe -> %ProgramFiles%\Ubisoft\Red Storm Entertainment\Rainbow Six Lockdown Demo\Lockdown.exe [C:\Program Files\Ubisoft\Red Storm Entertainment\Rainbow Six Lockdown Demo\Lockdown.exe:*:Disabled:Lockdown] -> File not found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Marathon2\M2.EXE -> %ProgramFiles%\Marathon2\M2.EXE [C:\Program Files\Marathon2\M2.EXE:*:Disabled:Marathon 2- Durandal] -> File not found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOW\system32\dpvsetup.exe -> %SystemRoot%\system32\dpvsetup.exe [C:\WINDOW\system32\dpvsetup.exe:*:Disabled:Microsoft DirectPlay Voice Test] -> Microsoft Corporation [Ver = 5.03.2600.5512 (xpsp.080413-0845) | Size = 83456 bytes | Modified Date = 13/04/2008 8:12:18 PM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Q3Ademo\quake3.exe -> %SystemDrive%\Q3Ademo\quake3.exe [C:\Q3Ademo\quake3.exe:*:Disabled:quake3] -> File not found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe -> %ProgramFiles%\Red Chair Software\Anapod Explorer\anamgr.exe [C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe:*:Disabled:Red Chair Manager] -> File not found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOW\system32\rundll32.exe -> %SystemRoot%\system32\rundll32.exe [C:\WINDOW\system32\rundll32.exe:*:Disabled:Run a DLL as an App] -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2105) | Size = 33280 bytes | Modified Date = 13/04/2008 8:12:33 PM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Teamspeak2_RC2\server_windows.exe -> %ProgramFiles%\Teamspeak2_RC2\server_windows.exe [C:\Program Files\Teamspeak2_RC2\server_windows.exe:*:Disabled:Server] -> File not found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Skype\Phone\Skype.exe -> %ProgramFiles%\Skype\Phone\Skype.exe [C:\Program Files\Skype\Phone\Skype.exe:*:Disabled:Skype] -> File not found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Valve\Steam\Steam.exe -> %ProgramFiles%\Valve\Steam\Steam.exe [C:\Program Files\Valve\Steam\Steam.exe:*:Disabled:Steam] -> File not found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Documents and Settings\ryan\Desktop\Music\Torrents\Half-Life\The All-Seeing Eye\eye.exe -> %UserProfile%\Desktop\Music\Torrents\Half-Life\The All-Seeing Eye\eye.exe [C:\Documents and Settings\ryan\Desktop\Music\Torrents\Half-Life\The All-Seeing Eye\eye.exe:*:Disabled:The All-Seeing Eye] -> File not found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Tremulous\tremulous.exe -> %ProgramFiles%\Tremulous\tremulous.exe [C:\Program Files\Tremulous\tremulous.exe:*:Disabled:tremulous] -> File not found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Trillian\trillian.exe -> %ProgramFiles%\Trillian\trillian.exe [C:\Program Files\Trillian\trillian.exe:*:Disabled:Trillian] -> Cerulean Studios [Ver = 3, 1, 9, 0 | Size = 1873280 bytes | Modified Date = 11/12/2007 1:00:00 AM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Documents and Settings\ryan\Desktop\ventrilo_srv.exe -> %UserProfile%\Desktop\ventrilo_srv.exe [C:\Documents and Settings\ryan\Desktop\ventrilo_srv.exe:*:Disabled:ventrilo_srv] -> File not found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\XBC\neXBC.exe -> %ProgramFiles%\XBC\neXBC.exe [C:\Program Files\XBC\neXBC.exe:*:Disabled:XBConnect] -> File not found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\neXBC\neXBC.exe -> %ProgramFiles%\neXBC\neXBC.exe [C:\Program Files\neXBC\neXBC.exe:*:Disabled:XBConnect] -> File not found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Yahoo!\Messenger\YServer.exe -> %ProgramFiles%\Yahoo!\Messenger\YServer.exe [C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Disabled:Yahoo! FT Server] -> Yahoo! Inc. [Ver = 3, 0, 0, 0 | Size = 53248 bytes | Modified Date = 31/08/2005 1:54:26 PM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Yahoo!\Messenger\YPager.exe -> %ProgramFiles%\Yahoo!\Messenger\YPager.exe [C:\Program Files\Yahoo!\Messenger\YPager.exe:*:Disabled:Yahoo! Messenger] ->  [Ver =  | Size = 3084288 bytes | Modified Date = 14/09/2005 1:26:54 PM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Alien Arena 2007\crx.exe -> %SystemDrive%\Alien Arena 2007\crx.exe [C:\Alien Arena 2007\crx.exe:*:Disabled:crx] -> File not found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\e frontier\Poser Figure Artist Demo\Poser Figure Artist Demo.exe -> %ProgramFiles%\e frontier\Poser Figure Artist Demo\Poser Figure Artist Demo.exe [C:\Program Files\e frontier\Poser Figure Artist Demo\Poser Figure Artist Demo.exe:*:Enabled:Poser Figure Artist executable file] -> File not found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Soulseek\slsk.exe -> %ProgramFiles%\Soulseek\slsk.exe [C:\Program Files\Soulseek\slsk.exe:*:Enabled:SoulSeek] -> File not found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Last.fm\LastFM.exe -> %ProgramFiles%\Last.fm\LastFM.exe [C:\Program Files\Last.fm\LastFM.exe:*:Enabled:LastFM] -> Last.fm [Ver = 1.5.1.29527 | Size = 1138688 bytes | Modified Date = 23/05/2008 11:52:44 AM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Steam\steamapps\tpblind\half-life 2 deathmatch\hl2.exe -> %ProgramFiles%\Steam\steamapps\tpblind\half-life 2 deathmatch\hl2.exe [C:\Program Files\Steam\steamapps\tpblind\half-life 2 deathmatch\hl2.exe:*:Enabled:hl2] -> File not found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Steam\steamapps\tpblind\counter-strike source\hl2.exe -> %ProgramFiles%\Steam\steamapps\tpblind\counter-strike source\hl2.exe [C:\Program Files\Steam\steamapps\tpblind\counter-strike source\hl2.exe:*:Enabled:hl2] -> File not found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Steam\steamapps\starfighterx\counter-strike source\hl2.exe -> %ProgramFiles%\Steam\steamapps\starfighterx\counter-strike source\hl2.exe [C:\Program Files\Steam\steamapps\starfighterx\counter-strike source\hl2.exe:*:Enabled:hl2] -> File not found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Steam\steamapps\themaladjusted1\counter-strike source\hl2.exe -> %ProgramFiles%\Steam\steamapps\themaladjusted1\counter-strike source\hl2.exe [C:\Program Files\Steam\steamapps\themaladjusted1\counter-strike source\hl2.exe:*:Enabled:hl2] -> File not found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOW\system32\PnkBstrA.exe -> %SystemRoot%\system32\PnkBstrA.exe [C:\WINDOW\system32\PnkBstrA.exe:*:Enabled:PnkBstrA] ->  [Ver =  | Size = 66872 bytes | Modified Date = 01/02/2008 7:13:06 PM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOW\system32\PnkBstrB.exe -> %SystemRoot%\system32\PnkBstrB.exe [C:\WINDOW\system32\PnkBstrB.exe:*:Enabled:PnkBstrB] ->  [Ver =  | Size = 107832 bytes | Modified Date = 01/02/2008 7:12:44 PM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Steam\steamapps\themaladjusted1\day of defeat source\hl2.exe -> %ProgramFiles%\Steam\steamapps\themaladjusted1\day of defeat source\hl2.exe [C:\Program Files\Steam\steamapps\themaladjusted1\day of defeat source\hl2.exe:*:Disabled:hl2] -> File not found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Steam\steamapps\themaladjusted1\counter-strike\hl.exe -> %ProgramFiles%\Steam\steamapps\themaladjusted1\counter-strike\hl.exe [C:\Program Files\Steam\steamapps\themaladjusted1\counter-strike\hl.exe:*:Enabled:Half-Life Launcher] -> File not found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Steam\steam.exe -> %ProgramFiles%\Steam\steam.exe [C:\Program Files\Steam\steam.exe:*:Enabled:Steam] -> File not found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Common Files\AOL\Loader\aolload.exe -> %CommonProgramFiles%\AOL\Loader\aolload.exe [C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader] -> AOL LLC [Ver = 9.3.2.2 | Size = 10800 bytes | Modified Date = 03/11/2006 3:17:27 AM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\uTorrent\uTorrent.exe -> %ProgramFiles%\uTorrent\uTorrent.exe [C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:Torrent] -> BitTorrent, Inc. [Ver = 1.8.0.11813 | Size = 267056 bytes | Modified Date = 13/08/2008 6:12:51 PM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Xfire2\xfire.exe -> %ProgramFiles%\Xfire2\xfire.exe [C:\Program Files\Xfire2\xfire.exe:*:Enabled:Xfire] -> Xfire Inc. [Ver = 13133 | Size = 3068752 bytes | Modified Date = 27/08/2008 5:03:14 PM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Steam\steamapps\themaladjusted1\half-life 2 deathmatch\hl2.exe -> %ProgramFiles%\Steam\steamapps\themaladjusted1\half-life 2 deathmatch\hl2.exe [C:\Program Files\Steam\steamapps\themaladjusted1\half-life 2 deathmatch\hl2.exe:*:Enabled:hl2] -> File not found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Microsoft Games\Halo\halo.exe -> %ProgramFiles%\Microsoft Games\Halo\halo.exe [C:\Program Files\Microsoft Games\Halo\halo.exe:*:Enabled:Halo] -> Microsoft Corporation [Ver = 01.00.07.0613 | Size = 3606520 bytes | Modified Date = 26/04/2005 9:30:59 PM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Documents and Settings\ryan\Desktop\Random\New Folder\WoW\WoW-2.0.0-enUS-Installer-downloader.exe -> %UserProfile%\Desktop\Random\New Folder\WoW\WoW-2.0.0-enUS-Installer-downloader.exe [C:\Documents and Settings\ryan\Desktop\Random\New Folder\WoW\WoW-2.0.0-enUS-Installer-downloader.exe:*:Enabled:Blizzard Downloader] -> File not found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Windows Live\Messenger\msnmsgr.exe -> %ProgramFiles%\Windows Live\Messenger\msnmsgr.exe [C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger] -> Microsoft Corporation [Ver = 8.5.1302.1018 | Size = 5724184 bytes | Modified Date = 18/10/2007 11:34:02 AM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Windows Live\Messenger\livecall.exe -> %ProgramFiles%\Windows Live\Messenger\livecall.exe [C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)] -> Microsoft Corporation [Ver = 1.5.204.0 | Size = 304488 bytes | Modified Date = 02/10/2007 5:18:24 PM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\MSN Messenger\msnmsgr.exe -> %ProgramFiles%\MSN Messenger\msnmsgr.exe [C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Messenger] -> File not found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\AIM6\aim6.exe -> %ProgramFiles%\AIM6\aim6.exe [C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM] -> AOL LLC [Ver = 1.4.9.1 | Size = 50472 bytes | Modified Date = 06/08/2008 11:21:06 AM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Microsoft Games\Halo Custom Edition\halo.exe -> %ProgramFiles%\Microsoft Games\Halo Custom Edition\halo.exe [C:\Program Files\Microsoft Games\Halo Custom Edition\halo.exe:*:Enabled:Halo] -> File not found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Steam\steamapps\themaladjusted1\team fortress 2\hl2.exe -> %ProgramFiles%\Steam\steamapps\themaladjusted1\team fortress 2\hl2.exe [C:\Program Files\Steam\steamapps\themaladjusted1\team fortress 2\hl2.exe:*:Enabled:hl2] -> File not found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOW\system32\drivers\svchost.exe -> %SystemRoot%\system32\drivers\svchost.exe [C:\WINDOW\system32\drivers\svchost.exe:*:Disabled:svchost] -> File not found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\iTunes\iTunes.exe -> %ProgramFiles%\iTunes\iTunes.exe [C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes] -> Apple Inc. [Ver = 7.7.1.11 | Size = 20252968 bytes | Modified Date = 30/07/2008 10:47:50 AM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\%windir%\Network Diagnostic\xpnetdiag.exe -> %SystemRoot%\network diagnostic\xpnetdiag.exe [%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000] -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-0852) | Size = 558080 bytes | Modified Date = 13/04/2008 2:53:32 PM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Documents and Settings\ryan\Desktop\MSN Lite 7.5.exe -> %UserProfile%\Desktop\MSN Lite 7.5.exe [C:\Documents and Settings\ryan\Desktop\MSN Lite 7.5.exe:*:Enabled:MSN Messenger Lite] -> Microsoft Corporation [Ver = 7.5.0324 | Size = 13820262 bytes | Modified Date = 02/12/2007 5:15:29 AM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\1900:UDP -> 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\2869:TCP -> 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\139:TCP -> 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\445:TCP -> 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\137:UDP -> 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\138:UDP -> 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\22478:TCP -> 22478:TCP:*:Enabled:BitComet 22478 TCP -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\22478:UDP -> 22478:UDP:*:Enabled:BitComet 22478 UDP -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\3724:TCP -> 3724:TCP:*:Enabled:Blizzard Downloader: 3724 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\3007:UDP -> 3007:UDP:*:Enabled:Windows Media Format SDK (Iexplore.exe) -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\3006:UDP -> 3006:UDP:*:Enabled:Windows Media Format SDK (Iexplore.exe) -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\3011:UDP -> 3011:UDP:*:Enabled:Windows Media Format SDK (Iexplore.exe) -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Security\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Security\\Security -> [Binary data over 100 bytes] -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\\ServiceUpgrade -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\\0 -> Root\LEGACY_SHAREDACCESS\0000 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\\Count -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\\NextInstance -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\ -> ->

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Type -> 272 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Start -> 2 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ErrorControl -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ImagePath -> %SystemRoot%\system32\svchost.exe [%systemroot%\system32\svchost.exe -k netsvcs] -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2111) | Size = 14336 bytes | Modified Date = 13/04/2008 8:12:36 PM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\DisplayName -> Automatic Updates -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ObjectName -> LocalSystem -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Description -> Enables the download and installation of critical Windows updates. If the service is disabled, the operating system can be manually updated at the Windows Update Web site. -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters\\ServiceDll -> %SystemRoot%\system32\wuauserv.dll [C:\WINDOW\system32\wuauserv.dll] -> Microsoft Corporation [Ver = 5.4.3790.5512 (xpsp.080413-0852) | Size = 6656 bytes | Modified Date = 13/04/2008 8:12:11 PM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Security\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Security\\Security -> [Binary data over 100 bytes] -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\0 -> Root\LEGACY_WUAUSERV\0000 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\Count -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\NextInstance -> 1 -> 

Reg Error: Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\ not found. -> -> 

Reg Error: Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\ not found. -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings\ -> ->

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings\\ProxyEnable -> 0 -> 

< Disabled MSConfig Folder Items [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\ -> 

C:^Documents and Settings^All Users.WINDOW^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk -> %ProgramFiles%\Adobe\Acrobat 7.0\Reader\reader_sl.exe -> Adobe Systems Incorporated [Ver = 7.0.5.2005092300 | Size = 29696 bytes | Modified Date = 23/09/2005 10:05:26 PM | Attr =	]

C:^Documents and Settings^All Users.WINDOW^Start Menu^Programs^Startup^Run Google Web Accelerator.lnk -> %ProgramFiles%\Google\Web Accelerator\GoogleWebAccWarden.exe ->  [Ver =  | Size = 1134592 bytes | Modified Date = 09/07/2007 10:24:38 PM | Attr =	]

C:^Documents and Settings^ryan^Start Menu^Programs^Startup^Anapod Manager.lnk -> %ProgramFiles%\Red Chair Software\Anapod Explorer\anamgr.exe -> File not found

C:^Documents and Settings^ryan^Start Menu^Programs^Startup^BitTorrent.lnk -> %ProgramFiles%\BitTorrent\bittorrent.exe -> File not found

C:^Documents and Settings^ryan^Start Menu^Programs^Startup^MOG-O-MATIC.lnk -> %ProgramFiles%\MOG-O-MATIC\MogClient.exe -> File not found

C:^Documents and Settings^ryan^Start Menu^Programs^Startup^World Community Grid Agent.lnk -> %ProgramFiles%\WorldCommunityGrid\UD.EXE -> File not found

C:^Documents and Settings^ryan^Start Menu^Programs^Startup^Xfire.lnk -> %ProgramFiles%\Xfire2\xfire.exe -> Xfire Inc. [Ver = 13133 | Size = 3068752 bytes | Modified Date = 27/08/2008 5:03:14 PM | Attr =	]

< Disabled MSConfig Registry Items [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ -> 

#L"h'9Ӝ3rWC: hkey= key= ->  -> File not found

Adobe Photo Downloader hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %ProgramFiles%\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe -> Adobe Systems Incorporated [Ver = 3.0.0.49815 | Size = 57344 bytes | Modified Date = 07/06/2005 12:46:24 AM | Attr =	]

adorttdl hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %ProgramFiles%\Vbijgjng\adorttdl.exe -> File not found

Aim6 hkey=HKCU key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %ProgramFiles%\AIM6\aim6.exe -> AOL LLC [Ver = 1.4.9.1 | Size = 50472 bytes | Modified Date = 06/08/2008 11:21:06 AM | Attr =	]

AppleSyncNotifier hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %CommonProgramFiles%\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe -> File not found

ATI Launchpad hkey=HKCU key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %ProgramFiles%\ATI Multimedia\main\launchpd.exe -> File not found

ATI Remote Control hkey=HKCU key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %ProgramFiles%\ATI Multimedia\RemCtrl\ATIRW.exe -> File not found

ATICCC hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %ProgramFiles%\ATI Technologies\ATI.ACE\cli.exe -> File not found

BHOZapper hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %ProgramFiles%\BHOZapper\BHOZapper.exe -> File not found

CaAvTray hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %ProgramFiles%\Yahoo!\Antivirus\CAVTray.exe -> Computer Associates International, Inc. [Ver = Version 11.0.7.8 | Size = 230512 bytes | Modified Date = 11/04/2006 11:49:43 AM | Attr =	]

CAVRID hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %ProgramFiles%\Yahoo!\Antivirus\CAVRid.exe -> Computer Associates International, Inc. [Ver = Version 11.0.7.8 | Size = 185456 bytes | Modified Date = 11/04/2006 11:49:43 AM | Attr =	]

DAEMON Tools Lite hkey=HKCU key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %ProgramFiles%\DAEMON Tools\daemon.exe -> DT Soft Ltd [Ver = 4.30.1.0 | Size = 490952 bytes | Modified Date = 08/08/2008 8:11:12 AM | Attr =	]

Dinst hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %SystemRoot%\dinst.exe -> File not found

gvjymwnm hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %ProgramFiles%\Vwbyprah\gvjymwnm.exe ->  [Ver =  | Size = 46080 bytes | Modified Date = 03/08/2007 3:52:08 PM | Attr =	]

iTunesHelper hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %ProgramFiles%\iTunes\iTunesHelper.exe -> Apple Inc. [Ver = 7.7.1.11 | Size = 289064 bytes | Modified Date = 30/07/2008 10:47:56 AM | Attr =	]

Lexmark 1200 Series hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %ProgramFiles%\Lexmark 1200 Series\lxczbmgr.exe -> Lexmark International, Inc. [Ver = 0.1.1.1 | Size = 57344 bytes | Modified Date = 13/07/2006 1:22:50 AM | Attr =	]

lphc5ahj0encj hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %SystemRoot%\system32\lphc5ahj0encj.exe -> File not found

< File Associations - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>\ -> 

.bat [@ = batfile] -> "%1" %* -> 

.cmd [@ = cmdfile] -> "%1" %* -> 

.com [@ = comfile] -> Reg Error: Value  does not exist or could not be read. -> File not found

.exe [@ = exefile] -> "%1" %* -> 

.html [@ = FirefoxHTML] -> %ProgramFiles%\Mozilla Firefox\firefox.exe -> Mozilla Corporation [Ver = 1.9.0.1 | Size = 307712 bytes | Modified Date = 17/07/2008 3:19:54 PM | Attr =	]

.js [@ = JSFile] -> Reg Error: Key does not exist or could not be opened. -> File not found

.pif [@ = piffile] -> "%1" %* -> 

.scr [@ = scrfile] -> "%1" /S -> 

< Uninstall List [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ -> 

{01501EBA-EC35-4F9F-8889-3BE346E5DA13} -> MSXML4 Parser

{04410044-9149-45C6-A806-F2BF9CFCE762} -> Microsoft Encarta Encyclopedia Standard 2004

{06F80017-8F98-4C94-B868-52358569FC32} -> Command & Conquer Generals

{08CA9554-B5FE-4313-938F-D4A417B81175} -> QuickTime

{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E} -> MSXML 6.0 Parser (KB933579)

{0B17F58C-35BE-4DC7-AE85-28E5E1464DB4} -> Halo Antihack.NET v2.0

{0D499481-22C6-4B25-8AC2-6D3F6C885FB9} -> OpenOffice.org Installer 1.0

{184E7118-0295-43C4-B72C-1D54AA75AAF7} -> Windows Live Mail

{1D643CD7-4DD6-11D7-A4E0-000874180BB3} -> Microsoft Money 2004

{21A127AE-2DAF-40B7-8374-34C3E629521C} -> Far Cry (Patch 1.3)

{22D14F78-76EC-45E6-9D40-E8331019C4DF} -> ArcSoft PhotoStudio 5.5

{22DE1881-9D24-4981-B5CC-EC7E9F2F4D52} -> Rhapsody Player Engine

{24508D50-EB8F-4FE6-B69D-B4935D8745EF}_is1 -> Warsow 0.42

{2BA00471-0328-3743-93BD-FA813353A783} -> Microsoft .NET Framework 3.0 Service Pack 1

{2BAC5A28-BB8B-4440-99E7-451DF2E9DBF3} -> ArcSoft Software Suite

{2C272396-11B1-79BD-2BB3-40B9BEE9BCE5} -> Catalyst Control Center Core Implementation

{2D4F6BE3-6FEF-4FE9-9D01-1406B220D08C} -> Windows Live Photo Gallery

{2FC099BD-AC9B-33EB-809C-D332E1B27C40} -> Microsoft .NET Framework 3.5

{3248F0A8-6813-11D6-A77B-00B0D0160050} -> Java(TM) 6 Update 5

{3248F0A8-6813-11D6-A77B-00B0D0160070} -> Java(TM) 6 Update 7

{3303E88E-C09C-44FD-9D15-3A0265DB938A} -> Opera 9.0

{33BEE6F3-9987-4F98-A069-97A64EC8321A} -> Microsoft Works Suite Add-in for Microsoft Word

{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227} -> WebFldrs XP

{37477865-A3F1-4772-AD43-AAFC6BCFF99F} -> MSXML 4.0 SP2 (KB927978)

{3C662203-292F-4E9D-AE02-281071C06903} -> Far Cry (Patch 1.33)

{3CEA3FEC-1AF5-4818-89D5-406F627E7337} -> World Community Grid Agent

{3DE0053C-FD9A-483E-B7C9-B06E4392206E} -> iTunes

{3FA7A919-87DA-42B1-814B-86DE8DCA17C2} -> gmax

{4062364A-1290-43E5-8250-6A0C8C74CABC} -> ccc-core-preinstall

{4231395F-C55C-FBAD-E4A5-C0E7D67F32E4} -> Catalyst Control Center Graphics Full New

{43DCF766-6838-4F9A-8C91-D92DA586DFA8} -> Microsoft Windows Journal Viewer

{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B} -> Adobe Photoshop Album Starter Edition 3.0

{4F247A01-4A65-4B16-B4F7-03B551A681FF} -> Anywhere.FM Uploader

{53EF6570-21A4-47ED-A40A-E6470A5677A3} -> Studio 8

{572527DD-05F1-E9EA-5B4F-055ECDD720EB} -> ccc-utility

{5F1788B3-C9CE-4BAD-8293-3B622DA643D1} -> Microsoft Windows Vista Upgrade Advisor

{6A1975EB-27E6-491D-94BC-6355FA25F40F} -> Google Web Accelerator

{6C38413A-C7E4-4225-ADE4-EBFECD69107A} -> Triple Triad Extreme v2

{716E0306-8318-4364-8B8F-0CC4E9376BAC} -> MSXML 4.0 SP2 Parser and SDK

{7299052b-02a4-4627-81f2-1818da5d550d} -> Microsoft Visual C++ 2005 Redistributable

{789289CA-F73A-4A16-A331-54D498CE069F} -> Ventrilo Client

{7A1ADD0C-17F3-47B8-B033-A06E189C835D} -> Microsoft .NET Framework 2.0 Beta 2

{7E37FE5D-833D-8CEC-68DE-665DDDDA06B5} -> Catalyst Control Center Graphics Light

{8704D51E-25B7-4F23-81E7-AA4F54790210} -> Microsoft Streets and Trips 2004

{8C64E145-54BA-11D6-91B1-00500462BE80} -> Microsoft Money 2004 System Pack

{8CC48729-6D2E-11D4-A860-00105AD68F38} -> Galaga Destination Earth

{911B0409-6000-11D3-8CFE-0050048383C9} -> Microsoft Word 2002

{9176251A-4CC1-4DDB-B343-B487195EB397} -> Windows Live Writer

{9559F7CA-5E34-4237-A2D9-D856464AD727} -> Project64 1.6

{9811A185-3D3D-11D6-9E14-00036D172B00} -> Adobe MPEG Encoder

{9B743536-28E5-4A48-A1CC-8600A18386C3} -> Growler Guncam

{A06275F4-324B-4E85-95E6-87B2CD729401} -> Windows Defender

{A49F249F-0C91-497F-86DF-B2585E8E76B7} -> Microsoft Visual C++ 2005 Redistributable

{A5BA14E0-7384-11D4-BAE7-00409631A2C8} -> Macromedia Extension Manager

{A73C3B76-C889-29FF-811E-14AF82CCEBEE} -> ccc-core-static

{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320} -> Windows Live installer

{A8B2C826-3627-52AA-D5B5-D89F178F4A8B} -> Catalyst Control Center Graphics Full Existing

{ABC0976C-723E-CDA4-7F09-378FAF2C2890} -> Skins

{ABFC3441-04FF-4D1A-BBFD-52EC70CE122F} -> GSC

{AC138218-5F23-DCC0-357D-143EF8451483} -> CCC Help English

{AC76BA86-7AD7-1033-7B44-A70900000002} -> Adobe Reader 7.0.9

{AFA4E5FD-ED70-4D92-99D0-162FD56DC986} -> Windows Live Sign-in Assistant

{B1166CA2-9264-C562-AEDE-7C1965CBAAF8} -> Catalyst Control Center Graphics Previews Common

{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1 -> Spybot - Search & Destroy

{B508B3F1-A24A-32C0-B310-85786919EF28} -> Microsoft .NET Framework 2.0 Service Pack 1

{B74F042E-E1B9-4A5B-8D46-387BB172F0A4} -> Apple Software Update

{B9966F27-9678-4620-9579-925E3084647E} -> Microsoft Works

{C04E32E0-0416-434D-AFB9-6969D703A9EF} -> MSXML 4.0 SP2 (KB936181)

{C9618743-1A5C-461E-91C4-E013A3D70F3C} -> Adobe Photoshop Album Starter Edition 3.0.1

{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} -> Microsoft .NET Framework 1.1

{CCEB53A5-A252-4CF3-8602-429AB06BF0AE} -> Terragen

{D792A069-B96B-40BA-BCB4-E5651A6E5926} -> Far Cry (Patch 1)

{D824C0C6-AC15-464E-93A4-668822C728FE} -> GSC

{DB52432E-3AD8-41A5-A586-0F065FB6A31E} -> Game Cam

{DBA8B9E1-C6FF-4624-9598-73D3B41A0903} -> Microsoft Picture It! Photo Premium 9

{DD040AAA-F295-492B-AD91-C8DC24488273} -> Photo Explosion Special Edition

{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF} -> Ad-Aware 2007

{DF5A03CC-D5AA-43D8-B948-D9903F2AF94A} -> Counter-Strike(TM)

{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E} -> Windows Media Encoder 9 Series

{EE8592F6-FC2B-4AFD-B527-109D127C039F} -> Far Cry (Patch 1.31)

{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8} -> Microsoft SQL Server 2005 Compact Edition [ENU]

{F3E9C243-122E-4D6B-ACC1-E1FEC02F6CA1} -> Command and ConquerTM Generals Zero Hour

{F5DDF8AC-FF00-45DE-A982-13F6CFF7A944} -> Halo Editing Kit Plus

{F843C6A3-224D-4615-94F8-3C461BD9AEA0} -> Jasc Paint Shop Pro 9

{FE242C4A-4AF0-4E9F-ABFF-92CA3CEE8761} -> MySpaceIM

12345_is1 -> WeGame Client Public Beta 1.0.5

Acoustica Mixcraft 3.1 -> Acoustica Mixcraft 3.1

Adobe Flash Player ActiveX -> Adobe Flash Player ActiveX

Adobe Flash Player Plugin -> Adobe Flash Player Plugin

Age of Empires 2.0 -> Microsoft Age of Empires II

Age of Empires II: The Conquerors Expansion 1.0 -> Microsoft Age of Empires II: The Conquerors Expansion

Alive MP4 Converter_is1 -> Alive MP4 Converter (version 2.0.8.6)

AMIP_iTunes -> AMIP for iTunes (remove only)

ASIO4ALL -> ASIO4ALL

ATI Display Driver -> ATI Display Driver

Audacity_is1 -> Audacity 1.2.4

Audio Editor Pro_is1 -> Audio Editor Pro 2.70

Audiosurf_is1 -> Audiosurf Beta

avi.NET 2.5.8.0 -> avi.NET 2.5.8.0

AviSynth -> AviSynth 2.5

CAL -> Canon Camera Access Library

CameraWindowDVC5 -> Canon Camera Window DC_DV 5 for ZoomBrowser EX

CameraWindowDVC6 -> Canon Camera Window DC_DV 6 for ZoomBrowser EX

CameraWindowMC -> Canon Camera Window MC 6 for ZoomBrowser EX

Canon G.726 WMP-Decoder -> Canon G.726 WMP-Decoder

Cool MP3 Converter_is1 -> Cool MP3 Converter V1.86

CSCLIB -> Canon Camera Support Core Library

DVDAlbum_is1 -> DVD Album 1.1.0

DVDAuthorGUI -> DVDAuthorGUI (remove only)

Easy Screen Capture -> Easy Screen Capture

EOS Utility -> Canon Utilities EOS Utility

Fiddler2 -> Fiddler2 (remove only)

Flock -> Flock 1.2

FLV Player -> FLV Player 2.0, build 24

Fraps -> Fraps (remove only)

Frets on Fire -> Frets On Fire

GoogleVideoPlayer -> Google Video Player

Halo -> Microsoft Halo

Halo 1.0 -> Microsoft Halo

Halo CE -> Microsoft Halo Custom Edition

Halo HEK -> Halo Editing Kit

Halo Zero Final V1.8.3 -> Halo Zero Final V1.8.3

HijackThis -> HijackThis 2.0.2

ie7b2pmx -> Internet Explorer 7 Beta 2 Preview

ImTOO MP4 Video Converter -> ImTOO MP4 Video Converter

InstallShield_{06F80017-8F98-4C94-B868-52358569FC32} -> Command & Conquer Generals

InstallShield_{F3E9C243-122E-4D6B-ACC1-E1FEC02F6CA1} -> Command and ConquerTM Generals Zero Hour

IrfanView -> IrfanView (remove only)

iScrobbler -> iScrobbler

Jasc Paint Shop Pro 9 GDI+ Patch -> Jasc Paint Shop Pro 9 GDI+ Patch

Jasc Paint Shop Pro 9.01 Patch -> Jasc Paint Shop Pro 9.01 Patch

KB911564 -> Security Update for Windows Media Player (KB911564)

KB911565 -> Security Update for Windows Media Player 10 (KB911565)

KB917734_WMP10 -> Security Update for Windows Media Player 10 (KB917734)

KB923689 -> Security Update for Windows XP (KB923689)

KB925398_WMP64 -> Security Update for Windows Media Player 6.4 (KB925398)

KB926139-v2 -> Windows PowerShell(TM) 1.0

KB936782_WMP10 -> Security Update for Windows Media Player 10 (KB936782)

KB938464 -> Security Update for Windows XP (KB938464)

KB941569 -> Security Update for Windows XP (KB941569)

KB946648 -> Security Update for Windows XP (KB946648)

KB950760 -> Security Update for Windows XP (KB950760)

KB950762 -> Security Update for Windows XP (KB950762)

KB950974 -> Security Update for Windows XP (KB950974)

KB951066 -> Security Update for Windows XP (KB951066)

KB951072-v2 -> Update for Windows XP (KB951072-v2)

KB951376 -> Security Update for Windows XP (KB951376)

KB951376-v2 -> Security Update for Windows XP (KB951376-v2)

KB951698 -> Security Update for Windows XP (KB951698)

KB951748 -> Security Update for Windows XP (KB951748)

KB951978 -> Update for Windows XP (KB951978)

KB952287 -> Hotfix for Windows XP (KB952287)

KB952954 -> Security Update for Windows XP (KB952954)

KB953839 -> Security Update for Windows XP (KB953839)

KB954156_WM9L -> Security Update for Windows Media Encoder (KB954156)

KLiteCodecPack_is1 -> K-Lite Mega Codec Pack 1.58

LastFM_is1 -> Last.fm 1.5.1.29527

Lexmark 1200 Series -> Lexmark 1200 Series

Lexmark X1100 Series -> Lexmark X1100 Series

LimeWire -> LimeWire PRO 4.18.7

Macromedia Shockwave Player -> Macromedia Shockwave Player

Malwarebytes' Anti-Malware_is1 -> Malwarebytes' Anti-Malware

Microsoft .NET Framework 2.0 Beta 2 -> Microsoft .NET Framework 2.0 Beta 2

Microsoft .NET Framework 3.5 -> Microsoft .NET Framework 3.5

mIRC -> mIRC

MovieEditTask -> Canon MovieEdit Task for ZoomBrowser EX

Mozilla Firefox (3.0.1) -> Mozilla Firefox (3.0.1)

Mozilla Firefox (3.0b3) -> Mozilla Firefox (3.0b3)

MSN Music Assistant -> MSN Music Assistant

Multiquence v2.54 -> Multiquence v2.54

Need2FindBar Uninstall ->  

Netscape (7.2) -> Netscape (7.2)

NOD32 v3.x FiX 1.1 by TemDono_is1 -> NOD32 v3.x FiX 1.1 by TemDono (Free Updates - Expire in 2050)

PhotoStitch -> Canon Utilities PhotoStitch

Picasa2 -> Picasa 2

PictureIt_v9 -> Microsoft Picture It! Photo Premium 9

PokerStars -> PokerStars

PowerArchiver_is1 -> PowerArchiver 2004 v9.20

PPTView97 -> Microsoft PowerPoint Viewer 97

PROSet -> Intel(R) PRO Network Adapters and Drivers

Protected Music Converter_is1 -> Protected Music Converter 0.99b

RAW Image Task -> Canon RAW Image Task for ZoomBrowser EX

RealPlayer 6.0 -> RealPlayer

RecordPad -> RecordPad Sound Recorder Uninstall

RemoteCaptureTask -> Canon RemoteCapture Task for ZoomBrowser EX

RHSI SHS -> Rogers Self Healing (remove only)

RNCompiler 6.0 -> Advanced RealMedia Export Plug-in for Premiere 6.0

Rogers Yahoo! Applications -> Rogers Yahoo! Applications

SHS -> Rogers Self Healing (remove only)

Steam App 10 -> Counter-Strike

Steam App 240 -> Counter-Strike: Source

Steam App 30 -> Day of Defeat

Steam App 300 -> Day of Defeat: Source

Steam App 40 -> Deathmatch Classic

Steam App 440 -> Team Fortress 2

Steam App 60 -> Ricochet

Syncrosoft's License Control -> Syncrosoft's License Control

SystemRequirementsLab -> System Requirements Lab

Teamspeak 2 RC2_is1 -> TeamSpeak 2 RC2

Texas Hold'em Video Poker_is1 -> VPHoldem version 1.0.99

Themexp.org File -> Themexp.org File

Trillian -> Trillian

tv_enua -> Lernout & Hauspie TruVoice American English TTS Engine

Universal Media Player -> Universal Media Player

Update Manager -> Rogers Update Manager (remove only)

Video Cleaner -> River Past Video Cleaner

Visual Studio 6.0 Professional Edition -> Microsoft Visual Studio 6.0 Professional Edition

VLC media player -> VideoLAN VLC media player 0.8.5

WavePad -> WavePad Uninstall

WebPost -> Microsoft Web Publishing Wizard 1.53

WgaNotify -> Windows Genuine Advantage Notifications (KB905474)

WIC -> Windows Imaging Component

Winamp -> Winamp

Windows Media Encoder 9 -> Windows Media Encoder 9 Series

Windows Media Format Runtime -> Windows Media Format Runtime

Windows Media Player -> Windows Media Player 10

Windows XP Service Pack -> Windows XP Service Pack 3

WinGTK-2_is1 -> GTK+ 2.6.7-1 runtime environment

WinPcapInst -> WinPcap 3.1

WinRAR archiver -> WinRAR archiver

Works2004Setup -> Microsoft Works 2004 Setup Launcher

Xfire -> Xfire (remove only)

XpsEPSC -> XML Paper Specification Shared Components Pack 1.0

ZoomBrowser EX -> Canon Utilities ZoomBrowser EX

< Uninstall List [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ -> 

MOGClient -> MOG-O-MATIC -- Listening preferences and sharing

Steam App 211 -> Source SDK

Steam App 215 -> Source SDK Base

Steam App 220 -> Half-Life 2

Steam App 240 -> Counter-Strike: Source

Steam App 320 -> Half-Life 2: Deathmatch

uTorrent -> µTorrent

VASSAL -> VASSAL

[Files/Folders - Created Within 30 days]

fixwareout -> %SystemDrive%\fixwareout ->  [Folder | Created Date = 30/08/2008 4:07:51 PM | Attr =	]

Vtks Revolt.ttf -> %SystemDrive%\Vtks Revolt.ttf ->  [Ver =  | Size = 158556 bytes | Created Date = 02/09/2008 9:06:10 AM | Attr =	]

en -> %SystemRoot%\System32\en ->  [Folder | Created Date = 30/08/2008 11:52:24 AM | Attr =	]

1 C:\WINDOW\System32\*.tmp files -> C:\WINDOW\System32\*.tmp -> 

pid.inf -> %SystemRoot%\System32\pid.inf ->  [Ver =  | Size = 1261 bytes | Created Date = 28/08/2008 11:26:15 PM | Attr =	]

scripting -> %SystemRoot%\System32\scripting ->  [Folder | Created Date = 30/08/2008 11:52:27 AM | Attr =	]

unnefmim -> %SystemRoot%\System32\unnefmim ->  [Folder | Created Date = 30/08/2008 12:34:10 PM | Attr =	]

windowspowershell -> %SystemRoot%\System32\windowspowershell ->  [Folder | Created Date = 11/09/2008 6:45:03 PM | Attr =	]

xfcodec.dll -> %SystemRoot%\System32\xfcodec.dll ->  [Ver = 33914 | Size = 42320 bytes | Created Date = 27/08/2008 5:03:26 PM | Attr =	]

l2schemas -> %SystemRoot%\l2schemas ->  [Folder | Created Date = 30/08/2008 11:52:25 AM | Attr =	]

14 C:\WINDOW\*.tmp files -> C:\WINDOW\*.tmp -> 

network diagnostic -> %SystemRoot%\network diagnostic ->  [Folder | Created Date = 30/08/2008 11:48:52 AM | Attr =	]

Prefetch -> %SystemRoot%\Prefetch ->  [Folder | Created Date = 30/08/2008 12:19:45 PM | Attr =	]

[Files Created - Additional Folder Scans - Non-Microsoft Only]

acccore -> %AllUsersProfile%\Application Data\acccore ->  [Folder | Created Date = 30/08/2008 3:29:32 PM | Attr =	]

Malwarebytes -> %AllUsersProfile%\Application Data\Malwarebytes ->  [Folder | Created Date = 12/09/2008 5:05:01 PM | Attr =	]

DAEMON Tools -> %AppData%\DAEMON Tools ->  [Folder | Created Date = 20/08/2008 7:19:37 PM | Attr =	]

Malwarebytes -> %AppData%\Malwarebytes ->  [Folder | Created Date = 12/09/2008 5:05:07 PM | Attr =	]

msnlog -> %UserProfile%\Local Settings\Application Data\msnlog ->  [Folder | Created Date = 22/08/2008 12:36:51 AM | Attr =	]

Anti-Malware_stuff.rar -> %UserProfile%\My Documents\Anti-Malware_stuff.rar ->  [Ver =  | Size = 605777 bytes | Created Date = 19/09/2008 3:22:36 PM | Attr =	]

default.jpg -> %UserProfile%\My Documents\default.jpg ->  [Ver =  | Size = 3249 bytes | Created Date = 18/09/2008 4:28:23 PM | Attr =	]

LimeWire -> %UserProfile%\My Documents\LimeWire ->  [Folder | Created Date = 18/09/2008 4:27:37 PM | Attr =	]

msn logs -> %UserProfile%\My Documents\msn logs ->  [Folder | Created Date = 22/08/2008 12:38:24 AM | Attr =	]

sig1.png -> %UserProfile%\My Documents\sig1.png ->  [Ver =  | Size = 32260 bytes | Created Date = 09/09/2008 5:01:31 PM | Attr =	]

sig2.png -> %UserProfile%\My Documents\sig2.png ->  [Ver =  | Size = 20698 bytes | Created Date = 09/09/2008 5:01:21 PM | Attr =	]

sig3.png -> %UserProfile%\My Documents\sig3.png ->  [Ver =  | Size = 31358 bytes | Created Date = 09/09/2008 5:01:09 PM | Attr =	]

vov.bmp -> %UserProfile%\My Documents\vov.bmp ->  [Ver =  | Size = 404474 bytes | Created Date = 18/09/2008 6:00:03 PM | Attr =	]

ZbThumbnail.info -> %UserProfile%\My Documents\ZbThumbnail.info ->  [Ver =  | Size = 2176 bytes | Created Date = 19/09/2008 10:10:04 AM | Attr =  H ]

AIM 6.lnk -> %AllUsersProfile%\Desktop\AIM 6.lnk ->  [Ver =  | Size = 1674 bytes | Created Date = 30/08/2008 3:29:32 PM | Attr =	]

Anti-Malware_stuff -> %UserProfile%\Desktop\Anti-Malware_stuff ->  [Folder | Created Date = 19/09/2008 3:23:21 PM | Attr =	]

HijackThis.lnk -> %UserProfile%\Desktop\HijackThis.lnk ->  [Ver =  | Size = 1734 bytes | Created Date = 28/08/2008 7:18:26 PM | Attr =	]

Incomplete -> %UserProfile%\Desktop\Incomplete ->  [Folder | Created Date = 18/09/2008 4:25:50 PM | Attr =	]

jre-6u7-windows-i586-p.exe -> %UserProfile%\Desktop\jre-6u7-windows-i586-p.exe ->  [Ver =  | Size = 15984024 bytes | Created Date = 16/09/2008 5:58:30 PM | Attr =	]

Limewire -> %UserProfile%\Desktop\Limewire ->  [Folder | Created Date = 18/09/2008 4:25:47 PM | Attr =	]

LimeWire PRO 4.18.7.lnk -> %UserProfile%\Desktop\LimeWire PRO 4.18.7.lnk ->  [Ver =  | Size = 1588 bytes | Created Date = 18/09/2008 4:24:07 PM | Attr =	]

MSN Lite -> %UserProfile%\Desktop\MSN Lite ->  [Folder | Created Date = 30/08/2008 6:00:12 PM | Attr =	]

spybotsd160.exe -> %UserProfile%\Desktop\spybotsd160.exe -> Safer Networking Limited									 [Ver = 1.6.0				| Size = 14968808 bytes | Created Date = 29/08/2008 2:08:38 AM | Attr =	]

YouTube Downloader.lnk -> %UserProfile%\Desktop\YouTube Downloader.lnk ->  [Ver =  | Size = 797 bytes | Created Date = 25/08/2008 7:10:42 PM | Attr =	]

AIM6 -> %ProgramFiles%\AIM6 ->  [Folder | Created Date = 30/08/2008 3:29:02 PM | Attr =	]

Apaflbcv -> %ProgramFiles%\Apaflbcv ->  [Folder | Created Date = 30/08/2008 3:02:56 PM | Attr =	]

Bhddeivz -> %ProgramFiles%\Bhddeivz ->  [Folder | Created Date = 30/08/2008 12:34:14 PM | Attr =	]

Bhddeivz2 -> %ProgramFiles%\Bhddeivz2 ->  [Folder | Created Date = 30/08/2008 12:34:10 PM | Attr =	]

DAEMON Tools -> %ProgramFiles%\DAEMON Tools ->  [Folder | Created Date = 20/08/2008 7:31:39 PM | Attr =	]

LimeWire -> %ProgramFiles%\LimeWire ->  [Folder | Created Date = 18/09/2008 4:24:00 PM | Attr =	]

Macclkop -> %ProgramFiles%\Macclkop ->  [Folder | Created Date = 30/08/2008 12:33:59 PM | Attr =	]

Malwarebytes' Anti-Malware -> %ProgramFiles%\Malwarebytes' Anti-Malware ->  [Folder | Created Date = 12/09/2008 5:05:01 PM | Attr =	]

Sun -> %ProgramFiles%\Sun ->  [Folder | Created Date = 16/09/2008 11:19:57 AM | Attr =	]

Trend Micro -> %ProgramFiles%\Trend Micro ->  [Folder | Created Date = 28/08/2008 7:18:26 PM | Attr =	]

Uvonsmcn -> %ProgramFiles%\Uvonsmcn ->  [Folder | Created Date = 30/08/2008 3:03:07 PM | Attr =	]

Uvonsmcn2 -> %ProgramFiles%\Uvonsmcn2 ->  [Folder | Created Date = 30/08/2008 3:03:05 PM | Attr =	]

YouTube Downloader -> %ProgramFiles%\YouTube Downloader ->  [Folder | Created Date = 25/08/2008 7:10:40 PM | Attr =	]

[Files/Folders - Modified Within 30 days]

boot.ini -> %SystemDrive%\boot.ini ->  [Ver =  | Size = 302 bytes | Modified Date = 11/09/2008 7:06:01 PM | Attr = RHS]

IPH.PH -> %SystemDrive%\IPH.PH ->  [Ver =  | Size = 1093 bytes | Modified Date = 30/08/2008 3:29:45 PM | Attr =  H ]

ntldr -> %SystemDrive%\ntldr ->  [Ver =  | Size = 250048 bytes | Modified Date = 30/08/2008 11:48:30 AM | Attr = RHS]

Vtks Revolt.ttf -> %SystemDrive%\Vtks Revolt.ttf ->  [Ver =  | Size = 158556 bytes | Modified Date = 02/09/2008 9:06:10 AM | Attr =	]

sptd.sys -> %SystemRoot%\System32\drivers\sptd.sys ->  [Ver =  | Size = 717296 bytes | Modified Date = 20/08/2008 7:20:06 PM | Attr =	]

1 C:\WINDOW\System32\*.tmp files -> C:\WINDOW\System32\*.tmp -> 

d3d9caps.dat -> %SystemRoot%\System32\d3d9caps.dat ->  [Ver =  | Size = 8140 bytes | Modified Date = 31/08/2008 8:02:39 PM | Attr =	]

FNTCACHE.DAT -> %SystemRoot%\System32\FNTCACHE.DAT ->  [Ver =  | Size = 298048 bytes | Modified Date = 09/09/2008 5:15:34 PM | Attr =	]

MRT.INI -> %SystemRoot%\System32\MRT.INI ->  [Ver =  | Size = 127 bytes | Modified Date = 11/09/2008 9:49:13 AM | Attr =	]

perfc009.dat -> %SystemRoot%\System32\perfc009.dat ->  [Ver =  | Size = 77404 bytes | Modified Date = 30/08/2008 3:06:18 PM | Attr =	]

perfh009.dat -> %SystemRoot%\System32\perfh009.dat ->  [Ver =  | Size = 455136 bytes | Modified Date = 30/08/2008 3:06:18 PM | Attr =	]

PerfStringBackup.INI -> %SystemRoot%\System32\PerfStringBackup.INI ->  [Ver =  | Size = 542934 bytes | Modified Date = 30/08/2008 3:06:18 PM | Attr =	]

wpa.dbl -> %SystemRoot%\System32\wpa.dbl ->  [Ver =  | Size = 13646 bytes | Modified Date = 19/09/2008 2:56:01 PM | Attr =	]

xfcodec.dll -> %SystemRoot%\System32\xfcodec.dll ->  [Ver = 33914 | Size = 42320 bytes | Modified Date = 27/08/2008 5:03:26 PM | Attr =	]

14 C:\WINDOW\*.tmp files -> C:\WINDOW\*.tmp -> 

bootstat.dat -> %SystemRoot%\bootstat.dat ->  [Ver =  | Size = 2048 bytes | Modified Date = 19/09/2008 2:55:10 PM | Attr =   S]

imsins.BAK -> %SystemRoot%\imsins.BAK ->  [Ver =  | Size = 1374 bytes | Modified Date = 11/09/2008 9:45:50 AM | Attr =	]

system.ini -> %SystemRoot%\system.ini ->  [Ver =  | Size = 0 bytes | Modified Date = 11/09/2008 7:06:01 PM | Attr =	]

win.ini -> %SystemRoot%\win.ini ->  [Ver =  | Size = 1620 bytes | Modified Date = 11/09/2008 7:06:01 PM | Attr =	]

WININIT.INI -> %SystemRoot%\WININIT.INI ->  [Ver =  | Size = 171 bytes | Modified Date = 29/08/2008 3:17:10 PM | Attr =	]

WMSysPr9.prx -> %SystemRoot%\WMSysPr9.prx ->  [Ver =  | Size = 316640 bytes | Modified Date = 30/08/2008 12:20:18 PM | Attr =	]

MP Scheduled Scan.job -> %SystemRoot%\tasks\MP Scheduled Scan.job ->  [Ver =  | Size = 330 bytes | Modified Date = 19/09/2008 2:58:35 PM | Attr =  H ]

SA.DAT -> %SystemRoot%\tasks\SA.DAT ->  [Ver =  | Size = 6 bytes | Modified Date = 19/09/2008 2:55:21 PM | Attr =  H ]

C:\Documents and Settings\All Users.WINDOW\Application Data\Microsoft\HTML Help\ -> C:\Documents and Settings\All Users.WINDOW\Application Data\Microsoft\HTML Help ->  [Folder | Modified Date = 01/03/2005 3:11:22 PM | Attr =	]

hhcolreg.dat -> C:\Documents and Settings\All Users.WINDOW\Application Data\Microsoft\HTML Help\hhcolreg.dat ->  [Ver =  | Size = 1309 bytes | Modified Date = 01/03/2005 3:11:22 PM | Attr =	]

C:\Documents and Settings\All Users.WINDOW\Application Data\Microsoft\Money\12.0\Webcache\ -> C:\Documents and Settings\All Users.WINDOW\Application Data\Microsoft\Money\12.0\Webcache ->  [Folder | Modified Date = 01/03/2005 5:03:08 PM | Attr =	]

about.dat -> C:\Documents and Settings\All Users.WINDOW\Application Data\Microsoft\Money\12.0\Webcache\about.dat ->  [Ver =  | Size = 1528 bytes | Modified Date = 18/06/2003 1:00:00 PM | Attr =	]

college.dat -> C:\Documents and Settings\All Users.WINDOW\Application Data\Microsoft\Money\12.0\Webcache\college.dat ->  [Ver =  | Size = 327746 bytes | Modified Date = 18/06/2003 1:00:00 PM | Attr =	]

moreinfo.dat -> C:\Documents and Settings\All Users.WINDOW\Application Data\Microsoft\Money\12.0\Webcache\moreinfo.dat ->  [Ver =  | Size = 102 bytes | Modified Date = 18/06/2003 1:00:00 PM | Attr =	]

ylpgscat.dat -> C:\Documents and Settings\All Users.WINDOW\Application Data\Microsoft\Money\12.0\Webcache\ylpgscat.dat ->  [Ver =  | Size = 12283223 bytes | Modified Date = 18/06/2003 1:00:00 PM | Attr =	]

C:\Documents and Settings\All Users.WINDOW\Application Data\Microsoft\Network\Downloader\ -> C:\Documents and Settings\All Users.WINDOW\Application Data\Microsoft\Network\Downloader ->  [Folder | Modified Date = 01/03/2005 4:40:31 PM | Attr =	]

qmgr0.dat -> C:\Documents and Settings\All Users.WINDOW\Application Data\Microsoft\Network\Downloader\qmgr0.dat ->  [Ver =  | Size = 4232 bytes | Modified Date = 19/09/2008 7:13:38 AM | Attr =	]

qmgr1.dat -> C:\Documents and Settings\All Users.WINDOW\Application Data\Microsoft\Network\Downloader\qmgr1.dat ->  [Ver =  | Size = 5479 bytes | Modified Date = 19/09/2008 7:13:38 AM | Attr =	]

C:\Documents and Settings\All Users.WINDOW\Application Data\Microsoft\Office\Data\ -> C:\Documents and Settings\All Users.WINDOW\Application Data\Microsoft\Office\Data ->  [Folder | Modified Date = 09/10/2005 4:54:34 PM | Attr =	]

data.dat -> C:\Documents and Settings\All Users.WINDOW\Application Data\Microsoft\Office\Data\data.dat ->  [Ver =  | Size = 3804 bytes | Modified Date = 30/11/2005 2:26:48 PM | Attr =	]

C:\Documents and Settings\All Users.WINDOW\Application Data\Microsoft\VBExpress\8.0\ -> C:\Documents and Settings\All Users.WINDOW\Application Data\Microsoft\VBExpress\8.0 ->  [Folder | Modified Date = 19/07/2005 1:23:31 AM | Attr =	]

vbexpress000223.dat -> C:\Documents and Settings\All Users.WINDOW\Application Data\Microsoft\VBExpress\8.0\vbexpress000223.dat ->  [Ver =  | Size = 53674 bytes | Modified Date = 19/07/2005 1:23:05 AM | Attr =  H ]

C:\Documents and Settings\All Users.WINDOW\Application Data\Microsoft\Works\ -> C:\Documents and Settings\All Users.WINDOW\Application Data\Microsoft\Works ->  [Folder | Modified Date = 09/10/2005 4:54:17 PM | Attr =	]

wkcalcat.dat -> C:\Documents and Settings\All Users.WINDOW\Application Data\Microsoft\Works\wkcalcat.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 09/10/2005 4:54:07 PM | Attr =	]

wklntsk1.dat -> C:\Documents and Settings\All Users.WINDOW\Application Data\Microsoft\Works\wklntsk1.dat ->  [Ver =  | Size = 193946 bytes | Modified Date = 09/09/2008 7:28:47 PM | Attr =	]

C:\Documents and Settings\ryan\Local Settings\Temp\ -> C:\Documents and Settings\ryan\Local Settings\Temp ->  [Folder | Modified Date = 19/09/2008 3:25:17 PM | Attr =	]

jre-6u7-windows-i586-p-iftw_bdb28397.exe -> C:\Documents and Settings\ryan\Local Settings\Temp\jre-6u7-windows-i586-p-iftw_bdb28397.exe -> Sun Microsystems, Inc. [Ver = 6.0.70.6 | Size = 382352 bytes | Modified Date = 10/06/2008 8:53:46 AM | Attr =	]

vmgrremok.exe -> C:\Documents and Settings\ryan\Local Settings\Temp\vmgrremok.exe -> Viewpoint Corporation [Ver = 2, 0, 0, 54 | Size = 98380 bytes | Modified Date = 04/01/2007 5:38:06 PM | Attr =	]

vmpremov.exe -> C:\Documents and Settings\ryan\Local Settings\Temp\vmpremov.exe -> Viewpoint Corporation [Ver = 3, 5, 0, 61 | Size = 114688 bytes | Modified Date = 06/02/2008 8:57:07 PM | Attr =	]

214 C:\Documents and Settings\ryan\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\ryan\Local Settings\Temp\*.tmp -> 

C:\Documents and Settings\ryan\Local Settings\Temp\Temporary Directory 1 for avi.NET.zip\ -> C:\Documents and Settings\ryan\Local Settings\Temp\Temporary Directory 1 for avi.NET.zip\ ->  [Folder | Modified Date = 24/03/2008 7:26:05 PM | Attr =  H ]

avi.NET v2.5.8.0.exe -> C:\Documents and Settings\ryan\Local Settings\Temp\Temporary Directory 1 for avi.NET.zip\avi.NET v2.5.8.0.exe -> clone.AD													 [Ver = 2.5.8.0			  | Size = 1727275 bytes | Modified Date = 29/02/2008 11:25:48 PM | Attr =	]

C:\Documents and Settings\ryan\Local Settings\Temp\Temporary Directory 1 for HALO LOL.zip\ -> C:\Documents and Settings\ryan\Local Settings\Temp\Temporary Directory 1 for HALO LOL.zip\ ->  [Folder | Modified Date = 08/07/2008 3:10:53 PM | Attr =  H ]

HALO LOL.exe -> C:\Documents and Settings\ryan\Local Settings\Temp\Temporary Directory 1 for HALO LOL.zip\HALO LOL.exe ->  [Ver = 1.0.1.0 | Size = 53248 bytes | Modified Date = 10/07/2007 3:03:06 AM | Attr =	]

C:\Documents and Settings\ryan\Local Settings\Temp\Temporary Directory 1 for Halo PC 1.08 Aimbot.zip\ -> C:\Documents and Settings\ryan\Local Settings\Temp\Temporary Directory 1 for Halo PC 1.08 Aimbot.zip\ ->  [Folder | Modified Date = 12/08/2008 4:39:26 PM | Attr =  H ]

Halo PC 1.08 Aimbot.exe -> C:\Documents and Settings\ryan\Local Settings\Temp\Temporary Directory 1 for Halo PC 1.08 Aimbot.zip\Halo PC 1.08 Aimbot.exe ->  [Ver = 0.1.0.0 | Size = 45056 bytes | Modified Date = 11/08/2008 6:00:44 PM | Attr =	]

C:\Documents and Settings\ryan\Local Settings\Temp\Temporary Directory 1 for hl2substancev12goldfinal.zip\ -> C:\Documents and Settings\ryan\Local Settings\Temp\Temporary Directory 1 for hl2substancev12goldfinal.zip\ ->  [Folder | Modified Date = 18/04/2008 8:59:31 PM | Attr =  H ]

HL2Substance-v12-Gold-Final.exe -> C:\Documents and Settings\ryan\Local Settings\Temp\Temporary Directory 1 for hl2substancev12goldfinal.zip\HL2Substance-v12-Gold-Final.exe ->  [Ver =  | Size = 138889933 bytes | Modified Date = 03/01/2006 1:54:10 PM | Attr = R  ]

C:\Documents and Settings\ryan\Local Settings\Temp\Temporary Directory 1 for MDBPlus.zip\ -> C:\Documents and Settings\ryan\Local Settings\Temp\Temporary Directory 1 for MDBPlus.zip\ ->  [Folder | Modified Date = 24/07/2008 3:09:06 PM | Attr =  H ]

MDBPlus.exe -> C:\Documents and Settings\ryan\Local Settings\Temp\Temporary Directory 1 for MDBPlus.zip\MDBPlus.exe ->  [Ver =  | Size = 1803264 bytes | Modified Date = 24/07/2008 3:09:06 PM | Attr = R  ]

C:\Documents and Settings\ryan\Local Settings\Temp\Temporary Directory 1 for xhfe.zip\ -> C:\Documents and Settings\ryan\Local Settings\Temp\Temporary Directory 1 for xhfe.zip\ ->  [Folder | Modified Date = 20/04/2008 4:55:57 PM | Attr =  H ]

Xhzjang's Halo Font Editor.exe -> C:\Documents and Settings\ryan\Local Settings\Temp\Temporary Directory 1 for xhfe.zip\Xhzjang's Halo Font Editor.exe ->  [Ver = 1, 0, 0, 1 | Size = 90112 bytes | Modified Date = 19/02/2004 2:02:20 PM | Attr =	]

C:\Documents and Settings\ryan\Local Settings\Temp\Temporary Directory 2 for xhfe.zip\ -> C:\Documents and Settings\ryan\Local Settings\Temp\Temporary Directory 2 for xhfe.zip\ ->  [Folder | Modified Date = 20/04/2008 5:03:55 PM | Attr =  H ]

Xhzjang's Halo Font Editor.exe -> C:\Documents and Settings\ryan\Local Settings\Temp\Temporary Directory 2 for xhfe.zip\Xhzjang's Halo Font Editor.exe ->  [Ver = 1, 0, 0, 1 | Size = 90112 bytes | Modified Date = 19/02/2004 2:02:20 PM | Attr =	]

C:\Documents and Settings\ryan\Local Settings\Temp\Temporary Directory 3 for xhfe.zip\ -> C:\Documents and Settings\ryan\Local Settings\Temp\Temporary Directory 3 for xhfe.zip\ ->  [Folder | Modified Date = 20/04/2008 9:32:18 PM | Attr =  H ]

Xhzjang's Halo Font Editor.exe -> C:\Documents and Settings\ryan\Local Settings\Temp\Temporary Directory 3 for xhfe.zip\Xhzjang's Halo Font Editor.exe ->  [Ver = 1, 0, 0, 1 | Size = 90112 bytes | Modified Date = 19/02/2004 2:02:20 PM | Attr =	]

C:\Documents and Settings\ryan\Local Settings\Temp\ -> C:\Documents and Settings\ryan\Local Settings\Temp ->  [Folder | Modified Date = 19/09/2008 3:25:17 PM | Attr =	]

parcce.dat -> C:\Documents and Settings\ryan\Local Settings\Temp\parcce.dat ->  [Ver =  | Size = 91 bytes | Modified Date = 18/09/2008 7:32:41 PM | Attr =	]

Perflib_Perfdata_24c.dat -> C:\Documents and Settings\ryan\Local Settings\Temp\Perflib_Perfdata_24c.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 07/09/2008 3:47:33 PM | Attr =	]

Perflib_Perfdata_284.dat -> C:\Documents and Settings\ryan\Local Settings\Temp\Perflib_Perfdata_284.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 11/09/2008 5:04:45 PM | Attr =	]

Perflib_Perfdata_808.dat -> C:\Documents and Settings\ryan\Local Settings\Temp\Perflib_Perfdata_808.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 07/09/2008 3:06:12 PM | Attr =	]

Perflib_Perfdata_9fc.dat -> C:\Documents and Settings\ryan\Local Settings\Temp\Perflib_Perfdata_9fc.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 07/09/2008 8:17:45 PM | Attr =	]

Perflib_Perfdata_ae0.dat -> C:\Documents and Settings\ryan\Local Settings\Temp\Perflib_Perfdata_ae0.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 04/09/2008 4:18:18 PM | Attr =	]

Perflib_Perfdata_b58.dat -> C:\Documents and Settings\ryan\Local Settings\Temp\Perflib_Perfdata_b58.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 07/09/2008 7:32:30 PM | Attr =	]

Perflib_Perfdata_b98.dat -> C:\Documents and Settings\ryan\Local Settings\Temp\Perflib_Perfdata_b98.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 07/09/2008 7:32:26 PM | Attr =	]

Perflib_Perfdata_d04.dat -> C:\Documents and Settings\ryan\Local Settings\Temp\Perflib_Perfdata_d04.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 07/09/2008 3:48:03 PM | Attr =	]

Perflib_Perfdata_e88.dat -> C:\Documents and Settings\ryan\Local Settings\Temp\Perflib_Perfdata_e88.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 11/09/2008 7:55:08 PM | Attr =	]

214 C:\Documents and Settings\ryan\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\ryan\Local Settings\Temp\*.tmp -> 

C:\Documents and Settings\ryan\Local Settings\Temp\Cookies\ -> C:\Documents and Settings\ryan\Local Settings\Temp\Cookies ->  [Folder | Modified Date = 03/01/2008 2:46:02 AM | Attr =  HS]

index.dat -> C:\Documents and Settings\ryan\Local Settings\Temp\Cookies\index.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 03/01/2008 2:46:00 AM | Attr =  HS]

C:\Documents and Settings\ryan\Local Settings\Temp\History\History.IE5\ -> C:\Documents and Settings\ryan\Local Settings\Temp\History\History.IE5\ ->  [Folder | Modified Date = 03/01/2008 2:46:02 AM | Attr =  HS]

index.dat -> C:\Documents and Settings\ryan\Local Settings\Temp\History\History.IE5\index.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 03/01/2008 2:46:00 AM | Attr =  HS]

C:\Documents and Settings\ryan\Local Settings\Temp\Temporary Internet Files\Content.IE5\ -> C:\Documents and Settings\ryan\Local Settings\Temp\Temporary Internet Files\Content.IE5\ ->  [Folder | Modified Date = 03/01/2008 2:46:02 AM | Attr =  HS]

index.dat -> C:\Documents and Settings\ryan\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 03/01/2008 2:46:00 AM | Attr =  HS]

C:\Documents and Settings\ryan\Local Settings\Temp\History\History.IE5\ -> C:\Documents and Settings\ryan\Local Settings\Temp\History\History.IE5\ ->  [Folder | Modified Date = 03/01/2008 2:46:02 AM | Attr =  HS]

desktop.ini -> C:\Documents and Settings\ryan\Local Settings\Temp\History\History.IE5\desktop.ini ->  [Ver =  | Size = 113 bytes | Modified Date = 03/01/2008 2:46:02 AM | Attr =  HS]

C:\Documents and Settings\ryan\Local Settings\Temp\Temporary Internet Files\Content.IE5\ -> C:\Documents and Settings\ryan\Local Settings\Temp\Temporary Internet Files\Content.IE5\ ->  [Folder | Modified Date = 03/01/2008 2:46:02 AM | Attr =  HS]

desktop.ini -> C:\Documents and Settings\ryan\Local Settings\Temp\Temporary Internet Files\Content.IE5\desktop.ini ->  [Ver =  | Size = 67 bytes | Modified Date = 03/01/2008 2:46:02 AM | Attr =  HS]

C:\WINDOW\Temp\ -> C:\WINDOW\Temp ->  [Folder | Modified Date = 19/09/2008 3:24:59 PM | Attr =	]

rtdrvmon.exe -> C:\WINDOW\Temp\rtdrvmon.exe -> Realtek [Ver = 1, 0, 0, 3 | Size = 40960 bytes | Modified Date = 19/09/2008 2:55:35 PM | Attr =	]

6 C:\WINDOW\Temp\*.tmp files -> C:\WINDOW\Temp\*.tmp -> 

C:\WINDOW\Temp\Cookies\ -> C:\WINDOW\Temp\Cookies ->  [Folder | Modified Date = 10/04/2006 8:15:43 AM | Attr =   S]

index.dat -> C:\WINDOW\Temp\Cookies\index.dat ->  [Ver =  | Size = 32768 bytes | Modified Date = 10/04/2006 7:36:22 PM | Attr =	]

C:\WINDOW\Temp\History\History.IE5\ -> C:\WINDOW\Temp\History\History.IE5\ ->  [Folder | Modified Date = 06/03/2006 12:57:36 PM | Attr =   S]

index.dat -> C:\WINDOW\Temp\History\History.IE5\index.dat ->  [Ver =  | Size = 32768 bytes | Modified Date = 10/04/2006 7:36:22 PM | Attr =	]

C:\WINDOW\Temp\Temporary Internet Files\Content.IE5\ -> C:\WINDOW\Temp\Temporary Internet Files\Content.IE5\ ->  [Folder | Modified Date = 22/11/2005 4:13:52 PM | Attr =   S]

index.dat -> C:\WINDOW\Temp\Temporary Internet Files\Content.IE5\index.dat ->  [Ver =  | Size = 32768 bytes | Modified Date = 10/04/2006 7:36:22 PM | Attr =	]

C:\WINDOW\Temp\History\History.IE5\ -> C:\WINDOW\Temp\History\History.IE5\ ->  [Folder | Modified Date = 06/03/2006 12:57:36 PM | Attr =   S]

desktop.ini -> C:\WINDOW\Temp\History\History.IE5\desktop.ini ->  [Ver =  | Size = 113 bytes | Modified Date = 22/11/2005 4:13:52 PM | Attr =  HS]

C:\WINDOW\Temp\Temporary Internet Files\Content.IE5\ -> C:\WINDOW\Temp\Temporary Internet Files\Content.IE5\ ->  [Folder | Modified Date = 22/11/2005 4:13:52 PM | Attr =   S]

desktop.ini -> C:\WINDOW\Temp\Temporary Internet Files\Content.IE5\desktop.ini ->  [Ver =  | Size = 67 bytes | Modified Date = 22/11/2005 4:13:52 PM | Attr =  HS]

C:\WINDOW\Temp\Temporary Internet Files\Content.IE5\CPM7S1EN\ -> C:\WINDOW\Temp\Temporary Internet Files\Content.IE5\CPM7S1EN ->  [Folder | Modified Date = 08/03/2006 8:59:42 PM | Attr =   S]

desktop.ini -> C:\WINDOW\Temp\Temporary Internet Files\Content.IE5\CPM7S1EN\desktop.ini ->  [Ver =  | Size = 67 bytes | Modified Date = 22/11/2005 4:13:52 PM | Attr =  HS]

mcltvers[1].ini -> C:\WINDOW\Temp\Temporary Internet Files\Content.IE5\CPM7S1EN\mcltvers[1].ini ->  [Ver =  | Size = 2657 bytes | Modified Date = 30/11/2005 12:01:37 PM | Attr =	]

C:\WINDOW\Temp\Temporary Internet Files\Content.IE5\G56J8LMJ\ -> C:\WINDOW\Temp\Temporary Internet Files\Content.IE5\G56J8LMJ ->  [Folder | Modified Date = 15/02/2006 9:40:47 PM | Attr =   S]

desktop.ini -> C:\WINDOW\Temp\Temporary Internet Files\Content.IE5\G56J8LMJ\desktop.ini ->  [Ver =  | Size = 67 bytes | Modified Date = 22/11/2005 4:13:52 PM | Attr =  HS]

C:\WINDOW\Temp\Temporary Internet Files\Content.IE5\VH9GDMSC\ -> C:\WINDOW\Temp\Temporary Internet Files\Content.IE5\VH9GDMSC ->  [Folder | Modified Date = 01/03/2006 10:07:45 PM | Attr =   S]

desktop.ini -> C:\WINDOW\Temp\Temporary Internet Files\Content.IE5\VH9GDMSC\desktop.ini ->  [Ver =  | Size = 67 bytes | Modified Date = 22/11/2005 4:13:52 PM | Attr =  HS]

C:\WINDOW\Temp\Temporary Internet Files\Content.IE5\YPQJTBPZ\ -> C:\WINDOW\Temp\Temporary Internet Files\Content.IE5\YPQJTBPZ ->  [Folder | Modified Date = 09/04/2006 7:30:09 PM | Attr =   S]

desktop.ini -> C:\WINDOW\Temp\Temporary Internet Files\Content.IE5\YPQJTBPZ\desktop.ini ->  [Ver =  | Size = 67 bytes | Modified Date = 22/11/2005 4:13:52 PM | Attr =  HS]

[Files Modified - Additional Folder Scans - Non-Microsoft Only]

wklnhst.dat -> %AppData%\wklnhst.dat ->  [Ver =  | Size = 5282 bytes | Modified Date = 09/09/2008 7:25:27 PM | Attr =	]

DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> %UserProfile%\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini ->  [Ver =  | Size = 105472 bytes | Modified Date = 16/09/2008 9:59:46 PM | Attr =	]

GDIPFONTCACHEV1.DAT -> %UserProfile%\Local Settings\Application Data\GDIPFONTCACHEV1.DAT ->  [Ver =  | Size = 88184 bytes | Modified Date = 11/09/2008 2:38:12 PM | Attr =	]

IconCache.db -> %UserProfile%\Local Settings\Application Data\IconCache.db ->  [Ver =  | Size = 2095504 bytes | Modified Date = 31/08/2008 1:39:53 PM | Attr =  H ]

Anti-Malware_stuff.rar -> %UserProfile%\My Documents\Anti-Malware_stuff.rar ->  [Ver =  | Size = 605777 bytes | Modified Date = 19/09/2008 3:22:51 PM | Attr =	]

default.jpg -> %UserProfile%\My Documents\default.jpg ->  [Ver =  | Size = 3249 bytes | Modified Date = 18/09/2008 4:28:41 PM | Attr =	]

My Sharing Folders.lnk -> %UserProfile%\My Documents\My Sharing Folders.lnk ->  [Ver =  | Size = 896 bytes | Modified Date = 31/08/2008 12:11:49 PM | Attr =	]

sig1.png -> %UserProfile%\My Documents\sig1.png ->  [Ver =  | Size = 32260 bytes | Modified Date = 09/09/2008 5:01:31 PM | Attr =	]

sig2.png -> %UserProfile%\My Documents\sig2.png ->  [Ver =  | Size = 20698 bytes | Modified Date = 09/09/2008 5:01:21 PM | Attr =	]

sig3.png -> %UserProfile%\My Documents\sig3.png ->  [Ver =  | Size = 31358 bytes | Modified Date = 09/09/2008 5:01:09 PM | Attr =	]

vov.bmp -> %UserProfile%\My Documents\vov.bmp ->  [Ver =  | Size = 404474 bytes | Modified Date = 18/09/2008 6:00:04 PM | Attr =	]

ZbThumbnail.info -> %UserProfile%\My Documents\ZbThumbnail.info ->  [Ver =  | Size = 2176 bytes | Modified Date = 19/09/2008 10:10:08 AM | Attr =  H ]

AIM 6.lnk -> %AllUsersProfile%\Desktop\AIM 6.lnk ->  [Ver =  | Size = 1674 bytes | Modified Date = 30/08/2008 3:29:32 PM | Attr =	]

HijackThis.lnk -> %UserProfile%\Desktop\HijackThis.lnk ->  [Ver =  | Size = 1734 bytes | Modified Date = 28/08/2008 7:18:26 PM | Attr =	]

jre-6u7-windows-i586-p.exe -> %UserProfile%\Desktop\jre-6u7-windows-i586-p.exe ->  [Ver =  | Size = 15984024 bytes | Modified Date = 16/09/2008 6:00:38 PM | Attr =	]

LimeWire PRO 4.18.7.lnk -> %UserProfile%\Desktop\LimeWire PRO 4.18.7.lnk ->  [Ver =  | Size = 1588 bytes | Modified Date = 18/09/2008 4:24:07 PM | Attr =	]

spybotsd160.exe -> %UserProfile%\Desktop\spybotsd160.exe -> Safer Networking Limited									 [Ver = 1.6.0				| Size = 14968808 bytes | Modified Date = 29/08/2008 2:10:41 AM | Attr =	]

YouTube Downloader.lnk -> %UserProfile%\Desktop\YouTube Downloader.lnk ->  [Ver =  | Size = 797 bytes | Modified Date = 25/08/2008 7:10:43 PM | Attr =	]



[CatchMe Rootkit Scan by GMER]

< Windows folder & sub-folders >

scanning hidden processes ...

scanning hidden services & system hive ...

disk error: C:\WINDOW\system32\config\system, 0

scanning hidden registry entries ...

disk error: C:\WINDOW\system32\config\software, 0

disk error: C:\Documents and Settings\ryan\ntuser.dat, 0

scanning hidden files ...

disk error: C:\WINDOW\

please note that you need administrator rights to perform deep scan

< Document and Settings folder & sub folders >

scanning hidden files ...

disk error: C:\Documents and Settings\

please note that you need administrator rights to perform deep scan



< End of report >


#8 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:06:44 PM

Posted 21 September 2008 - 12:03 AM

Hello, Jelly_man.
You have a Peer-To-Peer program installed.
Your log shows that you are using so-called peer-to-peer or file-sharing programs (in your case uTorrent). These programs allow users to share files with each other, as the name suggests. In today's world cyber crime has reached an enormous dimension, and any means is used to infect personal computers in order to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and they should thus be used with intense care. Some further reading on this subject, via the included links: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes copyright laws in many countries around the world, and you are putting yourself at risk of being prosecuted by organizations watching over the rights of the authors of such files (e.g. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

We need to run an OTScanIt Fix
  • Please reopen OTScanIt
  • Click on the Fix button
  • In the fix text area copy and paste in the following (Do not include the word CODE)
    [Kill Explorer]
    [Unregister Dlls]
    [Registry - Non-Microsoft Only]
    < Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\
    YN -> CmdMapping\\{2499216C-4BA5-11D5-BD9C-000103C116D5} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
    YN -> CmdMapping\\{3369AF0D-62E9-4bda-8103-B4C75499B578} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
    YN -> CmdMapping\\{44226DFF-747E-4edc-B30C-78752E50CD0C} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
    YN -> CmdMapping\\{461CC20B-FB6E-4f16-8FE8-C29359DB100E} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
    YN -> CmdMapping\\{6224f700-cba3-4071-b251-47cb894244cd} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
    YN -> CmdMapping\\{669695BC-A811-4A9D-8CDF-BA8C795F261C} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
    YN -> CmdMapping\\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
    YN -> CmdMapping\\{B13B4423-2647-4cfc-A4B3-C7D56CB83487} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
    YN -> CmdMapping\\{CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
    [Registry - Additional Scans - Non-Microsoft Only]
    < Disabled MSConfig Registry Items [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\
    YN -> #  L"h'9œ3rWC: hkey= key= -> 
    YN -> adorttdl hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %ProgramFiles%\Vbijgjng\adorttdl.exe
    < File Associations - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>\
    YN -> .com [@ = comfile] -> Reg Error: Value  does not exist or could not be read.
    YN -> .js [@ = JSFile] -> Reg Error: Key does not exist or could not be opened.
    [Files/Folders - Created Within 30 days]
    NY -> 1 C:\WINDOW\System32\*.tmp files -> C:\WINDOW\System32\*.tmp
    [Empty Temp Folders]
    [Start Explorer]
    [Reboot]
  • Press the Run Fix button.
  • Copy/Paste the resultant report in a reply here
We need to repair your Hosts file
  • Download HostsXpert.zip
  • Extract (unzip) HostsXpert.zip to a permanent folder on your hard drive such as C:\HostsXpert
  • Double-click HostsXpert.exe to run the program.
  • Click "Make Hosts Writable?" in the upper right corner (If available).
  • Click "Restore Microsoft's Hosts file" and then click "OK".
  • Click the X to exit the program.
Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

Please let me know if ESET works now :thumbsup:

In your next reply, please include the following:
  • OtScanIt Fix Report
  • A new HJT Log

Billy3

Edited by Billy O'Neal, 21 September 2008 - 12:03 AM.

Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
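The HostsXpert step in the post above restores Microsoft's default hosts file, which is the standard fix when a hijacked hosts file blackholes security vendors' sites (the inability to reach ESET and BleepingComputer reported in this thread is the classic symptom of that). The following is an added example, not part of the original post and not HostsXpert's code: a small Python script that parses a hosts file and flags entries that blackhole or redirect well-known domains. SAMPLE_HOSTS is constructed for the example, and SENSITIVE_SUFFIXES is an illustrative, assumed subset of the domains such malware likes to block.

```python
"""Hosts-file triage: find entries that blackhole or redirect well-known sites.

Added example for this thread; not part of the original post and not
HostsXpert's code. SAMPLE_HOSTS is constructed, and SENSITIVE_SUFFIXES is an
illustrative, assumed subset of the domains malware likes to block.
"""
import ipaddress

# The stock Windows XP hosts file contains a single mapping (comments aside).
DEFAULT_HOSTS = "127.0.0.1       localhost\n"

# Assumed list: security vendors, update servers and the search engine being redirected.
SENSITIVE_SUFFIXES = (
    "bleepingcomputer.com", "eset.com", "microsoft.com", "windowsupdate.com",
    "symantec.com", "mcafee.com", "kaspersky.com", "safer-networking.org",
    "google.com",
)


def parse_hosts(text):
    """Return [(lineno, ip_address, hostname)] for every mapping in a hosts file.

    Comments ('#' to end of line) and blank lines are skipped; one line may map
    several names to one address, so each name becomes its own tuple.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not a hosts mapping (malformed line)
        for host in parts[1:]:
            entries.append((lineno, ip, host.lower()))
    return entries


def is_sensitive(host):
    """True when host is one of the watched domains or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in SENSITIVE_SUFFIXES)


def triage(text):
    """Return [(lineno, ip, host, kind)] for watched names that are hijacked.

    kind is 'blackholed' when the name is sent to loopback or 0.0.0.0 (the site
    simply becomes unreachable) and 'redirected' when it points at any other
    address (the browser silently lands on a host the attacker controls).
    """
    findings = []
    for lineno, ip, host in parse_hosts(text):
        if not is_sensitive(host):
            continue
        kind = "blackholed" if (ip.is_loopback or ip.is_unspecified) else "redirected"
        findings.append((lineno, str(ip), host, kind))
    return findings


# Constructed sample, not the victim's actual hosts file.
SAMPLE_HOSTS = """# Constructed sample, not a real hosts file
127.0.0.1       localhost
127.0.0.1       www.eset.com
127.0.0.1       www.bleepingcomputer.com
0.0.0.0         update.symantec.com
203.0.113.7     www.google.com
127.0.0.1       ad.doubleclick.net   # an ad-blocking entry; not a watched domain
"""

if __name__ == "__main__":
    for lineno, ip, host, kind in triage(SAMPLE_HOSTS):
        print(f"line {lineno}: {host} -> {ip} ({kind})")
    print("stock XP hosts file is clean:", triage(DEFAULT_HOSTS) == [])
```

Restoring DEFAULT_HOSTS (what HostsXpert's "Restore Microsoft's Hosts file" does) throws away every other entry, which is why the post warns that custom entries such as the ad-blocking line must be re-added by hand; the triage list lets you see which entries were the hijack before you do that.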

#9 Jelly_man

Jelly_man
  • Topic Starter

  • Members
  • 12 posts
  • Local time:01:44 AM

Posted 21 September 2008 - 01:59 PM

OTScanIt Log:
Explorer killed successfully
[Registry - Non-Microsoft Only]
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{2499216C-4BA5-11D5-BD9C-000103C116D5} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2499216C-4BA5-11D5-BD9C-000103C116D5}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{3369AF0D-62E9-4bda-8103-B4C75499B578} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3369AF0D-62E9-4bda-8103-B4C75499B578}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{44226DFF-747E-4edc-B30C-78752E50CD0C} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44226DFF-747E-4edc-B30C-78752E50CD0C}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{461CC20B-FB6E-4f16-8FE8-C29359DB100E} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{461CC20B-FB6E-4f16-8FE8-C29359DB100E}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{6224f700-cba3-4071-b251-47cb894244cd} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6224f700-cba3-4071-b251-47cb894244cd}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{669695BC-A811-4A9D-8CDF-BA8C795F261C} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{669695BC-A811-4A9D-8CDF-BA8C795F261C}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{B13B4423-2647-4cfc-A4B3-C7D56CB83487} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B13B4423-2647-4cfc-A4B3-C7D56CB83487}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF819DA3-9882-4944-ADF5-6EF17ECF3C6E}\ not found.
[Registry - Additional Scans - Non-Microsoft Only]
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\# L"h'9œ3rWC: hkey= key=\ not found.
File not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\adorttdl hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ not found.
File not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.com\\'' updated successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.js\\'' updated successfully.
[Files/Folders - Created Within 30 days]
[Empty Temp Folders]
File delete failed. C:\Documents and Settings\ryan\Local Settings\Temp\etilqs_KkJrZ0WQfwc6sRPZikph scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOW\temp\ scheduled to be deleted on reboot.
File delete failed. C:\WINDOW\temp\ scheduled to be deleted on reboot.
File delete failed. C:\WINDOW\temp\ scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt by OldTimer - Version 1.0.19.0 fix logfile created on 09212008_142414

Files moved on Reboot...
File C:\Documents and Settings\ryan\Local Settings\Temp\etilqs_KkJrZ0WQfwc6sRPZikph not found!
Folder move failed. C:\WINDOW\temp\ scheduled to be moved on reboot.

Latest Hijackthis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:42:27 PM, on 21/09/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5335.0005)
Boot mode: Normal

Running processes:
C:\WINDOW\System32\smss.exe
C:\WINDOW\system32\winlogon.exe
C:\WINDOW\system32\services.exe
C:\WINDOW\system32\lsass.exe
C:\WINDOW\system32\Ati2evxx.exe
C:\WINDOW\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOW\System32\svchost.exe
C:\WINDOW\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOW\system32\LEXBCES.EXE
C:\WINDOW\system32\spoolsv.exe
C:\WINDOW\system32\LEXPPS.EXE
C:\WINDOW\Explorer.EXE
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOW\system32\PnkBstrA.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOW\System32\svchost.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOW\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOW\system32\mdm.exe
C:\WINDOW\system32\wscntfy.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOW\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOW\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=552...cid={SUB_CLCID}
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\RYAN\Application Data\Mozilla\Profiles\default\4s4fviwn.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-18\..\Run: [iLike] C:\Program Files\iLike\1.1.41\ilikesidebar.exe /checkforupdate (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [iLike] C:\Program Files\iLike\1.1.41\ilikesidebar.exe /checkforupdate (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe (file missing)
O9 - Extra button: Rogers Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOW\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOW\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab56986.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOW\system32\ieframe.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOW\system32\Ati2evxx.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOW\system32\LEXBCES.EXE
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOW\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOW\system32\YPCSER~1.EXE

--
End of file - 7712 bytes


ESET's site is still inaccessible.
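Reading a HijackThis log by eye means scanning each "Oxx - " section for a handful of tells: IE search settings blanked, autoruns registered in the SYSTEM or Default user hive, orphaned IE buttons, services with no vendor string, and browser add-ons loaded from odd locations. As an added example, not part of the thread and not HijackThis code, here is a small parser for the log format above with that set of triage rules. The rules are an assumed, illustrative subset of what a helper checks; the sample lines are copied from the log above, plus one constructed BHO line (marked in the code) that borrows a file name from the ComboFix deletions posted later in the thread.

```python
"""HijackThis log triage.

Added example; not part of the thread and not HijackThis code. The flagging
rules are an assumed, illustrative subset of what an analyst looks for; a hit
is a pointer to inspect, not a verdict.
"""
import re

# Every HJT item line looks like "O23 - Service: ..." or "R1 - HKCU\...".
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")

# Where a browser helper object normally lives on this XP box (assumed for the example).
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\progra~1\\")


def parse_hjt(text):
    """Return [(section_code, body)] for every HJT item line; other lines are ignored."""
    items = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            items.append((m.group("code"), m.group("body")))
    return items


def _bho_path(body):
    # "BHO: <name> - {CLSID} - <path>": the path is the last " - " field.
    return body.rsplit(" - ", 1)[-1].strip()


# (section codes, predicate on the body, reason reported)
RULES = [
    (("R0", "R1"), lambda b: b.rstrip().endswith("about:blank"),
     "IE search/start setting is about:blank"),
    (("O2",), lambda b: not _bho_path(b).lower().startswith(TRUSTED_PREFIXES),
     "BHO loaded from outside Program Files"),
    (("O4",), lambda b: "(User 'SYSTEM')" in b or "(User 'Default user')" in b,
     "autorun registered in the SYSTEM or Default user hive"),
    (("O9",), lambda b: b.rstrip().endswith("(file missing)"),
     "IE extra button points at a missing file (orphaned entry)"),
    (("O23",), lambda b: " - Unknown owner - " in b,
     "service binary carries no company information"),
]


def triage_hjt(text):
    """Return [(code, reason, body)] for every item that matches a rule."""
    findings = []
    for code, body in parse_hjt(text):
        for codes, pred, reason in RULES:
            if code in codes and pred(body):
                findings.append((code, reason, body))
                break
    return findings


# Lines copied from the log in this thread; the "(no name)" BHO line is constructed.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOW\system32\tdssadw.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKUS\S-1-5-18\..\Run: [iLike] C:\Program Files\iLike\1.1.41\ilikesidebar.exe /checkforupdate (User 'SYSTEM')
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOW\system32\PnkBstrA.exe
"""

if __name__ == "__main__":
    for code, reason, body in triage_hjt(SAMPLE_LOG):
        print(f"[{code}] {reason}\n      {body}")
```

Each hit still needs a human: PnkBstrA is PunkBuster's anti-cheat service and is flagged only because its binary ships without version information, while the constructed system32 BHO is the kind of entry that does warrant a closer look. The rules deliberately key on structure (which hive, which path, whether the file exists) rather than on file names, so they keep working when a family renames its components.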

#10 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:06:44 PM

Posted 21 September 2008 - 02:13 PM

Hello, Jelly_man.
We need to run ComboFix. In your next reply, please include the following:
  • ComboFix.txt

Billy3

#11 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:06:44 PM

Posted 24 September 2008 - 07:45 PM

Hello, Jelly_man.
Are you still here?

Billy3

#12 Jelly_man

Jelly_man
  • Topic Starter

  • Members
  • 12 posts
  • Local time:01:44 AM

Posted 25 September 2008 - 01:06 PM

Sorry, the guy took a while to get back to me.

He says that installing the recovery console by dragging-and-dropping fails. However, he is now able to use BleepingComputer and ESET's site. Can he continue to follow your instructions from the first post, or would you like a new HijackThis log?

#13 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:06:44 PM

Posted 25 September 2008 - 03:47 PM

Please post the CF log :thumbsup:

Billy3
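The ComboFix log posted in the next reply contains a "Files Created" listing, and two things stand out in it to an analyst: random eight-letter directory names under Program Files (Uvonsmcn, Bhddeivz, Macclkop, Apaflbcv) and the fact that several of them arrive in pairs, "Name" and "Name2", created in the same minute. As an added example, not part of the thread and not ComboFix's own logic, here is a Python script that parses that listing and ranks new directories on exactly those two signals. SAMPLE_CREATED is a subset of the log lines from the next post; the scoring rules are assumed triage heuristics whose output is a ranking for a human to check, not a verdict.

```python
"""Ranking new directories from a ComboFix "Files Created" listing.

Added example for this thread; not ComboFix's logic and not part of the
original post. The two scoring signals are assumed heuristics: a name that is
hard to pronounce (long consonant run) and a "Name"/"Name2" twin created in
the same parent directory in the same minute.
"""
import re
from collections import defaultdict

# "2008-08-30 15:03 . 2008-08-30 15:03 <DIR> d-------- C:\Program Files\Uvonsmcn2"
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. "
    r"(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d)\s+"
    r"(?P<size>[\d,]+|<DIR>)\s+(?P<attrs>\S+)\s+(?P<path>.+)$"
)
VOWELS = set("aeiouy")


def parse_created(text):
    """Return [(created_minute, is_dir, path)] for each ComboFix entry line."""
    out = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            out.append((m.group("created"), m.group("size") == "<DIR>", m.group("path")))
    return out


def longest_consonant_run(name):
    """Longest run of consecutive consonants; digits and punctuation break it.
    Pronounceable product names rarely exceed 3."""
    run = best = 0
    for ch in name.lower():
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def split_path(path):
    parent, _, name = path.rstrip("\\").rpartition("\\")
    return parent.lower(), name


def score_entries(entries, run_threshold=4):
    """Score every new directory: +1 random-looking name, +1 twin directory
    created in the same parent in the same minute. Highest score first."""
    dirs = [(created, path) for created, is_dir, path in entries if is_dir]
    siblings = defaultdict(list)  # (minute, parent) -> [name stems]
    for created, path in dirs:
        parent, name = split_path(path)
        siblings[(created, parent)].append(name.lower().rstrip("0123456789"))
    ranked = []
    for created, path in dirs:
        parent, name = split_path(path)
        reasons = []
        if longest_consonant_run(name) >= run_threshold:
            reasons.append("random-looking name")
        stem = name.lower().rstrip("0123456789")
        if siblings[(created, parent)].count(stem) > 1:
            reasons.append("twin directory created in the same minute")
        if reasons:
            ranked.append((len(reasons), path, reasons))
    ranked.sort(key=lambda r: (-r[0], r[1]))
    return ranked


# Subset of the ComboFix "Files Created" section posted in this thread.
SAMPLE_CREATED = r"""
2008-09-21 14:40 . 2008-09-21 14:40 <DIR> d-------- C:\HostsXpert
2008-09-21 14:24 . 2008-09-21 14:24 <DIR> d-------- C:\_OTScanIt
2008-09-18 16:24 . 2008-09-18 16:24 <DIR> d-------- C:\Program Files\LimeWire
2008-09-12 17:05 . 2008-09-12 17:05 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-12 17:05 . 2008-09-12 17:05 <DIR> d-------- C:\Documents and Settings\ryan\Application Data\Malwarebytes
2008-09-12 17:05 . 2008-09-12 17:05 <DIR> d-------- C:\Documents and Settings\All Users.WINDOW\Application Data\Malwarebytes
2008-09-12 17:05 . 2008-09-10 00:03 17,200 --a------ C:\WINDOW\system32\drivers\mbam.sys
2008-08-30 15:29 . 2008-08-30 15:29 <DIR> d-------- C:\Program Files\AIM6
2008-08-30 15:03 . 2008-08-30 15:03 <DIR> d-------- C:\Program Files\Uvonsmcn2
2008-08-30 15:03 . 2008-08-30 15:03 <DIR> d-------- C:\Program Files\Uvonsmcn
2008-08-30 15:02 . 2008-09-11 09:52 <DIR> d-------- C:\Program Files\Apaflbcv
2008-08-30 12:34 . 2008-08-30 12:34 <DIR> d-------- C:\WINDOW\system32\unnefmim
2008-08-30 12:34 . 2008-08-30 12:34 <DIR> d-------- C:\Program Files\Bhddeivz2
2008-08-30 12:34 . 2008-08-30 12:34 <DIR> d-------- C:\Program Files\Bhddeivz
2008-08-30 12:33 . 2008-08-30 12:33 <DIR> d-------- C:\Program Files\Macclkop
2008-08-28 19:18 . 2008-08-28 19:18 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-28 16:52 . 2008-08-28 16:52 12,288 --------- C:\WINDOW\system32\tdssserf.dll
"""

if __name__ == "__main__":
    for score, path, reasons in score_entries(parse_created(SAMPLE_CREATED)):
        print(f"{score}  {path}  ({'; '.join(reasons)})")
```

On the sample, the four paired Program Files directories score 2 and sort to the top, while the genuine tools (Malwarebytes, Trend Micro, LimeWire) score 0. The heuristic is not clean in either direction: C:\HostsXpert, installed by the helper's own instructions, scores 1 for its consonant run, and system32\unnefmim scores 0 because its letters happen to alternate nicely. That is why the output is a ranking to read alongside the creation timestamps rather than a list of things to delete.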

#14 Jelly_man

Jelly_man
  • Topic Starter

  • Members
  • 12 posts
  • Local time:01:44 AM

Posted 26 September 2008 - 04:11 PM

ComboFix 08-09-03.06 - ryan 2008-09-22 16:59:29.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.162 [GMT -4:00]
Running from: C:\Documents and Settings\ryan\Desktop\Anti-Malware_stuff\Combofix_files\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\ntldr.exe
C:\Program Files\Mozilla Firefox\plugins\NPNd2fn.dll
C:\WINDOW\system32\actskn43.ocx
C:\WINDOW\system32\cache329
C:\WINDOW\system32\cache329\B_329_0_0_106800.htm
C:\WINDOW\system32\cache329\B_329_0_0_107400.htm
C:\WINDOW\system32\cache329\B_329_1_0_449200.gif
C:\WINDOW\system32\cache329\B_329_1_0_449600.gif
C:\WINDOW\system32\cache329\B_329_1_0_454300.gif
C:\WINDOW\system32\cache329\B_329_2_0_106800.htm
C:\WINDOW\system32\cache329\B_329_2_0_107400.htm
C:\WINDOW\system32\cache329\B_329_3_0_106800.htm
C:\WINDOW\system32\cache329\B_329_3_0_107400.htm
C:\WINDOW\system32\cache329\B_329_4_0_111600.htm
C:\WINDOW\system32\cache329\B_329_4_0_152400.htm
C:\WINDOW\system32\cache329\B_329_4_0_155300.htm
C:\WINDOW\system32\cache329\B_329_4_0_164100.htm
C:\WINDOW\system32\cache329\t_B_329_0_0_106800.htm
C:\WINDOW\system32\cache329\t_B_329_0_0_107400.htm
C:\WINDOW\system32\cache329\t_B_329_2_0_106800.htm
C:\WINDOW\system32\cache329\t_B_329_2_0_107400.htm
C:\WINDOW\system32\cache329\t_B_329_3_0_106800.htm
C:\WINDOW\system32\cache329\t_B_329_3_0_107400.htm
C:\WINDOW\system32\cache329\t_B_329_4_0_111600.htm
C:\WINDOW\system32\cache329\t_B_329_4_0_152400.htm
C:\WINDOW\system32\cache329\t_B_329_4_0_155300.htm
C:\WINDOW\system32\cache329\t_B_329_4_0_164100.htm
C:\WINDOW\system32\mdm.exe
C:\WINDOW\system32\tdssadw.dll
C:\WINDOW\system32\tdssinit.dll
C:\WINDOW\system32\tdssl.dll
C:\WINDOW\system32\tdsslog.dll
C:\WINDOW\system32\tdssmain.dll
C:\WINDOW\system32\tdssservers.dat

.
((((((((((((((((((((((((( Files Created from 2008-08-22 to 2008-09-22 )))))))))))))))))))))))))))))))
.

2008-09-21 14:40 . 2008-09-21 14:40 <DIR> d-------- C:\HostsXpert
2008-09-21 14:24 . 2008-09-21 14:24 <DIR> d-------- C:\_OTScanIt
2008-09-18 16:24 . 2008-09-18 16:24 <DIR> d-------- C:\Program Files\LimeWire
2008-09-16 11:19 . 2008-09-16 11:19 <DIR> d-------- C:\Program Files\Sun
2008-09-12 17:05 . 2008-09-12 17:05 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-12 17:05 . 2008-09-12 17:05 <DIR> d-------- C:\Documents and Settings\ryan\Application Data\Malwarebytes
2008-09-12 17:05 . 2008-09-12 17:05 <DIR> d-------- C:\Documents and Settings\All Users.WINDOW\Application Data\Malwarebytes
2008-09-12 17:05 . 2008-09-10 00:04 38,528 --a------ C:\WINDOW\system32\drivers\mbamswissarmy.sys
2008-09-12 17:05 . 2008-09-10 00:03 17,200 --a------ C:\WINDOW\system32\drivers\mbam.sys
2008-09-02 09:06 . 2008-09-02 09:06 158,556 --a------ C:\Vtks Revolt.ttf
2008-08-31 21:05 . 2008-08-31 21:05 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-30 16:07 . 2008-09-07 18:38 <DIR> d-------- C:\fixwareout
2008-08-30 15:29 . 2008-08-30 15:29 <DIR> d-------- C:\Program Files\AIM6
2008-08-30 15:29 . 2008-08-30 15:29 <DIR> d-------- C:\Documents and Settings\All Users.WINDOW\Application Data\acccore
2008-08-30 15:03 . 2008-08-30 15:03 <DIR> d-------- C:\Program Files\Uvonsmcn2
2008-08-30 15:03 . 2008-08-30 15:03 <DIR> d-------- C:\Program Files\Uvonsmcn
2008-08-30 15:02 . 2008-09-11 09:52 <DIR> d-------- C:\Program Files\Apaflbcv
2008-08-30 13:36 . 2008-08-30 13:36 5,069,649 --a------ C:\Documents and Settings\All Users.aawqff
2008-08-30 12:34 . 2008-08-30 12:34 <DIR> d-------- C:\WINDOW\system32\unnefmim
2008-08-30 12:34 . 2008-08-30 12:34 <DIR> d-------- C:\Program Files\Bhddeivz2
2008-08-30 12:34 . 2008-08-30 12:34 <DIR> d-------- C:\Program Files\Bhddeivz
2008-08-30 12:33 . 2008-08-30 12:33 <DIR> d-------- C:\Program Files\Macclkop
2008-08-30 11:52 . 2008-08-30 11:52 <DIR> d-------- C:\WINDOW\system32\scripting
2008-08-30 11:52 . 2008-08-30 11:52 <DIR> d-------- C:\WINDOW\system32\en
2008-08-30 11:52 . 2008-08-30 11:52 <DIR> d-------- C:\WINDOW\l2schemas
2008-08-28 23:28 . 2008-04-13 20:12 69,120 --------- C:\WINDOW\system32\wlanapi.dll
2008-08-28 23:28 . 2008-04-13 20:12 53,248 --------- C:\WINDOW\system32\tsgqec.dll
2008-08-28 23:28 . 2008-04-13 20:12 50,688 --------- C:\WINDOW\system32\tspkg.dll
2008-08-28 23:26 . 2008-04-13 20:11 397,312 --------- C:\WINDOW\system32\mmcex.dll
2008-08-28 23:25 . 2008-04-13 20:11 650,752 --------- C:\WINDOW\system32\dot3ui.dll
2008-08-28 19:18 . 2008-08-28 19:18 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-28 16:52 . 2008-08-28 16:52 12,288 --------- C:\WINDOW\system32\tdssserf.dll
2008-08-27 17:03 . 2008-08-27 17:03 42,320 --a------ C:\WINDOW\system32\xfcodec.dll
2008-08-25 19:10 . 2008-08-25 19:10 <DIR> d-------- C:\Program Files\YouTube Downloader

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-22 19:14 --------- d-----w C:\Program Files\mIRC
2008-09-21 22:03 --------- d-----w C:\Documents and Settings\ryan\Application Data\uTorrent
2008-09-21 19:45 --------- d-----w C:\Program Files\Lexmark X1100 Series
2008-09-18 22:14 --------- d-----w C:\Documents and Settings\ryan\Application Data\Xfire
2008-09-18 21:44 --------- d-----w C:\Program Files\Xfire2
2008-09-16 22:13 --------- d-----w C:\Program Files\Java
2008-09-16 15:03 --------- d-----w C:\Program Files\Viewpoint
2008-09-16 15:03 --------- d-----w C:\Documents and Settings\ryan\Application Data\Viewpoint
2008-09-16 15:03 --------- d-----w C:\Documents and Settings\All Users.WINDOW\Application Data\Viewpoint
2008-09-09 23:25 5,282 -c--a-w C:\Documents and Settings\ryan\Application Data\wklnhst.dat
2008-09-03 01:04 --------- d-----w C:\Documents and Settings\All Users.WINDOW\Application Data\Spybot - Search & Destroy
2008-09-02 21:00 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-31 15:55 --------- d-----w C:\Program Files\Avi2Dvd
2008-08-31 15:47 --------- d-----w C:\Program Files\Sony
2008-08-30 22:17 --------- d-----w C:\Documents and Settings\All Users.WINDOW\Application Data\WLInstaller
2008-08-30 19:29 --------- d-----w C:\Program Files\Common Files\AOL
2008-08-30 17:36 --------- d-----w C:\Program Files\Utility
2008-08-30 14:38 --------- d-----w C:\Program Files\Image-Line
2008-08-27 23:50 --------- d-----w C:\Program Files\Ulnanshb2
2008-08-27 23:29 --------- d-----w C:\Program Files\Ersaxcgx2
2008-08-25 06:34 --------- d-----w C:\Program Files\Flock
2008-08-21 22:24 --------- d-----w C:\Documents and Settings\jesse.DAVID-REPZ4PHA9\Application Data\Viewpoint
2008-08-20 23:31 --------- d-----w C:\Program Files\DAEMON Tools
2008-08-20 23:20 717,296 ----a-w C:\WINDOW\system32\drivers\sptd.sys
2008-08-20 23:19 --------- d-----w C:\Documents and Settings\ryan\Application Data\DAEMON Tools
2008-08-15 11:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-12 23:39 --------- d-----w C:\Documents and Settings\jesse.DAVID-REPZ4PHA9\Application Data\acccore
2008-08-12 20:33 --------- d-----w C:\Program Files\iTunes
2008-08-12 20:33 --------- d-----w C:\Program Files\iPod
2008-08-12 20:21 --------- d-----w C:\Program Files\QuickTime
2008-08-12 02:46 --------- d-----w C:\Program Files\Audiosurf
2008-08-10 01:38 --------- d-----w C:\Program Files\EA GAMES
2008-08-09 17:47 86,024 ----a-w C:\Documents and Settings\ryan\Application Data\GDIPFONTCACHEV1.DAT
2008-08-09 14:09 --------- d-----w C:\Documents and Settings\jesse.DAVID-REPZ4PHA9\Application Data\MSN6
2008-08-09 13:00 --------- d-----w C:\Program Files\Last.fm
2008-08-09 13:00 --------- d-----w C:\Program Files\GSC
2008-08-09 13:00 --------- d-----w C:\Documents and Settings\ryan\Application Data\InstallShield
2008-08-09 12:59 --------- d-----w C:\Documents and Settings\All Users.WINDOW\Application Data\Last.fm
2008-08-09 12:14 --------- d-----w C:\Program Files\VstPlugins
2008-08-08 04:41 --------- d-----w C:\Program Files\Trillian
2008-07-24 19:51 --------- d-----w C:\Program Files\Microsoft Games
2008-07-19 02:10 94,920 ----a-w C:\WINDOW\system32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINDOW\system32\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINDOW\system32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOW\system32\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOW\system32\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOW\system32\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOW\system32\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOW\system32\wuaueng.dll
2008-07-19 02:07 270,880 ----a-w C:\WINDOW\system32\mucltui.dll
2008-07-19 02:07 210,976 ----a-w C:\WINDOW\system32\muweb.dll
2008-07-18 18:34 586,240 ----a-w C:\WINDOW\WLXPGSS.SCR
2008-07-13 00:02 23 -c--a-w C:\Documents and Settings\jesse.DAVID-REPZ4PHA9\jagex_runescape_preferences.dat
2008-07-07 20:26 253,952 ----a-w C:\WINDOW\system32\es.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOW\system32\mscms.dll
2007-09-10 22:34 22,328 -c--a-w C:\Documents and Settings\ryan\Application Data\PnkBstrK.sys
2006-08-03 21:16 449 -c--a-w C:\Program Files\Shortcut to 1964.lnk
2005-08-11 16:25 0 -c--a-w C:\Documents and Settings\jesse.DAVID-REPZ4PHA9\Application Data\wklnhst.dat
2005-04-18 17:51 5,096 -c--a-w C:\Documents and Settings\All Users.WINDOW\Application Data\ypinfo.bin
2005-02-28 22:40 68 -c--a-w C:\Documents and Settings\Unknown User\Application Data\tvmuknwrd.dll
2005-02-28 21:44 35 -c--a-w C:\Documents and Settings\Jesse\Application Data\tvmcwrd.dll
2005-02-28 21:44 103 -c--a-w C:\Documents and Settings\Jesse\Application Data\tvmuknwrd.dll
2005-02-28 21:39 60 -c--a-w C:\Documents and Settings\Jesse\Application Data\tvmdmns.dll
2005-02-28 21:26 63 -c--a-w C:\Documents and Settings\david\Application Data\tvmuknwrd.dll
2005-02-28 21:26 28 -c--a-w C:\Documents and Settings\david\Application Data\tvmcwrd.dll
2005-02-28 20:49 37 -c--a-w C:\Documents and Settings\DAVS\Application Data\tvmcwrd.dll
2005-02-28 02:56 0 -c--a-w C:\Documents and Settings\DAVS\Application Data\wklnhst.dat
2005-02-26 20:36 151 -c--a-w C:\Documents and Settings\dfdavid\Application Data\tvmuknwrd.dll
2005-02-14 19:43 5,684 -c--a-w C:\Documents and Settings\dfdavid\Application Data\wklnhst.dat
2004-12-17 00:49 0 -csha-r C:\Program Files\q330994.exe
2004-11-02 18:34 0 -c--a-w C:\Documents and Settings\david\Application Data\wklnhst.dat
2004-10-10 15:59 59,776 -c--a-w C:\Documents and Settings\dfdavid\Application Data\GDIPFONTCACHEV1.DAT
2003-08-27 22:19 36,963 -c--a-r C:\Program Files\Common Files\SM1updtr.dll
2006-05-06 16:42 7,260,160 ----a-w C:\Program Files\mozilla firefox\plugins\libvlc.dll
2005-07-21 01:14 10,856 -csha-w C:\WINDOW\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-08-06 50472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-14 185896]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

C:\Documents and Settings\jesse.DAVID-REPZ4PHA9\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-11-24 106496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= jl_mjpg2.drv
"VIDC.PIM1"= pclepim1.dll
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"msacm.l3fhg"= mp3fhg.acm
"msacm.imc"= imc32.acm
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOW^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users.WINDOW\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOW\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOW^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users.WINDOW\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOW\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOW^Start Menu^Programs^Startup^Run Google Web Accelerator.lnk]
path=C:\Documents and Settings\All Users.WINDOW\Start Menu\Programs\Startup\Run Google Web Accelerator.lnk
backup=C:\WINDOW\pss\Run Google Web Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^ryan^Start Menu^Programs^Startup^Anapod Manager.lnk]
path=C:\Documents and Settings\ryan\Start Menu\Programs\Startup\Anapod Manager.lnk
backup=C:\WINDOW\pss\Anapod Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^ryan^Start Menu^Programs^Startup^BitTorrent.lnk]
path=C:\Documents and Settings\ryan\Start Menu\Programs\Startup\BitTorrent.lnk
backup=C:\WINDOW\pss\BitTorrent.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^ryan^Start Menu^Programs^Startup^MOG-O-MATIC.lnk]
path=C:\Documents and Settings\ryan\Start Menu\Programs\Startup\MOG-O-MATIC.lnk
backup=C:\WINDOW\pss\MOG-O-MATIC.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^ryan^Start Menu^Programs^Startup^World Community Grid Agent.lnk]
path=C:\Documents and Settings\ryan\Start Menu\Programs\Startup\World Community Grid Agent.lnk
backup=C:\WINDOW\pss\World Community Grid Agent.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^ryan^Start Menu^Programs^Startup^Xfire.lnk]
path=C:\Documents and Settings\ryan\Start Menu\Programs\Startup\Xfire.lnk
backup=C:\WINDOW\pss\Xfire.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# Lh'9Ӝ3rWC:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# Lh'9Ӝ3rWC:\Program Files
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# Lh'9Ӝ3rWC:\Program Files\ISTsvc

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a--c--- 2005-06-07 00:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-08-06 11:21 50472 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CaAvTray]
--a--c--- 2006-04-11 11:49 230512 C:\Program Files\Yahoo!\Antivirus\CAVTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAVRID]
--a--c--- 2006-04-11 11:49 185456 C:\Program Files\Yahoo!\Antivirus\CAVRid.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-08-08 08:11 490952 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gvjymwnm]
--a--c--- 2007-08-03 15:52 46080 C:\Program Files\Vwbyprah\gvjymwnm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-07-30 10:47 289064 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 1200 Series]
--a------ 2006-07-13 01:22 57344 C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--------- 2008-08-18 18:41 1832272 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-02-14 18:22 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uxfmhxpl]
--a------ 2008-08-30 12:34 41984 C:\Program Files\Bhddeivz\uxfmhxpl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wxyripyr]
--a--c--- 2007-08-03 15:52 65536 C:\Program Files\wxyripyr\gbqrorqf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Xfire Music]
--a--c--- 2006-04-13 20:12 246201 C:\Program Files\Xfire\xfiremusic.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2005-09-14 13:26 3084288 C:\Program Files\Yahoo!\Messenger\YPager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YOP]
--a------ 2005-06-17 00:30 401408 C:\PROGRA~1\Yahoo!\YOP\yop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zvvktswg]
--a------ 2008-08-30 15:03 41984 C:\Program Files\Uvonsmcn\zvvktswg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOW\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Microsoft Games\\Halo Custom Edition\\haloceded.exe"=
"C:\\WINDOW\\system32\\rtcshare.exe"=
"C:\\Program Files\\Microsoft Games\\Halo Custom Edition\\haloce.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.icd"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=
"C:\\Program Files\\Xfire\\Xfire.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\StubInstaller.exe"=
"C:\\SNES\\zsnesw.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\WINDOW\\system32\\dpvsetup.exe"=
"C:\\WINDOW\\system32\\rundll32.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Program Files\\Last.fm\\LastFM.exe"=
"C:\\WINDOW\\system32\\PnkBstrA.exe"=
"C:\\WINDOW\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Xfire2\\xfire.exe"=
"C:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Documents and Settings\\ryan\\Desktop\\MSN Lite 7.5.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"22478:TCP"= 22478:TCP:BitComet 22478 TCP
"22478:UDP"= 22478:UDP:BitComet 22478 UDP
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"3007:UDP"= 3007:UDP:Windows Media Format SDK (Iexplore.exe)
"3006:UDP"= 3006:UDP:Windows Media Format SDK (Iexplore.exe)
"3011:UDP"= 3011:UDP:Windows Media Format SDK (Iexplore.exe)

S3 JL2005;JL2005A Toy Camera;C:\WINDOW\system32\Drivers\toywdm.sys [2003-11-14 70472]
S3 MBAMSwissArmy;MBAMSwissArmy;C:\WINDOW\system32\drivers\mbamswissarmy.sys [2008-09-10 38528]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOW\system32\drivers\npf.sys [2005-08-02 32512]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-iLike - C:\Program Files\iLike\1.1.41\ilikesidebar.exe
MSConfigStartUp-adorttdl - C:\Program Files\Vbijgjng\adorttdl.exe
MSConfigStartUp-AppleSyncNotifier - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
MSConfigStartUp-ATI Launchpad - C:\Program Files\ATI Multimedia\main\launchpd.exe
MSConfigStartUp-ATI Remote Control - C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
MSConfigStartUp-ATICCC - C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
MSConfigStartUp-BHOZapper - C:\Program Files\BHOZapper\BHOZapper.exe
MSConfigStartUp-Dinst - C:\WINDOW\dinst.exe
MSConfigStartUp-lphc5ahj0encj - C:\WINDOW\system32\lphc5ahj0encj.exe
MSConfigStartUp-odejetob - C:\Documents and Settings\All Users.WINDOW\Application Data\odejetob.dll
MSConfigStartUp-pclsdanc - C:\Program Files\pclsdanc\rslunmps.dll
MSConfigStartUp-PdPYgu - C:\WINDOW\sunqu.exe
MSConfigStartUp-PicasaNet - C:\Program Files\Hello\Hello.exe
MSConfigStartUp-SC2 - C:\Program Files\SecCenter\scprot4.exe
MSConfigStartUp-SemanticInsight - C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
MSConfigStartUp-Steam - c:\program files\steam\steam.exe
MSConfigStartUp-STYLEXP - C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
MSConfigStartUp-SunJavaUpdateSched - C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
MSConfigStartUp-tekucvbd - c:\window\system32\tekucvbd.exe
MSConfigStartUp-TFGcm - C:\WINDOW\sunqu.exe
MSConfigStartUp-Ultimate Cleaner - C:\Program Files\Ultimate Cleaner\UltimateCleaner.exe
MSConfigStartUp-Uniblue Registry Booster - C:\Program Files\Uniblue\Registry Booster\RegistryBooster.exe
MSConfigStartUp-velqrmlo - C:\Program Files\velqrmlo\ngbyhsby.dll
MSConfigStartUp-ynozujiz - C:\Documents and Settings\All Users.WINDOW\Application Data\ynozujiz.dll
MSConfigStartUp-istsvc - C:\WINDOW\sunqu.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\ryan\Application Data\Mozilla\Firefox\Profiles\26ukzymq.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/ig?hl=en&gl=
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPMGWRAP.DLL
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPNd2fn.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npunagi2.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npvlc.dll
FF -: plugin - C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
FF -: plugin - C:\WINDOW\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-22 17:03:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PSSdk21]
"ImagePath"="\??\C:\WINDOW\system32\Drivers\HNPsSdk.drv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PSSdk23]
"ImagePath"="\??\C:\WINDOW\system32\Drivers\PsSdk23.drv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\tdssserv]
"imagepath"="\systemroot\system32\drivers\TDSSserv.sys"
.
Completion time: 2008-09-22 17:12:59
ComboFix-quarantined-files.txt 2008-09-22 21:12:19

Pre-Run: 62,857,252,864 bytes free
Post-Run: 64,988,688,384 bytes free

355 --- E O F --- 2008-09-19 11:14:03



#15 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:06:44 PM

Posted 27 September 2008 - 03:20 PM

Hello, Jelly_man.

- REDUCED FUNCTIONALITY MODE -

When you run ComboFix, you MUST download a new copy. Your copy is expired. This is likely why the console installation failed.

It should also be noted that the RC filename must be left intact. Please do not rename the file when you download it.

Please delete any existing copies of ComboFix on your system, redownload it, re-run, and post a fresh log here :thumbsup:

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)



