
Spybot-FB Worm



#1 yesiammanu (Member, 213 posts)
I am currently experiencing difficulties with the Spybot-FB worm (or svkp), and I would greatly appreciate any assistance in its removal. Spyware Doctor detects but cannot remove the registry files.

It's actually quite funny, I've been trying to play Renegade for over a month now, but it does not work. No technical support can help me. Then I read on systematic

Renguard creates the file (anti cheat program for C&C Renegade)
General M-13

Pretty lame.

Aaaaaaaaaaanyways

Logfile of HijackThis v1.99.1
Scan saved at 3:52:40 PM, on 9/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Wireless LAN\WlanUtil.exe
D:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\regedit.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\HijackThis.exe

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "D:\Program Files\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [eFax 4.1] "C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [vssms32] C:\WINDOWS\system32\vssms32.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - Global Startup: IEEE 802.11g USB Wireless LAN Utility.lnk = C:\Program Files\Wireless LAN\WlanUtil.exe
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Lookup Meaning - res://C:\Program Files\ieSpell\iespell.dll/LOOKUPMEANING.HTM
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1145056415406
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {A2E05F45-F127-4092-B9F7-9A02C3E04C77} (HGPlugin7USA Class) - http://gamedownload....GPlugin7USA.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload....GPlugin9USA.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - D:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\Photo Server\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe


Any help would be appreciated.

~Yesiammanu :whistling:


#2 yesiammanu (Topic Starter, Member, 213 posts)
I forgot to say, when I try to delete legacy_svkp manually, and/or all the files in it, I get an error.

I am also getting an error with windows firewall.

Whenever I click it
"Due to an unidentified problem, Windows cannot display Windows Firewall Settings"

:Edit:

Troj/Bdoor-YP also

An automatic updates alert just came up; should I be worried?

~Yesiammanu :whistling:

Edited by yesiammanu, 13 September 2006 - 05:07 PM.


#3 yesiammanu (Topic Starter, Member, 213 posts)
Attached file: ___F.html (18KB)

Looks like I have a new undetected variant of purity scan, yay!
C://Qoobox/purity

I attached it

Also, I have smitfra.reg and smitfrau.reg, but I'm not sure they belong to SmitfraudFix. Whenever I run smitrem, I get a "csts.exe has crashed"; the scan continues, then I get it again. The tool completes, finds nothing.

I noticed a few extra folders in my Windows folder

srchasst
ime
msagent
nview
pss

I also have a "Setup1.exe" in my windows folder with a vampire icon.

A lot of Q354340503409609356805407=928789050956.exes in my windows
IE Q331958.exe

They are also attached


OK, one more time, let me list a few fishy folders, this time in my system32 folder

usmt
npp
ras
IME
msdtc
E177E04D548C4006A465EEB92D3DE021
Setup which contains a few dlls

I'd appreciate it if you looked into that CatRoot and CatRoot2 thing also

I have a replace.cmd in my local disk, I'll attach that too

Sorry for all the stuff, I'd usually just search it, but its relatively new from what I see, and
I have a fever :whistling:

I ran ComboFix 2 days ago; I didn't want to do it right now because I'm running an (extremely long) Spyware Doctor full system scan. So here's that log

Admin - 06-09-13 16:52:15.97 Service Pack 2
ComboFix 06.09.14 - Running from: C:\Documents and Settings\Admin\Desktop

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\WINDOWS\system32\PPATCH~1
C:\QooBox\Purity\WINDOWS\system32\SKS~1
C:\QooBox\Purity\WINDOWS\system32\PPATCH~1\à?pPatch


((((((((((((((((((((((((((((((( Files Created from 2006-08-13 to 2006-09-13 ))))))))))))))))))))))))))))))))))


2006-09-12 14:31 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2006-09-12 14:31 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2006-09-12 14:31 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2006-09-09 09:04 2,048 --a------ C:\WINDOWS\system32\dump_wmimmc.sys
2006-09-09 09:04 2,048 --a------ C:\WINDOWS\dump_wmimmc.sys
2006-08-26 15:16 8,704 --a------ C:\WINDOWS\system32\ntswrl32.dll
2006-08-26 15:16 621,120 ---hs---- C:\WINDOWS\system32\vssms32.exe
2006-08-26 15:16 23,552 --a------ C:\WINDOWS\system32\ntcvx32.dll
2006-08-26 15:16 16,896 --a------ C:\WINDOWS\system32\ldapi32.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-12 14:40 -------- d-------- C:\Program Files\Warcraft III
2006-09-08 22:39 -------- d-------- C:\Documents and Settings\Admin\Application Data\ieSpell
2006-09-07 19:47 28400 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2006-09-07 15:49 -------- d-------- C:\Program Files\ieSpell
2006-09-04 18:47 51072 --a------ C:\WINDOWS\system32\drivers\ikhlayer.sys
2006-08-29 23:41 -------- d-------- C:\Program Files\Internet Explorer
2006-08-26 16:55 -------- d-------- C:\Documents and Settings\Admin\Application Data\CyberLink
2006-08-21 02:14 128896 --------- C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-11 19:21 -------- d---s---- C:\Documents and Settings\Admin\Application Data\Microsoft
2006-08-10 18:44 -------- d-------- C:\Program Files\Iolo
2006-08-10 17:14 -------- d-------- C:\Program Files\MSN Messenger
2006-08-04 19:17 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-07-29 11:03 -------- d-------- C:\Documents and Settings\Admin\Application Data\AdobeUM
2006-07-27 06:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-23 14:25 -------- d-------- C:\Documents and Settings\Admin\Application Data\Dev-Cpp
2006-07-23 11:45 14848 --a------ C:\WINDOWS\system32\BASSMOD.dll
2006-07-22 15:26 -------- d-------- C:\Documents and Settings\Admin\Application Data\Lavasoft
2006-07-21 07:08 -------- d-------- C:\Program Files\BitTorrent
2006-07-21 07:08 -------- d-------- C:\Documents and Settings\Admin\Application Data\BitTorrent
2006-07-21 01:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
2006-07-19 13:22 -------- d-------- C:\Program Files\BitTorrent Acceleration Patch
2006-07-13 01:48 202240 --a------ C:\WINDOWS\system32\drivers\rmcast.sys
2006-06-21 22:06 69120 --a------ C:\WINDOWS\system32\ciodm.dll
2006-06-21 22:06 1435648 --a------ C:\WINDOWS\system32\query.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccleaner"="\"C:\\Program Files\\CCleaner\\ccleaner.exe\" /AUTO"
"Steam"=""
"updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_7 -reboot 1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"VAIO Recovery"="C:\\Windows\\Sonysys\\VAIO Recovery\\PartSeal.exe"
"Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ezShieldProtector for Px"="C:\\WINDOWS\\System32\\ezSP_Px.exe"
"Adobe Photo Downloader"="\"D:\\Program Files\\3.0\\Apps\\apdproxy.exe\""
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"eFax 4.1"="\"C:\\Program Files\\eFax Messenger 4.1\\J2GDllCmd.exe\" /R"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="\"D:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="\"D:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000
"NoDispAppearancePage"=dword:00000000
"NoDispBackgroundPage"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"NoSaveSettings"=dword:00000000
"ClassicShell"=dword:00000000
"NoThemesTab"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableTaskMgr"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoActiveDesktopChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\KernelFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -k"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -k"
"inimapping"="0"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp officejet 6100 series#1121315459.job
C:\WINDOWS\tasks\Registration reminder 2.job
C:\WINDOWS\tasks\Registration reminder 3.job

Completion time: Wed 09/13/2006 16:54:14.73
ComboFix.txt


And finally, a fresh HJT log

Logfile of HijackThis v1.99.1
Scan saved at 16:39, on 06-09-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Spyware Doctor\sdhelp.exe
D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server\appsrv\PhotoAppSrv.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Wireless LAN\WlanUtil.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "D:\Program Files\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [eFax 4.1] "C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe" /R
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.1.720.5674\GoogleToolbarNotifier.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: IEEE 802.11g USB Wireless LAN Utility.lnk = C:\Program Files\Wireless LAN\WlanUtil.exe
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Lookup Meaning - res://C:\Program Files\ieSpell\iespell.dll/LOOKUPMEANING.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1145056415406
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {A2E05F45-F127-4092-B9F7-9A02C3E04C77} (HGPlugin7USA Class) - http://gamedownload....GPlugin7USA.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload....GPlugin9USA.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - D:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\Photo Server\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe

Thanks for all the help!

~Yesiammanu :blink:

Ah, I just noticed that I can't attach files with .rar, so I'll upload it somewhere else and edit.

All passwords are geeks2go
http://www.muffinsha...d08dbfe55b39de7
Purityscan thingy

I was gonna submit the other ones, but they are taking a bit longer than I had hoped, and I feel tired, so I'm going to go to sleep.

Sorry if you didn't want these, I thought they would be helpful

~Yesiammanu :help:

Edited by yesiammanu, 15 September 2006 - 06:19 PM.

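The two logs in this thread can be cross-checked mechanically: the O4 Run entries from the first HijackThis log (post #1) and the "Files Created" section of the ComboFix log above. The script below is an added example written for this page; it is not part of HijackThis, ComboFix, or anything the poster ran. It embeds excerpts copied from those two logs, groups ComboFix's created files by minute, keeps only bursts in system32 that include a file with hidden+system attributes, and then reports which Run entries launch a file from such a burst. With these excerpts it surfaces vssms32.exe (621,120 bytes, ---hs----, written in the same minute as ntswrl32.dll, ntcvx32.dll and ldapi32.exe), while the three DirectX DLLs written at 14:31 form a burst too but carry no hidden/system flag and are left alone. The regexes, the three-file threshold and the system32 filter are this example's own choices, not ComboFix or HijackThis conventions.

```python
import re
from collections import defaultdict

# Excerpt of the O4 (Run key) lines from the first HijackThis log in this thread.
HJT_RUN_LINES = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vssms32] C:\WINDOWS\system32\vssms32.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
"""

# Excerpt of the "Files Created" section of the ComboFix log in this post.
COMBOFIX_CREATED = r"""
2006-09-12 14:31 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2006-09-12 14:31 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2006-09-12 14:31 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2006-08-26 15:16 8,704 --a------ C:\WINDOWS\system32\ntswrl32.dll
2006-08-26 15:16 621,120 ---hs---- C:\WINDOWS\system32\vssms32.exe
2006-08-26 15:16 23,552 --a------ C:\WINDOWS\system32\ntcvx32.dll
2006-08-26 15:16 16,896 --a------ C:\WINDOWS\system32\ldapi32.exe
"""

# Pattern for HijackThis O4 Run lines (assumption of this example, matched against the log format above).
RUN_LINE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# ComboFix rows: date, time, size with thousands separators, 9-character attribute field, path.
CREATED_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) (?P<size>[\d,]+) "
    r"(?P<attr>[-a-z]{9}) (?P<path>.+)$"
)
SYSTEM32 = r"c:\windows\system32"


def command_path(cmd):
    """Executable path of a Run value: the quoted token if present, else the first token, lower-cased."""
    cmd = cmd.strip()
    path = cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd.split()[0]
    return path.lower().replace("%systemroot%", r"c:\windows")


def parse_hjt_run(text):
    """O4 Run entries as {hive, name, path}; every other HijackThis section is ignored."""
    out = []
    for line in text.splitlines():
        m = RUN_LINE.match(line.strip())
        if m:
            out.append({"hive": m["hive"], "name": m["name"], "path": command_path(m["cmd"])})
    return out


def parse_combofix_created(text):
    """'Files Created' rows as {stamp, size, attr, path}; attr is ComboFix's 9-character flag field."""
    out = []
    for line in text.splitlines():
        m = CREATED_LINE.match(line.strip())
        if m:
            out.append({"stamp": f"{m['date']} {m['time']}", "size": int(m["size"].replace(",", "")),
                        "attr": m["attr"], "path": m["path"].lower()})
    return out


def hidden_system(entry):
    """True when the attribute field carries both the h (hidden) and s (system) flags."""
    return "h" in entry["attr"] and "s" in entry["attr"]


def drop_clusters(files, min_files=3):
    """Files written to system32 within the same minute, kept only if the burst includes a hidden+system file.

    A game installer also drops several DLLs in one minute (the 14:31 DirectX set above), so the burst
    alone is not a verdict; an hs-flagged file inside the burst is what makes it worth a closer look.
    """
    by_minute = defaultdict(list)
    for f in files:
        if f["path"].startswith(SYSTEM32):
            by_minute[f["stamp"]].append(f)
    return {stamp: fs for stamp, fs in by_minute.items()
            if len(fs) >= min_files and any(hidden_system(f) for f in fs)}


def suspicious_autostarts(hjt_text, combofix_text):
    """Run entries whose target is hidden+system or was written as part of a drop cluster."""
    created = parse_combofix_created(combofix_text)
    by_path = {f["path"]: f for f in created}
    dropped = {f["path"] for fs in drop_clusters(created).values() for f in fs}
    hits = []
    for entry in parse_hjt_run(hjt_text):
        reasons = []
        if entry["path"] in dropped:
            reasons.append("created in a hidden/system drop cluster")
        if entry["path"] in by_path and hidden_system(by_path[entry["path"]]):
            reasons.append("file carries hidden+system attributes")
        if reasons:
            hits.append({**entry, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for stamp, fs in drop_clusters(parse_combofix_created(COMBOFIX_CREATED)).items():
        print(stamp, [f["path"] for f in fs])
    for hit in suspicious_autostarts(HJT_RUN_LINES, COMBOFIX_CREATED):
        print(f"{hit['hive']} Run [{hit['name']}] -> {hit['path']}: {'; '.join(hit['reasons'])}")
```

This is a triage aid, not a verdict: a file is flagged for how and when it arrived, not for what it contains, and the final call still needs a hash lookup or a scan of the quarantined copy. The cross-reference is the useful part: a hidden+system executable in system32 is odd on its own, but one that is also wired into HKLM\...\Run is the entry to clear first.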

#4 don77 (Malware Expert, Retired Staff, 18,526 posts)
Hello,
Please stop bumping your topic; that's why you're not getting any help. Staff members are looking for topics with 0 replies.
You still have some files on your system that need to go.


Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
  • If you use the Firefox browser: click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use the Opera browser: click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.



Next

First download ewido anti-spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program
  • Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need to run ewido and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close ewido anti-spyware, Do Not run a scan just yet, we will shortly.
  • Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
    IMPORTANT: Do not open any other windows or programs while ewido is scanning; it may interfere with the scanning process.
  • Launch ewido anti-spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • ewido will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted; then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close ewido and reboot your system back into Normal Mode and post the results of the ewido report scan.


#5 yesiammanu (Topic Starter, Member, 213 posts)
When I click Safe Mode, it starts loading all those things, says "Press Esc to stop loading sptd.sys", then vax347b.sys, then the whole computer restarts, enabling me to try to go into Safe Mode again, then it happens again, etc. etc. When I do press Esc, it still happens. So, I am unable to go to Safe Mode.
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 09:46 06-09-17

+ Scan result:



C:\WINDOWS\system32\ntcvx32.dll -> Backdoor.Dosia : Cleaned with backup (quarantined).
D:\Program Files\Cheat Engine\dbk32.sys -> Rootkit.Small : Cleaned with backup (quarantined).


::Report end


~Yesiammanu :whistling:

#6 don77 (Malware Expert, Retired Staff, 18,526 posts)
Those are pointing to driver and Alcohol issues, but Ewido did find and quarantine a couple of trojans.

But there is likely more that needs attention.

Do this for me please

Download WinPFind2.zip and unzip it to your Desktop. It will create a folder named WinPFind2. Do NOT run the program directly from the zip file.
  • Open the folder and double-click on winpfind2.exe to start the program.
  • Keep the standard settings and then in the AddOn-Options box click the checkboxes for
    • <put AddOn's here>
    to select them.
  • Now click the Run All Scans button on the toolbar.
  • When the scans are complete click the Export To Text button in the lower right-hand corner to create a report file. Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Since the report is quite large it will require multiple posts to show it all. Follow the markers for [Start Post #1], [Start Post #2] and [Start Post #3] to divide the report into 3 separate posts and use the Add Reply button to post the information back here.

I will review the information when it comes in.

#7
yesiammanu

    Member

  • Topic Starter
  • Member
  • 213 posts
You put a <Put Addon's here>, I think you made a mistake :blink:

Can you tell me which addons please?

Also, I forgot to say, I ran a housecall scan and it cleaned a lot of things but Tspy_Small

Fresh hijack this log, just for the sake of it -

Scan saved at 16:52, on 06-09-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\ewido anti-spyware 4.0\guard.exe
D:\Program Files\Spyware Doctor\sdhelp.exe
D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server\appsrv\PhotoAppSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Wireless LAN\WlanUtil.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "D:\Program Files\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [eFax 4.1] "C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [!ewido] "D:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.1.720.5674\GoogleToolbarNotifier.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: IEEE 802.11g USB Wireless LAN Utility.lnk = C:\Program Files\Wireless LAN\WlanUtil.exe
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Lookup Meaning - res://C:\Program Files\ieSpell\iespell.dll/LOOKUPMEANING.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1145056415406
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {A2E05F45-F127-4092-B9F7-9A02C3E04C77} (HGPlugin7USA Class) - http://gamedownload....GPlugin7USA.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload....GPlugin9USA.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - D:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - D:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\Photo Server\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe

Also, for a quick, odd note, my time no longer displays in AM, PM, but all the way through 24. Also, when I go on Warcraft 3 & hover over the time, the dates are numerical instead of spelled out (Only for me).
Thanks for all the help

~Yesiammanu :whistling:

Edited by yesiammanu, 17 September 2006 - 06:22 PM.

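For anyone reviewing a HijackThis log like the one above by hand, the O23 lines marked "(file missing)" are worth a second look: several of them show a command line with a stray quote after the .exe, so the scanner could not resolve the path even though the binary is probably present. The parser below is an added example (not a tool used in this thread) that splits O4/O20/O23 entries into fields, recovers the executable path and attaches review flags; the sample lines are constructed after the log above (the HKCU "updater" line is a made-up placeholder), and the flag rules are my own assumptions, not HijackThis behaviour.

```python
"""Triage helper for HijackThis-style log lines (added example, not a thread tool).

Parses the O4 (Run keys / Startup folder), O20 (Winlogon Notify) and O23
(services) entries into records, recovers the executable path from each
command line and attaches review flags.  The rules are assumptions made for
this example, not HijackThis behaviour.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample modelled on the log above; the HKCU "updater" line is a
# made-up placeholder for an entry that loads from outside the usual folders.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Admin\Local Settings\Temp\upd.exe
O4 - Global Startup: officejet 6100.lnk = ?
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (file missing)
"""

RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^O4 - Global Startup: (?P<name>.*?) = (?P<cmd>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<cmd>.*)$")
# Service name and owner are matched lazily so that text inside the command
# line cannot shift the field boundaries.
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<cmd>.*)$")
PATTERNS = [("O4", RUN_RE), ("O4", STARTUP_RE), ("O20", NOTIFY_RE), ("O23", SERVICE_RE)]

# Leftmost drive- or %VAR%-rooted path ending in a binary extension; an optional
# opening quote is skipped and the match stops at a quote, whitespace or EOL.
PATH_RE = re.compile(
    r'"?(?P<path>(?:[A-Za-z]:|%[A-Za-z]+%)\\[^"]*?\.(?:exe|dll|sys|lnk))(?=["\s]|$)', re.I)


@dataclass
class Entry:
    section: str
    name: str
    owner: Optional[str]
    command: str
    path: Optional[str]
    flags: Tuple[str, ...]


def extract_path(command: str) -> Optional[str]:
    m = PATH_RE.search(command)
    return m["path"] if m else None


def location(path: str) -> str:
    """Classify where a binary lives; %SystemRoot% is assumed to be on C:."""
    p = path.lower().replace("%systemroot%", r"c:\windows")
    p = p.replace("%programfiles%", r"c:\program files")
    if re.match(r"[a-z]:\\windows\\", p):
        return "windows"
    if re.match(r"[a-z]:\\(program files|progra~1)\\", p):
        return "program-files"
    return "other"


def analyse(section: str, name: str, owner: Optional[str], command: str) -> Entry:
    flags = []
    path = extract_path(command)
    if command.endswith("(file missing)"):
        flags.append("file-missing")
        # A command that is not quoted at the start yet contains a quote later
        # (...\SSSvr.exe" /Service=...) points to a mis-quoted ImagePath: the
        # binary usually exists and the scanner simply could not parse the line.
        if path and '"' in command and not command.startswith('"'):
            flags.append("quote-mangled")
    if owner == "Unknown owner":
        flags.append("unknown-owner")   # no publisher recorded for the service
    if path is None:
        flags.append("no-path")         # nothing resolvable, check by hand
    elif location(path) == "other":
        flags.append("outside-standard-dirs")
    return Entry(section, name, owner, command, path, tuple(flags))


def parse(log_text: str) -> List[Entry]:
    entries: List[Entry] = []
    for line in log_text.splitlines():
        line = line.strip()
        for section, rx in PATTERNS:
            m = rx.match(line)
            if m:
                g = m.groupdict()
                entries.append(analyse(section, g["name"], g.get("owner"), g["cmd"]))
                break
    return entries


def flagged(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in flagged(parse(SAMPLE_LOG)):
        print(f"{e.section:<4}{e.name:<60}{e.path or '-':<50}{', '.join(e.flags)}")
```

A "quote-mangled" hit means the path before the stray quote should be checked on disk before anything is removed; "no-path" entries (a .lnk target of "?" or a command without an extension) still need a manual look.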

#8
don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Oops, sorry about that, I thought I added them.


Please check the top 2 bot checks

#9
yesiammanu

    Member

  • Topic Starter
  • Member
  • 213 posts
Logfile created on: 09-17-2006 21:06
WinPFind2 by OldTimer - Version 1.0.10 Folder = C:\Documents and Settings\Admin\Desktop\winpfind2\WinPFind2\
Microsoft Windows XP (Version = Service Pack 2)
Internet Explorer (Version - 6.0.2900.2180)


[Start Post #1]

Processes
Image Name---------------ProcessID--Thread Count--Parent ID--Base Priority--
#Full Path
##(Version Info)

googletoolbarnotifier.exe002520-----0007----------001004-----Normal---------
#c:\program files\google\googletoolbarnotifier\1.1.720.5674\googletoolbarnotifier.exe
##(Google Inc. [Ver = 1, 1, 720, 5674 | Size = 157944 bytes | Date = 09-13-2006 22:02 | Attr = ])

guard.exe----------------001548-----0008----------000836-----Normal---------
#d:\program files\ewido anti-spyware 4.0\guard.exe
##(Anti-Malware Development a.s. [Ver = 4, 0, 0, 172 | Size = 172032 bytes | Date = 06-16-2006 07:38 | Attr = ])

hkcmd.exe----------------003256-----0002----------002096-----Normal---------
#c:\windows\system32\hkcmd.exe
##(Intel Corporation [Ver = 3,0,0,2082 | Size = 114688 bytes | Date = 03-11-2003 11:11 | Attr = ])

hpzipm12.exe-------------000892-----0002----------000836-----Normal---------
#c:\windows\system32\hpzipm12.exe
##(HP [Ver = 6, 0, 0, 0 | Size = 65795 bytes | Date = 03-09-2003 13:31 | Attr = R ])

igfxtray.exe-------------003580-----0001----------002096-----Normal---------
#c:\windows\system32\igfxtray.exe
##(Intel Corporation [Ver = 3,0,0,2082 | Size = 155648 bytes | Date = 03-11-2003 11:24 | Attr = ])

jusched.exe--------------002628-----0001----------002096-----Normal---------
#c:\program files\java\jre1.5.0_06\bin\jusched.exe
##(Sun Microsystems, Inc. [Ver = 5.0.60.5 | Size = 36975 bytes | Date = 11-10-2005 13:03 | Attr = ])

photoappsrv.exe----------002008-----0009----------000836-----Normal---------
#c:\program files\sony\photo server\appsrv\photoappsrv.exe
##(Sony Corporation [Ver = 2, 5, 0,15250 | Size = 262144 bytes | Date = 03-25-2003 17:39 | Attr = ])

sssvr.exe----------------001960-----0008----------000836-----Normal---------
#c:\program files\sony\vaio media music server\sssvr.exe
##(Sony Corporation [Ver = 2.5.00.15184 | Size = 536648 bytes | Date = 03-18-2003 17:03 | Attr = ])

sv_httpd.exe-------------000432-----0003----------000836-----Normal---------
#c:\program files\common files\sony shared\vaio media platform\sv_httpd.exe
##(Sony Corporation [Ver = 2.5.00.14070 | Size = 57344 bytes | Date = 02-10-2003 13:11 | Attr = ])

sv_httpd.exe-------------000596-----0003----------000836-----Normal---------
#c:\program files\common files\sony shared\vaio media platform\sv_httpd.exe
##(Sony Corporation [Ver = 2.5.00.14070 | Size = 57344 bytes | Date = 02-10-2003 13:11 | Attr = ])

winpfind2.exe------------004016-----0001----------002096-----Normal---------
#c:\documents and settings\admin\desktop\winpfind2\winpfind2\winpfind2.exe
##(OldTimer Tools [Ver = 1.0.10.0 | Size = 392704 bytes | Date = 09-17-2006 11:39 | Attr = ])

wkufind.exe--------------003652-----0001----------002096-----Normal---------
#c:\program files\common files\microsoft shared\works shared\wkufind.exe
##(Microsoft® Corporation [Ver = 7.00.0724.0 | Size = 28672 bytes | Date = 07-24-2002 22:20 | Attr = ])

wlanutil.exe-------------003772-----0001----------002096-----Normal---------
#c:\program files\wireless lan\wlanutil.exe
##( [Ver = 1, 0, 49, 21 | Size = 413696 bytes | Date = 10-15-2004 18:45 | Attr = ])


Registry Entries

#Value
##(Version Info)

<<< >> Internet Explorer Settings << >>>

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page
#http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
##

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Search Page
#http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
##

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Default_Page_URL
#http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
##

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Default_Search_URL
#http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
##

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Local Page
#C:\windows\system32\blank.htm
##

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page
#http://www.google.com/
##

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Search Bar
#http://www.google.com/ie
##

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Search Page
#http://www.google.com
##

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Default_Search_URL
#http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
##

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Local Page
#C:\WINDOWS\system32\blank.htm
##

HKLM\SOFTWARE\Microsoft\Internet Explorer\Search\\CustomizeSearch
#http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
##

HKLM\SOFTWARE\Microsoft\Internet Explorer\Search\\SearchAssistant
#http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
##

HKCU\Software\Microsoft\Internet Explorer\urlSearchHooks\\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}
#Microsoft Url Search Hook = %SystemRoot%\System32\shdocvw.dll
##(Microsoft Corporation [Ver = 6.00.2900.2937 (xpsp_sp2_gdr.060623-0002) | Size = 1494016 bytes | Date = 06-23-2006 04:02 | Attr = ])

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable
#0
##

<<< >> BHO's << >>>

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}
#PCTools Site Guard = D:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
##(PC Tools [Ver = 3.6.0.2071 | Size = 825528 bytes | Date = 08-01-2006 14:27 | Attr = ])

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
#Google Toolbar Helper = c:\program files\google\googletoolbar1.dll
##(Google Inc. [Ver = 4, 0, 1019, 5266 | Size = 2018368 bytes | Date = 09-16-2006 10:13 | Attr = R ])

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B56A7D7D-6927-48C8-A975-17DF180C71AC}
#PCTools Browser Monitor = D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
##(PC Tools [Ver = 3.6.0.2284 | Size = 848496 bytes | Date = 09-08-2006 15:43 | Attr = ])

<<< >> Internet Explorer Bars, Toolbars and Extensions << >>>

<<< HKLM-> Internet Explorer Bars >>>

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
#&Yahoo! Messenger = C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll
##(File not found)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
#&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
##(Microsoft Corporation [Ver = 6.00.2900.2937 (xpsp_sp2_gdr.060623-0002) | Size = 1494016 bytes | Date = 06-23-2006 04:02 | Attr = ])

<<< HKCU-> Internet Explorer Bars >>>

HKCU\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
#Reg Data missing or invalid = Reg Data missing or invalid
##(File not found)

HKCU\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
#History Band = %SystemRoot%\System32\shdocvw.dll
##(Microsoft Corporation [Ver = 6.00.2900.2937 (xpsp_sp2_gdr.060623-0002) | Size = 1494016 bytes | Date = 06-23-2006 04:02 | Attr = ])

HKCU\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
#Explorer Band = %SystemRoot%\System32\shdocvw.dll
##(Microsoft Corporation [Ver = 6.00.2900.2937 (xpsp_sp2_gdr.060623-0002) | Size = 1494016 bytes | Date = 06-23-2006 04:02 | Attr = ])

<<< HKLM-> Internet Explorer ToolBars >>>

HKLM\SOFTWARE\Microsoft\Internet Explorer\ToolBar\\{2318C2B1-4965-11d4-9B18-009027A5CD4F}
#&Google = c:\program files\google\googletoolbar1.dll
##(Google Inc. [Ver = 4, 0, 1019, 5266 | Size = 2018368 bytes | Date = 09-16-2006 10:13 | Attr = R ])

<<< HKCU-> Internet Explorer ToolBars >>>

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383}
#&Address = %SystemRoot%\System32\browseui.dll
##(Microsoft Corporation [Ver = 6.00.2900.2937 (xpsp_sp2_gdr.060623-0002) | Size = 1022976 bytes | Date = 06-23-2006 04:02 | Attr = ])

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383}
#&Address = %SystemRoot%\System32\browseui.dll
##(Microsoft Corporation [Ver = 6.00.2900.2937 (xpsp_sp2_gdr.060623-0002) | Size = 1022976 bytes | Date = 06-23-2006 04:02 | Attr = ])

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}
#Reg Data missing or invalid = Reg Data missing or invalid
##(File not found)

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383}
#&Links = %SystemRoot%\system32\SHELL32.dll
##(Microsoft Corporation [Ver = 6.00.2900.2951 (xpsp_sp2_gdr.060713-0009) | Size = 8453632 bytes | Date = 07-13-2006 06:33 | Attr = ])

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F}
#&Google = c:\program files\google\googletoolbar1.dll
##(Google Inc. [Ver = 4, 0, 1019, 5266 | Size = 2018368 bytes | Date = 09-16-2006 10:13 | Attr = R ])

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}
#Reg Data missing or invalid = Reg Data missing or invalid
##(File not found)

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
#Yahoo! Toolbar = C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
##(Yahoo! Inc. [Ver = 2005, 8, 4, 2 | Size = 343112 bytes | Date = 08-04-2005 21:54 | Attr = ])

<<< HKCU-> Internet Explorer CmdMapping >>>

HKCU\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
#8195 - Reg Data missing or invalid
##

HKCU\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8}
#8200 - ieSpell
##

HKCU\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{1606D6F9-9D3B-4aea-A025-ED5B2FD488E7}
#8201 - ieSpell Options
##

HKCU\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{2D663D1A-8670-49D9-A1A5-4C56B4E14E84}
#8198 - Reg Data missing or invalid
##

HKCU\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
#8197 - Reg Data missing or invalid
##

HKCU\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
#8193 - Reg Data missing or invalid
##

HKCU\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
#8196 - Reg Data missing or invalid
##

HKCU\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{E023F504-0C5A-4750-A1E7-A9046DEA8A21}
#8194 - Reg Data missing or invalid
##

HKCU\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683}
#8199 - Windows Messenger
##

HKCU\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\NextId
#8202
##

<<< HKLM-> Internet Explorer Extensions >>>

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8}
#ButtonText: ieSpell = res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
##(File not found)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{1606D6F9-9D3B-4aea-A025-ED5B2FD488E7}
#MenuText: ieSpell Options = Reg Data missing or invalid
##(File not found)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
#ButtonText: Research = Reg Data missing or invalid
##(File not found)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
#ButtonText: AIM = C:\PROGRA~1\AIM\aim.exe
##(America Online, Inc. [Ver = 5.9.3861 | Size = 67160 bytes | Date = 08-05-2005 15:08 | Attr = ])

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
#ButtonText: Messenger = C:\Program Files\Messenger\msmsgs.exe
##(Microsoft Corporation [Ver = 4.7.3001 | Size = 1694208 bytes | Date = 10-13-2004 09:24 | Attr = ])

<<< HKCU-> Internet Explorer Menu Extensions >>>

HKCU\Software\Microsoft\Internet Explorer\MenuExt\&ieSpell Options
#res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
##(File not found)

HKCU\Software\Microsoft\Internet Explorer\MenuExt\&Lookup Meaning
#res://C:\Program Files\ieSpell\iespell.dll/LOOKUPMEANING.HTM
##(File not found)

HKCU\Software\Microsoft\Internet Explorer\MenuExt\Check &Spelling
#res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
##(File not found)

HKCU\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel
#res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
##(Microsoft Corporation [Ver = 11.0.8033 | Size = 10196752 bytes | Date = 06-23-2006 12:38 | Attr = ])

<<< >> Approved Shell Extensions (Non-Microsoft only) << >>>

<<< HKLM-> Approved Shell Extensions >>>

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0DF44EAA-FF21-4412-828E-260A8728E7F1}
#Taskbar and Start Menu = Reg Data missing or invalid
##(File not found)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1CDB2949-8F65-4355-8456-263E7C208A5D}
#Desktop Explorer = C:\WINDOWS\System32\nvshell.dll
##(NVIDIA Corporation [Ver = 6.14.01.4303 | Size = 462919 bytes | Date = 03-03-2003 19:44 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1E9B04FB-F9E5-4718-997B-B8DA88302A47}
#Desktop Explorer Menu = C:\WINDOWS\System32\nvshell.dll
##(NVIDIA Corporation [Ver = 6.14.01.4303 | Size = 462919 bytes | Date = 03-03-2003 19:44 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{32020A01-506E-484D-A2A8-BE3CF17601C3}
#AlcoholShellEx = D:\PROGRA~1\ALCOHO~1\ALCOHO~2\AXShlEx.dll
##(Alcohol Soft Development Team [Ver = 1.4.9.1024 | Size = 387072 bytes | Date = 07-05-2005 16:48 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{32683183-48a0-441b-a342-7c2a440a9478}
#Media Band = Reg Data missing or invalid
##(File not found)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{42071714-76d4-11d1-8b24-00a0c9068ff3}
#Display Panning CPL Extension = deskpan.dll
##(File not found)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6db8213d-6561-483a-af7b-393725a1f0d3}
#eFax Messenger - Shell Extension = C:\Program Files\eFax Messenger 4.1\J2GShell.dll
##(j2 Global Communications, Inc. [Ver = 4.1.310.0 | Size = 104960 bytes | Date = 12-16-2005 16:59 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{764BF0E1-F219-11ce-972D-00AA00A14F56}
#Shell extensions for file compression = Reg Data missing or invalid
##(File not found)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{7A9D77BD-5403-11d2-8785-2E0420524153}
#User Accounts = Reg Data missing or invalid
##(File not found)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}
#Encryption Context Menu = Reg Data missing or invalid
##(File not found)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{88895560-9AA2-1069-930E-00AA0030EBC8}
#HyperTerminal Icon Ext = C:\WINDOWS\System32\hticons.dll
##(Hilgraeve, Inc. [Ver = 5.1.2600.0 | Size = 44544 bytes | Date = 08-29-2002 05:00 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B41DB860-8EE4-11D2-9906-E49FADC173CA}
#WinRAR shell extension = C:\Program Files\WinRAR\rarext.dll
##( [Ver = | Size = 125440 bytes | Date = 08-03-2005 22:32 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}
#UnlockerShellExtension = C:\Program Files\Unlocker\UnlockerCOM.dll
##( [Ver = | Size = 8704 bytes | Date = 03-03-2006 01:38 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E0D79304-84BE-11CE-9641-444553540000}
#WinZip = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
##(WinZip Computing, Inc. [Ver = 4.1 (32-bit) | Size = 5120 bytes | Date = 12-17-2004 09:00 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E0D79305-84BE-11CE-9641-444553540000}
#WinZip = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
##(WinZip Computing, Inc. [Ver = 4.1 (32-bit) | Size = 5120 bytes | Date = 12-17-2004 09:00 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E0D79306-84BE-11CE-9641-444553540000}
#WinZip = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
##(WinZip Computing, Inc. [Ver = 4.1 (32-bit) | Size = 5120 bytes | Date = 12-17-2004 09:00 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E0D79307-84BE-11CE-9641-444553540000}
#WinZip = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
##(WinZip Computing, Inc. [Ver = 4.1 (32-bit) | Size = 5120 bytes | Date = 12-17-2004 09:00 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}
#Shell Extensions for RealOne Player = Reg Data missing or invalid
##(File not found)

<<< >> ContextMenuHandlers (Non-Microsoft only) << >>>

<<< HKLM-> ContextMenuHandlers >>>

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ewido anti-spyware
#{8934FCEF-F5B8-468f-951F-78A921CD3920} = D:\Program Files\ewido anti-spyware 4.0\context.dll
##(Anti-Malware Development a.s. [Ver = 4, 0, 0, 172 | Size = 94208 bytes | Date = 06-16-2006 07:38 | Attr = ])

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\HexWorkshopContextMenu
#{DB34D5DC-D41A-482E-A5EF-8FA0F88761DA} = d:\hwext.dll
##(BreakPoint Software, Inc. [Ver = 4.23 | Size = 49152 bytes | Date = 02-16-2004 15:02 | Attr = ])

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\HotShellExt_40
#{6DB8213D-6561-483a-AF7B-393725A1F0D3} = C:\Program Files\eFax Messenger 4.1\J2GShell.dll
##(j2 Global Communications, Inc. [Ver = 4.1.310.0 | Size = 104960 bytes | Date = 12-16-2005 16:59 | Attr = ])

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\WinRAR
#{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
##( [Ver = | Size = 125440 bytes | Date = 08-03-2005 22:32 | Attr = ])

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\WinZip
#{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
##(WinZip Computing, Inc. [Ver = 4.1 (32-bit) | Size = 5120 bytes | Date = 12-17-2004 09:00 | Attr = ])

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\UnlockerShellExtension
#{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83} = C:\Program Files\Unlocker\UnlockerCOM.dll
##( [Ver = | Size = 8704 bytes | Date = 03-03-2006 01:38 | Attr = ])

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido anti-spyware
#{8934FCEF-F5B8-468f-951F-78A921CD3920} = D:\Program Files\ewido anti-spyware 4.0\context.dll
##(Anti-Malware Development a.s. [Ver = 4, 0, 0, 172 | Size = 94208 bytes | Date = 06-16-2006 07:38 | Attr = ])

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
#{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
##( [Ver = | Size = 125440 bytes | Date = 08-03-2005 22:32 | Attr = ])

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
#{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
##(WinZip Computing, Inc. [Ver = 4.1 (32-bit) | Size = 5120 bytes | Date = 12-17-2004 09:00 | Attr = ])

HKLM\SOFTWARE\Classes\Directory\BackGround\shellex\ContextMenuHandlers\igfxcui
#{3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} = C:\WINDOWS\System32\igfxpph.dll
##(Intel Corporation [Ver = 3,0,0,2082 | Size = 204800 bytes | Date = 03-11-2003 11:23 | Attr = ])

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\UnlockerShellExtension
#{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83} = C:\Program Files\Unlocker\UnlockerCOM.dll
##( [Ver = | Size = 8704 bytes | Date = 03-03-2006 01:38 | Attr = ])

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
#{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
##( [Ver = | Size = 125440 bytes | Date = 08-03-2005 22:32 | Attr = ])

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
#{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
##(WinZip Computing, Inc. [Ver = 4.1 (32-bit) | Size = 5120 bytes | Date = 12-17-2004 09:00 | Attr = ])

<<< >> ColumnHandlers (Non-Microsoft only) << >>>

<<< HKLM-> ColumnHandlers >>>

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
#PDF Shell Extension = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
##(Adobe Systems, Inc. [Ver = 7.0.0.0 | Size = 110592 bytes | Date = 12-14-2004 03:20 | Attr = ])

<<< >> File Associations Keys << >>>

HKLM\SOFTWARE\Classes\.bat\\''
#batfile
##

HKLM\SOFTWARE\Classes\batfile\shell\open\command\\''
#"%1" %*
##

HKLM\SOFTWARE\Classes\.cmd\\''
#cmdfile
##

HKLM\SOFTWARE\Classes\cmdfile\shell\open\command\\''
#"%1" %*
##

HKLM\SOFTWARE\Classes\.com\\''
#comfile
##

HKLM\SOFTWARE\Classes\comfile\shell\open\command\\''
#"%1" %*
##

HKLM\SOFTWARE\Classes\.exe\\''
#exefile
##

HKLM\SOFTWARE\Classes\exefile\shell\open\command\\''
#"%1" %*
##

HKLM\SOFTWARE\Classes\.hta\\''
#htafile
##

HKLM\SOFTWARE\Classes\htafile\shell\open\command\\''
#C:\WINDOWS\System32\mshta.exe "%1" %*
##

HKLM\SOFTWARE\Classes\.js\\''
#JSFile
##

HKLM\SOFTWARE\Classes\jsfile\shell\open\command\\''
#%SystemRoot%\System32\WScript.exe "%1" %*
##

HKLM\SOFTWARE\Classes\.jse\\''
#JSEFile
##

HKLM\SOFTWARE\Classes\jsefile\shell\open\command\\''
#%SystemRoot%\System32\WScript.exe "%1" %*
##

HKLM\SOFTWARE\Classes\.scr\\''
#scrfile
##

HKLM\SOFTWARE\Classes\scrfile\shell\open\command\\''
#"%1" /S
##

HKLM\SOFTWARE\Classes\.vbe\\''
#VBEFile
##

HKLM\SOFTWARE\Classes\vbefile\shell\open\command\\''
#%SystemRoot%\System32\WScript.exe "%1" %*
##

HKLM\SOFTWARE\Classes\.vbs\\''
#VBSFile
##

HKLM\SOFTWARE\Classes\vbsfile\shell\open\command\\''
#%SystemRoot%\System32\WScript.exe "%1" %*
##

HKLM\SOFTWARE\Classes\.wsf\\''
#WSFFile
##

HKLM\SOFTWARE\Classes\wsffile\shell\open\command\\''
#%SystemRoot%\System32\WScript.exe "%1" %*
##

HKLM\SOFTWARE\Classes\.wsh\\''
#WSHFile
##

HKLM\SOFTWARE\Classes\wshfile\shell\open\command\\''
#%SystemRoot%\System32\WScript.exe "%1" %*
##

HKLM\SOFTWARE\Classes\.txt\\''
#txtfile
##

HKLM\SOFTWARE\Classes\txtfile\shell\open\command\\''
#%SystemRoot%\system32\NOTEPAD.EXE %1
##

<<< >> Registry Run Keys << >>>

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\!ewido
#"D:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
##(Anti-Malware Development a.s. [Ver = 4, 0, 0, 172 | Size = 6283264 bytes | Date = 06-16-2006 07:39 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Adobe Photo Downloader
#"D:\Program Files\3.0\Apps\apdproxy.exe"
##(Adobe Systems Incorporated [Ver = 3.0.0.49815 | Size = 57344 bytes | Date = 06-07-2005 00:46 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\ATIPTA
#C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
##(ATI Technologies, Inc. [Ver = 6.14.10.4029 | Size = 315392 bytes | Date = 02-28-2003 21:00 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\eFax 4.1
#"C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe" /R
##(j2 Global Communications, Inc. [Ver = 4.1.310.0 | Size = 107008 bytes | Date = 12-16-2005 16:59 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\ezShieldProtector for Px
#C:\WINDOWS\System32\ezSP_Px.exe
##(Easy Systems Japan Ltd. [Ver = 1, 0, 0, 0 | Size = 40960 bytes | Date = 08-20-2002 10:29 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\HotKeysCmds
#C:\WINDOWS\System32\hkcmd.exe
##(Intel Corporation [Ver = 3,0,0,2082 | Size = 114688 bytes | Date = 03-11-2003 11:11 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\IgfxTray
#C:\WINDOWS\System32\igfxtray.exe
##(Intel Corporation [Ver = 3,0,0,2082 | Size = 155648 bytes | Date = 03-11-2003 11:24 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Microsoft Works Update Detection
#C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
##(Microsoft® Corporation [Ver = 7.00.0724.0 | Size = 28672 bytes | Date = 07-24-2002 22:20 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\QuickTime Task
#"C:\Program Files\QuickTime\qttask.exe" -atboottime
##(Apple Computer, Inc. [Ver = 6.4 | Size = 77824 bytes | Date = 09-25-2005 16:45 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\SunJavaUpdateSched
#C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
##(Sun Microsystems, Inc. [Ver = 5.0.60.5 | Size = 36975 bytes | Date = 11-10-2005 13:03 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\VAIO Recovery
#C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe
##(Sony Electronics Inc [Ver = 1.0.2 | Size = 28672 bytes | Date = 04-19-2003 22:08 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL
#Installed = 1
##

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI
#Installed = 1
##

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS
#Installed = 1
##

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\ccleaner
#"C:\Program Files\CCleaner\ccleaner.exe" /AUTO
##(CCleaner.com [Ver = 1.23.0160 | Size = 520192 bytes | Date = 08-30-2005 03:52 | Attr = ])

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Steam
#
##(File not found)

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\swg
#C:\Program Files\Google\GoogleToolbarNotifier\1.1.720.5674\GoogleToolbarNotifier.exe
##(Google Inc. [Ver = 1, 1, 720, 5674 | Size = 157944 bytes | Date = 09-13-2006 22:02 | Attr = ])

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\updateMgr
#"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
##(Adobe Systems Incorporated [Ver = 3.1.0.9 | Size = 307200 bytes | Date = 10-24-2005 16:53 | Attr = ])

<<< >> Miscellaneous Startup Keys << >>>

<<< AppInit DLLs >>>

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
#
##(File not found)

<<< Image File Execution Options >>>

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
#Debugger = ntsd -d
##

<<< Shell Service Object Delay Load >>>

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\CDBurn
#{fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
##(Microsoft Corporation [Ver = 6.00.2900.2951 (xpsp_sp2_gdr.060713-0009) | Size = 8453632 bytes | Date = 07-13-2006 06:33 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\PostBootReminder
#{7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
##(Microsoft Corporation [Ver = 6.00.2900.2951 (xpsp_sp2_gdr.060713-0009) | Size = 8453632 bytes | Date = 07-13-2006 06:33 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\SysTray
#{35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 121856 bytes | Date = 08-04-2004 00:56 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck
#{E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
##(Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Size = 276480 bytes | Date = 08-04-2004 00:56 | Attr = ])

<<< Shell Execute Hooks >>>

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{57B86673-276A-48B2-BAE7-C6DBB3020EB8}
#CShellExecuteHookImpl Object = D:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll
##(Anti-Malware Development a.s. [Ver = 4, 0, 0, 172 | Size = 73728 bytes | Date = 06-16-2006 07:38 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972}
#URL Exec Hook = shell32.dll
##(Microsoft Corporation [Ver = 6.00.2900.2951 (xpsp_sp2_gdr.060713-0009) | Size = 8453632 bytes | Date = 07-13-2006 06:33 | Attr = ])

<<< Shared Task Scheduler >>>

<<< SafeBoot Option >>>

<<< HKLM Command Processor AutoRun >>>

HKLM\SOFTWARE\Microsoft\Command Processor\\AutoRun
#
##

<<< HKCU Command Processor AutoRun >>>

<<< Security Providers >>>

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders
#msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll
##

<<< BootExecute >>>

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\\BootExecute
#autocheck autochk *;
##

<<< PendingFileRenameOperations >>>

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\\PendingFileRenameOperations
#\??\C:\DOCUME~1\Admin\LOCALS~1\TEMPOR~1\Content.IE5\index.dat;
##

<<< FileRenameOperations >>>

<<< ExcludeFromKnownDlls >>>

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\\ExcludeFromKnownDlls
#
##

<<< >> Disabled MSConfig Items << >>>

HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\KernelFaultCheck
#dumprep 0 -k = %systemroot%\system32\dumprep 0 -k
##(File not found)

<<< >> User Agent Post Platform << >>>

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\\SV1
#
##

<<< >> Winlogon << >>>

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit
#C:\WINDOWS\system32\userinit.exe,
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 24576 bytes | Date = 08-04-2004 00:56 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
#explorer.exe
##(Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Size = 1032192 bytes | Date = 08-04-2004 00:56 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\System
#
##(File not found)

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet
#rundll32 shell32,Control_RunDLL "sysdm.cpl"
##

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
#crypt32.dll
##(Microsoft Corporation [Ver = 5.131.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 597504 bytes | Date = 08-04-2004 00:56 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
#cryptnet.dll
##(Microsoft Corporation [Ver = 5.131.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 63488 bytes | Date = 08-04-2004 00:56 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
#cscdll.dll
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 101888 bytes | Date = 08-04-2004 00:56 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
#igfxsrvc.dll
##(Intel Corporation [Ver = 3,0,0,2082 | Size = 315392 bytes | Date = 03-11-2003 11:11 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
#wlnotify.dll
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 92672 bytes | Date = 08-04-2004 00:56 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
#wlnotify.dll
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 92672 bytes | Date = 08-04-2004 00:56 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
#sclgntfy.dll
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 20992 bytes | Date = 08-04-2004 00:56 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
#WlNotify.dll
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 92672 bytes | Date = 08-04-2004 00:56 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
#wlnotify.dll
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 92672 bytes | Date = 08-04-2004 00:56 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon
#WgaLogon.dll
##(Microsoft Corporation [Ver = 1.5.0540.0 | Size = 702768 bytes | Date = 06-19-2006 16:20 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
#wlnotify.dll
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 92672 bytes | Date = 08-04-2004 00:56 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif
#wzcdlg.dll
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 378368 bytes | Date = 08-04-2004 00:56 | Attr = ])

<<< >> DNS Name Servers << >>>

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0EB074DC-C7A2-4B1E-94D4-CB78A7B9EE41}
# (Realtek RTL8139/810x Family Fast Ethernet NIC)
##

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{52856984-5165-4B7A-B21B-C952989AA1BE}
# (IEEE 802.11g USB Wireless LAN)
##

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6B3BEE2D-00DF-4D3D-B38E-931285C90742}
# (IEEE 802.11g USB Wireless LAN)
##

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7A084841-1B0C-464D-B5A8-529C2E0A4A26}
# (D-Link DFE-538TX 10/100 Adapter)
##

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8E1CDBDC-78D4-40C3-860B-B91B93242642}
# (D-Link DFE-538TX 10/100 Adapter)
##

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D1C6A30D-45CA-48A5-BD57-49A8A823DB56}
# (IEEE 802.11g USB Wireless LAN)
##

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{F4C5E6A3-3978-4AE1-89B7-8AAA8CB20178}
# (1394 Net Adapter)
##

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{FAC3E950-8E00-4CEB-8532-DBEB9B0D2A29}
# ()
##

<<< >> All Winsock2 Catalogs << >>>

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001
#%SystemRoot%\System32\mswsock.dll
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 245248 bytes | Date = 08-04-2004 00:56 | Attr = ])

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002
#%SystemRoot%\System32\winrnr.dll
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 16896 bytes | Date = 08-04-2004 00:56 | Attr = ])

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003
#%SystemRoot%\System32\mswsock.dll
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 245248 bytes | Date = 08-04-2004 00:56 | Attr = ])

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004
#%SystemRoot%\System32\nwprovau.dll
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 144384 bytes | Date = 08-04-2004 00:56 | Attr = ])

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001
#%SystemRoot%\system32\mswsock.dll
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 245248 bytes | Date = 08-04-2004 00:56 | Attr = ])

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002
#%SystemRoot%\system32\mswsock.dll
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 245248 bytes | Date = 08-04-2004 00:56 | Attr = ])

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003
#%SystemRoot%\system32\mswsock.dll
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 245248 bytes | Date = 08-04-2004 00:56 | Attr = ])

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004
#%SystemRoot%\system32\rsvpsp.dll
##(Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 90112 bytes | Date = 08-29-2002 05:00 | Attr = ])

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005
#%SystemRoot%\system32\rsvpsp.dll
##(Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 90112 bytes | Date = 08-29-2002 05:00 | Attr = ])

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006
#%SystemRoot%\system32\mswsock.dll
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 245248 bytes | Date = 08-04-2004 00:56 | Attr = ])

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007
#%SystemRoot%\system32\mswsock.dll
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 245248 bytes | Date = 08-04-2004 00:56 | Attr = ])

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008
#%SystemRoot%\system32\mswsock.dll
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 245248 bytes | Date = 08-04-2004 00:56 | Attr = ])

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009
#%SystemRoot%\system32\mswsock.dll
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 245248 bytes | Date = 08-04-2004 00:56 | Attr = ])

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010
#%SystemRoot%\system32\mswsock.dll
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 245248 bytes | Date = 08-04-2004 00:56 | Attr = ])

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011
#%SystemRoot%\system32\mswsock.dll
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 245248 bytes | Date = 08-04-2004 00:56 | Attr = ])

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012
#%SystemRoot%\system32\mswsock.dll
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 245248 bytes | Date = 08-04-2004 00:56 | Attr = ])

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013
#%SystemRoot%\system32\mswsock.dll
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 245248 bytes | Date = 08-04-2004 00:56 | Attr = ])

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014
#%SystemRoot%\system32\mswsock.dll
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 245248 bytes | Date = 08-04-2004 00:56 | Attr = ])

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015
#%SystemRoot%\system32\mswsock.dll
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 245248 bytes | Date = 08-04-2004 00:56 | Attr = ])

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016
#%SystemRoot%\system32\mswsock.dll
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 245248 bytes | Date = 08-04-2004 00:56 | Attr = ])

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017
#%SystemRoot%\system32\mswsock.dll
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 245248 bytes | Date = 08-04-2004 00:56 | Attr = ])

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000018
#%SystemRoot%\system32\mswsock.dll
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 245248 bytes | Date = 08-04-2004 00:56 | Attr = ])

<<< >> Protocol Handlers (Non-Microsoft only) << >>>

HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\ipp
#
##(File not found)

HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\msdaipp
#
##(File not found)

<<< >> Protocol Filters (Non-Microsoft only) << >>>

#10 yesiammanu (Topic Starter, Member, 213 posts)
[Start Post #2]

Services
Name--Internal Name--Startup Type--State--Service Type--
#Path
##(Version Info)

ewido anti-spyware 4.0 guard--ewido anti-spyware 4.0 guard--Automatic--Running--Win32, running in it's own process--
#D:\Program Files\ewido anti-spyware 4.0\guard.exe
##(Anti-Malware Development a.s. [Ver = 4, 0, 0, 172 | Size = 172032 bytes | Date = 06-16-2006 07:38 | Attr = ])

Pml Driver HPZ12--Pml Driver HPZ12--On Demand--Running--Win32, running in it's own process--
#C:\WINDOWS\System32\HPZipm12.exe
##(HP [Ver = 6, 0, 0, 0 | Size = 65795 bytes | Date = 03-09-2003 13:31 | Attr = R ])

VAIO Media Music Server--VAIOMediaPlatform-MusicServer-AppServer--Automatic--Running--Win32, running in it's own process--
#"C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server"
##(Sony Corporation [Ver = 2.5.00.15184 | Size = 536648 bytes | Date = 03-18-2003 17:03 | Attr = ])

VAIO Media Music Server (HTTP)--VAIOMediaPlatform-MusicServer-HTTP--Automatic--Running--Win32, running in a shared process--
#"C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP"
##(Sony Corporation [Ver = 2.5.00.14070 | Size = 57344 bytes | Date = 02-10-2003 13:11 | Attr = ])

VAIO Media Photo Server--VAIOMediaPlatform-PhotoServer-AppServer--Automatic--Running--Win32, running in it's own process--
#C:\Program Files\Sony\Photo Server\appsrv\PhotoAppSrv.exe
##(Sony Corporation [Ver = 2, 5, 0,15250 | Size = 262144 bytes | Date = 03-25-2003 17:39 | Attr = ])

VAIO Media Photo Server (HTTP)--VAIOMediaPlatform-PhotoServer-HTTP--Automatic--Running--Win32, running in a shared process--
#"C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP"
##(Sony Corporation [Ver = 2.5.00.14070 | Size = 57344 bytes | Date = 02-10-2003 13:11 | Attr = ])


Files
Full Path
#Details

Auto-Start Folders
#

HKLM->Explorer\Shell Folders\\Common Startup
# = C:\Documents and Settings\All Users\Start Menu\Programs\Startup

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
#( [Ver = | Size = 84 bytes | Date = 04-09-2003 18:47 | Attr = HS])

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
#C:\Program Files\Google\Google Updater\GoogleUpdater.exe (Google [Ver = 1.3.612.22906.beta | Size = 114616 bytes | Date = 09-13-2006 22:02 | Attr = ])

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\IEEE 802.11g USB Wireless LAN Utility.lnk
#C:\Program Files\Wireless LAN\WlanUtil.exe ( [Ver = 1, 0, 49, 21 | Size = 413696 bytes | Date = 10-15-2004 18:45 | Attr = ])

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\officejet 6100.lnk
#C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe (Hewlett-Packard Co. [Ver = 4.2.0.020 | Size = 147456 bytes | Date = 04-06-2003 00:37 | Attr = ])

HKLM->Explorer\User Shell Folders\\Common Startup
# = %ALLUSERSPROFILE%\Start Menu\Programs\Startup

HKLM->Explorer\Shell Folders\\Startup
# = C:\Documents and Settings\Admin\Start Menu\Programs\Startup

C:\Documents and Settings\Admin\Start Menu\Programs\Startup\desktop.ini
#( [Ver = | Size = 84 bytes | Date = 04-09-2003 18:47 | Attr = HS])

HKCU->Explorer\User Shell Folders\\Startup
# = %USERPROFILE%\Start Menu\Programs\Startup

Miscellaneous Auto-Start Files
#

System.ini->[Boot]\\Shell
#explorer.exe

Wininit.ini: Line 1
#[Rename]

Wininit.ini: Line 3
#NUL=C:\DOCUME~1\Admin\LOCALS~1\Temp\utildel.exe

Wininit.ini: Line 5
#nul=C:\gendel32.exe

Miscellaneous Folders
#

AllUsers ApplicationData Folder
#

C:\Documents and Settings\All Users\Application Data\desktop.ini
# ( [Ver = | Size = 62 bytes | Date = 04-09-2003 11:42 | Attr = HS])

C:\Documents and Settings\All Users\Application Data\hpzinstall.log
# ( [Ver = | Size = 203 bytes | Date = 07-13-2005 21:29 | Attr = ])

CurrentUser ApplicationData Folder
#

C:\Documents and Settings\Admin\Application Data\desktop.ini
# ( [Ver = | Size = 62 bytes | Date = 04-09-2003 11:42 | Attr = HS])

Program Files Folder
#

Common Files Folder
#

DPF files
#

{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}
#QuickTime Object - CodeBase = http://www.apple.com...ex/qtplugin.cab

{166B1BCA-3F9C-11CF-8075-444553540000}
#Shockwave ActiveX Control - CodeBase = http://download.macr...director/sw.cab

{215B8138-A3CF-44C5-803F-8226143CFC0A}
#Trend Micro ActiveX Scan Agent 6.5 - CodeBase = http://housecall65.t...ivex/hcImpl.cab

{6E32070A-766D-4EE6-879C-DC1FA91D2FC3}
#MUWebControl Class - CodeBase = http://update.micros...b?1145056415406

{6E5A37BF-FD42-463A-877C-4EB7002E68AE}
#Trend Micro ActiveX Scan Agent 6.5 - CodeBase = http://housecall65.t...ivex/hcImpl.cab

{8AD9C840-044E-11D1-B3E9-00805F499D93}
#Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/...indows-i586.cab

{A2E05F45-F127-4092-B9F7-9A02C3E04C77}
#HGPlugin7USA Class - CodeBase = http://gamedownload....GPlugin7USA.cab

{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}
#Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/...indows-i586.cab

{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
#Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/...indows-i586.cab

{CD995117-98E5-4169-9920-6C12D4C0B548}
#HGPlugin9USA Class - CodeBase = http://gamedownload....GPlugin9USA.cab

{D27CDB6E-AE6D-11CF-96B8-444553540000}
# - CodeBase = http://fpdownload.ma...ent/swflash.cab

DirectAnimation Java Classes
# - CodeBase = file://C:\WINDOWS\Java\classes\dajava.cab

Microsoft XML Parser for Java
# - CodeBase = file://C:\WINDOWS\Java\classes\xmldso.cab

Hosts file = 734 bytes. Reading all entries.
#C:\WINDOWS\System32\drivers\etc\Hosts

# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

#11 yesiammanu (Topic Starter, Member, 213 posts)
AddOn's

#Info or Value


#

< KEY HKLM\SOFTWARE\Microsoft\Ole (No SUBKEYS) >


#

HKLM\SOFTWARE\Microsoft\Ole\\DefaultLaunchPermission
#01 00 04 80 64 00 00 00 80 00 00 00 00 00 00 00 14 00 00 00 02 00 50 00 03 00 00 00 00 00 18 00 01 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 00 00 00 00 18 00 01 00 00 00 01 01 00 00 00 00 00 05 04 00 00 00 00 00 00 00 00 00 18 00 01 00 00 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 01 05 00 00 00 00 00 05 15 00 00 00 A0 5F 84 1F 5E 2E 6B 49 CE 12 03 03 F4 01 00 00 01 05 00 00 00 00 00 05 15 00 00 00 A0 5F 84 1F 5E 2E 6B 49 CE 12 03 03 F4 01 00 00

HKLM\SOFTWARE\Microsoft\Ole\\EnableDCOM
#Y

HKLM\SOFTWARE\Microsoft\Ole\\MachineLaunchRestriction
#01 00 04 80 48 00 00 00 58 00 00 00 00 00 00 00 14 00 00 00 02 00 34 00 02 00 00 00 00 00 18 00 1F 00 00 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 0B 00 00 00 01 01 00 00 00 00 00 01 00 00 00 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00

HKLM\SOFTWARE\Microsoft\Ole\\MachineAccessRestriction
#01 00 04 80 44 00 00 00 54 00 00 00 00 00 00 00 14 00 00 00 02 00 30 00 02 00 00 00 00 00 14 00 03 00 00 00 01 01 00 00 00 00 00 05 07 00 00 00 00 00 14 00 07 00 00 00 01 01 00 00 00 00 00 01 00 00 00 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00

HKLM\SOFTWARE\Microsoft\Ole\AppCompat
#

< KEY HKLM\SOFTWARE\Microsoft\Security Center (No SUBKEYS) >


#

HKLM\SOFTWARE\Microsoft\Security Center\\AntiVirusDisableNotify
#0

HKLM\SOFTWARE\Microsoft\Security Center\\FirewallDisableNotify
#0

HKLM\SOFTWARE\Microsoft\Security Center\\AntiVirusOverride
#1

HKLM\SOFTWARE\Microsoft\Security Center\\FirewallOverride
#1

HKLM\SOFTWARE\Microsoft\Security Center\\UpdatesDisableNotify
#0

HKLM\SOFTWARE\Microsoft\Security Center\Monitoring
#

< KEY HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate (No SUBKEYS) >


#

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\\DoNotAllowXPSP2
#0

< KEY HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile (No SUBKEYS) >


#

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\\EnableFirewall
#0

< KEY HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile (No SUBKEYS) >


#

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\\EnableFirewall
#0

< KEY HKLM\SYSTEM\CurrentControlSet\Control (No SUBKEYS) >


#

HKLM\SYSTEM\CurrentControlSet\Control\\CurrentUser
#USERNAME

HKLM\SYSTEM\CurrentControlSet\Control\\WaitToKillServiceTimeout
#20000

HKLM\SYSTEM\CurrentControlSet\Control\\SystemStartOptions
#FASTDETECT NOEXECUTE=OPTIN

HKLM\SYSTEM\CurrentControlSet\Control\\SystemBootDevice
#multi(0)disk(0)rdisk(0)partition(2)

HKLM\SYSTEM\CurrentControlSet\Control\AGP
#

HKLM\SYSTEM\CurrentControlSet\Control\Arbiters
#

HKLM\SYSTEM\CurrentControlSet\Control\BackupRestore
#

HKLM\SYSTEM\CurrentControlSet\Control\Biosinfo
#

HKLM\SYSTEM\CurrentControlSet\Control\BootVerificationProgram
#

HKLM\SYSTEM\CurrentControlSet\Control\Class
#

HKLM\SYSTEM\CurrentControlSet\Control\CoDeviceInstallers
#

HKLM\SYSTEM\CurrentControlSet\Control\COM Name Arbiter
#

HKLM\SYSTEM\CurrentControlSet\Control\ComputerName
#

HKLM\SYSTEM\CurrentControlSet\Control\ContentIndex
#

HKLM\SYSTEM\CurrentControlSet\Control\ContentIndexCommon
#

HKLM\SYSTEM\CurrentControlSet\Control\CrashControl
#

HKLM\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase
#

HKLM\SYSTEM\CurrentControlSet\Control\DeviceClasses
#

HKLM\SYSTEM\CurrentControlSet\Control\FileSystem
#

HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers
#

HKLM\SYSTEM\CurrentControlSet\Control\GroupOrderList
#

HKLM\SYSTEM\CurrentControlSet\Control\HAL
#

HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB
#

HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layout
#

HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layouts
#

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
#

HKLM\SYSTEM\CurrentControlSet\Control\MediaCategories
#

HKLM\SYSTEM\CurrentControlSet\Control\MediaInterfaces
#

HKLM\SYSTEM\CurrentControlSet\Control\MediaProperties
#

HKLM\SYSTEM\CurrentControlSet\Control\MediaResources
#

HKLM\SYSTEM\CurrentControlSet\Control\MediaSets
#

HKLM\SYSTEM\CurrentControlSet\Control\MediumCache
#

HKLM\SYSTEM\CurrentControlSet\Control\Network
#

HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider
#

HKLM\SYSTEM\CurrentControlSet\Control\Nls
#

HKLM\SYSTEM\CurrentControlSet\Control\NTMS
#

HKLM\SYSTEM\CurrentControlSet\Control\PnP
#

HKLM\SYSTEM\CurrentControlSet\Control\Print
#

HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl
#

HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions
#

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
#

HKLM\SYSTEM\CurrentControlSet\Control\ScsiPort
#

HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers
#

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders
#

HKLM\SYSTEM\CurrentControlSet\Control\Server Applications
#

HKLM\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder
#

HKLM\SYSTEM\CurrentControlSet\Control\ServiceProvider
#

HKLM\SYSTEM\CurrentControlSet\Control\Servicing
#

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager
#

HKLM\SYSTEM\CurrentControlSet\Control\Setup
#

HKLM\SYSTEM\CurrentControlSet\Control\StillImage
#

HKLM\SYSTEM\CurrentControlSet\Control\SystemResources
#

HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server
#

HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation
#

HKLM\SYSTEM\CurrentControlSet\Control\Update
#

HKLM\SYSTEM\CurrentControlSet\Control\UsbFlags
#

HKLM\SYSTEM\CurrentControlSet\Control\Video
#

HKLM\SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers
#

HKLM\SYSTEM\CurrentControlSet\Control\Watchdog
#

HKLM\SYSTEM\CurrentControlSet\Control\Windows
#

HKLM\SYSTEM\CurrentControlSet\Control\WMI
#

HKLM\SYSTEM\CurrentControlSet\Control\WOW
#

HKLM\SYSTEM\CurrentControlSet\Control\hivelist
#

HKLM\SYSTEM\CurrentControlSet\Control\ServiceCurrent
#

< KEY HKLM\SYSTEM\CurrentControlSet\Control\Lsa (No SUBKEYS) >


#

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
#msv1_0;

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\\Bounds
#00 30 00 00 00 20 00 00

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\\Security Packages
#kerberos;msv1_0;schannel;wdigest;

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\\LsaPid
#856

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\\SecureBoot
#1

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\\auditbaseobjects
#0

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\\crashonauditfail
#0

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\\disabledomaincreds
#0

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\\everyoneincludesanonymous
#0

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\\fipsalgorithmpolicy
#0

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\\forceguest
#1

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\\fullprivilegeauditing
#00

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\\limitblankpassworduse
#1

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\\lmcompatibilitylevel
#0

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\\nodefaultadminowner
#1

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\\nolmhash
#0

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\\restrictanonymous
#0

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\\restrictanonymoussam
#1

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\\Notification Packages
#scecli;

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\\ImpersonatePrivilegeUpgradeToolHasRun
#1

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\\enabledcom
#y

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders
#

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit
#

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Data
#

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\GBG
#

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\JD
#

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos
#

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\msv1_0
#

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Skew1
#

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SSO
#

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache
#

< KEY HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters (No SUBKEYS) >


#

HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\\autodisconnect
#15

HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\\enableforcedlogoff
#1

HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\\enablesecuritysignature
#0

HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\\requiresecuritysignature
#0

HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\\NullSessionPipes
#COMNAP;COMNODE;SQL\QUERY;SPOOLSS;LLSRPC;browser;

HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\\NullSessionShares
#COMCFG;DFS$;

HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\\ServiceDll
#%SystemRoot%\System32\srvsvc.dll

HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\\Lmannounce
#0

HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\\Size
#1

HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\\Guid
#61 2A 46 EF A6 41 38 41 9E F1 AB 1D 05 8D 2A E9

HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\\srvcomment
#

HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\\CachedOpenLimit
#0

HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\\AdjustedNullSessionPipes
#1

< KEY HKLM\SYSTEM\ControlSet001\Services\LanmanServer\Parameters (No SUBKEYS) >


#

HKLM\SYSTEM\ControlSet001\Services\LanmanServer\Parameters\\autodisconnect
#15

HKLM\SYSTEM\ControlSet001\Services\LanmanServer\Parameters\\enableforcedlogoff
#1

HKLM\SYSTEM\ControlSet001\Services\LanmanServer\Parameters\\enablesecuritysignature
#0

HKLM\SYSTEM\ControlSet001\Services\LanmanServer\Parameters\\requiresecuritysignature
#0

HKLM\SYSTEM\ControlSet001\Services\LanmanServer\Parameters\\NullSessionPipes
#COMNAP;COMNODE;SQL\QUERY;SPOOLSS;LLSRPC;browser;

HKLM\SYSTEM\ControlSet001\Services\LanmanServer\Parameters\\NullSessionShares
#COMCFG;DFS$;

HKLM\SYSTEM\ControlSet001\Services\LanmanServer\Parameters\\ServiceDll
#%SystemRoot%\System32\srvsvc.dll

HKLM\SYSTEM\ControlSet001\Services\LanmanServer\Parameters\\Lmannounce
#0

HKLM\SYSTEM\ControlSet001\Services\LanmanServer\Parameters\\Size
#1

HKLM\SYSTEM\ControlSet001\Services\LanmanServer\Parameters\\Guid
#61 2A 46 EF A6 41 38 41 9E F1 AB 1D 05 8D 2A E9

HKLM\SYSTEM\ControlSet001\Services\LanmanServer\Parameters\\srvcomment
#

HKLM\SYSTEM\ControlSet001\Services\LanmanServer\Parameters\\CachedOpenLimit
#0

HKLM\SYSTEM\ControlSet001\Services\LanmanServer\Parameters\\AdjustedNullSessionPipes
#1

< KEY HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\Parameters (No SUBKEYS) >


#

HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\Parameters\\enableplaintextpassword
#0

HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\Parameters\\enablesecuritysignature
#1

HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\Parameters\\requiresecuritysignature
#0

HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\Parameters\\ServiceDll
#%SystemRoot%\System32\wkssvc.dll

HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\Parameters\\OtherDomains
#

< KEY HKLM\SYSTEM\ControlSet001\Services\lanmanworkstation\Parameters (No SUBKEYS) >


#

HKLM\SYSTEM\ControlSet001\Services\lanmanworkstation\Parameters\\enableplaintextpassword
#0

HKLM\SYSTEM\ControlSet001\Services\lanmanworkstation\Parameters\\enablesecuritysignature
#1

HKLM\SYSTEM\ControlSet001\Services\lanmanworkstation\Parameters\\requiresecuritysignature
#0

HKLM\SYSTEM\ControlSet001\Services\lanmanworkstation\Parameters\\ServiceDll
#%SystemRoot%\System32\wkssvc.dll

HKLM\SYSTEM\ControlSet001\Services\lanmanworkstation\Parameters\\OtherDomains
#

< KEY HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess (No SUBKEYS) >


#

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\\Start
#2

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\\DisplayName
#Windows Firewall/Internet Connection Sharing (ICS)

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\\DependOnService
#Netman;WinMgmt;

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch
#

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters
#

< KEY HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry (No SUBKEYS) >


#

< KEY HKLM\SYSTEM\ControlSet001\Services\RemoteRegistry (No SUBKEYS) >


#

< KEY HKLM\SYSTEM\CurrentControlSet\Services\tcpipservice (No SUBKEYS) >


#

< KEY HKLM\SYSTEM\ControlSet001\Services\tcpipservice (No SUBKEYS) >


#

< KEY HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr (No SUBKEYS) >


#

< KEY HKLM\SYSTEM\ControlSet001\Services\TlntSvr (No SUBKEYS) >


#

< KEY HKLM\SYSTEM\CurrentControlSet\Services\wuauserv (No SUBKEYS) >


#

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\\Type
#32

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\\Start
#2

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\\ErrorControl
#1

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\\ImagePath
#%systemroot%\system32\svchost.exe -k netsvcs

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\\DisplayName
#Automatic Updates

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\\ObjectName
#LocalSystem

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\\Description
#Enables the download and installation of critical Windows updates. If the service is disabled, the operating system can be manually updated at the Windows Update Web site.

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters
#

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Security
#

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Enum
#

< KEY HKLM\SYSTEM\ControlSet001\Services\wuauserv (No SUBKEYS) >


#

HKLM\SYSTEM\ControlSet001\Services\wuauserv\\Type
#32

HKLM\SYSTEM\ControlSet001\Services\wuauserv\\Start
#2

HKLM\SYSTEM\ControlSet001\Services\wuauserv\\ErrorControl
#1

HKLM\SYSTEM\ControlSet001\Services\wuauserv\\ImagePath
#%systemroot%\system32\svchost.exe -k netsvcs

HKLM\SYSTEM\ControlSet001\Services\wuauserv\\DisplayName
#Automatic Updates

HKLM\SYSTEM\ControlSet001\Services\wuauserv\\ObjectName
#LocalSystem

HKLM\SYSTEM\ControlSet001\Services\wuauserv\\Description
#Enables the download and installation of critical Windows updates. If the service is disabled, the operating system can be manually updated at the Windows Update Web site.

HKLM\SYSTEM\ControlSet001\Services\wuauserv\Parameters
#

HKLM\SYSTEM\ControlSet001\Services\wuauserv\Security
#

HKLM\SYSTEM\ControlSet001\Services\wuauserv\Enum
#

< KEY HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings (No SUBKEYS) >


#

HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings\\ProxyEnable
#0

< KEY HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings (No SUBKEYS) >


#

HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\\ProxyEnable
#0


#

< KEY HKLM\SOFTWARE\Microsoft\Ole (Include SUBKEYS) >


#

HKLM\SOFTWARE\Microsoft\Ole\\DefaultLaunchPermission
#01 00 04 80 64 00 00 00 80 00 00 00 00 00 00 00 14 00 00 00 02 00 50 00 03 00 00 00 00 00 18 00 01 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 00 00 00 00 18 00 01 00 00 00 01 01 00 00 00 00 00 05 04 00 00 00 00 00 00 00 00 00 18 00 01 00 00 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 01 05 00 00 00 00 00 05 15 00 00 00 A0 5F 84 1F 5E 2E 6B 49 CE 12 03 03 F4 01 00 00 01 05 00 00 00 00 00 05 15 00 00 00 A0 5F 84 1F 5E 2E 6B 49 CE 12 03 03 F4 01 00 00

HKLM\SOFTWARE\Microsoft\Ole\\EnableDCOM
#Y

HKLM\SOFTWARE\Microsoft\Ole\\MachineLaunchRestriction
#01 00 04 80 48 00 00 00 58 00 00 00 00 00 00 00 14 00 00 00 02 00 34 00 02 00 00 00 00 00 18 00 1F 00 00 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 0B 00 00 00 01 01 00 00 00 00 00 01 00 00 00 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00

HKLM\SOFTWARE\Microsoft\Ole\\MachineAccessRestriction
#01 00 04 80 44 00 00 00 54 00 00 00 00 00 00 00 14 00 00 00 02 00 30 00 02 00 00 00 00 00 14 00 03 00 00 00 01 01 00 00 00 00 00 05 07 00 00 00 00 00 14 00 07 00 00 00 01 01 00 00 00 00 00 01 00 00 00 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00

HKLM\SOFTWARE\Microsoft\Ole\AppCompat
#

HKLM\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList
#

HKLM\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\\{A50398B8-9075-4FBF-A7A1-456BF21937AD}
#1

HKLM\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\\{AD65A69D-3831-40D7-9629-9B0B50A93843}
#1

HKLM\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\\{0040D221-54A1-11D1-9DE0-006097042D69}
#1

HKLM\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\\{2A6D72F1-6E7E-4702-B99C-E40D3DED33C3}
#1

< KEY HKLM\SOFTWARE\Microsoft\Security Center (Include SUBKEYS) >


#

HKLM\SOFTWARE\Microsoft\Security Center\\AntiVirusDisableNotify
#0

HKLM\SOFTWARE\Microsoft\Security Center\\FirewallDisableNotify
#0

HKLM\SOFTWARE\Microsoft\Security Center\\AntiVirusOverride
#1

HKLM\SOFTWARE\Microsoft\Security Center\\FirewallOverride
#1

HKLM\SOFTWARE\Microsoft\Security Center\\UpdatesDisableNotify
#0

HKLM\SOFTWARE\Microsoft\Security Center\Monitoring
#

HKLM\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus
#

HKLM\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus
#

HKLM\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus
#

HKLM\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus
#

HKLM\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall
#

HKLM\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus
#

HKLM\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall
#

HKLM\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus
#

HKLM\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus
#

HKLM\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall
#

HKLM\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall
#

HKLM\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus
#

HKLM\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall
#

HKLM\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall
#

< KEY HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate (Include SUBKEYS) >


#

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\\DoNotAllowXPSP2
#0

< KEY HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile (Include SUBKEYS) >


#

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\\EnableFirewall
#0

< KEY HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile (Include SUBKEYS) >


#

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\\EnableFirewall
#0

< KEY HKLM\SYSTEM\CurrentControlSet\Control (No SUBKEYS) >


#

HKLM\SYSTEM\CurrentControlSet\Control\\CurrentUser
#USERNAME

HKLM\SYSTEM\CurrentControlSet\Control\\WaitToKillServiceTimeout
#20000

HKLM\SYSTEM\CurrentControlSet\Control\\SystemStartOptions
#FASTDETECT NOEXECUTE=OPTIN

HKLM\SYSTEM\CurrentControlSet\Control\\SystemBootDevice
#multi(0)disk(0)rdisk(0)partition(2)

HKLM\SYSTEM\CurrentControlSet\Control\AGP
#

HKLM\SYSTEM\CurrentControlSet\Control\Arbiters
#

HKLM\SYSTEM\CurrentControlSet\Control\BackupRestore
#

HKLM\SYSTEM\CurrentControlSet\Control\Biosinfo
#

HKLM\SYSTEM\CurrentControlSet\Control\BootVerificationProgram
#

HKLM\SYSTEM\CurrentControlSet\Control\Class
#

HKLM\SYSTEM\CurrentControlSet\Control\CoDeviceInstallers
#

HKLM\SYSTEM\CurrentControlSet\Control\COM Name Arbiter
#

HKLM\SYSTEM\CurrentControlSet\Control\ComputerName
#

HKLM\SYSTEM\CurrentControlSet\Control\ContentIndex
#

HKLM\SYSTEM\CurrentControlSet\Control\ContentIndexCommon
#

HKLM\SYSTEM\CurrentControlSet\Control\CrashControl
#

HKLM\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase
#

HKLM\SYSTEM\CurrentControlSet\Control\DeviceClasses
#

HKLM\SYSTEM\CurrentControlSet\Control\FileSystem
#

HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers
#

HKLM\SYSTEM\CurrentControlSet\Control\GroupOrderList
#

HKLM\SYSTEM\CurrentControlSet\Control\HAL
#

HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB
#

HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layout
#

HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layouts
#

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
#

HKLM\SYSTEM\CurrentControlSet\Control\MediaCategories
#

HKLM\SYSTEM\CurrentControlSet\Control\MediaInterfaces
#

HKLM\SYSTEM\CurrentControlSet\Control\MediaProperties
#

HKLM\SYSTEM\CurrentControlSet\Control\MediaResources
#

HKLM\SYSTEM\CurrentControlSet\Control\MediaSets
#

HKLM\SYSTEM\CurrentControlSet\Control\MediumCache
#

HKLM\SYSTEM\CurrentControlSet\Control\Network
#

HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider
#

HKLM\SYSTEM\CurrentControlSet\Control\Nls
#

HKLM\SYSTEM\CurrentControlSet\Control\NTMS
#

HKLM\SYSTEM\CurrentControlSet\Control\PnP
#

HKLM\SYSTEM\CurrentControlSet\Control\Print
#

HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl
#

HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions
#

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
#

HKLM\SYSTEM\CurrentControlSet\Control\ScsiPort
#

HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers
#

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders
#

HKLM\SYSTEM\CurrentControlSet\Control\Server Applications
#

HKLM\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder
#

HKLM\SYSTEM\CurrentControlSet\Control\ServiceProvider
#

HKLM\SYSTEM\CurrentControlSet\Control\Servicing
#

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager
#

HKLM\SYSTEM\CurrentControlSet\Control\Setup
#

HKLM\SYSTEM\CurrentControlSet\Control\StillImage
#

HKLM\SYSTEM\CurrentControlSet\Control\SystemResources
#

HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server
#

HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation
#

HKLM\SYSTEM\CurrentControlSet\Control\Update
#

HKLM\SYSTEM\CurrentControlSet\Control\UsbFlags
#

HKLM\SYSTEM\CurrentControlSet\Control\Video
#

HKLM\SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers
#

HKLM\SYSTEM\CurrentControlSet\Control\Watchdog
#

HKLM\SYSTEM\CurrentControlSet\Control\Windows
#

HKLM\SYSTEM\CurrentControlSet\Control\WMI
#

HKLM\SYSTEM\CurrentControlSet\Control\WOW
#

HKLM\SYSTEM\CurrentControlSet\Control\hivelist
#

HKLM\SYSTEM\CurrentControlSet\Control\ServiceCurrent
#

< KEY HKLM\SYSTEM\CurrentControlSet\Control\Lsa (Include SUBKEYS) >


#

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
#msv1_0;

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\\Bounds
#00 30 00 00 00 20 00 00

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\\Security Packages
#kerberos;msv1_0;schannel;wdigest;

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\\LsaPid
#856

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\\SecureBoot
#1

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\\auditbaseobjects
#0

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\\crashonauditfail
#0

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\\disabledomaincreds
#0

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\\everyoneincludesanonymous
#0

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\\fipsalgorithmpolicy
#0

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\\forceguest
#1

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\\fullprivilegeauditing
#00

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\\limitblankpassworduse
#1

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\\lmcompatibilitylevel
#0

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\\nodefaultadminowner
#1

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\\nolmhash
#0

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\\restrictanonymous
#0

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\\restrictanonymoussam
#1

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\\Notification Packages
#scecli;

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\\ImpersonatePrivilegeUpgradeToolHasRun
#1

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\\enabledcom
#y

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders
#

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\\ProviderOrder
#Windows NT Access Provider;

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider
#

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider\\ProviderPath
#%SystemRoot%\system32\ntmarta.dll

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit
#

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing
#

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System
#

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Data
#

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Data\\Pattern
#4A B4 62 FC CC 0D 10 6C 4E 8C 37 D7 1B 63 B6 58 31 33 61 66 39 32 35 66 00 00 00 00 01 00 00 00 B4 01 00 00 B8 01 00 00 34 CA 06 00 45 9D BF 71 04 00 00 00 10 00 00 00 00 00 00 00 5F AD 73 2E

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\GBG
#

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\GBG\\GrafBlumGroup
#9C 8B 96 70 9D A1 AB 95 39

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\JD
#

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\JD\\Lookup
#2A 02 1A 3A AB B1

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos
#

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains
#

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\SidCache
#

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\msv1_0
#

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\msv1_0\\ntlmminclientsec
#0

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\msv1_0\\ntlmminserversec
#0

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Skew1
#

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Skew1\\SkewMatrix
#E3 EB 77 DA 17 63 89 F3 66 DA E9 19 D1 29 52 90

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SSO
#

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4
#

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4\\SSOURL
#http://www.passport.com

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache
#

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\\Time
#FC 18 14 82 1B A3 C6 01

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll
#

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Name
#Digest

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Comment
#Digest SSPI Authentication Package

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Capabilities
#16464

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\RpcId
#65535

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Version
#1

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\TokenSize
#65535

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Time
#00 D9 4A 94 F8 79 C4 01

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Type
#49

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll
#

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Name
#DPA

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Comment
#DPA Security Package

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Capabilities
#55

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\RpcId
#17

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Version
#1

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\TokenSize
#768

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Time
#00 D9 4A 94 F8 79 C4 01

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Type
#49

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll
#

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Name
#MSN

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Comment
#MSN Security Package

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Capabilities
#55

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\RpcId
#18

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Version
#1

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\TokenSize
#768

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Time
#80 6F E3 94 F8 79 C4 01

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Type
#49

< KEY HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters (No SUBKEYS) >


#

HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\\autodisconnect
#15

HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\\enableforcedlogoff
#1

HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\\enablesecuritysignature
#0

HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\\requiresecuritysignature
#0

HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\\NullSessionPipes
#COMNAP;COMNODE;SQL\QUERY;SPOOLSS;LLSRPC;browser;

HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\\NullSessionShares
#COMCFG;DFS$;

HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\\ServiceDll
#%SystemRoot%\System32\srvsvc.dll

HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\\Lmannounce
#0

HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\\Size
#1

HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\\Guid
#61 2A 46 EF A6 41 38 41 9E F1 AB 1D 05 8D 2A E9

HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\\srvcomment
#

HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\\CachedOpenLimit
#0

HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\\AdjustedNullSessionPipes
#1

< KEY HKLM\SYSTEM\ControlSet001\Services\LanmanServer\Parameters (No SUBKEYS) >


#

HKLM\SYSTEM\ControlSet001\Services\LanmanServer\Parameters\\autodisconnect
#15

HKLM\SYSTEM\ControlSet001\Services\LanmanServer\Parameters\\enableforcedlogoff
#1

HKLM\SYSTEM\ControlSet001\Services\LanmanServer\Parameters\\enablesecuritysignature
#0

HKLM\SYSTEM\ControlSet001\Services\LanmanServer\Parameters\\requiresecuritysignature
#0

HKLM\SYSTEM\ControlSet001\Services\LanmanServer\Parameters\\NullSessionPipes
#COMNAP;COMNODE;SQL\QUERY;SPOOLSS;LLSRPC;browser;

HKLM\SYSTEM\ControlSet001\Services\LanmanServer\Parameters\\NullSessionShares
#COMCFG;DFS$;

HKLM\SYSTEM\ControlSet001\Services\LanmanServer\Parameters\\ServiceDll
#%SystemRoot%\System32\srvsvc.dll

HKLM\SYSTEM\ControlSet001\Services\LanmanServer\Parameters\\Lmannounce
#0

HKLM\SYSTEM\ControlSet001\Services\LanmanServer\Parameters\\Size
#1

HKLM\SYSTEM\ControlSet001\Services\LanmanServer\Parameters\\Guid
#61 2A 46 EF A6 41 38 41 9E F1 AB 1D 05 8D 2A E9

HKLM\SYSTEM\ControlSet001\Services\LanmanServer\Parameters\\srvcomment
#

HKLM\SYSTEM\ControlSet001\Services\LanmanServer\Parameters\\CachedOpenLimit
#0

HKLM\SYSTEM\ControlSet001\Services\LanmanServer\Parameters\\AdjustedNullSessionPipes
#1

< KEY HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\Parameters (No SUBKEYS) >


#

HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\Parameters\\enableplaintextpassword
#0

HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\Parameters\\enablesecuritysignature
#1

HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\Parameters\\requiresecuritysignature
#0

HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\Parameters\\ServiceDll
#%SystemRoot%\System32\wkssvc.dll

HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\Parameters\\OtherDomains
#

< KEY HKLM\SYSTEM\ControlSet001\Services\lanmanworkstation\Parameters (No SUBKEYS) >


#

HKLM\SYSTEM\ControlSet001\Services\lanmanworkstation\Parameters\\enableplaintextpassword
#0

HKLM\SYSTEM\ControlSet001\Services\lanmanworkstation\Parameters\\enablesecuritysignature
#1

HKLM\SYSTEM\ControlSet001\Services\lanmanworkstation\Parameters\\requiresecuritysignature
#0

HKLM\SYSTEM\ControlSet001\Services\lanmanworkstation\Parameters\\ServiceDll
#%SystemRoot%\System32\wkssvc.dll

HKLM\SYSTEM\ControlSet001\Services\lanmanworkstation\Parameters\\OtherDomains
#

< KEY HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess (Include SUBKEYS) >


#

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\\Start
#2

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\\DisplayName
#Windows Firewall/Internet Connection Sharing (ICS)

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\\DependOnService
#Netman;WinMgmt;

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch
#

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters
#

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
#

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
#

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications
#

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
#

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\C:\Program Files\MSN Messenger\msnmsgr.exe
#C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:MSN Messenger 7.0

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts
#

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List
#

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\139:TCP
#139:TCP:*:Enabled:@xpsp2res.dll,-22004

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\445:TCP
#445:TCP:*:Enabled:@xpsp2res.dll,-22005

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\137:UDP
#137:UDP:*:Enabled:@xpsp2res.dll,-22001

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\138:UDP
#138:UDP:*:Enabled:@xpsp2res.dll,-22002

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
#

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications
#

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
#

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\BitTorrent\bittorrent.exe
#C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\MSN Messenger\msnmsgr.exe
#C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:MSN Messenger 7.0

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\system32\vssms32.exe
#C:\WINDOWS\system32\vssms32.exe:*:Enabled:Dnode

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts
#

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
#

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\139:TCP
#139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\445:TCP
#445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\137:UDP
#137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\138:UDP
#138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

< KEY HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry (Include SUBKEYS) >


#

< KEY HKLM\SYSTEM\ControlSet001\Services\RemoteRegistry (Include SUBKEYS) >


#

< KEY HKLM\SYSTEM\CurrentControlSet\Services\tcpipservice (Include SUBKEYS) >


#

< KEY HKLM\SYSTEM\ControlSet001\Services\tcpipservice (Include SUBKEYS) >


#

< KEY HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr (Include SUBKEYS) >


#

< KEY HKLM\SYSTEM\ControlSet001\Services\TlntSvr (Include SUBKEYS) >


#

< KEY HKLM\SYSTEM\CurrentControlSet\Services\wuauserv (Include SUBKEYS) >


#

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\\Type
#32

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\\Start
#2

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\\ErrorControl
#1

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\\ImagePath
#%systemroot%\system32\svchost.exe -k netsvcs

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\\DisplayName
#Automatic Updates

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\\ObjectName
#LocalSystem

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\\Description
#Enables the download and installation of critical Windows updates. If the service is disabled, the operating system can be manually updated at the Windows Update Web site.

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters
#

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters\\ServiceDll
#C:\WINDOWS\System32\wuauserv.dll

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Security
#

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Security\\Security
#01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Enum
#

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\0
#Root\LEGACY_WUAUSERV\0000

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\Count
#1

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\NextInstance
#1

< KEY HKLM\SYSTEM\ControlSet001\Services\wuauserv (Include SUBKEYS) >


#

HKLM\SYSTEM\ControlSet001\Services\wuauserv\\Type
#32

HKLM\SYSTEM\ControlSet001\Services\wuauserv\\Start
#2

HKLM\SYSTEM\ControlSet001\Services\wuauserv\\ErrorControl
#1

HKLM\SYSTEM\ControlSet001\Services\wuauserv\\ImagePath
#%systemroot%\system32\svchost.exe -k netsvcs

HKLM\SYSTEM\ControlSet001\Services\wuauserv\\DisplayName
#Automatic Updates

HKLM\SYSTEM\ControlSet001\Services\wuauserv\\ObjectName
#LocalSystem

HKLM\SYSTEM\ControlSet001\Services\wuauserv\\Description
#Enables the download and installation of critical Windows updates. If the service is disabled, the operating system can be manually updated at the Windows Update Web site.

HKLM\SYSTEM\ControlSet001\Services\wuauserv\Parameters
#

HKLM\SYSTEM\ControlSet001\Services\wuauserv\Parameters\\ServiceDll
#C:\WINDOWS\System32\wuauserv.dll

HKLM\SYSTEM\ControlSet001\Services\wuauserv\Security
#

HKLM\SYSTEM\ControlSet001\Services\wuauserv\Security\\Security
#01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00

HKLM\SYSTEM\ControlSet001\Services\wuauserv\Enum
#

HKLM\SYSTEM\ControlSet001\Services\wuauserv\Enum\\0
#Root\LEGACY_WUAUSERV\0000

HKLM\SYSTEM\ControlSet001\Services\wuauserv\Enum\\Count
#1

HKLM\SYSTEM\ControlSet001\Services\wuauserv\Enum\\NextInstance
#1

< KEY HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings (Include SUBKEYS) >


#

HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings\\ProxyEnable
#0

< KEY HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings (Include SUBKEYS) >


#

HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\\ProxyEnable
#0

Thanks for the help :blink:
~Yesiammanu :whistling:

Edited by yesiammanu, 17 September 2006 - 10:21 PM.

  • 0
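Added example, not part of the thread and not code from any tool it mentions: the Security\Security value dumped above for wuauserv is a self-relative Windows SECURITY_DESCRIPTOR, and a dump like this is only useful if someone can read it. The Python below (the language is my choice; the thread contains no code) parses that exact byte string into owner, SACL and DACL, names the service-specific rights in every ACE, and flags any allow-ACE that hands a non-administrative SID SERVICE_CHANGE_CONFIG, WRITE_DAC or WRITE_OWNER, which is what a tampered service ACL looks like. The trusted-SID set is an assumption, and the "tampered" variant (one mask byte changed on the Authenticated Users ACE) is constructed for illustration.

```python
"""Decode a service's Security\\Security registry value (a self-relative SECURITY_DESCRIPTOR)
and flag DACL entries that would let a low-privileged account hijack the service."""
import struct
from dataclasses import dataclass

# Input copied from the wuauserv dump in this thread (hex bytes as the dump shows them).
WUAUSERV_SECURITY_HEX = (
    "01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 "
    "02 00 1C 00 01 00 00 00 "
    "02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 "
    "02 00 60 00 04 00 00 00 "
    "00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 "
    "00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 "
    "00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 "
    "00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 "
    "01 01 00 00 00 00 00 05 12 00 00 00 "
    "01 01 00 00 00 00 00 05 12 00 00 00"
)
# Constructed variant (not from the thread): the Authenticated Users ACE mask 0x0002018D becomes
# 0x0002018F, i.e. SERVICE_CHANGE_CONFIG is granted to every logged-on user.
TAMPERED_SECURITY_HEX = WUAUSERV_SECURITY_HEX.replace("8D 01 02 00", "8F 01 02 00")

SE_DACL_PRESENT, SE_SACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x0010, 0x8000
ACE_TYPES = {0: "ACCESS_ALLOWED", 1: "ACCESS_DENIED", 2: "SYSTEM_AUDIT"}
SERVICE_RIGHTS = [  # service-specific rights, then the standard rights that matter for services
    (0x0001, "SERVICE_QUERY_CONFIG"), (0x0002, "SERVICE_CHANGE_CONFIG"),
    (0x0004, "SERVICE_QUERY_STATUS"), (0x0008, "SERVICE_ENUMERATE_DEPENDENTS"),
    (0x0010, "SERVICE_START"), (0x0020, "SERVICE_STOP"), (0x0040, "SERVICE_PAUSE_CONTINUE"),
    (0x0080, "SERVICE_INTERROGATE"), (0x0100, "SERVICE_USER_DEFINED_CONTROL"),
    (0x10000, "DELETE"), (0x20000, "READ_CONTROL"), (0x40000, "WRITE_DAC"), (0x80000, "WRITE_OWNER"),
]
# Any of these lets the holder repoint the service binary or rewrite its ACL: escalation to LocalSystem.
TAKEOVER_MASK = 0x0002 | 0x40000 | 0x80000
# Principals expected to hold such rights (an assumption of this check): LocalSystem, BUILTIN\Administrators.
TRUSTED_SIDS = frozenset({"S-1-5-18", "S-1-5-32-544"})


@dataclass
class Ace:
    ace_type: int
    flags: int
    mask: int
    sid: str


def parse_sid(buf, off):
    """SID: revision, sub-authority count, 48-bit big-endian authority, little-endian sub-authorities."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)


def parse_acl(buf, off):
    """8-byte ACL header followed by AceCount ACEs; each ACE carries its own size, so skip by it."""
    _rev, _sbz1, size, count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    aces, pos = [], off + 8
    for _ in range(count):
        ace_type, flags, ace_size = struct.unpack_from("<BBH", buf, pos)
        (mask,) = struct.unpack_from("<I", buf, pos + 4)
        aces.append(Ace(ace_type, flags, mask, parse_sid(buf, pos + 8)))
        pos += ace_size
    if pos != off + size:
        raise ValueError("ACL size field does not match its ACEs")
    return aces


def parse_security_descriptor(buf):
    rev, _sbz1, control, owner, group, sacl, dacl = struct.unpack_from("<BBHIIII", buf, 0)
    if rev != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a revision-1 self-relative security descriptor")
    # A present-but-NULL DACL (offset 0) grants everyone full access; keep it distinct from "no DACL".
    if control & SE_DACL_PRESENT:
        dacl_aces = None if dacl == 0 else parse_acl(buf, dacl)
    else:
        dacl_aces = []
    return {
        "control": control,
        "owner": parse_sid(buf, owner) if owner else None,
        "group": parse_sid(buf, group) if group else None,
        "sacl": parse_acl(buf, sacl) if (control & SE_SACL_PRESENT and sacl) else [],
        "dacl": dacl_aces,
    }


def rights_names(mask):
    return [name for bit, name in SERVICE_RIGHTS if mask & bit]


def takeover_grants(dacl, trusted=TRUSTED_SIDS):
    """Allow-ACEs giving an untrusted SID any takeover right. A NULL DACL is reported as Everyone."""
    if dacl is None:
        return [("S-1-1-0", rights_names(TAKEOVER_MASK))]
    return [(a.sid, rights_names(a.mask & TAKEOVER_MASK)) for a in dacl
            if a.ace_type == 0 and a.sid not in trusted and a.mask & TAKEOVER_MASK]


def audit(hex_value):
    """Parse one dumped Security value; returns (descriptor, list of suspicious grants)."""
    sd = parse_security_descriptor(bytes.fromhex(hex_value.replace(" ", "")))
    return sd, takeover_grants(sd["dacl"])


if __name__ == "__main__":
    for label, value in (("wuauserv as dumped", WUAUSERV_SECURITY_HEX),
                         ("constructed tampered copy", TAMPERED_SECURITY_HEX)):
        sd, bad = audit(value)
        print(label, "- owner", sd["owner"])
        for a in sd["dacl"] or []:
            print("  %-14s %-14s 0x%05X %s" % (ACE_TYPES.get(a.ace_type, a.ace_type),
                                              a.sid, a.mask, ", ".join(rights_names(a.mask))))
        print("  takeover grants:", bad or "none")
```

On the descriptor as dumped, SYSTEM and Power Users hold 0x201FD (everything except SERVICE_CHANGE_CONFIG), Administrators hold 0xF01FF (SERVICE_ALL_ACCESS), Authenticated Users hold 0x2018D (query, interrogate and user-defined control only), and the SACL carries a failed-access audit ACE for Everyone. That matches the Windows XP default for services, so this particular value points at nothing; the decoder earns its keep when run over every Services\*\Security value in a dump like this, because a service whose DACL lets ordinary users change its ImagePath is a direct route to LocalSystem.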

#12
don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Let's get after the files we see.

*Please open Notepad and save these instructions. Name it something you will remember.
*Click Here to download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\system32\vssms32.exe 
C:\WINDOWS\system32\ldapi32.exe 
C:\WINDOWS\system32\ntcvx32.dll 
C:\WINDOWS\system32\ntswrl32.dll 

*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click on “All Files”
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

Your computer should restart automatically; if not, restart it manually.

Next

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

  • 0

#13
yesiammanu

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 213 posts

I can't copy+paste multiple things into Killbox, and when I paste C:\WINDOWS\system32\vssms32.exe, it says in blue vssms32.exe, but when I do any other it does not. If I put vssms32.exe at the end of the copy+paste, it will only put vssms, regardless of its position.
  • 0

#14
don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Please copy these instructions to Notepad and save them to your desktop.

*In the Killbox program, select the Delete on Reboot option.
*In the field labeled Full Path of File to Delete enter the file paths listed below ONE AT A TIME (EXACTLY as it appears, please double check to make sure!):

C:\WINDOWS\system32\vssms32.exe
C:\WINDOWS\system32\ldapi32.exe
C:\WINDOWS\system32\ntcvx32.dll
C:\WINDOWS\system32\ntswrl32.dll


Press the button that looks like a red circle with a white X in it after each one. When it asks if you would like to delete on reboot, press the YES button, when it asks if you want to reboot now, press the NO button. Do this after each one until you have entered the LAST file path I have listed above. After that LAST file path has been entered, press the YES button at both prompts so that your computer restarts. If you receive a message and your computer does not restart automatically, please restart it manually.
Then run the scan with Kaspersky and post back what it finds, please.
  • 0
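Added example, not from the thread and not Killbox's own code: the "Delete on Reboot" step in posts #12 and #14 above relies on Windows' deferred file-operations list, the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, which the session manager processes at the next boot before anything can hold the files open (MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT is what populates it). That Killbox itself goes through MoveFileEx is an assumption; the thread does not say. The Python below (language is my choice) encodes the four listed paths as that value, decodes it back, and queues only files it can find, reproducing the "This file does not seem to exist" refusal; the simulated filesystem in the demo is constructed. It only builds bytes and never touches the registry or the disk.

```python
"""Encode and decode the REG_MULTI_SZ value behind "delete on reboot":
HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\PendingFileRenameOperations.
Entries are (source, destination) pairs in NT object-manager form (\\??\\C:\\...); an empty
destination means delete, and a destination starting with "!" means replace an existing file."""
import os

NT_PREFIX = "\\??\\"

# The four paths don77 asked to be queued (from the thread); nothing is touched on disk here.
TARGETS = [
    r"C:\WINDOWS\system32\vssms32.exe",
    r"C:\WINDOWS\system32\ldapi32.exe",
    r"C:\WINDOWS\system32\ntcvx32.dll",
    r"C:\WINDOWS\system32\ntswrl32.dll",
]


def to_nt(path):
    return path if path.startswith(NT_PREFIX) else NT_PREFIX + path


def from_nt(path):
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def encode_pending_ops(ops):
    """ops: iterable of (source, destination). Returns the raw UTF-16LE REG_MULTI_SZ bytes:
    every string NUL-terminated, an empty string for 'delete', one extra NUL closing the list."""
    strings = []
    for src, dst in ops:
        strings.append(to_nt(src))
        if dst == "":
            strings.append("")
        elif dst.startswith("!"):
            strings.append("!" + to_nt(dst[1:]))
        else:
            strings.append(to_nt(dst))
    return ("".join(s + "\0" for s in strings) + "\0").encode("utf-16-le")


def decode_pending_ops(raw):
    """Inverse of encode_pending_ops. The trap: a delete entry is an EMPTY string, so a generic
    MULTI_SZ reader that stops at the first empty string silently drops every later entry."""
    text = raw.decode("utf-16-le")
    if text.strip("\0") == "":
        return []
    if not text.endswith("\0\0"):
        raise ValueError("missing MULTI_SZ terminator")
    strings = text[:-1].split("\0")[:-1]  # drop list terminator, then the empty tail of the last NUL
    if len(strings) % 2:
        raise ValueError("odd number of strings: not source/destination pairs")
    ops = []
    for src, dst in zip(strings[0::2], strings[1::2]):
        if dst == "":
            action, dest = "delete", None
        elif dst.startswith("!"):
            action, dest = "replace", from_nt(dst[1:])
        else:
            action, dest = "rename", from_nt(dst)
        ops.append({"source": from_nt(src), "destination": dest, "action": action})
    return ops


def pending_deletes(raw):
    return [op["source"] for op in decode_pending_ops(raw) if op["action"] == "delete"]


def queue_deletes(paths, exists=os.path.exists):
    """Queue only files that exist, mirroring the 'file does not seem to exist' refusal in the thread.
    Returns (raw value to write, paths that were skipped). Actually writing the value, or calling
    MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT), is deliberately left out."""
    present = [p for p in paths if exists(p)]
    missing = [p for p in paths if not exists(p)]
    return encode_pending_ops((p, "") for p in present), missing


if __name__ == "__main__":
    fake_fs = lambda p: p.endswith(".dll")  # constructed: pretend only the two DLLs are on disk
    raw, missing = queue_deletes(TARGETS, exists=fake_fs)
    print("queued for deletion at next boot:", pending_deletes(raw))
    print("skipped, not found:", missing)
    print("raw REG_MULTI_SZ:", raw.hex())
```

The decoder is the half worth keeping: malware uses the same value to swap a system DLL for its own copy at boot, so dumping and decoding PendingFileRenameOperations belongs in an incident-response checklist next to the service keys. Any "rename" or "replace" entry whose destination is under System32 deserves a look, and an entry that names a file which no longer exists (the situation this thread ran into) is either already processed or was never valid to begin with.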

#15
yesiammanu

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 213 posts
For all of the files, it says "This file does not seem to exist". I'm running Kaspersky now.

~Yesiammanu :whistling:
  • 0





