Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Nasty Bifrose Trojan [RESOLVED]

Started by demeggy , May 28 2008 05:59 AM

  • This topic is locked This topic is locked

#16
demeggy
Posted 01 June 2008 - 12:55 PM

demeggy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
Cheers Mike,

so we have:

OTMoveIt2:

C:\WINDOWS\WinUpdate.exe moved successfully.
C:\WINDOWS\TFTP768 moved successfully.
C:\WINDOWS\TFTP396 moved successfully.
C:\WINDOWS\TFTP308 moved successfully.
C:\WINDOWS\TFTP1756 moved successfully.
C:\WINDOWS\TFTP1824 moved successfully.
C:\WINDOWS\TFTP2244 moved successfully.
C:\WINDOWS\TFTP324 moved successfully.
C:\WINDOWS\TFTP2552 moved successfully.
< HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\\{7E853D72-626A-48EC-A868-BA8D5E23E045} >
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\\{7E853D72-626A-48EC-A868-BA8D5E23E045} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7E853D72-626A-48EC-A868-BA8D5E23E045}\ not found.
< emptytemp >
File delete failed. C:\DOCUME~1\Kris\LOCALS~1\Temp\~DF327E.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Kris\LOCALS~1\Temp\~DF3289.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Kris\LOCALS~1\Temp\~DF3BC1.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Kris\LOCALS~1\Temp\~DF3BE0.tmp scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
 
OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06012008_191121

Files moved on Reboot...
File C:\DOCUME~1\Kris\LOCALS~1\Temp\~DF327E.tmp not found!
File C:\DOCUME~1\Kris\LOCALS~1\Temp\~DF3289.tmp not found!
File C:\DOCUME~1\Kris\LOCALS~1\Temp\~DF3BC1.tmp not found!
File C:\DOCUME~1\Kris\LOCALS~1\Temp\~DF3BE0.tmp not found!

PEEKBAT.BAT

Volume in drive C has no label.
 Volume Serial Number is 88E3-B94F

--

MBAM comes up with this error once its supposedly installed (or is installing);

"Run-Time Error '372' - Failed to load control 'vbalGrid' from vbalsgrid6.ocx. Your version of vbalsgrid6.ocx may be outdated. Make sure you are using the version of the control that was provided with your application'

In answer, My comp's still running same as before so far. Still no soundcard detected, can't copy n paste etc.

Does the MBAM error make any sense?
  • 0

Advertisements

#17
Mike
Posted 02 June 2008 - 03:27 AM

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi there demeggy,

Don't worry about MBAM, it is probably related to your installer issue.

If you navigate to C:\Windows\System32, do you see a folder named explorer? If so could you please tell me what is in it, if not thats fine.
Be careful not to delete anything in the system32 folder, alot of the files will have malware-ish names but are legit.

Step 1. Deckards' System Scanner

Please Re-run Deckards' System Scanner
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open one Notepad main.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt in your next reply.

Step 2. Running Kaspersky Online Virusscaner

Please run a free online scan with Kaspersky AntiVirus (works only with MS Internet Explorer 5.0 or higher).
Go to http://www.kaspersky.com/virusscanner and click the "Kaspersky Online Scanner" button (NOT "Kaspersky File Scanner").
  • In the new window that opens, click the "Accept" button to accept the user agreement, install the ActiveX control, and download the program.
  • When you get the Windows dialog asking if you want to install this software, click the "Install" button.
  • When the "Update progress" line changes to "Ready" and the "NEXT ->" button lights up with a green arrow, click it.
  • Click on the "Scan Settings" button, and in the next window select the "extended" database, and click Ok.
  • Under "Please select a target to scan:", click My Computer to start the scan.
When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window, and post the text in kavscan.txt in your next reply.

In your next reply

Please post the log from Deckards' System Scanner (main.txt)
Please post the log from Kaspersky.

If the logs are to big to fit in one reply please spread them out over multiple replies.
  • 0

#18
demeggy
Posted 02 June 2008 - 03:35 AM

demeggy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
Okay,

in the folder you asked me to look in, there's a hidden file called explorer. Its 29kb in size and I cant find out much more about it.

The DSS log:

Deckard's System Scanner v20071014.68
Run by Kris on 2008-06-02 10:34:40
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Kris.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:34:45 AM, on 6/2/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\VoyagerTest\fts.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Kris\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Kris.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [GBB36X Configure] C:\WINDOWS\System32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-1078081533-1292428093-725345543-1003\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: Windows Installer (MSIServer) - Unknown owner - C:\WINNT\system32\msiexec.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\System32\nvsvc32.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5553 bytes

-- Files created between 2008-05-02 and 2008-06-02 -----------------------------

2008-06-01 20:00:08		 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-01 20:00:08		 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-01 20:00:00		 0 d-------- C:\Program Files\Common Files\Download Manager
2008-06-01 13:01:05		 0 d-------- C:\WINDOWS\ERUNT
2008-05-31 11:52:09		 0 d-------- C:\Program Files\Avira
2008-05-31 11:52:09		 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-05-31 11:37:55		 0 d-------- C:\Documents and Settings\Kris\.SunDownloadManager
2008-05-29 20:14:00		 0 d--h----- C:\WINDOWS\System32\explorer
2008-05-27 21:43:11	 22016 --a------ C:\WINDOWS\System32\drivers\mouclass.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-05-27 21:43:10	 12160 --a------ C:\WINDOWS\System32\drivers\mouhid.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-05-27 21:35:08	 33792 --a------ C:\WINDOWS\System32\drivers\disk.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-05-27 21:34:58	 20480 --a------ C:\WINDOWS\System32\hidserv.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-05-27 21:25:51	 34560 --a------ C:\WINDOWS\System32\drivers\hidclass.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-05-27 21:25:50	  9600 --a------ C:\WINDOWS\System32\drivers\hidusb.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-05-27 21:25:50	 23680 --a------ C:\WINDOWS\System32\drivers\hidparse.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


-- Find3M Report ---------------------------------------------------------------

2008-05-26 14:26:57		 0 d-------- C:\Program Files\GtkRadiant-1.4
2008-05-24 19:04:41		 0 d-------- C:\Program Files\Defcon
2008-04-26 13:50:47		 0 d-------- C:\Program Files\RogueRemover FREE
2008-04-25 21:25:02		 0 d-------- C:\Program Files\LimeWire
2008-04-24 17:29:42		 0 d-------- C:\Program Files\Enigma Software Group
2008-04-22 21:07:27		 0 d-------- C:\Program Files\Trend Micro
2008-04-21 23:14:18		 0 d-------- C:\Program Files\Alwil Software
2008-04-20 23:27:15		 0 d-------- C:\Documents and Settings\Kris\Application Data\Macromedia
2008-04-20 23:13:18		 0 d-------- C:\Program Files\lg_fwupdate
2008-04-15 19:12:08		 0 d-------- C:\Documents and Settings\Kris\Application Data\Skype
2008-03-21 17:42:07	   664 --a------ C:\WINDOWS\System32\d3d9caps.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [08/30/2006 06:51 PM]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [08/30/2006 06:51 PM]
"GBB36X Configure"="C:\WINDOWS\System32\JMRaidTool.exe" [06/02/2006 09:46 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [12/15/2006 04:23 AM]
"Zune Launcher"="C:\Program Files\Zune\ZuneLauncher.exe" [03/14/2007 05:03 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [07/31/2007 06:44 PM]
"%FP%Friendly fts.exe"="C:\Program Files\VoyagerTest\fts.exe" [05/06/2003 10:28 AM]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [02/06/2007 12:52 AM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [08/29/2002 03:41 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"=0 (0x0)
"NoMovingBands"=0 (0x0)
"NoCloseDragDropBands"=0 (0x0)
"NoSetTaskbar"=0 (0x0)
"NoToolbarsOnTaskbar"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=  scecli

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Kris^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Kris\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Kris^Start Menu^Programs^Startup^MagicDisc.lnk]
path=C:\Documents and Settings\Kris\Start Menu\Programs\Startup\MagicDisc.lnk
backup=C:\WINDOWS\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"c:\program files\valve\steam\steam.exe" -silent




-- End of Deckard's System Scanner: finished at 2008-06-02 10:34:57 ------------

I couldnt get Kaspersky to run in IE for some reason. I hit the button, but nothing happens. It's not looking too good really is it?
  • 0

#19
Mike
Posted 02 June 2008 - 03:59 AM

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi there demeggy,

was explorer in the system32 folder a file or a folder? If its a file it should have an extension like .exe or .dll...

Could you please right click on explorer then click on properties, post back with the information on what it says.

Explorer shouldn't be located in the system32 folder at all, but I want to be sure before we nuke it.

If its a file please do the following.

Jotti File Submission:
  • Please go to Jotti's malware scan
  • find the "File to upload & scan"box on the top of the page:
  • Click on the browse button

    • browse forC:\WINDOWS\SYSTEM32\Explorer
  • Please post the results in your next reply.

Please open HijackThis and choose "Do a system scan only". Please put a check next to each of the following entries (if still present):

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Now please close all open windows except HJT and press "Fix checked".

Let's try an alternative scan...

Lets run an F-Secure online scan for Viruses, Spyware and RootKits:
  • Go to http://support.f-sec.../home/ols.shtml
  • Scroll to the bottom of the page and click the Start scanning button. A window will pop up.
  • Allow the Active X control to be installed on your computer, then click the Accept button
  • Click Full System Scan and allow the components to download and the scan to complete.
  • If malware is found, check Submit samples to F-Secure then select Automatic cleaning
  • When cleaning has finitished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
If Automatic cleaning with Submit samples hangs, click Cancel, then New Scan
  • When the cleaning option is presented, Uncheck Submit samples to F-Secure
  • Click Automatic cleaning
  • When cleaning has finitished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
Notes:
  • This scan will only work with Internet Explorer
  • You must have administrator rights to run this scan
  • This scan can take several hours, so please be patient

Edited by Mike, 02 June 2008 - 04:09 AM.

  • 0

#20
demeggy
Posted 02 June 2008 - 04:23 AM

demeggy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
Hi Mike,

as I cant copy and paste, the results of the online scan for the explorer file found in "C:\WINDOWS\system32\explorer" can be found attached as a screen shot;

I put a check next to 1 instance of the O2 - BHO - file in HJT and clicked "Fix Checked".

My net times out after 5mins so running a lengthy online scan won't work, as it'll time out. Any other suggestions?
  • 0

#21
Mike
Posted 02 June 2008 - 04:30 AM

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi there, I don't see any attachments. Could you write for me what the scans detected the file as?

Before running a new scan let's clean out the temporary folders.

Download ATF Cleaner to your Desktop.

  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Close ALL Internet browsers (very important).
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Now download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • In the Drivers section click on Non-Microsoft.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck
      File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. Make sure that the first line is code with brackets around it [] and that the last line is /code with brackets around it [].

Important: If, after posting, the last line is not <End of Report> then the log is too big to fit into a single post and you will need to split it into multiple posts or attach it as a file.
  • 0

#22
demeggy
Posted 02 June 2008 - 04:50 AM

demeggy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
Mike,

OTScanIt Results as requested;

OTScanIt logfile created on: 6/2/2008 11:49:43 AM
OTScanIt by OldTimer - Version 1.0.15.10	 Folder = C:\Documents and Settings\Kris\Desktop\OTScanIt\OTScanIt
Windows XP Professional Edition Service Pack 1 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2800.1106)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072;
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 279.45 Gb Total Space | 61.16 Gb Free Space | 21.88% Space Free | Partition Type: NTFS
Drive D: | 634.76 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
Drive F: | 75.46 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: KRISPC
Current User Name: Kris
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user

[Processes - Non-Microsoft Only]
adskscsrv.exe -> %CommonProgramFiles%\Autodesk Shared\Service\AdskScSrv.exe -> Autodesk [Ver = 2.70.000 | Size = 72704 bytes | Modified Date = 1/27/2007 4:24:01 PM | Attr =	]
wlservice.exe -> %ProgramFiles%\Belkin\Belkin Wireless Network Utility\WLService.exe ->  [Ver =  | Size = 49152 bytes | Modified Date = 3/29/2004 4:08:16 PM | Attr =	]
wlancfgg.exe -> %ProgramFiles%\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe ->  [Ver = 1, 0, 7, 4 | Size = 827392 bytes | Modified Date = 6/13/2005 3:45:54 PM | Attr =	]
lssrvc.exe -> %CommonProgramFiles%\LightScribe\LSSrvc.exe -> Hewlett-Packard Company [Ver = 1.4.74.1 | Size = 73728 bytes | Modified Date = 2/17/2006 4:26:32 PM | Attr =	]
jusched.exe -> %ProgramFiles%\Java\jre1.5.0_11\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 5.0.110.3 | Size = 75520 bytes | Modified Date = 12/15/2006 4:23:27 AM | Attr =	]
fts.exe -> %ProgramFiles%\VoyagerTest\fts.exe -> Friendly Technologies [Ver = 1, 0, 2, 2 | Size = 72192 bytes | Modified Date = 5/6/2003 10:28:34 AM | Attr =	]
otscanit.exe -> %UserProfile%\Desktop\OTScanIt\OTScanIt\OTScanIt.exe -> OldTimer Tools [Ver = 1.0.15.10 | Size = 373760 bytes | Modified Date = 6/2/2008 12:37:14 AM | Attr =	]

[Win32 Services - Non-Microsoft Only]
(Adobe LM Service) Adobe LM Service [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Adobe Systems Shared\Service\Adobelmsvc.exe -> Adobe Systems [Ver = 2.67.010 | Size = 72704 bytes | Modified Date = 2/18/2007 9:58:58 PM | Attr =	]
(AntiVirScheduler) Avira AntiVir Personal – Free Antivirus Scheduler [Win32_Own | Auto | Stopped] -> %ProgramFiles%\Avira\AntiVir PersonalEdition Classic\sched.exe -> Avira GmbH [Ver = 8.00.00.12 | Size = 68865 bytes | Modified Date = 3/7/2008 12:00:08 PM | Attr =	]
(AntiVirService) Avira AntiVir Personal – Free Antivirus Guard [Win32_Own | Auto | Stopped] -> %ProgramFiles%\Avira\AntiVir PersonalEdition Classic\avguard.exe -> Avira GmbH [Ver = 8.00.01.15 | Size = 147201 bytes | Modified Date = 3/26/2008 3:34:49 PM | Attr =	]
(Autodesk Licensing Service) Autodesk Licensing Service [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Autodesk Shared\Service\AdskScSrv.exe -> Autodesk [Ver = 2.70.000 | Size = 72704 bytes | Modified Date = 1/27/2007 4:24:01 PM | Attr =	]
(Belkin Wireless USB Network Adapter Service) Belkin Wireless USB Network Adapter [Win32_Own | Auto | Running] -> %ProgramFiles%\Belkin\Belkin Wireless Network Utility\WLService.exe ->  [Ver =  | Size = 49152 bytes | Modified Date = 3/29/2004 4:08:16 PM | Attr =	]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %SystemRoot%\system32\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.0.503.0 | Size = 204800 bytes | Modified Date = 8/18/2001 1:00:00 PM | Attr =	]
(iPod Service) iPod Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\iPod\bin\iPodService.exe -> Apple Inc. [Ver = 7.3.2.6 | Size = 501048 bytes | Modified Date = 7/31/2007 6:44:34 PM | Attr =	]
(LightScribeService) LightScribeService Direct Disc Labeling Service [Win32_Own | Auto | Running] -> %CommonProgramFiles%\LightScribe\LSSrvc.exe -> Hewlett-Packard Company [Ver = 1.4.74.1 | Size = 73728 bytes | Modified Date = 2/17/2006 4:26:32 PM | Attr =	]
(mi-raysat_3dsmax9_32) mental ray 3.5 Satellite (32-bit) [Win32_Own | Auto | Stopped] -> %ProgramFiles%\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe ->  [Ver =  | Size = 65536 bytes | Modified Date = 9/29/2006 1:48:06 PM | Attr =	]
(MSIServer) Windows Installer [Win32_Shared | On_Demand | Stopped] -> %SystemDrive%\WINNT\system32\msiexec.exe -> File not found
(NVSvc) NVIDIA Display Driver Service [Win32_Own | Auto | Stopped] -> %SystemRoot%\System32\nvsvc32.exe -> File not found
(PnkBstrA) PnkBstrA [Win32_Own | Auto | Stopped] -> %SystemRoot%\System32\PnkBstrA.exe -> File not found
(vsmon) TrueVector Internet Monitor [Win32_Own | Auto | Stopped] -> %SystemRoot%\system32\ZoneLabs\vsmon.exe -> Zone Labs Inc. [Ver = 4.5.594.000 | Size = 824584 bytes | Modified Date = 4/1/2004 10:29:14 AM | Attr =	]

[Driver Services - Non-Microsoft Only]
(AegisP) AEGIS Protocol (IEEE 802.1x) v3.4.3.0 [Kernel | Auto | Running] -> %SystemRoot%\system32\drivers\AegisP.sys -> Meetinghouse Data Communications [Ver = 3.4.3.0 | Size = 20747 bytes | Modified Date = 7/30/2007 8:58:57 PM | Attr =	]
(aiptektp) HyperPen [Kernel | System | Stopped] -> %SystemRoot%\system32\drivers\aiptektp.sys -> AIPTEK International Inc. [Ver = 2.34.00 | Size = 22272 bytes | Modified Date = 7/7/2004 4:02:14 PM | Attr =	]
(atksgt) atksgt [Kernel | Auto | Running] -> %SystemRoot%\system32\drivers\atksgt.sys ->  [Ver =  | Size = 271360 bytes | Modified Date = 5/2/2007 1:25:02 AM | Attr =	]
(avgntdd) avgntdd [File_System | System | Running] -> %SystemRoot%\system32\drivers\avgntdd.sys -> Avira GmbH [Ver = 6.39.00.30 | Size = 41792 bytes | Modified Date = 1/21/2008 6:12:56 PM | Attr =	]
(avgntmgr) avgntmgr [File_System | Boot | Running] -> %SystemRoot%\system32\drivers\avgntmgr.sys -> Avira GmbH [Ver = 6.37.01.02 | Size = 22336 bytes | Modified Date = 1/21/2008 6:11:28 PM | Attr =	]
(avipbb) avipbb [Kernel | System | Running] -> %SystemRoot%\system32\drivers\avipbb.sys -> Avira GmbH [Ver = 1.00.02.22 | Size = 79424 bytes | Modified Date = 3/4/2008 1:28:53 PM | Attr =	]
(catchme) catchme [Kernel | On_Demand | Stopped] -> %SystemDrive%\DOCUME~1\Kris\LOCALS~1\Temp\catchme.sys -> File not found
(dmboot) dmboot [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\drivers\dmboot.sys -> Microsoft Corp., Veritas Software [Ver = 2600.0.503.0 | Size = 780928 bytes | Modified Date = 8/18/2001 1:00:00 PM | Attr =	]
(dmio) Logical Disk Manager Driver [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\dmio.sys -> Microsoft Corp., Veritas Software [Ver = 2600.0.503.0 | Size = 146304 bytes | Modified Date = 8/18/2001 1:00:00 PM | Attr =	]
(dmload) dmload [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\dmload.sys -> Microsoft Corp., Veritas Software. [Ver = 2600.0.503.0 | Size = 5888 bytes | Modified Date = 8/18/2001 1:00:00 PM | Attr =	]
(GEARAspiWDM) GEARAspiWDM [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\GEARAspiWDM.sys -> GEAR Software Inc. [Ver = 2.0.6.1 | Size = 15664 bytes | Modified Date = 9/19/2006 4:44:04 PM | Attr =	]
(HDAudBus) Microsoft UAA Bus Driver for High Definition Audio [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\Hdaudbus.sys -> Windows (R) Server 2003 DDK provider [Ver = 5.10.01.5013 built by: WinDDK | Size = 138752 bytes | Modified Date = 1/7/2005 6:07:18 PM | Attr =	]
(HTTP) HTTP [Kernel | On_Demand | Stopped] -> %SystemRoot%\System32\Drivers\HTTP.sys -> File not found
(IntcAzAudAddService) Service for Realtek HD Audio (WDM) [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\RtkHDAud.Sys -> Realtek Semiconductor Corp. [Ver = 5.10.00.5259 built by: WinDDK | Size = 4279296 bytes | Modified Date = 5/26/2006 6:20:58 AM | Attr = R  ]
(intelppm) Intel Processor Driver [Kernel | System | Stopped] -> %SystemRoot%\System32\DRIVERS\intelppm.sys -> File not found
(ip6fw) IPv6 Windows Firewall Driver [Kernel | On_Demand | Stopped] -> %SystemRoot%\System32\drivers\ip6fw.sys -> File not found
(JGOGO) JMicron Hot-Plug Driver [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\JGOGO.sys -> JMicron  [Ver = 5.0.3790.1 | Size = 6912 bytes | Modified Date = 2/7/2006 12:52:58 PM | Attr = R  ]
(JRAID) JRAID [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\jraid.sys -> JMicron Technology Corp. [Ver = 1.10.02.00 built by: WinDDK | Size = 43264 bytes | Modified Date = 6/2/2006 12:49:56 PM | Attr = R  ]
(lirsgt) lirsgt [Kernel | Auto | Running] -> %SystemRoot%\system32\drivers\lirsgt.sys ->  [Ver =  | Size = 18048 bytes | Modified Date = 5/2/2007 1:25:01 AM | Attr =	]
(mcdbus) Driver for MagicISO SCSI Host Controller [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\mcdbus.sys -> MagicISO, Inc. [Ver = 1.0.0.32 | Size = 92160 bytes | Modified Date = 9/22/2006 2:06:10 PM | Attr =	]
(nv) nv [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\nv4_mini.sys -> NVIDIA Corporation [Ver = 6.14.10.9147 | Size = 3958496 bytes | Modified Date = 8/30/2006 6:51:07 PM | Attr =	]
(ovt519) %USB\VID_054C&PID_0154.DeviceDesc% [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\ov519vid.sys -> OmniVision Technologies, Inc. [Ver = 2.2.0.2606 | Size = 174530 bytes | Modified Date = 10/15/2003 6:52:50 PM | Attr =	]
(PPPoEWin) PPPoEWin Miniport [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\PPPoEWin.SYS -> Friendly Technologies [Ver = 3, 0, 0, 3 | Size = 104375 bytes | Modified Date = 9/25/2003 5:52:46 PM | Attr =	]
(Ptilink) Direct Parallel Link Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\ptilink.sys -> Parallel Technologies, Inc. [Ver = 1.10 (XPClient.010817-1148) | Size = 17792 bytes | Modified Date = 8/18/2001 1:00:00 PM | Attr =	]
(RT73) Belkin USB Network Adapter [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\rt73.sys -> Ralink Technology, Corp. [Ver = 1.00.00.0000 | Size = 232192 bytes | Modified Date = 8/2/2005 11:00:36 PM | Attr =	]
(SCDEmu) SCDEmu [Kernel | System | Running] -> %SystemRoot%\System32\drivers\scdemu.sys -> PowerISO Computing, Inc. [Ver = 3, 7, 0, 0 | Size = 31548 bytes | Modified Date = 4/9/2007 1:27:07 PM | Attr =	]
(SE27bus) Sony Ericsson Device 039 Driver driver (WDM) [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\SE27bus.sys -> MCCI [Ver = V4.34 | Size = 61600 bytes | Modified Date = 4/28/2006 6:24:42 PM | Attr =	]
(SE27mdfl) Sony Ericsson Device 039 USB WMC Modem Filter [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\SE27mdfl.sys -> MCCI [Ver = V4.34 | Size = 9360 bytes | Modified Date = 5/15/2006 2:35:42 PM | Attr = R  ]
(SE27mdm) Sony Ericsson Device 039 USB WMC Modem Driver [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\SE27mdm.sys -> MCCI [Ver = V4.34 | Size = 97184 bytes | Modified Date = 5/15/2006 2:35:42 PM | Attr = R  ]
(SE27mgmt) Sony Ericsson Device 039 USB WMC Device Management Drivers (WDM) [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\SE27mgmt.sys -> MCCI [Ver = V4.34 | Size = 88688 bytes | Modified Date = 4/28/2006 6:26:46 PM | Attr =	]
(se27nd5) Sony Ericsson Device 039 USB Ethernet Emulation SEMC39 (NDIS) [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\se27nd5.sys -> MCCI [Ver = V4.34 | Size = 18704 bytes | Modified Date = 4/28/2006 6:24:06 PM | Attr =	]
(SE27obex) Sony Ericsson Device 039 USB WMC OBEX Interface [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\SE27obex.sys -> MCCI [Ver = V4.34 | Size = 86560 bytes | Modified Date = 4/28/2006 6:27:48 PM | Attr =	]
(se27unic) Sony Ericsson Device 039 USB Ethernet Emulation SEMC39 (WDM) [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\se27unic.sys -> MCCI [Ver = V4.34 | Size = 90800 bytes | Modified Date = 4/28/2006 6:24:00 PM | Attr =	]
(Secdrv) Secdrv [Kernel | Auto | Running] -> %SystemRoot%\system32\drivers\secdrv.sys -> Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K. [Ver = 4.00.060 | Size = 163644 bytes | Modified Date = 2/24/2007 4:18:56 PM | Attr =	]
(SONYPVU1) Sony USB Filter Driver (SONYPVU1) [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\SONYPVU1.SYS -> Sony Corporation [Ver = 1.3.0526.0 (XPClient.010817-1148) | Size = 7552 bytes | Modified Date = 8/17/2001 2:56:16 PM | Attr =	]
(sptd) sptd [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\sptd.sys ->  [Ver =  | Size = 646392 bytes | Modified Date = 1/19/2007 12:54:01 AM | Attr =	]
(ssmdrv) ssmdrv [Kernel | System | Running] -> %SystemRoot%\system32\drivers\ssmdrv.sys -> Avira GmbH [Ver = 7.0.1.1 | Size = 28352 bytes | Modified Date = 3/1/2007 10:34:22 AM | Attr =	]
(tmcomm) tmcomm [Kernel | Auto | Running] -> %SystemRoot%\system32\drivers\tmcomm.sys -> Trend Micro Inc. [Ver = 1.6.0.1059 | Size = 102664 bytes | Modified Date = 4/22/2008 8:29:47 PM | Attr =	]
(vsdatant) vsdatant [Kernel | Auto | Running] -> %SystemRoot%\system32\vsdatant.sys -> Zone Labs Inc. [Ver = 4.5.594.000 | Size = 228400 bytes | Modified Date = 4/1/2004 10:29:02 AM | Attr =	]
(yukonwxp) NDIS5.1 Miniport Driver for Marvell Yukon Ethernet Controller [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\yk51x86.sys -> Marvell [Ver = 8.61.2.3 built by: WinDDK | Size = 250496 bytes | Modified Date = 11/2/2006 8:01:00 AM | Attr =	]

[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
%FP%Friendly fts.exe -> %ProgramFiles%\VoyagerTest\fts.exe ["C:\Program Files\VoyagerTest\fts.exe"] -> Friendly Technologies [Ver = 1, 0, 2, 2 | Size = 72192 bytes | Modified Date = 5/6/2003 10:28:34 AM | Attr =	]
GBB36X Configure -> %SystemRoot%\system32\JMRaidTool.exe [C:\WINDOWS\System32\JMRaidTool.exe boot] -> Gigabyte Technology Corp. [Ver = 1.10.02g | Size = 385024 bytes | Modified Date = 6/2/2006 9:46:40 AM | Attr = R  ]
iTunesHelper -> %ProgramFiles%\iTunes\iTunesHelper.exe ["C:\Program Files\iTunes\iTunesHelper.exe"] -> Apple Inc. [Ver = 7.3.2.6 | Size = 271672 bytes | Modified Date = 7/31/2007 6:44:42 PM | Attr =	]
KernelFaultCheck ->  [%systemroot%\system32\dumprep 0 -k] -> File not found
NvCplDaemon -> %SystemRoot%\system32\nvcpl.dll [RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup] -> NVIDIA Corporation [Ver = 6.14.10.9147 | Size = 7630848 bytes | Modified Date = 8/30/2006 6:51:11 PM | Attr =	]
NvMediaCenter -> %SystemRoot%\system32\nvmctray.dll [RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit] -> NVIDIA Corporation [Ver = 6.14.10.9147 | Size = 86016 bytes | Modified Date = 8/30/2006 6:51:28 PM | Attr =	]
SunJavaUpdateSched -> %ProgramFiles%\Java\jre1.5.0_11\bin\jusched.exe ["C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"] -> Sun Microsystems, Inc. [Ver = 5.0.110.3 | Size = 75520 bytes | Modified Date = 12/15/2006 4:23:27 AM | Attr =	]
< OptionalComponents [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ -> 
IMAIL-> Installed = 1 -> 
MAPI-> Installed = 1 -> 
MSFS-> Installed = 1 -> 
< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup -> 
< Kris Startup Folder > -> C:\Documents and Settings\Kris\Start Menu\Programs\Startup -> 
< SecurityProviders [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders -> 
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
< Winlogon settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
< CurrentVersion Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 -> 
< CurrentVersion Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoBandCustomize -> 0 -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoMovingBands -> 0 -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoCloseDragDropBands -> 0 -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoSetTaskbar -> 0 -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoToolbarsOnTaskbar -> 0 -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> -> 
< CDROM Autorun Settings > [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\ -> ->
*DependOnGroup* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\DependOnGroup -> 
SCSI miniport ->  -> File not found
*MultiFile Done* -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\ErrorControl -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Group -> SCSI CDROM Class -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Start -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Tag -> 2 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Type -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\DisplayName -> CD-ROM Driver -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\ImagePath -> %SystemRoot%\system32\drivers\cdrom.sys [System32\DRIVERS\cdrom.sys] -> Microsoft Corporation [Ver = 5.1.2600.1106 (xpsp1.020828-1920) | Size = 47488 bytes | Modified Date = 8/29/2002 1:27:56 AM | Attr =	]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\AutoRun -> 1 -> 
*AutoRunAlwaysDisable* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\AutoRunAlwaysDisable -> 
NEC	 MBR-7	->  -> File not found
NEC	 MBR-7.4  ->  -> File not found
PIONEER CHANGR DRM-1804X ->  -> File not found
PIONEER CD-ROM DRM-6324X ->  -> File not found
PIONEER CD-ROM DRM-624X  ->  -> File not found
TORiSAN CD-ROM CDR_C36 ->  -> File not found
*MultiFile Done* -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum\\0 -> SCSI\CdRom&Ven_HL-DT-ST&Prod_DVD-RAM_GSA-H22L&Rev_1.00\5&3063afa3&0&010 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum\\Count -> 3 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum\\NextInstance -> 3 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum\\1 -> SCSI\CdRom&Ven_XW7110S&Prod_TUA224H&Rev_1.0\5&b95880f&0&000 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum\\2 -> SCSI\CdRom&Ven_MagicISO&Prod_Virtual_DVD-ROM&Rev_1.0A\1&2afd7d61&0&0000 -> 
< Drives - Autoruns > ->  -> 
AUTOEXEC.BAT [] -> %SystemDrive%\AUTOEXEC.BAT [ NTFS ] ->  [Ver =  | Size = 0 bytes | Modified Date = 1/16/2007 6:16:25 PM | Attr =	]
AUTORUN.INF [[autorun] | open=Run.exe | icon=Run.exe | ] -> D:\AUTORUN.INF [ CDFS ] ->  [Ver =  | Size = 39 bytes | Modified Date = 10/22/2003 7:05:32 AM | Attr = R  ]
< HOSTS File > (686 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts -> 
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> -> 
HKEY_LOCAL_MACHINE\: Main\\Default_Page_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome -> 
HKEY_LOCAL_MACHINE\: Main\\Default_Search_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 
HKEY_LOCAL_MACHINE\: Main\\Local Page -> %SystemRoot%\system32\blank.htm -> 
HKEY_LOCAL_MACHINE\: Main\\Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 
HKEY_LOCAL_MACHINE\: Main\\Start Page -> http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home -> 
HKEY_LOCAL_MACHINE\: Search\\CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm -> 
HKEY_LOCAL_MACHINE\: Search\\SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm -> 
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> -> 
HKEY_CURRENT_USER\: Main\\Local Page -> C:\WINDOWS\system32\blank.htm -> 
HKEY_CURRENT_USER\: Main\\Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 
HKEY_CURRENT_USER\: Main\\Start Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome -> 
HKEY_CURRENT_USER\: ProxyEnable -> 0 -> 
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 1 domain(s) found. -> 
  .[msn] -> My Computer -> 
< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ -> 
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [AcroIEHlprObj Class] ->  [Ver = 1, 0, 0, 1 | Size = 37808 bytes | Modified Date = 4/16/2001 5:39:02 PM | Attr =	]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Java\jre1.5.0_11\bin\ssv.dll [SSVHelper Class] -> Sun Microsystems, Inc. [Ver = 5.0.110.3 | Size = 440056 bytes | Modified Date = 12/15/2006 4:23:24 AM | Attr =	]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar -> 
{8E718888-423F-11D2-876E-00A0C9082467} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\msdxm.ocx [&Radio] ->  [Ver =  | Size = 842268 bytes | Modified Date = 8/29/2002 3:40:12 AM | Attr =	]
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ -> 
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Java\jre1.5.0_11\bin\NPJPI150_11.dll [Sun Java Console] -> Sun Microsystems, Inc. [Ver = 5.0.110.3 | Size = 75528 bytes | Modified Date = 12/15/2006 4:23:25 AM | Attr =	]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC} [HKEY_CURRENT_USER] -> %ProgramFiles%\Java\jre1.5.0_11\bin\ssv.dll [Sun Java Console] -> Sun Microsystems, Inc. [Ver = 5.0.110.3 | Size = 440056 bytes | Modified Date = 12/15/2006 4:23:24 AM | Attr =	]
{E19ADC6E-3909-43E4-9A89-B7B676377EE3}: [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Sothink SWF Catcher] -> File not found
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\ -> 
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Java\jre1.5.0_11\bin\NPJPI150_11.dll [Sun Java Console] -> Sun Microsystems, Inc. [Ver = 5.0.110.3 | Size = 75528 bytes | Modified Date = 12/15/2006 4:23:25 AM | Attr =	]
CmdMapping\\{E19ADC6E-3909-43E4-9A89-B7B676377EE3} [HKEY_LOCAL_MACHINE] -> %CommonProgramFiles%\SourceTec\SWF Catcher\SWFCatcher.dll [SWFDecompiler.InternetExplorer] -> SourceTec [Ver = 3, 0, 0, 0 | Size = 397312 bytes | Modified Date = 6/7/2007 11:00:00 AM | Attr =	]
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKEY_LOCAL_MACHINE] ->  [Reg Error: Key does not exist or could not be opened.] -> File not found
< Internet Explorer Menu Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ -> 
Sothink SWF Catcher -> %CommonProgramFiles%\SourceTec\SWF Catcher\InternetExplorer.htm ->  [Ver =  | Size = 191 bytes | Modified Date = 6/7/2007 12:00:00 PM | Attr =	]
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ -> 
PluginsPageFriendlyName -> Microsoft ActiveX Gallery -> 
PluginsPage -> http://activex.microsoft.com/controls/find.asp?ext=%s&mime=%s -> 
Extension\.spop -> %ProgramFiles%\Internet Explorer\PLUGINS\NPDocBox.dll [] -> Intertrust Technologies, Inc. [Ver = 1.0.0.32 | Size = 270336 bytes | Modified Date = 8/1/2001 6:05:42 PM | Attr =	]
< DNS Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ -> 
{1CEA6C23-CF8E-470F-9B49-D01E33F55E07} ->	() -> 
{27681CBA-04E9-42B9-A12B-3D0EACB8CF0F} ->	() -> 
{3608B5C2-6EC8-4A38-ACD0-54462E84319E} ->	(Marvell Yukon 88E8056 PCI-E Gigabit Ethernet Controller) -> 
{40D7372B-0174-4EBE-B58E-97AF4544126F} ->	(Sony Ericsson Device 039 USB Ethernet Emulation (NDIS 5)) -> 
{7DEFD4CE-7966-4B4C-A217-A21BFFC9F1FE} ->	(Belkin 54g Wireless USB Network Adapter) -> 
{E46EC82E-0CE0-46BA-BCAD-5882263D2C57} ->	(Belkin 54g Wireless USB Network Adapter) -> 
{ECDB4609-9B22-49DA-BCE8-B163768CFB9F} ->	(Belkin 54g Wireless USB Network Adapter) -> 
< Default Protocols [HKEY_LOCAL_MACHINE\] - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults -> 
shell -> shell protocol not assigned -> 
< Protocol Handlers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ -> 
ipp: [HKEY_LOCAL_MACHINE] -> No CLSID value
msdaipp: [HKEY_LOCAL_MACHINE] -> No CLSID value
skype4com:{FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} [HKEY_LOCAL_MACHINE] -> %CommonProgramFiles%\Skype\Skype4COM.dll[IEProtocolHandler Class] -> Skype Technologies [Ver = 1, 0, 27, 0 | Size = 1828440 bytes | Modified Date = 1/12/2007 1:50:48 PM | Attr = R  ]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ -> 
{8AD9C840-044E-11D1-B3E9-00805F499D93}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab[Java Plug-in 1.5.0_11] -> 
{C3F79A2B-B9B4-4A66-B012-3EE46475B072}[HKEY_LOCAL_MACHINE] -> http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab[MessengerStatsClient Class] -> 
{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab[Java Plug-in 1.5.0_10] -> 
{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab[Java Plug-in 1.5.0_11] -> 
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab[Java Plug-in 1.5.0_11] -> 
{D27CDB6E-AE6D-11CF-96B8-444553540000}[HKEY_LOCAL_MACHINE] -> http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab[Shockwave Flash Object] -> 
< Module Usage Keys [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MessengerStatsPAClient.dll\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MessengerStatsPAClient.dll\\.Owner -> {C3F79A2B-B9B4-4A66-B012-3EE46475B072} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MessengerStatsPAClient.dll\\{C3F79A2B-B9B4-4A66-B012-3EE46475B072} ->  ->

cont.

Edited by demeggy, 02 June 2008 - 04:57 AM.

  • 0

#23
demeggy
Posted 02 June 2008 - 04:58 AM

demeggy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
cont.

[Registry - Additional Scans - Non-Microsoft Only]
< BotCheck > -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\\DefaultLaunchPermission -> [Binary data over 100 bytes] -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\\EnableDCOM -> Y -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\NONREDIST\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\NONREDIST\\System.EnterpriseServices.Thunk.dll ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\AntiVirusDisableNotify -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\FirewallDisableNotify -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\UpdatesDisableNotify -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\AntiVirusOverride -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\FirewallOverride -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall\ -> -> 
Reg Error: Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\ not found. -> -> 
Reg Error: Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\ not found. -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ -> ->
*Authentication Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages -> 
msv1_0 -> %SystemRoot%\system32\msv1_0.dll -> Microsoft Corporation [Ver = 5.1.2600.1106 (xpsp1.020828-1920) | Size = 108544 bytes | Modified Date = 8/29/2002 3:41:08 AM | Attr =	]
*MultiFile Done* -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Bounds -> 0  [binary data] -> 
*Security Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Security Packages -> 
kerberos -> %SystemRoot%\system32\kerberos.dll -> Microsoft Corporation [Ver = 5.1.2600.1106 (xpsp1.020828-1920) | Size = 272896 bytes | Modified Date = 8/29/2002 3:41:00 AM | Attr =	]
msv1_0 -> %SystemRoot%\system32\msv1_0.dll -> Microsoft Corporation [Ver = 5.1.2600.1106 (xpsp1.020828-1920) | Size = 108544 bytes | Modified Date = 8/29/2002 3:41:08 AM | Attr =	]
schannel -> %SystemRoot%\system32\schannel.dll -> Microsoft Corporation [Ver = 5.1.2600.1106 (xpsp1.020828-1920) | Size = 136704 bytes | Modified Date = 8/29/2002 3:41:12 AM | Attr =	]
wdigest -> %SystemRoot%\system32\wdigest.dll -> Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 46592 bytes | Modified Date = 8/18/2001 1:00:00 PM | Attr =	]
*MultiFile Done* -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\LsaPid -> 968 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\SecureBoot -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\auditbaseobjects -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\crashonauditfail -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\disabledomaincreds -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\everyoneincludesanonymous -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\fipsalgorithmpolicy -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\forceguest -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\fullprivilegeauditing ->  [binary data] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\limitblankpassworduse -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\lmcompatibilitylevel -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\nodefaultadminowner -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\nolmhash -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\restrictanonymous -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\restrictanonymoussam -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Notification Packages ->  -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\ -> -> 
*ProviderOrder* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\\ProviderOrder -> 
Windows NT Access Provider ->  -> File not found
*MultiFile Done* -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider\\ProviderPath -> %SystemRoot%\system32\ntmarta.dll [%SystemRoot%\system32\ntmarta.dll] -> Microsoft Corporation [Ver = 5.1.2600.1106 (xpsp1.020828-1920) | Size = 112128 bytes | Modified Date = 8/29/2002 3:41:08 AM | Attr =	]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data\\Pattern -> 0A 6D 61 40 15 AD 87 2E E7 F5 9D C5 73 21 1D 2F 39 39 31 61 61 32 34 34 00 68 07 00 01 00 00 00 D8 00 00 00 E0 00 00 00 48 FA 06 00 D6 48 5A 74 04 00 00 00 A0 FD 06 00 B8 FD 06 00 70 DF E4 BD  [binary data] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG\\GrafBlumGroup -> F6 0A F6 59 86 A0 E7 D3 7C  [binary data] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD\\Lookup -> B6 46 67 18 57 DC  [binary data] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\SidCache\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\\Auth132 -> %SystemRoot%\system32\iissuba.dll [IISSUBA] -> Microsoft Corporation [Ver = 6.0.2600.0 (xpclient.010817-1148) | Size = 9216 bytes | Modified Date = 8/18/2001 1:00:00 PM | Attr =	]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\\ntlmminclientsec -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\\ntlmminserversec -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1\\SkewMatrix -> A7 F3 4D 89 47 06 A3 F9 08 15 D5 A8 6A 1B 08 FD  [binary data] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4\\SSOURL -> http://www.passport.com -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\\Time -> 28 3D E8 D8 50 97 C7 01  [binary data] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Name -> Digest -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Comment -> Digest SSPI Authentication Package -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Capabilities -> 16464 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\RpcId -> 65535 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Version -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\TokenSize -> 65535 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Time -> 00 C6 58 87 B5 79 C4 01  [binary data] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Type -> 49 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Name -> DPA -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Comment -> DPA Security Package -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Capabilities -> 55 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\RpcId -> 17 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Version -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\TokenSize -> 768 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Time -> 00 C6 58 87 B5 79 C4 01  [binary data] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Type -> 49 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Name -> MSN -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Comment -> MSN Security Package -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Capabilities -> 55 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\RpcId -> 18 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Version -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\TokenSize -> 768 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Time -> 00 C6 58 87 B5 79 C4 01  [binary data] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Type -> 49 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\Type -> 32 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\Start -> 2 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\ErrorControl -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\ImagePath -> %SystemRoot%\system32\svchost.exe [%SystemRoot%\System32\svchost.exe -k netsvcs] -> Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 12800 bytes | Modified Date = 8/18/2001 1:00:00 PM | Attr =	]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\DisplayName -> Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\DependOnService -> Netman;NLA;RasMan;ALG; -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\DependOnGroup ->  -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\ObjectName -> LocalSystem -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\Description -> Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network. -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\\ServiceDll -> %SystemRoot%\system32\ipnathlp.dll [%SystemRoot%\System32\ipnathlp.dll] -> Microsoft Corporation [Ver = 5.1.2600.1106 (xpsp1.020828-1920) | Size = 435200 bytes | Modified Date = 8/29/2002 3:40:58 AM | Attr =	]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Security\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Security\\Security -> [Binary data over 100 bytes] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\\0 -> Root\LEGACY_SHAREDACCESS\0000 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\\Count -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\\NextInstance -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Type -> 32 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Start -> 2 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ErrorControl -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ImagePath -> %SystemRoot%\system32\svchost.exe [%systemroot%\system32\svchost.exe -k netsvcs] -> Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 12800 bytes | Modified Date = 8/18/2001 1:00:00 PM | Attr =	]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\DisplayName -> Automatic Updates -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ObjectName -> LocalSystem -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Description -> Enables the download and installation of critical Windows updates. If the service is disabled, the operating system can be manually updated at the Windows Update Web site. -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters\\ServiceDll -> %SystemRoot%\system32\wuauserv.dll [C:\WINDOWS\System32\wuauserv.dll] -> Microsoft Corporation [Ver = 5.4.3630.1106 (xpsp1.020828-1920) | Size = 9216 bytes | Modified Date = 8/29/2002 3:41:20 AM | Attr =	]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Security\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Security\\Security -> [Binary data over 100 bytes] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\0 -> Root\LEGACY_WUAUSERV\0000 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\Count -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\NextInstance -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\Description -> Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. If this service is disabled, any services that explicitly depend on it will fail to start. -> 
*DependOnService* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\DependOnService -> 
RPCSS -> %SystemRoot%\system32\rpcss.dll -> Microsoft Corporation [Ver = 5.1.2600.1106 (xpsp1.020828-1920) | Size = 260608 bytes | Modified Date = 8/29/2002 3:41:10 AM | Attr =	]
*MultiFile Done* -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\DisplayName -> Remote Registry -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\ErrorControl -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\ImagePath -> %SystemRoot%\system32\svchost.exe [%SystemRoot%\system32\svchost.exe -k LocalService] -> Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 12800 bytes | Modified Date = 8/18/2001 1:00:00 PM | Attr =	]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\ObjectName -> NT AUTHORITY\LocalService -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\Group ->  -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\Start -> 2 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\Type -> 32 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\FailureActions -> 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 E0 AD 08 00 01 00 00 00 E8 03 00 00  [binary data] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Parameters\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Parameters\\ServiceDll -> %SystemRoot%\system32\regsvc.dll [%SystemRoot%\system32\regsvc.dll] -> Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 51712 bytes | Modified Date = 8/18/2001 1:00:00 PM | Attr =	]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Security\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Security\\Security -> [Binary data over 100 bytes] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Enum\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Enum\\0 -> Root\LEGACY_REMOTEREGISTRY\0000 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Enum\\Count -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Enum\\NextInstance -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\Type -> 16 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\Start -> 4 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\ErrorControl -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\ImagePath -> %SystemRoot%\system32\tlntsvr.exe [C:\WINDOWS\System32\tlntsvr.exe] -> Microsoft Corporation [Ver = 5.1.2600.1106 (xpsp1.020828-1920) | Size = 67584 bytes | Modified Date = 8/29/2002 3:41:28 AM | Attr =	]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\DisplayName -> Telnet -> 
*DependOnService* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\DependOnService -> 
RPCSS -> %SystemRoot%\system32\rpcss.dll -> Microsoft Corporation [Ver = 5.1.2600.1106 (xpsp1.020828-1920) | Size = 260608 bytes | Modified Date = 8/29/2002 3:41:10 AM | Attr =	]
TCPIP ->  -> File not found
NTLMSSP ->  -> File not found
*MultiFile Done* -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\DependOnGroup ->  -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\ObjectName -> LocalSystem -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\Description -> Enables a remote user to log on to this computer and run programs, and supports various TCP/IP Telnet clients, including UNIX-based and Windows-based computers. If this service is stopped, remote user access to programs might be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Security\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Security\\Security -> [Binary data over 100 bytes] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings\\ProxyEnable -> 0 ->

cont.
  • 0

#24
demeggy
Posted 02 June 2008 - 04:59 AM

demeggy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
cont.

[Files/Folders - Created Within 30 days]
Deckard -> %SystemDrive%\Deckard ->  [Folder | Created Date = 5/30/2008 11:39:06 AM | Attr =	]
SDFix -> %SystemDrive%\SDFix ->  [Folder | Created Date = 6/1/2008 12:55:28 PM | Attr =	]
_OTMoveIt -> %SystemDrive%\_OTMoveIt ->  [Folder | Created Date = 6/1/2008 7:11:21 PM | Attr =	]
avgntdd.sys -> %SystemRoot%\System32\drivers\avgntdd.sys -> Avira GmbH [Ver = 6.39.00.30 | Size = 41792 bytes | Created Date = 5/31/2008 11:52:10 AM | Attr =	]
avgntmgr.sys -> %SystemRoot%\System32\drivers\avgntmgr.sys -> Avira GmbH [Ver = 6.37.01.02 | Size = 22336 bytes | Created Date = 5/31/2008 11:52:10 AM | Attr =	]
avipbb.sys -> %SystemRoot%\System32\drivers\avipbb.sys -> Avira GmbH [Ver = 1.00.02.22 | Size = 79424 bytes | Created Date = 5/31/2008 11:52:09 AM | Attr =	]
mbam.sys -> %SystemRoot%\System32\drivers\mbam.sys ->  [Ver =  | Size = 15864 bytes | Created Date = 6/1/2008 8:00:08 PM | Attr =	]
mbamcatchme.sys -> %SystemRoot%\System32\drivers\mbamcatchme.sys ->  [Ver =  | Size = 34296 bytes | Created Date = 6/1/2008 8:00:08 PM | Attr =	]
ssmdrv.sys -> %SystemRoot%\System32\drivers\ssmdrv.sys -> Avira GmbH [Ver = 7.0.1.1 | Size = 28352 bytes | Created Date = 5/31/2008 11:52:10 AM | Attr =	]
explorer -> %SystemRoot%\System32\explorer ->  [Folder | Created Date = 5/29/2008 8:14:00 PM | Attr =  H ]
1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> 
ERDNT -> %SystemRoot%\ERDNT ->  [Folder | Created Date = 5/30/2008 11:39:10 AM | Attr =	]
4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> 
ERUNT -> %SystemRoot%\ERUNT ->  [Folder | Created Date = 6/1/2008 1:01:05 PM | Attr =	]
[Files Created - Additional Folder Scans - Non-Microsoft Only]
Avira -> %AllUsersProfile%\Application Data\Avira ->  [Folder | Created Date = 5/31/2008 11:52:09 AM | Attr =	]
Malwarebytes -> %AllUsersProfile%\Application Data\Malwarebytes ->  [Folder | Created Date = 6/1/2008 8:00:08 PM | Attr =	]
TRANSFER -> %UserProfile%\My Documents\TRANSFER ->  [Folder | Created Date = 5/20/2008 12:48:31 PM | Attr =	]
AntiVir PE Classic.lnk -> %AllUsersProfile%\Desktop\AntiVir PE Classic.lnk ->  [Ver =  | Size = 1851 bytes | Created Date = 5/31/2008 11:52:15 AM | Attr =	]
Malwarebytes' Anti-Malware.lnk -> %AllUsersProfile%\Desktop\Malwarebytes' Anti-Malware.lnk ->  [Ver =  | Size = 696 bytes | Created Date = 6/1/2008 8:00:08 PM | Attr =	]
antivir_workstation_winu_en_h(2).exe -> %UserProfile%\Desktop\antivir_workstation_winu_en_h(2).exe ->  [Ver =  | Size = 22311160 bytes | Created Date = 5/31/2008 11:46:17 AM | Attr =	]
antivir_workstation_winu_en_h.exe -> %UserProfile%\Desktop\antivir_workstation_winu_en_h.exe ->  [Ver =  | Size = 0 bytes | Created Date = 5/31/2008 11:39:35 AM | Attr =	]
App Form (Art).zip -> %UserProfile%\Desktop\App Form (Art).zip ->  [Ver =  | Size = 80751 bytes | Created Date = 6/2/2008 11:27:11 AM | Attr =	]
ATF-Cleaner.exe -> %UserProfile%\Desktop\ATF-Cleaner.exe -> Atribune.org [Ver = 3.00.0002 | Size = 50688 bytes | Created Date = 6/2/2008 11:35:10 AM | Attr =	]
dban-1.0.7_i386.exe -> %UserProfile%\Desktop\dban-1.0.7_i386.exe ->  [Ver = 8.00.8000 | Size = 1717879 bytes | Created Date = 5/28/2008 8:28:26 PM | Attr =	]
Download_mbam-setup.exe -> %UserProfile%\Desktop\Download_mbam-setup.exe -> Digital River [Ver = 1.0.0.1 | Size = 128368 bytes | Created Date = 6/1/2008 7:58:26 PM | Attr =	]
dss.exe -> %UserProfile%\Desktop\dss.exe ->  [Ver = 3, 2, 8, 1 | Size = 686630 bytes | Created Date = 5/30/2008 11:38:40 AM | Attr =	]
erunt-setup.exe -> %UserProfile%\Desktop\erunt-setup.exe -> Lars Hederer												 [Ver =					  | Size = 791393 bytes | Created Date = 5/31/2008 5:35:07 PM | Attr =	]
ERUNT.lnk -> %UserProfile%\Desktop\ERUNT.lnk ->  [Ver =  | Size = 592 bytes | Created Date = 5/31/2008 5:35:23 PM | Attr =	]
fix.reg -> %UserProfile%\Desktop\fix.reg ->  [Ver =  | Size = 3601 bytes | Created Date = 5/31/2008 5:37:51 PM | Attr =	]
index.php -> %UserProfile%\Desktop\index.php ->  [Ver =  | Size = 3601 bytes | Created Date = 5/31/2008 5:36:16 PM | Attr =	]
jre-6u6-windows-i586-p(2).exe -> %UserProfile%\Desktop\jre-6u6-windows-i586-p(2).exe ->  [Ver =  | Size = 15951256 bytes | Created Date = 5/31/2008 11:40:04 AM | Attr =	]
jre-6u6-windows-i586-p.exe -> %UserProfile%\Desktop\jre-6u6-windows-i586-p.exe ->  [Ver =  | Size = 0 bytes | Created Date = 5/31/2008 11:38:16 AM | Attr =	]
jre-6u6-windows-i586-p.exe.sdm -> %UserProfile%\Desktop\jre-6u6-windows-i586-p.exe.sdm ->  [Ver =  | Size = 1211 bytes | Created Date = 5/31/2008 11:38:10 AM | Attr =	]
mbam-setup.exe -> %UserProfile%\Desktop\mbam-setup.exe -> Malwarebytes												 [Ver = 1.0.0.0			  | Size = 1756760 bytes | Created Date = 6/1/2008 7:20:32 PM | Attr =	]
mbam-setup1.exe -> %UserProfile%\Desktop\mbam-setup1.exe -> Malwarebytes												 [Ver = 1.0.0.0			  | Size = 1805926 bytes | Created Date = 6/1/2008 7:58:42 PM | Attr =	]
NTREGOPT.lnk -> %UserProfile%\Desktop\NTREGOPT.lnk ->  [Ver =  | Size = 611 bytes | Created Date = 5/31/2008 5:35:23 PM | Attr =	]
OTMoveIt2.exe -> %UserProfile%\Desktop\OTMoveIt2.exe -> OldTimer Tools [Ver = 1.0.4.2 | Size = 291328 bytes | Created Date = 6/1/2008 7:05:39 PM | Attr =	]
OTScanIt -> %UserProfile%\Desktop\OTScanIt ->  [Folder | Created Date = 6/2/2008 11:36:57 AM | Attr =	]
OTScanIt.exe -> %UserProfile%\Desktop\OTScanIt.exe ->  [Ver =  | Size = 544627 bytes | Created Date = 6/2/2008 11:36:19 AM | Attr =	]
peek.bat -> %UserProfile%\Desktop\peek.bat ->  [Ver =  | Size = 95 bytes | Created Date = 6/1/2008 7:19:08 PM | Attr =	]
Quote(2).pdf -> %UserProfile%\Desktop\Quote(2).pdf ->  [Ver =  | Size = 235704 bytes | Created Date = 6/2/2008 10:52:36 AM | Attr =	]
Quote.pdf -> %UserProfile%\Desktop\Quote.pdf ->  [Ver =  | Size = 235704 bytes | Created Date = 5/27/2008 12:15:50 PM | Attr =	]
registrybackup -> %UserProfile%\Desktop\registrybackup ->  [Folder | Created Date = 5/31/2008 5:35:43 PM | Attr =	]
scan.JPG -> %UserProfile%\Desktop\scan.JPG ->  [Ver =  | Size = 83948 bytes | Created Date = 6/2/2008 11:14:52 AM | Attr =	]
SDFix.exe -> %UserProfile%\Desktop\SDFix.exe ->  [Ver =  | Size = 1438693 bytes | Created Date = 5/31/2008 11:51:24 AM | Attr =	]
Download Manager -> %CommonProgramFiles%\Download Manager ->  [Folder | Created Date = 6/1/2008 8:00:00 PM | Attr =	]
Avira -> %ProgramFiles%\Avira ->  [Folder | Created Date = 5/31/2008 11:52:09 AM | Attr =	]
ERUNT -> %ProgramFiles%\ERUNT ->  [Folder | Created Date = 5/31/2008 5:35:22 PM | Attr =	]
Malwarebytes' Anti-Malware -> %ProgramFiles%\Malwarebytes' Anti-Malware ->  [Folder | Created Date = 6/1/2008 8:00:08 PM | Attr =	]

[Files/Folders - Modified Within 30 days]
boot.ini -> %SystemDrive%\boot.ini ->  [Ver =  | Size = 282 bytes | Modified Date = 5/27/2008 11:22:00 AM | Attr = RHS]
Deckard -> %SystemDrive%\Deckard ->  [Folder | Modified Date = 5/30/2008 11:39:06 AM | Attr =	]
Program Files -> %ProgramFiles% ->  [Folder | Modified Date = 6/1/2008 8:00:08 PM | Attr = R  ]
SDFix -> %SystemDrive%\SDFix ->  [Folder | Modified Date = 6/1/2008 1:38:44 PM | Attr =	]
WINDOWS -> %SystemRoot% ->  [Folder | Modified Date = 6/1/2008 7:11:21 PM | Attr =	]
_OTMoveIt -> %SystemDrive%\_OTMoveIt ->  [Folder | Modified Date = 6/1/2008 7:11:21 PM | Attr =	]
etc -> %SystemRoot%\System32\drivers\etc ->  [Folder | Modified Date = 6/1/2008 1:08:27 PM | Attr =	]
HOSTS -> %SystemRoot%\System32\drivers\etc\HOSTS ->  [Ver =  | Size = 686 bytes | Modified Date = 6/1/2008 1:08:27 PM | Attr =	]
mbam.sys -> %SystemRoot%\System32\drivers\mbam.sys ->  [Ver =  | Size = 15864 bytes | Modified Date = 5/30/2008 1:06:36 AM | Attr =	]
mbamcatchme.sys -> %SystemRoot%\System32\drivers\mbamcatchme.sys ->  [Ver =  | Size = 34296 bytes | Modified Date = 5/30/2008 1:06:40 AM | Attr =	]
drivers -> %SystemRoot%\System32\drivers ->  [Folder | Modified Date = 6/1/2008 8:00:08 PM | Attr =	]
1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> 
explorer -> %SystemRoot%\System32\explorer ->  [Folder | Modified Date = 5/29/2008 8:14:00 PM | Attr =  H ]
nvapps.xml -> %SystemRoot%\System32\nvapps.xml ->  [Ver =  | Size = 81191 bytes | Modified Date = 6/2/2008 11:45:24 AM | Attr =	]
wpa.dbl -> %SystemRoot%\System32\wpa.dbl ->  [Ver =  | Size = 2206 bytes | Modified Date = 5/26/2008 2:25:09 PM | Attr =	]
bootstat.dat -> %SystemRoot%\bootstat.dat ->  [Ver =  | Size = 2048 bytes | Modified Date = 6/2/2008 11:43:58 AM | Attr =   S]
CSC -> %SystemRoot%\CSC ->  [Folder | Modified Date = 6/2/2008 11:44:06 AM | Attr =  HS]
4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> 
Downloaded Program Files -> %SystemRoot%\Downloaded Program Files ->  [Folder | Modified Date = 5/30/2008 11:41:56 AM | Attr =   S]
ERDNT -> %SystemRoot%\ERDNT ->  [Folder | Modified Date = 5/30/2008 11:39:10 AM | Attr =	]
ERUNT -> %SystemRoot%\ERUNT ->  [Folder | Modified Date = 6/1/2008 1:01:07 PM | Attr =	]
inf -> %SystemRoot%\inf ->  [Folder | Modified Date = 6/1/2008 12:47:43 PM | Attr =  H ]
NeroDigital.ini -> %SystemRoot%\NeroDigital.ini ->  [Ver =  | Size = 116 bytes | Modified Date = 5/22/2008 10:27:06 AM | Attr =	]
Prefetch -> %SystemRoot%\Prefetch ->  [Folder | Modified Date = 6/2/2008 11:35:32 AM | Attr =	]
system32 -> %SystemRoot%\system32 ->  [Folder | Modified Date = 6/1/2008 1:12:41 PM | Attr =	]
Temp -> %SystemRoot%\Temp ->  [Folder | Modified Date = 6/2/2008 11:44:11 AM | Attr =	]
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\ -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader ->  [Folder | Modified Date = 1/18/2007 1:04:59 PM | Attr =	]
qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat ->  [Ver =  | Size = 5338 bytes | Modified Date = 4/11/2008 5:57:39 PM | Attr =	]
qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat ->  [Ver =  | Size = 4232 bytes | Modified Date = 4/13/2008 12:27:55 PM | Attr =	]
C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA\ -> C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA ->  [Folder | Modified Date = 1/17/2007 1:10:23 AM | Attr =	]
opa11.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA\opa11.dat ->  [Ver =  | Size = 8206 bytes | Modified Date = 1/17/2007 1:10:23 AM | Attr =	]
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
Avira -> %AllUsersProfile%\Application Data\Avira ->  [Folder | Modified Date = 5/31/2008 11:52:09 AM | Attr =	]
Malwarebytes -> %AllUsersProfile%\Application Data\Malwarebytes ->  [Folder | Modified Date = 6/1/2008 8:00:08 PM | Attr =	]
DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> %UserProfile%\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini ->  [Ver =  | Size = 111616 bytes | Modified Date = 5/22/2008 10:27:04 AM | Attr =	]
IconCache.db -> %UserProfile%\Local Settings\Application Data\IconCache.db ->  [Ver =  | Size = 1575412 bytes | Modified Date = 5/30/2008 11:44:33 AM | Attr =  H ]
Misc -> %UserProfile%\My Documents\Misc ->  [Folder | Modified Date = 6/1/2008 6:52:07 PM | Attr =	]
My Pictures -> %UserProfile%\My Documents\My Pictures ->  [Folder | Modified Date = 5/31/2008 5:55:38 PM | Attr = R  ]
My Received Files -> %UserProfile%\My Documents\My Received Files ->  [Folder | Modified Date = 6/2/2008 11:46:53 AM | Attr = R  ]
TRANSFER -> %UserProfile%\My Documents\TRANSFER ->  [Folder | Modified Date = 5/20/2008 12:48:31 PM | Attr =	]
AntiVir PE Classic.lnk -> %AllUsersProfile%\Desktop\AntiVir PE Classic.lnk ->  [Ver =  | Size = 1851 bytes | Modified Date = 5/31/2008 11:52:15 AM | Attr =	]
Malwarebytes' Anti-Malware.lnk -> %AllUsersProfile%\Desktop\Malwarebytes' Anti-Malware.lnk ->  [Ver =  | Size = 696 bytes | Modified Date = 6/1/2008 8:00:08 PM | Attr =	]
antivir_workstation_winu_en_h(2).exe -> %UserProfile%\Desktop\antivir_workstation_winu_en_h(2).exe ->  [Ver =  | Size = 22311160 bytes | Modified Date = 5/31/2008 11:50:50 AM | Attr =	]
antivir_workstation_winu_en_h.exe -> %UserProfile%\Desktop\antivir_workstation_winu_en_h.exe ->  [Ver =  | Size = 0 bytes | Modified Date = 5/31/2008 11:39:35 AM | Attr =	]
App Form (Art).zip -> %UserProfile%\Desktop\App Form (Art).zip ->  [Ver =  | Size = 80751 bytes | Modified Date = 6/2/2008 11:27:01 AM | Attr =	]
ATF-Cleaner.exe -> %UserProfile%\Desktop\ATF-Cleaner.exe -> Atribune.org [Ver = 3.00.0002 | Size = 50688 bytes | Modified Date = 6/2/2008 11:35:09 AM | Attr =	]
dban-1.0.7_i386.exe -> %UserProfile%\Desktop\dban-1.0.7_i386.exe ->  [Ver = 8.00.8000 | Size = 1717879 bytes | Modified Date = 5/28/2008 8:28:43 PM | Attr =	]
Download_mbam-setup.exe -> %UserProfile%\Desktop\Download_mbam-setup.exe -> Digital River [Ver = 1.0.0.1 | Size = 128368 bytes | Modified Date = 6/1/2008 7:58:24 PM | Attr =	]
dss.exe -> %UserProfile%\Desktop\dss.exe ->  [Ver = 3, 2, 8, 1 | Size = 686630 bytes | Modified Date = 5/30/2008 11:39:03 AM | Attr =	]
erunt-setup.exe -> %UserProfile%\Desktop\erunt-setup.exe -> Lars Hederer												 [Ver =					  | Size = 791393 bytes | Modified Date = 5/31/2008 5:35:13 PM | Attr =	]
ERUNT.lnk -> %UserProfile%\Desktop\ERUNT.lnk ->  [Ver =  | Size = 592 bytes | Modified Date = 5/31/2008 5:35:23 PM | Attr =	]
fix.reg -> %UserProfile%\Desktop\fix.reg ->  [Ver =  | Size = 3601 bytes | Modified Date = 5/31/2008 5:37:51 PM | Attr =	]
HijackThis.lnk -> %UserProfile%\Desktop\HijackThis.lnk ->  [Ver =  | Size = 1734 bytes | Modified Date = 5/28/2008 12:25:11 PM | Attr =	]
index.php -> %UserProfile%\Desktop\index.php ->  [Ver =  | Size = 3601 bytes | Modified Date = 5/31/2008 5:36:17 PM | Attr =	]
jre-6u6-windows-i586-p(2).exe -> %UserProfile%\Desktop\jre-6u6-windows-i586-p(2).exe ->  [Ver =  | Size = 15951256 bytes | Modified Date = 5/31/2008 11:41:27 AM | Attr =	]
jre-6u6-windows-i586-p.exe -> %UserProfile%\Desktop\jre-6u6-windows-i586-p.exe ->  [Ver =  | Size = 0 bytes | Modified Date = 5/31/2008 11:38:16 AM | Attr =	]
jre-6u6-windows-i586-p.exe.sdm -> %UserProfile%\Desktop\jre-6u6-windows-i586-p.exe.sdm ->  [Ver =  | Size = 1211 bytes | Modified Date = 5/31/2008 11:38:10 AM | Attr =	]
mbam-setup.exe -> %UserProfile%\Desktop\mbam-setup.exe -> Malwarebytes												 [Ver = 1.0.0.0			  | Size = 1756760 bytes | Modified Date = 6/1/2008 7:21:05 PM | Attr =	]
mbam-setup1.exe -> %UserProfile%\Desktop\mbam-setup1.exe -> Malwarebytes												 [Ver = 1.0.0.0			  | Size = 1805926 bytes | Modified Date = 6/1/2008 8:00:00 PM | Attr =	]
NTREGOPT.lnk -> %UserProfile%\Desktop\NTREGOPT.lnk ->  [Ver =  | Size = 611 bytes | Modified Date = 5/31/2008 5:35:23 PM | Attr =	]
OTMoveIt2.exe -> %UserProfile%\Desktop\OTMoveIt2.exe -> OldTimer Tools [Ver = 1.0.4.2 | Size = 291328 bytes | Modified Date = 6/1/2008 7:05:43 PM | Attr =	]
OTScanIt -> %UserProfile%\Desktop\OTScanIt ->  [Folder | Modified Date = 6/2/2008 11:36:58 AM | Attr =	]
OTScanIt.exe -> %UserProfile%\Desktop\OTScanIt.exe ->  [Ver =  | Size = 544627 bytes | Modified Date = 6/2/2008 11:36:21 AM | Attr =	]
peek.bat -> %UserProfile%\Desktop\peek.bat ->  [Ver =  | Size = 95 bytes | Modified Date = 6/1/2008 7:19:08 PM | Attr =	]
Quote(2).pdf -> %UserProfile%\Desktop\Quote(2).pdf ->  [Ver =  | Size = 235704 bytes | Modified Date = 6/2/2008 10:52:40 AM | Attr =	]
Quote.pdf -> %UserProfile%\Desktop\Quote.pdf ->  [Ver =  | Size = 235704 bytes | Modified Date = 5/27/2008 12:15:55 PM | Attr =	]
registrybackup -> %UserProfile%\Desktop\registrybackup ->  [Folder | Modified Date = 5/31/2008 5:35:53 PM | Attr =	]
scan.JPG -> %UserProfile%\Desktop\scan.JPG ->  [Ver =  | Size = 83948 bytes | Modified Date = 6/2/2008 11:14:52 AM | Attr =	]
SDFix.exe -> %UserProfile%\Desktop\SDFix.exe ->  [Ver =  | Size = 1438693 bytes | Modified Date = 5/31/2008 11:51:40 AM | Attr =	]
Download Manager -> %CommonProgramFiles%\Download Manager ->  [Folder | Modified Date = 6/1/2008 8:00:00 PM | Attr =	]

< End of report >

I hope this makes sense. Cheers
  • 0

#25
Mike
Posted 02 June 2008 - 05:13 AM

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts

Hi there, I don't see any attachments. Could you write for me what the scans detected the file as?


Could you provide me with the information above please. You could also host the image through imageshack or photobucket.

I will review your OTScanIt log meanwhile.

Thanks,

Mike

Edited by Mike, 02 June 2008 - 05:15 AM.

  • 0

Advertisements

#26
demeggy
Posted 02 June 2008 - 05:17 AM

demeggy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
Oops, sorry!

Imageshack'd screenshot - http://img134.images...816/scanga9.jpg

It's just occured to me, is it safe for my pc to be connected to the net if theres potential backdoor viruses operating?
  • 0

#27
Mike
Posted 02 June 2008 - 06:07 AM

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi there demeggy,

Very Important!

Thats bitfrose for ya :) At least we can nuke it now.

You have a backdoor trojan installed on your computer.
Backdoor Trojans, IRCBots and Infostealers are very dangerous because they provide a means of accessing a computer system that bypasses security mechanisms and steal sensitive information like passwords, personal and financial data which they send back to the hacker. Remote attackers use backdoor Trojans as part of an exploit to to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned.
All passwords should be changed immediately to include those used for banking, email, eBay and forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

If you choose to reformat please let me know in your next post.

Fixes With OTScanIt

Start OTScanIt. Copy/Paste the information in the Code box below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Registry - Non-Microsoft Only]
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
YN ->   .[msn] -> My Computer
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
YN -> {E19ADC6E-3909-43E4-9A89-B7B676377EE3}: [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Sothink SWF Catcher]
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
[Files/Folders - Created Within 30 days]
YY -> explorer -> %SystemRoot%\System32\explorer
YY -> 1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
YY -> 4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
[Files Created - Additional Folder Scans - Non-Microsoft Only]
YY -> peek.bat -> %UserProfile%\Desktop\peek.bat
[Files/Folders - Modified Within 30 days]
NY -> 1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
[Empty Temp Folders]
[Start Explorer]


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. CLick the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTScanIt scan.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
  • 0

#28
demeggy
Posted 02 June 2008 - 06:53 AM

demeggy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
Okay, it asked me to reboot, so I did, to which explorer wouldnt respond. I let it try to end it, but it prompted me to end it, so I did, and the pc restarted as stated.

I'm using my gf's laptop and a USB to copy logs backwards and forwards. I hope this'll be safe.

OTScanIt Log:

Explorer killed successfully
[Registry - Non-Microsoft Only]
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\msn\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{E19ADC6E-3909-43E4-9A89-B7B676377EE3}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E19ADC6E-3909-43E4-9A89-B7B676377EE3}\ deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FB5F1910-F110-11d2-BB9E-00C04F795683}\ not found.
[Files/Folders - Created Within 30 days]
C:\WINDOWS\System32\explorer folder moved successfully.
[Files Created - Additional Folder Scans - Non-Microsoft Only]
C:\Documents and Settings\Kris\Desktop\peek.bat moved successfully.
[Files/Folders - Modified Within 30 days]
[Empty Temp Folders]
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt by OldTimer - Version 1.0.15.10 fix logfile created on 06022008_134954

Files moved on Reboot...
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.

Is there anything I need to do in the meantime? Turn my pc off (it isn't connected to the net, I removed my Wireless USB stick)?
  • 0

#29
Mike
Posted 02 June 2008 - 07:57 AM

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
You can connect to the internet with your PC, although don't stay on for excessive amounts of time. Things like downloading tools and posting here can be done without a problem.
I don't see any problems with plugging in your USB device in this case, but some malware do infect USB devices to spread to other computers so be cautious when infected.

Could you please post a new OTScanIt log? Also how is your computer running now?

Edited by Mike, 02 June 2008 - 07:59 AM.

  • 0

#30
demeggy
Posted 02 June 2008 - 08:01 AM

demeggy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
Shall I run the scan with Reg - BotCheck and File - Additional Folder Scans checked?

PC's still running same as before. No sound, can't copy/paste etc
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP