Hello, and thanks again! I removed the 4 items using HijackThis and ran Silent Runners. Here's the Silent Runners log:
"Silent Runners.vbs", revision 38.1, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SystemTray" = "SysTray.Exe" [MS]
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"Pure Networks Port Magic" = ""C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run" ["Pure Networks, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe" ["Sun Microsystems, Inc."]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\ {++}
"(Default)" = (empty string)
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4efb-9B51-7695ECA05670}\(Default) = "Yahoo! Companion BHO" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll" ["Yahoo! Inc."]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{BB7DF450-F119-11CD-8465-00AA00425D90}" = "Microsoft Access Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office\soa800.dll" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Exchange"
-> {CLSID}\InProcServer32\(Default) = "c:\Program Files\Microsoft Office\Office10\MLSHEXT.DLL" [MS]
"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Explode"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\UNBIND.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "c:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE10\msohev.dll" [MS]
"{FACEB421-912E-11D3-B7D5-0080AD41AF95}" = "ZipStar Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\SPEEDPROJECT\ZIPSTAR 4\ZSSHELL.DLL" ["SpeedProject"]
"{0D302F2C-8EA6-11CE-B035-444553540000}" = "pcANYWHERECallerShellExt"
-> {CLSID}\InProcServer32\(Default) = "c:\Program Files\Symantec\pcAnywhere\awshell.DLL" ["Symantec Corporation"]
"{92A681A0-9f0D-11CE-B035-444553540000}" = "pcANYWHERECallerPage"
-> {CLSID}\InProcServer32\(Default) = "c:\Program Files\Symantec\pcAnywhere\awshllpg.DLL" ["Symantec Corporation"]
"{DF44ACC1-972F-11CE-B035-444553540000}" = "pcANYWHERERemoteCtrlShellExt"
-> {CLSID}\InProcServer32\(Default) = "c:\Program Files\Symantec\pcAnywhere\awshell.DLL" ["Symantec Corporation"]
"{92a681a1-9f0d-11CE-B035-444553540000}" = "pcANYWHERERemoteCtrlPage"
-> {CLSID}\InProcServer32\(Default) = "c:\Program Files\Symantec\pcAnywhere\awshllpg.DLL" ["Symantec Corporation"]
"{DF44ACC2-972F-11CE-B035-444553540000}" = "pcANYWHEREBeHostExt"
-> {CLSID}\InProcServer32\(Default) = "c:\Program Files\Symantec\pcAnywhere\awshell.DLL" ["Symantec Corporation"]
"{92A681A2-9f0D-11CE-B035-444553540000}" = "pcANYWHEREBeHostPage"
-> {CLSID}\InProcServer32\(Default) = "c:\Program Files\Symantec\pcAnywhere\awshllpg.DLL" ["Symantec Corporation"]
"{DF44ACC3-972F-11CE-B035-444553540000}" = "pcANYWHEREOnlineSvcExt"
-> {CLSID}\InProcServer32\(Default) = "c:\Program Files\Symantec\pcAnywhere\awshell.DLL" ["Symantec Corporation"]
"{92A681A3-9f0D-11CE-B035-444553540000}" = "pcANYWHEREOnlineSvcPage"
-> {CLSID}\InProcServer32\(Default) = "c:\Program Files\Symantec\pcAnywhere\awshllpg.DLL" ["Symantec Corporation"]
"{DF44ACC4-972F-11CE-B035-444553540000}" = "pcANYWHEREGatewayExt"
-> {CLSID}\InProcServer32\(Default) = "c:\Program Files\Symantec\pcAnywhere\awshell.DLL" ["Symantec Corporation"]
"{92A681A4-9f0D-11CE-B035-444553540000}" = "pcANYWHEREGatewayPage"
-> {CLSID}\InProcServer32\(Default) = "c:\Program Files\Symantec\pcAnywhere\awshllpg.DLL" ["Symantec Corporation"]
"{1C311AAA-D8B1-4A0A-BEE5-2387FEC583DA}" = "ShellPlusContextMenu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM32\B4FM.dll" [null data]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{acb4a560-3606-11d3-aef4-00104bd0f92d}" = "KodakShellExtension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\KODAK\IFSCore\kodakshx.dll" ["Eastman Kodak Company"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "GinaDLL" = "C:\WINDOWS\System32\awgina.dll" ["Symantec Corporation"]
Active Desktop and Wallpaper:
-----------------------------
Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\WebshotsForSysadmin.bmp"
Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\Webshots.scr" ["Auralis, Inc."]
Startup items in "sysadmin" & "All Users" startup folders:
----------------------------------------------------------
C:\Documents and Settings\sysadmin\Start Menu\Programs\Startup
"Webshots" -> shortcut to: "C:\Program Files\Webshots\WebshotsTray.exe" ["The Webshots Corporation"]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Kodak EasyShare software" -> shortcut to: "C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe -h" ["Eastman Kodak Company"]
Enabled Scheduled Tasks:
------------------------
"Modem & Network" -> launches: "C:\WINDOWS\Desktop\modem network.BHF" [file not found]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 08, 11 - 22
%SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10
Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "&Yahoo! Companion" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll" ["Yahoo! Inc."]
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "&Yahoo! Companion" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll" ["Yahoo! Inc."]
Explorer Bars
HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll" ["Yahoo! Inc."]
HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll" ["Yahoo! Inc."]
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\ = "Real.com" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\SHDOCVW.DLL" [MS]
Extensions (Tools menu items, main toolbar menu buttons)
HKCU\Software\Microsoft\Internet Explorer\Extensions\
{C02E3700-038B-11D6-9DFD-00065B61A109}\
"ButtonText" = "Dell Home"
"Exec" = "http://business.dellnet.com/" [file not found]
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll" ["Sun Microsystems, Inc."]
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\
"ButtonText" = "Messenger"
"MenuText" = "Yahoo! Messenger"
"CLSIDExtension" = "{4C171D40-8277-11D5-AD55-00010333D0AD}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll" ["Yahoo! Inc."]
{4982D40A-C53B-4615-B15B-B5B5E98D167C}\
"ButtonText" = "AOL Toolbar"
"MenuText" = "AOL Toolbar"
"CLSIDExtension" = "{4982D40A-C53B-4615-B15B-B5B5E98D167C}"
{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\Program Files\AIM95\aim.exe" ["America Online, Inc."]
{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
AOL Connectivity Service, AOL ACS, "C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe" ["America Online, Inc."]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
Kodak Camera Connection Software, KodakCCS, "C:\WINDOWS\system32\drivers\KodakCCS.exe" ["Eastman Kodak Company"]
ObjectStore Cache Manager R6.0, ObjectStore Cache Manager R6.0, "C:\ODI\OStore\BIN\OSCMGR6.EXE" ["eXcelon Corp."]
ObjectStore Server R6.0, ObjectStore Server R6.0, "C:\ODI\OStore\BIN\OSSERVER.EXE" ["eXcelon Corp."]
ptssvc, ptssvc, "C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe" ["KODAK"]
Keyboard Driver Filters:
------------------------
HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
"UpperFilters" = INFECTION WARNING! "aw_host" [file not found]
----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------
Now, here's the log from the MWAV antivirus tool scan:
Object "saap Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "CWS.therealsearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "CWS.smartsearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "Software\Microsoft\Windows\CurrentVersion\ModuleUsage\C:\WINDOWS\SYSTEM\ATL.DLL". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "Software\Microsoft\Windows\CurrentVersion\ModuleUsage\C:\WINDOWS\SYSTEM\danim.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "Software\Microsoft\Windows\CurrentVersion\ModuleUsage\C:\WINDOWS\SYSTEM\ddrawex.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "Software\Microsoft\Windows\CurrentVersion\ModuleUsage\C:\WINDOWS\SYSTEM\iuctl.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "Software\Microsoft\Windows\CurrentVersion\ModuleUsage\C:\WINDOWS\SYSTEM\iuengine.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "Software\Microsoft\Windows\CurrentVersion\ModuleUsage\C:\WINDOWS\SYSTEM\quartz.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "Software\Microsoft\Windows\CurrentVersion\ModuleUsage\C:\WINDOWS\wupdmgr.exe". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{00020344-0000-0000-C000-000000000046}" refers to invalid object "mapisrvr.exe". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{0A4550F5-9BC3-4152-B387-A6A92314EFB9}" refers to invalid object "mailui.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{700B1221-CAFF-11d1-B9DE-000000001B1B}" refers to invalid object "atippaxx.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{756b000a-da70-11d5-8fe2-00c04f01a9d6}" refers to invalid object "SEAL.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{756b000b-da70-11d5-8fe2-00c04f01a9d6}" refers to invalid object "SEAL.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{756b000c-da70-11d5-8fe2-00c04f01a9d6}" refers to invalid object "SEAL.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{756b000d-da70-11d5-8fe2-00c04f01a9d6}" refers to invalid object "SEAL.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{756b000e-da70-11d5-8fe2-00c04f01a9d6}" refers to invalid object "SEAL.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{756b0015-da70-11d5-8fe2-00c04f01a9d6}" refers to invalid object "SEAL.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{8B621BBF-A21D-4311-92E5-A98E7DDDF36A}" refers to invalid object "mailui.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{8E16892B-25C6-431f-8297-0EABCF13AC59}" refers to invalid object "mailui.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{98F933D7-551D-45c5-A99A-93D438DA87D9}" refers to invalid object "mailui.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{9EFBF860-5685-11D3-AA3D-00C04F4C5275}" refers to invalid object "cdooff.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{A15C359E-0A0E-4afa-9C6A-7AEC4F7B9C93}" refers to invalid object "msnmetal.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{B0693766-5278-4ec6-B9E1-3CE40560EF5A}" refers to invalid object "CaPlgin.ax". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{DC67367A-8B15-47BC-B7F8-0BA0435A504A}" refers to invalid object "MSNCON32.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{DCEDFCBF-C7D1-4B81-A20F-7524D306135E}" refers to invalid object "MSNCON32.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{E62DCD80-C262-11d1-A419-006097923041}" refers to invalid object "atipdsxx.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F2B8E361-D2E2-11D1-A41F-00609729B902}" refers to invalid object "atipuixx.dll". Action Taken: No Action Taken.
Entry "HKCR\AcroIEHelper.AcroIEHlprObj" refers to invalid object "{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}". Action Taken: No Action Taken.
Entry "HKCR\AcroIEHelper.AcroIEHlprObj.1" refers to invalid object "{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}". Action Taken: No Action Taken.
Entry "HKCR\ActiveEx.ButtonProvider" refers to invalid object "{69E5414B-B371-11D0-BCD9-00AA00C1AB1C}". Action Taken: No Action Taken.
Entry "HKCR\ActiveEx.ButtonProvider.1" refers to invalid object "{69E5414B-B371-11D0-BCD9-00AA00C1AB1C}". Action Taken: No Action Taken.
Entry "HKCR\ActiveEx.FolderChooser" refers to invalid object "{69E5414F-B371-11D0-BCD9-00AA00C1AB1C}". Action Taken: No Action Taken.
Entry "HKCR\ActiveEx.FolderChooser.1" refers to invalid object "{69E5414F-B371-11D0-BCD9-00AA00C1AB1C}". Action Taken: No Action Taken.
Entry "HKCR\ActiveEx.ScriptChooser" refers to invalid object "{69E5414D-B371-11D0-BCD9-00AA00C1AB1C}". Action Taken: No Action Taken.
Entry "HKCR\ActiveEx.ScriptChooser.1" refers to invalid object "{69E5414D-B371-11D0-BCD9-00AA00C1AB1C}". Action Taken: No Action Taken.
Entry "HKCR\ActMsg.Session" refers to invalid object "{3FA7DEB3-6438-101B-ACC1-00AA00423326}". Action Taken: No Action Taken.
Entry "HKCR\AOL.IEToolbar" refers to invalid object "{4982D40A-C53B-4615-B15B-B5B5E98D167C}". Action Taken: No Action Taken.
Entry "HKCR\AOL.IEToolbar.1" refers to invalid object "{4982D40A-C53B-4615-B15B-B5B5E98D167C}". Action Taken: No Action Taken.
Entry "HKCR\AolBridge.AolBrowserBridge" refers to invalid object "{B6069E5C-B409-11D3-BA1D-00108334265F}". Action Taken: No Action Taken.
Entry "HKCR\AolBridge.AolBrowserBridge.1" refers to invalid object "{B6069E5C-B409-11D3-BA1D-00108334265F}". Action Taken: No Action Taken.
Entry "HKCR\AolCalSvr.ACApptTypeCombo.1" refers to invalid object "{F0CABE48-0484-11D4-B137-00C04FA03009}". Action Taken: No Action Taken.
Entry "HKCR\AolCalSvr.ACCalendarDCtrl.1" refers to invalid object "{3AEE3932-59BB-11D3-A8CC-005004A0F323}". Action Taken: No Action Taken.
Entry "HKCR\AolCalSvr.ACColorPick.1" refers to invalid object "{F0CABE45-0484-11D4-B137-00C04FA03009}". Action Taken: No Action Taken.
Entry "HKCR\AolCalSvr.ACDayViewCtrl" refers to invalid object "{0410820E-D7CB-11D3-A74F-0050DA126772}". Action Taken: No Action Taken.
Entry "HKCR\AolCalSvr.ACDayViewCtrl.1" refers to invalid object "{0410820E-D7CB-11D3-A74F-0050DA126772}". Action Taken: No Action Taken.
Entry "HKCR\AolCalSvr.ACDictionary.1" refers to invalid object "{F09500A4-0A08-11D4-B137-00C04FA03009}". Action Taken: No Action Taken.
Entry "HKCR\AolCalSvr.ACMonthViewCtrl.1" refers to invalid object "{5F6B2D5A-CFEB-11D3-A74E-0050DA126772}". Action Taken: No Action Taken.
Entry "HKCR\AolCalSvr.ACMPickerCtrl.1" refers to invalid object "{F5E941E8-DA94-11D3-8B69-00105AA31C20}". Action Taken: No Action Taken.
Entry "HKCR\AolCalSvr.ACToolBarCtrl.1" refers to invalid object "{66DD4567-DA5C-11D3-A74F-0050DA126772}". Action Taken: No Action Taken.
Entry "HKCR\AolCalSvr.ACWebDlgHelper.1" refers to invalid object "{CD961C04-E3BC-11D3-A74F-0050DA126772}". Action Taken: No Action Taken.
Entry "HKCR\BackWeb.Client.ScriptHelper-" refers to invalid object "{A0EC6B8B-3129-47E0-9C0A-F5A986E6C377}". Action Taken: No Action Taken.
Entry "HKCR\cliproxy.objects" refers to invalid object "{E381F1C0-910E-11D1-AB1E-00A0C90F8F6F}". Action Taken: No Action Taken.
Entry "HKCR\cliproxy.objects.1" refers to invalid object "{E381F1C0-910E-11D1-AB1E-00A0C90F8F6F}". Action Taken: No Action Taken.
Entry "HKCR\cliscan.objects" refers to invalid object "{E381F1D0-910E-11D1-AB1E-00A0C90F8F6F}". Action Taken: No Action Taken.
Entry "HKCR\cliscan.objects.1" refers to invalid object "{E381F1D0-910E-11D1-AB1E-00A0C90F8F6F}". Action Taken: No Action Taken.
Entry "HKCR\CognosBIBatcher60.Message" refers to invalid object "{14E05213-4D9E-4B4E-BDCE-4D6D6EF952A3}". Action Taken: No Action Taken.
Entry "HKCR\CognosBIBatcher60.Send" refers to invalid object "{B868BB4B-93C0-433F-AC4E-7562993752F6}". Action Taken: No Action Taken.
Entry "HKCR\CognosBIInstMgr60.AppInstance" refers to invalid object "{9377470B-7241-4578-997B-7751F7AB84A1}". Action Taken: No Action Taken.
Entry "HKCR\CognosPowerPrompts.Model.cer1" refers to invalid object "{F38EFEF7-098B-11d4-9DCF-0010A4F9EE7E}". Action Taken: No Action Taken.
Entry "HKCR\CogUdf.CogRExp" refers to invalid object "{5D287322-AB5C-11D4-9DD5-00D0B71329D8}". Action Taken: No Action Taken.
Entry "HKCR\ComCtl2.Animation" refers to invalid object "{1E216240-1B7D-11CF-9D53-00AA003C9CB6}". Action Taken: No Action Taken.
Entry "HKCR\ComCtl2.Animation.1" refers to invalid object "{1E216240-1B7D-11CF-9D53-00AA003C9CB6}". Action Taken: No Action Taken.
Entry "HKCR\ComCtl2.UpDown" refers to invalid object "{026371C0-1B7C-11CF-9D53-00AA003C9CB6}". Action Taken: No Action Taken.
Entry "HKCR\ComCtl2.UpDown.1" refers to invalid object "{026371C0-1B7C-11CF-9D53-00AA003C9CB6}". Action Taken: No Action Taken.
Entry "HKCR\ComPlusMetaData.MsCorHost" refers to invalid object "{727CDF4F-3BA0-11D3-8738-00C04F79ED0D}". Action Taken: No Action Taken.
Entry "HKCR\ComPlusMetaData.MsCorHost.2" refers to invalid object "{727CDF4F-3BA0-11D3-8738-00C04F79ED0D}". Action Taken: No Action Taken.
Entry "HKCR\DameWare.Cal32Ctrl.1" refers to invalid object "{891C9A24-4070-11CF-8E46-00AA006DB209}". Action Taken: No Action Taken.
Entry "HKCR\Ebrowser.FatWallet" refers to invalid object "{E13046F7-A5DF-4574-BD7A-6DC12EC10FF5}". Action Taken: No Action Taken.
Entry "HKCR\Ebrowser.FatWallet.1" refers to invalid object "{E13046F7-A5DF-4574-BD7A-6DC12EC10FF5}". Action Taken: No Action Taken.
Entry "HKCR\Eyretel.BroadcastInterface" refers to invalid object "{6C10218F-6A4E-11D2-AB8B-00E0291154ED}". Action Taken: No Action Taken.
Entry "HKCR\Eyretel.Configuration" refers to invalid object "{AC0758BA-4675-11D3-AA6F-0060B06ABE0F}". Action Taken: No Action Taken.
Entry "HKCR\Eyretel.ControlInterface" refers to invalid object "{AC0758B4-4675-11D3-AA6F-0060B06ABE0F}". Action Taken: No Action Taken.
Entry "HKCR\Eyretel.LicenseInterface" refers to invalid object "{F0BCF754-4306-11D2-AB83-00E0291154ED}". Action Taken: No Action Taken.
Entry "HKCR\EyreTel.LicenseServer" refers to invalid object "{765E6444-20A2-11D2-9DA6-00E0291154ED}". Action Taken: No Action Taken.
Entry "HKCR\EyreTel.SecurityInterface" refers to invalid object "{E9AE7864-5DC2-11D2-AB87-00E0291154ED}". Action Taken: No Action Taken.
Entry "HKCR\Eyretel.SecurityServer" refers to invalid object "{7FADD504-2ADF-11D2-9DA8-00E0291154ED}". Action Taken: No Action Taken.
Entry "HKCR\Eyretel.Status" refers to invalid object "{AC0758B7-4675-11D3-AA6F-0060B06ABE0F}". Action Taken: No Action Taken.
Entry "HKCR\FireLink.FireLink.1" refers to invalid object "{D991B0BE-0D0D-11D1-858B-0020AFD55D4F}". Action Taken: No Action Taken.
Entry "HKCR\GraphViewLib.EdgeArrow" refers to invalid object "{DC7B46F2-09A1-11D4-9DCF-0010A4F9EE7E}". Action Taken: No Action Taken.
Entry "HKCR\GraphViewLib.GraphView" refers to invalid object "{DC7B46F7-09A1-11D4-9DCF-0010A4F9EE7E}". Action Taken: No Action Taken.
Entry "HKCR\HclFtp.Engine" refers to invalid object "{C7B3087F-E999-11D1-B0D1-006008914D5A}". Action Taken: No Action Taken.
Entry "HKCR\HclFtp.Engine.1" refers to invalid object "{C7B3087F-E999-11D1-B0D1-006008914D5A}". Action Taken: No Action Taken.
Entry "HKCR\Hummingbird.RshCtrl.1" refers to invalid object "{DE39AEC7-3D73-11D0-8E0F-00A0240B2FE9}". Action Taken: No Action Taken.
Entry "HKCR\LSClient.SSManager" refers to invalid object "{8B0DE85A-F975-11D2-A985-00A0244D507A}". Action Taken: No Action Taken.
Entry "HKCR\LSClient.SSManager.1" refers to invalid object "{8B0DE85A-F975-11D2-A985-00A0244D507A}". Action Taken: No Action Taken.
Entry "HKCR\LSClient.SubscriptionInfo" refers to invalid object "{9B3A3465-FE53-11D3-9784-005004D12CC3}". Action Taken: No Action Taken.
Entry "HKCR\LSClient.SubscriptionInfo.1" refers to invalid object "{9B3A3465-FE53-11D3-9784-005004D12CC3}". Action Taken: No Action Taken.
Entry "HKCR\LSClient.Subscriptions" refers to invalid object "{F8D14F43-FC26-11D3-9784-005004D12CC3}". Action Taken: No Action Taken.
Entry "HKCR\LSClient.Subscriptions.1" refers to invalid object "{F8D14F43-FC26-11D3-9784-005004D12CC3}". Action Taken: No Action Taken.
Entry "HKCR\LSClientUI.UserInterface" refers to invalid object "{DE2F6328-0707-11D4-9784-005004D12CC3}". Action Taken: No Action Taken.
Entry "HKCR\LSClientUI.UserInterface.1" refers to invalid object "{DE2F6328-0707-11D4-9784-005004D12CC3}". Action Taken: No Action Taken.
Entry "HKCR\MAILMON.MailmonCtrl.1" refers to invalid object "{98842923-A0FA-11CF-B2A0-0000C0A08558}". Action Taken: No Action Taken.
Entry "HKCR\MAPI.Session" refers to invalid object "{3FA7DEB3-6438-101B-ACC1-00AA00423326}". Action Taken: No Action Taken.
Entry "HKCR\MAPI.Session.1" refers to invalid object "{3FA7DEB3-6438-101B-ACC1-00AA00423326}". Action Taken: No Action Taken.
Entry "HKCR\MercLink.S2MessageFilter" refers to invalid object "{F00EEA66-C5AD-11D2-84C3-00104B69AAB4}". Action Taken: No Action Taken.
Entry "HKCR\MercLink.S2MessageFilter.1" refers to invalid object "{F00EEA66-C5AD-11D2-84C3-00104B69AAB4}". Action Taken: No Action Taken.
Entry "HKCR\MERCMESSAGE.MercMessageCtrl.1" refers to invalid object "{C36A2453-7A0C-11D0-94AF-00A0246D0D5F}". Action Taken: No Action Taken.
Entry "HKCR\MONTHVW.MonthvwCtrl.1" refers to invalid object "{278B28A3-6BE1-11D1-A4FC-444553540000}". Action Taken: No Action Taken.
Entry "HKCR\OracleInProcServer.XOraServer" refers to invalid object "{5CEA8296-F9B9-11D1-9E07-00C04FC2BED8}". Action Taken: No Action Taken.
Entry "HKCR\OracleInProcServer.XOraServer.3" refers to invalid object "{5CEA8296-F9B9-11D1-9E07-00C04FC2BED8}". Action Taken: No Action Taken.
Entry "HKCR\OracleInProcServer.XOraSession" refers to invalid object "{3893B4A0-FFD8-101A-ADF2-04021C007002}". Action Taken: No Action Taken.
Entry "HKCR\OracleInProcServer.XOraSession.3" refers to invalid object "{3893B4A0-FFD8-101A-ADF2-04021C007002}". Action Taken: No Action Taken.
Entry "HKCR\ORADC.ORADCCtrl.1" refers to invalid object "{EC4CF635-D196-11CE-9027-02608C4BF3B5}". Action Taken: No Action Taken.
Entry "HKCR\OraOLEDB.ErrorLookup" refers to invalid object "{3FC8E6E4-53FF-11D2-BB7D-00C04FA30080}". Action Taken: No Action Taken.
Entry "HKCR\OraOLEDB.ErrorLookup.1" refers to invalid object "{3FC8E6E4-53FF-11D2-BB7D-00C04FA30080}". Action Taken: No Action Taken.
Entry "HKCR\OraOLEDB.Oracle" refers to invalid object "{3F63C36E-51A3-11D2-BB7D-00C04FA30080}". Action Taken: No Action Taken.
Entry "HKCR\OraOLEDB.Oracle.1" refers to invalid object "{3F63C36E-51A3-11D2-BB7D-00C04FA30080}". Action Taken: No Action Taken.
Entry "HKCR\Overview.Document" refers to invalid object "{DA23B9C9-6893-11D0-8534-00C04FD7AD0C}". Action Taken: No Action Taken.
Entry "HKCR\PShopper.PersonalShopper" refers to invalid object "{8F05DED0-B413-11D3-BA1D-00108334265F}". Action Taken: No Action Taken.
Entry "HKCR\PShopper.PersonalShopper.1" refers to invalid object "{8F05DED0-B413-11D3-BA1D-00108334265F}". Action Taken: No Action Taken.
Entry "HKCR\PShopperCOM.PSConfig" refers to invalid object "{11BE3AE6-C9DF-11D3-8E11-00805F9E26E6}". Action Taken: No Action Taken.
Entry "HKCR\PShopperCOM.PSConfig.1" refers to invalid object "{11BE3AE6-C9DF-11D3-8E11-00805F9E26E6}". Action Taken: No Action Taken.
Entry "HKCR\PShopperCOM.PSProductFinder" refers to invalid object "{C0E02720-C9D7-11D3-8E10-00805F9E26E6}". Action Taken: No Action Taken.
Entry "HKCR\PShopperCOM.PSProductFinder.1" refers to invalid object "{C0E02720-C9D7-11D3-8E10-00805F9E26E6}". Action Taken: No Action Taken.
Entry "HKCR\QFORMCTL.QFormCtlCtrl.1" refers to invalid object "{E3749279-23AE-11D0-90C5-00A024095107}". Action Taken: No Action Taken.
Entry "HKCR\S2000DISPCMDS.AlarmVarCtrl.1" refers to invalid object "{979F753D-CAD0-11D0-8547-0020AFD55D4F}". Action Taken: No Action Taken.
Entry "HKCR\S2000DISPCMDS.FormatTimeCtrl.1" refers to invalid object "{979F7539-CAD0-11D0-8547-0020AFD55D4F}". Action Taken: No Action Taken.
Entry "HKCR\S2000DISPCMDS.GenericCmdsCtrl.1" refers to invalid object "{979F7529-CAD0-11D0-8547-0020AFD55D4F}". Action Taken: No Action Taken.
Entry "HKCR\S2000DISPCMDS.NoteCtrl.1" refers to invalid object "{979F752D-CAD0-11D0-8547-0020AFD55D4F}". Action Taken: No Action Taken.
Entry "HKCR\S2000DISPCMDS.S2000DispCmds8Ctrl.1" refers to invalid object "{979F7545-CAD0-11D0-8547-0020AFD55D4F}". Action Taken: No Action Taken.
Entry "HKCR\S2000DISPCMDS.TimeStampCtrl.1" refers to invalid object "{979F7535-CAD0-11D0-8547-0020AFD55D4F}". Action Taken: No Action Taken.
Entry "HKCR\S2000DISPCMDS.TuneCtrl.1" refers to invalid object "{979F7531-CAD0-11D0-8547-0020AFD55D4F}". Action Taken: No Action Taken.
Entry "HKCR\S2000DISPCMDS.VarCtrl.1" refers to invalid object "{979F7541-CAD0-11D0-8547-0020AFD55D4F}". Action Taken: No Action Taken.
Entry "HKCR\S2MSGEDITOR.S2MsgEditorCtrl.1" refers to invalid object "{6708835D-0C6B-11D3-808F-00105AA9BDD3}". Action Taken: No Action Taken.
Entry "HKCR\S2NUMSPINNER.S2NumSpinnerCtrl.1" refers to invalid object "{965A7B86-9F03-11D1-8660-0020AFD55D4F}". Action Taken: No Action Taken.
Entry "HKCR\SCHDYLST.SchdylstCtrl.1" refers to invalid object "{85AA926D-D8F1-11CF-B2A0-0000C0A08558}". Action Taken: No Action Taken.
Entry "HKCR\SDULISTBOX.SDUListBoxCtrl.1" refers to invalid object "{1054A526-4183-11D1-85D7-0020AFD55D4F}". Action Taken: No Action Taken.
Entry "HKCR\SNOTE.SnoteCtrl.1" refers to invalid object "{36FD55C3-DF00-11CF-8224-00800F24117C}". Action Taken: No Action Taken.
Entry "HKCR\SSCalendar.SSDayCtrl.1" refers to invalid object "{643F1350-1D07-11CE-9E52-0000C0554C0A}". Action Taken: No Action Taken.
Entry "HKCR\SYMONTIME.SymonTimeCtrl.1" refers to invalid object "{22434BA5-AF5F-11D0-8521-0020AFD55D4F}". Action Taken: No Action Taken.
Entry "HKCR\SymWriter.pdb" refers to invalid object "{520DC67A-752E-11D3-8D56-00C04F680B2B}". Action Taken: No Action Taken.
Entry "HKCR\TAOCMAP.TaocmapCtrl.1" refers to invalid object "{A96D76E3-EF71-11CF-B2A0-0000C0A08558}". Action Taken: No Action Taken.
Entry "HKCR\TrialEnd.TrialEnd.1" refers to invalid object "{438B8ECD-AD2A-11D1-ADEB-0000F87734F0}". Action Taken: No Action Taken.
Entry "HKCR\xxxSubClasser.clsTimer" refers to invalid object "{9D78E757-09A1-11D4-9DCF-0010A4F9EE7E}". Action Taken: No Action Taken.
Entry "HKCR\xxxSubClasser.GSubClass" refers to invalid object "{9D78E755-09A1-11D4-9DCF-0010A4F9EE7E}". Action Taken: No Action Taken.
File C:\WINDOWS\Cliff.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Documents and Settings\sysadmin\Application Data\Mozilla\Profiles\A C\hcgc1nc1.slt\Cache\042ED42Dd01 infected by "Exploit.HTML.Mht" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\sysadmin\Local Settings\Application Data\Microsoft\MSN\db\Mail ([email protected])\stm0xf000133.000 tagged as not-a-virus:Garbage.HTML.Fraud.gen. No Action Taken.
File C:\My Documents\My Downloads\NSuperEB_install_22.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\America Online 9.0\Jiti\Jiti_mm.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\BitTorrent\uninstall.exe tagged as not-a-virus:Tool.Win32.Processor.1001. No Action Taken.
File C:\Program Files\Common Files\aolback\comp01.000 tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\All Users\Application Data\AOL Downloads\setup90\comp01.000 tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\WhenUSaveNow2.zip infected by "Password-protected-EXE" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\Cliff.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\OPTIONS\CABS\OLS\AOL\AOL40AU.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\OPTIONS\CABS\OLS\AOL\AOL40CA.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\OPTIONS\CABS\OLS\AOL\AOL40UK.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\OPTIONS\CABS\OLS\AOL\AOL40US.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\OPTIONS\CABS\OLS\AT&T\ATTKIT.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\OPTIONS\CABS\OLS\CSI\USKIT.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\OPTIONS\CABS\WIN98_66.CAB tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
Here is the log.txt from running the log.bat file:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Conferencing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\System]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\System\DNSclient]
"UserNameString"="User Name:"
"PasswordString"="Password:"
"DomainString"="Domain:"
"CredentialsString"="The credentials used for Dynamic DNS registration:"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\ca]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\ca\Certificates]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\ca\CRLs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\ca\CTLs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\disallowed]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\disallowed\Certificates]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\disallowed\CRLs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\disallowed\CTLs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS]
"EFSBlob"=hex:01,00,01,00,01,00,00,00,6f,02,00,00,6b,02,00,00,1c,00,00,00,02,\
00,00,00,33,02,00,00,38,00,00,00,73,00,00,00,16,00,04,00,01,05,00,00,00,00,\
00,05,15,00,00,00,be,04,3e,32,da,16,eb,23,07,e5,3b,2b,e8,03,00,00,30,82,02,\
2f,30,82,01,9c,a0,03,02,01,02,02,10,8f,e7,f9,ea,50,10,15,88,4e,62,01,a0,59,\
5f,d3,9c,30,09,06,05,2b,0e,03,02,1d,05,00,30,4b,31,11,30,0f,06,03,55,04,03,\
13,08,73,79,73,61,64,6d,69,6e,31,0c,30,0a,06,03,55,04,07,13,03,45,46,53,31,\
28,30,26,06,03,55,04,0b,13,1f,45,46,53,20,46,69,6c,65,20,45,6e,63,72,79,70,\
74,69,6f,6e,20,43,65,72,74,69,66,69,63,61,74,65,30,20,17,0d,30,34,30,37,32,\
30,30,31,30,37,34,37,5a,18,0f,32,31,30,34,30,36,32,36,30,31,30,37,34,37,5a,\
30,4b,31,11,30,0f,06,03,55,04,03,13,08,73,79,73,61,64,6d,69,6e,31,0c,30,0a,\
06,03,55,04,07,13,03,45,46,53,31,28,30,26,06,03,55,04,0b,13,1f,45,46,53,20,\
46,69,6c,65,20,45,6e,63,72,79,70,74,69,6f,6e,20,43,65,72,74,69,66,69,63,61,\
74,65,30,81,9f,30,0d,06,09,2a,86,48,86,f7,0d,01,01,01,05,00,03,81,8d,00,30,\
81,89,02,81,81,00,ba,1e,86,4c,13,b9,17,14,2c,57,d2,02,e0,63,a2,17,69,db,08,\
33,5b,ef,2c,2d,9f,7b,c8,88,dc,ee,f7,fb,e4,d4,da,e6,a3,9d,65,1b,f5,60,75,c3,\
ae,8d,ac,1e,0f,12,f3,ea,73,7f,74,46,b6,cd,43,09,68,09,51,e7,50,91,c2,d3,a2,\
99,2c,58,e7,b3,00,70,8e,ae,c7,d6,d4,aa,a4,28,79,22,b1,78,fb,be,bb,01,df,46,\
b5,58,4b,85,5f,39,f6,53,14,e3,56,9a,4d,92,8b,df,30,d0,9e,70,4c,bc,3b,02,56,\
48,38,1b,3e,69,68,e8,01,8f,02,03,01,00,01,a3,1a,30,18,30,16,06,03,55,1d,25,\
04,0f,30,0d,06,0b,2b,06,01,04,01,82,37,0a,03,04,01,30,09,06,05,2b,0e,03,02,\
1d,05,00,03,81,81,00,b6,93,38,38,8d,62,30,09,6b,31,12,3e,48,57,04,0b,6a,51,\
b1,6e,19,54,9b,a9,a0,f9,e9,60,b5,1f,d3,c1,f8,5f,e1,65,5f,dd,36,c8,11,51,fc,\
af,7c,89,5b,ae,4e,09,53,dc,de,bb,cc,ce,8c,00,e1,b6,65,7f,7b,66,ef,09,ec,25,\
5d,65,06,01,b2,09,2b,df,5d,c2,70,58,f7,a3,da,82,2d,27,7f,9a,2f,29,eb,7c,e5,\
5d,e8,7d,c0,1f,23,00,0f,b2,4d,bf,31,88,da,3d,7a,e9,e5,14,73,ce,ba,73,b7,1e,\
8e,33,8c,29,dc,cd,5a,aa,81,d3
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS\Certificates]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS\Certificates\7A14F39ACBC0F10040FA1A2F547195D3D86A3DE5]
"Blob"=hex:03,00,00,00,01,00,00,00,14,00,00,00,7a,14,f3,9a,cb,c0,f1,00,40,fa,\
1a,2f,54,71,95,d3,d8,6a,3d,e5,02,00,00,00,01,00,00,00,c4,00,00,00,1c,00,00,\
00,6c,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,\
34,00,35,00,66,00,30,00,33,00,32,00,65,00,39,00,2d,00,61,00,36,00,62,00,31,\
00,2d,00,34,00,39,00,32,00,63,00,2d,00,61,00,63,00,32,00,34,00,2d,00,35,00,\
39,00,35,00,64,00,31,00,39,00,37,00,33,00,35,00,30,00,61,00,39,00,00,00,00,\
00,00,00,00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,\
42,00,61,00,73,00,65,00,20,00,43,00,72,00,79,00,70,00,74,00,6f,00,67,00,72,\
00,61,00,70,00,68,00,69,00,63,00,20,00,50,00,72,00,6f,00,76,00,69,00,64,00,\
65,00,72,00,20,00,76,00,31,00,2e,00,30,00,00,00,00,00,20,00,00,00,01,00,00,\
00,33,02,00,00,30,82,02,2f,30,82,01,9c,a0,03,02,01,02,02,10,8f,e7,f9,ea,50,\
10,15,88,4e,62,01,a0,59,5f,d3,9c,30,09,06,05,2b,0e,03,02,1d,05,00,30,4b,31,\
11,30,0f,06,03,55,04,03,13,08,73,79,73,61,64,6d,69,6e,31,0c,30,0a,06,03,55,\
04,07,13,03,45,46,53,31,28,30,26,06,03,55,04,0b,13,1f,45,46,53,20,46,69,6c,\
65,20,45,6e,63,72,79,70,74,69,6f,6e,20,43,65,72,74,69,66,69,63,61,74,65,30,\
20,17,0d,30,34,30,37,32,30,30,31,30,37,34,37,5a,18,0f,32,31,30,34,30,36,32,\
36,30,31,30,37,34,37,5a,30,4b,31,11,30,0f,06,03,55,04,03,13,08,73,79,73,61,\
64,6d,69,6e,31,0c,30,0a,06,03,55,04,07,13,03,45,46,53,31,28,30,26,06,03,55,\
04,0b,13,1f,45,46,53,20,46,69,6c,65,20,45,6e,63,72,79,70,74,69,6f,6e,20,43,\
65,72,74,69,66,69,63,61,74,65,30,81,9f,30,0d,06,09,2a,86,48,86,f7,0d,01,01,\
01,05,00,03,81,8d,00,30,81,89,02,81,81,00,ba,1e,86,4c,13,b9,17,14,2c,57,d2,\
02,e0,63,a2,17,69,db,08,33,5b,ef,2c,2d,9f,7b,c8,88,dc,ee,f7,fb,e4,d4,da,e6,\
a3,9d,65,1b,f5,60,75,c3,ae,8d,ac,1e,0f,12,f3,ea,73,7f,74,46,b6,cd,43,09,68,\
09,51,e7,50,91,c2,d3,a2,99,2c,58,e7,b3,00,70,8e,ae,c7,d6,d4,aa,a4,28,79,22,\
b1,78,fb,be,bb,01,df,46,b5,58,4b,85,5f,39,f6,53,14,e3,56,9a,4d,92,8b,df,30,\
d0,9e,70,4c,bc,3b,02,56,48,38,1b,3e,69,68,e8,01,8f,02,03,01,00,01,a3,1a,30,\
18,30,16,06,03,55,1d,25,04,0f,30,0d,06,0b,2b,06,01,04,01,82,37,0a,03,04,01,\
30,09,06,05,2b,0e,03,02,1d,05,00,03,81,81,00,b6,93,38,38,8d,62,30,09,6b,31,\
12,3e,48,57,04,0b,6a,51,b1,6e,19,54,9b,a9,a0,f9,e9,60,b5,1f,d3,c1,f8,5f,e1,\
65,5f,dd,36,c8,11,51,fc,af,7c,89,5b,ae,4e,09,53,dc,de,bb,cc,ce,8c,00,e1,b6,\
65,7f,7b,66,ef,09,ec,25,5d,65,06,01,b2,09,2b,df,5d,c2,70,58,f7,a3,da,82,2d,\
27,7f,9a,2f,29,eb,7c,e5,5d,e8,7d,c0,1f,23,00,0f,b2,4d,bf,31,88,da,3d,7a,e9,\
e5,14,73,ce,ba,73,b7,1e,8e,33,8c,29,dc,cd,5a,aa,81,d3
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS\CRLs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS\CTLs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\root]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\root\Certificates]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\root\CRLs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\root\CTLs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Cache]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{72385235-70FA-11D1-864C-14A300000000}]
"ClassName"="ipsecFilter"
"ipsecID"="{72385235-70FA-11D1-864C-14A300000000}"
"ipsecName"="All ICMP Traffic"
"ipsecDataType"=dword:00000100
"description"="Matches all ICMP packets between this computer and any other computer."
"ipsecOwnersReference"=hex(7):53,00,4f,00,46,00,54,00,57,00,41,00,52,00,45,00,\
5c,00,50,00,6f,00,6c,00,69,00,63,00,69,00,65,00,73,00,5c,00,4d,00,69,00,63,\
00,72,00,6f,00,73,00,6f,00,66,00,74,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,\
77,00,73,00,5c,00,49,00,50,00,53,00,65,00,63,00,5c,00,50,00,6f,00,6c,00,69,\
00,63,00,79,00,5c,00,4c,00,6f,00,63,00,61,00,6c,00,5c,00,69,00,70,00,73,00,\
65,00,63,00,4e,00,46,00,41,00,7b,00,37,00,31,00,34,00,41,00,39,00,46,00,36,\
00,45,00,2d,00,31,00,44,00,31,00,45,00,2d,00,34,00,39,00,46,00,38,00,2d,00,\
42,00,38,00,38,00,38,00,2d,00,36,00,45,00,34,00,42,00,37,00,34,00,38,00,36,\
00,41,00,30,00,41,00,45,00,7d,00,00,00,53,00,4f,00,46,00,54,00,57,00,41,00,\
52,00,45,00,5c,00,50,00,6f,00,6c,00,69,00,63,00,69,00,65,00,73,00,5c,00,4d,\
00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,5c,00,57,00,69,00,6e,00,\
64,00,6f,00,77,00,73,00,5c,00,49,00,50,00,53,00,65,00,63,00,5c,00,50,00,6f,\
00,6c,00,69,00,63,00,79,00,5c,00,4c,00,6f,00,63,00,61,00,6c,00,5c,00,69,00,\
70,00,73,00,65,00,63,00,4e,00,46,00,41,00,7b,00,31,00,34,00,45,00,45,00,46,\
00,36,00,33,00,46,00,2d,00,41,00,37,00,34,00,42,00,2d,00,34,00,37,00,42,00,\
37,00,2d,00,42,00,46,00,43,00,36,00,2d,00,31,00,37,00,33,00,30,00,38,00,37,\
00,41,00,32,00,44,00,39,00,31,00,36,00,7d,00,00,00,00,00
"ipsecData"=hex:b5,20,dc,80,c8,2e,d1,11,a8,9e,00,a0,24,8d,30,21,52,00,00,00,01,\
00,00,00,02,00,00,00,00,00,02,00,00,00,00,00,0a,00,00,00,49,00,43,00,4d,00,\
50,00,00,00,cd,70,b8,f3,94,7b,6f,4f,ba,7b,81,4b,91,ad,60,ad,01,00,00,00,00,\
00,00,00,ff,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,\
00,00,00,00,00,00,00
"whenChanged"=dword:40fc6a9a
"name"="ipsecFilter{72385235-70FA-11D1-864C-14A300000000}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{7238523A-70FA-11D1-864C-14A300000000}]
"ClassName"="ipsecFilter"
"ipsecID"="{7238523A-70FA-11D1-864C-14A300000000}"
"ipsecName"="All IP Traffic"
"ipsecDataType"=dword:00000100
"description"="Matches all IP packets from this computer to any other computer, except broadcast, multicast, Kerberos, RSVP and ISAKMP (IKE)."
"ipsecOwnersReference"=hex(7):53,00,4f,00,46,00,54,00,57,00,41,00,52,00,45,00,\
5c,00,50,00,6f,00,6c,00,69,00,63,00,69,00,65,00,73,00,5c,00,4d,00,69,00,63,\
00,72,00,6f,00,73,00,6f,00,66,00,74,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,\
77,00,73,00,5c,00,49,00,50,00,53,00,65,00,63,00,5c,00,50,00,6f,00,6c,00,69,\
00,63,00,79,00,5c,00,4c,00,6f,00,63,00,61,00,6c,00,5c,00,69,00,70,00,73,00,\
65,00,63,00,4e,00,46,00,41,00,7b,00,33,00,35,00,43,00,42,00,37,00,34,00,31,\
00,34,00,2d,00,38,00,31,00,33,00,31,00,2d,00,34,00,35,00,31,00,46,00,2d,00,\
38,00,37,00,30,00,37,00,2d,00,32,00,39,00,32,00,36,00,46,00,42,00,43,00,35,\
00,33,00,35,00,42,00,44,00,7d,00,00,00,53,00,4f,00,46,00,54,00,57,00,41,00,\
52,00,45,00,5c,00,50,00,6f,00,6c,00,69,00,63,00,69,00,65,00,73,00,5c,00,4d,\
00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,5c,00,57,00,69,00,6e,00,\
64,00,6f,00,77,00,73,00,5c,00,49,00,50,00,53,00,65,00,63,00,5c,00,50,00,6f,\
00,6c,00,69,00,63,00,79,00,5c,00,4c,00,6f,00,63,00,61,00,6c,00,5c,00,69,00,\
70,00,73,00,65,00,63,00,4e,00,46,00,41,00,7b,00,41,00,36,00,38,00,35,00,45,\
00,38,00,38,00,34,00,2d,00,33,00,39,00,35,00,37,00,2d,00,34,00,37,00,44,00,\
32,00,2d,00,42,00,35,00,46,00,33,00,2d,00,44,00,35,00,31,00,36,00,33,00,42,\
00,39,00,35,00,42,00,31,00,44,00,38,00,7d,00,00,00,00,00
"ipsecData"=hex:b5,20,dc,80,c8,2e,d1,11,a8,9e,00,a0,24,8d,30,21,4a,00,00,00,01,\
00,00,00,02,00,00,00,00,00,02,00,00,00,00,00,02,00,00,00,00,00,f8,01,10,14,\
5f,a7,0a,47,9c,5a,7b,21,1b,36,0c,6f,01,00,00,00,00,00,00,00,ff,ff,ff,ff,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"whenChanged"=dword:40fc6a9a
"name"="ipsecFilter{7238523A-70FA-11D1-864C-14A300000000}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{72385231-70FA-11D1-864C-14A300000000}]
"ClassName"="ipsecISAKMPPolicy"
"ipsecID"="{72385231-70FA-11D1-864C-14A300000000}"
"ipsecName"="{72385231-70FA-11D1-864C-14A300000000}"
"ipsecDataType"=dword:00000100
"description"="Ā"
"ipsecOwnersReference"=hex(7):53,00,4f,00,46,00,54,00,57,00,41,00,52,00,45,00,\
5c,00,50,00,6f,00,6c,00,69,00,63,00,69,00,65,00,73,00,5c,00,4d,00,69,00,63,\
00,72,00,6f,00,73,00,6f,00,66,00,74,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,\
77,00,73,00,5c,00,49,00,50,00,53,00,65,00,63,00,5c,00,50,00,6f,00,6c,00,69,\
00,63,00,79,00,5c,00,4c,00,6f,00,63,00,61,00,6c,00,5c,00,69,00,70,00,73,00,\
65,00,63,00,50,00,6f,00,6c,00,69,00,63,00,79,00,7b,00,37,00,32,00,33,00,38,\
00,35,00,32,00,33,00,30,00,2d,00,37,00,30,00,46,00,41,00,2d,00,31,00,31,00,\
44,00,31,00,2d,00,38,00,36,00,34,00,43,00,2d,00,31,00,34,00,41,00,33,00,30,\
00,30,00,30,00,30,00,30,00,30,00,30,00,30,00,7d,00,00,00,00,00
"ipsecData"=hex:b8,20,dc,80,c8,2e,d1,11,a8,9e,00,a0,24,8d,30,21,40,01,00,00,a7,\
70,57,b3,5d,b8,92,48,80,21,3f,78,4b,e1,ea,32,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,04,00,00,00,00,00,30,00,03,00,00,00,40,00,00,00,\
08,00,00,00,02,00,00,00,40,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00,80,70,00,00,08,00,\
00,00,00,00,00,00,03,00,00,00,40,00,00,00,08,00,00,00,01,00,00,00,40,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,30,00,02,00,00,00,\
00,00,00,00,00,00,00,00,80,70,00,00,84,03,00,00,00,00,00,00,01,00,00,00,40,\
00,00,00,08,00,00,00,02,00,00,00,40,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,65,00,01,00,00,00,00,00,00,00,00,00,00,00,80,70,00,\
00,84,03,00,00,00,00,00,00,01,00,00,00,40,00,00,00,08,00,00,00,01,00,00,00,\
40,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,7b,00,01,\
00,00,00,00,00,00,00,00,00,00,00,80,70,00,00,7d,00,00,00,00
"whenChanged"=dword:40fc6a9a
"name"="ipsecISAKMPPolicy{72385231-70FA-11D1-864C-14A300000000}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{72385234-70FA-11D1-864C-14A300000000}]
"ClassName"="ipsecISAKMPPolicy"
"ipsecID"="{72385234-70FA-11D1-864C-14A300000000}"
"ipsecName"="Built-in Default IKE Settings"
"ipsecDataType"=dword:00000100
"description"="Built-in Default IKE Settings"
"ipsecData"=hex:b8,20,dc,80,c8,2e,d1,11,a8,9e,00,a0,24,8d,30,21,40,01,00,00,07,\
7d,16,aa,90,de,43,45,b7,9e,23,44,5c,4e,fd,1b,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,04,00,00,00,00,00,00,00,03,00,00,00,40,00,00,00,\
08,00,00,00,02,00,00,00,40,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00,80,70,00,00,01,10,\
08,00,00,00,2d,00,03,00,00,00,40,00,00,00,08,00,00,00,01,00,00,00,40,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,02,00,00,00,\
00,00,00,00,00,00,00,00,80,70,00,00,02,00,00,00,00,00,39,00,01,00,00,00,40,\
00,00,00,08,00,00,00,02,00,00,00,40,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,01,00,00,01,00,00,00,00,00,00,00,00,00,00,00,80,70,00,\
00,01,00,00,00,00,00,65,00,01,00,00,00,40,00,00,00,08,00,00,00,01,00,00,00,\
40,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,\
00,00,00,00,00,00,00,00,00,00,00,80,70,00,00,01,00,00,00,00
"whenChanged"=dword:40fc6a9a
"name"="ipsecISAKMPPolicy{72385234-70FA-11D1-864C-14A300000000}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{72385237-70FA-11D1-864C-14A300000000}]
"ClassName"="ipsecISAKMPPolicy"
"ipsecID"="{72385237-70FA-11D1-864C-14A300000000}"
"ipsecName"="{72385237-70FA-11D1-864C-14A300000000}"
"ipsecDataType"=dword:00000100
"description"="Ā"
"ipsecOwnersReference"=hex(7):53,00,4f,00,46,00,54,00,57,00,41,00,52,00,45,00,\
5c,00,50,00,6f,00,6c,00,69,00,63,00,69,00,65,00,73,00,5c,00,4d,00,69,00,63,\
00,72,00,6f,00,73,00,6f,00,66,00,74,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,\
77,00,73,00,5c,00,49,00,50,00,53,00,65,00,63,00,5c,00,50,00,6f,00,6c,00,69,\
00,63,00,79,00,5c,00,4c,00,6f,00,63,00,61,00,6c,00,5c,00,69,00,70,00,73,00,\
65,00,63,00,50,00,6f,00,6c,00,69,00,63,00,79,00,7b,00,37,00,32,00,33,00,38,\
00,35,00,32,00,33,00,36,00,2d,00,37,00,30,00,46,00,41,00,2d,00,31,00,31,00,\
44,00,31,00,2d,00,38,00,36,00,34,00,43,00,2d,00,31,00,34,00,41,00,33,00,30,\
00,30,00,30,00,30,00,30,00,30,00,30,00,30,00,7d,00,00,00,00,00
"ipsecData"=hex:b8,20,dc,80,c8,2e,d1,11,a8,9e,00,a0,24,8d,30,21,40,01,00,00,ec,\
41,f1,04,97,b3,e5,43,b4,6f,15,d2,04,d6,48,4d,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,04,00,00,00,00,00,00,00,03,00,00,00,40,00,00,00,\
08,00,00,00,02,00,00,00,40,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,01,00,00,02,00,00,00,00,00,00,00,00,00,00,00,80,70,00,00,01,00,\
00,00,00,00,00,00,03,00,00,00,40,00,00,00,08,00,00,00,01,00,00,00,40,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,02,00,00,02,00,00,00,\
00,00,00,00,00,00,00,00,80,70,00,00,98,01,65,00,00,00,02,04,01,00,00,00,40,\
00,00,00,08,00,00,00,02,00,00,00,40,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,11,00,01,00,00,00,00,00,00,00,00,00,00,00,80,70,00,\
00,24,8d,30,21,00,00,16,00,01,00,00,00,40,00,00,00,08,00,00,00,01,00,00,00,\
40,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,50,00,01,\
00,00,00,00,00,00,00,00,00,00,00,80,70,00,00,01,01,0c,00,00
"whenChanged"=dword:40fc6a9a
"name"="ipsecISAKMPPolicy{72385237-70FA-11D1-864C-14A300000000}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Wind