
Solved: evil emailer has taken over!

Discussion in 'Virus & Other Malware Removal' started by justchange, Nov 24, 2006.

  1. justchange

    justchange Thread Starter

    Joined:
    Oct 17, 2004
    Messages:
    38
    I'll get better info posted in a few minutes.
     
  2. justchange

    justchange Thread Starter

    Contents of [user]/temp/:

    Directory of C:\Documents and Settings\Nice Person\Local Settings\Temp

    ~DF3DAD.tmp 16,384 11/24/2006 A
    ~DF4003.tmp 16,384 11/24/2006 A
    ~DF5675.tmp 540,672 11/24/2006 A
    ~DF567B.tmp 16,384 11/24/2006 A
    ~DF6460.tmp 655,360 11/24/2006 A
    ~DF6465.tmp 16,384 11/24/2006 A
    ~DF6869.tmp 589,824 11/24/2006 A
    ~DF7883.tmp 16,384 11/24/2006 A
    ~DFDFCB.tmp 655,360 11/24/2006 A
    ~DFDFD1.tmp 16,384 11/24/2006 A
    ~DFFE40.tmp 655,360 11/24/2006 A
    16exhdd.l.exe 25,088 11/24/2006 A
    21exinjs.q.exe 35,328 11/24/2006 A
    26exmodul32e.q.exe 37,376 11/24/2006 A
    26exssd32.o.exe 23,552 11/24/2006 A
    2exmodul32e.q.exe 37,376 11/24/2006 A
    32exinjs.q.exe 35,328 11/24/2006 A
    35exssd32.o.exe 23,552 11/24/2006 A
    36exhdd.l.exe 25,088 11/24/2006 A
    39exssd32.o.exe 23,552 11/24/2006 A
    40exhdd.l.exe 25,088 11/24/2006 A
    40exmodul32e.q.exe 37,376 11/24/2006 A
    45exhdd.l.exe 25,088 11/24/2006 A
    49exmodul32e.q.exe 37,376 11/24/2006 A
    4exhdd.l.exe 25,088 11/24/2006 A
    51exinjs.q.exe 35,328 11/24/2006 A
    57exmodul32e.q.exe 37,376 11/24/2006 A
    58exhdd.l.exe 25,088 11/24/2006 A
    60exhdd.l.exe 25,088 11/24/2006 A
    64exssd32.o.exe 23,552 11/24/2006 A
    65exinjs.q.exe 35,328 11/24/2006 A
    69exhdd.l.exe 25,088 11/24/2006 A
    6exinjs.q.exe 35,328 11/24/2006 A
    72exssd32.o.exe 23,552 11/24/2006 A
    74exmodul32e.q.exe 37,376 11/24/2006 A
    75exmodul32e.q.exe 37,376 11/24/2006 A
    75exssd32.o.exe 23,552 11/24/2006 A
    78exinjs.q.exe 35,328 11/24/2006 A
    82exinjs.q.exe 35,328 11/24/2006 A
    83exmodul32e.q.exe 37,376 11/24/2006 A
    84exinjs.q.exe 35,328 11/24/2006 A
    85exhdd.l.exe 25,088 11/24/2006 A
    98exmodul32e.q.exe 37,376 11/24/2006 A
    99exhdd.l.exe 25,088 11/24/2006 A
    99exssd32.o.exe 23,552 11/24/2006 A
    autorun.inf 43 11/24/2006 A
    DFC5A2B2.TMP 107 11/21/2006 A
    domains.txt 368,243 11/24/2006 A
    domains.txt.cab 126,354 11/24/2006 A
    fnames.txt 88,071 11/24/2006 A
    fnames.txt.cab 28,894 11/24/2006 A
    hdd.l.exe.conf 48 11/24/2006 A
    injs.q.exe.conf 49 11/24/2006 A
    java_install_reg.log 416 11/24/2006 A
    lnames.txt 187,993 11/24/2006 A
    lnames.txt.cab 85,470 11/24/2006 A
    modul32e.q.exe.conf 53 11/24/2006 A
    Perflib_Perfdata_290.dat 16,384 11/24/2006
    Perflib_Perfdata_674.dat 16,384 11/24/2006
    Perflib_Perfdata_884.dat 16,384 11/24/2006
    setup.exe 38,912 11/24/2006 A
    ssd32.o.exe.conf 50 11/24/2006 A
    zbdwdols.uno 327,763 11/24/2006

    63 file(s) found
    Total file size 5,531,250 bytes
     
  3. justchange

    justchange Thread Starter

    Contents of Windows/temp/:
    Volume in drive C:\ is Tony's Baby
    Directory of C:\WINDOWS\Temp\

    Perflib_Perfdata_108.dat 17 KB 10/20/2006
    Perflib_Perfdata_110.dat 17 KB 8/26/2006
    Perflib_Perfdata_114.dat 17 KB 11/19/2006
    Perflib_Perfdata_11c.dat 17 KB 8/14/2006
    Perflib_Perfdata_1a8.dat 17 KB 11/19/2006
    Perflib_Perfdata_264.dat 17 KB 9/16/2006
    Perflib_Perfdata_278.dat 17 KB 9/8/2006
    Perflib_Perfdata_29c.dat 17 KB 10/10/2006
    Perflib_Perfdata_2a4.dat 17 KB 8/31/2006
    Perflib_Perfdata_2b8.dat 17 KB 9/14/2006
    Perflib_Perfdata_2bc.dat 17 KB 8/17/2006
    Perflib_Perfdata_2c0.dat 17 KB 9/21/2006
    Perflib_Perfdata_2c8.dat 17 KB 8/28/2006
    Perflib_Perfdata_2e4.dat 17 KB 8/27/2006
    Perflib_Perfdata_2e8.dat 17 KB 11/1/2006
    Perflib_Perfdata_2ec.dat 17 KB 9/17/2006
    Perflib_Perfdata_2f0.dat 17 KB 11/18/2006
    Perflib_Perfdata_2f4.dat 17 KB 9/14/2006
    Perflib_Perfdata_2fc.dat 17 KB 8/19/2006
    Perflib_Perfdata_300.dat 17 KB 10/19/2006
    Perflib_Perfdata_304.dat 17 KB 11/20/2006
    Perflib_Perfdata_308.dat 17 KB 10/4/2006
    Perflib_Perfdata_30c.dat 17 KB 9/1/2006
    Perflib_Perfdata_310.dat 17 KB 9/16/2006
    Perflib_Perfdata_318.dat 17 KB 9/5/2006
    Perflib_Perfdata_3a8.dat 17 KB 9/1/2006
    Perflib_Perfdata_518.dat 17 KB 9/15/2006
    Perflib_Perfdata_570.dat 17 KB 11/24/2006
    Perflib_Perfdata_670.dat 17 KB 8/13/2006
    Perflib_Perfdata_678.dat 17 KB 8/19/2006
    Perflib_Perfdata_680.dat 17 KB 9/16/2006
    Perflib_Perfdata_684.dat 17 KB 8/17/2006
    Perflib_Perfdata_688.dat 17 KB 9/23/2006
    Perflib_Perfdata_68c.dat 17 KB 11/8/2006
    Perflib_Perfdata_750.dat 17 KB 10/19/2006
    Perflib_Perfdata_758.dat 17 KB 11/20/2006
    Perflib_Perfdata_75c.dat 17 KB 10/9/2006
    Perflib_Perfdata_7cc.dat 17 KB 11/24/2006
    Perflib_Perfdata_7d8.dat 17 KB 11/24/2006
    Perflib_Perfdata_80.dat 17 KB 11/17/2006
    Perflib_Perfdata_90c.dat 17 KB 10/18/2006
    Perflib_Perfdata_b4.dat 17 KB 8/17/2006
    Perflib_Perfdata_e0.dat 17 KB 11/24/2006
    Perflib_Perfdata_f54.dat 17 KB 10/9/2006
    ZLT01744.TMP 1 KB 11/24/2006
    ZLT029d7.TMP 1 KB 11/24/2006
    ZLT02a63.TMP 1 KB 11/24/2006
    ZLT050e2.TMP 1 KB 11/24/2006
    ZLT05f31.TMP 1 KB 11/24/2006
    ZLT066f4.TMP 1 KB 11/24/2006


    50 file(s)
    Total filesize 706 KB
    207736144 kilobytes free
     
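The two listings above are what a helper scans by eye. As an added example, not code from the thread, the following Python script does that triage on dir-style lines: it groups executables whose names differ only by a leading counter, looks for a companion .conf per group, and notes the address-list files and the autorun.inf. The sample input is a constructed subset of the Temp listing, and the heuristics are this example's assumptions, not a verdict from the thread.

```python
import re
from collections import defaultdict

# Constructed sample (added example, not from the thread): a subset of the
# "dir"-style lines from the Temp listing posted above, header/totals omitted.
SAMPLE_LISTING = """\
~DF3DAD.tmp 16,384 11/24/2006 A
16exhdd.l.exe 25,088 11/24/2006 A
21exinjs.q.exe 35,328 11/24/2006 A
26exmodul32e.q.exe 37,376 11/24/2006 A
26exssd32.o.exe 23,552 11/24/2006 A
2exmodul32e.q.exe 37,376 11/24/2006 A
32exinjs.q.exe 35,328 11/24/2006 A
35exssd32.o.exe 23,552 11/24/2006 A
36exhdd.l.exe 25,088 11/24/2006 A
39exssd32.o.exe 23,552 11/24/2006 A
40exhdd.l.exe 25,088 11/24/2006 A
40exmodul32e.q.exe 37,376 11/24/2006 A
51exinjs.q.exe 35,328 11/24/2006 A
autorun.inf 43 11/24/2006 A
domains.txt 368,243 11/24/2006 A
fnames.txt 88,071 11/24/2006 A
hdd.l.exe.conf 48 11/24/2006 A
injs.q.exe.conf 49 11/24/2006 A
lnames.txt 187,993 11/24/2006 A
modul32e.q.exe.conf 53 11/24/2006 A
Perflib_Perfdata_290.dat 16,384 11/24/2006
setup.exe 38,912 11/24/2006 A
ssd32.o.exe.conf 50 11/24/2006 A
"""

# name  size  m/d/yyyy  [attributes]
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<size>[\d,]+)\s+(?P<date>\d{1,2}/\d{1,2}/\d{4})"
    r"(?:\s+(?P<attr>[A-Z]+))?\s*$"
)
# Names that differ only by a leading decimal counter: 16exhdd.l.exe -> stem "exhdd.l.exe".
COUNTER_RE = re.compile(r"^\d+(?P<stem>\D.*)$")
# Address-list names seen in this thread (assumption: mass-mailer word lists).
ADDRESS_LISTS = {"domains.txt", "fnames.txt", "lnames.txt"}


def parse_listing(text):
    """Parse dir-style lines into dicts; lines that do not match (headers, totals) are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append({
                "name": m["name"],
                "size": int(m["size"].replace(",", "")),
                "date": m["date"],
                "attr": m["attr"] or "",
            })
    return entries


def cluster_numbered_executables(entries, min_copies=3):
    """Group .exe files whose names differ only by a leading counter.

    Returns {stem: {"count": n, "sizes": [distinct sizes], "conf": companion or None}}.
    A companion is a "<base>.conf" whose base is a suffix of the stem; identical sizes
    plus a companion config is the numbered-copies pattern this example looks for
    (an analyst heuristic, not a verdict).
    """
    groups = defaultdict(list)
    for e in entries:
        if not e["name"].lower().endswith(".exe"):
            continue
        m = COUNTER_RE.match(e["name"])
        if m:
            groups[m["stem"]].append(e)
    conf_bases = [e["name"][: -len(".conf")] for e in entries if e["name"].lower().endswith(".conf")]
    clusters = {}
    for stem, members in groups.items():
        if len(members) < min_copies:
            continue
        conf = next((b + ".conf" for b in conf_bases if stem.endswith(b)), None)
        clusters[stem] = {
            "count": len(members),
            "sizes": sorted({mem["size"] for mem in members}),
            "conf": conf,
        }
    return clusters


def triage(text):
    """Run all checks over one listing and return a findings dict."""
    entries = parse_listing(text)
    names = {e["name"].lower() for e in entries}
    return {
        "entries": len(entries),
        "clusters": cluster_numbered_executables(entries),
        "address_lists": sorted(names & ADDRESS_LISTS),
        "autorun_in_temp": "autorun.inf" in names,  # unusual in a Temp folder
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LISTING)
    for stem, info in report["clusters"].items():
        print(f"{info['count']}x {stem} sizes={info['sizes']} conf={info['conf']}")
    print("address lists:", report["address_lists"], "autorun.inf:", report["autorun_in_temp"])
```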
  4. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    101,721
    Download WinPFind.exe to your desktop, double click on it to open it, and then select “extract” to extract the files. This will create a folder named WinPFind on your desktop.

    Start in Safe Mode Using the F8 method:

    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
    • Use the arrow keys to select the Safe Mode menu item.
    • Press the Enter key.

    Double click on the WinPFind folder on your desktop to open it and then double click on the WinPFind.exe file to start the program.

    • Click “Configure scan options”
    • Under “Run AdOns” select the following:
      • Policies.def
      • Security.def
    • Click “apply”
    • Click "Start Scan"
    • It will scan the entire System, so please be patient and let it complete.


    When the scan is complete reboot normally and post the WinPFind.txt file (located in the WinPFind folder).
     
  5. justchange

    justchange Thread Starter

    Thank you. Wilco.
     
  6. justchange

    justchange Thread Starter

    The forum prog tells me that the file is too large (~54K) and to reduce it to <30K.
    Should I split it? Or upload it as an attachment?
     
  7. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Either one would be fine. You can put it in two posts or upload it as an attachment.
     
  8. justchange

    justchange Thread Starter

    Here's the split version 1 of 2: (attachment to follow)


    WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

    If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

    »»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    Logfile created on: 11/25/2006 11:44:17 AM
    WinPFind v1.5.0 Folder = C:\Documents and Settings\Nice Person\Desktop\WinPFind\
    Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
    Internet Explorer (Version = 6.0.2900.2180)

    »»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

    Checking %SystemDrive% folder...

    Checking %ProgramFilesDir% folder...

    Checking %WinDir% folder...

    Checking %System% folder...
    WSUD 6/18/2004 12:32:34 AM 15684608 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL (Realtek Semiconductor Corp.)
    UPX! 9/25/2006 7:45:08 AM 666240 C:\WINDOWS\SYSTEM32\aswBoot.exe ()
    PEC2 8/23/2001 4:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc ()
    PTech 6/27/2006 4:40:02 AM 571184 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll (Microsoft Corporation)
    PTech 6/2/2006 12:39:54 PM 579888 C:\WINDOWS\SYSTEM32\LegitCheckControl.old (Microsoft Corporation)
    PECompact2 11/15/2006 9:20:40 PM 10474920 C:\WINDOWS\SYSTEM32\MRT.exe (Microsoft Corporation)
    aspack 11/15/2006 9:20:40 PM 10474920 C:\WINDOWS\SYSTEM32\MRT.exe (Microsoft Corporation)
    WSUD 8/3/2004 11:56:54 PM 1200128 C:\WINDOWS\SYSTEM32\ntbackup.exe (Microsoft Corporation)
    aspack 8/3/2004 11:56:36 PM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll (Microsoft Corporation)
    WSUD 8/3/2004 11:56:58 PM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl (Microsoft Corporation)
    Umonitor 8/3/2004 11:56:44 PM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll (Microsoft Corporation)
    winsync 8/23/2001 4:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu ()

    Checking %System%\Drivers folder and sub-folders...
    PTech 8/3/2004 9:41:38 PM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys (Smart Link)

    Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


    Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
    11/25/2006 11:42:36 AM S 2048 C:\WINDOWS\bootstat.dat ()
    11/23/2006 6:13:28 PM HS 7680 C:\WINDOWS\Thumbs.db ()
    10/13/2006 9:01:30 PM RH 0 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index22.dat ()
    10/13/2006 9:01:32 PM RH 0 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index23.dat ()
    11/22/2006 12:49:42 PM S 64 C:\WINDOWS\CSC\00000001 ()
    11/22/2006 9:25:02 AM S 64 C:\WINDOWS\CSC\00000002 ()
    11/25/2006 11:41:46 AM H 48882 C:\WINDOWS\system32\vsconfig.xml ()
    11/24/2006 12:02:40 PM H 4212 C:\WINDOWS\system32\zllictbl.dat ()
    10/16/2006 7:35:46 AM S 10965 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB920213.cat ()
    10/13/2006 4:55:52 AM S 10965 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB923980.cat ()
    10/13/2006 5:33:10 AM S 10259 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB924270.cat ()
    11/25/2006 11:42:32 AM H 8192 C:\WINDOWS\system32\config\default.LOG ()
    11/25/2006 11:42:42 AM H 1024 C:\WINDOWS\system32\config\SAM.LOG ()
    11/25/2006 11:42:38 AM H 16384 C:\WINDOWS\system32\config\SECURITY.LOG ()
    11/25/2006 11:43:00 AM H 69632 C:\WINDOWS\system32\config\software.LOG ()
    11/25/2006 11:42:40 AM H 1105920 C:\WINDOWS\system32\config\system.LOG ()
    11/24/2006 10:35:36 AM H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG ()
    11/24/2006 5:43:38 PM S 688 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\60E31627FDA0A46932B0E5948949F2A5 ()
    11/18/2006 10:07:36 PM S 558 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\A44F4E7CB3133FF765C39A53AD8FCFDD ()
    11/24/2006 5:43:38 PM S 41774 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\A8FABA189DB7D25FBA7CAC806625FD30 ()
    11/24/2006 5:43:38 PM S 94 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\60E31627FDA0A46932B0E5948949F2A5 ()
    11/18/2006 10:07:36 PM S 146 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\A44F4E7CB3133FF765C39A53AD8FCFDD ()
    11/24/2006 5:43:38 PM S 124 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\A8FABA189DB7D25FBA7CAC806625FD30 ()
    10/19/2006 9:00:36 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\e2942726-9a99-4e4e-89a6-bfcbc2059d08 ()
    10/19/2006 9:00:36 AM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred ()
    11/25/2006 11:41:56 AM H 6 C:\WINDOWS\Tasks\SA.DAT ()

    Checking for CPL files...
    8/3/2004 11:56:58 PM 68608 C:\WINDOWS\SYSTEM32\access.cpl (Microsoft Corporation)
    6/18/2004 12:32:34 AM 15684608 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL (Realtek Semiconductor Corp.)
    8/3/2004 11:56:58 PM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl (Microsoft Corporation)
    8/3/2004 11:56:58 PM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl (Microsoft Corporation)
    8/3/2004 11:56:58 PM 135168 C:\WINDOWS\SYSTEM32\desk.cpl (Microsoft Corporation)
    8/3/2004 11:56:58 PM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl (Microsoft Corporation)
    8/3/2004 11:56:58 PM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl (Microsoft Corporation)
    8/3/2004 11:56:58 PM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl (Microsoft Corporation)
    8/3/2004 11:56:58 PM 129536 C:\WINDOWS\SYSTEM32\intl.cpl (Microsoft Corporation)
    8/3/2004 11:56:58 PM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl (Microsoft Corporation)
    8/3/2004 11:56:58 PM 68608 C:\WINDOWS\SYSTEM32\joy.cpl (Microsoft Corporation)
    11/10/2005 12:03:50 PM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl (Sun Microsystems, Inc.)
    8/23/2001 4:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl (Microsoft Corporation)
    8/3/2004 11:56:58 PM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl (Microsoft Corporation)
    8/23/2001 4:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl (Microsoft Corporation)
    8/3/2004 11:56:58 PM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl (Microsoft Corporation)
    8/3/2004 11:56:58 PM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl (Microsoft Corporation)
    8/23/2001 4:00:00 AM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl (Microsoft Corporation)
    8/3/2004 11:56:58 PM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl (Microsoft Corporation)
    8/3/2004 11:56:58 PM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl (Microsoft Corporation)
    8/3/2004 11:56:58 PM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl (Microsoft Corporation)
    8/23/2001 4:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl (Microsoft Corporation)
    8/3/2004 11:56:58 PM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl (Microsoft Corporation)
    8/3/2004 11:56:58 PM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl (Microsoft Corporation)
    5/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl (Microsoft Corporation)
    8/23/2001 4:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl (Microsoft Corporation)
    8/23/2001 4:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl (Microsoft Corporation)
    8/23/2001 4:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl (Microsoft Corporation)
    8/23/2001 4:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl (Microsoft Corporation)

    Checking for Downloaded Program Files...
    {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - QuickTime Object - CodeBase = http://www.apple.com/qtactivex/qtplugin.cab
    {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - CKAVWebScan Object - CodeBase = http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    {166B1BCA-3F9C-11CF-8075-444553540000} - Shockwave ActiveX Control - CodeBase = http://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
    {193C772A-87BE-4B19-A7BB-445B226FE9A1} - ewidoOnlineScan Control - CodeBase = http://download.ewido.net/ewidoOnlineScan.cab
    {2D337EB0-3BFB-42A3-B314-A24BBA8C085B} - YAutoImport Class - CodeBase = http://download.yahoo.com/dl/mail/yautoiol1.cab
    {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} - WebGameLoader Class - CodeBase = http://www.shockwave.com/content/ricochetlostworlds/ReflexiveWebGameLoader.cab
    {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - MJLauncherCtrl Class - CodeBase = http://www.shockwave.com/content/luxor/mjolauncher.cab
    {87056D28-9730-4A47-B9F9-7E890B62C58A} - WildfireActiveXHost Class - CodeBase = http://www.shockwave.com/content/tumblebugs/axhost.cab
    {89981B1D-07DA-43C3-9770-06C51E7E5DCE} - NostaleWebStarter Control - CodeBase = http://game.nostale.com/sso/NostaleWebLauncher.cab
    {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - - CodeBase = http://www.trendmicro.com/spyware-scan/as4web.cab
    {D27CDB6E-AE6D-11CF-96B8-444553540000} - - CodeBase = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} - Logout Class - CodeBase = http://www.gamengame.com/KALogoutComponent.cab
    {F7899FAE-51C9-4EF5-B98C-A64997635235} - GSPRunGame Class - CodeBase = http://www.playinfinity.net/cab/WindyGSPAx.cab
    DirectAnimation Java Classes - - CodeBase = file://C:\WINDOWS\Java\classes\dajava.cab
    Microsoft XML Parser for Java - - CodeBase = file://C:\WINDOWS\Java\classes\xmldso.cab

    »»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

    Checking files in %ALLUSERSPROFILE%\Startup folder...
    6/30/2006 12:52:52 PM 1768 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk ()
    7/23/2005 9:48:20 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini ()

    Checking files in %ALLUSERSPROFILE%\Application Data folder...
    7/23/2005 2:36:04 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini ()
    1/15/2006 3:47:06 PM 2898 C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache ()

    Checking files in %USERPROFILE%\Startup folder...
    7/23/2005 9:48:20 PM HS 84 C:\Documents and Settings\Nice Person\Start Menu\Programs\Startup\desktop.ini ()
    11/25/2006 10:43:54 AM 679 C:\Documents and Settings\Nice Person\Start Menu\Programs\Startup\MemTurbo.lnk ()

    Checking files in %USERPROFILE%\Application Data folder...
    7/25/2005 10:48:42 AM 877 C:\Documents and Settings\Nice Person\Application Data\AdobeDLM.log ()
    7/23/2005 2:36:04 PM HS 62 C:\Documents and Settings\Nice Person\Application Data\desktop.ini ()
    7/25/2005 10:48:42 AM 0 C:\Documents and Settings\Nice Person\Application Data\dm.ini ()

    »»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

    >>> Internet Explorer Settings <<<


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
    \\Start Page - http://www.yahoo.com/
    \\Search Page - http://www.google.com
    \\Default_Page_URL - http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    \\Default_Search_URL - http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    \\Local Page - %SystemRoot%\system32\blank.htm

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
    \\Start Page - http://www.yahoo.com/
    \\Search Page - http://www.google.com
    \\Local Page - C:\WINDOWS\system32\blank.htm

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
    \\CustomizeSearch - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
    \\SearchAssistant - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    \\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Microsoft Url Search Hook = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation)

    >>> BHO's <<<
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    \{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    \{53707962-6F74-2D53-2644-206D7942484F} - = C:\PROGRA~1\SPYBOT~1\SDHelper.dll (Safer Networking Limited)

    >>> Internet Explorer Bars, Toolbars and Extensions <<<
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
    \{4D5C8C25-D075-11d0-B416-00C04FB90376} - &Tip of the Day = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation)

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
    \{30D02401-6A81-11D0-8274-00C04FD5AE38} - Search Band = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
    \{32683183-48a0-441b-a342-7c2a440a9478} - = ()
    \{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1} - File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
    \{EFA24E61-B078-11D0-89E4-00C04FC9E26E} - Favorites Band = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation)
    \{EFA24E64-B078-11D0-89E4-00C04FC9E26E} - Explorer Band = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
    \\{ACB1E670-3217-45C4-A021-6B829A8A27CB} - McAfee VirusScan = C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll (Network Associates, Inc.)

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
    \ShellBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
    \ShellBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Links = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
    \WebBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
    \WebBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Links = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
    \WebBrowser\\{4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - = ()

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\CmdMapping]
    \\NEXTID - 8197
    \\{FB5F1910-F110-11d2-BB9E-00C04F795683} - 8193 = Windows Messenger
    \\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - 8194 = PartyPoker.com
    \\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - 8195 = Sun Java Console
    \\{2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - 8196 =

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
    \{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - MenuText: Sun Java Console = C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll (Sun Microsystems, Inc.)
    \{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - ButtonText: PartyPoker.com = c:\program files\PartyGaming\PartyPoker\RunApp.exe ()
    \{FB5F1910-F110-11d2-BB9E-00C04F795683} - ButtonText: Messenger = C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

    >>> Approved Shell Extensions (Non-Microsoft Only) <<<
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    \\{42071714-76d4-11d1-8b24-00a0c9068ff3} - Display Panning CPL Extension = deskpan.dll ()
    \\{764BF0E1-F219-11ce-972D-00AA00A14F56} - Shell extensions for file compression = ()
    \\{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} - Encryption Context Menu = ()
    \\{88895560-9AA2-1069-930E-00AA0030EBC8} - HyperTerminal Icon Ext = C:\WINDOWS\System32\hticons.dll (Hilgraeve, Inc.)
    \\{0DF44EAA-FF21-4412-828E-260A8728E7F1} - Taskbar and Start Menu = ()
    \\{32683183-48a0-441b-a342-7c2a440a9478} - Media Band = ()
    \\{7A9D77BD-5403-11d2-8785-2E0420524153} - User Accounts = ()
    \\{B41DB860-8EE4-11D2-9906-E49FADC173CA} - WinRAR shell extension = C:\Program Files\WinRAR\rarext.dll ()
    \\{472083B0-C522-11CF-8763-00608CC02F24} - avast = C:\Program Files\Alwil Software\Avast4\ashShell.dll (ALWIL Software)
    \\{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} - iTunes = C:\Program Files\iTunes\iTunesMiniPlayer.dll (Apple Computer, Inc.)
    \\{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} - OpenOffice.org Column Handler = "C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll" (Sun Microsystems, Inc.)
    \\{087B3AE3-E237-4467-B8DB-5A38AB959AC9} - OpenOffice.org Infotip Handler = "C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll" (Sun Microsystems, Inc.)
    \\{63542C48-9552-494A-84F7-73AA6A7C99C1} - OpenOffice.org Property Sheet Handler = "C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll" (Sun Microsystems, Inc.)
    \\{3B092F0C-7696-40E3-A80F-68D74DA84210} - OpenOffice.org Thumbnail Viewer = "C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll" (Sun Microsystems, Inc.)
    \\{B327765E-D724-4347-8B16-78AE18552FC3} - NeroDigitalIconHandler = C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll (Nero AG)
    \\{7F1CF152-04F8-453A-B34C-E609530A9DC8} - NeroDigitalPropSheetHandler = C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll (Nero AG)

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

    >>> Context Menu Handlers (Non-Microsoft Only) <<<
    [HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers]
    \avast - {472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\Alwil Software\Avast4\ashShell.dll (ALWIL Software)
    \WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll ()
    \{97F51F2B-E87A-4349-84B1-2D91CB2C0C1B} - = C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll (Network Associates, Inc.)
    \{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208} - = C:\Program Files\Nero\Nero 7\Nero BackItUp\NBShell.dll (Nero AG)

    [HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers]

    [HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers]
    \WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll ()

    [HKEY_LOCAL_MACHINE\Software\Classes\Directory\BackGround\shellex\ContextMenuHandlers]
    \ACE - {5E2121EE-0300-11D4-8D3B-444553540000} = ()

    [HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers]
    \avast - {472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\Alwil Software\Avast4\ashShell.dll (ALWIL Software)
    \WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll ()
    \{97F51F2B-E87A-4349-84B1-2D91CB2C0C1B} - = C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll (Network Associates, Inc.)
    \{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208} - = C:\Program Files\Nero\Nero 7\Nero BackItUp\NBShell.dll (Nero AG)

    >>> Column Handlers (Non-Microsoft Only) <<<
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
    \{7D4D6379-F301-4311-BEBA-E26EB0561882} - NeroDigitalExt.NeroDigitalColumnHandler = C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll (Nero AG)
    \{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} - OpenOffice.org Column Handler = "C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll" (Sun Microsystems, Inc.)
    \{F9DB5320-233E-11D1-9F84-707F02C10627} - PDF Column Info = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll (Adobe Systems, Inc.)

    >>> Registry Run Keys <<<
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    SoundMan - C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
    Logitech Utility - C:\WINDOWS\Logi_MwX.Exe (Logitech Inc.)
    LVCOMSX - C:\WINDOWS\system32\LVCOMSX.EXE (Logitech Inc.)
    avast! - C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe ()
    iTunesHelper - C:\Program Files\iTunes\iTunesHelper.exe (Apple Computer, Inc.)
    QuickTime Task - C:\Program Files\QuickTime\qttask.exe (Apple Computer, Inc.)
    RemoteControl - C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe (Cyberlink Corp.)
    ATICCC - C:\Program Files\ATI Technologies\ATI.ACE\cli.exe (ATI Technologies Inc.)
    NWEReboot - Reg Data missing or invalid ()
    NeroFilterCheck - C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
    .nvsvc - C:\WINDOWS\system\smss.exe ()
    Zone Labs Client - C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Zone Labs, LLC)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    MSMSGS - C:\Program Files\Messenger\MSMSGS.EXE (Microsoft Corporation)
    PhotoShow Deluxe Media Manager - C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe ()
    - Reg Data missing or invalid ()
    SpybotSD TeaTimer - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
    SsAAD.exe - C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe ()

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

    >>> Startup Links <<<
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Common Startup]
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini ()

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Startup]
    C:\Documents and Settings\Nice Person\Start Menu\Programs\Startup\desktop.ini ()
    C:\Documents and Settings\Nice Person\Start Menu\Programs\Startup\MemTurbo.lnk - C:\Program Files\MemTurbo\MemTurbo.exe (SoftwareOnline.com, Inc.)

    >>> MSConfig Disabled Items <<<
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

    [All Users Startup Folder Disabled Items]

    [Current User Startup Folder Disabled Items]

    >>> User Agent Post Platform <<<
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    \\SV1 -

    >>> AppInit Dll's <<<
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs]

    >>> Image File Execution Options <<<
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
    \Your Image File Name Here without a path - Debugger = ntsd -d

    >>> Shell Service Object Delay Load <<<
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    \\PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
    \\CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} = ()
    \\WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll (Microsoft Corporation)
    \\SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll (Microsoft Corporation)

    >>> Shell Execute Hooks <<<
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    \\{AEB6717E-7E19-11d0-97EE-00C04FD91972} - URL Exec Hook = shell32.dll (Microsoft Corporation)

    >>> Shared Task Scheduler <<<
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    \\{438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
    \\{8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
     
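Added example, not part of the thread: a Python parser for the Run-key section of a WinPFind log like the one above. It flags entries whose target is reported missing, and entries whose image name belongs to a core Windows process but whose directory is not %SystemRoot%\System32, where those processes legitimately live. The sample log is a constructed excerpt of the post above, and the CORE_SYSTEM32_IMAGES set is this example's assumption.

```python
import ntpath
import re

# Constructed sample (added example, not from the thread): the Run-key section
# of the WinPFind log posted above, trimmed to a handful of lines.
SAMPLE_LOG = r"""
>>> Registry Run Keys <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
SoundMan - C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
avast! - C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe ()
NWEReboot - Reg Data missing or invalid ()
.nvsvc - C:\WINDOWS\system\smss.exe ()
Zone Labs Client - C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Zone Labs, LLC)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MSMSGS - C:\Program Files\Messenger\MSMSGS.EXE (Microsoft Corporation)
- Reg Data missing or invalid ()
SpybotSD TeaTimer - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)

>>> Startup Links <<<
"""

# Core Windows process names that legitimately live only in %SystemRoot%\System32
# (this example's list; extend as needed).
CORE_SYSTEM32_IMAGES = {"smss.exe", "csrss.exe", "winlogon.exe", "lsass.exe", "services.exe", "svchost.exe"}

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
# "Target (Company)"; WinPFind prints "()" when no company/version info is present.
ENTRY_RE = re.compile(r"^(?P<target>.*?)\s*\((?P<company>.*)\)$")


def parse_run_keys(text):
    """Return [{key, name, target, company}] for every entry listed under a Run* key."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(">>>"):  # next WinPFind section: stop attributing lines to a key
            key = None
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if key is None or not key.rsplit("\\", 1)[-1].lower().startswith("run"):
            continue
        # "Name - Target (Company)"; an empty value name is printed as "- Target (Company)".
        if line.startswith("- "):
            name, rest = "", line[2:]
        elif " - " in line:
            name, rest = line.split(" - ", 1)  # split once: paths may contain " - " too
        else:
            continue
        em = ENTRY_RE.match(rest)
        if em:
            entries.append({"key": key, "name": name, "target": em["target"], "company": em["company"]})
    return entries


def review_run_entries(entries):
    """Flag entries worth a closer look; returns [(name, target, reason)]."""
    findings = []
    for e in entries:
        target = e["target"]
        if target.startswith("Reg Data missing"):
            findings.append((e["name"], target, "value present but target missing or invalid"))
            continue
        image = ntpath.basename(target).lower()
        parent = ntpath.normcase(ntpath.dirname(target))  # lowercase, backslashes
        if image in CORE_SYSTEM32_IMAGES and not parent.endswith("\\system32"):
            findings.append((e["name"], target, "core system image name outside System32"))
    return findings


if __name__ == "__main__":
    for name, target, reason in review_run_entries(parse_run_keys(SAMPLE_LOG)):
        print(f"{reason}: {name!r} -> {target}")
```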
  9. justchange

    justchange Thread Starter

    Here's the split version 2 of 2: (attachment to follow)

    >>> Winlogon <<<
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    \\UserInit = C:\WINDOWS\system32\userinit.exe,
    \\Shell = Explorer.exe
    \\System =

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
    \AtiExtEvent - Ati2evxx.dll = (ATI Technologies Inc.)
    \crypt32chain - crypt32.dll = (Microsoft Corporation)
    \cryptnet - cryptnet.dll = (Microsoft Corporation)
    \cscdll - cscdll.dll = (Microsoft Corporation)
    \ScCertProp - wlnotify.dll = (Microsoft Corporation)
    \Schedule - wlnotify.dll = (Microsoft Corporation)
    \sclgntfy - sclgntfy.dll = (Microsoft Corporation)
    \SensLogn - WlNotify.dll = (Microsoft Corporation)
    \termsrv - wlnotify.dll = (Microsoft Corporation)
    \wlballoon - wlnotify.dll = (Microsoft Corporation)

    >>> DNS Name Servers <<<
    {2ED82DDA-81CA-4229-84D2-12E0600AC18F} - (Actiontec Gateway)
    {508E6AB4-9EBB-4BB2-B95E-C4B458FFF495} - (Actiontec Gateway)
    {9680D9A8-0B05-4CF5-9A31-B4C616337842} - (Intel(R) PRO/100 WfM PCI Adapter)
    {C1485B73-1642-43F9-9B18-CA40A7EACFC3} - ()
    {D72A594F-57A9-468D-B734-C84A73126DCA} - (Actiontec Gateway)
    {FC288D9E-67B0-4602-B55F-A56DB164EFE0} - ()

    >>> All Winsock2 Catalogs <<<
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries]
    \000000000001\\LibraryPath - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation)
    \000000000002\\LibraryPath - %SystemRoot%\System32\winrnr.dll (Microsoft Corporation)
    \000000000003\\LibraryPath - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation)
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries]
    \000000000001\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
    \000000000002\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
    \000000000003\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
    \000000000004\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)
    \000000000005\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)
    \000000000006\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
    \000000000007\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
    \000000000008\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
    \000000000009\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
    \000000000010\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
    \000000000011\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
    \000000000012\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
    \000000000013\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
    \000000000014\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
    \000000000015\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
    \000000000016\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
    \000000000017\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
    \000000000018\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
    \000000000019\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
    \000000000020\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
    \000000000021\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
    \000000000022\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
    \000000000023\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
    \000000000024\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
    \000000000025\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)

    >>> Protocol Handlers (Non-Microsoft Only) <<<
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler]
    \ipp - ()
    \msdaipp - ()

    >>> Protocol Filters (Non-Microsoft Only) <<<
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter]

    >>> Selected AddOn's <<<

    >>>>Output for AddOn file Policies.def<<<<
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies - Include SUBKEYS
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
    policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} - 1
    policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} - 1073741857
    policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} - 32
    policies\system\\dontdisplaylastusername - 0
    policies\system\\legalnoticecaption -
    policies\system\\legalnoticetext -
    policies\system\\shutdownwithoutlogon - 1
    policies\system\\undockwithoutlogon - 1

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies - Include SUBKEYS
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
    policies\Explorer\\NoDriveTypeAutoRun - 0
    policies\System\\DisableRegistryTools - 0

    >>>>Output for AddOn file Security.def<<<<
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center - Include SUBKEYS
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    Security Center\\AntiVirusDisableNotify - 0
    Security Center\\FirewallDisableNotify - 0
    Security Center\\UpdatesDisableNotify - 0
    Security Center\\AntiVirusOverride - 0
    Security Center\\FirewallOverride - 0
    Security Center\Monitoring\ZoneLabsFirewall\\DisableMonitoring - 1

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS - Include SUBKEYS
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
    BITS\\Type - 32
    BITS\\Start - 3
    BITS\\ErrorControl - 1
    BITS\\ImagePath - %SystemRoot%\System32\svchost.exe -k netsvcs
    BITS\\DisplayName - Background Intelligent Transfer Service
    BITS\\DependOnService - Rpcss;
    BITS\\DependOnGroup -
    BITS\\ObjectName - LocalSystem
    BITS\\Description - Transfers files in the background using idle network bandwidth. If the service is stopped, features such as Windows Update, and MSN Explorer will be unable to automatically download programs and other information. If this service is disabled, any services that explicitly depend on it may fail to transfer files if they do not have a fail safe mechanism to transfer files directly through IE in case BITS has been disabled.
    BITS\\FailureActions - 00 00 00 00 00 00 00 00 00 00 00 00 03 00 00 00 68 E3 0C 00 01 00 00 00 60 EA 00 00 01 00 00 00 60 EA 00 00 01 00 00 00 60 EA 00 00
    BITS\Parameters\\ServiceDll - C:\WINDOWS\system32\qmgr.dll
    BITS\Security\\Security - 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
    BITS\Enum\\0 - Root\LEGACY_BITS\0000
    BITS\Enum\\Count - 1
    BITS\Enum\\NextInstance - 1

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess - Include SUBKEYS
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
    SharedAccess\\Type - 32
    SharedAccess\\Start - 2
    SharedAccess\\ErrorControl - 1
    SharedAccess\\ImagePath - %SystemRoot%\System32\svchost.exe -k netsvcs
    SharedAccess\\DisplayName - Windows Firewall/Internet Connection Sharing (ICS)
    SharedAccess\\DependOnService - Netman;WinMgmt;
    SharedAccess\\DependOnGroup -
    SharedAccess\\ObjectName - LocalSystem
    SharedAccess\\Description - Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network.
    SharedAccess\Epoch\\Epoch - 12314
    SharedAccess\Parameters\\ServiceDll - %SystemRoot%\System32\ipnathlp.dll
    SharedAccess\Parameters\\SharedAutoDial - 0
    SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\%windir%\system32\sessmgr.exe - %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
    SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\139:TCP - 139:TCP:*:Enabled:@xpsp2res.dll,-22004
    SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\445:TCP - 445:TCP:*:Enabled:@xpsp2res.dll,-22005
    SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\137:UDP - 137:UDP:*:Enabled:@xpsp2res.dll,-22001
    SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\138:UDP - 138:UDP:*:Enabled:@xpsp2res.dll,-22002
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\\EnableFirewall - 0
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\\DoNotAllowExceptions - 0
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\\DisableNotifications - 0
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\system32\sessmgr.exe - C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\America's Army\System\ArmyOps.exe - C:\Program Files\America's Army\System\ArmyOps.exe:*:Enabled:ArmyOps
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\NovaLogic\Joint Operations Beta Demo\jodemo.exe - C:\Program Files\NovaLogic\Joint Operations Beta Demo\jodemo.exe:*:Disabled:jodemo
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Sierra On-Line\SIGSPat.exe - C:\Program Files\Sierra On-Line\SIGSPat.exe:*:Enabled:SIGSPat
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Skype\Phone\Skype.exe - C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe:*:Disabled:backWeb-8876480
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\iTunes\iTunes.exe - C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Xfire\Xfire.exe - C:\Program Files\Xfire\Xfire.exe:*:Enabled:Xfire
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\EA Games\American McGee's Alice\alice.exe - C:\Program Files\EA Games\American McGee's Alice\alice.exe:*:Enabled:American McGee's Alice
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Ahead\Nero ShowTime\ShowTime.exe - C:\Program Files\Ahead\Nero ShowTime\ShowTime.exe:*:Enabled:Nero ShowTime
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Internet Explorer\iexplore.exe - C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\BitComet\BitComet.exe - C:\Program Files\BitComet\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Azureus\Azureus.exe - C:\Program Files\Azureus\Azureus.exe:*:Enabled:Azureus
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\system32\javaw.exe - C:\WINDOWS\system32\javaw.exe:*:Enabled:javaw.exe
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\system32\svchost.exe - C:\WINDOWS\system32\svchost.exe:*:Enabled:Microsoft Update
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\62ex4.modul32.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\62ex4.modul32.exe:*:Enabled:Microsoft Update
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\89ex4.modul32.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\89ex4.modul32.exe:*:Enabled:Microsoft Update
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\%windir%\system32\sessmgr.exe - %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\eMule\emule.exe - C:\Program Files\eMule\emule.exe:*:Enabled:eMule
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\system32\ActionDump\Support_Files\INITCONN.EXE - C:\WINDOWS\system32\ActionDump\Support_Files\INITCONN.EXE:*:Enabled:INITCONN
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Documents and Settings\Nice Person\Desktop\Downloads\Calba\CabalTemp\ESTdnheadless.exe - C:\Documents and Settings\Nice Person\Desktop\Downloads\Calba\CabalTemp\ESTdnheadless.exe:*:Enabled:EST! download engine
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Documents and Settings\Nice Person\Desktop\Downloads\Cabal\CabalTemp\ESTdnheadless.exe - C:\Documents and Settings\Nice Person\Desktop\Downloads\Cabal\CabalTemp\ESTdnheadless.exe:*:Enabled:EST! download engine
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Cabal_GSP\update\ESTdnheadless.exe - C:\Program Files\Cabal_GSP\update\ESTdnheadless.exe:*:Enabled:EST! download engine
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\infinity_eng\xclient.exe - C:\Program Files\infinity_eng\xclient.exe:*:Enabled:xclient
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\GPotato\SpaceCowboy\SpaceCowboy.exe - C:\Program Files\GPotato\SpaceCowboy\SpaceCowboy.exe:*:Enabled:SpaceCowboy
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Softnyx\Rakion\Bin\rakion.bin - C:\Program Files\Softnyx\Rakion\Bin\rakion.bin:*:Enabled:rakion
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\69exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\69exinjs.p.exe:*:Enabled:Microsoft Update
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\76exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\76exinjs.p.exe:*:Enabled:Microsoft Update
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\43exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\43exinjs.p.exe:*:Enabled:Microsoft Update
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\72exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\72exinjs.p.exe:*:Enabled:Microsoft Update
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\96exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\96exinjs.p.exe:*:Enabled:Microsoft Update
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\87exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\87exinjs.p.exe:*:Enabled:Microsoft Update
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\21exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\21exinjs.p.exe:*:Enabled:Microsoft Update
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\58exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\58exinjs.p.exe:*:Enabled:Microsoft Update
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\52exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\52exinjs.p.exe:*:Enabled:Microsoft Update
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\77exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\77exinjs.p.exe:*:Enabled:Microsoft Update
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\92exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\92exinjs.p.exe:*:Enabled:Microsoft Update
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\94exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\94exinjs.p.exe:*:Enabled:Microsoft Update
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\62exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\62exinjs.p.exe:*:Enabled:Microsoft Update
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\24exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\24exinjs.p.exe:*:Enabled:Microsoft Update
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\54exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\54exinjs.p.exe:*:Enabled:Microsoft Update
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\5exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\5exinjs.p.exe:*:Enabled:Microsoft Update
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\49exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\49exinjs.p.exe:*:Enabled:Microsoft Update
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\53exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\53exinjs.p.exe:*:Enabled:Microsoft Update
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\48exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\48exinjs.p.exe:*:Enabled:Microsoft Update
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\67exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\67exinjs.p.exe:*:Enabled:Microsoft Update
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\71exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\71exinjs.p.exe:*:Enabled:Microsoft Update
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\39exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\39exinjs.p.exe:*:Enabled:Microsoft Update
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\50exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\50exinjs.p.exe:*:Enabled:Microsoft Update
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\80exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\80exinjs.p.exe:*:Enabled:Microsoft Update
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\27exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\27exinjs.p.exe:*:Enabled:Microsoft Update
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\25exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\25exinjs.p.exe:*:Enabled:Microsoft Update
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\4exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\4exinjs.p.exe:*:Enabled:Microsoft Update
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\47exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\47exinjs.p.exe:*:Enabled:Microsoft Update
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\7exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\7exinjs.p.exe:*:Enabled:Microsoft Update
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\11exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\11exinjs.p.exe:*:Enabled:Microsoft Update
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\6exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\6exinjs.p.exe:*:Enabled:Microsoft Update
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\82exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\82exinjs.p.exe:*:Enabled:Microsoft Update
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\3exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\3exinjs.p.exe:*:Enabled:Microsoft Update
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\63exinjs.p.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\63exinjs.p.exe:*:Enabled:Microsoft Update
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\32exinjs.q.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\32exinjs.q.exe:*:Enabled:Microsoft Update
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\57exinjs.q.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\57exinjs.q.exe:*:Enabled:Microsoft Update
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\84exinjs.q.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\84exinjs.q.exe:*:Enabled:Microsoft Update
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\82exinjs.q.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\82exinjs.q.exe:*:Enabled:Microsoft Update
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\51exinjs.q.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\51exinjs.q.exe:*:Enabled:Microsoft Update
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\65exinjs.q.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\65exinjs.q.exe:*:Enabled:Microsoft Update
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\21exinjs.q.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\21exinjs.q.exe:*:Enabled:Microsoft Update
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\6exinjs.q.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\6exinjs.q.exe:*:Enabled:Microsoft Update
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\78exinjs.q.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\78exinjs.q.exe:*:Enabled:Microsoft Update
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\74exinjs.q.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\74exinjs.q.exe:*:Enabled:Microsoft Update
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\72exinjs.q.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\72exinjs.q.exe:*:Enabled:Microsoft Update
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\1900:UDP - 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\2869:TCP - 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\4662:TCP - 4662:TCP:*:Enabled:eMule TCP Incoming
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\4661:TCP - 4661:TCP:*:Enabled:eMule TCP outgoing
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\14985:TCP - 14985:TCP:*:Enabled:BitComet 14985 TCP
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\14985:UDP - 14985:UDP:*:Enabled:BitComet 14985 UDP
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\10201:TCP - 10201:TCP:*:Enabled:BitComet 10201 TCP
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\10201:UDP - 10201:UDP:*:Enabled:BitComet 10201 UDP
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\139:TCP - 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\445:TCP - 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\137:UDP - 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\138:UDP - 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\4711:UDP - 4711:UDP:*:Enabled:eMule UDP outgoing
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\4665:UDP - 4665:UDP:*:Enabled:eMule UDP incoming
    SharedAccess\Security\\Security - 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
    SharedAccess\Setup\\ServiceUpgrade - 1
    SharedAccess\Setup\InterfacesUnfirewalledAtUpdate\\{C1485B73-1642-43F9-9B18-CA40A7EACFC3} - 1
    SharedAccess\Setup\InterfacesUnfirewalledAtUpdate\\{6A4076B6-D49E-44F9-AAE8-6426AE3A5C59} - 1
    SharedAccess\Setup\InterfacesUnfirewalledAtUpdate\\{FC288D9E-67B0-4602-B55F-A56DB164EFE0} - 1
    SharedAccess\Enum\\0 - Root\LEGACY_SHAREDACCESS\0000
    SharedAccess\Enum\\Count - 1
    SharedAccess\Enum\\NextInstance - 1

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv - Include SUBKEYS
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
    wuauserv\\Type - 32
    wuauserv\\Start - 4
    wuauserv\\ErrorControl - 1
    wuauserv\\ImagePath - %systemroot%\system32\svchost.exe -k netsvcs
    wuauserv\\DisplayName - Automatic Updates
    wuauserv\\ObjectName - LocalSystem
    wuauserv\\Description - Enables the download and installation of critical Windows updates. If the service is disabled, the operating system can be manually updated at the Windows Update Web site.
    wuauserv\Parameters\\ServiceDll - C:\WINDOWS\System32\wuauserv.dll
    wuauserv\Security\\Security - 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
    wuauserv\Enum\\0 - Root\LEGACY_WUAUSERV\0000
    wuauserv\Enum\\Count - 1
    wuauserv\Enum\\NextInstance - 1


    »»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
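    The StandardProfile\AuthorizedApplications entries in the log above show a pattern worth automating: executables in the user's Temp directory registered as firewall exceptions under the display name "Microsoft Update". The following is an added Python example, not part of the thread or of WinPFind, that parses lines in this format and flags entries whose executable sits in a temp directory or whose display name claims a Windows component while the path is outside %windir%. The sample lines are constructed to mirror the log, and the marker and name lists are my own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample modelled on the WinPFind lines above: a benign svchost entry,
# a Temp-directory executable posing as "Microsoft Update", a third-party program,
# a disabled Windows entry, and one GloballyOpenPorts line that must be ignored.
SAMPLE_LINES = r"""
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\system32\svchost.exe - C:\WINDOWS\system32\svchost.exe:*:Enabled:Microsoft Update
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\62ex4.modul32.exe - C:\DOCUME~1\NICEPE~1\LOCALS~1\Temp\62ex4.modul32.exe:*:Enabled:Microsoft Update
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Skype\Phone\Skype.exe - C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\system32\sessmgr.exe - C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019
SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\4662:TCP - 4662:TCP:*:Enabled:eMule TCP Incoming
"""

# Line shape: ...FirewallPolicy\<profile>\AuthorizedApplications\List\\<exe> - <exe>:<scope>:<state>:<name>
_LINE_RE = re.compile(
    r"FirewallPolicy\\(?P<profile>\w+)\\AuthorizedApplications\\List\\\\(?P<path>.+?) - (?P<value>.+)$"
)

# Assumed heuristics: where a legitimate Windows component may live, where it should not.
_WINDOWS_ROOTS = ("c:\\windows\\", "%windir%\\", "%systemroot%\\")
_TEMP_MARKERS = ("\\temp\\", "\\tmp\\")
_IMPERSONATED_NAMES = ("microsoft update", "windows update", "microsoft windows")


@dataclass
class FirewallEntry:
    profile: str
    path: str
    scope: str
    state: str
    name: str


def parse_authorized_apps(text: str) -> List[FirewallEntry]:
    """Extract AuthorizedApplications entries; other FirewallPolicy keys are skipped."""
    entries: List[FirewallEntry] = []
    for raw in text.splitlines():
        m = _LINE_RE.search(raw.strip())
        if not m:
            continue
        path, value = m.group("path"), m.group("value")
        # The value repeats the executable path; strip it so the drive-letter colon
        # does not confuse the field split.
        if not value.startswith(path + ":"):
            continue
        parts = value[len(path) + 1:].split(":", 2)
        if len(parts) != 3:
            continue
        scope, state, name = parts
        entries.append(FirewallEntry(m.group("profile"), path, scope, state, name))
    return entries


def suspicious_entries(entries: List[FirewallEntry]) -> List[Tuple[FirewallEntry, List[str]]]:
    """Return (entry, reasons) for exceptions that a reviewer should look at."""
    findings = []
    for e in entries:
        p = e.path.lower()
        reasons = []
        if any(marker in p for marker in _TEMP_MARKERS):
            reasons.append("executable lives in a temp directory")
        if e.name.strip().lower() in _IMPERSONATED_NAMES and not p.startswith(_WINDOWS_ROOTS):
            reasons.append(f"display name {e.name!r} claims a Windows component but the path is outside %windir%")
        if reasons:
            findings.append((e, reasons))
    return findings


if __name__ == "__main__":
    for entry, reasons in suspicious_entries(parse_authorized_apps(SAMPLE_LINES)):
        print(f"[{entry.profile}] {entry.path} ({entry.state}, name={entry.name!r})")
        for reason in reasons:
            print("   -", reason)
```

Run against the full log above, the same rules would flag every Temp\*exinjs*.exe and *modul32.exe exception while leaving the svchost.exe "Microsoft Update" entry alone, since that one sits under C:\WINDOWS.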
     
  10. justchange

    justchange Thread Starter

    Joined:
    Oct 17, 2004
    Messages:
    38
    Here's the complete WinPFind.txt file.
     

    Attached Files:

  11. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    101,721
    Since you already have AVG Anti-Spyware, please do this:

    • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button. The update will start and a progress bar will show the updates being installed.
    • Once the update has completed, select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
    • Under "Reports"
      • Select "Automatically generate report after every scan"
      • Un-Select "Only if threats were found"
    Close AVG Anti-Spyware. Do Not run a scan just yet; we will run it in Safe Mode.
    1. Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.

      IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning as it may interfere with the scanning process:
    2. Launch AVG Anti-Spyware by double clicking the icon on your desktop.
    3. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
    4. AVG will now begin the scanning process. Please be patient as this may take a little time.
      Once the scan is complete, do the following:
    5. If you have any infections you will be prompted. Then select "Apply all actions."
    6. Next select the "Reports" icon at the top.
    7. Select the "Save report as" button in the lower left-hand corner of the screen and save it to a text file on your system (make sure to remember where you saved that file; this is important).
    8. Close AVG Anti-Spyware and reboot your system back into Normal Mode.


    Please go HERE to run Panda's ActiveScan
    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report


    Download GMER from http://www.gmer.net

    Save it somewhere safe & unzip it to desktop

    Double-click gmer.exe to run it, select the Rootkit tab and press Scan; when it has finished, press Save and copy the log back here please.


    Come back here and post a new HijackThis log along with the logs from the AVG and Panda scans and the GMER log.
     
  12. justchange

    justchange Thread Starter

    Joined:
    Oct 17, 2004
    Messages:
    38
    Multi-tasking today... helping another neighbor move.
    I'll follow these instructions and post the logs, shortly.
    Thank you for your commitment to help.
     
  13. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    101,721
    That's fine. (y)
     
  14. justchange

    justchange Thread Starter

    Joined:
    Oct 17, 2004
    Messages:
    38
    Here are the reports you requested.

    BTW, we've noticed a non-MS smss.exe (39.5k) in the Windows/System/ folder, dated 11-19-2006, about the time this started. There is another, larger file in the ../System32/ folder. Important?
     

    Attached Files:

  15. valis

    valis Moderator

    Joined:
    Sep 24, 2004
    Messages:
    67,558
    Dang, Panda keeps earning my respect...
     
Short URL to this thread: https://techguy.org/521041