Adware & Trojans: Winantispyware!

As Bitdefender has detected this but not removed it, an online scan in Safe Mode may be more effective. You can also scan with AVG in this way. Instructions here:

Now restart in Safe Mode. To get into Safe Mode, press "F8" on boot-up and select "Safe Mode with Networking". Go to Start - Run, type iexplore http://www.bitdefender.com/scan8/ie.html... and press Enter (OK). Do a full scan of all your drives. If something is found, delete it, reboot and do the same again in Safe Mode with Networking. When that scan does not find anything, reboot again in Safe Mode with Networking. Go to Start - Run, type iexplore http://www.ewido.net/en/ and press Enter (OK). Do a full scan of all your drives. If something is found, delete it, reboot and do the same again in Safe Mode with Networking.

NOTE: Do NOT do anything else with your computer while scanning, because you could start the virus/adware/spyware/malware manually.

http://ph.answers.yahoo.com/question/index?qid=20070920142247AASiUIe

Did you run VirtumundoBegone in Safe Mode? What was the result?

VundoFix V6.5.7

Checking Java version…

Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Scan started at 1:44:40 PM 8/15/2007

Listing files found while scanning…

No infected files were found.

Beginning removal…

VundoFix V6.5.8

Checking Java version…

Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Scan started at 1:08:53 PM 9/20/2007

Listing files found while scanning…

No infected files were found.

Beginning removal…

VundoFix V6.5.8

Checking Java version…

Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Scan started at 1:22:05 PM 9/20/2007

Listing files found while scanning…

No infected files were found.

Beginning removal…

Beginning removal…

Attempting to delete C:\WINDOWS\system32\mahcrbyj.dll
C:\WINDOWS\system32\mahcrbyj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tusqo.dll
C:\WINDOWS\system32\tusqo.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal…

Attempting to delete C:\WINDOWS\system32\tusqo.dll
C:\WINDOWS\system32\tusqo.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal…

ComboFix 07-09-20.1 - "Tara & Paul" 2007-09-22 8:36:53.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.54 [GMT -7:00]
Script execution time was exceeded on script "C:\ComboFix\restore_pt.vbs".
Script execution was terminated.
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
C:\Temp\fse
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\boxcpdpl.ini
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\lpdpcxob.dll
C:\WINDOWS\system32\oqsut.bak1
C:\WINDOWS\system32\oqsut.bak2
C:\WINDOWS\system32\oqsut.ini
C:\WINDOWS\system32\oqsut.ini2
C:\WINDOWS\system32\oqsut.tmp
C:\WINDOWS\system32\tusqo.dll

.
((((((((((((((((((((((((( Files Created from 2007-08-22 to 2007-09-22 )))))))))))))))))))))))))))))))
.

2007-09-20 19:07 83,008 --a------ C:\WINDOWS\system32\gqoqomwo.dll
2007-09-20 14:33 d-------- C:\Program Files\Common Files\Download Manager
2007-09-20 10:50 d-------- C:\WINDOWS\SxsCaPendDel
2007-09-20 09:06 83,008 --a------ C:\WINDOWS\system32\jsrrrvjh.dll
2007-09-19 19:15 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-09-19 19:14 d-------- C:\Program Files\SUPERAntiSpyware
2007-09-19 19:14 d-------- C:\DOCUME~1\TARA&P~1\APPLIC~1\SUPERAntiSpyware.com
2007-09-19 19:12 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-19 09:52 d-------- C:\Program Files\RogueRemover FREE
2007-09-08 20:13 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\DVD Shrink
2007-09-08 20:03 d-------- C:\All DVD Work
2007-08-30 21:05 d-------- C:\DOCUME~1\TARA&P~1\APPLIC~1\CyberLink
2007-08-30 21:05 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\CyberLink
2007-08-30 11:38 31 --ah----- C:\WINDOWS\uccspecc.sys
2007-08-30 11:38 d-------- C:\WINDOWS\Cache
2007-08-30 11:38 d-------- C:\Program Files\Coupons
2007-08-23 20:45 d-------- C:\Program Files\Norton Security Scan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-22 08:25 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google Updater
2007-09-15 15:55 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-09-06 03:05 94416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-06 03:05 92848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-06 03:03 23152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-06 03:02 42912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-06 03:00 26624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-08-26 16:17 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-19 15:54 --------- d-------- C:\Program Files\mobile PhoneTools
2007-08-18 20:11 --------- d-------- C:\DOCUME~1\TARA&P~1\APPLIC~1\Ahead
2007-08-18 20:09 --------- d-------- C:\Program Files\Common Files\LightScribe
2007-08-18 10:58 --------- d-------- C:\Program Files\Common Files\Ahead
2007-08-18 10:34 --------- d-------- C:\Program Files\Nero
2007-08-18 10:34 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Nero
2007-08-18 10:10 --------- d-------- C:\Program Files\CyberLink
2007-08-16 14:03 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-08-13 14:17 --------- d-------- C:\Program Files\Google
2007-08-13 10:43 --------- d-------- C:\DOCUME~1\TARA&P~1\APPLIC~1\LimeWire
2007-08-10 10:23 --------- d-------- C:\DOCUME~1\TARA&P~1\APPLIC~1\Viewpoint
2007-08-10 10:23 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
2007-08-10 10:22 --------- d-------- C:\DOCUME~1\TARA&P~1\APPLIC~1\acccore
2007-08-10 10:21 --------- d-------- C:\Program Files\Viewpoint
2007-08-10 10:21 --------- d-------- C:\Program Files\AIM6
2007-08-10 10:21 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL OCP
2007-08-10 10:21 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
2007-08-10 10:19 --------- d-------- C:\Program Files\Common Files\AOL
2007-08-10 10:18 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL Downloads
2007-08-09 10:32 --------- d-------- C:\DOCUME~1\TARA&P~1\APPLIC~1\ArcSoft
2007-08-09 09:47 --------- d-------- C:\DOCUME~1\TARA&P~1\APPLIC~1\Leadertech
2007-08-09 09:42 --------- d-------- C:\Program Files\epson
2007-08-09 09:39 --------- d-------- C:\Program Files\ArcSoft
2007-07-23 09:09 --------- d-------- C:\Program Files\Comodo
2007-07-22 19:23 --------- d-------- C:\DOCUME~1\TARA&P~1\APPLIC~1\AdobeUM
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

Note empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"=""
"WatchDog"="C:\Program Files\mobile PhoneTools\WatchDog.exe" [2007-09-07 18:42]
"EPSON Stylus CX5800F Series"="C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIALA.exe" [2005-05-09 22:00]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 03:06]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-09-07 18:42]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"P2kAutostart"="C:\Documents and Settings\Tara & Paul\My Documents\P2kCommanderV330\P2kAutostart.exe"
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-19 16:29]
"Aim6"=""
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 18:05]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_USERS.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-08-13 14:14:34]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
“{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}”= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R3 cwrwdm;SoundFusion™ WDM Driver;C:\WINDOWS\system32\DRIVERS\cwrwdm.sys
S3 AWINDIS5;AWINDIS5 Protocol Driver;??\C:\WINDOWS\system32\AWINDIS5.SYS
S3 PRISM_ICB;NETGEAR WG511 Wireless LAN Driver;C:\WINDOWS\system32\DRIVERS\WG511ICB.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-09-14 23:44:38 C:\WINDOWS\Tasks\Norton Security Scan.job"

- C:\Program Files\Norton Security Scan\Nss.exe
.

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-22 08:51:33
Windows 5.1.2600 Service Pack 2, v.2096 NTFS

scanning hidden processes …

scanning hidden autostart entries …

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
P2kAutostart = C:\Documents and Settings\Tara & Paul\My Documents\P2kCommanderV330\P2kAutostart.exe?0???

scanning hidden files …

scan completed successfully
hidden files: 0


.
Completion time: 2007-09-22 8:55:31 - machine was rebooted
C:\ComboFix-quarantined-files.txt … 2007-09-22 08:55
C:\ComboFix2.txt … 2007-08-15 12:09
.
— E O F —

WinPFind3 logfile created on: 9/22/2007 8:58:58 AM
WinPFind3U by OldTimer - Version 1.0.42 Folder = C:\Documents and Settings\Tara & Paul\Desktop\WinPFind3u
Microsoft Windows XP Service Pack 2, v.2096 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2900.2096)

191.48 Mb Total Physical Memory | 33.88 Mb Available Physical Memory | 17.69% Memory free
466.79 Mb Paging File | 276.67 Mb Available in Paging File | 59.27% Paging File free
Paging file location(s): C:\pagefile.sys 288 576;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 27.64 Gb Total Space | 23.18 Gb Free Space | 83.87% Space Free
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded

Computer Name: LAPTOP
Current User Name: Tara & Paul
Logged in as Administrator.
Current Boot Mode: Normal

[Processes - Non-Microsoft Only]
ashdisp.exe → %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 79224 bytes | Modified Date = 9/6/2007 3:06:10 AM | Attr = ]
ashmaisv.exe → %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 243064 bytes | Modified Date = 9/6/2007 3:05:42 AM | Attr = ]
ashserv.exe → %ProgramFiles%\Alwil Software\Avast4\ashServ.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 132472 bytes | Modified Date = 9/6/2007 3:06:04 AM | Attr = ]
ashwebsv.exe → %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 345464 bytes | Modified Date = 9/6/2007 3:04:44 AM | Attr = ]
aswupdsv.exe → %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 16248 bytes | Modified Date = 9/6/2007 2:54:58 AM | Attr = ]
e_fatiala.exe → %System32%\spool\drivers\w32x86\3\E_FATIALA.EXE → SEIKO EPSON CORPORATION [Ver = 4.00 | Size = 98304 bytes | Modified Date = 5/9/2005 10:00:00 PM | Attr = ]
googleupdater.exe → %ProgramFiles%\Google\Google Updater\GoogleUpdater.exe → Google [Ver = 2.2.940.34809.beta | Size = 124912 bytes | Modified Date = 8/13/2007 2:13:36 PM | Attr = ]
googleupdaterservice.exe → %ProgramFiles%\Google\Common\Google Updater\GoogleUpdaterService.exe → Google [Ver = 2.2.824.5515.beta | Size = 138680 bytes | Modified Date = 8/13/2007 2:14:18 PM | Attr = ]
jusched.exe → %ProgramFiles%\Java\jre1.6.0_02\bin\jusched.exe → Sun Microsystems, Inc. [Ver = 6.0.20.6 | Size = 132496 bytes | Modified Date = 7/12/2007 4:00:36 AM | Attr = ]
lssrvc.exe → %CommonProgramFiles%\LightScribe\LSSrvc.exe → Hewlett-Packard Company [Ver = 1.4.124.1 | Size = 61440 bytes | Modified Date = 10/19/2006 1:52:24 PM | Attr = ]
nmbgmonitor.exe → %CommonProgramFiles%\Ahead\Lib\NMBgMonitor.exe → Nero AG [Ver = 1, 5, 13, 0 | Size = 143360 bytes | Modified Date = 12/23/2006 6:05:20 PM | Attr = ]
nmindexingservice.exe → %CommonProgramFiles%\Ahead\Lib\NMIndexingService.exe → Nero AG [Ver = 1, 5, 13, 0 | Size = 262144 bytes | Modified Date = 12/23/2006 5:54:04 PM | Attr = ]
nmindexstoresvr.exe → %CommonProgramFiles%\Ahead\Lib\NMIndexStoreSvr.exe → Nero AG [Ver = 1, 5, 13, 0 | Size = 905216 bytes | Modified Date = 12/23/2006 6:04:42 PM | Attr = ]
superantispyware.exe → %ProgramFiles%\SUPERAntiSpyware\SUPERAntiSpyware.exe → SUPERAntiSpyware.com [Ver = 3, 9, 0, 1008 | Size = 1318912 bytes | Modified Date = 6/21/2007 2:06:28 PM | Attr = ]
watchdog.exe → %ProgramFiles%\mobile PhoneTools\WatchDog.exe → [Ver = | Size = 36864 bytes | Modified Date = 9/7/2007 6:42:16 PM | Attr = ]
winpfind3u.exe → %UserDesktop%\WinPFind3u\WinPFind3U.exe → OldTimer Tools [Ver = 1.0.42.0 | Size = 322560 bytes | Modified Date = 9/4/2007 10:47:26 AM | Attr = ]

[Win32 Services - Non-Microsoft Only]
(aswUpdSv) avast! iAVS4 Control Service [Win32_Own | Auto | Running] → %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 16248 bytes | Modified Date = 9/6/2007 2:54:58 AM | Attr = ]
(avast! Antivirus) avast! Antivirus [Win32_Own | Auto | Running] → %ProgramFiles%\Alwil Software\Avast4\ashServ.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 132472 bytes | Modified Date = 9/6/2007 3:06:04 AM | Attr = ]
(avast! Mail Scanner) avast! Mail Scanner [Win32_Own | On_Demand | Running] → %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 243064 bytes | Modified Date = 9/6/2007 3:05:42 AM | Attr = ]
(avast! Web Scanner) avast! Web Scanner [Win32_Own | On_Demand | Running] → %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 345464 bytes | Modified Date = 9/6/2007 3:04:44 AM | Attr = ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] → %System32%\dmadmin.exe → Microsoft Corp., Veritas Software [Ver = 2600.2096.503.0 | Size = 224768 bytes | Modified Date = 3/11/2004 6:18:58 PM | Attr = ]
(gusvc) Google Updater Service [Win32_Own | Auto | Running] → %ProgramFiles%\Google\Common\Google Updater\GoogleUpdaterService.exe → Google [Ver = 2.2.824.5515.beta | Size = 138680 bytes | Modified Date = 8/13/2007 2:14:18 PM | Attr = ]
(LightScribeService) LightScribeService Direct Disc Labeling Service [Win32_Own | Auto | Running] → %CommonProgramFiles%\LightScribe\LSSrvc.exe → Hewlett-Packard Company [Ver = 1.4.124.1 | Size = 61440 bytes | Modified Date = 10/19/2006 1:52:24 PM | Attr = ]
(NBService) NBService [Win32_Own | On_Demand | Stopped] → %ProgramFiles%\Nero\Nero 7\Nero BackItUp\NBService.exe → Nero AG [Ver = 2, 7, 3, 1 | Size = 774144 bytes | Modified Date = 1/5/2007 1:41:10 PM | Attr = ]
(NMIndexingService) NMIndexingService [Win32_Own | On_Demand | Running] → %CommonProgramFiles%\Ahead\Lib\NMIndexingService.exe → Nero AG [Ver = 1, 5, 13, 0 | Size = 262144 bytes | Modified Date = 12/23/2006 5:54:04 PM | Attr = ]

[Registry - Non-Microsoft Only]
< Run [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run →
avast! → %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 79224 bytes | Modified Date = 9/6/2007 3:06:10 AM | Attr = ]
EPSON Stylus CX5800F Series → %System32%\spool\drivers\w32x86\3\E_FATIALA.EXE → SEIKO EPSON CORPORATION [Ver = 4.00 | Size = 98304 bytes | Modified Date = 5/9/2005 10:00:00 PM | Attr = ]
NeroFilterCheck → %CommonProgramFiles%\Ahead\Lib\NeroCheck.exe → Nero AG [Ver = 1, 0, 0, 5 | Size = 155648 bytes | Modified Date = 9/7/2007 6:42:24 PM | Attr = ]
SunJavaUpdateSched → %ProgramFiles%\Java\jre1.6.0_02\bin\jusched.exe → Sun Microsystems, Inc. [Ver = 6.0.20.6 | Size = 132496 bytes | Modified Date = 7/12/2007 4:00:36 AM | Attr = ]
WatchDog → %ProgramFiles%\mobile PhoneTools\WatchDog.exe → [Ver = | Size = 36864 bytes | Modified Date = 9/7/2007 6:42:16 PM | Attr = ]
< Run [HKCU] > → HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run →
Aim6 → → File not found
BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} → %CommonProgramFiles%\Ahead\Lib\NMBgMonitor.exe → Nero AG [Ver = 1, 5, 13, 0 | Size = 143360 bytes | Modified Date = 12/23/2006 6:05:20 PM | Attr = ]
P2kAutostart → %UserDocuments%\P2kCommanderV330\P2kAutostart.exe → File not found
SUPERAntiSpyware → %ProgramFiles%\SUPERAntiSpyware\SUPERAntiSpyware.exe → SUPERAntiSpyware.com [Ver = 3, 9, 0, 1008 | Size = 1318912 bytes | Modified Date = 6/21/2007 2:06:28 PM | Attr = ]
swg → %ProgramFiles%\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe → Google Inc. [Ver = 2, 0, 301, 1654 | Size = 68856 bytes | Modified Date = 7/19/2007 4:29:22 PM | Attr = ]
< Common Startup > → C:\Documents and Settings\All Users\Start Menu\Programs\Startup →
%AllUsersStartup%\Google Updater.lnk → %ProgramFiles%\Google\Google Updater\GoogleUpdater.exe → Google [Ver = 2.2.940.34809.beta | Size = 124912 bytes | Modified Date = 8/13/2007 2:13:36 PM | Attr = ]
< ShellExecuteHooks [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks →
{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} [HKLM] → %ProgramFiles%\SUPERAntiSpyware\SASSEH.DLL SuperAdBlocker.com [Ver = 1, 0, 0, 1008 | Size = 77824 bytes | Modified Date = 12/20/2006 1:55:48 PM | Attr = ]
< SecurityProviders [HKLM] > → HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders →
< Winlogon settings [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon →
< Winlogon settings [HKCU] > → HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon →
< Winlogon\Notify settings [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ →
!SASWinLogon → %ProgramFiles%\SUPERAntiSpyware\SASWINLO.dll → SUPERAntiSpyware.com [Ver = 1, 0, 0, 1046 | Size = 294912 bytes | Modified Date = 4/19/2007 1:41:36 PM | Attr = ]
< CurrentVersion Policy Settings [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\NoDriveAutoRun → 67108863 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\NoDriveTypeAutoRun → 255 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} → 1 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} → 1073741857 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{0DF44EAA-FF21-4412-828E-260A8728E7F1} → 32 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\dontdisplaylastusername → 0 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\legalnoticecaption → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\legalnoticetext → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\shutdownwithoutlogon → 1 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\undockwithoutlogon → 1 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ → →
< CurrentVersion Policy Settings [HKCU] > → HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ →
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ → →

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ → →
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\ → →
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ → →
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveTypeAutoRun → 145 →
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ → →
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ → →
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ → →
< HOSTS File > (27 bytes) → C:\WINDOWS\System32\drivers\etc\Hosts →
127.0.0.1 localhost → →
< Internet Explorer Settings > → →
HKLM: Default_Page_URL → http://mirs.peoplepc.com/?offername=PeoplePC Security Plus&userName=wettgremlin_91&firstName=Paul&qs=FHJBFDPGOIDNEHCKGLPAMFEOHAHECKGJLJLGBLNIBMDACKJIIDMFELKDOIDHHMMFCIBGIPPPFFKGBGKMOHJIIFIGHFPJEGAGPNMHLFBKINPKMLBBAEEEJJKDJALCPBCP|MMCNNMBFDGNMCNOPADEEAAGOBAFDF →
HKLM: Main\Default_Search_URL → http://www.google.com/ie
HKLM: Local Page → %SystemRoot%\system32\blank.htm →
HKLM: Search Page → http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM: Start Page → about:blank →
HKLM: CustomizeSearch → http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
HKLM: Search\Default_Search_URL → http://www.google.com/ie
HKLM: SearchAssistant → http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKCU: Local Page → C:\WINDOWS\system32\blank.htm →
HKCU: Search Bar → http://www.google.com/ie
HKCU: Search Page → http://www.google.com
HKCU: Start Page → about:blank →
HKCU: SearchAssistant → http://www.google.com/ie
HKCU: ProxyEnable → 0 →
< Trusted Sites > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ →
msn.com [ - ] → →
< Trusted Sites > → HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ →
www_java.com [http] → →
update_microsoft.com [http] → →
photos_walmart.com [http] → →
< BHO’s > → HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ →
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKLM] → %ProgramFiles%\Java\jre1.6.0_02\bin\ssv.dll [SSVHelper Class] → Sun Microsystems, Inc. [Ver = 6.0.20.6 | Size = 501136 bytes | Modified Date = 7/12/2007 4:00:36 AM | Attr = ]
{AA58ED58-01DD-4d91-8333-CF10577473F7} [HKLM] → %ProgramFiles%\Google\googletoolbar1.dll [Google Toolbar Helper] → Google Inc. [Ver = 4, 0, 1602, 1060 | Size = 2554944 bytes | Modified Date = 8/13/2007 2:17:18 PM | Attr = R ]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} [HKLM] → %ProgramFiles%\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll [Google Toolbar Notifier BHO] → Google Inc. [Ver = 2, 1, 615, 5858 | Size = 654832 bytes | Modified Date = 8/13/2007 2:15:10 PM | Attr = ]
< Internet Explorer ToolBars [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar →
{2318C2B1-4965-11d4-9B18-009027A5CD4F} [HKLM] → %ProgramFiles%\Google\googletoolbar1.dll [&Google] → Google Inc. [Ver = 4, 0, 1602, 1060 | Size = 2554944 bytes | Modified Date = 8/13/2007 2:17:18 PM | Attr = R ]
{8E718888-423F-11D2-876E-00A0C9082467} [HKLM] → %System32%\msdxm.ocx [&Radio] → [Ver = | Size = 843802 bytes | Modified Date = 3/11/2004 4:08:16 PM | Attr = ]
< Internet Explorer ToolBars [HKCU] > → HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ →
ShellBrowser\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKLM] → %ProgramFiles%\Google\googletoolbar1.dll [&Google] → Google Inc. [Ver = 4, 0, 1602, 1060 | Size = 2554944 bytes | Modified Date = 8/13/2007 2:17:18 PM | Attr = R ]
WebBrowser\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKLM] → %ProgramFiles%\Google\googletoolbar1.dll [&Google] → Google Inc. [Ver = 4, 0, 1602, 1060 | Size = 2554944 bytes | Modified Date = 8/13/2007 2:17:18 PM | Attr = R ]
WebBrowser\{F0F8ECBE-D460-4B34-B007-56A92E8F84A7} [HKLM] → Reg Data - Key not found [Reg Data - Key not found] → File not found
< Internet Explorer Extensions [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ →
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] → %ProgramFiles%\Java\jre1.6.0_02\bin\npjpi160_02.dll [MenuText: Sun Java Console] → Sun Microsystems, Inc. [Ver = 6.0.20.6 | Size = 132496 bytes | Modified Date = 7/12/2007 4:00:36 AM | Attr = ]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKCU] → %ProgramFiles%\Java\jre1.6.0_02\bin\ssv.dll [MenuText: Sun Java Console] → Sun Microsystems, Inc. [Ver = 6.0.20.6 | Size = 501136 bytes | Modified Date = 7/12/2007 4:00:36 AM | Attr = ]
{85d1f590-48f4-11d9-9669-0800200c9a66} [HKLM] → Reg Data - Key not found [MenuText: Uninstall BitDefender Online Scanner v8] → File not found
{92780B25-18CC-41C8-B9BE-3C9C571A8263} → Reg Data - Value does not exist [ButtonText: Research] → File not found
< Internet Explorer Menu Extensions [HKCU] > → HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ →
E&xport to Microsoft Excel → → File not found
< DNS Name Servers [HKLM] > → HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ →
{2AD54E64-CF6F-4D17-876E-5B9A5215E2BD} → (Motorola SURFboard SB5100 USB Cable Modem) →
{870402FA-F9C7-4BEF-AD88-87CABAAAF413} → (Motorola SURFboard SB5100 USB Cable Modem) →
< Default Protocols [HKLM] - Select to Repair > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults →
shell → shell protocol not assigned →
< Default Protocols [HKCU] - Select to Repair > → HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults →
shell → shell protocol not assigned →
< Protocol Handlers [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ →
msdaipp → Reg Data - Key not found → File not found
vnd.ms.radio → %System32%\msdxm.ocx → [Ver = | Size = 843802 bytes | Modified Date = 3/11/2004 4:08:16 PM | Attr = ]
< Downloaded Program Files > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ →
{17492023-C23A-453E-A040-C7C580BBF700} → Windows Genuine Advantage Validation Tool - CodeBase = http://go.microsoft.com/fwlink/?linkid=39204
{2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} → Symantec AntiVirus scanner - CodeBase = http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
{406B5949-7190-4245-91A9-30A17DE16AD0} → Snapfish Activia - CodeBase = http://photos.walmart.com/WalmartActivia.cab
{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} → BDSCANONLINE Control - CodeBase = http://download.bitdefender.com/resources/scan8/oscan8.cab
{6414512B-B978-451D-A0D8-FCFDF33E833C} → WUWebControl Class - CodeBase = http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186780356336
{644E432F-49D3-41A1-8DD5-E099162EEEC5} → Symantec RuFSI Utility Class - CodeBase = http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} → MUWebControl Class - CodeBase = http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187926666522
{8AD9C840-044E-11D1-B3E9-00805F499D93} → Java Plug-in 1.6.0_02 - CodeBase = http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
{A7EA8AD2-287F-11D3-B120-006008C39542} → CBSTIEPrint Class - CodeBase = http://offers.e-centives.com/cif/download/bin/actxcab.cab
{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} → Java Plug-in 1.6.0_02 - CodeBase = http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} → Java Plug-in 1.6.0_02 - CodeBase = http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
{D27CDB6E-AE6D-11CF-96B8-444553540000} → - CodeBase = http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
{F137B9BA-89EA-4B04-9C67-2074A9DF61FD} → Photo Upload Plugin Class - CodeBase = http://cvs.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab? →

[Registry - Additional Scans - Non-Microsoft Only]
< BotCheck > → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\DefaultLaunchPermission → 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\MachineLaunchRestriction → 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\MachineAccessRestriction → 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\EnableDCOM → Y →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\NONREDIST\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\NONREDIST\System.EnterpriseServices.Thunk.dll → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirstRunDisabled → 1 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify → 0 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify → 0 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify → 0 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride → 0 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride → 0 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\DisableMonitoring → 1 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus\DisableMonitoring → 1 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall\DisableMonitoring → 1 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate not found. → →
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile not found. → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages → msv1_0; →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Bounds →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages → kerberos;msv1_0;schannel;wdigest; →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ImpersonatePrivilegeUpgradeToolHasRun → 1 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LsaPid → 660 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SecureBoot → 1 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\auditbaseobjects → 0 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\crashonauditfail → 0 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\disabledomaincreds → 0 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\everyoneincludesanonymous → 0 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\fipsalgorithmpolicy → 0 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\forceguest → 1 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\fullprivilegeauditing →

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\limitblankpassworduse → 1 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\lmcompatibilitylevel → 0 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\nodefaultadminowner → 1 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\nolmhash → 0 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous → 0 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymoussam → 1 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages → scecli; →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\enabledcom → y →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\ProviderOrder → Windows NT Access Provider; →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider\ProviderPath → %SystemRoot%\system32\ntmarta.dll →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data\Pattern → õ°> ­Ý¼D“Û4¶³110f47e9
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG\GrafBlumGroup → @KÆvÚ­9

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD\Lookup → ¾?IÎì →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\SidCache\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\Auth132 → IISSUBA →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\ntlmminclientsec → 0 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\ntlmminserversec → 0 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1\SkewMatrix → í§eQQ…rÆ•£Sd →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4\SSOURL → http://www.passport.com
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\Time → 0¹{®¬þÆ →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\Name → Digest →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\Comment → Digest SSPI Authentication Package →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\Capabilities → 16464 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\RpcId → 65535 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\Version → 1 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\TokenSize → 65535 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\Time →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\Type → 49 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\Name → DPA →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\Comment → DPA Security Package →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\Capabilities → 55 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\RpcId → 17 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\Version → 1 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\TokenSize → 768 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\Time →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\Type → 49 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\Name → MSN →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\Comment → MSN Security Package →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\Capabilities → 55 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\RpcId → 18 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\Version → 1 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\TokenSize → 768 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\Time →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\Type → 49 →

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start → 2 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\DisplayName → Internet Connection Sharing →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\DependOnService → Netman;WinMgmt; →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Type → 32 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\ErrorControl → 1 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\ImagePath → %SystemRoot%\System32\svchost.exe -k netsvcs →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\DependOnGroup → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\ObjectName → LocalSystem →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Description → Provides network address translation, addressing, and name resolution services for all computers on your home network through a dial-up connection. →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\Epoch → 12003 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\ServiceDll → %SystemRoot%\System32\ipnathlp.dll →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\139:TCP → 139:TCP::Enabled:NetBIOS Session Service →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\445:TCP → 445:TCP::Enabled:SMB over TCP →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\137:UDP → 137:UDP::Enabled:NetBIOS Name Service →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\138:UDP → 138:UDP::Enabled:NetBIOS Datagram Service →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall → 1 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions → 1 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications → 0 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\139:TCP → 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\445:TCP → 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\137:UDP → 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\138:UDP → 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\1900:UDP → 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\2869:TCP → 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Security\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Security\Security → 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\ServiceUpgrade → 1 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate\All → 1 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\0 → Root\LEGACY_SHAREDACCESS\0000 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\Count → 1 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\NextInstance → 1 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Type → 32 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Start → 2 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\ErrorControl → 1 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\ImagePath → %systemroot%\system32\svchost.exe -k netsvcs →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\DisplayName → Automatic Updates →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\ObjectName → LocalSystem →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Description → Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site. →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters\ServiceDll → C:\WINDOWS\system32\wuauserv.dll →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Security\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Security\Security → 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\0 → Root\LEGACY_WUAUSERV\0000 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\Count → 1 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\NextInstance → 1 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Description → Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. If this service is disabled, any services that explicitly depend on it will fail to start. →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\DependOnService → RPCSS; →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\DisplayName → Remote Registry →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\ErrorControl → 1 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\ImagePath → %SystemRoot%\system32\svchost.exe -k LocalService →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\ObjectName → NT AUTHORITY\LocalService →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Group → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Start → 2 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Type → 32 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\FailureActions →

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Parameters\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Parameters\ServiceDll → %SystemRoot%\system32\regsvc.dll →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Security\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Security\Security → 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Enum\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Enum\0 → Root\LEGACY_REMOTEREGISTRY\0000 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Enum\Count → 1 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Enum\NextInstance → 1 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Type → 16 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Start → 4 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\ErrorControl → 1 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\ImagePath → C:\WINDOWS\system32\tlntsvr.exe →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\DisplayName → Telnet →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\DependOnService → RPCSS;TCPIP;NTLMSSP; →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\DependOnGroup → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\ObjectName → LocalSystem →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Description → Enables a remote user to log on to this computer and run programs, and supports various TCP/IP Telnet clients, including UNIX-based and Windows-based computers. If this service is stopped, remote user access to programs might be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Security\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Security\Security → 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable → 0 →
< Uninstall List > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ →
{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79} → DVD Suite →
{2318C2B1-4965-11d4-9B18-009027A5CD4F} → Google Toolbar for Internet Explorer →
{2B04D44F-1D1B-4E0E-8431-D04F87C21033} → Nero 7 Essentials →
{3248F0A8-6813-11D6-A77B-00B0D0160020} → Java™ 6 Update 2 →
{43DCF766-6838-4F9A-8C91-D92DA586DFA7} → Microsoft Windows Journal Viewer →
{4D8E38A1-0932-11D7-8E11-0080C8274868} → Samsung Digimax 201 →
{76E41F43-59D2-4F30-BA42-9A762EE1E8DE} → LiveUpdate BVRP Software →
{86D6A20D-3910-4441-A3E5-EB6977251C86} → Samsung USB Driver →
{90110409-6000-11D3-8CFE-0150048383C9} → Microsoft Office Professional Edition 2003 →
{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} → Microsoft .NET Framework 1.1 →
{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA} → SUPERAntiSpyware Free Edition →
{D433ABC3-0CD8-4BB0-B6A9-84501B4B47B7} → ArcSoft PhotoImpression 5 →
{DBEA1034-5882-4A88-8033-81C4EF0CFA29} → Google Toolbar for Internet Explorer →
{E1180142-3B31-4DCC-9D27-7AC2D37662BF} → LightScribe 1.4.124.1 →
{E5431FB5-B3EB-46C8-8275-F6447131C98A} → Norton Security Scan →
{EF1DD862-1F5C-4BC8-B3B6-BBB5AD3B460E} → Motorola Handset USB Driver →
{F18E8A0F-BE99-4305-96A5-6C0FD9D7D999} → mobile PhoneTools →
{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F} → HighMAT Extension to Microsoft Windows XP CD Writing Wizard →
AIM_6 → AIM 6 →
avast! → avast! Antivirus →
DVDFab HD Decrypter_is1 → DVDFab HD Decrypter 3.1.8.0 →
EPSON Printer and Utilities → EPSON Printer Software →
EPSON Scanner → EPSON Scan →
Google Updater → Google Updater →
HijackThis → HijackThis 1.99.1 →
HijackThis 1.99.1 → HijackThis 1.99.1 →
ie7 → Windows Internet Explorer 7 →
KB892130 → Windows Genuine Advantage Validation Tool (KB892130) →
KB893803v2 → Windows Installer 3.1 (KB893803) →
KB896423 → Security Update for Windows XP (KB896423) →
KB898461 → Update for Windows XP (KB898461) →
KB908519 → Security Update for Windows XP (KB908519) →
KB920683 → Security Update for Windows XP (KB920683) →
KB920872 → Update for Windows XP (KB920872) →
MySpaceIM → MySpaceIM →
ShockwaveFlash → Adobe Flash Player 9 ActiveX →
Silent Package Run-Time Sample → EPSON CX5800F Guide →
ViewpointMediaPlayer → Viewpoint Media Player →
WGA → Windows Genuine Advantage Validation Tool (KB892130) →
Windows Media Format Runtime → Windows Media Format Runtime →

[Files/Folders - Created Within 30 days]
All DVD Work → %SystemDrive%\All DVD Work → [Folder | Created Date = 9/8/2007 8:03:08 PM | Attr = ]
Config.Msi → %SystemDrive%\Config.Msi → [Folder | Created Date = 9/20/2007 10:47:11 AM | Attr = HS]
hiberfil.sys → %SystemDrive%\hiberfil.sys → [Ver = | Size = 200855552 bytes | Created Date = 1/1/1601 7:00:00 AM | Attr = HS]
Cache → %SystemRoot%\Cache → [Folder | Created Date = 8/30/2007 11:38:19 AM | Attr = ]
DigimaxMaster.INI → %SystemRoot%\DigimaxMaster.INI → [Ver = | Size = 736 bytes | Created Date = 8/26/2007 4:13:02 PM | Attr = ]
NeroDigital.ini → %SystemRoot%\NeroDigital.ini → [Ver = | Size = 69 bytes | Created Date = 8/26/2007 12:53:01 PM | Attr = ]
SxsCaPendDel → %SystemRoot%\SxsCaPendDel → [Folder | Created Date = 9/20/2007 10:50:41 AM | Attr = ]
uccspecc.sys → %SystemRoot%\uccspecc.sys → [Ver = | Size = 31 bytes | Created Date = 8/30/2007 11:38:16 AM | Attr = H ]
WindowsShellOld.Manifest.1 → %SystemRoot%\WindowsShellOld.Manifest.1 → [Ver = | Size = 82 bytes | Created Date = 8/30/2007 11:38:16 AM | Attr = H ]
bspfmgkg.ini → %System32%\bspfmgkg.ini → [Ver = | Size = 693592 bytes | Created Date = 9/20/2007 11:54:35 AM | Attr = HS]
cpnprt2.cid → %System32%\cpnprt2.cid → Coupons, Inc. [Ver = 1, 0, 3, 0 | Size = 161376 bytes | Created Date = 8/30/2007 11:38:25 AM | Attr = RH ]
gfanmcqg.ini → %System32%\gfanmcqg.ini → [Ver = | Size = 693537 bytes | Created Date = 9/21/2007 11:46:52 AM | Attr = HS]
gqoqomwo.dll → %System32%\gqoqomwo.dll → [Ver = | Size = 83008 bytes | Created Date = 9/20/2007 7:07:35 PM | Attr = ]
hjvrrrsj.ini → %System32%\hjvrrrsj.ini → [Ver = | Size = 693421 bytes | Created Date = 9/20/2007 9:06:15 AM | Attr = HS]
java.exe → %System32%\java.exe → Sun Microsystems, Inc. [Ver = 6.0.20.6 | Size = 135168 bytes | Created Date = 9/18/2007 12:46:30 PM | Attr = ]
javacpl.cpl → %System32%\javacpl.cpl → Sun Microsystems, Inc. [Ver = 6.0.20.6 | Size = 69632 bytes | Created Date = 9/18/2007 12:46:30 PM | Attr = ]
javaw.exe → %System32%\javaw.exe → Sun Microsystems, Inc. [Ver = 6.0.20.6 | Size = 135168 bytes | Created Date = 9/18/2007 12:46:30 PM | Attr = ]
javaws.exe → %System32%\javaws.exe → Sun Microsystems, Inc. [Ver = 6.0.20.6 | Size = 139264 bytes | Created Date = 9/18/2007 12:46:30 PM | Attr = ]
jsrrrvjh.dll → %System32%\jsrrrvjh.dll → [Ver = | Size = 83008 bytes | Created Date = 9/20/2007 9:06:00 AM | Attr = ]
jybrcham.ini → %System32%\jybrcham.ini → [Ver = | Size = 693541 bytes | Created Date = 9/20/2007 8:30:12 PM | Attr = HS]
moveex.exe → %System32%\moveex.exe → [Ver = | Size = 38400 bytes | Created Date = 9/20/2007 10:05:50 AM | Attr = ]
oqsut.tmp2 → %System32%\oqsut.tmp2 → [Ver = | Size = 1982464 bytes | Created Date = 9/22/2007 8:26:48 AM | Attr = ]
owmoqoqg.ini → %System32%\owmoqoqg.ini → [Ver = | Size = 693670 bytes | Created Date = 9/20/2007 7:07:35 PM | Attr = HS]
pmayarhd.ini → %System32%\pmayarhd.ini → [Ver = | Size = 693601 bytes | Created Date = 9/21/2007 4:46:17 PM | Attr = HS]
unxkhjgv.ini → %System32%\unxkhjgv.ini → [Ver = | Size = 693481 bytes | Created Date = 9/20/2007 9:45:50 AM | Attr = HS]

[Files/Folders - Modified Within 30 days]
All DVD Work → %SystemDrive%\All DVD Work → [Folder | Modified Date = 9/11/2007 12:52:44 PM | Attr = ]
Config.Msi → %SystemDrive%\Config.Msi → [Folder | Modified Date = 9/20/2007 11:32:48 AM | Attr = HS]
Documents and Settings → %SystemDrive%\Documents and Settings → [Folder | Modified Date = 9/21/2007 9:46:06 AM | Attr = ]
hiberfil.sys → %SystemDrive%\hiberfil.sys → [Ver = | Size = 200855552 bytes | Modified Date = 9/22/2007 8:49:50 AM | Attr = HS]
Program Files → %ProgramFiles% → [Folder | Modified Date = 9/20/2007 7:06:50 PM | Attr = R ]
QooBox → %SystemDrive%\QooBox → [Folder | Modified Date = 9/22/2007 8:34:40 AM | Attr = ]
Temp → %SystemDrive%\Temp → [Folder | Modified Date = 9/22/2007 8:41:52 AM | Attr = ]
VundoFix Backups → %SystemDrive%\VundoFix Backups → [Folder | Modified Date = 9/21/2007 1:08:44 PM | Attr = ]
WINDOWS → %SystemRoot% → [Folder | Modified Date = 9/22/2007 8:41:48 AM | Attr = ]
BDOSCAN8 → %SystemRoot%\BDOSCAN8 → [Folder | Modified Date = 9/21/2007 10:57:32 AM | Attr = ]
bootstat.dat → %SystemRoot%\bootstat.dat → [Ver = | Size = 2048 bytes | Modified Date = 9/22/2007 8:49:52 AM | Attr = S]
Cache → %SystemRoot%\Cache → [Folder | Modified Date = 8/30/2007 11:38:20 AM | Attr = ]
CSC → %SystemRoot%\CSC → [Folder | Modified Date = 9/21/2007 10:36:26 AM | Attr = HS]
DigimaxMaster.INI → %SystemRoot%\DigimaxMaster.INI → [Ver = | Size = 736 bytes | Modified Date = 8/26/2007 4:13:04 PM | Attr = ]
Downloaded Program Files → %SystemRoot%\Downloaded Program Files → [Folder | Modified Date = 9/18/2007 9:49:56 AM | Attr = S]
EPISME00.SWB → %SystemRoot%\EPISME00.SWB → [Ver = | Size = 9662 bytes | Modified Date = 9/6/2007 9:55:02 AM | Attr = ]
erdnt → %SystemRoot%\erdnt → [Folder | Modified Date = 9/22/2007 8:46:58 AM | Attr = ]
inf → %SystemRoot%\inf → [Folder | Modified Date = 8/26/2007 12:40:02 PM | Attr = H ]
Installer → %SystemRoot%\Installer → [Folder | Modified Date = 9/20/2007 10:50:54 AM | Attr = HS]
NeroDigital.ini → %SystemRoot%\NeroDigital.ini → [Ver = | Size = 69 bytes | Modified Date = 9/9/2007 9:00:20 AM | Attr = ]
Prefetch → %SystemRoot%\Prefetch → [Folder | Modified Date = 9/22/2007 8:57:54 AM | Attr = ]
Registration → %SystemRoot%\Registration → [Folder | Modified Date = 9/18/2007 12:09:10 PM | Attr = ]
SxsCaPendDel → %SystemRoot%\SxsCaPendDel → [Folder | Modified Date = 9/20/2007 11:32:50 AM | Attr = ]
system32 → %System32% → [Folder | Modified Date = 9/22/2007 8:49:48 AM | Attr = ]
Tasks → %SystemRoot%\Tasks → [Folder | Modified Date = 9/22/2007 8:42:50 AM | Attr = S]
TEMP → %SystemRoot%\TEMP → [Folder | Modified Date = 9/22/2007 8:51:36 AM | Attr = ]
uccspecc.sys → %SystemRoot%\uccspecc.sys → [Ver = | Size = 31 bytes | Modified Date = 8/30/2007 11:38:18 AM | Attr = H ]
WindowsShellOld.Manifest.1 → %SystemRoot%\WindowsShellOld.Manifest.1 → [Ver = | Size = 82 bytes | Modified Date = 8/30/2007 11:38:18 AM | Attr = H ]
WinSxS → %SystemRoot%\WinSxS → [Folder | Modified Date = 9/19/2007 2:46:08 PM | Attr = ]
Norton Security Scan.job → %SystemRoot%\tasks\Norton Security Scan.job → [Ver = | Size = 420 bytes | Modified Date = 9/14/2007 4:44:40 PM | Attr = ]
SA.DAT → %SystemRoot%\tasks\SA.DAT → [Ver = | Size = 6 bytes | Modified Date = 9/22/2007 8:50:14 AM | Attr = H ]
aswBoot.exe → %System32%\aswBoot.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 801144 bytes | Modified Date = 9/6/2007 3:09:50 AM | Attr = ]
AVASTSS.scr → %System32%\AVASTSS.scr → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 95608 bytes | Modified Date = 9/6/2007 3:00:08 AM | Attr = ]
bspfmgkg.ini → %System32%\bspfmgkg.ini → [Ver = | Size = 693592 bytes | Modified Date = 9/20/2007 7:07:40 PM | Attr = HS]
CatRoot2 → %System32%\CatRoot2 → [Folder | Modified Date = 9/22/2007 8:57:40 AM | Attr = ]
CONFIG.NT → %System32%\CONFIG.NT → [Ver = | Size = 2626 bytes | Modified Date = 9/13/2007 9:18:34 AM | Attr = ]
cpnprt2.cid → %System32%\cpnprt2.cid → Coupons, Inc. [Ver = 1, 0, 3, 0 | Size = 161376 bytes | Modified Date = 8/30/2007 11:38:26 AM | Attr = RH ]
DirectX → %System32%\DirectX → [Folder | Modified Date = 8/26/2007 12:12:10 PM | Attr = ]
drivers → %System32%\drivers → [Folder | Modified Date = 9/22/2007 8:51:10 AM | Attr = ]
gfanmcqg.ini → %System32%\gfanmcqg.ini → [Ver = | Size = 693537 bytes | Modified Date = 9/21/2007 4:40:20 PM | Attr = HS]
gqoqomwo.dll → %System32%\gqoqomwo.dll → [Ver = | Size = 83008 bytes | Modified Date = 9/20/2007 7:07:36 PM | Attr = ]
hjvrrrsj.ini → %System32%\hjvrrrsj.ini → [Ver = | Size = 693421 bytes | Modified Date = 9/20/2007 9:06:30 AM | Attr = HS]
jsrrrvjh.dll → %System32%\jsrrrvjh.dll → [Ver = | Size = 83008 bytes | Modified Date = 9/20/2007 9:06:04 AM | Attr = ]
jybrcham.ini → %System32%\jybrcham.ini → [Ver = | Size = 693541 bytes | Modified Date = 9/21/2007 9:53:16 AM | Attr = HS]
oqsut.tmp2 → %System32%\oqsut.tmp2 → [Ver = | Size = 1982464 bytes | Modified Date = 9/22/2007 8:41:38 AM | Attr = ]
owmoqoqg.ini → %System32%\owmoqoqg.ini → [Ver = | Size = 693670 bytes | Modified Date = 9/20/2007 8:20:14 PM | Attr = HS]
pmayarhd.ini → %System32%\pmayarhd.ini → [Ver = | Size = 693601 bytes | Modified Date = 9/22/2007 8:09:38 AM | Attr = HS]
unxkhjgv.ini → %System32%\unxkhjgv.ini → [Ver = | Size = 693481 bytes | Modified Date = 9/20/2007 11:34:04 AM | Attr = HS]
wpa.dbl → %System32%\wpa.dbl → [Ver = | Size = 2206 bytes | Modified Date = 9/18/2007 8:37:48 AM | Attr = ]
aavmker4.sys → %System32%\drivers\aavmker4.sys → ALWIL Software [Ver = 4.7.1043.0 | Size = 26624 bytes | Modified Date = 9/6/2007 3:00:54 AM | Attr = ]
aswmon.sys → %System32%\drivers\aswmon.sys → ALWIL Software [Ver = 4.7.1043.0 | Size = 92848 bytes | Modified Date = 9/6/2007 3:05:26 AM | Attr = ]
aswmon2.sys → %System32%\drivers\aswmon2.sys → ALWIL Software [Ver = 4.7.1043.0 | Size = 94416 bytes | Modified Date = 9/6/2007 3:05:10 AM | Attr = ]
aswRdr.sys → %System32%\drivers\aswRdr.sys → ALWIL Software [Ver = 4.7.1043.0 | Size = 23152 bytes | Modified Date = 9/6/2007 3:03:02 AM | Attr = ]
aswTdi.sys → %System32%\drivers\aswTdi.sys → ALWIL Software [Ver = 4.7.1043.0 | Size = 42912 bytes | Modified Date = 9/6/2007 3:02:20 AM | Attr = ]
etc → %System32%\drivers\etc → [Folder | Modified Date = 9/22/2007 8:51:08 AM | Attr = ]

[File String Scan - Non-Microsoft Only]
UPX! , UPX0 , → %System32%\aswBoot.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 801144 bytes | Modified Date = 9/6/2007 3:09:50 AM | Attr = ]
PEC2 , → %System32%\dfrg.msc → [Ver = | Size = 41397 bytes | Modified Date = 8/23/2001 5:00:00 AM | Attr = ]
UPX! , UPX0 , → %System32%\swreg.exe → SteelWerX [Ver = 2.0.1.8 | Size = 279552 bytes | Modified Date = 7/22/2007 6:39:28 PM | Attr = ]
winsync , → %System32%\wbdbase.deu → [Ver = | Size = 1309184 bytes | Modified Date = 8/23/2001 5:00:00 AM | Attr = ]
WSUD , UPX0 , → %System32%\dllcache\hwxjpn.dll → [Ver = | Size = 13463552 bytes | Modified Date = 8/23/2001 5:00:00 AM | Attr = ]

< End of report >

WOW THAT TOOK A LOT OF POSTS!!! Ok, now I will do the Bitdefender scan in Safe Mode. Oh, also I noticed that it said I have old versions of Java. I’m not sure how often I’m supposed to be removing the old versions. That whole situation confuses me. It seems like I just did it.

When there is a new version you should update, as the reason for updates is often to close a vulnerability.

Ensure you have the latest version of the JRE (Java Runtime Environment), because older versions can be vulnerable to malware. First remove all older versions from Add/Remove Programs.
Then get the latest update from here: http://www.java.com/en/download/index.jsp

I’m analysing WinPFind now.

You need to go into Add/Remove Programs in the Control Panel and uninstall all versions of Java older than 1.6.0.2. Just having these old versions installed is the cause of the recurring Vundo infection - the infection you have today is a different variety of the same thing we removed in July.

Start WinPFind3U. Copy/Paste the information in the quotebox below into the pane where it says “Paste fix here” and then click the Run Fix button.

[Files/Folders - Created Within 30 days]
NY -> bspfmgkg.ini -> %System32%\bspfmgkg.ini
NY -> cpnprt2.cid -> %System32%\cpnprt2.cid
NY -> gfanmcqg.ini -> %System32%\gfanmcqg.ini
NY -> gqoqomwo.dll -> %System32%\gqoqomwo.dll
NY -> hjvrrrsj.ini -> %System32%\hjvrrrsj.ini
NY -> jsrrrvjh.dll -> %System32%\jsrrrvjh.dll
NY -> jybrcham.ini -> %System32%\jybrcham.ini
NY -> oqsut.tmp2 -> %System32%\oqsut.tmp2
NY -> owmoqoqg.ini -> %System32%\owmoqoqg.ini
NY -> pmayarhd.ini -> %System32%\pmayarhd.ini
NY -> unxkhjgv.ini -> %System32%\unxkhjgv.ini
[Files/Folders - Modified Within 30 days]
NY -> uccspecc.sys -> %SystemRoot%\uccspecc.sys

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix - please post this. Some of the files may not be found - especially if you’ve already run BitDefender again. That’s OK.

Also let me know of any problems you encounter performing these steps or any continuing problems you are having with the computer.

Now download the OTMoveIt http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe by OldTimer.
Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):


C:\WINDOWS\system32\vgjhkxnu.dll

Return to OTMoveIt, right click on the “Paste List of Files/Folders to be moved” window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply with a new Hijack log.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Also post the results of the WinPFind fix and a new WinPFind log.

In regard to the old Java, if you don't find it in the list of installed programs, reboot to safe mode and delete these folders (if present):


c:\program files\java\jre1.5.0.4
c:\program files\java\jre1.5.0.9

Do not delete the one labelled jre1.6.0.2
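A detail worth noticing in the fix list above: the .ini names are the .dll names spelled backwards (gqoqomwo.dll pairs with owmoqoqg.ini, jsrrrvjh.dll with hjvrrrsj.ini), a naming habit this Vundo family is known for, and the remaining eight-letter .ini files have no surviving partner, which fits the note that an earlier scan may already have removed some files. The script below is an added example, not part of the original thread or any of the tools it uses; it runs that pairing check over a constructed sample listing built from the names on this page plus a few legitimate files as negatives.

```python
"""
Added example: flag Vundo-style reversed-name file pairs in a directory listing.

A .dll whose stem, read backwards, is the stem of a .ini file in the same
directory (gqoqomwo.dll <-> owmoqoqg.ini) is reported as a pair. Eight-letter
.dll/.ini names with no partner are reported as orphans, since a scanner may
have removed one half of a pair already.
"""
import os
import re

# Constructed sample of a %System32% listing: the names from the WinPFind fix
# list on this page, plus legitimate files as negatives. Example data only.
SAMPLE_LISTING = [
    "bspfmgkg.ini", "cpnprt2.cid", "gfanmcqg.ini", "gqoqomwo.dll",
    "hjvrrrsj.ini", "jsrrrvjh.dll", "jybrcham.ini", "oqsut.tmp2",
    "owmoqoqg.ini", "pmayarhd.ini", "unxkhjgv.ini",
    "kernel32.dll", "ntdll.dll", "dfrg.msc", "swreg.exe", "aswBoot.exe",
]

# Vundo droppers on this page use exactly eight lowercase letters; the
# pattern is an assumption tuned to that observation, not a general rule.
EIGHT_LETTERS = re.compile(r"^[a-z]{8}$")
WATCHED_EXTS = {".dll", ".ini"}


def split_name(name):
    """Lower-cased (stem, extension) for a file name."""
    return os.path.splitext(name.lower())


def reversed_pairs(names):
    """Return sorted (dll, ini) pairs where the .ini stem is the .dll stem reversed."""
    by_ext = {}
    for name in names:
        stem, ext = split_name(name)
        by_ext.setdefault(ext, set()).add(stem)
    pairs = []
    for stem in sorted(by_ext.get(".dll", ())):
        if stem[::-1] in by_ext.get(".ini", ()):
            pairs.append((stem + ".dll", stem[::-1] + ".ini"))
    return pairs


def orphan_random_names(names):
    """Return sorted eight-letter .dll/.ini names that belong to no reversed pair."""
    paired = {member for pair in reversed_pairs(names) for member in pair}
    orphans = []
    for name in names:
        stem, ext = split_name(name)
        if ext in WATCHED_EXTS and EIGHT_LETTERS.match(stem) and name.lower() not in paired:
            orphans.append(name.lower())
    return sorted(orphans)


def triage(names):
    """Run both checks over a listing and return the findings."""
    return {"pairs": reversed_pairs(names), "orphans": orphan_random_names(names)}


def triage_directory(path):
    """Convenience wrapper: triage the file names in a real directory."""
    return triage([n for n in os.listdir(path) if os.path.isfile(os.path.join(path, n))])


if __name__ == "__main__":
    result = triage(SAMPLE_LISTING)
    for dll, ini in result["pairs"]:
        print(f"reversed pair       : {dll} <-> {ini}")
    for name in result["orphans"]:
        print(f"orphan 8-letter name: {name}")
```

The heuristic is deliberately narrow: cpnprt2.cid and oqsut.tmp2 do not match it and in the thread were caught by the created-within-30-days check instead, so use it alongside the timestamp listing rather than in place of it. Pointing `triage_directory` at `C:\WINDOWS\system32` on a live machine gives the same two lists for that directory.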

WinPFind3U log

[Files/Folders - Created Within 30 days]
C:\WINDOWS\SYSTEM32\bspfmgkg.ini moved successfully.
C:\WINDOWS\SYSTEM32\cpnprt2.cid moved successfully.
C:\WINDOWS\SYSTEM32\gfanmcqg.ini moved successfully.
C:\WINDOWS\SYSTEM32\gqoqomwo.dll moved successfully.
C:\WINDOWS\SYSTEM32\hjvrrrsj.ini moved successfully.
C:\WINDOWS\SYSTEM32\jsrrrvjh.dll moved successfully.
C:\WINDOWS\SYSTEM32\jybrcham.ini moved successfully.
C:\WINDOWS\SYSTEM32\oqsut.tmp2 moved successfully.
C:\WINDOWS\SYSTEM32\owmoqoqg.ini moved successfully.
C:\WINDOWS\SYSTEM32\pmayarhd.ini moved successfully.
C:\WINDOWS\SYSTEM32\unxkhjgv.ini moved successfully.
[Files/Folders - Modified Within 30 days]
C:\WINDOWS\uccspecc.sys moved successfully.
File not found!
< End of log >
Created on 09/22/2007 16:06:59

OTMoveIt:

File/Folder C:\WINDOWS\system32\vgjhkxnu.dll not found.

Created on 09/22/2007 16:11:47

And the new logs?

How’s the computer running?

And the new logs?

I’m not sure what you’re talking about. Those are the newest logs I have.

The computer seems to be running fine and I haven’t had a pop up or Avast warning.
I have a few ?'s… How often should I be checking for updates for Java? Can I go ahead and uninstall all of the programs I had been downloading to get rid of this thing? Also, all the Avast warnings I was getting I was just sending to the chest. Should I leave them there or delete them?

Thank you for all of your help! ;D

If you don’t mind posting fresh TryanFix and HijackTryan logs I would like to make sure nothing is still lurking. After I confirm you’re clean we’ll do some clean up.

Also there are quite a few files in the ComboFix quarantine folders that could be uploaded to avast!.

There are two ways to check for Java updates. The most common is to let it do automatic updates, which is the default when you install it. This happens sporadically - their update process is not the best. The other is to actively seek updates by monitoring a forum like this one or checking the Java website. It's more labor intensive but you'll get the updates sooner.

Did those old java folders delete OK?

Yeah the old Java files seemed to delete just fine. I had to go into safemode and delete the folders.
I will now upload the ComboFix quarantine files to avast!

ComboFix 07-09-20.1 - “Tara & Paul” 2007-09-23 9:07:32.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.39 [GMT -7:00]
.

((((((((((((((((((((((((( Files Created from 2007-08-23 to 2007-09-23 )))))))))))))))))))))))))))))))
.

2007-09-20 14:33 d-------- C:\Program Files\Common Files\Download Manager
2007-09-20 10:50 d-------- C:\WINDOWS\SxsCaPendDel
2007-09-19 19:15 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-09-19 19:14 d-------- C:\Program Files\SUPERAntiSpyware
2007-09-19 19:14 d-------- C:\DOCUME~1\TARA&P~1\APPLIC~1\SUPERAntiSpyware.com
2007-09-19 19:12 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-19 09:52 d-------- C:\Program Files\RogueRemover FREE
2007-09-08 20:13 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\DVD Shrink
2007-09-08 20:03 d-------- C:\All DVD Work
2007-08-30 21:05 d-------- C:\DOCUME~1\TARA&P~1\APPLIC~1\CyberLink
2007-08-30 21:05 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\CyberLink
2007-08-30 11:38 d-------- C:\WINDOWS\Cache
2007-08-30 11:38 d-------- C:\Program Files\Coupons
2007-08-23 20:45 d-------- C:\Program Files\Norton Security Scan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-22 08:25 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google Updater
2007-09-15 15:55 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-09-06 03:09 801144 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-09-06 03:05 94416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-06 03:05 92848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-06 03:03 23152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-06 03:02 42912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-06 03:00 95608 --a------ C:\WINDOWS\system32\AVASTSS.scr
2007-09-06 03:00 26624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-08-26 16:17 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-19 15:54 --------- d-------- C:\Program Files\mobile PhoneTools
2007-08-18 20:11 --------- d-------- C:\DOCUME~1\TARA&P~1\APPLIC~1\Ahead
2007-08-18 20:09 --------- d-------- C:\Program Files\Common Files\LightScribe
2007-08-18 10:58 --------- d-------- C:\Program Files\Common Files\Ahead
2007-08-18 10:34 --------- d-------- C:\Program Files\Nero
2007-08-18 10:34 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Nero
2007-08-18 10:10 --------- d-------- C:\Program Files\CyberLink
2007-08-16 14:03 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-08-13 14:17 --------- d-------- C:\Program Files\Google
2007-08-13 10:43 --------- d-------- C:\DOCUME~1\TARA&P~1\APPLIC~1\LimeWire
2007-08-10 10:23 --------- d-------- C:\DOCUME~1\TARA&P~1\APPLIC~1\Viewpoint
2007-08-10 10:23 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
2007-08-10 10:22 --------- d-------- C:\DOCUME~1\TARA&P~1\APPLIC~1\acccore
2007-08-10 10:21 --------- d-------- C:\Program Files\Viewpoint
2007-08-10 10:21 --------- d-------- C:\Program Files\AIM6
2007-08-10 10:21 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL OCP
2007-08-10 10:21 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
2007-08-10 10:19 --------- d-------- C:\Program Files\Common Files\AOL
2007-08-10 10:18 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL Downloads
2007-08-09 10:32 --------- d-------- C:\DOCUME~1\TARA&P~1\APPLIC~1\ArcSoft
2007-08-09 09:47 --------- d-------- C:\DOCUME~1\TARA&P~1\APPLIC~1\Leadertech
2007-08-09 09:42 --------- d-------- C:\Program Files\epson
2007-08-09 09:39 --------- d-------- C:\Program Files\ArcSoft
2007-07-31 18:13 380928 --a------ C:\WINDOWS\system32\BSTIEPrintCtl1.dll
2007-07-30 19:18 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-23 09:09 --------- d-------- C:\Program Files\Comodo
2007-07-22 19:23 --------- d-------- C:\DOCUME~1\TARA&P~1\APPLIC~1\AdobeUM
.

((((((((((((((((((((((((((((( snapshot_2007-09-22_ 85418.94 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 345,656 2006-07-11 16:41:36 C:\WINDOWS\Downloaded Program Files\ewidoOnlineScan.dll
----a-w 274,432 2007-09-23 16:06:56 C:\WINDOWS\system32\config\systemprofile\ntuser.dat
----atw 16,384 2007-09-23 13:51:40 C:\WINDOWS\TEMP\Perflib_Perfdata_574.dat
.
----a-w 274,432 2007-09-22 15:34:39 C:\WINDOWS\system32\config\systemprofile\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

Note empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WatchDog"="C:\Program Files\mobile PhoneTools\WatchDog.exe" [2007-09-07 18:42]
"EPSON Stylus CX5800F Series"="C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIALA.exe" [2005-05-09 22:00]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 03:06]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-09-07 18:42]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"P2kAutostart"="C:\Documents and Settings\Tara & Paul\My Documents\P2kCommanderV330\P2kAutostart.exe"
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-19 16:29]
"Aim6"=""
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 18:05]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_USERS.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-08-13 14:14:34]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
“{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}”= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R3 cwrwdm;SoundFusion™ WDM Driver;C:\WINDOWS\system32\DRIVERS\cwrwdm.sys
S3 AWINDIS5;AWINDIS5 Protocol Driver;??\C:\WINDOWS\system32\AWINDIS5.SYS
S3 PRISM_ICB;NETGEAR WG511 Wireless LAN Driver;C:\WINDOWS\system32\DRIVERS\WG511ICB.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-09-14 23:44:38 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
.

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-23 09:09:57
Windows 5.1.2600 Service Pack 2, v.2096 NTFS

scanning hidden processes …

scanning hidden autostart entries …

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
P2kAutostart = C:\Documents and Settings\Tara & Paul\My Documents\P2kCommanderV330\P2kAutostart.exe?0???

scanning hidden files …

scan completed successfully
hidden files: 0


.
Completion time: 2007-09-23 9:11:19
C:\ComboFix-quarantined-files.txt … 2007-09-23 09:11
C:\ComboFix2.txt … 2007-09-22 08:55
C:\ComboFix3.txt … 2007-08-15 12:09
.
— E O F —

Logfile of HijackThis v1.99.1
Scan saved at 9:12:59 AM, on 9/23/2007
Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\atievxx.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\HijackThis\hijacktryan.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://mirs.peoplepc.com/?offername=PeoplePC Security Plus&userName=wettgremlin_91&firstName=Paul&qs=FHJBFDPGOIDNEHCKGLPAMFEOHAHECKGJLJLGBLNIBMDACKJIIDMFELKDOIDHHMMFCIBGIPPPFFKGBGKMOHJIIFIGHFPJEGAGPNMHLFBKINPKMLBBAEEEJJKDJALCPBCP|MMCNNMBFDGNMCNOPADEEAAGOBAFDF
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM..\Run: [EPSON Stylus CX5800F Series] C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE /P27 "EPSON Stylus CX5800F Series" /O6 "USB001" /M "Stylus CX5800F"
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU..\Run: [P2kAutostart] C:\Documents and Settings\Tara & Paul\My Documents\P2kCommanderV330\P2kAutostart.exe
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://mirs.peoplepc.com/?offername=PeoplePC Security Plus&userName=wettgremlin_91&firstName=Paul&qs=FHJBFDPGOIDNEHCKGLPAMFEOHAHECKGJLJLGBLNIBMDACKJIIDMFELKDOIDHHMMFCIBGIPPPFFKGBGKMOHJIIFIGHFPJEGAGPNMHLFBKINPKMLBBAEEEJJKDJALCPBCP|MMCNNMBFDGNMCNOPADEEAAGOBAFDF
O15 - Trusted Zone: http://www.java.com
O15 - Trusted Zone: http://photos.walmart.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186780356336
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187926666522
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab?
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe