From Windows Explorer (not Internet Explorer) menu: Tools, Folder Options, Hidden files and folders, uncheck Hide extensions for known file types, etc. See images 1 & 2.
Thank you David… Basically it confirmed that the malware has killed that registry key. Yours looks good as the tag is 5 as well, so this should work.
OK, let's go for it.
Copy all of the quoted text to a Notepad file.
Then in the Notepad file select file type All Files.
Save the file as IPSEC.reg to your desktop.
Piccy below.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
"Tag"=dword:00000005
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,69,00,70,00,73,00,65,00,63,00,2e,\
  00,73,00,79,00,73,00,00,00
"DisplayName"="IPSEC driver"
"Group"="PNP_TDI"
"Description"="IPSEC driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
  00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec\Enum]
"0"="Root\\LEGACY_IPSEC\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
On the desktop will be the Rubik's cube type icon ;D
Double click that and reboot.
Then retry the net.
You’re welcome.
@ Donjuan
When you double click the newly created IPSEC.reg file, XP will throw up a pop-up 'Are you sure you want to add the information in <Location_To>ipsec.reg to the registry?' Answer Yes. See image example, click to expand.
Thank you guys so much, but I am running into an error… Cannot import. The specified folder is not a registry script. You can only import binary registry files within the registry editor.
And I am naming the file as you said to, and also changing to All Files.
But I might have imported the file the first time with a different name other than ipsec.reg; it was named avast.reg.
I’m not sure what is happening on your system when you are trying to save the created file.
It doesn't matter what the actual name of the file.reg was, as it is the contents of the file that create the specific registry key IPSEC and associated sub-keys. So first check the registry and see if the IPSEC key was created at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec (when you ran avast.reg).
If it isn't there, you can download this file (from my Dropbox account). I created it by exporting my XP Pro ipsec key from the registry, and that type of export I have used without problem in the past. Since it was created by the registry export, I would like to think that the registry import wouldn't baulk at it.
http://dl.dropbox.com/u/56425897/avast/ipsec.reg
Just right click on the URL above and select Save As or Save Link As (depending on your browser), save it somewhere that you can find it later, and double click it again to import it.
NOW I DID FIND THIS
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.ipsec]
"Type"=dword:00000001
"Start"=dword:00000003
"ImagePath"="\?"
Where did you find that?
Certainly not in the registry; it looks like the start of a .reg file's contents.
That is only the first 5 or so lines of a .reg file. Unfortunately that file is corrupt (not all present) and incorrect, as the registry key path is incorrect: there is a . (period) before the ipsec registry key name [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.ipsec] and the image path element is missing.
So if you ran this it would be incorrect and hopefully fail, not create an incorrect key, but because it had the . (period) before the ipsec it shouldn't really impact on anything.
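The IPSec .reg repair earlier in the thread and the corrupt ".ipsec" fragment dissected just above both come down to reading a .reg file carefully. The Python below is an added example, not a tool from any post here: it parses .reg text (joining the backslash-continued hex lines, decoding the UTF-16-LE hex(2) ImagePath, and recognising [-key] deletion entries), then flags the two failure modes the thread hit: a missing header, which regedit rejects as "not a registry script", and a service key whose name starts with a period or that has no usable ImagePath. Both sample files inside are constructed from the thread's contents (the Security subkey is omitted).

```python
"""Parse a Windows .reg export and sanity-check the service keys it defines."""
import re
from typing import Dict, List, Tuple

# Added example for this thread, not a tool from the posts.
HEADER_RE = re.compile(r"^(Windows Registry Editor Version 5\.00|REGEDIT4)$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')
SERVICES = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"

# Constructed sample: the IPSec key as posted in the thread (Security subkey omitted).
SAMPLE_GOOD = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
"Tag"=dword:00000005
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,69,00,70,00,73,00,65,00,63,00,2e,\
  00,73,00,79,00,73,00,00,00
"DisplayName"="IPSEC driver"
"Group"="PNP_TDI"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec\Enum]
"0"="Root\\LEGACY_IPSEC\\0000"
"Count"=dword:00000001
'''

# Constructed sample: the bogus ".ipsec" fragment from the thread, in valid .reg syntax.
SAMPLE_BAD = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.ipsec]
"Type"=dword:00000001
"Start"=dword:00000003
"ImagePath"="\\?"
'''


def decode_value(literal: str) -> object:
    """Turn one .reg value literal into a Python value."""
    if len(literal) >= 2 and literal[0] == '"' and literal[-1] == '"':
        return re.sub(r"\\(.)", r"\1", literal[1:-1])        # undo \\ and \" escapes
    if literal.startswith("dword:"):
        return int(literal[len("dword:"):], 16)
    m = re.match(r"^hex(?:\((\d+)\))?:(.*)$", literal)
    if m:
        reg_type = int(m.group(1) or 3)                        # bare "hex:" is REG_BINARY
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if reg_type in (2, 7):                                 # REG_EXPAND_SZ / REG_MULTI_SZ
            text = data.decode("utf-16-le", errors="replace")
            return [s for s in text.split("\x00") if s] if reg_type == 7 else text.rstrip("\x00")
        return data
    return literal                                             # unknown form: keep as text


def parse_reg(text: str) -> Tuple[str, Dict[str, Dict[str, object]], List[str]]:
    """Return (header, {key path: {value name: value}}, [key paths marked for deletion])."""
    lines = text.lstrip("\ufeff").splitlines()
    header = lines[0].strip() if lines else ""
    keys: Dict[str, Dict[str, object]] = {}
    deleted: List[str] = []
    current = None
    pending = ""                                   # accumulates backslash-continued lines
    for raw in lines[1:]:
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            if path.startswith("-"):              # [-key] means "delete this key on import"
                deleted.append(path[1:])
                current = None
            else:
                current = path
                keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            keys[current][name] = decode_value(m.group(3))
    return header, keys, deleted


def validate_reg(text: str) -> List[str]:
    """Findings: a bad header (regedit's 'not a registry script') or suspicious service keys."""
    header, keys, _ = parse_reg(text)
    if not HEADER_RE.match(header):
        return ["not a registry script: first line must be 'Windows Registry Editor Version 5.00'"]
    findings: List[str] = []
    for path, values in keys.items():
        if not path.lower().startswith(SERVICES.lower()):
            continue
        rel = path[len(SERVICES):]
        name = rel.split("\\")[0]
        if name.startswith("."):
            findings.append(f"service name {name!r} starts with a period: not the real IPSec service")
        if rel == name:                            # the service key itself, not Enum/Security below it
            image = values.get("ImagePath")
            if not isinstance(image, str) or not re.search(r"\.(sys|exe)$", image, re.I):
                findings.append(f"service {name!r} has no usable ImagePath (got {image!r})")
    return findings
```

Run validate_reg() over a .reg file's text before double clicking it; an empty list means the header is present and every service key it defines looks like a real driver entry.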
I imported the correct file to this, and it seems to have worked. I have started another post, it is "have error new farbar scan"; this shows the scan after fixing this registry.
Although you mentioned a problem with Farbar, it has completed and you should attach/copy and paste that log in here.
I have answered your other topic.
Note that the registry entry you posted is .ipsec; this is the malware entry, there is a dot prior to the ipsec. Could you confirm that… If so I will need to remove it.
Also merge the threads, so post the Farbar report here along with the problems that you now have.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.ipsec]
"Type"=dword:00000001
"Start"=dword:00000003
"ImagePath"="\?"

This is in my registry.
Yep, definitely a dot. Do you have the proper ipsec installed now?
What are the current problems?
Warning: this fix is only relevant for this system and no other; using it on another computer may cause problems.
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following:

:Reg
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.ipsec]
:Files
ipconfig /flushdns /c
:Commands
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

- Then click the Run Fix button at the top.
- Let the program run unhindered; reboot the PC when it is done.
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Re-run OTL with the following script in the custom scans box:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT /s
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBIOS /s

Then press the Quick Scan button.
Thank you for your help and patience. I do not know what OTL stands for; you have walked me through a few things but this is new to me, and I want to make sure everything is done right. And yes, I do have a proper ipsec in my registry also.
Ok, that was my deliberate error that you spotted :-[
You did not use OTL as we went direct to Farbar.
So ignore the bit about deleting the .ipsec for the moment; I will catch that next time round.
Download OTL to your Desktop
- Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
- Select All Users
- Under the Custom Scan box paste this in:

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
consrv.dll
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT /s
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBIOS /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
C:\Windows\assembly\tmp\U*.* /s
%Temp%\smtmp\1\*.*
%Temp%\smtmp\2\*.*
%Temp%\smtmp\3\*.*
%Temp%\smtmp\4\*.*
CREATERESTOREPOINT

- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Post both logs.
The files have too many characters to post. I have tried cutting them in half; I will try to cut them up smaller and make numerous posts.
OTL logfile created on: 11/01/2012 4:25:10 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\User\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy
2.00 Gb Total Physical Memory | 1.54 Gb Available Physical Memory | 77.00% Memory free
3.35 Gb Paging File | 3.09 Gb Available in Paging File | 92.15% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 234.37 Gb Total Space | 162.04 Gb Free Space | 69.14% Space Free | Partition Type: NTFS
Drive D: | 63.72 Gb Total Space | 60.00 Gb Free Space | 94.16% Space Free | Partition Type: NTFS
Drive E: | 3.73 Gb Total Space | 3.72 Gb Free Space | 99.86% Space Free | Partition Type: FAT32
Computer Name: USER-C8E3B92F32 | User Name: User | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========
PRC - [2012/01/11 16:21:00 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
PRC - [2011/11/28 13:01:24 | 003,744,552 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe
PRC - [2011/11/28 13:01:23 | 000,044,768 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe
PRC - [2011/07/28 18:08:12 | 001,259,376 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe
PRC - [2011/05/25 01:09:21 | 002,214,504 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/03/12 14:49:46 | 001,209,904 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
PRC - [2007/03/12 14:49:26 | 000,153,136 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
PRC - [2004/09/29 11:14:36 | 000,069,632 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe
========== Modules (No Company Name) ==========
MOD - [2012/01/08 13:57:50 | 001,666,048 | ---- | M] () -- C:\Program Files\AVAST Software\Avast\defs\12010801\algo.dll
MOD - [2011/11/01 23:26:32 | 000,087,912 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2011/11/01 23:26:12 | 001,242,472 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2011/07/28 18:09:42 | 000,096,112 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdateCheck.dll
MOD - [2011/07/28 18:08:12 | 001,259,376 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe
MOD - [2010/09/22 20:12:20 | 000,016,832 | ---- | M] () -- C:\Program Files\Adobe\Reader 9.0\Reader\ViewerPS.dll
========== Win32 Services (SafeList) ==========
SRV - [2011/11/28 13:01:23 | 000,044,768 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV - [2011/05/25 01:09:21 | 002,214,504 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe -- (nvUpdatusService)
SRV - [2004/09/29 11:14:36 | 000,069,632 | ---- | M] (HP) [Auto | Running] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)
========== Driver Services (SafeList) ==========
DRV - [2011/11/28 12:53:53 | 000,435,032 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2011/11/28 12:53:35 | 000,314,456 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2011/11/28 12:52:19 | 000,034,392 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2011/11/28 12:52:16 | 000,052,952 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2011/11/28 12:52:02 | 000,111,320 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2011/11/28 12:51:50 | 000,020,568 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2011/11/28 12:48:49 | 000,030,808 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2008/04/13 13:56:06 | 000,088,320 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkipx.sys -- (NwlnkIpx)
DRV - [2004/09/17 09:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)
DRV - [2004/08/23 14:49:30 | 000,121,472 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2004/08/04 07:00:00 | 000,063,232 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnknb.sys -- (NwlnkNb)
DRV - [2004/08/04 07:00:00 | 000,055,936 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkspx.sys -- (NwlnkSpx)
DRV - [2004/05/25 23:19:00 | 000,729,600 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://yeppo.net
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =
IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1844237615-1220945662-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar =
IE - HKU\S-1-5-21-1844237615-1220945662-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
IE - HKU\S-1-5-21-1844237615-1220945662-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-1844237615-1220945662-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://ca.msn.com/?lang=en-ca&OCID=iehp
IE - HKU\S-1-5-21-1844237615-1220945662-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-ca
IE - HKU\S-1-5-21-1844237615-1220945662-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = C4 CE 88 95 13 04 CC 01 [binary data]
IE - HKU\S-1-5-21-1844237615-1220945662-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1844237615-1220945662-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
========== FireFox ==========
FF - prefs.js..browser.search.defaultenginename: "AVG Secure Search"
FF - prefs.js..browser.search.selectedEngine: "AVG Secure Search"
FF - prefs.js..browser.startup.homepage: "http://go.microsoft.com/fwlink/?LinkId=69157"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:9.0.0.872
FF - prefs.js..extensions.enabledItems: avg@igeared:6.010.006.004
FF - prefs.js..keyword.URL: "http://search.avg.com/route/?d=4c337dbf&v=6.010.006.004&i=23&tp=ab&iy=&ychte=ca&lng=en-US&q="
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Player Plugin,version=1.0.0: C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll File not found
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\wrc@avast.com: C:\Program Files\AVAST Software\Avast\WebRep\FF [2012/01/09 14:08:54 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\{23fcfd51-4958-4f00-80a3-ae97e717ed8b}: C:\Program Files\DivX\DivX Plus Web Player\firefox\DivXHTML5 [2011/12/31 05:46:52 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\Components: C:\Program Files\Mozilla Firefox\components [2012/01/08 09:08:10 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/12/31 05:46:48 | 000,000,000 | ---D | M]
[2010/06/11 23:03:53 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\User\Application Data\Mozilla\Extensions
[2011/01/01 10:21:35 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\ry1tmoda.default\extensions
[2010/10/18 22:49:17 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\ry1tmoda.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2012/01/05 16:25:52 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/01/05 16:25:53 | 000,000,000 | ---D | M] (Skype Click to Call) -- C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
[2012/01/08 09:08:09 | 000,121,816 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/05/04 03:52:23 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2011/10/03 12:28:38 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011/11/09 23:47:11 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml
Hosts file not found
O2 - BHO: (DivX Plus Web Player HTML5
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{BBCE1838-7E3A-41CB-8F01-F483783E704F}: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (nwprovau) - C:\WINDOWS\System32\nwprovau.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/12/23 12:53:37 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..\comfile [open] -- "%1" %*
O35 - HKLM\..\exefile [open] -- "%1" %*
O37 - HKLM\..\.com [@ = comfile] -- "%1" %*
O37 - HKLM\..\.exe [@ = exefile] -- "%1" %*
NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found
CREATERESTOREPOINT
Restore point Set: OTL Restore Point
========== Files/Folders - Created Within 30 Days ==========
[2012/01/11 16:24:10 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
[2012/01/09 14:08:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\avast! Free Antivirus
[2012/01/09 03:07:46 | 000,386,560 | ---- | C] (Корпорация Майкрософт) -- C:\Documents and Settings\User\Local Settings\Application Data\trm.exe
[2012/01/09 03:07:46 | 000,386,560 | ---- | C] (Корпорация Майкрософт) -- C:\Documents and Settings\User\Local Settings\Application Data\tni.exe
[2012/01/05 16:25:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Skype
[2012/01/05 16:25:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Skype
[2012/01/05 16:25:21 | 000,000,000 | R--D | C] -- C:\Program Files\Skype
[2012/01/05 16:25:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Skype
[2011/12/31 05:47:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\DDMSettings
[2011/12/13 04:05:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Apple Computer
[2011/12/13 04:05:17 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\DRVSTORE
[2011/12/13 04:04:52 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\Documents and Settings\User\Application Data\*.tmp files -> C:\Documents and Settings\User\Application Data\*.tmp -> ]
========== Files - Modified Within 30 Days ==========
[2012/01/11 16:21:00 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
[2012/01/11 16:14:40 | 000,002,510 | ---- | M] () -- C:\Documents and Settings\User\Desktop\1234.reg
[2012/01/11 15:54:41 | 000,000,344 | ---- | M] () -- C:\Documents and Settings\User\Desktop\essex.reg
[2012/01/11 13:47:31 | 000,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/01/11 13:46:35 | 000,000,276 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-1844237615-1220945662-682003330-1003.job
[2012/01/11 13:44:45 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/01/11 13:43:52 | 000,001,789 | ---- | M] () -- C:\WINDOWS\System32\AUTOEXEC.NT
[2012/01/11 09:33:03 | 000,002,510 | ---- | M] () -- C:\Documents and Settings\User\Desktop\ipsec.reg
[2012/01/11 02:42:26 | 000,000,420 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{3C0DEF3D-1109-4E6A-A629-2253C647F1FE}.job
[2012/01/11 02:27:01 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2012/01/11 00:32:41 | 000,000,947 | ---- | M] () -- C:\Documents and Settings\User\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
[2012/01/09 14:02:25 | 000,001,689 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2012/01/09 14:02:24 | 000,002,625 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2012/01/09 03:07:46 | 000,386,560 | ---- | M] (Корпорация Майкрософт) -- C:\Documents and Settings\User\Local Settings\Application Data\trm.exe
[2012/01/09 03:07:46 | 000,386,560 | ---- | M] (Корпорация Майкрософт) -- C:\Documents and Settings\User\Local Settings\Application Data\tni.exe
[2012/01/08 21:19:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-1844237615-1220945662-682003330-1003.job
[2012/01/08 17:15:09 | 000,000,751 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\World of Warcraft.lnk
[2012/01/08 12:35:25 | 000,002,265 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2012/01/05 21:33:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/12/19 23:37:10 | 000,034,421 | ---- | M] () -- C:\Documents and Settings\User\My Documents\bad santa 4.jpg
[2011/12/19 23:36:10 | 000,067,364 | ---- | M] () -- C:\Documents and Settings\User\My Documents\bad sant3.jpg
[2011/12/19 23:35:42 | 000,056,890 | ---- | M] () -- C:\Documents and Settings\User\My Documents\bad snta2.jpg
[2011/12/19 23:35:12 | 000,036,814 | ---- | M] () -- C:\Documents and Settings\User\My Documents\bad santa.jpg
[2011/12/16 03:24:30 | 000,297,256 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/12/16 03:07:41 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\Documents and Settings\User\Application Data\*.tmp files -> C:\Documents and Settings\User\Application Data\*.tmp -> ]
========== Files Created - No Company Name ==========
[2012/01/11 16:14:40 | 000,002,510 | ---- | C] () -- C:\Documents and Settings\User\Desktop\1234.reg
[2012/01/11 15:54:41 | 000,000,344 | ---- | C] () -- C:\Documents and Settings\User\Desktop\essex.reg
[2012/01/11 09:04:18 | 000,002,510 | ---- | C] () -- C:\Documents and Settings\User\Desktop\ipsec.reg
[2012/01/11 00:32:41 | 000,000,947 | ---- | C] () -- C:\Documents and Settings\User\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
[2012/01/09 09:38:51 | 000,001,689 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2012/01/05 16:25:28 | 000,002,265 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2011/12/19 23:37:10 | 000,034,421 | ---- | C] () -- C:\Documents and Settings\User\My Documents\bad santa 4.jpg
[2011/12/19 23:36:10 | 000,067,364 | ---- | C] () -- C:\Documents and Settings\User\My Documents\bad sant3.jpg
[2011/12/19 23:35:42 | 000,056,890 | ---- | C] () -- C:\Documents and Settings\User\My Documents\bad snta2.jpg
[2011/12/19 23:35:10 | 000,036,814 | ---- | C] () -- C:\Documents and Settings\User\My Documents\bad santa.jpg
[2011/12/17 01:52:11 | 000,000,284 | ---- | C] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/07/21 18:22:37 | 002,123,582 | ---- | C] () -- C:\WINDOWS\System32\nvdata.data
[2011/04/27 22:14:56 | 000,000,151 | ---- | C] () -- C:\WINDOWS\PhotoSnapViewer.INI
[2011/01/01 03:35:42 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\prvlcl.dat
[2010/12/27 15:43:04 | 000,002,057 | ---- | C] () -- C:\Program Files\svchost.dat
[2010/09/21 14:32:13 | 000,068,294 | ---- | C] () -- C:\WINDOWS\hpoins05.dat.temp
[2010/09/21 14:32:12 | 000,019,696 | ---- | C] () -- C:\WINDOWS\hpomdl05.dat.temp
[2010/08/28 15:53:31 | 000,010,240 | ---- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/07/18 17:26:37 | 000,000,719 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2010/07/15 13:09:29 | 000,273,344 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb0.bin
[2010/07/15 13:09:27 | 000,273,344 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb1.bin
[2010/07/15 13:09:27 | 000,000,001 | ---- | C] () -- C:\WINDOWS\System32\nvdrssel.bin
[2010/06/11 23:03:46 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/06/05 21:33:26 | 000,002,508 | ---- | C] () -- C:\Documents and Settings\User\Application Data\$_hpcst$.hpc
[2010/06/03 12:34:11 | 000,000,262 | ---- | C] () -- C:\WINDOWS\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2010/06/02 13:05:09 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2010/06/01 16:07:34 | 000,473,704 | ---- | C] () -- C:\WINDOWS\nvShell.dll
[2009/12/23 14:15:20 | 000,516,096 | ---- | C] () -- C:\WINDOWS\System32\ati2sgag.exe
[2009/12/23 13:36:59 | 000,397,312 | ---- | C] () -- C:\WINDOWS\System32\ati2evxx.exe
[2009/12/23 13:36:59 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\ati2evxx.dll
[2009/12/23 12:55:39 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2009/12/23 12:50:57 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2009/12/23 07:25:13 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/12/23 07:24:11 | 000,297,256 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/08/04 07:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/08/04 07:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/04 07:00:00 | 000,520,888 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/04 07:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/04 07:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/04 07:00:00 | 000,094,390 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/04 07:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/04 07:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/04 07:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/04 07:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/04 07:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/04 07:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
========== LOP Check ==========
[2012/01/09 14:08:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVAST Software
[2011/10/26 06:34:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CCP
[2011/03/15 07:01:25 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2011/11/29 13:17:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PMB Files
[2010/12/17 18:35:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Virtualized Applications
[2010/10/29 19:32:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\VirtualizedApplications
[2011/04/20 08:12:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\.minecraft
[2011/12/31 05:47:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\DDMSettings
[2011/06/13 15:10:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\EVEMon
[2011/02/18 09:36:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\OpenOffice.org
[2011/02/18 08:48:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\SoftGrid Client
[2011/02/18 08:43:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\TP
[2012/01/11 02:27:01 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job
[2012/01/11 02:42:26 | 000,000,420 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{3C0DEF3D-1109-4E6A-A629-2253C647F1FE}.job
========== Purity Check ==========
========== Custom Scans ==========
< %SYSTEMDRIVE%*.exe >
< MD5 for: EXPLORER.EXE >
[2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 – C:\WINDOWS\explorer.exe
[2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 – C:\WINDOWS\ServicePackFiles\i386\explorer.exe
[2004/08/04 07:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 – C:\WINDOWS$NtServicePackUninstall$\explorer.exe
< MD5 for: SVCHOST.EXE >
[2008/04/13 19:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 – C:\WINDOWS\ServicePackFiles\i386\svchost.exe
[2008/04/13 19:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 – C:\WINDOWS\system32\svchost.exe
[2004/08/04 07:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 – C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
< MD5 for: USERINIT.EXE >
[2004/08/04 07:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF – C:\WINDOWS\$NtServicePackUninstall$\userinit.exe
[2008/04/13 19:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 – C:\WINDOWS\ServicePackFiles\i386\userinit.exe
[2008/04/13 19:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 – C:\WINDOWS\system32\userinit.exe
< MD5 for: WINLOGON.EXE >
[2004/08/04 07:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE – C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
[2008/04/13 19:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E – C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
[2008/04/13 19:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E – C:\WINDOWS\system32\winlogon.exe
< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT /s >
< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBIOS /s >
"Type" = 2
"Start" = 1
"ErrorControl" = 1
"Tag" = 1
"ImagePath" = system32\DRIVERS\netbios.sys – [2008/04/13 13:56:02 | 000,034,688 | ---- | M] (Microsoft Corporation)
"DisplayName" = NetBIOS Interface
"Group" = NetBIOSGroup
"Description" = NetBIOS Interface
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBIOS\Linkage]
"LanaMap" = 01 03 01 00 00 01 00 02 [binary data]
"Bind" = [Binary data over 100 bytes]
"Route" = [Binary data over 100 bytes]
"Export" = [Binary data over 100 bytes]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBIOS\Parameters]
"MaxLana" = 3
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBIOS\Parameters\Winsock]
"HelperDllName" = %SystemRoot%\System32\wshnetbs.dll – [2004/08/04 07:00:00 | 000,007,168 | ---- | M] (Microsoft Corporation)
"MaxSockAddrLength" = 20
"MinSockAddrLength" = 20
"Mapping" = 02 00 00 00 03 00 00 00 11 00 00 00 05 00 00 00 00 00 00 00 11 00 00 00 02 00 00 00 00 00 00 00 [binary data]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBIOS\Security]
"Security" = [Binary data over 100 bytes]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBIOS\Enum]
"0" = Root\LEGACY_NETBIOS\0000
"Count" = 1
"NextInstance" = 1
< hklm\software\clients\startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\HideIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2012/01/08 09:08:00 | 000,715,216 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\ShowIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2012/01/08 09:08:00 | 000,715,216 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\ReinstallCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2012/01/08 09:08:00 | 000,715,216 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\: C:\Program Files\Mozilla Firefox\firefox.exe [2012/01/08 09:08:08 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\: "C:\Program Files\Mozilla Firefox\firefox.exe" -preferences [2012/01/08 09:08:08 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\: "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode [2012/01/08 09:08:08 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\ReinstallCommand: "C:\WINDOWS\system32\ie4uinit.exe" -reinstall [2011/11/04 06:24:17 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\HideIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -hide [2011/11/04 06:24:17 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\ShowIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -show [2011/11/04 06:24:17 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\: C:\Program Files\Internet Explorer\iexplore.exe [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)
< hklm\software\clients\startmenuinternet|command /64 /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\HideIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2012/01/08 09:08:00 | 000,715,216 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\ShowIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2012/01/08 09:08:00 | 000,715,216 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\ReinstallCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2012/01/08 09:08:00 | 000,715,216 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\: C:\Program Files\Mozilla Firefox\firefox.exe [2012/01/08 09:08:08 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\: "C:\Program Files\Mozilla Firefox\firefox.exe" -preferences [2012/01/08 09:08:08 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\: "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode [2012/01/08 09:08:08 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\ReinstallCommand: "C:\WINDOWS\system32\ie4uinit.exe" -reinstall [2011/11/04 06:24:17 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\HideIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -hide [2011/11/04 06:24:17 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\ShowIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -show [2011/11/04 06:24:17 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\: C:\Program Files\Internet Explorer\iexplore.exe [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)
< C:\Windows\assembly\tmp\U*.* /s >
< %Temp%\smtmp\1*.* >
< %Temp%\smtmp\2*.* >
< %Temp%\smtmp\3*.* >
< %Temp%\smtmp\4*.* >
========== Alternate Data Streams ==========
@Alternate Data Stream - 88 bytes -> C:\Documents and Settings\User\Desktop\101114074200.3g2:SummaryInformation
< End of report >