Part four:

SynTPEnh → %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe → Synaptics, Inc. [Ver = 7.5.11 30May03 | Size = 614400 bytes | Modified Date = 5/30/2003 10:23:14 PM | Attr = ]
SynTPLpr → %ProgramFiles%\Synaptics\SynTP\SynTPLpr.exe → Synaptics, Inc. [Ver = 7.5.11 30May03 | Size = 110592 bytes | Modified Date = 5/30/2003 10:25:02 PM | Attr = ]
TFncKy → TFncKy.exe → File not found
TFNF5 → %SystemRoot%\system32\TFNF5.exe → TOSHIBA Corp. [Ver = 2, 2, 0, 0 | Size = 73728 bytes | Modified Date = 7/18/2003 8:41:26 PM | Attr = ]
TouchED → %ProgramFiles%\Toshiba\TouchED\TouchED.exe → TOSHIBA Corporation [Ver = 2, 5, 0, 0 | Size = 126976 bytes | Modified Date = 1/21/2003 9:00:06 PM | Attr = ]
TPSMain → %SystemRoot%\system32\TPSMain.exe → TOSHIBA Corporation [Ver = 1, 0, 1, 1 | Size = 278528 bytes | Modified Date = 9/25/2003 1:19:40 PM | Attr = ]
< OptionalComponents [HKEY_LOCAL_MACHINE] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ →
IMAIL-> Installed = 1 →
MAPI-> Installed = 1 →
MSFS-> Installed = 1 →
< Run [HKEY_CURRENT_USER] > → HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run →
SpySweeper → %ProgramFiles%\Webroot\Spy Sweeper\SpySweeper.exe → File not found
SUPERAntiSpyware → %ProgramFiles%\SUPERAntiSpyware\SUPERAntiSpyware.exe → SUPERAntiSpyware.com [Ver = 3, 9, 0, 1008 | Size = 1318912 bytes | Modified Date = 6/21/2007 2:06:28 PM | Attr = ]
swg → %ProgramFiles%\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe → File not found
TOSCDSPD → %ProgramFiles%\Toshiba\TOSCDSPD\TOSCDSPD.exe → TOSHIBA [Ver = 1, 0, 5, 0 | Size = 65536 bytes | Modified Date = 9/5/2003 6:24:46 AM | Attr = ]
< Run [HKEY_USERS\S-1-5-21-142928211-1550766908-524529910-1006] > → HKEY_USERS\S-1-5-21-142928211-1550766908-524529910-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Run →
SpySweeper → %ProgramFiles%\Webroot\Spy Sweeper\SpySweeper.exe → File not found
SUPERAntiSpyware → %ProgramFiles%\SUPERAntiSpyware\SUPERAntiSpyware.exe → SUPERAntiSpyware.com [Ver = 3, 9, 0, 1008 | Size = 1318912 bytes | Modified Date = 6/21/2007 2:06:28 PM | Attr = ]
swg → %ProgramFiles%\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe → File not found
TOSCDSPD → %ProgramFiles%\Toshiba\TOSCDSPD\TOSCDSPD.exe → TOSHIBA [Ver = 1, 0, 5, 0 | Size = 65536 bytes | Modified Date = 9/5/2003 6:24:46 AM | Attr = ]

< All Users Startup Folder > → C:\Documents and Settings\All Users\Start Menu\Programs\Startup →
%AllUsersProfile%\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk → %CommonProgramFiles%\Adobe\Calibration\Adobe Gamma Loader.exe → Adobe Systems, Inc. [Ver = 1, 0, 0, 1 | Size = 98304 bytes | Modified Date = 5/19/2000 12:03:18 AM | Attr = ]
%AllUsersProfile%\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk → %ProgramFiles%\Adobe\Acrobat 7.0\Reader\reader_sl.exe → Adobe Systems Incorporated [Ver = 7.0.0.0 | Size = 29696 bytes | Modified Date = 12/14/2004 4:44:06 AM | Attr = ]
→ %AllUsersProfile%\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk → File not found
%AllUsersProfile%\Start Menu\Programs\Startup\j2 DllCmd 4.0.lnk → %ProgramFiles%\j2 Messenger 4.0\J2GDllCmd.exe → j2 Global Communications, Inc. [Ver = 4.0.134.0 | Size = 107008 bytes | Modified Date = 6/23/2005 5:51:58 PM | Attr = ]
%AllUsersProfile%\Start Menu\Programs\Startup\j2 Live Menu 3.2.lnk → %ProgramFiles%\j2 Messenger 3.2\J2GDllCmd.exe → j2 Global Communications, Inc. [Ver = 3.2.0.3 | Size = 17408 bytes | Modified Date = 6/10/2004 1:39:44 PM | Attr = ]
%AllUsersProfile%\Start Menu\Programs\Startup\j2 Tray Menu 3.2.lnk → %ProgramFiles%\j2 Messenger 3.2\J2GTray.exe → j2 Global Communications, Inc. [Ver = 3.2.0.3 | Size = 39936 bytes | Modified Date = 6/10/2004 1:38:26 PM | Attr = ]
%AllUsersProfile%\Start Menu\Programs\Startup\j2 Tray Menu 4.0.lnk → %ProgramFiles%\j2 Messenger 4.0\J2GTray.exe → j2 Global Communications, Inc. [Ver = 4.0.134.0 | Size = 500224 bytes | Modified Date = 6/23/2005 5:53:42 PM | Attr = ]
%AllUsersProfile%\Start Menu\Programs\Startup\RAMASST.lnk → %SystemRoot%\system32\RAMASST.exe → Matsushita Electric Industrial Co., Ltd. [Ver = 1, 0, 9, 0 | Size = 155648 bytes | Modified Date = 3/14/2003 2:38:12 PM | Attr = ]
< Carrie Startup Folder > → C:\Documents and Settings\Carrie\Start Menu\Programs\Startup →
%UserProfile%\Start Menu\Programs\Startup\RABCO - Auto Update.lnk → %ProgramFiles%\RABCO\RABCOse.exe → Rabio [Ver = 1, 0, 0, 26 | Size = 183216 bytes | Modified Date = 1/30/2008 4:19:42 PM | Attr = ]
< Default User Startup Folder > → C:\Documents and Settings\Default User\Start Menu\Programs\Startup →

< ICQ Agent [HKEY_CURRENT_USER] > → HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\ →
HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\ → ->
< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks →
{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} [HKEY_LOCAL_MACHINE] → %ProgramFiles%\SUPERAntiSpyware\SASSEH.DLL SuperAdBlocker.com [Ver = 1, 0, 0, 1008 | Size = 77824 bytes | Modified Date = 12/20/2006 1:55:48 PM | Attr = ]
< SecurityProviders [HKEY_LOCAL_MACHINE] > → HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders →
< Winlogon settings [HKEY_LOCAL_MACHINE] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon →
< Winlogon settings [HKEY_CURRENT_USER] > → HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon →
< Winlogon settings [HKEY_USERS.DEFAULT] > → HKEY_USERS.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon →
< Winlogon settings [HKEY_USERS\S-1-5-18] > → HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon →
< Winlogon settings [HKEY_USERS\S-1-5-19] > → HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon →
< Winlogon settings [HKEY_USERS\S-1-5-20] > → HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon →
< Winlogon settings [HKEY_USERS\S-1-5-21-142928211-1550766908-524529910-1006] > → HKEY_USERS\S-1-5-21-142928211-1550766908-524529910-1006\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon →
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ →
!SASWinLogon → %ProgramFiles%\SUPERAntiSpyware\SASWINLO.dll → SUPERAntiSpyware.com [Ver = 1, 0, 0, 1046 | Size = 294912 bytes | Modified Date = 4/19/2007 1:41:36 PM | Attr = ]
Sebring → %SystemRoot%\system32\LgNotify.dll → Intel Corporation [Ver = 8, 0, 0, 161 | Size = 110592 bytes | Modified Date = 12/16/2003 6:49:34 PM | Attr = ]
< CurrentVersion Policy Settings [HKEY_LOCAL_MACHINE] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ → ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ → ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ → ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveAutoRun → 67108863 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveTypeAutoRun → 255 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ → ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ → ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} → 1 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} → 1073741857 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{0DF44EAA-FF21-4412-828E-260A8728E7F1} → 32 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ → ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\dontdisplaylastusername → 0 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\legalnoticecaption → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\legalnoticetext → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\shutdownwithoutlogon → 1 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\undockwithoutlogon → 1 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ → ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WindowsUpdate\ → ->
< CurrentVersion Policy Settings [HKEY_CURRENT_USER] > → HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ →
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ → ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ → ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\ → ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ → ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveTypeAutoRun → 145 →
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ → ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ → ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ → ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WindowsUpdate\ → ->
< CurrentVersion Policy Settings [HKEY_USERS.DEFAULT] > → HKEY_USERS.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ →
HKEY_USERS.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ → ->
HKEY_USERS.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ → ->
HKEY_USERS.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\ → ->
HKEY_USERS.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ → ->
HKEY_USERS.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveTypeAutoRun → 145 →
HKEY_USERS.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\ → ->
HKEY_USERS.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ → ->
HKEY_USERS.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ → ->
HKEY_USERS.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WindowsUpdate\ → ->

< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-18] > → HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ →
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ → ->
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ → ->
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\ → ->
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ → ->
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveTypeAutoRun → 145 →
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\ → ->
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ → ->
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ → ->
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WindowsUpdate\ → ->
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-19] > → HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ →
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ → ->
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ → ->
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveTypeAutoRun → 145 →
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-20] > → HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ →
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ → ->
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ → ->
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveTypeAutoRun → 145 →
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-21-142928211-1550766908-524529910-1006] > → HKEY_USERS\S-1-5-21-142928211-1550766908-524529910-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ →
HKEY_USERS\S-1-5-21-142928211-1550766908-524529910-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ → ->
HKEY_USERS\S-1-5-21-142928211-1550766908-524529910-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ → ->
HKEY_USERS\S-1-5-21-142928211-1550766908-524529910-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\ → ->
HKEY_USERS\S-1-5-21-142928211-1550766908-524529910-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ → ->
HKEY_USERS\S-1-5-21-142928211-1550766908-524529910-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveTypeAutoRun → 145 →
HKEY_USERS\S-1-5-21-142928211-1550766908-524529910-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ → ->
HKEY_USERS\S-1-5-21-142928211-1550766908-524529910-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ → ->
HKEY_USERS\S-1-5-21-142928211-1550766908-524529910-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ → ->
HKEY_USERS\S-1-5-21-142928211-1550766908-524529910-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WindowsUpdate\ → ->

< HOSTS File > (27 bytes) → C:\WINDOWS\System32\drivers\etc\Hosts →
< Internet Explorer Settings [HKEY_LOCAL_MACHINE] > → ->
HKEY_LOCAL_MACHINE: Main\Default_Page_URL → http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE: Main\Default_Search_URL → http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE: Main\Local Page → %SystemRoot%\system32\blank.htm →
HKEY_LOCAL_MACHINE: Main\Search Page → http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE: Main\Start Page → http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE: Search\CustomizeSearch → http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
HKEY_LOCAL_MACHINE: Search\Default_Search_URL → http://www.google.com/ie
HKEY_LOCAL_MACHINE: Search\SearchAssistant → http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
< Internet Explorer Settings [HKEY_CURRENT_USER] > → ->
HKEY_CURRENT_USER: Main\Local Page → C:\WINDOWS\system32\blank.htm →
HKEY_CURRENT_USER: Main\Search Page → http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER: Main\Start Page → http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKEY_CURRENT_USER: Search\SearchAssistant → http://www.google.com/ie
HKEY_CURRENT_USER: SearchURL\ → http://www.google.com/search?q=%s[Reg Error: Value provider does not exist or could not be read.] →
HKEY_CURRENT_USER: URLSearchHooks\{37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} [HKEY_LOCAL_MACHINE] → %ProgramFiles%\JUSearch\SearchEnh1.dll [URLSearchHook Class] → United Online, Inc. [Ver = 2.1.03 | Size = 102472 bytes | Modified Date = 11/9/2004 3:36:29 AM | Attr = ]
HKEY_CURRENT_USER: ProxyEnable → 0 →
HKEY_CURRENT_USER: ProxyOverride → →
< Internet Explorer Settings [HKEY_USERS.DEFAULT] > → ->
HKEY_USERS.DEFAULT: Main\Search Page → http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_USERS.DEFAULT: Main\Start Page → http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKEY_USERS.DEFAULT: ProxyEnable → 0 →
< Internet Explorer Settings [HKEY_USERS\S-1-5-18] > → ->
HKEY_USERS\S-1-5-18: Main\Search Page → http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_USERS\S-1-5-18: Main\Start Page → http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKEY_USERS\S-1-5-18: ProxyEnable → 0 →
< Internet Explorer Settings [HKEY_USERS\S-1-5-19] > → ->
HKEY_USERS\S-1-5-19: Main\Search Bar → http://www.toshiba.com/search
HKEY_USERS\S-1-5-19: Main\Start Page → http://www.toshiba.com
HKEY_USERS\S-1-5-19: ProxyEnable → 0 →
< Internet Explorer Settings [HKEY_USERS\S-1-5-20] > → ->
HKEY_USERS\S-1-5-20: Main\Search Bar → http://www.toshiba.com/search
HKEY_USERS\S-1-5-20: Main\Start Page → http://www.toshiba.com
HKEY_USERS\S-1-5-20: ProxyEnable → 0 →
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-142928211-1550766908-524529910-1006] > → ->
HKEY_USERS\S-1-5-21-142928211-1550766908-524529910-1006: Main\Local Page → C:\WINDOWS\system32\blank.htm →
HKEY_USERS\S-1-5-21-142928211-1550766908-524529910-1006: Main\Search Page → http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_USERS\S-1-5-21-142928211-1550766908-524529910-1006: Main\Start Page → http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKEY_USERS\S-1-5-21-142928211-1550766908-524529910-1006: Search\SearchAssistant → http://www.google.com/ie
HKEY_USERS\S-1-5-21-142928211-1550766908-524529910-1006: SearchURL\ → http://www.google.com/search?q=%s[Reg Error: Value provider does not exist or could not be read.] →
HKEY_USERS\S-1-5-21-142928211-1550766908-524529910-1006: URLSearchHooks\{37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} [HKEY_LOCAL_MACHINE] → %ProgramFiles%\JUSearch\SearchEnh1.dll [URLSearchHook Class] → United Online, Inc. [Ver = 2.1.03 | Size = 102472 bytes | Modified Date = 11/9/2004 3:36:29 AM | Attr = ]
HKEY_USERS\S-1-5-21-142928211-1550766908-524529910-1006: ProxyEnable → 0 →
HKEY_USERS\S-1-5-21-142928211-1550766908-524529910-1006: ProxyOverride → →
< Trusted Sites Domains [HKEY_LOCAL_MACHINE] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ → [Key] 1 domain(s) found. →
1 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ → [Key] 0 range(s) found. →
< Trusted Sites Domains [HKEY_CURRENT_USER] > → HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ →
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ → [Key] 5607 domain(s) found. →
.[msn] → My Computer →
126 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_CURRENT_USER] > → HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ →
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ → [Key] 57 range(s) found. →
< Trusted Sites Domains [HKEY_USERS.DEFAULT] > → HKEY_USERS.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ →
HKEY_USERS.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ → [Key] 3524 domain(s) found. →
131 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_USERS.DEFAULT] > → HKEY_USERS.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ →
HKEY_USERS.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ → [Key] 77 range(s) found. →
< Trusted Sites Domains [HKEY_USERS\S-1-5-18] > → HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ →
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ → [Key] 3524 domain(s) found. →
131 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_USERS\S-1-5-18] > → HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ →
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ → [Key] 77 range(s) found. →
< Trusted Sites Domains [HKEY_USERS\S-1-5-19] > → HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ →
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ → [Key] 3525 domain(s) found. →
131 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_USERS\S-1-5-19] > → HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ →
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ → [Key] 77 range(s) found. →
< Trusted Sites Domains [HKEY_USERS\S-1-5-20] > → HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ →
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ → [Key] 3525 domain(s) found. →
131 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_USERS\S-1-5-20] > → HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ →
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ → [Key] 77 range(s) found. →
< Trusted Sites Domains [HKEY_USERS\S-1-5-21-142928211-1550766908-524529910-1006] > → HKEY_USERS\S-1-5-21-142928211-1550766908-524529910-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ →
HKEY_USERS\S-1-5-21-142928211-1550766908-524529910-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ → [Key] 5607 domain(s) found. →
.[msn] → My Computer →
126 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_USERS\S-1-5-21-142928211-1550766908-524529910-1006] > → HKEY_USERS\S-1-5-21-142928211-1550766908-524529910-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ →
HKEY_USERS\S-1-5-21-142928211-1550766908-524529910-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ → [Key] 57 range(s) found. →
< BHO’s [HKEY_LOCAL_MACHINE] > → HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ →
{02478D38-C3F9-4efb-9B51-7695ECA05670} [HKEY_LOCAL_MACHINE] → %ProgramFiles%\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll [Yahoo! Companion BHO] → Yahoo! Inc. [Ver = 2004, 9, 28, 1 | Size = 292947 bytes | Modified Date = 9/29/2004 11:02:16 AM | Attr = ]
{1C2E5D27-A17C-4D89-85DD-3553C189380D} [HKEY_LOCAL_MACHINE] → %ProgramFiles%\RABCO\RABCO.dll [Search Enhancer Class] → Rabio [Ver = 1, 0, 0, 26 | Size = 414992 bytes | Modified Date = 1/30/2008 2:02:22 PM | Attr = ]
{53707962-6F74-2D53-2644-206D7942484F} [HKEY_LOCAL_MACHINE] → %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll → Safer Networking Limited [Ver = 1, 4, 0, 0 | Size = 853672 bytes | Modified Date = 5/31/2005 12:04:00 AM | Attr = ]
{601ED020-FB6C-11D3-87D8-0050DA59922B} [HKEY_LOCAL_MACHINE] → %ProgramFiles%\Ipswitch\WS_FTP Home\wsbho2k0.dll [WsftpBrowserHelper Class] → Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington, MA 02421 [Ver = 9,0,1,0 | Size = 118839 bytes | Modified Date = 8/16/2004 1:51:22 PM | Attr = ]
< Internet Explorer Bars [HKEY_CURRENT_USER] > → HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ →
{32683183-48a0-441b-a342-7c2a440a9478} [HKEY_LOCAL_MACHINE] → Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] → File not found
< Internet Explorer Bars [HKEY_USERS.DEFAULT] > → HKEY_USERS.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ →
{32683183-48a0-441b-a342-7c2a440a9478} [HKEY_LOCAL_MACHINE] → Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] → File not found
< Internet Explorer Bars [HKEY_USERS\S-1-5-18] > → HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ →
{32683183-48a0-441b-a342-7c2a440a9478} [HKEY_LOCAL_MACHINE] → Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] → File not found
< Internet Explorer Bars [HKEY_USERS\S-1-5-19] > → HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ →
{32683183-48a0-441b-a342-7c2a440a9478} [HKEY_LOCAL_MACHINE] → Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] → File not found
< Internet Explorer Bars [HKEY_USERS\S-1-5-20] > → HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ →
{32683183-48a0-441b-a342-7c2a440a9478} [HKEY_LOCAL_MACHINE] → Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] → File not found
< Internet Explorer Bars [HKEY_USERS\S-1-5-21-142928211-1550766908-524529910-1006] > → HKEY_USERS\S-1-5-21-142928211-1550766908-524529910-1006\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ →
{32683183-48a0-441b-a342-7c2a440a9478} [HKEY_LOCAL_MACHINE] → Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] → File not found
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar →
{5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4} [HKEY_LOCAL_MACHINE] → %ProgramFiles%\Juno\Toolbar.dll [JunoBar] → [Ver = 2, 0, 0, 1 | Size = 292336 bytes | Modified Date = 10/7/2005 1:41:09 AM | Attr = ]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKEY_LOCAL_MACHINE] → %ProgramFiles%\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll [Yahoo! Companion] → Yahoo! Inc. [Ver = 2004, 9, 28, 1 | Size = 292947 bytes | Modified Date = 9/29/2004 11:02:16 AM | Attr = ]
SITEguard [HKEY_LOCAL_MACHINE] → Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] → File not found
< Internet Explorer ToolBars [HKEY_CURRENT_USER] > → HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ →
ShellBrowser\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKEY_LOCAL_MACHINE] → %ProgramFiles%\google\googletoolbar2.dll [&Google] → File not found
ShellBrowser\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} [HKEY_LOCAL_MACHINE] → Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] → File not found
WebBrowser\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKEY_LOCAL_MACHINE] → %ProgramFiles%\google\googletoolbar2.dll [&Google] → File not found
WebBrowser\{5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4} [HKEY_LOCAL_MACHINE] → %ProgramFiles%\Juno\Toolbar.dll [JunoBar] → [Ver = 2, 0, 0, 1 | Size = 292336 bytes | Modified Date = 10/7/2005 1:41:09 AM | Attr = ]
WebBrowser\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKEY_LOCAL_MACHINE] → %ProgramFiles%\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll [Yahoo! Companion] → Yahoo! Inc. [Ver = 2004, 9, 28, 1 | Size = 292947 bytes | Modified Date = 9/29/2004 11:02:16 AM | Attr = ]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-142928211-1550766908-524529910-1006] > → HKEY_USERS\S-1-5-21-142928211-1550766908-524529910-1006\Software\Microsoft\Internet Explorer\Toolbar\ →
ShellBrowser\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKEY_LOCAL_MACHINE] → %ProgramFiles%\google\googletoolbar2.dll [&Google] → File not found
ShellBrowser\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} [HKEY_LOCAL_MACHINE] → Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] → File not found
WebBrowser\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKEY_LOCAL_MACHINE] → %ProgramFiles%\google\googletoolbar2.dll [&Google] → File not found
WebBrowser\{5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4} [HKEY_LOCAL_MACHINE] → %ProgramFiles%\Juno\Toolbar.dll [JunoBar] → [Ver = 2, 0, 0, 1 | Size = 292336 bytes | Modified Date = 10/7/2005 1:41:09 AM | Attr = ]
WebBrowser\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKEY_LOCAL_MACHINE] → %ProgramFiles%\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll [Yahoo! Companion] → Yahoo! Inc. [Ver = 2004, 9, 28, 1 | Size = 292947 bytes | Modified Date = 9/29/2004 11:02:16 AM | Attr = ]
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ →
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKEY_LOCAL_MACHINE] → Reg Error: Key does not exist or could not be opened. [Sun Java Console] → File not found
{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}: [HKEY_LOCAL_MACHINE] → Reg Error: Key does not exist or could not be opened. → File not found
< Internet Explorer Extensions [HKEY_CURRENT_USER] > → HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\ →
CmdMapping\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKEY_LOCAL_MACHINE] → [Sun Java Console] → File not found
CmdMapping\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} [HKEY_LOCAL_MACHINE] → [Reg Error: Value MenuText does not exist or could not be read.] → File not found
CmdMapping\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKEY_LOCAL_MACHINE] → [Reg Error: Key does not exist or could not be opened.] → File not found
< Internet Explorer Menu Extensions [HKEY_CURRENT_USER] > → HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ →
Add to AD Black List → %ProgramFiles%\Avant Browser\AddToADBlackList.htm → File not found
Block All Images from the Same Server → %ProgramFiles%\Avant Browser\AddAllToADBlackList.htm → File not found
Highlight → %ProgramFiles%\Avant Browser\Highlight.htm → File not found
Open All Links in This Page… → %ProgramFiles%\Avant Browser\OpenAllLinks.htm → File not found
Search → %ProgramFiles%\Avant Browser\Search.htm → File not found
< Internet Explorer Extensions [HKEY_USERS.DEFAULT] > → HKEY_USERS.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\ →
CmdMapping\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKEY_LOCAL_MACHINE] → [Sun Java Console] → File not found
CmdMapping\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} [HKEY_LOCAL_MACHINE] → [Reg Error: Value MenuText does not exist or could not be read.] → File not found
CmdMapping\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKEY_LOCAL_MACHINE] → [Reg Error: Key does not exist or could not be opened.] → File not found
< Internet Explorer Extensions [HKEY_USERS\S-1-5-18] > → HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\ →
CmdMapping\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKEY_LOCAL_MACHINE] → [Sun Java Console] → File not found
CmdMapping\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} [HKEY_LOCAL_MACHINE] → [Reg Error: Value MenuText does not exist or could not be read.] → File not found
CmdMapping\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKEY_LOCAL_MACHINE] → [Reg Error: Key does not exist or could not be opened.] → File not found
< Internet Explorer Extensions [HKEY_USERS\S-1-5-21-142928211-1550766908-524529910-1006] > → HKEY_USERS\S-1-5-21-142928211-1550766908-524529910-1006\Software\Microsoft\Internet Explorer\Extensions\ →
CmdMapping\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKEY_LOCAL_MACHINE] → [Sun Java Console] → File not found
CmdMapping\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} [HKEY_LOCAL_MACHINE] → [Reg Error: Value MenuText does not exist or could not be read.] → File not found
CmdMapping\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKEY_LOCAL_MACHINE] → [Reg Error: Key does not exist or could not be opened.] → File not found
< Internet Explorer Menu Extensions [HKEY_USERS\S-1-5-21-142928211-1550766908-524529910-1006] > → HKEY_USERS\S-1-5-21-142928211-1550766908-524529910-1006\Software\Microsoft\Internet Explorer\MenuExt\ →
Add to AD Black List → %ProgramFiles%\Avant Browser\AddToADBlackList.htm → File not found
Block All Images from the Same Server → %ProgramFiles%\Avant Browser\AddAllToADBlackList.htm → File not found
Highlight → %ProgramFiles%\Avant Browser\Highlight.htm → File not found
Open All Links in This Page… → %ProgramFiles%\Avant Browser\OpenAllLinks.htm → File not found
Search → %ProgramFiles%\Avant Browser\Search.htm → File not found
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ →
PluginsPageFriendlyName → Microsoft ActiveX Gallery →
PluginsPage → http://activex.microsoft.com/controls/find.asp?ext=%s&mime=%s
< DNS Name Servers [HKEY_LOCAL_MACHINE] > → HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ →
{485447B3-C4C0-4D36-944E-8F26FD15C124} → (1394 Net Adapter) →
{57DC4F1F-B8DE-40C4-BFC2-C4432BB0DFC4} → (Intel(R) PRO/Wireless 2200BG Network Connection) →
{69E25F5A-D790-4A00-8826-D43AF7C3A849} → (Sierra Wireless AirCard 555 Adapter) →
{D1D59301-252D-4BCB-98E1-6D21C255368B} → (Intel(R) PRO/100 VE Network Connection) →
< Default Protocols [HKEY_USERS\.DEFAULT] - Select to Repair > → HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults →
shell → shell protocol not assigned →

< Default Protocols [HKEY_USERS\S-1-5-18] - Select to Repair > → HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults →
shell → shell protocol not assigned →
< Default Protocols [HKEY_USERS\S-1-5-19] - Select to Repair > → HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults →
shell → shell protocol not assigned →
< Default Protocols [HKEY_USERS\S-1-5-20] - Select to Repair > → HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults →
shell → shell protocol not assigned →
< Protocol Handlers [HKEY_LOCAL_MACHINE] > → HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ →
ipp: [HKEY_LOCAL_MACHINE] → Reg Error: Key does not exist or could not be opened.[Reg Error: Value does not exist or could not be read.] → File not found
msdaipp: [HKEY_LOCAL_MACHINE] → Reg Error: Key does not exist or could not be opened.[Reg Error: Value does not exist or could not be read.] → File not found

[Files/Folders - Created Within 90 days]
avenger → %SystemDrive%\avenger → [Folder | Created Date = 2/17/2008 3:45:33 PM | Attr = ]
1 C:\*.tmp files → C:\*.tmp →
Deckard → %SystemDrive%\Deckard → [Folder | Created Date = 2/10/2008 2:49:57 AM | Attr = ]
QooBox → %SystemDrive%\QooBox → [Folder | Created Date = 2/10/2008 5:27:42 PM | Attr = ]
aavmker4.sys → %SystemRoot%\System32\drivers\aavmker4.sys → ALWIL Software [Ver = 4.7.1098.0 | Size = 26624 bytes | Modified Date = 12/4/2007 9:49:02 AM | Attr = ]
aswmon.sys → %SystemRoot%\System32\drivers\aswmon.sys → ALWIL Software [Ver = 4.7.1098.0 | Size = 93264 bytes | Modified Date = 12/4/2007 9:56:02 AM | Attr = ]
aswmon2.sys → %SystemRoot%\System32\drivers\aswmon2.sys → ALWIL Software [Ver = 4.7.1098.0 | Size = 94544 bytes | Modified Date = 12/4/2007 9:55:46 AM | Attr = ]
aswRdr.sys → %SystemRoot%\System32\drivers\aswRdr.sys → ALWIL Software [Ver = 4.7.1098.0 | Size = 23152 bytes | Modified Date = 12/4/2007 9:53:39 AM | Attr = ]
aswTdi.sys → %SystemRoot%\System32\drivers\aswTdi.sys → ALWIL Software [Ver = 4.7.1098.0 | Size = 42912 bytes | Modified Date = 12/4/2007 9:51:52 AM | Attr = ]
cdr4_xp.sys → %SystemRoot%\System32\drivers\cdr4_xp.sys → Sonic Solutions [Ver = 8.0.0.212 | Size = 9336 bytes | Modified Date = 3/7/2007 6:51:00 PM | Attr = ]
cdralw2k.sys → %SystemRoot%\System32\drivers\cdralw2k.sys → Sonic Solutions [Ver = 8.0.0.212 | Size = 9464 bytes | Modified Date = 3/7/2007 6:51:00 PM | Attr = ]
actskin4.ocx → %SystemRoot%\System32\actskin4.ocx → [Ver = 4, 2, 7, 3 | Size = 380928 bytes | Modified Date = 1/9/2004 4:13:58 AM | Attr = ]
aswBoot.exe → %SystemRoot%\System32\aswBoot.exe → ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 837496 bytes | Modified Date = 12/4/2007 8:04:28 AM | Attr = ]
AvastSS.scr → %SystemRoot%\System32\AvastSS.scr → ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 95608 bytes | Modified Date = 12/4/2007 7:54:04 AM | Attr = ]
fdsv.exe → %SystemRoot%\System32\fdsv.exe → Smallfrogs Studio [Ver = 1.0.0.10 | Size = 73728 bytes | Modified Date = 8/31/2000 8:00:00 AM | Attr = ]
grep.exe → %SystemRoot%\System32\grep.exe → [Ver = | Size = 80412 bytes | Modified Date = 8/31/2000 8:00:00 AM | Attr = ]
pxafs.dll → %SystemRoot%\System32\pxafs.dll → Sonic Solutions [Ver = 3.6.36.500 | Size = 129784 bytes | Modified Date = 3/7/2007 6:51:00 PM | Attr = ]
pxcpya64.exe → %SystemRoot%\System32\pxcpya64.exe → Sonic Solutions [Ver = 1.00.40a | Size = 64760 bytes | Modified Date = 3/7/2007 6:51:00 PM | Attr = ]
pxinsa64.exe → %SystemRoot%\System32\pxinsa64.exe → Sonic Solutions [Ver = 3.00.56a | Size = 64760 bytes | Modified Date = 3/7/2007 6:51:00 PM | Attr = ]
pxsfs.dll → %SystemRoot%\System32\pxsfs.dll → Sonic Solutions [Ver = 3.6.36.500 | Size = 1628920 bytes | Modified Date = 3/7/2007 6:51:00 PM | Attr = ]
sed.exe → %SystemRoot%\System32\sed.exe → [Ver = | Size = 98816 bytes | Modified Date = 8/31/2000 8:00:00 AM | Attr = ]
swreg.exe → %SystemRoot%\System32\swreg.exe → SteelWerX [Ver = 3.0.0.0 | Size = 161792 bytes | Modified Date = 8/31/2000 8:00:00 AM | Attr = ]
swsc.exe → %SystemRoot%\System32\swsc.exe → SteelWerX [Ver = 2.0.0.5 | Size = 136704 bytes | Modified Date = 8/31/2000 8:00:00 AM | Attr = ]
swxcacls.exe → %SystemRoot%\System32\swxcacls.exe → SteelWerX [Ver = 1.0.1.1 | Size = 212480 bytes | Modified Date = 8/31/2000 8:00:00 AM | Attr = ]
VFind.exe → %SystemRoot%\System32\VFind.exe → [Ver = | Size = 49152 bytes | Modified Date = 8/31/2000 8:00:00 AM | Attr = ]
zip.exe → %SystemRoot%\System32\zip.exe → [Ver = | Size = 68096 bytes | Modified Date = 8/31/2000 8:00:00 AM | Attr = ]
ie7 → %SystemRoot%\ie7 → [Folder | Created Date = 1/30/2008 1:33:50 AM | Attr = H ]
46 C:\WINDOWS\*.tmp files → C:\WINDOWS\*.tmp →
Nircmd.exe → %SystemRoot%\Nircmd.exe → NirSoft [Ver = 2.00 | Size = 51200 bytes | Modified Date = 8/31/2000 8:00:00 AM | Attr = ]
QTFont.for → %SystemRoot%\QTFont.for → [Ver = | Size = 1409 bytes | Modified Date = 2/11/2008 12:42:43 PM | Attr = ]
QTFont.qfn → %SystemRoot%\QTFont.qfn → [Ver = | Size = 54156 bytes | Modified Date = 2/11/2008 12:42:29 PM | Attr = H ]

[Files/Folders - Modified Within 30 days]
avenger → %SystemDrive%\avenger → [Folder | Modified Date = 2/17/2008 3:45:33 PM | Attr = ]
1 C:\*.tmp files → C:\*.tmp →
Config.Msi → %SystemDrive%\Config.Msi → [Folder | Modified Date = 2/10/2008 2:40:05 PM | Attr = ]
Deckard → %SystemDrive%\Deckard → [Folder | Modified Date = 2/10/2008 2:49:57 AM | Attr = ]
Program Files → %ProgramFiles% → [Folder | Modified Date = 2/15/2008 10:31:25 PM | Attr = R ]
QooBox → %SystemDrive%\QooBox → [Folder | Modified Date = 2/17/2008 4:23:27 AM | Attr = ]
RECYCLER → %SystemDrive%\RECYCLER → [Folder | Modified Date = 2/10/2008 2:54:55 AM | Attr = HS]

System Volume Information -> %SystemDrive%\System Volume Information ->  [Folder | Modified Date = 2/10/2008 2:50:26 AM | Attr =  HS]
TEMP -> %SystemDrive%\TEMP ->  [Folder | Modified Date = 2/17/2008 4:17:54 AM | Attr =    ]
WINDOWS -> %SystemRoot% ->  [Folder | Modified Date = 2/17/2008 3:40:59 PM | Attr =    ]
etc -> %SystemRoot%\System32\drivers\etc ->  [Folder | Modified Date = 2/14/2008 3:58:30 PM | Attr =    ]
hosts -> %SystemRoot%\System32\drivers\etc\hosts ->  [Ver =  | Size = 27 bytes | Modified Date = 2/14/2008 3:58:30 PM | Attr =    ]
CatRoot -> %SystemRoot%\System32\CatRoot ->  [Folder | Modified Date = 2/9/2008 4:34:50 PM | Attr =    ]
3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> 
CatRoot2 -> %SystemRoot%\System32\CatRoot2 ->  [Folder | Modified Date = 2/14/2008 9:07:53 PM | Attr =    ]
dllcache -> %SystemRoot%\System32\dllcache ->  [Folder | Modified Date = 2/9/2008 4:33:25 PM | Attr = RHS]
drivers -> %SystemRoot%\System32\drivers ->  [Folder | Modified Date = 2/17/2008 3:45:34 PM | Attr =    ]
en-US -> %SystemRoot%\System32\en-US ->  [Folder | Modified Date = 1/30/2008 1:39:43 AM | Attr =    ]
Restore -> %SystemRoot%\System32\Restore ->  [Folder | Modified Date = 2/10/2008 2:50:26 AM | Attr =    ]
wpa.dbl -> %SystemRoot%\System32\wpa.dbl ->  [Ver =  | Size = 1158 bytes | Modified Date = 2/17/2008 3:45:39 PM | Attr =    ]
$hf_mig$ -> %SystemRoot%\$hf_mig$ ->  [Folder | Modified Date = 1/30/2008 1:40:33 AM | Attr =    ]
46 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> 
bootstat.dat -> %SystemRoot%\bootstat.dat ->  [Ver =  | Size = 2048 bytes | Modified Date = 2/17/2008 3:45:20 PM | Attr =   S]
Downloaded Program Files -> %SystemRoot%\Downloaded Program Files ->  [Folder | Modified Date = 2/10/2008 2:54:55 AM | Attr =   S]
erdnt -> %SystemRoot%\erdnt ->  [Folder | Modified Date = 2/10/2008 5:28:05 PM | Attr =    ]
Help -> %SystemRoot%\Help ->  [Folder | Modified Date = 1/30/2008 4:20:03 AM | Attr =    ]
ie7 -> %SystemRoot%\ie7 ->  [Folder | Modified Date = 1/30/2008 1:35:56 AM | Attr =  H ]
ie7updates -> %SystemRoot%\ie7updates ->  [Folder | Modified Date = 1/30/2008 1:39:19 AM | Attr =    ]
imsins.BAK -> %SystemRoot%\imsins.BAK ->  [Ver =  | Size = 1374 bytes | Modified Date = 1/30/2008 1:40:43 AM | Attr =    ]
inf -> %SystemRoot%\inf ->  [Folder | Modified Date = 2/9/2008 4:33:25 PM | Attr =  H ]
Installer -> %SystemRoot%\Installer ->  [Folder | Modified Date = 2/10/2008 2:40:05 PM | Attr =  HS]
machine.ver -> %SystemRoot%\machine.ver ->  [Ver =  | Size = 2838 bytes | Modified Date = 2/7/2008 11:34:51 AM | Attr =    ]
Media -> %SystemRoot%\Media ->  [Folder | Modified Date = 1/30/2008 1:36:24 AM | Attr =    ]
Prefetch -> %SystemRoot%\Prefetch ->  [Folder | Modified Date = 2/17/2008 4:27:31 PM | Attr =    ]
QTFont.for -> %SystemRoot%\QTFont.for ->  [Ver =  | Size = 1409 bytes | Modified Date = 2/11/2008 12:42:43 PM | Attr =    ]
QTFont.qfn -> %SystemRoot%\QTFont.qfn ->  [Ver =  | Size = 54156 bytes | Modified Date = 2/11/2008 12:42:29 PM | Attr =  H ]
RegisteredPackages -> %SystemRoot%\RegisteredPackages ->  [Folder | Modified Date = 1/20/2008 1:33:07 AM | Attr =    ]
security -> %SystemRoot%\security ->  [Folder | Modified Date = 2/8/2008 3:55:15 PM | Attr =    ]
swupdate.INI -> %SystemRoot%\swupdate.INI ->  [Ver =  | Size = 67 bytes | Modified Date = 2/7/2008 11:34:20 AM | Attr =    ]
system -> %SystemRoot%\system ->  [Folder | Modified Date = 2/5/2008 1:56:44 PM | Attr =    ]
system.ini -> %SystemRoot%\system.ini ->  [Ver =  | Size = 227 bytes | Modified Date = 2/17/2008 4:21:48 AM | Attr =    ]
system32 -> %SystemRoot%\system32 ->  [Folder | Modified Date = 2/17/2008 4:23:30 AM | Attr =    ]
Tasks -> %SystemRoot%\Tasks ->  [Folder | Modified Date = 2/14/2008 3:55:00 PM | Attr =   S]
Temp -> %SystemRoot%\Temp ->  [Folder | Modified Date = 2/17/2008 3:47:49 PM | Attr =    ]
WBEM -> %SystemRoot%\WBEM ->  [Folder | Modified Date = 1/30/2008 1:36:41 AM | Attr =    ]
winamp.ini -> %SystemRoot%\winamp.ini ->  [Ver =  | Size = 1125 bytes | Modified Date = 1/20/2008 1:29:19 AM | Attr =    ]
WMSysPr9.prx -> %SystemRoot%\WMSysPr9.prx ->  [Ver =  | Size = 316640 bytes | Modified Date = 1/20/2008 1:32:50 AM | Attr =    ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT ->  [Ver =  | Size = 6 bytes | Modified Date = 2/17/2008 3:45:28 PM | Attr =  H ]
WebReg 20040630191426.job -> %SystemRoot%\tasks\WebReg 20040630191426.job ->  [Ver =  | Size = 434 bytes | Modified Date = 2/14/2008 7:14:00 PM | Attr =    ]
qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat ->  [Ver =  | Size = 4617 bytes | Modified Date = 2/9/2008 4:31:05 PM | Attr =    ]
qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat ->  [Ver =  | Size = 4232 bytes | Modified Date = 2/9/2008 4:31:05 PM | Attr =    ]
data.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA\data.dat ->  [Ver =  | Size = 1538 bytes | Modified Date = 11/5/2004 12:27:56 PM | Attr =    ]
opa11.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA\opa11.dat ->  [Ver =  | Size = 8658 bytes | Modified Date = 6/14/2004 9:02:59 PM | Attr =    ]
wkcalcat.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Works\wkcalcat.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 5/31/2005 10:25:17 AM | Attr =    ]
wklntnts.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Works\wklntnts.dat ->  [Ver =  | Size = 526924 bytes | Modified Date = 3/26/2006 12:37:04 PM | Attr =    ]
wklntsk.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Works\wklntsk.dat ->  [Ver =  | Size = 526924 bytes | Modified Date = 3/26/2006 12:37:04 PM | Attr =    ]
SSUPDATE.EXE -> C:\Documents and Settings\Carrie\Local Settings\Temp\SSUPDATE.EXE -> SUPERAntiSpyware.com [Ver = 1, 0, 0, 1030 | Size = 146672 bytes | Modified Date = 6/21/2007 2:07:10 PM | Attr =    ]
4 C:\Documents and Settings\Carrie\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Carrie\Local Settings\Temp\*.tmp -> 
Perflib_Perfdata_4fc.dat -> C:\Documents and Settings\Carrie\Local Settings\Temp\Perflib_Perfdata_4fc.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 2/17/2008 3:45:34 PM | Attr =    ]
4 C:\Documents and Settings\Carrie\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Carrie\Local Settings\Temp\*.tmp -> 
Perflib_Perfdata_660.dat -> C:\WINDOWS\Temp\Perflib_Perfdata_660.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 2/17/2008 3:43:20 PM | Attr =    ]
Perflib_Perfdata_8b8.dat -> C:\WINDOWS\Temp\Perflib_Perfdata_8b8.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 2/15/2008 10:32:24 PM | Attr =    ]
Perflib_Perfdata_93c.dat -> C:\WINDOWS\Temp\Perflib_Perfdata_93c.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 2/17/2008 3:45:38 PM | Attr =    ]
Perflib_Perfdata_a0.dat -> C:\WINDOWS\Temp\Perflib_Perfdata_a0.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 2/15/2008 10:32:16 PM | Attr =    ]
Perflib_Perfdata_a8.dat -> C:\WINDOWS\Temp\Perflib_Perfdata_a8.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 2/17/2008 3:45:28 PM | Attr =    ]

< End of report >

Okay, I’ve got to go out for a while and will go over the log then.

I found “Microsoft AntiSpyware” in the log. Is this what you saw? This one I believe is ok.

But we’ll get rid of Rabco.

Go to add/remove programs and uninstall these if present.

Rabio
Cool
RABCO

You may want to look for WinWINAntispyware

Open HJT, run a system scan only, check mark these lines if present

O2 - BHO: RabioBHO - {1C2E5D27-A17C-4D89-85DD-3553C189380D} - C:\Program Files\RABCO\RABCO.dll
O4 - Startup: RABCO - Auto Update.lnk = C:\Program Files\RABCO\RABCOse.exe

Close all other browsers/windows, click fix, close HJT.

Open a new Notepad session (Do not use a Word Processor or WordPad). Click “Format” and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as…, and set the location to your Desktop, and enter (including quotation marks) as the filename: “CFscript.txt”. Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.

File::
C:\Program Files\RABCO\RABCO.dll
C:\Program Files\RABCO\RABCOse.exe

Folder::
C:\Program Files\RABCO

This will start ComboFix again. Close all browser/windows first. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HJT log.

Hi oldman,

Consider the use of sdfix here as well, and what Ritchie performed here with a RABCO infestation:
http://www.bleepingcomputer.com/forums/index.php?s=1954ba93daa6a6d78b019da7ba89ac36&showuser=75975

polonus

Thanks pol, but that was a link to his profile. Got one for the thread?

Hi oldman,

Go here: http://www.bleepingcomputer.com/forums/topic129634.html#entry734833

Add comment please,

pol

Sorry it took so long. How you doing?

Did you get the rabco done?

Start WinPFind3U. Copy/Paste the information in the quotebox below into the pane where it says “Paste fix here” and then click the Run Fix button.

[Files/Folders - Created Within 90 days]
YY -> sed.exe -> %SystemRoot%\System32\sed.exe
NY -> 46 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
[Files/Folders - Modified Within 30 days]
NY -> 1 C:\*.tmp files -> C:\*.tmp
NY -> 3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> 46 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
YY -> imsins.BAK -> %SystemRoot%\imsins.BAK
YY -> qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
YY -> qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
NY -> 4 C:\Documents and Settings\Carrie\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Carrie\Local Settings\Temp\*.tmp
NY -> 4 C:\Documents and Settings\Carrie\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Carrie\Local Settings\Temp\*.tmp
[Empty Temp Folders]

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.