nic's problem

Here you go. If you could do the following for me, I will help you out; by keeping them in separate threads, Oldman will not get confused :smiley:

Download ComboFix from Here or Here to your Desktop.

- Double-click combofix.exe and follow the prompts.
- When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Here you go. If you could do the following for me, I will help you out; by keeping them in separate threads, Oldman will not get confused

And that's easily done :smiley: :wink:

Thanks essexboy

Thank You Very Much. Here is the Log that was produced by ComboFix:

ComboFix 08-01-03.3 - Owner 2008-01-02 14:10:22.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.220 [GMT -7:00]
Running from: C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\7IN5XP3N\ComboFix[1].exe

* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\adsn.dll
C:\WINDOWS\system32\drivers\ibhwjwkv.dat
D:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_DJGPMJKO
-------\djgpmjko
((((((((((((((((((((((((( Files Created from 2007-12-03 to 2008-01-03 )))))))))))))))))))))))))))))))

2008-01-02 14:09 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-12-14 09:30 . 2007-12-04 05:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-12-14 09:30 . 2007-12-04 07:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-14 09:30 . 2007-12-04 07:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-14 09:30 . 2007-12-04 07:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-14 09:29 . 2007-12-14 09:29 d-------- C:\Program Files\Alwil Software
2007-12-14 09:29 . 2007-12-04 06:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-12-14 09:29 . 2004-01-09 02:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2007-12-14 09:29 . 2007-12-04 07:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-14 09:29 . 2007-12-04 07:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 13:41 . 2007-12-04 14:17 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2005-01-21 03:33 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
...
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"BackupNotify"="c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe" [2004-01-09 01:34 32768]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 07:59 224248]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 09:22 155648]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 13:46 57393]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 14:04 40960]
"SetDefPrt"="C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe" [2004-05-25 08:16 49152]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 08:34 851968]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-10-18 11:58 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-11-16 23:31 155648]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [2005-11-18 22:33 1851392]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-08-02 05:49 185632]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06 40048]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 07:59 224248]
"NoteBurner"="C:\Program Files\NoteBurner\VTBurnerGUI.exe"
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 06:00 79224]
C:\Documents and Settings\Owner\Start Menu\Programs\Startup
MySurvey Messenger.lnk - C:\Program Files\MySurvey Messenger\MySurveyMessenger.exe [2007-07-02 14:46:10]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Image Transfer.lnk - C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe [2006-06-12 12:39:36]
Status Monitor.lnk - C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe [2005-08-06 15:11:11]
S0 ntcdrdrv;ntcdrdrv;C:\WINDOWS\system32\DRIVERS\ntcdrdrv.sys
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;C:\WINDOWS\system32\DRIVERS\ADM8511.SYS [2001-08-17 15:11]
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys [2003-12-19 20:15]
S3 BrSerIf;Brother MFC Serial Port Interface WDM Driver;C:\WINDOWS\system32\Drivers\BrSerIf.sys [2004-06-12 04:27]
S3 BrUsbSer;Brother MFC USB Serial WDM Driver;C:\WINDOWS\system32\Drivers\BrUsbSer.sys [2004-01-10 03:28]
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys [2002-10-15 21:41]
.
Contents of the 'Scheduled Tasks' folder
"2006-07-08 16:12:04 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-03 14:17:31
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-01-03 14:21:39 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-03 21:21:30
.
2007-12-21 03:21:26 --- E O F ---

Hijack This log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:31:15 PM, on 1/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\MySurvey Messenger\MySurveyMessenger.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O4 - HKLM..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM..\Run: [SetDefPrt] "C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe"
O4 - HKLM..\Run: [ControlCenter2.0] "C:\Program Files\Brother\ControlCenter2\brctrcen.exe" /autorun
O4 - HKLM..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM..\Run: [NoteBurner] C:\Program Files\NoteBurner\VTBurnerGUI.exe /silence
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU..\Run: [BackupNotify] "c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe"
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - Startup: MySurvey Messenger.lnk = C:\Program Files\MySurvey Messenger\MySurveyMessenger.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/downloadcontrol.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

End of file - 7842 bytes

Not a great deal apparent there. What symptoms are you experiencing?

I can do a deeper search.

Download WinPFind3u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

- Close ALL OTHER PROGRAMS.
- Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
- Under Additional Scans, click the checkboxes in front of the following items to select them:

  Reg - BotCheck

- Now click the Run Scan button on the toolbar.
- Let it run unhindered until it finishes.
- When the scan is complete, Notepad will open with the report file loaded in it.
- Click the Format menu and make sure that Wordwrap is not checked. If it is, then click on it to uncheck it.

Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.

Not a great deal apparent there. What symptoms are you experiencing? <~~~essexboy

I'm not experiencing any problems that I know of. But, I would like this trojan off of my machine since there's no telling what it's up to and what's being stolen... if anything. As an aside, I ran AVG AND Webroot and they didn't find it. Not a very reassuring sign. So, what do the logs indicate?
Again, thank you very much.

Nic_1

The adsn.dll is gone. Let essexboy know what other symptoms, if any, you are experiencing. He has offered to do a very deep scan of your system. Take him up on it. :slight_smile:

After another scheduled scan, I was able to place the trojan into the chest, this time with no message telling me 'Access Denied'. Do you still recommend a deeper scan w/WinPFind3u? Sorry it's taking me a while to respond; work sometimes gets in the way. :slight_smile:

Yes, it's a deeper scan that should reveal the problem.

:slight_smile: Hi "Nic":

Just a side note: your Sun Java program is WAY out of date and a very serious security risk; you should uninstall ALL versions of this program. The latest version is available at www.java.com.

And there is recent news of a serious vulnerability discovered in "Real Player"; not sure if it is currently "patchable"!? Perhaps you should consider an "alternative" & many of us here recommend "RealAlternate".

Thank you Essexboy, Oldman, and Spiritsong for all of your help.
This is the log from WinPFind3U in several parts since it doesn't fit:

WinPFind3 logfile created on: 1/4/2008 10:11:40 AM
WinPFind3U by OldTimer - Version 1.0.44 Folder = C:\Documents and Settings\Owner\Desktop\WinPFind3u
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2900.2180)

503.48 Mb Total Physical Memory | 267.28 Mb Available Physical Memory | 53.09% Memory free
1.20 Gb Paging File | 0.98 Gb Available in Paging File | 81.66% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 30.94 Gb Total Space | 10.68 Gb Free Space | 34.51% Space Free
Drive D: | 6.31 Gb Total Space | 2.38 Gb Free Space | 37.74% Space Free
E: Drive not present or media not loaded
F: Drive not present or media not loaded

Computer Name: YOUR-46E94OWX6A
Current User Name: Owner
Logged in as Administrator.
Current Boot Mode: Normal

[Processes - Non-Microsoft Only]
ashdisp.exe → %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe → ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 79224 bytes | Modified Date = 12/4/2007 6:00:24 AM | Attr = ]
ashmaisv.exe → %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe → ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 247160 bytes | Modified Date = 12/4/2007 5:59:54 AM | Attr = ]
ashserv.exe → %ProgramFiles%\Alwil Software\Avast4\ashServ.exe → ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 140664 bytes | Modified Date = 12/4/2007 6:00:16 AM | Attr = ]
ashwebsv.exe → %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe → ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 345464 bytes | Modified Date = 12/4/2007 5:59:02 AM | Attr = ]
aswupdsv.exe → %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe → ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 17272 bytes | Modified Date = 12/4/2007 7:36:34 AM | Attr = ]
brmfrmps.exe → %System32%\Brmfrmps.exe → Brother Industries, Ltd. [Ver = 1.10.10.144 | Size = 65536 bytes | Modified Date = 5/5/2003 6:30:22 PM | Attr = ]
brss01a.exe → %System32%\brss01a.exe → brother Industries Ltd [Ver = 1.004 | Size = 45056 bytes | Modified Date = 12/12/2001 11:01:00 PM | Attr = ]
brsvc01a.exe → %System32%\brsvc01a.exe → brother Industries Ltd [Ver = 1, 0, 0, 3 | Size = 57344 bytes | Modified Date = 4/11/2002 11:00:00 PM | Attr = ]
ipodservice.exe → %ProgramFiles%\iPod\bin\iPodService.exe → Apple Computer, Inc. [Ver = 6.0.1.3 | Size = 323584 bytes | Modified Date = 10/18/2005 11:58:40 AM | Attr = ]
ituneshelper.exe → %ProgramFiles%\iTunes\iTunesHelper.exe → Apple Computer, Inc. [Ver = 6.0.1.3 | Size = 278528 bytes | Modified Date = 10/18/2005 11:58:54 AM | Attr = ]
mysurveymessenger.exe → %ProgramFiles%\MySurvey Messenger\MySurveyMessenger.exe → [Ver = 1, 0, 0, 1 | Size = 651264 bytes | Modified Date = 7/2/2007 2:46:10 PM | Attr = ]
pptd40nt.exe → %ProgramFiles%\ScanSoft\PaperPort\pptd40nt.exe → ScanSoft, Inc. [Ver = 9.0 | Size = 57393 bytes | Modified Date = 4/14/2004 1:46:50 PM | Attr = ]
realsched.exe → %CommonProgramFiles%\Real\Update_OB\realsched.exe → RealNetworks, Inc. [Ver = 0.1.0.4081 | Size = 185632 bytes | Modified Date = 8/2/2007 5:49:04 AM | Attr = ]
searchprotection.exe → %ProgramFiles%\Yahoo!\Search Protection\SearchProtection.exe → Yahoo! Inc. [Ver = 2007, 6, 8, 1 | Size = 224248 bytes | Modified Date = 6/8/2007 7:59:38 AM | Attr = ]
sonytray.exe → %ProgramFiles%\Sony Corporation\Image Transfer\SonyTray.exe → [Ver = | Size = 73728 bytes | Modified Date = 10/16/2002 7:20:20 PM | Attr = ]
tgcmd.exe → %ProgramFiles%\Support.com\bin\tgcmd.exe → Qwest [Ver = 5,5,726,0 | Size = 1851392 bytes | Modified Date = 11/18/2005 10:33:00 PM | Attr = R ]
winpfind3u.exe → %UserDesktop%\WinPFind3u\WinPFind3U.exe → OldTimer Tools [Ver = 1.0.44.0 | Size = 371200 bytes | Modified Date = 11/21/2007 9:19:46 AM | Attr = ]

[Win32 Services - Non-Microsoft Only]
(aswUpdSv) avast! iAVS4 Control Service [Win32_Own | Auto | Running] → %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe → ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 17272 bytes | Modified Date = 12/4/2007 7:36:34 AM | Attr = ]
(avast! Antivirus) avast! Antivirus [Win32_Own | Auto | Running] → %ProgramFiles%\Alwil Software\Avast4\ashServ.exe → ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 140664 bytes | Modified Date = 12/4/2007 6:00:16 AM | Attr = ]
(avast! Mail Scanner) avast! Mail Scanner [Win32_Own | On_Demand | Running] → %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe → ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 247160 bytes | Modified Date = 12/4/2007 5:59:54 AM | Attr = ]
(avast! Web Scanner) avast! Web Scanner [Win32_Own | On_Demand | Running] → %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe → ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 345464 bytes | Modified Date = 12/4/2007 5:59:02 AM | Attr = ]
(brmfrmps) Brother Popup Suspend service for Resource manager [Win32_Own | Auto | Running] → %System32%\Brmfrmps.exe → Brother Industries, Ltd. [Ver = 1.10.10.144 | Size = 65536 bytes | Modified Date = 5/5/2003 6:30:22 PM | Attr = ]
(Brother XP spl Service) BrSplService [Win32_Own | Auto | Running] → %System32%\brsvc01a.exe → brother Industries Ltd [Ver = 1, 0, 0, 3 | Size = 57344 bytes | Modified Date = 4/11/2002 11:00:00 PM | Attr = ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] → %System32%\dmadmin.exe → Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 8/4/2004 12:56:48 AM | Attr = ]
(IDriverT) InstallDriver Table Manager [Win32_Own | On_Demand | Stopped] → %CommonProgramFiles%\InstallShield\Driver\11\Intel 32\IDriverT.exe → Macrovision Corporation [Ver = 11.00.28844 | Size = 69632 bytes | Modified Date = 4/4/2005 12:41:10 AM | Attr = ]
(iPodService) iPodService [Win32_Own | On_Demand | Running] → %ProgramFiles%\iPod\bin\iPodService.exe → Apple Computer, Inc. [Ver = 6.0.1.3 | Size = 323584 bytes | Modified Date = 10/18/2005 11:58:40 AM | Attr = ]
(SymWSC) SymWMI Service [Win32_Own | Auto | Stopped] → %CommonProgramFiles%\Symantec Shared\Security Center\SymWSC.exe → Symantec Corporation [Ver = 2005.1.2.20 | Size = 316544 bytes | Modified Date = 11/2/2004 7:59:50 PM | Attr = ]

[Registry - Non-Microsoft Only]
< Run [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run →
Adobe Reader Speed Launcher → %ProgramFiles%\Adobe\Reader 8.0\Reader\Reader_sl.exe → Adobe Systems Incorporated [Ver = 8.0.0.0 | Size = 40048 bytes | Modified Date = 5/11/2007 2:06:32 AM | Attr = ]
avast! → %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe → ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 79224 bytes | Modified Date = 12/4/2007 6:00:24 AM | Attr = ]
ControlCenter2.0 → %ProgramFiles%\Brother\ControlCenter2\brctrcen.exe → Brother Industries, Ltd. [Ver = 2, 0, 8, 0 | Size = 851968 bytes | Modified Date = 7/20/2004 8:34:28 AM | Attr = ]
IndexSearch → %ProgramFiles%\ScanSoft\PaperPort\IndexSearch.exe → ScanSoft, Inc. [Ver = 9.0 | Size = 40960 bytes | Modified Date = 4/14/2004 2:04:12 PM | Attr = ]
iTunesHelper → %ProgramFiles%\iTunes\iTunesHelper.exe → Apple Computer, Inc. [Ver = 6.0.1.3 | Size = 278528 bytes | Modified Date = 10/18/2005 11:58:54 AM | Attr = ]
NoteBurner → %ProgramFiles%\NoteBurner\VTBurnerGUI.exe → File not found
PaperPort PTD → %ProgramFiles%\ScanSoft\PaperPort\pptd40nt.exe → ScanSoft, Inc. [Ver = 9.0 | Size = 57393 bytes | Modified Date = 4/14/2004 1:46:50 PM | Attr = ]
QuickTime Task → %ProgramFiles%\QuickTime\qttask.exe → Apple Computer, Inc. [Ver = 7.0.3 | Size = 155648 bytes | Modified Date = 11/16/2005 11:31:26 PM | Attr = ]
SetDefPrt → %ProgramFiles%\Brother\Brmfl04a\BrStDvPt.exe → Brother Industories, Ltd. [Ver = 1, 0, 0, 3 | Size = 49152 bytes | Modified Date = 5/25/2004 8:16:56 AM | Attr = ]
SSBkgdUpdate → %CommonProgramFiles%\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe → Scansoft, Inc. [Ver = 1, 0, 0, 6 | Size = 155648 bytes | Modified Date = 10/14/2003 9:22:30 AM | Attr = R ]
tgcmd → %ProgramFiles%\Support.com\bin\tgcmd.exe → Qwest [Ver = 5,5,726,0 | Size = 1851392 bytes | Modified Date = 11/18/2005 10:33:00 PM | Attr = R ]
TkBellExe → %CommonProgramFiles%\Real\Update_OB\realsched.exe → RealNetworks, Inc. [Ver = 0.1.0.4081 | Size = 185632 bytes | Modified Date = 8/2/2007 5:49:04 AM | Attr = ]
YSearchProtection → %ProgramFiles%\Yahoo!\Search Protection\SearchProtection.exe → Yahoo! Inc. [Ver = 2007, 6, 8, 1 | Size = 224248 bytes | Modified Date = 6/8/2007 7:59:38 AM | Attr = ]
< OptionalComponents [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ →
IMAIL → Installed = 1 →
MAPI → Installed = 1 →
MSFS → Installed = 1 →
< Run [HKCU] > → HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run →
BackupNotify → %ProgramFiles%\HP\Digital Imaging\bin\backupnotify.exe → Hewlett-Packard Company [Ver = 2004.01.08.0 | Size = 32768 bytes | Modified Date = 1/9/2004 1:34:10 AM | Attr = ]
YSearchProtection → %ProgramFiles%\Yahoo!\Search Protection\SearchProtection.exe → Yahoo! Inc. [Ver = 2007, 6, 8, 1 | Size = 224248 bytes | Modified Date = 6/8/2007 7:59:38 AM | Attr = ]
< Common Startup > → C:\Documents and Settings\All Users\Start Menu\Programs\Startup →
%AllUsersStartup%\Image Transfer.lnk → %ProgramFiles%\Sony Corporation\Image Transfer\SonyTray.exe → [Ver = | Size = 73728 bytes | Modified Date = 10/16/2002 7:20:20 PM | Attr = ]
%AllUsersStartup%\Status Monitor.lnk → %ProgramFiles%\Brother\Brmfcmon\BrMfcWnd.exe → Brother Industries, Ltd. [Ver = 1, 0, 5, 4 | Size = 819200 bytes | Modified Date = 3/26/2004 6:30:12 PM | Attr = ]
< User Startup > → C:\Documents and Settings\Owner\Start Menu\Programs\Startup →
%UserStartup%\MySurvey Messenger.lnk → %ProgramFiles%\MySurvey Messenger\MySurveyMessenger.exe → [Ver = 1, 0, 0, 1 | Size = 651264 bytes | Modified Date = 7/2/2007 2:46:10 PM | Attr = ]
< SecurityProviders [HKLM] > → HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders →
< Winlogon settings [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon →
< Winlogon settings [HKCU] > → HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon →
< Winlogon\Notify settings [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ →
igfxcui → %System32%\igfxsrvc.dll → Intel Corporation [Ver = 3.0.0.3889 | Size = 344064 bytes | Modified Date = 8/20/2004 6:50:54 PM | Attr = ]
< CurrentVersion Policy Settings [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveAutoRun → 67108863 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveTypeAutoRun → 255 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} → 1 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} → 1073741857 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{0DF44EAA-FF21-4412-828E-260A8728E7F1} → 32 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\dontdisplaylastusername → 0 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\legalnoticecaption → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\legalnoticetext → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\shutdownwithoutlogon → 1 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\undockwithoutlogon → 1 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WindowsUpdate\ → →

< CurrentVersion Policy Settings [HKCU] > โ†’ HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ โ†’
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ โ†’ โ†’
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ โ†’ โ†’
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\ โ†’ โ†’
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ โ†’ โ†’
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveTypeAutoRun โ†’ 0 โ†’
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ โ†’ โ†’
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ โ†’ โ†’
< HOSTS File > (27 bytes) โ†’ C:\WINDOWS\System32\drivers\etc\Hosts โ†’
127.0.0.1 localhost โ†’ โ†’
< Internet Explorer Settings > โ†’ โ†’
HKLM: Default_Page_URL โ†’ http://go.microsoft.com/fwlink/?LinkId=69157 โ†’
HKLM: Main\Default_Search_URL โ†’ http://go.microsoft.com/fwlink/?LinkId=54896 โ†’
HKLM: Local Page โ†’ %SystemRoot%\system32\blank.htm โ†’
HKLM: Search Bar โ†’ http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop โ†’
HKLM: Search Page โ†’ http://go.microsoft.com/fwlink/?LinkId=54896 โ†’
HKLM: Start Page โ†’ http://www.yahoo.com โ†’
HKLM: CustomizeSearch โ†’ http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm โ†’
HKLM: SearchAssistant โ†’ http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm โ†’
HKCU: Default_Search_URL โ†’ http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop โ†’
HKCU: Local Page โ†’ C:\WINDOWS\System32\blank.htm โ†’
HKCU: Search Page โ†’ http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch โ†’
HKCU: Start Page โ†’ http://www.yahoo.com โ†’
HKCU: URLSearchHooks\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKLM] โ†’ %ProgramFiles%\Yahoo!\Companion\Installs\cpn3\yt.dll [Yahoo! Toolbar] โ†’ Yahoo! Inc. [Ver = 2007, 8, 22, 1 | Size = 816912 bytes | Modified Date = 8/22/2007 6:30:18 PM | Attr = ]
HKCU: ProxyEnable โ†’ 0 โ†’
HKCU: ProxyOverride โ†’ localhost โ†’

< Trusted Sites > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ →
msn.com [ - ] → →
< BHO’s > → HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ →
{02478D38-C3F9-4efb-9B51-7695ECA05670} [HKLM] → %ProgramFiles%\Yahoo!\Companion\Installs\cpn3\yt.dll [&Yahoo! Toolbar Helper] → Yahoo! Inc. [Ver = 2007, 8, 22, 1 | Size = 816912 bytes | Modified Date = 8/22/2007 6:30:18 PM | Attr = ]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] → %CommonProgramFiles%\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] → Adobe Systems Incorporated [Ver = 8.0.0.2006102200 | Size = 62080 bytes | Modified Date = 10/22/2006 10:08:42 PM | Attr = ]
{3049C3E9-B461-4BC5-8870-4C09146192CA} [HKLM] → %ProgramFiles%\Real\RealPlayer\rpbrowserrecordplugin.dll [RealPlayer Download and Record Plugin for Internet Explorer] → RealPlayer [Ver = 1.0.0.333 | Size = 279928 bytes | Modified Date = 8/2/2007 5:49:18 AM | Attr = ]
< Internet Explorer Bars [HKCU] > → HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ →
{32683183-48a0-441b-a342-7c2a440a9478} [HKLM] → Reg Data - Key not found [Reg Data - Key not found] → File not found
< Internet Explorer ToolBars [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar →
[HKLM] → Reg Data - Key not found [Reg Data - Value does not exist] → File not found
{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} [HKLM] → %ProgramFiles%\HP\digital imaging\bin\hpdtlk02.dll [HP view] → Hewlett-Packard Company [Ver = 1.0.0.7 | Size = 98304 bytes | Modified Date = 11/21/2003 12:26:26 PM | Attr = ]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKLM] → %ProgramFiles%\Yahoo!\Companion\Installs\cpn3\yt.dll [Yahoo! Toolbar] → Yahoo! Inc. [Ver = 2007, 8, 22, 1 | Size = 816912 bytes | Modified Date = 8/22/2007 6:30:18 PM | Attr = ]
< Internet Explorer ToolBars [HKCU] > → HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ →
ShellBrowser\{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} [HKLM] → %ProgramFiles%\HP\digital imaging\bin\hpdtlk02.dll [HP view] → Hewlett-Packard Company [Ver = 1.0.0.7 | Size = 98304 bytes | Modified Date = 11/21/2003 12:26:26 PM | Attr = ]
WebBrowser\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} [HKLM] → Reg Data - Key not found [Reg Data - Key not found] → File not found
WebBrowser\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} [HKLM] → Reg Data - Key not found [Reg Data - Key not found] → File not found
WebBrowser\{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} [HKLM] → %ProgramFiles%\HP\digital imaging\bin\hpdtlk02.dll [HP view] → Hewlett-Packard Company [Ver = 1.0.0.7 | Size = 98304 bytes | Modified Date = 11/21/2003 12:26:26 PM | Attr = ]
WebBrowser\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKLM] → %ProgramFiles%\Yahoo!\Companion\Installs\cpn3\yt.dll [Yahoo! Toolbar] → Yahoo! Inc. [Ver = 2007, 8, 22, 1 | Size = 816912 bytes | Modified Date = 8/22/2007 6:30:18 PM | Attr = ]

< Internet Explorer Extensions [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ →
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] → Reg Data - Key not found [MenuText: Sun Java Console] → File not found
{92780B25-18CC-41C8-B9BE-3C9C571A8263} → Reg Data - Value does not exist [ButtonText: Research] → File not found
{e2e2dd38-d088-4134-82b7-f2ba38496583} [HKLM] → Reg Data - Key not found [MenuText: @xpsp3res.dll,-20001] → File not found
< Internet Explorer Menu Extensions [HKCU] > → HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ →
E&xport to Microsoft Excel → → File not found
< User Agent Post Platform [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform →
SV1 → →
< DNS Name Servers [HKLM] > → HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ →
{5AEF64FB-479F-4850-91ED-1EF99CD75A23} → (Realtek RTL8139/810x Family Fast Ethernet NIC) →
{6CC8F273-D1F2-4348-8C35-03DBC855E913} → () →
{AF7B24A7-C28D-442D-A270-8E74B216D4B2} → (SMC EZ Connect USB/Ethernet Series Converter) →
{F74557C2-F377-48F8-A9F9-B72B58E7E9C3} → (NETGEAR WG311v2 802.11g Wireless PCI Adapter) →
< Protocol Handlers [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ →
cetihpz → %ProgramFiles%\HP\hpcoretech\comp\hpuiprot.dll → Hewlett-Packard Company [Ver = 2.1.4 | Size = 81920 bytes | Modified Date = 12/22/2003 3:38:40 PM | Attr = ]
ipp → Reg Data - Key not found → File not found
msdaipp → Reg Data - Key not found → File not found
< Downloaded Program Files > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ →
{193C772A-87BE-4B19-A7BB-445B226FE9A1} → ewidoOnlineScan Control - CodeBase = http://downloads.ewido.net/ewidoOnlineScan.cab →
{30528230-99F7-4BB4-88D8-FA1D4F56A2AB} → YInstStarter Class - CodeBase = http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab →
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C} → - CodeBase = http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab →
{A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} → InetDownload Class - CodeBase = https://media.pineconeresearch.com/ActiveX/downloadcontrol.cab →
{AB86CE53-AC9F-449F-9399-D8ABCA09EC09} → Get_ActiveX Control - CodeBase = https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx →

[Registry - Additional Scans - Non-Microsoft Only]
< BotCheck > → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\DefaultLaunchPermission →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\EnableDCOM → Y →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\MachineLaunchRestriction →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\MachineAccessRestriction →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\{A50398B8-9075-4FBF-A7A1-456BF21937AD} → 1 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\{AD65A69D-3831-40D7-9629-9B0B50A93843} → 1 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\{0040D221-54A1-11D1-9DE0-006097042D69} → 1 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\{2A6D72F1-6E7E-4702-B99C-E40D3DED33C3} → 1 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\NONREDIST\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\NONREDIST\System.EnterpriseServices.Thunk.dll → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify → 0 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify → 0 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify → 0 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride → 1 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride → 0 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ → →

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate not found. → →
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages → msv1_0; →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Bounds →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages → kerberos;msv1_0;schannel;wdigest; →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LsaPid → 560 →

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SecureBoot → 1 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\auditbaseobjects → 0 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\crashonauditfail → 0 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\disabledomaincreds → 0 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\everyoneincludesanonymous → 0 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\fipsalgorithmpolicy → 0 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\forceguest → 1 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\fullprivilegeauditing →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\limitblankpassworduse → 1 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\lmcompatibilitylevel → 0 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\nodefaultadminowner → 1 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\nolmhash → 0 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous → 0 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymoussam → 1 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages → scecli; →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ImpersonatePrivilegeUpgradeToolHasRun → 1 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\enabledcom → y →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\ProviderOrder → Windows NT Access Provider; →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider\ProviderPath → %SystemRoot%\system32\ntmarta.dll →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System\ → →

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data\Pattern → ร‘Dยปรณรคโ€œร‚/รฒยฝPR4รฝร82132fde
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG\GrafBlumGroup → โ€œลธ.ยฎรทยน
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD\Lookup → รฐ1}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\SidCache\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\msv1_0\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\msv1_0\ntlmminclientsec → 0 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\msv1_0\ntlmminserversec → 0 →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1\SkewMatrix → Aโ€qรงPยขร„รผaหœรŽยกยจw#b →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4\SSOURL → http://www.passport.com →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\Time → รพยยกโ‚ฌรร… →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\ → →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\Name → Digest →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\Comment → Digest SSPI Authentication Package →
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\Capabilities → 164