Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Troublesome Malware

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: Troublesome Malware

Unread postby Driftmom » May 4th, 2009, 6:24 pm

That was a pretty fast scan! Here is the log:

SystemLook v1.0 by jpshortstuff (24.04.09)
Log created at 18:22 on 04/05/2009 by HP_Administrator (Administrator - Elevation successful)

========== regfind ==========

Searching for "$sys$crater"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\$sys$crater]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\$sys$crater]

Searching for "mdxgthkn"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MDXGTHKN]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MDXGTHKN\0000]
""Service""=="mdxgthkn"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MDXGTHKN\0000]
""Service""=="mdxgthkn"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MDXGTHKN\0000]
""Service""=="mdxgthkn"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MDXGTHKN\0000]
""Service""=="mdxgthkn"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MDXGTHKN\0000]
""Service""=="mdxgthkn"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mdxgthkn]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mdxgthkn]
""ImagePath""=="\??\C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\mdxgthkn.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mdxgthkn]
""ImagePath""=="\??\C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\mdxgthkn.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mdxgthkn\Enum]
""0""=="Root\LEGACY_MDXGTHKN\0000"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_MDXGTHKN]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_MDXGTHKN\0000]
""Service""=="mdxgthkn"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_MDXGTHKN\0000]
""Service""=="mdxgthkn"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_MDXGTHKN\0000]
""Service""=="mdxgthkn"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_MDXGTHKN\0000]
""Service""=="mdxgthkn"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_MDXGTHKN\0000]
""Service""=="mdxgthkn"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_MDXGTHKN]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_MDXGTHKN\0000]
""Service""=="mdxgthkn"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_MDXGTHKN\0000]
""Service""=="mdxgthkn"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_MDXGTHKN\0000]
""Service""=="mdxgthkn"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_MDXGTHKN\0000]
""Service""=="mdxgthkn"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_MDXGTHKN\0000]
""Service""=="mdxgthkn"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_MDXGTHKN]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_MDXGTHKN\0000]
""Service""=="mdxgthkn"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_MDXGTHKN\0000]
""Service""=="mdxgthkn"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_MDXGTHKN\0000]
""Service""=="mdxgthkn"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_MDXGTHKN\0000]
""Service""=="mdxgthkn"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_MDXGTHKN\0000]
""Service""=="mdxgthkn"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MDXGTHKN]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MDXGTHKN\0000]
""Service""=="mdxgthkn"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MDXGTHKN\0000]
""Service""=="mdxgthkn"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MDXGTHKN\0000]
""Service""=="mdxgthkn"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MDXGTHKN\0000]
""Service""=="mdxgthkn"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MDXGTHKN\0000]
""Service""=="mdxgthkn"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mdxgthkn]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mdxgthkn]
""ImagePath""=="\??\C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\mdxgthkn.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mdxgthkn]
""ImagePath""=="\??\C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\mdxgthkn.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mdxgthkn\Enum]
""0""=="Root\LEGACY_MDXGTHKN\0000"

-=End Of File=-
Driftmom
Regular Member
 
Posts: 20
Joined: April 11th, 2009, 12:46 pm
Advertisement
Register to Remove

Re: Troublesome Malware

Unread postby peku006 » May 5th, 2009, 1:45 am

Hi Driftmom

1 - Download and Run SWReg
Please create a new folder on the Desktop by right-clicking and selecting New > Folder

Next, download SWReg
Save it to the new folder on the Desktop.

Now, launch Notepad, (Start > Run, type in: notepad)
Copy/paste all the text inside the code box below to Notepad:

Code: Select all
FOR %%R IN (
"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\$sys$crater"
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\$sys$crater"
"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MDXGTHKN"
"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MDXGTHKN\0000"
"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mdxgthkn"
"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mdxgthkn\Enum"
"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_MDXGTHKN"
"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_MDXGTHKN\0000"
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MDXGTHKN"
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MDXGTHKN\0000"
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mdxgthkn"
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mdxgthkn\Enum"
) DO (
SWReg ACL %%R /OM
SWReg ACL %%R /GE:F /I ENABLE
SWReg DELETE %%R
)
exit

In Notepad, go to File (upper menu bar), and select: Save as
In the Save as prompt:
Save in: the same folder where you saved SWReg
File Name: fixreg.bat
Save as Type: All files
Click: Save
Exit out of Notepad.

Note: Both swreg.exe and fixreg.bat must be in the same folder for this to work.

Locate fixreg.bat in the new folder and double-click on it.

2 - Run CFScript

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Driver::
$sys$crater
mdxgthkn


Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe

Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

3 - Status Check
Please reply with

1. the ComboFix log(C:\ComboFix.txt)

Thanks peku006
User avatar
peku006
MRU Emeritus
MRU Emeritus
 
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: Troublesome Malware

Unread postby Driftmom » May 5th, 2009, 7:55 pm

New ComboFix log:

ComboFix 09-05-05.03 - HP_Administrator 05/05/2009 19:39.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.451 [GMT -4:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Outdated)
FW: Norton Internet Worm Protection *disabled*
.

((((((((((((((((((((((((( Files Created from 2009-04-05 to 2009-05-05 )))))))))))))))))))))))))))))))
.

2009-04-25 20:27 . 2009-04-25 20:27 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-24 00:39 . 2009-04-24 00:39 -------- d-----w c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2009-04-24 00:39 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-24 00:39 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-24 00:39 . 2009-04-24 00:39 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-24 00:39 . 2009-04-24 00:39 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-18 19:38 . 2009-04-18 19:38 -------- d-----w C:\rsit

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-04 02:13 . 2006-09-28 00:47 -------- d-----w c:\program files\DISC
2009-04-25 20:27 . 2006-09-28 00:17 -------- d-----w c:\program files\Java
2009-03-06 14:44 . 2004-08-10 04:00 283648 ------w c:\windows\system32\pdh.dll
2009-02-20 08:14 . 2004-08-10 04:00 668160 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:14 . 2004-08-10 04:00 81920 ------w c:\windows\system32\ieencode.dll
2009-02-09 10:20 . 2004-08-10 04:00 723456 ------w c:\windows\system32\lsasrv.dll
2009-02-09 10:20 . 2004-08-10 04:00 399360 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:20 . 2004-08-10 11:00 714752 ------w c:\windows\system32\ntdll.dll
2009-02-09 10:20 . 2004-08-10 04:00 616960 ------w c:\windows\system32\advapi32.dll
2009-02-09 10:19 . 2004-08-10 04:00 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-06 17:22 . 2004-08-10 11:00 2136064 ------w c:\windows\system32\ntoskrnl.exe
2009-02-06 17:14 . 2004-08-10 04:00 110592 ------w c:\windows\system32\services.exe
2009-02-06 16:54 . 2004-08-10 04:00 35328 ------w c:\windows\system32\sc.exe
2009-02-06 16:49 . 2004-08-10 11:00 2015744 ------w c:\windows\system32\ntkrnlpa.exe
2004-08-10 04:00 . 2004-08-10 04:00 94784 --sh--w c:\windows\twain.dll
2004-08-10 04:00 . 2004-08-10 04:00 50688 --sh--w c:\windows\twain_32.dll
2004-08-10 04:00 . 2004-08-10 04:00 1028096 --sh--w c:\windows\system32\mfc42.dll
2004-08-10 04:00 . 2004-08-10 04:00 54784 --sh--w c:\windows\system32\msvcirt.dll
2004-08-10 04:00 . 2004-08-10 04:00 413696 --sh--w c:\windows\system32\msvcp60.dll
2004-08-10 04:00 . 2004-08-10 04:00 343040 --sh--w c:\windows\system32\msvcrt.dll
2007-12-04 18:38 . 2004-08-10 04:00 550912 --sh--w c:\windows\system32\oleaut32.dll
2004-08-10 04:00 . 2004-08-10 04:00 83456 --sh--w c:\windows\system32\olepro32.dll
2004-08-10 04:00 . 2004-08-10 04:00 11776 --sh--w c:\windows\system32\regsvr32.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-04-23_01.36.22 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-05 23:33 . 2009-05-05 23:33 16384 c:\windows\temp\Perflib_Perfdata_fc.dat
- 2005-08-31 04:07 . 2009-04-23 01:29 53640 c:\windows\system32\perfc009.dat
+ 2005-08-31 04:07 . 2009-05-05 23:37 53640 c:\windows\system32\perfc009.dat
+ 2004-08-10 11:00 . 2004-08-10 11:00 19429 c:\windows\system32\MsDtc\Trace\msdtcvtr.bat
+ 2006-09-28 00:58 . 2006-04-13 17:30 3327 c:\windows\system32\pcintro\FirstBoot.bat
+ 2004-08-10 04:00 . 2004-08-09 21:00 2589 c:\windows\I386\RUNW32.BAT
- 2005-08-31 04:07 . 2009-04-23 01:29 382022 c:\windows\system32\perfh009.dat
+ 2005-08-31 04:07 . 2009-05-05 23:37 382022 c:\windows\system32\perfh009.dat
+ 2009-04-25 20:27 . 2009-04-25 20:27 148888 c:\windows\system32\javaws.exe
+ 2009-04-25 20:27 . 2009-04-25 20:27 144792 c:\windows\system32\javaw.exe
+ 2009-04-25 20:27 . 2009-04-25 20:27 144792 c:\windows\system32\java.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-09 7311360]
"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2004-12-14 663552]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-09-24 49152]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2007-03-15 24104]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2004-10-20 34904]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-09-28 180269]
"masqform.exe"="c:\program files\PureEdge\Viewer 6.0\masqform.exe" [2003-12-03 1052672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-04-27 257088]
"DISCover"="c:\program files\DISC\DISCover.exe" [2007-10-31 1095256]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-25 148888]
"ftutil2"="ftutil2.dll" - c:\windows\system32\ftutil2.dll [2004-06-07 106496]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2006-06-14 16239616]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" - c:\windows\arpwrmsg.exe [2005-08-03 77312]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-05-09 1519616]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-9-24 282624]
HPAiODevice(hp officejet 7100 series) - 1.lnk - c:\program files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe [2002-11-23 495682]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-9-27 36903]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - J:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1c674fb5-c997-11db-a519-001839111ba4}]
\Shell\AutoRun\command - J:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{31f46720-85f7-11dd-940e-001839111ba4}]
\Shell\AutoRun\command - J:\LaunchU3.exe -a
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: Add to AMV Convert Tool... - c:\program files\MP3 Player Utilities 4.00\AMVConverter\grab.html
IE: Add to Media Manager... - c:\program files\MP3 Player Utilities 4.00\MediaManager\grab.html
Trusted Zone: trymedia.com
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\sdqq9t6m.default\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-05 19:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(908)
c:\windows\system32\GTGina.dll

- - - - - - - > 'explorer.exe'(3420)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-05-05 19:42
ComboFix-quarantined-files.txt 2009-05-05 23:42
ComboFix2.txt 2009-05-04 02:22
ComboFix3.txt 2009-04-24 00:36
ComboFix4.txt 2009-04-23 01:39

Pre-Run: 147,040,845,824 bytes free
Post-Run: 147,026,878,464 bytes free

157 --- E O F --- 2009-04-23 12:41
Driftmom
Regular Member
 
Posts: 20
Joined: April 11th, 2009, 12:46 pm

Re: Troublesome Malware

Unread postby peku006 » May 6th, 2009, 2:44 am

Hi Driftmom
Looking good :)

1 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

2 - Status Check
Please reply with

a fresh HijackThis log
description of any problems you are having with your PC

Thanks peku006
User avatar
peku006
MRU Emeritus
MRU Emeritus
 
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: Troublesome Malware

Unread postby Driftmom » May 6th, 2009, 2:53 pm

Alright! I'm glad to hear that.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:52:08 PM, on 5/6/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\update.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.0\masqform.exe -UpdateCurrentUser
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DISCover] C:\Program Files\DISC\DISCover.exe nogui
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 4.00\AMVConverter\grab.html
O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 4.00\MediaManager\grab.html
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

--
End of file - 8415 bytes
Driftmom
Regular Member
 
Posts: 20
Joined: April 11th, 2009, 12:46 pm

Re: Troublesome Malware

Unread postby peku006 » May 7th, 2009, 2:29 am

Hi Driftmom

Congratulations, your log looks clean! :)

Next we remove all used tools.

Please download OTCleanIt and save it to desktop.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Disable and Enable System Restore-WINDOWS XP
This is a good time :

Turn off System Restore
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
  • Reboot.
Turn ON System Restore
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check *Turn off System Restore*.
  • Click Apply, and then click OK.
This will remove all restore points except the new one you just created.

Here are some free programs I recommend that could help you improve your computer's security.

Spybot Search and Destroy
Download it from here. Just choose a mirror and off you go.
Find here the tutorial on how to use Spybot properly here

Install SpyWare Blaster
Download it from here
Find here the tutorial on how to use Spyware Blaster here

Install WinPatrol
Download it from here
Here you can find information about how WinPatrol works here

Install FireTrust SiteHound
You can find information and download it from here

Install MVPS Hosts File from here
The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
Find Tutorial here : http://www.mvps.org/winhelp2002/hosts.htm

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector
F-secure Health Check

Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com

Please check out Tony Klein's article "How did I get infected in the first place?"

Read some information here how to prevent Malware.

Is your pc running slow?
Read What to do if your Computer is running slowly

Happy surfing and stay clean! :thumbup:
User avatar
peku006
MRU Emeritus
MRU Emeritus
 
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: Troublesome Malware

Unread postby Driftmom » May 7th, 2009, 8:43 pm

Before I can celebrate, something came up. I'm not sure what happened, but my AntiVirus program is saying that I have Rootkit.XCP.2 and XCP.3 on my system. My son helped me copy and paste the file path locations for both:

C:\WINDOWS\system32\$sys$caj.dll
C:\WINDOWS\system32\$sys$upgtool.exe
Driftmom
Regular Member
 
Posts: 20
Joined: April 11th, 2009, 12:46 pm

Re: Troublesome Malware

Unread postby peku006 » May 8th, 2009, 3:02 am

Hi Driftmom
it was not good news angry9:
INFORMATION ABOUT XCP PROTECTED CDs

Please download OTScanIt2 from Geeks to Go by OldTimer. Alternate download site.
Save it to your desktop.
  1. Double click on OTScanIt2.exe to run it.
  2. Click on Extract. Once done, when prompted. Click OK and click Close.
    This is a self-extracting file...It will create a folder named OTScanIt2 on your desktop.
  3. Double click on the OTScanIt2 folder to open... then double click on OTScanIt2.exe to run it.
  4. Under Rookit Search, select Yes.
  5. Click on Run Scan at the top left hand corner. It may take a few minutes...be patient, let it run.
  6. When done, Notepad will open with the log file "OTScanIt.Txt" contents.
Please post the contents of the OTScanIt.Txt Notepad file in your next reply.

Thanks peku006
User avatar
peku006
MRU Emeritus
MRU Emeritus
 
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: Troublesome Malware

Unread postby Driftmom » May 10th, 2009, 7:18 pm

Here's the OTScanIt log:

Code: Select all
OTScanIt2 logfile created on: 5/10/2009 6:22:32 PM - Run 1
OTScanIt2 by OldTimer - Version 1.0.14.0     Folder = C:\Documents and Settings\HP_Administrator\Desktop\OTScanIt2
Windows XP Media Center Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
958.48 Mb Total Physical Memory | 454.68 Mb Available Physical Memory | 47.44% Memory free
2.26 Gb Paging File | 1.80 Gb Available in Paging File | 79.54% Paging File free
Paging file location(s): C:\pagefile.sys 1440 2880;
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 177.45 Gb Total Space | 136.92 Gb Free Space | 77.16% Space Free | Partition Type: NTFS
Drive D: | 8.84 Gb Total Space | 0.55 Gb Free Space | 6.18% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: ROSEMARY
Current User Name: HP_Administrator
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: Current user
Whitelist: On
File Age = 30 Days
 
[Processes - Safe List]
aolacsd.exe -> %CommonProgramFiles%\AOL\ACS\AOLAcsd.exe -> [2004/10/20 09:40:04 | 00,010,328 | R--- | M] (America Online)
arpwrmsg.exe -> %SystemRoot%\ARPWRMSG.EXE -> [2005/08/03 02:19:16 | 00,077,312 | ---- | M] (Microsoft)
arservice.exe -> %SystemRoot%\arservice.exe -> [2005/08/03 02:19:16 | 00,058,880 | ---- | M] (Microsoft)
avgnt.exe -> %ProgramFiles%\Avira\AntiVir PersonalEdition Classic\avgnt.exe -> [2008/06/12 14:28:45 | 00,266,497 | ---- | M] (Avira GmbH)
avguard.exe -> %ProgramFiles%\Avira\AntiVir PersonalEdition Classic\avguard.exe -> [2008/10/15 14:30:02 | 00,151,297 | ---- | M] (Avira GmbH)
discover.exe -> %ProgramFiles%\DISC\DISCover.exe -> [2007/10/30 22:57:54 | 01,095,256 | ---- | M] (Digital Interactive Systems Corporation)
discstreamhub.exe -> %ProgramFiles%\DISC\DiscStreamHub.exe -> [2007/10/30 22:57:56 | 00,075,352 | ---- | M] (Digital Interactive Systems Corporation, Inc.)
dmascheduler.exe -> %ProgramFiles%\HP DigitalMedia Archive\DMAScheduler.exe -> [2006/04/13 12:05:00 | 00,090,112 | ---- | M] (Sonic Solutions)
ehmsas.exe -> %SystemRoot%\eHome\ehmsas.exe -> [2005/08/05 23:56:28 | 00,046,592 | ---- | M] (Microsoft Corporation)
ehrecvr.exe -> %SystemRoot%\eHome\ehRecvr.exe -> [2005/12/15 22:14:40 | 00,237,568 | ---- | M] (Microsoft Corporation)
ehsched.exe -> %SystemRoot%\eHome\ehSched.exe -> [2005/08/05 23:56:32 | 00,102,912 | ---- | M] (Microsoft Corporation)
ehtray.exe -> %SystemRoot%\ehome\ehtray.exe -> [2005/09/30 00:01:14 | 00,067,584 | ---- | M] (Microsoft Corporation)
explorer.exe -> %SystemRoot%\Explorer.EXE -> [2007/06/13 06:23:07 | 01,033,216 | ---- | M] (Microsoft Corporation)
firefox.exe -> %ProgramFiles%\Mozilla Firefox\firefox.exe -> [2009/04/18 15:35:56 | 00,307,704 | ---- | M] (Mozilla Corporation)
hpbootop.exe -> %ProgramFiles%\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe -> [2006/02/16 01:34:58 | 00,249,856 | ---- | M] (Hewlett-Packard Company)
hpgs2wnd.exe -> %ProgramFiles%\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe -> [2001/07/03 10:11:52 | 00,057,344 | ---- | M] (Hewlett-Packard)
hpgs2wnf.exe -> %ProgramFiles%\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe -> [2001/07/03 10:17:04 | 00,065,536 | ---- | M] ()
hpoevm07.exe -> %ProgramFiles%\Hewlett-Packard\AiO\Shared\Bin\hpoevm07.exe -> [2002/11/23 18:31:54 | 00,299,008 | ---- | M] (Hewlett-Packard Co.)
hpofxm07.exe -> %ProgramFiles%\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe -> [2002/11/23 19:29:12 | 00,188,416 | ---- | M] (Hewlett-Packard Co.)
hpogrp07.exe -> %ProgramFiles%\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe -> [2002/11/23 17:55:48 | 00,495,682 | ---- | M] (Hewlett-Packard Co.)
hposts07.exe -> %ProgramFiles%\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe -> [2002/11/23 18:57:36 | 00,294,912 | ---- | M] (Hewlett-Packard Co.)
hpqste08.exe -> %ProgramFiles%\HP\Digital Imaging\bin\hpqSTE08.exe -> [2005/09/24 01:27:56 | 00,204,800 | ---- | M] (Hewlett-Packard Development Company, L.P.)
hpqtra08.exe -> %ProgramFiles%\HP\Digital Imaging\bin\hpqtra08.exe -> [2005/09/24 00:28:44 | 00,282,624 | ---- | M] (Hewlett-Packard Development Company, L.P.)
hpsysdrv.exe -> %SystemRoot%\system\hpsysdrv.exe -> [1998/05/07 12:04:38 | 00,052,736 | ---- | M] (Hewlett-Packard Company)
hpwuschd2.exe -> %ProgramFiles%\HP\HP Software Update\HPWuSchd2.exe -> [2005/09/24 00:08:54 | 00,049,152 | ---- | M] (Hewlett-Packard Development Company, L.P.)
hpzipm12.exe -> %SystemRoot%\system32\HPZipm12.exe -> [2004/09/29 12:14:36 | 00,069,632 | ---- | M] (HP)
ipodservice.exe -> %ProgramFiles%\iPod\bin\iPodService.exe -> [2007/04/27 11:25:52 | 00,500,800 | ---- | M] (Apple Inc.)
ituneshelper.exe -> %ProgramFiles%\iTunes\iTunesHelper.exe -> [2007/04/27 11:25:58 | 00,257,088 | ---- | M] (Apple Inc.)
jqs.exe -> %ProgramFiles%\Java\jre6\bin\jqs.exe -> [2009/04/25 16:27:38 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.)
jusched.exe -> %ProgramFiles%\Java\jre6\bin\jusched.exe -> [2009/04/25 16:27:38 | 00,148,888 | ---- | M] (Sun Microsystems, Inc.)
kbd.exe -> %SystemDrive%\HP\KBD\KBD.EXE -> [2005/02/02 19:44:24 | 00,061,440 | ---- | M] (Hewlett-Packard Company)
lssrvc.exe -> %CommonProgramFiles%\LightScribe\LSSrvc.exe -> [2006/06/21 07:08:48 | 00,049,152 | ---- | M] (Hewlett-Packard Company)
mcrdsvc.exe -> %SystemRoot%\ehome\mcrdsvc.exe -> [2005/08/05 23:27:08 | 00,099,328 | ---- | M] (Microsoft Corporation)
nvsvc32.exe -> %SystemRoot%\system32\nvsvc32.exe -> [2006/05/09 18:50:00 | 00,131,139 | ---- | M] (NVIDIA Corporation)
otscanit2.exe -> %UserProfile%\Desktop\OTScanIt2\OTScanIt2.exe -> [2009/04/11 16:32:52 | 00,494,080 | ---- | M] (OldTimer Tools)
qttask.exe -> %ProgramFiles%\QuickTime\qttask.exe -> [2007/04/27 09:41:54 | 00,282,624 | ---- | M] (Apple Inc.)
reader_sl.exe -> %ProgramFiles%\Adobe\Acrobat 7.0\Reader\reader_sl.exe -> [2008/04/23 03:38:16 | 00,029,696 | ---- | M] (Adobe Systems Incorporated)
rthdcpl.exe -> %SystemRoot%\RTHDCPL.EXE -> [2006/06/13 23:05:26 | 16,239,616 | ---- | M] (Realtek Semiconductor Corp.)
sched.exe -> %ProgramFiles%\Avira\AntiVir PersonalEdition Classic\sched.exe -> [2008/10/15 14:31:53 | 00,068,865 | ---- | M] (Avira GmbH)
updates from hp.exe -> %ProgramFiles%\Updates from HP\9972322\Program\Updates from HP.exe -> [2006/09/27 20:58:31 | 00,036,903 | ---- | M] (Hewlett-Packard)
wlservice.exe -> %ProgramFiles%\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe -> [2005/07/04 16:46:04 | 00,053,307 | ---- | M] (GEMTEKS)
wmiprvse.exe -> %SystemRoot%\system32\wbem\wmiprvse.exe -> [2009/02/06 12:39:29 | 00,227,840 | ---- | M] (Microsoft Corporation)
wscntfy.exe -> %SystemRoot%\system32\wscntfy.exe -> [2004/08/10 00:00:00 | 00,013,824 | ---- | M] (Microsoft Corporation)
wusb54gc.exe -> %ProgramFiles%\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe -> [2005/11/22 13:44:44 | 05,245,952 | ---- | M] (Linksys)
zunelauncher.exe -> %ProgramFiles%\Zune\ZuneLauncher.exe -> [2007/03/14 20:03:04 | 00,024,104 | ---- | M] (Microsoft Corporation)
zunenss.exe -> %ProgramFiles%\Zune\ZuneNss.exe -> [2007/03/14 17:19:30 | 00,975,400 | ---- | M] (Microsoft Corporation)
 
[Win32 Services - Safe List]
(AntiVirScheduler) Avira AntiVir Personal - Free Antivirus Scheduler [Win32_Own | Auto | Running] -> %ProgramFiles%\Avira\AntiVir PersonalEdition Classic\sched.exe -> [2008/10/15 14:31:53 | 00,068,865 | ---- | M] (Avira GmbH)
(AntiVirService) Avira AntiVir Personal - Free Antivirus Guard [Win32_Own | Auto | Running] -> %ProgramFiles%\Avira\AntiVir PersonalEdition Classic\avguard.exe -> [2008/10/15 14:30:02 | 00,151,297 | ---- | M] (Avira GmbH)
(AOL ACS) AOL Connectivity Service [Win32_Own | Auto | Running] -> %CommonProgramFiles%\AOL\ACS\AOLAcsd.exe -> [2004/10/20 09:40:04 | 00,010,328 | R--- | M] (America Online)
(ARSVC) ARSVC [Win32_Own | Auto | Running] -> %SystemRoot%\arservice.exe -> [2005/08/03 02:19:16 | 00,058,880 | ---- | M] (Microsoft)
(aspnet_state) ASP.NET State Service [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe -> [2004/07/15 11:49:26 | 00,032,768 | ---- | M] (Microsoft Corporation)
(ehRecvr) Media Center Receiver Service [Win32_Own | Auto | Running] -> %SystemRoot%\eHome\ehRecvr.exe -> [2005/12/15 22:14:40 | 00,237,568 | ---- | M] (Microsoft Corporation)
(ehSched) Media Center Scheduler Service [Win32_Own | Auto | Running] -> %SystemRoot%\eHome\ehSched.exe -> [2005/08/05 23:56:32 | 00,102,912 | ---- | M] (Microsoft Corporation)
(helpsvc) Help and Support [Win32_Shared | Auto | Running] -> %SystemRoot%\PCHealth\HelpCtr\Binaries\pchsvc.dll -> [2004/08/10 00:00:00 | 00,038,912 | ---- | M] (Microsoft Corporation)
(IDriverT) InstallDriver Table Manager [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\InstallShield\Driver\1050\Intel 32\IDriverT.exe -> [2004/10/22 13:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation)
(iPod Service) iPod Service [Win32_Own | On_Demand | Running] -> %ProgramFiles%\iPod\bin\iPodService.exe -> [2007/04/27 11:25:52 | 00,500,800 | ---- | M] (Apple Inc.)
(JavaQuickStarterService) Java Quick Starter [Win32_Own | Auto | Running] -> %ProgramFiles%\Java\jre6\bin\jqs.exe -> [2009/04/25 16:27:38 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.)
(LightScribeService) LightScribeService Direct Disc Labeling Service [Win32_Own | Auto | Running] -> %CommonProgramFiles%\LightScribe\LSSrvc.exe -> [2006/06/21 07:08:48 | 00,049,152 | ---- | M] (Hewlett-Packard Company)
(McrdSvc) Media Center Extender Service [Win32_Own | Auto | Running] -> %SystemRoot%\ehome\mcrdsvc.exe -> [2005/08/05 23:27:08 | 00,099,328 | ---- | M] (Microsoft Corporation)
(MHN) MHN [Win32_Shared | On_Demand | Stopped] -> %SystemRoot%\System32\mhn.dll -> [2004/08/10 06:11:50 | 00,085,504 | ---- | M] (Microsoft Corporation)
(NVSvc) NVIDIA Display Driver Service [Win32_Own | Auto | Running] -> %SystemRoot%\system32\nvsvc32.exe -> [2006/05/09 18:50:00 | 00,131,139 | ---- | M] (NVIDIA Corporation)
(Pml Driver HPZ12) Pml Driver HPZ12 [Win32_Own | Auto | Running] -> %SystemRoot%\system32\HPZipm12.exe -> [2004/09/29 12:14:36 | 00,069,632 | ---- | M] (HP)
(WUSB54GCSVC) WUSB54GCSVC [Win32_Own | Auto | Running] ->  -> File not found
(ZuneNetworkSvc) Zune Network Sharing Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Zune\ZuneNss.exe -> [2007/03/14 17:19:30 | 00,975,400 | ---- | M] (Microsoft Corporation)
 
[Driver Services - Safe List]
(AegisP) AEGIS Protocol (IEEE 802.1x) v3.4.3.0 [Kernel | Auto | Running] -> %SystemRoot%\system32\DRIVERS\AegisP.sys -> [2007/04/09 21:13:31 | 00,020,747 | ---- | M] (Meetinghouse Data Communications)
(AFS2K) AFS2K [Kernel | System | Running] -> %SystemRoot%\System32\drivers\AFS2K.SYS -> [2004/10/07 21:16:04 | 00,035,840 | ---- | M] (Oak Technology Inc.)
(AmdK8) AMD Processor Driver [Kernel | System | Running] -> %SystemRoot%\system32\DRIVERS\AmdK8.sys -> [2005/03/09 17:53:00 | 00,036,352 | ---- | M] (Advanced Micro Devices)
(avgio) avgio [Kernel | System | Running] -> %ProgramFiles%\Avira\AntiVir PersonalEdition Classic\avgio.sys -> [2007/02/27 15:25:01 | 00,011,840 | ---- | M] (Avira GmbH)
(avgntflt) avgntflt [File_System | On_Demand | Running] -> %ProgramFiles%\Avira\AntiVir PersonalEdition Classic\avgntflt.sys -> [2008/05/20 16:29:41 | 00,052,032 | ---- | M] (Avira GmbH)
(avipbb) avipbb [Kernel | System | Running] -> %SystemRoot%\system32\DRIVERS\avipbb.sys -> [2008/10/30 11:21:03 | 00,075,072 | ---- | M] (Avira GmbH)
(BCM42RLY) BCM42RLY [Kernel | On_Demand | Stopped] -> %SystemRoot%\System32\BCM42RLY.SYS -> [2005/02/01 18:18:38 | 00,017,992 | ---- | M] (Broadcom Corporation)
(GEARAspiWDM) GEARAspiWDM [Kernel | On_Demand | Stopped] -> %SystemRoot%\System32\Drivers\GEARAspiWDM.sys -> [2006/09/19 14:44:04 | 00,015,664 | ---- | M] (GEAR Software Inc.)
(hcwPP2) Hauppauge WinTV PVR PCI II ([23|25|26]xxx) [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\hcwPP2.sys -> [2006/04/13 19:47:38 | 00,168,064 | ---- | M] (Hauppauge Computer Works, Inc.)
(HDAudBus) Microsoft UAA Bus Driver for High Definition Audio [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\HDAudBus.sys -> [2005/01/08 03:07:18 | 00,138,752 | ---- | M] (Windows (R) Server 2003 DDK provider)
(HPZid412) IEEE-1284.4 Driver HPZid412 [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\HPZid412.sys -> [2005/03/08 00:43:25 | 00,051,120 | R--- | M] (HP)
(HPZipr12) Print Class Driver for IEEE-1284.4 HPZipr12 [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\HPZipr12.sys -> [2005/03/08 00:43:26 | 00,016,496 | R--- | M] (HP)
(HPZius12) USB to IEEE-1284.4 Translation Driver HPZius12 [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\HPZius12.sys -> [2005/03/08 00:43:27 | 00,021,744 | R--- | M] (HP)
(IntcAzAudAddService) Service for Realtek HD Audio (WDM) [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\RtkHDAud.sys -> [2006/06/14 14:04:12 | 04,299,264 | ---- | M] (Realtek Semiconductor Corp.)
(nv) nv [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\nv4_mini.sys -> [2006/05/09 18:50:00 | 03,535,680 | ---- | M] (NVIDIA Corporation)
(NVENETFD) NVIDIA nForce Networking Controller Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\NVENETFD.sys -> [2006/03/03 18:31:02 | 00,034,176 | ---- | M] (NVIDIA Corporation)
(nvnetbus) NVIDIA Network Bus Enumerator [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\nvnetbus.sys -> [2006/03/03 18:31:04 | 00,013,056 | ---- | M] (NVIDIA Corporation)
(Ps2) Ps2 [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\PS2.sys -> [2005/12/12 20:27:00 | 00,019,072 | ---- | M] (Hewlett-Packard Company)
(Ptilink) Direct Parallel Link Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\ptilink.sys -> [2004/08/10 00:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.)
(PxHelp20) PxHelp20 [Kernel | Boot | Running] -> %SystemRoot%\System32\Drivers\PxHelp20.sys -> [2006/03/09 14:00:00 | 00,046,080 | ---- | M] (Sonic Solutions)
(rtl8139) Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\DRIVERS\RTL8139.SYS -> [2004/08/03 17:31:34 | 00,020,992 | ---- | M] (Realtek Semiconductor Corporation)
(Secdrv) Secdrv [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\DRIVERS\secdrv.sys -> [2007/11/13 06:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
(ssmdrv) ssmdrv [Kernel | System | Running] -> %SystemRoot%\system32\DRIVERS\ssmdrv.sys -> [2007/03/01 10:34:22 | 00,028,352 | ---- | M] (Avira GmbH)
(USB_RNDIS) Compact Wireless-G USB Network Adapter with SpeedBooster [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\usb8023.sys -> [2004/08/10 00:00:00 | 00,012,672 | ---- | M] (Microsoft Corporation)
 
[Registry - Safe List]
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> -> 
HKEY_LOCAL_MACHINE\: Main\\"Default_Page_URL" -> http://go.microsoft.com/fwlink/?LinkId=69157 -> 
HKEY_LOCAL_MACHINE\: Main\\"Default_Search_URL" -> http://go.microsoft.com/fwlink/?LinkId=54896 -> 
HKEY_LOCAL_MACHINE\: Main\\"Local Page" -> %SystemRoot%\system32\blank.htm -> 
HKEY_LOCAL_MACHINE\: Main\\"Search Page" -> http://go.microsoft.com/fwlink/?LinkId=54896 -> 
HKEY_LOCAL_MACHINE\: Main\\"Start Page" -> http://www.msn.com/ -> 
HKEY_LOCAL_MACHINE\: Search\\"CustomizeSearch" -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm -> 
HKEY_LOCAL_MACHINE\: Search\\"SearchAssistant" -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm -> 
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> -> 
HKEY_CURRENT_USER\: Main\\"Local Page" -> C:\WINDOWS\system32\blank.htm -> 
HKEY_CURRENT_USER\: Main\\"Search Page" -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 
HKEY_CURRENT_USER\: Main\\"Start Page" -> http://www.msn.com/ -> 
HKEY_CURRENT_USER\: SearchURL\\"provider" ->  -> 
HKEY_CURRENT_USER\: URLSearchHooks\\"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" [HKLM] -> %ProgramFiles%\Yahoo!\Companion\Installs\cpn\yt.dll [Yahoo! Toolbar] -> [2006/04/27 01:19:50 | 00,438,848 | ---- | M] (Yahoo! Inc.)
HKEY_CURRENT_USER\: "ProxyEnable" -> 0 -> 
< FireFox Settings [Prefs.js] > -> C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\FireFox\Profiles\sdqq9t6m.default\prefs.js -> 
extensions.enabledItems -> {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}:6.0.13 ->
extensions.enabledItems -> jqs@sun.com:1.0 ->
extensions.enabledItems -> {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.5 ->
< FireFox Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla
HKLM\software\mozilla\Firefox\Extensions ->  -> 
HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com -> %ProgramFiles%\JAVA\JRE6\LIB\DEPLOY\JQS\FF [C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF] -> [2009/04/25 16:27:40 | 00,000,000 | ---D | M]
HKLM\software\mozilla\Mozilla Firefox 3.0.5\extensions ->  -> 
HKLM\software\mozilla\Mozilla Firefox 3.0.5\extensions\\Components -> %ProgramFiles%\MOZILLA FIREFOX\COMPONENTS [C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS] -> [2009/04/18 15:36:13 | 00,000,000 | ---D | M]
HKLM\software\mozilla\Mozilla Firefox 3.0.5\extensions\\Plugins -> %ProgramFiles%\MOZILLA FIREFOX\PLUGINS [C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS] -> [2009/04/25 16:27:51 | 00,000,000 | ---D | M]
< FireFox Extensions [User Folders] > -> 
 -> C:\Documents and Settings\HP_Administrator\Application Data\mozilla\Extensions -> [2006/11/29 16:33:45 | 00,000,335 | ---- | M] ()
 -> C:\Documents and Settings\HP_Administrator\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384} -> [2006/11/29 16:33:45 | 00,000,335 | ---- | M] ()
 -> C:\Documents and Settings\HP_Administrator\Application Data\mozilla\Firefox\Profiles\sdqq9t6m.default\extensions -> [2009/04/25 16:28:17 | 00,096,446 | ---- | M] ()
< FireFox Extensions [Program Folders] > -> 
 -> C:\PROGRAM FILES\MOZILLA FIREFOX\extensions -> [2009/04/18 15:36:07 | 09,742,840 | ---- | M] (Mozilla Foundation)
 -> C:\PROGRAM FILES\MOZILLA FIREFOX\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} -> [2009/04/18 15:36:07 | 09,742,840 | ---- | M] (Mozilla Foundation)
 -> C:\PROGRAM FILES\MOZILLA FIREFOX\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} -> [2009/04/18 15:36:07 | 09,742,840 | ---- | M] (Mozilla Foundation)
< FireFox Components [Program Folders] > -> 
C:\PROGRAM FILES\MOZILLA FIREFOX\components\ -> C:\PROGRAM FILES\MOZILLA FIREFOX\components -> [2009/04/18 15:36:13 | 00,000,000 | ---D | M]
browserdirprovider.dll -> C:\PROGRAM FILES\MOZILLA FIREFOX\components\browserdirprovider.dll -> [2009/04/18 15:35:43 | 00,023,032 | ---- | M] (Mozilla Foundation)
brwsrcmp.dll -> C:\PROGRAM FILES\MOZILLA FIREFOX\components\brwsrcmp.dll -> [2009/04/18 15:35:43 | 00,134,648 | ---- | M] (Mozilla Foundation)
< FireFox Plugins [Program Folders] > -> 
C:\PROGRAM FILES\MOZILLA FIREFOX\plugins\ -> C:\PROGRAM FILES\MOZILLA FIREFOX\plugins -> [2009/04/25 16:27:51 | 00,000,000 | ---D | M]
flashplayer.xpt -> C:\PROGRAM FILES\MOZILLA FIREFOX\plugins\flashplayer.xpt -> [2006/11/09 15:35:00 | 00,000,856 | ---- | M] ()
np32dsw.dll -> C:\PROGRAM FILES\MOZILLA FIREFOX\plugins\np32dsw.dll -> [2007/08/07 13:35:32 | 00,049,152 | ---- | M] (Adobe Systems, Inc.)
npdeploytk.dll -> C:\PROGRAM FILES\MOZILLA FIREFOX\plugins\npdeploytk.dll -> [2009/04/25 16:27:39 | 00,410,984 | ---- | M] (Sun Microsystems, Inc.)
npnul32.dll -> C:\PROGRAM FILES\MOZILLA FIREFOX\plugins\npnul32.dll -> [2009/04/18 15:36:01 | 00,065,528 | ---- | M] (mozilla.org)
nppdf32.dll -> C:\PROGRAM FILES\MOZILLA FIREFOX\plugins\nppdf32.dll -> [2006/12/18 04:18:30 | 00,077,824 | ---- | M] (Adobe Systems Inc.)
npqtplugin.dll -> C:\PROGRAM FILES\MOZILLA FIREFOX\plugins\npqtplugin.dll -> [2007/05/09 13:22:51 | 00,131,072 | ---- | M] (Apple Inc.)
npqtplugin2.dll -> C:\PROGRAM FILES\MOZILLA FIREFOX\plugins\npqtplugin2.dll -> [2007/05/09 13:22:51 | 00,131,072 | ---- | M] (Apple Inc.)
npqtplugin3.dll -> C:\PROGRAM FILES\MOZILLA FIREFOX\plugins\npqtplugin3.dll -> [2007/05/09 13:22:52 | 00,131,072 | ---- | M] (Apple Inc.)
npqtplugin4.dll -> C:\PROGRAM FILES\MOZILLA FIREFOX\plugins\npqtplugin4.dll -> [2007/05/09 13:22:52 | 00,131,072 | ---- | M] (Apple Inc.)
npqtplugin5.dll -> C:\PROGRAM FILES\MOZILLA FIREFOX\plugins\npqtplugin5.dll -> [2007/05/09 13:22:52 | 00,131,072 | ---- | M] (Apple Inc.)
npqtplugin6.dll -> C:\PROGRAM FILES\MOZILLA FIREFOX\plugins\npqtplugin6.dll -> [2007/05/09 13:22:52 | 00,131,072 | ---- | M] (Apple Inc.)
npqtplugin7.dll -> C:\PROGRAM FILES\MOZILLA FIREFOX\plugins\npqtplugin7.dll -> [2007/05/09 13:22:52 | 00,131,072 | ---- | M] (Apple Inc.)
NPSWF32.dll -> C:\PROGRAM FILES\MOZILLA FIREFOX\plugins\NPSWF32.dll -> [2006/11/09 16:20:00 | 02,111,096 | ---- | M] ()
NPSWF32_FlashUtil.exe -> C:\PROGRAM FILES\MOZILLA FIREFOX\plugins\NPSWF32_FlashUtil.exe -> [2006/11/09 16:20:00 | 00,190,072 | ---- | M] (Adobe Systems, Inc.)
QuickTimePlugin.class -> C:\PROGRAM FILES\MOZILLA FIREFOX\plugins\QuickTimePlugin.cla -> [2007/05/09 13:22:51 | 00,004,208 | ---- | M] ()
ShockwavePlugin.class -> C:\PROGRAM FILES\MOZILLA FIREFOX\plugins\ShockwavePlugin.cla -> [2007/08/07 13:04:52 | 00,001,144 | ---- | M] ()
< FireFox SearchPlugins [Program Folders] > -> 
C:\PROGRAM FILES\MOZILLA FIREFOX\searchplugins\ -> C:\PROGRAM FILES\MOZILLA FIREFOX\searchplugins -> [2009/04/18 15:36:13 | 00,000,000 | ---D | M]
amazondotcom.xml -> C:\PROGRAM FILES\MOZILLA FIREFOX\searchplugins\amazondotcom.xml -> [2009/04/18 15:36:04 | 00,001,394 | ---- | M] ()
answers.xml -> C:\PROGRAM FILES\MOZILLA FIREFOX\searchplugins\answers.xml -> [2009/04/18 15:36:04 | 00,002,193 | ---- | M] ()
creativecommons.xml -> C:\PROGRAM FILES\MOZILLA FIREFOX\searchplugins\creativecommons.xml -> [2009/04/18 15:36:04 | 00,001,534 | ---- | M] ()
eBay.xml -> C:\PROGRAM FILES\MOZILLA FIREFOX\searchplugins\eBay.xml -> [2009/04/18 15:36:04 | 00,002,343 | ---- | M] ()
google.xml -> C:\PROGRAM FILES\MOZILLA FIREFOX\searchplugins\google.xml -> [2009/04/18 15:36:04 | 00,001,706 | ---- | M] ()
wikipedia.xml -> C:\PROGRAM FILES\MOZILLA FIREFOX\searchplugins\wikipedia.xml -> [2009/04/18 15:36:04 | 00,001,178 | ---- | M] ()
yahoo.xml -> C:\PROGRAM FILES\MOZILLA FIREFOX\searchplugins\yahoo.xml -> [2009/04/18 15:36:04 | 00,000,792 | ---- | M] ()
< HOSTS File > (27 bytes and 1 lines) -> C:\WINDOWS\System32\drivers\etc\Hosts -> 
Reset Hosts
127.0.0.1       localhost
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ -> 
{02478D38-C3F9-4EFB-9B51-7695ECA05670} [HKLM] -> %ProgramFiles%\Yahoo!\Companion\Installs\cpn\yt.dll [Yahoo! Toolbar Helper] -> [2006/04/27 01:19:50 | 00,438,848 | ---- | M] (Yahoo! Inc.)
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> [2006/12/18 04:16:42 | 00,059,032 | ---- | M] (Adobe Systems Incorporated)
{DBC80044-A445-435b-BC74-9C25C1C588A9} [HKLM] -> %ProgramFiles%\Java\jre6\bin\jp2ssv.dll [Java(tm) Plug-In 2 SSV Helper] -> [2009/04/25 16:27:38 | 00,035,840 | ---- | M] (Sun Microsystems, Inc.)
{E7E6F031-17CE-4C07-BC86-EABFE594F69C} [HKLM] -> %ProgramFiles%\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [JQSIEStartDetectorImpl Class] -> [2009/04/25 16:27:40 | 00,073,728 | ---- | M] (Sun Microsystems, Inc.)
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar -> 
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" [HKLM] -> %ProgramFiles%\Yahoo!\Companion\Installs\cpn\yt.dll [Yahoo! Toolbar] -> [2006/04/27 01:19:50 | 00,438,848 | ---- | M] (Yahoo! Inc.)
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ -> 
ShellBrowser\\"{C4069E3A-68F1-403E-B40E-20066696354B}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
WebBrowser\\"{C4069E3A-68F1-403E-B40E-20066696354B}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
WebBrowser\\"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" [HKLM] -> %ProgramFiles%\Yahoo!\Companion\Installs\cpn\yt.dll [Yahoo! Toolbar] -> [2006/04/27 01:19:50 | 00,438,848 | ---- | M] (Yahoo! Inc.)
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
"AlwaysReady Power Message APP" -> %SystemRoot%\ARPWRMSG.EXE [ARPWRMSG.EXE] -> [2005/08/03 02:19:16 | 00,077,312 | ---- | M] (Microsoft)
"AOLDialer" -> %CommonProgramFiles%\AOL\ACS\AOLDial.exe [C:\Program Files\Common Files\AOL\ACS\AOLDial.exe] -> [2004/10/20 09:40:04 | 00,034,904 | R--- | M] (America Online)
"avgnt" -> %ProgramFiles%\Avira\AntiVir PersonalEdition Classic\avgnt.exe ["C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min] -> [2008/06/12 14:28:45 | 00,266,497 | ---- | M] (Avira GmbH)
"DISCover" -> %ProgramFiles%\DISC\DISCover.exe [C:\Program Files\DISC\DISCover.exe nogui] -> [2007/10/30 22:57:54 | 01,095,256 | ---- | M] (Digital Interactive Systems Corporation)
"DMAScheduler" -> %ProgramFiles%\HP DigitalMedia Archive\DMAScheduler.exe ["c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"] -> [2006/04/13 12:05:00 | 00,090,112 | ---- | M] (Sonic Solutions)
"ehTray" -> %SystemRoot%\ehome\ehtray.exe [C:\WINDOWS\ehome\ehtray.exe] -> [2005/09/30 00:01:14 | 00,067,584 | ---- | M] (Microsoft Corporation)
"ftutil2" -> %SystemRoot%\system32\ftutil2.DLL [rundll32.exe ftutil2.dll,SetWriteCacheMode] -> [2004/06/07 17:05:38 | 00,106,496 | ---- | M] (Promise Technology, Inc.)
"HP Software Update" -> %ProgramFiles%\HP\HP Software Update\HPWuSchd2.exe [C:\Program Files\HP\HP Software Update\HPWuSchd2.exe] -> [2005/09/24 00:08:54 | 00,049,152 | ---- | M] (Hewlett-Packard Development Company, L.P.)
"HPBootOp" -> %ProgramFiles%\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe ["C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run] -> [2006/02/16 01:34:58 | 00,249,856 | ---- | M] (Hewlett-Packard Company)
"iTunesHelper" -> %ProgramFiles%\iTunes\iTunesHelper.exe ["C:\Program Files\iTunes\iTunesHelper.exe"] -> [2007/04/27 11:25:58 | 00,257,088 | ---- | M] (Apple Inc.)
"masqform.exe" -> %ProgramFiles%\PureEdge\Viewer 6.0\masqform.exe [C:\Program Files\PureEdge\Viewer 6.0\masqform.exe -UpdateCurrentUser] -> [2003/12/03 13:43:52 | 01,052,672 | ---- | M] (PureEdge Solutions Inc.)
"NvCplDaemon" -> %SystemRoot%\system32\NvCpl.DLL [RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup] -> [2006/05/09 18:50:00 | 07,311,360 | ---- | M] (NVIDIA Corporation)
"nwiz" -> %SystemRoot%\system32\nwiz.exe [nwiz.exe /install] -> [2006/05/09 18:50:00 | 01,519,616 | ---- | M] ()
"QuickTime Task" -> %ProgramFiles%\QuickTime\qttask.exe ["C:\Program Files\QuickTime\qttask.exe" -atboottime] -> [2007/04/27 09:41:54 | 00,282,624 | ---- | M] (Apple Inc.)
"Recguard" -> %SystemRoot%\SMINST\RECGUARD.EXE [C:\WINDOWS\SMINST\RECGUARD.EXE] -> [2005/07/23 01:14:00 | 00,237,568 | ---- | M] ()
"Reminder" -> %SystemRoot%\Creator\Remind_XP.exe ["C:\Windows\Creator\Remind_XP.exe"] -> [2004/12/14 05:23:44 | 00,663,552 | ---- | M] (SoftThinks)
"RTHDCPL" -> %SystemRoot%\RTHDCPL.EXE [RTHDCPL.EXE] -> [2006/06/13 23:05:26 | 16,239,616 | ---- | M] (Realtek Semiconductor Corp.)
"Share-to-Web Namespace Daemon" -> %ProgramFiles%\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe [C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe] -> [2001/07/03 10:11:52 | 00,057,344 | ---- | M] (Hewlett-Packard)
"SunJavaUpdateSched" -> %ProgramFiles%\Java\jre6\bin\jusched.exe ["C:\Program Files\Java\jre6\bin\jusched.exe"] -> [2009/04/25 16:27:38 | 00,148,888 | ---- | M] (Sun Microsystems, Inc.)
"TkBellExe" -> %CommonProgramFiles%\Real\Update_OB\realsched.exe ["C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot] -> [2006/09/27 20:40:47 | 00,180,269 | ---- | M] (RealNetworks, Inc.)
"Zune Launcher" -> %ProgramFiles%\Zune\ZuneLauncher.exe ["C:\Program Files\Zune\ZuneLauncher.exe"] -> [2007/03/14 20:03:04 | 00,024,104 | ---- | M] (Microsoft Corporation)
< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup -> 
%AllUsersProfile%\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk -> %ProgramFiles%\Adobe\Acrobat 7.0\Reader\reader_sl.exe -> [2008/04/23 03:38:16 | 00,029,696 | ---- | M] (Adobe Systems Incorporated)
%AllUsersProfile%\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk -> %ProgramFiles%\HP\Digital Imaging\bin\hpqtra08.exe -> [2005/09/24 00:28:44 | 00,282,624 | ---- | M] (Hewlett-Packard Development Company, L.P.)
%AllUsersProfile%\Start Menu\Programs\Startup\HPAiODevice(hp officejet 7100 series) - 1.lnk -> %ProgramFiles%\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe -> [2002/11/23 17:55:48 | 00,495,682 | ---- | M] (Hewlett-Packard Co.)
%AllUsersProfile%\Start Menu\Programs\Startup\Microsoft Office.lnk -> %ProgramFiles%\Microsoft Office\Office\OSA9.EXE -> [2000/01/21 04:15:54 | 00,065,588 | ---- | M] (Microsoft Corporation)
%AllUsersProfile%\Start Menu\Programs\Startup\Updates From HP.lnk -> %ProgramFiles%\Updates from HP\9972322\Program\Updates from HP.exe -> [2006/09/27 20:58:31 | 00,036,903 | ---- | M] (Hewlett-Packard)
< HP_Administrator Startup Folder > -> C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup -> 
< Software Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer -> 
< CurrentVersion Policy Settings - Explorer [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveAutoRun" ->  [67108863] -> File not found
\\"NoDriveTypeAutoRun" ->  [323] -> File not found
\\"NoDrives" ->  [0] -> File not found
\\"NoCDBurning" ->  [0] -> File not found
\\"HonorAutoRunSetting" ->  [1] -> File not found
< CurrentVersion Policy Settings - System [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
\\"dontdisplaylastusername" ->  [0] -> File not found
\\"legalnoticecaption" ->  [] -> File not found
\\"legalnoticetext" ->  [] -> File not found
\\"shutdownwithoutlogon" ->  [1] -> File not found
\\"undockwithoutlogon" ->  [1] -> File not found
\\"InstallVisualStyle" -> %SystemRoot%\Resources\Themes\Royale\Royale.mss [C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles] -> File not found
\\"InstallTheme" -> %SystemRoot%\Resources\Themes\Royale.the [C:\WINDOWS\Resources\Themes\Royale.theme] -> File not found
\\"DisableRegistryTools" ->  [0] -> File not found
< CurrentVersion Policy Settings - Explorer [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" ->  [323] -> File not found
\\"NoDriveAutoRun" ->  [67108863] -> File not found
\\"NoDrives" ->  [0] -> File not found
< CurrentVersion Policy Settings - System [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
< Internet Explorer Menu Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ -> 
Add to AMV Convert Tool... -> %ProgramFiles%\MP3 Player Utilities 4.00\AMVConverter\grab.html [C:\Program Files\MP3 Player Utilities 4.00\AMVConverter\grab.html] -> [2006/02/16 10:37:38 | 00,000,890 | ---- | M] ()
Add to Media Manager... -> %ProgramFiles%\MP3 Player Utilities 4.00\MediaManager\grab.html [C:\Program Files\MP3 Player Utilities 4.00\MediaManager\grab.html] -> [2006/02/15 09:30:44 | 00,000,890 | ---- | M] ()
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ -> 
{E2D4D26B-0180-43a4-B05F-462D6D54C789}:C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm [HKLM] -> %SystemRoot%\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm [Button: Internet Connection Help] -> [2006/09/27 21:01:10 | 00,000,706 | ---- | M] ()
{E2D4D26B-0180-43a4-B05F-462D6D54C789}:C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm [HKLM] -> %SystemRoot%\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm [Menu: Internet Connection Help] -> [2006/09/27 21:01:10 | 00,000,706 | ---- | M] ()
{FB5F1910-F110-11d2-BB9E-00C04F795683}:Exec [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Button: Messenger] -> [2004/10/13 19:24:37 | 01,694,208 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}:Exec [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Menu: Windows Messenger] -> [2004/10/13 19:24:37 | 01,694,208 | ---- | M] (Microsoft Corporation)
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\ -> 
CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] ->  [Reg Error: Value error.] -> File not found
CmdMapping\\"{E2D4D26B-0180-43a4-B05F-462D6D54C789}" [HKLM] ->  [Internet Connection Help] -> File not found
CmdMapping\\"{FB5F1910-F110-11d2-BB9E-00C04F795683}" [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/10/13 19:24:37 | 01,694,208 | ---- | M] (Microsoft Corporation)
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ -> 
PluginsPageFriendlyName -> Microsoft ActiveX Gallery -> 
PluginsPage -> http://activex.microsoft.com/controls/find.asp?ext=%s&mime=%s -> 
< Default Prefix > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
"" -> http://
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 5233 domain(s) found. -> 
trymedia.com .[http] -> Trusted sites -> 
trymedia.com .[https] -> Trusted sites -> 
49 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 36 range(s) found. -> 
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 5233 domain(s) found. -> 
48 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 36 range(s) found. -> 
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ -> 
{8AD9C840-044E-11D1-B3E9-00805F499D93} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab [Java Plug-in 1.6.0_13] -> 
{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab [Java Plug-in 1.6.0_13] -> 
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab [Java Plug-in 1.6.0_13] -> 
< DNS Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ -> 
{0C17A3B4-3F7B-4712-AC6B-1D15C0E1599B} ->    (1394 Net Adapter) -> 
{245582C6-3E1A-4415-A1FE-FD0E27D8D091} ->    (NVIDIA nForce Networking Controller) -> 
{2A0F2A6F-FE01-491D-95EA-C28E1AADE5FB} ->    () -> 
{892900FC-9814-4488-99C0-81491C1EE93D} ->    (HP EN1207D-TX PCI 10/100 Fast Ethernet Adapter) -> 
{8B4C7C9A-CFFC-4944-A5EF-05ABE5A942B7} ->    (Compact Wireless-G USB Network Adapter with SpeedBooster) -> 
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
*Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell -> 
Explorer.exe -> %SystemRoot%\Explorer.exe -> [2007/06/13 06:23:07 | 01,033,216 | ---- | M] (Microsoft Corporation)
*MultiFile Done* -> -> 
*GinaDLL* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\GinaDLL -> 
GTGina.dll -> %SystemRoot%\system32\GTGina.dll -> [2005/11/03 17:41:18 | 00,032,768 | ---- | M] (Gemtek)
*MultiFile Done* -> -> 
< Domain Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List -> 
"%windir%\system32\sessmgr.exe" -> C:\WINDOWS\system32\sessmgr.exe [%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019] -> [2004/08/10 00:00:00 | 00,140,800 | ---- | M] (Microsoft Corporation)
"C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe" -> C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe [C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe:*:Enabled:Updates from HP] -> [2006/09/27 20:58:31 | 00,036,903 | ---- | M] (Hewlett-Packard)
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List -> 
"%windir%\system32\sessmgr.exe" -> C:\WINDOWS\system32\sessmgr.exe [%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019] -> [2004/08/10 00:00:00 | 00,140,800 | ---- | M] (Microsoft Corporation)
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" -> C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe [C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL] -> [2004/10/20 09:40:04 | 00,010,328 | R--- | M] (America Online)
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" -> C:\Program Files\Common Files\AOL\ACS\AOLDial.exe [C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL] -> [2004/10/20 09:40:04 | 00,034,904 | R--- | M] (America Online)
"C:\Program Files\DISC\DISCover.exe" -> C:\Program Files\DISC\DISCover.exe [C:\Program Files\DISC\DISCover.exe:*:Enabled:DISCover Drop & Play System] -> [2007/10/30 22:57:54 | 01,095,256 | ---- | M] (Digital Interactive Systems Corporation)
"C:\Program Files\DISC\DiscStreamHub.exe" -> C:\Program Files\DISC\DiscStreamHub.exe [C:\Program Files\DISC\DiscStreamHub.exe:*:Enabled:DISCover Stream Hub] -> [2007/10/30 22:57:56 | 00,075,352 | ---- | M] (Digital Interactive Systems Corporation, Inc.)
"C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe" -> C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe [C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe:*:Enabled:hpfccopy.exe] -> [2005/05/12 08:34:58 | 00,151,635 | ---- | M] (Hewlett-Packard)
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe" -> C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe [C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe] -> [2005/05/24 02:34:36 | 00,057,344 | ---- | M] (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe" -> C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe [C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe] -> [2005/05/24 02:17:46 | 00,225,280 | ---- | M] (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe" -> C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe [C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe] -> [2005/05/24 02:18:00 | 00,040,960 | ---- | M] (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" -> C:\Program Files\HP\Digital Imaging\bin\hposid01.exe [C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe] -> [2005/05/24 02:13:32 | 00,081,920 | ---- | M] (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe" -> C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe [C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe:*:Enabled:hpqcopy.exe] -> [2005/05/24 02:42:00 | 00,172,032 | ---- | M] (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe" -> C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe [C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe] -> [2005/05/12 07:28:02 | 01,081,344 | ---- | M] (Hewlett-Packard)
"C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe" -> C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe [C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe:*:Enabled:hpqscnvw.exe] -> [2005/05/12 10:06:08 | 00,200,704 | ---- | M] ()
"C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe" -> C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe [C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe] -> [2005/09/24 01:27:56 | 00,204,800 | ---- | M] (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" -> C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe] -> [2005/09/24 00:28:44 | 00,282,624 | ---- | M] (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe" -> C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe [C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe] -> [2005/05/24 02:18:52 | 00,458,752 | ---- | M] (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe" -> C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe [C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe:*:Enabled:hpqdia.exe] -> [2006/02/10 02:41:28 | 00,573,440 | ---- | M] ( )
"C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe" -> C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe [C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe] -> [2006/02/10 02:43:36 | 00,110,592 | R--- | M] (Hewlett-Packard)
"C:\Program Files\iTunes\iTunes.exe" -> C:\Program Files\iTunes\iTunes.exe [C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes] -> [2007/04/27 11:25:54 | 14,672,448 | ---- | M] (Apple Inc.)
"C:\Program Files\LimeWire\LimeWire.exe" -> C:\Program Files\LimeWire\LimeWire.exe [C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire] -> [2007/06/29 19:31:09 | 00,147,456 | ---- | M] (Lime Wire, LLC)
"C:\Program Files\Messenger\msmsgs.exe" -> C:\Program Files\Messenger\msmsgs.exe [C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger] -> [2004/10/13 19:24:37 | 01,694,208 | ---- | M] (Microsoft Corporation)
"C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe" -> C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe [C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe:*:Enabled:Updates from HP] -> [2006/09/27 20:58:31 | 00,036,903 | ---- | M] (Hewlett-Packard)
< SafeBoot AlternateShell [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot -> 
"AlternateShell" -> cmd.exe -> 
< CDROM Autorun Setting [HKEY_LOCAL_MACHINE]> -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom ->
"AutoRun" -> 1 -> 
"DisplayName" -> CD-ROM Driver -> 
"ImagePath" -> %SystemRoot%\system32\DRIVERS\cdrom.sys [system32\DRIVERS\cdrom.sys] -> [2004/08/10 00:00:00 | 00,049,536 | ---- | M] (Microsoft Corporation)
< Drives with AutoRun files > ->  -> 
C:\AUTOEXEC.BAT [PATH=%PATH%;C:\PROGRA~1\COMMON~1\MUVEET~1\030625 | PATH=%PATH%;C:\PROGRA~1\COMMON~1\MUVEET~1\030625 | ] -> %SystemDrive%\AUTOEXEC.BAT [ NTFS ] -> [2006/09/27 20:54:07 | 00,000,100 | ---- | M] ()
D:\AUTOEXEC.BAT [] -> D:\AUTOEXEC.BAT [ FAT32 ] -> [2001/07/27 08:07:38 | 00,000,000 | -HS- | M] ()
D:\AUTORUN.FCB [[AUTORUN] | ShellExecute=Info.exe protect.ed 480 480 | ] -> D:\AUTORUN.FCB [ FAT32 ] -> [2004/04/30 00:01:14 | 00,000,053 | -HS- | M] ()
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 -> 
\J
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\J\Shell
\J\Shell\\"" ->  [AutoRun] -> File not found
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\J\Shell\AutoRun
\J\Shell\AutoRun\\"" ->  [Auto&Play] -> File not found
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\J\Shell\AutoRun\command
\J\Shell\AutoRun\command\\"" -> J:\LaunchU3.exe [J:\LaunchU3.exe -a] -> File not found
\{1c674fb5-c997-11db-a519-001839111ba4}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1c674fb5-c997-11db-a519-001839111ba4}\Shell
\{1c674fb5-c997-11db-a519-001839111ba4}\Shell\\"" ->  [AutoRun] -> File not found
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1c674fb5-c997-11db-a519-001839111ba4}\Shell\AutoRun
\{1c674fb5-c997-11db-a519-001839111ba4}\Shell\AutoRun\\"" ->  [Auto&Play] -> File not found
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1c674fb5-c997-11db-a519-001839111ba4}\Shell\AutoRun\command
\{1c674fb5-c997-11db-a519-001839111ba4}\Shell\AutoRun\command\\"" -> J:\LaunchU3.exe [J:\LaunchU3.exe] -> File not found
\{31f46720-85f7-11dd-940e-001839111ba4}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{31f46720-85f7-11dd-940e-001839111ba4}\Shell
\{31f46720-85f7-11dd-940e-001839111ba4}\Shell\\"" ->  [AutoRun] -> File not found
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{31f46720-85f7-11dd-940e-001839111ba4}\Shell\AutoRun
\{31f46720-85f7-11dd-940e-001839111ba4}\Shell\AutoRun\\"" ->  [Auto&Play] -> File not found
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{31f46720-85f7-11dd-940e-001839111ba4}\Shell\AutoRun\command
\{31f46720-85f7-11dd-940e-001839111ba4}\Shell\AutoRun\command\\"" -> J:\LaunchU3.exe [J:\LaunchU3.exe -a] -> File not found
 
 
[Files/Folders - Created Within 30 Days]
1 C:\Documents and Settings\HP_Administrator\Desktop\*.tmp files -> C:\Documents and Settings\HP_Administrator\Desktop\*.tmp -> 
OTScanIt2 -> %UserProfile%\Desktop\OTScanIt2 -> [2009/05/10 18:22:04 | 00,000,000 | ---D | C]
OTScanIt2.exe -> %UserProfile%\Desktop\OTScanIt2.exe -> [2009/05/10 18:21:48 | 00,665,196 | ---- | C] ()
RECYCLER -> %SystemDrive%\RECYCLER -> [2009/05/06 14:55:21 | 00,000,000 | -HSD | C]
Parent Center-Notice of Intent to Apply.docx -> %UserProfile%\Desktop\Parent Center-Notice of Intent to Apply.docx -> [2009/05/04 08:35:15 | 00,012,232 | ---- | C] ()
2009YOLM-Minutes4-24-09 -> %UserProfile%\Desktop\2009YOLM-Minutes4-24-09 -> [2009/04/27 07:20:50 | 00,045,029 | ---- | C] ()
Malwarebytes -> %AppData%\Malwarebytes -> [2009/04/23 20:39:05 | 00,000,000 | ---D | C]
mbam.sys -> %SystemRoot%\System32\drivers\mbam.sys -> [2009/04/23 20:39:04 | 00,015,504 | ---- | C] (Malwarebytes Corporation)
Malwarebytes' Anti-Malware.lnk -> %AllUsersProfile%\Desktop\Malwarebytes' Anti-Malware.lnk -> [2009/04/23 20:39:04 | 00,000,707 | ---- | C] ()
mbamswissarmy.sys -> %SystemRoot%\System32\drivers\mbamswissarmy.sys -> [2009/04/23 20:39:02 | 00,038,496 | ---- | C] (Malwarebytes Corporation)
Malwarebytes' Anti-Malware -> %ProgramFiles%\Malwarebytes' Anti-Malware -> [2009/04/23 20:39:01 | 00,000,000 | ---D | C]
Malwarebytes -> %AllUsersProfile%\Application Data\Malwarebytes -> [2009/04/23 20:39:01 | 00,000,000 | ---D | C]
mbam-setup.exe -> %UserProfile%\Desktop\mbam-setup.exe -> [2009/04/23 20:37:30 | 02,967,800 | ---- | C] (Malwarebytes Corporation                                    )
temp -> %SystemRoot%\temp -> [2009/04/23 20:36:40 | 00,000,000 | ---D | C]
SWXCACLS.exe -> %SystemRoot%\SWXCACLS.exe -> [2009/04/22 21:29:30 | 00,212,480 | ---- | C] (SteelWerX)
SWREG.exe -> %SystemRoot%\SWREG.exe -> [2009/04/22 21:29:30 | 00,161,792 | ---- | C] (SteelWerX)
SWSC.exe -> %SystemRoot%\SWSC.exe -> [2009/04/22 21:29:30 | 00,136,704 | ---- | C] (SteelWerX)
vFind.exe -> %SystemRoot%\vFind.exe -> [2009/04/22 21:29:30 | 00,117,248 | ---- | C] ()
sed.exe -> %SystemRoot%\sed.exe -> [2009/04/22 21:29:30 | 00,098,816 | ---- | C] ()
grep.exe -> %SystemRoot%\grep.exe -> [2009/04/22 21:29:30 | 00,080,412 | ---- | C] ()
zip.exe -> %SystemRoot%\zip.exe -> [2009/04/22 21:29:30 | 00,068,096 | ---- | C] ()
NIRCMD.exe -> %SystemRoot%\NIRCMD.exe -> [2009/04/22 21:29:30 | 00,029,696 | ---- | C] (NirSoft)
ERDNT -> %SystemRoot%\ERDNT -> [2009/04/22 21:29:25 | 00,000,000 | ---D | C]
Qoobox -> %SystemDrive%\Qoobox -> [2009/04/22 21:29:21 | 00,000,000 | ---D | C]
ComboFix.exe -> %UserProfile%\Desktop\ComboFix.exe -> [2009/04/22 21:28:28 | 03,012,988 | R--- | C] ()
OLa's Wedding Thank you.doc -> %UserProfile%\My Documents\OLa's Wedding Thank you.doc -> [2009/04/20 23:57:27 | 00,020,480 | ---- | C] ()
regsearch.zip -> %UserProfile%\Desktop\regsearch.zip -> [2009/04/19 17:56:10 | 00,345,156 | ---- | C] ()
rsit -> %SystemDrive%\rsit -> [2009/04/18 15:38:08 | 00,000,000 | ---D | C]
OST-Notice of Intent to Apply(2).docx -> %UserProfile%\Desktop\OST-Notice of Intent to Apply(2).docx -> [2009/04/18 01:03:39 | 00,011,814 | ---- | C] ()
OST-Notice of Intent to Apply.docx -> %UserProfile%\Desktop\OST-Notice of Intent to Apply.docx -> [2009/04/18 01:03:03 | 00,011,814 | ---- | C] ()
~$msleur Approach Order Confirmation.doc -> %UserProfile%\My Documents\~$msleur Approach Order Confirmation.doc -> [2009/04/11 14:47:20 | 00,000,162 | -H-- | C] ()
Pimsleur Approach Order Confirmation.doc -> %UserProfile%\My Documents\Pimsleur Approach Order Confirmation.doc -> [2009/04/11 11:49:21 | 00,026,112 | ---- | C] ()
WLAN.INI -> %SystemRoot%\System32\WLAN.INI -> [2007/04/09 21:13:14 | 00,001,361 | ---- | C] ()
HP_48BitScanUpdatePatch.ini -> %SystemRoot%\HP_48BitScanUpdatePatch.ini -> [2007/01/25 16:31:39 | 00,000,214 | ---- | C] ()
cdplayer.ini -> %SystemRoot%\cdplayer.ini -> [2007/01/24 16:38:46 | 00,000,025 | ---- | C] ()
PureEdgeAPI.ini -> %SystemRoot%\PureEdgeAPI.ini -> [2007/01/09 11:02:09 | 00,000,061 | ---- | C] ()
MSQOLE.DLL -> %SystemRoot%\System32\MSQOLE.DLL -> [2007/01/09 11:02:07 | 00,167,936 | ---- | C] ()
ODBC.INI -> %SystemRoot%\ODBC.INI -> [2006/12/07 00:12:24 | 00,000,376 | ---- | C] ()
GTW32N50.dll -> %SystemRoot%\System32\GTW32N50.dll -> [2006/11/18 21:29:48 | 00,094,208 | ---- | C] ()
DevMgr.ini -> %SystemRoot%\DevMgr.ini -> [2006/11/18 21:24:28 | 00,002,723 | ---- | C] ()
Hposcv07.INI -> %SystemRoot%\Hposcv07.INI -> [2006/11/18 21:19:56 | 00,000,020 | ---- | C] ()
smscfg.ini -> %SystemRoot%\smscfg.ini -> [2006/09/27 21:24:24 | 00,000,061 | ---- | C] ()
USBkey.sys -> %SystemRoot%\System32\drivers\USBkey.sys -> [2006/09/27 21:03:50 | 00,028,848 | ---- | C] ()
CHODDI.SYS -> %SystemRoot%\System32\CHODDI.SYS -> [2006/09/27 20:57:42 | 00,014,317 | ---- | C] ()
hpreg.dll -> %SystemRoot%\System32\hpreg.dll -> [2006/09/27 20:57:35 | 00,045,056 | ---- | C] ()
QUICKEN.INI -> %SystemRoot%\QUICKEN.INI -> [2006/09/27 20:54:21 | 00,000,174 | ---- | C] ()
WININIT.INI -> %SystemRoot%\WININIT.INI -> [2006/09/27 20:42:11 | 00,000,228 | ---- | C] ()
NSSetDefaultBrowser.ini -> %SystemRoot%\NSSetDefaultBrowser.ini -> [2006/09/27 20:41:31 | 00,000,698 | ---- | C] ()
fxsperf.ini -> %SystemRoot%\System32\fxsperf.ini -> [2006/09/27 20:35:17 | 00,001,793 | ---- | C] ()
hcwXDS.dll -> %SystemRoot%\System32\hcwXDS.dll -> [2006/09/27 20:33:13 | 00,102,400 | ---- | C] ()
nvwdmcpl.dll -> %SystemRoot%\System32\nvwdmcpl.dll -> [2006/09/27 20:32:11 | 01,662,976 | ---- | C] ()
nview.dll -> %SystemRoot%\System32\nview.dll -> [2006/09/27 20:32:11 | 01,466,368 | ---- | C] ()
nvwimg.dll -> %SystemRoot%\System32\nvwimg.dll -> [2006/09/27 20:32:11 | 01,019,904 | ---- | C] ()
nvhwvid.dll -> %SystemRoot%\System32\nvhwvid.dll -> [2006/09/27 20:32:11 | 00,573,440 | ---- | C] ()
nvshell.dll -> %SystemRoot%\System32\nvshell.dll -> [2006/09/27 20:32:11 | 00,466,944 | ---- | C] ()
nvnt4cpl.dll -> %SystemRoot%\System32\nvnt4cpl.dll -> [2006/09/27 20:32:11 | 00,286,720 | ---- | C] ()
nvapi.dll -> %SystemRoot%\System32\nvapi.dll -> [2006/09/27 20:32:10 | 00,106,496 | ---- | C] ()
orun32.ini -> %SystemRoot%\orun32.ini -> [2006/09/27 20:30:42 | 00,000,791 | ---- | C] ()
pythoncom22.dll -> %SystemRoot%\System32\pythoncom22.dll -> [2006/09/27 20:09:10 | 00,323,584 | ---- | C] ()
pywintypes22.dll -> %SystemRoot%\System32\pywintypes22.dll -> [2006/09/27 20:09:10 | 00,094,208 | ---- | C] ()
bcbmm.dll -> %SystemRoot%\System32\bcbmm.dll -> [2006/09/27 20:08:50 | 00,016,896 | ---- | C] ()
px.ini -> %SystemRoot%\System32\px.ini -> [2006/06/16 14:58:18 | 00,000,000 | ---- | C] ()
win.ini -> %SystemRoot%\win.ini -> [2005/08/31 00:02:00 | 00,000,883 | ---- | C] ()
system.ini -> %SystemRoot%\system.ini -> [2005/08/30 16:52:36 | 00,000,227 | ---- | C] ()
psisdecd.dll -> %SystemRoot%\System32\psisdecd.dll -> [2005/08/06 00:01:54 | 00,239,104 | ---- | C] ()
armcex.dll -> %SystemRoot%\armcex.dll -> [2005/08/03 02:19:16 | 00,050,176 | ---- | C] ()
qt-mt331.dll -> %SystemRoot%\System32\qt-mt331.dll -> [2004/09/16 23:24:26 | 03,375,104 | ---- | C] ()
ADFUUD.SYS -> %SystemRoot%\System32\drivers\ADFUUD.SYS -> [2004/09/16 13:26:40 | 00,012,634 | ---- | C] ()
ADFUUD.SYS -> %SystemRoot%\ADFUUD.SYS -> [2004/09/16 13:26:40 | 00,012,634 | ---- | C] ()
oeminfo.ini -> %SystemRoot%\System32\oeminfo.ini -> [2004/07/26 10:51:38 | 00,000,560 | ---- | C] ()
win2000.dll -> %SystemRoot%\System32\win2000.dll -> [2002/11/23 19:48:16 | 00,159,744 | ---- | C] ()
hptcpmon.ini -> %SystemRoot%\System32\hptcpmon.ini -> [2001/07/06 15:30:00 | 00,003,399 | ---- | C] ()
MSRTEDIT.DLL -> %SystemRoot%\System32\MSRTEDIT.DLL -> [1999/01/22 14:46:56 | 00,065,536 | ---- | C] ()
REGOBJ.DLL -> %SystemRoot%\System32\REGOBJ.DLL -> [1998/01/12 04:00:00 | 00,040,448 | ---- | C] ()
 
[Files/Folders - Modified Within 30 Days]
1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> 
1 C:\Documents and Settings\HP_Administrator\My Documents\*.tmp files -> C:\Documents and Settings\HP_Administrator\My Documents\*.tmp -> 
1 C:\Documents and Settings\HP_Administrator\Desktop\*.tmp files -> C:\Documents and Settings\HP_Administrator\Desktop\*.tmp -> 
13 C:\Documents and Settings\HP_Administrator\Local Settings\temp\*.tmp files -> C:\Documents and Settings\HP_Administrator\Local Settings\temp\*.tmp -> 
13 C:\Documents and Settings\HP_Administrator\Local Settings\temp\*.tmp files -> C:\Documents and Settings\HP_Administrator\Local Settings\temp\*.tmp -> 
1 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp -> 
hpsysdrv.DAT -> %SystemRoot%\System\hpsysdrv.DAT -> [2009/05/10 18:22:16 | 00,000,186 | ---- | M] ()
NTUSER.DAT -> %UserProfile%\NTUSER.DAT -> [2009/05/10 18:21:57 | 06,815,744 | -H-- | M] ()
OTScanIt2.exe -> %UserProfile%\Desktop\OTScanIt2.exe -> [2009/05/10 18:21:50 | 00,665,196 | ---- | M] ()
wpa.dbl -> %SystemRoot%\System32\wpa.dbl -> [2009/05/10 18:20:35 | 00,001,158 | ---- | M] ()
Perflib_Perfdata_cb4.dat -> %UserProfile%\Local Settings\temp\Perflib_Perfdata_cb4.dat -> [2009/05/10 18:20:31 | 00,000,000 | ---- | M] ()
nvapps.xml -> %SystemRoot%\System32\nvapps.xml -> [2009/05/10 18:20:29 | 00,043,531 | ---- | M] ()
Perflib_Perfdata_d8.dat -> %SystemRoot%\Temp\Perflib_Perfdata_d8.dat -> [2009/05/10 18:20:21 | 00,016,384 | ---- | M] ()
SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [2009/05/10 18:20:19 | 00,000,006 | -H-- | M] ()
bootstat.dat -> %SystemRoot%\bootstat.dat -> [2009/05/10 18:20:17 | 00,002,048 | --S- | M] ()
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [2009/05/10 18:20:16 | 10,051,13344 | -HS- | M] ()
ntuser.ini -> %UserProfile%\ntuser.ini -> [2009/05/10 18:19:11 | 00,000,178 | -HS- | M] ()
PerfStringBackup.INI -> %SystemRoot%\System32\PerfStringBackup.INI -> [2009/05/07 20:44:43 | 00,441,690 | ---- | M] ()
perfh009.dat -> %SystemRoot%\System32\perfh009.dat -> [2009/05/07 20:44:43 | 00,382,022 | ---- | M] ()
perfc009.dat -> %SystemRoot%\System32\perfc009.dat -> [2009/05/07 20:44:43 | 00,053,640 | ---- | M] ()
system.ini -> %SystemRoot%\system.ini -> [2009/05/05 19:41:26 | 00,000,227 | ---- | M] ()
ComboFix.exe -> %UserProfile%\Desktop\ComboFix.exe -> [2009/05/05 19:38:28 | 03,012,988 | R--- | M] ()
Parent Center-Notice of Intent to Apply.docx -> %UserProfile%\Desktop\Parent Center-Notice of Intent to Apply.docx -> [2009/05/04 08:35:16 | 00,012,232 | ---- | M] ()
qmgr1.dat -> %AllUsersProfile%\Application Data\Microsoft\Network\Downloader\qmgr1.dat -> [2009/05/04 08:14:05 | 00,004,096 | ---- | M] ()
qmgr0.dat -> %AllUsersProfile%\Application Data\Microsoft\Network\Downloader\qmgr0.dat -> [2009/05/04 08:14:05 | 00,004,096 | ---- | M] ()
hosts -> %SystemRoot%\System32\drivers\etc\hosts -> [2009/05/03 22:18:26 | 00,000,027 | ---- | M] ()
vFind.exe -> %SystemRoot%\vFind.exe -> [2009/05/01 15:36:46 | 00,117,248 | ---- | M] ()
2009YOLM-Minutes4-24-09 -> %UserProfile%\Desktop\2009YOLM-Minutes4-24-09 -> [2009/04/27 07:20:50 | 00,045,029 | ---- | M] ()
2008 CHRIST APOSTOLIC CHURCH MONTHLY CONTRIBUTION.doc -> %UserProfile%\My Documents\2008 CHRIST APOSTOLIC CHURCH MONTHLY CONTRIBUTION.doc -> [2009/04/25 09:17:09 | 00,565,760 | ---- | M] ()
Malwarebytes' Anti-Malware.lnk -> %AllUsersProfile%\Desktop\Malwarebytes' Anti-Malware.lnk -> [2009/04/23 20:39:04 | 00,000,707 | ---- | M] ()
mbam-setup.exe -> %UserProfile%\Desktop\mbam-setup.exe -> [2009/04/23 20:37:42 | 02,967,800 | ---- | M] (Malwarebytes Corporation                                    )
2009 CAC  INDIVIDUAL CONTRIBUTION.xls -> %UserProfile%\My Documents\2009 CAC  INDIVIDUAL CONTRIBUTION.xls -> [2009/04/21 11:45:36 | 00,152,064 | ---- | M] ()
OLa's Wedding Thank you.doc -> %UserProfile%\My Documents\OLa's Wedding Thank you.doc -> [2009/04/21 00:52:51 | 00,020,480 | ---- | M] ()
regsearch.zip -> %UserProfile%\Desktop\regsearch.zip -> [2009/04/19 17:56:10 | 00,345,156 | ---- | M] ()
OLa's Wedding.doc -> %UserProfile%\My Documents\OLa's Wedding.doc -> [2009/04/18 15:33:22 | 00,019,456 | ---- | M] ()
imsins.BAK -> %SystemRoot%\imsins.BAK -> [2009/04/18 03:03:26 | 00,001,374 | ---- | M] ()
OST-Notice of Intent to Apply(2).docx -> %UserProfile%\Desktop\OST-Notice of Intent to Apply(2).docx -> [2009/04/18 01:03:37 | 00,011,814 | ---- | M] ()
OST-Notice of Intent to Apply.docx -> %UserProfile%\Desktop\OST-Notice of Intent to Apply.docx -> [2009/04/18 01:03:01 | 00,011,814 | ---- | M] ()
~$msleur Approach Order Confirmation.doc -> %UserProfile%\My Documents\~$msleur Approach Order Confirmation.doc -> [2009/04/11 14:47:20 | 00,000,162 | -H-- | M] ()
Pimsleur Approach Order Confirmation.doc -> %UserProfile%\My Documents\Pimsleur Approach Order Confirmation.doc -> [2009/04/11 11:49:22 | 00,026,112 | ---- | M] ()
CalMRU.dat -> %AllUsersProfile%\Application Data\Microsoft\Works\CalMRU.dat -> [2007/02/03 03:47:01 | 00,000,012 | ---- | M] ()
wklntsk1.dat -> %AllUsersProfile%\Application Data\Microsoft\Works\wklntsk1.dat -> [2006/11/18 21:26:39 | 00,166,221 | ---- | M] ()
wkcalcat.dat -> %AllUsersProfile%\Application Data\Microsoft\Works\wkcalcat.dat -> [2006/11/18 21:25:13 | 00,016,384 | ---- | M] ()
IadHide5.dll -> %UserProfile%\Local Settings\temp\IadHide5.dll -> [2006/09/27 20:58:28 | 00,024,613 | ---- | M] (BackWeb)
[CatchMe Rootkit Scan by GMER]
< Windows folder & sub-folders >
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
< Document and Settings folder & sub folders >
scanning hidden files ...
C:\Documents and Settings\HP_Administrator\My Documents\My DVDs\Untitled\Untitled.dvd:Afp_AfpInfo 48 bytes
scan completed successfully
hidden files: 157
 
< End of report >
Driftmom
Regular Member
 
Posts: 20
Joined: April 11th, 2009, 12:46 pm

Re: Troublesome Malware

Unread postby peku006 » May 11th, 2009, 8:15 am

Hi Driftmom

SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code: Select all
    :regfind
    $sys$caj.dll
    $sys$upgtool.exe
    
     

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found at on your Desktop entitled SystemLook.txt

Thanks peku006
User avatar
peku006
MRU Emeritus
MRU Emeritus
 
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: Troublesome Malware

Unread postby Driftmom » May 11th, 2009, 7:48 pm

Here it is:

SystemLook v1.0 by jpshortstuff (24.04.09)
Log created at 19:46 on 11/05/2009 by HP_Administrator (Administrator - Elevation successful)

========== regfind ==========

Searching for "$sys$caj.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CoDeviceInstallers]
""{4D36E965-E325-11CE-BFC1-08002BE10318}""=="SysSetup.Dll,StorageCoInstaller SysSetup.Dll,CriticalDeviceCoInstaller $sys$caj.dll,CoInstallCdrom"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CoDeviceInstallers]
""{4D36E965-E325-11CE-BFC1-08002BE10318}""=="SysSetup.Dll,StorageCoInstaller SysSetup.Dll,CriticalDeviceCoInstaller $sys$caj.dll,CoInstallCdrom"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CoDeviceInstallers]
""{4D36E965-E325-11CE-BFC1-08002BE10318}""=="SysSetup.Dll,StorageCoInstaller SysSetup.Dll,CriticalDeviceCoInstaller $sys$caj.dll,CoInstallCdrom"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CoDeviceInstallers]
""{4D36E965-E325-11CE-BFC1-08002BE10318}""=="SysSetup.Dll,StorageCoInstaller SysSetup.Dll,CriticalDeviceCoInstaller $sys$caj.dll,CoInstallCdrom"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CoDeviceInstallers]
""{4D36E965-E325-11CE-BFC1-08002BE10318}""=="SysSetup.Dll,StorageCoInstaller SysSetup.Dll,CriticalDeviceCoInstaller $sys$caj.dll,CoInstallCdrom"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CoDeviceInstallers]
""{4D36E965-E325-11CE-BFC1-08002BE10318}""=="SysSetup.Dll,StorageCoInstaller SysSetup.Dll,CriticalDeviceCoInstaller $sys$caj.dll,CoInstallCdrom"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CoDeviceInstallers]
""{4D36E965-E325-11CE-BFC1-08002BE10318}""=="SysSetup.Dll,StorageCoInstaller SysSetup.Dll,CriticalDeviceCoInstaller $sys$caj.dll,CoInstallCdrom"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CoDeviceInstallers]
""{4D36E965-E325-11CE-BFC1-08002BE10318}""=="SysSetup.Dll,StorageCoInstaller SysSetup.Dll,CriticalDeviceCoInstaller $sys$caj.dll,CoInstallCdrom"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CoDeviceInstallers]
""{4D36E965-E325-11CE-BFC1-08002BE10318}""=="SysSetup.Dll,StorageCoInstaller SysSetup.Dll,CriticalDeviceCoInstaller $sys$caj.dll,CoInstallCdrom"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CoDeviceInstallers]
""{4D36E965-E325-11CE-BFC1-08002BE10318}""=="SysSetup.Dll,StorageCoInstaller SysSetup.Dll,CriticalDeviceCoInstaller $sys$caj.dll,CoInstallCdrom"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CoDeviceInstallers]
""{4D36E965-E325-11CE-BFC1-08002BE10318}""=="SysSetup.Dll,StorageCoInstaller SysSetup.Dll,CriticalDeviceCoInstaller $sys$caj.dll,CoInstallCdrom"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CoDeviceInstallers]
""{4D36E965-E325-11CE-BFC1-08002BE10318}""=="SysSetup.Dll,StorageCoInstaller SysSetup.Dll,CriticalDeviceCoInstaller $sys$caj.dll,CoInstallCdrom"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CoDeviceInstallers]
""{4D36E965-E325-11CE-BFC1-08002BE10318}""=="SysSetup.Dll,StorageCoInstaller SysSetup.Dll,CriticalDeviceCoInstaller $sys$caj.dll,CoInstallCdrom"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CoDeviceInstallers]
""{4D36E965-E325-11CE-BFC1-08002BE10318}""=="SysSetup.Dll,StorageCoInstaller SysSetup.Dll,CriticalDeviceCoInstaller $sys$caj.dll,CoInstallCdrom"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CoDeviceInstallers]
""{4D36E965-E325-11CE-BFC1-08002BE10318}""=="SysSetup.Dll,StorageCoInstaller SysSetup.Dll,CriticalDeviceCoInstaller $sys$caj.dll,CoInstallCdrom"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CoDeviceInstallers]
""{4D36E965-E325-11CE-BFC1-08002BE10318}""=="SysSetup.Dll,StorageCoInstaller SysSetup.Dll,CriticalDeviceCoInstaller $sys$caj.dll,CoInstallCdrom"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CoDeviceInstallers]
""{4D36E965-E325-11CE-BFC1-08002BE10318}""=="SysSetup.Dll,StorageCoInstaller SysSetup.Dll,CriticalDeviceCoInstaller $sys$caj.dll,CoInstallCdrom"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CoDeviceInstallers]
""{4D36E965-E325-11CE-BFC1-08002BE10318}""=="SysSetup.Dll,StorageCoInstaller SysSetup.Dll,CriticalDeviceCoInstaller $sys$caj.dll,CoInstallCdrom"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CoDeviceInstallers]
""{4D36E965-E325-11CE-BFC1-08002BE10318}""=="SysSetup.Dll,StorageCoInstaller SysSetup.Dll,CriticalDeviceCoInstaller $sys$caj.dll,CoInstallCdrom"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CoDeviceInstallers]
""{4D36E965-E325-11CE-BFC1-08002BE10318}""=="SysSetup.Dll,StorageCoInstaller SysSetup.Dll,CriticalDeviceCoInstaller $sys$caj.dll,CoInstallCdrom"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CoDeviceInstallers]
""{4D36E965-E325-11CE-BFC1-08002BE10318}""=="SysSetup.Dll,StorageCoInstaller SysSetup.Dll,CriticalDeviceCoInstaller $sys$caj.dll,CoInstallCdrom"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CoDeviceInstallers]
""{4D36E965-E325-11CE-BFC1-08002BE10318}""=="SysSetup.Dll,StorageCoInstaller SysSetup.Dll,CriticalDeviceCoInstaller $sys$caj.dll,CoInstallCdrom"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CoDeviceInstallers]
""{4D36E965-E325-11CE-BFC1-08002BE10318}""=="SysSetup.Dll,StorageCoInstaller SysSetup.Dll,CriticalDeviceCoInstaller $sys$caj.dll,CoInstallCdrom"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CoDeviceInstallers]
""{4D36E965-E325-11CE-BFC1-08002BE10318}""=="SysSetup.Dll,StorageCoInstaller SysSetup.Dll,CriticalDeviceCoInstaller $sys$caj.dll,CoInstallCdrom"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CoDeviceInstallers]
""{4D36E965-E325-11CE-BFC1-08002BE10318}""=="SysSetup.Dll,StorageCoInstaller SysSetup.Dll,CriticalDeviceCoInstaller $sys$caj.dll,CoInstallCdrom"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CoDeviceInstallers]
""{4D36E965-E325-11CE-BFC1-08002BE10318}""=="SysSetup.Dll,StorageCoInstaller SysSetup.Dll,CriticalDeviceCoInstaller $sys$caj.dll,CoInstallCdrom"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CoDeviceInstallers]
""{4D36E965-E325-11CE-BFC1-08002BE10318}""=="SysSetup.Dll,StorageCoInstaller SysSetup.Dll,CriticalDeviceCoInstaller $sys$caj.dll,CoInstallCdrom"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CoDeviceInstallers]
""{4D36E965-E325-11CE-BFC1-08002BE10318}""=="SysSetup.Dll,StorageCoInstaller SysSetup.Dll,CriticalDeviceCoInstaller $sys$caj.dll,CoInstallCdrom"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CoDeviceInstallers]
""{4D36E965-E325-11CE-BFC1-08002BE10318}""=="SysSetup.Dll,StorageCoInstaller SysSetup.Dll,CriticalDeviceCoInstaller $sys$caj.dll,CoInstallCdrom"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CoDeviceInstallers]
""{4D36E965-E325-11CE-BFC1-08002BE10318}""=="SysSetup.Dll,StorageCoInstaller SysSetup.Dll,CriticalDeviceCoInstaller $sys$caj.dll,CoInstallCdrom"

Searching for "$sys$upgtool.exe"
No data found.

-=End Of File=-
Driftmom
Regular Member
 
Posts: 20
Joined: April 11th, 2009, 12:46 pm

Re: Troublesome Malware

Unread postby peku006 » May 12th, 2009, 3:09 am

Hi Driftmom
we have to start over again

Launch Notepad, and copy/paste the box below into a new text file. Save it as Options.txt on your Desktop.
Code: Select all
RegSearch Options File

[Search]
$sys$
ECDDiskProducer
SonyBMG
crater
aries
qwap

[Exclude]

[Options]
Filter=KVDLUI

Download Registry Search and extract it. Doubleclick the icon to run and click on "Import...". Select the file you created above. Click "OK" and Registry Search will search the Registry and report what it finds. Post that here.

Thanks peku006
User avatar
peku006
MRU Emeritus
MRU Emeritus
 
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: Troublesome Malware

Unread postby Driftmom » May 12th, 2009, 2:40 pm

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.6.0

; Results at 5/12/2009 2:38:55 PM for strings:
; '$sys$'
; 'ecddiskproducer'
; 'sonybmg'
; 'crater'
; 'aries'
; 'qwap'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SOFTWARE\$sys$reference]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{06290BD5-48AA-11D2-8432-006008C3FBFC}]
@="Object for constructing type libraries for scriptlets"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{273380E8-1438-4B2C-95B0-713284FBC302}\InprocServer32]
@="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\msinfo.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{273380E8-1438-4B2C-95B0-713284FBC302}\ToolboxBitmap32]
@="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\msinfo.dll, 102"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{349C6ABE-A30C-11D1-ABE5-00C04FC30999}]
@="MSOLAPAuxiliaries Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{349C6ABE-A30C-11D1-ABE5-00C04FC30999}\ProgID]
@="MSOlapAdmin.MSOLAPAuxiliaries.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{349C6ABE-A30C-11D1-ABE5-00C04FC30999}\VersionIndependentProgID]
@="MSOlapAdmin.MSOLAPAuxiliaries"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4CE546FF-9128-465E-B5C5-5A36CFC2C285}\InprocServer32]
@="C:\\Program Files\\Common Files\\MSSoap\\Binaries\\mssoap1.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4ECB650F-4630-41D3-AC9A-C8F926FC5907}\InprocServer32]
@="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\msinfo.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6205B8C9-75FF-4623-A50A-88E1F14EAFF2}\InprocServer32]
@="C:\\Program Files\\Common Files\\MSSoap\\Binaries\\mssoap1.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{86D54F3D-652D-4ab3-A1A6-14D403F6C813}\InProcServer32]
@="C:\\Program Files\\Common Files\\MSSoap\\Binaries\\mssoap1.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9C5754F7-ADF5-4D82-B181-0F8FC5EA882B}\InProcServer32]
@="C:\\Program Files\\Common Files\\MSSoap\\Binaries\\mssoap1.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A0F93E27-F05D-4153-A151-F3720369A4C7}\InprocServer32]
@="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\msinfo.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AA535F30-D78F-4985-ACDE-21E523848432}\InprocServer32]
@="C:\\Program Files\\Quicken\\qwapp.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AA535F30-D78F-4985-ACDE-21E523848432}\ToolboxBitmap32]
@="C:\\PROGRA~1\\Quicken\\qwapp.dll, 101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ADE424F3-AA10-471D-8A0A-687534555900}\InProcServer32]
@="C:\\Program Files\\Common Files\\MSSoap\\Binaries\\mssoap1.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BB023FC5-AA10-47CE-8A0A-6875C17B5914}\InProcServer32]
@="C:\\Program Files\\Common Files\\MSSoap\\Binaries\\mssoap1.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C79C91A1-DB06-11D2-9E0C-00105A26F05D}\InprocServer32]
@="C:\\Program Files\\Quicken\\qwapp.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C79C91A1-DB06-11D2-9E0C-00105A26F05D}\ToolboxBitmap32]
@="C:\\PROGRA~1\\Quicken\\qwapp.dll, 101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E16C0594-128F-11D1-97E4-00C04FB9618A}]
@="ARIES Log Recovery Engine"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EBB2FF12-861A-42b6-B815-B1AF4D944916}\InProcServer32]
@="C:\\Program Files\\Common Files\\MSSoap\\Binaries\\mssoap1.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F25BC7B7-C60D-4FB9-AAE4-3CA0F6C7038A}\InprocServer32]
@="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\brpinfo.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FC7D9E02-3F9E-11d3-93C0-00C04F72DAF7}\InprocServer32]
@="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\HelpCtr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FC7D9E02-3F9E-11d3-93C0-00C04F72DAF7}\InstalledVersion]
"C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\HelpCtr.exe"="5,1,2600,1106"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FC7D9E06-3F9E-11d3-93C0-00C04F72DAF7}\InprocServer32]
@="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\HelpCtr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FC7D9E08-3F9E-11d3-93C0-00C04F72DAF7}\InprocServer32]
@="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\HelpCtr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FC7D9E09-3F9E-11d3-93C0-00C04F72DAF7}\InprocServer32]
@="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\HelpCtr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FDE424F3-AA10-471D-8A0A-6875C17B5914}\InProcServer32]
@="C:\\Program Files\\Common Files\\MSSoap\\Binaries\\mssoap1.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HCP]
"FriendlyTypeName"="@C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\HCAppRes.dll,-2100"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HCP\shell\open\command]
@="\"C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\HelpCtr.exe\" -FromHCP -url \"%1\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{000209AC-0000-0000-C000-000000000046}]
@="Dictionaries"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{000209E0-0000-0000-C000-000000000046}]
@="HangulHanjaConversionDictionaries"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0EAB7ECB-567A-4532-B6D6-1F87C555B78B}]
@="IHMESharedLibrariesEventHandler"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{349C6ABD-A30C-11D1-ABE5-00C04FC30999}]
@="IMSOLAPAuxiliaries"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSInfo.Document]
"FriendlyTypeName"="@C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\msinfo.dll,-391"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSOlapAdmin.MSOLAPAuxiliaries]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSOlapAdmin.MSOLAPAuxiliaries]
@="MSOLAPAuxiliaries Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSOlapAdmin.MSOLAPAuxiliaries\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSOlapAdmin.MSOLAPAuxiliaries.1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSOlapAdmin.MSOLAPAuxiliaries.1]
@="MSOLAPAuxiliaries Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSOlapAdmin.MSOLAPAuxiliaries.1\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MsRcIncident\DefaultIcon]
; Contents of value:
; %SystemRoot%\PCHealth\HelpCtr\Binaries\HelpCtr.exe
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,50,00,43,00,48,00,65,00,61,00,6c,00,74,00,68,00,5c,00,48,00,65,00,\
6c,00,70,00,43,00,74,00,72,00,5c,00,42,00,69,00,6e,00,61,00,72,00,69,00,65,\
00,73,00,5c,00,48,00,65,00,6c,00,70,00,43,00,74,00,72,00,2e,00,65,00,78,00,\
65,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MsRcIncident\shell\open\command]
; Contents of value:
; %SystemRoot%\PCHealth\HelpCtr\Binaries\HelpCtr.exe -Mode "hcp://system/Remote%%20Assistance/RAClientLayout.xml" -url "hcp://system/Remote%%20Assistance/Interaction/Client/rctoolScreen1.htm" -ExtraArgument "IncidentFile=%1"
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,50,00,43,00,48,00,65,00,61,00,6c,00,74,00,68,00,5c,00,48,00,65,00,\
6c,00,70,00,43,00,74,00,72,00,5c,00,42,00,69,00,6e,00,61,00,72,00,69,00,65,\
00,73,00,5c,00,48,00,65,00,6c,00,70,00,43,00,74,00,72,00,2e,00,65,00,78,00,\
65,00,20,00,2d,00,4d,00,6f,00,64,00,65,00,20,00,22,00,68,00,63,00,70,00,3a,\
00,2f,00,2f,00,73,00,79,00,73,00,74,00,65,00,6d,00,2f,00,52,00,65,00,6d,00,\
6f,00,74,00,65,00,25,00,25,00,32,00,30,00,41,00,73,00,73,00,69,00,73,00,74,\
00,61,00,6e,00,63,00,65,00,2f,00,52,00,41,00,43,00,6c,00,69,00,65,00,6e,00,\
74,00,4c,00,61,00,79,00,6f,00,75,00,74,00,2e,00,78,00,6d,00,6c,00,22,00,20,\
00,2d,00,75,00,72,00,6c,00,20,00,22,00,68,00,63,00,70,00,3a,00,2f,00,2f,00,\
73,00,79,00,73,00,74,00,65,00,6d,00,2f,00,52,00,65,00,6d,00,6f,00,74,00,65,\
00,25,00,25,00,32,00,30,00,41,00,73,00,73,00,69,00,73,00,74,00,61,00,6e,00,\
63,00,65,00,2f,00,49,00,6e,00,74,00,65,00,72,00,61,00,63,00,74,00,69,00,6f,\
00,6e,00,2f,00,43,00,6c,00,69,00,65,00,6e,00,74,00,2f,00,72,00,63,00,74,00,\
6f,00,6f,00,6c,00,53,00,63,00,72,00,65,00,65,00,6e,00,31,00,2e,00,68,00,74,\
00,6d,00,22,00,20,00,2d,00,45,00,78,00,74,00,72,00,61,00,41,00,72,00,67,00,\
75,00,6d,00,65,00,6e,00,74,00,20,00,22,00,49,00,6e,00,63,00,69,00,64,00,65,\
00,6e,00,74,00,46,00,69,00,6c,00,65,00,3d,00,25,00,31,00,22,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Scriptlet.TypeLib]
@="Object for constructing type libraries for scriptlets"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{4E2B30D0-E0A2-11D2-9E11-00105A26F05D}\1.0\0\win32]
@="C:\\Program Files\\Quicken\\qwapp.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{7AC18319-0739-4377-8984-848573D519A5}\1.0\0\win32]
@="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\msinfo.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{7AC18319-0739-4377-8984-848573D519A5}\1.0\HELPDIR]
@="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{833E4000-AFF7-4AC3-AAC2-9F24C1457BCE}\1.0\0\win32]
@="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\HelpSvc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{833E4000-AFF7-4AC3-AAC2-9F24C1457BCE}\1.0\HELPDIR]
@="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C65657D9-5C4B-421E-8DA6-AD4D590FE854}\1.0\0\win32]
@="C:\\Program Files\\Common Files\\MSSoap\\Binaries\\mssoap1.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C65657D9-5C4B-421E-8DA6-AD4D590FE854}\1.0\HELPDIR]
@="C:\\Program Files\\Common Files\\MSSoap\\Binaries"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{CA9F6CB1-47F1-4874-90CB-C674E9A86495}\1.0\0\win32]
@="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\brpinfo.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{CA9F6CB1-47F1-4874-90CB-C674E9A86495}\1.0\HELPDIR]
@="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{FC7D9000-3F9E-11D3-93C0-00C04F72DAF7}\1.0\0\win32]
@="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\HelpCtr.exe\\2"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{FC7D9000-3F9E-11D3-93C0-00C04F72DAF7}\1.0\HELPDIR]
@="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\HelpCtr.exe\\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{FC7D9E00-3F9E-11D3-93C0-00C04F72DAF7}\1.0\0\win32]
@="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\HelpCtr.exe\\1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{FC7D9E00-3F9E-11D3-93C0-00C04F72DAF7}\1.0\HELPDIR]
@="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\HelpCtr.exe\\"

[HKEY_LOCAL_MACHINE\SOFTWARE\ECDDiscProducers]
"SONYBMG"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB906569\Filelist\1]
"Location"="C:\\WINDOWS\\pchealth\\helpctr\\binaries"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\HELPCTR.EXE]
@="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\HelpCtr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MSCONFIG.EXE]
; Contents of value:
; %systemroot%\pchealth\helpctr\Binaries\MSCONFIG.EXE
@=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,00,74,00,25,\
00,5c,00,70,00,63,00,68,00,65,00,61,00,6c,00,74,00,68,00,5c,00,68,00,65,00,\
6c,00,70,00,63,00,74,00,72,00,5c,00,42,00,69,00,6e,00,61,00,72,00,69,00,65,\
00,73,00,5c,00,4d,00,53,00,43,00,4f,00,4e,00,46,00,49,00,47,00,2e,00,45,00,\
58,00,45,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\AF7D04D7D6686694E95295E98D20F43B]
"F5908182C6BF8C2428E7A004C69CFA5F"="C?\\Program Files\\Quicken\\qwapp.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls]
"C:\\Program Files\\Quicken\\qwapp.dll"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Installations\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.0.0_x-ww_ff9986d7]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Installations\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.0.0_x-ww_ff9986d7]
"Identity"="Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries,processorArchitecture=\"x86\",publicKeyToken=\"6595b64144ccf1df\",type=\"win32\",version=\"6.0.0.0\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Installations\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.0.0_x-ww_ff9986d7\Codebases]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Installations\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.0.0_x-ww_ff9986d7\Codebases\OS]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Installations\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.0.0_x-ww_ff9986d7\Files]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Installations\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.0.0_x-ww_ff9986d7\Files\0]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Installations\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.0.0_x-ww_ff9986d7\Files\1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Installations\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.0.0_x-ww_ff9986d7\Files\2]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Installations\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.0.0_x-ww_ff9986d7\Files\3]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Installations\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.0.0_x-ww_ff9986d7\References]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Installations\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.9792.0_x-ww_08a6620a]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Installations\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.9792.0_x-ww_08a6620a]
"Identity"="Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries,processorArchitecture=\"x86\",publicKeyToken=\"6595b64144ccf1df\",type=\"win32\",version=\"6.0.9792.0\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Installations\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.9792.0_x-ww_08a6620a\Codebases]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Installations\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.9792.0_x-ww_08a6620a\Codebases\U_KB924667]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Installations\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.9792.0_x-ww_08a6620a\Files]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Installations\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.9792.0_x-ww_08a6620a\Files\0]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Installations\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.9792.0_x-ww_08a6620a\Files\1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Installations\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.9792.0_x-ww_08a6620a\Files\2]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Installations\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.9792.0_x-ww_08a6620a\Files\3]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Installations\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.9792.0_x-ww_08a6620a\References]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Installations\x86_policy.6.0.Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.9792.0_x-ww_d7ea3c6f]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Installations\x86_policy.6.0.Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.9792.0_x-ww_d7ea3c6f]
"Identity"="policy.6.0.Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries,processorArchitecture=\"x86\",publicKeyToken=\"6595b64144ccf1df\",type=\"win32-policy\",version=\"6.0.9792.0\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Installations\x86_policy.6.0.Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.9792.0_x-ww_d7ea3c6f\Codebases]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Installations\x86_policy.6.0.Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.9792.0_x-ww_d7ea3c6f\Codebases\U_KB924667]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Installations\x86_policy.6.0.Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.9792.0_x-ww_d7ea3c6f\Files]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Installations\x86_policy.6.0.Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.9792.0_x-ww_d7ea3c6f\References]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"="DisableNXShowUI"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Event Viewer]
; Contents of value:
; %SystemRoot%\PCHealth\HelpCtr\Binaries\HelpCtr.exe
"MicrosoftRedirectionProgram"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,\
52,00,6f,00,6f,00,74,00,25,00,5c,00,50,00,43,00,48,00,65,00,61,00,6c,00,74,\
00,68,00,5c,00,48,00,65,00,6c,00,70,00,43,00,74,00,72,00,5c,00,42,00,69,00,\
6e,00,61,00,72,00,69,00,65,00,73,00,5c,00,48,00,65,00,6c,00,70,00,43,00,74,\
00,72,00,2e,00,65,00,78,00,65,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\SONYBMG]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CoDeviceInstallers]
; Contents of value:
; SysSetup.Dll,StorageCoInstaller
; SysSetup.Dll,CriticalDeviceCoInstaller
; $sys$caj.dll,CoInstallCdrom
;
"{4D36E965-E325-11CE-BFC1-08002BE10318}"=hex(7):53,00,79,00,73,00,53,00,65,00,\
74,00,75,00,70,00,2e,00,44,00,6c,00,6c,00,2c,00,53,00,74,00,6f,00,72,00,61,\
00,67,00,65,00,43,00,6f,00,49,00,6e,00,73,00,74,00,61,00,6c,00,6c,00,65,00,\
72,00,00,00,53,00,79,00,73,00,53,00,65,00,74,00,75,00,70,00,2e,00,44,00,6c,\
00,6c,00,2c,00,43,00,72,00,69,00,74,00,69,00,63,00,61,00,6c,00,44,00,65,00,\
76,00,69,00,63,00,65,00,43,00,6f,00,49,00,6e,00,73,00,74,00,61,00,6c,00,6c,\
00,65,00,72,00,00,00,24,00,73,00,79,00,73,00,24,00,63,00,61,00,6a,00,2e,00,\
64,00,6c,00,6c,00,2c,00,43,00,6f,00,49,00,6e,00,73,00,74,00,61,00,6c,00,6c,\
00,43,00,64,00,72,00,6f,00,6d,00,00,00,00,00
; Contents of value:
; $sys$caj.dll,CoInstallPC
;
"{FF646F80-8DEF-11D2-9449-00105A075F6B}"=hex(7):24,00,73,00,79,00,73,00,24,00,\
63,00,61,00,6a,00,2e,00,64,00,6c,00,6c,00,2c,00,43,00,6f,00,49,00,6e,00,73,\
00,74,00,61,00,6c,00,6c,00,50,00,43,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CriticalDeviceDatabase\gencdrom]
; Contents of value:
; $sys$crater
;
"LowerFilters"=hex(7):24,00,73,00,79,00,73,00,24,00,63,00,72,00,61,00,74,00,65,\
00,72,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}\{8534CEBA-BD6C-44B0-A083-437A5CA6F402}\Ndi]
"HelpText"="A protocol layered on TCP/IP which preserves message boundaries. This instance of the protocol is for use by the file sharing protocol."

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\IDE\CdRomHL-DT-ST_DVDRRW_GSA-H20L________________S742____\5&349d9d64&0&0.0.0]
; Contents of value:
; $sys$crater
; imapi
;
"LowerFilters"=hex(7):24,00,73,00,79,00,73,00,24,00,63,00,72,00,61,00,74,00,65,\
00,72,00,00,00,69,00,6d,00,61,00,70,00,69,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\PCIIDE\IDEChannel\4&113c7f93&0&0]
; Contents of value:
; $sys$cor
;
"UpperFilters"=hex(7):24,00,73,00,79,00,73,00,24,00,63,00,6f,00,72,00,00,00,00,\
00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_$SYS$LIM]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_$SYS$LIM\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_$SYS$LIM\0000]
"Service"="$sys$lim"
"DeviceDesc"="$sys$lim"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_$SYS$OCT]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_$SYS$OCT\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_$SYS$OCT\0000]
"Service"="$sys$oct"
"DeviceDesc"="$sys$oct"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_$SYS$OCT\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\CdRom&Ven_SanDisk&Prod_Cruzer&Rev_7.01\0775000C7401721B&1]
; Contents of value:
; $sys$crater
;
"LowerFilters"=hex(7):24,00,73,00,79,00,73,00,24,00,63,00,72,00,61,00,74,00,65,\
00,72,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\CdRom&Ven_SanDisk&Prod_Cruzer&Rev_7.01\173832168300119C&1]
; Contents of value:
; $sys$crater
;
"LowerFilters"=hex(7):24,00,73,00,79,00,73,00,24,00,63,00,72,00,61,00,74,00,65,\
00,72,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\CdRom&Ven_SanDisk&Prod_U3_Cruzer_Micro&Rev_3.21\00001623B2721C16&1]
; Contents of value:
; $sys$crater
;
"LowerFilters"=hex(7):24,00,73,00,79,00,73,00,24,00,63,00,72,00,61,00,74,00,65,\
00,72,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\CdRom&Ven_SanDisk&Prod_U3_Cruzer_Micro&Rev_3.27\000016718673FB4A&1]
; Contents of value:
; $sys$crater
;
"LowerFilters"=hex(7):24,00,73,00,79,00,73,00,24,00,63,00,72,00,61,00,74,00,65,\
00,72,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\HelpSvc]
"EventMessageFile"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\HCAppRes.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\helpsvc\Parameters]
; Contents of value:
; %WINDIR%\PCHealth\HelpCtr\Binaries\pchsvc.dll
"ServiceDll"=hex(2):25,00,57,00,49,00,4e,00,44,00,49,00,52,00,25,00,5c,00,50,\
00,43,00,48,00,65,00,61,00,6c,00,74,00,68,00,5c,00,48,00,65,00,6c,00,70,00,\
43,00,74,00,72,00,5c,00,42,00,69,00,6e,00,61,00,72,00,69,00,65,00,73,00,5c,\
00,70,00,63,00,68,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ZuneNetworkSvc]
"Description"="Shares Zune media libraries to Zune devices using Universal Plug and Play"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\CoDeviceInstallers]
; Contents of value:
; SysSetup.Dll,StorageCoInstaller
; SysSetup.Dll,CriticalDeviceCoInstaller
; $sys$caj.dll,CoInstallCdrom
;
"{4D36E965-E325-11CE-BFC1-08002BE10318}"=hex(7):53,00,79,00,73,00,53,00,65,00,\
74,00,75,00,70,00,2e,00,44,00,6c,00,6c,00,2c,00,53,00,74,00,6f,00,72,00,61,\
00,67,00,65,00,43,00,6f,00,49,00,6e,00,73,00,74,00,61,00,6c,00,6c,00,65,00,\
72,00,00,00,53,00,79,00,73,00,53,00,65,00,74,00,75,00,70,00,2e,00,44,00,6c,\
00,6c,00,2c,00,43,00,72,00,69,00,74,00,69,00,63,00,61,00,6c,00,44,00,65,00,\
76,00,69,00,63,00,65,00,43,00,6f,00,49,00,6e,00,73,00,74,00,61,00,6c,00,6c,\
00,65,00,72,00,00,00,24,00,73,00,79,00,73,00,24,00,63,00,61,00,6a,00,2e,00,\
64,00,6c,00,6c,00,2c,00,43,00,6f,00,49,00,6e,00,73,00,74,00,61,00,6c,00,6c,\
00,43,00,64,00,72,00,6f,00,6d,00,00,00,00,00
; Contents of value:
; $sys$caj.dll,CoInstallPC
;
"{FF646F80-8DEF-11D2-9449-00105A075F6B}"=hex(7):24,00,73,00,79,00,73,00,24,00,\
63,00,61,00,6a,00,2e,00,64,00,6c,00,6c,00,2c,00,43,00,6f,00,49,00,6e,00,73,\
00,74,00,61,00,6c,00,6c,00,50,00,43,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\CriticalDeviceDatabase\gencdrom]
; Contents of value:
; $sys$crater
;
"LowerFilters"=hex(7):24,00,73,00,79,00,73,00,24,00,63,00,72,00,61,00,74,00,65,\
00,72,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}\{8534CEBA-BD6C-44B0-A083-437A5CA6F402}\Ndi]
"HelpText"="A protocol layered on TCP/IP which preserves message boundaries. This instance of the protocol is for use by the file sharing protocol."

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\IDE\CdRomHL-DT-ST_DVDRRW_GSA-H20L________________S742____\5&349d9d64&0&0.0.0]
; Contents of value:
; $sys$crater
; imapi
;
"LowerFilters"=hex(7):24,00,73,00,79,00,73,00,24,00,63,00,72,00,61,00,74,00,65,\
00,72,00,00,00,69,00,6d,00,61,00,70,00,69,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\PCIIDE\IDEChannel\4&113c7f93&0&0]
; Contents of value:
; $sys$cor
;
"UpperFilters"=hex(7):24,00,73,00,79,00,73,00,24,00,63,00,6f,00,72,00,00,00,00,\
00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_$SYS$LIM]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_$SYS$LIM\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_$SYS$LIM\0000]
"Service"="$sys$lim"
"DeviceDesc"="$sys$lim"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_$SYS$OCT]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_$SYS$OCT\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_$SYS$OCT\0000]
"Service"="$sys$oct"
"DeviceDesc"="$sys$oct"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_$SYS$OCT\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\USBSTOR\CdRom&Ven_SanDisk&Prod_Cruzer&Rev_7.01\0775000C7401721B&1]
; Contents of value:
; $sys$crater
;
"LowerFilters"=hex(7):24,00,73,00,79,00,73,00,24,00,63,00,72,00,61,00,74,00,65,\
00,72,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\USBSTOR\CdRom&Ven_SanDisk&Prod_Cruzer&Rev_7.01\173832168300119C&1]
; Contents of value:
; $sys$crater
;
"LowerFilters"=hex(7):24,00,73,00,79,00,73,00,24,00,63,00,72,00,61,00,74,00,65,\
00,72,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\USBSTOR\CdRom&Ven_SanDisk&Prod_U3_Cruzer_Micro&Rev_3.21\00001623B2721C16&1]
; Contents of value:
; $sys$crater
;
"LowerFilters"=hex(7):24,00,73,00,79,00,73,00,24,00,63,00,72,00,61,00,74,00,65,\
00,72,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\USBSTOR\CdRom&Ven_SanDisk&Prod_U3_Cruzer_Micro&Rev_3.27\000016718673FB4A&1]
; Contents of value:
; $sys$crater
;
"LowerFilters"=hex(7):24,00,73,00,79,00,73,00,24,00,63,00,72,00,61,00,74,00,65,\
00,72,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Eventlog\Application\HelpSvc]
"EventMessageFile"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\HCAppRes.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\helpsvc\Parameters]
; Contents of value:
; %WINDIR%\PCHealth\HelpCtr\Binaries\pchsvc.dll
"ServiceDll"=hex(2):25,00,57,00,49,00,4e,00,44,00,49,00,52,00,25,00,5c,00,50,\
00,43,00,48,00,65,00,61,00,6c,00,74,00,68,00,5c,00,48,00,65,00,6c,00,70,00,\
43,00,74,00,72,00,5c,00,42,00,69,00,6e,00,61,00,72,00,69,00,65,00,73,00,5c,\
00,70,00,63,00,68,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ZuneNetworkSvc]
"Description"="Shares Zune media libraries to Zune devices using Universal Plug and Play"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CoDeviceInstallers]
; Contents of value:
; SysSetup.Dll,StorageCoInstaller
; SysSetup.Dll,CriticalDeviceCoInstaller
; $sys$caj.dll,CoInstallCdrom
;
"{4D36E965-E325-11CE-BFC1-08002BE10318}"=hex(7):53,00,79,00,73,00,53,00,65,00,\
74,00,75,00,70,00,2e,00,44,00,6c,00,6c,00,2c,00,53,00,74,00,6f,00,72,00,61,\
00,67,00,65,00,43,00,6f,00,49,00,6e,00,73,00,74,00,61,00,6c,00,6c,00,65,00,\
72,00,00,00,53,00,79,00,73,00,53,00,65,00,74,00,75,00,70,00,2e,00,44,00,6c,\
00,6c,00,2c,00,43,00,72,00,69,00,74,00,69,00,63,00,61,00,6c,00,44,00,65,00,\
76,00,69,00,63,00,65,00,43,00,6f,00,49,00,6e,00,73,00,74,00,61,00,6c,00,6c,\
00,65,00,72,00,00,00,24,00,73,00,79,00,73,00,24,00,63,00,61,00,6a,00,2e,00,\
64,00,6c,00,6c,00,2c,00,43,00,6f,00,49,00,6e,00,73,00,74,00,61,00,6c,00,6c,\
00,43,00,64,00,72,00,6f,00,6d,00,00,00,00,00
; Contents of value:
; $sys$caj.dll,CoInstallPC
;
"{FF646F80-8DEF-11D2-9449-00105A075F6B}"=hex(7):24,00,73,00,79,00,73,00,24,00,\
63,00,61,00,6a,00,2e,00,64,00,6c,00,6c,00,2c,00,43,00,6f,00,49,00,6e,00,73,\
00,74,00,61,00,6c,00,6c,00,50,00,43,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\gencdrom]
; Contents of value:
; $sys$crater
;
"LowerFilters"=hex(7):24,00,73,00,79,00,73,00,24,00,63,00,72,00,61,00,74,00,65,\
00,72,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}\{8534CEBA-BD6C-44B0-A083-437A5CA6F402}\Ndi]
"HelpText"="A protocol layered on TCP/IP which preserves message boundaries. This instance of the protocol is for use by the file sharing protocol."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\IDE\CdRomHL-DT-ST_DVDRRW_GSA-H20L________________S742____\5&349d9d64&0&0.0.0]
; Contents of value:
; $sys$crater
; imapi
;
"LowerFilters"=hex(7):24,00,73,00,79,00,73,00,24,00,63,00,72,00,61,00,74,00,65,\
00,72,00,00,00,69,00,6d,00,61,00,70,00,69,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCIIDE\IDEChannel\4&113c7f93&0&0]
; Contents of value:
; $sys$cor
;
"UpperFilters"=hex(7):24,00,73,00,79,00,73,00,24,00,63,00,6f,00,72,00,00,00,00,\
00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_$SYS$LIM]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_$SYS$LIM\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_$SYS$LIM\0000]
"Service"="$sys$lim"
"DeviceDesc"="$sys$lim"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_$SYS$OCT]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_$SYS$OCT\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_$SYS$OCT\0000]
"Service"="$sys$oct"
"DeviceDesc"="$sys$oct"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_$SYS$OCT\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\CdRom&Ven_SanDisk&Prod_Cruzer&Rev_7.01\0775000C7401721B&1]
; Contents of value:
; $sys$crater
;
"LowerFilters"=hex(7):24,00,73,00,79,00,73,00,24,00,63,00,72,00,61,00,74,00,65,\
00,72,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\CdRom&Ven_SanDisk&Prod_Cruzer&Rev_7.01\173832168300119C&1]
; Contents of value:
; $sys$crater
;
"LowerFilters"=hex(7):24,00,73,00,79,00,73,00,24,00,63,00,72,00,61,00,74,00,65,\
00,72,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\CdRom&Ven_SanDisk&Prod_U3_Cruzer_Micro&Rev_3.21\00001623B2721C16&1]
; Contents of value:
; $sys$crater
;
"LowerFilters"=hex(7):24,00,73,00,79,00,73,00,24,00,63,00,72,00,61,00,74,00,65,\
00,72,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\CdRom&Ven_SanDisk&Prod_U3_Cruzer_Micro&Rev_3.27\000016718673FB4A&1]
; Contents of value:
; $sys$crater
;
"LowerFilters"=hex(7):24,00,73,00,79,00,73,00,24,00,63,00,72,00,61,00,74,00,65,\
00,72,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\HelpSvc]
"EventMessageFile"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\HCAppRes.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\helpsvc\Parameters]
; Contents of value:
; %WINDIR%\PCHealth\HelpCtr\Binaries\pchsvc.dll
"ServiceDll"=hex(2):25,00,57,00,49,00,4e,00,44,00,49,00,52,00,25,00,5c,00,50,\
00,43,00,48,00,65,00,61,00,6c,00,74,00,68,00,5c,00,48,00,65,00,6c,00,70,00,\
43,00,74,00,72,00,5c,00,42,00,69,00,6e,00,61,00,72,00,69,00,65,00,73,00,5c,\
00,70,00,63,00,68,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ZuneNetworkSvc]
"Description"="Shares Zune media libraries to Zune devices using Universal Plug and Play"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\WINDOWS\\pchealth\\uploadlb\\binaries\\uploadm.exe"="PC Health Upload Manager"

[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\WINDOWS\\pchealth\\uploadlb\\binaries\\uploadm.exe"="PC Health Upload Manager"

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\WINDOWS\\pchealth\\uploadlb\\binaries\\uploadm.exe"="PC Health Upload Manager"

[HKEY_USERS\S-1-5-21-4210031451-2624482458-1344547406-1007\Software\$sys$reference]

[HKEY_USERS\S-1-5-21-4210031451-2624482458-1344547406-1007\Software\Microsoft\Shared Tools\Proofing Tools\Custom Dictionaries]

[HKEY_USERS\S-1-5-21-4210031451-2624482458-1344547406-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"d"="cmd /k sc delete $sys$aries\\1"

[HKEY_USERS\S-1-5-21-4210031451-2624482458-1344547406-1007\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\HelpCtr.exe"="Microsoft Help and Support Center"
"@C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\msinfo.dll,-391"="MSInfo Document"

[HKEY_USERS\S-1-5-21-4210031451-2624482458-1344547406-1007\Software\PureEdge\Viewer\SSCE\en_US]
"LexFileFilterStr"="Dictionary files (*.tlx)|*.tlx|External dictionaries (*.dic)|*.dic|Text files (*.txt)|*.txt|All files (*.*)|*.*|"

[HKEY_USERS\S-1-5-21-4210031451-2624482458-1344547406-1007\Software\SONYBMG]

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\WINDOWS\\pchealth\\uploadlb\\binaries\\uploadm.exe"="PC Health Upload Manager"

; End Of The Log...
Driftmom
Regular Member
 
Posts: 20
Joined: April 11th, 2009, 12:46 pm

Re: Troublesome Malware

Unread postby peku006 » May 13th, 2009, 3:49 am

Hi Driftmom

We will begin with XCP2_Uninstaller.exe. Please visit this webpage for download links, and instructions for running the tool:
http://cp.sonybmg.com/xcp/english/updates.html

With that done, please post back a fresh HiJackThis log. Also, please let me know if you encountered any problems while you were following the instructions I posted.

Thanks peku006
User avatar
peku006
MRU Emeritus
MRU Emeritus
 
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: Troublesome Malware

Unread postby Driftmom » May 13th, 2009, 8:49 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:48:49 PM, on 5/13/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.0\masqform.exe -UpdateCurrentUser
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DISCover] C:\Program Files\DISC\DISCover.exe nogui
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 4.00\AMVConverter\grab.html
O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 4.00\MediaManager\grab.html
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

--
End of file - 7979 bytes
Driftmom
Regular Member
 
Posts: 20
Joined: April 11th, 2009, 12:46 pm
Advertisement
Register to Remove

PreviousNext

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 59 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware