
I received a pop-up telling me my computer was infected. Tried to run Malwarebytes, but it wouldn't run. Ran it in Safe Mode and below is the log. Tried to run Defogger, but it (along with all other executables) will not run. Should I run the standard processes in Safe Mode?

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6531

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 7.0.5730.13

5/8/2011 12:11:39 PM

mbam-log-2011-05-08 (12-11-39).txt

Scan type: Full scan (C:\|D:\|J:\|L:\|M:\|)

Objects scanned: 277563

Time elapsed: 1 hour(s), 11 minute(s), 6 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 6

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\mrd.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\mrd.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\mrd.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

c:\documents and settings\hp_administrator\local settings\application data\mrd.exe (Trojan.ExeShell.Gen) -> Quarantined and deleted successfully.

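What the six registry hits in the log above actually did is worth spelling out. The `StartMenuInternet\...\shell\open\command` value is the command Windows runs when the browser is launched from the Start Menu or from a "default browser" shortcut; the malware replaced it with its own launcher (`mrd.exe` in the user's Local Settings\Application Data) and passed the real browser path as an argument, so the browser still opened and the user noticed nothing. The three `PUM.Disabled.SecurityCenter` values (`*DisableNotify=1`) simply tell Security Center not to warn that antivirus, firewall or updates are off. The script below is an added example, not part of this thread or of Malwarebytes: it parses "Registry Data Items Infected" lines in the 1.x log format, recovers the expected browser binary from the key path, and flags any command whose first executable is not that binary or lives in a user-writable profile directory. The `audit`, `explain` and `is_hijacked_command` names and the `USER_WRITABLE` heuristic are mine; the sample lines are copied from the log in this post.

```python
"""Parse the 'Registry Data Items Infected' section of a Malwarebytes 1.x log and
explain each StartMenuInternet / Security Center change (added example, not MBAM code)."""
import ntpath
import re
from dataclasses import dataclass
from typing import List

# Key, threat, Bad: (...), Good: (...), action -- the one-line format MBAM 1.x emits.
ENTRY_RE = re.compile(
    r"^(?P<key>.+?) \((?P<threat>[\w.]+)\) -> "
    r"Bad: \((?P<bad>.*)\) Good: \((?P<good>.*)\) -> (?P<action>.*)$"
)
# The browser the key belongs to, e.g. ...\StartMenuInternet\FIREFOX.EXE\shell\open\command
SMI_RE = re.compile(r"\\StartMenuInternet\\(?P<exe>[^\\]+)\\", re.IGNORECASE)
# Heuristic (assumption): directories a per-user dropper writes to; a browser
# launcher registered machine-wide should never live under any of these.
USER_WRITABLE = (
    "\\documents and settings\\", "\\application data\\",
    "\\local settings\\", "\\temp\\", "\\users\\",
)

# Sample input: the six entries from the log posted above.
SAMPLE_LOG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\mrd.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\mrd.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\mrd.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
"""


@dataclass
class Finding:
    key: str
    threat: str
    verdict: str


def first_executable(command: str) -> str:
    """Return the program a Windows command line launches (first token, quotes honoured)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def is_hijacked_command(command: str, expected_exe: str) -> bool:
    """True if the command runs something other than expected_exe, or runs it from a
    user-writable directory. Catches the wrapper pattern in the log: mrd.exe -a firefox.exe."""
    exe = first_executable(command)
    if ntpath.basename(exe).lower() != expected_exe.lower():
        return True
    return any(marker in exe.lower() for marker in USER_WRITABLE)


def explain(entry: dict) -> str:
    """Turn one parsed log entry into a one-line statement of what the bad value did."""
    threat, key, bad = entry["threat"], entry["key"], entry["bad"]
    if threat == "Hijack.StartMenuInternet":
        m = SMI_RE.search(key)
        expected = m.group("exe") if m else ""
        if is_hijacked_command(bad, expected):
            return f"browser launch of {expected.lower()} wrapped by {first_executable(bad)}"
        return "command looks legitimate"
    if threat == "PUM.Disabled.SecurityCenter":
        name = key.rsplit("\\", 1)[-1]
        if bad == "1":
            return f"{name}=1: Security Center alert suppressed"
        return f"{name}={bad}"
    return "unclassified"


def audit(log_text: str) -> List[Finding]:
    """Parse every 'Registry Data Items Infected' line and explain it."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            d = m.groupdict()
            findings.append(Finding(d["key"], d["threat"], explain(d)))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.threat:30} {f.verdict}")
```

Run against a real log, the launcher path it prints is the file to pull for analysis (here `mrd.exe`, which MBAM also removed as Trojan.ExeShell.Gen); the Security Center lines explain why the system gave no warning while its firewall was off.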

Logs will be closed if you haven't replied within 3 days

Please don't attach the scans / logs for these tools, use "copy/paste".

Download Combofix from any of the links below but rename it to Iexplorer.com before saving it to your desktop.

Download the tools needed to a flash drive or other USB device, and transfer them to the infected computer.

* IMPORTANT !!! Save Iexplorer.com to your Desktop

Link 1

Link 2<--Right Click and use Save As if using this link.

Double click on Iexplorer.com (the renamed ComboFix.exe) & follow the prompts.

  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.


Had to hit Cancel on the Open With box about 15-20 times when I opened ComboFix, but it finally started. Looks like this may have fixed the issue. Here's the log.

ComboFix 11-05-09.04 - HP_Administrator 05/10/2011 20:04:39.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3518.3023 [GMT -5:00]

Running from: c:\documents and settings\HP_Administrator\Desktop\lexplorer.com

.

ADS - WINDOWS: deleted 24 bytes in 1 streams.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Administrator\WINDOWS

c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\c.cgm

c:\documents and settings\Default User\WINDOWS

c:\documents and settings\HP_Administrator\Application Data\Adobe\AdobeUpdate .exe

c:\documents and settings\HP_Administrator\Application Data\Adobe\plugs

c:\documents and settings\HP_Administrator\Application Data\inst.exe

c:\documents and settings\HP_Administrator\WINDOWS

c:\windows\Downloaded Program Files\popcaploader.inf

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\music\mainmenumusic.ogg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\areabomb.ogg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\beetlezap.ogg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\bonusrow.ogg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\bonustimer.ogg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\bucketfilled.ogg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\clearpyramid.ogg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\cleartriangle1a.ogg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\cleartriangle1b.ogg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\cleartriangle1c.ogg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\cleartriangle2a.ogg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\cleartriangle2b.ogg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\cleartriangle2c.ogg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\colorchain.ogg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\dialogbox.ogg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\drumbeat.ogg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\fillrow.ogg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\gateopen.ogg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\helptip.ogg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\powerup.ogg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\rotateboardleft.ogg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\timerup.ogg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\warning.ogg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\warning2.ogg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\artifacts-bb.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\bar.jpg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\chamber0.jpg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\chamber1.jpg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\circledoor.jpg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\full_screen_dialog.jpg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\global-hs-bb_large.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\global-hs-bb_small.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\help-bb_large.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\help-bb_small.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\hexfield.jpg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\hidden-artifact_icon.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\large_dialog.jpg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\local-hs-bb.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\mainmenu.jpg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\small_dialog.jpg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\textfield.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\trifield.jpg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\beetles\beetlehover1.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\beetles\beetlehover2.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\beetles\beetlehover3.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\beetles\beetlehover4.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\beetles\beetleshock1.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\beetles\beetleshock2.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\beetles\beetleshock3.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\beetles\beetleshock4.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\beetles\beetletatoo.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\beetles\dirt.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\beetles\scarabpost.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\beetles\scarabpostovr.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\beetles\tritop.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\arrowdown_down.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\arrowdown_over.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\arrowdown_up.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\arrowleft_down.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\arrowleft_over.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\arrowleft_up.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\arrowright_down.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\arrowright_over.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\arrowright_up.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\arrowup_down.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\arrowup_over.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\arrowup_up.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\bluearrowleft_down.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\bluearrowleft_over.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\bluearrowleft_up.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\bluearrowright_down.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\bluearrowright_over.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\bluearrowright_up.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\checkdown.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\checkup.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\long_button_down.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\long_button_over.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\long_button_up.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\orange-button_down.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\orange-button_over.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\orange-button_up.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\rotleft_down.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\rotleft_over.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\rotleft_up.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\rotright_down.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\rotright_over.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\rotright_up.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\simplebutton_down.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\simplebutton_over.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\simplebutton_up.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\sliderknob.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\sliderknobover.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\sliderrail.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\characters\anwar\look\pl0001.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\characters\bast\look\bl0001.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\characters\kristine\look\kl0001.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\crackedstopper.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\cursor.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\doorlights.txt

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\fonts\jackarmstrong.mvec

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\fonts\lithos.mvec

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\greybomb.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\helptips\arrowkeys.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\helptips\helptip.jpg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\levels\levels.dat

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\models\disk.mesh

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\models\equilateraltriangle.mesh

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\models\flattri.mesh

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\models\pyramid.mesh

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\models\quad.mesh

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\models\rotatingpyramid.mesh

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\models\scarabpanel.mesh

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\p1icon.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\scenes\page1-0.xml

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\scenes\page1-1.xml

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\scenes\panel1-0-1.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\scenes\panel1-1-1.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\scorecloud.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\setup.xml

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\sfx\areashockwave.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\sfx\bolt_1.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\sfx\bolt_2.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\sfx\bolt_3.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\sfx\bolt_4.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\sfx\bolt_starter.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\sfx\bolt_tail.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\sfx\flash.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\sfx\rubble.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\sfx\smoke.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\sfx\smoke2.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\sfx\smoke3.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\splash\playfirst_logo.jpg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\statues\statue0\snake_dirty.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\statues\statue1\arm01_dirty.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\statues\statue1\mask01_1.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\statues\statue1\statue01_dirty.jpg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\stopper.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\timer.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\timerglow.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\timericon.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\tm.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\trails\mouseblue1.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\trails\mouseblue2.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\trails\mouseblue3.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\trails\mousegreen1.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\trails\mousegreen2.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\trails\mousegreen3.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\trails\mousered1.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\trails\mousered2.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\trails\mousered3.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\trails\mouseyellow1.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\trails\mouseyellow2.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\trails\mouseyellow3.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\areabomb.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\areabombrollover.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\blue.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\bluerollover.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\boardfill.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\brick.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\brick1.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\brick2.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\brick3.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\bricktip.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\clearanim\cleared1.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\clearanim\cleared2.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\clearanim\cleared3.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\clearanim\cleared4.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\clearanim\cleared5.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\clearanim\cleared6.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\eye1.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\eye2.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\eye3.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\eye4.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\green.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\greenrollover.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\plain_tri-blue.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\plain_tri-bluerollover.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\plain_tri-green.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\plain_tri-greenrollover.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\plain_tri-red.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\plain_tri-redrollover.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\plain_tri-yellow.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\plain_tri-yellowrollover.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\red.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\redrollover.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\wild.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\wildrollover.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\yellow.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\yellowrollover.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\upsell\image0.jpg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\upsell\image1.jpg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\upsell\image2.jpg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\upsell\image3.jpg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\urns\bluebucket.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\urns\buckettriangle.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\urns\chainlink.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\urns\chaintip.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\urns\genericbucket.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\urns\greenbucket.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\urns\redbucket.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\urns\smallblue.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\urns\smallgreen.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\urns\smallred.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\urns\smallyellow.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\urns\urnglow.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\urns\urnplatform.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\urns\yellowbucket.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\warning.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\screens\error.lua

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\screens\game.lua

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\screens\gameover.lua

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\screens\hiscore.lua

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\screens\hiscoreinfo.lua

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\screens\hiscoresubmit.lua

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\screens\instructions.lua

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\screens\leveldesign.lua

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\screens\levelover.lua

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\screens\mainarcade.lua

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\screens\mainconfirm.lua

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\screens\maincontinue.lua

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\screens\maingames.lua

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\screens\mainpuzzle.lua

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\screens\maphelptip.lua

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\screens\options.lua

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\screens\pause.lua

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\screens\quitconfirm.lua

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\screens\start.lua

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\screens\storyplayer.lua

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\screens\style.lua

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\screens\upsell.lua

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\strings.xml

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\TriJinx.exe

c:\windows\jestertb.dll

c:\windows\system32\config\systemprofile\WINDOWS

c:\windows\system32\DcJPYcfe.ini

c:\windows\system32\DcJPYcfe.ini2

D:\Autorun.inf

J:\Autorun.inf

M:\autorun.inf

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_NPF

.

.

((((((((((((((((((((((((( Files Created from 2011-04-11 to 2011-05-11 )))))))))))))))))))))))))))))))

.

.

2011-05-08 19:12 . 2011-05-08 19:12 -------- d-----w- c:\program files\ERUNT

2011-05-08 18:56 . 2011-05-08 18:56 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla

2011-05-08 16:00 . 2011-05-08 16:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2011-04-23 00:37 . 2011-04-23 00:37 -------- d-----w- c:\program files\iPod

2011-04-23 00:37 . 2011-04-23 00:38 -------- d-----w- c:\program files\iTunes

2011-04-23 00:34 . 2011-04-23 00:34 -------- d-----w- c:\program files\Bonjour

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-04-06 21:20 . 2011-04-06 21:20 91424 ----a-w- c:\windows\system32\dnssd.dll

2011-04-06 21:20 . 2011-04-06 21:20 107808 ----a-w- c:\windows\system32\dns-sd.exe

2011-03-07 05:33 . 2004-08-09 21:00 692736 ------w- c:\windows\system32\inetcomm.dll

2011-03-04 06:45 . 2004-08-09 21:00 434176 ----a-w- c:\windows\system32\vbscript.dll

2011-03-03 13:21 . 2004-08-09 21:00 1857920 ----a-w- c:\windows\system32\win32k.sys

2011-02-18 21:36 . 2010-04-04 15:07 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2011-02-18 21:36 . 2010-04-04 15:07 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll

2011-02-17 19:00 . 2004-08-09 21:00 832512 ----a-w- c:\windows\system32\wininet.dll

2011-02-17 19:00 . 2004-08-09 21:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2011-02-17 19:00 . 2004-08-09 21:00 1830912 ----a-w- c:\windows\system32\inetcpl.cpl

2011-02-17 19:00 . 2004-08-09 21:00 17408 ----a-w- c:\windows\system32\corpol.dll

2011-02-17 13:18 . 2004-08-09 21:00 455936 ------w- c:\windows\system32\drivers\mrxsmb.sys

2011-02-17 13:18 . 2004-08-09 21:00 357888 ------w- c:\windows\system32\drivers\srv.sys

2011-02-17 12:32 . 2009-04-17 00:29 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2011-02-17 11:44 . 2004-08-09 21:00 389120 ----a-w- c:\windows\system32\html.iec

2011-02-15 12:56 . 2004-08-09 21:00 290432 ----a-w- c:\windows\system32\atmfd.dll

2011-02-11 13:25 . 2006-08-18 13:21 229888 ----a-w- c:\windows\system32\fxscover.exe

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-05-05 2424192]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]

.

c:\documents and settings\Default User\Start Menu\Programs\Startup\

Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-8-18 27136]

PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-8-18 27136]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\eMule\\emule.exe"=

"c:\\WINDOWS\\system32\\fxsclnt.exe"=

"c:\\StubInstaller.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:Remote Desktop

"65533:TCP"= 65533:TCP:Services

"52344:TCP"= 52344:TCP:Services

"8424:TCP"= 8424:TCP:Services

"8425:TCP"= 8425:TCP:Services

.

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [8/18/2008 5:44 PM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/18/2008 5:44 PM 67656]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/18/2008 5:44 PM 12872]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WUAUSERV

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

.

2011-04-22 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://my.yahoo.com/

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop

mWindow Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet

uInternet Settings,ProxyOverride = <local>;*.local

Trusted Zone: turbotax.com

DPF: {7CCAD6DD-DD0B-440B-91FF-7670F5AADC21} - hxxp://l.yimg.com/jh/games/web_games/playtime/mysterysolitaire/SpinTopGamesLauncher.cab

DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} - hxxp://l.yimg.com/jh/games/web_games/sony/bewitched/main.cab

FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\two8lgn6.default\

FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/

FF - prefs.js: network.proxy.type - 0

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\HP_Administrator\Application Data\Move Networks

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-05-10 20:14

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

@DACL=(02 0000)

@=""

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}]

@DACL=(02 0000)

@="Wireless"

"ProcessGroupPolicy"="ProcessWIRELESSPolicy"

"DllName"=expand:"gptext.dll"

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}]

@DACL=(02 0000)

@="Folder Redirection"

"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"

"DllName"=expand:"fdeploy.dll"

"NoMachinePolicy"=dword:00000001

"NoSlowLink"=dword:00000001

"PerUserLocalSettings"=dword:00000001

"NoGPOListChanges"=dword:00000000

"NoBackgroundPolicy"=dword:00000000

"GenerateGroupPolicy"="GenerateGroupPolicy"

"EventSources"=multi:"(Folder Redirection,Application)\00\00"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]

@DACL=(02 0000)

@="Microsoft Disk Quota"

"NoMachinePolicy"=dword:00000000

"NoUserPolicy"=dword:00000001

"NoSlowLink"=dword:00000001

"NoBackgroundPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

"PerUserLocalSettings"=dword:00000000

"RequiresSuccessfulRegistry"=dword:00000001

"EnableAsynchronousProcessing"=dword:00000000

"DllName"=expand:"dskquota.dll"

"ProcessGroupPolicy"="ProcessGroupPolicy"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}]

@DACL=(02 0000)

@="QoS Packet Scheduler"

"ProcessGroupPolicy"="ProcessPSCHEDPolicy"

"DllName"=expand:"gptext.dll"

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}]

@DACL=(02 0000)

@="Scripts"

"ProcessGroupPolicy"="ProcessScriptsGroupPolicy"

"ProcessGroupPolicyEx"="ProcessScriptsGroupPolicyEx"

"GenerateGroupPolicy"="GenerateScriptsGroupPolicy"

"DllName"=expand:"gptext.dll"

"NoSlowLink"=dword:00000001

"NoGPOListChanges"=dword:00000001

"NotifyLinkTransition"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]

@DACL=(02 0000)

@="Internet Explorer Zonemapping"

"DllName"=expand:"iedkcs32.dll"

"ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"

"NoGPOListChanges"=dword:00000001

"RequiresSucessfulRegistry"=dword:00000001

"DisplayName"=expand:"@iedkcs32.dll,-3051"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]

@DACL=(02 0000)

"ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"

"GenerateGroupPolicy"="SceGenerateGroupPolicy"

"ExtensionRsopPlanningDebugLevel"=dword:00000001

"ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"

"ExtensionDebugLevel"=dword:00000001

"DllName"=expand:"scecli.dll"

@="Security"

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

"EnableAsynchronousProcessing"=dword:00000001

"MaxNoGPOListChangesInterval"=dword:000003c0

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]

@DACL=(02 0000)

"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"

"GenerateGroupPolicy"="GenerateGroupPolicy"

"ProcessGroupPolicy"="ProcessGroupPolicy"

"DllName"="iedkcs32.dll"

@="Internet Explorer Branding"

"NoSlowLink"=dword:00000001

"NoBackgroundPolicy"=dword:00000000

"NoGPOListChanges"=dword:00000001

"NoMachinePolicy"=dword:00000001

"DisplayName"=expand:"@iedkcs32.dll,-3014"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]

@DACL=(02 0000)

"ProcessGroupPolicy"="SceProcessEFSRecoveryGPO"

"DllName"=expand:"scecli.dll"

@="EFS recovery"

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

"RequiresSuccessfulRegistry"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}]

@DACL=(02 0000)

@="802.3 Group Policy"

"DisplayName"=expand:"@dot3gpclnt.dll,-100"

"ProcessGroupPolicyEx"="ProcessLANPolicyEx"

"GenerateGroupPolicy"="GenerateLANPolicy"

"DllName"=expand:"dot3gpclnt.dll"

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]

@DACL=(02 0000)

@="Microsoft Offline Files"

"DllName"=expand:"%SystemRoot%\\System32\\cscui.dll"

"EnableAsynchronousProcessing"=dword:00000000

"NoBackgroundPolicy"=dword:00000000

"NoGPOListChanges"=dword:00000000

"NoMachinePolicy"=dword:00000000

"NoSlowLink"=dword:00000000

"NoUserPolicy"=dword:00000001

"PerUserLocalSettings"=dword:00000000

"ProcessGroupPolicy"="ProcessGroupPolicy"

"RequiresSuccessfulRegistry"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]

@DACL=(02 0000)

@="Software Installation"

"DllName"=expand:"appmgmts.dll"

"ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx"

"GenerateGroupPolicy"="GenerateGroupPolicy"

"NoBackgroundPolicy"=dword:00000000

"RequiresSucessfulRegistry"=dword:00000000

"NoSlowLink"=dword:00000001

"PerUserLocalSettings"=dword:00000001

"EventSources"=multi:"(Application Management,Application)\00(MsiInstaller,Application)\00\00"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}]

@DACL=(02 0000)

@="IP Security"

"ProcessGroupPolicy"="ProcessIPSECPolicy"

"DllName"=expand:"gptext.dll"

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000000

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]

@DACL=(02 0000)

"DllName"="c:\\Program Files\\SUPERAntiSpyware\\SASWINLO.DLL"

"Logon"="SABWINLOLogon"

"Logoff"="SABWINLOLogoff"

"Startup"="SABWINLOStartup"

"Shutdown"="SABWINLOShutdown"

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]

@DACL=(02 0000)

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=expand:"crypt32.dll"

"Logoff"="ChainWlxLogoffEvent"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]

@DACL=(02 0000)

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=expand:"cryptnet.dll"

"Logoff"="CryptnetWlxLogoffEvent"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]

@DACL=(02 0000)

"DLLName"="cscdll.dll"

"Logon"="WinlogonLogonEvent"

"Logoff"="WinlogonLogoffEvent"

"ScreenSaver"="WinlogonScreenSaverEvent"

"Startup"="WinlogonStartupEvent"

"Shutdown"="WinlogonShutdownEvent"

"StartShell"="WinlogonStartShellEvent"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]

@DACL=(02 0000)

"Asynchronous"=dword:00000001

"DllName"=expand:"%SystemRoot%\\System32\\dimsntfy.dll"

"Startup"="WlDimsStartup"

"Shutdown"="WlDimsShutdown"

"Logon"="WlDimsLogon"

"Logoff"="WlDimsLogoff"

"StartShell"="WlDimsStartShell"

"Lock"="WlDimsLock"

"Unlock"="WlDimsUnlock"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]

@DACL=(02 0000)

"DLLName"="wlnotify.dll"

"Logon"="SCardStartCertProp"

"Logoff"="SCardStopCertProp"

"Lock"="SCardSuspendCertProp"

"Unlock"="SCardResumeCertProp"

"Enabled"=dword:00000001

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]

@DACL=(02 0000)

"Asynchronous"=dword:00000000

"DllName"=expand:"wlnotify.dll"

"Impersonate"=dword:00000000

"StartShell"="SchedStartShell"

"Logoff"="SchedEventLogOff"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]

@DACL=(02 0000)

"Logoff"="WLEventLogoff"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

"DllName"=expand:"sclgntfy.dll"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]

@DACL=(02 0000)

"DLLName"="WlNotify.dll"

"Lock"="SensLockEvent"

"Logon"="SensLogonEvent"

"Logoff"="SensLogoffEvent"

"Safe"=dword:00000001

"MaxWait"=dword:00000258

"StartScreenSaver"="SensStartScreenSaverEvent"

"StopScreenSaver"="SensStopScreenSaverEvent"

"Startup"="SensStartupEvent"

"Shutdown"="SensShutdownEvent"

"StartShell"="SensStartShellEvent"

"PostShell"="SensPostShellEvent"

"Disconnect"="SensDisconnectEvent"

"Reconnect"="SensReconnectEvent"

"Unlock"="SensUnlockEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]

@DACL=(02 0000)

"Asynchronous"=dword:00000000

"DllName"=expand:"wlnotify.dll"

"Impersonate"=dword:00000000

"Logoff"="TSEventLogoff"

"Logon"="TSEventLogon"

"PostShell"="TSEventPostShell"

"Shutdown"="TSEventShutdown"

"StartShell"="TSEventStartShell"

"Startup"="TSEventStartup"

"MaxWait"=dword:00000258

"Reconnect"="TSEventReconnect"

"Disconnect"="TSEventDisconnect"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]

@DACL=(02 0000)

"Logon"="WLEventLogon"

"Logoff"="WLEventLogoff"

"Startup"="WLEventStartup"

"Shutdown"="WLEventShutdown"

"StartScreenSaver"="WLEventStartScreenSaver"

"StopScreenSaver"="WLEventStopScreenSaver"

"Lock"="WLEventLock"

"Unlock"="WLEventUnlock"

"StartShell"="WLEventStartShell"

"PostShell"="WLEventPostShell"

"Disconnect"="WLEventDisconnect"

"Reconnect"="WLEventReconnect"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000000

"SafeMode"=dword:00000001

"MaxWait"=dword:ffffffff

"DllName"=expand:"WgaLogon.dll"

"Event"=dword:00000000

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]

@DACL=(02 0000)

"DLLName"="wlnotify.dll"

"Logon"="RegisterTicketExpiredNotificationEvent"

"Logoff"="UnregisterTicketExpiredNotificationEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]

@DACL=(02 0000)

"HelpAssistant"=dword:00000000

"TsInternetUser"=dword:00000000

"SQLAgentCmdExec"=dword:00000000

"NetShowServices"=dword:00000000

"IWAM_"=dword:00010000

"IUSR_"=dword:00010000

"VUSR_"=dword:00010000

"ASPNET"=dword:00000000

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(1900)

c:\windows\system32\WININET.dll

c:\program files\Windows Media Player\wmpband.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\windows\arservice.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\eHome\ehRecvr.exe

c:\windows\eHome\ehSched.exe

c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\dllhost.exe

.

**************************************************************************

.

Completion time: 2011-05-10 20:20:22 - machine was rebooted

ComboFix-quarantined-files.txt 2011-05-11 01:20

.

Pre-Run: 133,685,915,648 bytes free

Post-Run: 135,008,792,576 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

.

- - End Of File - - 6C75F42277694879698D2307A9A73BA0


Copy/paste the text in the Codebox below into notepad:

Here's how to do that:

Click Start > Run type Notepad click OK.

This will open an empty notepad file:

Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.

KillAll::


[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"=-
"52344:TCP"=-
"8424:TCP"=-
"8425:TCP"=-

Save this file to your desktop. Save it as "CFScript".

Here's how to do that:

1. Click File;

2. Click Save As... Change the directory to your desktop;

3. Change the Save as type to "All Files";

4. Type in the file name: CFScript

5. Click Save ...


Drag CFScript.txt into ComboFix.exe

Then post the results log using Copy / Paste

Also please describe how your computer behaves at the moment.

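The CFScript above works because the four `"port:TCP"=-` lines delete those values from the firewall's GloballyOpenPorts list (the same `"name"=-` deletion syntax that .reg files use). What the helper did by eye, reading the "Reg Loading Points" section of the ComboFix log, can be done mechanically: parse the standardprofile keys, flag a disabled firewall and any globally open port the owner did not knowingly add, and emit the matching CFScript. The following Python is an added example written for this page, not code from the thread or from ComboFix; the log fragment it parses is constructed from the lines in the post above, and the allow-list of expected ports (only 3389/TCP Remote Desktop, which itself deserves a question on a home PC) is an assumption.

```python
import re

# Constructed sample: the firewall part of a ComboFix "Reg Loading Points"
# report, in the same shape as the log posted in this thread.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"8424:TCP"= 8424:TCP:Services
"8425:TCP"= 8425:TCP:Services
.
"""

PROFILE_KEY = r"HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile"
PORTS_KEY = PROFILE_KEY + r"\GloballyOpenPorts\List"

KEY_RE = re.compile(r"^\[(.+)\]$")
# e.g.  "EnableFirewall"= 0 (0x0)
SETTING_RE = re.compile(r'^"(\w+)"=\s*(\d+)')
# e.g.  "3389:TCP"= 3389:TCP:Remote Desktop
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$')

# Assumption: ports the owner knowingly opened. Everything else gets flagged.
EXPECTED_PORTS = {(3389, "TCP")}


def parse_firewall_section(text):
    """Return (profile settings dict, list of (port, proto, label)) from log text."""
    settings, ports, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            continue
        if current == PROFILE_KEY.lower():
            m = SETTING_RE.match(line)
            if m:
                settings[m.group(1)] = int(m.group(2))
        elif current == PORTS_KEY.lower():
            m = PORT_RE.match(line)
            if m:
                ports.append((int(m.group(1)), m.group(2), m.group(3).strip()))
    return settings, ports


def triage(settings, ports, expected=EXPECTED_PORTS):
    """Return (human-readable findings, list of (port, proto) values to delete)."""
    findings, to_remove = [], []
    if settings.get("EnableFirewall") == 0:
        findings.append("firewall disabled in standard profile (EnableFirewall=0)")
    for port, proto, label in ports:
        if (port, proto) not in expected:
            findings.append(f"unexpected global open port {port}/{proto} labelled {label!r}")
            to_remove.append((port, proto))
    return findings, to_remove


def build_cfscript(to_remove):
    """Emit a CFScript in the same form as the one posted above: KillAll::, the
    registry key, then one "port:proto"=- line per value to delete."""
    lines = ["KillAll::", "", f"[{PORTS_KEY}]"]
    lines += [f'"{port}:{proto}"=-' for port, proto in to_remove]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    cfg, open_ports = parse_firewall_section(SAMPLE_LOG)
    notes, victims = triage(cfg, open_ports)
    print("\n".join(notes))
    print(build_cfscript(victims))
```

Note that the script only deletes the port exceptions; it does not turn the firewall back on (EnableFirewall stays 0) or clear the AntiVirusOverride/FirewallOverride flags shown in the same log, so those still need to be dealt with once the machine is clean.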

Ran ComboFix with CFScript as directed, log below. Tried several programs and everything seems to be working fine. Thanks for the help!

ComboFix 11-05-09.04 - HP_Administrator 05/11/2011 19:36:04.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3518.3120 [GMT -5:00]

Running from: c:\documents and settings\HP_Administrator\Desktop\combofix.exe

Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt

.

.

((((((((((((((((((((((((( Files Created from 2011-04-12 to 2011-05-12 )))))))))))))))))))))))))))))))

.

.

2011-05-08 19:12 . 2011-05-08 19:12 -------- d-----w- c:\program files\ERUNT

2011-05-08 18:56 . 2011-05-08 18:56 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla

2011-05-08 16:00 . 2011-05-08 16:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2011-04-23 00:37 . 2011-04-23 00:37 -------- d-----w- c:\program files\iPod

2011-04-23 00:37 . 2011-04-23 00:38 -------- d-----w- c:\program files\iTunes

2011-04-23 00:34 . 2011-04-23 00:34 -------- d-----w- c:\program files\Bonjour

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-04-06 21:20 . 2011-04-06 21:20 91424 ----a-w- c:\windows\system32\dnssd.dll

2011-04-06 21:20 . 2011-04-06 21:20 107808 ----a-w- c:\windows\system32\dns-sd.exe

2011-03-07 05:33 . 2004-08-09 21:00 692736 ------w- c:\windows\system32\inetcomm.dll

2011-03-04 06:45 . 2004-08-09 21:00 434176 ----a-w- c:\windows\system32\vbscript.dll

2011-03-03 13:21 . 2004-08-09 21:00 1857920 ----a-w- c:\windows\system32\win32k.sys

2011-02-18 21:36 . 2010-04-04 15:07 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2011-02-18 21:36 . 2010-04-04 15:07 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll

2011-02-17 19:00 . 2004-08-09 21:00 832512 ----a-w- c:\windows\system32\wininet.dll

2011-02-17 19:00 . 2004-08-09 21:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2011-02-17 19:00 . 2004-08-09 21:00 1830912 ----a-w- c:\windows\system32\inetcpl.cpl

2011-02-17 19:00 . 2004-08-09 21:00 17408 ----a-w- c:\windows\system32\corpol.dll

2011-02-17 13:18 . 2004-08-09 21:00 455936 ------w- c:\windows\system32\drivers\mrxsmb.sys

2011-02-17 13:18 . 2004-08-09 21:00 357888 ------w- c:\windows\system32\drivers\srv.sys

2011-02-17 12:32 . 2009-04-17 00:29 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2011-02-17 11:44 . 2004-08-09 21:00 389120 ----a-w- c:\windows\system32\html.iec

2011-02-15 12:56 . 2004-08-09 21:00 290432 ----a-w- c:\windows\system32\atmfd.dll

2011-02-11 13:25 . 2006-08-18 13:21 229888 ----a-w- c:\windows\system32\fxscover.exe

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-05-05 2424192]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]

.

c:\documents and settings\Default User\Start Menu\Programs\Startup\

Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-8-18 27136]

PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-8-18 27136]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\eMule\\emule.exe"=

"c:\\WINDOWS\\system32\\fxsclnt.exe"=

"c:\\StubInstaller.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:Remote Desktop

"65533:TCP"= 65533:TCP:Services

"52344:TCP"= 52344:TCP:Services

"8424:TCP"= 8424:TCP:Services

"8425:TCP"= 8425:TCP:Services

.

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [8/18/2008 5:44 PM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/18/2008 5:44 PM 67656]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/18/2008 5:44 PM 12872]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

.

2011-04-22 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://my.yahoo.com/

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop

mWindow Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet

uInternet Settings,ProxyOverride = <local>;*.local

Trusted Zone: turbotax.com

DPF: {7CCAD6DD-DD0B-440B-91FF-7670F5AADC21} - hxxp://l.yimg.com/jh/games/web_games/playtime/mysterysolitaire/SpinTopGamesLauncher.cab

DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} - hxxp://l.yimg.com/jh/games/web_games/sony/bewitched/main.cab

FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\two8lgn6.default\

FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/

FF - prefs.js: network.proxy.type - 0

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\HP_Administrator\Application Data\Move Networks

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-05-11 19:47

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Active Setup\Installed Components]

@Denied: (Full) (Everyone)

@Denied: (Full) (Everyone)

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Active Setup\Installed Components\<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}]

@="IE7 Uninstall Stub"

"ComponentID"="IEUDINIT"

"DontAsk"=dword:00000002

"IsInstalled"=dword:00000001

"Locale"="*"

"StubPath"="c:\\WINDOWS\\system32\\ieudinit.exe"

"Version"="7,0,5730,0"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]

"DontAsk"=dword:00000002

"Version"="11,0,5721,5145"

"IsInstalled"=dword:00000000

"Stubpath"="c:\\WINDOWS\\inf\\unregmp2.exe /ShowWMP"

@="Microsoft Windows Media Player"

"ComponentID"="WMPACCESS"

"Locale"="*"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]

@="Internet Explorer"

"ComponentID"="IEACCESS"

"Dontask"=dword:00000002

"IsInstalled"=dword:00000001

"Locale"="*"

"StubPath"="c:\\WINDOWS\\system32\\ie4uinit.exe -UserIconConfig"

"Version"="6,0,5730,13"

"LocalizedName"="@c:\\WINDOWS\\system32\\ie4uinit.exe,-21"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

@="Browser Customizations"

"ComponentiD"="BRANDING.CAB"

"IsInstalled"=dword:00000001

"Locale"="*"

"LocalizedName"="@c:\\WINDOWS\\system32\\iedkcs32.dll,-3052"

"StubPath"="RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP"

"Version"="6,0,5730,13"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]

@="Outlook Express"

"ComponentID"="OEACCESS"

"Dontask"=dword:00000002

"IsInstalled"=dword:00000001

"Locale"="*"

"StubPath"=expand:"%systemroot%\\system32\\shmgrate.exe OCInstallUserConfigOE"

"Version"="2,0,0,0"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Active Setup\Installed Components\KB910393]

@="KB910393"

"ComponentID"="KB910393"

"DontAsk"=dword:00000002

"Locale"="*"

"StubPath"="rundll32.exe advpack.dll,LaunchINFSection c:\\WINDOWS\\INF\\EasyCDBlock.inf,PerUserInstall"

"IsInstalled"=dword:00000001

"Version"="1,0,0,0"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500}]

@="Java (Sun)"

"ComponentID"="JAVAVM"

"IsInstalled"=dword:00000001

"KeyFileName"="c:\\Program Files\\Java\\jre6\\bin\\regutils.dll"

"Version"="5,0,5000,0"

"Locale"="EN"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Active Setup\Installed Components\{10072CEC-8CC1-11D1-986E-00A0C955B42F}]

@="Vector Graphics Rendering (VML)"

"ComponentID"="MSVML"

"Version"="6,0,2462,0001"

"IsInstalled"=hex:01,00,00,00

"Locale"="EN"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Active Setup\Installed Components\{1BC46932-21B2-4130-86E0-B4EB4F7A7A7B}]

@="Microsoft .NET Framework 1.0 Hotfix (KB887998)"

"IsInstalled"=dword:00000001

"ComponentID"="NDPKB887998"

"Version"="1,0,3705"

"Locale"="*"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Active Setup\Installed Components\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220}]

@=""

"ComponentID"="NetShow"

"IsInstalled"=dword:00000001

"DontAsk"=dword:00000002

"Locale"="EN"

"StubPath"=""

"Version"="11,0,5721,5145"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]

"ComponentID"="Microsoft Windows Media Player"

"DontAsk"=dword:00000002

"Locale"="ENU"

"StubPath"=""

"IsInstalled"=dword:00000001

@="Microsoft Windows Media Player 6.4"

"Version"="11,0,5721,5145"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Active Setup\Installed Components\{233C1507-6A77-46A4-9443-F871F945D258}]

"ComponentID"="Director"

"IsInstalled"=hex:01,00,00,00

"Version"="10,4,0,25"

"Locale"="EN"

@="Adobe Shockwave Director 10.4"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Active Setup\Installed Components\{283807B5-2C60-11D0-A31D-00AA00B92C03}]

@="DirectAnimation"

"IsInstalled"=dword:00000001

"Version"="6,0,3,531"

"Locale"="EN"

"ComponentID"="DirectAnimation"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Active Setup\Installed Components\{29E7D24F-BF30-45E7-8A40-AD27AFD8F5C6}]

@="Microsoft .NET Framework 1.0 Hotfix (KB979904)"

"IsInstalled"=dword:00000001

"ComponentID"="NDPKB979904"

"Version"="1,0,3705"

"Locale"="*"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Active Setup\Installed Components\{2A202491-F00D-11cf-87CC-0020AFEECF20}]

"ComponentID"="Director"

"IsInstalled"=hex:01,00,00,00

"Version"="10,4,0,25"

"Locale"="EN"

@="Adobe Shockwave Director 10.4"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Active Setup\Installed Components\{2A3320D6-C805-4280-B423-B665BDE33D8F}]

"ComponentID"="M979906"

@="Microsoft .NET Framework 1.1 Security Update (KB979906)"

"Version"="1,1,4322"

"Locale"="*"

"IsInstalled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]

"Version"="1,1,1,7"

@="Themes Setup"

"ComponentID"="Theme Component"

"IsInstalled"=dword:00000001

"Locale"="EN"

"StubPath"=expand:"%SystemRoot%\\system32\\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\\system32\\themeui.dll"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Active Setup\Installed Components\{2F6EFCE6-10DF-49F9-9E64-9AE3775B2588}]

"IsInstalled"=dword:00000001

"Locale"="*"

"Version"="1,1,4322"

"ComponentID"="M2416447"

@="Microsoft .NET Framework 1.1 Security Update (KB2416447)"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Active Setup\Installed Components\{36f8ec70-c29a-11d1-b5c7-0000f8051515}]

@="Dynamic HTML Data Binding for Java"

"ComponentID"="TridataJava"

"IsInstalled"=dword:00000001

"Locale"="*"

"Version"="4,7,0,0320"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}]

"Version"="7,0,5730,13"

@="Offline Browsing Pack"

"ComponentID"="MobilePk"

"IsInstalled"=dword:00000001

"Locale"="*"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Active Setup\Installed Components\{3bf42070-b3b1-11d1-b5c5-0000f8051515}]

@="Uniscribe"

"ComponentID"="USP10"

"IsInstalled"=dword:00000001

"Locale"="*"

"Version"="1,397,2406,1"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Active Setup\Installed Components\{407408d4-94ed-4d86-ab69-a7f649d112ee}]

@SACL=

@="Media Center"

"ComponentID"="Media Center Shortcut"

"IsInstalled"=dword:00000001

"StubPath"=expand:"%SystemRoot%\\System32\\rundll32.exe setupapi,InstallHinfSection QuickLaunchShortcut 640 %systemroot%\\inf\\mcdftreg.inf"

"Version"="1,0,0,0"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Active Setup\Installed Components\{411EDCF7-755D-414E-A74B-3DCD6583F589}]

"IsInstalled"=dword:00000001

"Locale"="*"

"Version"="1,1,4322"

"ComponentID"="S867460"

@="Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Active Setup\Installed Components\{4278c270-a269-11d1-b5bf-0000f8051515}]

@="Advanced Authoring"

"ComponentID"="AdvAuth"

"IsInstalled"=dword:00000001

"Locale"="*"

"Version"="6,0,2900,2180"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]

"Version"="6,0,2900,5512"

@="Microsoft Outlook Express 6"

"IsInstalled"=dword:00000001

"Locale"="EN"

"ComponentID"="MailNews"

"CloneUser"=dword:00000001

"StubPath"=expand:"\"%ProgramFiles%\\Outlook Express\\setup50.exe\" /APP:OE /CALLER:WINNT /user /install"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]

@="NetMeeting 3.01"

"ComponentID"="NetMeeting"

"IsInstalled"=hex:01,00,00,00

"Version"="4,4,0,3400"

"Locale"="EN"

"StubPath"="rundll32.exe advpack.dll,LaunchINFSection c:\\WINDOWS\\INF\\msnetmtg.inf,NetMtg.Install.PerUser.NT"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Active Setup\Installed Components\{44BBA848-CC51-11CF-AAFA-00AA00B6015C}]

@="DirectShow"

"ComponentID"="activemovie"

"IsInstalled"=dword:00000001

"DontAsk"=dword:00000002

"Locale"="EN"

"Version"="11,0,5721,5145"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}]

@="DirectDrawEx"

"ComponentID"="DirectDrawEx"

"IsInstalled"=dword:00000001

"Locale"="*"

"Version"="4,71,1113,0"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}]

@="Internet Explorer Help"

"ComponentID"="HelpCont"

"IsInstalled"=dword:00000001

"Locale"="*"

"Version"="7,0,5730,13"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Active Setup\Installed Components\{4f216970-c90c-11d1-b5c7-0000f8051515}]

@="DirectAnimation Java Classes"

"ComponentID"="DAJava"

"IsInstalled"=dword:00000001

"Locale"="*"

"Version"="6,00,01,0223"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}]

@="Microsoft Windows Script 5.7"

"ComponentID"="MSVBScript"

"IsInstalled"=dword:00000001

"Locale"="EN"

"Version"="5,7,6002,22589"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]

@="Windows Messenger 4.7"

"ComponentID"="Messenger"

"StubPath"="rundll32.exe advpack.dll,LaunchINFSection c:\\WINDOWS\\INF\\msmsgs.inf,BLC.QuietInstall.PerUser"

"Locale"="EN"

"Version"="4,7,0,3000"

"IsInstalled"=dword:00000001

"KeyFileName"="c:\\Program Files\\Messenger\\msmsgs.exe"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Active Setup\Installed Components\{5A8D6EE0-3E18-11D0-821E-444553540000}]

"(Default)"="Internet Connection Wizard"

"ComponentID"="ICW"

"IsInstalled"=dword:00000001

"Locale"="*"

"Version"="5,00,2918,1900"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}]

@="Internet Explorer Setup Tools"

"ComponentID"="GenSetup"

"IsInstalled"=dword:00000001

"Locale"="*"

"Version"="7,0,5730,13"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}]

"Version"="7,0,5730,13"

@="Browsing Enhancements"

"ComponentID"="ExtraPack"

"IsInstalled"=dword:00000001

"Locale"="*"

"KeyFileName"="c:\\WINDOWS\\system32\\msieftp.dll"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]

@="Microsoft Windows Media Player"

"ComponentID"="Microsoft Windows Media Player"

"DontAsk"=dword:00000002

"Locale"="ENU"

"StubPath"="rundll32.exe advpack.dll,LaunchINFSection c:\\WINDOWS\\INF\\wmp11.inf,PerUserStub"

"IsInstalled"=dword:00000001

"Version"="11,0,5721,5145"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}]

@="MSN Site Access"

"ComponentID"="MSN_Auth"

"IsInstalled"=dword:00000001

"Locale"="*"

"Version"="4,9,9,2"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Active Setup\Installed Components\{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}]

"ComponentID"=".NETFramework"

@=".NET Framework"

"Locale"=""

"Version"="2,0,50727,0"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]

"Version"="6,0,2900,5512"

@="Address Book 6"

"IsInstalled"=dword:00000001

"Locale"="EN"

"ComponentID"="WAB"

"StubPath"=expand:"\"%ProgramFiles%\\Outlook Express\\setup50.exe\" /APP:WAB /CALLER:WINNT /user /install"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]

"Version"="6,0,2900,2180"

@="Windows Desktop Update"

"ComponentID"="IE4Shell_NT"

"IsInstalled"=dword:00000001

"Locale"="en"

"StubPath"=expand:"regsvr32.exe /s /n /i:U shell32.dll"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]

"Version"="7,0,5730,13"

@="Internet Explorer"

"ComponentID"="BASEIE40_W2K"

"IsInstalled"=dword:00000001

"Locale"="en"

"StubPath"="c:\\WINDOWS\\system32\\ie4uinit.exe -BaseSettings"

"LocalizedName"="@c:\\WINDOWS\\system32\\ie4uinit.exe,-20"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]

"ComponentID"="DOTNETFRAMEWORKS"

"IsInstalled"=dword:00000001

"StubPath"="c:\\WINDOWS\\system32\\Rundll32.exe c:\\WINDOWS\\system32\\mscories.dll,Install"

"Version"="1,1,0,5000"

"DontAsk"=dword:00000002

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Active Setup\Installed Components\{8b15971b-5355-4c82-8c07-7e181ea07608}]

@SACL=

@="Fax"

"ComponentID"="Fax"

"IsInstalled"=dword:00000001

"DontAsk"=dword:00000002

"Version"="5.1"

"Locale"="EN"

"StubPath"="rundll32.exe advpack.dll,LaunchINFSection c:\\WINDOWS\\INF\\fxsocm.inf,Fax.Install.PerUser"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5}]

@="Dynamic HTML Data Binding"

"ComponentID"="Tridata"

"IsInstalled"=dword:00000001

"Locale"="*"

"Version"="7,0,5730,13"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Active Setup\Installed Components\{94de52c8-2d59-4f1b-883e-79663d2d9a8c}]

@SACL=

@="Fax Provider"

"ComponentID"="Fax Provider"

"IsInstalled"=dword:00000001

"DontAsk"=dword:00000002

"Version"="5.1"

"Locale"="EN"

"StubPath"=""

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Active Setup\Installed Components\{B508B3F1-A24A-32C0-B310-85786919EF28}]

"Locale"=""

"Version"="2,0,50727,0"

"ComponentID"=".NETFramework"

@=".NET Framework"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Active Setup\Installed Components\{BDE0FA43-6952-4BA8-8C58-09AF690F88E1}]

@="Microsoft .NET Framework 1.0 Hotfix (KB930494)"

"IsInstalled"=dword:00000001

"ComponentID"="NDPKB930494"

"Version"="1,0,3705"

"Locale"="*"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Active Setup\Installed Components\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}]

"Locale"=""

"Version"="2,0,50727,0"

"ComponentID"=".NETFramework"

@=".NET Framework"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}]

@="Internet Explorer Core Fonts"

"ComponentID"="Fontcore"

"IsInstalled"=dword:00000001

"Locale"="*"

"Version"="6,0,5730,13"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Active Setup\Installed Components\{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}]

"Locale"=""

"Version"="1,0,4322,1"

"ComponentID"=".NETFramework"

@=".NET Framework"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Active Setup\Installed Components\{CC2A9BA0-3BDD-11D0-821E-444553540000}]

@="Task Scheduler"

"ComponentID"="MSTASK"

"IsInstalled"=dword:00000001

"Locale"="*"

"Version"="4,71,1968,1"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Active Setup\Installed Components\{CDD7975E-60F8-41d5-8149-19E51D6F71D0}]

"ComponentID"="Windows Movie Maker v2.1"

"IsInstalled"=hex:01,00,00,00

"Version"="2,1,4026,0"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@="Adobe Flash Player"

"ComponentID"="Flash"

"IsInstalled"=hex:01,00,00,00

"Version"="10.0.42.34"

"Locale"="EN"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}]

@="HTML Help"

"ComponentID"="HTMLHelp"

"IsInstalled"=dword:00000001

"Locale"="*"

"Version"="6,0,5730,13"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Active Setup\Installed Components\{E8EA5BD6-D931-4001-ABF6-81BAA500360A}]

@="Microsoft .NET Framework 1.0 Hotfix (KB953295)"

"IsInstalled"=dword:00000001

"ComponentID"="NDPKB953295"

"Version"="1,0,3705"

"Locale"="*"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}]

@="Active Directory Service Interface"

"ComponentID"="ADSI"

"IsInstalled"=hex:01,00,00,00

"Locale"="EN"

"Version"="5,0,00,0"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Active Setup\Installed Components\{EA29D410-CE41-4953-A862-2DE706A1DAD7}]

@="Microsoft .NET Framework 1.0 Service Pack 3"

"IsInstalled"=dword:00000001

"ComponentID"="NDP10SP3"

"version"="1,0,3705"

"Locale"="*"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Active Setup\Installed Components\{FDC11A6F-17D1-48f9-9EA3-9051954BAA24}]

@=".NET Framework"

"ComponentID"=".NETFramework"

"Version"="1,0,3705,3"

"Locale"=""

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

@DACL=(02 0000)

@=""

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}]

@DACL=(02 0000)

@="Wireless"

"ProcessGroupPolicy"="ProcessWIRELESSPolicy"

"DllName"=expand:"gptext.dll"

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}]

@DACL=(02 0000)

@="Folder Redirection"

"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"

"DllName"=expand:"fdeploy.dll"

"NoMachinePolicy"=dword:00000001

"NoSlowLink"=dword:00000001

"PerUserLocalSettings"=dword:00000001

"NoGPOListChanges"=dword:00000000

"NoBackgroundPolicy"=dword:00000000

"GenerateGroupPolicy"="GenerateGroupPolicy"

"EventSources"=multi:"(Folder Redirection,Application)\00\00"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]

@DACL=(02 0000)

@="Microsoft Disk Quota"

"NoMachinePolicy"=dword:00000000

"NoUserPolicy"=dword:00000001

"NoSlowLink"=dword:00000001

"NoBackgroundPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

"PerUserLocalSettings"=dword:00000000

"RequiresSuccessfulRegistry"=dword:00000001

"EnableAsynchronousProcessing"=dword:00000000

"DllName"=expand:"dskquota.dll"

"ProcessGroupPolicy"="ProcessGroupPolicy"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}]

@DACL=(02 0000)

@="QoS Packet Scheduler"

"ProcessGroupPolicy"="ProcessPSCHEDPolicy"

"DllName"=expand:"gptext.dll"

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}]

@DACL=(02 0000)

@="Scripts"

"ProcessGroupPolicy"="ProcessScriptsGroupPolicy"

"ProcessGroupPolicyEx"="ProcessScriptsGroupPolicyEx"

"GenerateGroupPolicy"="GenerateScriptsGroupPolicy"

"DllName"=expand:"gptext.dll"

"NoSlowLink"=dword:00000001

"NoGPOListChanges"=dword:00000001

"NotifyLinkTransition"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]

@DACL=(02 0000)

@="Internet Explorer Zonemapping"

"DllName"=expand:"iedkcs32.dll"

"ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"

"NoGPOListChanges"=dword:00000001

"RequiresSucessfulRegistry"=dword:00000001

"DisplayName"=expand:"@iedkcs32.dll,-3051"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]

@DACL=(02 0000)

"ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"

"GenerateGroupPolicy"="SceGenerateGroupPolicy"

"ExtensionRsopPlanningDebugLevel"=dword:00000001

"ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"

"ExtensionDebugLevel"=dword:00000001

"DllName"=expand:"scecli.dll"

@="Security"

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

"EnableAsynchronousProcessing"=dword:00000001

"MaxNoGPOListChangesInterval"=dword:000003c0

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]

@DACL=(02 0000)

"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"

"GenerateGroupPolicy"="GenerateGroupPolicy"

"ProcessGroupPolicy"="ProcessGroupPolicy"

"DllName"="iedkcs32.dll"

@="Internet Explorer Branding"

"NoSlowLink"=dword:00000001

"NoBackgroundPolicy"=dword:00000000

"NoGPOListChanges"=dword:00000001

"NoMachinePolicy"=dword:00000001

"DisplayName"=expand:"@iedkcs32.dll,-3014"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]

@DACL=(02 0000)

"ProcessGroupPolicy"="SceProcessEFSRecoveryGPO"

"DllName"=expand:"scecli.dll"

@="EFS recovery"

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

"RequiresSuccessfulRegistry"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}]

@DACL=(02 0000)

@="802.3 Group Policy"

"DisplayName"=expand:"@dot3gpclnt.dll,-100"

"ProcessGroupPolicyEx"="ProcessLANPolicyEx"

"GenerateGroupPolicy"="GenerateLANPolicy"

"DllName"=expand:"dot3gpclnt.dll"

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]

@DACL=(02 0000)

@="Microsoft Offline Files"

"DllName"=expand:"%SystemRoot%\\System32\\cscui.dll"

"EnableAsynchronousProcessing"=dword:00000000

"NoBackgroundPolicy"=dword:00000000

"NoGPOListChanges"=dword:00000000

"NoMachinePolicy"=dword:00000000

"NoSlowLink"=dword:00000000

"NoUserPolicy"=dword:00000001

"PerUserLocalSettings"=dword:00000000

"ProcessGroupPolicy"="ProcessGroupPolicy"

"RequiresSuccessfulRegistry"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]

@DACL=(02 0000)

@="Software Installation"

"DllName"=expand:"appmgmts.dll"

"ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx"

"GenerateGroupPolicy"="GenerateGroupPolicy"

"NoBackgroundPolicy"=dword:00000000

"RequiresSucessfulRegistry"=dword:00000000

"NoSlowLink"=dword:00000001

"PerUserLocalSettings"=dword:00000001

"EventSources"=multi:"(Application Management,Application)\00(MsiInstaller,Application)\00\00"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}]

@DACL=(02 0000)

@="IP Security"

"ProcessGroupPolicy"="ProcessIPSECPolicy"

"DllName"=expand:"gptext.dll"

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000000

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]

@DACL=(02 0000)

"DllName"="c:\\Program Files\\SUPERAntiSpyware\\SASWINLO.DLL"

"Logon"="SABWINLOLogon"

"Logoff"="SABWINLOLogoff"

"Startup"="SABWINLOStartup"

"Shutdown"="SABWINLOShutdown"

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]

@DACL=(02 0000)

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=expand:"crypt32.dll"

"Logoff"="ChainWlxLogoffEvent"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]

@DACL=(02 0000)

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=expand:"cryptnet.dll"

"Logoff"="CryptnetWlxLogoffEvent"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]

@DACL=(02 0000)

"DLLName"="cscdll.dll"

"Logon"="WinlogonLogonEvent"

"Logoff"="WinlogonLogoffEvent"

"ScreenSaver"="WinlogonScreenSaverEvent"

"Startup"="WinlogonStartupEvent"

"Shutdown"="WinlogonShutdownEvent"

"StartShell"="WinlogonStartShellEvent"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]

@DACL=(02 0000)

"Asynchronous"=dword:00000001

"DllName"=expand:"%SystemRoot%\\System32\\dimsntfy.dll"

"Startup"="WlDimsStartup"

"Shutdown"="WlDimsShutdown"

"Logon"="WlDimsLogon"

"Logoff"="WlDimsLogoff"

"StartShell"="WlDimsStartShell"

"Lock"="WlDimsLock"

"Unlock"="WlDimsUnlock"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]

@DACL=(02 0000)

"DLLName"="wlnotify.dll"

"Logon"="SCardStartCertProp"

"Logoff"="SCardStopCertProp"

"Lock"="SCardSuspendCertProp"

"Unlock"="SCardResumeCertProp"

"Enabled"=dword:00000001

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]

@DACL=(02 0000)

"Asynchronous"=dword:00000000

"DllName"=expand:"wlnotify.dll"

"Impersonate"=dword:00000000

"StartShell"="SchedStartShell"

"Logoff"="SchedEventLogOff"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]

@DACL=(02 0000)

"Logoff"="WLEventLogoff"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

"DllName"=expand:"sclgntfy.dll"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]

@DACL=(02 0000)

"DLLName"="WlNotify.dll"

"Lock"="SensLockEvent"

"Logon"="SensLogonEvent"

"Logoff"="SensLogoffEvent"

"Safe"=dword:00000001

"MaxWait"=dword:00000258

"StartScreenSaver"="SensStartScreenSaverEvent"

"StopScreenSaver"="SensStopScreenSaverEvent"

"Startup"="SensStartupEvent"

"Shutdown"="SensShutdownEvent"

"StartShell"="SensStartShellEvent"

"PostShell"="SensPostShellEvent"

"Disconnect"="SensDisconnectEvent"

"Reconnect"="SensReconnectEvent"

"Unlock"="SensUnlockEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]

@DACL=(02 0000)

"Asynchronous"=dword:00000000

"DllName"=expand:"wlnotify.dll"

"Impersonate"=dword:00000000

"Logoff"="TSEventLogoff"

"Logon"="TSEventLogon"

"PostShell"="TSEventPostShell"

"Shutdown"="TSEventShutdown"

"StartShell"="TSEventStartShell"

"Startup"="TSEventStartup"

"MaxWait"=dword:00000258

"Reconnect"="TSEventReconnect"

"Disconnect"="TSEventDisconnect"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]

@DACL=(02 0000)

"Logon"="WLEventLogon"

"Logoff"="WLEventLogoff"

"Startup"="WLEventStartup"

"Shutdown"="WLEventShutdown"

"StartScreenSaver"="WLEventStartScreenSaver"

"StopScreenSaver"="WLEventStopScreenSaver"

"Lock"="WLEventLock"

"Unlock"="WLEventUnlock"

"StartShell"="WLEventStartShell"

"PostShell"="WLEventPostShell"

"Disconnect"="WLEventDisconnect"

"Reconnect"="WLEventReconnect"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000000

"SafeMode"=dword:00000001

"MaxWait"=dword:ffffffff

"DllName"=expand:"WgaLogon.dll"

"Event"=dword:00000000

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]

@DACL=(02 0000)

"DLLName"="wlnotify.dll"

"Logon"="RegisterTicketExpiredNotificationEvent"

"Logoff"="UnregisterTicketExpiredNotificationEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]

@DACL=(02 0000)

"HelpAssistant"=dword:00000000

"TsInternetUser"=dword:00000000

"SQLAgentCmdExec"=dword:00000000

"NetShowServices"=dword:00000000

"IWAM_"=dword:00010000

"IUSR_"=dword:00010000

"VUSR_"=dword:00010000

"ASPNET"=dword:00000000

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(652)

c:\windows\system32\WININET.dll

c:\program files\Windows Media Player\wmpband.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\windows\arservice.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\eHome\ehRecvr.exe

c:\windows\eHome\ehSched.exe

c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\dllhost.exe

.

**************************************************************************

.

Completion time: 2011-05-11 19:51:13 - machine was rebooted

ComboFix-quarantined-files.txt 2011-05-12 00:51

ComboFix2.txt 2011-05-11 01:20

.

Pre-Run: 135,032,623,104 bytes free

Post-Run: 135,016,894,464 bytes free

.

- - End Of File - - F6EE01AB238EBEAB30FA45CEC674E824


Good job

The following will implement some cleanup procedures as well as reset System Restore points:

For XP:

  • Click START run
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.

For Vista / Windows 7

  • Click START Search
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.

If you used DeFogger

To re-enable your Emulation drivers, double click DeFogger to run the tool.

  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.

Here's my usual all clean post

To be on the safe side, I would also change all my passwords.

This infection appears to have been cleaned, but as the malware could be configured to run any program a remote attacker requires, it's impossible to be 100% sure that any machine is clean.

Log looks good :D

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
    5. Change the Download signed ActiveX controls to Prompt
    6. Change the Download unsigned ActiveX controls to Disable
    7. Change the Initialize and script ActiveX controls not marked as safe to Disable
    8. Change the Installation of desktop items to Prompt
    9. Change the Launching programs and files in an IFRAME to Prompt
    10. Change the Navigate sub-frames across different domains to Prompt
    11. When all these settings have been made, click on the OK button.
    12. If it prompts you as to whether or not you want to save the settings, press the Yes button.
    13. Next press the Apply button and then the OK to exit the Internet Properties page.

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

  • Using a secure browser plugin - M86 SecureBrowsing makes it safe to search, surf and socialize online. This free browser plug-in displays security icons next to links on search engines and social networking sites like Facebook, Twitter and LinkedIn, so you'll know which pages are safe and which ones to avoid.

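The thirteen Internet Options clicks in the reply above change six URL-action values in the per-user Internet zone (zone 3) of the registry, so the same hardening can be audited and applied without the dialog. The script below is an added example, not code from the original post or from the forum helper: it compares those six values with the settings the reply asks for and, when run with -Fix, sets them. The value names (1001, 1004, 1201, 1607, 1800, 1804) and the 0 = Enable / 1 = Prompt / 3 = Disable encoding are the documented Internet Explorer security-zone registry layout; the script name, the -Fix switch, the helper functions and the report format are assumptions of this example.

```powershell
# Added example (not code from the original post or the forum helper). Audits the
# six Internet-zone URL actions that the helper's Internet Options procedure
# changes and, with -Fix, sets them to the values the reply asks for.
# Zone 3 = Internet zone; per-action data: 0 = Enable, 1 = Prompt, 3 = Disable.
param([switch]$Fix)

$zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# URL-action value name -> description and the setting the reply recommends.
$desired = @{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Value = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Value = 3 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Value = 3 }
    '1800' = @{ Name = 'Installation of desktop items';                             Value = 1 }
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';                 Value = 1 }
    '1607' = @{ Name = 'Navigate sub-frames across different domains';              Value = 1 }
}
$labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Returns the current DWORD for one URL action, or $null when the value is absent
# (absent means IE falls back to the zone template default).
function Get-ZoneAction([string]$Id) {
    $item = Get-ItemProperty -Path $zone -Name $Id -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return [int]$item.$Id
}

# Human-readable form of a setting for the report.
function Describe($Setting) {
    if ($Setting -eq $null) { return 'not set (template default)' }
    if ($labels.ContainsKey($Setting)) { return $labels[$Setting] }
    return "unknown ($Setting)"
}

if (-not (Test-Path $zone)) {
    Write-Host "Internet zone key not found: $zone"
    exit 1
}

$drift = 0
foreach ($id in ($desired.Keys | Sort-Object)) {
    $want = $desired[$id].Value
    $have = Get-ZoneAction $id
    $line = '{0} {1,-62} {2}' -f $id, $desired[$id].Name, (Describe $have)
    if ($have -eq $want) {
        Write-Host "OK    $line"
        continue
    }
    $drift++
    Write-Host ("DRIFT $line -> " + (Describe $want))
    if ($Fix) {
        # Zone values are REG_DWORD; -Type DWord keeps the type right when the
        # value has to be created because it was absent.
        Set-ItemProperty -Path $zone -Name $id -Value $want -Type DWord
    }
}

if ($drift -eq 0) {
    Write-Host 'All six settings already match the recommended values.'
} elseif ($Fix) {
    Write-Host "$drift setting(s) corrected; restart Internet Explorer to pick them up."
} else {
    Write-Host "$drift setting(s) differ; re-run with -Fix to apply the recommended values."
}
```

Run it once without -Fix to see which of the six actions drift from the recommended setting, then with -Fix to apply them; Internet Explorer reads zone settings at start-up, so close and reopen it afterwards. One caveat: these are per-user values under HKCU. On a machine where Group Policy sets the zones, or where the Security_HKLM_only value under HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings is enabled, the HKLM copy of the zone decides and the HKCU values this script writes are ignored, so check that copy (or the policy) instead.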
