TheTechGuide Forum

General Category => Tech Clinic => Topic started by: Brenneka on March 02, 2008, 04:01:24 PM

Title: mIRC Virus or Whatever
Post by: Brenneka on March 02, 2008, 04:01:24 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:12:34, on 02/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\DAP\DAP.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\rundll32.exe
C:\RECYCLER\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\mssvc.exe
C:\WINDOWS\system32\mssvcs.exe
C:\Program Files\ECI Telecoms\ECI USB ADSL\DSLMON.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\עדן\שולחן העבודה\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.satla-zone.com/forums/ (http://\"http://www.satla-zone.com/forums/\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 (http://\"http://go.microsoft.com/fwlink/?LinkId=69157\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 (http://\"http://go.microsoft.com/fwlink/?LinkId=54896\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Ins3DT] D:\INSTALL4\INS3DT.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Documents and Settings\עדן\שולחן העבודה\Monitor.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [Microsoft Corporation Svchost Service] mssvc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Microsoft Help] C:\RECYCLER\svchost.exe
O4 - HKLM\..\Run: [Microsoft Corporation Svchost Services] mssvcs.exe
O4 - HKLM\..\RunServices: [Microsoft Corporation Svchost Service] mssvc.exe
O4 - HKLM\..\RunServices: [Microsoft Corporation Svchost Services] mssvcs.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [DLD.EXE] C:\Program Files\Download Direct\DLD.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools\daemon.exe"
O4 - HKCU\..\Run: [Microsoft Corporation Svchost Service] mssvc.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy2\TeaTimer.exe
O4 - HKCU\..\Run: [Microsoft Corporation Svchost Services] mssvcs.exe
O4 - HKCU\..\RunServices: [Microsoft Corporation Svchost Service] mssvc.exe
O4 - HKCU\..\RunServices: [Microsoft Corporation Svchost Services] mssvcs.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: DSLMON.lnk = C:\Program Files\ECI Telecoms\ECI USB ADSL\DSLMON.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab (http://\"http://www.systemrequirementslab.com/sysreqlab2.cab\")
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1202306177953 (http://\"http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1202306177953\")
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab (http://\"http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab\")
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab (http://\"http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab\")
O16 - DPF: {F59AB0C4-3443-4551-A78F-C101F9DE0215} - http://irc.nana.co.il/Cabs/launcher39.cab (http://\"http://irc.nana.co.il/Cabs/launcher39.cab\")
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab (http://\"http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab\")
O17 - HKLM\System\CCS\Services\Tcpip\..\{138FBCB5-DF29-4828-B640-71D6034CC076}: NameServer = 192.117.235.235 62.219.186.7
O17 - HKLM\System\CS1\Services\Tcpip\..\{138FBCB5-DF29-4828-B640-71D6034CC076}: NameServer = 192.117.235.235 62.219.186.7
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8592 bytes


Thanks in advance!

Title: mIRC Virus or Whatever
Post by: guestolo on March 02, 2008, 04:04:38 PM

I just want to ensure I'm seeing all file names and registry entries involved with this

Can you do the following
Download [color=\"#008000\"]Deckard's System Scanner (dss.exe)[/color] (http://\"http://deckard.geekstogo.com/dss.exe\") to your desktop.
Close all applications and windows.
Double-click on dss.exe to run it and follow the prompts.
When the scan is complete, two text files will open; main.txt, which will be maximized and extra.txt, which will be minimized.

Post back just the Whole contents of Main.txt and Extra.txt

Title: mIRC Virus or Whatever
Post by: Brenneka on March 02, 2008, 04:17:54 PM

Deckard's System Scanner v20071014.68
Run by עדן on 2008-03-02 23:22:45
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 2 Restore Point(s) --
2: 2008-03-02 21:22:53 UTC - RP2 - Deckard's System Scanner Restore Point
1: 2008-03-02 19:07:45 UTC - RP1 - נקודת ביקורת של המערכת


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as עדן.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:25:24, on 02/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\DAP\DAP.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\rundll32.exe
C:\RECYCLER\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\mssvc.exe
C:\WINDOWS\system32\mssvcs.exe
C:\Program Files\ECI Telecoms\ECI USB ADSL\DSLMON.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\עדן\שולחן העבודה\dss.exe
C:\DOCUME~1\9E2D~1\F245~1\עדן.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.satla-zone.com/forums/ (http://\"http://www.satla-zone.com/forums/\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 (http://\"http://go.microsoft.com/fwlink/?LinkId=69157\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 (http://\"http://go.microsoft.com/fwlink/?LinkId=54896\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Ins3DT] D:\INSTALL4\INS3DT.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Documents and Settings\עדן\שולחן העבודה\Monitor.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [Microsoft Corporation Svchost Service] mssvc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Microsoft Help] C:\RECYCLER\svchost.exe
O4 - HKLM\..\Run: [Microsoft Corporation Svchost Services] mssvcs.exe
O4 - HKLM\..\RunServices: [Microsoft Corporation Svchost Service] mssvc.exe
O4 - HKLM\..\RunServices: [Microsoft Corporation Svchost Services] mssvcs.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [DLD.EXE] C:\Program Files\Download Direct\DLD.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools\daemon.exe"
O4 - HKCU\..\Run: [Microsoft Corporation Svchost Service] mssvc.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy2\TeaTimer.exe
O4 - HKCU\..\Run: [Microsoft Corporation Svchost Services] mssvcs.exe
O4 - HKCU\..\RunServices: [Microsoft Corporation Svchost Service] mssvc.exe
O4 - HKCU\..\RunServices: [Microsoft Corporation Svchost Services] mssvcs.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: DSLMON.lnk = C:\Program Files\ECI Telecoms\ECI USB ADSL\DSLMON.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab (http://\"http://www.systemrequirementslab.com/sysreqlab2.cab\")
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1202306177953 (http://\"http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1202306177953\")
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab (http://\"http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab\")
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab (http://\"http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab\")
O16 - DPF: {F59AB0C4-3443-4551-A78F-C101F9DE0215} - http://irc.nana.co.il/Cabs/launcher39.cab (http://\"http://irc.nana.co.il/Cabs/launcher39.cab\")
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab (http://\"http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab\")
O17 - HKLM\System\CCS\Services\Tcpip\..\{138FBCB5-DF29-4828-B640-71D6034CC076}: NameServer = 192.117.235.235 62.219.186.7
O17 - HKLM\System\CS1\Services\Tcpip\..\{138FBCB5-DF29-4828-B640-71D6034CC076}: NameServer = 192.117.235.235 62.219.186.7
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8493 bytes

-- HijackThis Fixed Entries (C:\DOCUME~1\9E2D~1\F245~1\backups\) ---------------

backup-20080301-194144-109 O4 - HKCU\..\RunServices: [Microsoft Corporation Svchost Services] mssvcs.exe
backup-20080301-194144-192 O4 - HKCU\..\Run: [Microsoft Corporation Svchost Services] mssvcs.exe

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R3 adiusbaw (USB ADSL WAN Adapter) - c:\windows\system32\drivers\adiusbaw.sys <Not Verified; Analog Devices Inc.; ADSL USB WAN Driver>

S2 ADILOADER (General Purpose USB Driver (adildr.sys)) - c:\windows\system32\drivers\adildr.sys <Not Verified; Analog Deivces; ADI ADSL chipset loader>
S3 EagleNT - c:\windows\system32\drivers\eaglent.sys (file missing)
S3 GMSIPCI - d:\install\gmsipci.sys (file missing)
S3 npkcrypt - c:\program files\gravity\spiritusro\npkcrypt.sys (file missing)
S3 NTACCESS - e:\ntaccess.sys (file missing)
S3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>
S3 SetupNTGLM7X - e:\ntglm7x.sys (file missing)
S3 XDva002 - c:\windows\system32\xdva002.sys (file missing)
S3 XDva007 - c:\windows\system32\xdva007.sys (file missing)
S3 XDva009 - c:\windows\system32\xdva009.sys (file missing)
S3 XDva010 - c:\windows\system32\xdva010.sys (file missing)
S3 XDva020 - c:\windows\system32\xdva020.sys (file missing)
S3 XDva025 - c:\windows\system32\xdva025.sys (file missing)
S3 XDva031 - c:\windows\system32\xdva031.sys (file missing)
S3 XDva032 - c:\windows\system32\xdva032.sys (file missing)
S3 XDva033 - c:\windows\system32\xdva033.sys (file missing)
S3 XDva039 - c:\windows\system32\xdva039.sys (file missing)
S3 XDva041 - c:\windows\system32\xdva041.sys (file missing)
S3 XDva049 - c:\windows\system32\xdva049.sys (file missing)
S3 XDva054 - c:\windows\system32\xdva054.sys (file missing)
S3 XDva062 - c:\windows\system32\xdva062.sys (file missing)
S3 XDva078 - c:\windows\system32\xdva078.sys (file missing)
S3 XDva089 - c:\windows\system32\xdva089.sys (file missing)
S3 XDva090 - c:\windows\system32\xdva090.sys (file missing)
S3 XTrapD12 - c:\windows\system32\xtrapd12.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: מודם PCI
Device ID: PCI\VEN_10B9&DEV_5459&SUBSYS_545910A5&REV_00\4&1F7DBC9F&0&08F0
Manufacturer:
Name: מודם PCI
PNP Device ID: PCI\VEN_10B9&DEV_5459&SUBSYS_545910A5&REV_00\4&1F7DBC9F&0&08F0
Service:

Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description: Standard Game Port
Device ID: ROOT\UNKNOWN\0000
Manufacturer: (התקני מערכת סטנדרטיים)
Name: Standard Game Port
PNP Device ID: ROOT\UNKNOWN\0000
Service: gameenum


-- Scheduled Tasks -------------------------------------------------------------

2008-03-02 22:31:42       330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job


-- Files created between 2008-02-02 and 2008-03-02 -----------------------------

2008-03-02 15:53:06         0 d-------- C:\Program Files\Spybot - Search & Destroy2
2008-03-02 15:50:29    691545 --a------ C:\WINDOWS\unins001.exe
2008-03-02 15:50:29      2555 --a------ C:\WINDOWS\unins001.dat
2008-03-02 08:35:26     49152 --a------ C:\lawlok.exe
2008-03-02 08:14:17         0 d-------- C:\Documents and Settings\Administrator\Local Settings
2008-03-02 08:14:17         0 d-------- C:\Documents and Settings\Administrator\Cookies
2008-03-02 08:14:17         0 d-------- C:\Documents and Settings\Administrator\Application Data
2008-03-02 08:14:17         0 d-------- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-03-02 08:14:16         0 d-------- C:\Documents and Settings\Administrator\Templates
2008-03-02 08:14:16    786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-03-01 21:55:24         0 d-------- C:\Program Files\Avira
2008-03-01 21:55:24         0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Avira
2008-03-01 11:46:56  10223616 --a------ C:\Documents and Settings\עדן\ntuser.dat
2008-02-27 20:49:34         0 d-------- C:\Documents and Settings\עדן\Application Data\NoNameScript
2008-02-27 20:13:01         0 d-------- C:\Program Files\mIRC
2008-02-27 19:06:21         0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\ESET
2008-02-27 17:49:02         0 d-------- C:\Documents and Settings\עדן\.housecall6.6
2008-02-27 17:45:45         0 d-------- C:\Documents and Settings\עדן\Application Data\Sun
2008-02-24 14:06:19      4682 --a------ C:\WINDOWS\system32\npptNT2.sys <Not Verified; INCA Internet Co., Ltd.; nProtect NPSC Kernel Mode Driver for NT>
2008-02-24 14:05:22         0 d-------- C:\Program Files\Common Files\INCA Shared
2008-02-24 07:08:47         0 d-------- C:\Program Files\softnyx
2008-02-11 08:01:41         0 d-------- C:\Documents and Settings\עדן\Application Data\Adobe
2008-02-08 23:16:58         0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-02-03 05:50:49         0 d-------- C:\Program Files\MSXML 6.0


-- Find3M Report ---------------------------------------------------------------

2008-03-02 15:25:19         0 d-------- C:\Documents and Settings\עדן\Application Data\mIRC
2008-03-01 16:01:44         0 d-------- C:\Documents and Settings\עדן\Application Data\teamspeak2
2008-02-28 14:21:28    346000 --a------ C:\WINDOWS\system32\perfh00d.dat
2008-02-28 14:21:28     67544 --a------ C:\WINDOWS\system32\perfc00d.dat
2008-02-27 18:51:42         0 d--h----- C:\Program Files\InstallShield Installation Information
2008-02-27 17:45:29         0 d-------- C:\Program Files\Java
2008-02-27 00:17:29         0 d-------- C:\Program Files\SUPERAntiSpyware
2008-02-24 14:05:22         0 d-a------ C:\Program Files\Common Files
2008-02-20 15:40:40         0 d-------- C:\Program Files\Warcraft III 2
2008-02-03 16:14:38         0 d-------- C:\Program Files\Knight Online
2008-01-30 17:48:05         0 d-------- C:\Documents and Settings\עדן\Application Data\uTorrent
2008-01-30 08:40:33         0 d-------- C:\Documents and Settings\עדן\Application Data\Publish Providers
2008-01-30 08:40:00         0 d-------- C:\Documents and Settings\עדן\Application Data\Sony
2008-01-30 08:33:10         0 d-------- C:\Program Files\Vstplugins
2008-01-30 08:32:35         0 d-------- C:\Program Files\Sony
2008-01-30 08:25:48         0 d-------- C:\Program Files\MSBuild
2008-01-30 08:19:22         0 d-------- C:\Program Files\Reference Assemblies
2008-01-29 21:57:37         0 d-------- C:\Documents and Settings\עדן\Application Data\Sony Setup
2008-01-29 21:56:48         0 d-------- C:\Program Files\Sony Setup
2008-01-26 21:59:10         0 d-------- C:\Program Files\DivX
2008-01-09 13:18:12   3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-01-09 13:16:10    196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-01-09 13:16:10     81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-01-09 13:16:02    802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-01-09 13:16:02    823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-01-09 13:16:02    823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-01-09 13:16:02    682496 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-01-05 17:09:08         0 d-------- C:\Program Files\KnightOnline
2008-01-03 16:39:59         0 dr-h----- C:\Documents and Settings\עדן\Application Data\SecuROM
2008-01-02 15:07:20         0 d-------- C:\Program Files\Common Files\InstallShield
2008-01-01 16:13:01       693 --a------ C:\WINDOWS\eReg.dat
2007-12-31 20:30:19     50688 --a------ C:\WINDOWS\system32\wbhelp2.dll <Not Verified; Stardock.Net, Inc; WindowBlinds for Win32 x86 machines>
2007-12-20 19:25:10     59804 --ah----- C:\WINDOWS\system32\mlfcache.dat
2007-12-11 21:43:44     12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/27/2004 02:00 PM]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/27/2004 02:00 PM]
"Ins3DT"="D:\INSTALL4\INS3DT.EXE" []
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [09/30/2004 07:35 AM]
"nwiz"="nwiz.exe" [09/30/2004 07:35 AM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [09/30/2004 07:35 AM]
"Ulead AutoDetector"="C:\Documents and Settings\עדן\שולחן העבודה\Monitor.exe" []
"SoundMan"="SOUNDMAN.EXE" [09/16/2004 02:39 PM C:\WINDOWS\SOUNDMAN.EXE]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [01/12/2006 04:40 PM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 05:20 PM]
"DownloadAccelerator"="C:\Program Files\DAP\DAP.exe" [12/31/2007 08:30 PM]
"Microsoft Corporation Svchost Service"="mssvc.exe" [06/13/2007 03:21 PM C:\WINDOWS\system32\mssvc.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [12/21/2007 08:21 AM]
"BluetoothAuthenticationAgent"="bthprops.cpl" [08/27/2004 02:00 PM C:\WINDOWS\system32\bthprops.cpl]
"Microsoft Help"="C:\RECYCLER\svchost.exe" [03/02/2008 04:10 PM]
"Microsoft Corporation Svchost Services"="mssvcs.exe" [06/13/2007 03:21 PM C:\WINDOWS\system32\mssvcs.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [08/27/2004 02:00 PM]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [01/19/2007 12:54 PM]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [08/22/2006 09:52 AM]
"DLD.EXE"="C:\Program Files\Download Direct\DLD.exe" []
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools\daemon.exe" [12/29/2007 02:05 PM]
"Microsoft Corporation Svchost Service"="mssvc.exe" [06/13/2007 03:21 PM C:\WINDOWS\system32\mssvc.exe]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy2\TeaTimer.exe" [01/28/2008 11:43 AM]
"Microsoft Corporation Svchost Services"="mssvcs.exe" [06/13/2007 03:21 PM C:\WINDOWS\system32\mssvcs.exe]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runservices]
"Microsoft Corporation Svchost Service"=mssvc.exe
"Microsoft Corporation Svchost Services"=mssvcs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Microsoft Corporation Svchost Service"=mssvc.exe
"Microsoft Corporation Svchost Services"=mssvcs.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\All Users.WINDOWS\š”˜‰ˆ „š‡Œ„\š…‹‰…š\„”’Œ„\
DSLMON.lnk - C:\Program Files\ECI Telecoms\ECI USB ADSL\DSLMON.exe [12/09/2004 15:30:33]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [13/02/2001 02:01:04]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 11:55 AM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
"C:\Program Files\ICQLite\ICQLite.exe" -minimize

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs   BthServ




-- Hosts -----------------------------------------------------------------------

127.0.0.1   www.symantec.com
127.0.0.1   securityresponse.symantec.com
127.0.0.1   symantec.com
127.0.0.1   www.sophos.com
127.0.0.1   sophos.com
127.0.0.1   www.mcafee.com
127.0.0.1   mcafee.com
127.0.0.1   liveupdate.symantecliveupdate.com
127.0.0.1   www.viruslist.com
127.0.0.1   viruslist.com

35 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-03-02 23:26:08 ------------




Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: Other (040d) - see http://preview.tinyurl.com/mhhp6 (http://\"http://preview.tinyurl.com/mhhp6\")

CPU 0: Intel® Pentium® 4 CPU 2.80GHz
CPU 1: Intel® Pentium® 4 CPU 2.80GHz
Percentage of Memory in Use: 67%
Physical Memory (total/avail): 511.48 MiB / 164.47 MiB
Pagefile Memory (total/avail): 1249.8 MiB / 883.1 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1918.57 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 111.78 GiB total, 39.41 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)
F: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST3120023AS - 111.79 GiB - 1 partition
  \PARTITION0 (bootable) - מערכת קבצים ניתנת להתקנה - 111.78 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

FW: Norton AntiVirus v2007 (Symantec Corporation) [color=\"RED\"]Disabled[/color]
AV: Norton AntiVirus v2007 (Symantec Corporation) [color=\"RED\"]Disabled[/color] [color=\"RED\"]Outdated[/color]
AV: ESET NOD32 Antivirus 3.0 v3.0 (ESET, spol. s r. o.) [color=\"RED\"]Disabled[/color]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Neoact\\Carom3D\\CaromEngLauncher.exe"="C:\\Program Files\\Neoact\\Carom3D\\CaromEngLauncher.exe:*:Enabled:Last Update 2001/08/22"
"C:\\Program Files\\Hebrew Kazaa Lite\\klrun.exe"="C:\\Program Files\\Hebrew Kazaa Lite\\klrun.exe:*:Enabled:Hebrew Kazaa Lite"
"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Disabled:mIRC"
"C:\\Program Files\\Hebrew Kazaa Lite\\clean.kmd"="C:\\Program Files\\Hebrew Kazaa Lite\\clean.kmd:*:Enabled:clean"
"C:\\Program Files\\DAP\\DAP.exe"="C:\\Program Files\\DAP\\DAP.exe:*:Enabled:Download Accelerator Plus (DAP)"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Run a DLL as an App"
"C:\\Documents and Settings\\עדן\\שולחן העבודה\\Tactial Ops\\TacticalOps1\\System\\TacticalOps.exe"="C:\\Documents and Settings\\עדן\\שולחן העבודה\\Tactial Ops\\TacticalOps1\\System\\TacticalOps.exe:*:Enabled:TacticalOps"
"C:\\Documents and Settings\\עדן\\שולחן העבודה\\acp.exe"="C:\\Documents and Settings\\עדן\\שולחן העבודה\\acp.exe:*:Enabled:acp"
"C:\\Program Files\\Tactial Ops\\TacticalOps1\\System\\TacticalOps.exe"="C:\\Program Files\\Tactial Ops\\TacticalOps1\\System\\TacticalOps.exe:*:Enabled:TacticalOps"
"C:\\Program Files\\KaZaA.co.il v3\\kazaalite.kpp"="C:\\Program Files\\KaZaA.co.il v3\\kazaalite.kpp:*:Enabled:kazaalite"
"C:\\Documents and Settings\\עדן\\שולחן העבודה\\Tactical Ops\\TacticalOps1\\System\\TacticalOps.exe"="C:\\Documents and Settings\\עדן\\שולחן העבודה\\Tactical Ops\\TacticalOps1\\System\\TacticalOps.exe:*:Enabled:TacticalOps"
"C:\\Program Files\\Tactical Ops\\TacticalOps 1\\System\\TacticalOps.exe"="C:\\Program Files\\Tactical Ops\\TacticalOps 1\\System\\TacticalOps.exe:*:Enabled:TacticalOps"
"C:\\Program Files\\eMule.co.il\\Fire eMule 7\\eMule.exe"="C:\\Program Files\\eMule.co.il\\Fire eMule 7\\emule.exe:*:Enabled:eMule"
"C:\\Program Files\\Neoact\\Carom3D\\update.exe"="C:\\Program Files\\Neoact\\Carom3D\\update.exe:*:Enabled:Last Update 2001/08/22"
"C:\\Documents and Settings\\עדן\\שולחן העבודה\\KoXXX_225_sk8r\\_koXXX_.exe"="C:\\Documents and Settings\\עדן\\שולחן העבודה\\KoXXX_225_sk8r\\_koXXX_.exe:*:Enabled:_koXXX_"
"C:\\Documents and Settings\\עדן\\שולחן העבודה\\koXXX1461_223\\_koXXX_0.5_.exe"="C:\\Documents and Settings\\עדן\\שולחן העבודה\\koXXX1461_223\\_koXXX_0.5_.exe:*:Enabled:_koXXX_0.5_"
"C:\\Documents and Settings\\עדן\\שולחן העבודה\\USAK1461_225\\USAK1461_225\\_koXXX_.exe"="C:\\Documents and Settings\\עדן\\שולחן העבודה\\USAK1461_225\\USAK1461_225\\_koXXX_.exe:*:Enabled:_koXXX_"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Documents and Settings\\עדן\\שולחן העבודה\\rofl\\TacticalOps 1\\System\\TacticalOps.exe"="C:\\Documents and Settings\\עדן\\שולחן העבודה\\rofl\\TacticalOps 1\\System\\TacticalOps.exe:*:Enabled:TacticalOps"
"C:\\Program Files\\Teamspeak2_RC2_Server\\server_windows.exe"="C:\\Program Files\\Teamspeak2_RC2_Server\\server_windows.exe:*:Enabled:Server"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Documents and Settings\\עדן\\שולחן העבודה\\rofl\\TacticalOps\\System\\TacticalOps.exe"="C:\\Documents and Settings\\עדן\\שולחן העבודה\\rofl\\TacticalOps\\System\\TacticalOps.exe:*:Enabled:TacticalOps"
"C:\\Program Files\\ICQLite\\ICQLite.exe"="C:\\Program Files\\ICQLite\\ICQLite.exe:*:Enabled:ICQ Lite"
"C:\\Program Files\\Tactical Ops\\TacticalOps 1\\System\\UCC.exe"="C:\\Program Files\\Tactical Ops\\TacticalOps 1\\System\\UCC.exe:*:Enabled:UCC"
"C:\\Program Files\\Valve\\hl.exe"="C:\\Program Files\\Valve\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Documents and Settings\\עדן\\Local Settings\\Temp\\Rar$EX00.547\\DL_file109.exe"="C:\\Documents and Settings\\עדן\\Local Settings\\Temp\\Rar$EX00.547\\DL_file109.exe:*:Disabled:Application MFC Download_manager"
"C:\\Program Files\\Monopol500\\Monopol.exe"="C:\\Program Files\\Monopol500\\Monopol.exe:*:Enabled:Monopol"
"C:\\UnrealTournament\\System\\UnrealTournament.exe"="C:\\UnrealTournament\\System\\UnrealTournament.exe:*:Enabled:UnrealTournament"
"C:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\HelpCtr.exe"="C:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\HelpCtr.exe:*:Enabled:סיוע מרחוק - Windows Messenger ו- Voice"
"C:\\Program Files\\Tactical Ops\\TacticalOps 2\\System\\TacticalOps.exe"="C:\\Program Files\\Tactical Ops\\TacticalOps 2\\System\\TacticalOps.exe:*:Enabled:TacticalOps"
"C:\\xScript8\\mirc.exe"="C:\\xScript8\\mirc.exe:*:Enabled:mIRC"
"C:\\Program Files\\Xscript10\\mirc.exe"="C:\\Program Files\\Xscript10\\mirc.exe:*:Enabled:mIRC"
"C:\\Program Files\\Tactical Ops\\TacticalOps 3\\System\\TacticalOps.exe"="C:\\Program Files\\Tactical Ops\\TacticalOps 3\\System\\TacticalOps.exe:*:Enabled:TacticalOps"
"C:\\Xscript10\\mirc.exe"="C:\\Xscript10\\mirc.exe:*:Enabled:mIRC"
"C:\\Program Files\\The All-Seeing Eye\\eye.exe"="C:\\Program Files\\The All-Seeing Eye\\eye.exe:*:Enabled:Yahoo! All-Seeing Eye"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Documents and Settings\\עדן\\Local Settings\\Temp\\Rar$EX01.047\\LogInServer\\VersionManager.exe"="C:\\Documents and Settings\\עדן\\Local Settings\\Temp\\Rar$EX01.047\\LogInServer\\VersionManager.exe:*:Enabled:VersionManager MFC ?? ????"
"C:\\Documents and Settings\\עדן\\שולחן העבודה\\new.logic.1.1.beta.1a\\emule.exe"="C:\\Documents and Settings\\עדן\\שולחן העבודה\\new.logic.1.1.beta.1a\\emule.exe:*:Enabled:eMule"
"C:\\Documents and Settings\\עדן\\שולחן העבודה\\emule.exe"="C:\\Documents and Settings\\עדן\\שולחן העבודה\\emule.exe:*:Enabled:eMule"
"C:\\Program Files\\mIRC2\\mirc.exe"="C:\\Program Files\\mIRC2\\mirc.exe:*:Enabled:mIRC"
"C:\\Documents and Settings\\עדן\\שולחן העבודה\\toserver\\System\\UCC.exe"="C:\\Documents and Settings\\עדן\\שולחן העבודה\\toserver\\System\\UCC.exe:*:Enabled:UCC"
"C:\\Program Files\\Tactical Ops\\TacticalOps 4\\System\\TacticalOps.exe"="C:\\Program Files\\Tactical Ops\\TacticalOps 4\\System\\TacticalOps.exe:*:Enabled:TacticalOps"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\EA GAMES\\MOHAA\\MOHAA.exe"="C:\\Program Files\\EA GAMES\\MOHAA\\MOHAA.exe:*:Enabled:Medal of Honor Allied Assault"
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"="C:\\Program Files\\Warcraft III\\Warcraft III.exe:*:Enabled:Warcraft III"
"C:\\Program Files\\Warcraft III 2\\Warcraft III.exe"="C:\\Program Files\\Warcraft III 2\\Warcraft III.exe:*:Enabled:Warcraft III"
"C:\\Program Files\\softnyx\\GunboundWC\\GunBound.gme"="C:\\Program Files\\softnyx\\GunboundWC\\GunBound.gme:*:Enabled:GunBound"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users.WINDOWS
APPDATA=C:\Documents and Settings\’ƒ\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=TAP-7409E23BDD
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\’ƒ
LOGONSERVER=\\TAP-7409E23BDD
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Ulead Systems\MPEG;C:\Program Files\Common Files\Ulead Systems\DVD
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\9E2D~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\9E2D~1\LOCALS~1\Temp
USERDOMAIN=TAP-7409E23BDD
USERNAME=’ƒ
USERPROFILE=C:\Documents and Settings\’ƒ
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

עדן (admin)


-- Add/Remove Programs ---------------------------------------------------------

 -->  -c"C:\Documents and Settings\עדן\שולחן העבודה\KOL Movies\IS32Inst.dll"
 --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
 --> C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
 --> C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
 --> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
 --> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
 --> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
 --> C:\WINDOWS\UNRecode.exe /UNINSTALL
 --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
עדכון עבור Windows XP (KB894391)‎ --> "C:\WINDOWS\$NtUninstallKB894391$\spuninst\spuninst.exe"
עדכון עבור Windows XP (KB898461)‎ --> "C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
עדכון עבור Windows XP (KB900485)‎ --> "C:\WINDOWS\$NtUninstallKB900485$\spuninst\spuninst.exe"
עדכון עבור Windows XP (KB904942)‎ --> "C:\WINDOWS\$NtUninstallKB904942$\spuninst\spuninst.exe"
עדכון עבור Windows XP (KB910437)‎ --> "C:\WINDOWS\$NtUninstallKB910437$\spuninst\spuninst.exe"
עדכון עבור Windows XP (KB911280)‎ --> "C:\WINDOWS\$NtUninstallKB911280$\spuninst\spuninst.exe"
עדכון עבור Windows XP (KB916595)‎ --> "C:\WINDOWS\$NtUninstallKB916595$\spuninst\spuninst.exe"
עדכון עבור Windows XP (KB920872)‎ --> "C:\WINDOWS\$NtUninstallKB920872$\spuninst\spuninst.exe"
עדכון עבור Windows XP (KB922582)‎ --> "C:\WINDOWS\$NtUninstallKB922582$\spuninst\spuninst.exe"
עדכון עבור Windows XP (KB925720)‎ --> "C:\WINDOWS\$NtUninstallKB925720$\spuninst\spuninst.exe"
עדכון עבור Windows XP (KB927891)‎ --> "C:\WINDOWS\$NtUninstallKB927891$\spuninst\spuninst.exe"
עדכון עבור Windows XP (KB929338)‎ --> "C:\WINDOWS\$NtUninstallKB929338$\spuninst\spuninst.exe"
עדכון עבור Windows XP (KB930916)‎ --> "C:\WINDOWS\$NtUninstallKB930916$\spuninst\spuninst.exe"
עדכון עבור Windows XP (KB931836)‎ --> "C:\WINDOWS\$NtUninstallKB931836$\spuninst\spuninst.exe"
עדכון עבור Windows XP (KB933360)‎ --> "C:\WINDOWS\$NtUninstallKB933360$\spuninst\spuninst.exe"
עדכון עבור Windows XP (KB936357)‎ --> "C:\WINDOWS\$NtUninstallKB936357$\spuninst\spuninst.exe"
עדכון עבור Windows XP (KB938828)‎ --> "C:\WINDOWS\$NtUninstallKB938828$\spuninst\spuninst.exe"
עדכון עבור Windows XP (KB942763)‎ --> "C:\WINDOWS\$NtUninstallKB942763$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB890046)‎ --> "C:\WINDOWS\$NtUninstallKB890046$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB893066)‎ --> "C:\WINDOWS\$NtUninstallKB893066$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB893756)‎ --> "C:\WINDOWS\$NtUninstallKB893756$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB896358)‎ --> "C:\WINDOWS\$NtUninstallKB896358$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB896422)‎ --> "C:\WINDOWS\$NtUninstallKB896422$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB896423)‎ --> "C:\WINDOWS\$NtUninstallKB896423$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB896424)‎ --> "C:\WINDOWS\$NtUninstallKB896424$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB896428)‎ --> "C:\WINDOWS\$NtUninstallKB896428$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB896688)‎ --> "C:\WINDOWS\$NtUninstallKB896688$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB899587)‎ --> "C:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB899591)‎ --> "C:\WINDOWS\$NtUninstallKB899591$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB900725)‎ --> "C:\WINDOWS\$NtUninstallKB900725$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB901017)‎ --> "C:\WINDOWS\$NtUninstallKB901017$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB901190)‎ --> "C:\WINDOWS\$NtUninstallKB901190$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB901214)‎ --> "C:\WINDOWS\$NtUninstallKB901214$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB902400)‎ --> "C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB904706)‎ --> "C:\WINDOWS\$NtUninstallKB904706$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB905414)‎ --> "C:\WINDOWS\$NtUninstallKB905414$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB905749)‎ --> "C:\WINDOWS\$NtUninstallKB905749$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB905915)‎ --> "C:\WINDOWS\$NtUninstallKB905915$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB908519)‎ --> "C:\WINDOWS\$NtUninstallKB908519$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB908531)‎ --> "C:\WINDOWS\$NtUninstallKB908531$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB911562)‎ --> "C:\WINDOWS\$NtUninstallKB911562$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB911567)‎ --> "C:\WINDOWS\$NtUninstallKB911567$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB911927)‎ --> "C:\WINDOWS\$NtUninstallKB911927$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB912812)‎ --> "C:\WINDOWS\$NtUninstallKB912812$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB912919)‎ --> "C:\WINDOWS\$NtUninstallKB912919$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB913446)‎ --> "C:\WINDOWS\$NtUninstallKB913446$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB913580)‎ --> "C:\WINDOWS\$NtUninstallKB913580$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB914388)‎ --> "C:\WINDOWS\$NtUninstallKB914388$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB914389)‎ --> "C:\WINDOWS\$NtUninstallKB914389$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB916281)‎ --> "C:\WINDOWS\$NtUninstallKB916281$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB917159)‎ --> "C:\WINDOWS\$NtUninstallKB917159$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB917344)‎ --> "C:\WINDOWS\$NtUninstallKB917344$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB917422)‎ --> "C:\WINDOWS\$NtUninstallKB917422$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB917953)‎ --> "C:\WINDOWS\$NtUninstallKB917953$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB918118)‎ --> "C:\WINDOWS\$NtUninstallKB918118$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB918439)‎ --> "C:\WINDOWS\$NtUninstallKB918439$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB918899)‎ --> "C:\WINDOWS\$NtUninstallKB918899$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB919007)‎ --> "C:\WINDOWS\$NtUninstallKB919007$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB920213)‎ --> "C:\WINDOWS\$NtUninstallKB920213$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB920214)‎ --> "C:\WINDOWS\$NtUninstallKB920214$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB920670)‎ --> "C:\WINDOWS\$NtUninstallKB920670$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB920683)‎ --> "C:\WINDOWS\$NtUninstallKB920683$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB920685)‎ --> "C:\WINDOWS\$NtUninstallKB920685$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB921398)‎ --> "C:\WINDOWS\$NtUninstallKB921398$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB921503)‎ --> "C:\WINDOWS\$NtUninstallKB921503$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB921883)‎ --> "C:\WINDOWS\$NtUninstallKB921883$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB922616)‎ --> "C:\WINDOWS\$NtUninstallKB922616$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB922760)‎ --> "C:\WINDOWS\$NtUninstallKB922760$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB922819)‎ --> "C:\WINDOWS\$NtUninstallKB922819$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB923191)‎ --> "C:\WINDOWS\$NtUninstallKB923191$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB923414)‎ --> "C:\WINDOWS\$NtUninstallKB923414$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB923694)‎ --> "C:\WINDOWS\$NtUninstallKB923694$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB923980)‎ --> "C:\WINDOWS\$NtUninstallKB923980$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB924191)‎ --> "C:\WINDOWS\$NtUninstallKB924191$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB924270)‎ --> "C:\WINDOWS\$NtUninstallKB924270$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB924496)‎ --> "C:\WINDOWS\$NtUninstallKB924496$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB924667)‎ --> "C:\WINDOWS\$NtUninstallKB924667$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB925454)‎ --> "C:\WINDOWS\$NtUninstallKB925454$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB925486)‎ --> "C:\WINDOWS\$NtUninstallKB925486$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB925902)‎ --> "C:\WINDOWS\$NtUninstallKB925902$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB926255)‎ --> "C:\WINDOWS\$NtUninstallKB926255$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB926436)‎ --> "C:\WINDOWS\$NtUninstallKB926436$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB927779)‎ --> "C:\WINDOWS\$NtUninstallKB927779$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB927802)‎ --> "C:\WINDOWS\$NtUninstallKB927802$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB928255)‎ --> "C:\WINDOWS\$NtUninstallKB928255$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB928843)‎ --> "C:\WINDOWS\$NtUninstallKB928843$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB929123)‎ --> "C:\WINDOWS\$NtUninstallKB929123$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB930178)‎ --> "C:\WINDOWS\$NtUninstallKB930178$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB931261)‎ --> "C:\WINDOWS\$NtUninstallKB931261$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB931784)‎ --> "C:\WINDOWS\$NtUninstallKB931784$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB932168)‎ --> "C:\WINDOWS\$NtUninstallKB932168$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB933729)‎ --> "C:\WINDOWS\$NtUninstallKB933729$\spuninst\spuninst.exe"
עדכון אבטחה עבור Windows XP (KB935839)‎ --> "C:\WINDOWS\$NtUninstallKB935839$\spuninst\spunin

Title: mIRC Virus or Whatever
Post by: guestolo on March 02, 2008, 05:10:12 PM

We must disable some antispyware protections or they will interfere with any fixes we try

Disable AVG Antipspyware Guard
To disable AVG AS Guard:

    * Open AVG AntiSpyware by double-clicking the AVG AS system tray icon.
    * Click the Shield tab at the top
    * Click on the word active to change it to inactive.
    * Close AVG AntiSpyware.

Disable Windows Defender Protections:
Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.

Disable Spybot's TeaTimer:
Open Spybot and click on Mode and check Advanced Mode
Check yes to next window.
Click on Tools in bottom left hand corner.
Click on Resident icon.
Uncheck Teatimer box.
Close Spybot

After you disabled Teatimer, download ResetTeaTimer.bat
http://downloads.subratam.org/ResetTeaTimer.bat (http://\"http://downloads.subratam.org/ResetTeaTimer.bat\")
to your desktop. (In case you use Firefox, rightclick the link and choose "save as").
Doubleclick ResetTeaTimer.bat and let it run.
This will only take a few seconds.

Afterwards:
Please download the [color=\"red\"]OTMoveIt2 by OldTimer[/color] (http://\"http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe\")[/url].

• Save it to your desktop.
  
• Double-click OTMoveIt2.exe to run it.
  
• Copy the file paths below to the clipboard in blue below by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  ==============================================================================
  
  [color=\"#0000FF\"]C:\WINDOWS\system32\mssvc.exe
  C:\WINDOWS\system32\mssvcs.exe
  C:\RECYCLER\svchost.exe
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Ins3DT
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Microsoft Corporation Svchost Service
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Microsoft Help
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Microsoft Corporation Svchost Services
  HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Microsoft Corporation Svchost Service
  HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Microsoft Corporation Svchost Services
  HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runservices\\Microsoft Corporation Svchost Service
  HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runservices\\Microsoft Corporation Svchost Services
  HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices\\Microsoft Corporation Svchost Service
  HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices\\Microsoft Corporation Svchost Services
  [/color]
  
  ==============================================================================
  
• Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the [color=\"yellow\"]yellow[/color] bar) and choose Paste.
  
  
• Click the red [color=\"red\"]Moveit![/color] button.
  
• Close OTMoveIt2
  

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

OTMoveIt would of created a log at this location
C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log
I'll need to see it later

After Windows has fully loaded
Download [color=\"red\"]SDFix[/color] (http://\"http://downloads.andymanchesta.com/RemovalTools/SDFix.exe\") and save this to your desktop

Reboot your computer in Safe Mode by doing the following :

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, a menu with options should appear;
• Select the first option, to run Windows in Safe Mode, then press "Enter".
• Choose your usual account.

In safe mode

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Go to START>>My Computer>>Double click to open the C:\ folder

• Open the extracted SDFix folder and double click RunThis.bat to start the script.
  
• Type Y to begin the cleanup process.
  
• It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  

I'll need to see that report later also

Nod32 may start working properly afterwards
Can you disable it temporarily for now by right click it's icon by the clock and disable it protections

Afterwards: Can you run an online virus scan at Kaspersky's
Use the Internet Explorer browser (or FireFox with IETab), and do an online scan with [color=\"blue\"]Kaspersky Online Scanner[/color] (http://\"http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html\")

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet [color=\"#3333FF\"]Explorer 7[/color] users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%[/i].)
The program launches and downloads the latest definition files.

• Once the files are downloaded click on Next
  
• Click on Scan Settings and configure as follows:
  • Scan using the following Anti-Virus database:
    [color=\"#6666CC\"]Extended[/color]
    
• Scan Options:
  [color=\"#6666CC\"]Scan Archives[/color]
  

[color=\"#6666CC\"]Scan Mail Bases[/color]
[/list]
[/list]

• Click OK and, under select a target to scan, select My Computer
  

When the scan is done, in the [color=\"Navy\"]Scan is completed [/color]window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
(http://i184.photobucket.com/albums/x99/guestolo/Kas-SaveReport-1.gif)
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the [color=\"Navy\"]Save as [/color]prompt, [color=\"navy\"]Save in[/color] area, select: Desktop
In the [color=\"navy\"]File name[/color] area, use KScan, or something similar
In [color=\"navy\"]Save as type[/color], click the drop arrow and select: Text file [*.txt]
Then, click: Save

Post back all the following: This will probably take more than one reply to post all the logs
Do so if needed please

1. Post the [color=\"Navy\"]Kaspersky Online Scanner Report [/color] in your reply.
2. Run a fresh scan/save logfile with Hijackthis and post it
3. Post the log from OTMoveit2.exe
4. Post the report from SDFix

Title: mIRC Virus or Whatever
Post by: Brenneka on March 03, 2008, 06:27:21 AM

-------------------------------------------------------------------------------
 KASPERSKY ONLINE SCANNER REPORT
 Monday, March 03, 2008 1:37:32 PM
 Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
 Kaspersky Online Scanner version: 5.0.98.0
 Kaspersky Anti-Virus database last update:  3/03/2008
 Kaspersky Anti-Virus database records: 593857
-------------------------------------------------------------------------------

Scan Settings:
   Scan using the following antivirus database: extended
   Scan Archives: true
   Scan Mail Bases: true

Scan Target - My Computer:
   A:\
   C:\
   D:\
   E:\
   F:\

Scan Statistics:
   Total number of scanned objects: 196277
   Number of viruses found: 9
   Number of infected objects: 32
   Number of suspicious objects: 0
   Duration of the scan process: 02:52:33

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\backup\DOCUME~1\9E2D~1\LOCALS~1\Temp\mirc631.exe/stream/data0014   Infected: not-a-virus:Client-IRC.Win32.mIRC.631   skipped
C:\Deckard\System Scanner\backup\DOCUME~1\9E2D~1\LOCALS~1\Temp\mirc631.exe/stream   Infected: not-a-virus:Client-IRC.Win32.mIRC.631   skipped
C:\Deckard\System Scanner\backup\DOCUME~1\9E2D~1\LOCALS~1\Temp\mirc631.exe   NSIS: infected - 2   skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\ESET\ESET NOD32 Antivirus\Charon\CACHE.NDB   Object is locked   skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\ESET\ESET NOD32 Antivirus\Logs\virlog.dat   Object is locked   skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\ESET\ESET NOD32 Antivirus\Logs\warnlog.dat   Object is locked   skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr0.dat   Object is locked   skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr1.dat   Object is locked   skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Windows Defender\Support\MPLog-04062007-120718.log   Object is locked   skipped
C:\Documents and Settings\Eden\Local Settings\Temp\hsperfdata_Eden\1528   Object is locked   skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\index.dat   Object is locked   skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat   Object is locked   skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG   Object is locked   skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\History\History.IE5\index.dat   Object is locked   skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\index.dat   Object is locked   skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT   Object is locked   skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG   Object is locked   skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat   Object is locked   skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG   Object is locked   skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT   Object is locked   skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG   Object is locked   skipped
C:\Documents and Settings\עדן\Cookies\index.dat   Object is locked   skipped
C:\Documents and Settings\עדן\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat   Object is locked   skipped
C:\Documents and Settings\עדן\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Logs\Dfsr00005.log   Object is locked   skipped
C:\Documents and Settings\עדן\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\pending.dat   Object is locked   skipped
C:\Documents and Settings\עדן\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_6098_E88B_98E8_60D0\dfsr.db   Object is locked   skipped
C:\Documents and Settings\עדן\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_6098_E88B_98E8_60D0\fsr.log   Object is locked   skipped
C:\Documents and Settings\עדן\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_6098_E88B_98E8_60D0\fsrtmp.log   Object is locked   skipped
C:\Documents and Settings\עדן\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_6098_E88B_98E8_60D0\tmp.edb   Object is locked   skipped
C:\Documents and Settings\עדן\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat   Object is locked   skipped
C:\Documents and Settings\עדן\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG   Object is locked   skipped
C:\Documents and Settings\עדן\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{1DD5A589-9E25-4EC3-B705-00A59267C27C}   Infected: Trojan.Win32.Qhost.ci   skipped
C:\Documents and Settings\עדן\Local Settings\Application Data\Microsoft\Windows Live Contacts\[email protected]\real\members.stg   Object is locked   skipped
C:\Documents and Settings\עדן\Local Settings\Application Data\Microsoft\Windows Live Contacts\[email protected]\shadow\members.stg   Object is locked   skipped
C:\Documents and Settings\עדן\Local Settings\History\History.IE5\index.dat   Object is locked   skipped
C:\Documents and Settings\עדן\Local Settings\History\History.IE5\MSHist012008030320080304\index.dat   Object is locked   skipped
C:\Documents and Settings\עדן\Local Settings\Temp\~DF4217.tmp   Object is locked   skipped
C:\Documents and Settings\עדן\Local Settings\Temp\~DF422A.tmp   Object is locked   skipped
C:\Documents and Settings\עדן\Local Settings\Temp\~DF72F5.tmp   Object is locked   skipped
C:\Documents and Settings\עדן\Local Settings\Temp\~DF8745.tmp   Object is locked   skipped
C:\Documents and Settings\עדן\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat   Object is locked   skipped
C:\Documents and Settings\עדן\Local Settings\Temporary Internet Files\Content.IE5\index.dat   Object is locked   skipped
C:\Documents and Settings\עדן\My Documents\mirc617.exe/data0001.bin   Infected: not-a-virus:Client-IRC.Win32.mIRC.617   skipped
C:\Documents and Settings\עדן\My Documents\mirc617.exe   mIRC: infected - 1   skipped
C:\Documents and Settings\עדן\My Documents\mirc621.exe/stream/data0008   Infected: not-a-virus:Client-IRC.Win32.mIRC.621   skipped
C:\Documents and Settings\עדן\My Documents\mirc621.exe/stream   Infected: not-a-virus:Client-IRC.Win32.mIRC.621   skipped
C:\Documents and Settings\עדן\My Documents\mirc621.exe   NSIS: infected - 2   skipped
C:\Documents and Settings\עדן\My Documents\mirc631.exe/stream/data0001/stream/data0014   Infected: not-a-virus:Client-IRC.Win32.mIRC.631   skipped
C:\Documents and Settings\עדן\My Documents\mirc631.exe/stream/data0001/stream   Infected: not-a-virus:Client-IRC.Win32.mIRC.631   skipped
C:\Documents and Settings\עדן\My Documents\mirc631.exe/stream/data0001   Infected: not-a-virus:Client-IRC.Win32.mIRC.631   skipped
C:\Documents and Settings\עדן\My Documents\mirc631.exe/stream   Infected: not-a-virus:Client-IRC.Win32.mIRC.631   skipped
C:\Documents and Settings\עדן\My Documents\mirc631.exe   NSIS: infected - 4   skipped
C:\Documents and Settings\עדן\My Documents\USAK1461_225.rar/USAK1461_225/USAK1461_225/_koXXX_.exe   Infected: Worm.Win32.Delf.ei   skipped
C:\Documents and Settings\עדן\My Documents\USAK1461_225.rar   RAR: infected - 1   skipped
C:\Documents and Settings\עדן\ntuser.dat   Object is locked   skipped
C:\Documents and Settings\עדן\ntuser.dat.LOG   Object is locked   skipped
C:\Documents and Settings\עדן\שולחן העבודה\iCity\Xscript10a.exe/mirc.exe   Infected: not-a-virus:Client-IRC.Win32.mIRC.621   skipped
C:\Documents and Settings\עדן\שולחן העבודה\iCity\Xscript10a.exe   InstallCreator: infected - 1   skipped
C:\Documents and Settings\עדן\שולחן העבודה\rofl\mIRC_6.31-DVT.rar/mirc631.exe/stream/data0001/stream/data0014   Infected: not-a-virus:Client-IRC.Win32.mIRC.631   skipped
C:\Documents and Settings\עדן\שולחן העבודה\rofl\mIRC_6.31-DVT.rar/mirc631.exe/stream/data0001/stream   Infected: not-a-virus:Client-IRC.Win32.mIRC.631   skipped
C:\Documents and Settings\עדן\שולחן העבודה\rofl\mIRC_6.31-DVT.rar/mirc631.exe/stream/data0001   Infected: not-a-virus:Client-IRC.Win32.mIRC.631   skipped
C:\Documents and Settings\עדן\שולחן העבודה\rofl\mIRC_6.31-DVT.rar/mirc631.exe/stream   Infected: not-a-virus:Client-IRC.Win32.mIRC.631   skipped
C:\Documents and Settings\עדן\שולחן העבודה\rofl\mIRC_6.31-DVT.rar/mirc631.exe   Infected: not-a-virus:Client-IRC.Win32.mIRC.631   skipped
C:\Documents and Settings\עדן\שולחן העבודה\rofl\mIRC_6.31-DVT.rar   RAR: infected - 5   skipped
C:\Documents and Settings\עדן\שולחן העבודה\TO Matches\hiderun.zip/hiderun.exe   Infected: not-a-virus:RiskTool.Win32.HideExec.e   skipped
C:\Documents and Settings\עדן\שולחן העבודה\TO Matches\hiderun.zip   ZIP: infected - 1   skipped
C:\Program Files\DAP\History\עדן\_lasthist.dat   Object is locked   skipped
C:\Program Files\DAP\Log\DAP_REPORT.LOG   Object is locked   skipped
C:\Program Files\mIRC\mirc.exe   Infected: not-a-virus:Client-IRC.Win32.mIRC.631   skipped
C:\Program Files\mIRC\mirc.exe.bak   Infected: not-a-virus:Client-IRC.Win32.mIRC.631   skipped
C:\SDFix\backups\HOSTS   Infected: Email-Worm.Win32.Anker.n   skipped
C:\System Volume Information\MountPointManagerRemoteDatabase   Object is locked   skipped
C:\System Volume Information\_restore{0D1368F3-4705-4684-A322-DC445637B4F1}\RP2\change.log   Object is locked   skipped
C:\WINDOWS\Debug\PASSWD.LOG   Object is locked   skipped
C:\WINDOWS\SchedLgU.Txt   Object is locked   skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log   Object is locked   skipped
C:\WINDOWS\system32\CatRoot2\edb.log   Object is locked   skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb   Object is locked   skipped
C:\WINDOWS\system32\config\AppEvent.Evt   Object is locked   skipped
C:\WINDOWS\system32\config\default   Object is locked   skipped
C:\WINDOWS\system32\config\default.LOG   Object is locked   skipped
C:\WINDOWS\system32\config\Internet.evt   Object is locked   skipped
C:\WINDOWS\system32\config\SAM   Object is locked   skipped
C:\WINDOWS\system32\config\SAM.LOG   Object is locked   skipped
C:\WINDOWS\system32\config\SecEvent.Evt   Object is locked   skipped
C:\WINDOWS\system32\config\SECURITY   Object is locked   skipped
C:\WINDOWS\system32\config\SECURITY.LOG   Object is locked   skipped
C:\WINDOWS\system32\config\software   Object is locked   skipped
C:\WINDOWS\system32\config\software.LOG   Object is locked   skipped
C:\WINDOWS\system32\config\SysEvent.Evt   Object is locked   skipped
C:\WINDOWS\system32\config\system   Object is locked   skipped
C:\WINDOWS\system32\config\system.LOG   Object is locked   skipped
C:\WINDOWS\system32\drivers\sptd.sys   Object is locked   skipped
C:\WINDOWS\system32\h323log.txt   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP   Object is locked   skipped
C:\WINDOWS\WindowsUpdate.log   Object is locked   skipped
C:\_OTMoveIt\MovedFiles\03032008_084547\WINDOWS\system32\mssvc.exe   Infected: Backdoor.Win32.Rbot.hyo   skipped
C:\תוכנות\DivX\DivXPro502GAINBundle.exe/Gain_Trickler.exe   Infected: not-a-virus:AdWare.Win32.Gator.3202   skipped
C:\תוכנות\DivX\DivXPro502GAINBundle.exe   Vise: infected - 1   skipped

Scan process completed.

Title: mIRC Virus or Whatever
Post by: Brenneka on March 03, 2008, 06:29:04 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:39:23, on 03/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\DAP\DAP.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\ECI Telecoms\ECI USB ADSL\DSLMON.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\עדן\שולחן העבודה\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.satla-zone.com/forums/">...one.com/forums/ (http://\"http://<a%20href="http://www.satla-zone.com/forums/\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=691...k/?LinkId=69157 (http://\"http://<A%20href="http://go.microsoft.com/fwlink/?LinkId=69157\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=548...k/?LinkId=54896 (http://\"http://<a%20href="http://go.microsoft.com/fwlink/?LinkId=54896\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Documents and Settings\עדן\שולחן העבודה\Monitor.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Microsoft Corporation Svchost Services] mssvcs.exe
O4 - HKLM\..\RunServices: [Microsoft Corporation Svchost Services] mssvcs.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [DLD.EXE] C:\Program Files\Download Direct\DLD.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools\daemon.exe"
O4 - HKCU\..\Run: [Microsoft Corporation Svchost Services] mssvcs.exe
O4 - HKCU\..\RunServices: [Microsoft Corporation Svchost Services] mssvcs.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: DSLMON.lnk = C:\Program Files\ECI Telecoms\ECI USB ADSL\DSLMON.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab (http://\"http://<A%20href="http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab\")
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysre.../sysreqlab2.cab (http://\"http://<a%20href="http://www.systemrequirementslab.com/sysreqlab2.cab\")
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1202306177953 (http://\"http://<A%20href="http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1202306177953\")
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab (http://\"http://<a%20href="http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab\")
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab (http://\"http://<A%20href="http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab\")
O16 - DPF: {F59AB0C4-3443-4551-A78F-C101F9DE0215} - http://irc.nana.co.il/Cabs/launcher39.cab&.../launcher39.cab (http://\"http://<a%20href="http://irc.nana.co.il/Cabs/launcher39.cab\")
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab (http://\"http://<A%20href="http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab\")
O17 - HKLM\System\CCS\Services\Tcpip\..\{138FBCB5-DF29-4828-B640-71D6034CC076}: NameServer = 192.117.235.235 62.219.186.7
O17 - HKLM\System\CS1\Services\Tcpip\..\{138FBCB5-DF29-4828-B640-71D6034CC076}: NameServer = 192.117.235.235 62.219.186.7
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8151 bytes

Title: mIRC Virus or Whatever
Post by: Brenneka on March 03, 2008, 06:33:01 AM

As for the OTMoveIt log, in the first time I copy\pasted what you said but without the C in the first line, so I did it twice: one without the C in the first line and the second time I copy\pasted everything again.

LOG #1:

[Custom Input]
< :\WINDOWS\system32\mssvc.exe >
File/Folder :\WINDOWS\system32\mssvc.exe not found.
< C:\WINDOWS\system32\mssvcs.exe >
C:\WINDOWS\system32\mssvcs.exe moved successfully.
< C:\RECYCLER\svchost.exe >
C:\RECYCLER\svchost.exe moved successfully.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Ins3DT >
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Ins3DT deleted successfully.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Microsoft Corporation Svchost Service >
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Microsoft Corporation Svchost Service deleted successfully.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Microsoft Help >
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Microsoft Help deleted successfully.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Microsoft Corporation Svchost Services >
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Microsoft Corporation Svchost Services deleted successfully.
< HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Microsoft Corporation Svchost Service >
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Microsoft Corporation Svchost Service deleted successfully.
< HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Microsoft Corporation Svchost Services >
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Microsoft Corporation Svchost Services deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runservices\\Microsoft Corporation Svchost Service >
Registry value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runservices\\Microsoft Corporation Svchost Service deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runservices\\Microsoft Corporation Svchost Services >
Registry value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runservices\\Microsoft Corporation Svchost Services deleted successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices\\Microsoft Corporation Svchost Service >
Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices\\Microsoft Corporation Svchost Service deleted successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices\\Microsoft Corporation Svchost Services >
Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices\\Microsoft Corporation Svchost Services deleted successfully.
 
OTMoveIt2 v1.0.20 log created on 03032008_084456


LOG #2:

[Custom Input]
< C:\WINDOWS\system32\mssvc.exe >
C:\WINDOWS\system32\mssvc.exe moved successfully.
< C:\WINDOWS\system32\mssvcs.exe >
File/Folder C:\WINDOWS\system32\mssvcs.exe not found.
< C:\RECYCLER\svchost.exe >
File/Folder C:\RECYCLER\svchost.exe not found.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Ins3DT >
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Ins3DT not found.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Microsoft Corporation Svchost Service >
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Microsoft Corporation Svchost Service deleted successfully.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Microsoft Help >
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Microsoft Help not found.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Microsoft Corporation Svchost Services >
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Microsoft Corporation Svchost Services deleted successfully.
< HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Microsoft Corporation Svchost Service >
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Microsoft Corporation Svchost Service deleted successfully.
< HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Microsoft Corporation Svchost Services >
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Microsoft Corporation Svchost Services deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runservices\\Microsoft Corporation Svchost Service >
Registry value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runservices\\Microsoft Corporation Svchost Service deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runservices\\Microsoft Corporation Svchost Services >
Registry value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runservices\\Microsoft Corporation Svchost Services deleted successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices\\Microsoft Corporation Svchost Service >
Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices\\Microsoft Corporation Svchost Service deleted successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices\\Microsoft Corporation Svchost Services >
Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices\\Microsoft Corporation Svchost Services deleted successfully.
 
OTMoveIt2 v1.0.20 log created on 03032008_084547

Title: mIRC Virus or Whatever
Post by: Brenneka on March 03, 2008, 06:34:09 AM

SDFix: Version 1.151

Run by ’ƒ on Mon 03/03/2008 at 09:03 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\SYSTEM32\CMMGR32.EXE - Deleted

 

Folder C:\WINDOWS\system32\service - Removed


Removing Temp Files

ADS Check :
 


                                 Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net (http://\"http://www.gmer.net\")
Rootkit scan 2008-03-03 09:11:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions]
"\xf892\5\x5da\5\x5c0\5\xf891\5 ?A?s?y?n?c? ?\x5d9\5\xf890\5 ?R?A?S?"=str(7):"1\0"
"\xf892\5\xf88d\5\x5d0\5\xf88d\5-?\xf88d\5\x5d6\5\xf88d\5\x5c0\5\x5f0\5 ?\x5d9\5\xf890\5 ?\xf892\5\x5da\5\x5f2\5\xf892\5\xf893\5 ?\xf892\5\x5d0\5\x5f1\5\x5da\5"=str(7):"1\0"
"\x5f0\5\x5da\5\x5d7\5\xf893\5 ?B?l?u?e?t?o?o?t?h? ?(?\x5d8\5\x5d9\5\x5da\5 ?\x5da\5\x5d7\5\x5d9\5\x5f1\5\x5d8\5\x5da\5 ?\x5c0\5\xf88d\5\x5d9\5\xf88d\5\x5da\5)?"=str(7):"1\0"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0009dd10a3d8]
"001842e212e7"=hex:af,23,1c,64,71,33,8a,ef,36,c3,e0,39,a3,c0,e0,eb
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\\x5d7\5\x5c1\5\x5d6\5\xf88d\5\xf891\5 ]
"EventMessageFile"=str(2):"%SystemRoot%\System32\cscui.dll"
"TypesSupported"="0x00000007"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\\x5d9\5\xf88d\5\x5d8\5\x5f1\5\x5da\5 ]
"EventMessageFile"=str(2):"%SystemRoot%\System32\NTMSEVT.DLL"
"TypesSupported"=dword:00000007
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:55fe8dd5
"s2"=dword:30a86891
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:01,be,8d,c7,78,d9,e6,26,19,d2,34,97,4c,5e,6a,27,d0,7c,da,6a,8c,..
"p0"="C:\Program Files\DAEMON Tools\"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"khjeh"=hex:b2,be,44,75,3a,74,31,e8,e9,45,24,5c,44,d3,19,93,3c,84,e8,4d,a4,..
"a0"=hex:20,01,00,00,61,e4,a6,21,8e,7b,7a,c5,c1,be,12,a7,7f,20,db,69,e7,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:de,e9,3a,b4,55,76,bd,64,70,8a,e8,4c,06,11,ef,85,e4,23,2f,e4,35,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:2d,01,1f,c8,92,9d,74,e0,1a,26,0a,5f,0c,2b,52,95,74,4a,a1,e4,0e,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
"khjeh"=hex:c2,52,32,8e,dc,69,af,84,4b,88,7f,30,02,c4,b1,6d,78,f5,03,b7,45,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43]
"khjeh"=hex:69,3c,80,28,03,ef,90,68,de,b6,9c,62,12,20,11,6d,8d,02,ad,86,0f,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions]
"\xf892\5\x5da\5\x5c0\5\xf891\5 ?A?s?y?n?c? ?\x5d9\5\xf890\5 ?R?A?S?"=str(7):"1\0"
"\xf892\5\xf88d\5\x5d0\5\xf88d\5-?\xf88d\5\x5d6\5\xf88d\5\x5c0\5\x5f0\5 ?\x5d9\5\xf890\5 ?\xf892\5\x5da\5\x5f2\5\xf892\5\xf893\5 ?\xf892\5\x5d0\5\x5f1\5\x5da\5"=str(7):"1\0"
"\x5f0\5\x5da\5\x5d7\5\xf893\5 ?B?l?u?e?t?o?o?t?h? ?(?\x5d8\5\x5d9\5\x5da\5 ?\x5da\5\x5d7\5\x5d9\5\x5f1\5\x5d8\5\x5da\5 ?\x5c0\5\xf88d\5\x5d9\5\xf88d\5\x5da\5)?"=str(7):"1\0"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0009dd10a3d8]
"001842e212e7"=hex:af,23,1c,64,71,33,8a,ef,36,c3,e0,39,a3,c0,e0,eb
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\Application\\x5d7\5\x5c1\5\x5d6\5\xf88d\5\xf891\5 ]
"EventMessageFile"=str(2):"%SystemRoot%\System32\cscui.dll"
"TypesSupported"="0x00000007"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\System\\x5d9\5\xf88d\5\x5d8\5\x5f1\5\x5da\5 ]
"EventMessageFile"=str(2):"%SystemRoot%\System32\NTMSEVT.DLL"
"TypesSupported"=dword:00000007
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:01,be,8d,c7,78,d9,e6,26,19,d2,34,97,4c,5e,6a,27,d0,7c,da,6a,8c,..
"p0"="C:\Program Files\DAEMON Tools\"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"khjeh"=hex:b2,be,44,75,3a,74,31,e8,e9,45,24,5c,44,d3,19,93,3c,84,e8,4d,a4,..
"a0"=hex:20,01,00,00,61,e4,a6,21,8e,7b,7a,c5,c1,be,12,a7,7f,20,db,69,e7,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:de,e9,3a,b4,55,76,bd,64,70,8a,e8,4c,06,11,ef,85,e4,23,2f,e4,35,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:2d,01,1f,c8,92,9d,74,e0,1a,26,0a,5f,0c,2b,52,95,74,4a,a1,e4,0e,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
"khjeh"=hex:c2,52,32,8e,dc,69,af,84,4b,88,7f,30,02,c4,b1,6d,78,f5,03,b7,45,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43]
"khjeh"=hex:69,3c,80,28,03,ef,90,68,de,b6,9c,62,12,20,11,6d,8d,02,ad,86,0f,..

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\Publishers\\xf892\5\x5d4\5\x5d8\5\x5d1\5\xf891\5 ]
@="{CFCCC7A0-A282-11D1-9082-006008059382}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes]
"\x5c1\5\x5d8\5\xf88d\5\x5d8\5\x5da\5 ?\xf892\5\x5f3\5\x5c3\5\xf890\5 ?\x5d9\5\xf890\5 ?W?i?n?d?o?w?s?"="",,,,,,,,,,,,,""
"\x5f0\5\x5d0\5\x5d4\5\x5d9\5\x5f0\5 ?\x5d9\5\xf890\5 ?W?i?n?d?o?w?s?"=""C:\WINDOWS\Cursors\rainbow.ani,,C:\WINDOWS\Cursors\appstart.ani,C:\WINDOWS\Cursors\hourglas.ani,C:\WINDOWS\Cursors\cross.cur,,,,C:\WINDOWS\Cursors\sizens.ani,C:\WINDOWS\Cursors\sizewe.ani,C:\WINDOWS\Cursors\sizenwse.ani,C:\WINDOWS\Cursors\sizenesw.ani,,""
"\xf890\5\x5c1\5\xf893\5 ?\x5da\5\xf890\5\x5da\5-?\xf892\5\xf88d\5\xf892\5\x5c3\5\xf88d\5"=""C:\WINDOWS\Cursors\3dwarro.cur,,C:\WINDOWS\Cursors\appstar3.ani,C:\WINDOWS\Cursors\hourgla3.ani,C:\WINDOWS\Cursors\cross.cur,,,C:\WINDOWS\Cursors\3dwno.cur,C:\WINDOWS\Cursors\3dwns.cur,C:\WINDOWS\Cursors\3dwwe.cur,C:\WINDOWS\Cursors\3dwnwse.cur,C:\WINDOWS\Cursors\3dwnesw.cur,C:\WINDOWS\Cursors\3dwmove.cur,""
"\xf88d\5\x5c3\5\xf88d\5\xf88d\5\xf891\5 ?1?"=""C:\WINDOWS\Cursors\harrow.cur,,C:\WINDOWS\Cursors\handapst.ani,C:\WINDOWS\Cursors\hand.ani,C:\WINDOWS\Cursors\hcross.cur,C:\WINDOWS\Cursors\hibeam.cur,,C:\WINDOWS\Cursors\hnodrop.cur,C:\WINDOWS\Cursors\hns.cur,C:\WINDOWS\Cursors\hwe.cur,C:\WINDOWS\Cursors\hnwse.cur,C:\WINDOWS\Cursors\hnesw.cur,C:\WINDOWS\Cursors\hmove.cur,""
"\xf88d\5\x5c3\5\xf88d\5\xf88d\5\xf891\5 ?2?"=""C:\WINDOWS\Cursors\harrow.cur,,C:\WINDOWS\Cursors\handapst.ani,C:\WINDOWS\Cursors\handwait.ani,C:\WINDOWS\Cursors\hcross.cur,C:\WINDOWS\Cursors\hibeam.cur,,C:\WINDOWS\Cursors\handno.ani,C:\WINDOWS\Cursors\handns.ani,C:\WINDOWS\Cursors\handwe.ani,C:\WINDOWS\Cursors\handnwse.ani,C:\WINDOWS\Cursors\handnesw.ani,C:\WINDOWS\Cursors\hmove.cur,""
"\x5c3\5\xf88d\5\x5d0\5\x5f1\5\x5f2\5\x5c0\5\x5f1\5\x5d8\5"=""C:\WINDOWS\Cursors\3dgarro.cur,,C:\WINDOWS\Cursors\dinosaur.ani,C:\WINDOWS\Cursors\dinosau2.ani,C:\WINDOWS\Cursors\cross.cur,,,C:\WINDOWS\Cursors\banana.ani,C:\WINDOWS\Cursors\3dsns.cur,C:\WINDOWS\Cursors\3dgwe.cur,C:\WINDOWS\Cursors\3dsnwse.cur,C:\WINDOWS\Cursors\3dgnesw.cur,C:\WINDOWS\Cursors\3dsmove.cur,""
"\x5d1\5\x5c2\5\x5d0\5\x5f1\5\xf893\5 ?\xf892\5\xf88d\5\x5f1\5\x5d9\5\xf893\5"=""C:\WINDOWS\Cursors\harrow.cur,,C:\WINDOWS\Cursors\horse.ani,C:\WINDOWS\Cursors\barber.ani,C:\WINDOWS\Cursors\hcross.cur,C:\WINDOWS\Cursors\hibeam.cur,,C:\WINDOWS\Cursors\coin.ani,C:\WINDOWS\Cursors\3dgns.cur,C:\WINDOWS\Cursors\3dgwe.cur,C:\WINDOWS\Cursors\3dgnwse.cur,C:\WINDOWS\Cursors\3dgnesw.cur,C:\WINDOWS\Cursors\3dgmove.cur,""
"\xf892\5\x5d0\5\x5d6\5\x5f3\5"=""C:\WINDOWS\Cursors\harrow.cur,,C:\WINDOWS\Cursors\drum.ani,C:\WINDOWS\Cursors\metronom.ani,C:\WINDOWS\Cursors\hcross.cur,C:\WINDOWS\Cursors\hibeam.cur,,C:\WINDOWS\Cursors\piano.ani,C:\WINDOWS\Cursors\hns.cur,C:\WINDOWS\Cursors\hwe.cur,C:\WINDOWS\Cursors\hnwse.cur,C:\WINDOWS\Cursors\hnesw.cur,C:\WINDOWS\Cursors\hmove.cur,""
"\xf892\5\x5f1\5\x5c2\5\x5c3\5\xf890\5"=""C:\WINDOWS\Cursors\larrow.cur,,C:\WINDOWS\Cursors\lappstrt.cur,C:\WINDOWS\Cursors\lwait.cur,C:\WINDOWS\Cursors\lcross.cur,C:\WINDOWS\Cursors\libeam.cur,,C:\WINDOWS\Cursors\lnodrop.cur,C:\WINDOWS\Cursors\lns.cur,C:\WINDOWS\Cursors\lwe.cur,C:\WINDOWS\Cursors\lnwse.cur,C:\WINDOWS\Cursors\lnesw.cur,C:\WINDOWS\Cursors\lmove.cur,""
"\x5d9\5\xf88d\5\x5d0\5\x5f1\5\xf88d\5\xf88d\5\xf891\5"=""C:\WINDOWS\Cursors\fillitup.ani,,C:\WINDOWS\Cursors\raindrop.ani,C:\WINDOWS\Cursors\counter.ani,C:\WINDOWS\Cursors\cross.cur,,,C:\WINDOWS\Cursors\wagtail.ani,C:\WINDOWS\Cursors\sizens.ani,C:\WINDOWS\Cursors\sizewe.ani,C:\WINDOWS\Cursors\sizenwse.ani,C:\WINDOWS\Cursors\sizenesw.ani,""
"\x5c0\5\x5d8\5\x5c3\5 ?\x5da\5\xf890\5\x5da\5-?\xf892\5\xf88d\5\xf892\5\x5c3\5\xf88d\5"=""C:\WINDOWS\Cursors\3dgarro.cur,,C:\WINDOWS\Cursors\appstar2.ani,C:\WINDOWS\Cursors\hourgla2.ani,C:\WINDOWS\Cursors\cross.cur,,,C:\WINDOWS\Cursors\3dgno.cur,C:\WINDOWS\Cursors\3dgns.cur,C:\WINDOWS\Cursors\3dgwe.cur,C:\WINDOWS\Cursors\3dgnwse.cur,C:\WINDOWS\Cursors\3dgnesw.cur,C:\WINDOWS\Cursors\3dgmove.cur,""
"\x5d9\5\x5f3\5\x5f1\5\x5d8\5 ?\x5d9\5\xf890\5 ?W?i?n?d?o?w?s? ?"="C:\WINDOWS\cursors\arrow_r.cur,C:\WINDOWS\cursors\help_r.cur,C:\WINDOWS\cursors\wait_r.cur,C:\WINDOWS\cursors\busy_r.cur,C:\WINDOWS\cursors\cross_r.cur,C:\WINDOWS\cursors\beam_r.cur,C:\WINDOWS\cursors\pen_r.cur,C:\WINDOWS\cursors\no_r.cur,C:\WINDOWS\cursors\size4_r.cur,C:\WINDOWS\cursors\size3_r.cur,C:\WINDOWS\cursors\size2_r.cur,C:\WINDOWS\cursors\size1_r.cur,C:\WINDOWS\cursors\move_r.cur,C:\WINDOWS\cursors\up_r.cur"
"\x5d9\5\x5f3\5\x5f1\5\x5d8\5 ?\x5d9\5\xf890\5 ?W?i?n?d?o?w?s? ?(?\x5c2\5\x5c3\5\x5f1\5\xf890\5)?"="C:\WINDOWS\cursors\arrow_rm.cur,C:\WINDOWS\cursors\help_rm.cur,C:\WINDOWS\cursors\wait_rm.cur,C:\WINDOWS\cursors\busy_rm.cur,C:\WINDOWS\cursors\cross_rm.cur,C:\WINDOWS\cursors\beam_rm.cur,C:\WINDOWS\cursors\pen_rm.cur,C:\WINDOWS\cursors\no_rm.cur,C:\WINDOWS\cursors\size4_rm.cur,C:\WINDOWS\cursors\size3_rm.cur,C:\WINDOWS\cursors\size2_rm.cur,C:\WINDOWS\cursors\size1_rm.cur,C:\WINDOWS\cursors\move_rm.cur,C:\WINDOWS\cursors\up_rm.cur"
"\x5d9\5\x5f3\5\x5f1\5\x5d8\5 ?\x5d9\5\xf890\5 ?W?i?n?d?o?w?s? ?(?\x5c2\5\x5c3\5\x5f1\5\xf890\5 ?\xf892\5\x5c0\5\x5f1\5\x5c3\5)?"="C:\WINDOWS\cursors\arrow_rl.cur,C:\WINDOWS\cursors\help_rl.cur,C:\WINDOWS\cursors\wait_rl.cur,C:\WINDOWS\cursors\busy_rl.cur,C:\WINDOWS\cursors\cross_rl.cur,C:\WINDOWS\cursors\beam_rl.cur,C:\WINDOWS\cursors\pen_rl.cur,C:\WINDOWS\cursors\no_rl.cur,C:\WINDOWS\cursors\size4_rl.cur,C:\WINDOWS\cursors\size3_rl.cur,C:\WINDOWS\cursors\size2_rl.cur,C:\WINDOWS\cursors\size1_rl.cur,C:\WINDOWS\cursors\move_rl.cur,C:\WINDOWS\cursors\up_rl.cur"
"\x5d6\5\x5c1\5\x5d2\5\xf88d\5\xf891\5 ?\x5f0\5\x5d4\5\x5f1\5\xf88f\5\xf88d\5\xf891\5 ?\x5d9\5\xf890\5 ?W?i?n?d?o?w?s?"="C:\WINDOWS\cursors\arrow_i.cur,C:\WINDOWS\cursors\help_i.cur,C:\WINDOWS\cursors\wait_i.cur,C:\WINDOWS\cursors\busy_i.cur,C:\WINDOWS\cursors\cross_i.cur,C:\WINDOWS\cursors\beam_i.cur,C:\WINDOWS\cursors\pen_i.cur,C:\WINDOWS\cursors\no_i.cur,C:\WINDOWS\cursors\size4_i.cur,C:\WINDOWS\cursors\size3_i.cur,C:\WINDOWS\cursors\size2_i.cur,C:\WINDOWS\cursors\size1_i.cur,C:\WINDOWS\cursors\move_i.cur,C:\WINDOWS\cursors\up_i.cur"
"\x5d6\5\x5c1\5\x5d2\5\xf88d\5\xf891\5 ?\x5f0\5\x5d4\5\x5f1\5\xf88f\5\xf88d\5\xf891\5 ?\x5d9\5\xf890\5 ?W?i?n?d?o?w?s? ?(?\x5c2\5\x5c3\5\x5f1\5\xf890\5)?"="C:\WINDOWS\cursors\arrow_im.cur,C:\WINDOWS\cursors\help_im.cur,C:\WINDOWS\cursors\wait_im.cur,C:\WINDOWS\cursors\busy_im.cur,C:\WINDOWS\cursors\cross_im.cur,C:\WINDOWS\cursors\beam_im.cur,C:\WINDOWS\cursors\pen_im.cur,C:\WINDOWS\cursors\no_im.cur,C:\WINDOWS\cursors\size4_im.cur,C:\WINDOWS\cursors\size3_im.cur,C:\WINDOWS\cursors\size2_im.cur,C:\WINDOWS\cursors\size1_im.cur,C:\WINDOWS\cursors\move_im.cur,C:\WINDOWS\cursors\up_im.cur"
"\x5d6\5\x5c1\5\x5d2\5\xf88d\5\xf891\5 ?\x5f0\5\x5d4\5\x5f1\5\xf88f\5\xf88d\5\xf891\5 ?\x5d9\5\xf890\5 ?W?i?n?d?o?w?s? ?(?\x5c2\5\x5c3\5\x5f1\5\xf890\5 ?\xf892\5\x5c0\5\x5f1\5\x5c3\5)?"="C:\WINDOWS\cursors\arrow_il.cur,C:\WINDOWS\cursors\help_il.cur,C:\WINDOWS\cursors\wait_il.cur,C:\WINDOWS\cursors\busy_il.cur,C:\WINDOWS\cursors\cross_il.cur,C:\WINDOWS\cursors\beam_il.cur,C:\WINDOWS\cursors\pen_il.cur,C:\WINDOWS\cursors\no_il.cur,C:\WINDOWS\cursors\size4_il.cur,C:\WINDOWS\cursors\size3_il.cur,C:\WINDOWS\cursors\size2_il.cur,C:\WINDOWS\cursors\size1_il.cur,C:\WINDOWS\cursors\move_il.cur,C:\WINDOWS\cursors\up_il.cur"
"\x5d1\5\x5f4\5\x5d0\5\x5c3\5\x5d8\5\x5f4\5\xf88d\5 ?\x5d9\5\xf890\5 ?W?i?n?d?o?w?s? ?(?\x5c2\5\x5c3\5\x5f1\5\xf890\5)?"="C:\WINDOWS\cursors\arrow_m.cur,C:\WINDOWS\cursors\help_m.cur,C:\WINDOWS\cursors\wait_m.cur,C:\WINDOWS\cursors\busy_m.cur,C:\WINDOWS\cursors\cross_m.cur,C:\WINDOWS\cursors\beam_m.cur,C:\WINDOWS\cursors\pen_m.cur,C:\WINDOWS\cursors\no_m.cur,C:\WINDOWS\cursors\size4_m.cur,C:\WINDOWS\cursors\size3_m.cur,C:\WINDOWS\cursors\size2_m.cur,C:\WINDOWS\cursors\size1_m.cur,C:\WINDOWS\cursors\move_m.cur,C:\WINDOWS\cursors\up_m.cur"
"\x5d1\5\x5f4\5\x5d0\5\x5c3\5\x5d8\5\x5f4\5\xf88d\5 ?\x5d9\5\xf890\5 ?W?i?n?d?o?w?s? ?(?\x5c2\5\x5c3\5\x5f1\5\xf890\5 ?\xf892\5\x5c0\5\x5f1\5\x5c3\5)?"="C:\WINDOWS\cursors\arrow_l.cur,C:\WINDOWS\cursors\help_l.cur,C:\WINDOWS\cursors\wait_l.cur,C:\WINDOWS\cursors\busy_l.cur,C:\WINDOWS\cursors\cross_l.cur,C:\WINDOWS\cursors\beam_l.cur,C:\WINDOWS\cursors\pen_l.cur,C:\WINDOWS\cursors\no_l.cur,C:\WINDOWS\cursors\size4_l.cur,C:\WINDOWS\cursors\size3_l.cur,C:\WINDOWS\cursors\size2_l.cur,C:\WINDOWS\cursors\size1_l.cur,C:\WINDOWS\cursors\move_l.cur,C:\WINDOWS\cursors\up_l.cur"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\\xf892\5\x5c3\5\x5d4\5\x5d1\5\x5f1\5\x5da\5]
@="{2227A280-3AEA-1069-A2DE-08002B30309D}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DocFolderPaths]
"\x5d2\5\x5c3\5\xf893\5"="C:\Documents and Settings\\x5e2\x5d3\x5df\My Documents"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\\x5d7\5\x5c1\5\x5d6\5\xf88d\5\xf891\5 ]
@="{750fdf0e-2a26-11d1-a3ea-080036587f03}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\\x5d7\5\x5c1\5\x5d6\5\xf88d\5\xf891\5 ]
@="{effc2928-37b1-11d2-a3c1-00c04fb1782a}"
"Priority"=dword:000000ca
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\\x5d7\5\x5c1\5\x5d6\5\xf88d\5\xf891\5 ]
@="{750fdf0f-2a26-11d1-a3ea-080036587f03}"
"Priority"=dword:000000c9
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\\x5da\5\xf892\5\x5f1\5\x5d0\5\x5da\5 ]
@="{67cf8cbd-e5c0-44f7-9de5-e1d599d626d8}"
"Description"="\x200f\x200f\x5e7\x5d1\x5e6\x5d9\x5dd \x5d0\x5dc\x5d4 \x5d3\x5e8\x5d5\x5e9\x5d9\x5dd \x5d0\x5dd \x5d1\x5e8\x5e6\x5d5\x5e0\x5da \x5dc\x5d4\x5e1\x5d9\x5e8 \x5d2\x5d9\x5e8\x5e1\x5d4 \x5d6\x5d5 \x5e9\x5dc Windows \x5d5\x5dc\x5d7\x5d6\x5d5\x5e8 \x5dc\x5de\x5e2\x5e8\x5db\x5ea \x5d4\x5d4\x5e4\x5e2\x5dc\x5d4 \x5d4\x5e7\x5d5\x5d3\x5de\x5ea."
"Display"="\x5e7\x5d1\x5e6\x5d9 \x5d2\x5d9\x5d1\x5d5\x5d9 \x5e2\x5d1\x5d5\x5e8 \x5de\x5e2\x5e8\x5db\x5ea \x5d4\x5d4\x5e4\x5e2\x5dc\x5d4 \x5d4\x5e7\x5d5\x5d3\x5de\x5ea"
"IconPath"=str(2):"%SystemRoot%\system32\osuninst.EXE,0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Hints\\x5d2\5\x5c3\5\xf893\5]
@=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Unimodem\DeviceSpecific\\xf892\5\x5f1\5\x5c3\5\xf891\5 ]
"RefCount"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Unimodem\DeviceSpecific\\xf892\5\x5f1\5\x5c3\5\xf891\5 \Responses]
"<cr>"=hex:01,00,00,00,00,00,00,00,00,00
"<lf>"=hex:01,00,00,00,00,00,00,00,00,00
"<cr><lf>OK<cr><lf>"=hex:00,00,00,00,00,00,00,00,00,00
"<cr><lf>RING<cr><lf>"=hex:08,00,00,00,00,00,00,00,00,00
"<cr><lf>NO CARRIER<cr><lf>"=hex:04,00,00,00,00,00,00,00,00,00
"<cr><lf>ERROR<cr><lf>"=hex:03,00,00,00,00,00,00,00,00,00
"<cr><lf>NO DIALTONE<cr><lf>"=hex:05,00,00,00,00,00,00,00,00,00
"<cr><lf>BUSY<cr><lf>"=hex:06,00,00,00,00,00,00,00,00,00
"<cr><lf>NO ANSWER<cr><lf>"=hex:07,00,00,00,00,00,00,00,00,00
"<cr><lf>CONNECT<cr><lf>"=hex:02,00,00,00,00,00,00,00,00,00
"0<cr>"=hex:00,00,00,00,00,00,00,00,00,00
"2<cr>"=hex:08,00,00,00,00,00,00,00,00,00
"3<cr>"=hex:04,00,00,00,00,00,00,00,00,00
"4<cr>"=hex:03,00,00,00,00,00,00,00,00,00
"6<cr>"=hex:05,00,00,00,00,00,00,00,00,00
"7<cr>"=hex:06,00,00,00,00,00,00,00,00,00
"8<cr>"=hex:07,00,00,00,00,00,00,00,00,00
"OK"=hex:00,00,00,00,00,00,00,00,00,00
"RING"=hex:08,00,00,00,00,00,00,00,00,00
"NO CARRIER"=hex:04,00,00,00,00,00,00,00,00,00
"ERROR"=hex:03,00,00,00,00,00,00,00,00,00
"NO DIALTONE"=hex:05,00,00,00,00,00,00,00,00,00
"NO DIAL TONE"=hex:05,00,00,00,00,00,00,00,00,00
"BUSY"=hex:06,00,00,00,00,00,00,00,00,00
"NO ANSWER"=hex:07,00,00,00,00,00,00,00,00,00
"FAX"=hex:03,00,00,00,00,00,00,00,00,00
"DATA"=hex:03,00,00,00,00,00,00,00,00,00
"VOICE"=hex:03,00,00,00,00,00,00,00,00,00
"RINGING"=hex:01,00,00,00,00,00,00,00,00,00
"DIALING"=hex:01,00,00,00,00,00,00,00,00,00
"RRING"=hex:01,00,00,00,00,00,00,00,00,00
"DELAYED"=hex:1d,00,00,00,00,00,00,00,00,00
"BLACKLISTED"=hex:1c,00,00,00,00,00,00,00,00,00
"+FCERROR"=hex:03,00,00,00,00,00,00,00,00,00
"CONNECT"=hex:02,00,00,00,00,00,00,00,00,00
"CONNECT/ARQ"=hex:02,02,00,00,00,00,00,00,00,00
"CONNECT/REL"=hex:02,02,00,00,00,00,00,00,00,00
"CONNECT/MNP"=hex:02,02,00,00,00,00,00,00,00,00
"CONNECT/LAP-M"=hex:02,02,00,00,00,00,00,00,00,00
"CONNECT/V42BIS"=hex:02,03,00,00,00,00,00,00,00,00
"CONNECT/V42b"=hex:02,03,00,00,00,00,00,00,00,00
"CONNECT 300"=hex:02,00,2c,01,00,00,00,00,00,00
"CONNECT 300/ARQ"=hex:02,02,2c,01,00,00,00,00,00,00
"CONNECT 300/REL"=hex:02,02,2c,01,00,00,00,00,00,00
"CONNECT 300/MNP"=hex:02,02,2c,01,00,00,00,00,00,00
"CONNECT 300/LAP-M"=hex:02,02,2c,01,00,00,00,00,00,00
"CONNECT 300/V42BIS"=hex:02,03,2c,01,00,00,00,00,00,00
"CONNECT 300/V42b"=hex:02,03,2c,01,00,00,00,00,00,00
"CONNECT 600"=hex:02,00,58,02,00,00,00,00,00,00
"CONNECT 600/ARQ"=hex:02,02,58,02,00,00,00,00,00,00
"CONNECT 600/REL"=hex:02,02,58,02,00,00,00,00,00,00
"CONNECT 600/MNP"=hex:02,02,58,02,00,00,00,00,00,00
"CONNECT 600/LAP-M"=hex:02,02,58,02,00,00,00,00,00,00
"CONNECT 600/V42BIS"=hex:02,03,58,02,00,00,00,00,00,00
"CONNECT 600/V42b"=hex:02,03,58,02,00,00,00,00,00,00
"CONNECT 0600"=hex:02,00,58,02,00,00,00,00,00,00
"CONNECT 0600/ARQ"=hex:02,02,58,02,00,00,00,00,00,00
"CONNECT 0600/REL"=hex:02,02,58,02,00,00,00,00,00,00
"CONNECT 0600/MNP"=hex:02,02,58,02,00,00,00,00,00,00
"CONNECT 0600/LAP-M"=hex:02,02,58,02,00,00,00,00,00,00
"CONNECT 0600/V42BIS"=hex:02,03,58,02,00,00,00,00,00,00
"CONNECT 0600/V42b"=hex:02,03,58,02,00,00,00,00,00,00
"CONNECT 1200"=hex:02,00,b0,04,00,00,00,00,00,00
"CONNECT 1200/ARQ"=hex:02,02,b0,04,00,00,00,00,00,00
"CONNECT 1200/REL"=hex:02,02,b0,04,00,00,00,00,00,00
"CONNECT 1200/MNP"=hex:02,02,b0,04,00,00,00,00,00,00
"CONNECT 1200/LAP-M"=hex:02,02,b0,04,00,00,00,00,00,00
"CONNECT 1200/V42BIS"=hex:02,03,b0,04,00,00,00,00,00,00
"CONNECT 1200/V42b"=hex:02,03,b0,04,00,00,00,00,00,00
"CONNECT 1200/75"=hex:02,00,b0,04,00,00,00,00,00,00
"CONNECT 1200/75/ARQ"=hex:02,02,b0,04,00,00,00,00,00,00
"CONNECT 1200/75/REL"=hex:02,02,b0,04,00,00,00,00,00,00
"CONNECT 1200/75/MNP"=hex:02,02,b0,04,00,00,00,00,00,00
"CONNECT 1200/75/LAP-M"=hex:02,02,b0,04,00,00,00,00,00,00
"CONNECT 1200/75/V42BIS"=hex:02,03,b0,04,00,00,00,00,00,00
"CONNECT 1200/75/V42b"=hex:02,03,b0,04,00,00,00,00,00,00
"CONNECT 1200TX/75RX"=hex:02,00,b0,04,00,00,00,00,00,00
"CONNECT 1200TX/75RX/ARQ"=hex:02,02,b0,04,00,00,00,00,00,00
"CONNECT 1200TX/75RX/REL"=hex:02,02,b0,04,00,00,00,00,00,00
"CONNECT 1200TX/75RX/MNP"=hex:02,02,b0,04,00,00,00,00,00,00
"CONNECT 1200TX/75RX/LAP-M"=hex:02,02,b0,04,00,00,00,00,00,00
"CONNECT 1200TX/75RX/V42BIS"=hex:02,03,b0,04,00,00,00,00,00,00
"CONNECT 1200TX/75RX/V42b"=hex:02,03,b0,04,00,00,00,00,00,00
"CONNECT 75/1200"=hex:02,00,b0,04,00,00,00,00,00,00
"CONNECT 75/1200/ARQ"=hex:02,02,b0,04,00,00,00,00,00,00
"CONNECT 75/1200/REL"=hex:02,02,b0,04,00,00,00,00,00,00
"CONNECT 75/1200/MNP"=hex:02,02,b0,04,00,00,00,00,00,00
"CONNECT 75/1200/LAP-M"=hex:02,02,b0,04,00,00,00,00,00,00
"CONNECT 75/1200/V42BIS"=hex:02,03,b0,04,00,00,00,00,00,00
"CONNECT 75/1200/V42b"=hex:02,03,b0,04,00,00,00,00,00,00
"CONNECT 75TX/1200RX"=hex:02,00,b0,04,00,00,00,00,00,00
"CONNECT 75TX/1200RX/ARQ"=hex:02,02,b0,04,00,00,00,00,00,00
"CONNECT 75TX/1200RX/REL"=hex:02,02,b0,04,00,00,00,00,00,00
"CONNECT 75TX/1200RX/MNP"=hex:02,02,b0,04,00,00,00,00,00,00
"CONNECT 75TX/1200RX/LAP-M"=hex:02,02,b0,04,00,00,00,00,00,00
"CONNECT 75TX/1200RX/V42BIS"=hex:02,03,b0,04,00,00,00,00,00,00
"CONNECT 75TX/1200RX/V42b"=hex:02,03,b0,04,00,00,00,00,00,00
"CONNECT 2400"=hex:02,00,60,09,00,00,00,00,00,00
"CONNECT 2400/ARQ"=hex:02,02,60,09,00,00,00,00,00,00
"CONNECT 2400/REL"=hex:02,02,60,09,00,00,00,00,00,00
"CONNECT 2400/MNP"=hex:02,02,60,09,00,00,00,00,00,00
"CONNECT 2400/LAP-M"=hex:02,02,60,09,00,00,00,00,00,00
"CONNECT 2400/V42BIS"=hex:02,03,60,09,00,00,00,00,00,00
"CONNECT 2400/V42b"=hex:02,03,60,09,00,00,00,00,00,00
"CONNECT 4800"=hex:02,00,c0,12,00,00,00,00,00,00
"CONNECT 4800/ARQ"=hex:02,02,c0,12,00,00,00,00,00,00
"CONNECT 4800/REL"=hex:02,02,c0,12,00,00,00,00,00,00
"CONNECT 4800/MNP"=hex:02,02,c0,12,00,00,00,00,00,00
"CONNECT 4800/LAP-M"=hex:02,02,c0,12,00,00,00,00,00,00
"CONNECT 4800/V42BIS"=hex:02,03,c0,12,00,00,00,00,00,00
"CONNECT 4800/V42b"=hex:02,03,c0,12,00,00,00,00,00,00
"CONNECT 7200"=hex:02,00,20,1c,00,00,00,00,00,00
"CONNECT 7200/ARQ"=hex:02,02,20,1c,00,00,00,00,00,00
"CONNECT 7200/REL"=hex:02,02,20,1c,00,00,00,00,00,00
"CONNECT 7200/MNP"=hex:02,02,20,1c,00,00,00,00,00,00
"CONNECT 7200/LAP-M"=hex:02,02,20,1c,00,00,00,00,00,00
"CONNECT 7200/V42BIS"=hex:02,03,20,1c,00,00,00,00,00,00
"CONNECT 7200/V42b"=hex:02,03,20,1c,00,00,00,00,00,00
"CONNECT 9600"=hex:02,00,80,25,00,00,00,00,00,00
"CONNECT 9600/ARQ"=hex:02,02,80,25,00,00,00,00,00,00
"CONNECT 9600/REL"=hex:02,02,80,25,00,00,00,00,00,00
"CONNECT 9600/MNP"=hex:02,02,80,25,00,00,00,00,00,00
"CONNECT 9600/LAP-M"=hex:02,02,80,25,00,00,00,00,00,00
"CONNECT 9600/V42BIS"=hex:02,03,80,25,00,00,00,00,00,00
"CONNECT 9600/V42b"=hex:02,03,80,25,00,00,00,00,00,00
"CONNECT 12000"=hex:02,00,e0,2e,00,00,00,00,00,00
"CONNECT 12000/ARQ"=hex:02,02,e0,2e,00,00,00,00,00,00
"CONNECT 12000/REL"=hex:02,02,e0,2e,00,00,00,00,00,00
"CONNECT 12000/MNP"=hex:02,02,e0,2e,00,00,00,00,00,00
"CONNECT 12000/LAP-M"=hex:02,02,e0,2e,00,00,00,00,00,00
"CONNECT 12000/V42BIS"=hex:02,03,e0,2e,00,00,00,00,00,00
"CONNECT 12000/V42b"=hex:02,03,e0,2e,00,00,00,00,00,00
"CONNECT 14400"=hex:02,00,40,38,00,00,00,00,00,00
"CONNECT 14400/ARQ"=hex:02,02,40,38,00,00,00,00,00,00
"CONNECT 14400/REL"=hex:02,02,40,38,00,00,00,00,00,00
"CONNECT 14400/MNP"=hex:02,02,40,38,00,00,00,00,00,00
"CONNECT 14400/LAP-M"=hex:02,02,40,38,00,00,00,00,00,00
"CONNECT 14400/V42BIS"=hex:02,03,40,38,00,00,00,00,00,00
"CONNECT 14400/V42b"=hex:02,03,40,38,00,00,00,00,00,00
"CONNECT 16800"=hex:02,00,a0,41,00,00,00,00,00,00
"CONNECT 16800/ARQ"=hex:02,02,a0,41,00,00,00,00,00,00
"CONNECT 16800/REL"=hex:02,02,a0,41,00,00,00,00,00,00
"CONNECT 16800/MNP"=hex:02,02,a0,41,00,00,00,00,00,00
"CONNECT 16800/LAP-M"=hex:02,02,a0,41,00,00,00,00,00,00
"CONNECT 16800/V42BIS"=hex:02,03,a0,41,00,00,00,00,00,00
"CONNECT 16800/V42b"=hex:02,03,a0,41,00,00,00,00,00,00
"CONNECT 19200"=hex:02,00,00,4b,00,00,00,00,00,00
"CONNECT 19200/ARQ"=hex:02,02,00,4b,00,00,00,00,00,00
"CONNECT 19200/REL"=hex:02,02,00,4b,00,00,00,00,00,00
"CONNECT 19200/MNP"=hex:02,02,00,4b,00,00,00,00,00,00
"CONNECT 19200/LAP-M"=hex:02,02,00,4b,00,00,00,00,00,00
"CONNECT 19200/V42BIS"=hex:02,03,00,4b,00,00,00,00,00,00
"CONNECT 19200/V42b"=hex:02,03,00,4b,00,00,00,00,00,00
"CONNECT 21600"=hex:02,00,60,54,00,00,00,00,00,00
"CONNECT 21600/ARQ"=hex:02,02,60,54,00,00,00,00,00,00
"CONNECT 21600/REL"=hex:02,02,60,54,00,00,00,00,00,00
"CONNECT 21600/MNP"=hex:02,02,60,54,00,00,00,00,00,00
"CONNECT 21600/LAP-M"=hex:02,02,60,54,00,00,00,00,00,00
"CONNECT 21600/V42BIS"=hex:02,03,60,54,00,00,00,00,00,00
"CONNECT 21600/V42b"=hex:02,03,60,54,00,00,00,00,00,00
"CONNECT 24000"=hex:02,00,c0,5d,00,00,00,00,00,00
"CONNECT 24000/ARQ"=hex:02,02,c0,5d,00,00,00,00,00,00
"CONNECT 24000/REL"=hex:02,02,c0,5d,00,00,00,00,00,00
"CONNECT 24000/MNP"=hex:02,02,c0,5d,00,00,00,00,00,00
"CONNECT 24000/LAP-M"=hex:02,02,c0,5d,00,00,00,00,00,00
"CONNECT 24000/V42BIS"=hex:02,03,c0,5d,00,00,00,00,00,00
"CONNECT 24000/V42b"=hex:02,03,c0,5d,00,00,00,00,00,00
"CONNECT 26400"=hex:02,00,20,67,00,00,00,00,00,00
"CONNECT 26400/ARQ"=hex:02,02,20,67,00,00,00,00,00,00
"CONNECT 26400/REL"=hex:02,02,20,67,00,00,00,00,00,00
"CONNECT 26400/MNP"=hex:02,02,20,67,00,00,00,00,00,00
"CONNECT 26400/LAP-M"=hex:02,02,20,67,00,00,00,00,00,00
"CONNECT 26400/V42BIS"=hex:02,03,20,67,00,00,00,00,00,00
"CONNECT 26400/V42b"=hex:02,03,20,67,00,00,00,00,00,00
"CONNECT 28800"=hex:02,00,80,70,00,00,00,00,00,00
"CONNECT 28800/ARQ"=hex:02,02,80,70,00,00,00,00,00,00
"CONNECT 28800/REL"=hex:02,02,80,70,00,00,00,00,00,00
"CONNECT 28800/MNP"=hex:02,02,80,70,00,00,00,00,00,00
"CONNECT 28800/LAP-M"=hex:02,02,80,70,00,00,00,00,00,00
"CONNECT 28800/V42BIS"=hex:02,03,80,70,00,00,00,00,00,00
"CONNECT 28800/V42b"=hex:02,03,80,70,00,00,00,00,00,00
"CONNECT 38400"=hex:02,00,00,00,00,00,00,96,00,00
"CONNECT 38400/ARQ"=hex:02,02,00,00,00,00,00,96,00,00
"CONNECT 38400/REL"=hex:02,02,00,00,00,00,00,96,00,00
"CONNECT 38400/MNP"=hex:02,02,00,00,00,00,00,96,00,00
"CONNECT 38400/LAP-M"=hex:02,02,00,00,00,00,00,96,00,00
"CONNECT 38400/V42BIS"=hex:02,03,00,00,00,00,00,96,00,00
"CONNECT 38400/V42b"=hex:02,03,00,00,00,00,00,96,00,00
"CONNECT 57600"=hex:02,00,00,00,00,00,00,e1,00,00
"CONNECT 57600/ARQ"=hex:02,02,00,00,00,00,00,e1,00,00
"CONNECT 57600/REL"=hex:02,02,00,00,00,00,00,e1,00,00
"CONNECT 57600/MNP"=hex:02,02,00,00,00,00,00,e1,00,00
"CONNECT 57600/LAP-M"=hex:02,02,00,00,00,00,00,e1,00,00
"CONNECT 57600/V42BIS"=hex:02,03,00,00,00,00,00,e1,00,00
"CONNECT 57600/V42b"=hex:02,03,00,00,00,00,00,e1,00,00
"CONNECT 115200"=hex:02,00,00,00,00,00,00,c2,01,00
"CONNECT 115200/ARQ"=hex:02,02,00,00,00,00,00,c2,01,00
"CONNECT 115200/REL"=hex:02,02,00,00,00,00,00,c2,01,00
"CONNECT 115200/MNP"=hex:02,02,00,00,00,00,00,c2,01,00
"CONNECT 115200/LAP-M"=hex:02,02,00,00,00,00,00,c2,01,00
"CONNECT 115200/V42BIS"=hex:02,03,00,00,00,00,00,c2,01,00
"CONNECT 115200/V42b"=hex:02,03,00,00,00,00,00,c2,01,00
"CONNECT 115,200"=hex:02,00,00,00,00,00,00,c2,01,00
"CONNECT 115,200/ARQ"=hex:02,02,00,00,00,00,00,c2,01,00
"CONNECT 115,200/REL"=hex:02,02,00,00,00,00,00,c2,01,00
"CONNECT 115,200/MNP"=hex:02,02,00,00,00,00,00,c2,01,00
"CONNECT 115,200/LAP-M"=hex:02,02,00,00,00,00,00,c2,01,00
"CONNECT 115,200/V42BIS"=hex:02,03,00,00,00,00,00,c2,01,00
"CONNECT 115,200/V42b"=hex:02,03,00,00,00,00,00,c2,01,00
"CONNECT 230400"=hex:02,00,00,00,00,00,00,84,03,00
"CONNECT 230400/ARQ"=hex:02,02,00,00,00,00,00,84,03,00
"CONNECT 230400/REL"=hex:02,02,00,00,00,00,00,84,03,00
"CONNECT 230400/MNP"=hex:02,02,00,00,00,00,00,84,03,00
"CONNECT 230400/LAP-M"=hex:02,02,00,00,00,00,00,84,03,00
"CONNECT 230400/V42BIS"=hex:02,03,00,00,00,00,00,84,03,00
"CONNECT 230400/V42b"=hex:02,03,00,00,00,00,00,84,03,00
"CARRIER 300"=hex:01,00,2c,01,00,00,00,00,00,00
"CARRIER 1200"=hex:01,00,b0,04,00,00,00,00,00,00
"CARRIER 1200/75"=hex:01,00,b0,04,00,00,00,00,00,00
"CARRIER 75/1200"=hex:01,00,b0,04,00,00,00,00,00,00
"CARRIER 2400"=hex:01,00,60,09,00,00,00,00,00,00
"CARRIER 4800"=hex:01,00,c0,12,00,00,00,00,00,00
"CARRIER 7200"=hex:01,00,20,1c,00,00,00,00,00,00
"CARRIER 9600"=hex:01,00,80,25,00,00,00,00,00,00
"CARRIER 12000"=hex:01,00,e0,2e,00,00,00,00,00,00
"CARRIER 14400"=hex:01,00,40,38,00,00,00,00,00,00
"CARRIER 16800"=hex:01,00,a0,41,00,00,00,00,00,00
"CARRIER 19200"=hex:01,00,00,4b,00,00,00,00,00,00
"CARRIER 21600"=hex:01,00,60,54,00,00,00,00,00,00
"CARRIER 24000"=hex:01,00,c0,5d,00,00,00,00,00,00
"CARRIER 26400"=hex:01,00,20,67,00,00,00,00,00,00
"CARRIER 28800"=hex:01,00,80,70,00,00,00,00,00,00
"COMPRESSION: CLASS 5"=hex:01,03,00,00,00,00,00,00,00,00
"COMPRESSION: MNP5"=hex:01,03,00,00,00,00,00,00,00,00
"COMPRESSION: V.42BIS"=hex:01,03,00,00,00,00,00,00,00,00
"COMPRESSION: V.42 BIS"=hex:01,03,00,00,00,00,00,00,00,00
"COMPRESSION: ADC"=hex:01,01,00,00,00,00,00,00,00,00
"COMPRESSION: NONE"=hex:01,00,00,00,00,00,00,00,00,00
"PROTOCOL: NONE"=hex:01,00,00,00,00,00,00,00,00,00
"PROTOCOL: ERROR-CONTROL/LAPB"=hex:01,02,00,00,00,00,00,00,00,00
"PROTOCOL: ERROR-CONTROL/LAPB/HDX"=hex:01,02,00,00,00,00,00,00,00,00
"PROTOCOL: ERROR-CONTROL/LAPB/AFT"=hex:01,02,00,00,00,00,00,00,00,00
"PROTOCOL: X.25/LAPB"=hex:01,02,00,00,00,00,00,00,00,00
"PROTOCOL: X.25/LAPB/HDX"=hex:01,02,00,00,00,00,00,00,00,00
"PROTOCOL: X.25/LAPB/AFT"=hex:01,02,00,00,00,00,00,00,00,00
"PROTOCOL: LAPM"=hex:01,02,00,00,00,00,00,00,00,00
"PROTOCOL: LAP-M"=hex:01,02,00,00,00,00,00,00,00,00
"PROTOCOL: LAPM/HDX"=hex:01,02,00,00,00,00,00,00,00,00
"PROTOCOL: LAP-M/HDX"=hex:01,02,00,00,00,00,00,00,00,00
"PROTOCOL: LAPM/AFT"=hex:01,02,00,00,00,00,00,00,00,00
"PROTOCOL: LAP-M/AFT"=hex:01,02,00,00,00,00,00,00,00,00
"PROTOCOL: ALT"=hex:01,02,00,00,00,00,00,00,00,00
"PROTOCOL: ALT-CELLULAR"=hex:01,0a,00,00,00,00,00,00,00,00
"PROTOCOL: MNP"=hex:01,02,00,00,00,00,00,00,00,00
"PROTOCOL: MNP2"=hex:01,02,00,00,00,00,00,00,00,00
"PROTOCOL: MNP3"=hex:01,02,00,00,00,00,00,00,00,00
"PROTOCOL: MNP4"=hex:01,02,00,00,00,00,00,00,00,00
"AUTOSTREAM: LEVEL 1"=hex:01,00,00,00,00,00,00,00,00,00
"AUTOSTREAM: LEVEL 2"=hex:01,00,00,00,00,00,00,00,00,00
"AUTOSTREAM: LEVEL 3"=hex:01,00,00,00,00,00,00,00,00,00
"CARRIER 31200 V.23"=hex:01,00,e0,79,00,00,00,00,00,00
"CARRIER 31200"=hex:01,00,e0,79,00,00,00,00,00,00
"CARRIER 31200/VFC"=hex:01,00,e0,79,00,00,00,00,00,00
"CARRIER 33600 V.23"=hex:01,00,40,83,00,00,00,00,00,00
"CARRIER 33600"=hex:01,00,40,83,00,00,00,00,00,00
"CARRIER 33600/VFC"=hex:01,00,40,83,00,00,00,00,00,00
"CONNECT 31200 EC"=hex:02,02,e0,79,00,00,00,00,00,00
"CONNECT 31200 EC/V42"=hex:02,02,e0,79,00,00,00,00,00,00
"CONNECT 31200 EC/V42BIS"=hex:02,03,e0,79,00,00,00,00,00,00
"CONNECT 31200 REL"=hex:02,02,e0,79,00,00,00,00,00,00
"CONNECT 31200 REL/MNP5"=hex:02,03,e0,79,00,00,00,00,00,00
"CONNECT 31200 REL/V42"=hex:02,02,e0,79,00,00,00,00,00,00
"CONNECT 31200 REL/V42BIS"=hex:02,03,e0,79,00,00,00,00,00,00
"CONNECT 31200"=hex:02,00,e0,79,00,00,00,00,00,00
"CONNECT 31200/ARQ"=hex:02,02,e0,79,00,00,00,00,00,00
"CONNECT 31200/LAP-M"=hex:02,02,e0,79,00,00,00,00,00,00
"CONNECT 31200/MNP"=hex:02,02,e0,79,00,00,00,00,00,00
"CONNECT 31200/REL"=hex:02,02,e0,79,00,00,00,00,00,00
"CONNECT 31200/REL-LAPM V.42 BIS"=hex:02,03,e0,79,00,00,00,00,00,00
"CONNECT 31200/REL-LAPM"=hex:02,02,e0,79,00,00,00,00,00,00
"CONNECT 31200/V42B"=hex:02,03,e0,79,00,00,00,00,00,00
"CONNECT 31200/V42BIS"=hex:02,03,e0,79,00,00,00,00,00,00
"CONNECT 33600 EC"=hex:02,02,40,83,00,00,00,00,00,00
"CONNECT 33600 EC/V42"=hex:02,02,40,83,00,00,00,00,00,00
"CONNECT 33600 EC/V42BIS"=hex:02,03,40,83,00,00,00,00,00,00
"CONNECT 33600 REL"=hex:02,02,40,83,00,00,00,00,00,00
"CONNECT 33600 REL/MNP5"=hex:02,03,40,83,00,00,00,00,00,00
"CONNECT 33600 REL/V42"=hex:02,02,40,83,00,00,00,00,00,00
"CONNECT 33600 REL/V42BIS"=hex:02,03,40,83,00,00,00,00,00,00
"CONNECT 33600"=hex:02,00,40,83,00,00,00,00,00,00
"CONNECT 33600/ARQ"=hex:02,02,40,83,00,00,00,00,00,00
"CONNECT 33600/LAP-M"=hex:02,02,40,83,00,00,00,00,00,00
"CONNECT 33600/MNP"=hex:02,02,40,83,00,00,00,00,00,00
"CONNECT 33600/REL"=hex:02,02,40,83,00,00,00,00,00,00
"CONNECT 33600/REL-LAPM V.42 BIS"=hex:02,03,40,83,00,00,00,00,00,00
"CONNECT 33600/REL-LAPM"=hex:02,02,40,83,00,00,00,00,00,00
"CONNECT 33600/V42B"=hex:02,03,40,83,00,00,00,00,00,00
"CONNECT 33600/V42BIS"=hex:02,03,40,83,00,00,00,00,00,00
"CONNECT 31200/REL-MNP"=hex:02,02,e0,79,00,00,00,00,00,00
"CONNECT 33600/REL-MNP"=hex:02,02,40,83,00,00,00,00,00,00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Volume Control\Realtek AC97 Audio\\x5c1\5\x5d7\5\x5d8\5\x5da\5 ]
"LineStates"=hex:04,00,00,00,d1,05,e7,05,e8,05,ea,05,20,00,d4,05,e7,05,dc,05,d8,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Volume Control\Realtek AC97 Audio\\x5c1\5\x5d7\5\x5d8\5\x5da\5 ]
"LineStates"=hex:00,00,00,00,d1,05,e7,05,e8,05,ea,05,20,00,e2,05,d5,05,e6,05,de,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\\x5f0\5\x5d4\5\x5d2\5\xf890\5\x5f0\5]
"Order"=hex:08,00,00,00,02,00,00,00,0a,01,00,00,01,00,00,00,02,00,00,00,74,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\\xf892\5\x5d9\5\x5f3\5\x5d7\5\xf88d\5\xf891\5]
"Order"=hex:08,00,00,00,02,00,00,00,02,07,00,00,01,00,00,00,0b,00,00,00,8a,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\\x5d2\5\x5f2\5\x5d8\5\xf88d\5\xf891\5]
"Order"=hex:08,00,00,00,02,00,00,00,dc,08,00,00,01,00,00,00,0e,00,00,00,d0,..

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\\x5d2\5\x5f2\5\x5d8\5\xf88d\5\xf891\5\\x5c1\5\xf88d\5\x5c3\5\x5f1\5\x5d8\5]
"Order"=hex:08,00,00,00,02,00,00,00,24,01,00,00,01,00,00,00,02,00,00,00,90,..

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\\x5d2\5\x5f2\5\x5d8\5\xf88d\5\xf891\5\\xf88f\5\xf890\5\xf88d\5 ]
"Order"=hex:08,00,00,00,02,00,00,00,58,06,00,00,01,00,00,00,0a,00,00,00,a6,..

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\\x5d2\5\x5f2\5\x5d8\5\xf88d\5\xf891\5\\x5d0\5\x5c2\5\xf88d\5\x5d9\5\x5f1\5\x5da\5]
"Order"=hex:08,00,00,00,02,00,00,00,6a,02,00,00,01,00,00,00,04,00,00,00,92,..

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\\x5d2\5\x5f2\5\x5d8\5\xf88d\5\xf891\5\\x5da\5\x5d7\5\x5d9\5\x5f1\5\x5d8\5\x5da\5]
"Order"=hex:08,00,00,00,02,00,00,00,1c,04,00,00,01,00,00,00,06,00,00,00,ac,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\GrpConv\MapGroups]
"\xf892\5\x5d9\5\x5f3\5\x5d7\5\xf88d\5\xf891\5"="\x5e2\x5d6\x5e8\x5d9\x5dd\\x5de\x5e9\x5d7\x5e7\x5d9\x5dd"

scanning hidden files ...


scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 4


Remaining Services :

 

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Neoact\\Carom3D\\CaromEngLauncher.exe"="C:\\Program Files\\Neoact\\Carom3D\\CaromEngLauncher.exe:*:Enabled:Last Update 2001/08/22"
"C:\\Program Files\\Hebrew Kazaa Lite\\klrun.exe"="C:\\Program Files\\Hebrew Kazaa Lite\\klrun.exe:*:Enabled:Hebrew Kazaa Lite"
"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Disabled:mIRC"
"C:\\Program Files\\Hebrew Kazaa Lite\\clean.kmd"="C:\\Program Files\\Hebrew Kazaa Lite\\clean.kmd:*:Enabled:clean"
"C:\\Program Files\\DAP\\DAP.exe"="C:\\Program Files\\DAP\\DAP.exe:*:Enabled:Download Accelerator Plus (DAP)"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Run a DLL as an App"
"C:\\Documents and Settings\\’ƒ\\™…Œ‡ „’…ƒ„\\Tactial Ops\\TacticalOps1\\System\\TacticalOps.exe"="C:\\Documents and Settings\\’ƒ\\™…Œ‡ „’…ƒ„\\Tactial Ops\\TacticalOps1\\System\\TacticalOps.exe:*:Enabled:TacticalOps"
"C:\\Documents and Settings\\’ƒ\\™…Œ‡ „’…ƒ„\\acp.exe"="C:\\Documents and Settings\\’ƒ\\™…Œ‡ „’…ƒ„\\acp.exe:*:Enabled:acp"
"C:\\Program Files\\Tactial Ops\\TacticalOps1\\System\\TacticalOps.exe"="C:\\Program Files\\Tactial Ops\\TacticalOps1\\System\\TacticalOps.exe:*:Enabled:TacticalOps"
"C:\\Program Files\\KaZaA.co.il v3\\kazaalite.kpp"="C:\\Program Files\\KaZaA.co.il v3\\kazaalite.kpp:*:Enabled:kazaalite"
"C:\\Documents and Settings\\’ƒ\\™…Œ‡ „’…ƒ„\\Tactical Ops\\TacticalOps1\\System\\TacticalOps.exe"="C:\\Documents and Settings\\’ƒ\\™…Œ‡ „’…ƒ„\\Tactical Ops\\TacticalOps1\\System\\TacticalOps.exe:*:Enabled:TacticalOps"
"C:\\Program Files\\Tactical Ops\\TacticalOps 1\\System\\TacticalOps.exe"="C:\\Program Files\\Tactical Ops\\TacticalOps 1\\System\\TacticalOps.exe:*:Enabled:TacticalOps"
"C:\\Program Files\\eMule.co.il\\Fire eMule 7\\eMule.exe"="C:\\Program Files\\eMule.co.il\\Fire eMule 7\\emule.exe:*:Enabled:eMule"
"C:\\Program Files\\Neoact\\Carom3D\\update.exe"="C:\\Program Files\\Neoact\\Carom3D\\update.exe:*:Enabled:Last Update 2001/08/22"
"C:\\Documents and Settings\\’ƒ\\™…Œ‡ „’…ƒ„\\KoXXX_225_sk8r\\_koXXX_.exe"="C:\\Documents and Settings\\’ƒ\\™…Œ‡ „’…ƒ„\\KoXXX_225_sk8r\\_koXXX_.exe:*:Enabled:_koXXX_"
"C:\\Documents and Settings\\’ƒ\\™…Œ‡ „’…ƒ„\\koXXX1461_223\\_koXXX_0.5_.exe"="C:\\Documents and Settings\\’ƒ\\™…Œ‡ „’…ƒ„\\koXXX1461_223\\_koXXX_0.5_.exe:*:Enabled:_koXXX_0.5_"
"C:\\Documents and Settings\\’ƒ\\™…Œ‡ „’…ƒ„\\USAK1461_225\\USAK1461_225\\_koXXX_.exe"="C:\\Documents and Settings\\’ƒ\\™…Œ‡ „’…ƒ„\\USAK1461_225\\USAK1461_225\\_koXXX_.exe:*:Enabled:_koXXX_"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Documents and Settings\\’ƒ\\™…Œ‡ „’…ƒ„\\rofl\\TacticalOps 1\\System\\TacticalOps.exe"="C:\\Documents and Settings\\’ƒ\\™…Œ‡ „’…ƒ„\\rofl\\TacticalOps 1\\System\\TacticalOps.exe:*:Enabled:TacticalOps"
"C:\\Program Files\\Teamspeak2_RC2_Server\\server_windows.exe"="C:\\Program Files\\Teamspeak2_RC2_Server\\server_windows.exe:*:Enabled:Server"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Documents and Settings\\’ƒ\\™…Œ‡ „’…ƒ„\\rofl\\TacticalOps\\System\\TacticalOps.exe"="C:\\Documents and Settings\\’ƒ\\™…Œ‡ „’…ƒ„\\rofl\\TacticalOps\\System\\TacticalOps.exe:*:Enabled:TacticalOps"
"C:\\Program Files\\ICQLite\\ICQLite.exe"="C:\\Program Files\\ICQLite\\ICQLite.exe:*:Enabled:ICQ Lite"
"C:\\Program Files\\Tactical Ops\\TacticalOps 1\\System\\UCC.exe"="C:\\Program Files\\Tactical Ops\\TacticalOps 1\\System\\UCC.exe:*:Enabled:UCC"
"C:\\Program Files\\Valve\\hl.exe"="C:\\Program Files\\Valve\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Documents and Settings\\’ƒ\\Local Settings\\Temp\\Rar$EX00.547\\DL_file109.exe"="C:\\Documents and Settings\\’ƒ\\Local Settings\\Temp\\Rar$EX00.547\\DL_file109.exe:*:Disabled:Application MFC Download_manager"
"C:\\Program Files\\Monopol500\\Monopol.exe"="C:\\Program Files\\Monopol500\\Monopol.exe:*:Enabled:Monopol"
"C:\\UnrealTournament\\System\\UnrealTournament.exe"="C:\\UnrealTournament\\System\\UnrealTournament.exe:*:Enabled:UnrealTournament"
"C:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\HelpCtr.exe"="C:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\HelpCtr.exe:*:Enabled:‘‰…’ Ž˜‡…— - Windows Messenger …- Voice"
"C:\\Program Files\\Tactical Ops\\TacticalOps 2\\System\\TacticalOps.exe"="C:\\Program Files\\Tactical Ops\\TacticalOps 2\\System\\TacticalOps.exe:*:Enabled:TacticalOps"
"C:\\xScript8\\mirc.exe"="C:\\xScript8\\mirc.exe:*:Enabled:mIRC"
"C:\\Program Files\\Xscript10\\mirc.exe"="C:\\Program Files\\Xscript10\\mirc.exe:*:Enabled:mIRC"
"C:\\Program Files\\Tactical Ops\\TacticalOps 3\\System\\TacticalOps.exe"="C:\\Program Files\\Tactical Ops\\TacticalOps 3\\System\\TacticalOps.exe:*:Enabled:TacticalOps"
"C:\\Xscript10\\mirc.exe"="C:\\Xscript10\\mirc.exe:*:Enabled:mIRC"
"C:\\Program Files\\The All-Seeing Eye\\eye.exe"="C:\\Program Files\\The All-Seeing Eye\\eye.exe:*:Enabled:Yahoo! All-Seeing Eye"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Documents and Settings\\’ƒ\\Local Settings\\Temp\\Rar$EX01.047\\LogInServer\\VersionManager.exe"="C:\\Documents and Settings\\’ƒ\\Local Settings\\Temp\\Rar$EX01.047\\LogInServer\\VersionManager.exe:*:Enabled:VersionManager MFC ?? ????"
"C:\\Documents and Settings\\’ƒ\\™…Œ‡ „’…ƒ„\\new.logic.1.1.beta.1a\\emule.exe"="C:\\Documents and Settings\\’ƒ\\™…Œ‡ „’…ƒ„\\new.logic.1.1.beta.1a\\emule.exe:*:Enabled:eMule"
"C:\\Documents and Settings\\’ƒ\\™…Œ‡ „’…ƒ„\\emule.exe"="C:\\Documents and Settings\\’ƒ\\™…Œ‡ „’…ƒ„\\emule.exe:*:Enabled:eMule"
"C:\\Program Files\\mIRC2\\mirc.exe"="C:\\Program Files\\mIRC2\\mirc.exe:*:Enabled:mIRC"
"C:\\Documents and Settings\\’ƒ\\™…Œ‡ „’…ƒ„\\toserver\\System\\UCC.exe"="C:\\Documents and Settings\\’ƒ\\™…Œ‡ „’…ƒ„\\toserver\\System\\UCC.exe:*:Enabled:UCC"
"C:\\Program Files\\Tactical Ops\\TacticalOps 4\\System\\TacticalOps.exe"="C:\\Program Files\\Tactical Ops\\TacticalOps 4\\System\\TacticalOps.exe:*:Enabled:TacticalOps"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:×–Torrent"
"C:\\Program Files\\EA GAMES\\MOHAA\\MOHAA.exe"="C:\\Program Files\\EA GAMES\\MOHAA\\MOHAA.exe:*:Enabled:Medal of Honor Allied Assault"
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"="C:\\Program Files\\Warcraft III\\Warcraft III.exe:*:Enabled:Warcraft III"
"C:\\Program Files\\Warcraft III 2\\Warcraft III.exe"="C:\\Program Files\\Warcraft III 2\\Warcraft III.exe:*:Enabled:Warcraft III"
"C:\\Program Files\\softnyx\\GunboundWC\\GunBound.gme"="C:\\Program Files\\softnyx\\GunboundWC\\GunBound.gme:*:Enabled:GunBound"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 26 May 2007     1,185,802 A..HR --- "C:\Program Files\KOSS\KO.exe"
Sat 26 May 2007     1,185,802 A..H. --- "C:\Program Files\KOSS2\KO.exe"
Sat 28 Jul 2007     1,814,528 A..H. --- "C:\Program Files\Maor-israel\KS.exe"
Mon 28 Jan 2008     1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy2\SDUpdate.exe"
Mon 28 Jan 2008     5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy2\SpybotSD.exe"
Mon 28 Jan 2008     2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy2\TeaTimer.exe"
Thu 20 May 2004         4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 28 Jul 2007     1,814,528 A..

Title: mIRC Virus or Whatever
Post by: guestolo on March 03, 2008, 09:32:46 PM

Apparently your a mIRC user, so if the files look legit to you we can leave them
according to Kaspersky scan, any infected file you don't trust from the Kaspersky scan, remove

How are things running now?

Title: mIRC Virus or Whatever
Post by: Brenneka on March 04, 2008, 02:09:02 AM

Ok but the kaspersky scan shows that I'm infected with various viruses and not 1, and I did the kaspersky scan
as the last thing, so does it means that I'm still infected with all the viruses Kaspersky scan showed?
If so, please tell me what should I do in order to remove them.
Oh and things are going fine now, I dont have the error messages when windows start, but I'm still not sure about the mIRC
messages (which are being sent hiddenly), I cant see if I send them or not, do you think this one got fixed also?

Thank you so much guestolo! You're such a great person!

EDIT #1:
Ok I deleted everything Kaspersky said it's infected, none of them are really important for me and I dont need them.
BUT, the 2 files mssvc.exe and mssvcs.exe are in the _OTMoveIt backup folder and Kaspersky says they are infected,
I need to delete them? They are important? (By the way, both files are still with the wierd icons, media and image icons)
Thanks ALOT! /biggrin.gif\' class=\'bbc_emoticon\' alt=\':D\' />

Title: mIRC Virus or Whatever
Post by: guestolo on March 04, 2008, 09:46:03 AM

Did you just recently uninstall Norton 2007?
It looks as if dss.exe still sees remnants of it

Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box, not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg

Save this file on the desktop
Ensure to copy from REGEDIT4 and down in the code box

 

Code: [Select]

REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\xScript8\\mirc.exe"=-
"C:\\Program Files\\Xscript10\\mirc.exe"=-
"C:\\Xscript10\\mirc.exe"=-

Double click on fix.reg and allow to add/merge to the registry at the prompt

OTMoveit2.exe

• Please double-click OTMoveIt.exe to run it.
  
• Click the Cleanup! button
  A list will be downloaded>>Allow it Internet access if prompted by your Firewall
  Don't change anything in this list
  
• Select Yes at the prompt
  Wait for the confirmation box to open to reboot the computer
  Don't mouseclick during the wait as you may cause the tool to stall
  
• Select Yes to reboot Now
  

NOTE: This procedure will also delete OTMoveit.exe from desktop

Back in Windows

Post back and let me know how things are still running
Also, let me know about Norton's AV

Title: mIRC Virus or Whatever
Post by: Brenneka on March 04, 2008, 10:17:57 AM

Everything's running cool, but as I said before I'm still not sure about the mIRC, is it safe now to log on
mIRC without any worries for it to spam virus websites again?
About the mIRC locations that you posted, I don't use this script and I dont need it, I also deleted it.
I want first to delete all mIRC setups + directories, anything which is related to mIRC and then I'll redownload it.
I already deleted all of the mIRC files that Kaspersky showed, and also deleted\uninstalled everything which has something to do
with mIRC.
As for the Norton, I uninstalled it before like 1 year or so, very stupid AV.
The most urgnet thing for me now is to log on mIRC without any worries of the virus spamming.
Once again, THANKS ALOT!!! /smile.gif\' class=\'bbc_emoticon\' alt=\':)\' />

Title: mIRC Virus or Whatever
Post by: Brenneka on March 04, 2008, 11:30:56 AM

By the way, now I downloaded fresh new mIRC installation and scanned it with Kaspersky online
scanner, have a look:

-------------------------------------------------------------------------------
 KASPERSKY ONLINE SCANNER REPORT
 Tuesday, March 04, 2008 6:41:15 PM
 Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
 Kaspersky Online Scanner version: 5.0.98.0
 Kaspersky Anti-Virus database last update:  4/03/2008
 Kaspersky Anti-Virus database records: 595714
-------------------------------------------------------------------------------

Scan Settings:
   Scan using the following antivirus database: extended
   Scan Archives: true
   Scan Mail Bases: true

Scan Target - A file:
   C:\Documents and Settings\עדן\שולחן העבודה\mirc631.exe

Scan Statistics:
   Total number of scanned objects: 1
   Number of viruses found: 1
   Number of infected objects: 5
   Number of suspicious objects: 0
   Duration of the scan process: 00:00:04

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\עדן\שולחן העבודה\mirc631.exe/stream/data0001/stream/data0014   Infected: not-a-virus:Client-IRC.Win32.mIRC.631   skipped
C:\Documents and Settings\עדן\שולחן העבודה\mirc631.exe/stream/data0001/stream   Infected: not-a-virus:Client-IRC.Win32.mIRC.631   skipped
C:\Documents and Settings\עדן\שולחן העבודה\mirc631.exe/stream/data0001   Infected: not-a-virus:Client-IRC.Win32.mIRC.631   skipped
C:\Documents and Settings\עדן\שולחן העבודה\mirc631.exe/stream   Infected: not-a-virus:Client-IRC.Win32.mIRC.631   skipped
C:\Documents and Settings\עדן\שולחן העבודה\mirc631.exe   NSIS: infected - 4   skipped

Scan process completed.


So every mIRC file that I download will always be infected forever? /sad.gif\' class=\'bbc_emoticon\' alt=\':(\' />

Title: mIRC Virus or Whatever
Post by: guestolo on March 04, 2008, 07:31:23 PM

As indicated by the scan, it's not a Virus, is more riskware, there is a chance of malware exploiting the program
and using it maliciously, but it's not saying it's a virus itself

So it is safe to use, just ensure to keep up with it's updates
And be careful what you download

Go to START>>All Programs>>Accessories>>System Tools>>System Restore
Select>>Create a New restore point
Give it a name, any name,
eg... Brenneka
 and click Create
Windows will prompt when it was created successfully

When that's done

Go to START>>RUN>>type the following
cleanmgr
Hit OK
Let if finish calculating

Select the More Options tab
and click Cleanup.. under 'System Restore'
This will clear all later restore points except for the one you just made

Ok the prompts, it may take a few seconds to remove old restore points
Ok again after it's ready and let it finish cleaning

Since it appears not all of Norton's may have been removed
I suggest that you go to the following link
Norton Removal Tool (http://\"http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2007080716254939?Open&docid=2005033108162039&nsf=tsgeninfo.nsf&view=docid\")
Follow all of STEP 3

I suggest that you add SpywareBlaster to your protection software
SpywareBlaster 3.5.1 by JavaCool (http://\"http://www.javacoolsoftware.com/spywareblaster.html\")  

*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer

After installation, Check for updates
After updating, select "Protection" on the Left
Then select "Enable all Protection"
"Check for updates every couple of weeks"
after every update just simply click the "enable protection on all unprotected items"

If your spyware protections are still disabled, now would be a good time to reenable them

Take a look at miekiemoes site with other ideas on How to prevent Malware: (http://\"http://users.telenet.be/bluepatchy/miekiemoes/prevention.html\")

I hope that helps  /smile.gif\' class=\'bbc_emoticon\' alt=\':)\' />

Title: mIRC Virus or Whatever
Post by: Brenneka on March 05, 2008, 06:45:19 AM

Once again, thanks alot guestolo!
Everything's perfect right now, I hope it still stay like that /smile.gif\' class=\'bbc_emoticon\' alt=\':)\' />

Case solved! /biggrin.gif\' class=\'bbc_emoticon\' alt=\':D\' />

Title: mIRC Virus or Whatever
Post by: guestolo on March 05, 2008, 08:50:53 AM

Good work, I'll lock this topic as your problems are resolved
Take care  /smile.gif\' class=\'bbc_emoticon\' alt=\':)\' />