Redirect virus

2 posters

WiredWX Christian Hobby Weather Tools :: GeekPolice tech support archive :: Technical Support

Redirect virus13th July 2010, 2:07 pm

I seem to have some kind of virus that redirects me to different sites about half of the time. I have a new Dell computer with windows 7. Thanks much.

Re: Redirect virus13th July 2010, 7:55 pm

Hello.

Please note the following information about the malware forum:

Only Tech Officers, Global Moderators, Administrators, and Malware Advisors are allowed to give advice on removing malware from your computer.
From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by the staff I noted above.
Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
If you have already asked for help somewhere, please post the link to the topic you were helped.
We try our best to reply quickly, but for any reason we do not reply in two days, do one of two things:

Reply to this topic with the word BUMP, or
see this topic.
Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

Please visit this webpage for a tutorial on downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

See the area: Using ComboFix, and when done, post the log back here.

Re: Redirect virus14th July 2010, 1:01 pm

Tried to run ComboFix and it said I have an incompatible OS. ComboFix only works for workstations with windows 2000 and XP. I have Windows 7 and it is a 64 bit system. Thanks.

Re: Redirect virus14th July 2010, 6:20 pm

Please download DrWeb-CureIt and save it to your Desktop. Do NOT perform a scan yet

Double-click on drweb-cureit.exe to start the program.
An Express Scan of your PC notice will appear.
Under Start the Express Scan Now, Click OK to start the scan.
This is a short scan that will scan the files currently running in memory.
If something is found, click the Yes button when it asks you if you want to cure it.
Once the short scan has finished, Click Options > Change settings
Choose the Scan tab and UNcheck Heuristic analysis
Back at the main window, click Custom Scan, then Select drives (a red dot will show which drives have been chosen).
Then click the Start/Stop Scanning button (green arrow on the right, and the scan will start.
When finished, a message will be displayed at the bottom advising if any viruses were found.
Click Yes to all if it asks if you want to cure/move the file.
When the scan has finished, look if you can see the icon next to the files found.
If so, click it, then click the next icon right below and select Move incurable.
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
Save the DrWeb.csv report to your Desktop.
Exit Dr.Web Cureit when you have finished.
Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)

Re: Redirect virus14th July 2010, 11:44 pm

Ran it and it came up with no infections.

Re: Redirect virus15th July 2010, 6:24 am

Please download MySystem-Search from one of the following links:

Download mirror 1

Download mirror 2

Save the file to your Desktop.
Double-click on mss.exe
Allow it to run, and follow the prompts.
Once done, it will launch a log.
Post it in your next reply.

Note: the logs are long. Please use more than one post, if necessary.

Re: Redirect virus15th July 2010, 12:41 pm

MySystem-Search

MSS v1.6

Basic System Information

Username: Jerryscoins - Date: 07/15/2010 - Time: 5:36:23

Microsoft Windows [Version 6.1.7600]
Processor type: Intel64 Family 6 Model 30 Stepping 5, GenuineIntel
Total processors: 8
Computer Name: JERRYSCOINS-PC
Logon Server: \\JERRYSCOINS-PC

CD Emulation Drivers running?

Roxio found!

Peer-to-Peer applications?

File associations

.exe=exefile
.scr=scrfile
.pif=piffile
.com=comfile
.bat=batfile
.cmd=cmdfile
.log=txtfile
.txt=txtfile
.reg=regfile
.sys=sysfile
.dll=dllfile
.ini=inifile
.inf=inffile

Running processes

Image Name PID Session Name Session# Mem Usage
========================= ======== ================ =========== ============
System Idle Process 0 Services 0 24 K
System 4 Services 0 5,512 K
smss.exe 352 Services 0 1,376 K
csrss.exe 488 Services 0 5,448 K
wininit.exe 552 Services 0 4,916 K
csrss.exe 576 Console 1 7,400 K
services.exe 608 Services 0 11,256 K
lsass.exe 624 Services 0 12,164 K
lsm.exe 632 Services 0 4,728 K
winlogon.exe 728 Console 1 8,608 K
svchost.exe 796 Services 0 10,612 K
svchost.exe 912 Services 0 9,664 K
atiesrxx.exe 976 Services 0 4,944 K
svchost.exe 136 Services 0 23,556 K
svchost.exe 364 Services 0 121,032 K
svchost.exe 600 Services 0 44,288 K
audiodg.exe 1060 Services 0 19,564 K
TrustedInstaller.exe 1100 Services 0 15,556 K
svchost.exe 1152 Services 0 17,732 K
DockLogin.exe 1280 Services 0 3,992 K
svchost.exe 1344 Services 0 17,032 K
spoolsv.exe 1456 Services 0 15,048 K
sched.exe 1484 Services 0 1,388 K
svchost.exe 1504 Services 0 16,124 K
avguard.exe 1624 Services 0 11,848 K
dldtcoms.exe 1656 Services 0 6,320 K
svchost.exe 1708 Services 0 17,824 K
SeaPort.exe 1772 Services 0 10,664 K
SftService.exe 1848 Services 0 7,552 K
svchost.exe 1888 Services 0 5,808 K
TomTomHOMEService.exe 1920 Services 0 3,160 K
IAStorDataMgrSvc.exe 1964 Services 0 16,596 K
avshadow.exe 2000 Services 0 5,072 K
conhost.exe 1088 Services 0 3,052 K
avmailc.exe 2600 Services 0 1,220 K
avwebgrd.exe 2620 Services 0 8,240 K
WUDFHost.exe 2876 Services 0 6,540 K
atieclxx.exe 2984 Console 1 6,804 K
WmiPrvSE.exe 3056 Services 0 7,364 K
taskhost.exe 2264 Console 1 7,016 K
dwm.exe 704 Console 1 30,388 K
explorer.exe 1196 Console 1 49,072 K
DSUpd.exe 3108 Console 1 18,672 K
conhost.exe 3132 Console 1 5,368 K
STService.exe 3204 Console 1 12,864 K
vds.exe 3320 Services 0 8,920 K
RAVCpl64.exe 3392 Console 1 11,144 K
rundll32.exe 3404 Console 1 6,328 K
rundll32.exe 3416 Console 1 6,948 K
ipoint.exe 3460 Console 1 16,724 K
itype.exe 3516 Console 1 23,020 K
TomTomHOMERunner.exe 3524 Console 1 7,404 K
IAStorIcon.exe 3644 Console 1 21,616 K
ShwiconXP9106.exe 3688 Console 1 6,156 K
DataSafeOnline.exe 3808 Console 1 40,080 K
MOM.exe 3816 Console 1 5,028 K
sprtcmd.exe 3904 Console 1 4,052 K
avgnt.exe 3928 Console 1 6,852 K
CCC.exe 3636 Console 1 3,684 K
SearchIndexer.exe 3608 Services 0 15,916 K
wmpnetwk.exe 4160 Services 0 6,228 K
svchost.exe 4476 Services 0 10,152 K
firefox.exe 4784 Console 1 97,336 K
plugin-container.exe 4936 Console 1 16,980 K
sprtsvc.exe 3976 Services 0 1,348 K
svchost.exe 4576 Services 0 8,420 K
taskeng.exe 4756 Console 1 6,772 K
jusched.exe 4460 Console 1 1,064 K
svchost.exe 1868 Services 0 4,624 K
iexplore.exe 4864 Console 1 43,676 K
iexplore.exe 4116 Console 1 71,308 K
wltuser.exe 3968 Console 1 11,308 K
FlashUtil10h_ActiveX.exe 4272 Console 1 5,808 K
iexplore.exe 4760 Console 1 34,660 K
SearchProtocolHost.exe 3092 Services 0 8,972 K
SearchFilterHost.exe 3792 Services 0 7,836 K
mss.exe 2744 Console 1 4,536 K
conhost.exe 4148 Console 1 6,060 K
cmd.exe 2248 Console 1 3,920 K
tasklist.exe 4708 Console 1 5,508 K
WmiPrvSE.exe 3852 Services 0 6,820 K

Hidden objects

PATH: C:\windows

ctfile.rfc
Installer
WindowsShell.Manifest

PATH: C:\windows\system32

api-ms-win-core-console-l1-1-0.dll
api-ms-win-core-datetime-l1-1-0.dll
api-ms-win-core-debug-l1-1-0.dll
api-ms-win-core-delayload-l1-1-0.dll
api-ms-win-core-errorhandling-l1-1-0.dll
api-ms-win-core-fibers-l1-1-0.dll
api-ms-win-core-file-l1-1-0.dll
api-ms-win-core-handle-l1-1-0.dll
api-ms-win-core-heap-l1-1-0.dll
api-ms-win-core-interlocked-l1-1-0.dll
api-ms-win-core-io-l1-1-0.dll
api-ms-win-core-libraryloader-l1-1-0.dll
api-ms-win-core-localization-l1-1-0.dll
api-ms-win-core-localregistry-l1-1-0.dll
api-ms-win-core-memory-l1-1-0.dll
api-ms-win-core-misc-l1-1-0.dll
api-ms-win-core-namedpipe-l1-1-0.dll
api-ms-win-core-processenvironment-l1-1-0.dll
api-ms-win-core-processthreads-l1-1-0.dll
api-ms-win-core-profile-l1-1-0.dll
api-ms-win-core-rtlsupport-l1-1-0.dll
api-ms-win-core-string-l1-1-0.dll
api-ms-win-core-synch-l1-1-0.dll
api-ms-win-core-sysinfo-l1-1-0.dll
api-ms-win-core-threadpool-l1-1-0.dll
api-ms-win-core-util-l1-1-0.dll
api-ms-win-core-xstate-l1-1-0.dll
api-ms-win-security-base-l1-1-0.dll
api-ms-win-security-lsalookup-l1-1-0.dll
api-ms-win-security-sddl-l1-1-0.dll
api-ms-win-service-core-l1-1-0.dll
api-ms-win-service-management-l1-1-0.dll
api-ms-win-service-management-l2-1-0.dll
api-ms-win-service-winsvc-l1-1-0.dll

PATH: C:\windows\system32\drivers

PATH: C:\

$Recycle.Bin
dell.sdr
Documents and Settings
hiberfil.sys
MSOCache
pagefile.sys
ProgramData
System Recovery
System Volume Information

User Profile check

Jerryscoins
Pammie
Public

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
ProfilesDirectory REG_EXPAND_SZ %SystemDrive%\Users
Default REG_EXPAND_SZ %SystemDrive%\Users\Default
Public REG_EXPAND_SZ %SystemDrive%\Users\Public
ProgramData REG_EXPAND_SZ %SystemDrive%\ProgramData

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
Flags REG_DWORD 0xc
State REG_DWORD 0x0
RefCount REG_DWORD 0x1
Sid REG_BINARY 010100000000000512000000
ProfileImagePath REG_EXPAND_SZ %systemroot%\system32\config\systemprofile

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19
ProfileImagePath REG_EXPAND_SZ C:\Windows\ServiceProfiles\LocalService
Flags REG_DWORD 0x0
State REG_DWORD 0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20
ProfileImagePath REG_EXPAND_SZ C:\Windows\ServiceProfiles\NetworkService
Flags REG_DWORD 0x0
State REG_DWORD 0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-960392066-395415308-1727593315-1000
ProfileImagePath REG_EXPAND_SZ C:\Users\Jerryscoins
Flags REG_DWORD 0x0
State REG_DWORD 0x0
Sid REG_BINARY 010500000000000515000000826B3E390C8F911763FBF866E8030000
ProfileLoadTimeLow REG_DWORD 0x0
ProfileLoadTimeHigh REG_DWORD 0x0
RefCount REG_DWORD 0x2
RunLogonscriptSync REG_DWORD 0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-960392066-395415308-1727593315-1003
ProfileImagePath REG_EXPAND_SZ C:\Users\Pammie
Flags REG_DWORD 0x0
State REG_DWORD 0x0
Sid REG_BINARY 010500000000000515000000826B3E390C8F911763FBF866EB030000
ProfileLoadTimeLow REG_DWORD 0x0
ProfileLoadTimeHigh REG_DWORD 0x0
RefCount REG_DWORD 0x0
RunLogonscriptSync REG_DWORD 0x0

Current Scheduled Tasks

PATH: C:\Windows\Tasks

SCHEDLGU.TXT
SA.DAT

Windows Drivers and NT-Services

Volume in drive C is OS
Volume Serial Number is E052-2116

Directory of C:\Windows\System32\Drivers

Volume in drive C is OS
Volume Serial Number is E052-2116

Directory of C:\Windows\System32\Drivers

05/11/2009 12:49 PM 51,992 avgntdd.sys
05/11/2009 12:49 PM 17,016 avgntmgr.sys
06/10/2009 02:14 PM 3,440,660 gm.dls
06/10/2009 02:14 PM 646 gmreadme.txt
06/26/2009 08:27 AM 65,520 RxFilter.sys
07/13/2009 06:19 PM 19,008 wimmount.sys
07/13/2009 10:37 PM en-US
07/13/2009 10:37 PM UMDF
06/14/2010 02:40 PM 4,246 1028_Dell_STU_8100.mrk
07/12/2010 08:14 AM .
07/12/2010 08:14 AM ..
7 File(s) 3,599,088 bytes
4 Dir(s) 939,425,357,824 bytes free

Virtual drives found?

Environment variables

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\Jerryscoins\AppData\Roaming
CLASSPATH=.;C:\Program Files (x86)\Java\jre6\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files (x86)\Common Files
CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files
CommonProgramW6432=C:\Program Files\Common Files
COMPUTERNAME=JERRYSCOINS-PC
ComSpec=C:\Windows\system32\cmd.exe
EMC_AUTOPLAY=c:\Program Files (x86)\Common Files\Roxio Shared\
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\Jerryscoins
LOCALAPPDATA=C:\Users\Jerryscoins\AppData\Local
LOGONSERVER=\\JERRYSCOINS-PC
NUMBER_OF_PROCESSORS=8
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static;c:\Program Files (x86)\Common Files\Roxio Shared\10.0\DLLShared\;c:\Program Files (x86)\Common Files\Roxio Shared\DLLShared\;C:\Program Files (x86)\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_ARCHITEW6432=AMD64
PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 30 Stepping 5, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=1e05
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files (x86)
ProgramFiles(x86)=C:\Program Files (x86)
ProgramW6432=C:\Program Files
PROMPT=$P$G
PSModulePath=C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
PUBLIC=C:\Users\Public
QTJAVA=C:\Program Files (x86)\Java\jre6\lib\ext\QTJava.zip
RoxioCentral=c:\Program Files (x86)\Common Files\Roxio Shared\10.0\Roxio Central36\
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\JERRYS~1\AppData\Local\Temp
TMP=C:\Users\JERRYS~1\AppData\Local\Temp
USERDOMAIN=Jerryscoins-PC
USERNAME=Jerryscoins
USERPROFILE=C:\Users\Jerryscoins
windir=C:\Windows

Stealth malware?

Internet Explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
AutoHide REG_SZ yes
Security Risk Page REG_SZ about:SecurityRisk
Extensions Off Page REG_SZ about:NoAdd-ons
Default_Search_URL REG_SZ http://go.microsoft.com/fwlink/?LinkId=54896
Default_Page_URL REG_SZ http://go.microsoft.com/fwlink/?LinkId=69157
Anchor_Visitation_Horizon REG_BINARY 01000000
Cache_Percent_of_Disk REG_BINARY 0A000000
Placeholder_Width REG_BINARY 1A000000
Placeholder_Height REG_BINARY 1A000000
Default_Secondary_Page_URL REG_MULTI_SZ
Use_Async_DNS REG_SZ yes
Start Page REG_SZ http://go.microsoft.com/fwlink/?LinkId=69157
Local Page REG_SZ C:\Windows\SysWOW64\blank.htm
Search Page REG_SZ http://go.microsoft.com/fwlink/?LinkId=54896
Delete_Temp_Files_On_Exit REG_SZ yes
Enable_Disk_Cache REG_SZ yes
TabProcGrowth REG_SZ Medium
Print_Background REG_DWORD 0x0
AlwaysShowMenus REG_DWORD 0x0
StatusBarWeb REG_DWORD 0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\ErrorThresholds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\UrlTemplate

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
IE5_UA_Backup_Flag REG_SZ 5.0
User Agent REG_SZ Mozilla/4.0 (compatible; MSIE 8.0; Win32)
EmailName REG_SZ User@
PrivDiscUiShown REG_DWORD 0x1
EnableHttp1_1 REG_DWORD 0x1
WarnOnIntranet REG_DWORD 0x1
MimeExclusionListForCache REG_SZ multipart/mixed multipart/x-mixed-replace multipart/x-byteranges
AutoConfigProxy REG_SZ wininet.dll
UseSchannelDirectly REG_BINARY 01000000
EnableNegotiate REG_DWORD 0x1
WarnOnPost REG_BINARY 01000000
UrlEncoding REG_DWORD 0x0
SecureProtocols REG_DWORD 0xa8
PrivacyAdvanced REG_DWORD 0x0
ZonesSecurityUpgrade REG_BINARY 1DA90C642C10CB01
DisableCachingOfSSLPages REG_DWORD 0x0
WarnonZoneCrossing REG_DWORD 0x0
CertificateRevocation REG_DWORD 0x1
MigrateProxy REG_DWORD 0x1
ProxyEnable REG_DWORD 0x0
SyncMode5 REG_DWORD 0x4

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CACHE
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
HKEY_CURRENT_USER\

Re: Redirect virus15th July 2010, 12:45 pm

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CACHE
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Http Filters
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Passport
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Protocols
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\TemplatePolicies
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
Disable Script Debugger REG_SZ yes
Anchor Underline REG_SZ yes
Cache_Update_Frequency REG_SZ Once_Per_Session
Display Inline Images REG_SZ yes
Do404Search REG_BINARY 01000000
Local Page REG_SZ C:\Windows\system32\blank.htm
Save_Session_History_On_Exit REG_SZ no
Show_FullURL REG_SZ no
Show_StatusBar REG_SZ yes
Show_ToolBar REG_SZ yes
Show_URLinStatusBar REG_SZ yes
Show_URLToolBar REG_SZ yes
Use_DlgBox_Colors REG_SZ yes
Search Page REG_SZ http://go.microsoft.com/fwlink/?LinkId=54896
XMLHTTP REG_DWORD 0x1
NoUpdateCheck REG_DWORD 0x1
UseClearType REG_SZ no
Enable Browser Extensions REG_SZ yes
Play_Background_Sounds REG_SZ yes
Play_Animations REG_SZ yes
Start Page REG_SZ http://g.msn.com/USCON/1
Default_Page_URL REG_SZ http://g.msn.com/USCON/1
DisableFirstRunCustomize REG_DWORD 0x1
CompatibilityFlags REG_DWORD 0x0
FullScreen REG_SZ no
Window_Placement REG_BINARY 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD9000000D9000000F903000059030000
NotifyDownloadComplete REG_SZ yes
Check_Associations REG_SZ yes
Use FormSuggest REG_SZ no

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Default Feeds
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks
{CFBFAE00-17A6-11D0-99CB-00C04FD64497} REG_SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6EBF7485-159F-4bff-A14F-B9E3AAC4465B}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E15A8DC0-8516-42A1-81EA-DC94EC1ACF10}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar
Locked REG_DWORD 0x0
{21FA44EF-376D-4D53-9B0F-8A89D3229068} REG_BINARY 00

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote

Protocol hijack?

Security Center

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
DisableNotifications REG_DWORD 0x0
EnableFirewall REG_DWORD 0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
DisableNotifications REG_DWORD 0x0
EnableFirewall REG_DWORD 0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile
DisableNotifications REG_DWORD 0x0
EnableFirewall REG_DWORD 0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging

Uninstall List

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Avira AntiVir Desktop
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Dell Dock
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GoToAssist
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\InstallShield Uninstall Information
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\InstallShield_{9F0A32A5-4EBF-4B9D-A3CD-31579F2E1400}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB931906
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox (3.6.6)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office14.PROPLUSR
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PC-Doctor for Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SmallBall
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\THX TruStudio PC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\THXAudioCP
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TomTom HOME
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinLiveSuite_Wave3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{010A785B-F920-4350-821B-6309909C20BB}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{03CEC5A3-648C-3E00-7CDB-C049B47A5EDC}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{051EF664-EB85-8320-1184-35136C6B0BEF}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{052bac4a-6f79-46d4-a024-1ce1b4f73cd4}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{055EE59D-217B-43A7-ABFF-507B966405D8}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0566E404-1FCB-16C4-C265-9415012650D5}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{07BB25C3-55B6-303C-1E7C-2C528555014D}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{08E81ABD-79F7-49C2-881F-FD6CB0975693}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{098122AB-C605-4853-B441-C0A4EB359B75}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0ED7EE95-6A97-47AA-AD73-152C08A15B04}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{13766F76-6C8C-4E57-A9F3-3212D1C6E0D1}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1583FB9E-D1D7-A29B-F3D3-7D6B74D75128}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{178832DE-9DE0-4C87-9F82-9315A9B03985}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1EE6959C-49F2-5D45-A007-776A7A053043}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1F54DAFA-9261-4A62-B59D-6C9F26B48FE4}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{205C6BDD-7B73-42DE-8505-9A093F35A238}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{222E1C7F-5892-0015-BF94-914B7EBEB564}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F83216020FF}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{38001EBD-D270-2BBC-CEAE-B88BDE197E16}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3B4E636E-9D65-4D67-BA61-189800823F52}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3D5044A5-97B8-45C0-B956-BB2376569188}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{42D68A86-DB1C-4256-B8C9-5D0D92919AF5}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{42E0794B-B4A6-CDB6-308F-04A5CA54B81E}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{45338B07-A236-4270-9A77-EBB4115517B5}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{537BF16E-7412-448C-95D8-846E85A1D817}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{553255F3-78FD-40F1-A6F8-6882140265FE}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{599EAA99-BBA8-C8FF-C2EA-04D0C8FA6D89}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5A06423A-210C-49FB-950E-CB0EB8C5CEC7}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5DFB9027-0099-5816-8428-CF25B64B46C9}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{612B5D2E-8084-4102-91DE-24281E4EFB2C}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{634CE363-2BB8-FF85-83C3-734699DFC570}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6412CECE-8172-4BE5-935B-6CECACD2CA87}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6545416A-A60A-8DE4-3590-15F0662461DF}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{73A4F29F-31AC-4EBD-AA1B-0CC5F18C8F83}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{770657D0-A123-3C07-8E44-1C83EC895118}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{774A70C8-29CA-565A-FB84-01B408F119B2}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7DB9F1E5-9ACB-410D-A7DC-7A3D023CE045}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8A74E887-8F0F-4017-AF53-CBA42211AAA5}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8A9DE8C3-5B21-34EC-DE5D-BAFAB8D8C9D9}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D337F77-BE7F-41A2-A7CB-D5A63FD7049B}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8F3C31C5-9C3A-4AA8-8EFA-71290A7AD533}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0015-0409-0000-0000000FF1CE}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0016-0409-0000-0000000FF1CE}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0018-0409-0000-0000000FF1CE}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0019-0409-0000-0000000FF1CE}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001A-0409-0000-0000000FF1CE}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001A-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{8F1CC9B4-0BAE-4800-96A7-13B75C83B246}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001B-0409-0000-0000000FF1CE}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0409-0000-0000000FF1CE}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-040C-0000-0000000FF1CE}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0C0A-0000-0000000FF1CE}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002C-0409-0000-0000000FF1CE}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0044-0409-0000-0000000FF1CE}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-006E-0409-0000-0000000FF1CE}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00A1-0409-0000-0000000FF1CE}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00BA-0409-0000-0000000FF1CE}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0115-0409-0000-0000000FF1CE}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0117-0409-0000-0000000FF1CE}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{91140000-0011-0000-0000-0000000FF1CE}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{3D462F23-F81B-4740-B4B4-ED2A07E9AC23}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{4AFF4060-93DD-4BBE-8896-BFB90EC5D6D1}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{91D1580F-35C5-8D29-144C-605E3568B3A5}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{95140000-0070-0000-0000-0000000FF1CE}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{958FD5FD-1F71-493B-CC6C-4922F3EA2356}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{981029E0-7FC9-4CF3-AB39-6F133621921A}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{995F1E2E-F542-4310-8E1D-9926F5A279B3}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9A25302D-30C0-39D9-BD6F-21E6EC160475}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9C9CEB9D-53FD-49A7-85D2-FE674F72F24E}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9F0A32A5-4EBF-4B9D-A3CD-31579F2E1400}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9FDFB9AE-B7A9-3481-E85C-08E7FA6D620B}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A0AD3E2F-427D-09F9-85FB-450E35A03046}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A1D31E2C-C7E1-2E6E-EAE9-0C3BAFB5B1F9}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A69D7B32-2BE9-42BF-B576-69B5E0FF7394}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A85FD55B-891B-4314-97A5-EA96C0BD80B5}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A9668246-FB70-4103-A1E3-66C9BC2EFB49}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-A91000000001}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B2C07E85-76D6-DC01-48A9-7577AD95CD70}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B6A26DE5-F2B5-4D58-9570-4FC760E00FCD}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B91C2CFE-15D0-C863-963A-DFF09D2AE726}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BACF2A73-2F91-9657-F9B5-10723A9B1E5B}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C73A3942-84C8-4597-9F9B-EE227DCBA758}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C8694EE7-24F3-6593-FE50-00E575C79272}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CDF7810C-10AB-7E95-ABC5-0D60C5761876}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D103C4BA-F905-437A-8049-DB24763BBE36}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D5D35107-8CFE-5FFB-2D64-1CE29202493B}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D8D98FAB-17E7-A123-D654-6574E6187EE2}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DAC44207-C17F-DAFA-CE5D-010AB94A38AB}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DDCCBB78-8FFB-4FDE-912F-930E4D9FBC67}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E2DFE069-083E-4631-9B6C-43C48E991DE5}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E31C77D0-B0F0-318B-0A39-F57BF54D22AD}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E3BFEE55-39E2-4BE0-B966-89FE583822C1}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{EA3CD5E7-0C84-2479-6490-B6228F87B174}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{EC877639-07AB-495C-BFD1-D63AF9140810}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ECEB9207-85FE-3004-CD20-5DAEE0F1D1E0}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ED439A64-F018-4DD4-8BA5-328D85AB09AB}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{EF85FEF4-EB92-4075-A6D2-5F519BB30A2C}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F68AFC71-77CD-0B22-4C4F-C09097E058E9}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F6BD194C-4190-4D73-B1B1-C48C99921BFE}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F8A9085D-4C7A-41a9-8A77-C8998A96C421}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FDB46DE7-9045-47BB-970A-3E4ED5369E03}

Adobe Products

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX
DisplayName REG_SZ Adobe Flash Player 10 ActiveX
Publisher REG_SZ Adobe Systems Incorporated
DisplayVersion REG_SZ 10.1.53.64
HelpLink REG_SZ http://www.adobe.com/go/flashplayer_support/
NoModify REG_DWORD 0x1
NoRepair REG_DWORD 0x1
RequiresIESysFile REG_SZ 4.70.0.1155
URLInfoAbout REG_SZ http://www.adobe.com
URLUpdateInfo REG_SZ http://www.adobe.com/go/getflashplayer/
VersionMajor REG_DWORD 0xa
VersionMinor REG_DWORD 0x1
UninstallString REG_SZ C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10h_ActiveX.exe -maintain activex
DisplayIcon REG_SZ C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10h_ActiveX.exe
EstimatedSize REG_DWORD 0x1800

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin
DisplayName REG_SZ Adobe Flash Player 10 Plugin
DisplayVersion REG_SZ 10.0.45.2
Publisher REG_SZ Adobe Systems Incorporated
URLInfoAbout REG_SZ http://www.adobe.com/go/getflashplayer
DisplayIcon REG_SZ C:\Windows\SysWOW64\Macromed\Flash\uninstall_plugin.exe
UninstallString REG_SZ C:\Windows\SysWOW64\Macromed\Flash\uninstall_plugin.exe
NoModify REG_DWORD 0x1
NoRepair REG_DWORD 0x1

Autorun

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
TomTomHOME.exe REG_SZ "C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe" -s

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
IAStorIcon REG_SZ C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
ShwiconXP9106 REG_SZ C:\Program Files (x86)\Multimedia Card Reader(9106)\ShwiconXP9106.exe
StartCCC REG_SZ "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
Adobe Reader Speed Launcher REG_SZ "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
Dell DataSafe Online REG_SZ "C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe" /m
THX Audio Control Panel REG_SZ "C:\Program Files (x86)\Creative\THX TruStudio PC\THXAudioCP\THXAudio.exe" /r
UpdReg REG_SZ C:\Windows\UpdReg.EXE
DellSupportCenter REG_SZ "C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
avgnt REG_SZ "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
QuickTime Task REG_SZ "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
BCSSync REG_SZ "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents

Restrictions - Internet Explorer

Restrictions - REGEDIT

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools REG_DWORD 0x0

Restrictions - Explorer

DNS Settings

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{41040E11-10E5-46BF-8E32-1F08C68F9582}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{846ee342-7039-11de-9d20-806e6f6e6963}

Windows IP Configuration

Host Name . . . . . . . . . . . . : Jerryscoins-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : hsd1.wa.comcast.net.

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : hsd1.wa.comcast.net.
Description . . . . . . . . . . . : Broadcom NetLink (TM) Gigabit Ethernet
Physical Address. . . . . . . . . : B8-AC-6F-A1-C3-B7
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2002:43b9:4386:0:285c:227f:a758:7011(Preferred)
Temporary IPv6 Address. . . . . . : 2002:43b9:4386:0:24a0:7173:af5d:980a(Preferred)
Link-local IPv6 Address . . . . . : fe80::285c:227f:a758:7011%11(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.101(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Thursday, July 15, 2010 5:25:22 AM
Lease Expires . . . . . . . . . . : Friday, July 16, 2010 5:25:22 AM
Default Gateway . . . . . . . . . : fe80::223:69ff:fec6:b42e%11
192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 196652143
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-13-A8-50-8F-B8-AC-6F-A1-C3-B7
DNS Servers . . . . . . . . . . . : 192.168.1.1
68.87.69.150
68.87.85.102
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.hsd1.wa.comcast.net.:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : hsd1.wa.comcast.net.
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 9:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft 6to4 Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:ce3:3d86:bc46:bc79(Preferred)
Link-local IPv6 Address . . . . . : fe80::ce3:3d86:bc46:bc79%15(Preferred)
Default Gateway . . . . . . . . . :
NetBIOS over Tcpip. . . . . . . . : Disabled

AppInit DLLs

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs REG_SZ

Shell Service Object Delay Load

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
WebCheck REG_SZ {E6FB5E20-DE35-11CF-9C87-00AA005127ED}

Shell Execute Hooks

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
{B5A7F190-DDA6-4420-B3BA-52453494E6CD} REG_SZ Groove GFS Stub Execution Hook

Image File Execution Options

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\accicons.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\clview.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cnfnot32.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dw20.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwtrig20.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excel.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excelcnv.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\graph.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\groove.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IEInstal.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\infopath.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msaccess.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msohtmed.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msosync.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoxmled.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspub.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msqry32.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mstordb.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mstore.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ois.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onelev.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onenote.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onenotem.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ose.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\outlook.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powerpnt.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scanost.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scanpst.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\selfcert.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setlang.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vpreview.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winword.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wordconv .exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wxp.exe

Security Providers

Local Security Authority

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
auditbaseobjects REG_DWORD 0x0
auditbasedirectories REG_DWORD 0x0
crashonauditfail REG_DWORD 0x0
fullprivilegeauditing REG_BINARY 00
Bounds REG_BINARY 0030000000200000
LimitBlankPasswordUse REG_DWORD 0x1
NoLmHash REG_DWORD 0x1
Notification Packages REG_MULTI_SZ scecli
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0tspkg\0pku2u
Authentication Packages REG_MULTI_SZ msv1_0
LsaPid REG_DWORD 0x270
SecureBoot REG_DWORD 0x1
ProductType REG_DWORD 0x3
disabledomaincreds REG_DWORD 0x0
everyoneincludesanonymous REG_DWORD 0x0
forceguest REG_DWORD 0x0
restrictanonymous REG_DWORD 0x0
restrictanonymoussam REG_DWORD 0x1

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\AccessProviders
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\Audit
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\Credssp
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\Data
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\GBG
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\JD
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\Kerberos
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\MSV1_0
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\Skew1
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\SSO
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\SspiCache

AppCert DLLs

App Paths

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\AcroRd32.exe
Path REG_SZ C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
(Default) REG_SZ C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\ActiveXReplacer.exe
(Default) REG_SZ c:\Program Files (x86)\Common Files\Roxio Shared\10.0\DLLShared\ActiveXReplacer.exe
Path REG_SZ c:\Program Files (x86)\Common Files\Roxio Shared\10.0\DLLShared\

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\BackupPlg.exe
(Default) REG_SZ C:\Program Files (x86)\Dell DataSafe Local Backup\Components\FileBackup\BackupPlg.exe
Path REG_SZ C:\Program Files (x86)\Dell DataSafe Local Backup

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\Backup_Central10.exe
Path REG_SZ c:\Program Files (x86)\Roxio\BackOnTrack\Main\Backup_Central10.exe
(Default) REG_SZ c:\Program Files (x86)\Roxio\BackOnTrack\Main\Backup_Central10.exe

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\CheckQuotasPlg.exe
(Default) REG_SZ C:\Program Files (x86)\Dell DataSafe Local Backup\Components\PSTImageExt\CheckQuotasPlg.exe
Path REG_SZ C:\Program Files (x86)\Dell DataSafe Local Backup

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\cmmgr32.exe
CmstpExtensionDll REG_SZ C:\Windows\system32\cmcfg32.dll
CmNative REG_DWORD 0x2

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\Creator10.exe
(Default) REG_SZ c:\Program Files (x86)\Roxio\Creator Classic 10\Creator10.exe
Path REG_SZ c:\Program Files (x86)\Roxio\Creator Classic 10\

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\dvdmaker.exe
(Default) REG_EXPAND_SZ %ProgramFiles%\DVD Maker\dvdmaker.exe

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\excel.exe
(Default) REG_SZ C:\PROGRA~2\MIF5BA~1\Office14\EXCEL.EXE
Path REG_SZ C:\Program Files (x86)\Microsoft Office\Office14\
SaveURL REG_SZ 1
useURL REG_SZ 1

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\firefox.exe
(Default) REG_SZ C:\Program Files (x86)\Mozilla Firefox\firefox.exe
Path REG_SZ C:\Program Files (x86)\Mozilla Firefox

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\FRestorePlg.exe
(Default) REG_SZ C:\Program Files (x86)\Dell DataSafe Local Backup\Components\FileBackup\FRestorePlg.exe
Path REG_SZ C:\Program Files (x86)\Dell DataSafe Local Backup

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\GROOVE.EXE
(Default) REG_SZ C:\PROGRA~2\MIF5BA~1\Office14\GROOVE.EXE
Path REG_SZ C:\Program Files (x86)\Microsoft Office\Office14\
useURL REG_SZ 1

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\IEXPLORE.EXE
(Default) REG_SZ C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Path REG_SZ C:\Program Files (x86)\Internet Explorer;

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\infopath.exe
useURL REG_SZ 1
(Default) REG_SZ C:\PROGRA~2\MIF5BA~1\Office14\INFOPATH.EXE
Path REG_SZ C:\Program Files (x86)\Microsoft Office\Office14\

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\install.exe
BlockOnTSNonInstallMode REG_DWORD 0x1

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\IPoint.exe
Path REG_SZ C:\Program Files\Microsoft IntelliPoint\
(Default) REG_SZ "C:\Program Files\Microsoft IntelliPoint\IPoint.exe"

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\itype.exe
Path REG_SZ C:\Program Files\Microsoft IntelliType Pro\
(Default) REG_SZ C:\Program Files\Microsoft IntelliType Pro\itype.exe

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\javaws.exe
(Default) REG_SZ C:\Program Files (x86)\Java\jre6\bin\javaws.exe
Path REG_SZ C:\Program Files (x86)\Java\jre6\bin

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\Journal.exe
(Default) REG_EXPAND_SZ %ProgramFiles%\Windows Journal\Journal.exe

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\Launcher.exe
(Default) REG_SZ C:\Program Files (x86)\Dell DataSafe Local Backup\Components\scheduler\Launcher.exe
Path REG_SZ C:\Program Files (x86)\Dell DataSafe Local Backup

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\Launch_Retrieve.exe
(Default) REG_SZ c:\Program Files (x86)\Roxio\Retrieve 10\Launch_Retrieve.exe
Path REG_SZ c:\Program Files (x86)\Roxio\Retrieve 10\

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\LpAndTapeAssistant10.exe
(Default) REG_SZ c:\Program Files (x86)\Roxio\Audio Capture 10\LpAndTapeAssistant10.exe
Path REG_SZ c:\Program Files (x86)\Roxio\Audio Capture 10\

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\MediaCapture10.exe
(Default) REG_SZ c:\Program Files (x86)\Roxio\Media Import 10\MediaCapture10.exe
Path REG_SZ c:\Program Files (x86)\Roxio\Media Import 10\;c:\Program Files (x86)\Common Files\Roxio Shared\DLLShared\

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\migwiz.exe

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\mip.exe
(Default) REG_EXPAND_SZ %CommonProgramFiles%\Microsoft Shared\Ink\mip.exe

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\MousInfo.exe
Path REG_SZ C:\Program Files\Microsoft IntelliPoint\
(Default) REG_SZ "C:\Program Files\Microsoft IntelliPoint\Mousinfo.exe"

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\mplayer2.exe
(Default) REG_EXPAND_SZ %ProgramFiles(x86)%\Windows Media Player\wmplayer.exe
Path REG_EXPAND_SZ %ProgramFiles(x86)%\Windows Media Player

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\MSACCESS.EXE
(Default) REG_SZ C:\PROGRA~2\MIF5BA~1\Office14\MSACCESS.EXE
Path REG_SZ C:\Program Files (x86)\Microsoft Office\Office14\
useURL REG_SZ 1

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\mskey.exe
Path REG_SZ C:\Program Files\Microsoft IntelliType Pro\
(Default) REG_SZ "C:\Program Files\Microsoft IntelliType Pro\mskey.exe"

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\MSNMSGR.EXE
(Default) REG_SZ C:\Program Files (x86)\Windows Live\Messenger\MsnMsgr.Exe
Path REG_SZ C:\Program Files (x86)\Windows Live\Messenger\

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\MsoHtmEd.exe
useURL REG_SZ 1

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\msoxmled.exe
(Default) REG_SZ C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
useURL REG_SZ 1

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\MSPUB.EXE
(Default) REG_SZ C:\PROGRA~2\MIF5BA~1\Office14\MSPUB.EXE
Path REG_SZ C:\Program Files (x86)\Microsoft Office\Office14\
useURL REG_DWORD 0x1
SaveURL REG_SZ 1

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\MusicDiscCreator10.exe
(Default) REG_SZ c:\Program Files (x86)\Roxio\Audio Master 10\MusicDiscCreator10.exe
Path REG_SZ c:\Program Files (x86)\Roxio\Audio Master 10\

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\ois.exe
(Default) REG_SZ C:\PROGRA~2\MIF5BA~1\Office14\OIS.EXE
Path REG_SZ C:\Program Files (x86)\Microsoft Office\Office14\
SaveURL REG_SZ 0
useURL REG_SZ 1

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\OneNote.exe
(Default) REG_SZ C:\PROGRA~2\MIF5BA~1\Office14\ONENOTE.EXE
Path REG_SZ C:\Program Files (x86)\Microsoft Office\Office14\
SaveURL REG_SZ 1
useURL REG_SZ 1

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\OUTLOOK.EXE
(Default) REG_SZ C:\PROGRA~2\MIF5BA~1\Office14\OUTLOOK.EXE
Path REG_SZ C:\Program Files (x86)\Microsoft Office\Office14\

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\pbrush.exe
(Default) REG_EXPAND_SZ %SystemRoot%\System32\mspaint.exe
Path REG_EXPAND_SZ %SystemRoot%\System32

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\PhotoSuite10.exe
Path REG_SZ c:\Program Files (x86)\Roxio\PhotoSuite 10\;c:\Program Files (x86)\Common Files\Roxio Shared\DLLShared\
(Default) REG_SZ c:\Program Files (x86)\Roxio\PhotoSuite 10\PhotoSuite10.exe

Re: Redirect virus15th July 2010, 12:48 pm

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\PictureViewer.exe
Path REG_SZ C:\Program Files (x86)\QuickTime\
(Default) REG_SZ C:\Program Files (x86)\QuickTime\PictureViewer.exe

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\powerpnt.exe
(Default) REG_SZ C:\PROGRA~2\MIF5BA~1\Office14\POWERPNT.EXE
Path REG_SZ C:\Program Files (x86)\Microsoft Office\Office14\
useURL REG_SZ 1
SaveURL REG_SZ 1

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\PowerShell.exe
(Default) REG_SZ %SystemRoot%\system32\WindowsPowerShell\v1.0\PowerShell.exe
Path REG_SZ %SystemRoot%\system32\WindowsPowerShell\v1.0\

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\ProtectRP.exe
(Default) REG_SZ C:\Program Files (x86)\Dell DataSafe Local Backup\Components\ProtectRP\ProtectRP.exe
Path REG_SZ C:\Program Files (x86)\Dell DataSafe Local Backup

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\PSTRestoreExtPlg.exe
(Default) REG_SZ C:\Program Files (x86)\Dell DataSafe Local Backup\Components\PSTRestoreExt\PSTRestoreExtPlg.exe
Path REG_SZ C:\Program Files (x86)\Dell DataSafe Local Backup

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\QuickTimePlayer.exe
(Default) REG_SZ C:\Program Files (x86)\QuickTime\QuickTimePlayer.exe
Path REG_SZ C:\Program Files (x86)\QuickTime\

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\Retrieve10.exe
(Default) REG_SZ c:\Program Files (x86)\Roxio\Retrieve 10\Retrieve10.exe
Path REG_SZ c:\Program Files (x86)\Roxio\Retrieve 10\

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\RMCPlg.exe
(Default) REG_SZ C:\Program Files (x86)\Dell DataSafe Local Backup\Components\RMCCpn\RMCPlg.exe
Path REG_SZ C:\Program Files (x86)\Dell DataSafe Local Backup

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\Roxio_Central36.exe
Path REG_SZ c:\Program Files (x86)\Common Files\Roxio Shared\10.0\Roxio Central36\Main\
(Default) REG_SZ c:\Program Files (x86)\Common Files\Roxio Shared\10.0\Roxio Central36\Main\Roxio_Central36.exe

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\RoxMediaDB10.exe
(Default) REG_SZ c:\Program Files (x86)\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
Path REG_SZ c:\Program Files (x86)\Common Files\Roxio Shared\10.0\SharedCOM\;c:\Program Files (x86)\Common Files\Roxio Shared\10.0\DLLShared\

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\RoxWizardLauncher10.exe
(Default) REG_SZ c:\Program Files (x86)\Common Files\Roxio Shared\10.0\SharedCom\RoxWizardLauncher10.exe
Path REG_SZ c:\Program Files (x86)\Common Files\Roxio Shared\10.0\SharedCom\;c:\Program Files (x86)\Common Files\Roxio Shared\DLLShared\

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\RxQSoundEdit10.exe
(Default) REG_SZ c:\Program Files (x86)\Roxio\Sound Editor 10\RxQSoundEdit10.exe
Path REG_SZ c:\Program Files (x86)\Roxio\Sound Editor 10\

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\RxTagEdit10.exe
(Default) REG_SZ c:\Program Files (x86)\Roxio\Audio Master 10\RxTagEdit10.exe
Path REG_SZ c:\Program Files (x86)\Roxio\Audio Master 10\

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\SchedulerPlg.exe
(Default) REG_SZ C:\Program Files (x86)\Dell DataSafe Local Backup\Components\scheduler\SchedulerPlg.exe
Path REG_SZ C:\Program Files (x86)\Dell DataSafe Local Backup

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\setup.exe
BlockOnTSNonInstallMode REG_DWORD 0x1

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\sidebar.exe
(Default) REG_EXPAND_SZ "%ProgramFiles%\Windows Sidebar\sidebar.exe"

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\SmallBall.exe
Path REG_SZ C:\My Games\SmallBall
(Default) REG_SZ C:\My Games\SmallBall\SmallBall.exe

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\SnippingTool.exe
(Default) REG_EXPAND_SZ %SystemRoot%\system32\SnippingTool.exe

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\SoundEdit10.exe
(Default) REG_SZ c:\Program Files (x86)\Roxio\Sound Editor 10\SoundEdit10.exe
Path REG_SZ c:\Program Files (x86)\Roxio\Sound Editor 10\

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\stax.exe
(Default) REG_SZ c:\Program Files (x86)\Roxio\stax.exe
Path REG_SZ c:\Program Files (x86)\Roxio\

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\STImageExtPlg.exe
(Default) REG_SZ C:\Program Files (x86)\Dell DataSafe Local Backup\Components\PSTImageExt\STImageExtPlg.exe
Path REG_SZ C:\Program Files (x86)\Dell DataSafe Local Backup

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\STRestorePlg.exe
(Default) REG_SZ C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Restore\STRestorePlg.exe
Path REG_SZ C:\Program Files (x86)\Dell DataSafe Local Backup

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\STService.exe
(Default) REG_SZ C:\Program Files (x86)\Dell DataSafe Local Backup\Components\scheduler\STService.exe
Path REG_SZ C:\Program Files (x86)\Dell DataSafe Local Backup

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\table30.exe
UseShortName REG_SZ

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\TabTip.exe
(Default) REG_EXPAND_SZ %CommonProgramFiles%\microsoft shared\ink\TabTip.exe

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\THXAudio.exe
Path REG_SZ C:\Program Files (x86)\Creative\THX TruStudio PC\THXAudioCP
(Default) REG_SZ C:\Program Files (x86)\Creative\THX TruStudio PC\THXAudioCP\THXAudio.exe

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\Toaster.exe
(Default) REG_SZ C:\Program Files (x86)\Dell DataSafe Local Backup\Toaster.exe
Path REG_SZ C:\Program Files (x86)\Dell DataSafe Local Backup

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\ToasterLauncher.exe
(Default) REG_SZ C:\Program Files (x86)\Dell DataSafe Local Backup\ToasterLauncher.exe
Path REG_SZ C:\Program Files (x86)\Dell DataSafe Local Backup

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\Update.exe
(Default) REG_SZ C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\Update.exe
Path REG_SZ C:\Program Files (x86)\Dell DataSafe Local Backup\

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\UpgradePlg.exe
(Default) REG_SZ C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Upgrade\UpgradePlg.exe
Path REG_SZ C:\Program Files (x86)\Dell DataSafe Local Backup

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\USBBootPlg.exe
(Default) REG_SZ C:\Program Files (x86)\Dell DataSafe Local Backup\Components\RMCCpn\USBBootPlg.exe
Path REG_SZ C:\Program Files (x86)\Dell DataSafe Local Backup

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\VCGProxyFileManager10.exe
(Default) REG_SZ c:\Program Files (x86)\Roxio\VideoCore 10\VCGProxyFileManager10.exe
Path REG_SZ c:\Program Files (x86)\Roxio\VideoCore 10\

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\wab.exe
(Default) REG_EXPAND_SZ %ProgramFiles%\Windows Mail\wab.exe
Path REG_EXPAND_SZ %ProgramFiles%\Windows Mail

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\wabmig.exe
(Default) REG_EXPAND_SZ %ProgramFiles%\Windows Mail\wabmig.exe

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\Winword.exe
(Default) REG_SZ C:\PROGRA~2\MIF5BA~1\Office14\WINWORD.EXE
Path REG_SZ C:\Program Files (x86)\Microsoft Office\Office14\
useURL REG_SZ 1
SaveURL REG_SZ 1

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\wlmail.exe
(Default) REG_EXPAND_SZ C:\Program Files (x86)\Windows Live\Mail\wlmail.exe
Path REG_EXPAND_SZ C:\Program Files (x86)\Windows Live\Mail\

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\wmplayer.exe
(Default) REG_EXPAND_SZ %ProgramFiles(x86)%\Windows Media Player\wmplayer.exe
Path REG_EXPAND_SZ %ProgramFiles(x86)%\Windows Media Player

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\WORDPAD.EXE
(Default) REG_EXPAND_SZ "%ProgramFiles%\Windows NT\Accessories\WORDPAD.EXE"

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\WRITE.EXE
(Default) REG_EXPAND_SZ "%ProgramFiles%\Windows NT\Accessories\WORDPAD.EXE"

Mozilla

HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox
(Default) REG_SZ 1.9.2.6
CurrentVersion REG_SZ 3.6.6 (en-US)

HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\3.6.6 (en-US)
(Default) REG_SZ 3.6.6 (en-US)

HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\3.6.6 (en-US)\Main
Install Directory REG_SZ C:\Program Files (x86)\Mozilla Firefox
PathToExe REG_SZ C:\Program Files (x86)\Mozilla Firefox\firefox.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\3.6.6 (en-US)\Uninstall
Description REG_SZ Mozilla Firefox (3.6.6)

HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.6.6
GeckoVer REG_SZ 1.9.2.6

HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.6.6\bin
PathToExe REG_SZ C:\Program Files (x86)\Mozilla Firefox\firefox.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.6.6\extensions
Components REG_SZ C:\Program Files (x86)\Mozilla Firefox\components
Plugins REG_SZ C:\Program Files (x86)\Mozilla Firefox\plugins

Shared Task Scheduler

SafeBoot

SafeBootMinimal

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppMgmt
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Base
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Boot Bus Extender
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Boot file system
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CryptSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DcomLaunch
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\EFS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\EventLog
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Filter
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HelpSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Netlogon
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PCI Configuration
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PlugPlay
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PNP Filter
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Power
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Primary disk
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcEptMapper
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SCSI Class
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sermouse.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Bus Extender
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vmms
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinMgmt
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfPf
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfRd
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}

SafeBootNetwork

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AFD
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AppInfo
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AppMgmt
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Base
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\BFE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Boot Bus Extender
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Boot file system
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\bowser
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Browser
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\CryptSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\DcomLaunch
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dfsc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Dhcp
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\DnsCache
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Dot3Svc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Eaphost
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\EFS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\EventLog
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\File system
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Filter
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\GoToAssist
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\HelpSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\IKEEXT
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ipnat.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\KeyIso
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\LanmanServer
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\LanmanWorkstation
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\LmHosts
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MCODS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Messenger
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MPSDrv
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MPSSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mrxsmb
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mrxsmb10
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mrxsmb20
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NativeWifiP
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NDIS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NDIS Wrapper
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ndiscap
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Ndisuio
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetBIOS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetBIOSGroup
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetBT
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetDDEGroup
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Netlogon
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetMan
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\netprofm
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Network
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetworkProvider
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NlaSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Nsi
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\nsiproxy.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NTDS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PCI Configuration
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PEVSystemStart
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PlugPlay
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PNP Filter
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PNP_TDI
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PolicyAgent
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Power
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Primary disk
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\procexp90.Sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ProfSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdbss
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpencdd.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdsessmgr
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\RpcEptMapper
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\RpcSs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sacsvr
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SCardSvr
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SCSI Class
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sermouse.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SharedAccess
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Streams Drivers
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SWPRV
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\System Bus Extender
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TabletInputService
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TBS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Tcpip
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TDI
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TrustedInstaller
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\VaultSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\VDS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vga.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vgasave.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vmms
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\volmgr.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\volmgrx.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WinDefend
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WinMgmt
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Wlansvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WudfPf
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WudfRd
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WudfSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WudfUsbccidDriver
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{36FC9E60-C465-11CF-8056-444553540000}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{50DD5230-BA8A-11D1-BF5D-0000F805F530}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{533C5B84-EC70-11D2-9505-00C04F79DEAF}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}

File Rename Operations - Session

Known DLLs - Session

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDlls
clbcatq REG_SZ clbcatq.dll
ole32 REG_SZ ole32.dll
advapi32 REG_SZ advapi32.dll
COMDLG32 REG_SZ COMDLG32.dll
DllDirectory REG_EXPAND_SZ %SystemRoot%\system32
DllDirectory32 REG_EXPAND_SZ %SystemRoot%\syswow64
gdi32 REG_SZ gdi32.dll
IERTUTIL REG_SZ IERTUTIL.dll
IMAGEHLP REG_SZ IMAGEHLP.dll
IMM32 REG_SZ IMM32.dll
kernel32 REG_SZ kernel32.dll
LPK REG_SZ LPK.dll
MSCTF REG_SZ MSCTF.dll
MSVCRT REG_SZ MSVCRT.dll
NORMALIZ REG_SZ NORMALIZ.dll
NSI REG_SZ NSI.dll
OLEAUT32 REG_SZ OLEAUT32.dll
PSAPI REG_SZ PSAPI.DLL
rpcrt4 REG_SZ rpcrt4.dll
sechost REG_SZ sechost.dll
Setupapi REG_SZ Setupapi.dll
SHELL32 REG_SZ SHELL32.dll
SHLWAPI REG_SZ SHLWAPI.dll
URLMON REG_SZ URLMON.dll
user32 REG_SZ user32.dll
USP10 REG_SZ USP10.dll
WININET REG_SZ WININET.dll
WLDAP32 REG_SZ WLDAP32.dll
WS2_32 REG_SZ WS2_32.dll
DifxApi REG_SZ difxapi.dll

Downloaded program files (ActiveX)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{D27CDB6E-AE6D-11CF-96B8-444553540000}

PATH: C:\windows\Downloaded Program Files

dwusplay.dll
dwusplay.exe
FP_AX_CAB_INSTALLER.exe
isusweb.dll
swflash.inf

Mountpoints

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\I
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1e769427-83e1-11df-b1c7-b8ac6fa1c3b7}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1e76942a-83e1-11df-b1c7-b8ac6fa1c3b7}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6a1da121-8fc5-11df-b870-b8ac6fa1c3b7}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8deb4dea-77f7-11df-9551-806e6f6e6963}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8deb4ded-77f7-11df-9551-806e6f6e6963}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{be84911c-7c21-11df-b59b-b8ac6fa1c3b7}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fa26d112-8bb7-11df-a21d-b8ac6fa1c3b7}

Winlogon

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
ReportBootOk REG_SZ 1
Shell REG_SZ explorer.exe
PreCreateKnownFolders REG_SZ {A520A1A4-1780-4FF6-BD18-167343C5AF16}
DefaultDomainName REG_SZ
DefaultUserName REG_SZ
Userinit REG_SZ userinit.exe
VMApplet REG_SZ SystemPropertiesPerformance.exe /pagefile

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions

Windows Update

Security Software Information

*Note*: Some security software does not store itself in the WMI.

{END OF FILE}

Re: Redirect virus15th July 2010, 7:07 pm

Please download Malwarebytes Anti-Malware from Malwarebytes.org.
Alternate link: BleepingComputer.com.
(Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

Double Click mbam-setup.exe to install the application.

(Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If you are prompted to restart, please allow it to restart your computer. Failure to do this, will cause the infection to still be active on the computer.
Please save the log to a location you will remember.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
The log can also be found at C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
Copy and paste the entire report in your next reply.

Re: Redirect virus15th July 2010, 11:40 pm

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4317

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

7/15/2010 4:39:00 PM
mbam-log-2010-07-15 (16-39-00).txt

Scan type: Quick scan
Objects scanned: 141636
Time elapsed: 2 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Re: Redirect virus17th July 2010, 6:08 pm

Download MBRCheck to your desktop.

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
A report called MBRcheckxxxx.txt will be on your desktop
Open this report and post its content in your next reply.

Re: Redirect virus17th July 2010, 9:12 pm

MBRCheck, version 1.1.1

(c) 2010, AD

\\.\C: --> \\.\PhysicalDrive0

Size Device Name MBR Status

--------------------------------------------

931 GB \\.\PhysicalDrive0 Dell Inspiron MBR code detected

Done! Press ENTER to exit..

Re: Redirect virus18th July 2010, 3:33 am

Save these instructions so you can have access to them while in Safe Mode.

Please click here to download AVP Tool by Kaspersky.

Save it to your desktop.
Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
Double click the setup file to run it.
Click Next to continue.
Accept the License agreement and click on next.
It will, by default, install it to your desktop folder. Click Next.
It will then open a box There will be a tab that says Automatic scan.
Under Automatic scan make sure these are checked.

Hidden Startup Objects

System Memory

Disk Boot Sectors.

My Computer.

Also any other drives (Removable that you may have)

Leave the rest of the settings as they appear as default.

Then click on Scan at the to right hand Corner.
It will automatically Neutralize any objects found.
If some objects are left un-neutralized then click the button that says Neutralize all
If it says it cannot be neutralized then choose the delete option when prompted.
After that is done click on the reports button at the bottom and save it to file name it Kas.
Save it somewhere convenient like your desktop and just post only the detected Virus\malware in the report it will be at the very top under Detected post those results in your next reply.

Note: This tool will self uninstall when you close it so please save the log before closing it.

Re: Redirect virus18th July 2010, 3:07 pm

The report had no detections on it.

Re: Redirect virus18th July 2010, 6:59 pm

And the redirects still continue?

Re: Redirect virus18th July 2010, 10:25 pm

No they are finally gone. Thanks very much. I know I should probably be asking this in a different forum but I have Avira, the paid version. It has let several virus' on my old computer and now this one. I know done are perfect but was wondering if there is any you suggest over Avira. Thanks again.

Re: Redirect virus19th July 2010, 5:59 am

Kaspersky Internet Security, http://www.kaspersky.com

Please run a free online scan with the ESET Online Scanner

Tick the box next to YES, I accept the Terms of Use
Click Start
When asked, allow the ActiveX control to install
Click Start
Make sure that the options Remove found threats and the option Scan unwanted applications is checked
Click Scan (This scan can take several hours, so please be patient)
Once the scan is completed, you may close the window
Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic

Re: Redirect virus19th July 2010, 1:23 pm

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=006d7f2dcea90246bbeb1cbb7e8f5555
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-07-19 01:06:50
# local_time=2010-07-19 06:06:50 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7600 NT
# compatibility_mode=1792 16777215 100 0 1612348 1612348 0 0
# compatibility_mode=5893 16776573 100 94 0 31087104 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=109195
# found=0
# cleaned=0
# scan_time=1156

Re: Redirect virus20th July 2010, 2:16 am

If there are no more issues, then it is time to clean up.

To manually create a new Restore Point

Go to Control Panel and select System and Maintenance
Select System
On the left select Advance System Settings and accept the warning if you get one
Select System Protection Tab
Select Create at the bottom
Type in a name i.e. Clean
Select Create

Now we can purge the infected ones

Go back to the System and Maintenance page
Select Performance Information and Tools
On the left select Open Disk Cleanup
Select Files from all users and accept the warning if you get one
In the drop down box select your main drive i.e. C
For a few moments the system will make some calculations
Select the More Options tab
In the System Restore and Shadow Backups select Clean up
Select Delete on the pop up
Select OK
Select Delete

You are now done

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer:

Save it to your Desktop.
Double click OTC.exe.
Click the CleanUp! button.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

==

Please download TFC by OldTimer to your desktop

Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
It will close all programs when run, so make sure you have saved all your work before you begin.
Click the Start
button to begin the process. Depending on how often you clean temp
files, execution time should be anywhere from a few seconds to a minute
or two. Let it run uninterrupted to completion.
Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

==

Download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.

Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Re: Redirect virus20th July 2010, 3:59 am

Results of screen317's Security Check version 0.99.4
Windows 7 (UAC is enabled)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
Avira AntiVir Premium
WMI entry may not exist for antivirus; attempting automatic update.
Avira successfully updated!
```````````````````````````````
Anti-malware/Other Utilities Check:
Java(TM) 6 Update 20
Adobe Flash Player 10.0.45.2
Adobe Reader 9.1.2
Out of date Adobe Reader installed!
Mozilla Firefox (3.6.6)
````````````````````````````````
Process Check:
objlist.exe by Laurent
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
````````````````````````````````
DNS Vulnerability Check:
GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````

Re: Redirect virus20th July 2010, 4:09 am

Please download the newest version of Java from Java.com.

Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment). Please uninstall/remove each of them.

Once old versions are gone, please install the newest version.

===============================

Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.

Software recommendations

Firewall

Tallemu Online Armor: the free version is just as good as the premium. I have linked you to the free version.
Comodo Firewall: the free version is just as good as the premium. I have linked you to the free version. The optional security suite enhances the firewall by 40% increase. If you would like to install the suite that includes antivirus, then remove your old antivirus first.
PC Tools Firewall Plus: free and excellent firewall.

AntiSpyware

SpywareBlaster
SpywareBlaster is a program that prevents spyware from installing on your computer. A tutorial on using SpywareBlaster may be found here.
Spybot - Search & Destroy.
Spybot - Search & Destroy is a spyware and adware removal program. It also has realtime protection, TeaTimer to help safeguard your computer against spyware. (The link for Spybot - Search & Destroy contains a tutorial that will help you download, install, and begin using Spybot).

NOTE: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.

Resident Protection help
A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.

Securing your computer

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
hpHosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.

Please consider using an alternate browser
Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

If you are interested:

Firefox may be downloaded from here: http://www.getfirefox.com
Opera is available here: http://www.opera.com/download/

See this page for more info about malware and prevention.

Thank you for choosing GeekPolice. Please see this page if you would like to leave feedback or contribute to our site. Do you have any more questions?

Redirect virus

Redirect virus13th July 2010, 2:07 pm

Re: Redirect virus13th July 2010, 7:55 pm

Re: Redirect virus14th July 2010, 1:01 pm

Re: Redirect virus14th July 2010, 6:20 pm

Re: Redirect virus14th July 2010, 11:44 pm

Re: Redirect virus15th July 2010, 6:24 am

Re: Redirect virus15th July 2010, 12:41 pm

Re: Redirect virus15th July 2010, 12:45 pm

Re: Redirect virus15th July 2010, 12:48 pm

Re: Redirect virus15th July 2010, 7:07 pm

Re: Redirect virus15th July 2010, 11:40 pm

Re: Redirect virus17th July 2010, 6:08 pm

Re: Redirect virus17th July 2010, 9:12 pm

Re: Redirect virus18th July 2010, 3:33 am

Re: Redirect virus18th July 2010, 3:07 pm

Re: Redirect virus18th July 2010, 6:59 pm

Re: Redirect virus18th July 2010, 10:25 pm

Re: Redirect virus19th July 2010, 5:59 am

Re: Redirect virus19th July 2010, 1:23 pm

Re: Redirect virus20th July 2010, 2:16 am

Re: Redirect virus20th July 2010, 3:59 am

Re: Redirect virus20th July 2010, 4:09 am

Re: Redirect virus21st July 2010, 2:56 am

Re: Redirect virus21st July 2010, 3:39 am

Re: Redirect virus

Redirect virus

descriptionRedirect virus13th July 2010, 2:07 pm

descriptionRe: Redirect virus13th July 2010, 7:55 pm

descriptionRe: Redirect virus14th July 2010, 1:01 pm

descriptionRe: Redirect virus14th July 2010, 6:20 pm

descriptionRe: Redirect virus14th July 2010, 11:44 pm

descriptionRe: Redirect virus15th July 2010, 6:24 am

descriptionRe: Redirect virus15th July 2010, 12:41 pm

descriptionRe: Redirect virus15th July 2010, 12:45 pm

descriptionRe: Redirect virus15th July 2010, 12:48 pm

descriptionRe: Redirect virus15th July 2010, 7:07 pm

descriptionRe: Redirect virus15th July 2010, 11:40 pm

descriptionRe: Redirect virus17th July 2010, 6:08 pm

descriptionRe: Redirect virus17th July 2010, 9:12 pm

descriptionRe: Redirect virus18th July 2010, 3:33 am

descriptionRe: Redirect virus18th July 2010, 3:07 pm

descriptionRe: Redirect virus18th July 2010, 6:59 pm

descriptionRe: Redirect virus18th July 2010, 10:25 pm

descriptionRe: Redirect virus19th July 2010, 5:59 am

descriptionRe: Redirect virus19th July 2010, 1:23 pm

descriptionRe: Redirect virus20th July 2010, 2:16 am

descriptionRe: Redirect virus20th July 2010, 3:59 am

descriptionRe: Redirect virus20th July 2010, 4:09 am

descriptionRe: Redirect virus21st July 2010, 2:56 am

descriptionRe: Redirect virus21st July 2010, 3:39 am

descriptionRe: Redirect virus

Redirect virus13th July 2010, 2:07 pm

Re: Redirect virus13th July 2010, 7:55 pm

Re: Redirect virus14th July 2010, 1:01 pm

Re: Redirect virus14th July 2010, 6:20 pm

Re: Redirect virus14th July 2010, 11:44 pm

Re: Redirect virus15th July 2010, 6:24 am

Re: Redirect virus15th July 2010, 12:41 pm

Re: Redirect virus15th July 2010, 12:45 pm

Re: Redirect virus15th July 2010, 12:48 pm

Re: Redirect virus15th July 2010, 7:07 pm

Re: Redirect virus15th July 2010, 11:40 pm

Re: Redirect virus17th July 2010, 6:08 pm

Re: Redirect virus17th July 2010, 9:12 pm

Re: Redirect virus18th July 2010, 3:33 am

Re: Redirect virus18th July 2010, 3:07 pm

Re: Redirect virus18th July 2010, 6:59 pm

Re: Redirect virus18th July 2010, 10:25 pm

Re: Redirect virus19th July 2010, 5:59 am

Re: Redirect virus19th July 2010, 1:23 pm

Re: Redirect virus20th July 2010, 2:16 am

Re: Redirect virus20th July 2010, 3:59 am

Re: Redirect virus20th July 2010, 4:09 am

Re: Redirect virus21st July 2010, 2:56 am

Re: Redirect virus21st July 2010, 3:39 am

Re: Redirect virus