Download Link: hxxp://reddii.org/traffic/ft01/loader.exe
File Name: loader.exe

VirusTotal Result: 20/32 (62.5%)
Engine  Version  Last Update  Detection
AntiVir  7.6.0.85  2008.04.11  TR/Dldr.Tiny.IQ.28
Avast  4.8.1169.0  2008.04.12  Win32:Tiny-IA
AVG  7.5.0.516  2008.04.12  Downloader.Generic7.VZ
BitDefender  7.2  2008.04.12  MemScan:Trojan.Downloader.Tiny.IQ
CAT-QuickHeal  9.50  2008.04.12  (Suspicious) - DNAScan
ClamAV  0.92.1  2008.04.12  Trojan.Downloader-10105
DrWeb  4.44.0.09170  2008.04.12  Trojan.Packed.151
eTrust-Vet  31.3.5692  2008.04.11  Win32/Behdevy
F-Secure  6.70.13260.0  2008.04.11  W32/Tibs.gen159
Fortinet  3.14.0.0  2008.04.12  W32/Dloader.J!tr
Ikarus  T3.1.1.26.0  2008.04.12  Trojan.Win32.Trojan-Downloader.Tiny.NCT
Kaspersky  7.0.0.125  2008.04.12  Heur.Downloader
NOD32v2  3020  2008.04.11  Win32/TrojanDownloader.Tiny.NCT
Norman  5.80.02  2008.04.12  W32/Tibs.gen159
Panda  9.0.0.4  2008.04.12  Suspicious file
Prevx1  V2  2008.04.12  Heuristic: Suspicious Code
Sophos  4.28.0  2008.04.12  Mal/DownLdr-J
Sunbelt  3.0.1041.0  2008.04.12  Trojan-Downloader.Tiny.IQ
VBA32  3.12.6.4  2008.04.06  Win32.TrojanDownloader.Tiny.NCT
Webwasher-Gateway  6.6.2  2008.04.11  Trojan.Dldr.Tiny.IQ.28

File Info:
File size: 1712 bytes
MD5: 159b35f4ef26836035bf2e545f677dd6
SHA1: 20722f7bd0f0555d69310308a244001ffbc43fa5
SHA256: 9774f9efb9128b993640cf99954463d88bebac575037bf132c1cf341cf8fcfb3
SHA512: 5017ff67483a242fd2603170e5899c6281365c9a0616965d77b93c62038b5728bb8d6b9d52a991745a912782a59dedc03ae1e4c86ef33786a17ef4f2bdf8dee1

PEInfo: PE Structure information
Base Data:
Entry Point Address: 0x40132f
Time Date Stamp: 0x4629edaf (Sat Apr 21 10:55:43 2007)
Machine Type: 0x14c (I386)
Code Offset = 00000200, Code Size = 00000367
Data Offset = 00000600, Data Size = 000000B0
Number of Objects = 0002 (dec), Imagebase = 00400000h
Object01: .text  RVA: 00001000  Offset: 00000200  Size: 00000367  Flags: E0000020
Object02: .data  RVA: 00002000  Offset: 00000600  Size: 000000B0  Flags: C0000040

Process Description:
Filename: loader.exe
MD5: 159b35f4ef26836035bf2e545f677dd6
SHA-1: 20722f7bd0f0555d69310308a244001ffbc43fa5
File Size: 1712 Bytes
Command Line: C:\loader.exe

Load Time DLL:
Module Name  Base Address  Size
C:\WINDOWS\system32\ntdll.dll  0x7C900000  0x000B0000
C:\WINDOWS\system32\kernel32.dll  0x7C800000  0x000F5000

Run Time DLL:
Module Name  Base Address  Size
C:\WINDOWS\system32\NETAPI32.dll  0x5B860000  0x00054000
C:\WINDOWS\system32\comctl32.dll  0x5D090000  0x0009A000
C:\WINDOWS\system32\faultrep.dll  0x69450000  0x00016000
C:\WINDOWS\system32\WINSTA.dll  0x76360000  0x00010000
C:\WINDOWS\system32\IMM32.DLL  0x76390000  0x0001D000
C:\WINDOWS\system32\USERENV.dll  0x769C0000  0x000B3000
C:\WINDOWS\system32\WTSAPI32.dll  0x76F50000  0x00008000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll  0x773D0000  0x00103000
C:\WINDOWS\system32\SETUPAPI.dll  0x77920000  0x000F3000
C:\WINDOWS\system32\apphelp.dll  0x77B40000  0x00022000
C:\WINDOWS\system32\VERSION.dll  0x77C00000  0x00008000
C:\WINDOWS\system32\msvcrt.dll  0x77C10000  0x00058000
C:\WINDOWS\system32\ADVAPI32.dll  0x77DD0000  0x0009B000
C:\WINDOWS\system32\RPCRT4.dll  0x77E70000  0x00092000
C:\WINDOWS\system32\GDI32.dll  0x77F10000  0x00047000
C:\WINDOWS\system32\SHLWAPI.dll  0x77F60000  0x00076000
C:\WINDOWS\system32\Secur32.dll  0x77FE0000  0x00011000
C:\WINDOWS\system32\shell32.dll  0x7C9C0000  0x00815000
C:\WINDOWS\system32\USER32.dll  (base address and size not recorded)

Files Created:
C:\DOCUME~1\user\LOCALS~1\Temp\48a0_appcompat.txt
Files Read:
C:\WINDOWS\system32\winsock.dll
PIPE\lsarpc
Files Changed:
C:\DOCUME~1\user\LOCALS~1\Temp\48a0_appcompat.txt
PIPE\lsarpc

Registry Read:
Key  Name  Value  Times
HKLM\Software\Microsoft\PCHealth\ErrorReporting  AllOrNone  1  1
HKLM\Software\Microsoft\PCHealth\ErrorReporting  DoReport  1  1
HKLM\Software\Microsoft\PCHealth\ErrorReporting  IncludeKernelFaults  1  1
HKLM\Software\Microsoft\PCHealth\ErrorReporting  IncludeMicrosoftApps  1  1
HKLM\Software\Microsoft\PCHealth\ErrorReporting  IncludeWindowsApps  1  1
HKLM\Software\Microsoft\PCHealth\ErrorReporting  ShowUI  1  1
HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug  Auto  1  1
HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug  Debugger  drwtsn32 -p %ld -e %ld -g  1
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName  ComputerName  USER  1
HKLM\System\Setup  SystemSetupInProgress  0  1

Process Created:
Executable  Command Line
dwwin.exe  C:\WINDOWS\system32\dwwin.exe -x -s 156
drwtsn32  C:\WINDOWS\system32\drwtsn32 -p 284 -e 120 -g

Note: dwwin.exe (Windows Error Reporting) and drwtsn32 (Dr. Watson, attached here to PID 284) are crash handlers; their creation indicates that loader.exe faulted during this sandbox run, and the process records that follow are those of the crash handlers rather than of the downloader itself.

Process Started:
Filename: dwwin.exe
MD5: 7c25440617eee6f69709aa8c915d2c32
SHA-1: 40747172146706013a3334d475b5df0116c56643
File Size: 180224 Bytes
Command Line: C:\WINDOWS\system32\dwwin.exe -x -s 156

Registry Values Changed:
Key  Name  New Value
HKLM\SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILES\CURRENT\Software\Microsoft\windows\CurrentVersion\Internet Settings  ProxyEnable  0
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders  Common AppData  C:\Documents and Settings\All Users\Application Data
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders  AppData  C:\Documents and Settings\user\Application Data
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders  Cache  C:\Documents and Settings\user\Local Settings\Temporary Internet Files
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders  Cookies  C:\Documents and Settings\user\Cookies
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders  History  C:\Documents and Settings\user\Local Settings\History
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders  Personal  C:\Documents and Settings\user\My Documents
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings  MigrateProxy  1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings  ProxyEnable  0
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections  SavedLegacySettings  0x460000005f00000001000000000000000000000000000000040000000000

Registry Values Read:
Registry Keys Monitored:
Key  Watch subtree  Notify Filter  Count
HKLM\Software\Microsoft\Tracing\RASAPI32  0  Attributes Change,Value Change,Security Descriptor Change  2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5  0  Key Change  1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9  0  Key Change  1

Files Deleted:
C:\DOCUME~1\user\LOCALS~1\Temp\3850F.dmp
C:\DOCUME~1\user\LOCALS~1\Temp\48a0_appcompat.txt
Files Created:
C:\DOCUME~1\user\LOCALS~1\Temp\3850F.dmp
Files Read:
C:\WINDOWS\win.ini
C:\loader.exe
PIPE\lsarpc
c:\autoexec.bat
Files Modified:
PIPE\lsarpc

Process Started:
Filename: services.exe
MD5: c6ce6eec82f187615d1002bb3bb50ed4
SHA-1: b958912d139cb8dbfeeacdd38ba048c4f452174e
File Size: 108032 Bytes
Command Line: C:\WINDOWS\system32\services.exe

Registry Keys Created:
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_TAPISRV\0000\Control
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_RASMAN\0000\Control

Registry Values Changed:
Key  Name  New Value
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_RASMAN\0000\Control  ActiveService  RasMan
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_TAPISRV\0000\Control  ActiveService  TapiSrv

Registry Values Read:
Key  Name  Value  Times
HKLM\System\CurrentControlSet\Services\RasMan ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs 1
HKLM\System\CurrentControlSet\Services\RasMan ObjectName LocalSystem 2
HKLM\System\CurrentControlSet\Services\RpcSs ObjectName NT AUTHORITY\NetworkService 1
HKLM\System\CurrentControlSet\Services\TapiSrv ImagePath %SystemRoot%\System32\svchost.exe -k netsvcs 1
HKLM\System\CurrentControlSet\Services\TapiSrv ObjectName LocalSystem

Files Read:
C:\ntsvcs, Flags: Named pipe

Files Modified:
C:\WINDOWS\system32\config\AppEvent.Evt
C:\WINDOWS\system32\config\SysEvent.Evt
C:\ntsvcs, Flags: Named pipe

Process Started:
Filename: drwtsn32.exe
MD5: c9f5e1de6da983e89e714ed80c11f000
SHA-1: 1717b633478fb107d3c26344f710328b93ae550c
File Size: 45568 Bytes
Command Line: C:\WINDOWS\system32\drwtsn32 -p 284 -e 120 -g

    Registry Values Changed:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Common AppData C:\Documents and Settings\All Users\Application Data

    Registry Read: (Key Name, Value, Times)
    HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Identifier x86 Family 6 Model 3 Stepping 3 1
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion CurrentBuildNumber 2600 1
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion CurrentType Uniprocessor Free 1
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization user 1
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner user 1
    HKLM\SYSTEM\CurrentControlSet\Control\Windows CSDVersion 512 1
    HKLM\Software\Microsoft\Windows NT\CurrentVersion CurrentType Uniprocessor Free 2
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Common AppData %ALLUSERSPROFILE%\Application Data 1
    HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ComputerName USER 2
    HKLM\software\microsoft\DrWatson AppendToLogFile 1 1
    HKLM\software\microsoft\DrWatson CrashDumpType 1 1
    HKLM\software\microsoft\DrWatson CreateCrashDump 1 1
    HKLM\software\microsoft\DrWatson DumpAllThreads 1 1
    HKLM\software\microsoft\DrWatson DumpSymbols 0 1
    HKLM\software\microsoft\DrWatson Instructions 10 1
    HKLM\software\microsoft\DrWatson MaximumCrashes 10 1
    HKLM\software\microsoft\DrWatson NumberOfCrashes 10 1
    HKLM\software\microsoft\DrWatson SoundNotification 0 1
    HKLM\software\microsoft\DrWatson VisualNotification 0 1
    HKLM\software\microsoft\DrWatson WaveFile 1

    Files Created:
    C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\drwtsn32.log
    C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp

    Files Read:
    C:\loader.exe
    PIPE\lsarpc

    Files Changed:
    PIPE\lsarpc

    Other Application Access:
    Process: C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    Process: C:\WINDOWS\explorer.exe
    Process: C:\WINDOWS\system32\alg.exe
    Process: C:\WINDOWS\system32\cmd.exe
    Process: C:\WINDOWS\system32\csrss.exe
    Process: C:\WINDOWS\system32\ctfmon.exe
    Process: C:\WINDOWS\system32\drwtsn32.exe
    Process: C:\WINDOWS\system32\ftvmdmsrv.exe
    Process: C:\WINDOWS\system32\lsass.exe
    Process: C:\WINDOWS\system32\services.exe
    Process: C:\WINDOWS\system32\smss.exe
    Process: C:\WINDOWS\system32\spoolsv.exe
    Process: C:\WINDOWS\system32\svchost.exe
    Process: C:\WINDOWS\system32\winlogon.exe
    Process: C:\WINDOWS\system32\wscntfy.exe
    Process: C:\WINDOWS\system32\wuauclt.exe
    Process: C:\exec\popupKiller.exe
    Process: C:\loader.exe