Download Link: hxxp://6sq.net/toolbar/6sqtoolbar.exe
File Name: 6sqtoolbar.exe
File size: 470307 bytes
MD5: 20220fc3509d0b0cb36dfd42fedf7916
SHA1: fb85a7e2337c1dabbf001e8750804bd04403736b
PEiD: -

VirusTotal Result: 11/32 (34.38%)
AntiVir: DR/Mostofate.AA
Avast: Win32:Adware-gen
CAT-QuickHeal: Win32.AdWare.MyTool.f
DrWeb: Adware.Softomate
Fortinet: Adware/Mostofate
Ikarus: Win32.SuspectCrc
Kaspersky: not-a-virus:AdWare.Win32.Mostofate.aa
Rising: Adware.Win32.Softomate.aa
Sophos: SearchIt
VBA32: AdWare.Win32.Mostofate.aa
Webwasher-Gateway: Trojan.Dropper.Mostofate.AA

Analysis Report: http://malwareinfo.freeforums.org/6sq-net-toolbar-6sqtoolbar-exe-t29.html

File Info:

PE Header
Signature: 00004550
Machine: 014C - Intel 386
Number of sections: 0005
Time/Date stamp: 3FEDD615
Pointer to symbol table: 00000000
Number of symbols: 00000000
Size of optional header: 00E0
Characteristics: 010F
Magic: 010B
Linker version (major): 06
Linker version (minor): 00
Size of code: 00005E00
Size of initialized data: 0001D600
Size of uninitialized data: 00008000
Address of entry point: 0000409B
Base of code: 00001000
Base of data: 00007000
Image base: 00400000
Section alignment: 00001000
File alignment: 00000200
OS version (major): 0004
OS version (minor): 0000
Image version (major): 0000
Image version (minor): 0000
Sub system version (major): 0004
Sub system version (minor): 0000
Win32 version: 00000000
Size of image: 00031000
Size of headers: 00000400
Checksum: 00000000
Sub system: 0002 - Windows graphical user interface (GUI) subsystem
DLL characteristics: 0000
Size of stack reserve: 00100000
Size of stack commit: 00001000
Size of heap reserve: 00100000
Size of heap commit: 00001000
Loader flags: 00000000
Number of RVA: 00000010

PE Sections
Section  VirtSize  VirtAddr  PhysSize  PhysAddr  Flags
.text    00005CCA  00001000  00005E00  00000400  60000020
.rdata   000011B8  00007000  00001200  00006200  40000040
.data    0001B08C  00009000  00000400  00007400  C0000040
.ndata   00008000  00025000  00000000  00000000  C0000080
.rsrc    00004000  0002D000  00004000  00007800  40000040

Import table (libraries: 8)
COMCTL32.dll (imports: 4): ImageList_Create #17 ImageList_AddMasked ImageList_Destroy
KERNEL32.dll (imports: 66): GetExitCodeProcess WaitForSingleObject ExpandEnvironmentStringsA GetEnvironmentVariableA lstrcmpiA FindNextFileA DeleteFileA FindFirstFileA SetFileTime GetFileAttributesA CompareFileTime SearchPathA GetShortPathNameA GetFullPathNameA MoveFileA lstrcatA SetCurrentDirectoryA CreateDirectoryA SetFileAttributesA CreateFileA GetFileSize GetModuleFileNameA GetTickCount CopyFileA SetErrorMode lstrcpynA GetCommandLineA GetWindowsDirectoryA GetTempPathA GetUserDefaultLangID GetDiskFreeSpaceA GetVersion GlobalUnlock GlobalLock GlobalAlloc CreateProcessA RemoveDirectoryA GetTempFileNameA SetEndOfFile UnmapViewOfFile MapViewOfFile CreateFileMappingA lstrcpyA lstrlenA GetSystemDirectoryA EnterCriticalSection Sleep LeaveCriticalSection InitializeCriticalSection CloseHandle GlobalFree GetModuleHandleA LoadLibraryA CreateThread GetProcAddress FreeLibrary MultiByteToWideChar GetCurrentProcess WritePrivateProfileStringA GetPrivateProfileStringA WriteFile ReadFile SetFilePointer FindClose MulDiv ExitProcess
USER32.dll (imports: 60): CreateDialogParamA DialogBoxParamA GetClassInfoA CreateWindowExA SystemParametersInfoA RegisterClassA EndDialog SetFocus ScreenToClient GetWindowRect GetWindowLongA SetClassLongA IsWindowEnabled SetWindowPos LoadCursorA SetCursor GetDlgItemTextA MapWindowPoints GetMessagePos LoadBitmapA CallWindowProcA CloseClipboard SetClipboardData EmptyClipboard OpenClipboard TrackPopupMenu AppendMenuA CreatePopupMenu GetSystemMetrics SetDlgItemTextA MessageBoxA CharPrevA DestroyWindow SetTimer SetForegroundWindow ShowWindow CharNextA wsprintfA SendMessageTimeoutA FindWindowExA IsWindow GetDlgItem GetSysColor SetWindowLongA LoadImageA GetDC EnableWindow PeekMessageA DispatchMessageA ExitWindowsEx PostQuitMessage SendMessageA DefWindowProcA BeginPaint GetClientRect FillRect GetWindowTextA DrawTextA EndPaint InvalidateRect
GDI32.dll (imports: 10): SetBkColor GetDeviceCaps CreateFontIndirectA DeleteObject CreateSolidBrush CreateFontA SetBkMode SetTextColor CreateBrushIndirect SelectObject
ADVAPI32.dll (imports: 9): RegEnumValueA RegEnumKeyA RegQueryValueExA RegSetValueExA RegDeleteKeyA RegOpenKeyExA RegDeleteValueA RegCreateKeyA RegCloseKey
SHELL32.dll (imports: 6): ShellExecuteA SHBrowseForFolderA SHGetPathFromIDListA SHGetMalloc SHGetSpecialFolderLocation SHFileOperationA
ole32.dll (imports: 3): OleInitialize OleUninitialize CoCreateInstance
VERSION.dll (imports: 3): GetFileVersionInfoSizeA GetFileVersionInfoA VerQueryValueA

Process Info:
Process ID 420
Filename C:\6sqtoolbar.exe
Filesize 470307 bytes
MD5 20220fc3509d0b0cb36dfd42fedf7916
Start Reason AnalysisTarget

File System Info:
Delete File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\nsn1.tmp
Get File Attributes: C:\file.exe Flags: (SECURITY_ANONYMOUS)
Open File: C:\file.exe (OPEN_EXISTING)
Create File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\nsn3.tmp
Find File: C:\Program Files
Find File: C:\Program Files\6SQ Toolbar
Get File Attributes: C:\Program Files\6SQ Toolbar\6sqtoolbar.dll Flags: (SECURITY_ANONYMOUS)
Create/Open File: C:\Program Files\6SQ Toolbar\6sqtoolbar.dll (OPEN_ALWAYS)
Get File Attributes: C:\Program Files\6SQ Toolbar\6sqtoolbar.crc Flags: (SECURITY_ANONYMOUS)
Set File Attributes: C:\Program Files\6SQ Toolbar\6sqtoolbar.crc Flags: (FILE_ATTRIBUTE_ARCHIVE,FILE_ATTRIBUTE_COMPRESSED,FILE_ATTRIBUTE_HIDDEN,FILE_ATTRIBUTE_NORMAL,FILE_ATTRIBUTE_OFFLINE,FILE_ATTRIBUTE_SYSTEM,FILE_ATTRIBUTE_TEMPORARY,FILE_ATTRIBUTE_SPARSE_FILE,FILE_ATTRIBUTE_REPARSE_POINT,FILE_ATTRIBUTE_COMPRESSED,FILE_ATTRIBUTE_OFFLINE,FILE_ATTRIBUTE_NOT_CONTENT_INDEXED,FILE_ATTRIBUTE_ENCRYPTED,SECURITY_ANONYMOUS)
Create File: C:\Program Files\6SQ Toolbar\6sqtoolbar.crc
Set File Time: C:\Program Files\6SQ Toolbar\6sqtoolbar.crc
Set File Attributes: C:\Program Files\6SQ Toolbar\6sqtoolbar.dll Flags:
(FILE_ATTRIBUTE_ARCHIVE,SECURITY_ANONYMOUS) Create File: C:\Program Files\6SQ Toolbar\6sqtoolbar.dll Set File Time: C:\Program Files\6SQ Toolbar\6sqtoolbar.dll Get File Attributes: C:\Program Files\6SQ Toolbar\basis.xml Flags: (SECURITY_ANONYMOUS) Set File Attributes: C:\Program Files\6SQ Toolbar\basis.xml Flags: (FILE_ATTRIBUTE_ARCHIVE,FILE_ATTRIBUTE_COMPRESSED,FILE_ATTRIBUTE_HIDDEN,FILE_ATTRIBUTE_NORMAL,FILE_ATTRIBUTE_OFFLINE,FILE_ATTRIBUTE_SYSTEM,FILE_ATTRIBUTE_TEMPORARY,FILE_ATTRIBUTE_SPARSE_FILE,FILE_ATTRIBUTE_REPARSE_POINT,FILE_ATTRIBUTE_COMPRESSED,FILE_ATTRIBUTE_OFFLINE,FILE_ATTRIBUTE_NOT_CONTENT_INDEXED,FILE_ATTRIBUTE_ENCRYPTED,SECURITY_ANONYMOUS) Create File: C:\Program Files\6SQ Toolbar\basis.xml Set File Time: C:\Program Files\6SQ Toolbar\basis.xml Get File Attributes: C:\Program Files\6SQ Toolbar\demo_logo.bmp Flags: (SECURITY_ANONYMOUS) Set File Attributes: C:\Program Files\6SQ Toolbar\demo_logo.bmp Flags: (FILE_ATTRIBUTE_ARCHIVE,FILE_ATTRIBUTE_COMPRESSED,FILE_ATTRIBUTE_HIDDEN,FILE_ATTRIBUTE_NORMAL,FILE_ATTRIBUTE_OFFLINE,FILE_ATTRIBUTE_SYSTEM,FILE_ATTRIBUTE_TEMPORARY,FILE_ATTRIBUTE_SPARSE_FILE,FILE_ATTRIBUTE_REPARSE_POINT,FILE_ATTRIBUTE_COMPRESSED,FILE_ATTRIBUTE_OFFLINE,FILE_ATTRIBUTE_NOT_CONTENT_INDEXED,FILE_ATTRIBUTE_ENCRYPTED,SECURITY_ANONYMOUS) Create File: C:\Program Files\6SQ Toolbar\demo_logo.bmp Set File Time: C:\Program Files\6SQ Toolbar\demo_logo.bmp Get File Attributes: C:\Program Files\6SQ Toolbar\favicon.ico Flags: (SECURITY_ANONYMOUS) Set File Attributes: C:\Program Files\6SQ Toolbar\favicon.ico Flags: (FILE_ATTRIBUTE_ARCHIVE,FILE_ATTRIBUTE_COMPRESSED,FILE_ATTRIBUTE_HIDDEN,FILE_ATTRIBUTE_NORMAL,FILE_ATTRIBUTE_OFFLINE,FILE_ATTRIBUTE_SYSTEM,FILE_ATTRIBUTE_TEMPORARY,FILE_ATTRIBUTE_SPARSE_FILE,FILE_ATTRIBUTE_REPARSE_POINT,FILE_ATTRIBUTE_COMPRESSED,FILE_ATTRIBUTE_OFFLINE,FILE_ATTRIBUTE_NOT_CONTENT_INDEXED,FILE_ATTRIBUTE_ENCRYPTED,SECURITY_ANONYMOUS) Create File: C:\Program Files\6SQ Toolbar\favicon.ico Set File Time: C:\Program Files\6SQ 
Toolbar\favicon.ico Get File Attributes: C:\Program Files\6SQ Toolbar\icons.bmp Flags: (SECURITY_ANONYMOUS) Set File Attributes: C:\Program Files\6SQ Toolbar\icons.bmp Flags: (FILE_ATTRIBUTE_ARCHIVE,FILE_ATTRIBUTE_COMPRESSED,FILE_ATTRIBUTE_HIDDEN,FILE_ATTRIBUTE_NORMAL,FILE_ATTRIBUTE_OFFLINE,FILE_ATTRIBUTE_SYSTEM,FILE_ATTRIBUTE_TEMPORARY,FILE_ATTRIBUTE_SPARSE_FILE,FILE_ATTRIBUTE_REPARSE_POINT,FILE_ATTRIBUTE_COMPRESSED,FILE_ATTRIBUTE_OFFLINE,FILE_ATTRIBUTE_NOT_CONTENT_INDEXED,FILE_ATTRIBUTE_ENCRYPTED,SECURITY_ANONYMOUS) Create File: C:\Program Files\6SQ Toolbar\icons.bmp Set File Time: C:\Program Files\6SQ Toolbar\icons.bmp Get File Attributes: C:\Program Files\6SQ Toolbar\mini_logo.bmp Flags: (SECURITY_ANONYMOUS) Set File Attributes: C:\Program Files\6SQ Toolbar\mini_logo.bmp Flags: (FILE_ATTRIBUTE_ARCHIVE,FILE_ATTRIBUTE_COMPRESSED,FILE_ATTRIBUTE_HIDDEN,FILE_ATTRIBUTE_NORMAL,FILE_ATTRIBUTE_OFFLINE,FILE_ATTRIBUTE_SYSTEM,FILE_ATTRIBUTE_TEMPORARY,FILE_ATTRIBUTE_SPARSE_FILE,FILE_ATTRIBUTE_REPARSE_POINT,FILE_ATTRIBUTE_COMPRESSED,FILE_ATTRIBUTE_OFFLINE,FILE_ATTRIBUTE_NOT_CONTENT_INDEXED,FILE_ATTRIBUTE_ENCRYPTED,SECURITY_ANONYMOUS) Create File: C:\Program Files\6SQ Toolbar\mini_logo.bmp Set File Time: C:\Program Files\6SQ Toolbar\mini_logo.bmp Get File Attributes: C:\Program Files\6SQ Toolbar\msvcp60.dll Flags: (SECURITY_ANONYMOUS) Set File Attributes: C:\Program Files\6SQ Toolbar\msvcp60.dll Flags: (FILE_ATTRIBUTE_ARCHIVE,FILE_ATTRIBUTE_COMPRESSED,FILE_ATTRIBUTE_HIDDEN,FILE_ATTRIBUTE_NORMAL,FILE_ATTRIBUTE_OFFLINE,FILE_ATTRIBUTE_SYSTEM,FILE_ATTRIBUTE_TEMPORARY,FILE_ATTRIBUTE_SPARSE_FILE,FILE_ATTRIBUTE_REPARSE_POINT,FILE_ATTRIBUTE_COMPRESSED,FILE_ATTRIBUTE_OFFLINE,FILE_ATTRIBUTE_NOT_CONTENT_INDEXED,FILE_ATTRIBUTE_ENCRYPTED,SECURITY_ANONYMOUS) Create File: C:\Program Files\6SQ Toolbar\msvcp60.dll Set File Time: C:\Program Files\6SQ Toolbar\msvcp60.dll Get File Attributes: C:\Program Files\6SQ Toolbar\msvcrt.dll Flags: (SECURITY_ANONYMOUS) Set File Attributes: C:\Program 
Files\6SQ Toolbar\msvcrt.dll Flags: (FILE_ATTRIBUTE_ARCHIVE,FILE_ATTRIBUTE_COMPRESSED,FILE_ATTRIBUTE_HIDDEN,FILE_ATTRIBUTE_NORMAL,FILE_ATTRIBUTE_OFFLINE,FILE_ATTRIBUTE_SYSTEM,FILE_ATTRIBUTE_TEMPORARY,FILE_ATTRIBUTE_SPARSE_FILE,FILE_ATTRIBUTE_REPARSE_POINT,FILE_ATTRIBUTE_COMPRESSED,FILE_ATTRIBUTE_OFFLINE,FILE_ATTRIBUTE_NOT_CONTENT_INDEXED,FILE_ATTRIBUTE_ENCRYPTED,SECURITY_ANONYMOUS) Create File: C:\Program Files\6SQ Toolbar\msvcrt.dll Set File Time: C:\Program Files\6SQ Toolbar\msvcrt.dll Get File Attributes: C:\Program Files\6SQ Toolbar\version.txt Flags: (SECURITY_ANONYMOUS) Set File Attributes: C:\Program Files\6SQ Toolbar\version.txt Flags: (FILE_ATTRIBUTE_ARCHIVE,FILE_ATTRIBUTE_COMPRESSED,FILE_ATTRIBUTE_HIDDEN,FILE_ATTRIBUTE_NORMAL,FILE_ATTRIBUTE_OFFLINE,FILE_ATTRIBUTE_SYSTEM,FILE_ATTRIBUTE_TEMPORARY,FILE_ATTRIBUTE_SPARSE_FILE,FILE_ATTRIBUTE_REPARSE_POINT,FILE_ATTRIBUTE_COMPRESSED,FILE_ATTRIBUTE_OFFLINE,FILE_ATTRIBUTE_NOT_CONTENT_INDEXED,FILE_ATTRIBUTE_ENCRYPTED,SECURITY_ANONYMOUS) Create File: C:\Program Files\6SQ Toolbar\version.txt Set File Time: C:\Program Files\6SQ Toolbar\version.txt Get File Attributes: C:\Program Files\6SQ Toolbar\your_logo.bmp Flags: (SECURITY_ANONYMOUS) Set File Attributes: C:\Program Files\6SQ Toolbar\your_logo.bmp Flags: (FILE_ATTRIBUTE_ARCHIVE,FILE_ATTRIBUTE_COMPRESSED,FILE_ATTRIBUTE_HIDDEN,FILE_ATTRIBUTE_NORMAL,FILE_ATTRIBUTE_OFFLINE,FILE_ATTRIBUTE_SYSTEM,FILE_ATTRIBUTE_TEMPORARY,FILE_ATTRIBUTE_SPARSE_FILE,FILE_ATTRIBUTE_REPARSE_POINT,FILE_ATTRIBUTE_COMPRESSED,FILE_ATTRIBUTE_OFFLINE,FILE_ATTRIBUTE_NOT_CONTENT_INDEXED,FILE_ATTRIBUTE_ENCRYPTED,SECURITY_ANONYMOUS) Create File: C:\Program Files\6SQ Toolbar\your_logo.bmp Set File Time: C:\Program Files\6SQ Toolbar\your_logo.bmp Get File Attributes: C:\Program Files\6SQ Toolbar\your_logo.bmp_16.bmp Flags: (SECURITY_ANONYMOUS) Set File Attributes: C:\Program Files\6SQ Toolbar\your_logo.bmp_16.bmp Flags: 
(FILE_ATTRIBUTE_ARCHIVE,FILE_ATTRIBUTE_COMPRESSED,FILE_ATTRIBUTE_HIDDEN,FILE_ATTRIBUTE_NORMAL,FILE_ATTRIBUTE_OFFLINE,FILE_ATTRIBUTE_SYSTEM,FILE_ATTRIBUTE_TEMPORARY,FILE_ATTRIBUTE_SPARSE_FILE,FILE_ATTRIBUTE_REPARSE_POINT,FILE_ATTRIBUTE_COMPRESSED,FILE_ATTRIBUTE_OFFLINE,FILE_ATTRIBUTE_NOT_CONTENT_INDEXED,FILE_ATTRIBUTE_ENCRYPTED,SECURITY_ANONYMOUS) Create File: C:\Program Files\6SQ Toolbar\your_logo.bmp_16.bmp Set File Time: C:\Program Files\6SQ Toolbar\your_logo.bmp_16.bmp Get File Attributes: C:\Program Files\6SQ Toolbar\your_logo.bmp_32.bmp Flags: (SECURITY_ANONYMOUS) Set File Attributes: C:\Program Files\6SQ Toolbar\your_logo.bmp_32.bmp Flags: (FILE_ATTRIBUTE_ARCHIVE,FILE_ATTRIBUTE_COMPRESSED,FILE_ATTRIBUTE_HIDDEN,FILE_ATTRIBUTE_NORMAL,FILE_ATTRIBUTE_OFFLINE,FILE_ATTRIBUTE_SYSTEM,FILE_ATTRIBUTE_TEMPORARY,FILE_ATTRIBUTE_SPARSE_FILE,FILE_ATTRIBUTE_REPARSE_POINT,FILE_ATTRIBUTE_COMPRESSED,FILE_ATTRIBUTE_OFFLINE,FILE_ATTRIBUTE_NOT_CONTENT_INDEXED,FILE_ATTRIBUTE_ENCRYPTED,SECURITY_ANONYMOUS) Create File: C:\Program Files\6SQ Toolbar\your_logo.bmp_32.bmp Set File Time: C:\Program Files\6SQ Toolbar\your_logo.bmp_32.bmp Get File Attributes: C:\Program Files\6SQ Toolbar Flags: (SECURITY_ANONYMOUS) Open File: \SystemRoot\AppPatch\sysmain.sdb (OPEN_EXISTING) Open File: \SystemRoot\AppPatch\systest.sdb (OPEN_EXISTING) Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING) Open File: C:\WINDOWS\system32\regsvr32.exe () Find File: regsvr32.exe Registry Reads: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion "ProgramFilesDir" HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Enable Browser Extensions" HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed" Process Management: Creates Process - Filename () CommandLine: (C:\WINDOWS\system32\regsvr32 /s "C:\Program Files\6SQ Toolbar\6sqtoolbar.dll") As User: () Creation Flags: () Kill Process - Filename () CommandLine: () Target PID: (420) As User: () Creation Flags: () System Info: Get System Directory 
Process Started: Process ID 472 Filename C:\WINDOWS\system32\regsvr32 /s C:\Program Files\6SQ Toolbar\6sqtoolbar.dll Filesize 11776 bytes MD5 9709ead856a690333138ac40804f914e Start Reason CreateProcess COM: COM Create Instance: OLE32.DLL, ProgID: (), Interface ID: ({0002E012-0000-0000-C000-000000000046}) COM Create Instance: C:\WINDOWS\system32\mlang.dll, ProgID: (), Interface ID: ({275C23E1-3747-11D0-9FEA-00AA003F8646}) COM Create Instance: %SystemRoot%\system32\msxml3.dll, ProgID: (Microsoft.XMLDOM.1.0), Interface ID: ({00000000-0000-0000-C000-000000000046}) COM Create Instance: %SystemRoot%\system32\shdocvw.dll, ProgID: (), Interface ID: ({000214E6-0000-0000-C000-000000000046}) COM Get Class Object: C:\WINDOWS\system32\urlmon.dll, Interface ID: ({00000001-0000-0000-C000-000000000046}) File System Activity: Get File Attributes: C:\WINDOWS\ Flags: (SECURITY_ANONYMOUS) Open File: C:\Program Files\6SQ Toolbar\6sqtoolbar.dll (OPEN_EXISTING) Open File: C:\Program Files\6SQ Toolbar\basis.xml (OPEN_EXISTING) Get File Attributes: C:\WINDOWS\Registration Flags: (SECURITY_ANONYMOUS) Get File Attributes: C:\Program Files\6SQ Toolbar\favicon.ico Flags: (SECURITY_ANONYMOUS) Open File: C:\Program Files\6SQ Toolbar\version.txt (OPEN_EXISTING) Open File: \\.\PIPE\wkssvc (OPEN_EXISTING) Get File Attributes: C:\Program Files\6SQ Toolbar Flags: (SECURITY_ANONYMOUS) Get File Attributes: iexplore.exe Flags: (SECURITY_ANONYMOUS) Open File: C:\WINDOWS\system32\shdocvw.dll (OPEN_EXISTING) Open File: \\.\PIPE\lsarpc (OPEN_EXISTING) Get File Attributes: C:\Program Files\Internet Explorer\iexplore.exe Flags: (SECURITY_ANONYMOUS) Get File Attributes: C:\Program Files\Internet Explorer\iexplore.exe:Zone.Identifier Flags: (SECURITY_ANONYMOUS) Get File Attributes: C:\Program Files\desktop.ini Flags: (SECURITY_ANONYMOUS) Open File: \SystemRoot\AppPatch\sysmain.sdb (OPEN_EXISTING) Open File: \SystemRoot\AppPatch\systest.sdb (OPEN_EXISTING) Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING) 
Open File: C:\Program Files\Internet Explorer\iexplore.exe () Find File: iexplore.exe Find File: C:\Program Files\6SQ Toolbar\*.dll Registry Changes: HKEY_CLASSES_ROOT\XBTB03506.IEToolbar.1 "" = IE Toolbar HKEY_CLASSES_ROOT\XBTB03506.IEToolbar.1\CLSID "" = {050EB4EE-027A-4005-9454-1434E1A187B9} HKEY_CLASSES_ROOT\XBTB03506.IEToolbar "" = IE Toolbar HKEY_CLASSES_ROOT\XBTB03506.IEToolbar\CLSID "" = {050EB4EE-027A-4005-9454-1434E1A187B9} HKEY_CLASSES_ROOT\XBTB03506.IEToolbar\CurVer "" = XBTB03506.IEToolbar.1 HKEY_CLASSES_ROOT\CLSID\{050EB4EE-027A-4005-9454-1434E1A187B9} "" = IE Toolbar HKEY_CLASSES_ROOT\CLSID\{050EB4EE-027A-4005-9454-1434E1A187B9}\ProgID "" = XBTB03506.IEToolbar.1 HKEY_CLASSES_ROOT\CLSID\{050EB4EE-027A-4005-9454-1434E1A187B9}\VersionIndependentProgID "" = XBTB03506.IEToolbar HKEY_CLASSES_ROOT\CLSID\{050EB4EE-027A-4005-9454-1434E1A187B9}\InprocServer32 "" = C:\PROGRA~1\6SQTOO~1\6SQTOO~1.DLL HKEY_CLASSES_ROOT\CLSID\{050EB4EE-027A-4005-9454-1434E1A187B9}\InprocServer32 "ThreadingModel" = Apartment HKEY_CLASSES_ROOT\CLSID\{050EB4EE-027A-4005-9454-1434E1A187B9}\TypeLib "" = {E26E848C-C85B-4081-979C-A0046E6F329F} HKEY_CLASSES_ROOT\ToolBand.XBTP03506.1 "" = XBTP03506 Class HKEY_CLASSES_ROOT\ToolBand.XBTP03506.1\CLSID "" = {ADE34BA8-D2D3-4be6-94D4-C25B871F6905} HKEY_CLASSES_ROOT\ToolBand.XBTP03506 "" = XBTP03506 Class HKEY_CLASSES_ROOT\ToolBand.XBTP03506\CLSID "" = {ADE34BA8-D2D3-4be6-94D4-C25B871F6905} HKEY_CLASSES_ROOT\ToolBand.XBTP03506\CurVer "" = ToolBand.XBTP03506.1 HKEY_CLASSES_ROOT\CLSID\{ADE34BA8-D2D3-4be6-94D4-C25B871F6905} "" = XBTP03506 Class HKEY_CLASSES_ROOT\CLSID\{ADE34BA8-D2D3-4be6-94D4-C25B871F6905}\ProgID "" = ToolBand.XBTP03506.1 HKEY_CLASSES_ROOT\CLSID\{ADE34BA8-D2D3-4be6-94D4-C25B871F6905}\VersionIndependentProgID "" = ToolBand.XBTP03506 HKEY_CLASSES_ROOT\CLSID\{ADE34BA8-D2D3-4be6-94D4-C25B871F6905}\InprocServer32 "" = C:\PROGRA~1\6SQTOO~1\6SQTOO~1.DLL HKEY_CLASSES_ROOT\CLSID\{ADE34BA8-D2D3-4be6-94D4-C25B871F6905}\InprocServer32 
"ThreadingModel" = Apartment HKEY_CLASSES_ROOT\CLSID\{ADE34BA8-D2D3-4be6-94D4-C25B871F6905}\TypeLib "" = {E26E848C-C85B-4081-979C-A0046E6F329F} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ADE34BA8-D2D3-4be6-94D4-C25B871F6905} "" = XBTP03506 HKEY_CLASSES_ROOT\TypeLib\{E26E848C-C85B-4081-979C-A0046E6F329F}\1.0 "" = Toolbar 1.0 Type Library HKEY_CLASSES_ROOT\TypeLib\{E26E848C-C85B-4081-979C-A0046E6F329F}\1.0\FLAGS "" = 0 HKEY_CLASSES_ROOT\TypeLib\{E26E848C-C85B-4081-979C-A0046E6F329F}\1.0\0\win32 "" = C:\Program Files\6SQ Toolbar\6sqtoolbar.dll HKEY_CLASSES_ROOT\TypeLib\{E26E848C-C85B-4081-979C-A0046E6F329F}\1.0\HELPDIR "" = C:\Program Files\6SQ Toolbar\ HKEY_CURRENT_USER\software\XBTB03506\Toolbar "corruptedMsg" = One of the XML files is corrupted or invalid. Press OK to uninstall. HKEY_CURRENT_USER\software\XBTB03506\Toolbar "uninstallMsg" = ?????6SQ???? HKEY_CURRENT_USER\software\XBTB03506\Toolbar "updateMsg" = ????????6SQ???? HKEY_CURRENT_USER\software\XBTB03506\Toolbar "autoUpdateMsg" = ???6SQ???????,?????????? HKEY_CURRENT_USER\software\XBTB03506\Toolbar "versionError" = ??????????? HKEY_CURRENT_USER\software\XBTB03506\Toolbar "connectionError" = ???????. HKEY_CURRENT_USER\software\XBTB03506\Toolbar "lastVersionMsg" = ??????????? HKEY_CURRENT_USER\software\XBTB03506\Toolbar "contextMenuItemName" = 6SQ????? HKEY_CURRENT_USER\software\XBTB03506\Toolbar "closeAllWindowsForUpdate" = ????????IE???????,????? 
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "firstURL" = http://www.6sq.net/ HKEY_CURRENT_USER\software\XBTB03506\Toolbar "serverpath" = http://www.6sq.net/toolbar/ HKEY_CURRENT_USER\software\XBTB03506\Toolbar "updateUrl" = http://www.6sq.net/toolbar/6sqtoolbar.cab HKEY_CURRENT_USER\software\XBTB03506\Toolbar "urlAfterUpdate" = HKEY_CURRENT_USER\software\XBTB03506\Toolbar "urlAfterUninstall" = HKEY_CURRENT_USER\software\XBTB03506\Toolbar "contextSearch" = http://www.google.com/search?q=%selection HKEY_CURRENT_USER\software\XBTB03506\Toolbar "OpenNew" = 0 HKEY_CURRENT_USER\software\XBTB03506\Toolbar "AutoComplete" = 1 HKEY_CURRENT_USER\software\XBTB03506\Toolbar "KeepHistory" = 1 HKEY_CURRENT_USER\software\XBTB03506\Toolbar "RunSearchAutomatically" = 1 HKEY_CURRENT_USER\software\XBTB03506\Toolbar "RunSearchDragAutomatically" = 1 HKEY_CURRENT_USER\software\XBTB03506\Toolbar "DescriptiveText" = 1 HKEY_CURRENT_USER\software\XBTB03506\Toolbar "ShowHighlightButton" = 0 HKEY_CURRENT_USER\software\XBTB03506\Toolbar "ShowFindButtons" = 1 HKEY_CURRENT_USER\software\XBTB03506\Toolbar "UpdateAutomatically" = 2 HKEY_CURRENT_USER\software\XBTB03506\Toolbar "EditWidthcombo1" = 1 HKEY_CURRENT_USER\software\XBTB03506\Toolbar\tb_items "Widthcombo11" = [REG_DWORD, value: 00000001] HKEY_CURRENT_USER\software\XBTB03506\Toolbar "#EditWidthcombo1#" = Widthcombo11 HKEY_CURRENT_USER\software\XBTB03506\Toolbar "PopStop" = Untitled Toolbar has blocked a Pop-up window HKEY_CURRENT_USER\software\XBTB03506\Toolbar "ErrorMsg" = Error HKEY_CURRENT_USER\software\XBTB03506\Toolbar "AlertMsg" = Alert HKEY_CURRENT_USER\software\XBTB03506\Toolbar "FindWord" = Select %currentword on the page HKEY_CURRENT_USER\software\XBTB03506\Toolbar "CloseWindow" = 1 HKEY_CLASSES_ROOT\XBTB03506.XBTB03506.1\ "" = 6SQ Toolbar HKEY_CLASSES_ROOT\XBTB03506.XBTB03506.1\CLSID "" = {050EB4EE-027A-4005-9454-1434E1A187B9} HKEY_CLASSES_ROOT\XBTB03506.XBTB03506\ "" = 6SQ Toolbar HKEY_CLASSES_ROOT\XBTB03506.XBTB03506\CLSID "" = 
{050EB4EE-027A-4005-9454-1434E1A187B9} HKEY_CLASSES_ROOT\XBTB03506.XBTB03506\CurVer "" = XBTB03506.XBTB03506.1 HKEY_CLASSES_ROOT\CLSID\{050EB4EE-027A-4005-9454-1434E1A187B9} "" = 6SQ Toolbar HKEY_CLASSES_ROOT\CLSID\{050EB4EE-027A-4005-9454-1434E1A187B9}\ProgID "" = XBTB03506.XBTB03506.1 HKEY_CLASSES_ROOT\CLSID\{050EB4EE-027A-4005-9454-1434E1A187B9}\VersionIndependentProgID "" = XBTB03506.XBTB03506 HKEY_CLASSES_ROOT\CLSID\{050EB4EE-027A-4005-9454-1434E1A187B9}\InprocServer32 "" = C:\Program Files\6SQ Toolbar\6sqtoolbar.dll HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN "iexplore.exe" = [REG_DWORD, value: 00000000] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar "{050EB4EE-027A-4005-9454-1434E1A187B9}" = [REG_BINARY, size: 1 bytes] HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{050EB4EE-027A-4005-9454-1434E1A187B9} "ButtonText" = 6SQ Toolbar HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{050EB4EE-027A-4005-9454-1434E1A187B9} "CLSID" = {1FBA04EE-3024-11d2-8F1F-0000F87ABD16}. 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{050EB4EE-027A-4005-9454-1434E1A187B9} "Default Visible" = yes HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{050EB4EE-027A-4005-9454-1434E1A187B9} "HotIcon" = C:\Program Files\6SQ Toolbar\favicon.ico HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{050EB4EE-027A-4005-9454-1434E1A187B9} "Icon" = C:\Program Files\6SQ Toolbar\favicon.ico HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{050EB4EE-027A-4005-9454-1434E1A187B9} "MenuStatusBar" = 6SQ Toolbar HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{050EB4EE-027A-4005-9454-1434E1A187B9} "MenuText" = 6SQ Toolbar HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{050EB4EE-027A-4005-9454-1434E1A187B9} "ClsidExtension" = {050EB4EE-027A-4005-9454-1434E1A187B9} HKEY_CURRENT_USER\software\XBTB03506\Toolbar "toolbar_id" = {E2123294-BBA9-4973-B966-F1DE76CFD5BF} HKEY_CURRENT_USER\software\XBTB03506\Toolbar "toolbar_version" = HKEY_CURRENT_USER\software\XBTB03506\Toolbar "firstTime" = 1 HKEY_CURRENT_USER\software\XBTB03506\Toolbar "TBShow" = 1 Registry Reads: HKEY_CLASSES_ROOT\.dll "" HKEY_CLASSES_ROOT\TypeLib\{E26E848C-C85B-4081-979C-A0046E6F329F}\1.0 "" HKEY_CLASSES_ROOT\TypeLib\{E26E848C-C85B-4081-979C-A0046E6F329F}\1.0\FLAGS "" HKEY_CLASSES_ROOT\TypeLib\{E26E848C-C85B-4081-979C-A0046E6F329F}\1.0\0\win32 "" HKEY_CLASSES_ROOT\TypeLib\{E26E848C-C85B-4081-979C-A0046E6F329F}\1.0\HELPDIR "" HKEY_CURRENT_USER\software\XBTB03506\Toolbar "ProgramPath" HKEY_CURRENT_USER\software\XBTB03506\Toolbar "OpenNew" HKEY_CURRENT_USER\software\XBTB03506\Toolbar "AutoComplete" HKEY_CURRENT_USER\software\XBTB03506\Toolbar "KeepHistory" HKEY_CURRENT_USER\software\XBTB03506\Toolbar "RunSearchAutomatically" HKEY_CURRENT_USER\software\XBTB03506\Toolbar "RunSearchDragAutomatically" HKEY_CURRENT_USER\software\XBTB03506\Toolbar "DescriptiveText" HKEY_CURRENT_USER\software\XBTB03506\Toolbar 
"ShowHighlightButton"
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "ShowFindButtons"
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "UpdateAutomatically"
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "EditWidthcombo1"
HKEY_CURRENT_USER\software\XBTB03506\Toolbar ""
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "toolbar_id"
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "Updating"
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "firstURL"
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "updateXML"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility "DisableAppCompat"
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{871c5380-42a0-1069-a2ea-08002b30309d}\InProcServer32 ""
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"

Process Management:
Creates Process - Filename (iexplore.exe) CommandLine: (http://www.6sq.net/) As User: () Creation Flags: ()
Kill Process - Filename () CommandLine: () Target PID: (472) As User: () Creation Flags: ()

System Info:
Get System Directory
Get Computer Name

Process Started:
Process ID 488
Filename C:\Program Files\Internet Explorer\iexplore.exe hxxp://www.6sq.net/
Filesize 93184 bytes
MD5 e7484514c0464642be7b4dc2689354c8
Start Reason CreateProcess

COM:
COM Create Instance: %SystemRoot%\system32\shdocvw.dll, ProgID: (), Interface ID: ({00000000-0000-0000-C000-000000000046})
COM Create Instance: %SystemRoot%\system32\shdocvw.dll, ProgID: (), Interface ID: ({47851649-A2EF-4E67-BAEC-C6A153AC72EC})
COM Create Instance: %SystemRoot%\system32\SHELL32.dll, ProgID: (), Interface ID: ({EE1F7637-E138-11D1-8379-00C04FD918D0})
COM Create Instance: %SystemRoot%\System32\cscui.dll, ProgID: (), Interface ID: ({0C6C4200-C589-11D0-999A-00C04FD655E1})
COM Create Instance: C:\PROGRA~1\6SQTOO~1\6SQTOO~1.DLL, ProgID: (ToolBand.XBTP03506.1), Interface ID: ({FC4801A3-2BA9-11CF-A229-00AA003D7352})
COM Create Instance: C:\WINDOWS\system32\mlang.dll, ProgID: (), Interface ID: ({275C23E1-3747-11D0-9FEA-00AA003F8646})
COM Create Instance:
%SystemRoot%\system32\msxml3.dll, ProgID: (Microsoft.XMLDOM.1.0), Interface ID: ({00000000-0000-0000-C000-000000000046}) COM Create Instance: C:\Program Files\6SQ Toolbar\6sqtoolbar.dll, ProgID: (XBTB03506.XBTB03506.1), Interface ID: ({EB0FE172-1A3A-11D0-89B3-00A0C90A90AC}) COM Create Instance: shell32.dll, ProgID: (lnkfile), Interface ID: ({000214EE-0000-0000-C000-000000000046}) COM Create Instance: C:\WINDOWS\system32\urlmon.dll, ProgID: (), Interface ID: ({79EAC9EF-BAF9-11CE-8C82-00AA004BA90B}) COM Create Instance: %SystemRoot%\system32\shdocvw.dll, ProgID: (), Interface ID: ({000214E6-0000-0000-C000-000000000046}) COM Create Instance: %SystemRoot%\system32\shdocvw.dll, ProgID: (), Interface ID: ({85CB6900-4D95-11CF-960C-0080C7F4EE85}) COM Create Instance: , ProgID: (), Interface ID: ({00000149-0000-0000-C000-000000000046}) COM Create Instance: %SystemRoot%\system32\shdocvw.dll, ProgID: (), Interface ID: ({A5ACA655-7FB8-43DC-A433-8D87B69C70A0}) COM Get Class Object: %SystemRoot%\system32\shdocvw.dll, Interface ID: ({00000001-0000-0000-C000-000000000046}) COM Get Class Object: oleaut32.dll, Interface ID: ({D5F569D0-593B-101A-B569-08002B2DBF7A}) COM Get Class Object: %SystemRoot%\system32\mshtml.dll, Interface ID: ({00000001-0000-0000-C000-000000000046}) COM Get Class Object: C:\WINDOWS\system32\urlmon.dll, Interface ID: ({00000001-0000-0000-C000-000000000046}) File System Activities: Get File Attributes: C:\WINDOWS\Registration Flags: (SECURITY_ANONYMOUS) Open File: \\.\pipe\!win$ (OPEN_EXISTING) Open File: C:\WINDOWS\system32\WININET.dll (OPEN_EXISTING) Open File: C:\WINDOWS\System32\cscui.dll (OPEN_EXISTING) Open File: \\.\shadow (OPEN_EXISTING) Get File Attributes: C:\WINDOWS\ Flags: (SECURITY_ANONYMOUS) Open File: \\.\PIPE\lsarpc (OPEN_EXISTING) Get File Attributes: C:\Documents and Settings\Sandbox\Favorites\desktop.ini Flags: (SECURITY_ANONYMOUS) Get File Attributes: C:\Documents and Settings\Sandbox\Favorites\Links Flags: (SECURITY_ANONYMOUS) Get File 
Attributes: C:\Documents and Settings\Sandbox\Local Settings\Temporary Internet Files\desktop.ini Flags: (SECURITY_ANONYMOUS) Open File: C:\PROGRA~1\6SQTOO~1\basis.xml (OPEN_EXISTING) Open File: C:\Program Files\6SQ Toolbar\6sqtoolbar.dll (OPEN_EXISTING) Open File: \SystemRoot\AppPatch\sysmain.sdb (OPEN_EXISTING) Open File: \SystemRoot\AppPatch\systest.sdb (OPEN_EXISTING) Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING) Open File: C:\Program Files\6SQ Toolbar\6sqtoolbar.dll () Find File: 6sqtoolbar.dll Find File: C:\PROGRA~1\6SQTOO~1\*.dll Get File Attributes: C:\PROGRA~1\6SQTOO~1\your_logo.bmp Flags: (SECURITY_ANONYMOUS) Open File: C:\PROGRA~1\6SQTOO~1\affid.dat (OPEN_EXISTING) Open File: C:\PROGRA~1\6SQTOO~1\version.txt (OPEN_EXISTING) Get File Attributes: C:\Documents and Settings\Sandbox\Start Menu\desktop.ini Flags: (SECURITY_ANONYMOUS) Get File Attributes: C:\Documents and Settings\All Users\Start Menu\desktop.ini Flags: (SECURITY_ANONYMOUS) Get File Attributes: C:\Documents and Settings\All Users\Application Data\desktop.ini Flags: (SECURITY_ANONYMOUS) Get File Attributes: C:\Documents and Settings\Sandbox\Application Data\desktop.ini Flags: (SECURITY_ANONYMOUS) Get File Attributes: C:\Documents and Settings\Sandbox\My Documents\desktop.ini Flags: (SECURITY_ANONYMOUS) Get File Attributes: C:\Documents and Settings\Sandbox\My Documents\My Pictures\desktop.ini Flags: (SECURITY_ANONYMOUS) Get File Attributes: C:\Program Files\desktop.ini Flags: (SECURITY_ANONYMOUS) Get File Attributes: C:\Documents and Settings\All Users\Documents\desktop.ini Flags: (SECURITY_ANONYMOUS) Get File Attributes: C:\Documents and Settings\All Users\Documents\My Pictures\desktop.ini Flags: (SECURITY_ANONYMOUS) Open File: \\.\PIPE\wkssvc (OPEN_EXISTING) Get File Attributes: C:\Documents and Settings\All Users\Documents\My Music\desktop.ini Flags: (SECURITY_ANONYMOUS) Get File Attributes: C:\Documents and Settings\All Users\Documents\My Videos\desktop.ini Flags: 
(SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\system32\shdocvw.dll (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\stdole2.tlb (OPEN_EXISTING)
Open File: \\.\PIPE\ROUTER (OPEN_EXISTING)
Create/Open File: \Device\Tcp (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Open File: \\.\Ip (OPEN_EXISTING)
Find File: C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
Find File: C:\WINDOWS\system32\Ras\*.pbk
Get File Attributes: c:\autoexec.bat Flags: (SECURITY_ANONYMOUS)
Open File: c:\autoexec.bat (OPEN_EXISTING)
Find File: C:\Documents and Settings\Sandbox\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)

Read INI File:
C:\Documents and Settings\Sandbox\Favorites\desktop.ini [DeleteOnCopy] Owner =
C:\Documents and Settings\Sandbox\Favorites\desktop.ini [.ShellClassInfo] LocalizedResourceName =
C:\Documents and Settings\Sandbox\Local Settings\Temporary Internet Files\desktop.ini [DeleteOnCopy] Owner =
C:\Documents and Settings\Sandbox\Local Settings\Temporary Internet Files\desktop.ini [.ShellClassInfo] LocalizedResourceName =
C:\Documents and Settings\Sandbox\Start Menu\desktop.ini [DeleteOnCopy] Owner =
C:\Documents and Settings\Sandbox\Start Menu\desktop.ini [.ShellClassInfo] LocalizedResourceName =
C:\Documents and Settings\All Users\Start Menu\desktop.ini [DeleteOnCopy] Owner =
C:\Documents and Settings\All Users\Start Menu\desktop.ini [.ShellClassInfo] LocalizedResourceName =
C:\Documents and Settings\All Users\Application Data\desktop.ini [DeleteOnCopy] Owner =
C:\Documents and Settings\All Users\Application Data\desktop.ini [.ShellClassInfo] LocalizedResourceName =
C:\Documents and Settings\Sandbox\Application Data\desktop.ini [DeleteOnCopy] Owner =
C:\Documents and Settings\Sandbox\Application Data\desktop.ini [.ShellClassInfo] LocalizedResourceName =
C:\Documents and Settings\Sandbox\My Documents\desktop.ini [DeleteOnCopy] Owner =
C:\Documents and Settings\Sandbox\My Documents\desktop.ini [DeleteOnCopy.A] Owner =
C:\Documents and Settings\Sandbox\My Documents\desktop.ini [DeleteOnCopy] PersonalizedName =
C:\Documents and Settings\Sandbox\My Documents\desktop.ini [DeleteOnCopy.A] PersonalizedName =
C:\Documents and Settings\Sandbox\My Documents\My Pictures\desktop.ini [DeleteOnCopy] Owner =
C:\Documents and Settings\Sandbox\My Documents\My Pictures\desktop.ini [DeleteOnCopy.A] Owner =
C:\Documents and Settings\Sandbox\My Documents\My Pictures\desktop.ini [DeleteOnCopy] PersonalizedName =
C:\Documents and Settings\Sandbox\My Documents\My Pictures\desktop.ini [DeleteOnCopy.A] PersonalizedName =
C:\Documents and Settings\All Users\Documents\desktop.ini [DeleteOnCopy] Owner =
C:\Documents and Settings\All Users\Documents\desktop.ini [.ShellClassInfo] LocalizedResourceName =
C:\Documents and Settings\All Users\Documents\My Pictures\desktop.ini [DeleteOnCopy] Owner =
C:\Documents and Settings\All Users\Documents\My Pictures\desktop.ini [.ShellClassInfo] LocalizedResourceName =
C:\Documents and Settings\All Users\Documents\My Music\desktop.ini [DeleteOnCopy] Owner =
C:\Documents and Settings\All Users\Documents\My Music\desktop.ini [.ShellClassInfo] LocalizedResourceName =
C:\Documents and Settings\All Users\Documents\My Videos\desktop.ini [DeleteOnCopy] Owner =
C:\Documents and Settings\All Users\Documents\My Videos\desktop.ini [.ShellClassInfo] LocalizedResourceName =
WIN.INI [windows] DragScrollInset =
WIN.INI [windows] DragScrollDelay =
WIN.INI [windows] DragDelay =
WIN.INI [windows] DragScrollInterval =

Mutexes:
Creates Mutex: Shell.CMruPidlList
Creates Mutex: RasPbFile
Opens Mutex: WininetStartupMutex

Registry Changes:
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "CurrentFont" = Tahoma
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "FontSize" = [REG_DWORD, value: 0000000D]
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "CurrentLayout" = [REG_DWORD, value: 00000000]
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "ToolbarIsFailed" = [REG_DWORD, value: 00000000]
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "corruptedMsg" = One of the XML files is corrupted or invalid. Press OK to uninstall.
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "uninstallMsg" = ?????6SQ????
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "updateMsg" = ????????6SQ????
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "autoUpdateMsg" = ???6SQ???????,??????????
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "versionError" = ???????????
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "connectionError" = ???????.
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "lastVersionMsg" = ???????????
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "contextMenuItemName" = 6SQ?????
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "closeAllWindowsForUpdate" = ????????IE???????,?????
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "firstURL" = http://www.6sq.net/
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "serverpath" = http://www.6sq.net/toolbar/
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "updateUrl" = http://www.6sq.net/toolbar/6sqtoolbar.cab
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "urlAfterUpdate" =
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "urlAfterUninstall" =
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "contextSearch" = http://www.google.com/search?q=%selection
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "OpenNew" = 0
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "AutoComplete" = 1
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "KeepHistory" = 1
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "RunSearchAutomatically" = 1
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "RunSearchDragAutomatically" = 1
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "DescriptiveText" = 1
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "ShowHighlightButton" = 0
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "ShowFindButtons" = 1
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "UpdateAutomatically" = 2
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "EditWidthcombo1" = 1
HKEY_CURRENT_USER\software\XBTB03506\Toolbar\tb_items "Widthcombo11" = [REG_DWORD, value: 00000001]
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "#EditWidthcombo1#" = Widthcombo11
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "PopStop" = Untitled Toolbar has blocked a Pop-up window
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "ErrorMsg" = Error
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "AlertMsg" = Alert
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "FindWord" = Select %currentword on the page
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "CloseWindow" = 1
HKEY_CURRENT_USER\software\XBTB03506\Toolbar\tb_items "tbs_button_032612" = [REG_DWORD, value: 00000001]
HKEY_CURRENT_USER\software\XBTB03506\Toolbar\tb_items "tbs_item_021209" = [REG_DWORD, value: 00000001]
HKEY_CURRENT_USER\software\XBTB03506\Toolbar\tb_items "tbs_item_020586" = [REG_DWORD, value: 00000001]
HKEY_CURRENT_USER\software\XBTB03506\Toolbar\tb_items "tbs_item_006598" = [REG_DWORD, value: 00000001]
HKEY_CURRENT_USER\software\XBTB03506\Toolbar\tb_items "tbs_item_020801" = [REG_DWORD, value: 00000001]
HKEY_CURRENT_USER\software\XBTB03506\Toolbar\tb_items "tbs_separator_006171" = [REG_DWORD, value: 00000001]
HKEY_CURRENT_USER\software\XBTB03506\Toolbar\tb_items "tbs_combo_013051" = [REG_DWORD, value: 00000001]
HKEY_CURRENT_USER\software\XBTB03506\Toolbar\tb_items "tbs_button_021347" = [REG_DWORD, value: 00000001]
HKEY_CURRENT_USER\software\XBTB03506\Toolbar\tb_items "tbs_item_020513" = [REG_DWORD, value: 00000001]
HKEY_CURRENT_USER\software\XBTB03506\Toolbar\tb_items "tbs_item_017873" = [REG_DWORD, value: 00000001]
HKEY_CURRENT_USER\software\XBTB03506\Toolbar\tb_items "tbs_item_005183" = [REG_DWORD, value: 00000001]
HKEY_CURRENT_USER\software\XBTB03506\Toolbar\tb_items "tbs_item_010735" = [REG_DWORD, value: 00000001]
HKEY_CURRENT_USER\software\XBTB03506\Toolbar\tb_items "tbs_separator_018925" = [REG_DWORD, value: 00000001]
HKEY_CURRENT_USER\software\XBTB03506\Toolbar\tb_items "tbs_button_006936" = [REG_DWORD, value: 00000001]
HKEY_CURRENT_USER\software\XBTB03506\Toolbar\tb_items "tbs_separator_000120" = [REG_DWORD, value: 00000001]
HKEY_CURRENT_USER\software\XBTB03506\Toolbar\tb_items "tbs_button_020211" = [REG_DWORD, value: 00000001]
HKEY_CURRENT_USER\software\XBTB03506\Toolbar\tb_items "tbs_separator_005253" = [REG_DWORD, value: 00000001]
HKEY_CURRENT_USER\software\XBTB03506\Toolbar\tb_items "tbs_button_004563" = [REG_DWORD, value: 00000001]
HKEY_CURRENT_USER\software\XBTB03506\Toolbar\tb_items "tbs_separator_019286" = [REG_DWORD, value: 00000001]
HKEY_CURRENT_USER\software\XBTB03506\Toolbar\tb_items "tbs_button_023640" = [REG_DWORD, value: 00000001]
HKEY_CURRENT_USER\software\XBTB03506\Toolbar\tb_items "tbs_separator_024861" = [REG_DWORD, value: 00000001]
HKEY_CURRENT_USER\software\XBTB03506\Toolbar\tb_items "tbs_button_028753" = [REG_DWORD, value: 00000001]
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "blockPopups" = [REG_DWORD, value: 00000001]
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "updateXML" = 1
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "Scope" = [REG_DWORD, value: 000002D0]
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "TBBreak" = [REG_DWORD, value: 00000001]
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "TBPos" = [REG_DWORD, value: 00000064]
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "firstTime" = 0
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "OldOS" = [REG_DWORD, value: 00000000]
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "CountOS" = [REG_DWORD, value: 00000000]
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "m_bWorking" = 1
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "m_bWorking" = 0
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "toolbar_version" = 6SQ Toolbar 2.0
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks\ "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" =
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\CpMRU "Enable" = [REG_DWORD, value: 00000001]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\CpMRU "Size" = [REG_DWORD, value: 0000000A]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\CpMRU "InitHits" = [REG_DWORD, value: 00000064]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\CpMRU "Factor" = [REG_DWORD, value: 00000014]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International "W2KLpk" = [REG_DWORD, value: 00000001]

Registry Reads:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility "DisableAppCompat"
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{a5e46e3a-8849-11d1-9d8c-00c04fc99d61}\InProcServer32 ""
HKEY_CLASSES_ROOT\.htm ""
HKEY_CLASSES_ROOT\.htm "Content Type"
HKEY_CLASSES_ROOT\.html ""
HKEY_CLASSES_ROOT\.html "Content Type"
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{5b4dae26-b807-11d0-9815-00c04fd91972}\InProcServer32 ""
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{750fdf0e-2a26-11d1-a3ea-080036587f03}\InProcServer32 ""
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "ProgramPath"
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "firstTime"
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{050eb4ee-027a-4005-9454-1434e1a187b9}\InProcServer32 ""
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "BlockedCounter"
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "CurrentFont"
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "FontSize"
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "CurrentLayout"
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "TBFace"
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "OpenNew"
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "AutoComplete"
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "KeepHistory"
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "RunSearchAutomatically"
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "RunSearchDragAutomatically"
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "DescriptiveText"
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "ShowHighlightButton"
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "ShowFindButtons"
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "UpdateAutomatically"
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "EditWidthcombo1"
HKEY_CURRENT_USER\software\XBTB03506\Toolbar ""
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "@redirect"
HKEY_CURRENT_USER\software\XBTB03506\Toolbar\tb_items "tbs_button_032612"
HKEY_CURRENT_USER\software\XBTB03506\Toolbar\tb_items "tbs_item_021209"
HKEY_CURRENT_USER\software\XBTB03506\Toolbar\tb_items "tbs_item_020586"
HKEY_CURRENT_USER\software\XBTB03506\Toolbar\tb_items "tbs_item_006598"
HKEY_CURRENT_USER\software\XBTB03506\Toolbar\tb_items "tbs_item_020801"
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "@"
HKEY_CURRENT_USER\software\XBTB03506\Toolbar\tb_items "tbs_separator_006171"
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "@searchGoogle"
HKEY_CURRENT_USER\software\XBTB03506\Toolbar\tb_items "tbs_combo_013051"
HKEY_CURRENT_USER\software\XBTB03506\Toolbar\tb_items "tbs_button_021347"
HKEY_CURRENT_USER\software\XBTB03506\Toolbar\tb_items "tbs_item_020513"
HKEY_CURRENT_USER\software\XBTB03506\Toolbar\tb_items "tbs_item_017873"
HKEY_CURRENT_USER\software\XBTB03506\Toolbar\tb_items "tbs_item_005183"
HKEY_CURRENT_USER\software\XBTB03506\Toolbar\tb_items "tbs_item_010735"
HKEY_CURRENT_USER\software\XBTB03506\Toolbar\tb_items "tbs_separator_018925"
HKEY_CURRENT_USER\software\XBTB03506\Toolbar\tb_items "tbs_button_006936"
HKEY_CURRENT_USER\software\XBTB03506\Toolbar\tb_items "tbs_separator_000120"
HKEY_CURRENT_USER\software\XBTB03506\Toolbar\tb_items "tbs_button_020211"
HKEY_CURRENT_USER\software\XBTB03506\Toolbar\tb_items "tbs_separator_005253"
HKEY_CURRENT_USER\software\XBTB03506\Toolbar\tb_items "tbs_button_004563"
HKEY_CURRENT_USER\software\XBTB03506\Toolbar\tb_items "tbs_separator_019286"
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "@blockPopups"
HKEY_CURRENT_USER\software\XBTB03506\Toolbar\tb_items "tbs_button_023640"
HKEY_CURRENT_USER\software\XBTB03506\Toolbar\tb_items "tbs_separator_024861"
HKEY_CURRENT_USER\software\XBTB03506\Toolbar\tb_items "tbs_button_028753"
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "DescriptiveImage"
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "EditWidthcombo"
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "blockPopups"
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "ToolbarIsFailed"
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "updateXML"
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "TBWidth"
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "TBPos"
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "TBBreak"
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{00021401-0000-0000-c000-000000000046}\InProcServer32 ""
HKEY_CURRENT_USER\software\XBTB03506\Toolbar "toolbar_id"
HKEY_CLASSES_ROOT\http "EditFlags"
HKEY_CLASSES_ROOT\http "URL Protocol"
HKEY_CLASSES_ROOT\https "EditFlags"
HKEY_CLASSES_ROOT\https "URL Protocol"
HKEY_CLASSES_ROOT\ftp "EditFlags"
HKEY_CLASSES_ROOT\ftp "URL Protocol"
HKEY_CLASSES_ROOT\gopher "EditFlags"
HKEY_CLASSES_ROOT\gopher "URL Protocol"
HKEY_CLASSES_ROOT\telnet ""
HKEY_CLASSES_ROOT\telnet "EditFlags"
HKEY_CLASSES_ROOT\telnet "URL Protocol"
HKEY_CLASSES_ROOT\telnet\DefaultIcon ""
HKEY_CLASSES_ROOT\telnet\shell\open\command ""
HKEY_CLASSES_ROOT\rlogin ""
HKEY_CLASSES_ROOT\rlogin "EditFlags"
HKEY_CLASSES_ROOT\rlogin "URL Protocol"
HKEY_CLASSES_ROOT\rlogin\DefaultIcon ""
HKEY_CLASSES_ROOT\rlogin\shell\open\command ""
HKEY_CLASSES_ROOT\tn3270 ""
HKEY_CLASSES_ROOT\tn3270 "EditFlags"
HKEY_CLASSES_ROOT\tn3270 "URL Protocol"
HKEY_CLASSES_ROOT\tn3270\DefaultIcon ""
HKEY_CLASSES_ROOT\tn3270\shell\open\command ""
HKEY_CLASSES_ROOT\mailto ""
HKEY_CLASSES_ROOT\mailto "EditFlags"
HKEY_CLASSES_ROOT\mailto "URL Protocol"
HKEY_CLASSES_ROOT\mailto\DefaultIcon ""
HKEY_CLASSES_ROOT\mailto\shell\open\command ""
HKEY_CLASSES_ROOT\news ""
HKEY_CLASSES_ROOT\news "EditFlags"
HKEY_CLASSES_ROOT\news "URL Protocol"
HKEY_CLASSES_ROOT\news\DefaultIcon ""
HKEY_CLASSES_ROOT\news\shell\open\command ""
HKEY_CLASSES_ROOT\.url ""
HKEY_CLASSES_ROOT\InternetShortcut ""
HKEY_CLASSES_ROOT\InternetShortcut "EditFlags"
HKEY_CLASSES_ROOT\InternetShortcut "IsShortcut"
HKEY_CLASSES_ROOT\InternetShortcut "NeverShowExt"
HKEY_CLASSES_ROOT\InternetShortcut\CLSID ""
HKEY_CLASSES_ROOT\InternetShortcut\DefaultIcon ""
HKEY_CLASSES_ROOT\InternetShortcut\shellex\IconHandler ""
HKEY_CLASSES_ROOT\InternetShortcut\shellex\PropertySheetHandlers\{FBF23B40-E3F0-101B-8488-00AA003E56F8} ""
HKEY_CLASSES_ROOT\CLSID\{FBF23B40-E3F0-101B-8488-00AA003E56F8} ""
HKEY_CLASSES_ROOT\CLSID\{FBF23B40-E3F0-101B-8488-00AA003E56F8}\InProcServer32 ""
HKEY_CLASSES_ROOT\CLSID\{FBF23B40-E3F0-101B-8488-00AA003E56F8}\InProcServer32 "ThreadingModel"
HKEY_CLASSES_ROOT\CLSID\{FBF23B40-E3F0-101B-8488-00AA003E56F8}\InProcServer32 "LoadWithoutCOM"
HKEY_CLASSES_ROOT\http\shell\open\command ""
HKEY_CLASSES_ROOT\http\shell\open\ddeexec ""
HKEY_CLASSES_ROOT\http\shell\open\ddeexec "NoActivateHandler"
HKEY_CLASSES_ROOT\http\shell\open\ddeexec\Application ""
HKEY_CLASSES_ROOT\http\shell\open\ddeexec\Topic ""
HKEY_CLASSES_ROOT\https\shell\open\command ""
HKEY_CLASSES_ROOT\https\shell\open\ddeexec ""
HKEY_CLASSES_ROOT\https\shell\open\ddeexec "NoActivateHandler"
HKEY_CLASSES_ROOT\https\shell\open\ddeexec\Application ""
HKEY_CLASSES_ROOT\https\shell\open\ddeexec\Topic ""
HKEY_CLASSES_ROOT\ftp\shell\open\command ""
HKEY_CLASSES_ROOT\ftp\shell\open\ddeexec ""
HKEY_CLASSES_ROOT\ftp\shell\open\ddeexec "NoActivateHandler"
HKEY_CLASSES_ROOT\ftp\shell\open\ddeexec\Application ""
HKEY_CLASSES_ROOT\ftp\shell\open\ddeexec\Topic ""
HKEY_CLASSES_ROOT\ftp\shell\open\ddeexec\ifExec ""
HKEY_CLASSES_ROOT\gopher\shell\open\command ""
HKEY_CLASSES_ROOT\gopher\shell\open\ddeexec ""
HKEY_CLASSES_ROOT\gopher\shell\open\ddeexec "NoActivateHandler"
HKEY_CLASSES_ROOT\gopher\shell\open\ddeexec\Application ""
HKEY_CLASSES_ROOT\gopher\shell\open\ddeexec\Topic ""
HKEY_CLASSES_ROOT\htmlfile\shell ""
HKEY_CLASSES_ROOT\htmlfile\shell\open ""
HKEY_CLASSES_ROOT\htmlfile\shell\open\command ""
HKEY_CLASSES_ROOT\htmlfile\shell\open\ddeexec ""
HKEY_CLASSES_ROOT\htmlfile\shell\open\ddeexec "NoActivateHandler"
HKEY_CLASSES_ROOT\htmlfile\shell\open\ddeexec\Application ""
HKEY_CLASSES_ROOT\htmlfile\shell\open\ddeexec\Topic ""
HKEY_CLASSES_ROOT\mhtmlfile\shell ""
HKEY_CLASSES_ROOT\htmlfile\shell\opennew ""
HKEY_CLASSES_ROOT\htmlfile\shell\opennew\command ""
HKEY_CLASSES_ROOT\htmlfile\shell\opennew\ddeexec ""
HKEY_CLASSES_ROOT\htmlfile\shell\opennew\ddeexec\IfExec ""
HKEY_CLASSES_ROOT\htmlfile\shell\opennew\ddeexec "NoActivateHandler"
HKEY_CLASSES_ROOT\htmlfile\shell\opennew\ddeexec\Application ""
HKEY_CLASSES_ROOT\htmlfile\shell\opennew\ddeexec\Topic ""
HKEY_CLASSES_ROOT\mhtmlfile\shell\open ""
HKEY_CLASSES_ROOT\mhtmlfile\shell\open\command ""
HKEY_CLASSES_ROOT\mhtmlfile\shell\open\ddeexec ""
HKEY_CLASSES_ROOT\mhtmlfile\shell\open\ddeexec\Application ""
HKEY_CLASSES_ROOT\mhtmlfile\shell\open\ddeexec\Topic ""
HKEY_CLASSES_ROOT\mhtmlfile\shell\opennew ""
HKEY_CLASSES_ROOT\mhtmlfile\shell\opennew\command ""
HKEY_CLASSES_ROOT\mhtmlfile\shell\opennew\ddeexec ""
HKEY_CLASSES_ROOT\mhtmlfile\shell\opennew\ddeexec\IfExec ""
HKEY_CLASSES_ROOT\mhtmlfile\shell\opennew\ddeexec "NoActivateHandler"
HKEY_CLASSES_ROOT\mhtmlfile\shell\opennew\ddeexec\Application ""
HKEY_CLASSES_ROOT\mhtmlfile\shell\opennew\ddeexec\Topic ""
HKEY_CLASSES_ROOT\CLSID\{3DC7A020-0ACD-11CF-A9BB-00AA004AE837} ""
HKEY_CLASSES_ROOT\InternetShortcut\shell\open\command ""
HKEY_CLASSES_ROOT\InternetShortcut\shell\open "CLSID"
HKEY_CLASSES_ROOT\InternetShortcut\shell\open "LegacyDisable"
HKEY_CLASSES_ROOT\InternetShortcut\shellex\ContextMenuHandlers\{FBF23B40-E3F0-101B-8488-00AA003E56F8} ""
HKEY_CLASSES_ROOT\CLSID\{FBF23B40-E3F0-101B-8488-00AA003E56F8}\shellex\MayChangeDefaultMenu ""
HKEY_CLASSES_ROOT\InternetShortcut\shellex\PropertyHandler ""
HKEY_CLASSES_ROOT\Applications\iexplore.exe\shell\open\command ""
HKEY_CLASSES_ROOT\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32 ""
HKEY_CLASSES_ROOT\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}\1.1\0 "win32"
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{871c5380-42a0-1069-a2ea-08002b30309d}\InProcServer32 ""
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{9ba05972-f6a8-11cf-a442-00a0c90a8f39}\InProcServer32 ""
HKEY_CLASSES_ROOT "Interface\{85CB6900-4D95-11CF-960C-0080C7F4EE85}\ProxyStubClsid32"
HKEY_CLASSES_ROOT "Interface\{85CB6900-4D95-11CF-960C-0080C7F4EE85}\Forward"
HKEY_CLASSES_ROOT\Interface\{85CB6900-4D95-11CF-960C-0080C7F4EE85}\TypeLib ""
HKEY_CLASSES_ROOT\Interface\{85CB6900-4D95-11CF-960C-0080C7F4EE85}\TypeLib "Version"
HKEY_CLASSES_ROOT\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}\1.1\0\win32 ""
HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 "win32"
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc "UDTAlignmentPolicy"
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\SecurityService "DefaultAuthLevel"
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\SecurityService "10"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders "SecurityProviders"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll "Name"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll "Comment"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll "Capabilities"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll "RpcId"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll "Version"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll "Type"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll "TokenSize"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll "Name"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll "Comment"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll "Capabilities"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll "RpcId"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll "Version"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll "Type"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll "TokenSize"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll "Name"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll "Comment"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll "Capabilities"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll "RpcId"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll "Version"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll "Type"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll "TokenSize"
_HKEY(2300)_ "NumShape"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\CpMRU "Enable"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\CpMRU "Size"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\NLS\Language Groups "a"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International "W2KLpk"

Registry Enums:
HKEY_CLASSES_ROOT\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}
HKEY_CLASSES_ROOT\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}\1.1

Process Management:
Open Process - Filename (C:\WINDOWS\explorer.exe) Target PID: (1484)

Service Management:
Open Service Manager - Name: "SCM"
Open Service - Name: "RASMAN"

System Info:
Get System Directory
Get Computer Name
Get System Time

User Management:
Impersonate User - Domain: () User: (Sandbox)
Get User Name

Window:
Find Window - Class Name ($C0E3) Window Name ()
Find Window - Class Name (Shell_TrayWnd) Window Name ()
Find Window - Class Name (MS_AutodialMonitor) Window Name ()
Find Window - Class Name (MS_WebcheckMonitor) Window Name ()

Network Activity:
hxxp://58.61.156.182/ (58.61.156.182)
Outgoing connection to remote server: 58.61.156.182 TCP port 80