Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected With Many Pops Ups And The Spy Guard


  • This topic is locked This topic is locked
31 replies to this topic

#1 ljsmith82

ljsmith82

  • Members
  • 92 posts
  • OFFLINE
  •  
  • Local time:10:01 PM

Posted 02 August 2006 - 11:28 PM

i follow teh steps but i still dont know with what please help



Logfile of HijackThis v1.99.1
Scan saved at 12:27:39 AM, on 8/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ishost.exe
C:\WINDOWS\system32\issearch.exe
C:\WINDOWS\system32\isnotify.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\ismon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\l3jdfs.exe
C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\{917BE940-0A64-1033-1106-030416200001}\Update.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\WNSXS~1\chkdsk.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsrw.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\F-SECU~1\ANTI-S~1\fsaw.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,wjcofdg.exe
O3 - Toolbar: (no name) - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - (no file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: Safety Bar - {052b12f7-86fa-4921-8482-26c42316b522} - C:\Program Files\Safety Bar\Safety Bar.dll
O4 - HKLM\..\Run: [uvixtu] C:\WINDOWS\system32\ueeguw.exe reg_run
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\McAfee.com\Agent\McAgent.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PCchat] C:\DOCUME~1\OWNER~1.ROB\LOCALS~1\Temp\Rar$EX00.516\PCchat.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office X3\Programs\QFSCHD130.EXE"
O4 - HKLM\..\Run: [epy9J] "C:\WINDOWS\system32\l3jdfs.exe"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [qspav] C:\WINDOWS\system32\ueeguw.exe reg_run
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Ousc] "C:\WINDOWS\WNSXS~1\chkdsk.exe" -vt yazr
O4 - HKCU\..\Run: [Nxisxbwb] C:\Documents and Settings\Owner.ROBERTO-OPCE9I9\My Documents\?ecurity\j?vaw.exe
O4 - Global Startup: F-Secure Anti-Virus 2006.lnk = C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure Internet Security\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.elitemediagroup.net
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {2871FC9B-5E34-4AAE-9E9C-EBD1652D5C92} (Rhapsody Player Engine) - http://forms.real.com/real/player/download...ne_Inst_Win.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/bestfriends/miniclipGameLoader.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1150581190484
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter: text/html - {D5BA18F2-FF61-465F-831D-A6850B94FC01} - C:\WINDOWS\system32\vf1v62x.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\nopdb.dll
O23 - Service: F-Secure Anti-Virus 2006 (BackWeb Plug-in - 4476822) - F-Secure Internet Security 2005 - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE

BC AdBot (Login to Remove)

 


#2 pomp

pomp

    Malware Fighter


  • Members
  • 362 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Jersey Shore
  • Local time:10:01 PM

Posted 03 August 2006 - 03:00 AM

Hello and welcome!

Please download Qoofix by RubbeR DuckY from http://www.malwarebytes.org/Qoofix.zip
  • Unzip all files to a convenient location such as C:\Qoofix.
  • Go to the folder you unzipped all files and run Qoofix.exe.
  • Click Begin Removal and wait for the scan to finish.
  • If an infection has been found, select yes to restart your computer.
Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm


Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

Please post the contents of qoofix logfile, smitfraudfix logfile and the uninstall_list. Make sure when you copy and paste them into a reply to this thread that they are the whole log! Thanks.


My help in removing spyware is free, but if you'd like to donate: Donate



PLEASE DON'T PM ME OR EMAIL ME WITH HELP ON LOGS :). POST IN THE FORUM INSTEAD


#3 ljsmith82

ljsmith82
  • Topic Starter

  • Members
  • 92 posts
  • OFFLINE
  •  
  • Local time:10:01 PM

Posted 03 August 2006 - 01:10 PM

Qoofix v1.03 by http://www.malwarebytes.org
Scan started on [8/3/2006] at [1:43:27 PM]
-------------------------------------------------------------
No malicious modules found!
-------------------------------------------------------------
No Qoologic infected files found!
-------------------------------------------------------------
Scan COMPLETED SUCCESSFULLY on [8/3/2006] at [1:45:55 PM]

Note: Some registry keys may have been removed.



when i downloaded SmitfraudFix and saved it and when i try to strat it a window comes up and right away goes away and for hijackthis when i clikc on save log for the unistall it wont come up is this due to the virus or infection i have

#4 pomp

pomp

    Malware Fighter


  • Members
  • 362 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Jersey Shore
  • Local time:10:01 PM

Posted 03 August 2006 - 02:37 PM

It might be F-Secure blocking it from running. Please disable it, and then try running smitfraudfix and follow the instructions for it in my previous post...


My help in removing spyware is free, but if you'd like to donate: Donate



PLEASE DON'T PM ME OR EMAIL ME WITH HELP ON LOGS :). POST IN THE FORUM INSTEAD


#5 ljsmith82

ljsmith82
  • Topic Starter

  • Members
  • 92 posts
  • OFFLINE
  •  
  • Local time:10:01 PM

Posted 03 August 2006 - 05:29 PM

i disabled it and it still wont work should i unistall it and find another anti virus

#6 pomp

pomp

    Malware Fighter


  • Members
  • 362 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Jersey Shore
  • Local time:10:01 PM

Posted 04 August 2006 - 02:45 AM

We can fix it! It's about two steps.. here's the first...

Sometimes this problem is caused by a path value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment not set right (no REG_EXPAND_SZ data type).

Open notepad and copy and paste the following that is in bold, into notepad:

C:\Windows\system32\reg.exe query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /s >> look.txt
start notepad look.txt


Save this as look.bat , choose to save as *all files and place it on your desktop.

Open up look.txt and copy and paste the contents into a reply here.


My help in removing spyware is free, but if you'd like to donate: Donate



PLEASE DON'T PM ME OR EMAIL ME WITH HELP ON LOGS :). POST IN THE FORUM INSTEAD


#7 ljsmith82

ljsmith82
  • Topic Starter

  • Members
  • 92 posts
  • OFFLINE
  •  
  • Local time:10:01 PM

Posted 04 August 2006 - 02:16 PM

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
ComSpec REG_EXPAND_SZ %SystemRoot%\system32\cmd.exe
Path REG_SZ %SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\QuickTime\QTSystem\;
windir REG_EXPAND_SZ %SystemRoot%
OS REG_SZ Windows_NT
PROCESSOR_ARCHITECTURE REG_SZ x86
PROCESSOR_LEVEL REG_SZ 15
PROCESSOR_IDENTIFIER REG_SZ x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_REVISION REG_SZ 0209
NUMBER_OF_PROCESSORS REG_SZ 1
PATHEXT REG_SZ .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
TEMP REG_EXPAND_SZ %SystemRoot%\TEMP
TMP REG_EXPAND_SZ %SystemRoot%\TEMP
CLASSPATH REG_EXPAND_SZ C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
QTJAVA REG_EXPAND_SZ C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
FP_NO_HOST_CHECK REG_SZ NO





thanks for the help i cant wait to stop this virus and stop the pop ups every 2 mintues

#8 pomp

pomp

    Malware Fighter


  • Members
  • 362 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Jersey Shore
  • Local time:10:01 PM

Posted 04 August 2006 - 09:45 PM

Hey! :thumbsup: .. This should fix it!:

Download FIXPATH2.ZIP. Extract the files to a folder in C:\, like C:\FIXPATH2.

RUNNING THE PROGRAM:

* Open a command prompt window by going to start > run and copy and type: cmd
In the command prompt, type: cd C:\

So you should get C:\>

Then type: cd FIXPATH2

So you should get: C:\>fixpath2

Then type: FIXPATH.EXE
* It will display some preliminary information, and ask if it should continue and check for errors. Click Yes.
* If it successfully updates the Path value in the registry, you will need to
reboot for the change to take effect. !! This is really important !!


After reboot, try to run SmitfraudFix again following the instructions I posted for it in post #2


My help in removing spyware is free, but if you'd like to donate: Donate



PLEASE DON'T PM ME OR EMAIL ME WITH HELP ON LOGS :). POST IN THE FORUM INSTEAD


#9 ljsmith82

ljsmith82
  • Topic Starter

  • Members
  • 92 posts
  • OFFLINE
  •  
  • Local time:10:01 PM

Posted 04 August 2006 - 10:19 PM

here is the smitfraud but the unistall notepad for hijackthis still did not come up



SmitFraudFix v2.79

Scan done at 23:15:11.43, Fri 08/04/2006
Run from C:\Documents and Settings\Owner.ROBERTO-OPCE9I9\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32

C:\WINDOWS\system32\ixt?.dll FOUND !
C:\WINDOWS\system32\ixt??.dll FOUND !
C:\WINDOWS\system32\ot.ico FOUND !

C:\Documents and Settings\Owner.ROBERTO-OPCE9I9\Application Data


Start Menu


C:\DOCUME~1\OWNER~1.ROB\FAVORI~1

C:\DOCUME~1\OWNER~1.ROB\FAVORI~1\Antivirus Test Online.url FOUND !

Desktop


C:\Program Files

C:\Program Files\Safety Bar\ FOUND !

Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"incestuously"="{03413bf7-e34c-445b-bfc0-a2b127255871}"


Scanning wininet.dll infection


End

#10 pomp

pomp

    Malware Fighter


  • Members
  • 362 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Jersey Shore
  • Local time:10:01 PM

Posted 04 August 2006 - 10:50 PM

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

then...

Download WindPFind

Extract WinPFind.zip to your c:\ folder.

Reboot your computer into Safe Mode

Then open c:\WinPFind and double-click on WinPFind.exe.
When the program is open, click on the Start Scan button to start scanning your computer. Be patient as this scan may take a while.
When it is done, it will show a log and tell you the scan is completed. Reboot your computer back to normal mode and and post the contents of c:\WinPFind\WinPFind.txt as a reply to this topic.


My help in removing spyware is free, but if you'd like to donate: Donate



PLEASE DON'T PM ME OR EMAIL ME WITH HELP ON LOGS :). POST IN THE FORUM INSTEAD


#11 ljsmith82

ljsmith82
  • Topic Starter

  • Members
  • 92 posts
  • OFFLINE
  •  
  • Local time:10:01 PM

Posted 04 August 2006 - 11:24 PM

here the the first report

SmitFraudFix v2.79

Scan done at 0:21:36.35, Sat 08/05/2006
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"incestuously"="{03413bf7-e34c-445b-bfc0-a2b127255871}"


Killing process


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files

C:\Program Files\Safety Bar\ Deleted

Deleting Temp Files


Registry Cleaning

Registry Cleaning done.

After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End

#12 ljsmith82

ljsmith82
  • Topic Starter

  • Members
  • 92 posts
  • OFFLINE
  •  
  • Local time:10:01 PM

Posted 04 August 2006 - 11:50 PM

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Windows OS and Versions
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

Checking Selected Standard Folders

Checking %SystemDrive% folder...
qoologic 8/5/2006 12:27:32 AM 204131 C:\WinPFind.zip

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 12/28/2005 1:18:28 PM 38912 C:\WINDOWS\mtuninst.exe
UPX! 8/2/2006 5:15:56 AM 39424 C:\WINDOWS\YAXUninst.exe

Checking %System% folder...
PEC2 7/16/2003 4:26:44 PM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech 6/19/2006 4:19:42 PM 571184 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
aspack 7/6/2006 9:21:46 PM 6757792 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 3:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
UPX! 8/2/2006 5:15:56 AM 155136 C:\WINDOWS\SYSTEM32\oins.exe
Umonitor 8/4/2004 3:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 4/27/2006 5:49:30 PM 288417 C:\WINDOWS\SYSTEM32\SrchSTS.exe
UPX! 1/9/2006 10:36:04 AM 42496 C:\WINDOWS\SYSTEM32\swreg.exe
UPX! 1/9/2006 10:36:06 AM 40960 C:\WINDOWS\SYSTEM32\swsc.exe
winsync 7/16/2003 4:50:38 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
PTech 6/19/2006 4:19:26 PM 304944 C:\WINDOWS\SYSTEM32\WgaTray.exe

Checking %System%\Drivers folder and sub-folders...
PTech 8/4/2004 1:41:38 AM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
8/5/2006 12:31:12 AM S 2048 C:\WINDOWS\bootstat.dat
6/18/2006 5:22:10 AM H 0 C:\WINDOWS\inf\oem30.inf
10/31/2011 2:05:46 PM HS 1537 C:\WINDOWS\page files\maxmeg.sys
6/17/2006 7:00:12 PM RHS 286777 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_9.cab
6/22/2006 12:38:00 AM RHS 168 C:\WINDOWS\system32\F290167991.sys
6/22/2006 12:38:08 AM HS 2516 C:\WINDOWS\system32\KGyGaAvL.sys
7/31/2006 9:43:44 PM HS 40973 C:\WINDOWS\system32\opnopmk.dll
7/31/2006 10:21:34 PM HS 364390 C:\WINDOWS\system32\rqstv.bak1
8/5/2006 12:31:54 AM HS 496124 C:\WINDOWS\system32\rqstv.bak2
8/2/2006 10:22:38 AM HS 497466 C:\WINDOWS\system32\rqstv.ini
8/5/2006 12:36:16 AM HS 495588 C:\WINDOWS\system32\rqstv.ini2
8/2/2006 6:22:00 PM HS 497215 C:\WINDOWS\system32\rqstv.tmp
7/31/2006 10:21:28 PM HS 573492 C:\WINDOWS\system32\vtsqr.dll
6/19/2006 4:20:58 PM S 7160 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WgaNotify.cat
8/5/2006 12:31:36 AM H 24576 C:\WINDOWS\system32\config\default.LOG
8/5/2006 12:31:32 AM H 1024 C:\WINDOWS\system32\config\SAM.LOG
8/5/2006 12:31:12 AM H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
8/5/2006 12:33:00 AM H 1024 C:\WINDOWS\system32\config\software.LOG
8/5/2006 12:36:18 AM H 1024 C:\WINDOWS\system32\config\system.LOG
7/17/2006 2:35:10 PM H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
7/25/2006 5:33:56 PM S 341 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\303572DF538EDD8B1D606185F1D559B8
7/25/2006 5:33:56 PM S 413 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\79841F8EF00FBA86D33CC5A47696F165
7/25/2006 5:33:56 PM S 574 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\904590238400AD963F77FAAAADC9BAB5
7/17/2006 2:36:02 PM S 558 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\A44F4E7CB3133FF765C39A53AD8FCFDD
7/25/2006 5:33:56 PM S 126 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\303572DF538EDD8B1D606185F1D559B8
7/25/2006 5:33:56 PM S 98 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\79841F8EF00FBA86D33CC5A47696F165
7/25/2006 5:33:56 PM S 136 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\904590238400AD963F77FAAAADC9BAB5
7/17/2006 2:36:02 PM S 146 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\A44F4E7CB3133FF765C39A53AD8FCFDD
8/5/2006 12:24:40 AM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
6/26/2006 11:24:58 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\e07e21f4-44e4-4265-9e03-986098916b4e
6/26/2006 11:24:58 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
8/5/2006 12:30:02 AM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/4/2004 3:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Intel Corporation 9/20/2005 9:35:12 AM 77824 C:\WINDOWS\SYSTEM32\igfxcpl(2).cpl
Intel Corporation 9/20/2005 9:35:12 AM 77824 C:\WINDOWS\SYSTEM32\igfxcpl.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Macrovision Corporation 8/11/2005 5:29:46 PM 73728 C:\WINDOWS\SYSTEM32\ISUSPM.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 11/10/2005 2:03:50 PM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 7/16/2003 4:32:24 PM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 7/16/2003 4:37:20 PM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft 3/2/1999 5:10:02 PM 49152 C:\WINDOWS\SYSTEM32\speech.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 7/16/2003 4:47:58 PM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 5:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 7/16/2003 4:32:24 PM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 7/16/2003 4:37:20 PM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 7/16/2003 4:47:58 PM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Intel Corporation 4/7/2003 4:14:30 AM 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0016\DriverFiles\igfxcpl.cpl

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...
8/4/2006 11:03:28 PM 1766 C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
12/27/2005 10:23:52 PM HS 84 C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\desktop.ini
8/5/2006 12:30:16 AM 1042 C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\F-Secure Anti-Virus 2006.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
12/27/2005 2:12:32 PM HS 62 C:\Documents and Settings\All Users.WINDOWS\Application Data\desktop.ini
3/1/2006 1:07:50 AM 1759 C:\Documents and Settings\All Users.WINDOWS\Application Data\QTSBandwidthCache

Checking files in %USERPROFILE%\Startup folder...
12/27/2005 10:23:52 PM HS 84 C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
12/27/2005 2:12:32 PM HS 62 C:\Documents and Settings\Administrator\Application Data\desktop.ini
7/31/2006 10:13:50 PM 542235 C:\Documents and Settings\Administrator\Application Data\Sskknwrd.dll
7/31/2006 11:06:22 PM 64 C:\Documents and Settings\Administrator\Application Data\Sskuknwrd.dll

Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\Program Files\Yahoo!\Common\ymmapi.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{23814B80-52A2-11d0-BC1A-004095606CB9}
F-Secure = C:\Program Files\F-Secure Internet Security\Common\fpshx.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\a2FreeContMenu
{A155339D-CCCD-4714-85EB-3754B804C9DF} = C:\PROGRA~1\A-SQUA~2\A2FREE~1.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{23814B80-52A2-11d0-BC1A-004095606CB9}
F-Secure = C:\Program Files\F-Secure Internet Security\Common\fpshx.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}
DriveLetterAccess = C:\WINDOWS\system32\dla\tfswshx.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
SSVHelper Class = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8711CF54-E9C5-4DB4-9B9F-7D67393CC771}
Vdrw Class = C:\WINDOWS\system32\vf1v62x.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}
Windows Live Sign-in Helper = C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{91774715-C175-461B-AE0D-0D7333E5CAC7}
= C:\WINDOWS\system32\vtsqr.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E5E2A3E7-00FE-4D31-A030-A10799DDCA66}
=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} = :
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2499216C-4BA5-11D5-BD9C-000103C116D5}
ButtonText = Yahoo! Login :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{300DB664-75B5-47c0-8B45-A44ACCF73C00}
ButtonText = IE Shield :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
ButtonText = Messenger :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{85d1f590-48f4-11d9-9669-0800200c9a66}
MenuText = Uninstall BitDefender Online Scanner v8 :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\Program Files\AIM\aim.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{F4430FE8-2638-42e5-B849-800749B94EED}
ButtonText = PartyPoker.net : C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
uvixtu C:\WINDOWS\system32\ueeguw.exe reg_run
YBrowser C:\Program Files\Yahoo!\browser\ybrwicon.exe
IPInSightLAN 01 "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
IPInSightMonitor 01 "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
dla C:\WINDOWS\system32\dla\tfswctrl.exe
StorageGuard "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
MCUpdateExe C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
MCAgentExe C:\PROGRA~1\McAfee.com\Agent\McAgent.exe
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
Adobe Photo Downloader "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
ISUSPM Startup "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
ISUSScheduler "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
igfxtray C:\WINDOWS\system32\igfxtray.exe
igfxhkcmd C:\WINDOWS\system32\hkcmd.exe
igfxpers C:\WINDOWS\system32\igfxpers.exe
PCchat C:\DOCUME~1\OWNER~1.ROB\LOCALS~1\Temp\Rar$EX00.516\PCchat.exe
iTunesHelper "C:\Program Files\iTunes\iTunesHelper.exe"
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
WinampAgent C:\Program Files\Winamp\winampa.exe
QuickFinder Scheduler "C:\Program Files\WordPerfect Office X3\Programs\QFSCHD130.EXE"
epy9J "C:\WINDOWS\system32\l3jdfs.exe"
F-Secure Manager "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
F-Secure TNB "C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
F-Secure Startup Wizard "C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.EXE" /reboot
New.net Startup rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
qspav C:\WINDOWS\system32\ueeguw.exe reg_run
ctfmon.exe C:\WINDOWS\system32\ctfmon.exe
msnmsgr "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services
kavsvc 2
iPodService 3
IDriverT 3


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk
path C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Adobe\ACROBA~2.0\Reader\READER~1.EXE
item Adobe Reader Speed Launch
path C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Adobe\ACROBA~2.0\Reader\READER~1.EXE
item Adobe Reader Speed Launch

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^hamachi.lnk
path C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\hamachi.lnk
backup C:\WINDOWS\pss\hamachi.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Hamachi\hamachi.exe
item hamachi
path C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\hamachi.lnk
backup C:\WINDOWS\pss\hamachi.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Hamachi\hamachi.exe
item hamachi

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Owner.ROBERTO-OPCE9I9^Start Menu^Programs^Startup^MagicDisc.lnk
path C:\Documents and Settings\Owner.ROBERTO-OPCE9I9\Start Menu\Programs\Startup\MagicDisc.lnk
backup C:\WINDOWS\pss\MagicDisc.lnkStartup
location Startup
command C:\PROGRA~1\MAGICD~1\MAGICD~1.EXE
item MagicDisc
path C:\Documents and Settings\Owner.ROBERTO-OPCE9I9\Start Menu\Programs\Startup\MagicDisc.lnk
backup C:\WINDOWS\pss\MagicDisc.lnkStartup
location Startup
command C:\PROGRA~1\MAGICD~1\MAGICD~1.EXE
item MagicDisc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Adobe Photo Downloader
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item apdproxy
hkey HKLM
command "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item apdproxy
hkey HKLM
command "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AIM
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item aim
hkey HKCU
command C:\Program Files\AIM\aim.exe -cnetwait.odl
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item aim
hkey HKCU
command C:\Program Files\AIM\aim.exe -cnetwait.odl
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ctfmon.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ctfmon
hkey HKCU
command C:\WINDOWS\System32\ctfmon.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ctfmon
hkey HKCU
command C:\WINDOWS\System32\ctfmon.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\DAEMON Tools
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item daemon
hkey HKLM
command "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item daemon
hkey HKLM
command "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\dla
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item tfswctrl
hkey HKLM
command C:\WINDOWS\system32\dla\tfswctrl.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item tfswctrl
hkey HKLM
command C:\WINDOWS\system32\dla\tfswctrl.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\igfxhkcmd
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hkcmd
hkey HKLM
command C:\WINDOWS\system32\hkcmd.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hkcmd
hkey HKLM
command C:\WINDOWS\system32\hkcmd.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\igfxpers
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item igfxpers
hkey HKLM
command C:\WINDOWS\system32\igfxpers.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item igfxpers
hkey HKLM
command C:\WINDOWS\system32\igfxpers.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\igfxtray
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item igfxtray
hkey HKLM
command C:\WINDOWS\system32\igfxtray.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item igfxtray
hkey HKLM
command C:\WINDOWS\system32\igfxtray.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\INetBooster
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ISpBos
hkey HKCU
command C:\Program Files\Robust\Internet Booster\ISpBos.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ISpBos
hkey HKCU
command C:\Program Files\Robust\Internet Booster\ISpBos.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\IPInSightLAN 01
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item IPClient
hkey HKLM
command "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item IPClient
hkey HKLM
command "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\IPInSightMonitor 01
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item IPMon32
hkey HKLM
command "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item IPMon32
hkey HKLM
command "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ISUSPM Startup
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item isuspm
hkey HKLM
command "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item isuspm
hkey HKLM
command "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ISUSScheduler
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item issch
hkey HKLM
command "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item issch
hkey HKLM
command "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\KAVPersonal50
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item kav
hkey HKLM
command C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item kav
hkey HKLM
command C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MCAgentExe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item McAgent
hkey HKLM
command C:\PROGRA~1\McAfee.com\Agent\McAgent.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item McAgent
hkey HKLM
command C:\PROGRA~1\McAfee.com\Agent\McAgent.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MCUpdateExe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item McUpdate
hkey HKLM
command C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item McUpdate
hkey HKLM
command C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MsnMsgr
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item MsnMsgr
hkey HKCU
command "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item MsnMsgr
hkey HKCU
command "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\New.net Startup
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NEWDOT~2
hkey HKLM
command rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NEWDOT~2
hkey HKLM
command rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PCchat
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item PCchat
hkey HKLM
command C:\DOCUME~1\OWNER~1.ROB\LOCALS~1\Temp\Rar$EX00.516\PCchat.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item PCchat
hkey HKLM
command C:\DOCUME~1\OWNER~1.ROB\LOCALS~1\Temp\Rar$EX00.516\PCchat.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickFinder Scheduler
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item QFSCHD130
hkey HKLM
command "C:\Program Files\WordPerfect Office X3\Programs\QFSCHD130.EXE"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item QFSCHD130
hkey HKLM
command "C:\Program Files\WordPerfect Office X3\Programs\QFSCHD130.EXE"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SunJavaUpdateSched
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item jusched
hkey HKLM
command C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item jusched
hkey HKLM
command C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\TkBellExe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item realsched
hkey HKLM
command "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item realsched
hkey HKLM
command "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\TXP
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item txp
hkey HKLM
command c:\program files\topthemesxp\txp.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item txp
hkey HKLM
command c:\program files\topthemesxp\txp.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\UpdateManager
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item sgtray
hkey HKLM
command "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item sgtray
hkey HKLM
command "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WhenUSave
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Save
hkey HKCU
command "C:\Program Files\Save\Save.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Save
hkey HKCU
command "C:\Program Files\Save\Save.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WhenUSearch
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Search
hkey HKLM
command "C:\Program Files\WhenUSearch\Search.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Search
hkey HKLM
command "C:\Program Files\WhenUSearch\Search.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WhenUSearchWHSE
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item whse
hkey HKLM
command "C:\Program Files\WhenUSearch\whse.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item whse
hkey HKLM
command "C:\Program Files\WhenUSearch\whse.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WinampAgent
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item winampa
hkey HKLM
command C:\Program Files\Winamp\winampa.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item winampa
hkey HKLM
command C:\Program Files\Winamp\winampa.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Yahoo! Pager
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item 1
hkey HKCU
command 1
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item 1
hkey HKCU
command 1
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\YBrowser
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ybrwicon
hkey HKLM
command C:\Program Files\Yahoo!\browser\ybrwicon.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ybrwicon
hkey HKLM
command C:\Program Files\Yahoo!\browser\ybrwicon.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 1
startup 1


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer
NoCDBurning 0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1
DisableTaskMgr 0


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
NoCloseDragDropBands 0
NoMovingBands 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\Userinit.exe,
Shell = explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
= igfxdev.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\vtsqr
= C:\WINDOWS\system32\vtsqr.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon
= WgaLogon.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winepi32
= winepi32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs C:\WINDOWS\system32\nopdb.dll


Scan Complete
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 8/5/2006 12:36:22 AM

#13 pomp

pomp

    Malware Fighter


  • Members
  • 362 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Jersey Shore
  • Local time:10:01 PM

Posted 05 August 2006 - 06:04 PM

1. Download this file - combofix
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


My help in removing spyware is free, but if you'd like to donate: Donate



PLEASE DON'T PM ME OR EMAIL ME WITH HELP ON LOGS :). POST IN THE FORUM INSTEAD


#14 ljsmith82

ljsmith82
  • Topic Starter

  • Members
  • 92 posts
  • OFFLINE
  •  
  • Local time:10:01 PM

Posted 05 August 2006 - 08:48 PM

when i ran it, my computer rebooted and then no log came up

#15 ljsmith82

ljsmith82
  • Topic Starter

  • Members
  • 92 posts
  • OFFLINE
  •  
  • Local time:10:01 PM

Posted 05 August 2006 - 08:54 PM

ok i re-ran it


Start Time= Sat 08/05/2006 21:51:22.29
Running from: C:\Documents and Settings\Owner.ROBERTO-OPCE9I9\Desktop

QuickScan did not find any signs of infected files

((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))

21:37:39.06

* * * PRE-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


2006-07-24 15:31:24 1,163,264 "C:\WINDOWS\system32\l3jdfs.exe"
2006-07-26 15:59:44 159,744 "C:\WINDOWS\system32\apbzk.exe"
2006-07-31 21:54:10 28,672 "C:\WINDOWS\system32\cymmh.exe"
2006-05-19 08:59:42 148,480 "C:\WINDOWS\system32\dnsapi.dll"
2006-05-10 01:23:00 55,808 "C:\WINDOWS\system32\extmgr.dll"
2006-05-10 01:23:00 96,256 "C:\WINDOWS\system32\inseng.dll"
2006-05-19 11:08:32 3,052,544 "C:\WINDOWS\system32\mshtml.dll"
2006-05-10 01:23:02 532,480 "C:\WINDOWS\system32\mstime.dll"
2006-05-15 18:26:06 200,704 "C:\WINDOWS\system32\NPRCAS.dll"
2006-05-16 16:23:56 339,968 "C:\WINDOWS\system32\pxwave.dll"
2006-05-10 01:23:02 613,888 "C:\WINDOWS\system32\urlmon.dll"
2006-07-31 21:54:10 45,056 "C:\WINDOWS\system32\afdaqd3.exe"
2006-06-19 16:19:26 304,944 "C:\WINDOWS\system32\WgaTray.exe"
2006-07-31 21:54:12 28,672 "C:\WINDOWS\system32\whcixm7.exe"
2006-08-04 15:13:26 2 "C:\WINDOWS\system32\wnscpsv.exe"
2006-05-10 01:23:00 151,040 "C:\WINDOWS\system32\cdfview.dll"
2006-05-10 01:23:00 357,888 "C:\WINDOWS\system32\dxtmsft.dll"
2006-05-10 01:23:00 205,312 "C:\WINDOWS\system32\dxtrans.dll"
2006-05-10 01:23:00 251,392 "C:\WINDOWS\system32\iepeers.dll"
2006-05-26 22:19:50 163,840 "C:\WINDOWS\system32\JGDW400.DLL"
2006-05-18 01:24:26 450,560 "C:\WINDOWS\system32\jscript.dll"
2006-05-10 01:23:00 16,384 "C:\WINDOWS\system32\jsproxy.dll"
2006-07-31 21:43:44 40,973 "C:\WINDOWS\system32\opnopmk.dll"
2006-05-10 01:23:02 39,424 "C:\WINDOWS\system32\pngfilt.dll"
2006-05-14 04:44:08 181,248 "C:\WINDOWS\system32\rasmans.dll"
2006-05-29 11:30:34 1,494,016 "C:\WINDOWS\system32\shdocvw.dll"
2006-05-10 01:23:02 474,112 "C:\WINDOWS\system32\shlwapi.dll"
2006-07-31 21:54:12 221,184 "C:\WINDOWS\system32\vf1v62x.dll"
2006-05-16 16:23:56 28,672 "C:\WINDOWS\system32\VXBLOCK.dll"
2006-05-10 01:23:04 658,432 "C:\WINDOWS\system32\wininet.dll"
2006-05-10 01:23:00 1,054,208 "C:\WINDOWS\system32\danim.dll"
2006-08-03 21:54:00 81,920 "C:\WINDOWS\system32\nopdb.dll"
2006-05-16 16:23:54 450,560 "C:\WINDOWS\system32\pxdrv.dll"
2006-05-16 16:23:54 176,128 "C:\WINDOWS\system32\pxmas.dll"
2006-05-16 16:23:54 1,257,472 "C:\WINDOWS\system32\pxsfs.dll"
2006-07-31 22:21:28 573,492 "C:\WINDOWS\system32\vtsqr.dll"
2006-08-02 05:18:12 362 "C:\WINDOWS\tyknl.dll"
2006-07-31 21:53:54 53 "C:\WINDOWS\bppcwv.dat"
2006-05-31 15:53:16 18 "C:\WINDOWS\Expire.dat"
2006-08-03 02:20:50 4,395 "C:\WINDOWS\mozver.dat"


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *


07/31/2006 09:54 PM 28,672 cymmh.exe.vir
07/31/2006 09:53 PM 53 bppcwv.dat.vir


DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


* * * POST-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


2006-07-31 21:54:10 45,056 "C:\WINDOWS\system32\afdaqd3.exe"
2006-06-19 16:19:26 304,944 "C:\WINDOWS\system32\WgaTray.exe"
2006-07-31 21:54:12 28,672 "C:\WINDOWS\system32\whcixm7.exe"
2006-08-04 15:13:26 2 "C:\WINDOWS\system32\wnscpsv.exe"
2006-07-24 15:31:24 1,163,264 "C:\WINDOWS\system32\l3jdfs.exe"
2006-07-26 15:59:44 159,744 "C:\WINDOWS\system32\apbzk.exe"
2006-05-10 01:23:00 151,040 "C:\WINDOWS\system32\cdfview.dll"
2006-05-10 01:23:00 357,888 "C:\WINDOWS\system32\dxtmsft.dll"
2006-05-10 01:23:00 205,312 "C:\WINDOWS\system32\dxtrans.dll"
2006-05-10 01:23:00 251,392 "C:\WINDOWS\system32\iepeers.dll"
2006-05-26 22:19:50 163,840 "C:\WINDOWS\system32\JGDW400.DLL"
2006-05-18 01:24:26 450,560 "C:\WINDOWS\system32\jscript.dll"
2006-05-10 01:23:00 16,384 "C:\WINDOWS\system32\jsproxy.dll"
2006-07-31 21:43:44 40,973 "C:\WINDOWS\system32\opnopmk.dll"
2006-05-10 01:23:02 39,424 "C:\WINDOWS\system32\pngfilt.dll"
2006-05-14 04:44:08 181,248 "C:\WINDOWS\system32\rasmans.dll"
2006-05-29 11:30:34 1,494,016 "C:\WINDOWS\system32\shdocvw.dll"
2006-05-10 01:23:02 474,112 "C:\WINDOWS\system32\shlwapi.dll"
2006-07-31 21:54:12 221,184 "C:\WINDOWS\system32\vf1v62x.dll"
2006-05-16 16:23:56 28,672 "C:\WINDOWS\system32\VXBLOCK.dll"
2006-05-10 01:23:04 658,432 "C:\WINDOWS\system32\wininet.dll"
2006-05-19 08:59:42 148,480 "C:\WINDOWS\system32\dnsapi.dll"
2006-05-10 01:23:00 55,808 "C:\WINDOWS\system32\extmgr.dll"
2006-05-10 01:23:00 96,256 "C:\WINDOWS\system32\inseng.dll"
2006-05-19 11:08:32 3,052,544 "C:\WINDOWS\system32\mshtml.dll"
2006-05-10 01:23:02 532,480 "C:\WINDOWS\system32\mstime.dll"
2006-05-15 18:26:06 200,704 "C:\WINDOWS\system32\NPRCAS.dll"
2006-05-16 16:23:56 339,968 "C:\WINDOWS\system32\pxwave.dll"
2006-05-10 01:23:02 613,888 "C:\WINDOWS\system32\urlmon.dll"
2006-05-10 01:23:00 1,054,208 "C:\WINDOWS\system32\danim.dll"
2006-08-03 21:54:00 81,920 "C:\WINDOWS\system32\nopdb.dll"
2006-05-16 16:23:54 450,560 "C:\WINDOWS\system32\pxdrv.dll"
2006-05-16 16:23:54 176,128 "C:\WINDOWS\system32\pxmas.dll"
2006-05-16 16:23:54 1,257,472 "C:\WINDOWS\system32\pxsfs.dll"
2006-07-31 22:21:28 573,492 "C:\WINDOWS\system32\vtsqr.dll"
2006-08-02 05:18:12 362 "C:\WINDOWS\tyknl.dll"
2006-05-31 15:53:16 18 "C:\WINDOWS\Expire.dat"
2006-08-03 02:20:50 4,395 "C:\WINDOWS\mozver.dat"


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-05 02:39:26 ( .D... ) "C:\Program Files\Fotobook Editor V3"
2006-08-05 02:38:34 ( .D... ) "C:\Program Files\Common Files\GTK"
2006-08-05 02:33:42 ( .D... ) "C:\Documents and Settings\Owner.ROBERTO-OPCE9I9\Application Data\Preclick Photo Organizer"
2006-08-05 02:33:32 ( .D... ) "C:\Program Files\Preclick"
2006-08-05 02:08:22 ( .D... ) "C:\Program Files\Webshots"
2006-08-05 02:08:22 ( .D... ) "C:\Documents and Settings\Owner.ROBERTO-OPCE9I9\Application Data\Webshots"
2006-08-05 02:02:16 ( .D... ) "C:\Documents and Settings\Owner.ROBERTO-OPCE9I9\Application Data\AdobeAUM"
2006-08-05 01:43:22 ( .D... ) "C:\Program Files\Picasa2"
2006-08-04 16:05:34 ( .D... ) "C:\Program Files\PPLive"
2006-08-04 16:05:28 ( .D... ) "C:\Program Files\Common Files\Synacast"
2006-08-04 15:13:26 2 ( A.... ) "C:\WINDOWS\system32\wnscpsv.exe"
2006-08-03 21:54:00 81920 ( A.... ) "C:\WINDOWS\system32\nopdb.dll"
2006-08-03 21:54:00 ( .D... ) "C:\Documents and Settings\Owner.ROBERTO-OPCE9I9\Application Data\??curity"
2006-08-03 00:24:00 ( .D... ) "C:\Program Files\HijackThis"
2006-08-02 22:13:32 ( .D... ) "C:\Program Files\Network Associates"
2006-08-02 17:39:44 ( .D... ) "C:\Program Files\Lavasoft"
2006-08-02 05:18:12 362 ( A.... ) "C:\WINDOWS\tyknl.dll"
2006-08-02 05:15:56 155136 ( A.... ) "C:\WINDOWS\system32\oins.exe"
2006-08-02 05:15:56 39424 ( A.... ) "C:\WINDOWS\YAXUninst.exe"
2006-08-01 03:58:28 ( .D... ) "C:\Documents and Settings\Owner.ROBERTO-OPCE9I9\Application Data\PEX"
2006-08-01 03:57:48 ( .D... ) "C:\Documents and Settings\Owner.ROBERTO-OPCE9I9\Application Data\F-Secure"
2006-08-01 03:27:14 118842 ( ....R ) "C:\WINDOWS\bwUnin-6.3.2.116-4476822L.exe"
2006-08-01 03:27:08 ( .D... ) "C:\Program Files\F-Secure Internet Security"
2006-08-01 01:50:46 ( .D... ) "C:\Program Files\a-squared Free"
2006-07-31 22:25:36 ( .D... ) "C:\Program Files\Roguescanfix"
2006-07-31 22:21:28 573492 ( ..SH. ) "C:\WINDOWS\system32\vtsqr.dll"
2006-07-31 21:55:40 32208 ( ..SH. ) "C:\Program Files\Common Files\Y1304OU.exe"
2006-07-31 21:54:12 221184 ( A.... ) "C:\WINDOWS\system32\vf1v62x.dll"
2006-07-31 21:54:12 28672 ( A.... ) "C:\WINDOWS\system32\whcixm7.exe"
2006-07-31 21:54:10 45056 ( A.... ) "C:\WINDOWS\system32afdaqd3.exe"
2006-07-31 21:54:10 45056 ( A.... ) "C:\WINDOWS\system32\afdaqd3.exe"
2006-07-31 21:54:10 28672 ( A.... ) "C:\WINDOWS\system32cymmh.exe"
2006-07-31 21:46:14 ( .D... ) "C:\Program Files\ipwins"
2006-07-31 21:43:58 ( .D... ) "C:\Program Files\Common Files\{917BE940-0A64-1033-1106-030416200001}"
2006-07-31 21:43:44 40973 ( ..SH. ) "C:\WINDOWS\system32\opnopmk.dll"
2006-07-31 21:05:56 139264 ( A.... ) "C:\WINDOWS\War3Unin.exe"
2006-07-31 20:56:16 ( .D... ) "C:\Program Files\Warcraft III"
2006-07-29 18:07:20 98304 ( A.... ) "C:\WINDOWS\system32\CmdLineExt.dll"
2006-07-29 16:52:42 ( .D... ) "C:\Documents and Settings\Owner.ROBERTO-OPCE9I9\Application Data\WhenU"
2006-07-29 16:51:48 ( .D... ) "C:\Program Files\DAEMON Tools"
2006-07-29 15:26:16 ( .D... ) "C:\Program Files\Firefly Studios"
2006-07-29 15:25:28 ( .D... ) "C:\Program Files\GameSpy Arcade"
2006-07-28 15:34:12 ( .D... ) "C:\Program Files\Hamachi"
2006-07-28 15:26:58 ( .D... ) "C:\Documents and Settings\Owner.ROBERTO-OPCE9I9\Application Data\Hamachi"
2006-07-27 20:43:30 ( .D... ) "C:\Program Files\KONAMI"
2006-07-26 15:59:44 159744 ( A.... ) "C:\WINDOWS\system32\apbzk.exe"
2006-07-26 00:30:56 ( .D... ) "C:\Documents and Settings\Owner.ROBERTO-OPCE9I9\Application Data\PCTV4Me"
2006-07-25 23:14:36 ( .D... ) "C:\Program Files\Smart Link"
2006-07-25 18:05:30 ( .D... ) "C:\Program Files\Paltalk Messenger"
2006-07-25 17:33:50 ( .D... ) "C:\Program Files\MSN Messenger"
2006-07-24 15:31:24 1163264 ( A.... ) "C:\WINDOWS\system32\l3jdfs.exe"
2006-07-03 18:37:52 ( .D... ) "C:\Documents and Settings\Owner.ROBERTO-OPCE9I9\Application Data\Media Player Classic"
2006-07-02 02:11:00 ( .D... ) "C:\Program Files\EA SPORTS"
2006-07-02 01:55:18 ( .D... ) "C:\Program Files\MagicDisc"
2006-07-02 01:40:04 ( .D... ) "C:\Program Files\Alcohol Soft"
2006-06-28 03:30:50 ( .D... ) "C:\Program Files\PartyGaming.Net"
2006-06-22 00:38:08 2516 ( A.SH. ) "C:\WINDOWS\system32\KGyGaAvL.sys"
2006-06-22 00:38:00 168 ( ..SHR ) "C:\WINDOWS\system32\F290167991.sys"
2006-06-19 16:20:42 702768 ( A.... ) "C:\WINDOWS\system32\WgaLogon.dll"
2006-06-18 17:50:10 ( .D... ) "C:\Program Files\VDMSound"
2006-06-17 21:08:08 ( .D... ) "C:\Program Files\msn gaming zone"
2006-06-17 18:50:44 47564 ( A.SHR ) "C:\NTDETECT.COM"
2006-06-16 14:34:44 48936 ( A.... ) "C:\WINDOWS\system32\sirenacm.dll"
2006-06-15 22:51:34 ( .D... ) "C:\Program Files\Skype"
2006-06-09 23:56:18 ( .D... ) "C:\Program Files\Morpheus Toolbar"
2006-06-09 23:55:38 ( .D... ) "C:\Documents and Settings\Owner.ROBERTO-OPCE9I9\Application Data\Morpheus"
2006-05-30 20:38:18 2735616 ( A.... ) "C:\WINDOWS\system32\TopThemesLogonUI.exe"
2006-05-30 20:38:14 2318976 ( A.... ) "C:\WINDOWS\system32\boot.exe"
2006-05-25 01:22:06 53248 ( A.... ) "C:\WINDOWS\bdoscandel.exe"
2006-05-19 08:59:42 148480 ( A.... ) "C:\WINDOWS\system32\dnsapi.dll"
2006-05-19 08:59:42 111616 ( A.... ) "C:\WINDOWS\system32\dhcpcsvc.dll"
2006-05-19 08:59:42 94720 ( A.... ) "C:\WINDOWS\system32\iphlpapi.dll"
2006-05-16 19:27:14 14 ( A.... ) "C:\AUTOEXEC.BAT"
2006-05-15 18:26:06 200704 ( A.... ) "C:\WINDOWS\system32\NPRCAS.dll"
2006-05-10 21:09:34 183296 ( A.S.. ) "C:\WINDOWS\NDNuninstall7_22.exe"
2006-05-05 12:31:04 4608 ( A.... ) "C:\WINDOWS\system32\w95inf32.dll"
2006-05-05 12:31:04 2272 ( A.... ) "C:\WINDOWS\system32\w95inf16.dll"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-08-04 23:13 53,248 C:\WINDOWS\system32\Process.exe
2006-08-04 23:13 42,496 C:\WINDOWS\system32\swreg.exe
2006-08-04 23:13 40,960 C:\WINDOWS\system32\swsc.exe
2006-08-04 23:13 288,417 C:\WINDOWS\system32\SrchSTS.exe
2006-08-03 21:53 81,920 C:\WINDOWS\system32\nopdb.dll
2006-08-02 05:15 39,424 C:\WINDOWS\YAXUninst.exe
2006-08-02 05:15 155,136 C:\WINDOWS\system32\oins.exe
2006-08-01 03:27 118,842 C:\WINDOWS\bwUnin-6.3.2.116-4476822L.exe
2006-07-31 22:21 573,492 C:\WINDOWS\system32\vtsqr.dll
2006-07-31 21:54 45,056 C:\WINDOWS\system32afdaqd3.exe
2006-07-31 21:54 45,056 C:\WINDOWS\system32\afdaqd3.exe
2006-07-31 21:54 28,672 C:\WINDOWS\system32cymmh.exe
2006-07-31 21:54 28,672 C:\WINDOWS\system32\whcixm7.exe
2006-07-31 21:54 221,184 C:\WINDOWS\system32\vf1v62x.dll
2006-07-31 21:54 159,744 C:\WINDOWS\system32\apbzk.exe
2006-07-31 21:54 1,163,264 C:\WINDOWS\system32\l3jdfs.exe
2006-07-31 21:53 362 C:\WINDOWS\tyknl.dll
2006-07-31 21:44 2 C:\WINDOWS\system32\wnscpsv.exe
2006-07-31 21:43 40,973 C:\WINDOWS\system32\opnopmk.dll
2006-07-31 20:59 139,264 C:\WINDOWS\War3Unin.exe
2006-07-27 20:45 98,304 C:\WINDOWS\system32\CmdLineExt.dll
2006-07-25 07:22 5,632 C:\WINDOWS\system32\ptpusb.dll
2006-07-25 07:22 159,232 C:\WINDOWS\system32\ptpusd.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"YBrowser"="C:\\Program Files\\Yahoo!\\browser\\ybrwicon.exe"
"IPInSightLAN 01"="\"C:\\Program Files\\Visual Networks\\Visual IP InSight\\SBC\\IPClient.exe\" -l"
"IPInSightMonitor 01"="\"C:\\Program Files\\Visual Networks\\Visual IP InSight\\SBC\\IPMon32.exe\""
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"StorageGuard"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"MCUpdateExe"="C:\\PROGRA~1\\McAfee.com\\Agent\\McUpdate.exe"
"MCAgentExe"="C:\\PROGRA~1\\McAfee.com\\Agent\\McAgent.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"ISUSPM Startup"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\isuspm.exe\" -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"igfxtray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"
"PCchat"="C:\\DOCUME~1\\OWNER~1.ROB\\LOCALS~1\\Temp\\Rar$EX00.516\\PCchat.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"QuickFinder Scheduler"="\"C:\\Program Files\\WordPerfect Office X3\\Programs\\QFSCHD130.EXE\""
"epy9J"="\"C:\\WINDOWS\\system32\\l3jdfs.exe\""
"F-Secure Manager"="\"C:\\Program Files\\F-Secure Internet Security\\Common\\FSM32.EXE\" /splash"
"F-Secure TNB"="\"C:\\Program Files\\F-Secure Internet Security\\TNB\\TNBUtil.exe\" /CHECKALL /WAITFORSW"
"F-Secure Startup Wizard"="\"C:\\Program Files\\F-Secure Internet Security\\FSGUI\\FSSW.EXE\" /reboot"
"New.net Startup"="rundll32 C:\\PROGRA~1\\NEWDOT~1\\NEWDOT~2.DLL,ClientStartup -s"
"Picasa Media Detector"="C:\\Program Files\\Picasa2\\PicasaMediaDetector.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\DeskBot]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"Yahoo! Pager"="1"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Ousc"="\"C:\\WINDOWS\\WNSXS~1\\chkdsk.exe\" -vt yazr"
"Nxisxbwb"="C:\\DOCUME~1\\OWNER~1.ROB\\MYDOCU~1\\ECURIT~1\\JVAW~1.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{917BE940-0A64-1033-1106-030416200001}"="\"C:\\Program Files\\Common Files\\{917BE940-0A64-1033-1106-030416200001}\\Update.exe\" mc-110-12-0000272"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,e6,00,00,00,00,00,00,00,9a,03,00,00,44,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f2,01,00,00,23,00,00,00,7c,00,00,00,72,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users.WINDOWS\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^hamachi.lnk]
"path"="C:\\Documents and Settings\\All Users.WINDOWS\\Start Menu\\Programs\\Startup\\hamachi.lnk"
"backup"="C:\\WINDOWS\\pss\\hamachi.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Hamachi\\hamachi.exe "
"item"="hamachi"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner.ROBERTO-OPCE9I9^Start Menu^Programs^Startup^MagicDisc.lnk]
"path"="C:\\Documents and Settings\\Owner.ROBERTO-OPCE9I9\\Start Menu\\Programs\\Startup\\MagicDisc.lnk"
"backup"="C:\\WINDOWS\\pss\\MagicDisc.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\MAGICD~1\\MAGICD~1.EXE "
"item"="MagicDisc"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="apdproxy"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="aim"
"hkey"="HKCU"
"command"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="daemon"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="tfswctrl"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hkcmd"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\hkcmd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="igfxpers"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\igfxpers.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="igfxtray"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\igfxtray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\INetBooster]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ISpBos"
"hkey"="HKCU"
"command"="C:\\Program Files\\Robust\\Internet Booster\\ISpBos.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPInSightLAN 01]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IPClient"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Visual Networks\\Visual IP InSight\\SBC\\IPClient.exe\" -l"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPInSightMonitor 01]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IPMon32"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Visual Networks\\Visual IP InSight\\SBC\\IPMon32.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="isuspm"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\isuspm.exe\" -startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="issch"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAVPersonal50]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="kav"
"hkey"="HKLM"
"command"="C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus Personal\\kav.exe /minimize"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="McAgent"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\McAfee.com\\Agent\\McAgent.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="McUpdate"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\McAfee.com\\Agent\\McUpdate.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MsnMsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NEWDOT~2"
"hkey"="HKLM"
"command"="rundll32 C:\\PROGRA~1\\NEWDOT~1\\NEWDOT~2.DLL,ClientStartup -s"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCchat]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PCchat"
"hkey"="HKLM"
"command"="C:\\DOCUME~1\\OWNER~1.ROB\\LOCALS~1\\Temp\\Rar$EX00.516\\PCchat.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickFinder Scheduler]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="QFSCHD130"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\WordPerfect Office X3\\Programs\\QFSCHD130.EXE\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TXP]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="txp"
"hkey"="HKLM"
"command"="c:\\program files\\topthemesxp\\txp.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sgtray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Save"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Save\\Save.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSearch]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Search"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\WhenUSearch\\Search.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSearchWHSE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="whse"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\WhenUSearch\\whse.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winampa"
"hkey"="HKLM"
"command"="C:\\Program Files\\Winamp\\winampa.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="1"
"hkey"="HKCU"
"command"="1"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ybrwicon"
"hkey"="HKLM"
"command"="C:\\Program Files\\Yahoo!\\browser\\ybrwicon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"kavsvc"=dword:00000002
"iPodService"=dword:00000003
"IDriverT"=dword:00000003

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system
DisableTaskMgr REG_DWORD 0 (0x0)
NoColorChoice REG_DWORD 0 (0x0)
NoSizeChoice REG_DWORD 0 (0x0)
NoDispScrSavPage REG_DWORD 0 (0x0)
NoDispCPL REG_DWORD 0 (0x0)
NoVisualStyleChoice REG_DWORD 0 (0x0)
NoDispSettingsPage REG_DWORD 0 (0x0)
NoDispAppearancePage REG_DWORD 0 (0x0)



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Scheduled scanning task.job

Completion time: Sat 08/05/2006 21:51:58.85
ComboFix ver 06.07.15/28 - This logfile is located at C:\ComboFix.txt

ComboFix.2006-08-05.215122.txt




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users