
Infected With Hacker Tools, Spyware


  • This topic is locked
20 replies to this topic

#1 karo

  • Members
  • 21 posts

Posted 20 September 2006 - 04:04 AM

Logfile of HijackThis v1.99.1
Scan saved at 12:59:25, on 20/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Tiscali
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 217.171.184.1:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
O4 - HKLM\..\Run: [PDService.exe] C:\Program Files\Utimaco\SafeGuard PrivateDisk\pdservice.exe
O4 - HKLM\..\Run: [mouseElf] D:\MYDOCU~1\Programs\GNETMOUS.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [intell321.exe] C:\WINDOWS\system32\intell321.exe
O4 - HKLM\..\Run: [bikini] bikini.exe
O4 - HKLM\..\Run: [mstm32.exe] C:\WINDOWS\mstm32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [1bddcfd3.exe] C:\Documents and Settings\Karwan\Local Settings\Application Data\1bddcfd3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: palstart.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra button: Panda ActiveScan - {653D93AF-C741-4e5e-8C1B-59BA43F93E16} - http://www.pandasoftware.com/activescan (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk
O15 - Trusted Zone: *.sony-europe.com
O15 - Trusted Zone: *.sonystyle-europe.com
O15 - Trusted Zone: *.vaio-link.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1142188149532
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Apache - Unknown owner - C:\Program Files\Apache Group\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: MySql - Unknown owner - C:/MySQL/bin/mysqld-nt.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment File Import Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
O23 - Service: VAIO Entertainment Task Scheduler - Sony Corporation - C:\Program Files\Sony\VAIO Entertainment\VzTaskScheduler.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-IntegratedServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\IntegratedServer\HTTP (file missing)
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe" /Service=VAIOMediaPlatform-Mobile-Gateway /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Addons\Packages\Mobile\Gateway" /DisplayName="VAIO Media Gateway Server (file missing)
O23 - Service: VAIO Cooporated Initialisation (VCI) - Sony Corporation - C:\Program Files\Sony\VAIO Cooperated Initialisation\VCI_SVC.exe

Edited by karo, 20 September 2006 - 04:07 AM.


#2 Mr_JAk3

    HJT Team Member

  • Members
  • 527 posts
  • Location:Finland

Posted 22 September 2006 - 12:42 PM

Hi karo, you got some infections there.

Please post the full HijackThis log here. (This one doesn't have the "Running Processes" section.)

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

NOTE: Do not run any other options from SmitfraudFix until I tell you to do so!
UNITE & ASAP member since 2006

#3 karo
  • Topic Starter

  • Members
  • 21 posts

Posted 22 September 2006 - 04:13 PM

Hi
I don't know how to include the running processes; every time I scan, it won't give me the running processes. Another thing: I accidentally clicked on "Add checked to ignorelist", therefore when I scan it won't show anything.

thanks

#4 Mr_JAk3

    HJT Team Member

  • Members
  • 527 posts
  • Location:Finland

Posted 23 September 2006 - 01:05 AM

Ok, please follow these instructions.

Open HijackThis.
-> Click "None of the Above, just start the program"
-> Click Config
-> Click Main
-> Click Checkmark the following: Include a list of running processes in logfiles
-> Click Ignorelist
-> Click Delete all

Then run a fresh scan with HijackThis and post its log here.
Then we'll continue :thumbsup:
UNITE & ASAP member since 2006

#5 karo
  • Topic Starter

  • Members
  • 21 posts

Posted 23 September 2006 - 05:16 AM

Thank you, this is a log file with running processes...
-------------------------------------------


Logfile of HijackThis v1.99.1
Scan saved at 14:13:50, on 23/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\MySQL\bin\mysqld-nt.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Utimaco\SafeGuard PrivateDisk\pdservice.exe
D:\MYDOCU~1\Programs\GNETMOUS.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\intell321.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\LVComS.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\palstart.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Tiscali
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 217.171.184.1:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
O4 - HKLM\..\Run: [PDService.exe] C:\Program Files\Utimaco\SafeGuard PrivateDisk\pdservice.exe
O4 - HKLM\..\Run: [mouseElf] D:\MYDOCU~1\Programs\GNETMOUS.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [intell321.exe] C:\WINDOWS\system32\intell321.exe
O4 - HKLM\..\Run: [mstm32.exe] C:\WINDOWS\mstm32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [1bddcfd3.exe] C:\Documents and Settings\Karwan\Local Settings\Application Data\1bddcfd3.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: palstart.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra button: Panda ActiveScan - {653D93AF-C741-4e5e-8C1B-59BA43F93E16} - http://www.pandasoftware.com/activescan (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk
O15 - Trusted Zone: *.sony-europe.com
O15 - Trusted Zone: *.sonystyle-europe.com
O15 - Trusted Zone: *.vaio-link.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1142188149532
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Apache - Unknown owner - C:\Program Files\Apache Group\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: MySql - Unknown owner - C:/MySQL/bin/mysqld-nt.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment File Import Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
O23 - Service: VAIO Entertainment Task Scheduler - Sony Corporation - C:\Program Files\Sony\VAIO Entertainment\VzTaskScheduler.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-IntegratedServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\IntegratedServer\HTTP (file missing)
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe" /Service=VAIOMediaPlatform-Mobile-Gateway /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Addons\Packages\Mobile\Gateway" /DisplayName="VAIO Media Gateway Server (file missing)
O23 - Service: VAIO Cooporated Initialisation (VCI) - Sony Corporation - C:\Program Files\Sony\VAIO Cooperated Initialisation\VCI_SVC.exe

#6 karo
  • Topic Starter

  • Members
  • 21 posts

Posted 23 September 2006 - 05:21 AM

I have run SmitfraudFix as well; this is the report.

------------------------------------------------------------------

SmitFraudFix v2.98

Scan done at 14:17:16.81, 23/09/2006
Run from C:\Documents and Settings\Karwan\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\intell321.exe FOUND !
C:\WINDOWS\system32\oleext.dll FOUND !
C:\WINDOWS\system32\oleext32.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Karwan\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Karwan\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\secure32.html FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

#7 Mr_JAk3

    HJT Team Member

  • Members
  • 527 posts
  • Location:Finland

Posted 23 September 2006 - 05:57 AM

Good work, now we'll continue :thumbsup:

One or more of the identified infections is a backdoor trojan.
This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

Remove the old version of Ewido via Control Panel -> Add/Remove programs. We'll install the latest version later.

You should print these instructions or save these to a text file. Follow these instructions carefully.

Download and install ewido anti-spyware 4.0
  • Open ewido anti-spyware
  • Click on the Update icon at the top of the window
    • Click on the Start update button
    • Wait for the update to download and install
  • Click Guard
  • Click under "resident shield is"
  • Change it from active to inactive
  • Quit the program; we'll use this later.
Download ATF Cleaner by Atribune to your desktop.
Do NOT run yet.

Then, make your hidden files visible:
  • Go to My Computer
  • Select the Tools menu and click Folder Options
  • Click the View tab.
  • Checkmark the "Display the contents of system folders"
  • Under the Hidden files and folders select "Show hidden files and folders"
  • Uncheck "Hide protected operating system files"
  • Click Apply and then the OK and close My Computer.
Disable Windows Defender's real-time protection; it may interfere with our cleaning:
  • Open Windows Defender
  • Click on "Tools"
  • Click on "General Settings"
  • Scroll down to "Real-time protection options"
  • Uncheck "Turn on Real-time protection (recommended)"
  • Click "Save"
  • Exit the program.
Stop the following processes using Task Manager (press ctrl+alt+del, select the Processes tab, highlight the first process in the list and click End Process). Continue through the list (one at a time) until all processes have been ended. If something isn't found, please continue with the next process in the list.

intell321.exe
palstart.exe

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O4 - HKLM\..\Run: [intell321.exe] C:\WINDOWS\system32\intell321.exe
O4 - HKLM\..\Run: [mstm32.exe] C:\WINDOWS\mstm32.exe
O4 - HKCU\..\Run: [1bddcfd3.exe] C:\Documents and Settings\Karwan\Local Settings\Application Data\1bddcfd3.exe
O4 - Global Startup: palstart.exe

Restart your computer to the safe mode:
  • Restart your computer
  • Start tapping the F8 key when the computer restarts.
  • When the start menu opens, choose Safe mode
  • Press Enter. The computer then begins to start in Safe mode.
Go to the My Computer and delete the following files(if present):
C:\Documents and Settings\Karwan\Local Settings\Application Data\1bddcfd3.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\palstart.exe
C:\WINDOWS\system32\1bddcfd3.exe
C:\WINDOWS\mstm32.exe
C:\WINDOWS\system32\intell321.exe

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

Restart your computer to the safe mode again.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

NOTE: The following will clear all of your cookies, forms and history from Firefox. Feel free to skip this step.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
NOTE: The following will clear all of your cookies, forms and history from Opera. Feel free to skip this step.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Now scan your computer with Ewido.
  • Open Ewido
  • Click on the Scanner icon at the top of the window
  • Click on the Settings tab then select Recommended Options and choose Quarantine
  • Click on the Scan tab
  • Select Complete System Scan. Ewido will now begin to scan your system
  • When the scan has completed, if infections were found, press Apply all actions.
  • Then click on the Save Scan Report button and save the scan to your Desktop where it can be easily found
  • Copy and paste the scan results into your next post.
When you're ready, post the following logs here:
- Ewido's report
- a fresh HijackThis log
- contents of C:\Rapport.txt

Edited by Mr_JAk3, 23 September 2006 - 05:57 AM.

UNITE & ASAP member since 2006
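The fix above removes four autostart (O4) entries by name. As an added example that is not part of this thread and not HijackThis code, the script below parses the O4 lines of a HijackThis log and flags the kinds of persistence the helper picked out: a random hex file name, an executable running from the user's profile, a file dropped directly into C:\WINDOWS, or a bare .exe in the all-users Startup folder. The heuristics and the function names (parse_o4, assess, triage) are the editor's own assumptions; the sample log is constructed from lines quoted in this thread.

```python
"""Triage the O4 (autostart) lines of a HijackThis log.

Added example, not HijackThis code and not part of the original thread: the
heuristics below and the function names are the editor's own assumptions.
"""
import re

# "O4 - HKLM\..\Run: [value name] command line"
RUN_RE = re.compile(r'^O4 - (?P<loc>.+\\Run[^:]*): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
# "O4 - Global Startup: item.lnk = target"  or  "O4 - Startup: item.exe"
STARTUP_RE = re.compile(r'^O4 - (?P<loc>(?:Global )?Startup): (?P<cmd>.*)$')
# First token that ends in an executable extension, even if the path has spaces
EXE_RE = re.compile(r'^(?P<path>.+?\.(?:exe|com|scr|pif|bat|cmd))(?:\s|$)', re.I)
# Droppers frequently name their file with a random hex string
HEX_NAME_RE = re.compile(r'^[0-9a-f]{6,}\.exe$', re.I)

# Constructed sample: lines of the kind quoted in this thread's HijackThis logs
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [intell321.exe] C:\WINDOWS\system32\intell321.exe
O4 - HKLM\..\Run: [mstm32.exe] C:\WINDOWS\mstm32.exe
O4 - HKCU\..\Run: [1bddcfd3.exe] C:\Documents and Settings\Karwan\Local Settings\Application Data\1bddcfd3.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: palstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
"""


def _target(cmd):
    """Extract the executable path from a Run value or a Startup-folder item."""
    cmd = cmd.strip()
    if ' = ' in cmd:                      # "shortcut.lnk = C:\path\target.exe"
        cmd = cmd.split(' = ', 1)[1].strip()
    if cmd.startswith('"'):               # quoted path, arguments follow the quote
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group('path') if m else cmd


def parse_o4(line):
    """Return {'loc', 'name', 'item', 'path'} for an O4 line, or None for any other line."""
    m = RUN_RE.match(line)
    if m:
        loc, name, cmd = m.group('loc', 'name', 'cmd')
        item = ''
    else:
        m = STARTUP_RE.match(line)
        if not m:
            return None
        loc, cmd = m.group('loc', 'cmd')
        name = ''
        item = cmd.split(' = ', 1)[0].strip()   # the file actually sitting in the Startup folder
    return {'loc': loc, 'name': name, 'item': item, 'path': _target(cmd)}


def assess(entry):
    """Return the reasons an autostart entry looks like dropper persistence (empty if none)."""
    path = entry['path'].lower()
    folder, _, base = path.rpartition('\\')
    reasons = []
    if HEX_NAME_RE.match(base):
        reasons.append('random hex file name')
    if '\\application data\\' in path or '\\local settings\\' in path:
        reasons.append('runs from a user-writable profile directory')
    if folder.endswith('\\windows'):
        reasons.append('executable dropped directly into %SystemRoot%')
    if entry['item'].lower().endswith('.exe'):
        reasons.append('bare executable in the Startup folder instead of a shortcut')
    return reasons


def triage(log_text):
    """Return [(line, reasons)] for every O4 entry that trips at least one heuristic."""
    flagged = []
    for raw in log_text.splitlines():
        line = raw.strip()
        entry = parse_o4(line)
        if entry:
            reasons = assess(entry)
            if reasons:
                flagged.append((line, reasons))
    return flagged


if __name__ == '__main__':
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print('    ->', reason)
```

Note what path heuristics do not catch: intell321.exe sits in system32 under an unremarkable name, so nothing in the line itself separates it from ctfmon.exe on the next line. Deciding that entry needs a lookup against known-good binaries (vendor, hash or a known-files database), which is what any real triage adds on top of checks like these.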

#8 karo

  • Topic Starter
  • Members
  • 21 posts

Posted 23 September 2006 - 08:13 AM

I couldn't find these files.

C:\Documents and Settings\Karwan\Local Settings\Application Data\1bddcfd3.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\palstart.exe
C:\WINDOWS\system32\1bddcfd3.exe
C:\WINDOWS\mstm32.exe
C:\WINDOWS\system32\intell321.exe

Anyway, I have done the rest of your instructions. These are the reports.

------------------------------
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 17:02:35 23/09/2006

+ Scan result:



C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll -> Adware.Minibug : Cleaned with backup (quarantined).
:mozilla.90:C:\Documents and Settings\Karwan\Application Data\Mozilla\Firefox\Profiles\gj79uxqh.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
:mozilla.100:C:\Documents and Settings\Karwan\Application Data\Mozilla\Firefox\Profiles\gj79uxqh.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup (quarantined).
:mozilla.102:C:\Documents and Settings\Karwan\Application Data\Mozilla\Firefox\Profiles\gj79uxqh.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
:mozilla.103:C:\Documents and Settings\Karwan\Application Data\Mozilla\Firefox\Profiles\gj79uxqh.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
:mozilla.104:C:\Documents and Settings\Karwan\Application Data\Mozilla\Firefox\Profiles\gj79uxqh.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
:mozilla.97:C:\Documents and Settings\Karwan\Application Data\Mozilla\Firefox\Profiles\gj79uxqh.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
:mozilla.32:C:\Documents and Settings\Karwan\Application Data\Mozilla\Firefox\Profiles\gj79uxqh.default\cookies.txt -> TrackingCookie.Realtracker : Cleaned with backup (quarantined).
:mozilla.48:C:\Documents and Settings\Karwan\Application Data\Mozilla\Firefox\Profiles\gj79uxqh.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).


::Report end

------------------------------------------------

SmitFraudFix v2.98

Scan done at 16:08:39.09, 23/09/2006
Run from C:\Documents and Settings\Karwan\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\oleext.dll Deleted
C:\WINDOWS\system32\oleext32.dll Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
C:\Program Files\secure32.html Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 17:05:37, on 23/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\MySQL\bin\mysqld-nt.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Utimaco\SafeGuard PrivateDisk\pdservice.exe
D:\MYDOCU~1\Programs\GNETMOUS.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\LVComS.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Tiscali
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 217.171.184.1:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
O4 - HKLM\..\Run: [PDService.exe] C:\Program Files\Utimaco\SafeGuard PrivateDisk\pdservice.exe
O4 - HKLM\..\Run: [mouseElf] D:\MYDOCU~1\Programs\GNETMOUS.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra button: Panda ActiveScan - {653D93AF-C741-4e5e-8C1B-59BA43F93E16} - http://www.pandasoftware.com/activescan (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk
O15 - Trusted Zone: *.sony-europe.com
O15 - Trusted Zone: *.sonystyle-europe.com
O15 - Trusted Zone: *.vaio-link.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1142188149532
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Apache - Unknown owner - C:\Program Files\Apache Group\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: MySql - Unknown owner - C:/MySQL/bin/mysqld-nt.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment File Import Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
O23 - Service: VAIO Entertainment Task Scheduler - Sony Corporation - C:\Program Files\Sony\VAIO Entertainment\VzTaskScheduler.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-IntegratedServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\IntegratedServer\HTTP (file missing)
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe" /Service=VAIOMediaPlatform-Mobile-Gateway /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Addons\Packages\Mobile\Gateway" /DisplayName="VAIO Media Gateway Server (file missing)
O23 - Service: VAIO Cooporated Initialisation (VCI) - Sony Corporation - C:\Program Files\Sony\VAIO Cooperated Initialisation\VCI_SVC.exe

#9 Mr_JAk3

  • HJT Team Member
  • Members
  • 527 posts
  • Location: Finland

Posted 23 September 2006 - 12:01 PM

Hi again, you're looking clean now :thumbsup:
How is the pc running ?

Delete the following folder:
C:\Program Files\Common Files\Real\WeatherBug

Now you can enable the Windows Defender shield again.
  • Open Windows Defender
  • Click on "Tools"
  • Click on "General Settings"
  • Scroll down to "Real-time protection options"
  • Check "Turn on Real-time protection (recommended)"
  • Click "Save"
  • Exit the program.
Now you can clean Ewido's Quarantine:
  • Open Ewido
  • Click Infections
  • Click Quarantine tab
  • Click Select all
  • Click Remove finally
  • Close the program
Now you can make your hidden files hidden again.
  • Go to My Computer
  • Select the Tools menu and click Folder Options
  • Click the View tab.
  • Checkmark the "Display the contents of system folders"
  • Under the Hidden files and folders select "Show hidden files and folders"
  • Check "Hide protected operating system files"
  • Click Apply, then OK, and close My Computer.
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Clear your system restore
    This will clear the system restore folders from possible malware that was left behind during the cleaning process.
  • Use ATF Cleaner
    Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.
  • Use Ad-Aware
    Download and install Ad-Aware. Update it and scan your computer regularly with it.
  • Use Ewido
    Update it and scan your computer regularly with it.
  • Use Spybot S&D
    Download and install Spybot S&D. Update it and scan your computer regularly with it.
  • Install SpywareBlaster
    SpywareBlaster will prevent spyware from being installed.
  • Install MVPS Hosts file
    This prevents your computer from connecting to harmful sites.
  • Use Firefox browser
    Firefox is a faster, safer and better browser than Internet Explorer.
  • Keep your system up-to-date
    Visit Windows Update regularly.
  • Keep your antivirus and firewall up-to-date
    Scan your computer regularly with your antivirus.
  • Read this article by TonyKlein
    So how did I get infected in the first place?

UNITE & ASAP member since 2006

#10 karo

  • Topic Starter
  • Members
  • 21 posts

Posted 23 September 2006 - 01:39 PM

Hi
Thank you mate, but still I got a red cross "Windows security alert" icon on the toolbar that keeps showing the message "your comp. is infected, click to repair".

Also, my system is a bit slow during booting.

What to do?
thanks

#11 Mr_JAk3

  • HJT Team Member
  • Members
  • 527 posts
  • Location: Finland

Posted 24 September 2006 - 01:14 AM

Ok, we'll continue then...

There is a new version of SmitFraudFix available. Please remove the old version from your computer.

Please download the latest version (v2.99) of SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

NOTE: Do not run any other options from SmitfraudFix until I tell you to do so!

Edited by Mr_JAk3, 24 September 2006 - 01:15 AM.

UNITE & ASAP member since 2006

#12 karo

  • Topic Starter
  • Members
  • 21 posts

Posted 24 September 2006 - 07:26 AM

Hi again, this is the result.


SmitFraudFix v2.98

Scan done at 16:21:03.33, 24/09/2006
Run from C:\Documents and Settings\Karwan\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Karwan\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Karwan\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

#13 Mr_JAk3

  • HJT Team Member
  • Members
  • 527 posts
  • Location: Finland

Posted 24 September 2006 - 08:31 AM

Ok, that was not the latest version of SmitfraudFix (2.99). Please follow the instructions in my last message again.

Please download WinPFind2.
  • Extract the files to a folder (e.g. C:\WinPFind2).
  • Double click WinPFind2.exe to start the program.
  • Click the Select All button in the File Options box of the Configuration tab (this is the tab the program opens up to by default).
  • Click the Run all Scans button.
  • When its finished scanning you will see Scans Complete! at the bottom left of the program.
  • Click the Export to Text button.
  • Notepad will open with the results of the scan and the log will be saved to the folder that you extracted the program to (C:\WinPFind2\WinPFind2.txt)
  • Post the log in your next reply please. You may need to split the log over a couple of posts so that it doesn't get cut off. If so, please use the [Start Post #1] and [Start Post #2] delimiters in the log to split the log up.
Please post the new SmitfraudFix log too.
UNITE & ASAP member since 2006
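WinPFind2 prints each process as three lines: a header row with the image name, PID, thread count, parent PID and base priority padded with dashes, a #full path line, and a ##(vendor [Ver | Size | Date | Attr]) line. As an added example, not part of the thread and not WinPFind2's own code, the script below parses that section, flags images with no vendor string or running outside C:\WINDOWS and C:\Program Files, and follows the parent PID column to reconstruct which listed process started which. The sample listing is constructed in that layout from entries of the kind seen in this thread; the heuristics and function names (parse_processes, flag_processes, lineage) are the editor's assumptions.

```python
"""Parse the process section of a WinPFind2 log and flag what stands out.

Added example, not WinPFind2 code and not part of the original thread: the
heuristics and function names are the editor's own assumptions.
"""
import re

# image name, PID, thread count, parent PID and base priority, padded with dashes
HEADER_RE = re.compile(
    r'^(?P<name>\S+?)-{2,}(?P<pid>\d+)-+(?P<threads>\d+)-+(?P<parent>\d+)-+(?P<prio>[A-Za-z]+)-*$')
# "##(Vendor [Ver = x | Size = n bytes | Date = d | Attr = a])"; vendor and Ver may be empty
INFO_RE = re.compile(
    r'^##\((?P<vendor>.*?)\s*\[Ver = (?P<ver>.*?)\s*\| Size = (?P<size>\d+) bytes'
    r' \| Date = (?P<date>.*?)\s*\| Attr = (?P<attr>[^\]]*)\]\)$')
TRUSTED_ROOTS = ('c:\\windows\\', 'c:\\program files\\')

# Constructed sample in WinPFind2's layout, using entries of the kind seen in this thread
SAMPLE_LISTING = r"""
Processes
Image Name---------------ProcessID--Thread Count--Parent ID--Base Priority--
#Full Path
##(Version Info)

apache.exe---------------001608-----0003----------000636-----Normal---------
#c:\program files\apache group\apache\apache.exe
##( [Ver = | Size = 20480 bytes | Date = 10/10/2000 17:56 | Attr = ])

ccapp.exe----------------003632-----0036----------002276-----Normal---------
#c:\program files\common files\symantec shared\ccapp.exe
##(Symantec Corporation [Ver = 2.1.10.2 | Size = 71328 bytes | Date = 03/09/2006 11:47 | Attr = ])

gnetmous.exe-------------003620-----0002----------002276-----Normal---------
#d:\mydocu~1\programs\gnetmous.exe
##( [Ver = 1.00.01 | Size = 176128 bytes | Date = 02/12/2003 18:01 | Attr = ])

hkserv.exe---------------003580-----0007----------002276-----Normal---------
#c:\program files\sony\hotkey utility\hkserv.exe
##(Sony Corporation [Ver = 4, 1, 1, 6290 | Size = 122880 bytes | Date = 06/29/2004 17:49 | Attr = ])

hkwnd.exe----------------002576-----0004----------003580-----Normal---------
#c:\program files\sony\hotkey utility\hkwnd.exe
##(Sony Corporation [Ver = 4, 1, 1, 6260 | Size = 389120 bytes | Date = 06/26/2004 17:48 | Attr = ])

pdservice.exe------------003608-----0003----------002276-----Normal---------
#c:\program files\utimaco\safeguard privatedisk\pdservice.exe
##(Utimaco Safeware AG [Ver = 1.00.6.7 | Size = 40960 bytes | Date = 07/06/2004 17:15 | Attr = R ])
"""


def parse_processes(text):
    """Return one dict per process: name, pid, threads, parent, priority, path, vendor, version, size, date, attr."""
    procs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('##'):                 # version-info line closes the record
            m = INFO_RE.match(line)
            if cur is not None and m:
                cur.update(vendor=m.group('vendor').strip(), version=m.group('ver').strip(),
                           size=int(m.group('size')), date=m.group('date').strip(),
                           attr=m.group('attr').strip())
            cur = None
        elif line.startswith('#'):                # full path line
            if cur is not None:
                cur['path'] = line[1:].strip()
        else:
            m = HEADER_RE.match(line)
            if m:
                cur = {'name': m.group('name'), 'pid': int(m.group('pid')),
                       'threads': int(m.group('threads')), 'parent': int(m.group('parent')),
                       'priority': m.group('prio'), 'path': '', 'vendor': '',
                       'version': '', 'size': 0, 'date': '', 'attr': ''}
                procs.append(cur)
    return procs


def flag_processes(procs):
    """Return {pid: [reasons]} for processes worth a closer look."""
    flagged = {}
    for p in procs:
        reasons = []
        if not p['vendor']:
            reasons.append('no vendor in version info')
        if not p['path'].lower().startswith(TRUSTED_ROOTS):
            reasons.append('runs outside %SystemRoot% and %ProgramFiles%')
        if reasons:
            flagged[p['pid']] = reasons
    return flagged


def lineage(procs, pid):
    """Follow parent PIDs through the listing; stops at the first parent that has no row."""
    by_pid = {p['pid']: p for p in procs}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]['name'])
        pid = by_pid[pid]['parent']
    return chain


if __name__ == '__main__':
    procs = parse_processes(SAMPLE_LISTING)
    for pid, reasons in flag_processes(procs).items():
        print(pid, ' <- '.join(lineage(procs, pid)), reasons)
```

A missing vendor string is a prompt to look closer, not a verdict: the Apache and GNETMOUS binaries in the sample simply ship without version resources. lineage() stops at the first parent PID that has no row (636 and 2276 in the sample) rather than reporting an orphan, because a WinPFind2 listing does not necessarily include every process on the machine.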

#14 karo

  • Topic Starter
  • Members
  • 21 posts

Posted 24 September 2006 - 11:37 AM

Here is the result of the SmitfraudFix (2.99) scan.

SmitFraudFix v2.99

Scan done at 20:04:28.42, 24/09/2006
Run from C:\Documents and Settings\Karwan\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Karwan\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Karwan\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End



Logfile created on: 09/24/2006 20:28
WinPFind2 by OldTimer - Version 1.0.10 Folder = C:\Winpfind2\WinPFind2\
Microsoft Windows XP (Version = Service Pack 2)
Internet Explorer (Version - 6.0.2900.2180)


[Start Post #1]

Processes
Image Name---------------ProcessID--Thread Count--Parent ID--Base Priority--
#Full Path
##(Version Info)

apache.exe---------------001608-----0003----------000636-----Normal---------
#c:\program files\apache group\apache\apache.exe
##( [Ver = | Size = 20480 bytes | Date = 10/10/2000 17:56 | Attr = ])

apache.exe---------------001724-----0051----------001608-----Normal---------
#c:\program files\apache group\apache\apache.exe
##( [Ver = | Size = 20480 bytes | Date = 10/10/2000 17:56 | Attr = ])

ati2evxx.exe-------------000788-----0005----------000636-----Normal---------
#c:\windows\system32\ati2evxx.exe
##( [Ver = | Size = 385024 bytes | Date = 07/10/2004 16:35 | Attr = ])

ati2evxx.exe-------------001940-----0005----------000592-----Normal---------
#c:\windows\system32\ati2evxx.exe
##( [Ver = | Size = 385024 bytes | Date = 07/10/2004 16:35 | Attr = ])

ccapp.exe----------------003632-----0036----------002276-----Normal---------
#c:\program files\common files\symantec shared\ccapp.exe
##(Symantec Corporation [Ver = 2.1.10.2 | Size = 71328 bytes | Date = 03/09/2006 11:47 | Attr = ])

ccevtmgr.exe-------------001332-----0026----------000636-----Normal---------
#c:\program files\common files\symantec shared\ccevtmgr.exe
##(Symantec Corporation [Ver = 2.1.10.2 | Size = 255648 bytes | Date = 03/09/2006 11:47 | Attr = ])

ccproxy.exe--------------001640-----0015----------000636-----Normal---------
#c:\program files\common files\symantec shared\ccproxy.exe
##(Symantec Corporation [Ver = 2.1.6.3 | Size = 218736 bytes | Date = 02/28/2005 20:56 | Attr = ])

ccsetmgr.exe-------------001296-----0007----------000636-----Normal---------
#c:\program files\common files\symantec shared\ccsetmgr.exe
##(Symantec Corporation [Ver = 2.1.10.2 | Size = 235168 bytes | Date = 03/09/2006 11:48 | Attr = ])

ewido.exe----------------003656-----0013----------002276-----Normal---------
#c:\program files\ewido anti-spyware 4.0\ewido.exe
##(Anti-Malware Development a.s. [Ver = 4, 0, 0, 172 | Size = 6283264 bytes | Date = 06/16/2006 18:39 | Attr = ])

gnetmous.exe-------------003620-----0002----------002276-----Normal---------
#d:\mydocu~1\programs\gnetmous.exe
##( [Ver = 1.00.01 | Size = 176128 bytes | Date = 02/12/2003 18:01 | Attr = ])

guard.exe----------------001696-----0008----------000636-----Normal---------
#c:\program files\ewido anti-spyware 4.0\guard.exe
##(Anti-Malware Development a.s. [Ver = 4, 0, 0, 172 | Size = 172032 bytes | Date = 06/16/2006 18:38 | Attr = ])

hkserv.exe---------------003580-----0007----------002276-----Normal---------
#c:\program files\sony\hotkey utility\hkserv.exe
##(Sony Corporation [Ver = 4, 1, 1, 6290 | Size = 122880 bytes | Date = 06/29/2004 17:49 | Attr = ])

hkwnd.exe----------------002576-----0004----------003580-----Normal---------
#c:\program files\sony\hotkey utility\hkwnd.exe
##(Sony Corporation [Ver = 4, 1, 1, 6260 | Size = 389120 bytes | Date = 06/26/2004 17:48 | Attr = ])

logitray.exe-------------003360-----0002----------002276-----Normal---------
#c:\program files\logitech\imagestudio\logitray.exe
##(Logitech Inc. [Ver = 7.3.0.1113 | Size = 61440 bytes | Date = 12/10/2002 21:31 | Attr = ])

lvcoms.exe---------------000480-----0002----------000804-----Normal---------
#c:\windows\system32\lvcoms.exe
##(Logitech Inc. [Ver = 7.0.0.1221 | Size = 102400 bytes | Date = 06/10/2002 17:21 | Attr = ])

mysqld-nt.exe------------001992-----0007----------000636-----Normal---------
#c:\mysql\bin\mysqld-nt.exe
##( [Ver = | Size = 1081344 bytes | Date = 11/22/2000 19:26 | Attr = ])

navapsvc.exe-------------002380-----0011----------000636-----Normal---------
#c:\program files\norton internet security\norton antivirus\navapsvc.exe
##(Symantec Corporation [Ver = 10.00.2 | Size = 158848 bytes | Date = 04/23/2004 15:04 | Attr = ])

pdservice.exe------------003608-----0003----------002276-----Normal---------
#c:\program files\utimaco\safeguard privatedisk\pdservice.exe
##(Utimaco Safeware AG [Ver = 1.00.6.7 | Size = 40960 bytes | Date = 07/06/2004 17:15 | Attr = R ])

realsched.exe------------003648-----0004----------002276-----Normal---------
#c:\program files\common files\real\update_ob\realsched.exe
##(RealNetworks, Inc. [Ver = 0.1.0.3725 | Size = 185784 bytes | Date = 09/23/2006 14:45 | Attr = ])

savscan.exe--------------000124-----0007----------000636-----Normal---------
#c:\program files\norton internet security\norton antivirus\savscan.exe
##(Symantec Corporation [Ver = | Size = 194272 bytes | Date = 01/25/2005 22:48 | Attr = ])

sndsrvc.exe--------------001308-----0007----------000636-----Normal---------
#c:\program files\common files\symantec shared\sndsrvc.exe
##(Symantec Corporation [Ver = 5.5.1.6 | Size = 206552 bytes | Date = 04/05/2005 12:17 | Attr = ])

spmgr.exe----------------003600-----0004----------002276-----Normal---------
#c:\program files\sony\vaio power management\spmgr.exe
##(Sony Corporation [Ver = 1.3.01.06110 | Size = 180224 bytes | Date = 06/30/2004 00:45 | Attr = ])

sv_httpd.exe-------------001276-----0003----------000636-----Normal---------
#c:\program files\sony\vaio media integrated server\platform\sv_httpd.exe
##(Sony Corporation [Ver = 3.0.00.06160 | Size = 57344 bytes | Date = 06/16/2004 06:42 | Attr = ])

symwsc.exe---------------001136-----0020----------000636-----Normal---------
#c:\program files\common files\symantec shared\security center\symwsc.exe
##(Symantec Corporation [Ver = 2005.1.2.20 | Size = 316544 bytes | Date = 11/02/2004 20:59 | Attr = ])

upnpframework.exe--------002284-----0009----------000636-----Normal---------
#c:\program files\sony\vaio media integrated server\platform\upnpframework.exe
##(Sony Corporation [Ver = 6.0.00.06220 | Size = 733184 bytes | Date = 06/22/2004 14:58 | Attr = ])

vmisrv.exe---------------000404-----0017----------000636-----Normal---------
#c:\program files\sony\vaio media integrated server\vmisrv.exe
##(Sony Corporation [Ver = 3.1.00.07090 | Size = 1826816 bytes | Date = 07/09/2004 20:28 | Attr = ])

vzfw.exe-----------------000388-----0018----------000636-----Normal---------
#c:\program files\common files\sony shared\vaio entertainment\vzcdb\vzfw.exe
##(Sony Corporation [Ver = 1.1.00.07080 | Size = 118877 bytes | Date = 07/09/2004 00:26 | Attr = ])

winpfind2.exe------------001036-----0001----------002276-----Normal---------
#c:\winpfind2\winpfind2\winpfind2.exe
##(OldTimer Tools [Ver = 1.0.10.0 | Size = 392704 bytes | Date = 09/17/2006 11:39 | Attr = ])

ymsgr_tray.exe-----------000564-----0001----------003672-----Normal---------
#c:\program files\yahoo!\messenger\ymsgr_tray.exe
##( [Ver = | Size = 90112 bytes | Date = 08/31/2005 19:12 | Attr = ])


Registry Entries

#Value
##(Version Info)

<<< >> Internet Explorer Settings << >>>

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page
#http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
##

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Search Page
#http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
##

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Default_Page_URL
#http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
##

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Default_Search_URL
#http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
##

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Local Page
#C:\windows\system32\blank.htm
##

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page
#http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
##

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Search Page
#http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
##

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Default_Search_URL
#http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
##

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Local Page
#C:\windows\system32\blank.htm
##

HKLM\SOFTWARE\Microsoft\Internet Explorer\Search\\CustomizeSearch
#http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
##

HKLM\SOFTWARE\Microsoft\Internet Explorer\Search\\SearchAssistant
#http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
##

HKCU\Software\Microsoft\Internet Explorer\urlSearchHooks\\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}
#Microsoft Url Search Hook = %SystemRoot%\system32\shdocvw.dll
##(Microsoft Corporation [Ver = 6.00.2900.2937 (xpsp_sp2_gdr.060623-0002) | Size = 1494016 bytes | Date = 06/23/2006 15:02 | Attr = ])

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable
#0
##

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride
#<local>
##

<<< >> BHO's << >>>

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
#Adobe PDF Reader Link Helper = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
##(Adobe Systems Incorporated [Ver = 7.0.7.2006011200 | Size = 63128 bytes | Date = 01/12/2006 21:38 | Attr = ])

<<< >> Internet Explorer Bars, Toolbars and Extensions << >>>

<<< HKLM-> Internet Explorer Bars >>>

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
#&Yahoo! Messenger = C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
##(Yahoo! Inc. [Ver = 2005, 5, 11, 1 | Size = 316552 bytes | Date = 07/31/2005 12:12 | Attr = ])

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
#&Tip of the Day = %SystemRoot%\system32\shdocvw.dll
##(Microsoft Corporation [Ver = 6.00.2900.2937 (xpsp_sp2_gdr.060623-0002) | Size = 1494016 bytes | Date = 06/23/2006 15:02 | Attr = ])

<<< HKCU-> Internet Explorer Bars >>>

HKCU\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
#Reg Data missing or invalid = Reg Data missing or invalid
##(File not found)

HKCU\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
#&Yahoo! Messenger = C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
##(Yahoo! Inc. [Ver = 2005, 5, 11, 1 | Size = 316552 bytes | Date = 07/31/2005 12:12 | Attr = ])

HKCU\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
#File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
##(Microsoft Corporation [Ver = 6.00.2900.2951 (xpsp_sp2_gdr.060713-0009) | Size = 8453632 bytes | Date = 07/13/2006 17:33 | Attr = ])

HKCU\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
#Favorites Band = %SystemRoot%\system32\shdocvw.dll
##(Microsoft Corporation [Ver = 6.00.2900.2937 (xpsp_sp2_gdr.060623-0002) | Size = 1494016 bytes | Date = 06/23/2006 15:02 | Attr = ])

HKCU\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
#History Band = %SystemRoot%\system32\shdocvw.dll
##(Microsoft Corporation [Ver = 6.00.2900.2937 (xpsp_sp2_gdr.060623-0002) | Size = 1494016 bytes | Date = 06/23/2006 15:02 | Attr = ])

HKCU\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
#Explorer Band = %SystemRoot%\system32\shdocvw.dll
##(Microsoft Corporation [Ver = 6.00.2900.2937 (xpsp_sp2_gdr.060623-0002) | Size = 1494016 bytes | Date = 06/23/2006 15:02 | Attr = ])

<<< HKLM-> Internet Explorer ToolBars >>>

HKLM\SOFTWARE\Microsoft\Internet Explorer\ToolBar\\{0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7}
#Web assistant = C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
##(Symantec Corporation [Ver = 7.0.3.8 | Size = 126976 bytes | Date = 12/11/2003 16:31 | Attr = ])

HKLM\SOFTWARE\Microsoft\Internet Explorer\ToolBar\\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
#Yahoo! Toolbar = C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
##(Yahoo! Inc. [Ver = 2005, 8, 4, 2 | Size = 343112 bytes | Date = 08/04/2005 22:54 | Attr = ])

<<< HKCU-> Internet Explorer ToolBars >>>

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F}
#&Google = c:\program files\google\googletoolbar1.dll
##(File not found)

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}
#Norton AntiVirus = C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
##(File not found)

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383}
#&Address = %SystemRoot%\system32\browseui.dll
##(Microsoft Corporation [Ver = 6.00.2900.2937 (xpsp_sp2_gdr.060623-0002) | Size = 1022976 bytes | Date = 06/23/2006 15:02 | Attr = ])

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}
#Web assistant = C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
##(Symantec Corporation [Ver = 7.0.3.8 | Size = 126976 bytes | Date = 12/11/2003 16:31 | Attr = ])

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383}
#&Links = %SystemRoot%\system32\SHELL32.dll
##(Microsoft Corporation [Ver = 6.00.2900.2951 (xpsp_sp2_gdr.060713-0009) | Size = 8453632 bytes | Date = 07/13/2006 17:33 | Attr = ])

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F}
#&Google = c:\program files\google\googletoolbar1.dll
##(File not found)

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}
#MSN = C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
##(File not found)

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
#Yahoo! Toolbar = C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
##(Yahoo! Inc. [Ver = 2005, 8, 4, 2 | Size = 343112 bytes | Date = 08/04/2005 22:54 | Attr = ])

<<< HKCU-> Internet Explorer CmdMapping >>>

HKCU\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
#8192 - Sun Java Console
##

HKCU\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
#8193 - Yahoo! Messenger
##

HKCU\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{653D93AF-C741-4e5e-8C1B-59BA43F93E16}
#8197 - Reg Data missing or invalid
##

HKCU\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{85d1f590-48f4-11d9-9669-0800200c9a66}
#8196 - Uninstall BitDefender Online Scanner v8
##

HKCU\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
#8194 - Reg Data missing or invalid
##

HKCU\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683}
#8195 - Windows Messenger
##

HKCU\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\NextId
#8198
##

<<< HKLM-> Internet Explorer Extensions >>>

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
#MenuText: Sun Java Console = C:\WINDOWS\system32\msjava.dll
##(Microsoft Corporation [Ver = 5.00.3810 | Size = 947472 bytes | Date = 02/28/2003 22:26 | Attr = ])

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
#ButtonText: Messenger = Reg Data missing or invalid
##(File not found)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{653D93AF-C741-4e5e-8C1B-59BA43F93E16}
#ButtonText: Panda ActiveScan = http://www.pandasoftware.com/activescan
##(File not found)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{85d1f590-48f4-11d9-9669-0800200c9a66}
#MenuText: Uninstall BitDefender Online Scanner v8 = Reg Data missing or invalid
##(File not found)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
#ButtonText: Research = Reg Data missing or invalid
##(File not found)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
#ButtonText: Messenger = C:\Program Files\Messenger\msmsgs.exe
##(Microsoft Corporation [Ver = 4.7.3001 | Size = 1694208 bytes | Date = 10/13/2004 20:24 | Attr = ])

<<< HKCU-> Internet Explorer Menu Extensions >>>

HKCU\Software\Microsoft\Internet Explorer\MenuExt\&Google Search
#res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
##(File not found)

HKCU\Software\Microsoft\Internet Explorer\MenuExt\&Translate English Word
#res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
##(File not found)

HKCU\Software\Microsoft\Internet Explorer\MenuExt\Backward Links
#res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
##(File not found)

HKCU\Software\Microsoft\Internet Explorer\MenuExt\Cached Snapshot of Page
#res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
##(File not found)

HKCU\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Office Excel
#res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
##(Microsoft Corporation [Ver = 11.0.8033 | Size = 10196752 bytes | Date = 06/23/2006 12:38 | Attr = ])

HKCU\Software\Microsoft\Internet Explorer\MenuExt\Similar Pages
#res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
##(File not found)

HKCU\Software\Microsoft\Internet Explorer\MenuExt\Translate Page into English
#res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
##(File not found)

<<< >> Approved Shell Extensions (Non-Microsoft only) << >>>

<<< HKLM-> Approved Shell Extensions >>>

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}
#Autoplay for SlideShow = Reg Data missing or invalid
##(File not found)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0DF44EAA-FF21-4412-828E-260A8728E7F1}
#Taskbar and Start Menu = Reg Data missing or invalid
##(File not found)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{42071714-76d4-11d1-8b24-00a0c9068ff3}
#Display Panning CPL Extension = deskpan.dll
##(File not found)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5464D816-CF16-4784-B9F3-75C0DB52B499}
#Yahoo! Mail = C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
##(Yahoo! Inc. [Ver = 2004, 11, 23, 1 | Size = 180848 bytes | Date = 11/23/2004 10:59 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{764BF0E1-F219-11ce-972D-00AA00A14F56}
#Shell extensions for file compression = Reg Data missing or invalid
##(File not found)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{792F0537-F929-4eb7-AC1D-FB6334C71550}
#LG Phone = Reg Data missing or invalid
##(File not found)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{7A9D77BD-5403-11d2-8785-2E0420524153}
#User Accounts = Reg Data missing or invalid
##(File not found)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}
#Encryption Context Menu = Reg Data missing or invalid
##(File not found)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{88895560-9AA2-1069-930E-00AA0030EBC8}
#HyperTerminal Icon Ext = C:\WINDOWS\system32\hticons.dll
##(Hilgraeve, Inc. [Ver = 5.1.2600.0 | Size = 44544 bytes | Date = 08/04/2004 16:00 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{AB77609F-2178-4E6F-9C4B-44AC179D937A}
#a² Context Menu Shell Extension = C:\PROGRA~1\A-SQUA~1\A2CONT~1.DLL
##( [Ver = | Size = 404480 bytes | Date = 12/06/2003 16:23 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B41DB860-8EE4-11D2-9906-E49FADC173CA}
#WinRAR shell extension = C:\Program Files\WinRAR\rarext.dll
##( [Ver = | Size = 118784 bytes | Date = 01/15/2003 01:27 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B446400D-0030-457b-8F64-422A19605186}
#Logitech Gallery = C:\Program Files\Logitech\ImageStudio\NameSpc.dll
##(Logitech Inc. [Ver = 7.3.0.1113 | Size = 53248 bytes | Date = 12/10/2002 21:29 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}
#Adobe.Acrobat.ContextMenu = C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll
##(Adobe Systems Inc. [Ver = 6.0.0.2003073000\0 | Size = 643161 bytes | Date = 07/30/2003 05:54 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{DEE12703-6333-4D4E-8F34-738C4DCC2E04}
#RecordNow! SendToExt = C:\Program Files\Sonic\RecordNow!\shlext.dll
##( [Ver = 7.0.0.0 | Size = 73728 bytes | Date = 06/22/2004 10:02 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{ED58A35B-B554-42AF-A26C-6F3D424200D3}
#Sony Power Management Extensiond = C:\Program Files\Sony\VAIO Power Management\SPMPanel.dll
##(Sony Corporation [Ver = 1.3.01.06110 | Size = 233472 bytes | Date = 06/23/2004 01:12 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}
#Shell Extensions for RealOne Player = C:\Program Files\Real\RealPlayer\rpshell.dll
##(RealNetworks, Inc. [Ver = 1.0.1.2453 | Size = 54736 bytes | Date = 09/23/2006 14:46 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F6A51CCC-6AA6-46ad-B726-97466F0A38BF}
#SafeGuard® PrivateDisk extension = C:\Program Files\Utimaco\SafeGuard PrivateDisk\pdshell.dll
##(Utimaco Safeware AG [Ver = 1.00.6.7 | Size = 28672 bytes | Date = 07/06/2004 17:16 | Attr = R ])

<<< HKCU-> Approved Shell Extensions >>>

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{BDEADF00-C265-11d0-BCED-00A0C90AB50F}
#Web Folders = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
##(Microsoft Corporation [Ver = 11.0.5510.0 | Size = 1292872 bytes | Date = 07/11/2003 06:15 | Attr = ])

<<< >> ContextMenuHandlers (Non-Microsoft only) << >>>

<<< HKLM-> ContextMenuHandlers >>>

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\Adobe.Acrobat.ContextMenu
#{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} = C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll
##(Adobe Systems Inc. [Ver = 6.0.0.2003073000\0 | Size = 643161 bytes | Date = 07/30/2003 05:54 | Attr = ])

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ewido anti-spyware
#{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
##(Anti-Malware Development a.s. [Ver = 4, 0, 0, 172 | Size = 94208 bytes | Date = 06/16/2006 18:38 | Attr = ])

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\SGPDMenu
#{F6A51CCC-6AA6-46ad-B726-97466F0A38BF} = C:\Program Files\Utimaco\SafeGuard PrivateDisk\pdshell.dll
##(Utimaco Safeware AG [Ver = 1.00.6.7 | Size = 28672 bytes | Date = 07/06/2004 17:16 | Attr = R ])

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
#{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
##(File not found)

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\WinRAR
#{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
##( [Ver = | Size = 118784 bytes | Date = 01/15/2003 01:27 | Attr = ])

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\Yahoo! Mail
#{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
##(Yahoo! Inc. [Ver = 2004, 11, 23, 1 | Size = 180848 bytes | Date = 11/23/2004 10:59 | Attr = ])

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido anti-spyware
#{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
##(Anti-Malware Development a.s. [Ver = 4, 0, 0, 172 | Size = 94208 bytes | Date = 06/16/2006 18:38 | Attr = ])

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
#{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
##( [Ver = | Size = 118784 bytes | Date = 01/15/2003 01:27 | Attr = ])

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\a2ContMenu
#{AB77609F-2178-4E6F-9C4B-44AC179D937A} = C:\PROGRA~1\A-SQUA~1\A2CONT~1.DLL
##( [Ver = | Size = 404480 bytes | Date = 12/06/2003 16:23 | Attr = ])

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SGPDMenu
#{F6A51CCC-6AA6-46ad-B726-97466F0A38BF} = C:\Program Files\Utimaco\SafeGuard PrivateDisk\pdshell.dll
##(Utimaco Safeware AG [Ver = 1.00.6.7 | Size = 28672 bytes | Date = 07/06/2004 17:16 | Attr = R ])

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
#{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
##(File not found)

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
#{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
##( [Ver = | Size = 118784 bytes | Date = 01/15/2003 01:27 | Attr = ])

<<< >> ColumnHandlers (Non-Microsoft only) << >>>

<<< HKLM-> ColumnHandlers >>>

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
#PDF Shell Extension = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
##(Adobe Systems, Inc. [Ver = 7.0.0.0 | Size = 110592 bytes | Date = 12/14/2004 03:20 | Attr = ])

<<< >> File Associations Keys << >>>

HKLM\SOFTWARE\Classes\.bat\\''
#batfile
##

HKLM\SOFTWARE\Classes\batfile\shell\open\command\\''
#"%1" %*
##

HKLM\SOFTWARE\Classes\.cmd\\''
#cmdfile
##

HKLM\SOFTWARE\Classes\cmdfile\shell\open\command\\''
#"%1" %*
##

HKLM\SOFTWARE\Classes\.com\\''
#comfile
##

HKLM\SOFTWARE\Classes\comfile\shell\open\command\\''
#"%1" %*
##

HKLM\SOFTWARE\Classes\.exe\\''
#exefile
##

HKLM\SOFTWARE\Classes\exefile\shell\open\command\\''
#"%1" %*
##

HKLM\SOFTWARE\Classes\.hta\\''
#htafile
##

HKLM\SOFTWARE\Classes\htafile\shell\open\command\\''
#C:\WINDOWS\system32\mshta.exe "%1" %*
##

HKLM\SOFTWARE\Classes\.js\\''
#JSFile
##

HKLM\SOFTWARE\Classes\jsfile\shell\open\command\\''
#%SystemRoot%\System32\WScript.exe "%1" %*
##

HKLM\SOFTWARE\Classes\.jse\\''
#JSEFile
##

HKLM\SOFTWARE\Classes\jsefile\shell\open\command\\''
#%SystemRoot%\System32\WScript.exe "%1" %*
##

HKLM\SOFTWARE\Classes\.scr\\''
#scrfile
##

HKLM\SOFTWARE\Classes\scrfile\shell\open\command\\''
#"%1" /S
##

HKLM\SOFTWARE\Classes\.vbe\\''
#VBEFile
##

HKLM\SOFTWARE\Classes\vbefile\shell\open\command\\''
#%SystemRoot%\System32\WScript.exe "%1" %*
##

HKLM\SOFTWARE\Classes\.vbs\\''
#VBSFile
##

HKLM\SOFTWARE\Classes\vbsfile\shell\open\command\\''
#%SystemRoot%\System32\WScript.exe "%1" %*
##

HKLM\SOFTWARE\Classes\.wsf\\''
#WSFFile
##

HKLM\SOFTWARE\Classes\wsffile\shell\open\command\\''
#%SystemRoot%\System32\WScript.exe "%1" %*
##

HKLM\SOFTWARE\Classes\.wsh\\''
#WSHFile
##

HKLM\SOFTWARE\Classes\wshfile\shell\open\command\\''
#%SystemRoot%\System32\WScript.exe "%1" %*
##

HKLM\SOFTWARE\Classes\.txt\\''
#txtfile
##

HKLM\SOFTWARE\Classes\txtfile\shell\open\command\\''
#%SystemRoot%\system32\NOTEPAD.EXE %1
##

<<< >> Registry Run Keys << >>>

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\!ewido
#"C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
##(Anti-Malware Development a.s. [Ver = 4, 0, 0, 172 | Size = 6283264 bytes | Date = 06/16/2006 18:39 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\ccApp
#"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
##(Symantec Corporation [Ver = 2.1.10.2 | Size = 71328 bytes | Date = 03/09/2006 11:47 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\HKSERV.EXE
#C:\Program Files\Sony\HotKey Utility\HKserv.exe
##(Sony Corporation [Ver = 4, 1, 1, 6290 | Size = 122880 bytes | Date = 06/29/2004 17:49 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\IMEKRMIG6.1
#C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
##(Microsoft Corporation [Ver = 6.1.2600.0 | Size = 44032 bytes | Date = 08/04/2004 16:00 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\LogitechGalleryRepair
#C:\Program Files\Logitech\ImageStudio\ISStart.exe
##(Logitech Inc. [Ver = 7.3.0.1113 | Size = 155648 bytes | Date = 12/10/2002 21:32 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\LogitechImageStudioTray
#C:\Program Files\Logitech\ImageStudio\LogiTray.exe
##(Logitech Inc. [Ver = 7.3.0.1113 | Size = 61440 bytes | Date = 12/10/2002 21:31 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\mouseElf
#D:\MYDOCU~1\Programs\GNETMOUS.EXE
##( [Ver = 1.00.01 | Size = 176128 bytes | Date = 02/12/2003 18:01 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\MSPY2002
#C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
##( [Ver = | Size = 59392 bytes | Date = 08/04/2004 16:00 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\PDService.exe
#C:\Program Files\Utimaco\SafeGuard PrivateDisk\pdservice.exe
##(Utimaco Safeware AG [Ver = 1.00.6.7 | Size = 40960 bytes | Date = 07/06/2004 17:15 | Attr = R ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\SonyPowerCfg
#C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
##(Sony Corporation [Ver = 1.3.01.06110 | Size = 180224 bytes | Date = 06/30/2004 00:45 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Symantec NetDriver Monitor
#C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
##(Symantec Corporation [Ver = 5.5.1.6 | Size = 100056 bytes | Date = 10/24/2005 21:32 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\TkBellExe
#"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
##(RealNetworks, Inc. [Ver = 0.1.0.3725 | Size = 185784 bytes | Date = 09/23/2006 14:45 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Windows Defender
#"C:\Program Files\Windows Defender\MSASCui.exe" -hide
##(Microsoft Corporation [Ver = 1.1.1347.0 | Size = 777424 bytes | Date = 04/03/2006 18:12 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL
#Installed = 1
##

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI
#Installed = 1
##

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS
#Installed = 1
##

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\ctfmon.exe
#C:\WINDOWS\system32\ctfmon.exe
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 15360 bytes | Date = 08/04/2004 16:00 | Attr = ])

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\msnmsgr
#"C:\Program Files\MSN Messenger\msnmsgr.exe" /background
##(Microsoft Corporation [Ver = 7.5.0324 | Size = 7094272 bytes | Date = 01/24/2006 23:37 | Attr = ])

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Yahoo! Pager
#"C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
##( [Ver = | Size = 2437120 bytes | Date = 08/31/2005 19:12 | Attr = ])

<<< >> Miscellaneous Startup Keys << >>>

<<< AppInit DLLs >>>

<<< Image File Execution Options >>>

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
#Debugger = ntsd -d
##

<<< Shell Service Object Delay Load >>>

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\CDBurn
#{fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
##(Microsoft Corporation [Ver = 6.00.2900.2951 (xpsp_sp2_gdr.060713-0009) | Size = 8453632 bytes | Date = 07/13/2006 17:33 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\PostBootReminder
#{7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
##(Microsoft Corporation [Ver = 6.00.2900.2951 (xpsp_sp2_gdr.060713-0009) | Size = 8453632 bytes | Date = 07/13/2006 17:33 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\SysTray
#{35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 121856 bytes | Date = 08/04/2004 16:00 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck
#{E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
##(Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Size = 276480 bytes | Date = 08/04/2004 16:00 | Attr = ])

<<< Shell Execute Hooks >>>

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}
#Microsoft AntiMalware ShellExecuteHook = C:\PROGRA~1\WIFD1F~1\MpShHook.dll
##(Microsoft Corporation [Ver = 1.1.1347.0 | Size = 81616 bytes | Date = 04/03/2006 18:12 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{57B86673-276A-48B2-BAE7-C6DBB3020EB8}
#CShellExecuteHookImpl Object = C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll
##(Anti-Malware Development a.s. [Ver = 4, 0, 0, 172 | Size = 73728 bytes | Date = 06/16/2006 18:38 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972}
#URL Exec Hook = shell32.dll
##(Microsoft Corporation [Ver = 6.00.2900.2951 (xpsp_sp2_gdr.060713-0009) | Size = 8453632 bytes | Date = 07/13/2006 17:33 | Attr = ])

<<< Shared Task Scheduler >>>

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\\{438755C2-A8BA-11D1-B96B-00A0C90312E1}
#Browseui preloader = %SystemRoot%\system32\browseui.dll
##(Microsoft Corporation [Ver = 6.00.2900.2937 (xpsp_sp2_gdr.060623-0002) | Size = 1022976 bytes | Date = 06/23/2006 15:02 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\\{8C7461EF-2B13-11d2-BE35-3078302C2030}
#Component Categories cache daemon = %SystemRoot%\system32\browseui.dll
##(Microsoft Corporation [Ver = 6.00.2900.2937 (xpsp_sp2_gdr.060623-0002) | Size = 1022976 bytes | Date = 06/23/2006 15:02 | Attr = ])

<<< SafeBoot Option >>>

<<< HKLM Command Processor AutoRun >>>

HKLM\SOFTWARE\Microsoft\Command Processor\\AutoRun
#
##

<<< HKCU Command Processor AutoRun >>>

<<< Security Providers >>>

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders
#msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll
##

<<< BootExecute >>>

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\\BootExecute
#autocheck autochk *;
##

<<< PendingFileRenameOperations >>>

<<< FileRenameOperations >>>

<<< ExcludeFromKnownDlls >>>

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\\ExcludeFromKnownDlls
#
##

<<< >> Disabled MSConfig Items << >>>

HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpFolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk
#Acrobat Assistant = C:\PROGRA~1\Adobe\ACROBA~1.0\Distillr\acrotray.exe
##(Adobe Systems Inc. [Ver = 6.0.0.2003073000 | Size = 217195 bytes | Date = 07/30/2003 05:52 | Attr = ])

HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpFolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk
#Adobe Gamma Loader = C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE
##(Adobe Systems, Inc. [Ver = 1, 0, 0, 1 | Size = 113664 bytes | Date = 08/06/2002 17:37 | Attr = ])

HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpFolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk
#Adobe Reader Speed Launch = C:\PROGRA~1\Adobe\ACROBA~2.0\Reader\READER~1.EXE
##(Adobe Systems Incorporated [Ver = 7.0.5.2005092300 | Size = 29696 bytes | Date = 09/24/2005 10:05 | Attr = ])

HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpFolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Audio Filter.lnk
#Audio Filter = C:\PROGRA~1\Sony\SONICS~2\AUDIOF~1\SSMSFI~1.EXE
##(Sony Corporation [Ver = 1.1.00.07261 | Size = 2707456 bytes | Date = 07/26/2004 23:32 | Attr = ])

HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpFolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk
#GStartup = C:\Program Files\Common Files\GMT\GMT.exe /startup
##(File not found)

HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpFolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LG SyncManager.lnk
#LG SyncManager = D:\My Documents\Programs\LGSyncManager.exe
##(File not found)

HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpFolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^palstart.exe
#palstart = C:\Documents and Settings\All Users\Start Menu\Programs\Startup\palstart.exe
##(File not found)

HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpFolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk
#Picture Package Menu = C:\PROGRA~1\SONYCO~1\PICTUR~1\PICTUR~3\SonyTray.exe
##(Sony Corporation [Ver = 1, 0, 31121, 1 | Size = 151552 bytes | Date = 11/22/2003 01:02 | Attr = ])

HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpFolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk
#Picture Package VCD Maker = C:\PROGRA~1\SONYCO~1\PICTUR~1\PICTUR~1\RESIDE~1.EXE -h
##(Sony Corporation. [Ver = 1, 0, 0, 1 | Size = 106496 bytes | Date = 12/17/2003 15:57 | Attr = ])

HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpFolder\C:^Documents and Settings^Karwan^Start Menu^Programs^Startup^Calendar 2000.lnk
#Calendar 2000 = C:\Program Files\Software by Design\Calendar.exe
##(File not found)

HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpFolder\C:^Documents and Settings^Karwan^Start Menu^Programs^Startup^Click to DVD Automatic Mode Launcher.lnk
#Click to DVD Automatic Mode Launcher = C:\PROGRA~1\Sony\CLICKT~1\ctdatsvr.exe
##(Sony Corporation [Ver = 2.1.02.07020 | Size = 98304 bytes | Date = 07/02/2004 14:27 | Attr = ])

HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpFolder\C:^Documents and Settings^Karwan^Start Menu^Programs^Startup^PictureGear Studio Media Watcher.lnk
#PictureGear Studio Media Watcher = C:\PROGRA~1\Sony\PICTUR~1\PHOTOC~1\PGSWatch.exe
##(Sony Corporation [Ver = 2, 0, 04,01190 | Size = 81920 bytes | Date = 01/19/2004 14:56 | Attr = ])

HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpFolder\C:^Documents and Settings^Karwan^Start Menu^Programs^Startup^VAIO Launcher.lnk
#VAIO Launcher = C:\PROGRA~1\Sony\VAIOLA~1\Launcher.exe
##(Sony Corporation [Ver = 1.1.00.07280 | Size = 692224 bytes | Date = 07/28/2004 21:07 | Attr = ])

HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpFolder\C:^Documents and Settings^Karwan^Start Menu^Programs^Startup^WinMySQLadmin.lnk
#WinMySQLadmin = C:\MySQL\bin\WINMYS~1.EXE
##(MySQL AB [Ver = 1.0.0.0 | Size = 1176064 bytes | Date = 09/20/2000 02:46 | Attr = ])

HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpFolder\C:^Documents and Settings^Karwan^Start Menu^Programs^Startup^wkcalrem.LNK
#wkcalrem = C:\PROGRA~1\COMMON~1\MICROS~1\WORKSS~1\WkCalRem.exe
##(Microsoft® Corporation [Ver = 7.02.0620.0 | Size = 24651 bytes | Date = 06/21/2002 00:21 | Attr = ])

HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\15.tmp
#15 = C:\DOCUME~1\Karwan\LOCALS~1\Temp\15.tmp.exe
##(File not found)

HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\15.tmp.exe
#15 = C:\DOCUME~1\Karwan\LOCALS~1\Temp\15.tmp.exe
##(File not found)

HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\16.tmp
#16 = C:\DOCUME~1\Karwan\LOCALS~1\Temp\16.tmp.exe
##(File not found)

HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\16.tmp.exe
#16 = C:\DOCUME~1\Karwan\LOCALS~1\Temp\16.tmp.exe
##(File not found)

HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\Apoint
#Apoint = C:\Program Files\Apoint\Apoint.exe
##(Alps Electric Co., Ltd. [Ver = 5.5.7.136 | Size = 114688 bytes | Date = 11/07/2003 12:21 | Attr = ])

HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\ATIPTA
#atiptaxx = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
##(ATI Technologies, Inc. [Ver = 6.14.10.5115 | Size = 339968 bytes | Date = 07/11/2004 00:10 | Attr = ])

HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\BearShare
#BearShare = D:\Program Files\BearShare.exe /pause
##(File not found)

HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\bikini
#bikini = bikini.exe
##(File not found)

HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\ctfmon.exe
#ctfmon = C:\WINDOWS\system32\ctfmon.exe
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 15360 bytes | Date = 08/04/2004 16:00 | Attr = ])

HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\IMJPMIG8.1
#IMJPMIG = "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
##(Microsoft Corporation [Ver = 8.1.4202.0 | Size = 208952 bytes | Date = 08/04/2004 16:00 | Attr = ])

HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\links
#links = links.exe
##(File not found)

HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\LVCOMS
#LVCOMS = C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
##(Logitech Inc. [Ver = 7.3.0.1113 | Size = 127022 bytes | Date = 12/10/2002 20:54 | Attr = ])

HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\Mouse Suite 98 Daemon
#ICO = ICO.EXE
##(Primax Electronics Ltd. [Ver = 1, 0, 0, 8 | Size = 45056 bytes | Date = 03/14/2002 19:46 | Attr = ])

HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\msnmsgr
#msnmsgr = "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
##(Microsoft Corporation [Ver = 7.5.0324 | Size = 7094272 bytes | Date = 01/24/2006 23:37 | Attr = ])

HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\Skype
#Skype = "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
##( [Ver = | Size = 20036648 bytes | Date = 07/21/2006 13:06 | Attr = ])

HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\TkBellExe
#realsched = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
##(RealNetworks, Inc. [Ver = 0.1.0.3725 | Size = 185784 bytes | Date = 09/23/2006 14:45 | Attr = ])

HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\URLLSTCK.exe
#UrlLstCk = C:\Program Files\Norton Internet Security\UrlLstCk.exe
##(Symantec Corporation [Ver = 7.0.3.8 | Size = 70800 bytes | Date = 12/11/2003 16:35 | Attr = ])

HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\VAIO Update 2
#VAIOUpdt = "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
##(Sony Corporation [Ver = 2, 1, 0, 6290 | Size = 147456 bytes | Date = 06/29/2004 16:17 | Attr = ])

HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\WebCamRT.exe
# =
##(File not found)

HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\winca.exe
#winca = C:\WINDOWS\winca.exe
##(File not found)

HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\Yahoo! Pager
#ypager = "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
##( [Ver = | Size = 2437120 bytes | Date = 08/31/2005 19:12 | Attr = ])

<<< >> User Agent Post Platform << >>>

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\\SV1
#
##

<<< >> Winlogon << >>>

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit
#C:\WINDOWS\system32\userinit.exe,
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 24576 bytes | Date = 08/04/2004 16:00 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
#explorer.exe
##(Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Size = 1032192 bytes | Date = 08/04/2004 16:00 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\System
#
##(File not found)

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet
#rundll32 shell32,Control_RunDLL "sysdm.cpl"
##

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent
#Ati2evxx.dll
##( [Ver = | Size = 86016 bytes | Date = 07/10/2004 16:35 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
#crypt32.dll
##(Microsoft Corporation [Ver = 5.131.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 597504 bytes | Date = 08/04/2004 16:00 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
#cryptnet.dll
##(Microsoft Corporation [Ver = 5.131.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 63488 bytes | Date = 08/04/2004 16:00 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
#cscdll.dll
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 101888 bytes | Date = 08/04/2004 16:00 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
#wlnotify.dll
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 92672 bytes | Date = 08/04/2004 16:00 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
#wlnotify.dll
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 92672 bytes | Date = 08/04/2004 16:00 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
#sclgntfy.dll
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 20992 bytes | Date = 08/04/2004 16:00 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
#WlNotify.dll
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 92672 bytes | Date = 08/04/2004 16:00 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
#wlnotify.dll
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 92672 bytes | Date = 08/04/2004 16:00 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon
#WgaLogon.dll
##(Microsoft Corporation [Ver = 1.5.0540.0 | Size = 702768 bytes | Date = 06/19/2006 16:20 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
#wlnotify.dll
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 92672 bytes | Date = 08/04/2004 16:00 | Attr = ])

<<< >> DNS Name Servers << >>>

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{255AB2A2-0AD4-41A5-8337-6F22B2B68A80}
# (LAN-Express AS IEEE 802.11g miniPCI Adapter)
##

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5EECB81C-80C8-42CE-9BB8-E07D0C52B8C7}
# (1394 Net Adapter)
##

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B229F8D0-F26B-47D3-AC0C-ACEA4F55E3E6}
# ()
##

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{EA882025-0ADB-4B64-8D06-15CA5164B270}
# (Realtek RTL8139/810x Family Fast Ethernet NIC)
##

<<< >> All Winsock2 Catalogs << >>>

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001
#%SystemRoot%\System32\mswsock.dll
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 245248 bytes | Date = 08/04/2004 16:00 | Attr = ])

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002
#%SystemRoot%\System32\winrnr.dll
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 16896 bytes | Date = 08/04/2004 16:00 | Attr = ])

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003
#%SystemRoot%\System32\mswsock.dll
##(Microsoft Corporation [Ver = 5.1.2600.2180 (x

#15 Mr_JAk3

    HJT Team Member

  • Members
  • 527 posts
  • Location:Finland

Posted 25 September 2006 - 07:04 AM

Hi again, sorry for the delay.

Is that warning message still popping up?
What is the exact content of the message?

Then we'll clean a few leftovers.

Open Notepad (NOT WORDPAD!) and copy the following lines from the quote box below into a new document, leaving a blank line at the end (don't forget to copy and paste the word REGEDIT4):

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpFolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpFolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^palstart.exe]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\15.tmp]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\15.tmp.exe]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\16.tmp]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\16.tmp.exe]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\bikini]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\links]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\winca.exe]


Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Save the document to your desktop as Fix.reg with the file type set to All Files.
Go to your desktop and double click on the file to run Fix.reg and when it asks you if you want to merge the contents to the registry, click yes/ok.
  • Please go HERE to run PandaActiveScan...
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report.
Your WinPFind log wasn't complete; please post the rest of the log here too.
UNITE & ASAP member since 2006
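The fix above hand-writes a REGEDIT4 file that deletes the MSConfig StartUpReg entries whose target WinPFind reported as "File not found". As an added example (not code from this thread, from WinPFind or from the HJT team), the Python below reads a constructed subset of the WinPFind log in the same key / #value / ##(status) shape, flags the entries that point nowhere or run from a user Temp directory, and generates the same [-KEY] deletion file, enforcing the header and trailing-blank-line rules the post insists on. The triage heuristics in suspicion_reasons are my own, and the sample log is a constructed excerpt, not the poster's full log.

```python
"""Triage WinPFind MSConfig start-up entries and emit a REGEDIT4 deletion file."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the shape of the WinPFind log above (a subset, not the full log).
SAMPLE_LOG = r"""HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\15.tmp
#15 = C:\DOCUME~1\Karwan\LOCALS~1\Temp\15.tmp.exe
##(File not found)

HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\Apoint
#Apoint = C:\Program Files\Apoint\Apoint.exe
##(Alps Electric Co., Ltd. [Ver = 5.5.7.136 | Size = 114688 bytes | Date = 11/07/2003 12:21 | Attr = ])

HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\bikini
#bikini = bikini.exe
##(File not found)

HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\winca.exe
#winca = C:\WINDOWS\winca.exe
##(File not found)
"""

# regedit only accepts fully spelled root names inside a .reg file; WinPFind abbreviates them.
ROOT_NAMES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}

@dataclass
class Entry:
    key: str      # registry key as WinPFind prints it (abbreviated root)
    name: str     # value name, e.g. "bikini"
    command: str  # command line the entry would run
    status: str   # WinPFind's on-disk check, e.g. "(File not found)"

def parse_winpfind(text: str) -> List[Entry]:
    """Split the log into blank-line-separated key / #value / ##(status) triplets."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [line.rstrip() for line in block.splitlines()]
        if len(lines) < 3 or not lines[1].startswith("#") or not lines[2].startswith("##"):
            continue  # not a triplet (section banner, truncated tail, ...)
        name, _, command = lines[1][1:].partition(" = ")
        entries.append(Entry(lines[0], name, command, lines[2][2:]))
    return entries

def is_orphaned(entry: Entry) -> bool:
    """WinPFind could not find the target on disk, so the entry points nowhere."""
    return entry.status.startswith("(File not found)")

def suspicion_reasons(entry: Entry) -> List[str]:
    """Triage heuristics (my own, not WinPFind's) a responder checks before deleting."""
    reasons = []
    cmd = entry.command.lower()
    if is_orphaned(entry):
        reasons.append("target missing on disk")
    if re.search(r"\\locals~1\\temp\\|\\local settings\\temp\\", cmd):
        reasons.append("runs from a user Temp directory")
    if cmd and "\\" not in cmd.strip('"'):
        reasons.append("bare file name, no directory")
    return reasons

def full_key(key: str) -> str:
    """Expand the abbreviated root (HKLM) to the name regedit requires."""
    root, sep, rest = key.partition("\\")
    return ROOT_NAMES.get(root, root) + sep + rest

def build_reg(keys: List[str]) -> str:
    """Render a REGEDIT4 file that only deletes the given keys ([-KEY] syntax)."""
    out = ["REGEDIT4", ""]
    for key in keys:
        out.append("[-" + full_key(key) + "]")
        out.append("")  # one blank line after each section
    return "\r\n".join(out) + "\r\n"  # CRLF line ends; REGEDIT4 files are ANSI text

def validate_reg(text: str) -> List[str]:
    """Enforce the rules in the post, and refuse anything that is not a pure deletion."""
    problems = []
    if not text.startswith("REGEDIT4\r\n"):
        problems.append("REGEDIT4 must be the first line, with no blank lines before it")
    if not text.endswith("]\r\n\r\n"):
        problems.append("exactly one blank line must follow the last section")
    for line in text.split("\r\n"):
        if line.startswith("[") and not (line.startswith("[-HKEY_") and line.endswith("]")):
            problems.append("section is not a delete of a fully named key: " + line)
        elif line and not line.startswith(("[", "REGEDIT4")):
            problems.append("value line has no place in a delete-only fix: " + line)
    return problems

def triage(log_text: str) -> str:
    """Parse the log, keep the orphaned entries and return a validated Fix.reg body."""
    keys = [e.key for e in parse_winpfind(log_text) if is_orphaned(e)]
    reg = build_reg(keys)
    problems = validate_reg(reg)
    if problems:
        raise ValueError("; ".join(problems))
    return reg

if __name__ == "__main__":
    print(triage(SAMPLE_LOG), end="")
```

When writing the result to disk, open the file with newline="" so Python does not translate the CRLFs, and use an ANSI code page such as cp1252, since the REGEDIT4 header denotes the old ANSI format (the Unicode format uses the "Windows Registry Editor Version 5.00" header instead). The StartUpReg and StartUpFolder keys under Shared Tools\MSConfig are MSConfig's record of start-up items that were disabled through msconfig, so a delete-only file removes stale bookkeeping rather than a live autorun; validate_reg refuses any file that would write values, so a slip while editing cannot turn the fix into a registry write.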