Hi,
I am sorry for the delay in getting these logs.
ComboFix did not run on my PC for all these days; I had to get someone to do that for me.
DSS only gave me one txt file. Please tell me if I did something wrong. Here are the logs:
ComboFix.txt
ComboFix 08-04-07.3 - Bullet Mehta 2008-04-16 10:20:34.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.399 [GMT 5.5:30]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Administrator\g2mdlhlpx.exe
C:\WINDOWS\msettings.ini
C:\WINDOWS\system32\drivers\symavc32.sys
C:\WINDOWS\system32\drivers\TXC38.sys
C:\WINDOWS\system32\ehhkj.ini
C:\WINDOWS\system32\ehhkj.ini2
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_ASC3550O
-------\Legacy_CCEVTSVC
-------\Legacy_MSUPDATE
-------\Legacy_SYSLIBRARY
-------\Legacy_TXC38
-------\Service_asc3550o
-------\Service_CcEvtSvc
-------\Service_msupdate
-------\Service_SysLibrary
-------\Service_Txc38
-------\Service_TXC38
((((((((((((((((((((((((( Files Created from 2008-03-16 to 2008-04-16 )))))))))))))))))))))))))))))))
.
2008-04-14 14:50 . 2008-04-14 14:50 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\dvdcss
2008-04-11 15:43 . 2008-04-11 15:43 <DIR> d-------- C:\Program Files\ReflexiveArcade
2008-03-28 18:03 . 2008-03-28 18:03 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-27 14:22 . 2008-03-27 14:22 <DIR> d-------- C:\Program Files\Avanquest update
2008-03-27 14:22 . 2008-03-27 14:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InstallShield
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-15 13:04 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Skype
2008-03-27 08:52 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-27 08:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-03-20 06:18 --------- d-----w C:\Program Files\Java
2008-03-13 08:10 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AdobeUM
2008-03-11 07:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg8
2008-03-06 04:02 --------- d-----w C:\Program Files\Common Files\L&H
2008-03-06 04:01 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-03-06 03:59 --------- d-----w C:\Program Files\Microsoft Works
2008-03-01 11:09 --------- d-----w C:\Program Files\Google
2008-03-01 11:09 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-01 11:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-01 11:07 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-01 11:04 --------- d-----w C:\Program Files\AVG
2008-03-01 07:22 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Symantec
2008-02-29 11:21 --------- d-----w C:\Program Files\AdminMagic Service
2008-02-16 10:40 --------- d-----w C:\Documents and Settings\Administrator\Application Data\NUnit
2008-02-16 09:48 --------- d-----w C:\Program Files\NUnit 2.4.6
2007-06-26 11:55 92,064 ----a-w C:\Documents and Settings\Administrator\mqdmmdm.sys
2007-06-26 11:55 9,232 ----a-w C:\Documents and Settings\Administrator\mqdmmdfl.sys
2007-06-26 11:55 79,328 ----a-w C:\Documents and Settings\Administrator\mqdmserd.sys
2007-06-26 11:55 66,656 ----a-w C:\Documents and Settings\Administrator\mqdmbus.sys
2007-06-26 11:55 6,208 ----a-w C:\Documents and Settings\Administrator\mqdmcmnt.sys
2007-06-26 11:55 5,936 ----a-w C:\Documents and Settings\Administrator\mqdmwhnt.sys
2007-06-26 11:55 4,048 ----a-w C:\Documents and Settings\Administrator\mqdmcr.sys
2007-06-26 11:55 25,600 ----a-w C:\Documents and Settings\Administrator\usbsermptxp.sys
2007-06-26 11:55 22,768 ----a-w C:\Documents and Settings\Administrator\usbsermpt.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 17:30 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 0 (0x0)
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^My Marketing Manager.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\My Marketing Manager.lnk
backup=C:\WINDOWS\pss\My Marketing Manager.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Pandion.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Pandion.lnk
backup=C:\WINDOWS\pss\Pandion.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2006-02-28 17:30 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus C45 Series]
--a------ 2004-01-14 14:30 99840 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX3700 Series]
--a------ 2007-07-10 17:18 98304 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACP.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX3700 Series on wian80 (from WIAN96)]
--a------ 2007-07-10 17:18 98304 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACP.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX3700 Series on wian91 (from WIAN96)]
--a------ 2007-07-10 17:18 98304 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACP.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
-ra------ 2005-04-25 07:59 77824 C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
--a------ 2005-04-10 18:43 2904660 D:\Program Files\ICQLite\ICQLite.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
-ra------ 2005-04-25 08:02 94208 C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-20 01:24 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
-ra------ 2005-04-25 08:02 114688 C:\WINDOWS\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-09-26 21:10 155648 D:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spark]
--a------ 2006-04-14 04:39 163328 E:\Program Files\Spark\Spark.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-04-13 02:31 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
D:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
C:\PROGRA~1\SYMANT~1\VPTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"DefWatch"=2 (0x2)
"SavRoam"=2 (0x2)
"ose"=3 (0x3)
"MDM"=2 (0x2)
"Macromedia Licensing Service"=3 (0x3)
"TlntSvr"=3 (0x3)
"Spooler"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\Messenger\\YahooMessenger.exe"=
"D:\\Program Files\\Messenger\\YServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"E:\\Program Files\\Spark\\Spark.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"E:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"D:\\Program Files\\ICQLite\\ICQLite.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"E:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
S2 AdminMagic;AdminMagic Service ((44185,1114));C:\Program Files\AdminMagic Service\RepSvc.exe []
S3 FXDRV;FXDRV;F:\Fxdrv.sys []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{13ee2923-68d6-11dc-9e45-00016ccdb3a6}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{16b60f7a-91b8-11dc-9e80-00016ccdb3a6}]
\Shell\Auto\command - sal.xls.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sal.xls.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56740012-0474-11dd-9f1e-00016ccdb3a6}]
\Shell\AutoRun\command - wscript.exe VirusRemoval.vbs
\Shell\open\Command - wscript.exe VirusRemoval.vbs
.
**************************************************************************
catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-04-16 10:26:27
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
.
**************************************************************************
.
Completion time: 2008-04-16 10:27:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-16 04:57:50
Pre-Run: 5,155,921,920 bytes free
Post-Run: 5,632,163,840 bytes free
.
2007-10-25 07:35:49 --- E O F ---
DSS - Main.txt
Deckard's System Scanner v20071014.68
Run by Bullet Mehta on 2008-04-16 10:29:06
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- HijackThis (run as Bullet Mehta.exe) ----------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:29:09 AM, on 4/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\BULLET~1.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = domain.wiantech.com
O17 - HKLM\Software\..\Telephony: DomainName = domain.wiantech.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{CFC63297-5C08-4882-96E8-4DEC98786D44}: NameServer = 59.144.127.16,202.254.1.18,59.144.127.17,203.197.12.30
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = domain.wiantech.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = domain.wiantech.com
O23 - Service: AdminMagic Service ((44185,1114)) (AdminMagic) - Unknown owner - C:\Program Files\AdminMagic Service\RepSvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
--
End of file - 2266 bytes
-- Files created between 2008-03-16 and 2008-04-16 -----------------------------
2008-04-16 10:28:03 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-04-16 10:19:06 68096 --a------ C:\WINDOWS\zip.exe
2008-04-16 10:19:06 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-16 10:19:06 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-16 10:19:06 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-16 10:19:06 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-16 10:19:06 98816 --a------ C:\WINDOWS\sed.exe
2008-04-16 10:19:06 80412 --a------ C:\WINDOWS\grep.exe
2008-04-16 10:19:06 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-14 14:50:19 0 d-------- C:\Documents and Settings\Administrator\Application Data\dvdcss
2008-04-11 15:43:28 0 d-------- C:\Program Files\ReflexiveArcade
2008-03-28 18:03:10 0 d-------- C:\Program Files\Trend Micro
2008-03-27 14:22:40 0 d-------- C:\Program Files\Avanquest update
2008-03-27 14:22:33 0 d-------- C:\Documents and Settings\Administrator\Application Data\InstallShield
-- Find3M Report ---------------------------------------------------------------
2008-04-15 18:34:31 0 d-------- C:\Documents and Settings\Administrator\Application Data\Skype
2008-03-27 14:22:38 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-20 11:48:51 0 d-------- C:\Program Files\Java
2008-03-13 13:40:54 0 d-------- C:\Documents and Settings\Administrator\Application Data\AdobeUM
2008-03-13 13:09:23 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-03-06 09:32:32 0 d-------- C:\Program Files\Common Files\L&H
2008-03-06 09:31:36 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-03-06 09:29:56 0 d-------- C:\Program Files\Common Files
2008-03-06 09:29:37 0 d-------- C:\Program Files\Microsoft Works
2008-03-01 16:39:58 0 d-------- C:\Program Files\Google
2008-03-01 16:39:57 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-01 16:37:55 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-01 16:34:47 0 d-------- C:\Program Files\AVG
2008-03-01 12:52:53 0 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-02-29 16:51:07 0 d-------- C:\Program Files\AdminMagic Service
2008-02-23 12:49:07 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2008-02-16 16:10:45 0 d-------- C:\Documents and Settings\Administrator\Application Data\NUnit
2008-02-16 15:18:03 0 d-------- C:\Program Files\NUnit 2.4.6
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [02/28/2006 05:30 PM]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^My Marketing Manager.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\My Marketing Manager.lnk
backup=C:\WINDOWS\pss\My Marketing Manager.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Pandion.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Pandion.lnk
backup=C:\WINDOWS\pss\Pandion.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus C45 Series]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB001" /M "Stylus C45"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX3700 Series]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACP.EXE /F "C:\WINDOWS\TEMP\E_SAB.tmp" /EF "HKLM"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX3700 Series on wian80 (from WIAN96)]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACP.EXE /F "C:\WINDOWS\TEMP\E_S7.tmp" /EF "HKLM"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX3700 Series on wian91 (from WIAN96)]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACP.EXE /F "C:\WINDOWS\TEMP\E_S32.tmp" /EF "HKLM"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
D:\Program Files\ICQLite\ICQLite.exe -minimize
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
C:\WINDOWS\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"D:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spark]
E:\Program Files\Spark\Spark.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
D:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
C:\PROGRA~1\SYMANT~1\VPTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"DefWatch"=2 (0x2)
"SavRoam"=2 (0x2)
"ose"=3 (0x3)
"MDM"=2 (0x2)
"Macromedia Licensing Service"=3 (0x3)
"TlntSvr"=3 (0x3)
"Spooler"=2 (0x2)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{13ee2923-68d6-11dc-9e45-00016ccdb3a6}]
AutoRun\command- H:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{16b60f7a-91b8-11dc-9e80-00016ccdb3a6}]
Auto\command- sal.xls.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sal.xls.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56740012-0474-11dd-9f1e-00016ccdb3a6}]
AutoRun\command- wscript.exe VirusRemoval.vbs
open\Command- wscript.exe VirusRemoval.vbs
-- End of Deckard's System Scanner: finished at 2008-04-16 10:29:44 ------------
Looking forward to your reply.
Mitesh
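Added example (not part of Mitesh's post, and not ComboFix or DSS code): the entries a removal helper reads first in the logs above are the mountpoints2 AutoRun commands left on removable drives (sal.xls.exe, wscript.exe VirusRemoval.vbs, a RunDLL32 ShellExec_RunDLL launcher), the Windows Firewall switched off for the standard profile, AntiVirusDisableNotify set in Security Center, and 3389/TCP globally open. The script below parses a ComboFix/DSS style registry dump into (key, value, data) triples and flags those patterns. The sample text is excerpted from the log in this post; the severity labels and the list of suspicious command patterns are my own choices, not anything the tools emit.

```python
"""Triage helper for ComboFix/DSS "Reg Loading Points" dumps.

Added example, not part of the original forum post or of ComboFix/DSS.
It parses the registry-dump block into (key, value, data) triples and flags:
  * mountpoints2 AutoRun/Auto/open commands on removable drives, especially
    double-extension executables (sal.xls.exe), script hosts (wscript.exe)
    and rundll32 ShellExec_RunDLL launchers,
  * Windows Firewall switched off for the standard profile,
  * Security Center's AntiVirusDisableNotify set,
  * globally open inbound ports (here 3389/TCP).
SAMPLE_LOG is excerpted from the log in the post; the severities and the
SUSPICIOUS_CMD patterns are assumptions made for this example.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 17:30 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{13ee2923-68d6-11dc-9e45-00016ccdb3a6}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{16b60f7a-91b8-11dc-9e80-00016ccdb3a6}]
\Shell\Auto\command - sal.xls.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sal.xls.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56740012-0474-11dd-9f1e-00016ccdb3a6}]
\Shell\AutoRun\command - wscript.exe VirusRemoval.vbs
\Shell\open\Command - wscript.exe VirusRemoval.vbs
"""

# "name"= data   (ComboFix and DSS both print registry values this way)
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
# \Shell\AutoRun\command - cmd   (ComboFix)   or   AutoRun\command- cmd   (DSS)
SHELL_RE = re.compile(r'^\\?(?:Shell\\)?(\w+)\\command\s*-\s*(.+)$', re.I)

# Command patterns that are almost never legitimate on a removable drive.
SUSPICIOUS_CMD = [
    (re.compile(r"\.(?:doc|xls|pdf|jpg|txt|mp3)\.(?:exe|scr|com|pif)\b", re.I),
     "double-extension executable"),
    (re.compile(r"\b[wc]script(?:\.exe)?\b", re.I), "script host launching a script"),
    (re.compile(r"ShellExec_RunDLL", re.I), "rundll32 ShellExec_RunDLL launcher"),
]


@dataclass
class Finding:
    severity: str
    key: str
    detail: str


def parse_reg_dump(text):
    """Yield (key, value_name, data) for every value under a [key] header."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if key is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            yield key, m.group(1), m.group(2).strip()
            continue
        m = SHELL_RE.match(line)
        if m:
            yield key, f"Shell\\{m.group(1)}\\command", m.group(2).strip()


def triage(text):
    """Return the findings a removal helper would act on, most severe first."""
    findings = []
    for key, name, data in parse_reg_dump(text):
        lkey = key.lower()
        if "mountpoints2" in lkey and name.lower().startswith("shell\\"):
            for rx, why in SUSPICIOUS_CMD:
                if rx.search(data):
                    findings.append(Finding("high", key, f"{name} = {data} ({why})"))
                    break
            else:  # autorun on a removable drive is worth listing even if benign
                findings.append(Finding("info", key, f"{name} = {data}"))
        elif lkey.endswith("firewallpolicy\\standardprofile") \
                and name == "EnableFirewall" and data.startswith("0"):
            findings.append(Finding("high", key, "Windows Firewall disabled for standard profile"))
        elif lkey.endswith("security center") \
                and name == "AntiVirusDisableNotify" and data.endswith("1"):
            findings.append(Finding("medium", key, "Security Center antivirus alerts suppressed"))
        elif "globallyopenports" in lkey:
            findings.append(Finding("medium", key, f"inbound port open to all: {name}"))
    order = {"high": 0, "medium": 1, "info": 2}
    return sorted(findings, key=lambda f: order[f.severity])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.detail}")
```

Run it as-is to see the eight findings from the excerpt; point `triage()` at the full ComboFix.txt or DSS Main.txt text to scan a whole log. Note that the mountpoints2 keys only record what Explorer last saw on those drives, so the flagged files live on the USB sticks, not necessarily on C:, and every stick that was plugged into this machine needs the same check.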