Deleted old installation of Vundo fix, and downloaded fresh via your link. Ran it in normal mode, then downloaded and installed WinPFind on desktop. Rebooted into Safe Mode and ran WinPFind.
Logs follow:
Logfile of HijackThis v1.99.1
Scan saved at 8:06:12 AM, on 10/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.comcast.net/home.htmlR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.comcast.net/home.htmlO2 - BHO: MSEvents Object - {8DBF02DA-4360-4A7E-BEA1-347B87816327} - C:\WINDOWS\system32\ddcca.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
http://acs.pandasoft...free/asinst.cabO20 - Winlogon Notify: ddcca - C:\WINDOWS\system32\ddcca.dll
O23 - Service: CWShredder Service - InterMute, Inc. - C:\Documents and Settings\Jean\Desktop\Virus stuff\CWShredder.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------
Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------
killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt
--------------------------------------------------------------------------------------
Filepaths entered
--------------------------------------------------------------------------------------
The filepath entered was C:\WINDOWS\system32\ddcca.dll
The second filepath entered was C:\WINDOWS\system32\accdd.*
--------------------------------------------------------------------------------------
Log from Process
--------------------------------------------------------------------------------------
Killing PID 444 'smss.exe'
Error 0x6 : The handle is invalid.
Killing PID 1216 'explorer.exe'
Killing PID 516 'winlogon.exe'
Error 0x6 : The handle is invalid.
--------------------------------------------------------------------------------------
Could not delete C:\WINDOWS\system32\ddcca.dll.
C:\WINDOWS\system32\accdd.* Deleted sucessfully.
Fixing Registry
--------------------------------------------------------------------------------------
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.
If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.
»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180
»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»
Checking %SystemDrive% folder...
Checking %ProgramFilesDir% folder...
UPX! 10/13/2005 11:01:46 AM 218112 C:\Program Files\HijackThis.exe
Checking %WinDir% folder...
PEC2 2/27/2003 3:53:18 AM 340480 C:\WINDOWS\DOTEST.EXE
PECompact2 6/7/2005 1:39:02 AM 15103997 C:\WINDOWS\LPT$VPN.671
qoologic 6/7/2005 1:39:02 AM 15103997 C:\WINDOWS\LPT$VPN.671
SAHAgent 6/7/2005 1:39:02 AM 15103997 C:\WINDOWS\LPT$VPN.671
PEC2 5/19/2001 6:08:44 PM 6656 C:\WINDOWS\pcboot.exe
PEC2 3/15/2003 11:46:14 PM 168448 C:\WINDOWS\realtime.exe
UPX! 6/7/2005 1:39:04 AM 170053 C:\WINDOWS\tsc.exe
PECompact2 6/7/2005 1:39:02 AM 15103997 C:\WINDOWS\VPTNFILE.671
qoologic 6/7/2005 1:39:02 AM 15103997 C:\WINDOWS\VPTNFILE.671
SAHAgent 6/7/2005 1:39:02 AM 15103997 C:\WINDOWS\VPTNFILE.671
UPX! 6/7/2005 1:39:02 AM 1044560 C:\WINDOWS\vsapi32.dll
aspack 6/7/2005 1:39:02 AM 1044560 C:\WINDOWS\vsapi32.dll
Checking %System% folder...
PEC2 8/23/2001 7:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech 7/12/2005 5:50:44 PM 520456 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
aspack 8/4/2004 12:56:38 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 12:56:46 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/23/2001 7:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
Checking %System%\Drivers folder and sub-folders...
PTech 8/3/2004 10:41:38 PM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys
Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts
Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
10/17/2005 7:40:08 AM S 2048 C:\WINDOWS\bootstat.dat
10/17/2005 7:36:10 AM HS 347194 C:\WINDOWS\system32\accdd.bak1
10/17/2005 7:45:32 AM HS 348084 C:\WINDOWS\system32\accdd.ini
10/4/2005 8:17:40 PM S 21737 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896688.cat
9/28/2005 11:53:30 AM S 17402 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB900725.cat
9/9/2005 7:15:08 PM S 11084 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB901017.cat
8/29/2005 9:25:44 PM S 11084 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB904706.cat
8/22/2005 1:48:28 PM S 11084 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB905414.cat
8/22/2005 9:03:36 PM S 11084 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB905749.cat
10/17/2005 7:40:02 AM H 8192 C:\WINDOWS\system32\config\default.LOG
10/17/2005 7:40:20 AM H 1024 C:\WINDOWS\system32\config\SAM.LOG
10/17/2005 7:40:08 AM H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
10/17/2005 7:41:50 AM H 1024 C:\WINDOWS\system32\config\software.LOG
10/17/2005 7:40:32 AM H 1024 C:\WINDOWS\system32\config\system.LOG
10/15/2005 6:37:50 AM H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
10/16/2005 7:32:16 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\1BT69E7T\desktop.ini
10/16/2005 7:32:16 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\5FSTFRC6\desktop.ini
10/16/2005 7:32:16 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ODMJG12V\desktop.ini
10/16/2005 7:32:16 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\PN4TPV2E\desktop.ini
Checking for CPL files...
Microsoft Corporation 8/4/2004 12:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
10/9/1998 4:01:00 PM 183808 C:\WINDOWS\SYSTEM32\bdeadmin.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
CANON INC. 7/21/1999 10:07:46 AM R 13824 C:\WINDOWS\SYSTEM32\FB63Ucpl.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems 1/18/2005 9:26:26 AM 53352 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/23/2001 7:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/23/2001 7:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
NVIDIA Corporation 6/15/2005 5:20:00 PM 73728 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation 8/23/2001 7:00:00 AM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
SiSoftware 1/29/2005 6:10:02 PM 53248 C:\WINDOWS\SYSTEM32\SanCpl.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/23/2001 7:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
NVIDIA Corporation 8/30/2002 2:06:00 AM R 118784 C:\WINDOWS\SYSTEM32\ReinstallBackups\0008\DriverFiles\nvtuicpl.cpl
NVIDIA Corporation 10/6/2003 3:16:00 PM 73728 C:\WINDOWS\SYSTEM32\ReinstallBackups\0011\DriverFiles\nvtuicpl.cpl
»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»
Checking files in %ALLUSERSPROFILE%\Startup folder...
6/19/2003 12:33:44 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
Checking files in %ALLUSERSPROFILE%\Application Data folder...
4/4/2002 6:04:12 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
Checking files in %USERPROFILE%\Startup folder...
6/19/2003 12:33:44 PM HS 84 C:\Documents and Settings\Jean\Start Menu\Programs\Startup\desktop.ini
Checking files in %USERPROFILE%\Application Data folder...
4/4/2002 6:04:12 AM HS 62 C:\Documents and Settings\Jean\Application Data\desktop.ini
»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mqmmtqyt
{058f3bc9-8905-4b8b-bc0b-f1cabf941662} =
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{B95057E0-44DB-11CE-A5D1-00608C83BD3F}
= shellwp.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\QuickFinderMenu
{C0E10002-0028-0002-C0E1-C0E1C0E1C0E1} = C:\PROGRA~1\Corel\WORDPE~1\programs\pfse90.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8DBF02DA-4360-4A7E-BEA1-347B87816327}
MSEvents Object = C:\WINDOWS\system32\ddcca.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Search Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = :
{4E7BD74F-2B8D-469E-8AA5-A930F887B531} = :
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\ExpandFrom
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\ExpandTo
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services
MCVSRte 2
mcupdmgr.exe 2
McShield 2
SandraTheSrv 3
SandraDataSrv 3
wuauserv 2
WmdmPmSN 3
Themes 3
NtLmSsp 3
helpsvc 2
Avg7UpdSvc 2
Avg7Alrt 2
NVSvc 3
ose 3
McTskshd.exe 2
McDetect.exe 2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SpySubtract.lnk
backup C:\WINDOWS\pss\SpySubtract.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\INTERM~1\SPYSUB~1\SpySub.exe -autostart
item SpySubtract
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AutoUpdater
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item AutoUpdate
hkey HKLM
command "C:\Program Files\AutoUpdate\AutoUpdate.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item AutoUpdate
hkey HKLM
command "C:\Program Files\AutoUpdate\AutoUpdate.exe"
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AVG7_CC
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item avgcc
hkey HKLM
command C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item avgcc
hkey HKLM
command C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AVG7_EMC
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item avgemc
hkey HKLM
command C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item avgemc
hkey HKLM
command C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\CleanUp
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mcappins
hkey HKLM
command C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mcappins
hkey HKLM
command C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\CTHelper
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item CTHELPER
hkey HKLM
command CTHELPER.EXE
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item CTHELPER
hkey HKLM
command CTHELPER.EXE
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Fgscskie
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item d?xplore
hkey HKCU
command C:\WINDOWS\system32\d?xplore.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item d?xplore
hkey HKCU
command C:\WINDOWS\system32\d?xplore.exe
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\FlaCPY
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item flacpy
hkey HKLM
command "C:\Program Files\Common Files\Java\flacpy.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item flacpy
hkey HKLM
command "C:\Program Files\Common Files\Java\flacpy.exe"
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\gcasServ
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item gcasServ
hkey HKLM
command "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item gcasServ
hkey HKLM
command "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\KernelFaultCheck
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item dumprep 0 -k
hkey HKLM
command %systemroot%\system32\dumprep 0 -k
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item dumprep 0 -k
hkey HKLM
command %systemroot%\system32\dumprep 0 -k
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MCAgentExe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item McAgent
hkey HKLM
command C:\PROGRA~1\McAfee.com\Agent\McAgent.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item McAgent
hkey HKLM
command C:\PROGRA~1\McAfee.com\Agent\McAgent.exe
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MCUpdateExe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mcupdate
hkey HKLM
command c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mcupdate
hkey HKLM
command c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Media Access
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item MediaAccK
hkey HKLM
command C:\Program Files\Media Access\MediaAccK.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item MediaAccK
hkey HKLM
command C:\Program Files\Media Access\MediaAccK.exe
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NeroFilterCheck
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NeroCheck
hkey HKLM
command C:\WINDOWS\system32\NeroCheck.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NeroCheck
hkey HKLM
command C:\WINDOWS\system32\NeroCheck.exe
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Net-It Launcher
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NILaunch
hkey HKLM
command C:\WINDOWS\System32\NILaunch.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NILaunch
hkey HKLM
command C:\WINDOWS\System32\NILaunch.exe
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NvCplDaemon
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NvCpl
hkey HKLM
command RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NvCpl
hkey HKLM
command RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NvMediaCenter
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NvMcTray
hkey HKLM
command RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NvMcTray
hkey HKLM
command RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\nwiz
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item nwiz
hkey HKLM
command nwiz.exe /install
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item nwiz
hkey HKLM
command nwiz.exe /install
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\OASClnt
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item oasclnt
hkey HKLM
command C:\Program Files\McAfee.com\VSO\oasclnt.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item oasclnt
hkey HKLM
command C:\Program Files\McAfee.com\VSO\oasclnt.exe
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PCDRealtime
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item realtime
hkey HKLM
command C:\WINDOWS\realtime.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item realtime
hkey HKLM
command C:\WINDOWS\realtime.exe
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PS1
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ps1
hkey HKLM
command C:\WINDOWS\system32\ps1.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ps1
hkey HKLM
command C:\WINDOWS\system32\ps1.exe
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\qfihdll
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qfihdll
hkey HKLM
command C:\WINDOWS\qfihdll.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qfihdll
hkey HKLM
command C:\WINDOWS\qfihdll.exe
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\qfihenc
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qfihenc
hkey HKLM
command C:\WINDOWS\qfihenc.EXE
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qfihenc
hkey HKLM
command C:\WINDOWS\qfihenc.EXE
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\regsync
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item regsync
hkey HKLM
command C:\WINDOWS\system32\regsync.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item regsync
hkey HKLM
command C:\WINDOWS\system32\regsync.exe
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\tsvcin
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item n20050308
hkey HKLM
command C:\WINDOWS\system32\n20050308.EXE
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item n20050308
hkey HKLM
command C:\WINDOWS\system32\n20050308.EXE
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\tvs_b
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item tvs_b
hkey HKLM
command C:\program files\tvs\tvs_b.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item tvs_b
hkey HKLM
command C:\program files\tvs\tvs_b.exe
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Uato
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mdei
hkey HKCU
command C:\Program Files\oeha\mdei.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mdei
hkey HKCU
command C:\Program Files\oeha\mdei.exe
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Ulubione
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item syschoj
hkey HKLM
command C:\WINDOWS\System32\syschoj.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item syschoj
hkey HKLM
command C:\WINDOWS\System32\syschoj.exe
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\VirusScan Online
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mcvsshld
hkey HKLM
command C:\Program Files\McAfee.com\VSO\mcvsshld.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mcvsshld
hkey HKLM
command C:\Program Files\McAfee.com\VSO\mcvsshld.exe
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\VSOCheckTask
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mcmnhdlr
hkey HKLM
command "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mcmnhdlr
hkey HKLM
command "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Z0u4RVJsR
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item advsrv32
hkey HKCU
command advsrv32.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item advsrv32
hkey HKCU
command advsrv32.exe
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 1
startup 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
mjbl.exe C:\WINDOWS\system\mjbl.exe
dpnclo C:\WINDOWS\system32\dpnclo.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ddcca
= C:\WINDOWS\system32\ddcca.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs
»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 10/17/2005 7:47:35 AM