Author Topic: Winsupdater.exe and my Hijackthis log, Please help  (Read 1994 times)

Offline xNicolaUKx

  • Newbie
  • *
  • Posts: 3
  • Karma: +0/-0
Winsupdater.exe and my Hijackthis log, Please help
« on: September 27, 2005, 04:41:58 AM »
I've had winsupdater.exe and worm 32.p2 for ages now and have tried to get rid of them but I can't. Here's my HiJack log, PLEASE someone help me...

Logfile of HijackThis v1.99.1
Scan saved at 10:36:43, on 27/09/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.msn.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: VTAgentReboot.exe
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.msn.co.uk
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {F229AB32-7BF9-4225-B78F-B4680AE6FC23} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: infowin - C:\WINDOWS\system\infowin.dll (file missing)
O20 - Winlogon Notify: playcab - C:\WINDOWS\Fonts\playcab.dll (file missing)
O20 - Winlogon Notify: web - C:\WINDOWS\system\web.dll (file missing)
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe


Thanks to anyone who replies, I appreciate it

Offline xNicolaUKx

  • Newbie
  • *
  • Posts: 3
  • Karma: +0/-0
Winsupdater.exe and my Hijackthis log, Please help
« Reply #1 on: September 29, 2005, 04:27:16 AM »
Bump! Someone please help..

Offline Cretemonster

  • Jr. Member
  • **
  • Posts: 88
  • Karma: +0/-0
Winsupdater.exe and my Hijackthis log, Please help
« Reply #2 on: September 29, 2005, 05:14:08 AM »
Hey xNicolaUKx,

Sorry for your wait but it appears you have leftovers of the Vundo infection!

Lets have a closer look!

Download WinPFind:
http://www.bleepingcomputer.com/files/winpfind.php

Right Click the Zip Folder and Select "Extract All"

Don't use it yet!

Restart in Safe Mode
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

From the WinPFind folder-> Double-click WinPFind.exe and Click "Start Scan"

It will scan the entire System, so please be patient!

Once you see "Scan Complete"-> a log (WinPFind.txt) will be automatically generated in the WinPFind folder!

Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

O20 - Winlogon Notify: infowin - C:\WINDOWS\system\infowin.dll (file missing)

O20 - Winlogon Notify: playcab - C:\WINDOWS\Fonts\playcab.dll (file missing)

O20 - Winlogon Notify: web - C:\WINDOWS\system\web.dll (file missing)

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!

Restart Normal and please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database: Extended (if available otherwise Standard)
    • Scan Options: Scan Archives, Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

I would also uninstall one of the antivirus programs you have; two can only cause problems!

Post back with a fresh HijackThis log and the results of WinPFind and Kaspersky's Scan!
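Added example, not code from this thread or from the HijackThis project: a small Python triage script that applies the same rule of thumb the reply above uses when picking entries to check. It flags log entries whose target is "(no file)" or "(file missing)" (orphaned registry references), IE R0/R1 settings whose value is blank, and marks O4/O20/O23-style autostart entries for manual review. The sample log lines are constructed from the entries quoted in this thread; the verdict names and the `PERSISTENCE_SECTIONS` set are assumptions of this example, not HijackThis terminology, and every flag is a candidate for a human to confirm, not an automatic fix.

```python
"""Triage helper for HijackThis v1.99.x log lines (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a handful of lines shaped like the HijackThis log posted
# in this thread (paths and CLSIDs copied from the quoted log).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.msn.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: infowin - C:\WINDOWS\system\infowin.dll (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

# A HijackThis entry is "<section> - <body>", e.g. "O20 - Winlogon Notify: ...".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")

# Sections that register code to run at boot/logon (assumed grouping for this
# example): Run keys, Winlogon Notify, ShellServiceObjectDelayLoad, scheduled
# tasks, services.  Worth a second look even when the file exists.
PERSISTENCE_SECTIONS = {"O4", "O20", "O21", "O22", "O23"}


@dataclass
class Finding:
    section: str
    body: str
    verdict: str   # "orphan", "blank", "persistence" or "info"
    reason: str


def classify(line: str) -> Optional[Finding]:
    """Classify one log line; returns None for non-entry lines (header, process list)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body").rstrip()
    if body.endswith("(no file)") or body.endswith("(file missing)"):
        return Finding(section, body, "orphan",
                       "registry still points at a file that is gone; a leftover "
                       "of a removed component, so clearing the reference is harmless")
    if section.startswith("R") and body.endswith("="):
        return Finding(section, body, "blank",
                       "IE setting is present but empty; fixing it restores a default")
    if section in PERSISTENCE_SECTIONS:
        return Finding(section, body, "persistence",
                       "runs at boot/logon; confirm the binary and its publisher are known")
    return Finding(section, body, "info", "no automatic flag")


def triage(log_text: str) -> List[Finding]:
    """Classify every entry line in a HijackThis log, preserving order."""
    findings = []
    for line in log_text.splitlines():
        f = classify(line)
        if f is not None:
            findings.append(f)
    return findings


def lines_to_check(log_text: str) -> List[str]:
    """The entries an analyst would put a check beside first: orphans and blanks."""
    return [f"{f.section} - {f.body}" for f in triage(log_text)
            if f.verdict in ("orphan", "blank")]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.verdict:11}] {f.section} - {f.body}  ({f.reason})")
```

Run stand-alone it prints one verdict per entry; `lines_to_check()` returns just the orphan and blank entries, which is the subset the reply above selected. Note the heuristic also picks up the O18 msnim handler with a missing DLL, which is the kind of entry a helper may choose to leave alone: the script narrows the list, the person reading it decides.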

Offline xNicolaUKx

  • Newbie
  • *
  • Posts: 3
  • Karma: +0/-0
Winsupdater.exe and my Hijackthis log, Please help
« Reply #3 on: September 30, 2005, 06:28:16 AM »
Cretemonster, thank you so much for your help.

Here are the results of the scans:

WinPFIND:

          WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

          If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

          »»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
          Product Name: Microsoft Windows XP    Current Build: Service Pack 2    Current Build Number: 2600
          Internet Explorer Version: 6.0.2900.2180

          »»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

          Checking %SystemDrive% folder...

          Checking %ProgramFilesDir% folder...

          Checking %WinDir% folder...

          Checking %System% folder...
          PEC2                 04/08/2004 13:00:00         41397      C:\WINDOWS\SYSTEM32\dfrg.msc
          PECompact2           09/09/2005 04:08:28         1997664    C:\WINDOWS\SYSTEM32\MRT.exe
          aspack               09/09/2005 04:08:28         1997664    C:\WINDOWS\SYSTEM32\MRT.exe
          aspack               04/08/2004 13:00:00         708096     C:\WINDOWS\SYSTEM32\ntdll.dll
          Umonitor             04/08/2004 13:00:00         657920     C:\WINDOWS\SYSTEM32\rasdlg.dll
          winsync              04/08/2004 13:00:00         1309184    C:\WINDOWS\SYSTEM32\wbdbase.deu

          Checking %System%\Drivers folder and sub-folders...
          PTech                12/04/2004 01:35:22         1301080    C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

          Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts
          127.0.0.1   abetterinternet.com
          127.0.0.1   www.abetterinternet.com
          127.0.0.1   belt.abetterinternet.com
          127.0.0.1   www.belt.abetterinternet.com
          127.0.0.1   c.abetterinternet.com
          127.0.0.1   www.c.abetterinternet.com
          127.0.0.1   download.abetterinternet.com
          127.0.0.1   www.download.abetterinternet.com
          127.0.0.1   download2.abetterinternet.com
          127.0.0.1   www.download2.abetterinternet.com
          127.0.0.1   s.abetterinternet.com
          127.0.0.1   www.s.abetterinternet.com
          127.0.0.1   thinstall.abetterinternet.com
          127.0.0.1   www.thinstall.abetterinternet.com
          127.0.0.1   www.abetterinternet.com
          127.0.0.1   abetterinternet.com


          Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
                               30/09/2005 11:16:46       S 2048       C:\WINDOWS\bootstat.dat
                               23/09/2005 10:13:44      H  54156      C:\WINDOWS\QTFont.qfn
                               30/09/2005 11:16:38      H  8192       C:\WINDOWS\system32\config\default.LOG
                               30/09/2005 11:17:02      H  1024       C:\WINDOWS\system32\config\SAM.LOG
                               30/09/2005 11:16:48      H  16384      C:\WINDOWS\system32\config\SECURITY.LOG
                               30/09/2005 11:17:02      H  65536      C:\WINDOWS\system32\config\software.LOG
                               30/09/2005 11:16:46      H  1011712    C:\WINDOWS\system32\config\system.LOG
                               14/09/2005 11:23:22      H  1024       C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
                               30/09/2005 11:15:46      H  6          C:\WINDOWS\Tasks\SA.DAT

          Checking for CPL files...
          Microsoft Corporation          04/08/2004 13:00:00         68608      C:\WINDOWS\SYSTEM32\access.cpl
          Realtek Semiconductor Corp.    05/05/2004 10:05:08         309760     C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
          Microsoft Corporation          04/08/2004 13:00:00         549888     C:\WINDOWS\SYSTEM32\appwiz.cpl
          Broadcom Corporation.          10/12/2004 11:29:00         266299     C:\WINDOWS\SYSTEM32\btcpl.cpl
          Microsoft Corporation          04/08/2004 13:00:00         110592     C:\WINDOWS\SYSTEM32\bthprops.cpl
          Microsoft Corporation          04/08/2004 13:00:00         135168     C:\WINDOWS\SYSTEM32\desk.cpl
          Microsoft Corporation          04/08/2004 13:00:00         80384      C:\WINDOWS\SYSTEM32\firewall.cpl
          Microsoft Corporation          04/08/2004 13:00:00         155136     C:\WINDOWS\SYSTEM32\hdwwiz.cpl
          Intel Corporation              07/06/2004 02:43:28         94208      C:\WINDOWS\SYSTEM32\igfxcpl.cpl
          Microsoft Corporation          04/08/2004 13:00:00         358400     C:\WINDOWS\SYSTEM32\inetcpl.cpl
          Microsoft Corporation          04/08/2004 13:00:00         129536     C:\WINDOWS\SYSTEM32\intl.cpl
          Microsoft Corporation          04/08/2004 13:00:00         380416     C:\WINDOWS\SYSTEM32\irprops.cpl
          Microsoft Corporation          04/08/2004 13:00:00         68608      C:\WINDOWS\SYSTEM32\joy.cpl
          Sun Microsystems               02/09/2004 04:03:56         53352      C:\WINDOWS\SYSTEM32\jpicpl32.cpl
          Microsoft Corporation          04/08/2004 13:00:00         187904     C:\WINDOWS\SYSTEM32\main.cpl
          Microsoft Corporation          04/08/2004 13:00:00         618496     C:\WINDOWS\SYSTEM32\mmsys.cpl
          Microsoft Corporation          04/08/2004 13:00:00         35840      C:\WINDOWS\SYSTEM32\ncpa.cpl
          Ahead Software AG              09/10/2002 19:36:12         57344      C:\WINDOWS\SYSTEM32\NeroBurnRights.cpl
          Microsoft Corporation          04/08/2004 13:00:00         25600      C:\WINDOWS\SYSTEM32\netsetup.cpl
          Microsoft Corporation          04/08/2004 13:00:00         257024     C:\WINDOWS\SYSTEM32\nusrmgr.cpl
          Microsoft Corporation          04/08/2004 13:00:00         32768      C:\WINDOWS\SYSTEM32\odbccp32.cpl
          Microsoft Corporation          04/08/2004 13:00:00         114688     C:\WINDOWS\SYSTEM32\powercfg.cpl
          RealNetworks, Inc.             02/09/2004 03:57:20         24576      C:\WINDOWS\SYSTEM32\prefscpl.cpl
          Apple Computer, Inc.           06/01/2004 23:02:36         323072     C:\WINDOWS\SYSTEM32\QuickTime.cpl
                                         29/03/2004 00:42:52         454656     C:\WINDOWS\SYSTEM32\slcpappl.cpl
          Microsoft Corporation          04/08/2004 13:00:00         298496     C:\WINDOWS\SYSTEM32\sysdm.cpl
          Microsoft Corporation          04/08/2004 13:00:00         28160      C:\WINDOWS\SYSTEM32\telephon.cpl
          Microsoft Corporation          04/08/2004 13:00:00         94208      C:\WINDOWS\SYSTEM32\timedate.cpl
          Microsoft Corporation          04/08/2004 13:00:00         148480     C:\WINDOWS\SYSTEM32\wscui.cpl
          Microsoft Corporation          26/05/2005 04:16:30         174360     C:\WINDOWS\SYSTEM32\wuaucpl.cpl
          Microsoft Corporation          26/05/2005 04:16:30         174360     C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

          »»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

          Checking files in %ALLUSERSPROFILE%\Startup folder...
                               02/09/2004 03:43:16      HS 84         C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
                               07/10/2001 20:11:30     R   143360     C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VTAgentReboot.exe

          Checking files in %ALLUSERSPROFILE%\Application Data folder...
                               02/09/2004 04:35:56      HS 62         C:\Documents and Settings\All Users\Application Data\desktop.ini

          Checking files in %USERPROFILE%\Startup folder...
                               02/09/2004 03:43:16      HS 84         C:\Documents and Settings\Nicola!\Start Menu\Programs\Startup\desktop.ini

          Checking files in %USERPROFILE%\Application Data folder...
                               02/09/2004 04:35:56      HS 62         C:\Documents and Settings\Nicola!\Application Data\desktop.ini

          »»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
             SV1    =

          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
                 =

          [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

          [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
          HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AntiVir/Win
             {a7cda720-84ee-11d0-b5c0-00001b3ca278}    = C:\Program Files\AVPersonal\AVShlExt.DLL
          HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
             {750fdf0e-2a26-11d1-a3ea-080036587f03}    = %SystemRoot%\System32\cscui.dll
          HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
             {09799AFB-AD67-11d1-ABCD-00C04FC30936}    = %SystemRoot%\system32\SHELL32.dll
          HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
             {A470F8CF-A1E8-4f65-8335-227475AA5C46}    = %SystemRoot%\system32\SHELL32.dll
          HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
             Start Menu Pin    = %SystemRoot%\system32\SHELL32.dll

          [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
          HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AntiVir/Win
             {a7cda720-84ee-11d0-b5c0-00001b3ca278}    = C:\Program Files\AVPersonal\AVShlExt.DLL

          [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
          HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
             {A470F8CF-A1E8-4f65-8335-227475AA5C46}    = %SystemRoot%\system32\SHELL32.dll
          HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
             {750fdf0e-2a26-11d1-a3ea-080036587f03}    = %SystemRoot%\System32\cscui.dll
          HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
             {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}    = ntshrui.dll

          [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
          HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
              = %SystemRoot%\system32\SHELL32.dll
          HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
              = %SystemRoot%\system32\SHELL32.dll
          HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
              = %SystemRoot%\system32\SHELL32.dll
          HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
              = %SystemRoot%\system32\SHELL32.dll

          [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
          HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
             AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
          HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}
              =
          HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}
             PCTools Site Guard = C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
          HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B56A7D7D-6927-48C8-A975-17DF180C71AC}
             PCTools Browser Monitor = C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
          HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}
              =

          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
             &Tip of the Day = %SystemRoot%\system32\shdocvw.dll
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
             Real.com = C:\WINDOWS\system32\Shdocvw.dll

          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
             MenuText    = Sun Java Console   :
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2D663D1A-8670-49D9-A1A5-4C56B4E14E84}
             ButtonText    = Spyware Doctor   :
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
             ButtonText    = AIM   : C:\Program Files\AIM\aim.exe
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CCA281CA-C863-46ef-9331-5C8D4460577F}
             ButtonText    = @btrez.dll,-4015   :
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
             ButtonText    = Real.com   :
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
             ButtonText    = Messenger   : C:\Program Files\Messenger\msmsgs.exe

          [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
          HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
             Favorites Band = %SystemRoot%\system32\shdocvw.dll
          HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
             History Band = %SystemRoot%\system32\shdocvw.dll

          [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
          HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
             {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : %SystemRoot%\system32\browseui.dll
          HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
             {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : %SystemRoot%\system32\browseui.dll
             {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links   : %SystemRoot%\system32\SHELL32.dll
             {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} =    :

          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
             QuickTime Task   "C:\Program Files\QuickTime\qttask.exe" -atboottime
             AVGCtrl   "C:\Program Files\AVPersonal\AVGNT.EXE" /min
             BluetoothAuthenticationAgent   rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
             gcasServ   "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
             MSConfig   C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

          [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
             AIM   C:\Program Files\AIM\aim.exe -cnetwait.odl
             MSMSGS   "C:\Program Files\Messenger\msmsgs.exe" /background

          [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

          [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

          [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

          [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

          [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk
             path   C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
             backup   C:\WINDOWS\pss\BigFix.lnkCommon Startup
             location   Common Startup
             command   C:\PROGRA~1\BigFix\BigFix.exe  /atstartup
             item   BigFix
             path   C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
             backup   C:\WINDOWS\pss\BigFix.lnkCommon Startup
             location   Common Startup
             command   C:\PROGRA~1\BigFix\BigFix.exe  /atstartup
             item   BigFix

          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VTAgentReboot.exe
             path   C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VTAgentReboot.exe
             backup   C:\WINDOWS\pss\VTAgentReboot.exeCommon Startup
             location   Common Startup
             command   C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VTAgentReboot.exe
             item   VTAgentReboot
             path   C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VTAgentReboot.exe
             backup   C:\WINDOWS\pss\VTAgentReboot.exeCommon Startup
             location   Common Startup
             command   C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VTAgentReboot.exe
             item   VTAgentReboot

          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg
             key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
             item   winlog
             hkey   HKLM
             command   winlog.exe
             inimapping   0


          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Admanager Controller
             key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
             item   AdManCtl
             hkey   HKLM
             command   C:\Program Files\Admanager Controller\AdManCtl.exe
             inimapping   0
             key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
             item   AdManCtl
             hkey   HKLM
             command   C:\Program Files\Admanager Controller\AdManCtl.exe
             inimapping   0

          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AIM
             key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
             item   aim
             hkey   HKCU
             command   C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
             inimapping   0
             key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
             item   aim
             hkey   HKCU
             command   C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
             inimapping   0

          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AlcWzrd
             key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
             item   ALCWZRD
             hkey   HKLM
             command   ALCWZRD.EXE
             inimapping   0
             key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
             item   ALCWZRD
             hkey   HKLM
             command   ALCWZRD.EXE
             inimapping   0

          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AVG7_CC
             key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
             item   avgcc
             hkey   HKLM
             command   C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
             inimapping   0
             key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
             item   avgcc
             hkey   HKLM
             command   C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
             inimapping   0

          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AVG7_EMC
             key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
             item   avgemc
             hkey   HKLM
             command   C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
             inimapping   0
             key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
             item   avgemc
             hkey   HKLM
             command   C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
             inimapping   0

          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AVGCtrl
             key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
             item   AVGNT
             hkey   HKLM
             command   C:\Program Files\AVPersonal\AVGNT.EXE /min
             inimapping   0
             key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
             item   AVGNT
             hkey   HKLM
             command   C:\Program Files\AVPersonal\AVGNT.EXE /min
             inimapping   0

          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\BJCFD
             key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
             item   CFD
             hkey   HKLM
             command   C:\Program Files\BroadJump\Client Foundation\CFD.exe
             inimapping   0
             key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
             item   CFD
             hkey   HKLM
             command   C:\Program Files\BroadJump\Client Foundation\CFD.exe
             inimapping   0

          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\CHotkey
             key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
             item   zHotkey
             hkey   HKLM
             command   zHotkey.exe
             inimapping   0
             key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
             item   zHotkey
             hkey   HKLM
             command   zHotkey.exe
             inimapping   0

          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\High Definition Audio Property Page Shortcut
             key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
             item   HDAudPropShortcut
             hkey   HKLM
             command   HDAudPropShortcut.exe
             inimapping   0
             key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
             item   HDAudPropShortcut
             hkey   HKLM
             command   HDAudPropShortcut.exe
             inimapping   0

          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\IgfxTray
             key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
             item   igfxtray
             hkey   HKLM
             command   C:\WINDOWS\system32\igfxtray.exe
             inimapping   0
             key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
             item   igfxtray
             hkey   HKLM
             command   C:\WINDOWS\system32\igfxtray.exe
             inimapping   0

          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Lexmark X1100 Series
             key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
             item   lxbkbmgr
             hkey   HKLM
             command   "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
             inimapping   0
             key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
             item   lxbkbmgr
             hkey   HKLM
             command   "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
             inimapping   0

          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\LVCOMS
             key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
             item   LVCOMS
             hkey   HKLM
             command   C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
             inimapping   0
             key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
             item   LVCOMS
             hkey   HKLM
             command   C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
             inimapping   0

          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MessengerPlus3
             key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
             item   " /WinStart
             hkey   HKCU
             command   "\" /WinStart
             inimapping   0
             key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
             item   " /WinStart
             hkey   HKCU
             command   "\" /WinStart
             inimapping   0

          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSMSGS
             key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
             item   msmsgs
             hkey   HKCU
             command   "C:\Program Files\Messenger\msmsgs.exe" /background
             inimapping   0
             key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
             item   msmsgs
             hkey   HKCU
             command   "C:\Program Files\Messenger\msmsgs.exe" /background
             inimapping   0

          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NeroFilterCheck
             key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
             item   NeroCheck
             hkey   HKLM
             command   C:\WINDOWS\system32\NeroCheck.exe
             inimapping   0
             key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
             item   NeroCheck
             hkey   HKLM
             command   C:\WINDOWS\system32\NeroCheck.exe
             inimapping   0

          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
             key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
             item   qttask
             hkey   HKLM
             command   "C:\Program Files\QuickTime\qttask.exe" -atboottime
             inimapping   0
             key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
             item   qttask
             hkey   HKLM
             command   "C:\Program Files\QuickTime\qttask.exe" -atboottime
             inimapping   0

          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\REGSHAVE
             key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
             item   REGSHAVE
             hkey   HKLM
             command   C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
             inimapping   0
             key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
             item   REGSHAVE
             hkey   HKLM
             command   C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
             inimapping   0

          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RemoteControl
             key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
             item   PDVDServ
             hkey   HKLM
             command   "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
             inimapping   0
             key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
             item   PDVDServ
             hkey   HKLM
             command   "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
             inimapping   0

          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ShowWnd
             key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
             item   ShowWnd
             hkey   HKLM
             command   ShowWnd.exe
             inimapping   0
             key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
             item   ShowWnd
             hkey   HKLM
             command   ShowWnd.exe
             inimapping   0

          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SNPT513
             key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
             item   vsnpt513
             hkey   HKLM
             command   C:\WINDOWS\vsnpt513.exe
             inimapping   0
             key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
             item   vsnpt513
             hkey   HKLM
             command   C:\WINDOWS\vsnpt513.exe
             inimapping   0

          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SoundMan
             key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
             item   SOUNDMAN
             hkey   HKLM
             command   SOUNDMAN.EXE
             inimapping   0
             key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
             item   SOUNDMAN
             hkey   HKLM
             command   SOUNDMAN.EXE
             inimapping   0

          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SpySweeper
             key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
             item   SpySweeper
             hkey   HKCU
             command   "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
             inimapping   0
             key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
             item   SpySweeper
             hkey   HKCU
             command   "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
             inimapping   0

          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SunKistEM
             key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
             item   shwiconem
             hkey   HKLM
             command   C:\Program Files\Digital Media Reader\shwiconem.exe
             inimapping   0
             key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
             item   shwiconem
             hkey   HKLM
             command   C:\Program Files\Digital Media Reader\shwiconem.exe
             inimapping   0

          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Symantec NetDriver Monitor
             key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
             item   SNDMon
             hkey   HKLM
             command   C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
             inimapping   0
             key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
             item   SNDMon
             hkey   HKLM
             command   C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
             inimapping   0

          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\winsupdater
             key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
             item   winsupdater
             hkey   HKLM
             command   C:\Program Files\winsupdater\winsupdater.exe /auto
             inimapping   0
             key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
             item   winsupdater
             hkey   HKLM
             command   C:\Program Files\winsupdater\winsupdater.exe /auto
             inimapping   0

          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
             system.ini   0
             win.ini   0
             bootini   2
             services   0
             startup   2


          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
             {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
             {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
             {0DF44EAA-FF21-4412-828E-260A8728E7F1} =


          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
             dontdisplaylastusername   0
             legalnoticecaption   
             legalnoticetext   
             shutdownwithoutlogon   1
             undockwithoutlogon   1


          [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

          HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
             NoDriveTypeAutoRun   145


          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
             PostBootReminder                  {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
             CDBurn                            {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
             WebCheck                          {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
             SysTray                           {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll

          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
             UserInit   = C:\WINDOWS\system32\userinit.exe,
             Shell      = Explorer.exe
             System      =

          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
              = crypt32.dll

          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
              = cryptnet.dll

          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
              = cscdll.dll

          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
              = igfxsrvc.dll

          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\infowin
              = C:\WINDOWS\system\infowin.dll

          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\playcab
              = C:\WINDOWS\Fonts\playcab.dll

          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
              = wlnotify.dll

          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
              = wlnotify.dll

          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
              = sclgntfy.dll

          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
              = WlNotify.dll

          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
              = wlnotify.dll

          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\web
              = C:\WINDOWS\system\web.dll

          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
              = wlnotify.dll

          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
             Debugger = ntsd -d

          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
             AppInit_DLLs   


          »»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
          WinPFind v1.4.1   - Log file written to "WinPFind.Txt" in the WinPFind folder.
          Scan completed on 30/09/2005 11:23:27



          Kaspersky Webscanner Results:

          -------------------------------------------------------------------------------
           KASPERSKY ON-LINE SCANNER REPORT
           Friday, September 30, 2005 12:21:46
           Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
           Kaspersky On-line Scanner version: 5.0.67.0
           Kaspersky Anti-Virus database last update: 30/09/2005
           Kaspersky Anti-Virus database records: 151817
          -------------------------------------------------------------------------------

          Scan Settings:
             Scan using the following antivirus database: extended
             Scan Archives: true
             Scan Mail Bases: true

          Scan Target - My Computer:
             C:\
             D:\
             E:\
             F:\
             G:\
             H:\

          Scan Statistics:
             Total number of scanned objects: 82333
             Number of viruses found: 5
             Number of infected objects: 8
             Number of suspicious objects: 0
             Duration of the scan process: 2577 sec

          Infected Object Name - Virus Name
          C:\Documents and Settings\Laura!\Local Settings\Temp\res201.tmp   Infected: not-a-virus:AdWare.Win32.180Solutions.g
          C:\Program Files\Microsoft AntiSpyware\Quarantine\58B3FC3E-6BA3-4F32-81AF-66D7F0\1A4C318A-2CEC-4425-B093-908354   Infected: not-a-virus:AdWare.Win32.180Solutions
          C:\Program Files\Microsoft AntiSpyware\Quarantine\5AE587B6-249E-4A6D-8736-5F8B7B\BECC2ECC-6C01-4F1F-A0F0-5FCEC1   Infected: not-a-virus:AdWare.Win32.180Solutions.e
          C:\Program Files\winsupdater\a.tmp   Infected: Worm.Win32.VB.an
          C:\Program Files\winsupdater\a.zip/Setup.exe   Infected: Worm.Win32.VB.an
          C:\Program Files\winsupdater\a.zip   Infected: Worm.Win32.VB.an
          C:\Program Files\winsupdater\winsupdater.exe   Infected: Worm.Win32.VB.an
          C:\WINDOWS\system32\drivers\etc\hosts   Infected: Trojan.Win32.Qhost.r

          Scan process completed.



          Fresh Hijackthis Log:


          Logfile of HijackThis v1.99.1
          Scan saved at 12:22:13, on 30/09/2005
          Platform: Windows XP SP2 (WinNT 5.01.2600)
          MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

          Running processes:
          C:\WINDOWS\System32\smss.exe
          C:\WINDOWS\system32\winlogon.exe
          C:\WINDOWS\system32\services.exe
          C:\WINDOWS\system32\lsass.exe
          C:\WINDOWS\system32\svchost.exe
          C:\WINDOWS\System32\svchost.exe
          C:\WINDOWS\system32\LEXBCES.EXE
          C:\WINDOWS\system32\LEXPPS.EXE
          C:\WINDOWS\system32\spoolsv.exe
          C:\WINDOWS\Explorer.EXE
          C:\Program Files\QuickTime\qttask.exe
          C:\Program Files\AVPersonal\AVGNT.EXE
          C:\WINDOWS\system32\rundll32.exe
          C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
          C:\Program Files\AVPersonal\AVGUARD.EXE
          C:\Program Files\Messenger\msmsgs.exe
          C:\Program Files\AVPersonal\AVWUPSRV.EXE
          C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
          C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
          C:\WINDOWS\system32\slserv.exe
          C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
          C:\WINDOWS\system32\svchost.exe
          C:\Program Files\Internet Explorer\iexplore.exe
          C:\DOCUME~1\Nicola!\LOCALS~1\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

          R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.msn.co.uk/
          O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
          O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
          O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
          O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
          O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
          O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
          O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
          O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
          O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
          O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
          O4 - Global Startup: VTAgentReboot.exe
          O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
          O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
          O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
          O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
          O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
          O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
          O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
          O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
          O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
          O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
          O14 - IERESET.INF: START_PAGE_URL=http://www.msn.co.uk
          O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
          O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
          O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
          O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
          O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
          O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
          O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
          O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
          O16 - DPF: {F229AB32-7BF9-4225-B78F-B4680AE6FC23} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
          O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
          O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
          O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
          O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
          O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
          O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
          O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
          O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe
          O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe


          Thanks again!

          Offline Cretemonster

          • Jr. Member
          • Posts: 88
          • Karma: +0/-0
          Winsupdater.exe and my Hijackthis log, Please help
          « Reply #4 on: September 30, 2005, 12:12:20 PM »
          Let's get rid of some trash!

          Download and Install
          CleanUp!
          Don't use it yet!

          Restart in Safe Mode and Configure Windows to Show Hidden Files
          http://www.bleepingcomputer.com/tutorials/...al62.html#winxp

          Locate and Delete if found

          C:\WINDOWS\SYSTEM32\winlog.exe <- File

          C:\Program Files\Admanager Controller <- Folder

          C:\Program Files\winsupdater <- Folder


          Now run the Cleanup! program and allow it to clean out all the temp files it finds. When it prompts you to Log Off, click NO!


          Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!

          Under the "General" Tab
          Make Sure Normal Startup is Checked!!

          Click Apply>>Close>>Follow the Prompts to Restart!!

          Restart Normal and have the PC Scanned here:
          Panda Active Scan

          Save the Report it generates!


          Download the Hoster from here:
          http://www.funkytoad.com/download/hoster.zip

          Press "Restore Original Hosts" and press "OK"!

          Exit Program!


          Post back with a fresh HijackThis log and the report from Panda!
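The Kaspersky report above flagged C:\WINDOWS\system32\drivers\etc\hosts as Trojan.Win32.Qhost.r, which is why the reply ends with a "Restore Original Hosts" step. The audit below is an added example (not the poster's file and not Hoster's code) showing what such a check looks like: it parses a constructed hosts file with Qhost-style entries, separates "blocked" mappings (names pointed at loopback, typically to stop AV and update sites resolving) from "redirect" mappings (names pointed at some other address), and shows the loopback-only content a restore writes back. The domains and the 192.0.2.10 address in the sample are illustrative only.

```python
import ipaddress

# Constructed sample in the style of a Qhost-type hijack: the stock Microsoft
# header and loopback line, followed by entries no clean hosts file carries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
127.0.0.1       www.kaspersky.com   kaspersky.com
127.0.0.1       windowsupdate.microsoft.com
192.0.2.10      www.msn.co.uk        # constructed: documentation address, not a real host
::1             localhost
"""

# The only mappings Windows ships with (::1 included so newer defaults are not flagged).
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_hosts(text):
    """Return (ip, hostname, line_no) for every mapping in a hosts file.

    Comments (# ...) and blank lines are ignored; one line may list several
    hostnames for the same address; lines whose first field is not an IP
    address are skipped rather than raising.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed: address with no hostname
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # not an address field
        for name in fields[1:]:
            entries.append((ip, name.lower(), line_no))
    return entries


def audit_hosts(text):
    """Classify every non-default mapping.

    'blocked'  - name mapped to a loopback address (resolution silently fails,
                 the usual way AV/update sites are cut off)
    'redirect' - name mapped to any other address (traffic can be hijacked)
    """
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if (ip, name) in DEFAULT_ENTRIES:
            continue
        kind = "blocked" if ipaddress.ip_address(ip).is_loopback else "redirect"
        findings.append({"line": line_no, "ip": ip, "host": name, "kind": kind})
    return findings


def restored_hosts():
    """Loopback-only content equivalent to an untouched Windows XP hosts file;
    this is what a 'Restore Original Hosts' step writes back."""
    return "127.0.0.1       localhost\n"


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']:>2}: {f['kind']:<8} {f['host']} -> {f['ip']}")
```

On a live machine the text to audit is read from %SystemRoot%\system32\drivers\etc\hosts; any finding other than entries you added yourself is a reason to restore the default file.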