Options

No desktop shows when restart

Unknown
edited June 2006 in Spyware & Virus Removal
hi, my friend's pc got infected by some trojan/virus which disables desktop when restart. After i end the explorer process and use run command in win task manager to run explorer again, the desktop will show again, anyone has a solution to it?

Logfile of HijackThis v1.99.1
Scan saved at 8:01:35 AM, on 5/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ACS.exe
C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\jacky\Desktop\HijackThis.exe

R3 - URLSearchHook: SrchHook Class - {EED92A43-CFCE-4548-BD73-B0A405470ED5} - C:\PROGRA~1\CNNIC\Cdn\iesrch.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: MonitorURL Class - {08A312BB-5409-49FC-9347-54BB7D069AC6} - C:\PROGRA~1\DESKAD~1\deskipn.dll (file missing)
O2 - BHO: MyIEHelper Class - {16A770A0-0E87-4278-B748-2460D64A8386} - C:\Documents and Settings\All Users\Application Data\Microsoft\IEHelper\IEHelper_4528.dll
O2 - BHO: IE Browser Helper - {3CE496D1-1746-41CD-9489-3C0B93DF10E2} - C:\WINDOWS\Downlo~1\m6x1jo.dll
O2 - BHO: QQIEHelper - {54EBD53A-9BC1-480B-966A-843A333CA162} - C:\Program Files\Tencent\QQ\QQIEHelper.dll (file missing)
O2 - BHO: í????ó?ù - {5673A7C0-95CC-4646-BB07-3BD71234CEF9} - C:\WINDOWS\system32\MicrosoftNet.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: QuickBtn - {D1BB7CF4-4463-4e91-88D7-ECC3CE0A13B7} - C:\Program Files\CoolWebsite\QuickLink.dll (file missing)
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O8 - Extra context menu item: >> 彩信发送 << - res://C:\Program Files\MMSAssist\Mmsass~1.dll/mms.htm
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 上?到QQ网?硬? - C:\Program Files\Tencent\QQ\AddToNetDisk.htm
O8 - Extra context menu item: 上传到QQ网络硬盘 - C:\Program Files\Tencent\QQ\AddToNetDisk.htm
O8 - Extra context menu item: 使用影音传送带下载 - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: 使用影音传送带下载全部链接 - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: 添加到QQ自定?面板 - C:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ自定义面板 - C:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信?送??片 - C:\Program Files\Tencent\QQ\SendMMS.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - C:\Program Files\Tencent\QQ\SendMMS.htm
O8 - Extra context menu item: 用炫彩图铃发送该图片 - C:\Program Files\CaiShow Tech\CaiShow\SendMMS.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: êμó?í??·μ?o? - {1D901067-2529-4A9B-9B6B-7A1DB3A44CB5} - C:\Program Files\CoolWebsite\QuickLink.dll (file missing)
O9 - Extra button: D?à?UC - {2253922F-1B26-4C74-8B57-E3AEE748DBB8} - C:\Program Files\sina\UC\uc.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE
O9 - Extra 'Tools' menuitem: ìú??QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsu****a Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Comments

  • Shaba
    edited May 2006
    Hi crazyeagle.

    Several bad guys there

    Move HjT into own folder -> C:\hjt

    Fix with HjT (do a system scan only, checkmark these and press fix checked):


    R3 - URLSearchHook: SrchHook Class - {EED92A43-CFCE-4548-BD73-B0A405470ED5} - C:\PROGRA~1\CNNIC\Cdn\iesrch.dllO2 - BHO: MonitorURL Class - {08A312BB-5409-49FC-9347-54BB7D069AC6} - C:\PROGRA~1\DESKAD~1\deskipn.dll (file missing)
    O2 - BHO: MyIEHelper Class - {16A770A0-0E87-4278-B748-2460D64A8386} - C:\Documents and Settings\All Users\Application Data\Microsoft\IEHelper\IEHelper_4528.dll
    O2 - BHO: IE Browser Helper - {3CE496D1-1746-41CD-9489-3C0B93DF10E2} - C:\WINDOWS\Downlo~1\m6x1jo.dll
    O2 - BHO: í????ó?ù - {5673A7C0-95CC-4646-BB07-3BD71234CEF9} - C:\WINDOWS\system32\MicrosoftNet.dll
    O2 - BHO: QuickBtn - {D1BB7CF4-4463-4e91-88D7-ECC3CE0A13B7} - C:\Program Files\CoolWebsite\QuickLink.dll (file missing)
    O8 - Extra context menu item: >> 彩信发送 << - res://C:\Program Files\MMSAssist\Mmsass~1.dll/mms.htm
    O9 - Extra button: êμó?í??·μ?o? - {1D901067-2529-4A9B-9B6B-7A1DB3A44CB5} - C:\Program Files\CoolWebsite\QuickLink.dll (file missing)

    Please download ewido anti-malware it is a free version of the program -> http://www.ewido.net/en/download/

    1. Install ewido anti-malware
    2. When installing, under "Additional Options" uncheck..
    * Install background guard
    * Install scan via context menu
    3. Launch ewido, there should be an icon on your desktop, double-click it.
    4. The program will now open to the main screen.
    5. When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
    6. You will need to update ewido to the latest definition files.
    * On the left hand side of the main screen click update.
    * Then click on Start Update.
    7. The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display ("Update successful")

    If you are having problems with the updater, you can use this link to manually update ewido.
    ewido manual updates -> http://download.ewido.net/ewido-signatures-full-current.exe Make sure to close Ewido before installing the update.

    Once the updates are installed do the following:

    Reboot your computer in SafeMode by doing the following:

    1. Restart your computer
    2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    3. Instead of Windows loading as normal, a menu should appear
    4. Select the first option, to run Windows in Safe Mode.

    Delete, if found:

    C:\PROGRA~1\CNNIC
    C:\WINDOWS\system32\cdn
    C:\PROGRA~1\DESKAD~1
    C:\Documents and Settings\All Users\Application Data\Microsoft\IEHelper
    C:\WINDOWS\Downlo~1\m6x1jo.dll
    C:\WINDOWS\system32\MicrosoftNet.dll
    C:\Program Files\CoolWebsite
    C:\Program Files\MMSAssist
    C:\WINDOWS\system32\conime.exe
    C:\WINDOWS\system32\wbem\IRJIT.dll
    C:\WINDOWS\system32\wbem\ocmor.dat
    C:\WINDOWS\system32\nt.sys
    C:\WINDOWS\system32\spted.dll

    Then launch ewido:

    * Click on scanner
    * Click on Complete System Scan and the scan will begin.
    * You will be prompted to clean the first infection.
    * Select "Perform action on all infections", then proceed.
    * Once the scan has completed, there will be a button located on the bottom of the screen named Save report
    * Click Save report.
    * Save the report .txt file to your desktop or a location where you can find it easily.

    Close ewido anti-malware.

    Reboot back to normal mode

    Send ewido report and a fresh HjT log
  • crazyeagle
    edited June 2006
    hjt and ewido log
    Logfile of HijackThis v1.99.1
    Scan saved at 9:01:06 AM, on 6/1/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\ACS.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\WINDOWS\System32\svchost.exe
    c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\HJT\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: MonitorURL Class - {08A312BB-5409-49FC-9347-54BB7D069AC6} - C:\PROGRA~1\DESKAD~1\deskipn.dll (file missing)
    O2 - BHO: QQIEHelper - {54EBD53A-9BC1-480B-966A-843A333CA162} - C:\Program Files\Tencent\QQ\QQIEHelper.dll (file missing)
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: 上?到QQ网?硬? - C:\Program Files\Tencent\QQ\AddToNetDisk.htm
    O8 - Extra context menu item: 上传到QQ网络硬盘 - C:\Program Files\Tencent\QQ\AddToNetDisk.htm
    O8 - Extra context menu item: 使用影音传送带下载 - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
    O8 - Extra context menu item: 使用影音传送带下载全部链接 - C:\Program Files\Xi\NetTransport 2\NTAddList.html
    O8 - Extra context menu item: 添加到QQ自定?面板 - C:\Program Files\Tencent\QQ\AddPanel.htm
    O8 - Extra context menu item: 添加到QQ自定义面板 - C:\Program Files\Tencent\QQ\AddPanel.htm
    O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
    O8 - Extra context menu item: 用QQ彩信?送??片 - C:\Program Files\Tencent\QQ\SendMMS.htm
    O8 - Extra context menu item: 用QQ彩信发送该图片 - C:\Program Files\Tencent\QQ\SendMMS.htm
    O8 - Extra context menu item: 用炫彩图铃发送该图片 - C:\Program Files\CaiShow Tech\CaiShow\SendMMS.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: D?à?UC - {2253922F-1B26-4C74-8B57-E3AEE748DBB8} - C:\Program Files\sina\UC\uc.exe (file missing)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
    O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE
    O9 - Extra 'Tools' menuitem: ìú??QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: DVD-RAM_Service - Matsu****a Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    ewido anti-malware - Scan report

    + Created on: 8:56:41 AM, 6/1/2006
    + Report-Checksum: 1004DD03

    + Scan result:

    C:\Documents and Settings\jacky\Cookies\jacky@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
    C:\Documents and Settings\jacky\Cookies\jacky@www.myaffiliateprogram[2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
    C:\WINDOWS\system32\1116\ntjdo\plugins\__efmfuf_po_sfcppu__bt.emm -> Adware.CFS : Cleaned with backup
    C:\WINDOWS\system32\1116\ntjdo\plugins\__efmfuf_po_sfcppu__cn.emm -> Adware.CFS : Cleaned with backup
    C:\WINDOWS\system32\1116\ntjdo\plugins\__efmfuf_po_sfcppu__ctf.emm -> Adware.CFS : Cleaned with backup
    C:\WINDOWS\system32\1116\ntjdo\plugins\__efmfuf_po_sfcppu__mvq.emm -> Adware.CFS : Cleaned with backup
    C:\WINDOWS\system32\1116\ntjdo\__efmfuf_po_sfcppu__ntjcn.emm -> Adware.AllSum : Cleaned with backup


    ::Report End
  • Shaba
    edited June 2006
    Looks good :)

    Fix with HjT (do a system scan only, checkmark these and press fix checked):

    O2 - BHO: MonitorURL Class - {08A312BB-5409-49FC-9347-54BB7D069AC6} - C:\PROGRA~1\DESKAD~1\deskipn.dll (file missing)

    Reboot

    Send a fresh HjT log. Still problems?
  • crazyeagle
    edited June 2006
    The problem still exists, I still have to end process the explorer and run explorer to show desktop. But the start up time has greatly reduced though^^

    Logfile of HijackThis v1.99.1
    Scan saved at 1:33:17 PM, on 6/1/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\ACS.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\WINDOWS\System32\svchost.exe
    c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\HJT\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: 上?到QQ网?硬? - C:\Program Files\Tencent\QQ\AddToNetDisk.htm
    O8 - Extra context menu item: 上传到QQ网络硬盘 - C:\Program Files\Tencent\QQ\AddToNetDisk.htm
    O8 - Extra context menu item: 使用影音传送带下载 - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
    O8 - Extra context menu item: 使用影音传送带下载全部链接 - C:\Program Files\Xi\NetTransport 2\NTAddList.html
    O8 - Extra context menu item: 添加到QQ自定?面板 - C:\Program Files\Tencent\QQ\AddPanel.htm
    O8 - Extra context menu item: 添加到QQ自定义面板 - C:\Program Files\Tencent\QQ\AddPanel.htm
    O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
    O8 - Extra context menu item: 用QQ彩信?送??片 - C:\Program Files\Tencent\QQ\SendMMS.htm
    O8 - Extra context menu item: 用QQ彩信发送该图片 - C:\Program Files\Tencent\QQ\SendMMS.htm
    O8 - Extra context menu item: 用炫彩图铃发送该图片 - C:\Program Files\CaiShow Tech\CaiShow\SendMMS.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: D?à?UC - {2253922F-1B26-4C74-8B57-E3AEE748DBB8} - C:\Program Files\sina\UC\uc.exe (file missing)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
    O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE
    O9 - Extra 'Tools' menuitem: ìú??QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: DVD-RAM_Service - Matsu****a Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • Shaba
    edited June 2006
    Ok, let's look little deeper:

    Download F-Secure Blacklight and save it to your desktop -> http://www.f-secure.com/blacklight/try.shtml

    Doubleclick blbeta.exe, accept the agreement, click Scan, then click Next

    You'll see a list what have been found. A log will appear to your desktop, it is named fsbl.xxxxxxx.log (xxxxxxx will be random numbers).

    DON'T choose Rename if something was found!

    Post the contents of fsbl.xxxx.log to here (xxxx= random numbers,blacklight log from your desktop)

    Also do this:

    Follow these instructions -> http://www.bleepingcomputer.com/files/winpfind.php

    and send winpfind log here
  • crazyeagle
    edited June 2006
    here is winpfind log, nothing found using the black light

    WARNING: not all files found b06/01/06 14:32:55 [Info]: BlackLight Engine 1.0.37 initialized
    06/01/06 14:32:55 [Info]: OS: 5.1 build 2600 (Service Pack 2)
    06/01/06 14:32:55 [Note]: 7019 4
    06/01/06 14:32:55 [Note]: 7005 0
    06/01/06 14:32:57 [Note]: 7006 0
    06/01/06 14:32:57 [Note]: 7011 2036
    06/01/06 14:32:58 [Note]: 7026 0
    06/01/06 14:32:58 [Note]: 7026 0
    06/01/06 14:33:07 [Note]: FSRAW library version 1.7.1015
    06/01/06 14:46:39 [Note]: 7007 0
    y this scanner are bad. Consult with a knowledgable person before proceeding.

    If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

    换换换换换换换换?Windows OS and Versions 换换换换换换换换换换换换换换换?
    Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
    Internet Explorer Version: 6.0.2900.2180

    换换换换换换换换?Checking Selected Standard Folders 换换换换换换换换换换

    Checking %SystemDrive% folder...
    qoologic 6/1/2006 2:33:28 PM 204131 C:\WinPFind.zip

    Checking %ProgramFilesDir% folder...

    Checking %WinDir% folder...
    aspack 5/31/2006 12:59:58 AM 722690 C:\WINDOWS\aaa.exe
    UPX! 8/22/2004 6:04:56 PM 69120 C:\WINDOWS\daemon.dll
    UPX! 5/31/2006 12:48:10 AM 404228 C:\WINDOWS\Weather_39.exe
    UPX! 5/26/2006 12:58:12 PM 366852 C:\WINDOWS\xiuxian.exe

    Checking %System% folder...
    PEC2 3/31/2003 8:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
    PEC2 9/3/2004 2:03:48 PM 716800 C:\WINDOWS\SYSTEM32\DivX.dll
    PECompact2 9/3/2004 2:03:48 PM 716800 C:\WINDOWS\SYSTEM32\DivX.dll
    PECompact2 5/4/2006 12:26:22 AM 5996804 C:\WINDOWS\SYSTEM32\MRT.exe
    aspack 5/4/2006 12:26:22 AM 5996804 C:\WINDOWS\SYSTEM32\MRT.exe
    aspack 8/4/2004 3:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
    Umonitor 8/4/2004 3:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
    UPX! 4/26/2006 6:29:58 AM 217348 C:\WINDOWS\SYSTEM32\rudll2.exe
    winsync 3/31/2003 8:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
    UPX! 4/24/2006 2:25:12 AM 231865085 C:\WINDOWS\SYSTEM32\国语女教师.rmvb

    Checking %System%\Drivers folder and sub-folders...
    PTech 8/4/2004 1:41:38 AM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

    Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


    Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
    6/1/2006 4:02:36 PM S 2048 C:\WINDOWS\bootstat.dat
    6/1/2006 6:27:56 PM H 1024 C:\WINDOWS\system32\config\default.LOG
    6/1/2006 4:02:38 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
    6/1/2006 6:00:36 PM H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
    6/1/2006 6:27:48 PM H 1024 C:\WINDOWS\system32\config\software.LOG
    6/1/2006 7:30:58 PM H 1024 C:\WINDOWS\system32\config\system.LOG
    5/10/2006 3:01:28 AM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
    5/25/2006 1:59:26 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\56c73cc2-10e8-4401-bda0-3d74239e25e4
    5/25/2006 1:59:26 AM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
    6/1/2006 4:02:38 PM H 6 C:\WINDOWS\Tasks\SA.DAT

    Checking for CPL files...
    Microsoft Corporation 8/4/2004 3:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
    Microsoft Corporation 8/4/2004 3:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
    Microsoft Corporation 8/4/2004 3:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
    COMPAL ELECTRONIC INC. 5/20/2004 5:03:58 PM 917504 C:\WINDOWS\SYSTEM32\CoPM.cpl
    Microsoft Corporation 8/4/2004 3:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
    Microsoft Corporation 8/4/2004 3:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
    Microsoft Corporation 8/4/2004 3:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
    Microsoft Corporation 8/4/2004 3:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
    Microsoft Corporation 8/4/2004 3:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
    Microsoft Corporation 8/4/2004 3:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
    Microsoft Corporation 8/4/2004 3:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
    Sun Microsystems 12/2/2003 6:05:26 PM 61555 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
    Microsoft Corporation 3/31/2003 8:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
    Microsoft Corporation 8/4/2004 3:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
    Microsoft Corporation 3/31/2003 8:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
    Microsoft Corporation 8/4/2004 3:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
    Microsoft Corporation 8/4/2004 3:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
    Microsoft Corporation 8/4/2004 3:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
    Microsoft Corporation 8/4/2004 3:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
    Microsoft Corporation 8/4/2004 3:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
    Microsoft Corporation 3/31/2003 8:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
    Microsoft Corporation 8/4/2004 3:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
    9/5/2003 5:36:40 PM 495616 C:\WINDOWS\SYSTEM32\TOSCDSPD.cpl
    Microsoft Corporation 8/4/2004 3:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
    Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
    Microsoft Corporation 8/4/2004 3:56:58 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
    Microsoft Corporation 8/4/2004 3:56:58 AM 155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
    Microsoft Corporation 8/4/2004 3:56:58 AM 358400 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
    Microsoft Corporation 8/4/2004 3:56:58 AM 129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
    Microsoft Corporation 8/4/2004 3:56:58 AM 380416 C:\WINDOWS\SYSTEM32\dllcache\irprops.cpl
    Microsoft Corporation 8/4/2004 3:56:58 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
    Microsoft Corporation 3/31/2003 8:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
    Microsoft Corporation 8/4/2004 3:56:58 AM 618496 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
    Microsoft Corporation 3/31/2003 8:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
    Microsoft Corporation 8/4/2004 3:56:58 AM 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
    Microsoft Corporation 8/4/2004 3:56:58 AM 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
    Microsoft Corporation 8/4/2004 3:56:58 AM 114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
    Microsoft Corporation 8/4/2004 3:56:58 AM 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
    Microsoft Corporation 8/4/2004 3:56:58 AM 298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
    Microsoft Corporation 3/31/2003 8:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
    Microsoft Corporation 8/4/2004 3:56:58 AM 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
    Microsoft Corporation 8/4/2004 3:56:58 AM 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
    Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

    换换换换换换换换?Checking Selected Startup Folders 换换换换换换换换换换?

    Checking files in %ALLUSERSPROFILE%\Startup folder...
    12/2/2003 5:08:46 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

    Checking files in %ALLUSERSPROFILE%\Application Data folder...
    12/2/2003 9:00:18 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
    9/10/2004 4:19:50 PM 771 C:\Documents and Settings\All Users\Application Data\hpzinstall.log

    Checking files in %USERPROFILE%\Startup folder...
    12/2/2003 5:08:46 PM HS 84 C:\Documents and Settings\jacky\Start Menu\Programs\Startup\desktop.ini

    Checking files in %USERPROFILE%\Application Data folder...
    12/2/2003 9:00:18 AM HS 62 C:\Documents and Settings\jacky\Application Data\desktop.ini

    换换换换换换换换?Checking Selected Registry Keys 换换换换换换换换换换换?

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    SV1 =

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

    [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
    {09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
    {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{8C504614-A455-4CBA-81B4-D279644B8A7D}
    = tfaxext.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
    Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\粉碎文件
    {C14F7681-33D8-11D3-A09B-00500402F30B} = C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\ywiper.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
    {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
    {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
    {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
    = %SystemRoot%\system32\SHELL32.dll

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}
    DriveLetterAccess = C:\WINDOWS\system32\dla\tfswshx.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
    &Tip of the Day = %SystemRoot%\System32\shdocvw.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping
    MenuText = :
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
    MenuText = Sun Java Console :
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2253922F-1B26-4C74-8B57-E3AEE748DBB8}
    ButtonText = 新浪UC : C:\Program Files\sina\UC\uc.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
    ButtonText = AIM : C:\Program Files\AIM\aim.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157b}
    ButtonText = QQ : C:\Program Files\Tencent\QQ\QQ.EXE
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
    ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
    =
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
    File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
    {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
    {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    CeEKEY C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    TPNF C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    PadTouch C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    CeEPOWER C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
    HP Software Update "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
    HP Component Manager "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    ATIPTA C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    Apoint C:\Program Files\Apoint2K\Apoint.exe
    CdnCtr

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    ctfmon.exe C:\WINDOWS\system32\ctfmon.exe
    TOSCDSPD C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services
    GrayPigeonServer2.0 2


    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item
    hkey HKLM
    command
    inimapping 0


    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AGRSMMSG
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item AGRSMMSG
    hkey HKLM
    command AGRSMMSG.exe
    inimapping 0
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item AGRSMMSG
    hkey HKLM
    command AGRSMMSG.exe
    inimapping 0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AOL Spyware Protection
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item AOLSP Scheduler
    hkey HKLM
    command "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
    inimapping 0
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item AOLSP Scheduler
    hkey HKLM
    command "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
    inimapping 0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AOLDialer
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item AOLDial
    hkey HKLM
    command C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    inimapping 0
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item AOLDial
    hkey HKLM
    command C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    inimapping 0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\dla
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item tfswctrl
    hkey HKLM
    command C:\WINDOWS\system32\dla\tfswctrl.exe
    inimapping 0
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item tfswctrl
    hkey HKLM
    command C:\WINDOWS\system32\dla\tfswctrl.exe
    inimapping 0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HostManager
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item AOLHostManager
    hkey HKLM
    command C:\Program Files\Common Files\AOL\1130650186\ee\AOLHostManager.exe
    inimapping 0
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item AOLHostManager
    hkey HKLM
    command C:\Program Files\Common Files\AOL\1130650186\ee\AOLHostManager.exe
    inimapping 0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Iehelper
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item iehelper
    hkey HKLM
    command C:\WINDOWS\system32\iehelper.exe
    inimapping 0
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item iehelper
    hkey HKLM
    command C:\WINDOWS\system32\iehelper.exe
    inimapping 0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\IESAddr
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item Null
    hkey HKLM
    command Null
    inimapping 0
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item Null
    hkey HKLM
    command Null
    inimapping 0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\IMJPMIG8.1
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item IMJPMIG
    hkey HKLM
    command "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    inimapping 0
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item IMJPMIG
    hkey HKLM
    command "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    inimapping 0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\KernelFaultCheck
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item dumprep 0 -k
    hkey HKLM
    command %systemroot%\system32\dumprep 0 -k
    inimapping 0
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item dumprep 0 -k
    hkey HKLM
    command %systemroot%\system32\dumprep 0 -k
    inimapping 0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MsnMsgr
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item MsnMsgr
    hkey HKCU
    command "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    inimapping 0
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item MsnMsgr
    hkey HKCU
    command "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    inimapping 0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSPY2002
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item ImScInst
    hkey HKLM
    command C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    inimapping 0
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item ImScInst
    hkey HKLM
    command C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    inimapping 0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\msq
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item bartest
    hkey HKCU
    command C:\WINDOWS\bartest.exe
    inimapping 0
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item bartest
    hkey HKCU
    command C:\WINDOWS\bartest.exe
    inimapping 0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSService_v1.0
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item vfp02
    hkey HKLM
    command C:\WINDOWS\system32\vfp02.exe
    inimapping 0
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item vfp02
    hkey HKLM
    command C:\WINDOWS\system32\vfp02.exe
    inimapping 0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\msstart
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item msstart
    hkey HKLM
    command C:\WINDOWS\system32\msstart.exe
    inimapping 0
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item msstart
    hkey HKLM
    command C:\WINDOWS\system32\msstart.exe
    inimapping 0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NMGameX_AutoRun
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item Rundll32
    hkey HKLM
    command C:\WINDOWS\system32\Rundll32.exe NMGameX.dll,LiveProcess /aa
    inimapping 0
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item Rundll32
    hkey HKLM
    command C:\WINDOWS\system32\Rundll32.exe NMGameX.dll,LiveProcess /aa
    inimapping 0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\pbmini
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item PodcastBarMiniStater
    hkey HKLM
    command "C:\Program Files\pcast\PodcastbarMini\PodcastBarMiniStater.exe" -hide
    inimapping 0
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item PodcastBarMiniStater
    hkey HKLM
    command "C:\Program Files\pcast\PodcastbarMini\PodcastBarMiniStater.exe" -hide
    inimapping 0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PHIME2002A
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item TINTSETP
    hkey HKLM
    command C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    inimapping 0
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item TINTSETP
    hkey HKLM
    command C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    inimapping 0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PHIME2002ASync
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item TINTSETP
    hkey HKLM
    command C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    inimapping 0
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item TINTSETP
    hkey HKLM
    command C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    inimapping 0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Pinger
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item pinger
    hkey HKLM
    command c:\toshiba\ivp\ism\pinger.exe /run
    inimapping 0
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item pinger
    hkey HKLM
    command c:\toshiba\ivp\ism\pinger.exe /run
    inimapping 0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\res
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item res
    hkey HKLM
    command C:\WINDOWS\system32\res.exe
    inimapping 0
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item res
    hkey HKLM
    command C:\WINDOWS\system32\res.exe
    inimapping 0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\rundll32
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item IEXPLORER
    hkey HKLM
    command C:\WINDOWS\system32\IEXPLORER.EXE
    inimapping 0
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item IEXPLORER
    hkey HKLM
    command C:\WINDOWS\system32\IEXPLORER.EXE
    inimapping 0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\StormCodec_Helper
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item StormSet
    hkey HKLM
    command "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
    inimapping 0
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item StormSet
    hkey HKLM
    command "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
    inimapping 0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\System Manager
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item svchost
    hkey HKLM
    command C:\WINDOWS\svchost.exe
    inimapping 0
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item svchost
    hkey HKLM
    command C:\WINDOWS\svchost.exe
    inimapping 0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\TkBellExe
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item realsched
    hkey HKLM
    command "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    inimapping 0
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item realsched
    hkey HKLM
    command "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    inimapping 0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Update
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item Update
    hkey HKLM
    command C:\Program Files\Common Files\UPDAT\Update.exe
    inimapping 0
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item Update
    hkey HKLM
    command C:\Program Files\Common Files\UPDAT\Update.exe
    inimapping 0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ViewMgr
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item ViewMgr
    hkey HKLM
    command C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    inimapping 0
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item ViewMgr
    hkey HKLM
    command C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    inimapping 0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WildTangent CDA
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item cdaEngine0500
    hkey HKLM
    command "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
    inimapping 0
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item cdaEngine0500
    hkey HKLM
    command "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
    inimapping 0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
    system.ini 0
    win.ini 0
    bootini 0
    services 2
    startup 2


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
    {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
    {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
    {0DF44EAA-FF21-4412-828E-260A8728E7F1} =


    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    dontdisplaylastusername 0
    legalnoticecaption
    legalnoticetext
    shutdownwithoutlogon 1
    undockwithoutlogon 1


    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    NoDriveTypeAutoRun 145


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
    CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
    WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
    SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,
    Shell = Explorer.exe
    System =

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
    = crypt32.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
    = cryptnet.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
    = cscdll.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
    = wlnotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
    = wlnotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
    = sclgntfy.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
    = WlNotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
    = wlnotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
    = wlnotify.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cdnup.exe
    Debugger = C:\WINDOWS\system32\rundll32.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
    Debugger = ntsd -d

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    AppInit_DLLs


    换换换换换换换换换换换换 Scan Complete 换换换换换换换换换换换换换换换换换
    WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
    Scan completed on 6/1/2006 7:33:50 PM
  • Shaba
    edited June 2006
    Yes, there are several bad files

    1. Please download The Avenger by Swandog46 to your Desktop.
    • Click on Avenger.zip to open the file
    • Extract avenger.exe to your desktop

    2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):
    Files to delete:
    C:\WINDOWS\aaa.exe
    C:\WINDOWS\Weather_39.exe
    C:\WINDOWS\xiuxian.exe
    C:\WINDOWS\SYSTEM32\rudll2.exe
    C:\WINDOWS\system32\iehelper.exe
    C:\WINDOWS\bartest.exe
    C:\WINDOWS\system32\vfp02.exe
    C:\WINDOWS\system32\msstart.exe
    C:\WINDOWS\system32\res.exe
    C:\WINDOWS\system32\IEXPLORER.EXE
    C:\WINDOWS\svchost.exe

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Now, start The Avenger program by clicking on its icon on your desktop.
    • Under "Script file to execute" choose "Input Script Manually".
    • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
    • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
    • Click Done
    • Now click on the Green Light to begin execution of the script
    • Answer "Yes" twice when prompted.
    4. The Avenger will automatically do the following:
    • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    • On reboot, it will briefly open a black command window on your desktop, this is normal.
    • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
    5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply
Sign In or Register to comment.