
new malware.j


Name: sakai111
Date: January 10, 2008 at 17:55:59 Pacific
OS: Win XP
CPU/Ram: dual core and 1G
Product: dell
Comment:

Hi, I am having a problem with malware. McAfee keeps showing that svchost32.exe is infected with the New Malware.j trojan and it cannot be cleaned. Task Manager and Run are disabled and I cannot run Safe Mode. Every time I select Safe Mode and run it, after 5 seconds my PC restarts again. Please help.




Response Number 1
Name: jabuck
Date: January 10, 2008 at 18:39:00 Pacific
Reply:

Go to this link http://wiki.castlecops.com/Malware_... and follow their directions to disable any real-time protection that you have, as it will interfere with the fix by reinstalling the corrupt files.

Please download and install the latest version of HijackThis v2.0.2:


Download the "HijackThis" Installer from this link:
Hijack This


1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Please download ComboFix to the desktop from this link: ComboFix

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)
Please post the log it produces.


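The two logs jabuck asks for above run to hundreds of lines, and the entries that matter sit among dozens of legitimate ones. The Python script below is an added example for this thread, not code from Computing.Net, HijackThis or ComboFix. It parses HijackThis O4 autostart lines and the REGEDIT4-style Image File Execution Options (IFEO) entries that ComboFix prints under "Reg Loading Points", and flags the patterns a triager checks first: a lookalike of a Windows binary (one edit away from the real name, or the real name outside its home directory), a startup executable under Fonts, inf or C:\WINDOWS\system, the rarely used Policies\Explorer\Run key, and a Debugger value shared by many programs (Windows runs the Debugger in place of the named program, so an AV or autoruns tool listed there never starts). The directory list, key list, one-edit threshold and the sample log lines are the example's own assumptions, constructed in the two tools' formats.

```python
# Added example for this thread (not Computing.Net, HijackThis or ComboFix code):
# triage HijackThis O4 autostart lines and ComboFix's REGEDIT4 IFEO entries.
# The directory list, key list, 1-edit threshold and sample lines are assumptions.
import re

# Windows binaries malware likes to imitate, with the genuine copy's directory.
SYSTEM_BINARIES = {"svchost.exe": r"c:\windows\system32",
                   "smss.exe": r"c:\windows\system32",
                   "ctfmon.exe": r"c:\windows\system32"}
# Directories nothing legitimate is launched from at logon (assumption).
ODD_DIRS = ("c:\\windows\\fonts\\", "c:\\windows\\system32\\inf\\", "c:\\windows\\system\\")
# Autostart keys almost never used by legitimate installers (assumption).
RARE_KEYS = ("policies\\explorer\\run",)

O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^O4 - (?P<key>Global Startup|Startup): (?P<name>.+?\.lnk) = (?P<cmd>.*)$")
EXE_RE = re.compile(r'"?(?P<path>[^"]*?\.exe)\b', re.I)
IFEO_RE = re.compile(r"image file execution options\\(?P<target>[^\]]+)\]\s*Debugger=(?P<dbg>[^\r\n]+)", re.I)


def osa_distance(a, b):
    """Optimal string alignment (Damerau-Levenshtein) distance: svch0st,
    svchosts and scvhost all score 1 against svchost."""
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def parse_o4(line):
    """(autostart key, entry name, command) for one HijackThis O4 line, else None."""
    m = STARTUP_RE.match(line) or O4_RE.match(line)
    return (m.group("key"), m.group("name"), m.group("cmd")) if m else None


def triage_o4(line):
    """Reasons an O4 line deserves a closer look; an empty list means nothing odd."""
    parsed = parse_o4(line)
    if not parsed:
        return []
    key, _name, cmd = parsed
    reasons = []
    if any(k in key.lower() for k in RARE_KEYS):
        reasons.append("rare autostart key: " + key)
    m = EXE_RE.match(cmd)
    if not m:  # e.g. "regsvr32 /s apphelps.dll": a loader, not a program path
        reasons.append("no executable path (loader command): " + cmd)
        return reasons
    path = m.group("path").lower()
    directory, _, base = path.rpartition("\\")
    if path.startswith(ODD_DIRS):
        reasons.append("executable in unusual directory: " + path)
    for genuine, home in SYSTEM_BINARIES.items():
        if base == genuine and directory != home:
            reasons.append(f"{genuine} outside {home}: {path}")
        elif base != genuine and osa_distance(base, genuine) == 1:
            reasons.append(f"lookalike of {genuine}: {base}")
    return reasons


def parse_ifeo(text):
    """(target, debugger) pairs from a REGEDIT4 dump. The Debugger runs in place
    of the target, so every program named here silently fails to start."""
    return [(m.group("target"), m.group("dbg").strip()) for m in IFEO_RE.finditer(text)]


def report(hjt_text, combofix_text):
    """Flagged O4 lines with reasons, and IFEO targets grouped by hijacking binary."""
    flagged = {}
    for line in hjt_text.splitlines():
        reasons = triage_o4(line)
        if reasons:
            flagged[line] = reasons
    by_debugger = {}
    for target, debugger in parse_ifeo(combofix_text):
        by_debugger.setdefault(debugger.lower(), []).append(target)
    return flagged, by_debugger


# Constructed sample lines in the two tools' formats (not a real machine's logs).
SAMPLE_HJT = r"""O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [TBMonEx] C:\WINDOWS\Fonts\44-45-53-54-42-00\system\wdfmgr.exe
O4 - HKLM\..\Run: [Vmlist] regsvr32 /s apphelps.dll
O4 - HKLM\..\Policies\Explorer\Run: [zuoyue] C:\WINDOWS\system32\inf\svch0st.exe C:\WINDOWS\system32\lw.dll start
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: mspaint.lnk = C:\WINDOWS\system\zyxpRes080109.exe
"""
SAMPLE_COMBOFIX = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avp.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\autoruns.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ANTI-TROJAN.EXE]
Debugger=C:\WINDOWS\Fonts\44-45-53-54-42-00\system\wdfmgr.exe
"""

if __name__ == "__main__":
    flagged, hijacks = report(SAMPLE_HJT, SAMPLE_COMBOFIX)
    for line, reasons in flagged.items():
        print(line)
        for r in reasons:
            print("   -", r)
    for debugger, targets in hijacks.items():
        print(f"{debugger} hijacks {len(targets)} program(s): {', '.join(targets)}")
```

On a real case you would pass the contents of the saved hijackthis.log and ComboFix.txt to report() instead of the sample strings. The edit-distance check is what catches the svch0st / svchosts / scvhost family of names; the IFEO grouping turns a hundred near-identical registry keys into one line per hijacking binary, which is the list of files you actually need to remove.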

Response Number 2
Name: sakai111
Date: January 10, 2008 at 21:34:59 Pacific
Reply:

Hi,

The website you gave me does not exist:

http://wiki.castlecops.com/Malware_...



Response Number 3
Name: jabuck
Date: January 11, 2008 at 03:36:02 Pacific
Reply:

Response Number 4
Name: sakai111
Date: January 12, 2008 at 07:45:14 Pacific
Reply:

hi jabuck,

I can access the Task Manager now after running ComboFix.

These are my HijackThis and ComboFix log files.

HijackThis log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:50:46 AM, on 2008/1/9
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\StormII\stormliv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\program files\internet explorer\IEXPLORE.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\inf\svchosts.exe
C:\WINDOWS\system32\inf\svch0st.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\wdfmgr.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.exe
C:\Documents and Settings\kevinwong\Desktop\New Folder\HiJack.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee Anti-Phishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" /IMEName
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\Program Files\McAfee.com\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [OASClnt] "C:\Program Files\McAfee.com\VSO\oasclnt.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] "C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" /startup
O4 - HKLM\..\Run: [MPSExe] "c:\PROGRA~1\mcafee.com\mps\mscifapp.exe" /embedding
O4 - HKLM\..\Run: [TBMonEx] C:\WINDOWS\Fonts\44-45-53-54-42-00\system\wdfmgr.exe
O4 - HKLM\..\Run: [inudhya] C:\WINDOWS\Fonts\44-45-53-54-42-00\system\soundma.exe
O4 - HKLM\..\Run: [WSockx2_32] C:\WINDOWS\zpebbb.exe
O4 - HKLM\..\Run: [XiaoiDesktop] "C:\Program Files\Incesoft\XiaoiAlerts\XiaoiUpdater.exe" /hide
O4 - HKLM\..\Run: [Vmlist] regsvr32 /s apphelps.dll
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [Userinit] C:\WINDOWS\system32\inf\svchosts.exe C:\WINDOWS\system32\lwisys16_080109.dll start
O4 - HKLM\..\Policies\Explorer\Run: [zuoyue] C:\WINDOWS\system32\inf\svch0st.exe C:\WINDOWS\system32\lwizysys16_080109.dll start
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.exe (User 'Default user')
O4 - Global Startup: mspaint.lnk = C:\WINDOWS\system\zyxpRes080109.exe
O4 - Global Startup: office.lnk = C:\WINDOWS\system\sslxpes080109.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee Anti-Phishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/s...
O23 - Service: Contrl Center of Storm Media (ccosm) - 北京暴?网?科技有限公司 - C:\Program Files\StormII\stormliv.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Perfor and Alell (NetworkDDEDSDMQ) - Unknown owner - C:\WINDOWS\system32\Networkk.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 8895 bytes

Combofix log file:
ComboFix 08-01-09.2 - kevinwong 2005-01-12 2:11:05.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.950.1.1033.18.524 [GMT 8:00]
Running from: C:\Documents and Settings\kevinwong\Desktop\New Folder\ComboFix.exe
* Created a new restore point
.
The following files were disabled during the run:
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\inudhya.dll
C:\WINDOWS\system32\nauhgnem.dll
C:\WINDOWS\system32\auhad.dll
C:\WINDOWS\system32\ijougiemnaw.dll
C:\WINDOWS\system32\gnaixnauhuoyizqq.dll
C:\WINDOWS\system32\gnaixnauhqq.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\DFD1919250.bat
C:\DFD1922906.bat
C:\Documents and Settings\kevinwong\smss.exe
C:\Program Files\Common Files\cpush
C:\Program Files\Common Files\cpush\cpush.dll
C:\Program Files\Common Files\cpush\Uninst.exe
C:\Program Files\Incesoft\XiaoiAlerts
C:\Program Files\Incesoft\XiaoiAlerts\Capture.dll
C:\Program Files\Incesoft\XiaoiAlerts\MSNMessengerLib.dll
C:\Program Files\Incesoft\XiaoiAlerts\MSNPlugin.dll
C:\Program Files\Incesoft\XiaoiAlerts\Uninstall.exe
C:\Program Files\Incesoft\XiaoiAlerts\XiaoiDesktop.exe
C:\Program Files\Incesoft\XiaoiAlerts\XiaoiUpdater.exe
C:\Program Files\Internet Explorer\PLUGINS\Sy_Win7k.Jmp
C:\Program Files\internet explorer\plugins\wn_sys8x.sys
C:\WINDOWS\cmdbcs.exe
C:\WINDOWS\DbgHlp32.exe
C:\WINDOWS\fn00321.log
C:\WINDOWS\Fonts\ardasbse.fon
C:\WINDOWS\Fonts\avzxnin.dll
C:\WINDOWS\Fonts\chqibur.fon
C:\WINDOWS\Fonts\chtibur.fon
C:\WINDOWS\Fonts\enpobfx.fon
C:\WINDOWS\Fonts\enwebfx.fon
C:\WINDOWS\Fonts\gejibnd.fon
C:\WINDOWS\Fonts\gjcsdss.dll
C:\WINDOWS\Fonts\gjcubxw.fon
C:\WINDOWS\Fonts\kapjics.dll
C:\WINDOWS\Fonts\kawdjcs.dll
C:\WINDOWS\Fonts\kvdxsocf.dll
C:\WINDOWS\Fonts\mszhbsda.fon
C:\WINDOWS\Fonts\raqjmni.dll
C:\WINDOWS\Fonts\ratbuni.dll
C:\WINDOWS\Fonts\rsjzbfg.dll
C:\WINDOWS\Fonts\swjqdcs.dll
C:\WINDOWS\Fonts\swrcgcs.dll
C:\WINDOWS\Fonts\wijibfw.fon
C:\WINDOWS\Fonts\wirebfw.fon
C:\WINDOWS\Fonts\wsmsfcj.dll
C:\WINDOWS\Fonts\wszjdcjb.dll
C:\WINDOWS\Fonts\wymobfz.fon
C:\WINDOWS\Fonts\wyzubfz.fon
C:\WINDOWS\kvsc3.exe
C:\WINDOWS\lotushlp.exe
C:\WINDOWS\msimms32.exe
C:\WINDOWS\msprint32d.exe
C:\WINDOWS\PTSShell.exe
C:\WINDOWS\SHAProc.exe
C:\WINDOWS\system\dvl
C:\WINDOWS\system\lvl
C:\WINDOWS\system32\catclogd.dll
C:\WINDOWS\system32\cmdbcs.dll
C:\WINDOWS\system32\DbgHlp32.dll
C:\WINDOWS\system32\drivers\eract.sys
C:\WINDOWS\system32\drivers\m4d4waq.sys
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\drivers\ptykxk63.sys
C:\WINDOWS\system32\drivers\scvhost.exe
C:\WINDOWS\system32\drivers\svchost.exe
C:\WINDOWS\system32\grgyok78.dllmmc.pkm
C:\WINDOWS\system32\inf\scrsys080109.scr
C:\WINDOWS\system32\inf\scrsys16_080109.dll
C:\WINDOWS\system32\inf\scrsyszy080109.scr
C:\WINDOWS\system32\inf\svch0st.exe
C:\WINDOWS\system32\install.exe
C:\WINDOWS\system32\kryfqxewl.dll
C:\WINDOWS\system32\krygqxszx.dll
C:\WINDOWS\system32\kvsc3.dll
C:\WINDOWS\system32\LotusHlp.dll
C:\WINDOWS\system32\lwisys16_080109.dll
C:\WINDOWS\system32\mshtmll.dll
C:\WINDOWS\system32\msimms32.dll
C:\WINDOWS\system32\MsPrint32D.dll
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pgbwkg19.dllmmc.pkm
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\PTSShell.dll
C:\WINDOWS\system32\ptykxk63.dll
C:\WINDOWS\system32\ptykxk63.dllmmc.pkm
C:\WINDOWS\system32\SALTDMT.exe
C:\WINDOWS\system32\SHAProc.dll
C:\WINDOWS\system32\uajqahowow.dll
C:\WINDOWS\system32\upxdnd.dll
C:\WINDOWS\system32\wanpacket.dll
C:\WINDOWS\system32\wdkscjqwm.dll
C:\WINDOWS\system32\winform.dll
C:\WINDOWS\system32\winmdj35.dllmmc.pkm
C:\WINDOWS\system32\wpcap.dll
C:\WINDOWS\tempaq
C:\WINDOWS\upxdnd.exe
C:\WINDOWS\winform.exe
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_ERACT
-------\LEGACY_NPF
-------\LEGACY_PTYKXK63
-------\LEGACY_RPCS
-------\LEGACY_SVCHOST
-------\eract
-------\NPF
-------\ptykxk63
-------\RpcS
-------\svchost


((((((((((((((((((((((((( Files Created from 2007-12-08 to 2008-01-08 )))))))))))))))))))))))))))))))
.

2008-01-08 12:29 . 2008-01-08 12:29 217,088 --a------ C:\WINDOWS\system32\tvt.exe
2008-01-02 17:25 . 2008-01-02 17:25 49,152 --a------ C:\WINDOWS\system32\6to4.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-08 18:14 13,063 ----a-w C:\WINDOWS\system32\drivers\JPYGPXHNUAGNWD.DAT
2008-01-08 18:12 --------- d-----w C:\Program Files\Incesoft
2007-12-17 10:34 15,360 ----a-w C:\WINDOWS\system32\pgbwkg19.dll
2007-12-17 10:34 15,360 ----a-w C:\WINDOWS\system32\grgyok78.dll
2007-12-04 02:48 172,032 ----a-w C:\WINDOWS\system32\ticw.exe
2007-11-13 07:03 106,496 ----a-w C:\WINDOWS\system32\abskey.dll
2005-01-11 18:06 95,744 ----a-w C:\WINDOWS\Fonts\44-45-53-54-42-00\system\inudhya.dll.vir
2005-01-10 17:12 49,152 ----a-w C:\Program Files\ctfmonj.exe
2005-01-10 17:12 33,929 ----a-w C:\Program Files\ctfmona.exe
2005-01-10 17:12 176,821 ----a-w C:\Program Files\ctfmonk.exe
2005-01-10 16:35 400,040 ----a-w C:\WINDOWS\Fonts\kvdxsoma.dll
2005-01-10 16:35 254,552 ----a-w C:\WINDOWS\Fonts\swrcgzc.dll
2005-01-10 16:35 223,160 ----a-w C:\WINDOWS\Fonts\wsmsfzx.dll
2005-01-10 16:35 220,088 ----a-w C:\WINDOWS\Fonts\swjqdzc.dll
2005-01-10 16:35 154,552 ----a-w C:\WINDOWS\Fonts\ratbupi.dll
2005-01-10 16:35 123,136 ----a-w C:\WINDOWS\Fonts\avzxnmn.dll
2005-01-10 16:35 110,088 ----a-w C:\WINDOWS\Fonts\raqjmpi.dll
2005-01-10 16:34 33,935 ----a-w C:\WINDOWS\Fonts\44-45-53-54-42-00\system\00025.exe
2005-01-10 16:34 17,272 ----a-w C:\WINDOWS\Fonts\44-45-53-54-42-00\system\00022.exe
2005-01-10 16:34 16,998 ----a-w C:\WINDOWS\Fonts\44-45-53-54-42-00\system\00008.exe
2005-01-10 16:34 16,698 ----a-w C:\WINDOWS\Fonts\44-45-53-54-42-00\system\00017.exe
2005-01-10 16:34 16,214 ----a-w C:\WINDOWS\Fonts\kawdjaz.exe
2005-01-10 16:34 16,120 ----a-w C:\WINDOWS\Fonts\44-45-53-54-42-00\system\00007.exe
2005-01-10 16:34 16,106 ----a-w C:\WINDOWS\Fonts\44-45-53-54-42-00\system\00021.exe
2005-01-10 16:34 16,042 ----a-w C:\WINDOWS\Fonts\44-45-53-54-42-00\system\jz.exe
2005-01-10 16:34 15,906 ----a-w C:\WINDOWS\Fonts\44-45-53-54-42-00\system\00018.exe
2005-01-10 16:34 15,774 ----a-w C:\WINDOWS\Fonts\44-45-53-54-42-00\system\00010.exe
2005-01-10 16:34 15,607 ----a-w C:\WINDOWS\Fonts\gjcsdzc.exe
2005-01-10 16:34 15,479 ----a-w C:\WINDOWS\Fonts\44-45-53-54-42-00\system\00004.exe
2005-01-10 16:34 15,324 ----a-w C:\WINDOWS\Fonts\44-45-53-54-42-00\system\00005.exe
2005-01-10 16:34 15,167 ----a-w C:\WINDOWS\Fonts\44-45-53-54-42-00\system\00011.exe
2005-01-10 16:33 14,644 ----a-w C:\WINDOWS\Fonts\44-45-53-54-42-00\system\lmmy.exe
2005-01-10 16:33 14,533 ----a-w C:\WINDOWS\Fonts\44-45-53-54-42-00\system\lmmh.exe
2005-01-10 16:33 14,368 ----a-w C:\WINDOWS\Fonts\44-45-53-54-42-00\system\wdlm.exe
2005-01-10 16:00 9,373 ----a-w C:\WINDOWS\Fonts\44-45-53-54-42-00\system\fbd.exe
2005-01-10 16:00 8,163 ----a-w C:\WINDOWS\Fonts\44-45-53-54-42-00\system\dd.exe
2005-01-10 16:00 335,106 --sh--w C:\Documents and Settings\kevinwong\motou.exe
2005-01-10 16:00 162,562 --sh--w C:\Documents and Settings\kevinwong\smss.com
2005-01-10 15:59 16,998 ----a-w C:\WINDOWS\Fonts\wsmsfax.exe
2005-01-10 15:59 16,698 ----a-w C:\WINDOWS\Fonts\avzxnst.exe
2005-01-10 15:59 16,120 ----a-w C:\WINDOWS\Fonts\swjqdac.exe
2005-01-10 15:59 16,106 ----a-w C:\WINDOWS\Fonts\kapjiaz.exe
2005-01-10 15:59 16,042 ----a-w C:\WINDOWS\Fonts\rsjzbsp.exe
2005-01-10 15:59 15,906 ----a-w C:\WINDOWS\Fonts\raqjmtl.exe
2005-01-10 15:59 15,774 ----a-w C:\WINDOWS\Fonts\swrcgac.exe
2005-01-10 15:59 15,167 ----a-w C:\WINDOWS\Fonts\ratbutl.exe
2005-01-10 15:58 19,440 ----a-w C:\WINDOWS\Fonts\44-45-53-54-42-00\system\00023.exe
2005-01-10 15:58 15,479 ----a-w C:\WINDOWS\Fonts\kvdxsois.exe
2005-01-10 15:56 51,042 ----a-w C:\WINDOWS\Fonts\44-45-53-54-42-00\system\soundma.exe
2005-01-10 15:56 135,680 ----a-w C:\WINDOWS\inf\dotnetfc.exe
2004-08-04 16:34 526,934 --sh--w C:\WINDOWS\Fonts\kawdjzy.dll
2004-08-04 16:34 525,394 --sh--w C:\WINDOWS\Fonts\gjcsdyc.dll
2004-08-04 16:01 526,444 --sh--w C:\WINDOWS\Fonts\rsjzbpm.dll
2004-08-04 16:01 525,912 --sh--w C:\WINDOWS\Fonts\kapjizy.dll
2004-08-03 16:56 19,491 --sh--w C:\WINDOWS\Fonts\44-45-53-54-42-00\system\wdfmgr.exe
2005-01-10 17:12 29,537 --sh--w C:\WINDOWS\124327M.exe
2004-08-04 16:34 525,394 --sh--w C:\WINDOWS\Fonts\gjcsdyc.dll
2004-08-04 16:01 525,912 --sh--w C:\WINDOWS\Fonts\kapjizy.dll
2004-08-04 16:34 526,934 --sh--w C:\WINDOWS\Fonts\kawdjzy.dll
2004-08-04 16:01 526,444 --sh--w C:\WINDOWS\Fonts\rsjzbpm.dll
2004-08-03 16:56 19,491 --sh--w C:\WINDOWS\Fonts\44-45-53-54-42-00\system\wdfmgr.exe
2005-01-10 16:45 79,156 --sh--r C:\WINDOWS\system32\mycc080110.exe
2005-01-10 16:55 35,840 --sh--w C:\WINDOWS\system32\Networkk.exe
1990-01-01 20:01 78,336 --sh--w C:\WINDOWS\system32\WebClientt.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-03 22:32 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 22:32 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 22:32 455168]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 11:55 667718]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 11:56 602182]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-13 17:44 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-13 17:41 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-13 17:45 118784]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 17:30 282624 C:\WINDOWS\stsystra.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 12:48 761947]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2006-06-29 12:13 1032192]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 18:18 151552]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 12:49 163840]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 22:02 53248]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-07-01 19:22 303104]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2005-08-26 14:26 212992]
"MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-08-18 17:52 999424]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-07-12 18:06 110592]
"MSKDetectorExe"="C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-07-12 19:05 1117184]
"MPSExe"="c:\PROGRA~1\mcafee.com\mps\mscifapp.exe" [2005-07-26 14:49 294912]
"TBMonEx"="C:\WINDOWS\Fonts\44-45-53-54-42-00\system\wdfmgr.exe" [2004-08-04 00:56 19491]
"inudhya"="C:\WINDOWS\Fonts\44-45-53-54-42-00\system\soundma.exe" [2005-01-10 23:56 51042]
"WSockx2_32"="C:\WINDOWS\WSockx2_32.exe" [2005-01-11 01:11 18534]
"XiaoiDesktop"="C:\Program Files\Incesoft\XiaoiAlerts\XiaoiUpdater.exe" [ ]
"Vmlist"="regsvr32 /s apphelps.dll" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.exe" [2004-08-04 00:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
mspaint.lnk - C:\WINDOWS\system\zyxpRes080109.exe [2005-01-10 23:56:17]
office.lnk - C:\WINDOWS\system\sslxpes080109.exe [2005-01-10 23:56:28]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableWindowsUpdateAccess"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"Userinit"= C:\WINDOWS\system32\inf\svchosts.exe C:\WINDOWS\system32\lwisys16_080109.dll start
"zuoyue"= C:\WINDOWS\system32\inf\svch0st.exe C:\WINDOWS\system32\lwizysys16_080109.dll start

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{A8907901-1416-3389-9981-37217856998A}"= C:\WINDOWS\Fonts\kawdjzy.dll [2004-08-05 00:34 526934]
"{4FA10261-B890-F432-A453-69F1023513F4}"= C:\WINDOWS\Fonts\gjcsdyc.dll [2004-08-05 00:34 525394]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360rpt.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360Safe.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360tray.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ackwin32.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\adam.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ADVXDWIN]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AgentSvr.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\alertsvc.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ALOGSERV]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\amon.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AMON9X]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\anti - trojan.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ANTI-TROJAN.EXE]
Debugger=C:\WINDOWS\Fonts\44-45-53-54-42-00\system\wdfmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\antivir]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ANTS]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AppSvc32.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\apvxdwin.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\arvmon.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\asktao.mod]
Debugger=C:\WINDOWS\Fonts\44-45-53-54-42-00\system\wdlm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ATCON]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ati2evxx.exe]
Debugger=C:\WINDOWS\system32\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ATUPDATER]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ATWATCH]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\autodown.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AutoGuarder.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\autoruns.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AutoTrace]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avconsol.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ave32.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AVGCC32]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avgctrl.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avgrssvc.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AvgServ]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AVGSERV9]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AVGW]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avkpop]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AvkServ]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avkserv.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avkservice]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avkwctl9]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AvMonitor.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Avnt.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avp.com]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avp.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avp32.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avpcc.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avpdos32.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avpm.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avpmon.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avpnt.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avptc32.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avpupd.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Avrep32.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avsched32.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avsynmgr.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avwin95.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AVWINNT]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avwupd32.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AVXMONITOR9X]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AVXMONITORNT]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AVXQUAR]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AVXW]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\blackd.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\blackice.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\BullGuard]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\CCAPP.EXE]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\CCenter.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ccSvcHst.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\cfgWiz]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\cfiadmin.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\cfiaudit.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\cfind.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\cfinet.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\cfinet32.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\claw95.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Claw95cf.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\claw95ct.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\cleaner.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\cleaner3.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\clrav.com]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\CMGRDIAN]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\CONNECTIONMONITOR]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\CPDClnt]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\CTRL]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\defalert]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\defscangui]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\DEFWATCH]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\DOORS]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dv95.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dv95_o.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dvp95.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Dvp95_0.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ecengine.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\EFINET32.EXE]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\EFPEADM]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\EGHOST.EXE]
Debugger=C:\WINDOWS\Fonts\44-45-53-54-42-00\system\wdfmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\esafe.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\espwatch.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ETRUSTCIPE]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\EVPN]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\EXPERT]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\EXPWATCH.EXE]
Debugger=C:\WINDOWS\Fonts\44-45-53-54-42-00\system\wdfmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\f - agnt95.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\f - prot.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\f - prot95.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\f - stopw.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\F-AGNT95.EXE]
Debugger=C:\WINDOWS\Fonts\44-45-53-54-42-00\system\wdfmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\F-PROT.EXE]
Debugger=C:\WINDOWS\Fonts\44-45-53-54-42-00\system\wdfmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\F-PROT95.EXE]
Debugger=C:\WINDOWS\Fonts\44-45-53-54-42-00\system\wdfmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\F-STOPW.EXE]
Debugger=C:\WINDOWS\Fonts\44-45-53-54-42-00\system\wdfmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fameh32]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fch32]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FESCUE.EXE]
Debugger=C:\WINDOWS\Fonts\44-45-53-54-42-00\system\wdfmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fih32]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FileDsty.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\filemon.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\findt2005.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\findviru.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fnrb32]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fp - win.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FP-WIN.EXE]
Debugger=C:\WINDOWS\Fonts\44-45-53-54-42-00\system\wdfmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fprot.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FPROT95.EXE]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\frw.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fsaa]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fsav32]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fsgk32]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fsm32]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fsma32]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fsmb32]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FTCleanerShell.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\gbmenu]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\GBPOLL]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\GENERICS]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\GUARD]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\HijackThis.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iamapp.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iamserv.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\IAMSTATS]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\IBMASN.EXE]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ibmavsp.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\IceSword.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\icload95.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\icloadnt.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\icmon.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\icmoon.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\icssuppnt.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\icsupp95.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Icsuppnt.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iface.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iomon98.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iparmo.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Iparmor.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\IsHelp.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\isPwdSvc.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ISRV95]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\jed.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Jedi.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kabaload.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KaScrScn.SCR]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KASMain.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KASTask.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KAV32.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KAVDX.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KAVPFW.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KAVSetup.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KAVStart.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KAVsvc.exe]
Debugger=C:\WINDOWS\Fonts\44-45-53-54-42-00\system\wdfmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KAVSvcUI.exe]
Debugger=C:\WINDOWS\Fonts\44-45-53-54-42-00\system\wdfmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\killhidepid.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KISLnchr.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KMailMon.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KMFilter.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kpf.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KPFW32.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KPFW32X.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KPFWSvc.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KRegEx.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KRepair.COM]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KsLoader.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KVCenter.kxp]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KvDetect.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kvfw.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KVFW.exe.exe]
Debugger=C:\WINDOWS\system32\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KvfwMcl.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KVMonXP.exe]
Debugger=C:\WINDOWS\Fonts\44-45-53-54-42-00\system\wdfmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KVMonXP.kxp]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KVMonXP_1.kxp]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kvol.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kvolself.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KvReport.kxp]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KVScan.kxp]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KVSrvXP.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KVStub.kxp]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kvupload.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kvwsc.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KvXP.kxp]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KvXP_1.kxp]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KWatch.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KWatch9x.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KWatchUI.EXE]
Debugger=C:\WINDOWS\Fonts\44-45-53-54-42-00\system\wdfmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KWatchX.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\LDPROMENU]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\LDSCAN]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\loaddll.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\lockdown2000.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\lockdownadvanced.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Logo1_.exe]
Debugger=C:\WINDOWS\Fonts\44-45-53-54-42-00\system\wdfmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Logo_1.exe]
Debugger=C:\WINDOWS\Fonts\44-45-53-54-42-00\system\wdfmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\lookout.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\luall.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\lucomserver.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\LUSPT]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\MagicSet.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\MAILMON.EXE]
Debugger=C:\WINDOWS\Fonts\44-45-53-54-42-00\system\wdfmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\mcafee]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\MCAGENT]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\mcconsol.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\MCMNHDLR]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\MCTOOL]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\MCUPDATE]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\MCVSRTE]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\MCVSSHLD]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\MGHTML]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\MINILOG]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\mmqczj.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\mmsk.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Monitor.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\moolive.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\MPFSERVICE]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\mpftray.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\msconfig.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\MWATCH]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\my.exe]
Debugger=C:\WINDOWS\Fonts\44-45-53-54-42-00\system\lmmh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\n32scan.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\N32scanw.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\navapsvc.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\navapw32.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NAVENGNAVEX15]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\navlu32.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\navnt.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\navrunr.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\navsched.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NAVSetup.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\navw.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\navw32.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\navwnt.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ndd32]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NeoWatchLog]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\netutils]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\nisserv.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\nisum.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\nmain.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\nod32krn.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\nod32kui.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\normist.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\notstart.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\npscheck]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\npssvc]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\nsched32.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Nspclean.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ntrtscan]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NTVDM]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NTXconfig]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\nupgrade.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\nvc95.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NVSVC32]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NWService]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NWTOOL16]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\offguard.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\outpost.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\PADMIN]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\padmin.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\pav.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\pavcl.exe]
Debugger=C:\



Response Number 5
Name: jabuck
Date: January 13, 2008 at 08:23:20 Pacific
Reply:

You are infected with a Chinese virus that may contain a rootkit, so it may take some effort to remove it.

Go to Start > Control Panel > Administrative Tools > Services, scroll down to "Perfor and Alell" (it may look like this: "NetworkDDEDSDMQ") and double-click it. Click the blue drop-down arrow to the far right of "Startup type" > click Disable > Apply > OK.

Exit administrative tools.

Run Hijack This again, close all windows and browsers except Hijack This, place a check to the left of the following items and press "fix checked":

O4 - HKLM\..\Run: [TBMonEx] C:\WINDOWS\Fonts\44-45-53-54-42-00\system\wdfmgr.exe

O4 - HKLM\..\Run: [inudhya] C:\WINDOWS\Fonts\44-45-53-54-42-00\system\soundma.exe

O4 - HKLM\..\Run: [WSockx2_32] C:\WINDOWS\zpebbb.exe

O4 - HKLM\..\Run: [XiaoiDesktop] "C:\Program Files\Incesoft\XiaoiAlerts\XiaoiUpdater.exe" /hide

O4 - HKLM\..\Run: [Vmlist] regsvr32 /s apphelps.dll

O4 - HKLM\..\Policies\Explorer\Run: [Userinit] C:\WINDOWS\system32\inf\svchosts.exe C:\WINDOWS\system32\lwisys16_080109.dll start

O4 - HKLM\..\Policies\Explorer\Run: [zuoyue] C:\WINDOWS\system32\inf\svch0st.exe C:\WINDOWS\system32\lwizysys16_080109.dll start

O4 - Global Startup: mspaint.lnk = C:\WINDOWS\system\zyxpRes080109.exe

O4 - Global Startup: office.lnk = C:\WINDOWS\system\sslxpes080109.exe

O23 - Service: Perfor and Alell (NetworkDDEDSDMQ) - Unknown owner - C:\WINDOWS\system32\Networkk.exe

Exit Hijack This.

Open Notepad and copy/paste everything between the X's into it, making sure "File::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
C:\WINDOWS\system32\inf\svchosts.exe
C:\WINDOWS\system32\inf\svch0st.exe
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\wdfmgr.exe
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\soundma.exe
C:\WINDOWS\zpebbb.exe
C:\Program Files\Incesoft\XiaoiAlerts\XiaoiUpdater.exe
C:\WINDOWS\apphelps.dll
C:\WINDOWS\system32\lwisys16_080109.dll
C:\WINDOWS\system32\lwizysys16_080109.dll
C:\WINDOWS\system\zyxpRes080109.exe
C:\WINDOWS\system\sslxpes080109.exe
C:\WINDOWS\system32\6to4.dll
C:\WINDOWS\system32\drivers\JPYGPXHNUAGNWD.DAT
C:\WINDOWS\system32\pgbwkg19.dll
C:\WINDOWS\system32\grgyok78.dll
C:\WINDOWS\system32\ticw.exe
C:\WINDOWS\system32\abskey.dll
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\inudhya.dll.vir
C:\Program Files\ctfmonj.exe
C:\Program Files\ctfmona.exe
C:\Program Files\ctfmonk.exe
C:\WINDOWS\Fonts\kvdxsoma.dll
C:\WINDOWS\Fonts\swrcgzc.dll
C:\WINDOWS\Fonts\wsmsfzx.dll
C:\WINDOWS\Fonts\swjqdzc.dll
C:\WINDOWS\Fonts\ratbupi.dll
C:\WINDOWS\Fonts\avzxnmn.dll
C:\WINDOWS\Fonts\raqjmpi.dll
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\00025.exe
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\00022.exe
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\00008.exe
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\00017.exe
C:\WINDOWS\Fonts\kawdjaz.exe
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\00007.exe
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\00021.exe
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\jz.exe
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\00018.exe
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\00010.exe
C:\WINDOWS\Fonts\gjcsdzc.exe
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\00004.exe
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\00005.exe
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\00011.exe
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\lmmy.exe
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\lmmh.exe
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\wdlm.exe
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\fbd.exe
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\dd.exe
C:\Documents and Settings\kevinwong\motou.exe
C:\Documents and Settings\kevinwong\smss.com
C:\WINDOWS\Fonts\wsmsfax.exe
C:\WINDOWS\Fonts\avzxnst.exe
C:\WINDOWS\Fonts\swjqdac.exe
C:\WINDOWS\Fonts\kapjiaz.exe
C:\WINDOWS\Fonts\rsjzbsp.exe
C:\WINDOWS\Fonts\raqjmtl.exe
C:\WINDOWS\Fonts\swrcgac.exe
C:\WINDOWS\Fonts\ratbutl.exe
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\00023.exe
C:\WINDOWS\Fonts\kvdxsois.exe
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\soundma.exe
C:\WINDOWS\inf\dotnetfc.exe
C:\WINDOWS\Fonts\kawdjzy.dll
C:\WINDOWS\Fonts\gjcsdyc.dll
C:\WINDOWS\Fonts\rsjzbpm.dll
C:\WINDOWS\Fonts\kapjizy.dll
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\wdfmgr.exe
C:\WINDOWS\124327M.exe
C:\WINDOWS\Fonts\gjcsdyc.dll
C:\WINDOWS\Fonts\kapjizy.dll
C:\WINDOWS\Fonts\kawdjzy.dll
C:\WINDOWS\Fonts\rsjzbpm.dll
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\wdfmgr.exe
C:\WINDOWS\system32\mycc080110.exe
C:\WINDOWS\system32\Networkk.exe
C:\WINDOWS\system32\WebClientt.exe

Folder::
C:\Program Files\Incesoft

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TBMonEx"=-
"inudhya"=-
"WSockx2_32"=-
"XiaoiDesktop"=-
"Vmlist"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"Userinit"=-
"zuoyue"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{A8907901-1416-3389-9981-37217856998A}"=-
"{4FA10261-B890-F432-A453-69F1023513F4}"=-
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop); if ComboFix does not auto-start, click "Run".

Download ATF Cleaner from this link:
ATF Cleaner

Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Post a new Hijack This log and a new Combofix log please.


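The Image File Execution Options keys in the ComboFix log above (dozens of antivirus process names all given Debugger=C:\WINDOWS\system32\WebClientt.exe) and the "Registry::" block of the CFScript in this reply can be produced mechanically. The Python script below is an added example for this thread, not a tool from the thread, from HijackThis or from ComboFix: it parses the Reg Loading Points section of a pasted log, flags Debugger values that point at something other than a known debugger or that are shared by many images, and emits the matching CFScript lines. SAMPLE_LOG is constructed in the shape of the posted log, and KNOWN_DEBUGGERS is an assumed allow-list.

```python
"""Triage Image File Execution Options (IFEO) Debugger hijacks in a ComboFix
'Reg Loading Points' dump and emit the CFScript 'Registry::' lines that
undo them.  Added example for this thread; not a tool from the thread,
from HijackThis or from ComboFix.  SAMPLE_LOG is constructed in the shape
of the log posted above, and KNOWN_DEBUGGERS is an assumed allow-list."""
import re
from collections import defaultdict

HKLM_IFEO = ("HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt"
             "\\currentversion\\image file execution options\\")
IFEO_PREFIX = HKLM_IFEO.lower()

# Debuggers that legitimately appear as IFEO "Debugger" values (assumption).
KNOWN_DEBUGGERS = {"ntsd.exe", "cdb.exe", "windbg.exe", "drwtsn32.exe",
                   "vsjitdebugger.exe"}

# Constructed sample: two AV images and a game module redirected to malware
# files named in this thread, plus one legitimate windbg entry.
SAMPLE_LOG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avp32.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\nod32krn.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\asktao.mod]
Debugger=C:\WINDOWS\Fonts\44-45-53-54-42-00\system\wdlm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\myapp.exe]
Debugger="C:\Program Files\Debugging Tools for Windows\windbg.exe" -p
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DEBUGGER_RE = re.compile(r'^"?Debugger"?\s*=\s*(?P<val>.+?)$', re.IGNORECASE)


def debugger_image(value):
    """Lower-cased file name of the executable a Debugger value launches.

    A quoted path may carry arguments after the closing quote; an unquoted
    path is cut at the first space (Windows itself is ambiguous there).
    """
    value = value.strip()
    if value.startswith('"'):
        path = value[1:].split('"', 1)[0]
    else:
        path = value.split(" ", 1)[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_ifeo(log_text):
    """Return (image name, Debugger value) pairs from REGEDIT4-style IFEO keys."""
    entries = []
    image = None          # image name of the IFEO key currently being read
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            key = m.group("key")
            image = key[len(IFEO_PREFIX):] if key.lower().startswith(IFEO_PREFIX) else None
            continue
        m = DEBUGGER_RE.match(line) if image else None
        if m:
            entries.append((image, m.group("val").strip()))
    return entries


def find_hijacks(entries, min_images=3):
    """Flag IFEO entries whose Debugger is not a known debugger, or whose
    debugger executable is attached to min_images or more different images
    (the mass-hijack pattern in the log above, where dozens of AV process
    names all redirect to WebClientt.exe, so the AV never starts)."""
    by_debugger = defaultdict(list)
    for image, value in entries:
        by_debugger[debugger_image(value)].append((image, value))
    hijacks = []
    for exe, items in by_debugger.items():
        if exe not in KNOWN_DEBUGGERS or len(items) >= min_images:
            hijacks.extend(items)
    return hijacks


def cfscript_registry_block(hijacks):
    """CFScript 'Registry::' lines deleting the Debugger value of each
    hijacked image; "name"=- is the deletion syntax used in the script
    posted above.  Only the value is removed, so any other settings under
    the key survive."""
    lines = ["Registry::"]
    for image, _ in hijacks:
        lines.append("[" + HKLM_IFEO + image + "]")
        lines.append('"Debugger"=-')
    return lines


if __name__ == "__main__":
    found = find_hijacks(parse_ifeo(SAMPLE_LOG))
    for image, value in found:
        print("IFEO hijack: starting %s actually runs %s" % (image, value))
    print()
    print("\n".join(cfscript_registry_block(found)))
```

Paste the real Reg Loading Points section in place of SAMPLE_LOG to get the full Registry:: block for a log like the one above; the script only reports and generates text, it never touches the registry itself.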


Response Number 6
Name: sakai111
Date: January 14, 2008 at 18:32:56 Pacific
Reply:

Hi,

I got a new HijackThis and ComboFix log file.

Hijack:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 上午 07:59:22, on 2008/1/15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\StormII\stormliv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
C:\Documents and Settings\kevinwong\Desktop\New Folder\HiJack.exe

O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee Anti-Phishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" /IMEName
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\Program Files\McAfee.com\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [OASClnt] "C:\Program Files\McAfee.com\VSO\oasclnt.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] "C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" /startup
O4 - HKLM\..\Run: [MPSExe] "c:\PROGRA~1\mcafee.com\mps\mscifapp.exe" /embedding
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.exe (User 'Default user')
O4 - Global Startup: mspaint.lnk = C:\QooBox\Quarantine\C\WINDOWS\system\zyxpRes080109.exe.vir
O4 - Global Startup: office.lnk = C:\QooBox\Quarantine\C\WINDOWS\system\sslxpes080109.exe.vir
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee Anti-Phishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/s...
O23 - Service: Contrl Center of Storm Media (ccosm) - ¥_¨Ê¼É?ÊI?¬ì§Þ¦³­­¤½¥q - C:\Program Files\StormII\stormliv.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 7572 bytes

ComboFix:
ComboFix 08-01-09.2 - kevinwong 2008-01-15 1:10:24.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.950.1.1033.18.256 [GMT 8:00]
Running from: C:\Documents and Settings\kevinwong\Desktop\New Folder\ComboFix.exe
Command switches used :: C:\Documents and Settings\kevinwong\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\Documents and Settings\kevinwong\motou.exe
C:\Documents and Settings\kevinwong\smss.com
C:\Program Files\ctfmona.exe
C:\Program Files\ctfmonj.exe
C:\Program Files\ctfmonk.exe
C:\Program Files\Incesoft\XiaoiAlerts\XiaoiUpdater.exe
C:\WINDOWS\124327M.exe
C:\WINDOWS\apphelps.dll
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\00004.exe
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\00005.exe
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\00007.exe
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\00008.exe
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\00010.exe
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\00011.exe
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\00017.exe
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\00018.exe
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\00021.exe
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\00022.exe
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\00023.exe
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\00025.exe
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\dd.exe
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\fbd.exe
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\inudhya.dll.vir
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\jz.exe
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\lmmh.exe
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\lmmy.exe
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\soundma.exe
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\wdfmgr.exe
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\wdlm.exe
C:\WINDOWS\Fonts\avzxnmn.dll
C:\WINDOWS\Fonts\avzxnst.exe
C:\WINDOWS\Fonts\gjcsdyc.dll
C:\WINDOWS\Fonts\gjcsdzc.exe
C:\WINDOWS\Fonts\kapjiaz.exe
C:\WINDOWS\Fonts\kapjizy.dll
C:\WINDOWS\Fonts\kawdjaz.exe
C:\WINDOWS\Fonts\kawdjzy.dll
C:\WINDOWS\Fonts\kvdxsois.exe
C:\WINDOWS\Fonts\kvdxsoma.dll
C:\WINDOWS\Fonts\raqjmpi.dll
C:\WINDOWS\Fonts\raqjmtl.exe
C:\WINDOWS\Fonts\ratbupi.dll
C:\WINDOWS\Fonts\ratbutl.exe
C:\WINDOWS\Fonts\rsjzbpm.dll
C:\WINDOWS\Fonts\rsjzbsp.exe
C:\WINDOWS\Fonts\swjqdac.exe
C:\WINDOWS\Fonts\swjqdzc.dll
C:\WINDOWS\Fonts\swrcgac.exe
C:\WINDOWS\Fonts\swrcgzc.dll
C:\WINDOWS\Fonts\wsmsfax.exe
C:\WINDOWS\Fonts\wsmsfzx.dll
C:\WINDOWS\inf\dotnetfc.exe
C:\WINDOWS\system\sslxpes080109.exe
C:\WINDOWS\system\zyxpRes080109.exe
C:\WINDOWS\system32\6to4.dll
C:\WINDOWS\system32\abskey.dll
C:\WINDOWS\system32\drivers\JPYGPXHNUAGNWD.DAT
C:\WINDOWS\system32\grgyok78.dll
C:\WINDOWS\system32\inf\svch0st.exe
C:\WINDOWS\system32\inf\svchosts.exe
C:\WINDOWS\system32\lwisys16_080109.dll
C:\WINDOWS\system32\lwizysys16_080109.dll
C:\WINDOWS\system32\mycc080110.exe
C:\WINDOWS\system32\Networkk.exe
C:\WINDOWS\system32\pgbwkg19.dll
C:\WINDOWS\system32\ticw.exe
C:\WINDOWS\system32\WebClientt.exe
C:\WINDOWS\zpebbb.exe
.
The following files were disabled during the run:
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\inudhya.dll
C:\WINDOWS\system32\nauhgnem.dll
C:\WINDOWS\system32\auhad.dll
C:\WINDOWS\system32\ijougiemnaw.dll
C:\WINDOWS\system32\gnaixnauhuoyizqq.dll
C:\WINDOWS\system32\gnaixnauhqq.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\Documents and Settings\kevinwong\motou.exe
C:\Documents and Settings\kevinwong\smss.com
C:\Program Files\ctfmona.exe
C:\Program Files\ctfmonj.exe
C:\Program Files\ctfmonk.exe
C:\Program Files\Incesoft
C:\WINDOWS\124327M.exe
C:\WINDOWS\FLQWDIPVBIOTZF.DLL
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\dd.exe
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\fbd.exe
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\inudhya.dll.vir
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\jz.exe
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\lmmh.exe
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\lmmy.exe
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\soundma.exe
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\wdfmgr.exe
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\wdlm.exe
C:\WINDOWS\Fonts\avzxnmn.dll
C:\WINDOWS\Fonts\avzxnst.exe
C:\WINDOWS\Fonts\gjcsdss.dll
C:\WINDOWS\Fonts\gjcsdyc.dll
C:\WINDOWS\Fonts\gjcsdzc.exe
C:\WINDOWS\Fonts\kapjiaz.exe
C:\WINDOWS\Fonts\kapjizy.dll
C:\WINDOWS\Fonts\kawdjaz.exe
C:\WINDOWS\Fonts\kawdjcs.dll
C:\WINDOWS\Fonts\kawdjzy.dll
C:\WINDOWS\Fonts\kvdxsois.exe
C:\WINDOWS\Fonts\kvdxsoma.dll
C:\WINDOWS\Fonts\raqjmpi.dll
C:\WINDOWS\Fonts\raqjmtl.exe
C:\WINDOWS\Fonts\ratbupi.dll
C:\WINDOWS\Fonts\ratbutl.exe
C:\WINDOWS\Fonts\rsjzbpm.dll
C:\WINDOWS\Fonts\rsjzbsp.exe
C:\WINDOWS\Fonts\swjqdac.exe
C:\WINDOWS\Fonts\swjqdzc.dll
C:\WINDOWS\Fonts\swrcgac.exe
C:\WINDOWS\Fonts\swrcgzc.dll
C:\WINDOWS\Fonts\wsmsfax.exe
C:\WINDOWS\Fonts\wsmsfzx.dll
C:\WINDOWS\inf\dotnetfc.exe
C:\WINDOWS\JRYFM.DLL
C:\WINDOWS\system\sslxpes080109.exe
C:\WINDOWS\system\zyxpRes080109.exe
C:\WINDOWS\system32\6to4.dll
C:\WINDOWS\system32\abskey.dll
C:\WINDOWS\system32\drivers\JPYGPXHNUAGNWD.DAT
C:\WINDOWS\system32\grgyok78.dll
C:\WINDOWS\system32\inf\scrsys080109.scr
C:\WINDOWS\system32\inf\scrsys16_080109.dll
C:\WINDOWS\system32\inf\scrsyszy080109.scr
C:\WINDOWS\system32\inf\svch0st.exe
C:\WINDOWS\system32\inf\svchosts.exe
C:\WINDOWS\system32\lwisys16_080109.dll
C:\WINDOWS\system32\lwizysys16_080109.dll
C:\WINDOWS\system32\mycc080110.exe
C:\WINDOWS\system32\Networkk.exe
C:\WINDOWS\system32\pgbwkg19.dll
C:\WINDOWS\system32\ticw.exe
C:\WINDOWS\system32\WebClientt.exe
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2007-12-14 to 2008-01-14 )))))))))))))))))))))))))))))))
.

2008-01-15 02:08 . 2008-01-15 02:09 0 --a------ C:\WINDOWS\system\DVL
2008-01-12 00:02 . 2005-01-11 01:11 18,534 --a------ C:\WINDOWS\eiltga.exe
2008-01-09 02:30 . 2008-01-15 00:43 0 --a------ C:\WINDOWS\UBHOVCIPU.DAT.tmp
2008-01-09 02:15 . 2008-01-15 02:24 10,752 --a------ C:\WINDOWS\system32\drivers\msacpe.sys
2008-01-08 12:29 . 2008-01-08 12:29 217,088 --a------ C:\WINDOWS\system32\tvt.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-11 16:02 209,920 ----a-w C:\WINDOWS\system32\mwisys32_080109.dll
2008-01-11 16:02 200,704 ----a-w C:\WINDOWS\system32\mwiszyys32_080109.dll
2008-01-11 16:02 134,144 ----a-w C:\WINDOWS\system32\WSockx2_32.dll
2005-01-10 16:34 33,935 ----a-w C:\WINDOWS\Fonts\44-45-53-54-42-00\system\00025.exe
2005-01-10 16:34 17,272 ----a-w C:\WINDOWS\Fonts\44-45-53-54-42-00\system\00022.exe
2005-01-10 16:34 16,998 ----a-w C:\WINDOWS\Fonts\44-45-53-54-42-00\system\00008.exe
2005-01-10 16:34 16,698 ----a-w C:\WINDOWS\Fonts\44-45-53-54-42-00\system\00017.exe
2005-01-10 16:34 16,120 ----a-w C:\WINDOWS\Fonts\44-45-53-54-42-00\system\00007.exe
2005-01-10 16:34 16,106 ----a-w C:\WINDOWS\Fonts\44-45-53-54-42-00\system\00021.exe
2005-01-10 16:34 15,906 ----a-w C:\WINDOWS\Fonts\44-45-53-54-42-00\system\00018.exe
2005-01-10 16:34 15,774 ----a-w C:\WINDOWS\Fonts\44-45-53-54-42-00\system\00010.exe
2005-01-10 16:34 15,479 ----a-w C:\WINDOWS\Fonts\44-45-53-54-42-00\system\00004.exe
2005-01-10 16:34 15,324 ----a-w C:\WINDOWS\Fonts\44-45-53-54-42-00\system\00005.exe
2005-01-10 16:34 15,167 ----a-w C:\WINDOWS\Fonts\44-45-53-54-42-00\system\00011.exe
2005-01-10 15:58 19,440 ----a-w C:\WINDOWS\Fonts\44-45-53-54-42-00\system\00023.exe
.

((((((((((((((((((((((((((((( snapshot@2008-01-09_ 2.15.30.70 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-01-11 18:10:53 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-14 16:51:29 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2005-01-11 18:10:53 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-14 16:51:30 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2005-01-11 18:10:53 860,160 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-14 16:51:30 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2005-01-11 18:10:53 147,456 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-14 16:51:31 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2005-01-11 18:10:53 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-14 16:51:32 872,448 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2005-01-11 18:10:53 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-14 16:51:33 143,360 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
- 2005-01-11 18:10:48 40,326 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-01-11 16:06:27 40,326 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2005-01-11 18:10:48 311,938 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-01-11 16:06:27 311,938 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-01-14 18:24:00 16,384 ----a-w C:\WINDOWS\TEMP\Cookies\index.dat
+ 2008-01-14 18:24:00 16,384 ----a-w C:\WINDOWS\TEMP\History\History.IE5\index.dat
+ 2008-01-14 18:24:26 32,768 ----a-w C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-03 22:32 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 22:32 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 22:32 455168]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 11:55 667718]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 11:56 602182]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-13 17:44 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-13 17:41 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-13 17:45 118784]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 17:30 282624 C:\WINDOWS\stsystra.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 12:48 761947]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2006-06-29 12:13 1032192]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 18:18 151552]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 12:49 163840]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 22:02 53248]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-07-01 19:22 303104]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2005-08-26 14:26 212992]
"MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-08-18 17:52 999424]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-07-12 18:06 110592]
"MSKDetectorExe"="C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-07-12 19:05 1117184]
"MPSExe"="c:\PROGRA~1\mcafee.com\mps\mscifapp.exe" [2005-07-26 14:49 294912]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.exe" [2004-08-04 00:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
mspaint.lnk - C:\QooBox\Quarantine\C\WINDOWS\system\zyxpRes080109.exe.vir [2005-01-10 23:56:17]
office.lnk - C:\QooBox\Quarantine\C\WINDOWS\system\sslxpes080109.exe.vir [2005-01-10 23:56:28]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableWindowsUpdateAccess"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{A8907901-1416-3389-9981-37217856998A}"= C:\WINDOWS\Fonts\kawdjzy.dll [ ]
"{4FA10261-B890-F432-A453-69F1023513F4}"= C:\WINDOWS\Fonts\gjcsdyc.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ackwin32.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ADVXDWIN]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\alertsvc.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ALOGSERV]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\amon.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AMON9X]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\anti - trojan.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ANTI-TROJAN.EXE]
Debugger=C:\WINDOWS\Fonts\44-45-53-54-42-00\system\wdfmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\antivir]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ANTS]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\apvxdwin.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\arvmon.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\asktao.mod]
Debugger=C:\WINDOWS\Fonts\44-45-53-54-42-00\system\wdlm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ATCON]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ati2evxx.exe]
Debugger=C:\WINDOWS\system32\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ATUPDATER]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ATWATCH]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\autodown.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AutoGuarder.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AutoTrace]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ave32.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AVGCC32]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avgctrl.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AvgServ]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AVGSERV9]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AVGW]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avkpop]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AvkServ]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avkserv.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avkservice]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avkwctl9]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Avnt.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avp32.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avpcc.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avpdos32.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avpm.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avpmon.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avpnt.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avptc32.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avpupd.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Avrep32.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avsched32.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avsynmgr.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avwin95.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AVWINNT]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avwupd32.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AVXMONITOR9X]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AVXMONITORNT]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AVXQUAR]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AVXW]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\blackd.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\blackice.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\BullGuard]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\CCAPP.EXE]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\cfgWiz]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\cfiadmin.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\cfiaudit.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\cfind.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\cfinet.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\cfinet32.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\claw95.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Claw95cf.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\claw95ct.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\cleaner.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\cleaner3.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\clrav.com]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\CMGRDIAN]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\CONNECTIONMONITOR]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\CPDClnt]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\CTRL]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\defalert]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\defscangui]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\DEFWATCH]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\DOORS]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dv95.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dv95_o.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dvp95.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Dvp95_0.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ecengine.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\EFINET32.EXE]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\EFPEADM]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\esafe.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\espwatch.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ETRUSTCIPE]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\EVPN]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\EXPERT]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\EXPWATCH.EXE]
Debugger=C:\WINDOWS\Fonts\44-45-53-54-42-00\system\wdfmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\f - agnt95.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\f - prot.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\f - prot95.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\f - stopw.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\F-AGNT95.EXE]
Debugger=C:\WINDOWS\Fonts\44-45-53-54-42-00\system\wdfmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\F-PROT.EXE]
Debugger=C:\WINDOWS\Fonts\44-45-53-54-42-00\system\wdfmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\F-PROT95.EXE]
Debugger=C:\WINDOWS\Fonts\44-45-53-54-42-00\system\wdfmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\F-STOPW.EXE]
Debugger=C:\WINDOWS\Fonts\44-45-53-54-42-00\system\wdfmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fameh32]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fch32]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FESCUE.EXE]
Debugger=C:\WINDOWS\Fonts\44-45-53-54-42-00\system\wdfmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fih32]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\filemon.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\findt2005.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\findviru.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fnrb32]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fp - win.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FP-WIN.EXE]
Debugger=C:\WINDOWS\Fonts\44-45-53-54-42-00\system\wdfmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fprot.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FPROT95.EXE]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\frw.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fsaa]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fsav32]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fsgk32]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fsm32]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fsma32]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fsmb32]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\gbmenu]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\GBPOLL]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\GENERICS]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\GUARD]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iamapp.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iamserv.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\IAMSTATS]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\IBMASN.EXE]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ibmavsp.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\icload95.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\icloadnt.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\icmon.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\icmoon.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\icssuppnt.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\icsupp95.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Icsuppnt.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iface.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iomon98.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\IsHelp.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ISRV95]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\jed.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Jedi.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KAVsvc.exe]
Debugger=C:\WINDOWS\Fonts\44-45-53-54-42-00\system\wdfmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KAVSvcUI.exe]
Debugger=C:\WINDOWS\Fonts\44-45-53-54-42-00\system\wdfmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\killhidepid.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kpf.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kvfw.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KVFW.exe.exe]
Debugger=C:\WINDOWS\system32\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KVMonXP.exe]
Debugger=C:\WINDOWS\Fonts\44-45-53-54-42-00\system\wdfmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KWatchUI.EXE]
Debugger=C:\WINDOWS\Fonts\44-45-53-54-42-00\system\wdfmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\LDPROMENU]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\LDSCAN]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\lockdown2000.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\lockdownadvanced.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Logo1_.exe]
Debugger=C:\WINDOWS\Fonts\44-45-53-54-42-00\system\wdfmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Logo_1.exe]
Debugger=C:\WINDOWS\Fonts\44-45-53-54-42-00\system\wdfmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\lookout.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\luall.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\lucomserver.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\LUSPT]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\MAILMON.EXE]
Debugger=C:\WINDOWS\Fonts\44-45-53-54-42-00\system\wdfmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\mcafee]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\MCAGENT]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\MCMNHDLR]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\MCTOOL]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\MCUPDATE]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\MCVSRTE]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\MCVSSHLD]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\MGHTML]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\MINILOG]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Monitor.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\moolive.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\MPFSERVICE]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\mpftray.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\MWATCH]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\my.exe]
Debugger=C:\WINDOWS\Fonts\44-45-53-54-42-00\system\lmmh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\n32scan.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\N32scanw.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NAVENGNAVEX15]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\navlu32.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\navnt.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\navrunr.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\navsched.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NAVSetup.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\navw.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\navw32.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\navwnt.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ndd32]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NeoWatchLog]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\netutils]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\nisserv.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\nisum.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\nmain.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\normist.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\notstart.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\npscheck]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\npssvc]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\nsched32.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Nspclean.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ntrtscan]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NTVDM]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NTXconfig]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\nupgrade.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\nvc95.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NVSVC32]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NWService]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NWTOOL16]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\offguard.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\outpost.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\PADMIN]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\padmin.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\pav.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\pavcl.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\pavmail.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\pavproxy]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Pavsched.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Pavw.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\pcciomon.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\pccmain.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\pccwin97]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\pccwin98.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\pcfwallicon.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\pcntmon]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\pcscan]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\per.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\perd.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\persfw.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\pertsk.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\perupd.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\pervac.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\pervacd.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\pfwagent.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\pfwcon.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Play.exe]
Debugger=C:\WINDOWS\Fonts\44-45-53-54-42-00\system\lmmy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\POP3TRAP]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\POPROXY]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\PORTMONITOR]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\pqremove.com]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\PROCESSMONITOR]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\procexp]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\PROGRAMAUDITOR]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\pview95]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\pview95.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rapapp.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rav7.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rav7win.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RavCopy.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RavStore.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ravt08.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RAVtimer.exe]
Debugger=C:\WINDOWS\Fonts\44-45-53-54-42-00\system\wdfmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\REALMON]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\regedt32.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\regmon.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rescue.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwolusr.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwProxy.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Rising.exe]
Debugger=C:\WINDOWS\Fonts\44-45-53-54-42-00\system\wdfmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RTVSCN95]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RULAUNCH]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\safeweb.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\sbserv]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\scan95.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\scanpm.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\scrscan.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\serv95.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\sfc.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\smartassistant.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\smc.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\sphinx.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SPYXX]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SREngPS.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SS3EDIT]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\sweep95.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SweepNet]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SWNETSUP]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SymProxySvc]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SYMTRAY]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\syscheck.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Syscheck2.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\TAUMON]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\tbscan.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\tca.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\TCM]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\TDS - 3 ]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\tds2 - 98.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\tds2 - nt.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\TDS2-98.EXE]
Debugger=C:\WINDOWS\Fonts\44-45-53-54-42-00\system\wdfmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\TDS2-NT.EXE]
Debugger=C:\WINDOWS\Fonts\44-45-53-54-42-00\system\wdfmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\TFAK]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\th.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\th32.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\th32upd.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows



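The Image File Execution Options entries in the log above are the hijack itself: each listed security tool (Process Explorer, regedt32, Rising, TDS and so on) has a Debugger value pointing at the malware, so Windows launches the malware in place of the tool. As an added example (not from this thread and not ComboFix code), the following Python parses a dump in this format and groups unexpected Debugger targets; the allow-list of legitimate debuggers and the sample dump are constructed assumptions.

```python
"""Flag IFEO Debugger hijacks in a ComboFix-style registry dump.
Added example; the dump below is constructed to mirror the thread's entries."""
import re
from collections import defaultdict

# Assumption: a short allow-list of debuggers that legitimately appear in IFEO.
KNOWN_DEBUGGERS = {"ntsd.exe", "windbg.exe", "cdb.exe", "vsjitdebugger.exe", "drwtsn32.exe"}

# Constructed sample in the same layout as the posted log (one key, one Debugger line).
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\procexp]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\regedt32.exe]
Debugger=C:\WINDOWS\system32\WebClientt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Rising.exe]
Debugger=C:\WINDOWS\Fonts\44-45-53-54-42-00\system\wdfmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\myapp.exe]
Debugger=C:\WINDOWS\system32\ntsd.exe -g -G
"""

KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion"
    r"\\image file execution options\\(?P<target>[^\]]+)\]$", re.I)
VAL_RE = re.compile(r"^Debugger=(?P<debugger>.+)$", re.I)


def parse_ifeo(dump):
    """Return (hijacked_image, debugger_value) pairs from the dump text."""
    entries, target = [], None
    for line in dump.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            target = key.group("target").strip()
            continue
        val = VAL_RE.match(line)
        if val and target:
            entries.append((target, val.group("debugger").strip()))
            target = None
    return entries


def debugger_basename(value):
    """Lower-cased file name of the Debugger command (first token; flags such as -g are dropped).
    Limitation: an unquoted path containing spaces would be truncated at the first space."""
    exe = value.split()[0].strip('"')
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_hijacks(dump):
    """Group images whose Debugger is not a known debugger, keyed by the redirect target."""
    by_debugger = defaultdict(list)
    for target, value in parse_ifeo(dump):
        if debugger_basename(value) not in KNOWN_DEBUGGERS:
            by_debugger[value].append(target)
    return dict(by_debugger)


if __name__ == "__main__":
    for dbg, targets in find_hijacks(SAMPLE_DUMP).items():
        print(f"{dbg} hijacks {len(targets)} image(s): {', '.join(targets)}")
```

One Debugger value shared by dozens of security-tool names is the signature of this kind of hijack; a legitimate IFEO entry normally names a real debugger and a single application.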
Response Number 7
Name: jabuck
Date: January 15, 2008 at 15:40:14 Pacific
Reply:

Sorry for the delay.

Please go to Virus Total and upload the following file for analysis:

C:\WINDOWS\eiltga.exe

C:\WINDOWS\system32\drivers\msacpe.sys


C:\WINDOWS\system32\tvt.exe


Post the results in your reply.



Response Number 8
Name: sakai111
Date: January 16, 2008 at 16:59:18 Pacific
Reply:

Hi,

Here are the three file analysis results:
eiltga.exe:

File eiltga.exe received on 01.17.2008 01:51:13 (CET)
Result: 27/32 (84.38%)

Antivirus Version Last Update Result
AhnLab-V3 2008.1.17.10 2008.01.16 Win-Trojan/KorGameHack.18534
AntiVir 7.6.0.48 2008.01.16 TR/Dropper.Gen
Authentium 4.93.8 2008.01.16 -
Avast 4.7.1098.0 2008.01.16 Win32:OnLineGames-BMZ
AVG 7.5.0.516 2008.01.16 PSW.OnlineGames.AADO
BitDefender 7.2 2008.01.17 Generic.PWS.Games.4.60D0239C
CAT-QuickHeal 9.00 2008.01.16 TrojanPSW.OnLineGames.mes
ClamAV 0.91.2 2008.01.16 PUA.Packed.UPack-1
DrWeb 4.44.0.09170 2008.01.16 Trojan.PWS.Wsgame.origin
eSafe 7.0.15.0 2008.01.16 suspicious Trojan/Worm
eTrust-Vet 31.3.5464 2008.01.17 Win32/Frethog!generic
Ewido 4.0 2008.01.16 -
FileAdvisor 1 2008.01.17 -
Fortinet 3.14.0.0 2008.01.16 -
F-Prot 4.4.2.54 2008.01.16 W32/Heuristic-162!Eldorado
F-Secure 6.70.13260.0 2008.01.17 Trojan-PSW.Win32.OnLineGames.mes
Ikarus T3.1.1.20 2008.01.17 Trojan-Spy.Win32.Agent.hz
Kaspersky 7.0.0.125 2008.01.17 Trojan-PSW.Win32.OnLineGames.mes
McAfee 5209 2008.01.16 -
Microsoft 1.3109 2008.01.17 PWS:Win32/Lmir.BMQ
NOD32v2 2799 2008.01.16 a variant of Win32/PSW.OnLineGames.NFL
Norman 5.80.02 2008.01.16 W32/Viking.EQ
Panda 9.0.0.4 2008.01.16 Suspicious file
Prevx1 V2 2008.01.17 Heuristic: Suspicious File With Anti-Debug Technology
Rising 20.27.22.00 2008.01.16 Trojan.PSW.Win32.GameOL.gnj
Sophos 4.24.0 2008.01.17 Mal/Packer
Sunbelt 2.2.907.0 2008.01.15 VIPRE.Suspicious
Symantec 10 2008.01.17 Infostealer.Gampass
TheHacker 6.2.9.188 2008.01.16 Trojan/PSW.OnLineGames.mes
VBA32 3.12.2.5 2008.01.15 MalwareScope.Trojan-PSW.Game.3
VirusBuster 4.3.26:9 2008.01.16 Packed/Upack
Webwasher-Gateway 6.6.2 2008.01.16 Trojan.Dropper.Gen
Additional information
File size: 18534 bytes
MD5: 8f748efbe90451436ae6bcea18cc4078
SHA1: bc581c19447b156cdbfcd6406a49a15c98317847
PEiD: Upack 0.24 - 0.27 beta / 0.28 alpha -> Dwing
packers: Upack
packers: UPack
packers: UPack
Prevx info: http://info.prevx.com/aboutprogramt...
msacpe.sys:

File msacpe.sys received on 01.17.2008 01:39:36 (CET)
Result: 20/32 (62.5%)

Antivirus Version Last Update Result
AhnLab-V3 2008.1.17.10 2008.01.16 -
AntiVir 7.6.0.48 2008.01.16 TR/Rootkit.Gen
Authentium 4.93.8 2008.01.16 -
Avast 4.7.1098.0 2008.01.16 -
AVG 7.5.0.516 2008.01.16 PSW.OnlineGames.AAIN
BitDefender 7.2 2008.01.17 Trojan.PWS.OnlineGames.NYB
CAT-QuickHeal 9.00 2008.01.16 TrojanPSW.OnLineGames.njy
ClamAV 0.91.2 2008.01.16 Trojan.Mono-9
DrWeb 4.44.0.09170 2008.01.16 Trojan.PWS.Gamania.6768
eSafe 7.0.15.0 2008.01.16 -
eTrust-Vet 31.3.5464 2008.01.17 -
Ewido 4.0 2008.01.16 -
FileAdvisor 1 2008.01.17 -
Fortinet 3.14.0.0 2008.01.16 W32/OnLineGames.NJY!tr.pws
F-Prot 4.4.2.54 2008.01.16 W32/Onlinegames.AXY
F-Secure 6.70.13260.0 2008.01.17 Trojan-PSW.Win32.OnLineGames.njy
Ikarus T3.1.1.20 2008.01.17 Trojan-PWS.Win32.OnLineGames.njy
Kaspersky 7.0.0.125 2008.01.17 Trojan-PSW.Win32.OnLineGames.njy
McAfee 5209 2008.01.16 PWS-Mmorpg.gen
Microsoft 1.3109 2008.01.17 -
NOD32v2 2799 2008.01.16 Win32/PSW.OnLineGames.NLF
Norman 5.80.02 2008.01.16 W32/OnLineGames.AEJE
Panda 9.0.0.4 2008.01.16 W32/Lineage.GZN.worm
Prevx1 V2 2008.01.17 Heuristic: Suspicious File With Bad Parent Associations
Rising 20.27.22.00 2008.01.16 RootKit.Win32.Undef.ae
Sophos 4.24.0 2008.01.17 -
Sunbelt 2.2.907.0 2008.01.15 -
Symantec 10 2008.01.17 -
TheHacker 6.2.9.188 2008.01.16 Trojan/PSW.OnLineGames.njy
VBA32 3.12.2.5 2008.01.15 Trojan-PSW.Win32.OnLineGames.njy
VirusBuster 4.3.26:9 2008.01.16 -
Webwasher-Gateway 6.6.2 2008.01.16 Trojan.Rootkit.Gen
Additional information
File size: 10624 bytes
MD5: 27b31bd22f8597eb79f950e141a140c1
SHA1: 572f46808e00ea5cbdadb9786775c3cb705d87fd
PEiD: -
Prevx info: http://info.prevx.com/aboutprogramt...
tvt.exe:

File tvt.exe received on 01.17.2008 01:44:56 (CET)
Result: 1/32 (3.13%)

Antivirus Version Last Update Result
AhnLab-V3 2008.1.17.10 2008.01.16 -
AntiVir 7.6.0.48 2008.01.16 -
Authentium 4.93.8 2008.01.16 -
Avast 4.7.1098.0 2008.01.16 -
AVG 7.5.0.516 2008.01.16 -
BitDefender 7.2 2008.01.17 -
CAT-QuickHeal 9.00 2008.01.16 -
ClamAV 0.91.2 2008.01.16 -
DrWeb 4.44.0.09170 2008.01.16 -
eSafe 7.0.15.0 2008.01.16 -
eTrust-Vet 31.3.5464 2008.01.17 -
Ewido 4.0 2008.01.16 -
FileAdvisor 1 2008.01.17 -
Fortinet 3.14.0.0 2008.01.16 -
F-Prot 4.4.2.54 2008.01.16 -
F-Secure 6.70.13260.0 2008.01.17 -
Ikarus T3.1.1.20 2008.01.17 -
Kaspersky 7.0.0.125 2008.01.17 -
McAfee 5209 2008.01.16 -
Microsoft 1.3109 2008.01.17 -
NOD32v2 2799 2008.01.16 -
Norman 5.80.02 2008.01.16 -
Panda 9.0.0.4 2008.01.16 Adware/BaiduBar
Prevx1 V2 2008.01.17 -
Rising 20.27.22.00 2008.01.16 -
Sophos 4.24.0 2008.01.17 -
Sunbelt 2.2.907.0 2008.01.15 -
Symantec 10 2008.01.17 -
TheHacker 6.2.9.188 2008.01.16 -
VBA32 3.12.2.5 2008.01.15 -
VirusBuster 4.3.26:9 2008.01.16 -
Webwasher-Gateway 6.6.2 2008.01.16 -
Additional information
File size: 217088 bytes
MD5: e524aeb7724d17dd8881cbd7faa75af6
SHA1: 6e4df1714428dd44d55a9d9a95b682773f159953
PEiD: Armadillo v1.71

Thanks



Response Number 9
Name: jabuck
Date: January 16, 2008 at 19:35:40 Pacific
Reply:

Open Notepad and copy/paste everything between the X's into it and make sure "File::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
C:\WINDOWS\eiltga.exe
C:\WINDOWS\UBHOVCIPU.DAT.tmp
C:\WINDOWS\system32\drivers\msacpe.sys
C:\WINDOWS\system32\tvt.exe
C:\WINDOWS\system32\mwisys32_080109.dll
C:\WINDOWS\system32\mwiszyys32_080109.dll
C:\WINDOWS\system32\WSockx2_32.dll
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\00025.exe
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\00022.exe
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\00008.exe
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\00017.exe
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\00007.exe
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\00021.exe
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\00018.exe
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\00010.exe
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\00004.exe
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\00005.exe
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\00011.exe
C:\WINDOWS\Fonts\44-45-53-54-42-00\system\00023.exe
C:\WINDOWS\Fonts\kawdjzy.dll
C:\WINDOWS\Fonts\gjcsdyc.dll

Folder::
C:\WINDOWS\Fonts\44-45-53-54-42-00\system
C:\WINDOWS\Fonts\44-45-53-54-42-00
C:\QooBox

Registry::
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{A8907901-1416-3389-9981-37217856998A}"=-
"{4FA10261-B890-F432-A453-69F1023513F4}"=-

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop); if ComboFix does not auto-start, click "run".

Post a new Combofix scan.

Is StormII something you installed?




Response Number 10
Name: sakai111
Date: January 21, 2008 at 07:09:17 Pacific
Reply:

Hi,

Sorry about the delay. I cannot use ComboFix because the software has expired. Where can I download it again?

The Storm II is installed by the virus.

Thanks,



Response Number 11
Name: sakai111
Date: January 24, 2008 at 05:53:51 Pacific
Reply:

Hi,
Sorry about the delay. I cannot use ComboFix because the software has expired. Where can I download it again?

The Storm II is installed by the virus.

Thanks,

