0

Here is the hijack log file, please help.

Logfile of HijackThis v1.99.1
Scan saved at 10:15:01 AM, on 9/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Sony\Giga Pocket\shwserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\Giga Pocket\RM_SV.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Sony\USBSircs\usbsircs.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\jli\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\ServicePackFiles\i386\svcnut.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\bin\tgcmd.exe /server
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Remocon Driver.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1126192642765
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gmi.local
O17 - HKLM\Software\..\Telephony: DomainName = gmi.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = gmi.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = gmi.local
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: svcnut - C:\WINDOWS\ServicePackFiles\i386\svcnut.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Giga Pocket Hardware Detector - Sony Corporation - C:\Program Files\Sony\Giga Pocket\shwserv.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Giga Pocket\halsv.exe
O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Giga Pocket\RM_SV.exe

2
Contributors
9
Replies
10
Views
11 Years
Discussion Span
Last Post by JoshuaSFV
0

Hi,
Open a new file in NotePad, and copy the contents of the below "Quote" box:-

cd %windir%
cd Servic~1
cd i386
attrib -s -r -h svcnut.dll
del svcnut.dll
attrib -s -r -h tuncvs.*
del tuncvs.*

Go to File Menu (in NotePad) > Save As and type the filename as Test.BAT and save it.


Open a new empty file in NotePad, and copy the contents of the below "Quote" box:-

REGEDIT4

[-HKEY_CLASSES_ROOT\MSEvents.MSEvents.1]

[-HKEY_CLASSES_ROOT\MSEvents.MSEvents]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents.1]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}]

[-HKEY_CLASSES_ROOT\CLSID\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B8B55274-0F9A-41E5-9067-A3539BD9E860}]

[-HKEY_CLASSES_ROOT\CLSID\{B8B55274-0F9A-41E5-9067-A3539BD9E860}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{39D2FC9B-041C-470E-AE72-F8C001247626}]

[-HKEY_CLASSES_ROOT\CLSID\{39D2FC9B-041C-470E-AE72-F8C001247626}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF7FCAFB-9FDB-4F5E-BAC6-68BDEE61D6C6}]

[-HKEY_CLASSES_ROOT\CLSID\{AF7FCAFB-9FDB-4F5E-BAC6-68BDEE61D6C6}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B8B55274-0F9A-41E5-9067-A3539BD9E860}]

[-HKEY_CLASSES_ROOT\CLSID\{B8B55274-0F9A-41E5-9067-A3539BD9E860}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CBE0D59D-F985-4AC6-8826-FEE957065D42}]

[-HKEY_CLASSES_ROOT\CLSID\{CBE0D59D-F985-4AC6-8826-FEE957065D42}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7BF451AC-2010-4804-B256-DB2F0A8D9EB6}]

[-HKEY_CLASSES_ROOT\CLSID\{7BF451AC-2010-4804-B256-DB2F0A8D9EB6}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{827DC836-DD9F-4A68-A602-5812EB50A834}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{827DC836-DD9F-4A68-A602-5812EB50A834}]

[-HKEY_CLASSES_ROOT\CLSID\{827DC836-DD9F-4A68-A602-5812EB50A834}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7697DB96-5DA3-44F2-BC97-AD35E5F4CEDC}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7697DB96-5DA3-44F2-BC97-AD35E5F4CEDC}]

[-HKEY_CLASSES_ROOT\CLSID\{7697DB96-5DA3-44F2-BC97-AD35E5F4CEDC}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{52B1DFC7-AAFC-4362-B103-868B0683C697}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}]

[-HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{52B1DFC7-AAFC-4362-B103-868B0683C697}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{7697DB96-5DA3-44F2-BC97-AD35E5F4CEDC}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{39D2FC9B-041C-470E-AE72-F8C001247626}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{AF7FCAFB-9FDB-4F5E-BAC6-68BDEE61D6C6}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{B8B55274-0F9A-41E5-9067-A3539BD9E860}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CBE0D59D-F985-4AC6-8826-FEE957065D42}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{7BF451AC-2010-4804-B256-DB2F0A8D9EB6}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{827DC836-DD9F-4A68-A602-5812EB50A834}]
"Compatibility Flags"=dword:00000400

Go to File Menu (in NotePad) > Save As and type the filename as Fix.REG and save the file. Exit from NotePad.
-----------------------------------------------------------

Download TrojanHunter and install it.

Reboot in Safe Mode:-
Restart (or switch ON) the PC.
Then, keep tapping the F8 Key.
From the menu that will be displayed, out of which choose Safe Mode and press Enter.
-------------------------------------------------------------

Run TrojanHunter, go to Tools > Process Viewer. This opens up the Process Viewer window.

Here, expand the winlogon.exe process by clicking the "+" sign beside it. Here in the expanded list, look for every instances of these files:-

svcnut.dll
tuncvs.dll
tuncvs.bak
tuncvs.ini
tuncvs.*
( <--Any other extension )

If these files are found, then right-click on EACH of them and click "Unload Module".


Next, expand the Explorer.exe process by clicking the "+" sign beside it. Similarly, here also locate EVERY instances of the above mentioned files and Unload them if found.


After this close ProcessViewer. Then in the main window of TrojanHunter, select all the Hard Disk partitions. Click "Full Scan" and remove any trojans it may find.


-----------------------------------------------------------
Next run HijackThis and place a check beside each of the following:-

O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\ServicePackFiles\i386\svcnut.dll
O20 - Winlogon Notify: svcnut - C:\WINDOWS\ServicePackFiles\i386\svcnut.dll

Close all other programs, and now click Fix Checked in HijackThis.
-----------------------------------------------------

Double-click on Test.BAT file, a DOS type window should open and close by itself.

Double-click on Fix.REG and click "Yes" to merge it to Registry.

Restart the PC.
------------------------------------------------------

Download WinPFind.ZIP and completely extract it to a folder. Then run WinPFind.exe and click "Start Scan". When the scan completes, click "Copy to Clipboard" button to copy the log it gives, and please post it here along with a fresh HijackThis log.

0

Thanks for the help. Here is what I got from the instruction you provided.

First here is the log file generated by winpfind.exe

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP    Current Build: Service Pack 2    Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2                 3/18/2003 8:05:48 PM        2052096    C:\WINDOWS\SYSTEM32\atl71.pdb
PEC2                 3/31/2003 5:00:00 AM        41397      C:\WINDOWS\SYSTEM32\dfrg.msc
PTech                8/29/2005 1:27:12 PM        520968     C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
PEC2                 6/17/1998                   8015872    C:\WINDOWS\SYSTEM32\MFC42.PDB
PEC2                 6/17/1998                   3944448    C:\WINDOWS\SYSTEM32\MFC42D.PDB
PEC2                 6/17/1998                   7991296    C:\WINDOWS\SYSTEM32\MFC42U.PDB
PEC2                 6/17/1998                   3952640    C:\WINDOWS\SYSTEM32\MFC42UD.PDB
PEC2                 3/18/2003 10:20:00 PM       10357760   C:\WINDOWS\SYSTEM32\mfc71.pdb
PEC2                 3/18/2003 9:28:40 PM        8252416    C:\WINDOWS\SYSTEM32\MFC71d.pdb
PEC2                 3/18/2003 10:12:12 PM       10333184   C:\WINDOWS\SYSTEM32\mfc71u.pdb
PEC2                 3/18/2003 9:31:58 PM        8293376    C:\WINDOWS\SYSTEM32\mfc71ud.pdb
PEC2                 6/17/1998                   2052096    C:\WINDOWS\SYSTEM32\MFCD42D.PDB
PEC2                 6/17/1998                   2068480    C:\WINDOWS\SYSTEM32\MFCD42UD.PDB
PEC2                 6/17/1998                   1454080    C:\WINDOWS\SYSTEM32\MFCN42D.PDB
PEC2                 6/17/1998                   1462272    C:\WINDOWS\SYSTEM32\MFCN42UD.PDB
PEC2                 6/17/1998                   4395008    C:\WINDOWS\SYSTEM32\MFCO42D.PDB
PEC2                 6/17/1998                   4435968    C:\WINDOWS\SYSTEM32\MFCO42UD.PDB
PECompact2           9/8/2005 8:08:28 PM         1997664    C:\WINDOWS\SYSTEM32\MRT.exe
aspack               9/8/2005 8:08:28 PM         1997664    C:\WINDOWS\SYSTEM32\MRT.exe
aspack               8/4/2004 12:56:36 AM        708096     C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor             8/4/2004 12:56:44 AM        657920     C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync              3/31/2003 5:00:00 AM        1309184    C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
PTech                8/3/2004 10:41:38 PM        1309184    C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
                     9/23/2005 2:47:52 PM      S 2048       C:\WINDOWS\bootstat.dat
                     9/22/2005 11:06:26 PM    H  54156      C:\WINDOWS\QTFont.qfn
                     9/8/2005 8:18:18 PM      H  0          C:\WINDOWS\inf\oem45.inf
                     8/24/2005 6:25:34 PM     HS 26112      C:\WINDOWS\system32\mllmn.dll
                     9/23/2005 2:48:56 PM     H  1024       C:\WINDOWS\system32\config\default.LOG
                     9/23/2005 2:47:54 PM     H  1024       C:\WINDOWS\system32\config\SAM.LOG
                     9/23/2005 2:48:58 PM     H  1024       C:\WINDOWS\system32\config\SECURITY.LOG
                     9/23/2005 2:55:34 PM     H  1024       C:\WINDOWS\system32\config\software.LOG
                     9/23/2005 2:49:12 PM     H  1024       C:\WINDOWS\system32\config\system.LOG
                     9/18/2005 12:30:20 AM    H  1024       C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
                     9/23/2005 2:47:54 PM     H  6          C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
                               7/8/2003 4:13:16 PM         176128     C:\WINDOWS\SYSTEM32\ac3filter.cpl
Microsoft Corporation          8/4/2004 12:56:58 AM        68608      C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation          8/4/2004 12:56:58 AM        549888     C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation          8/4/2004 12:56:58 AM        110592     C:\WINDOWS\SYSTEM32\bthprops.cpl
Logitech Inc.                  6/30/2003 8:58:48 PM        135168     C:\WINDOWS\SYSTEM32\CamCpl.cpl
Microsoft Corporation          8/4/2004 12:56:58 AM        135168     C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation          8/4/2004 12:56:58 AM        80384      C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation          8/4/2004 12:56:58 AM        155136     C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation          8/4/2004 12:56:58 AM        358400     C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation          8/4/2004 12:56:58 AM        129536     C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation          8/4/2004 12:56:58 AM        380416     C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation          8/4/2004 12:56:58 AM        68608      C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems               8/19/2003 5:23:34 PM        61547      C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation          3/31/2003 5:00:00 AM        187904     C:\WINDOWS\SYSTEM32\main.cpl
AvantGo, Inc.                  12/22/2003 7:28:12 AM       69632      C:\WINDOWS\SYSTEM32\MBLLNK.CPL
Microsoft Corporation          8/4/2004 12:56:58 AM        618496     C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation          3/31/2003 5:00:00 AM        35840      C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation          8/4/2004 12:56:58 AM        25600      C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation          8/4/2004 12:56:58 AM        257024     C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation          8/4/2004 12:56:58 AM        32768      C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation          8/4/2004 12:56:58 AM        114688     C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc.           9/23/2004 7:57:40 PM        323072     C:\WINDOWS\SYSTEM32\QuickTime.cpl
Sony Corporation               8/6/2002 5:00:00 PM         53248      C:\WINDOWS\SYSTEM32\SNSetup.cpl
SigmaTel Inc.                  3/26/2003 4:45:54 PM        81920      C:\WINDOWS\SYSTEM32\stac97.cpl
Microsoft Corporation          8/4/2004 12:56:58 AM        298496     C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation          3/31/2003 5:00:00 AM        28160      C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation          8/4/2004 12:56:58 AM        94208      C:\WINDOWS\SYSTEM32\timedate.cpl
Sony Corporation               10/3/2003 1:24:08 PM        118784     C:\WINDOWS\SYSTEM32\tvtuner.cpl
Sony Corporation               12/4/1999 5:11:30 AM        151552     C:\WINDOWS\SYSTEM32\UILib.cpl
Microsoft Corporation          8/4/2004 12:56:58 AM        148480     C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation          5/26/2005 4:16:30 AM        174360     C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation          8/4/2004 12:56:58 AM        68608      C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation          8/4/2004 12:56:58 AM        549888     C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation          8/4/2004 12:56:58 AM        155136     C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation          8/4/2004 12:56:58 AM        129536     C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation          8/4/2004 12:56:58 AM        68608      C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation          8/4/2004 12:56:58 AM        618496     C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation          3/31/2003 5:00:00 AM        35840      C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation          8/4/2004 12:56:58 AM        257024     C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation          8/4/2004 12:56:58 AM        32768      C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation          8/4/2004 12:56:58 AM        114688     C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation          8/4/2004 12:56:58 AM        155648     C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation          8/4/2004 12:56:58 AM        298496     C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation          3/31/2003 5:00:00 AM        28160      C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation          8/4/2004 12:56:58 AM        148480     C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation          5/26/2005 4:16:30 AM        174360     C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
                     3/22/2005 1:27:26 PM        1824       C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
                     10/21/2003 4:35:10 PM    HS 84         C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
                     4/2/2004 7:13:44 PM         1403       C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Remocon Driver.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
                     10/21/2003 9:27:26 AM    HS 62         C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
                     9/16/2001 11:15:30 PM    HS 84         C:\Documents and Settings\jli\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
                     10/21/2003 9:27:26 AM    HS 62         C:\Documents and Settings\jli\Application Data\desktop.ini
                     6/10/2004 11:52:52 AM       0          C:\Documents and Settings\jli\Application Data\dm.ini
                     2/22/2005 11:12:54 AM       34720      C:\Documents and Settings\jli\Application Data\GDIPFONTCACHEV1.DAT

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    SV1  = 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Adobe.Acrobat.ContextMenu
    {D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}   = C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu
    {BDA77241-42F6-11d0-85E2-00AA001FE28C}   = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03}   = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
    {09799AFB-AD67-11d1-ABCD-00C04FC30936}   = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46}   = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TrojanHunter
    {EBDF1F20-C829-11D1-8233-FF20AF3E97A9}   = C:\PROGRA~1\TROJAN~1.2\contmenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
    {B41DB860-8EE4-11D2-9906-E49FADC173CA}   = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
    {5464D816-CF16-4784-B9F3-75C0DB52B499}   = C:\PROGRA~1\Yahoo!\Common\ymmapi20041123.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
    Start Menu Pin   = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\LDVPMenu
    {BDA77241-42F6-11d0-85E2-00AA001FE28C}   = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\TrojanHunter
    {EBDF1F20-C829-11D1-8233-FF20AF3E97A9}   = C:\PROGRA~1\TROJAN~1.2\contmenu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
    {B41DB860-8EE4-11D2-9906-E49FADC173CA}   = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46}   = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03}   = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
    {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}   = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\TrojanHunter
    {EBDF1F20-C829-11D1-8233-FF20AF3E97A9}   = C:\PROGRA~1\TROJAN~1.2\contmenu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
    {B41DB860-8EE4-11D2-9906-E49FADC173CA}   = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
     = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
     = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
     = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
     = %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
    UberButton Class = C:\Program Files\Yahoo!\Common\yiesrvc.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{65D886A2-7CA7-479B-BB95-14D1EFB7946A}
    YahooTaggedBM Class = C:\Program Files\Yahoo!\Common\YIeTagBm.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
    Google Toolbar Helper = c:\program files\google\googletoolbar2.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}
    AcroIEToolbarHelper Class = C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{182EC0BE-5110-49C8-A062-BEB1D02A220B}
    Adobe PDF = C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
    &Yahoo! Messenger = C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
    &Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
    {2318C2B1-4965-11d4-9B18-009027A5CD4F}   = &Google  : c:\program files\google\googletoolbar2.dll
    {47833539-D0C5-4125-9FA8-0819E2EAAC93}   = Adobe PDF    : C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    {EF99BD32-C1FB-11D2-892F-0090271D4F88}   = Yahoo! Toolbar   : C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
    MenuText     = Sun Java Console : 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}
    ButtonText   = Create Mobile Favorite   : 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}
    MenuText     = Create Mobile Favorite...    : C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
    ButtonText   = Yahoo! Services  : 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
    ButtonText   = Research : 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
    ButtonText   = Messenger    : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
     = 
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
    &Yahoo! Messenger = C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
    File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
    History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
    Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
    {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : %SystemRoot%\System32\browseui.dll
    {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
    {47833539-D0C5-4125-9FA8-0819E2EAAC93} = Adobe PDF  : C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
    {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : %SystemRoot%\System32\browseui.dll
    {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
    {2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google    : c:\program files\google\googletoolbar2.dll
    {47833539-D0C5-4125-9FA8-0819E2EAAC93} = Adobe PDF  : C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    {EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar : C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    HKSERV.EXE  C:\Program Files\Sony\HotKey Utility\HKserv.exe
    vptray  C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    ZTgServerSwitch c:\program files\support.com\client\bin\tgcmd.exe /server
    ezShieldProtector for Px    C:\WINDOWS\system32\ezSP_Px.exe
    gcasServ    "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    QuickTime Task  "C:\Program Files\QuickTime\qttask.exe" -atboottime
    THGuard "C:\Program Files\TrojanHunter 4.2\THGuard.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
    IMAIL   Installed = 1
    MAPI    Installed = 1
    MSFS    Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    ctfmon.exe  C:\WINDOWS\system32\ctfmon.exe
    Yahoo! Pager    "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
    msnmsgr "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    H/PC Connection Agent   "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\ExpandFrom

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\ExpandTo

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services
    VAIOMediaPlatform-VideoServer-UPnP  3
    VAIOMediaPlatform-VideoServer-HTTP  3
    VAIOMediaPlatform-VideoServer-AppServer 3
    VAIOMediaPlatform-PhotoServer-UPnP  3
    VAIOMediaPlatform-PhotoServer-HTTP  3
    VAIOMediaPlatform-PhotoServer-AppServer 3
    VAIOMediaPlatform-MusicServer-UPnP  3
    VAIOMediaPlatform-MusicServer-HTTP  3
    VAIOMediaPlatform-MusicServer-AppServer 3
    SSScsiSV    3
    SPTISRV 3
    RetroWDSvc  2
    PACSPTISVR  3
    ose 3
    niSvcLoc    2
    nipxirmu    2
    NILM License Manager    3
    nidevldu    2
    MSCSPTISRV  3
    LkTimeSync  2
    LkClassAds  2
    LkCitadelServer 2
    iPodService 3


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Apoint
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    Apoint
    hkey    HKLM
    command C:\Program Files\Apoint\Apoint.exe
    inimapping  0
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    Apoint
    hkey    HKLM
    command C:\Program Files\Apoint\Apoint.exe
    inimapping  0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ezShieldProtector for Px
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    ezSP_Px
    hkey    HKLM
    command C:\WINDOWS\System32\ezSP_Px.exe
    inimapping  0
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    ezSP_Px
    hkey    HKLM
    command C:\WINDOWS\System32\ezSP_Px.exe
    inimapping  0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\googletalk
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    googletalk
    hkey    HKCU
    command "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
    inimapping  0
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    googletalk
    hkey    HKCU
    command "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
    inimapping  0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\IMJPMIG8.1
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    IMJPMIG
    hkey    HKLM
    command "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    inimapping  0
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    IMJPMIG
    hkey    HKLM
    command "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    inimapping  0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\iTunesHelper
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    iTunesHelper
    hkey    HKLM
    command "C:\Program Files\iTunes\iTunesHelper.exe"
    inimapping  0
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    iTunesHelper
    hkey    HKLM
    command "C:\Program Files\iTunes\iTunesHelper.exe"
    inimapping  0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\LogitechVideoRepair
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    ISStart
    hkey    HKLM
    command C:\Program Files\Logitech\Video\ISStart.exe
    inimapping  0
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    ISStart
    hkey    HKLM
    command C:\Program Files\Logitech\Video\ISStart.exe
    inimapping  0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\LogitechVideoTray
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    LogiTray
    hkey    HKLM
    command C:\Program Files\Logitech\Video\LogiTray.exe
    inimapping  0
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    LogiTray
    hkey    HKLM
    command C:\Program Files\Logitech\Video\LogiTray.exe
    inimapping  0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Mouse Suite 98 Daemon
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    ICO
    hkey    HKLM
    command ICO.EXE
    inimapping  0
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    ICO
    hkey    HKLM
    command ICO.EXE
    inimapping  0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSPY2002
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    ImScInst
    hkey    HKLM
    command C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    inimapping  0
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    ImScInst
    hkey    HKLM
    command C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    inimapping  0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NIDAQmxDriverStatus
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    nidevldstat
    hkey    HKLM
    command C:\Program Files\National Instruments\NI-DAQ\HWConfig\nidevldstat.exe
    inimapping  0
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    nidevldstat
    hkey    HKLM
    command C:\Program Files\National Instruments\NI-DAQ\HWConfig\nidevldstat.exe
    inimapping  0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NvCplDaemon
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    NvCpl
    hkey    HKLM
    command RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    inimapping  0
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    NvCpl
    hkey    HKLM
    command RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    inimapping  0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PHIME2002A
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    TINTSETP
    hkey    HKLM
    command C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    inimapping  0
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    TINTSETP
    hkey    HKLM
    command C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    inimapping  0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PHIME2002ASync
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    TINTSETP
    hkey    HKLM
    command C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    inimapping  0
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    TINTSETP
    hkey    HKLM
    command C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    inimapping  0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    qttask
    hkey    HKLM
    command "C:\Program Files\QuickTime\qttask.exe" -atboottime
    inimapping  0
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    qttask
    hkey    HKLM
    command "C:\Program Files\QuickTime\qttask.exe" -atboottime
    inimapping  0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SigmaTel StacMon
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    stacmon
    hkey    HKLM
    command C:\Program Files\SigmaTel\C-Major Audio\stacmon.exe
    inimapping  0
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    stacmon
    hkey    HKLM
    command C:\Program Files\SigmaTel\C-Major Audio\stacmon.exe
    inimapping  0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Skype
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    Skype
    hkey    HKCU
    command "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    inimapping  0
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    Skype
    hkey    HKCU
    command "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    inimapping  0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SsAAD.exe
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    SsAAD
    hkey    HKLM
    command C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
    inimapping  0
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    SsAAD
    hkey    HKLM
    command C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
    inimapping  0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\VAIO Recovery
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    PartSeal
    hkey    HKLM
    command C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
    inimapping  0
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    PartSeal
    hkey    HKLM
    command C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
    inimapping  0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WD Button Manager
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    WDBtnMgr
    hkey    HKLM
    command WDBtnMgr.exe
    inimapping  0
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    WDBtnMgr
    hkey    HKLM
    command WDBtnMgr.exe
    inimapping  0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
    system.ini  0
    win.ini 0
    bootini 0
    services    2
    startup 2


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
    {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
    {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} = 
    {0DF44EAA-FF21-4412-828E-260A8728E7F1} = 


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    dontdisplaylastusername 0
    legalnoticecaption  
    legalnoticetext 
    shutdownwithoutlogon    1
    undockwithoutlogon  1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    NoDriveTypeAutoRun  145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    PostBootReminder                {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
    CDBurn                          {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
    WebCheck                        {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
    SysTray                         {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit    = C:\WINDOWS\system32\userinit.exe,
    Shell       = Explorer.exe
    System      = 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
     = crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
     = cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
     = cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon
     = C:\WINDOWS\System32\NavLogon.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
     = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
     = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
     = sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
     = WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
     = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
     = wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
    Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    AppInit_DLLs    


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 9/23/2005 2:57:43 PM



Here is the new log file from HijackThis.

-------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 4:05:53 PM, on 9/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Sony\Giga Pocket\shwserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sony\Giga Pocket\RM_SV.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\program files\support.com\client\bin\tgcmd.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Sony\USBSircs\usbsircs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\jli\Desktop\WinPFind\winpfind.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\jli\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [url]http://www.sony.com/vaiopeople[/url]
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\bin\tgcmd.exe /server
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Remocon Driver.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - [url]http://go.microsoft.com/fwlink/?linkid=39204[/url]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [url]http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1126192642765[/url]
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gmi.local
O17 - HKLM\Software\..\Telephony: DomainName = gmi.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = gmi.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = gmi.local
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Giga Pocket Hardware Detector - Sony Corporation - C:\Program Files\Sony\Giga Pocket\shwserv.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Giga Pocket\halsv.exe
O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Giga Pocket\RM_SV.exe

Edited by mike_2000_17: Fixed formatting

0

Hi,
Open a new file in NotePad, and copy the contents of the below "Quote" box to NotePad:-

cd %windir%
cd system32
attrib -s -r -h mllmn.dll
del mllmn.dll

Go to File Menu (in NotePad) and type the filename as Test2.BAT and save the file. Exit from NotePad.
---------------------------------------------------

Run TrojanHunter again, and go to Tools > Process Viewer to open the Process Viewer.

Here, expand the winlogon.exe process by clicking the "+" sign beside it, and then look for the below mentioned file:-

mllmn.dll

If it's found, then right-click on it, and click Unload Module.


Similarly, expand the explorer.exe process and then look for the above mentioned DLL file, if it's found then Unload it.
-------------------------------------------------------

Close the Process Viewer and TrojanHunter, and double-click on the Test2.BAT file, a DOS type window should open and close by itself.
-------------------------------------------------------

Restart the PC, and run HijackThis again to get a new log, and please post the same. Also, post back whether you receive WinFixer related pop-ups or not.

0

There is no mllmn module in winlogon.exe or explorer.exe.
The mllmn.dll file has been deleted from the system32 folder.

I did not get any popups since the first round of the fix yesterday.

Looks like it has fixed. Thanks a bunch.

0

And here is the new log file from Hijackthis.

Logfile of HijackThis v1.99.1
Scan saved at 1:56:20 PM, on 9/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Sony\Giga Pocket\shwserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sony\Giga Pocket\RM_SV.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Sony\USBSircs\usbsircs.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\WINDOWS\System32\WISPTIS.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\TrojanHunter 4.2\TrojanHunter.exe
C:\Documents and Settings\jli\Desktop\HijackThis.exe
C:\PROGRA~1\Logitech\Video\AlbumDB2.exe
C:\PROGRA~1\Logitech\Video\FxSvr2.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\bin\tgcmd.exe /server
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Remocon Driver.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1126192642765
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gmi.local
O17 - HKLM\Software\..\Telephony: DomainName = gmi.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = gmi.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = gmi.local
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Giga Pocket Hardware Detector - Sony Corporation - C:\Program Files\Sony\Giga Pocket\shwserv.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Giga Pocket\halsv.exe
O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Giga Pocket\RM_SV.exe

0

Hi,
Log looks clean :D Good to hear that Panda didnt find anything too! Shall i mark this topic as "Solved"?

0

Hi,
Log looks clean :D Good to hear that Panda didnt find anything too! Shall i mark this topic as "Solved"?

Yes. It is solved. Thanks again. :lol:

This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.