Old 10-08-2007, 08:38 PM   #1 (permalink)
ahjin
Registered User
 
Join Date: Oct 2007
Posts: 366
OS: xp


How to remove Email-Worm.Win32.Rays

As requested in the previous post (How to remove Email-Worm.Win32.Rays), I have created a new post here.

The report of Panda ActiveScan:


Incident | Status | Location
Adware:adware/webhancer | Not disinfected | c:\program files\webHancer
Spyware:Cookie/Atlas DMT | Not disinfected | C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt
Virus:W32/Wukill.A.worm | Disinfected | C:\Documents and Settings\Administrator\Desktop\SA50\Admin\Staff Matters\Leave Roster\2007\2007.exe
Hacktool:Exploit/ActiveXComp | Not disinfected | C:\Documents and Settings\Administrator\Desktop\SA50\Admin\Staff Matters\Leave Roster\2007\comment.htt
Virus:W32/Wukill.A.worm | Disinfected | C:\Documents and Settings\Administrator\Desktop\SA50\Auction\comment.htt
Hacktool:Exploit/ActiveXComp | Not disinfected | C:\Documents and Settings\Administrator\Desktop\SA50\Auction\may\Auction Letters\comment.htt
Hacktool:Exploit/ActXComp | Not disinfected | C:\Documents and Settings\Administrator\Desktop\SA50\Auction\may\Auction3\comment.htt
Hacktool:Exploit/ActiveXComp | Not disinfected | C:\Documents and Settings\Administrator\Desktop\SA50\Auction\may\Auction3A\comment.htt
Virus:Trj/Starter.A | Disinfected | C:\Documents and Settings\Administrator\Desktop\SA50\Auction\may\Auction_file\comment.htt
Hacktool:Exploit/ActiveXComp | Not disinfected | C:\Documents and Settings\Administrator\Desktop\SA50\Auction\may\comment.htt
Hacktool:Exploit/ActiveXComp | Not disinfected | C:\Documents and Settings\Administrator\Desktop\SA50\comment.htt
Potentially unwanted tool:Application/Leaktest.A | Not disinfected | C:\Documents and Settings\betsy\Desktop\backup\Sa50\Library\FREEWARES\AntiVirus & Internet Securities\leaktest.exe
Spyware:Cookie/YieldManager | Not disinfected | C:\Documents and Settings\WTWY\Cookies\wtwy@ad.yieldmanager[2].txt
Spyware:Cookie/AdDynamix | Not disinfected | C:\Documents and Settings\WTWY\Cookies\wtwy@ads.addynamix[2].txt
Spyware:Cookie/PointRoll | Not disinfected | C:\Documents and Settings\WTWY\Cookies\wtwy@ads.pointroll[2].txt
Spyware:Cookie/Apmebf | Not disinfected | C:\Documents and Settings\WTWY\Cookies\wtwy@apmebf[1].txt
Spyware:Cookie/Atlas DMT | Not disinfected | C:\Documents and Settings\WTWY\Cookies\wtwy@atdmt[2].txt
Spyware:Cookie/Atwola | Not disinfected | C:\Documents and Settings\WTWY\Cookies\wtwy@atwola[1].txt
Spyware:Cookie/Serving-sys | Not disinfected | C:\Documents and Settings\WTWY\Cookies\wtwy@bs.serving-sys[2].txt
Spyware:Cookie/Doubleclick | Not disinfected | C:\Documents and Settings\WTWY\Cookies\wtwy@doubleclick[1].txt
Spyware:Cookie/Go | Not disinfected | C:\Documents and Settings\WTWY\Cookies\wtwy@go[1].txt
Spyware:Cookie/QuestionMarket | Not disinfected | C:\Documents and Settings\WTWY\Cookies\wtwy@questionmarket[2].txt
Spyware:Cookie/Serving-sys | Not disinfected | C:\Documents and Settings\WTWY\Cookies\wtwy@serving-sys[1].txt
Spyware:Cookie/WebtrendsLive | Not disinfected | C:\Documents and Settings\WTWY\Cookies\wtwy@statse.webtrendslive[2].txt
Spyware:Cookie/Target | Not disinfected | C:\Documents and Settings\WTWY\Cookies\wtwy@target[2].txt
Adware:Adware/WebHancer | Not disinfected | C:\Documents and Settings\WTWY\Local Settings\Temporary Internet Files\Content.IE5\T7EQWWB7\whCC-TRAFE7[1].exe





Main.txt:




Deckard's System Scanner v20070905.67
Run by Administrator on 2007-10-09 10:27:51
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
66: 2007-10-09 02:28:00 UTC - RP343 - Deckard's System Scanner Restore Point
65: 2007-10-08 03:57:21 UTC - RP342 - Installed AVG 7.5
64: 2007-10-08 03:56:35 UTC - RP341 - Removed AVG 7.5
63: 2007-10-08 03:33:37 UTC - RP340 - System Checkpoint
62: 2007-10-04 09:40:09 UTC - RP339 - Software Distribution Service 3.0


-- First Restore Point --
1: 2007-07-11 02:56:58 UTC - RP278 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 510 MiB (512 MiB recommended).


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 10:28:43 AM, on 10/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\RealPopup\RealPopup.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Comodo\Comodo AntiVirus\Cavaud.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\inetsrv\DavCData.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\WINDOWS\system32\logon.scr
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\DOCUME~1\ALLUSE~1\DOCUME~1\HIJACK~1\Administrator.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.ap.dell.com/content/defa...=my&l=en&s=gen
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.ap.dell.com/content/defa...=my&l=en&s=gen
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [cnfgCav] "C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe"
O4 - HKLM\..\Run: [cavUPSDBMaker] "C:\Program Files\Comodo\Comodo AntiVirus\UPSDBMaker.exe"
O4 - HKCU\..\Run: [RealPopup] "C:\Program Files\RealPopup\RealPopup.exe" BOOT
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\cavemlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cavemlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cavemlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cavemlsp.dll
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework...ex/TmHcmsX.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{00431EC9-BD2A-4007-A137-30C5EFA8F171}: NameServer = 202.188.0.133,202.188.1.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{00431EC9-BD2A-4007-A137-30C5EFA8F171}: NameServer = 202.188.0.133,202.188.1.5
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: monln - C:\WINDOWS\SYSTEM32\monln.dll
O23 - Service: Abyss Web Server (AbyssWebServer) - Unknown owner - C:\Program Files\Abyss Web Server\abyssws.exe (file missing)
O23 - Service: Comodo Anti-Virus and Anti-Spyware Service - Comodo Inc. - C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe


-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Cavasm - c:\windows\system32\drivers\cavasm.sys <Not Verified; Comodo Inc.; Comodo Anti-Viruspyware>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Comodo Anti-Virus and Anti-Spyware Service - "c:\program files\comodo\common\cavaspy\cavasm.exe" <Not Verified; Comodo Inc.; Comodo Anti-Viruspyware>
R2 MySQL - "c:\program files\mysql\mysql server 5.0\bin\mysqld-nt" --defaults-file="c:\program files\mysql\mysql server 5.0\my.ini" mysql (file missing)

S2 AbyssWebServer (Abyss Web Server) - c:\program files\abyss web server\abyssws.exe --service (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2007-09-09 and 2007-10-09 -----------------------------

2007-10-09 08:46:03 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-10-09 08:46:01 0 d-------- C:\WINDOWS\LastGood
2007-10-09 08:00:49 0 d-------- C:\Documents and Settings\WTWY\Application Data\Comodo AntiVirus
2007-10-08 11:59:29 73728 --a------ C:\WINDOWS\system32\CavEmLSP.dll <Not Verified; COMODO; Comodo AntiVirus.>
2007-10-08 11:59:23 102400 --a------ C:\WINDOWS\system32\drivers\cavasm.sys <Not Verified; Comodo Inc.; Comodo Anti-Viruspyware>
2007-10-08 11:59:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Comodo
2007-10-08 11:59:19 216576 --a------ C:\WINDOWS\system32\monln.dll <Not Verified; Comodo Inc.; Comodo Anti-Viruspyware>
2007-10-08 11:59:12 0 d-------- C:\Program Files\Comodo
2007-10-08 11:57:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-10-05 10:01:11 0 d-------- C:\WINDOWS\system32\NtmsData
2007-10-05 08:17:39 0 d-------- C:\Documents and Settings\WTWY\Application Data\Grisoft
2007-10-04 15:35:39 0 d-------- C:\ERDNT
2007-10-03 09:19:11 0 d-------- C:\Documents and Settings\temp\Application Data\Yahoo!
2007-10-03 09:19:10 0 d-------- C:\Documents and Settings\temp\Application Data\Google
2007-10-03 09:18:20 0 d--h----- C:\Documents and Settings\temp\Templates
2007-10-03 09:18:20 0 dr------- C:\Documents and Settings\temp\Start Menu
2007-10-03 09:18:20 0 dr-h----- C:\Documents and Settings\temp\SendTo
2007-10-03 09:18:20 0 dr-h----- C:\Documents and Settings\temp\Recent
2007-10-03 09:18:20 0 d--h----- C:\Documents and Settings\temp\PrintHood
2007-10-03 09:18:20 0 d--h----- C:\Documents and Settings\temp\NetHood
2007-10-03 09:18:20 0 dr------- C:\Documents and Settings\temp\My Documents
2007-10-03 09:18:20 0 d--h----- C:\Documents and Settings\temp\Local Settings
2007-10-03 09:18:20 0 dr------- C:\Documents and Settings\temp\Favorites
2007-10-03 09:18:20 0 d-------- C:\Documents and Settings\temp\Desktop
2007-10-03 09:18:20 0 d---s---- C:\Documents and Settings\temp\Cookies
2007-10-03 09:18:20 0 dr-h----- C:\Documents and Settings\temp\Application Data
2007-10-03 09:18:20 0 d-------- C:\Documents and Settings\temp\Application Data\Sun
2007-10-03 09:18:20 0 d---s---- C:\Documents and Settings\temp\Application Data\Microsoft
2007-10-03 09:18:20 0 d-------- C:\Documents and Settings\temp\Application Data\Identities
2007-10-03 09:18:20 0 d-------- C:\Documents and Settings\temp\Application Data\Gtek
2007-10-03 09:18:19 618496 --a------ C:\Documents and Settings\temp\NTUSER.DAT
2007-10-02 13:44:21 0 d-------- C:\Documents and Settings\wongis\Application Data\Yahoo!
2007-10-02 13:44:20 0 d-------- C:\Documents and Settings\wongis\Application Data\Google
2007-10-02 13:43:27 0 d-------- C:\Documents and Settings\wongis\Application Data\Identities
2007-10-02 13:43:27 0 d--h----- C:\Documents and Settings\wongis\Application Data\Gtek
2007-10-02 13:43:26 0 d--h----- C:\Documents and Settings\wongis\Templates
2007-10-02 13:43:26 0 dr------- C:\Documents and Settings\wongis\Start Menu
2007-10-02 13:43:26 0 dr-h----- C:\Documents and Settings\wongis\SendTo
2007-10-02 13:43:26 0 dr-h----- C:\Documents and Settings\wongis\Recent
2007-10-02 13:43:26 0 d--h----- C:\Documents and Settings\wongis\PrintHood
2007-10-02 13:43:26 663552 --a------ C:\Documents and Settings\wongis\NTUSER.DAT
2007-10-02 13:43:26 0 d--h----- C:\Documents and Settings\wongis\NetHood
2007-10-02 13:43:26 0 dr------- C:\Documents and Settings\wongis\My Documents
2007-10-02 13:43:26 0 d--h----- C:\Documents and Settings\wongis\Local Settings
2007-10-02 13:43:26 0 dr------- C:\Documents and Settings\wongis\Favorites
2007-10-02 13:43:26 0 d-------- C:\Documents and Settings\wongis\Desktop
2007-10-02 13:43:26 0 d---s---- C:\Documents and Settings\wongis\Cookies
2007-10-02 13:43:26 0 dr-h----- C:\Documents and Settings\wongis\Application Data
2007-10-02 13:43:26 0 d-------- C:\Documents and Settings\wongis\Application Data\Sun
2007-10-02 13:43:26 0 d---s---- C:\Documents and Settings\wongis\Application Data\Microsoft
2007-10-02 08:32:10 0 d-------- C:\WINDOWS\system32\appmgmt
2007-10-01 08:48:34 0 d-------- C:\Program Files\webHancer
2007-10-01 08:48:20 0 d-------- C:\Program Files\Adssite Advanced Toolbar
2007-10-01 08:48:20 0 d-------- C:\Documents and Settings\WTWY\Application Data\Adssite Advanced Toolbar
2007-10-01 08:41:03 0 d-------- C:\Documents and Settings\WTWY\Shared
2007-10-01 08:41:00 0 d-------- C:\Documents and Settings\WTWY\Incomplete
2007-10-01 08:39:46 0 d-------- C:\Documents and Settings\WTWY\Application Data\LimeWire
2007-09-27 09:05:21 0 d-------- C:\Documents and Settings\WTWY\Application Data\PC Tools
2007-09-26 14:53:08 0 d-------- C:\Documents and Settings\Administrator\Application Data\RealPopup
2007-09-26 14:53:05 0 d-------- C:\Program Files\RealPopup
2007-09-26 14:27:23 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-09-26 14:13:50 0 d-------- C:\Program Files\Startup Optimizer
2007-09-26 14:13:33 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-09-26 14:12:44 119568 --a------ C:\WINDOWS\system32\VB6FR.DLL <Not Verified; Microsoft Corporation; Environnement Visual Basic>
2007-09-26 14:12:44 0 d-------- C:\Program Files\ZNsoft Corporation
2007-09-26 13:59:45 0 d---s---- C:\Documents and Settings\Administrator\UserData
2007-09-26 11:30:53 0 d-------- C:\Documents and Settings\Administrator\Application Data\Yahoo!
2007-09-26 11:30:53 0 d-------- C:\Documents and Settings\Administrator\Application Data\Google
2007-09-26 10:53:37 0 d-------- C:\Documents and Settings\Administrator\Application Data\OpenOffice.org2
2007-09-26 10:50:06 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2007-09-10 09:33:59 0 d-------- C:\Program Files\PNA


-- Find3M Report ---------------------------------------------------------------

2007-10-09 10:09:29 0 d-------- C:\Program Files\Messenger
2007-10-04 11:57:47 0 d-------- C:\Program Files\Google
2007-10-01 08:37:08 0 d-------- C:\Program Files\Java
2007-09-26 14:31:06 0 d-------- C:\Program Files\Common Files


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07/12/2007 04:00 AM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [09/20/2005 09:32 AM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [09/20/2005 09:36 AM]
"cnfgCav"="C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe" [10/08/2007 11:59 AM]
"cavUPSDBMaker"="C:\Program Files\Comodo\Comodo AntiVirus\UPSDBMaker.exe" [10/08/2007 11:59 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RealPopup"="C:\Program Files\RealPopup\RealPopup.exe" [02/24/2005 12:50 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 05:00 AM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/14/2004 12:24 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\monln]
monln.dll 10/08/2007 11:59 AM 216576 C:\WINDOWS\system32\monln.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Printer Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Printer Monitor.lnk
backup=C:\WINDOWS\pss\Printer Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^WTWY^Start Menu^Programs^Startup^OpenOffice.org 2.1.lnk]
path=C:\Documents and Settings\WTWY\Start Menu\Programs\Startup\OpenOffice.org 2.1.lnk
backup=C:\WINDOWS\pss\OpenOffice.org 2.1.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"C:\Program Files\Dell Support\DSAgnt.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
C:\Program Files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McRegWiz]
C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKAGENTEXE]
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]
C:\Program Files\McAfee.com\VSO\oasclnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
"C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\rundisabled]
"igfxtray"=C:\WINDOWS\system32\igfxtray.exe




-- End of Deckard's System Scanner: finished at 2007-10-09 10:29:25 ------------
Attached Files
File Type: txt extra.txt (7.4 KB, 2 views)

Last edited by ahjin; 10-08-2007 at 08:49 PM.