Jump to content

Can't can't winscenter.exe and wscntfy.exe!!


Recommended Posts

After removing "spyware guard 2008" and lots of other malware from my daughter's computer, I am still infected with winscenter.exe and another process called wscntfy.exe that pops fake "Windows Security Center" notices that look like the legit "Windows Security Alerts" message.

I ran MWbytes 6 times (it ran clean after the 3rd try) then Spybot, HJT and Panda (logs below). Each one of these seemed to find additional malware but none seem to clean these last two.

The Panda scan turned up another copy of spyware guard 2008 in:

C:\Documents and Settings\Chichick\Local Settings\Temporary Internet Files\Content.IE5\OVI2MZPL\SpywareGuard2008[1].exe

that I can't find because neither Windows Explorer (with hiddens viewable) nor a cmd DOS window sees.

While looking for this Panda detected "Spyware Guard 2008.exe[1]" file I did find a suspicious file called "fbk.sts" in the "C:\Documents and Settings\Chichick\Local Settings\Temporary Internet Files" user directory but only detectable with a cmd DOS window.

I have posted 3 consecutive AM 1.31 logs to show the incremental progress and then the Panda and HJT logs.

Any help would be appreciated.

Malwarebytes' Anti-Malware 1.31

Database version: 1456

Windows 5.1.2600 Service Pack 2

12/25/2008 5:25:45 PM

mbam-log-2008-12-25 (17-25-45).txt

Scan type: Full Scan (C:\|)

Objects scanned: 95009

Time elapsed: 1 hour(s), 3 minute(s), 28 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 19

Registry Values Infected: 2

Registry Data Items Infected: 2

Folders Infected: 6

Files Infected: 24

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\fcccbbaw.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{90a14e0d-d9c6-46b1-9467-e6dc0c155870} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{90a14e0d-d9c6-46b1-9467-e6dc0c155870} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\wmpdxm.video (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{48d78be5-cfb9-4b66-9ac4-96d4cf21de06} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{f757b0a0-e8ca-4cc3-bff5-decd70dfeeda} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{74d46bba-5638-473a-83b6-97e7804a7411} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\AppID\{f757b0a0-e8ca-4cc3-bff5-decd70dfeeda} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdssserv (Rootkit.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\AppID\wmpdxm.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\spyware guard 2008 (Rogue.SpywareGuard) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\94953c7d (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NI.GSCNS (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\fcccbbaw -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\fcccbbaw -> Delete on reboot.

Folders Infected:

C:\Program Files\Antivirus 2009 (Rogue.Antivirus 2009) -> Quarantined and deleted successfully.

C:\Program Files\Webtools (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Program Files\Mjcore (Trojan.BHO) -> Quarantined and deleted successfully.

C:\Documents and Settings\Chichick\Local Settings\Temp\snapsnet (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Chichick\Application Data\NI.GSCNS (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Chichick\Application Data\speedrunner (Adware.SurfAccuracy) -> Quarantined and deleted successfully.

Files Infected:

C:\WINDOWS\system32\fcccbbaw.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\wabbcccf.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wabbcccf.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\iqwovdsv.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\vsdvowqi.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\uibdmxcv.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\vcxmdbiu.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\Documents and Settings\Chichick\Local Settings\Temp\snapsnet\dPI191065.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Chichick\Local Settings\Temporary Internet Files\Content.IE5\FV8IGYR6\upd105320[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\Documents and Settings\Chichick\Local Settings\Temporary Internet Files\Content.IE5\QUIKHOGM\upd105320[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\Documents and Settings\Chichick\Application Data\NI.GSCNS\dl.ini (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Chichick\Application Data\NI.GSCNS\settings.ini (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Chichick\Application Data\speedrunner\config.cfg (Adware.SurfAccuracy) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\fccbAQgG.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\sysexplorer.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\reged.exe (Rogue.SpywareGuard) -> Quarantined and deleted successfully.

C:\WINDOWS\spoolsystem.exe (Rogue.SpywareGuard) -> Quarantined and deleted successfully.

C:\WINDOWS\sys.com (Rogue.SpywareGuard) -> Quarantined and deleted successfully.

C:\WINDOWS\syscert.exe (Rogue.SpywareGuard) -> Quarantined and deleted successfully.

C:\WINDOWS\vmreg.dll (Rogue.SpywareGuard) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\Microsoft\Protect\svhost.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\Microsoft\Protect\track.sys (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Documents and Settings\Chichick\MoveMediaPlayer_win_mozilla_07076007.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Malwarebytes' Anti-Malware 1.31

Database version: 1456

Windows 5.1.2600 Service Pack 2

12/25/2008 6:36:48 PM

mbam-log-2008-12-25 (18-36-48).txt

Scan type: Full Scan (C:\|)

Objects scanned: 95117

Time elapsed: 1 hour(s), 3 minute(s), 4 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{90a14e0d-d9c6-46b1-9467-e6dc0c155870} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{90a14e0d-d9c6-46b1-9467-e6dc0c155870} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Malwarebytes' Anti-Malware 1.31

Database version: 1456

Windows 5.1.2600 Service Pack 2

12/25/2008 8:06:26 PM

mbam-log-2008-12-25 (20-06-26).txt

Scan type: Full Scan (C:\|)

Objects scanned: 95492

Time elapsed: 1 hour(s), 11 minute(s), 48 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 4

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f757b0a0-e8ca-4cc3-bff5-decd70dfeeda} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpeedRunner (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\19950704330957315175141318093637 (Rogue.Antivirus) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

This is the PANDA ActiveScan log

;*******************************************************************************

********************************************************************************

*

*******************

ANALYSIS: 2008-12-28 13:12:25

PROTECTIONS: 1

MALWARE: 11

SUSPECTS: 7

;*******************************************************************************

********************************************************************************

*

*******************

PROTECTIONS

Description Version Active Updated

;===============================================================================

================================================================================

=

===================

avast! antivirus 4.8.1296 [VPS 081228-0] 4.8.1296 Yes Yes

;===============================================================================

================================================================================

=

===================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===============================================================================

================================================================================

=

===================

00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Chichick\Cookies\chichick@com[1].txt

00167704 Cookie/Xiti TrackingCookie No 0 Yes No C:\Documents and Settings\Chichick\Cookies\chichick@xiti[1].txt

00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\Chichick\Cookies\chichick@www.burstbeacon[1].txt

00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\Chichick\Cookies\chichick@server.iad.liveperson[2].txt

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Chichick\Cookies\chichick@ads.pointroll[1].txt

00199984 Cookie/Searchportal TrackingCookie No 0 Yes No C:\Documents and Settings\Chichick\Cookies\chichick@searchportal.information[1].txt

00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\Chichick\Cookies\chichick@did-it[1].txt

00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Chichick\Cookies\chichick@atwola[1].txt

02897073 Cookie/Revenue TrackingCookie No 0 Yes No C:\Documents and Settings\Chichick\Cookies\chichick@adsrevenue[2].txt

03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\jxsrxskntp.dll

03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\jxsrxskntp.dll

03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Program Files\Alwil Software\Avast4\DATA\chest\ucuuiwwuik

03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Program Files\Alwil Software\Avast4\DATA\chest\vdzbgoutyhdll

03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Program Files\Alwil Software\Avast4\DATA\chest\vtnjacgkcb.dll

04454058 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{A542ED31-A2F1-4E88-A19B-37A7758980D6}\RP124\A0040548.dll

;===============================================================================

================================================================================

=

===================

SUSPECTS

Sent Location

;===============================================================================

================================================================================

=

===================

No C:\WINDOWS\system32\winscenter.exe

No C:\Documents and Settings\All Users\Application Data\svhost.exe

No C:\Documents and Settings\Chichick\Local Settings\Temporary Internet Files\Content.IE5\OVI2MZPL\SpywareGuard2008[1].exe

No C:\Program Files\Alwil Software\Avast4\DATA\chest\0000winscenter

No C:\RECYCLER\S-1-5-21-57989841-1897051121-682003330-1003\Dc5.exe

No C:\RECYCLER\S-1-5-21-57989841-1897051121-682003330-1003\Dc6.exe

No C:\WINDOWS\system32\winscenter.exe

;===============================================================================

================================================================================

=

===================

VULNERABILITIES

Id Severity Description

;===============================================================================

================================================================================

=

===================

;===============================================================================

================================================================================

=

===================

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:12:18 AM, on 12/27/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe

C:\Program Files\Maxtor\Utils\SyncServices.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Apoint2K\Apoint.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe

C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\Program Files\Maxtor\ManagerApp\Onetouch.exe

C:\WINDOWS\system32\winscenter.exe

C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Documents and Settings\Chichick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\taskmgr.exe

C:\antimwaretemp\hjkthi\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe

O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"

O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\ManagerApp\Onetouch.exe

O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [MP10_EnsureFileVer] C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [spywareguard] C:\Program Files\Spyware Guard 2008\spywareguard.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [iTudouAutoStart] C:\Program Files\Tudou\iTudou\iTudou.exe -AutoStart

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Chichick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: ʹ

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.