TSPY ALEMOD.A

[lance7]

Hello

Have follwed the first bit of advice in Forum this forum from thread

Help With Virus Tspy_alemod.a, Virus TSPY_ALEMOD.A Options
http://www.cyberanswers.org/forum/index.ph...;\\.a

Here is my log.

Logfile of HijackThis v1.99.1
Scan saved at 08:07:35, on 05/10/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCTLCOM.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCIOMON.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\TMPFW.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PQSC\PROGRAM\SCTRAY.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\MICROSOFT WORKS\WKSSB.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCGUIDE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\TMENTOR\MENTOR FOR WINME\MINITRAY.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\TMPROXY.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SecondChance] C:\PQSC\PROGRAM\SCTRAY.EXE
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [PcCtlCom] C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCTLCOM.EXE
O4 - Startup: Mentor Tray Icon.lnk = C:\Program Files\tMentor\Mentor for WinMe\minitray.exe
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O9 - Extra button: Mentor - {3892CA40-9B9A-11d4-8D73-00105A296A2A} - "C:\Program Files\tMentor\Mentor for IE5\IE5Help.chm" (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe...nttracking.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/09ac9623cc29a3...ip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab



Please would somebody advise me what to do next. No obvious problem with PC but suspect there may be soon.

Thanks very much !
Lance

[Mobo]

Hi and welcome Lance:

Download Ewido, install then from within the program check for updates BUT dont scan yet
ewido security suite:
http://download.ewido.net/ewido-setup.exe
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu". When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK.
We will fix this in a moment.
From the main ewido screen, click on update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful"),

Now run an ewido scan as well as save the logfile created by it and post it here.

[lance7]

<div class='quotetop'>QUOTE(Mobo @ Oct 5 2005, 12:51 PM) Quoted post</div><div class='quotemain'>
Hi and welcome Lance:

Download Ewido, install then from within the program check for updates BUT dont scan yet
ewido security suite:
http://download.ewido.net/ewido-setup.exe
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu". When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK.
We will fix this in a moment.
From the main ewido screen, click on update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful"),

Now run an ewido scan as well as save the logfile created by it and post it here.
[/b][/quote]

<span style="color:#6666CC">Thank you Mobo

Have tried to install but on set up I am getting a message telling me the ewido security suite needs Windows 2000 and above to be installed. I have Windows ME. What should I do now please?
Cheers!
Lance </span>:smile:

[lance7]

no one has replied to my request for help

struggling!

lance

[Mobo]

<div class='quotetop'>QUOTE(lance7 @ Oct 8 2005, 11:28 AM) Quoted post</div><div class='quotemain'>
no one has replied to my request for help

struggling!

lance
[/b][/quote]
Oh my, im sorry Lance. I was having browser troubles at the time I was trying to post back and I guess I forgot you after that.

Download: eScans mwav (freeware)
http://www.mwti.net/antivirus/free_utilities.asp
• Once installed
• Double-click it to run it, select: all local drives
• Scan all files, press Scan
• When completed, anything suspicious found will be displayed in the lower pane.
• Highlight it, (lower pane) press CTRL + C keys
• Reply to your Topic, right-click and paste it in your next reply.

[lance7]

As requested here's the log - thanks! lance

Object "180solutions Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "redv Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "redv Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\WINDOWS\SYSTEM\QUICKT~2.QTX". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\WINDOWS\TEMP\_ISTMP1.DIR\_ISTMP0.DIR\FileGrp\M SVCRT10.DLL". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\Program Files\Common Files\Real\GToolbar\BarControl.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Ap p Paths\table30.exe" refers to invalid object "". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Ap p Paths\pbrush.exe" refers to invalid object "C:\WINDOWS\SYSTEM\mspaint.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Ap p Paths\MRUN32.EXE" refers to invalid object "C:\WINDOWS\MRUN32.EXE". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Ap p Paths\TinyTrainer" refers to invalid object "C:\Program Files\tMentor\TinyTrainer". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Ap p Paths\MoviePlayer.exe" refers to invalid object "C:\PROGRA~1\QUICKT~1\MoviePlayer.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Ap p Paths\PictureViewer.exe" refers to invalid object "C:\PROGRA~1\QUICKT~1\PictureViewer.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Ap p Paths\MsoHtmEd.exe" refers to invalid object "". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Ap p Paths\HijackThis.exe" refers to invalid object "C:\WINDOWS\TEMP\TD_0001.DIR\hijackthis.exe". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Ex plorer\FileExts" refers to invalid object ".csv". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{D3B1DE00-6B94-1069-8754-08002B2BD64F}" refers to invalid object "C:\WINDOWS\SYSTEM\disktool.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{56071E0D-C61B-11D3-B41C-00E02927A304}" refers to invalid object "C:\PROGRAM FILES\NTL\NTL NETGUARD\FBHR.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{3C060EA2-E6A9-4E49-A530-D4657B8C449A}" refers to invalid object "C:\PROGRAM FILES\NTL\NTL NETGUARD\PKR.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{56336BCA-3D8A-11d6-A00B-0050DA18DE71}" refers to invalid object "C:\WINDOWS\TEMP\INFOWINDOW.DLL". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{56071E00-C61B-11D3-B41C-00E02927A304}" refers to invalid object "C:\PROGRAM FILES\NTL\NTL NETGUARD\FBHR.DLL". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{8DD0A81E-0AC6-4165-8DE9-786D4E419B2C}" refers to invalid object "C:\PROGRAM FILES\NTL\NTL NETGUARD\PKR.DLL". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{7AF322C5-AB43-11D4-A00B-0050DA18DE71}" refers to invalid object "C:\WINDOWS\TEMP\INFOWINDOW.DLL". Action Taken: No Action Taken.
Entry "HKCR\.ppt" refers to invalid object "Powerpoint.Show.7". Action Taken: No Action Taken.
Entry "HKCR\.pot" refers to invalid object "Powerpoint.Template". Action Taken: No Action Taken.
Entry "HKCR\QuickTime.dif\shell\open\command" refers to invalid object "C:\PROGRA~1\QUICKT~1\MoviePlayer.exe "%1"". Action Taken: No Action Taken.
Entry "HKCR\QuickTime.dv\shell\open\command" refers to invalid object "C:\PROGRA~1\QUICKT~1\MoviePlayer.exe "%1"". Action Taken: No Action Taken.
Entry "HKCR\QuickTime.mac\shell\open\command" refers to invalid object "C:\PROGRA~1\QUICKT~1\PictureViewer.exe "%1"". Action Taken: No Action Taken.
Entry "HKCR\QuickTime.pct\shell\open\command" refers to invalid object "C:\PROGRA~1\QUICKT~1\PictureViewer.exe "%1"". Action Taken: No Action Taken.
Entry "HKCR\QuickTime.pic\shell\open\command" refers to invalid object "C:\PROGRA~1\QUICKT~1\PictureViewer.exe "%1"". Action Taken: No Action Taken.
Entry "HKCR\QuickTime.pict\shell\open\command" refers to invalid object "C:\PROGRA~1\QUICKT~1\PictureViewer.exe "%1"". Action Taken: No Action Taken.
Entry "HKCR\QuickTime.pntg\shell\open\command" refers to invalid object "C:\PROGRA~1\QUICKT~1\PictureViewer.exe "%1"". Action Taken: No Action Taken.
Entry "HKCR\QuickTime.psd\shell\open\command" refers to invalid object "C:\PROGRA~1\QUICKT~1\PictureViewer.exe "%1"". Action Taken: No Action Taken.
Entry "HKCR\QuickTime.qif\shell\open\command" refers to invalid object "C:\PROGRA~1\QUICKT~1\PictureViewer.exe "%1"". Action Taken: No Action Taken.
Entry "HKCR\QuickTime.qti\shell\open\command" refers to invalid object "C:\PROGRA~1\QUICKT~1\PictureViewer.exe "%1"". Action Taken: No Action Taken.
Entry "HKCR\QuickTime.qtif\shell\open\command" refers to invalid object "C:\PROGRA~1\QUICKT~1\PictureViewer.exe "%1"". Action Taken: No Action Taken.
Entry "HKCR\QuickTimeImage\shell\open\command" refers to invalid object ""C:\Program Files\QuickTime\PictureViewer.exe" "%1"". Action Taken: No Action Taken.
Entry "HKCR\QuickTimeMovie\shell\open\command" refers to invalid object ""C:\Program Files\QuickTime\MoviePlayer.exe" "%1"". Action Taken: No Action Taken.
Entry "HKCR\.aw" refers to invalid object "AWFile". Action Taken: No Action Taken.
Entry "HKCR\.col" refers to invalid object "COLFile". Action Taken: No Action Taken.
Entry "HKCR\.elm" refers to invalid object "ELMFile". Action Taken: No Action Taken.
Entry "HKCR\.ffa" refers to invalid object "FFAFile". Action Taken: No Action Taken.
Entry "HKCR\.ffl" refers to invalid object "FFLFile". Action Taken: No Action Taken.
Entry "HKCR\.fft" refers to invalid object "FFTFile". Action Taken: No Action Taken.
Entry "HKCR\.ffx" refers to invalid object "FFXFile". Action Taken: No Action Taken.
Entry "HKCR\.lex" refers to invalid object "LEXFile". Action Taken: No Action Taken.
Entry "HKCR\.opc" refers to invalid object "OPCFile". Action Taken: No Action Taken.
Entry "HKCR\.stf" refers to invalid object "STFFile". Action Taken: No Action Taken.
Entry "HKCR\.tuw" refers to invalid object "TUWFile". Action Taken: No Action Taken.
Entry "HKCR\.wll" refers to invalid object "Word.Addin.8". Action Taken: No Action Taken.

[Mobo]

I dont think the scan finished Lance. That doesn't look like a complete log.

[lance7]

ok mobo will try it again cheers

lance

[lance7]

Object "180solutions Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "redv Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "redv Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\WINDOWS\SYSTEM\QUICKT~2.QTX". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\WINDOWS\TEMP\_ISTMP1.DIR\_ISTMP0.DIR\FileGrp\M SVCRT10.DLL". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sh aredDlls" refers to invalid object "C:\Program Files\Common Files\Real\GToolbar\BarControl.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Ap p Paths\table30.exe" refers to invalid object "". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Ap p Paths\pbrush.exe" refers to invalid object "C:\WINDOWS\SYSTEM\mspaint.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Ap p Paths\MRUN32.EXE" refers to invalid object "C:\WINDOWS\MRUN32.EXE". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Ap p Paths\TinyTrainer" refers to invalid object "C:\Program Files\tMentor\TinyTrainer". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Ap p Paths\MoviePlayer.exe" refers to invalid object "C:\PROGRA~1\QUICKT~1\MoviePlayer.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Ap p Paths\PictureViewer.exe" refers to invalid object "C:\PROGRA~1\QUICKT~1\PictureViewer.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Ap p Paths\MsoHtmEd.exe" refers to invalid object "". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Ap p Paths\HijackThis.exe" refers to invalid object "C:\WINDOWS\TEMP\TD_0001.DIR\hijackthis.exe". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Ex plorer\FileExts" refers to invalid object ".csv". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{D3B1DE00-6B94-1069-8754-08002B2BD64F}" refers to invalid object "C:\WINDOWS\SYSTEM\disktool.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{56071E0D-C61B-11D3-B41C-00E02927A304}" refers to invalid object "C:\PROGRAM FILES\NTL\NTL NETGUARD\FBHR.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{3C060EA2-E6A9-4E49-A530-D4657B8C449A}" refers to invalid object "C:\PROGRAM FILES\NTL\NTL NETGUARD\PKR.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{56336BCA-3D8A-11d6-A00B-0050DA18DE71}" refers to invalid object "C:\WINDOWS\TEMP\INFOWINDOW.DLL". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{56071E00-C61B-11D3-B41C-00E02927A304}" refers to invalid object "C:\PROGRAM FILES\NTL\NTL NETGUARD\FBHR.DLL". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{8DD0A81E-0AC6-4165-8DE9-786D4E419B2C}" refers to invalid object "C:\PROGRAM FILES\NTL\NTL NETGUARD\PKR.DLL". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{7AF322C5-AB43-11D4-A00B-0050DA18DE71}" refers to invalid object "C:\WINDOWS\TEMP\INFOWINDOW.DLL". Action Taken: No Action Taken.
Entry "HKCR\.ppt" refers to invalid object "Powerpoint.Show.7". Action Taken: No Action Taken.
Entry "HKCR\.pot" refers to invalid object "Powerpoint.Template". Action Taken: No Action Taken.
Entry "HKCR\QuickTime.dif\shell\open\command" refers to invalid object "C:\PROGRA~1\QUICKT~1\MoviePlayer.exe "%1"". Action Taken: No Action Taken.
Entry "HKCR\QuickTime.dv\shell\open\command" refers to invalid object "C:\PROGRA~1\QUICKT~1\MoviePlayer.exe "%1"". Action Taken: No Action Taken.
Entry "HKCR\QuickTime.mac\shell\open\command" refers to invalid object "C:\PROGRA~1\QUICKT~1\PictureViewer.exe "%1"". Action Taken: No Action Taken.
Entry "HKCR\QuickTime.pct\shell\open\command" refers to invalid object "C:\PROGRA~1\QUICKT~1\PictureViewer.exe "%1"". Action Taken: No Action Taken.
Entry "HKCR\QuickTime.pic\shell\open\command" refers to invalid object "C:\PROGRA~1\QUICKT~1\PictureViewer.exe "%1"". Action Taken: No Action Taken.
Entry "HKCR\QuickTime.pict\shell\open\command" refers to invalid object "C:\PROGRA~1\QUICKT~1\PictureViewer.exe "%1"". Action Taken: No Action Taken.
Entry "HKCR\QuickTime.pntg\shell\open\command" refers to invalid object "C:\PROGRA~1\QUICKT~1\PictureViewer.exe "%1"". Action Taken: No Action Taken.
Entry "HKCR\QuickTime.psd\shell\open\command" refers to invalid object "C:\PROGRA~1\QUICKT~1\PictureViewer.exe "%1"". Action Taken: No Action Taken.
Entry "HKCR\QuickTime.qif\shell\open\command" refers to invalid object "C:\PROGRA~1\QUICKT~1\PictureViewer.exe "%1"". Action Taken: No Action Taken.
Entry "HKCR\QuickTime.qti\shell\open\command" refers to invalid object "C:\PROGRA~1\QUICKT~1\PictureViewer.exe "%1"". Action Taken: No Action Taken.
Entry "HKCR\QuickTime.qtif\shell\open\command" refers to invalid object "C:\PROGRA~1\QUICKT~1\PictureViewer.exe "%1"". Action Taken: No Action Taken.
Entry "HKCR\QuickTimeImage\shell\open\command" refers to invalid object ""C:\Program Files\QuickTime\PictureViewer.exe" "%1"". Action Taken: No Action Taken.
Entry "HKCR\QuickTimeMovie\shell\open\command" refers to invalid object ""C:\Program Files\QuickTime\MoviePlayer.exe" "%1"". Action Taken: No Action Taken.
Entry "HKCR\.aw" refers to invalid object "AWFile". Action Taken: No Action Taken.
Entry "HKCR\.col" refers to invalid object "COLFile". Action Taken: No Action Taken.
Entry "HKCR\.elm" refers to invalid object "ELMFile". Action Taken: No Action Taken.
Entry "HKCR\.ffa" refers to invalid object "FFAFile". Action Taken: No Action Taken.
Entry "HKCR\.ffl" refers to invalid object "FFLFile". Action Taken: No Action Taken.
Entry "HKCR\.fft" refers to invalid object "FFTFile". Action Taken: No Action Taken.
Entry "HKCR\.ffx" refers to invalid object "FFXFile". Action Taken: No Action Taken.
Entry "HKCR\.lex" refers to invalid object "LEXFile". Action Taken: No Action Taken.
Entry "HKCR\.opc" refers to invalid object "OPCFile". Action Taken: No Action Taken.
Entry "HKCR\.stf" refers to invalid object "STFFile". Action Taken: No Action Taken.
Entry "HKCR\.tuw" refers to invalid object "TUWFile". Action Taken: No Action Taken.
Entry "HKCR\.wll" refers to invalid object "Word.Addin.8". Action Taken: No Action Taken.

[Mobo]

Lets do some searching and removal then Lance:


go to start / run / regedit
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Run
If any of the following are present, delete em: 'SaveNow', 'WhenUSave', 'WhenUSearch' or 'VVSN' values

Then follow these keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\RunServices
In the right pane, delete the value:
"wupd" = "%System%\symcsvc.exe"


Then start / run / cmd
Paste the following code
cd %WinDir%\System ----Then click enter
regsvr32 /u"Program Files\WhenUSearch\search.dll" --then enter again


Now download pocket killbox from here: http://www.downloads.subratam.org/KillBox.zip

Unzip it then open and in the soace provided paste this line:
C:\WINDOWS\TEMP\INFOWINDOW.DLL
Now tick "Delete on reboot". Then click the red x and when prompted to reboot now select no. We must wait to reboot after we have removed all files below as well:
C:\WINDOWS\TEMP\_ISTMP1.DIR\_ISTMP0.DIR\FileGrp\MS VCRT10.DLL
C:\WINDOWS\MRUN32.EXE
C:\WINDOWS\TEMP\INFOWINDOW.DLL

Now delete all temp files as per this article:
http://www.cyberanswers.org/temp_files.php



Now reboot, run a full online scan here http://www.pandasoftware.com/products/activescan.htm
Remove anything it finds. Then post back with those results.