The BullGuard products and services are part of NortonLifeLock Inc., a global leader in consumer Cyber Safety with a portofolio of brands including Norton, Avira and more. Learn more at NortonLifeLock.com

Windows police pro

Posted 10/18/2009 7:18 PM
#78442
User avatar

barryjohnkerr Member

Date Joined Nov 2016
Total Posts: 3
This has ruined my machine


anyone that can help would be great



can't open .exe files run in safe mode ect
Posted 10/20/2009 12:35 AM
#78452
User avatar

Jintan Advanced member

Date Joined Nov 2016
Total Posts: 1049
Welcome to BG forums barryjohnkerr,


We will have to try a few different measures, then see what you can use for a scan to post info back here.


Click here or here and download Win32kDiag.exe directly to your C drive folder, so it then is C:\Win32kDiag.exe.


Go to Start - Run, type cmd (and press OK). At the prompt type or copy/paste the following, pressing Enter after each:

cd\

win32kdiag -r -f


Once that completes press any key to finish the scan. Post the new Win32kDiag.txt log with your next reply (it should be located on the desktop).

------------------

Also Also Go Here and download Silent Runners to your desktop. Run it, and post back here the log it creates. If your protective software queries the script, allow it to run. It's not malicious. It will create a file named Startup Programs, and will notify when the scan is complete. Copy the log from the Startup Programs file back here. Here are guidelines for using Silent Runners.
Posted 10/20/2009 7:20 PM
#78539
User avatar

barryjohnkerr Member

Date Joined Nov 2016
Total Posts: 3
Hello thanks for getting back to me, right i tryed the first thing your suggested and this is what i got in the log

Running from: WIN32KDIAG

Log file at : C:\Documents and Settings\Barry kerr\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Cannot access: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\CONFIG\security.config.cch.3488.161869437

Attempting to restore permissions of : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\CONFIG\security.config.cch.3488.161869437

Then i message poped up and said that:

file of directory

\WINDOWS\prefetch\logonui.exe-312beibf.pf is corrupt and unreadable

I also downloaded the silent runners program and this is the log that it produced

"Silent Runners.vbs", revision 59, https://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"swg" = ""C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"" ["Google Inc."]
"MsnMsgr" = ""C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background" [file not found]
"PhotoShow Deluxe Media Manager" = "C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe" [file not found]
"SUPERAntiSpyware" = "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" ["SUPERAntiSpyware.com"]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"scheduler_monitor" = "C:\Program Files\ReaConverter 5.5 Pro\init_scheduler.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ehTray" = "C:\WINDOWS\ehome\ehtray.exe" [MS]
"LaunchApp" = "(empty string)" [file not found]
"AzMixerSel" = "C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" ["Realtek Semiconductor Corp."]
"Acer ePresentation HPD" = "C:\Acer\Empowering Technology\ePresentation\ePresentation.exe" [null data]
"IMJPMIG8.1" = ""C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32" [MS]
"MSPY2002" = "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC" [null data]
"PHIME2002ASync" = "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC" [MS]
"PHIME2002A" = "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName" [MS]
"RTHDCPL" = "RTHDCPL.EXE" ["Realtek Semiconductor Corp."]
"SkyTel" = "SkyTel.EXE" ["Realtek Semiconductor Corp."]
"Alcmtr" = "ALCMTR.EXE" ["Realtek Semiconductor Corp."]
"ePower_DMC" = "C:\Acer\Empowering Technology\ePower\ePower_DMC.exe" [null data]
"Boot" = "C:\Acer\Empowering Technology\ePower\Boot.exe" [null data]
"LManager" = "C:\PROGRA~1\LAUNCH~1\LManager.exe" ["Dritek System Inc."]
"ATICCC" = ""C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"" [null data]
"eRecoveryService" = "C:\Acer\Empowering Technology\eRecovery\eRAgent.exe" ["Acer Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\QTTask.exe" -atboottime" ["Apple Inc."]
"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Inc."]
"Monitor" = "C:\WINDOWS\PixArt\PAC207\Monitor.exe" ["PixArt Imaging Incorporation"]
"AVG8_TRAY" = "C:\PROGRA~1\AVG\AVG8\avgtray.exe" ["AVG Technologies CZ, s.r.o."]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"Sony Ericsson PC Suite" = ""C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions" [null data]
"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"KTPWare" = "C:\Program Files\Elantech\ktp.exe" ["ELANTECH Devices Corp."]
"GrooveMonitor" = ""C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"" [MS]
"ISTray" = ""C:\Program Files\Spyware Doctor\pctsTray.exe"" ["PC Tools"]
"DWQueuedReporting" = ""C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{2A0F3D1B-0909-4FF4-B272-609CCE6054E7}\(Default) = "Browser Defender BHO"
-> {HKLM...CLSID} = "PC Tools Browser Guard BHO"
\InProcServer32\(Default) = "C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll" ["Threat Expert Ltd."]
{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\(Default) = "WormRadar.com IESiteBlocker.NavFilter"
-> {HKLM...CLSID} = "AVG Safe Search"
\InProcServer32\(Default) = "C:\Program Files\AVG\AVG8\avgssie.dll" ["AVG Technologies CZ, s.r.o."]
{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Groove GFS Browser Helper"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll" ["Sun Microsystems, Inc."]
{77DC0B63-ff35-4ba9-8BE8-aa9EB676FA02}\(Default) = (no title provided)
-> {HKLM...CLSID} = "ADC PlugIn"
\InProcServer32\(Default) = "C:\WINDOWS\system32\plugie.dll" ["ASC - AntiSpyware"]
{a1b2f3fa-dd1d-470b-a23e-a133b2f8ef60}\(Default) = (no title provided)
-> {HKLM...CLSID} = "thechatterbox.cc Toolbar"
\InProcServer32\(Default) = "C:\Program Files\bigmaq\tbbig1.dll" ["Conduit Ltd."]
{A3BC75A2-1F87-4686-AA43-5347D756017C}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AVG Security Toolbar BHO"
\InProcServer32\(Default) = "C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll" [null data]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Helper"
\InProcServer32\(Default) = "C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll" ["Google Inc."]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Notifier BHO"
\InProcServer32\(Default) = "C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll" ["Google Inc."]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Windows Live Toolbar Helper"
\InProcServer32\(Default) = "C:\Program Files\Windows Live Toolbar\msntb.dll" [MS]
{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}\(Default) = "Google Dictionary Compression sdch"
-> {HKLM...CLSID} = "Google Dictionary Compression sdch"
\InProcServer32\(Default) = "C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll" ["Google Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{2b45bd21-71f8-4c8c-a87a-7eeb25a1a3e0}" = "EPM-PO Shell Extension"
-> {HKLM...CLSID} = "EPM-PO Shell Extensions"
\InProcServer32\(Default) = "epm-po.dll" ["Acer Labs USA"]
"{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
-> {HKLM...CLSID} = "SimpleShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll" [empty string]
"{79BC0345-1015-11D2-A299-006008312725}" = "blue.shell"
-> {HKLM...CLSID} = "Studio.Project"
\InProcServer32\(Default) = "C:\Program Files\Pinnacle\Studio 10\programs\BlueShellExt.dll" [file not found]
"{2F5AC606-70CF-461C-BFE1-6063670C3484}" = "Mouse CPL Extension"
-> {HKLM...CLSID} = "MouseCplExt Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\MousePage.dll" [empty string]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."]
"{506F4668-F13E-4AA1-BB04-B43203AB3CC0}" = "{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"
-> {HKLM...CLSID} = "ImageExtractorShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\VISSHE.DLL" [MS]
"{D66DC78C-4F61-447F-942B-3FB6980118CF}" = "{D66DC78C-4F61-447F-942B-3FB6980118CF}"
-> {HKLM...CLSID} = "CInfoTipShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\VISSHE.DLL" [MS]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG8 Shell Extension"
-> {HKLM...CLSID} = "AVG8 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\AVG\AVG8\avgse.dll" ["AVG Technologies CZ, s.r.o."]
"{03DAACC5-10BA-4E3E-9D54-2A569F6B4B87}" = "Sony Ericsson File Manager"
-> {HKLM...CLSID} = "Sony Ericsson File Manager"
\InProcServer32\(Default) = "C:\Program Files\Sony Ericsson\Mobile2\File Manager\FM.dll" ["Popwire AB"]
"{738D66C6-0149-4D40-84E4-A7BB2D0CE949}" = "Sony Ericsson File Manager"
-> {HKLM...CLSID} = "Sony Ericsson File Manager"
\InProcServer32\(Default) = "C:\Program Files\Sony Ericsson\Mobile2\File Manager\FM.dll" ["Popwire AB"]
"{DF00DBF0-2C54-4564-838B-11B50DB0B2DD}" = "ReaConverter Shell Extension"
-> {HKLM...CLSID} = "ReaConverter Context Menu Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\REACON~1.5PR\context.dll" [null data]
"{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C}" = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"
-> {HKLM...CLSID} = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\ONFILTER.DLL" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\OLKFSTUB.DLL" [MS]
"{920E6DB1-9907-4370-B3A0-BAFC03D81399}" = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]
"{99FD978C-D287-4F50-827F-B2C658EDA8E7}" = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]
"{2916C86E-86A6-43FE-8112-43ABE6BF8DCC}" = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]
"{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC}" = "Groove Explorer Icon Overlay 2 (GFS Stub)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2 (GFS Stub)"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]
"{16F3DD56-1AF5-4347-846D-7C10C4192619}" = "Groove Explorer Icon Overlay 3 (GFS Folder)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 3 (GFS Folder)"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]
"{387E725D-DC16-4D76-B310-2C93ED4752A0}" = "Groove XML Icon Handler"
-> {HKLM...CLSID} = "Groove XML Icon Handler"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]
"{6C467336-8281-4E60-8204-430CED96822D}" = "Groove GFS Context Menu Handler"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" = "Groove GFS Stub Execution Hook"
-> {HKLM...CLSID} = "Groove GFS Stub Execution Hook"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]
"{A449600E-1DC6-4232-B948-9BD794D62056}" = "Groove GFS Stub Icon Handler"
-> {HKLM...CLSID} = "Groove GFS Stub Icon Handler"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]
"{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}" = "Groove GFS Explorer Bar"
-> {HKLM...CLSID} = "Groove Folder Synchronization"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]
"{72853161-30C5-4D22-B7F9-0BBC1D38A37E}" = "Groove GFS Browser Helper"
-> {HKLM...CLSID} = "Groove GFS Browser Helper"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]
"{11016101-E366-4D22-BC06-4ADA335C892B}" = "IE History and Feeds Shell Data Source for Windows Search"
-> {HKLM...CLSID} = "IE History and Feeds Shell Data Source for Windows Search"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\msohevi.dll" [MS]
"{E81FFB23-40E2-431C-A041-76AEA0E4B04C}" = "Nameext"
-> {HKLM...CLSID} = "Enterprise Projects"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\NAMEEXT.DLL" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<> "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" = (no title provided)
-> {HKLM...CLSID} = "SABShellExecuteHook Class"
\InProcServer32\(Default) = "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" ["SuperAdBlocker.com"]
<> "{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" = "Groove GFS Stub Execution Hook"
-> {HKLM...CLSID} = "Groove GFS Stub Execution Hook"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<> !SASWinLogon\DLLName = "C:\Program Files\SUPERAntiSpyware\SASWINLO.dll" ["SUPERAntiSpyware.com"]
<> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
<> avgrsstarter\DLLName = "avgrsstx.dll" ["AVG Technologies CZ, s.r.o."]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "c:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
AVG8 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG8 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\AVG\AVG8\avgse.dll" ["AVG Technologies CZ, s.r.o."]
CnvShell\(Default) = "{A118FEA0-1D1B-4165-BC37-88F95B250E7A}"
-> {HKLM...CLSID} = "CnvShellATL Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\cnvshell.dll" [file not found]
ReaConverter\(Default) = "{DF00DBF0-2C54-4564-838B-11B50DB0B2DD}"
-> {HKLM...CLSID} = "ReaConverter Context Menu Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\REACON~1.5PR\context.dll" [null data]
SDContextExt\(Default) = "{70F8E90E-353A-47AB-B297-C576345EE693}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Spyware Doctor\SDContextExt32.dll" ["PC Tools"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
AVG8 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG8 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\AVG\AVG8\avgse.dll" ["AVG Technologies CZ, s.r.o."]
CnvShell\(Default) = "{A118FEA0-1D1B-4165-BC37-88F95B250E7A}"
-> {HKLM...CLSID} = "CnvShellATL Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\cnvshell.dll" [file not found]
ReaConverter\(Default) = "{DF00DBF0-2C54-4564-838B-11B50DB0B2DD}"
-> {HKLM...CLSID} = "ReaConverter Context Menu Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\REACON~1.5PR\context.dll" [null data]
SDContextExt\(Default) = "{70F8E90E-353A-47AB-B297-C576345EE693}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Spyware Doctor\SDContextExt32.dll" ["PC Tools"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]


Default executables:
--------------------

<> HKLM\SOFTWARE\Classes\.exe\(Default) = ".exe"


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"HonorAutoRunSetting" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

"InstallVisualStyle" = (REG_EXPAND_SZ) C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
{unrecognized setting}

"InstallTheme" = (REG_EXPAND_SZ) C:\WINDOWS\Resources\Themes\Royale.theme
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Barry kerr\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

ASHAshampoo_Burning_Studio_6_FREEBURNONARRIVAL\
"Provider" = "Ashampoo Burning Studio 6 FREE"
"InvokeProgID" = "Ashampoo.BurningStudio6FREE"
"InvokeVerb" = "autoplay-burn"
HKLM\SOFTWARE\Classes\Ashampoo.BurningStudio6FREE\shell\autoplay-burn\Command\(Default) = ""C:\Program Files\Ashampoo\Ashampoo Burning Studio 6\burningstudio.exe" -autoplay -selectdrive "%l"" ["ashampoo Technology GmbH & Co. KG"]

ASHAshampoo_Burning_Studio_6_FREECOPYONARRIVAL\
"Provider" = "Ashampoo Burning Studio 6 FREE"
"InvokeProgID" = "Ashampoo.BurningStudio6FREE"
"InvokeVerb" = "autoplay-copy"
HKLM\SOFTWARE\Classes\Ashampoo.BurningStudio6FREE\shell\autoplay-copy\Command\(Default) = "C:\Program Files\Ashampoo\Ashampoo Burning Studio 6\burningstudio.exe" -autoplay -selectdrive "%l" -copy" [file not found]

ASHAshampoo_Burning_Studio_6_FREERIPONARRIVAL\
"Provider" = "Ashampoo Burning Studio 6 FREE"
"InvokeProgID" = "Ashampoo.BurningStudio6FREE"
"InvokeVerb" = "autoplay-rip"
HKLM\SOFTWARE\Classes\Ashampoo.BurningStudio6FREE\shell\autoplay-rip\Command\(Default) = ""C:\Program Files\Ashampoo\Ashampoo Burning Studio 6\burningstudio.exe" -autoplay -selectdrive "%l" -rip" ["ashampoo Technology GmbH & Co. KG"]

EHomeMusicDropTarget\
"Provider" = "Media Center"
"InvokeProgID" = "EHomeDropTarget.EHomeMusicDropTarget"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\EHomeDropTarget.EHomeMusicDropTarget\shell\play\DropTarget\CLSID = "{ED87EFF3-FF22-404E-B2BD-BC3841BDCB2C}"
-> {HKLM...CLSID} = "EHomeMusicDropTarget Class"
\InProcServer32\(Default) = "C:\WINDOWS\eHome\ehdrop.dll" [MS]

EHomePhotosHandler\
"Provider" = "Media Center"
"InvokeProgID" = "EHomeDropTarget.EHomePhotosHandler"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\EHomeDropTarget.EHomePhotosHandler\shell\play\DropTarget\CLSID = "{4b7601c1-d292-4902-89f4-583a5ce0c535}"
-> {HKLM...CLSID} = "EHomePhotosHandler Class"
\InProcServer32\(Default) = "C:\WINDOWS\eHome\ehdrop.dll" [MS]

EHomeVideoDropTarget\
"Provider" = "Media Center"
"InvokeProgID" = "EHomeDropTarget.EHomeVideoDropTarget"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\EHomeDropTarget.EHomeVideoDropTarget\shell\play\DropTarget\CLSID = "{A48E70A4-8E15-4465-9D85-CCE9E63F8AAB}"
-> {HKLM...CLSID} = "EHomeVideoDropTarget Class"
\InProcServer32\(Default) = "C:\WINDOWS\eHome\ehdrop.dll" [MS]

EHomeVideosHandler\
"Provider" = "Media Center"
"InvokeProgID" = "EHomeDropTarget.EHomeVideosHandler"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\EHomeDropTarget.EHomeVideosHandler\shell\play\DropTarget\CLSID = "{4f61ec50-acef-4ae7-b4c6-b19bddc0f745}"
-> {HKLM...CLSID} = "EHomeVideosHandler Class"
\InProcServer32\(Default) = "C:\WINDOWS\eHome\ehdrop.dll" [MS]

iTunesBurnCDOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.BurnCD"
"InvokeVerb" = "burn"
HKLM\SOFTWARE\Classes\iTunes.BurnCD\shell\burn\command\(Default) = ""C:\Program Files\iTunes\iTunes.exe" /AutoPlayBurn "%L"" ["Apple Inc."]

iTunesImportSongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.ImportSongsOnCD"
"InvokeVerb" = "import"
HKLM\SOFTWARE\Classes\iTunes.ImportSongsOnCD\shell\import\command\(Default) = ""C:\Program Files\iTunes\iTunes.exe" /AutoPlayImportSongs "%L"" ["Apple Inc."]

iTunesPlaySongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.PlaySongsOnCD"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\iTunes.PlaySongsOnCD\shell\play\command\(Default) = ""C:\Program Files\iTunes\iTunes.exe" /playCD "%L"" ["Apple Inc."]

iTunesShowSongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.ShowSongsOnCD"
"InvokeVerb" = "showsongs"
HKLM\SOFTWARE\Classes\iTunes.ShowSongsOnCD\shell\showsongs\command\(Default) = ""C:\Program Files\iTunes\iTunes.exe" /AutoPlayShowSongs "%L"" ["Apple Inc."]

MSVideoCameraArrival\
"Provider" = "@C:\Program Files\Movie Maker\1046\wmm2res.dll,-100"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = ""C:\Program Files\Movie Maker\moviemk.exe" /RECORD"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "ShellExecute HW Event Handler"
\LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

MSWPDShellNamespaceHandler\
"Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = " "
-> {HKLM...CLSID} = "WPDShextAutoplay"
\LocalServer32\(Default) = "C:\WINDOWS\system32\WPDShextAutoplay.exe" [MS]

NeroAutoPlay2PlayAudioCD\
"Provider" = "Nero Media Player"
"InvokeProgID" = "Nero.AutoPlay2"
"InvokeVerb" = "PlayMusicFilesOnArrival_PlayAudioCD"
HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\PlayMusicFilesOnArrival_PlayAudioCD\command\(Default) = "C:\Program Files\Ahead\NeroMediaPlayer\NeroMediaPlayer.exe /Play %L" [file not found]

PDVDPlayCDAudioOnArrival\
"Provider" = "PowerDVD"
"InvokeProgID" = "AudioCD"
"InvokeVerb" = "PlayWithPowerDVD"
HKLM\SOFTWARE\Classes\AudioCD\shell\PlayWithPowerDVD\Command\(Default) = ""C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe" "%L"" ["CyberLink Corp."]

PDVDPlayDVDMovieOnArrival\
"Provider" = "PowerDVD"
"InvokeProgID" = "DVD"
"InvokeVerb" = "PlayWithPowerDVD"
HKLM\SOFTWARE\Classes\DVD\shell\PlayWithPowerDVD\Command\(Default) = ""C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe" "%L"" ["CyberLink Corp."]

PDVDPlayVCDMovieOnArrival\
"Provider" = "PowerDVD"
"InvokeProgID" = "VCD"
"InvokeVerb" = "PlayWithPowerDVD"
HKLM\SOFTWARE\Classes\VCD\shell\PlayWithPowerDVD\Command\(Default) = ""C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe" "%l"" ["CyberLink Corp."]


Startup items in "Barry kerr" & "All Users" startup folders:
------------------------------------------------------------

C:\Documents and Settings\Barry kerr\Start Menu\Programs\Startup
"Cyber-shot Viewer Media Check Tool" -> shortcut to: "C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe" ["Sony Corporation"]
"OneNote 2007 Screen Clipper and Launcher" -> shortcut to: "C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE /tsr" [MS]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Acer Empowering Technology" -> shortcut to: "C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe" [null data]
"OfficeWebCenter" -> shortcut to: "C:\Program Files\Office-Web\Office-Web Center\panel.exe" [null data]
"Extender Resource Monitor" -> shortcut to: "C:\WINDOWS\ehome\RMSysTry.exe" [MS]


Enabled Scheduled Tasks:
------------------------

"Check Updates for Windows Live Toolbar" -> launches: "C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE" [MS]
"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 04, 07 - 18
%SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "Google Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll" ["Google Inc."]
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}"
-> {HKLM...CLSID} = "Windows Live Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Windows Live Toolbar\msntb.dll" [MS]
"{A1B2F3FA-DD1D-470B-A23E-A133B2F8EF60}"
-> {HKLM...CLSID} = "thechatterbox.cc Toolbar"
\InProcServer32\(Default) = "C:\Program Files\bigmaq\tbbig1.dll" ["Conduit Ltd."]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "Google Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll" ["Google Inc."]
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}"
-> {HKLM...CLSID} = "Windows Live Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Windows Live Toolbar\msntb.dll" [MS]
"{A1B2F3FA-DD1D-470B-A23E-A133B2F8EF60}"
-> {HKLM...CLSID} = "thechatterbox.cc Toolbar"
\InProcServer32\(Default) = "C:\Program Files\bigmaq\tbbig1.dll" ["Conduit Ltd."]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"
-> {HKLM...CLSID} = "AVG Security Toolbar"
\InProcServer32\(Default) = "C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll" [null data]
"{472734EA-242A-422B-ADF8-83D1E48CC825}"
-> {HKLM...CLSID} = "PC Tools Browser Guard"
\InProcServer32\(Default) = "C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll" ["Threat Expert Ltd."]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" = (no title provided)
-> {HKLM...CLSID} = "Windows Live Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Windows Live Toolbar\msntb.dll" [MS]
"{A1B2F3FA-DD1D-470B-A23E-A133B2F8EF60}" = "thechatterbox.cc Toolbar"
-> {HKLM...CLSID} = "thechatterbox.cc Toolbar"
\InProcServer32\(Default) = "C:\Program Files\bigmaq\tbbig1.dll" ["Conduit Ltd."]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}" = "AVG Security Toolbar"
-> {HKLM...CLSID} = "AVG Security Toolbar"
\InProcServer32\(Default) = "C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll" [null data]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll" ["Google Inc."]
"{472734EA-242A-422B-ADF8-83D1E48CC825}" = "PC Tools Browser Guard"
-> {HKLM...CLSID} = "PC Tools Browser Guard"
\InProcServer32\(Default) = "C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll" ["Threat Expert Ltd."]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Real.com"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Shdocvw.dll" [MS]

HKLM\SOFTWARE\Classes\CLSID\{1711AC79-9474-4BC4-8762-DD618305CA10}\(Default) = "thechatterbox.cc Findbar"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\Program Files\bigmaq\tbbig1.dll" ["Conduit Ltd."]

HKLM\SOFTWARE\Classes\CLSID\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\(Default) = "Groove Folder Synchronization"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.6.0_05"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.6.0_05"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll" ["Sun Microsystems, Inc."]

{0E17D5B7-9F5D-4FEE-9DF6-CA6EE38B68A8}\
"ButtonText" = "ieSpell"
"MenuText" = "ieSpell"
"Script" = "res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM" ["Red Egg Software"]

{1606D6F9-9D3B-4AEA-A025-ED5B2FD488E7}\
"MenuText" = "ieSpell Options"
"Script" = "res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM" ["Red Egg Software"]

{2670000A-7350-4F3C-8081-5663EE0C6C49}\
"ButtonText" = "Send to OneNote"
"MenuText" = "S&end to OneNote"
"CLSIDExtension" = "{48E73304-E1D6-4330-914C-F5F514E3486C}"
-> {HKLM...CLSID} = "Send to OneNote from Internet Explorer button"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll" [MS]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL="https://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"
[Strings]: MS_START_PAGE_URL="https://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"

Missing lines (compared with English-language version):
[Strings]: 2 lines

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<> "{A3BC75A2-1F87-4686-AA43-5347D756017C}" = (no title provided)
-> {HKLM...CLSID} = "AVG Security Toolbar BHO"
\InProcServer32\(Default) = "C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll" [null data]

HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\
<> "InPrivate" = "res://ieframe.dll/inprivate.htm" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Apple Mobile Device, Apple Mobile Device, ""C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"" ["Apple, Inc."]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
AVG8 WatchDog, avg8wd, "C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe" ["AVG Technologies CZ, s.r.o."]
Browser Defender Update Service, Browser Defender Update Service, ""C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe"" ["Threat Expert Ltd."]
LightScribeService Direct Disc Labeling Service, LightScribeService, ""C:\Program Files\Common Files\LightScribe\LSSrvc.exe"" ["Hewlett-Packard Company"]
Media Center Extender Resource Monitor, RMSvc, "C:\WINDOWS\ehome\RMSvc.exe" [MS]
Media Center Extender Service, McrdSvc, "C:\WINDOWS\ehome\McrdSvc.exe" [MS]
Media Center Receiver Service, ehRecvr, "C:\WINDOWS\eHome\ehRecvr.exe" [MS]
Media Center Scheduler Service, ehSched, "C:\WINDOWS\eHome\ehSched.exe" [MS]
Memory Check Service, AcerMemUsageCheckService, "C:\Acer\Empowering Technology\ePerformance\MemCheck.exe" [null data]
PC Tools Auxiliary Service, sdAuxService, "C:\Program Files\Spyware Doctor\pctsAuxs.exe" ["PC Tools"]
PC Tools Security Service, sdCoreService, "C:\Program Files\Spyware Doctor\pctsSvc.exe" ["PC Tools"]
ScsiAccess, ScsiAccess, "C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe" [null data]
WDefend, WDefend, "C:\WINDOWS\svohost.exe" [null data]
Windows Driver Foundation - User-mode Driver Framework, WudfSvc, "C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup" {"C:\WINDOWS\System32\WUDFSvc.dll" [MS]}


Keyboard Driver Filters:
------------------------

HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
"UpperFilters" = <> "PCTCore" ["PC Tools"]


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]


---------- (launch time: 2009-10-20 20:02:06)
<>: Suspicious data at a malware launch point.
<>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 83 seconds, including 18 seconds for message boxes)


Thanks for having a look at this for me

Barry
Posted 10/20/2009 11:31 PM
#78585
User avatar

Jintan Advanced member

Date Joined Nov 2016
Total Posts: 1049
That shows the executable file change. Let's do some repairs then scan/repair as well.


To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware softwares while these steps are being completed. This can usually be done through right clicking the software's Taskbar icons, or accessing each software through Start - Programs.


Go here and download and unzip Doug Knox's EXE File Association Fix. In the folder created move the xp_exe_fix.reg directly to your desktop (Important!).

Then open Task Manager (press Ctrl - Alt - Delete). Click "File", and then while pressing and holding the Ctrl key click "New Task". This will open the command window.

Once that opens, at the prompt type the following, Enter after each:

cd %userprofile%\desktop
xp_exe_fix.reg


Be sure to agree to the warning to merge the reg file with the Registry. Then type exit and press Enter to close that command window.

----------------

Download ComboFix.exe from here to your desktop, but I would like you to rename the file as you download it (do not download it directly without renaming it - use right click "Save Target/Link As" ). For this, rename the downloading file to 456out.com, then click the renamed 456out.com to run that scan.

Be sure to install the Recovery Console if you are asked to do so. When the scan completes, a text window with your log will open. Please copy and paste that log back here.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.
Posted 10/26/2009 9:01 PM
#78888
User avatar

barryjohnkerr Member

Date Joined Nov 2016
Total Posts: 3
Sorry for delay in getting back to you, just been having a bit of hastle actually getting on to the internet over the last few days.

i have done all that you have sugested in the last post here, all my icons on the desk top, itunes, word etc etc have all came back and seem to be working again

here is the log that was created


ComboFix 09-10-25.02 - Barry kerr 26/10/2009 20:29.1.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.894.508 [GMT 0:00]
Running from: c:\documents and settings\Barry kerr\Desktop\456out.com
AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Barry kerr\Start Menu\Programs\Windows Police Pro
c:\documents and settings\Barry kerr\Start Menu\Programs\Windows Police Pro\Windows Police Pro.lnk
c:\program files\Windows Police Pro
c:\windows\Downloaded Program Files\poPCaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\kb913800.exe
c:\windows\regedit.com
c:\windows\svohost.exe
c:\windows\system32\bincd32.dat
c:\windows\system32\nuar.old
c:\windows\system32\pump.exe
c:\windows\system32\setup.exe.tmp
c:\windows\system32\skynet.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WDefend
-------\Service_WDefend


((((((((((((((((((((((((( Files Created from 2009-09-26 to 2009-10-26 )))))))))))))))))))))))))))))))
.

2009-10-20 21:06 . 2009-10-20 21:06 -------- d-----w- C:\FOUND.003
2009-10-20 19:44 . 2009-10-20 19:44 47104 ----a-w- C:\Win32kDiag.exe
2009-10-18 18:18 . 2009-10-18 18:18 -------- d-----w- C:\FOUND.002
2009-10-18 16:53 . 2004-08-10 20:00 146432 ----a-w- c:\windows\reggedit.com
2009-10-18 00:34 . 2009-10-18 00:34 -------- d-----w- c:\documents and settings\Barry kerr\Local Settings\Application Data\Threat Expert
2009-10-18 00:21 . 2009-10-08 11:31 767952 ----a-w- c:\windows\BDTSupport.dll
2009-10-18 00:21 . 2009-10-08 11:31 149456 ----a-w- c:\windows\SGDetectionTool.dll
2009-10-18 00:21 . 2009-10-02 14:19 1152470 ----a-w- c:\windows\UDB.zip
2009-10-18 00:21 . 2008-11-26 12:08 131 ----a-w- c:\windows\IDB.zip
2009-10-18 00:20 . 2009-10-08 11:31 165840 ----a-w- c:\windows\PCTBDRes.dll
2009-10-18 00:20 . 2009-10-08 11:31 1636304 ----a-w- c:\windows\PCTBDCore.dll
2009-10-18 00:14 . 2009-09-24 08:55 229304 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-10-18 00:14 . 2009-10-06 16:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-10-18 00:14 . 2009-09-23 16:10 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-10-18 00:13 . 2009-09-03 09:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-10-18 00:13 . 2009-10-18 00:13 -------- d-----w- c:\program files\Common Files\PC Tools
2009-10-18 00:13 . 2009-10-18 00:13 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-10-18 00:13 . 2009-10-18 00:13 -------- d-----w- c:\program files\Spyware Doctor
2009-10-18 00:13 . 2009-10-18 00:13 -------- d-----w- c:\documents and settings\Barry kerr\Application Data\PC Tools
2009-10-17 22:06 . 2009-10-18 22:05 571392 ----a-w- c:\windows\system32\plugie.dll
2009-10-03 14:22 . 2009-10-03 14:22 -------- d-----w- C:\FOUND.001

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-23 20:01 . 2006-06-01 17:59 96888 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-16 03:20 . 2009-10-18 00:14 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-09-15 06:20 . 2009-10-18 00:13 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2009-09-15 02:12 . 2009-10-18 00:14 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2009-09-15 01:01 . 2009-10-18 00:14 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2009-09-11 15:33 . 2008-07-20 23:21 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-07 19:44 . 2009-09-07 19:44 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-04 21:45 . 2008-07-20 23:22 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 09:08 . 2006-01-09 11:02 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 09:16 . 2008-07-20 23:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-17 23:33 . 2009-08-17 23:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-05 10:11 . 2008-07-20 23:22 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 14:58 . 2008-07-20 23:21 2136064 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:13 . 2008-07-20 23:21 2015744 ----a-w- c:\windows\system32\ntkrnlpa.exe
2008-03-14 09:42 . 2008-03-14 09:42 251 ----a-w- c:\program files\wt3d.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{77DC0B63-ff35-4ba9-8BE8-aa9EB676FA02}]
2009-10-18 22:05 571392 ----a-w- c:\windows\system32\plugie.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-14 16:07 1004800 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]
"{472734EA-242A-422B-ADF8-83D1E48CC825}"= "c:\program files\Spyware Doctor\BDT\PCTBrowserDefender.dll" [2009-10-08 395216]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CLASSES_ROOT\clsid\{472734ea-242a-422b-adf8-83d1e48cc825}]
[HKEY_CLASSES_ROOT\BrowserDefender.BDToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{175B7885-28AB-4D18-8773-7A13A99980A4}]
[HKEY_CLASSES_ROOT\BrowserDefender.BDToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]
"{472734EA-242A-422B-ADF8-83D1E48CC825}"= "c:\program files\Spyware Doctor\BDT\PCTBrowserDefender.dll" [2009-10-08 395216]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CLASSES_ROOT\clsid\{472734ea-242a-422b-adf8-83d1e48cc825}]
[HKEY_CLASSES_ROOT\BrowserDefender.BDToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{175B7885-28AB-4D18-8773-7A13A99980A4}]
[HKEY_CLASSES_ROOT\BrowserDefender.BDToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-21 68856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-21 1510640]
"scheduler_monitor"="c:\program files\ReaConverter 5.5 Pro\init_scheduler.exe" [2007-06-15 27136]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2006-04-14 53248]
"Acer ePresentation HPD"="c:\acer\Empowering Technology\ePresentation\ePresentation.exe" [2006-03-31 204800]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-05-30 421888]
"Boot"="c:\acer\Empowering Technology\ePower\Boot.exe" [2006-03-15 579584]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2006-06-23 602112]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-06-01 413696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-12-11 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-12-11 267048]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-25 1948440]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2006-11-24 487424]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 761946]
"KTPWare"="c:\program files\Elantech\ktp.exe" [2006-03-28 512000]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-06-27 16248320]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-10 15360]

c:\documents and settings\Barry kerr\Start Menu\Programs\Startup\
Cyber-shot Viewer Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2006-12-26 155648]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Acer Empowering Technology.lnk - c:\acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2006-3-27 45056]
OfficeWebCenter.lnk - c:\program files\Office-Web\Office-Web Center\panel.exe [2007-4-17 163840]
Extender Resource Monitor.lnk - c:\windows\ehome\RMSysTry.exe [2005-10-20 18432]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-21 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 12:41 294912 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-25 19:55 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\MSMSGS.EXE"=
"c:\\Program Files\\Real\\RealPlayer\\REALPLAY.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"d:\\Documents\\spotify.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [18/10/2009 00:14 207280]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/05/2008 20:43 327688]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [29/02/2008 16:03 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [29/02/2008 16:03 55024]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [25/06/2009 19:55 298776]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [18/10/2009 00:21 112592]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [16/02/2006 16:51 4096]
S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;\??\c:\windows\system32\eLock2BurnerLockDriver.sys --> c:\windows\system32\eLock2BurnerLockDriver.sys [?]
S2 eLock2FSCTLDriver;eLock2FSCTLDriver;\??\c:\windows\system32\eLock2FSCTLDriver.sys --> c:\windows\system32\eLock2FSCTLDriver.sys [?]
S3 getPlusHelper;getPlus(R) Helper;c:\windows\System32\svchost.exe -k getPlusHelper [20/07/2008 23:21 14336]
S3 Ktp;Elantech Touchpad;c:\windows\system32\drivers\Ktp.sys [09/09/2008 15:41 27904]
S3 rcp_service;ReaConverter scheduler service;c:\program files\ReaConverter 5.5 Pro\rcp_scheduler.exe [30/11/2007 12:27 558592]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [18/10/2009 00:13 358600]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2009-10-26 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2009-08-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/
uInternet Settings,ProxyServer = 192.168.3.199:8080
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - https://favorites.live.com/quickadd.aspx
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-MsnMsgr - c:\program files\Windows Live\Messenger\MsnMsgr.Exe
HKCU-Run-PhotoShow Deluxe Media Manager - c:\progra~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
HKLM-Run-LaunchApp - (no file)
AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\FlashUtil9b.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2009-10-26 20:48
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3132735057-4008277594-3461846323-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E904ADCF-11BD-839E-0F92-F7D78211BDAB}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"eajfflffga"=hex:66,61,70,68,63,6c,6d,6f,6e,6f,68,65,00,31
"daehokio"=hex:64,62,66,6a,6e,65,6d,68,68,62,6d,64,67,6d,6e,70,65,68,64,6f,6e,
70,61,6e,67,63,6b,61,6f,70,65,6e,68,6b,61,6a,65,6e,6a,63,00,00
"iabjineplippdnoopm"=hex:6a,61,6b,64,6a,6e,62,63,64,63,70,67,6a,6f,67,6b,6e,66,
65,68,00,00
"hahhbdfpocobncki"=hex:6a,61,6b,64,6a,6e,62,63,64,63,70,67,6a,6f,67,6b,6e,66,
65,68,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(648)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3328)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\Hook.dll
c:\acer\Empowering Technology\ePower\SysHook.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\acer\Empowering Technology\ePerformance\MemCheck.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\456out\CF6348.exe
c:\windows\eHome\ehRecvr.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\ehome\RMSvc.exe
c:\windows\ehome\McrdSvc.exe
c:\windows\eHome\ehmsas.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\dllhost.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.EXE
c:\windows\system32\wbem\unsecapp.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\ATI Technologies\ATI.ACE\cli.exe
c:\program files\ATI Technologies\ATI.ACE\cli.exe
c:\progra~1\COMMON~1\MICROS~1\DW\DW20.EXE
c:\456out\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-26 20:56 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-26 20:56

Pre-Run: 10,828,546,048 bytes free
Post-Run: 11,817,320,448 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect /usepmtimer

- - End Of File - - C172EF11AE3A8C708166FADA28B53C3C
Posted 10/26/2009 11:20 PM
#78891
User avatar

Jintan Advanced member

Date Joined Nov 2016
Total Posts: 1049
Very good. Some additional changes and then another scan.


Be sure to continue to temporarily disable any protective software when running the scan tools we use here.


Open notepad (go to Start, Run, type notepad and press Enter) and copy/paste the text in the codebox below into it:

[code]File::
c:\windows\system32\plugie.dll
c:\windows\reggedit.com
Folder::
C:\FOUND.003
C:\FOUND.002
Registry::
[-HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{77DC0B63-ff35-4ba9-8BE8-aa9EB676FA02}]
Regnull::
[HKEY_USERS\S-1-5-21-3132735057-4008277594-3461846323-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E904ADCF-11BD-839E-0F92-F7D78211BDAB}*][/code]

Save this to your desktop as CFScript.txt


You should now have both ComboFix and that CFScript.txt on the desktop. Just left click/hold on the CFScript.txt file, and drag it into ComboFix to start the scan.

ComboFix will now run as it did before. Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

---------------

Download Malwarebytes' Anti-Malware from Here or Here.

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform quick scan", then click Scan.
* The scan may take some time to finish,so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by Malwarebytes and can be viewed by clicking the Logs tab in Malwarebytes.
* Copy and Paste the entire report in your next reply. If it calls for a reboot to complete the repairs do that as well then.

---------------------

Post the C:\ComboFix.txt log along with the Malwarebytes log please.
  • Unread posts or replies
  • No unread posts or replies
  • Unread Posts (Read Only Forum)
  • No Unread Posts (Read Only Forum)

Forum Information

Currently it is Monday, July 4, 2022, 7:10 AM (GMT +2)
There are a total of 61,974 posts in 13,697 threads.
In the last 3 days there were 0 new threads and 0 reply posts.

Who's online

This forum has 38,684 registered members. Please welcome our newest member, james44.
41 Guest(s), 0 Registered Member(s) are currently online.