Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Total Takeover, This Is The Motherload Of Them All! Help Asap!


  • This topic is locked This topic is locked
58 replies to this topic

#1 sec

sec

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:06:32 AM

Posted 23 December 2007 - 06:24 AM

Good afternoon members of bleeping computer

first of all thank you for your outstanding website and thanks to google for bringing me here in the first place, it seems like you have some background information about many of the so called malware worms.
Mine is a little diffrent ofcourse....take in mind that i already spent 2 whole days simply researching and reading on diffrent forums and trying to get rid of it myself as i have a past with other less violent worms/trojans. I also have a simple technical background so im not a complete noob.

This is how it started, i was surfing for underwater sports : freediving photos thru google's live search bar. I got a hit and i pressed the link
BOOM there it was, many files were copied over to my system in a blink of an eye i couldnt even press the cancel button in time, then some services were shutdown and my computer needed a force restart wich was all caused by this virus, on restart i didnt hasitate so i pressed F8 to quickly goto safe mode so that i could at least stop the virus from doing whatever it was going to do. I managed to end some processes and and deleted some files as well like : medichi.exe and medichi2.exe. Back then my NOD32 antivirus was still working. I restarted becouse i booted safe mode without networking and i needed the internet, i booted up in normal mode and it hit my pc bad. Background changed black and there was a little writing on the bottom right saying my pc is infected and i needed to press there to download a program that helpes me, ofcourse i didnt. Many other popups came out as well, and i also had a red X on the far right side of the start meny, next to volume wich kept poping up with alerts about my pc beeing infected, and also every now and then another program popped asking me if i wanted to install a certain program, i tend to leave it alone not pressing yes / no couse i thought either button will further spread this infection. I lost admin rights even if i loginto admin mode, i have only one account and i dont have alot of permissions, i lost control panel, start meny isnt visible anymore, no internet access, DHCP and System Restore both are disabled and i cant re-enable them becouse they are " locked to another process, or another process cant load correctly "
My computer and Network Places gone as well. I managed to go online thru a laptop and i found a couple of fixes and programs that i uses, since i didnt have admin rights on the infected pc i wasnt able to instal some program, some programs i could install like Hijackthis and others i didnt have permission to install
These are the following progs and fixes wich helped med ragain the startmenu, and control panel back, but stil i cannot use windows task manager.
Here is the list : '

FixPolicies - wich overwrote the registry and gained me back control panel, it was only temporarly until the virus took over again.
SmitFraudFIX - worked in the beginning and enabled me to remove some infected files, but after each restart the files came back
Microsoft Windows Malicious Software Removal Tool Dec 2007 - i ran a quick scan, and another complete scan wich took a whole night to complete since the pc is extremely slow and this program takes couple of hours of scanning as well. This one deleted some trojans and worms but i still cant have admin rights.
Autoruns " www.sysinternals.com " a program wich showed starup programs, services, registry entries wich i could edit, i checked a couple of suspicious files and didnt seem to do much.
AVG Antivirus 7.5 - managed to install after runnin smittfraudfix in safe mode, but the avg couldnt start up nor scan as well as my pre installed NOD32 becouse they were sort of " blocked " from the virus.
I tried CCleaner....not much help
Regcleaner - not diffrence
Spybot search&destroy - was able to install but cant run, not even in safe mode.
Spywareblaster - installed but cant run
Spywareguard - installed and working but its not finding any threats so i dont trust it.
And lastly a registry entry called : sysrestoreenable.reg wich was supposed to help me gain back system restore so i could restore to an earlier state, but had no effect.

I would like to at least be able to restore to an earlier point wich i saved a month back when everything was 100% fine, so please anybody ?
My pc is a Packard Dell Winxp Media Center i dont have the specs for it becouse i cant use system under control panel becouse of admin rights,
here is the hijack log newly taken :


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:36:18, on 24.12.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Packard Bell\SrvCDEject.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\shovth.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\WINDOWS\system32\dllgh8jkd1q2.exe
C:\WINDOWS\system32\dllgh8jkd1q6.exe
C:\WINDOWS\system32\dllgh8jkd1q7.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\DOCUME~1\Hamze\LOCALS~1\Temp\Rar$EX00.469\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernelwind32.exe
O4 - HKLM\..\Run: [sis32] C:\WINDOWS\system32\winsos.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [winroot] C:\WINDOWS\system32\winsn.exe
O4 - HKLM\..\Run: [Medichi] medichi.exe
O4 - HKLM\..\Run: [Medichi2] medichi2.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] "d:\games\counter strike source\steam.exe" -silent
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [HijackThis startup scan] C:\DOCUME~1\Hamze\LOCALS~1\Temp\Rar$EX00.218\HijackThis.exe /startupscan
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKUS\S-1-5-21-391518563-3017603296-3343825356-1005\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (User '?')
O4 - HKUS\S-1-5-21-391518563-3017603296-3343825356-1005\..\Run: [Steam] "d:\games\counter strike source\steam.exe" -silent (User '?')
O4 - HKUS\S-1-5-21-391518563-3017603296-3343825356-1005\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User '?')
O4 - HKUS\S-1-5-21-391518563-3017603296-3343825356-1005\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 (User '?')
O4 - HKUS\S-1-5-21-391518563-3017603296-3343825356-1005\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" (User '?')
O4 - HKUS\S-1-5-21-391518563-3017603296-3343825356-1005\..\Run: [HijackThis startup scan] C:\DOCUME~1\Hamze\LOCALS~1\Temp\Rar$EX00.218\HijackThis.exe /startupscan (User '?')
O4 - HKUS\S-1-5-21-391518563-3017603296-3343825356-1005\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - HKUS\S-1-5-21-391518563-3017603296-3343825356-1005\..\Run: [Windows update loader] C:\Windows\xpupdate.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - S-1-5-21-391518563-3017603296-3343825356-1005 Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe (User '?')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: Bluetooth Manager.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: murka.dat
O20 - Winlogon Notify: botreg - C:\Documents and Settings\All Users\Documents\Settings\bot.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: SrvCDEject - Unknown owner - C:\Program Files\Packard Bell\SrvCDEject.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

--
End of file - 7842 bytes


Help needed with this one as i got stuck, thank you in advance.

BC AdBot (Login to Remove)

 


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:12:32 AM

Posted 23 December 2007 - 08:07 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:
It sounds like you got something nasty there, but let's see what we can do.



Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 sec

sec
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:06:32 AM

Posted 23 December 2007 - 07:02 PM

hello

well i booted up in normal mode, double clicked the program but it didnt start up....i thought since my pc is slow it would take some time...15 mins later still nothing, i cant access windows task manager so i cant tell if this program was running under process. So i booted up in safe mode and right after log on i pressed ctrl+alt+del to get access to windows task manager before the virus fully loaded...it worked! so i ran my external drive " G: " wich i have combofix.exe on and started the prog....nothing it didnt show up under process either. I cant copy it to desktop, doesnt give me a reason why not, i tried to make a shortcut to the desktop and run it from there nothing....i was sure not to use the mouse incase combofix was running, but no results. i tried to run Microsoft Windows Malicious Software Removal Tool Dec 2007 incase i could regain some more access...the program removed to trojans one beeing a download trojam of some sort...then i tried again but no results. Also sometimes i get the shell.exe error that there is something wrong with it or its missing something like that, it hasnt appeard for some time so im not sure what i says. Anywho i managed to launch this program Autoruns " www.sysinternals.com
and it prodused a log wich i will post here....this is the best i could do.

I hope this one helps


HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms
+ rdpclip RDP Clip Monitor Microsoft Corporation c:\windows\system32\rdpclip.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
+ C:\WINDOWS\system32\userinit.exe Userinit Logon Application Microsoft Corporation c:\windows\system32\userinit.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
+ explorer.exe Windows Explorer Microsoft Corporation c:\windows\explorer.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ !AVG Anti-Spyware AVG Anti-Spyware GRISOFT s.r.o. c:\program files\grisoft\avg anti-spyware 7.5\avgas.exe
+ BluetoothAuthenticationAgent Bluetooth Control Panel Applet Microsoft Corporation c:\windows\system32\bthprops.cpl
+ ISUSPM Startup File not found: C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
+ ISUSScheduler File not found: C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
+ Medichi File not found: medichi.exe
+ Medichi2 c:\windows\medichi2.exe
+ Medichi2 c:\windows\medichi2.exe
+ MsgCenterExe File not found: C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
+ NBKeyScan Nero BackItUp Nero AG c:\program files\nero\nero8\nero backitup\nbkeyscan.exe
+ NeroFilterCheck NeroCheck Nero AG c:\program files\common files\nero\lib\nerocheck.exe
+ nod32kui NOD32 Control Center GUI Eset c:\program files\eset\nod32kui.exe
+ PHIME2002A ???????? 2002a Microsoft Corporation c:\windows\system32\ime\tintlgnt\tintsetp.exe
+ PHIME2002ASync ???????? 2002a Microsoft Corporation c:\windows\system32\ime\tintlgnt\tintsetp.exe
+ QuickTime Task Apple Computer, Inc. c:\program files\quicktime\qttask.exe
+ sis32 c:\windows\system32\winsos.exe
+ sis32 c:\windows\system32\winsos.exe
+ StartCCC c:\program files\ati technologies\ati.ace\core-static\clistart.exe
+ SunJavaUpdateSched Java™ Platform SE binary Sun Microsystems, Inc. c:\program files\java\jre1.6.0_03\bin\jusched.exe
+ System c:\windows\system32\kernelwind32.exe
+ SystemSv12 c:\windows\system32\newmaxxsv234.exe
+ winroot c:\windows\system32\winsn.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
+ Bluetooth Manager.lnk c:\program files\toshiba\bluetooth toshiba stack\tosbtmng1.exe
+ PC-søk i Windows.lnk Windows Desktop Search Tool Tray Admin Microsoft Corporation c:\program files\windows desktop search\windowssearch.exe
C:\Documents and Settings\Hamze\Start Menu\Programs\Startup
+ SpywareGuard.lnk SpywareGuard c:\program files\spywareguard\sgmain.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
+ BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} Nero Home Nero AG c:\program files\common files\nero\lib\nmbgmonitor.exe
+ DAEMON Tools Virtual DAEMON Manager DT Soft Ltd. c:\program files\daemon tools\daemon.exe
+ HijackThis startup scan File not found: C:\DOCUME~1\Hamze\LOCALS~1\Temp\Rar$EX00.218\HijackThis.exe
+ MsnMsgr Messenger Microsoft Corporation c:\program files\msn messenger\msnmsgr.exe
+ SpybotSD TeaTimer System settings protector Safer Networking Limited c:\program files\spybot - search & destroy\teatimer.exe
+ Steam Steam Valve Corporation d:\games\counter strike source\steam.exe
+ swg GoogleToolbarNotifier Google Inc. c:\program files\google\googletoolbarnotifier\googletoolbarnotifier.exe
+ Windows update loader c:\windows\xpupdate.exe
HKLM\SOFTWARE\Classes\Protocols\Filter
+ application/octet-stream Microsoft .NET Runtime Execution Engine Microsoft Corporation c:\windows\system32\mscoree.dll
+ application/x-complus Microsoft .NET Runtime Execution Engine Microsoft Corporation c:\windows\system32\mscoree.dll
+ application/x-msdownload Microsoft .NET Runtime Execution Engine Microsoft Corporation c:\windows\system32\mscoree.dll
+ Class Install Handler OLE32 Extensions for Win32 Microsoft Corporation c:\windows\system32\urlmon.dll
+ deflate OLE32 Extensions for Win32 Microsoft Corporation c:\windows\system32\urlmon.dll
+ gzip OLE32 Extensions for Win32 Microsoft Corporation c:\windows\system32\urlmon.dll
+ lzdhtml OLE32 Extensions for Win32 Microsoft Corporation c:\windows\system32\urlmon.dll
+ text/webviewhtml Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll
HKLM\SOFTWARE\Classes\Protocols\Handler
+ about Microsoft ® HTML Viewer Microsoft Corporation c:\windows\system32\mshtml.dll
+ cdl OLE32 Extensions for Win32 Microsoft Corporation c:\windows\system32\urlmon.dll
+ dvd ActiveX control for streaming video Microsoft Corporation c:\windows\system32\msvidctl.dll
+ file OLE32 Extensions for Win32 Microsoft Corporation c:\windows\system32\urlmon.dll
+ ftp OLE32 Extensions for Win32 Microsoft Corporation c:\windows\system32\urlmon.dll
+ gopher OLE32 Extensions for Win32 Microsoft Corporation c:\windows\system32\urlmon.dll
+ http OLE32 Extensions for Win32 Microsoft Corporation c:\windows\system32\urlmon.dll
+ https OLE32 Extensions for Win32 Microsoft Corporation c:\windows\system32\urlmon.dll
+ its Microsoft® InfoTech Storage System Library Microsoft Corporation c:\windows\system32\itss.dll
+ javascript Microsoft ® HTML Viewer Microsoft Corporation c:\windows\system32\mshtml.dll
+ livecall MSN Messenger Protocol Handler Microsoft Corporation c:\program files\msn messenger\msgrapp.8.1.0178.00.dll
+ local OLE32 Extensions for Win32 Microsoft Corporation c:\windows\system32\urlmon.dll
+ mailto Microsoft ® HTML Viewer Microsoft Corporation c:\windows\system32\mshtml.dll
+ mhtml Microsoft Internet Messaging API Microsoft Corporation c:\windows\system32\inetcomm.dll
+ mk OLE32 Extensions for Win32 Microsoft Corporation c:\windows\system32\urlmon.dll
+ ms-its Microsoft® InfoTech Storage System Library Microsoft Corporation c:\windows\system32\itss.dll
+ msnim MSN Messenger Protocol Handler Microsoft Corporation c:\program files\msn messenger\msgrapp.8.1.0178.00.dll
+ res Microsoft ® HTML Viewer Microsoft Corporation c:\windows\system32\mshtml.dll
+ sysimage Microsoft ® HTML Viewer Microsoft Corporation c:\windows\system32\mshtml.dll
+ tv ActiveX control for streaming video Microsoft Corporation c:\windows\system32\msvidctl.dll
+ vbscript Microsoft ® HTML Viewer Microsoft Corporation c:\windows\system32\mshtml.dll
+ wia WIA Scripting Layer Microsoft Corporation c:\windows\system32\wiascr.dll
HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components
+ 0 File not found: About:Home
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
+ Address Book 6 Outlook Express Setup Library Microsoft Corporation c:\program files\outlook express\setup50.exe
+ Browser Customizations Microsoft Internet Explorer Customization DLL Microsoft Corporation c:\windows\system32\iedkcs32.dll
+ Internet Explorer Windows NT User Data Migration Tool Microsoft Corporation c:\windows\system32\shmgrate.exe
+ Internet Explorer Windows Setup API Microsoft Corporation c:\windows\system32\setupapi.dll
+ Internet Explorer 6 IE 5.0 Per-User Install Utility Microsoft Corporation c:\windows\system32\ie4uinit.exe
+ KB910393 ADVPACK Microsoft Corporation c:\windows\system32\advpack.dll
+ Media Center Windows Setup API Microsoft Corporation c:\windows\system32\setupapi.dll
+ Microsoft Outlook Express 6 Outlook Express Setup Library Microsoft Corporation c:\program files\outlook express\setup50.exe
+ Microsoft Windows Media Player Microsoft Windows Media Player Setup Utility Microsoft Corporation c:\windows\inf\unregmp2.exe
+ Microsoft Windows Media Player ADVPACK Microsoft Corporation c:\windows\system32\advpack.dll
+ n/a Microsoft .NET IE SECURITY REGISTRATION Microsoft Corporation c:\windows\system32\mscories.dll
+ NetMeeting 3.01 ADVPACK Microsoft Corporation c:\windows\system32\advpack.dll
+ Outlook Express Windows NT User Data Migration Tool Microsoft Corporation c:\windows\system32\shmgrate.exe
+ Themes Setup Microsoft© Register Server Microsoft Corporation c:\windows\system32\regsvr32.exe
+ Windows Desktop Update Microsoft© Register Server Microsoft Corporation c:\windows\system32\regsvr32.exe
+ Windows Messenger 4.7 ADVPACK Microsoft Corporation c:\windows\system32\advpack.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
+ Browseui preloader Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll
+ Component Categories cache daemon Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
+ CDBurn Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll
+ PostBootReminder Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll
+ SysTray Systray shell service object Microsoft Corporation c:\windows\system32\stobject.dll
+ WebCheck Web Site Monitor Microsoft Corporation c:\windows\system32\webcheck.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
+ AVG Anti-Spyware 7.5 AVG Anti-Spyware shellexecutehook GRISOFT s.r.o. c:\program files\grisoft\avg anti-spyware 7.5\shellexecutehook.dll
+ SpywareGuard.Handler SpywareGuard Protection c:\program files\spywareguard\spywareguard.dll
+ URL Exec Hook Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll
+ Windows Desktop Search Namespace Manager Windows Desktop Search Namespace Manager Microsoft Corporation c:\program files\windows desktop search\msnlnamespacemgr.dll
HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers
+ CContextScan Object Context-Menu (Shell Extension) GRISOFT s.r.o. c:\program files\grisoft\avg anti-spyware 7.5\context.dll
+ Encryption Context Menu Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll
+ NeroCoverEdContextMenu Class Cover Designer Nero AG c:\program files\nero\nero8\nero coverdesigner\coveredextension.dll
+ NOD32 Context Menu Shell Extension c:\program files\eset\nodshex.dll
+ Offline Files Menu Client Side Caching UI Microsoft Corporation c:\windows\system32\cscui.dll
+ Open With Context Menu Handler Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll
+ WinRAR c:\program files\winrar\rarext.dll
HKLM\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers
+ Microsoft SendTo Service Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll
HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
+ PDF Shell Extension PDF Shell Extension Adobe Systems, Inc. c:\program files\adobe\acrobat 7.0\activex\pdfshell.dll
+ {0D2E74C4-3C34-11d2-A27E-00C04FC30871} Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll
+ {24F14F01-7B1C-11d1-838f-0000F80461CF} Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll
+ {24F14F02-7B1C-11d1-838f-0000F80461CF} Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll
+ {66742402-F9B9-11D1-A202-0000F81FEDEE} Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
+ Offline Files Menu Client Side Caching UI Microsoft Corporation c:\windows\system32\cscui.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
+ %DESC_PublishDropTarget% Photo Printing Wizard Microsoft Corporation c:\windows\system32\photowiz.dll
+ &Address Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll
+ .CAB file viewer Cabinet File Viewer Shell Extension Microsoft Corporation c:\windows\system32\cabview.dll
+ Accessible Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll
+ ActiveX Cache Folder Object Control Viewer Microsoft Corporation c:\windows\system32\occache.dll
+ Address EditBox Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll
+ Administrative Tools Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll
+ Audio Media Properties Handler Media File Property Extractor Shell Extension Microsoft Corporation c:\windows\system32\shmedia.dll
+ Augmented Shell Folder Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll
+ Augmented Shell Folder 2 Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll
+ Auto Update Property Sheet Extension Automatic Updates Control Panel Microsoft Corporation c:\windows\system32\wuaucpl.cpl
+ Avi Properties Handler Media File Property Extractor Shell Extension Microsoft Corporation c:\windows\system32\shmedia.dll
+ BandProxy Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll
+ Briefcase Windows Briefcase Microsoft Corporation c:\windows\system32\syncui.dll
+ Catalyst Context Menu extension ACE Context Menu c:\program files\ati technologies\ati.ace\core-static\atiacmxx.dll
+ CDF Extension Copy Hook Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll
+ Channel File Channel Definition File Viewer Microsoft Corporation c:\windows\system32\cdfview.dll
+ Channel Handler Object Channel Definition File Viewer Microsoft Corporation c:\windows\system32\cdfview.dll
+ Channel Menu Channel Definition File Viewer Microsoft Corporation c:\windows\system32\cdfview.dll
+ Channel Properties Channel Definition File Viewer Microsoft Corporation c:\windows\system32\cdfview.dll
+ Channel Shortcut Channel Definition File Viewer Microsoft Corporation c:\windows\system32\cdfview.dll
+ Code Download Agent Web Site Monitor Microsoft Corporation c:\windows\system32\webcheck.dll
+ Compatibility Page Compatibility Tab Shell Extension DLL Microsoft Corporation c:\windows\system32\slayerxp.dll
+ Compressed (zipped) Folder Compressed (zipped) Folders Microsoft Corporation c:\windows\system32\zipfldr.dll
+ Compressed (zipped) Folder Right Drag Handler Compressed (zipped) Folders Microsoft Corporation c:\windows\system32\zipfldr.dll
+ Compressed (zipped) Folder SendTo Target Compressed (zipped) Folders Microsoft Corporation c:\windows\system32\zipfldr.dll
+ ConnectionAgent Web Site Monitor Microsoft Corporation c:\windows\system32\webcheck.dll
+ Crypto PKO Extension Crypto Shell Extensions Microsoft Corporation c:\windows\system32\cryptext.dll
+ Crypto Sign Extension Crypto Shell Extensions Microsoft Corporation c:\windows\system32\cryptext.dll
+ Custom MRU AutoCompleted List Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll
+ Darwin App Publisher Shell Application Manager Microsoft Corporation c:\windows\system32\appwiz.cpl
+ DfsShell Distributed File System shell extension Microsoft Corporation c:\windows\system32\dfsshlex.dll
+ Directory Context Menu Verbs Directory Service Common UI Microsoft Corporation c:\windows\system32\dsuiext.dll
+ Directory Object Find Directory Service Find Microsoft Corporation c:\windows\system32\dsquery.dll
+ Directory Property UI Directory Service Common UI Microsoft Corporation c:\windows\system32\dsuiext.dll
+ Directory Query UI Directory Service Find Microsoft Corporation c:\windows\system32\dsquery.dll
+ Directory Start/Search Find Directory Service Find Microsoft Corporation c:\windows\system32\dsquery.dll
+ Disk Copy Extension Windows DiskCopy Microsoft Corporation c:\windows\system32\diskcopy.dll
+ Disk Quota UI Windows Shell Disk Quota UI DLL Microsoft Corporation c:\windows\system32\dskquoui.dll
+ Display Adapter CPL Extension Advanced display adapter properties Microsoft Corporation c:\windows\system32\deskadp.dll
+ Display Monitor CPL Extension Advanced display monitor properties Microsoft Corporation c:\windows\system32\deskmon.dll
+ Display Panning CPL Extension File not found: deskpan.dll
+ Display TroubleShoot CPL Extension Advanced display performance properties Microsoft Corporation c:\windows\system32\deskperf.dll
+ Download Status Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll
+ DS Security Page Directory Service Security UI Microsoft Corporation c:\windows\system32\dssec.dll
+ E-mail Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll
+ Explorer Band Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll
+ Extensions Manager Folder Extensions Manager Microsoft Corporation c:\windows\system32\extmgr.dll
+ Favorites Band Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll
+ Fonts Windows Font Folder Microsoft Corporation c:\windows\system32\fontext.dll
+ Fonts Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll
+ For &People... Find People Microsoft Corporation c:\program files\outlook express\wabfind.dll
+ FTP Folders Webview Microsoft Internet Explorer FTP Folder Shell Extension Microsoft Corporation c:\windows\system32\msieftp.dll
+ Fusion Cache Microsoft .NET Runtime Execution Engine Microsoft Corporation c:\windows\system32\mscoree.dll
+ GDI+ file thumbnail extractor Windows Picture and Fax Viewer Microsoft Corporation c:\windows\system32\shimgvw.dll
+ Get a Passport Wizard Map Network Drives/Network Places Wizard Microsoft Corporation c:\windows\system32\netplwiz.dll
+ Global Folder Settings Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll
+ Help and Support Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll
+ Help and Support Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll
+ History Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll
+ HTML Thumbnail Extractor Windows Picture and Fax Viewer Microsoft Corporation c:\windows\system32\shimgvw.dll
+ HyperTerminal Icon Ext HyperTerminal Applet Library Hilgraeve, Inc. c:\windows\system32\hticons.dll
+ ICC Profile Microsoft Color Matching System User Interface DLL Microsoft Corporation c:\windows\system32\icmui.dll
+ ICM Monitor Management Microsoft Color Matching System User Interface DLL Microsoft Corporation c:\windows\system32\icmui.dll
+ ICM Printer Management Microsoft Color Matching System User Interface DLL Microsoft Corporation c:\windows\system32\icmui.dll
+ ICM Scanner Management Microsoft Color Matching System User Interface DLL Microsoft Corporation c:\windows\system32\icmui.dll
+ IE4 Suite Splash Screen Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll
+ In-pane search Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll
+ Installed Apps Enumerator Shell Application Manager Microsoft Corporation c:\windows\system32\appwiz.cpl
+ Internet Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll
+ Internet Name Space Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll
+ InternetShortcut Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll
+ ISFBand OC Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll
+ Messenger Sharing Folders Messenger File Sharing Shell Extensions Microsoft Corporation c:\program files\msn messenger\fsshext.8.1.0178.00.dll
+ Microsoft Agent Character Property Sheet Handler Microsoft Agent Property Sheet Handler Microsoft Corporation c:\windows\msagent\agentpsh.dll
+ Microsoft AutoComplete Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll
+ Microsoft Browser Architecture Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll
+ Microsoft BrowserBand Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll
+ Microsoft Data Link Microsoft Data Access - OLE DB Core Services Microsoft Corporation c:\program files\common files\system\ole db\oledb32.dll
+ Microsoft DocProp Inplace Calendar Control Microsoft DocProp Shell Ext Microsoft Corporation c:\windows\system32\docprop2.dll
+ Microsoft DocProp Inplace Droplist Combo Control Microsoft DocProp Shell Ext Microsoft Corporation c:\windows\system32\docprop2.dll
+ Microsoft DocProp Inplace Edit Box Control Microsoft DocProp Shell Ext Microsoft Corporation c:\windows\system32\docprop2.dll
+ Microsoft DocProp Inplace ML Edit Box Control Microsoft DocProp Shell Ext Microsoft Corporation c:\windows\system32\docprop2.dll
+ Microsoft DocProp Inplace Time Control Microsoft DocProp Shell Ext Microsoft Corporation c:\windows\system32\docprop2.dll
+ Microsoft DocProp Shell Ext Microsoft DocProp Shell Ext Microsoft Corporation c:\windows\system32\docprop2.dll
+ Microsoft History AutoComplete List Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll
+ Microsoft Internet Toolbar Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll
+ Microsoft Multiple AutoComplete List Container Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll
+ Microsoft Shell Folder AutoComplete List Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll
+ Microsoft Url History Service Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll
+ Microsoft Url Search Hook Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll
+ Midi Properties Handler Media File Property Extractor Shell Extension Microsoft Corporation c:\windows\system32\shmedia.dll
+ MMC Icon Handler MMC Shell Extension DLL Microsoft Corporation c:\windows\system32\mmcshext.dll
+ MRU AutoComplete List Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll
+ Multimedia File Property Sheet Control Panel Drivers Applet Microsoft Corporation c:\windows\system32\mmsys.cpl
+ MyDocs Copy Hook My Documents Folder UI Microsoft Corporation c:\windows\system32\mydocs.dll
+ MyDocs Drop Target My Documents Folder UI Microsoft Corporation c:\windows\system32\mydocs.dll
+ MyDocs Properties My Documents Folder UI Microsoft Corporation c:\windows\system32\mydocs.dll
+ NeroCoverEd Live Icons Cover Designer Nero AG c:\program files\nero\nero8\nero coverdesigner\coveredextension.dll
+ Network Connections Network Connections Shell Microsoft Corporation c:\windows\system32\netshell.dll
+ Network Connections Network Connections Shell Microsoft Corporation c:\windows\system32\netshell.dll
+ NOD32 Context Menu Shell Extension c:\program files\eset\nodshex.dll
+ NTFS Security Page Security Shell Extension Microsoft Corporation c:\windows\system32\rshx32.dll
+ Offline Files Folder Client Side Caching UI Microsoft Corporation c:\windows\system32\cscui.dll
+ Offline Files Folder Options Client Side Caching UI Microsoft Corporation c:\windows\system32\cscui.dll
+ Offline Files Menu Client Side Caching UI Microsoft Corporation c:\windows\system32\cscui.dll
+ OLE Docfile Property Page OLE DocFile Property Page Microsoft Corporation c:\windows\system32\docprop.dll
+ PlusPack CPL Extension Windows Theme API Microsoft Corporation c:\windows\system32\themeui.dll
+ Portable Media Devices Portable Media Devices Shell Extension Microsoft Corporation c:\windows\system32\audiodev.dll
+ Portable Media Devices Menu Portable Media Devices Shell Extension Microsoft Corporation c:\windows\system32\audiodev.dll
+ PostAgent Web Site Monitor Microsoft Corporation c:\windows\system32\webcheck.dll
+ Previous Versions Previous Versions property page Microsoft Corporation c:\windows\system32\twext.dll
+ Previous Versions Property Page Previous Versions property page Microsoft Corporation c:\windows\system32\twext.dll
+ Print Ordering via the Web Map Network Drives/Network Places Wizard Microsoft Corporation c:\windows\system32\netplwiz.dll
+ Printers Security Page Security Shell Extension Microsoft Corporation c:\windows\system32\rshx32.dll
+ Registry Tree Options Utility Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll
+ Remote Sessions CPL Extension Remote Sessions CPL Extension Microsoft Corporation c:\windows\system32\remotepg.dll
+ Run... Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll
+ Scanners & Cameras Imaging Devices Shell Folder UI Microsoft Corporation c:\windows\system32\wiashext.dll
+ Scanners & Cameras Imaging Devices Shell Folder UI Microsoft Corporation c:\windows\system32\wiashext.dll
+ Scanners & Cameras Imaging Devices Shell Folder UI Microsoft Corporation c:\windows\system32\wiashext.dll
+ Scanners & Cameras Imaging Devices Shell Folder UI Microsoft Corporation c:\windows\system32\wiashext.dll
+ Scanners & Cameras Imaging Devices Shell Folder UI Microsoft Corporation c:\windows\system32\wiashext.dll
+ Scheduled Tasks Task Scheduler interface DLL Microsoft Corporation c:\windows\system32\mstask.dll
+ Search Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll
+ Search Assistant OC Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll
+ Search Band Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll
+ Sendmail service Send Mail Microsoft Corporation c:\windows\system32\sendmail.dll
+ Sendmail service Send Mail Microsoft Corporation c:\windows\system32\sendmail.dll
+ Set Program Access and Defaults Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll
+ Shell Application Manager Shell Application Manager Microsoft Corporation c:\windows\system32\appwiz.cpl
+ Shell Automation Inproc Service Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll
+ Shell Band Site Menu Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll
+ Shell DeskBar Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll
+ Shell DeskBarApp Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll
+ Shell DocObject Viewer Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll
+ Shell extensions for Microsoft Windows Network objects Network object shell UI Microsoft Corporation c:\windows\system32\ntlanui2.dll
+ Shell extensions for sharing Shell extensions for sharing Microsoft Corporation c:\windows\system32\ntshrui.dll
+ Shell extensions for sharing Shell extensions for sharing Microsoft Corporation c:\windows\system32\ntshrui.dll
+ Shell extensions for Windows Script Host Microsoft ® Shell Extension for Windows Script Host Microsoft Corporation c:\windows\system32\wshext.dll
+ Shell Icon Handler for Application References Application Deployment Support Library Microsoft Corporation c:\windows\system32\dfshim.dll
+ Shell Image Data Factory Windows Picture and Fax Viewer Microsoft Corporation c:\windows\system32\shimgvw.dll
+ Shell Image Property Handler Windows Picture and Fax Viewer Microsoft Corporation c:\windows\system32\shimgvw.dll
+ Shell Image Verbs Windows Picture and Fax Viewer Microsoft Corporation c:\windows\system32\shimgvw.dll
+ Shell properties for a DS object Directory Service Find Microsoft Corporation c:\windows\system32\dsquery.dll
+ Shell Publishing Wizard Object Map Network Drives/Network Places Wizard Microsoft Corporation c:\windows\system32\netplwiz.dll
+ Shell Rebar BandSite Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll
+ Shell Scrap DataHandler Shell scrap object handler Microsoft Corporation c:\windows\system32\shscrap.dll
+ Shell Search Band Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll
+ ShellLink for Application References Application Deployment Support Library Microsoft Corporation c:\windows\system32\dfshim.dll
+ SpywareGuard.Handler SpywareGuard Protection c:\program files\spywareguard\spywareguard.dll
+ Subscription Folder Web Site Monitor Microsoft Corporation c:\windows\system32\webcheck.dll
+ Subscription Mgr Web Site Monitor Microsoft Corporation c:\windows\system32\webcheck.dll
+ Summary Info Thumbnail handler (DOCFILES) Windows Picture and Fax Viewer Microsoft Corporation c:\windows\system32\shimgvw.dll
+ Taskbar and Start Menu Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll
+ Tasks Folder Icon Handler Task Scheduler interface DLL Microsoft Corporation c:\windows\system32\mstask.dll
+ Tasks Folder Shell Extension Task Scheduler interface DLL Microsoft Corporation c:\windows\system32\mstask.dll
+ Temporary Internet Files Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll
+ Temporary Internet Files Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll
+ The Internet Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll
+ Track Popup Bar Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll
+ TrayAgent Web Site Monitor Microsoft Corporation c:\windows\system32\webcheck.dll
+ TridentImageExtractor Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll
+ User Accounts Map Network Drives/Network Places Wizard Microsoft Corporation c:\windows\system32\netplwiz.dll
+ User Assist Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll
+ Video Media Properties Handler Media File Property Extractor Shell Extension Microsoft Corporation c:\windows\system32\shmedia.dll
+ Video Thumbnail Extractor Media File Property Extractor Shell Extension Microsoft Corporation c:\windows\system32\shmedia.dll
+ Wav Properties Handler Media File Property Extractor Shell Extension Microsoft Corporation c:\windows\system32\shmedia.dll
+ Web Printer Shell Extension Print UI DLL Microsoft Corporation c:\windows\system32\printui.dll
+ Web Publishing Wizard Map Network Drives/Network Places Wizard Microsoft Corporation c:\windows\system32\netplwiz.dll
+ Web Search Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll
+ WebCheck Web Site Monitor Microsoft Corporation c:\windows\system32\webcheck.dll
+ WebCheck SyncMgr Handler Web Site Monitor Microsoft Corporation c:\windows\system32\webcheck.dll
+ WebCheckChannelAgent Web Site Monitor Microsoft Corporation c:\windows\system32\webcheck.dll
+ WebCheckWebCrawler Web Site Monitor Microsoft Corporation c:\windows\system32\webcheck.dll
+ Windows Deskbar Windows Desktop Search Deskbar Microsoft Corporation c:\program files\windows desktop search\deskbar.dll
+ Windows Desktop Search Windows Desktop Search Results View Microsoft Corporation c:\program files\windows desktop search\msnlext.dll
+ Windows Desktop Search Outlook Express ISearchFolder Class Windows Desktop Search Outlook Express Protocol Handler Microsoft Corporation c:\program files\windows desktop search\oeph.dll
+ Windows Media Player Add to Playlist Context Menu Handler Windows Media Player Launcher Microsoft Corporation c:\windows\system32\wmpshell.dll
+ Windows Media Player Burn Audio CD Context Menu Handler Windows Media Player Launcher Microsoft Corporation c:\windows\system32\wmpshell.dll
+ Windows Media Player Play as Playlist Context Menu Handler Windows Media Player Launcher Microsoft Corporation c:\windows\system32\wmpshell.dll
+ WinRAR shell extension c:\program files\winrar\rarext.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
+ AcroIEHlprObj Class Adobe Acrobat IE Helper Version 7.0 for ActiveX Adobe Systems Incorporated c:\program files\adobe\acrobat 7.0\activex\acroiehelper.dll
+ Google Toolbar Helper Google-verktøylinjen i Internet Explorer-klient Google Inc. c:\program files\google\googletoolbar1.dll
+ Google Toolbar Notifier BHO GoogleToolbarNotifier Google Inc. c:\program files\google\googletoolbarnotifier\2.0.301.7164\swg.dll
+ SpywareGuardDLBLOCK.CBrowserHelper SpywareGuard Download Protection c:\program files\spywareguard\dlprotect.dll
+ SSVHelper Class Java™ Platform SE binary Sun Microsystems, Inc. c:\program files\java\jre1.6.0_03\bin\ssv.dll
+ {53707962-6F74-2D53-2644-206D7942484F} Bad download blocker Safer Networking Limited c:\program files\spybot - search & destroy\sdhelper.dll
HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks
+ Microsoft Url Search Hook Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll
HKLM\Software\Microsoft\Internet Explorer\Toolbar
+ &Google Google-verktøylinjen i Internet Explorer-klient Google Inc. c:\program files\google\googletoolbar1.dll
HKLM\Software\Microsoft\Internet Explorer\Extensions
+ Windows Messenger Windows Messenger Microsoft Corporation c:\program files\messenger\msmsgs.exe
Task Scheduler
+ Se etter oppdateringer for Windows Live Toolbar.job MSN Search Toolbar Scheduled Update Utility Microsoft Corporation c:\program files\windows live toolbar\msntbup.exe
HKLM\System\CurrentControlSet\Services
+ Ati HotKey Poller ATI External Event Utility EXE Module ATI Technologies Inc. c:\windows\system32\ati2evxx.exe
+ ATI Smart ATI Smart c:\windows\system32\ati2sgag.exe
+ AudioSrv Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\audiosrv.dll
+ Browser Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\browser.dll
+ BthServ Bluetooth Support Service Microsoft Corporation c:\windows\system32\bthserv.dll
+ CryptSvc Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\cryptsvc.dll
+ DcomLaunch Provides launch functionality for DCOM services. Microsoft Corporation c:\windows\system32\rpcss.dll
+ Dhcp Manages network configuration by registering and updating IP addresses and DNS names. Microsoft Corporation c:\windows\system32\dhcpcsvc.dll
+ dmserver Detects and monitors new hard disk drives and sends disk volume information to Logical Disk Manager Administrative Service for configuration. If this service is stopped, dynamic disk status and configuration information may become out of date. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corp. c:\windows\system32\dmserver.dll
+ Dnscache Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\dnsrslvr.dll
+ ehRecvr Media Center-tjeneste for TV- og FM-kringkastingsmottak Microsoft Corporation c:\windows\ehome\ehrecvr.exe
+ ehSched Media Center Scheduler Service Microsoft Corporation c:\windows\ehome\ehsched.exe
+ ERSvc Allows error reporting for services and applictions running in non-standard environments. Microsoft Corporation c:\windows\system32\ersvc.dll
+ Eventlog Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped. Microsoft Corporation c:\windows\system32\services.exe
+ FFI File not found: C:\WINDOWS\system32\svchost.exe:exm.exe
+ helpsvc Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\pchealth\helpctr\binaries\pchsvc.dll
+ HidServ Enables generic input access to Human Interface Devices (HID), which activates and maintains the use of predefined hot buttons on keyboards, remote controls, and other multimedia devices. If this service is stopped, hot buttons controlled by this service will no longer function. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\hidserv.dll
+ lanmanserver Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\srvsvc.dll
+ lanmanworkstation Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\wkssvc.dll
+ LmHosts Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution. Microsoft Corporation c:\windows\system32\lmhsvc.dll
+ McrdSvc MCRD Device Service Microsoft Corporation c:\windows\ehome\mcrdsvc.exe
+ Nero BackItUp Scheduler 3 Nero BackItUp Scheduler 3 is responsible to control all jobs created using Nero BackItUp 3. These jobs can create backups of selected files/folders/partitions or complete hard disk to hard disk, network drive, disc or FTP. Nero AG c:\program files\nero\nero8\nero backitup\nbservice.exe
+ NOD32krn NOD32 Kernel Service Eset c:\program files\eset\nod32krn.exe
+ PlugPlay Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability. Microsoft Corporation c:\windows\system32\services.exe
+ Pml Driver HPZ12 PML Driver HP c:\windows\system32\hpzipm12.exe
+ PolicyAgent Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver. Microsoft Corporation c:\windows\system32\lsass.exe
+ ProtectedStorage Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users. Microsoft Corporation c:\windows\system32\lsass.exe
+ RemoteRegistry Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\regsvc.dll
+ RpcSs Provides the endpoint mapper and other miscellaneous RPC services. Microsoft Corporation c:\windows\system32\rpcss.dll
+ SamSs Stores security information for local user accounts. Microsoft Corporation c:\windows\system32\lsass.exe
+ SamSs Stores security information for local user accounts. Microsoft Corporation c:\windows\system32\lsass.exe
+ Schedule Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\schedsvc.dll
+ seclogon Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\seclogon.dll
+ SENS Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events. Microsoft Corporation c:\windows\system32\sens.dll
+ ShellHWDetection Provides notifications for AutoPlay hardware events. Microsoft Corporation c:\windows\system32\shsvcs.dll
+ Spooler Loads files to memory for later printing. Microsoft Corporation c:\windows\system32\spoolsv.exe
+ srservice Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties Microsoft Corporation c:\windows\system32\srsvc.dll
+ SrvCDEject c:\program files\packard bell\srvcdeject.exe
+ SSDPSRV Enables discovery of UPnP devices on your home network. Microsoft Corporation c:\windows\system32\ssdpsrv.dll
+ stisvc Provides image acquisition services for scanners and cameras. Microsoft Corporation c:\windows\system32\wiaservc.dll
+ Themes Provides user experience theme management. Microsoft Corporation c:\windows\system32\shsvcs.dll
+ TrkWks Maintains links between NTFS files within a computer or across computers in a network domain. Microsoft Corporation c:\windows\system32\trkwks.dll
+ UleadBurningHelper ULCDRSvr Ulead Systems, Inc. c:\program files\common files\ulead systems\dvd\ulcdrsvr.exe
+ W32Time Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\w32time.dll
+ WebClient Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\webclnt.dll
+ winmgmt Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\wbem\wmisvc.dll
HKLM\System\CurrentControlSet\Services
+ abp480n5 AdvanSys SCSI Controller Driver Microsoft Corporation c:\windows\system32\drivers\abp480n5.sys
+ ACPI ACPI Driver for NT Microsoft Corporation c:\windows\system32\drivers\acpi.sys
+ adpu160m Adaptec Ultra160 SCSI miniport Microsoft Corporation c:\windows\system32\drivers\adpu160m.sys
+ aec Microsoft Acoustic Echo Canceller Microsoft Corporation c:\windows\system32\drivers\aec.sys
+ AFD AFD Networking Support Environment Microsoft Corporation c:\windows\system32\drivers\afd.sys
+ agp440 440 NT AGP Filter Microsoft Corporation c:\windows\system32\drivers\agp440.sys
+ agpCPQ CompatNT AGP Filter Microsoft Corporation c:\windows\system32\drivers\agpcpq.sys
+ Aha154x Adaptec AHA-154x series SCSI miniport Microsoft Corporation c:\windows\system32\drivers\aha154x.sys
+ aic78u2 Adaptec Ultra2 SCSI miniport Microsoft Corporation c:\windows\system32\drivers\aic78u2.sys
+ aic78xx Adaptec Ultra SCSI miniport Microsoft Corporation c:\windows\system32\drivers\aic78xx.sys
+ AliIde ALi mini IDE Driver Acer Laboratories Inc. c:\windows\system32\drivers\aliide.sys
+ alim1541 ALi M1541 NT AGP Filter Microsoft Corporation c:\windows\system32\drivers\alim1541.sys
+ amdagp AMD Win2000 AGP Filter Advanced Micro Devices, Inc. c:\windows\system32\drivers\amdagp.sys
+ AMON Amon monitor Eset c:\windows\system32\drivers\amon.sys
+ amsint AMD SCSI/NET Controller Microsoft Corporation c:\windows\system32\drivers\amsint.sys
+ Arp1394 1394 ARP Client Protocol Microsoft Corporation c:\windows\system32\drivers\arp1394.sys
+ asc AdvanSys SCSI Controller Driver Advanced System Products, Inc. c:\windows\system32\drivers\asc.sys
+ asc3350p AdvanSys SCSI Card Driver Microsoft Corporation c:\windows\system32\drivers\asc3350p.sys
+ asc3550 AdvanSys Ultra-Wide PCI SCSI Driver Advanced System Products, Inc. c:\windows\system32\drivers\asc3550.sys
+ asc3550p File not found: C:\WINDOWS\System32\Drivers\asc3550p.sys
+ AsyncMac RAS Asynchronous Media Driver Microsoft Corporation c:\windows\system32\drivers\asyncmac.sys
+ atapi IDE/ATAPI Port Driver Microsoft Corporation c:\windows\system32\drivers\atapi.sys
+ ati2mtag ATI Radeon WindowsNT Miniport Driver ATI Technologies Inc. c:\windows\system32\drivers\ati2mtag.sys
+ Atmarpc ATM ARP Client Protocol Microsoft Corporation c:\windows\system32\drivers\atmarpc.sys
+ audstub AudStub Driver Microsoft Corporation c:\windows\system32\drivers\audstub.sys
+ Beep c:\windows\system32\drivers\beep.sys
+ BthEnum Bluetooth Bus Extender Microsoft Corporation c:\windows\system32\drivers\bthenum.sys
+ BthPan Bluetooth Device (Personal Area Network) Microsoft Corporation c:\windows\system32\drivers\bthpan.sys
+ BTHPORT Bluetooth Bus Driver Microsoft Corporation c:\windows\system32\drivers\bthport.sys
+ BTHUSB Bluetooth Miniport Driver Microsoft Corporation c:\windows\system32\drivers\bthusb.sys
+ cbidf CardBus/PCMCIA IDE Miniport Driver Microsoft Corporation c:\windows\system32\drivers\cbidf2k.sys
+ CCDECODE WDM Closed Caption VBI Codec Microsoft Corporation c:\windows\system32\drivers\ccdecode.sys
+ cd20xrnt IBM Portable CD-ROM Drive Miniport Microsoft Corporation c:\windows\system32\drivers\cd20xrnt.sys
+ Cdaudio CD-ROM Audio Filter Driver Microsoft Corporation c:\windows\system32\drivers\cdaudio.sys
+ Cdrom SCSI CD-ROM Driver Microsoft Corporation c:\windows\system32\drivers\cdrom.sys
+ Changer File not found: C:\WINDOWS\System32\Drivers\Changer.sys
+ CmdIde CMD PCI IDE Bus Driver CMD Technology, Inc. c:\windows\system32\drivers\cmdide.sys
+ Cpqarray Compaq Drive Array Controllers SCSI Miniport Driver Microsoft Corporation c:\windows\system32\drivers\cpqarray.sys
+ dac2w2k Mylex Disk Array Controller Driver Mylex Corporation c:\windows\system32\drivers\dac2w2k.sys
+ dac960nt Mylex Disk Array Controller Driver Microsoft Corporation c:\windows\system32\drivers\dac960nt.sys
+ Disk PnP Disk Driver Microsoft Corporation c:\windows\system32\drivers\disk.sys
+ dmio NT Disk Manager I/O Driver Microsoft Corp., Veritas Software c:\windows\system32\drivers\dmio.sys
+ dmload NT Disk Manager Startup Driver Microsoft Corp., Veritas Software. c:\windows\system32\drivers\dmload.sys
+ DMusic Microsoft Kernel DLS Synthesizer Microsoft Corporation c:\windows\system32\drivers\dmusic.sys
+ dpti2o DPT SmartRAID miniport Microsoft Corporation c:\windows\system32\drivers\dpti2o.sys
+ drmkaud Microsoft Kernel DRM Audio Descrambler Filter Microsoft Corporation c:\windows\system32\drivers\drmkaud.sys
+ DrvSnSht DrvSnSht Drive Snap Shot driver R-TT Inc. c:\program files\r-drive image\drvsnsht.sys
+ Fdc Floppy Disk Controller Driver Microsoft Corporation c:\windows\system32\drivers\fdc.sys
+ FETND5BV NDIS 5.0 miniport driver VIA Technologies, Inc. c:\windows\system32\drivers\fetnd5bv.sys
+ Fips FIPS Crypto Driver Microsoft Corporation c:\windows\system32\drivers\fips.sys
+ Flpydisk Floppy Driver Microsoft Corporation c:\windows\system32\drivers\flpydisk.sys
+ FltMgr File System Filter Manager Driver Microsoft Corporation c:\windows\system32\drivers\fltmgr.sys
+ Ftdisk FT Disk Driver Microsoft Corporation c:\windows\system32\drivers\ftdisk.sys
+ Gpc Generic Packet Classifier Microsoft Corporation c:\windows\system32\drivers\msgpc.sys
+ HDAudBus High Definition Audio Bus Driver v1.0a Windows ® Server 2003 DDK provider c:\windows\system32\drivers\hdaudbus.sys
+ HidUsb USB Miniport Driver for Input Devices Microsoft Corporation c:\windows\system32\drivers\hidusb.sys
+ hpn NetRAID-4M Miniport Driver Microsoft Corporation c:\windows\system32\drivers\hpn.sys
+ HPZid412 IEEE-1284.4-1999 Driver (Windows 2000) HP c:\windows\system32\drivers\hpzid412.sys
+ HPZipr12 IEEE-1284.4-1999 Print Class Driver HP c:\windows\system32\drivers\hpzipr12.sys
+ HPZius12 1284.4<->Usb Datalink Driver (Windows 2000) HP c:\windows\system32\drivers\hpzius12.sys
+ HTTP This service implements the hypertext transfer protocol (HTTP). If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\drivers\http.sys
+ i2omgmt I2O Utility Filter Microsoft Corporation c:\windows\system32\drivers\i2omgmt.sys
+ i2omp I2O Miniport Driver Microsoft Corporation c:\windows\system32\drivers\i2omp.sys
+ i8042prt i8042 Port Driver Microsoft Corporation c:\windows\system32\drivers\i8042prt.sys
+ ICAM8USB Universal Serial Bus Camera Driver Intel Corporation c:\windows\system32\drivers\icm8d2.sys
+ Imapi IMAPI Kernel Driver Microsoft Corporation c:\windows\system32\drivers\imapi.sys
+ ini910u INITIO ini910u SCSI miniport Microsoft Corporation c:\windows\system32\drivers\ini910u.sys
+ IntcAzAudAddService Realtek® High Definition Audio Function Driver Realtek Semiconductor Corp. c:\windows\system32\drivers\rtkhdaud.sys
+ IntelIde Intel PCI IDE Driver Microsoft Corporation c:\windows\system32\drivers\intelide.sys
+ intelppm Processor Device Driver Microsoft Corporation c:\windows\system32\drivers\intelppm.sys
+ Ip6Fw Provides intrusion prevention service for a home or small office network. Microsoft Corporation c:\windows\system32\drivers\ip6fw.sys
+ IpFilterDriver IP Traffic Filter Driver Microsoft Corporation c:\windows\system32\drivers\ipfltdrv.sys
+ IpInIp IP in IP Tunnel Driver Microsoft Corporation c:\windows\system32\drivers\ipinip.sys
+ IpNat IP Network Address Translator Microsoft Corporation c:\windows\system32\drivers\ipnat.sys
+ IPSec IPSEC driver Microsoft Corporation c:\windows\system32\drivers\ipsec.sys
+ IRENUM Infra-Red Bus Enumerator Microsoft Corporation c:\windows\system32\drivers\irenum.sys
+ isapnp PNP ISA Bus Driver Microsoft Corporation c:\windows\system32\drivers\isapnp.sys
+ Kbdclass Keyboard Class Driver Microsoft Corporation c:\windows\system32\drivers\kbdclass.sys
+ kbdhid HID Mouse Filter Driver Microsoft Corporation c:\windows\system32\drivers\kbdhid.sys
+ kmixer Kernel Mode Audio Mixer Microsoft Corporation c:\windows\system32\drivers\kmixer.sys
+ KSecDD Kernel Security Support Provider Interface Microsoft Corporation c:\windows\system32\drivers\ksecdd.sys
+ lbrtfdc File not found: C:\WINDOWS\System32\Drivers\lbrtfdc.sys
+ MHNDRV Multimedia Home Network component driver Microsoft Corporation c:\windows\system32\drivers\mhndrv.sys
+ mnmdd Frame buffer simulator Microsoft Corporation c:\windows\system32\drivers\mnmdd.sys
+ Modem Modem Device Driver Microsoft Corporation c:\windows\system32\drivers\modem.sys
+ Mouclass Mouse Class Driver Microsoft Corporation c:\windows\system32\drivers\mouclass.sys
+ mouhid HID Mouse Filter Driver Microsoft Corporation c:\windows\system32\drivers\mouhid.sys
+ MountMgr Mount Manager Microsoft Corporation c:\windows\system32\drivers\mountmgr.sys
+ mraid35x MegaRAID RAID Controller Driver for Windows Whistler 32 American Megatrends Inc. c:\windows\system32\drivers\mraid35x.sys
+ MRxDAV WebDav Client Redirector Microsoft Corporation c:\windows\system32\drivers\mrxdav.sys
+ MRxSmb MRXSMB Microsoft Corporation c:\windows\system32\drivers\mrxsmb.sys
+ Msfs Mailslot driver Microsoft Corporation c:\windows\system32\drivers\msfs.sys
+ MSKSSRV MS KS Server Microsoft Corporation c:\windows\system32\drivers\mskssrv.sys
+ MSPCLOCK MS Proxy Clock Microsoft Corporation c:\windows\system32\drivers\mspclock.sys
+ MSPQM MS Proxy Quality Manager Microsoft Corporation c:\windows\system32\drivers\mspqm.sys
+ mssmbios System Management BIOS Driver Microsoft Corporation c:\windows\system32\drivers\mssmbios.sys
+ MSTEE WDM Tee/Communication Transform Filter Microsoft Corporation c:\windows\system32\drivers\mstee.sys
+ Mup Multiple UNC Provider driver Microsoft Corporation c:\windows\system32\drivers\mup.sys
+ MxlW2k MusicMatch Access Layer KMD MusicMatch, Inc. c:\windows\system32\drivers\mxlw2k.sys
+ NABTSFEC WDM NABTS/FEC VBI Codec Microsoft Corporation c:\windows\system32\drivers\nabtsfec.sys
+ NDIS NDIS 5.1 wrapper driver Microsoft Corporation c:\windows\system32\drivers\ndis.sys
+ NdisIP Microsoft IP Driver Microsoft Corporation c:\windows\system32\drivers\ndisip.sys
+ NdisTapi Remote Access NDIS TAPI Driver Microsoft Corporation c:\windows\system32\drivers\ndistapi.sys
+ Ndisuio NDIS Usermode I/O Protocol Microsoft Corporation c:\windows\system32\drivers\ndisuio.sys
+ NdisWan Remote Access NDIS WAN Driver Microsoft Corporation c:\windows\system32\drivers\ndiswan.sys
+ NDProxy NDIS Proxy Microsoft Corporation c:\windows\system32\drivers\ndproxy.sys
+ NetBIOS NetBIOS Interface Microsoft Corporation c:\windows\system32\drivers\netbios.sys
+ NetBT NetBios over Tcpip Microsoft Corporation c:\windows\system32\drivers\netbt.sys
+ NIC1394 IEEE1394 Ndis Miniport and Call Manager Microsoft Corporation c:\windows\system32\drivers\nic1394.sys
+ Npfs NPFS Driver Microsoft Corporation c:\windows\system32\drivers\npfs.sys
+ Null NULL Driver Microsoft Corporation c:\windows\system32\drivers\null.sys
+ NwlnkFlt IPX Traffic Filter Driver Microsoft Corporation c:\windows\system32\drivers\nwlnkflt.sys
+ NwlnkFwd IPX Traffic Forwarder Driver Microsoft Corporation c:\windows\system32\drivers\nwlnkfwd.sys
+ ohci1394 1394 OpenHCI Port Driver Microsoft Corporation c:\windows\system32\drivers\ohci1394.sys
+ Parport Parallel Port Driver Microsoft Corporation c:\windows\system32\drivers\parport.sys
+ PartMgr Partition Manager Microsoft Corporation c:\windows\system32\drivers\partmgr.sys
+ PCI NT Plug and Play PCI Enumerator Microsoft Corporation c:\windows\system32\drivers\pci.sys
+ PCIDump File not found: C:\WINDOWS\System32\Drivers\PCIDump.sys
+ PCIIde Generic PCI IDE Bus Driver Microsoft Corporation c:\windows\system32\drivers\pciide.sys
+ PDCOMP File not found: C:\WINDOWS\System32\Drivers\PDCOMP.sys
+ PDFRAME File not found: C:\WINDOWS\System32\Drivers\PDFRAME.sys
+ PDRELI File not found: C:\WINDOWS\System32\Drivers\PDRELI.sys
+ PDRFRAME File not found: C:\WINDOWS\System32\Drivers\PDRFRAME.sys
+ perc2 PERC 2 Miniport Driver Microsoft Corporation c:\windows\system32\drivers\perc2.sys
+ perc2hib PERC 2 Hibernate Driver Microsoft Corporation c:\windows\system32\drivers\perc2hib.sys
+ PptpMiniport WAN Miniport (PPTP) Microsoft Corporation c:\windows\system32\drivers\raspptp.sys
+ Processor Processor Device Driver Microsoft Corporation c:\windows\system32\drivers\processr.sys
+ PSched QoS Packet Scheduler Microsoft Corporation c:\windows\system32\drivers\psched.sys
+ Ptilink Direct Parallel Link Driver Parallel Technologies, Inc. c:\windows\system32\drivers\ptilink.sys
+ PxHelp20 Px Engine Device Driver for Windows 2000/XP Sonic Solutions c:\windows\system32\drivers\pxhelp20.sys
+ ql1080 Miniport Driver for QLogic ISP PCI Adapters QLogic Corporation c:\windows\system32\drivers\ql1080.sys
+ Ql10wnt Miniport Driver for QLogic ISP PCI Adapters Microsoft Corporation c:\windows\system32\drivers\ql10wnt.sys
+ ql12160 Miniport Driver for QLogic ISP PCI Adapters QLogic Corporation c:\windows\system32\drivers\ql12160.sys
+ ql1240 QLogic ISP PCI Adapters Microsoft Corporation c:\windows\system32\drivers\ql1240.sys
+ ql1280 Miniport Driver for QLogic ISP PCI Adapters QLogic Corporation c:\windows\system32\drivers\ql1280.sys
+ RasAcd Remote Access Auto Connection Driver Microsoft Corporation c:\windows\system32\drivers\rasacd.sys
+ Rasl2tp WAN Miniport (L2TP) Microsoft Corporation c:\windows\system32\drivers\rasl2tp.sys
+ RasPppoe Remote Access PPPOE Driver Microsoft Corporation c:\windows\system32\drivers\raspppoe.sys
+ Raspti Direct Parallel Microsoft Corporation c:\windows\system32\drivers\raspti.sys
+ Rdbss Rdbss Microsoft Corporation c:\windows\system32\drivers\rdbss.sys
+ RDPCDD RDP Miniport Microsoft Corporation c:\windows\system32\drivers\rdpcdd.sys
+ rdpdr Microsoft RDP Device redirector Microsoft Corporation c:\windows\system32\drivers\rdpdr.sys
+ RDPWD RDP Terminal Stack Driver (US/Canada Only, Not for Export) Microsoft Corporation c:\windows\system32\drivers\rdpwd.sys
+ redbook Redbook Audio Filter Driver Microsoft Corporation c:\windows\system32\drivers\redbook.sys
+ RFCOMM Bluetooth Device (RFCOMM Protocol TDI) Microsoft Corporation c:\windows\system32\drivers\rfcomm.sys
+ RTSTOR Realtek USB Mass Storage Driver for 2K/XP Realtek Semiconductor Corp. c:\windows\system32\drivers\rtstor.sys
+ Secdrv SafeDisc driver Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K. c:\windows\system32\drivers\secdrv.sys
+ Serial Serial Device Driver Microsoft Corporation c:\windows\system32\drivers\serial.sys
+ Sfloppy SCSI Floppy Driver Microsoft Corporation c:\windows\system32\drivers\sfloppy.sys
+ sisagp SiS NT AGP Filter Silicon Integrated Systems Corporation c:\windows\system32\drivers\sisagp.sys
+ SLIP Microsoft Slip Deframing Filter Minidriver Microsoft Corporation c:\windows\system32\drivers\slip.sys
+ Sparrow Adaptec AIC-6x60 series SCSI miniport Adaptec, Inc. c:\windows\system32\drivers\sparrow.sys
+ splitter Microsoft Kernel Audio Splitter Microsoft Corporation c:\windows\system32\drivers\splitter.sys
+ sptd c:\windows\system32\drivers\sptd.sys
+ sr System Restore Filesystem Filter Driver Microsoft Corporation c:\windows\system32\drivers\sr.sys
+ Srv Srv Microsoft Corporation c:\windows\system32\drivers\srv.sys
+ StMp3Rec Recovery Mode Driver Generic c:\windows\system32\drivers\stmp3rec.sys
+ streamip Microsoft IP Test Driver Microsoft Corporation c:\windows\system32\drivers\streamip.sys
+ swenum Plug and Play Software Device Enumerator Microsoft Corporation c:\windows\system32\drivers\swenum.sys
+ swmidi Microsoft GS Wavetable Synthesizer Microsoft Corporation c:\windows\system32\drivers\swmidi.sys
+ sym_hi Symbios Hi-Perf SCSI Miniport Driver LSI Logic c:\windows\system32\drivers\sym_hi.sys
+ sym_u3 Symbios Ultra3 SCSI Miniport Driver LSI Logic c:\windows\system32\drivers\sym_u3.sys
+ symc810 Symbios Logic Inc. SCSI Miniport Driver Symbios Logic Inc. c:\windows\system32\drivers\symc810.sys
+ symc8xx Symbios 8XX SCSI Miniport Driver LSI Logic c:\windows\system32\drivers\symc8xx.sys
+ sysaudio System Audio WDM Filter Microsoft Corporation c:\windows\system32\drivers\sysaudio.sys
+ Tcpip TCP/IP Protocol Driver Microsoft Corporation c:\windows\system32\drivers\tcpip.sys
+ TDPIPE Named Pipe Transport Driver Microsoft Corporation c:\windows\system32\drivers\tdpipe.sys
+ TDTCP TCP Transport Driver Microsoft Corporation c:\windows\system32\drivers\tdtcp.sys
+ TermDD Terminal Server Driver Microsoft Corporation c:\windows\system32\drivers\termdd.sys
+ toshidpt Toshiba Bluetooth HID mini port driver TOSHIBA Corporation. c:\windows\system32\drivers\toshidpt.sys
+ TosIde Toshiba PCI IDE Controller Microsoft Corporation c:\windows\system32\drivers\toside.sys
+ tosporte TOSHIBA Bluetooth Port Emulation Driver TOSHIBA Corporation c:\windows\system32\drivers\tosporte.sys
+ Tosrfbd Bluetooth RF Bus Driver TOSHIBA CORPORATION c:\windows\system32\drivers\tosrfbd.sys
+ Tosrfbnp Bluetooth RFBNEP Driver TOSHIBA Corporation c:\windows\system32\drivers\tosrfbnp.sys
+ Tosrfcom Bluetooth RFCOMM Driver TOSHIBA Corporation c:\windows\system32\drivers\tosrfcom.sys
+ Tosrfhid Bluetooth HID Driver from TOSHIBA TOSHIBA Corporation. c:\windows\system32\drivers\tosrfhid.sys
+ tosrfnds Bluetooth BNEP Driver TOSHIBA Corporation. c:\windows\system32\drivers\tosrfnds.sys
+ TosRfSnd Bluetooth Audio Driver (WDM) TOSHIBA Corporation c:\windows\system32\drivers\tosrfsnd.sys
+ Tosrfusb Bluetooth USB Miniport Driver TOSHIBA CORPORATION c:\windows\system32\drivers\tosrfusb.sys
+ ultra Promise Ultra66 Miniport Driver Promise Technology, Inc. c:\windows\system32\drivers\ultra.sys
+ Update Update Driver Microsoft Corporation c:\windows\system32\drivers\update.sys
+ usbccgp USB Common Class Generic Parent Driver Microsoft Corporation c:\windows\system32\drivers\usbccgp.sys
+ usbehci EHCI eUSB Miniport Driver Microsoft Corporation c:\windows\system32\drivers\usbehci.sys
+ usbhub Default Hub Driver for USB Microsoft Corporation c:\windows\system32\drivers\usbhub.sys
+ usbohci OHCI USB Miniport Driver Microsoft Corporation c:\windows\system32\drivers\usbohci.sys
+ usbprint USB Printer driver Microsoft Corporation c:\windows\system32\drivers\usbprint.sys
+ usbscan USB Scanner Driver Microsoft Corporation c:\windows\system32\drivers\usbscan.sys
+ USBSTOR USB Mass Storage Class Driver Microsoft Corporation c:\windows\system32\drivers\usbstor.sys
+ usbuhci UHCI USB Miniport Driver Microsoft Corporation c:\windows\system32\drivers\usbuhci.sys
+ Vcs c:\windows\system32\drivers\vcs.sys
+ VgaSave VGA/Super VGA Video Driver Microsoft Corporation c:\windows\system32\drivers\vga.sys
+ viaagp VIA NT AGP Filter Microsoft Corporation c:\windows\system32\drivers\viaagp.sys
+ ViaIde VIA Generic PCI IDE Bus Driver VIA Technologies, Inc. c:\windows\system32\drivers\viaidexp.sys
+ viamraid VIA Technologies inc,.ltd c:\windows\system32\drivers\viamraid.sys
+ VolSnap Volume Shadow Copy Driver Microsoft Corporation c:\windows\system32\drivers\volsnap.sys
+ Wanarp Remote Access IP ARP Driver Microsoft Corporation c:\windows\system32\drivers\wanarp.sys
+ WDICA File not found: C:\WINDOWS\System32\Drivers\WDICA.sys
+ wdmaud MMSYSTEM Wave/Midi API mapper Microsoft Corporation c:\windows\system32\drivers\wdmaud.sys
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
+ autocheck autochk * Auto Check Utility Microsoft Corporation c:\windows\system32\autochk.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
+ Your Image File Name Here without a path Symbolic Debugger for Windows 2000 Microsoft Corporation c:\windows\system32\ntsd.exe
HKLM\SOFTWARE\Classes\Exefile\Shell\Open\Command\(Default)
+ C:\WINDOWS\trayicons.exe c:\windows\trayicons.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls
+ murka.dat c:\windows\murka.dat
HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
+ advapi32 Advanced Windows 32 Base API Microsoft Corporation c:\windows\system32\advapi32.dll
+ comdlg32 Common Dialogs DLL Microsoft Corporation c:\windows\system32\comdlg32.dll
+ gdi32 GDI Client DLL Microsoft Corporation c:\windows\system32\gdi32.dll
+ imagehlp Windows NT Image Helper Microsoft Corporation c:\windows\system32\imagehlp.dll
+ kernel32 Windows NT BASE API Client DLL Microsoft Corporation c:\windows\system32\kernel32.dll
+ lz32 LZ Expand/Compress API DLL Microsoft Corporation c:\windows\system32\lz32.dll
+ ole32 Microsoft OLE for Windows Microsoft Corporation c:\windows\system32\ole32.dll
+ oleaut32 Microsoft Corporation c:\windows\system32\oleaut32.dll
+ olecli32 Object Linking and Embedding Client Library Microsoft Corporation c:\windows\system32\olecli32.dll
+ olecnv32 Microsoft OLE for Windows Microsoft Corporation c:\windows\system32\olecnv32.dll
+ olesvr32 Object Linking and Embedding Server Library Microsoft Corporation c:\windows\system32\olesvr32.dll
+ olethk32 Microsoft OLE for Windows Microsoft Corporation c:\windows\system32\olethk32.dll
+ rpcrt4 Remote Procedure Call Runtime Microsoft Corporation c:\windows\system32\rpcrt4.dll
+ shell32 Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll
+ url Internet Shortcut Shell Extension DLL Microsoft Corporation c:\windows\system32\url.dll
+ urlmon OLE32 Extensions for Win32 Microsoft Corporation c:\windows\system32\urlmon.dll
+ user32 Windows XP USER API Client DLL Microsoft Corporation c:\windows\system32\user32.dll
+ version Version Checking and File Installation Libraries Microsoft Corporation c:\windows\system32\version.dll
+ wininet Internet Extensions for Win32 Microsoft Corporation c:\windows\system32\wininet.dll
+ wldap32 Win32 LDAP API DLL Microsoft Corporation c:\windows\system32\wldap32.dll
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost
+ logonui.exe Windows Logon UI Microsoft Corporation c:\windows\system32\logonui.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
+ AtiExtEvent ATI External Event Utility DLL Module ATI Technologies Inc. c:\windows\system32\ati2evxx.dll
+ botreg c:\documents and settings\all users\documents\settings\bot.dll
+ crypt32chain Crypto API32 Microsoft Corporation c:\windows\system32\crypt32.dll
+ cryptnet Crypto Network Related API Microsoft Corporation c:\windows\system32\cryptnet.dll
+ cscdll Offline Network Agent Microsoft Corporation c:\windows\system32\cscdll.dll
+ ScCertProp Common DLL to receive Winlogon notifications Microsoft Corporation c:\windows\system32\wlnotify.dll
+ Schedule Common DLL to receive Winlogon notifications Microsoft Corporation c:\windows\system32\wlnotify.dll
+ sclgntfy Secondary Logon Service Notification DLL Microsoft Corporation c:\windows\system32\sclgntfy.dll
+ SensLogn Common DLL to receive Winlogon notifications Microsoft Corporation c:\windows\system32\wlnotify.dll
+ termsrv Common DLL to receive Winlogon notifications Microsoft Corporation c:\windows\system32\wlnotify.dll
+ WB fLoad Stardock c:\program files\alienguise\fastload.dll
+ wlballoon Common DLL to receive Winlogon notifications Microsoft Corporation c:\windows\system32\wlnotify.dll
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{209078AF-4AD3-49AF-9920-5A1D95EEF295}] DATAGRAM 1 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{209078AF-4AD3-49AF-9920-5A1D95EEF295}] SEQPACKET 1 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{3191665C-4C93-4660-AF98-E01C2DF78FBE}] DATAGRAM 2 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{3191665C-4C93-4660-AF98-E01C2DF78FBE}] SEQPACKET 2 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{8806677F-9CB6-429C-AEBF-B9288D4D3DF3}] DATAGRAM 4 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{8806677F-9CB6-429C-AEBF-B9288D4D3DF3}] SEQPACKET 4 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{A15DD723-C0F8-41BC-AF51-D8AAC9F00EFE}] DATAGRAM 0 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{A15DD723-C0F8-41BC-AF51-D8AAC9F00EFE}] SEQPACKET 0 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{A80249F8-AFE5-49B7-8458-1E155BEE28E3}] DATAGRAM 3 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{A80249F8-AFE5-49B7-8458-1E155BEE28E3}] SEQPACKET 3 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{B7E5719E-C2D6-4105-A3B9-A3F18E8B80B6}] DATAGRAM 6 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{B7E5719E-C2D6-4105-A3B9-A3F18E8B80B6}] SEQPACKET 6 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{E66E8814-C964-4856-A504-5FCC95BE85CA}] DATAGRAM 5 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{E66E8814-C964-4856-A504-5FCC95BE85CA}] SEQPACKET 5 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
+ MSAFD RfComm [Bluetooth] Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
+ MSAFD Tcpip [RAW/IP] Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
+ MSAFD Tcpip [TCP/IP] Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
+ MSAFD Tcpip [UDP/IP] Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
+ RSVP TCP Service Provider Microsoft Windows Rsvp 1.0 Service Provider Microsoft Corporation c:\windows\system32\rsvpsp.dll
+ RSVP UDP Service Provider Microsoft Windows Rsvp 1.0 Service Provider Microsoft Corporation c:\windows\system32\rsvpsp.dll
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
+ BJ Language Monitor Langage Monitor for Canon Bubble-Jet Printer Microsoft Corporation c:\windows\system32\cnbjmon.dll
+ LIDIL hpzll43a LanguageMonitor Hewlett-Packard Company c:\windows\system32\hpzll43a.dll
+ Local Port Local Spooler DLL Microsoft Corporation c:\windows\system32\localspl.dll
+ PJL Language Monitor PJL Language monitor Microsoft Corporation c:\windows\system32\pjlmon.dll
+ Standard TCP/IP Port Standard TCP/IP Port Monitor DLL Microsoft Corporation c:\windows\system32\tcpmon.dll
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders
+ digest.dll Digest SSPI Authentication Package Microsoft Corporation c:\windows\system32\digest.dll
+ msapsspc.dll DPA Client for 32 bit platforms Microsoft Corporation c:\windows\system32\msapsspc.dll
+ msnsspc.dll MSN Internet Access Microsoft Corporation c:\windows\system32\msnsspc.dll
+ schannel.dll TLS / SSL Security Provider Microsoft Corporation c:\windows\system32\schannel.dll
+ wowfx.dll c:\windows\system32\wowfx.dll
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
+ msv1_0 Microsoft Authentication Package v1.0 Microsoft Corporation c:\windows\system32\msv1_0.dll
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
+ scecli Windows Security Configuration Editor Client Engine Microsoft Corporation c:\windows\system32\scecli.dll
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
+ kerberos Kerberos Security Package Microsoft Corporation c:\windows\system32\kerberos.dll
+ msv1_0 Microsoft Authentication Package v1.0 Microsoft Corporation c:\windows\system32\msv1_0.dll
+ schannel TLS / SSL Security Provider Microsoft Corporation c:\windows\system32\schannel.dll
+ wdigest Microsoft Digest Access Microsoft Corporation c:\windows\system32\wdigest.dll
HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order
+ LanmanWorkstation Microsoft Windows Network Microsoft Corporation c:\windows\system32\ntlanman.dll
+ RDPNP Microsoft Terminal Services Microsoft Corporation c:\windows\system32\drprov.dll
+ WebClient Web Client Network Microsoft Corporation c:\windows\system32\davclnt.dll

#4 sec

sec
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:06:32 AM

Posted 23 December 2007 - 07:09 PM

also under process there is this iexplorer.exe wich kept running in the background and if i selected it, it managed to move my selection so i couldnt reach END PROCESS in time, when i finally made it i got this error : operation failed, operation does not apply for this process....im translating from norwegian to english so i might have mischosen some words in the error, but i think you know wich one i mean.
thx

#5 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:12:32 AM

Posted 24 December 2007 - 09:10 AM

First of all you did a great job of explaining what's going on and getting me the information that you did. I know how frustrating it is and what you've given me will be very helpful. So now let's see if we can get rid of some of the files that are causing the bulk of your problems and we'll see if we can get things a bit more stable for you.



Please download the OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):



    c:\windows\medichi2.exe
    c:\windows\medichi.exe
    c:\windows\system32\winsos.exe
    c:\windows\system32\kernelwind32.exe
    c:\windows\system32\newmaxxsv234.exe
    c:\windows\system32\winsn.exe
    c:\windows\xpupdate.exe
    c:\windows\murka.dat
    C:\WINDOWS\system32\shovth.exe
    C:\WINDOWS\system32\dllgh8jkd1q2.exe
    C:\WINDOWS\system32\dllgh8jkd1q6.exe
    C:\WINDOWS\system32\dllgh8jkd1q7.exe



  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Close OTMoveIt
  • Please "Copy" the results from the "Results" window (to the right) and then "Paste" them into your next reply on the forum.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.
In that case, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at :
C:\_OTMoveIt\MovedFiles\********_******.log (where "********_******" is the "date_time")



If this allows you to regain some functionality, please attempt to run Combofix once again and post that log for me in your next reply.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#6 sec

sec
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:06:32 AM

Posted 24 December 2007 - 11:24 AM

hello again
marry christmas by the way :thumbsup:

i could not copy the file over to the desktop of te infected pc but i was able to run it nicely from my external G: drive
it copy/pasted the lines and ran it, here are the results :


c:\windows\medichi2.exe moved successfully.
c:\windows\medichi.exe moved successfully.
c:\windows\system32\winsos.exe moved successfully.
File/Folder c:\windows\system32\kernelwind32.exe not found.
c:\windows\system32\newmaxxsv234.exe moved successfully.
c:\windows\system32\winsn.exe moved successfully.
c:\windows\xpupdate.exe moved successfully.
c:\windows\murka.dat moved successfully.
C:\WINDOWS\system32\shovth.exe moved successfully.
C:\WINDOWS\system32\dllgh8jkd1q2.exe moved successfully.
C:\WINDOWS\system32\dllgh8jkd1q6.exe moved successfully.
C:\WINDOWS\system32\dllgh8jkd1q7.exe moved successfully.

Created on 12.25.2007 09:33:17

i did all this under normal mode not safe mode. Right after i exist the program i tried to run combofix but no such luck.

#7 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:12:32 AM

Posted 24 December 2007 - 11:32 AM

We'll have to get Combofix onto the infected drive in order to run it successfully.
Can you get me a new hijackthis log?
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#8 sec

sec
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:06:32 AM

Posted 24 December 2007 - 11:37 AM

i booted up in safe mode just to see if something diffrent happend, but still no admin rights....control panel lost again...been lost for some time back, just restored it temp.
anyway here are the diffrent results from the safe mode :



c:\windows\medichi2.exe moved successfully.
c:\windows\medichi.exe moved successfully.
c:\windows\system32\winsos.exe moved successfully.
c:\windows\system32\kernelwind32.exe moved successfully.
File/Folder c:\windows\system32\newmaxxsv234.exe not found.
c:\windows\system32\winsn.exe moved successfully.
c:\windows\xpupdate.exe moved successfully.
c:\windows\murka.dat moved successfully.
C:\WINDOWS\system32\shovth.exe moved successfully.
File/Folder C:\WINDOWS\system32\dllgh8jkd1q2.exe not found.
C:\WINDOWS\system32\dllgh8jkd1q6.exe moved successfully.
C:\WINDOWS\system32\dllgh8jkd1q7.exe moved successfully.

Created on 12.25.2007 09:44:59


this time arround it found kernelwind32.exe but newmax was gone this time, anyway still couldnt run combofix after this program, also smitfraudfix wont start either.
i guess im cornered out for the time beeing...what is your responce ?

hijack log coming right up

#9 sec

sec
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:06:32 AM

Posted 24 December 2007 - 11:40 AM

here is a fresh hijack log under safe mode :



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:53:33, on 25.12.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\shovth.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Hamze\LOCALS~1\Temp\Rar$EX00.297\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernelwind32.exe
O4 - HKLM\..\Run: [sis32] C:\WINDOWS\system32\winsos.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [winroot] C:\WINDOWS\system32\winsn.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [Medichi] medichi.exe
O4 - HKLM\..\Run: [Medichi2] medichi2.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] "d:\games\counter strike source\steam.exe" -silent
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [HijackThis startup scan] C:\DOCUME~1\Hamze\LOCALS~1\Temp\Rar$EX00.218\HijackThis.exe /startupscan
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-391518563-3017603296-3343825356-1005\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (User '?')
O4 - HKUS\S-1-5-21-391518563-3017603296-3343825356-1005\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User '?')
O4 - HKUS\S-1-5-21-391518563-3017603296-3343825356-1005\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 (User '?')
O4 - HKUS\S-1-5-21-391518563-3017603296-3343825356-1005\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" (User '?')
O4 - HKUS\S-1-5-21-391518563-3017603296-3343825356-1005\..\Run: [HijackThis startup scan] C:\DOCUME~1\Hamze\LOCALS~1\Temp\Rar$EX00.218\HijackThis.exe /startupscan (User '?')
O4 - HKUS\S-1-5-21-391518563-3017603296-3343825356-1005\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - HKUS\S-1-5-21-391518563-3017603296-3343825356-1005\..\Run: [Windows update loader] C:\Windows\xpupdate.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - S-1-5-21-391518563-3017603296-3343825356-1005 Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe (User '?')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: Bluetooth Manager.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: murka.dat
O20 - Winlogon Notify: botreg - C:\Documents and Settings\All Users\Documents\Settings\bot.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SrvCDEject - Unknown owner - C:\Program Files\Packard Bell\SrvCDEject.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

--
End of file - 7343 bytes



ps : i will try to copy the combofix over to desktop using CMD command line.

Edited by sec, 24 December 2007 - 11:43 AM.


#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:12:32 AM

Posted 24 December 2007 - 11:48 AM

Let's see what we can do with Hijackthis for starters.

Do this in safe mode.


Run Hijackthis again, click scan, and Put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernelwind32.exe
O4 - HKLM\..\Run: [sis32] C:\WINDOWS\system32\winsos.exe
O4 - HKLM\..\Run: [winroot] C:\WINDOWS\system32\winsn.exe
O4 - HKLM\..\Run: [Medichi] medichi.exe
O4 - HKLM\..\Run: [Medichi2] medichi2.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKUS\S-1-5-21-391518563-3017603296-3343825356-1005\..\Run: [Windows update loader] C:\Windows\xpupdate.exe (User '?')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: murka.dat
O20 - Winlogon Notify: botreg - C:\Documents and Settings\All Users\Documents\Settings\bot.dll



===============


Run Hijackthis and click on the Open Misc Tools section.
  • Go to Delete a file on Reboot
  • Select this file:

    C:\WINDOWS\system32\shovth.exe

  • Click Open and Yes to confirm.
  • Reboot your computer.


Post a new hijackthis log and let me know if you notice any changes.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#11 sec

sec
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:06:32 AM

Posted 24 December 2007 - 11:50 AM

i ran cmd and i succesfully copied over combofix.exe to c: on my infected pc
i tried to copy it to desktop but it gave me a syntax error
then i tried to run combifix from c: but it didnt start up like earlier.

#12 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:12:32 AM

Posted 24 December 2007 - 12:03 PM

Have you had a chance to run through my other instructions yet?
Try combofix again after that. And try to stay in safe mode while doing all of this.

Another thought - try renaming combofix.exe to cf.exe
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#13 sec

sec
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:06:32 AM

Posted 24 December 2007 - 12:18 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:26:36, on 25.12.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\shovth.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Hamze\LOCALS~1\Temp\Rar$EX00.750\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [Medichi] medichi.exe
O4 - HKLM\..\Run: [Medichi2] medichi2.exe
O4 - HKLM\..\Run: [sis32] C:\WINDOWS\system32\winsos.exe
O4 - HKLM\..\Run: [winroot] C:\WINDOWS\system32\winsn.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] "d:\games\counter strike source\steam.exe" -silent
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [HijackThis startup scan] C:\DOCUME~1\Hamze\LOCALS~1\Temp\Rar$EX00.218\HijackThis.exe /startupscan
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-391518563-3017603296-3343825356-1005\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (User '?')
O4 - HKUS\S-1-5-21-391518563-3017603296-3343825356-1005\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User '?')
O4 - HKUS\S-1-5-21-391518563-3017603296-3343825356-1005\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 (User '?')
O4 - HKUS\S-1-5-21-391518563-3017603296-3343825356-1005\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" (User '?')
O4 - HKUS\S-1-5-21-391518563-3017603296-3343825356-1005\..\Run: [HijackThis startup scan] C:\DOCUME~1\Hamze\LOCALS~1\Temp\Rar$EX00.218\HijackThis.exe /startupscan (User '?')
O4 - HKUS\S-1-5-21-391518563-3017603296-3343825356-1005\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - S-1-5-21-391518563-3017603296-3343825356-1005 Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe (User '?')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: Bluetooth Manager.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: murka.dat
O20 - Winlogon Notify: botreg - C:\Documents and Settings\All Users\Documents\Settings\bot.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SrvCDEject - Unknown owner - C:\Program Files\Packard Bell\SrvCDEject.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

--
End of file - 6839 bytes

after restart i ran microsoft malware removal tool and this is what it found and removed :

TrojanDownloader:Win32/Renos.gen!A
VirTool:WinNT/Tibs.gen!A


after i ran ur last instructions with hijack, i was able to do it completely altho i got an admin error : regediting has been disabled by the admin, but the rest worked fine. yes i am maintaining the safe mode until further notice. After restart the same...nothing changed, i will now change the combofix.exe name to sf.exe and reply

i changed combofix to sf.exe and ran it from c: on the infected pc and it worked :thumbsup:
its at stage 10 now, i will wait for it til its done....is there a log produced from it ? so i can post here after its done

Edited by sec, 24 December 2007 - 12:24 PM.


#14 sec

sec
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:06:32 AM

Posted 24 December 2007 - 12:36 PM

here is the combofix log FINALLYYYY!!!!!!


ComboFix 07-12-21.4 - Hamze 2007-12-25 10:35:56.1 - NTFSx86 MINIMAL
Running from: C:\cf.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\.exe
C:\Documents and Settings\All Users.\documents\settings\bot.dll
C:\Documents and Settings\Hamze\Application Data.\Ultimate Cleaner
C:\Documents and Settings\Hamze\Application Data.\Ultimate Cleaner\settings.dat
C:\Documents and Settings\Hamze\Application Data\antivirus.exe
C:\Documents and Settings\Hamze\Application Data\install.dat
C:\Documents and Settings\Hamze\Application Data\microsoft\internet explorer\Desktop.htt
C:\Documents and Settings\Hamze\Application Data\Ultimate Cleaner\settings.dat
C:\Documents and Settings\Hamze\Desktop\bravesentry.lnk
C:\Documents and Settings\Hamze\Start Menu\Programs\Brave-Sentry
C:\Documents and Settings\Hamze\Start Menu\Programs\Brave-Sentry\BraveSentry.lnk
C:\Documents and Settings\Hamze\Start Menu\Programs\Brave-Sentry\Uninstall.lnk
C:\WINDOWS\Resources\1033\1033.exe
C:\WINDOWS\system32\1033\1033.exe
C:\WINDOWS\system32\drivers\cell_bg.gif
C:\WINDOWS\system32\drivers\cell_footer.gif
C:\WINDOWS\system32\drivers\cell_header_block.gif
C:\WINDOWS\system32\drivers\cell_header_remove.gif
C:\WINDOWS\system32\drivers\cell_header_scan.gif
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\download_btn.jpg
C:\WINDOWS\system32\drivers\Nwr58.sys
C:\WINDOWS\system32\drivers\RYJ48.sys
C:\WINDOWS\system32\drivers\symavc32.sys
C:\WINDOWS\system32\kr_done1
C:\WINDOWS\system32\m1ax1d1213216143v.exe
C:\WINDOWS\system32\max1d11643v.exe
C:\WINDOWS\system32\restore\restore.exe
C:\WINDOWS\system32\svcp.csv
C:\WINDOWS\system32\system32.exe
C:\WINDOWS\system32\vedxg3am1et3.exe
C:\WINDOWS\system32\vedxg4am1et2.exe
C:\WINDOWS\system32\vedxg6ame4.exe
C:\WINDOWS\system32\vedxga1me4t1.exe
C:\WINDOWS\system32\vedxga3me2.exe
C:\WINDOWS\system32\vedxga4me1.exe
C:\WINDOWS\system32\vedxga5me3.exe
C:\WINDOWS\system32\vx.tll
C:\WINDOWS\system32\winsub.xml
C:\WINDOWS\system32\wowfx.dll
C:\WINDOWS\Temp\151625.exe
C:\WINDOWS\windows.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DRIVER
-------\LEGACY_RYJ48
-------\LEGACY_SYMAVC32


((((((((((((((((((((((((( Files Created from 2007-11-25 to 2007-12-25 )))))))))))))))))))))))))))))))
.

2007-12-25 10:42 . 2007-12-25 10:42 5,632 --a------ C:\WINDOWS\medichi.exe
2007-12-25 10:25 . 2007-12-22 04:56 89,088 ---hs---- C:\WINDOWS\system32\shovth.exe
2007-12-25 10:10 . 2007-12-25 10:42 8,192 --a------ C:\WINDOWS\medichi2.exe
2007-12-25 10:10 . 2007-12-25 10:42 6,144 --a------ C:\WINDOWS\murka.dat
2007-12-25 10:00 . 2007-12-24 02:05 1,478,778 --a------ C:\cf.exe
2007-12-25 09:53 . 2007-12-22 04:56 89,088 ---hs---- C:\WINDOWS\system32\winsn.exe
2007-12-25 09:53 . 2007-12-25 10:33 28,929 --a------ C:\WINDOWS\system32\winsos.exe
2007-12-23 19:44 . 2007-12-22 04:56 89,088 ---h----- C:\WINDOWS\system32\drivers\drivers.exe
2007-12-23 19:43 . 2007-12-22 04:56 89,088 ---h----- C:\WINDOWS\system32\config\systemprofile\systemprofile.exe
2007-12-23 19:29 . 2007-12-22 04:56 89,088 ---h----- C:\WINDOWS\system\system.exe
2007-12-23 16:34 . 2007-12-23 17:18 <DIR> d-------- C:\Program Files\RegCleaner
2007-12-23 16:32 . 2007-12-23 16:33 <DIR> d-------- C:\Program Files\SpywareGuard
2007-12-23 16:32 . 2007-12-23 16:32 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-12-23 16:32 . 2005-08-25 18:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2007-12-23 16:31 . 2007-12-23 16:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-23 16:30 . 2007-12-23 16:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-23 16:22 . 2007-12-23 16:34 <DIR> d-------- C:\Program Files\CCleaner
2007-12-23 00:50 . 2007-12-22 04:56 89,088 ---hs---- C:\0047F358.exe
2007-12-23 00:49 . 2007-12-23 00:49 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-12-22 20:12 . 2007-12-23 01:21 <DIR> d-------- C:\PerfLogs
2007-12-22 19:56 . 2007-12-22 19:56 29 --a------ C:\WINDOWS\system32\eiteofgo.tmp
2007-12-22 19:55 . 2007-12-22 19:55 32,997 --a------ C:\lich.exe
2007-12-22 19:55 . 2007-12-23 15:25 8,576 --a------ C:\lich.sys
2007-12-22 19:55 . 2007-12-22 19:55 0 --a------ C:\WINDOWS\system32\lich.dat
2007-12-22 19:54 . 2007-12-22 19:54 29,184 --a------ C:\WINDOWS\wsystmp_yiw.exe
2007-12-22 19:54 . 2007-12-22 19:54 16,758 --a------ C:\WINDOWS\system32\dllgh8jkd1q5.exe
2007-12-22 19:54 . 2004-08-10 15:00 14,336 --a------ C:\WINDOWS\system32\svchost.exe.tmp
2007-12-22 19:54 . 2004-08-10 15:00 14,336 --a------ C:\WINDOWS\system32\svchost.exe
2007-12-22 19:54 . 2004-08-10 15:00 14,336 --a------ C:\WINDOWS\system32\dllcache\svchost.exe
2007-12-22 19:54 . 2007-12-22 19:54 11,638 --a------ C:\WINDOWS\system32\dllgh8jkd1q1.exe
2007-12-22 19:54 . 2007-12-25 09:29 0 --a------ C:\WINDOWS\system32\dllgh8jkd1q8.exe
2007-12-22 13:55 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-12-22 13:55 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-12-22 13:55 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2007-12-22 13:55 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-12-22 13:55 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-12-22 13:55 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-12-22 13:30 . 2007-12-22 23:24 4,120 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-22 04:56 . 2007-12-22 04:56 89,088 --a------ C:\WINDOWS\wsystmp_oah.exe
2007-12-22 04:56 . 2007-12-22 04:56 93 -r-hs---- C:\autorun.inf
2007-12-22 04:55 . 2007-12-22 04:55 <DIR> d-------- C:\Program Files\EliteProtector
2007-12-22 04:50 . 2007-12-25 09:29 6,144 --a------ C:\WINDOWS\system32\user32.dat
2007-12-22 04:48 . 2007-12-22 04:48 35,840 --a------ C:\WINDOWS\wsystmp_wmh.exe
2007-12-22 04:47 . 2007-12-22 04:47 15,872 --a------ C:\WINDOWS\windisk.dll
2007-12-22 04:29 . 2007-12-22 04:29 28,929 --a------ C:\WINDOWS\trayicons.exe
2007-12-07 15:38 . 2007-12-07 15:38 <DIR> d-------- C:\Program Files\R-Drive Image
2007-11-30 19:06 . 2007-11-30 19:06 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-11-30 19:06 . 2007-11-30 19:06 1,409 --a------ C:\WINDOWS\QTFont.for
2007-11-30 18:48 . 2007-12-07 15:24 <DIR> d-------- C:\Program Files\EASEUS
2007-11-30 17:31 . 2007-12-07 16:02 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-30 17:30 . 2007-11-30 17:31 <DIR> d-------- C:\Program Files\Active Data Recovery Software
2007-11-30 15:29 . 2007-11-30 15:29 <DIR> d-------- C:\Program Files\Restorer2000 Pro
2007-11-29 13:20 . 2007-11-29 13:20 <DIR> d-------- C:\Program Files\FILERECOVERY PRO
2007-11-29 13:20 . 2007-11-29 13:20 286,720 --a------ C:\WINDOWS\iun507.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-23 16:00 --------- d-----w C:\Program Files\Windows Live Toolbar
2007-12-23 16:00 --------- d-----w C:\Program Files\Windows Desktop Search
2007-12-23 00:22 37,888 ----a-w C:\WINDOWS\system32\drivers\beep.sys
2007-12-22 03:56 89,088 ---h--w C:\WINDOWS\AppPatch\MUI\0414\0414.exe
2007-12-22 03:56 89,088 ---h--w C:\WINDOWS\AppPatch\AppPatch.exe
2007-12-21 20:55 --------- d-----w C:\Program Files\Azureus
2007-12-21 20:55 --------- d-----w C:\Documents and Settings\Hamze\Application Data\Azureus
2007-12-20 20:46 --------- d-----w C:\Program Files\Java
2007-12-07 14:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-03 21:51 --------- d-----w C:\Program Files\Hurrican
2007-12-03 21:48 --------- d-----w C:\Documents and Settings\Hamze\Application Data\Hoyle Casino
2007-12-03 21:47 --------- d-----w C:\Documents and Settings\Hamze\Application Data\Bioshock
2007-11-28 17:23 --------- d-----w C:\Program Files\DC++
2007-11-24 19:21 --------- d-----w C:\Program Files\Activision
2007-11-17 13:29 --------- d-----w C:\Program Files\DivX
2007-11-15 17:01 --------- d-----w C:\Program Files\Google
2007-11-15 02:01 --------- d-----w C:\Program Files\MSXML 4.0
2007-11-14 00:13 --------- d-----w C:\Documents and Settings\Hamze\Application Data\Nero
2007-11-14 00:12 --------- d-----w C:\Program Files\Common Files\Nero
2007-11-14 00:11 --------- d-----w C:\Program Files\Nero
2007-11-14 00:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2007-11-13 22:42 --------- d-----w C:\Program Files\Electronic Arts
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-12 16:06 --------- d-----w C:\Program Files\Sierra Entertainment
2007-11-12 16:04 --------- d-----w C:\Documents and Settings\Hamze\Application Data\InstallShield
2007-11-11 16:00 --------- d-----w C:\Program Files\Easy GIF Animator
2007-11-10 04:24 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-10 04:24 --------- d-----w C:\Program Files\AGEIA Technologies
2007-11-10 04:00 --------- d-----w C:\Program Files\Colin McRae Rally 2005
2007-11-08 19:38 --------- d-----w C:\Program Files\AV Vcs 5.5 DIAMOND
2007-11-08 02:42 --------- d-----w C:\Program Files\AV Vcs 6.0 DIAMOND
2007-11-06 17:05 --------- d-----w C:\Program Files\AlienGUIse
2007-11-06 17:01 --------- d-----w C:\Program Files\Common Files\Stardock
2007-11-05 02:29 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2007-11-05 02:27 --------- d-----w C:\Program Files\HP
2007-10-31 23:04 --------- d-----w C:\Program Files\U_KwonHoOnline
2007-10-31 20:13 --------- d--h--r C:\Documents and Settings\Hamze\Application Data\SecuROM
2007-10-31 19:38 --------- d-----w C:\Program Files\Speedco
2007-10-31 19:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trymedia
2007-10-31 19:27 --------- d-----w C:\Program Files\Monster Truck Fury
2007-10-31 18:55 --------- d-----w C:\Program Files\Oberon Media
2007-10-31 18:55 --------- d-----w C:\Program Files\Common Files\Oberon Media
2007-10-31 15:56 --------- d-----w C:\Program Files\eGames
2007-10-30 22:21 --------- d-----w C:\Documents and Settings\Hamze\Application Data\Activision
2007-10-30 22:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Activision
2007-10-30 22:01 --------- d-----w C:\Program Files\EA SPORTS
2007-10-30 21:30 --------- d-----w C:\Documents and Settings\Hamze\Application Data\Hoyle FaceCreator
2007-10-30 21:13 --------- d-----w C:\Program Files\Encore
2007-10-30 17:33 --------- d-----w C:\Program Files\Smart Projects
2007-10-30 17:27 --------- d-----w C:\Program Files\id Software
2007-10-30 17:22 --------- d-----w C:\Program Files\DAEMON Tools
2007-10-30 17:16 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-10-27 16:47 --------- d-----w C:\Documents and Settings\Hamze\Application Data\CyberLink
2007-10-27 16:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2007-10-27 08:56 --------- d-----w C:\Documents and Settings\Hamze\Application Data\ATI
2007-10-27 08:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI
2007-10-27 08:54 --------- d-----w C:\Program Files\ATI Technologies
2007-10-27 08:52 --------- d-----w C:\Documents and Settings\Administrator\Application Data\ATI
2007-10-26 04:48 --------- d-----w C:\Program Files\Admiresoft
2007-10-25 01:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\QuickTime
2007-10-25 01:07 --------- d-----w C:\Documents and Settings\Hamze\Application Data\Media Player Classic
2007-10-25 01:06 --------- d-----w C:\Program Files\K-Lite Codec Pack
2007-10-25 01:04 --------- d-----w C:\Program Files\Common Files\Real
2007-10-25 00:24 --------- d-----w C:\Program Files\AVI MPEG WMV RM to MP3 Converter
2007-10-23 13:20 972,072 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
2007-10-22 07:51 972,072 ----a-w C:\WINDOWS\UNRecode.exe
.
Infected C:\WINDOWS\system32\svchost.exe hex repaired


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"Steam"="d:\games\counter strike source\steam.exe" [2007-11-30 08:19]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-14 10:36]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-09-18 15:16]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-10-23 14:18]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-10 15:00 C:\WINDOWS\system32\bthprops.cpl]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-11-30 18:29]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-04-19 21:41]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 11:35]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 14:57]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" []
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" []
"MsgCenterExe"="C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" []
"Medichi2"="medichi2.exe" [2007-12-25 10:42 C:\WINDOWS\medichi2.exe]
"sis32"="C:\WINDOWS\system32\winsos.exe" [2007-12-25 10:33]
"winroot"="C:\WINDOWS\system32\winsn.exe" [2007-12-22 04:56]
"Medichi"="medichi.exe" [2007-12-25 10:42 C:\WINDOWS\medichi.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-10 15:00]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-10 15:00 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\Hamze\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2004-12-21 20:42:36]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2006-03-13 13:11 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\Program Files\AlienGUIse\fastload.dll 2001-12-20 23:34 24576 C:\Program Files\AlienGUIse\fastload.dll

S0 viamraid;viamraid;C:\WINDOWS\system32\DRIVERS\viamraid.sys [2006-05-29 13:03]
S2 Nero BackItUp Scheduler 3;Nero BackItUp Scheduler 3;C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe [2007-09-20 08:51]
S2 SrvCDEject;SrvCDEject;C:\Program Files\Packard Bell\SrvCDEject.exe [2006-07-25 10:48]
S2 Vcs;Vcs support;C:\WINDOWS\system32\Drivers\Vcs.sys [2004-11-14 13:01]
S3 DrvSnSht;DrvSnSht;C:\Program Files\R-Drive Image\DrvSnSht.sys [2007-11-11 13:17]
S3 ICAM8USB;Intel® PC Camera CS120;C:\WINDOWS\system32\Drivers\Icm8D2.SYS [2001-07-12 12:23]
S3 RTSTOR;USB Mass Stroage Device;C:\WINDOWS\system32\drivers\RTSTOR.SYS [2005-12-21 22:27]
S3 StMp3Rec;Player Recovery Device Control Driver;C:\WINDOWS\system32\Drivers\StMp3Rec.sys [2007-02-15 13:14]
S3 ZZZdrv_lich;ZZZdrv_lich;C:\lich.sys [2007-12-23 15:25]
S4 FFI;FFI;C:\WINDOWS\system32\svchost.exe:exm.exe []
S4 ZZZsvc_lich;ZZZsvc_lich;C:\lich.exe [2007-12-22 19:55]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - C:\
\Shell\open\Command - C:\0047F358.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\
\Shell\open\Command - D:\708FDE68.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\
\Shell\open\Command - G:\C0361F71.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-12-22 03:36:00 C:\WINDOWS\Tasks\Se etter oppdateringer for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-25 10:44:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\FFI]
"ImagePath"="C:\WINDOWS\system32\svchost.exe:exm.exe"
.
Completion time: 2007-12-25 10:45:38 - machine was rebooted
.
2007-12-21 15:03:50 --- E O F ---


when safe mode booted up this time it asked me " as usual " if i wanted to pursue safe mode or access system restore...i cliked NO to see if system restore would come up and it did
also i can launch windows task manager now and control panel is back.

#15 sec

sec
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:06:32 AM

Posted 24 December 2007 - 12:51 PM

can i safely use system restore and restore it to an earlier stage ? should i do this in safe mode or normal mode ?
but i guess i should dl some antivirus and antimalware progs and run a scan first incase there are leftovers....




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users