
Had a Trojan and Sogou. They may be gone, but IE still hijacked


14 replies to this topic

#1 destro

destro

  • Members
  • 8 posts
  • OFFLINE
  • Local time:01:47 PM

Posted 23 August 2009 - 05:01 PM

Hi all.

I always keep my computers locked because it never fails that when someone else uses them, they get infected. Last night I had some friends over, and stepped out of the room for no more than 4 or 5 minutes, and when I got back a browser window was open with pop ups going off like crazy. I have been working on this all day, and I normally would have just reinstalled the OS by this point, but it's my work PC and I don't have all the software handy to get this back to where I need it.

After I saw what was going on with my PC, I closed every open window. I didn't immediately see any indications of an infection. Then I saw that when I tried to go to one of my search results from Google, I would get redirected to one of a number of shopping sites.

Spyware Terminator scans showed a few Trojans (Trojan.W32.Tib.GRIMM or something?) and Sogou. I immediately ran HiJackThis, and it runs for a few seconds then disappears. I am then unable to run or even delete it. I have had a number of problems. I have been unable to access the registry, and access is being denied for things left and right.

I found that csrss.exe and lsass.exe were being run from the user temp directory as well as the system directory. So, I went into safe mode and deleted the files that were running from temp. I then was able to track the Trojan down to tajf83ikdmf.dll which was in the System32 directory. I couldn't delete it in safe mode, so I used Security Task Manager to stop and delete it.

No virus or spyware scans can find anything left, but when I use google from IE and click on a search result link, I get this same original problem.

HijackThis closes when I try to run it as do some other apps, which leads me to believe that this issue is not isolated to just IE. Firefox does work properly with no problems so far.

I need to use this PC for work and am apprehensive to put it on their network in its current state.

Thanks for any help!
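The tell in the post above, csrss.exe and lsass.exe running from the user's temp directory while the genuine copies also run from the system directory, is one of the easiest things to check mechanically. The following is an added example (not code from this thread or from any tool mentioned in it) that takes a process list and flags well-known Windows system process names whose image path is not the directory Windows starts them from. The process list and PIDs are constructed, and the small set of protected names and expected directories is an assumption chosen to illustrate the check.

```python
import ntpath

# Process names that Windows itself launches only from the system directory.
# Malware reuses these names from another location so the Task Manager view
# looks ordinary. The set below is illustrative, not exhaustive.
SYSTEM_PROCESS_NAMES = {
    "csrss.exe", "lsass.exe", "smss.exe", "winlogon.exe",
    "services.exe", "svchost.exe", "explorer.exe",
}


def normalize(path):
    """Lower-case a Windows path and fold forward slashes to backslashes so
    that C:/WINDOWS/System32 and c:\\windows\\system32 compare equal."""
    return path.replace("/", "\\").lower().rstrip("\\")


def expected_dir(name, system_root):
    """explorer.exe lives in %SystemRoot% itself; the others in System32."""
    root = normalize(system_root)
    return root if name == "explorer.exe" else root + "\\system32"


def find_masquerading(processes, system_root=r"C:\WINDOWS"):
    """Return (pid, image_path, reason) for every process whose image name is
    a protected system process name but whose directory is not the one that
    name is expected in. processes is an iterable of (pid, full image path)."""
    findings = []
    for pid, image in processes:
        image_n = normalize(image)
        name = ntpath.basename(image_n)
        if name not in SYSTEM_PROCESS_NAMES:
            continue
        directory = ntpath.dirname(image_n)
        wanted = expected_dir(name, system_root)
        if directory != wanted:
            findings.append((pid, image, f"{name} expected under {wanted}"))
    return findings


# Constructed sample process list modelled on the situation in the post:
# one legitimate csrss.exe/lsass.exe pair in System32 and a second pair
# started from the user's temp directory.
SAMPLE_PROCESSES = [
    (612, r"C:\WINDOWS\system32\csrss.exe"),
    (668, r"C:\WINDOWS\system32\lsass.exe"),
    (1844, r"C:\Documents and Settings\user\Local Settings\Temp\csrss.exe"),
    (1860, r"C:\Documents and Settings\user\Local Settings\Temp\lsass.exe"),
    (1320, r"C:\WINDOWS\explorer.exe"),
    (2044, r"C:\Program Files\Mozilla Firefox\firefox.exe"),
]

if __name__ == "__main__":
    for pid, image, reason in find_masquerading(SAMPLE_PROCESSES):
        print(f"PID {pid}: {image}  <-- {reason}")
```

On a live machine the (pid, path) pairs would come from a process enumeration tool; the comparison is deliberately on the full directory rather than on the file name alone, since the name is exactly the part an impostor copies.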

#2 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:47 PM

Posted 23 August 2009 - 05:51 PM

Hello and welcome to Bleeping Computer.

Please subscribe to your topic so that you will be notified as soon as I post a reply, instead of you having to check the topic all of the time. This will allow you to get an email notification when I reply.

To subscribe, go to your topic, and at the top right hand corner by your first post, click the Options button and then click Track this topic. Then select the immediate notification bubble. Then press submit.



Let's take a look with Malwarebytes

Please download Malwarebytes' Anti-Malware from here:
Malwarebytes
Please rename the file BEFORE downloading to zztoy.exe instead of mbam-setup.exe

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

Double Click zztoy.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire MBAM report (even if it does not find anything) in your next reply

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


If Malwarebytes won't install or run

Some types of malware will disable MBAM and other security tools. If MBAM will not install, try renaming it. Right-click on the mbam-setup.exe file and change the .exe extension to .bat, .com, .pif, or .scr and then double-click on it to run.

If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files, right-click on mbam.exe and change the .exe as noted above. Then double-click on it to run.
Computer Pro

#3 destro

destro
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:01:47 PM

Posted 23 August 2009 - 08:57 PM

No luck with that. I renamed the file before it was downloaded, and renamed the mbam.exe file as well. The app ran for 3 seconds and disappeared.

Funny thing I noticed was that my folder options were returned to default at some point since this started. I could no longer see file extensions either. So, I decided to change that back. I went into explorer to go to Tools>Folder Options, but 'Folder Options' was missing. I suspect this is in order to try to keep me from finding hidden files.

Edited by destro, 23 August 2009 - 09:03 PM.
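The missing Folder Options entry and the hidden file extensions described above are the visible side of Explorer policy values that malware sets to hamper cleanup; the Silent Runners output later in the thread shows them as NoFolderOptions, DisableRegistryTools and DisableSR under the Policies keys. The following is an added example (not from this thread, from Silent Runners, or from any other tool named here) that parses the Group Policies section of a Silent Runners style report and flags the lock-down values that have been switched on. The sample report text is constructed to mirror the format shown in the thread, and the list of flagged value names is an assumption chosen for illustration.

```python
import re

# Registry policy values commonly set by malware to hinder inspection and
# cleanup, keyed by lower-cased value name. Illustrative, not exhaustive.
LOCKDOWN_POLICIES = {
    "nofolderoptions": "Folder Options removed from the Explorer Tools menu",
    "disableregistrytools": "registry editing tools blocked",
    "disabletaskmgr": "Task Manager blocked",
    "disablecmd": "command prompt blocked",
    "disablesr": "System Restore turned off",
}

# Matches lines such as:  "NoFolderOptions" = (REG_DWORD) dword:0x00000001
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"\s*=\s*\(REG_DWORD\)\s*dword:0x(?P<val>[0-9A-Fa-f]+)$'
)


def parse_policies(text):
    """Return (key, value_name, int_value) for every REG_DWORD entry in the
    Group Policies section. A line starting with HK and ending in a backslash
    names the key that the entries which follow belong to."""
    key = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("HK") and line.endswith("\\"):
            key = line.rstrip("\\")
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            entries.append((key, m.group("name"), int(m.group("val"), 16)))
    return entries


def flag_lockdowns(text):
    """Return (key, value_name, explanation) for each known lock-down policy
    whose value is non-zero, i.e. actually in effect."""
    return [
        (key, name, LOCKDOWN_POLICIES[name.lower()])
        for key, name, value in parse_policies(text)
        if name.lower() in LOCKDOWN_POLICIES and value != 0
    ]


# Constructed sample in the Silent Runners report format.
SAMPLE_REPORT = r"""
Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoFolderOptions" = (REG_DWORD) dword:0x00000001
{User Configuration|Administrative Templates|Windows Components|Windows Explorer|
Removes the Folder Options menu item from the Tools menu}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableRegistryTools" = (REG_DWORD) dword:0x00000001
{User Configuration|Administrative Templates|System|
Prevent access to registry editing tools}

HKCU\Software\Policies\Microsoft\Windows\System\

"DisableCMD" = (REG_DWORD) dword:0x00000000
{User Configuration|Administrative Templates|System|
Disable the command prompt}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\

"DisableSR" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Administrative Templates|System|System Restore|
Turn off System Restore}
"""

if __name__ == "__main__":
    for key, name, why in flag_lockdowns(SAMPLE_REPORT):
        print(f"{key}\\{name}: {why}")
```

A zero-valued entry such as DisableCMD above is reported by the parser but not flagged, and an ordinary policy like shutdownwithoutlogon is ignored, so the output is limited to settings that actually get in the way of cleanup.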


#4 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:47 PM

Posted 23 August 2009 - 09:08 PM

Ok, rootrepeal time:

Please install RootRepeal

Go HERE, and download RootRepeal.zip to your Desktop.
Tutorial with images, if needed >> L@@K
Unzip that to your Desktop and then click RootRepeal.exe to open the scanner.

*Open the folder and double-click on RootRepeal.exe to launch it. If using Vista, right-click and Run as Administrator...
* Click on the FILES tab, then click the Scan button.
* In the Select Drives, dialog Please select drives to scan: select all drives showing, then click OK.
* When the scan has completed, a list of files will be generated in the RootRepeal window.
* Click on the Save Report button and save it as rootrepeal.txt to your desktop or the same location where you ran the tool from.
* Open rootrepeal.txt in Notepad and copy/paste its contents in your next reply.
* Exit RootRepeal and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

Please note: If Rootrepeal fails to run, try this step: Click Settings - Options. Set the Disk Access slider to High


Note 2: If RootRepeal cannot complete a scan and results in a crash report, try repeating the scan in "Safe Mode".
Computer Pro

#5 destro

destro
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:01:47 PM

Posted 23 August 2009 - 10:24 PM

This also crashes. I tried changing the filename using the methods from earlier and also tried to run it from safe mode. I forgot to mention that I do have McAfee running and cannot shut it off. This is a corporate machine and they have me locked out from disabling it. I wasn't able to disable it through services even in safe mode. I am not sure if that will have an impact on these apps or not. Nothing is jumping out at me from eventvwr either.

#6 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:47 PM

Posted 24 August 2009 - 07:07 PM

Ok, let's try Dr. Web.

Please download Dr. Web the free version & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr. Web Cureit as follows:
Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
The Express scan will automatically begin.
(This is a short scan of files currently running in memory, boot sectors, and targeted folders).
If prompted to download the Full version Free Trial, ignore and click the X to close the window.
If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
When complete, click Select All, then choose Cure > Move incurable.
(This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
Now put a check next to Complete scan to scan all local disks and removable media.
In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
In the top menu, click file and choose save report list.
Save the DrWeb.csv report to your desktop.
Exit Dr.Web Cureit when done.
Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)
Computer Pro

#7 destro

destro
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:01:47 PM

Posted 27 August 2009 - 07:59 AM

The Express scan completed and found nothing. When I ran the complete scan, it ran for maybe about a minute, and that crashed on me as well.

I also noticed that I don't have permission to create directories on the root of my hard drive. This is new. I can't find any policies or user/group permissions that are preventing this within windows.

#8 destro

destro
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:01:47 PM

Posted 27 August 2009 - 03:06 PM

I am running the Kaspersky online scanner and it has found trojan-downloader.win32.agent.cnhi. I cannot find any information about it.

#9 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:47 PM

Posted 27 August 2009 - 04:51 PM

Can you post the Kaspersky log?

Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button.
Save the file to your desktop.
Copy and paste that information in your next post.
Computer Pro

#10 destro

destro
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:01:47 PM

Posted 27 August 2009 - 04:58 PM

Sure will. It's still running and I have some errands to run so I will post it when I get back home.

Thanks for the help thus far!

#11 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:47 PM

Posted 27 August 2009 - 05:14 PM

Ok, you're welcome
Computer Pro

#12 destro

destro
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:01:47 PM

Posted 28 August 2009 - 08:58 AM

I went ahead and ran critical areas scan as well as my computer scan. They both came back with the same results:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, August 28, 2009
Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, August 27, 2009 20:39:15
Records in database: 2692678
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
H:\
I:\
K:\

Scan statistics:
Objects scanned: 104811
Threats found: 3
Infected objects found: 5
Suspicious objects found: 0
Scan duration: 02:29:19


File name / Threat / Threats count
C:\Documents and Settings\All Users\Application Data\SecTaskMan\tajf83ikdmf.dll.q_Quarantine_8043A98_q Infected: Trojan-Downloader.Win32.Agent.cnhi 1
C:\Documents and Settings\CHANGED\Local Settings\Temporary Internet Files\Content.IE5\FFL9TV8T\Install[1].exe Infected: Trojan-Downloader.Win32.FraudLoad.fim 1
C:\Program Files\Radmin\raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 1
C:\Program Files\Radmin\r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 1
C:\WINDOWS\system32\r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 1

Selected area has been scanned.

I changed the reference to my user in one of the above paths. That's why you will see 'CHANGED'.

After this ran I went into safe mode/command prompt and deleted the .dll and .exe referenced above. I am still unable to run any sort of virus scans, however, as they all crash. Even Spyware Terminator now crashes, though it didn't crash when this all started.

Also, I got this using the script from www.silentrunners.org

"Silent Runners.vbs", revision 59, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Yahoo! Pager" = ""C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet" ["Yahoo! Inc."]
"SpywareTerminatorUpdate" = ""C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe"" ["Crawler.com"]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CoolSwitch" = "C:\WINDOWS\System32\taskswitch.exe" [null data]
"PTHOSTTR" = "C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start" ["Hewlett-Packard Development Company, L.P."]
"QlbCtrl" = "C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start"
"CognizanceTS" = "rundll32.exe C:\PROGRA~1\HPQ\IAM\Bin\AsTsVcc.dll,RegisterModule" [MS]
"CgaHelper" = "C:\PROGRA~1\CYBERG~1\cgahelp.exe -check" ["InfoExpress"]
"CgaViewer" = "C:\PROGRA~1\CYBERG~1\cgav.exe -check" ["InfoExpress Inc."]
"ShStatEXE" = ""C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE" ["McAfee, Inc."]
"McAfeeUpdaterUI" = ""C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey" ["McAfee, Inc."]
"DoroServer" = "C:\Program Files\DoroPDFWriter\DoroServer.exe" ["CompSoft"]
"QPMEnroll" = "C:\WINDOWS\system32\QPMEnroll.exe" ["Quest Software, Inc."]
"PDDM" = "c:\Program Files\PatchLink\Update Agent\pddm.exe" ["PatchLink Corporation"]
"Pointsec Tray" = "C:\Program Files\Pointsec\Pointsec for PC\P95Tray.exe" ["Check Point Software Tech Ltd"]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"GettingStartedPopUp" = ""c:\Program Files\Common Files\RSA Shared\RSA Security Center\GettingStartedPopup.exe"" [null data]
"RSAnotificationIcon" = ""c:\Program Files\Common Files\RSA Shared\RSA Security Center\RsaNotificationIcon.exe"" [null data]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Inc."]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"BHR" = "C:\Program Files\Zamaan's Software\Browser Hijack Retaliator 4.5\BHR.exe" ["Zamaan's Software"]
"SpywareTerminator" = ""C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"" ["Crawler.com"]

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{7DB2D5A0-7241-4E79-B68D-6309F01C5231}\(Default) = "scriptproxy"
-> {HKLM...CLSID} = "scriptproxy"
\InProcServer32\(Default) = "C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll" ["McAfee, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{1530F7EE-5128-43BD-9977-84A4B0FAD7DF}" = "PhotoToys"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\System32\phototoys.dll" [MS]
"{efb97cb8-a4a4-4357-a261-002ffaed0267}" = "CD Slideshow Powertoy"
-> {HKLM...CLSID} = "CD Burn Slideshow Hook"
\InProcServer32\(Default) = "C:\WINDOWS\System32\slideshow.dll" [MS]
"{709C6E11-538F-4759-86AC-6ACB302AA0DE}" = "Desktop Manager"
-> {HKLM...CLSID} = "Desktop Manager"
\InProcServer32\(Default) = "C:\WINDOWS\System32\msvdm.dll" [null data]
"{5E44E225-A408-11CF-B581-008029601108}" = "Roxio DragToDisc Shell Extension"
-> {HKLM...CLSID} = "Roxio DragToDisc Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\shellex.dll" ["Roxio"]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."]
"{B94E2601-D7A1-11d4-A1EE-444553540000}" = "PNAgent IconH"
-> {HKLM...CLSID} = "DesktopPortal Icon Handler"
\InProcServer32\(Default) = "C:\Program Files\Citrix\ICA Client\dpihand.dll" ["Citrix Systems, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{666C7831-A9B6-4AB4-94ED-DC238C81E925}" = "Document Manager (Context Menu)"
-> {HKLM...CLSID} = "Document Manager (Shell Context Menu)"
\InProcServer32\(Default) = "C:\Program Files\HPQ\IAM\Bin\SFSShell.dll" ["Cognizance Corporation"]
"{666C7832-A9B6-4AB4-94ED-DC238C81E925}" = "Document Manager (File Properties)"
-> {HKLM...CLSID} = "Document Manager (Shell File Properties)"
\InProcServer32\(Default) = "C:\Program Files\HPQ\IAM\Bin\SFSShell.dll" ["Cognizance Corporation"]
"{666C7835-A9B6-4AB4-94ED-DC238C81E925}" = "Document Manager (Drive Properties)"
-> {HKLM...CLSID} = "Document Manager (Shell Drive Properties)"
\InProcServer32\(Default) = "C:\Program Files\HPQ\IAM\Bin\SFSShell.dll" ["Cognizance Corporation"]
"{6af09ec9-b429-11d4-a1fb-0090960218cb}" = "My Bluetooth Places"
-> {HKLM...CLSID} = "My Bluetooth Places"
\InProcServer32\(Default) = "C:\WINDOWS\system32\btneighborhood.dll" ["Broadcom Corporation."]
"{506F4668-F13E-4AA1-BB04-B43203AB3CC0}" = "{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"
-> {HKLM...CLSID} = "ImageExtractorShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Visio11\VISSHE.DLL" [null data]
"{D66DC78C-4F61-447F-942B-3FB6980118CF}" = "{D66DC78C-4F61-447F-942B-3FB6980118CF}"
-> {HKLM...CLSID} = "CInfoTipShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Visio11\VISSHE.DLL" [null data]
"{8903F6C9-25E3-40AC-A98F-E6D35CD0469C}" = "PSPad"
-> {HKLM...CLSID} = "PSPad"
\InProcServer32\(Default) = "C:\PROGRA~1\PSPADE~1\PSPADS~1.DLL" [null data]
"{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}" = "jetAudio"
-> {HKLM...CLSID} = "JetFlExt Class"
\InProcServer32\(Default) = "C:\Program Files\JetAudio\JetFlExt.dll" ["COWON America"]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
-> {HKLM...CLSID} = "My Sharing Folders"
\InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.1.0178.00.dll" [MS]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{98DD0781-8AD9-11D2-B0AA-00104B458FC2}" = "RSA Passage File Signing Shell Extension"
-> {HKLM...CLSID} = "RSA Passage File Signing Shell Extension"
\InProcServer32\(Default) = "FileSign.dll" [file not found]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{BD88A479-9623-4897-8546-BC62B9628F44}" = "SPTHandler"
-> {HKLM...CLSID} = "SPTHandler"
\InProcServer32\(Default) = "C:\Program Files\Spyware Terminator\sptcontmenu.dll" ["Crawler.com"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
<<!>> "{BF56A325-23F2-42AD-F4E4-00AAC39CAA53}" = "ghya673gidh87we9inkff"
-> {HKLM...CLSID} = "C:\WINDOWS\system32\tajf83ikdmf.dll"
\InProcServer32\(Default) = "C:\WINDOWS\system32\tajf83ikdmf.dll" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
<<!>> "GinaDLL" = "pssogina.dll" ["Check Point Software Tech Ltd"]
<<!>> "Userinit" = "C:\WINDOWS\system32\userinit.exe,c:\Program Files\RSA Security\RSA Authenticator Utility\NTNotify.exe" [MS], [file not found], [file not found], [file not found], [file not found], [file not found]

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
<<!>> "Notification Packages" = "scecli"|"AsWlnPkg"

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"| [file not found]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> 3gProp\DLLName = "c:\Program Files\RSA Security\RSA Authenticator Utility\3gProp.dll" ["RSA Security Inc"]
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
<<!>> NotifyP11Svc\DLLName = "c:\Program Files\RSA Security\RSA Authenticator Utility\NotifyP11Svc.dll" ["RSA Security Inc"]
<<!>> OdysseyClient\DLLName = "odyEvent.dll" ["Funk Software, Inc."]
<<!>> OneCard\DLLName = "C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll" ["Cognizance Corporation"]
<<!>> PAStates\DLLName = "PAStates.dll" [null data]
<<!>> SOMCredMgr\DLLName = "c:\Program Files\RSA Security\RSA Authenticator Utility\CredMgr.dll" ["RSA Security Inc"]

HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logon\0\
DisplayName = "SCIDomain_Standard_Desktop_Settings"
0\ -> launches: "\\sci.local\netlogon\StdDesktopStartup.vbs" [file not found]
DisplayName = "SCIDomain_Standard_Desktop_Settings"
1\ -> launches: "\\sci.local\netlogon\SCIDomain_User.Bat" [file not found]
DisplayName = "SCIDomain_Standard_Desktop_Settings"
2\ -> launches: "\\sci.local\NETLOGON\SCIRegEdits.vbs" [file not found]
DisplayName = "SCIDomain_Standard_Desktop_Settings"
3\ -> launches: "\\sci.local\NETLOGON\PLAgentInst.vbs" [file not found]
DisplayName = "SCIDomain_Standard_Desktop_Settings"
4\ -> launches: "\\sci.local\NETLOGON\SW_Packages\RSA\RSAInst.vbs" [file not found]
DisplayName = "SCIDomain_Standard_Desktop_Settings"
5\ -> launches: "\\sci.local\netlogon\SW_Packages\LSO\LSO_IE_SETTINGS.VBS" [file not found]
DisplayName = "SCIDomain_Standard_Desktop_Settings"
6\ -> launches: "\\sci.local\netlogon\SW_Packages\REMOTE CONTROL\ALLOW_REMOTE_CONNECTIONS.VBS" [file not found]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
Document Manager\(Default) = "{666C7831-A9B6-4AB4-94ED-DC238C81E925}"
-> {HKLM...CLSID} = "Document Manager (Shell Context Menu)"
\InProcServer32\(Default) = "C:\Program Files\HPQ\IAM\Bin\SFSShell.dll" ["Cognizance Corporation"]
FileSign\(Default) = "{98DD0781-8AD9-11D2-B0AA-00104B458FC2}"
-> {HKLM...CLSID} = "RSA Passage File Signing Shell Extension"
\InProcServer32\(Default) = "FileSign.dll" [file not found]
LavasoftShellExt\(Default) = "{DCE027F7-16A4-4BEE-9BE7-74F80EE3738F}"
-> {HKLM...CLSID} = "Lavasoft Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Lavasoft\Ad-Aware\ShellExt.dll" [file not found]
PSPad\(Default) = "{8903F6C9-25E3-40AC-A98F-E6D35CD0469C}"
-> {HKLM...CLSID} = "PSPad"
\InProcServer32\(Default) = "C:\PROGRA~1\PSPADE~1\PSPADS~1.DLL" [null data]
SPTContMenu\(Default) = "{BD88A479-9623-4897-8546-BC62B9628F44}"
-> {HKLM...CLSID} = "SPTHandler"
\InProcServer32\(Default) = "C:\Program Files\Spyware Terminator\sptcontmenu.dll" ["Crawler.com"]
UltraEdit-32\(Default) = "{b5eedee0-c06e-11cf-8c56-444553540000}"
-> {HKLM...CLSID} = "UltraEdit-32"
\InProcServer32\(Default) = "C:\PROGRA~1\ULTRAE~1\ue32ctmn.dll" [empty string]
VirusScan\(Default) = "{cda2863e-2497-4c49-9b89-06840e070a87}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\McAfee\VirusScan Enterprise\shext.dll" ["McAfee, Inc."]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
Document Manager\(Default) = "{666C7831-A9B6-4AB4-94ED-DC238C81E925}"
-> {HKLM...CLSID} = "Document Manager (Shell Context Menu)"
\InProcServer32\(Default) = "C:\Program Files\HPQ\IAM\Bin\SFSShell.dll" ["Cognizance Corporation"]
jetAudio\(Default) = "{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}"
-> {HKLM...CLSID} = "JetFlExt Class"
\InProcServer32\(Default) = "C:\Program Files\JetAudio\JetFlExt.dll" ["COWON America"]
VirusScan\(Default) = "{cda2863e-2497-4c49-9b89-06840e070a87}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\McAfee\VirusScan Enterprise\shext.dll" ["McAfee, Inc."]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
jetAudio\(Default) = "{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}"
-> {HKLM...CLSID} = "JetFlExt Class"
\InProcServer32\(Default) = "C:\Program Files\JetAudio\JetFlExt.dll" ["COWON America"]
LavasoftShellExt\(Default) = "{DCE027F7-16A4-4BEE-9BE7-74F80EE3738F}"
-> {HKLM...CLSID} = "Lavasoft Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Lavasoft\Ad-Aware\ShellExt.dll" [file not found]
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\1Malwre\mbamext.dll" ["Malwarebytes Corporation"]
SPTContMenu\(Default) = "{BD88A479-9623-4897-8546-BC62B9628F44}"
-> {HKLM...CLSID} = "SPTHandler"
\InProcServer32\(Default) = "C:\Program Files\Spyware Terminator\sptcontmenu.dll" ["Crawler.com"]
VirusScan\(Default) = "{cda2863e-2497-4c49-9b89-06840e070a87}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\McAfee\VirusScan Enterprise\shext.dll" ["McAfee, Inc."]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\1Malwre\mbamext.dll" ["Malwarebytes Corporation"]
SPTContMenu\(Default) = "{BD88A479-9623-4897-8546-BC62B9628F44}"
-> {HKLM...CLSID} = "SPTHandler"
\InProcServer32\(Default) = "C:\Program Files\Spyware Terminator\sptcontmenu.dll" ["Crawler.com"]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\

"LowRiskFileTypes" = (REG_SZ) zip;.rar;.cab;.txt;.exe;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mov;.mp3;.wav
{unrecognized setting}

"SaveZoneInformation" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoFolderOptions" = (REG_DWORD) dword:0x00000001
{User Configuration|Administrative Templates|Windows Components|Windows Explorer|
Removes the Folder Options menu item from the Tools menu}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableRegistryTools" = (REG_DWORD) dword:0x00000001
{User Configuration|Administrative Templates|System|
Prevent access to registry editing tools}

HKCU\Software\Policies\Microsoft\Windows\System\

"DisableCMD" = (REG_DWORD) dword:0x00000000
{User Configuration|Administrative Templates|System|
Disable the command prompt}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000000
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

"disablecad" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\

"DisableSR" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Administrative Templates|System|System Restore|
Turn off System Restore}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

IviDVDEventHandler\
"Provider" = "InterVideo WinDVD"
"InvokeProgID" = "Ivi.MediaFile"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\Ivi.MediaFile\shell\play\command\(Default) = ""C:\Program Files\InterVideo\WinDVD\WinDVD.exe" %1" ["InterVideo Inc."]

JABurnCDAudioOnArrival\
"Provider" = "jetAudio"
"InvokeProgID" = "jetAudio.MediaHandler"
"InvokeVerb" = "burncd"
HKLM\SOFTWARE\Classes\jetAudio.MediaHandler\shell\burncd\command\(Default) = ""C:\Program Files\JetAudio\jetAudio.exe" /burncd "%1"" ["COWON America, Inc."]

JACreateAlbumOnArrival\
"Provider" = "jetAudio"
"InvokeProgID" = "jetAudio.MediaHandler"
"InvokeVerb" = "createalbum"
HKLM\SOFTWARE\Classes\jetAudio.MediaHandler\shell\createalbum\command\(Default) = ""C:\Program Files\JetAudio\jetAudio.exe" /createalbum "%1"" ["COWON America, Inc."]

JAPlayCDAudioOnArrival\
"Provider" = "jetAudio"
"InvokeProgID" = "jetAudio.MediaHandler"
"InvokeVerb" = "playcd"
HKLM\SOFTWARE\Classes\jetAudio.MediaHandler\shell\playcd\command\(Default) = ""C:\Program Files\JetAudio\jetAudio.exe" /playcd "%1"" ["COWON America, Inc."]

JAPlayDVDMovieOnArrival\
"Provider" = "jetAudio"
"InvokeProgID" = "jetAudio.MediaHandler"
"InvokeVerb" = "playdvd"
HKLM\SOFTWARE\Classes\jetAudio.MediaHandler\shell\playdvd\command\(Default) = ""C:\Program Files\JetAudio\jetAudio.exe" /playdvd "%1"" ["COWON America, Inc."]

JAPlayMediaOnArrival\
"Provider" = "jetAudio"
"InvokeProgID" = "jetAudio.MediaHandler"
"InvokeVerb" = "playmedia"
HKLM\SOFTWARE\Classes\jetAudio.MediaHandler\shell\playmedia\DropTarget\CLSID = "{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}"
-> {HKLM...CLSID} = "JetFlExt Class"
\InProcServer32\(Default) = "C:\Program Files\JetAudio\JetFlExt.dll" ["COWON America"]

JAPlaySVCDMovieOnArrival\
"Provider" = "jetAudio"
"InvokeProgID" = "jetAudio.MediaHandler"
"InvokeVerb" = "playvcd"
HKLM\SOFTWARE\Classes\jetAudio.MediaHandler\shell\playvcd\command\(Default) = ""C:\Program Files\JetAudio\jetAudio.exe" /playvcd "%1"" ["COWON America, Inc."]

JAPlayVCDMovieOnArrival\
"Provider" = "jetAudio"
"InvokeProgID" = "jetAudio.MediaHandler"
"InvokeVerb" = "playvcd"
HKLM\SOFTWARE\Classes\jetAudio.MediaHandler\shell\playvcd\command\(Default) = ""C:\Program Files\JetAudio\jetAudio.exe" /playvcd "%1"" ["COWON America, Inc."]

JARipCDAudioOnArrival\
"Provider" = "jetAudio"
"InvokeProgID" = "jetAudio.MediaHandler"
"InvokeVerb" = "ripcd"
HKLM\SOFTWARE\Classes\jetAudio.MediaHandler\shell\ripcd\command\(Default) = ""C:\Program Files\JetAudio\jetAudio.exe" /ripcd "%1"" ["COWON America, Inc."]

MSWPDShellNamespaceHandler\
"Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = " "
-> {HKLM...CLSID} = "WPDShextAutoplay"
\LocalServer32\(Default) = "C:\WINDOWS\system32\WPDShextAutoplay.exe" [MS]

NapsterMTPHandler\
"Provider" = "@C:\Program Files\Napster\napster.exe,-101"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = ""C:\Program Files\Napster\napster.exe" /devicesync"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "ShellExecute HW Event Handler"
\LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

NapsterPlayCDHandler\
"Provider" = "@C:\Program Files\Napster\napster.exe,-101"
"InvokeProgID" = "Napster.AutoplayHandler"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\Napster.AutoplayHandler\shell\open\command\(Default) = ""C:\Program Files\Napster\napster.exe" /playcd "%L"" ["Napster"]

RhapsodyCDBurningOnArrival\
"Provider" = "Rhapsody"
"InvokeProgID" = "Rhapsody.CDBurn.3"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\Rhapsody.CDBurn.3\shell\open\command\(Default) = "C:\PROGRA~1\Rhapsody\\rhapsody.exe /burn "%1"" ["RealNetworks, Inc."]

RhapsodyDeviceOnArrival\
"Provider" = "Rhapsody"
"ProgID" = "Rhapsody.HWEventHandler"
HKLM\SOFTWARE\Classes\Rhapsody.HWEventHandler\CLSID\(Default) = "{5717E2AC-8A5C-47b7-BFE5-50BAD65AB904}"
-> {HKLM...CLSID} = "Rhapsody Helper"
\LocalServer32\(Default) = ""C:\PROGRA~1\Rhapsody\rhaphlpr.exe"" ["RealNetworks, Inc."]

RhapsodyMusicDevice\
"Provider" = "Rhapsody"
"InvokeProgID" = "Rhapsody.MusicDevice.3"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\Rhapsody.MusicDevice.3\shell\open\command\(Default) = "C:\PROGRA~1\Rhapsody\\rhapsody.exe /device: "%1"" ["RealNetworks, Inc."]

RhapsodyPlayCDAudioOnArrival\
"Provider" = "Rhapsody"
"InvokeProgID" = "Rhapsody.AudioCD.3"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\Rhapsody.AudioCD.3\shell\play\command\(Default) = "C:\PROGRA~1\Rhapsody\\rhapsody.exe /play "%1"" ["RealNetworks, Inc."]

RhapsodyRipCDAudioOnArrival\
"Provider" = "Rhapsody"
"InvokeProgID" = "Rhapsody.AudioCDRip.3"
"InvokeVerb" = "rip"
HKLM\SOFTWARE\Classes\Rhapsody.AudioCDRip.3\shell\rip\command\(Default) = "C:\PROGRA~1\Rhapsody\\rhapsody.exe /rip "%1"" ["RealNetworks, Inc."]

RoxioSelectOnArrival\
"Provider" = "Roxio Easy CD & DVD Creator"
"InvokeProgID" = "Projselector"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\Projselector\shell\open\Command\(Default) = ""C:\Program Files\Common Files\Roxio Shared\Project Selector\ProjSelector.exe" -x" ["Roxio"]

RPCDBurningOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.CDBurn.6"
"InvokeVerb" = "open"
HKCU\Software\Classes\RealPlayer.CDBurn.6\shell\open\command\(Default) = ""C:\Program Files\Real\RealPlayer\RealPlay.exe" /burn "%1"" ["RealNetworks, Inc."]

RPDeviceOnArrival\
"Provider" = "RealPlayer"
"ProgID" = "RealPlayer.HWEventHandler"
HKLM\SOFTWARE\Classes\RealPlayer.HWEventHandler\CLSID\(Default) = "{67E76F1D-BDE2-4052-913C-2752366192D2}"
-> {HKLM...CLSID} = "RealNetworks Scheduler"
\LocalServer32\(Default) = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -autoplay" ["RealNetworks, Inc."]

RPPlayCDAudioOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.AudioCD.6"
"InvokeVerb" = "play"
HKCU\Software\Classes\RealPlayer.AudioCD.6\shell\play\command\(Default) = ""C:\Program Files\Real\RealPlayer\RealPlay.exe" /play %1 " ["RealNetworks, Inc."]

RPPlayDVDMovieOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.DVD.6"
"InvokeVerb" = "play"
HKCU\Software\Classes\RealPlayer.DVD.6\shell\play\command\(Default) = ""C:\Program Files\Real\RealPlayer\RealPlay.exe" /dvd %1 " ["RealNetworks, Inc."]

RPPlayMediaOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.AutoPlay.6"
"InvokeVerb" = "open"
HKCU\Software\Classes\RealPlayer.AutoPlay.6\shell\open\command\(Default) = ""C:\Program Files\Real\RealPlayer\RealPlay.exe" /autoplay "%1"" ["RealNetworks, Inc."]

ZunePlayCDAudioOnArrival\
"Provider" = "@c:\Program Files\Zune\en-US\ZuneResources.dll.mui,-603"
"InvokeProgID" = "Microsoft.Zune.2.AudioCD"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\Microsoft.Zune.2.AudioCD\shell\Play\Command\(Default) = ""c:\Program Files\Zune\Zune.exe" /PlayCD:"%L"" [MS]

ZunePlayMediaOnArrival\
"Provider" = "@c:\Program Files\Zune\en-US\ZuneResources.dll.mui,-603"
"InvokeProgID" = "Microsoft.Zune.2.PlayMedia"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\Microsoft.Zune.2.PlayMedia\shell\Play\Command\(Default) = ""c:\Program Files\Zune\Zune.exe" /PlayMedia:"%L"" [MS]

ZuneRipCDAudioOnArrival\
"Provider" = "@c:\Program Files\Zune\en-US\ZuneResources.dll.mui,-603"
"InvokeProgID" = "Microsoft.Zune.2.RipCD"
"InvokeVerb" = "Rip"
HKLM\SOFTWARE\Classes\Microsoft.Zune.2.RipCD\shell\Rip\Command\(Default) = ""c:\Program Files\Zune\Zune.exe" /RipCD:"%L"" [MS]


Enabled Scheduled Tasks:
------------------------

"Ad-Aware Update (Weekly).job" -- insufficient permission to read this file!


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "C:\Program Files\Bonjour\mdnsNSP.dll" ["Apple Inc."]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 24
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{F2CF5485-4E02-4F68-819C-B92DE9277049}"
-> {HKLM...CLSID} = "&Links"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{77BF5300-1474-4EC7-9980-D32B190E9B07}\
"ButtonText" = "Skype"
"CLSIDExtension" = "{77BF5300-1474-4EC7-9980-D32B190E9B07}"
-> {HKLM...CLSID} = "Skype add-on (button)"
\InProcServer32\(Default) = "C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll" ["Skype Technologies S.A."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\
<<H>> "NavigationFailure" = "res://shdoclc.dll/navcancl.htm" [MS]
<<H>> "DesktopItemNavigationFailure" = "res://shdoclc.dll/navcancl.htm" [MS]
<<H>> "NavigationCanceled" = "res://shdoclc.dll/navcancl.htm" [MS]
<<H>> "OfflineInformation" = "res://shdoclc.dll/offcancl.htm" [MS]
<<H>> "PostNotCached" = "res://mshtml.dll/repost.htm" [MS]
<<H>> "Tabs" = "tbr:res?id=tabs&rep=1" [file not found]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
Bluetooth Service, btwdins, "C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe" ["Broadcom Corporation."]
Cisco Posture Server Daemon, ctapsd, ""C:\Program Files\Cisco Systems\CiscoTrustAgent\ctapsd.exe"" ["Cisco Systems, Inc."]
Cisco Systems, Inc. CTA Posture State Daemon, ctatransapt, ""C:\Program Files\Cisco Systems\CiscoTrustAgent\ctatransapt.exe"" [null data]
Cisco Systems, Inc. VPN Service, CVPND, ""C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe"" ["Cisco Systems, Inc."]
Cisco Trust Agent EOU Daemon, CtaEoU, ""C:\Program Files\Cisco Systems\CiscoTrustAgent\CtaEoU.exe"" ["Cisco Systems, Inc."]
Cisco Trust Agent Logger Daemon, ctalogd, ""C:\Program Files\Cisco Systems\CiscoTrustAgent\ctalogd.exe"" ["Cisco Systems, Inc."]
CyberGatekeeper Agent, CGAgent, "C:\PROGRA~1\CYBERG~1\cgasvc.exe" ["InfoExpress"]
hpqwmiex, hpqwmiex, "C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe" ["Hewlett-Packard Development Company, L.P."]
iPCAgent, iPCAgent, "C:\Program Files\iPass\iPassConnect\iPCAgent.exe" ["iPass, Inc."]
Local Communication Channel, ASChannel, "C:\WINDOWS\System32\svchost.exe -k Cognizance" {"C:\Program Files\HPQ\IAM\Bin\ASChnl.dll" ["Cognizance Corporation"]}
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
McAfee Framework Service, McAfeeFramework, ""C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart" ["McAfee, Inc."]
McAfee McShield, McShield, ""C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe"" ["McAfee, Inc."]
McAfee Task Manager, McTaskManager, ""C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe"" ["McAfee, Inc."]
PatchLink Update, PatchLink Update, ""c:\Program Files\PatchLink\Update Agent\GravitixService.exe"" ["PatchLink Corporation"]
Pointsec Service Start, Pointsec_start, "C:\WINDOWS\system32\pstartSr.exe" [null data]
RSA Authenticator Utility 1.0 P11 Service, RsaP11Svc, ""c:\Program Files\RSA Security\RSA Authenticator Utility\RsaP11Svc.exe"" ["RSA Security Inc"]
Spyware Terminator Realtime Shield Service, sp_rssrv, ""C:\Program Files\Spyware Terminator\sp_rsser.exe"" ["Crawler.com"]
Windows Driver Foundation - User-mode Driver Framework, WudfSvc, "C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup" {"C:\WINDOWS\System32\WUDFSvc.dll" [MS]}
Windows Media Player Network Sharing Service, WMPNetworkSvc, ""C:\Program Files\Windows Media Player\WMPNetwk.exe"" [MS]
WMDM PMSP Service, WMDM PMSP Service, "C:\WINDOWS\System32\MsPMSPSv.exe" [MS]


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Bluetooth Printer Port\Driver = "bthcrp.dll" ["Broadcom Corporation."]
Canon BJ Language Monitor MP160\Driver = "CNMLM83.DLL" ["CANON INC."]
Canon BJ Language Monitor MP480 series\Driver = "CNMLM9F.DLL" ["CANON INC."]
Doro PDF Writer Port\Driver = "C:\Program Files\DoroPDFWriter\Doro.dll" ["CompSoft"]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


---------- (launch time: 2009-08-27 15:57:02)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 70 seconds, including 15 seconds for message boxes)

Notice the 1 next to the registry settings disabling the registry editor and folder options.

Thanks!

#13 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:47 PM

Posted 28 August 2009 - 05:08 PM

Please try to run Malwarebytes again
Computer Pro

#14 destro

destro
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:01:47 PM

Posted 28 August 2009 - 06:58 PM

I had uninstalled it previously, and it is now telling me that I need to be an administrator to install it.

#15 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:47 PM

Posted 28 August 2009 - 08:13 PM

Even from Safe Mode?
Computer Pro
