Annoying exclamation that can't be removed
infini
When I am connected to the internet, after a while an exclamation mark appears inside a yellow triangle in the taskbar and I get this message: "Your computer is slowing down, your internet connection is slowing down, other people may see your files, download spyware". This message gives me two options, "OK" and "Cancel", but when I try to choose one of these nothing happens. Today I got another message: "Your computer is infected with iworm attck". I have scanned with Ad-Aware and found nothing; Kaspersky found a trojan named Puper. I deleted all the registry entries and the suspicious files related to it, but my problem still exists.


Logfile of HijackThis v1.99.1
Scan saved at 3:42:25 AM, on 19/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\HPConfig.exe
C:\WINDOWS\system32\RadioSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Hewlett-Packard\HP Mobile Printing Driver\HPBMOBIL.EXE
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\eleni\Desktop\System Cleaner\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/info/homepage-o
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [HP Mobile Printing Driver] C:\Program Files\Hewlett-Packard\HP Mobile Printing Driver\HPBMOBIL.EXE
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab34120.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab35645.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_B...on.cab36385.cab
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HP RF Device Service (HpRfDev) - Hewlett-Packard - C:\WINDOWS\system32\HpRfDev.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: RadioSvr - Hewlett-Packard - C:\WINDOWS\system32\RadioSvr.exe
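The check a helper does by eye on a log like this, written out as an added example (my code, not part of the thread and not part of HijackThis): take every image under "Running processes" and see whether some R/F/O line in the same log accounts for it. Images that Windows starts without a registry autostart entry of their own (the boot and logon chain, svchost, the Automatic Updates client, the scanner itself) are whitelisted; that whitelist and the basename-only matching are assumptions of this example. The sample log is an abridged copy of the one posted above.

```python
import re
from typing import List, Set

# Abridged copy of the HijackThis log posted in the thread, used here as a
# test fixture for this example.
HJT_SAMPLE = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\HPConfig.exe
C:\WINDOWS\system32\RadioSvr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\eleni\Desktop\System Cleaner\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: RadioSvr - Hewlett-Packard - C:\WINDOWS\system32\RadioSvr.exe
"""

# Images that appear under "Running processes" without any autostart entry of
# their own: the boot/logon chain, service hosts, the Automatic Updates client
# and the scanner itself. Assumed whitelist for this example.
CORE_PROCESSES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "wuauclt.exe", "hijackthis.exe",
}

# HijackThis section lines that name a load point (R1, F2, O4, O23, ...).
LOADPOINT_RE = re.compile(r"^(?:R|F|O)\d+ - ")
# Any executable or module file name mentioned on such a line.
IMAGE_RE = re.compile(r"[\w~.\-]+\.(?:exe|dll|ocx|cpl)", re.IGNORECASE)


def running_processes(log: str) -> List[str]:
    """Return the paths listed under 'Running processes:' up to the blank line."""
    procs, inside = [], False
    for line in log.splitlines():
        if line.strip() == "Running processes:":
            inside = True
            continue
        if inside:
            if not line.strip():
                break
            procs.append(line.strip())
    return procs


def loadpoint_basenames(log: str) -> Set[str]:
    """Lower-cased file names referenced by any load-point line in the log."""
    names: Set[str] = set()
    for line in log.splitlines():
        if LOADPOINT_RE.match(line):
            names.update(m.lower() for m in IMAGE_RE.findall(line))
    return names


def unexplained_processes(log: str) -> List[str]:
    """Running images that neither the whitelist nor any load-point line explains."""
    known = loadpoint_basenames(log)
    unexplained = []
    for path in running_processes(log):
        base = path.rsplit("\\", 1)[-1].lower()
        if base not in CORE_PROCESSES and base not in known:
            unexplained.append(path.lower())
    return unexplained


if __name__ == "__main__":
    for path in unexplained_processes(HJT_SAMPLE):
        print("no load point in this log for:", path)
```

Run against the posted log this leaves exactly one image unexplained, msole32.exe, which is why the next step is a tool that enumerates more autostart locations than HijackThis prints. Matching on basename alone is deliberately loose: a file dropped elsewhere under a legitimate name (a second ctfmon.exe outside system32) would be matched by its O4 line, so compare full paths where the load-point line carries one before trusting a "clean" result.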
LoPhatPhuud
This is probably the offending program, but the log does show where it is loading from. We will look for it in a bit.

First, make sure you are using the Extended Databases with Kaspersky. They will catch a lot of adware/spyware/malware. To use them, if you are not already, open KAV and select the 'Settings' tab. Select 'Threats and Exclusions'. In the middle is a pulldown menu. Use it to select 'Extended Databases'.



Download 'Autoruns' from here:
http://www.sysinternals.com/Utilities/Autoruns.html

Unzip to a folder and then double-click autoruns.exe.

Wait until the program has finished running (the status line will show 'Ready')
Under the 'Options' menu, make sure that 'Include Empty Sections' is checked.
Wait again until ready.

Be sure the 'Everything' tab is selected.
Select 'File -> Save' and save the output file.

Copy the contents of the Autoruns text file and post its contents in this thread.
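Once the Autoruns text file is in hand, the things to look for in it are mechanical enough to script. The following is an added example of mine, not code from the thread or from Sysinternals. It parses the saved Autoruns text (tab-separated fields in the real export; a forum paste usually has the tabs collapsed to spaces, so the parser also locates the image path from its drive letter) and flags entries that sit in a rarely audited autostart key, borrow a core Windows binary name while running a different file, carry no description or publisher at all, or point at a missing file. The two watch lists are assumptions; the sample lines are copied from the Autoruns output posted in this thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Lines in the shape of an Autoruns text export, copied from the output posted
# in this thread (tabs collapsed to spaces, as in the forum paste).
AUTORUNS_SAMPLE = r"""HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ CARPService carpserv Microsoft Windows Hardware Compatibility Publisher c:\windows\system32\carpserv.exe
+ KAVPersonal50 Kaspersky Anti-Virus GUI Part (Not verified) Kaspersky Lab c:\program files\kaspersky lab\kaspersky anti-virus personal\kav.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
+ winlogon.exe c:\windows\system32\msole32.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
+ CTFMON.EXE CTF Loader Microsoft Windows Publisher c:\windows\system32\ctfmon.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
+ Display Panning CPL Extension File not found: deskpan.dll
"""

# Core Windows image names that malware borrows for its value names
# (assumed watch list for this example).
SYSTEM_NAMES = {"winlogon.exe", "svchost.exe", "lsass.exe", "csrss.exe", "services.exe",
                "smss.exe", "explorer.exe", "userinit.exe", "spoolsv.exe", "rundll32.exe"}

# Autostart keys that deserve a second look whenever anything unexpected shows
# up in them (assumed list).
WATCHED_LOCATIONS = ("policies\\explorer\\run", "winlogon\\userinit", "winlogon\\shell")

# Last 'X:\...' run on the line. A Windows path has no second colon, so this
# finds the image path even when the tabs were collapsed to spaces.
PATH_RE = re.compile(r"(?:^|(?<=\s))([a-zA-Z]:\\[^:]*)$")


@dataclass
class Entry:
    location: str
    name: str
    detail: str            # description + publisher text, whatever survived
    path: Optional[str]    # None when Autoruns printed 'File not found'


@dataclass
class Finding:
    entry: Entry
    reasons: List[str]


def parse_autoruns_text(text: str) -> List[Entry]:
    entries: List[Entry] = []
    location = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith("+ "):
            location = line               # registry key or folder heading
            continue
        body = line[2:]
        if "\t" in body:                  # genuine export: tab-separated fields
            fields = [f.strip() for f in body.split("\t")]
            name, detail, last = fields[0], " ".join(fields[1:-1]), fields[-1]
            path = None if last.startswith("File not found") else last
        elif "File not found:" in body:   # pasted variant, dangling entry
            name, detail, path = body.split()[0], body, None
        else:
            m = PATH_RE.search(body)
            if not m:
                continue                  # not an entry line we understand
            tokens = body[:m.start()].split()
            name, detail, path = tokens[0], " ".join(tokens[1:]), m.group(1).strip()
        entries.append(Entry(location, name, detail, path))
    return entries


def triage(entries: List[Entry]) -> List[Finding]:
    findings: List[Finding] = []
    for e in entries:
        reasons: List[str] = []
        if any(w in e.location.lower() for w in WATCHED_LOCATIONS):
            reasons.append("sits in a rarely audited autostart location")
        if e.path is None:
            reasons.append("image file missing (dangling entry)")
        else:
            image = e.path.lower().rsplit("\\", 1)[-1]
            if e.name.lower() in SYSTEM_NAMES and image != e.name.lower():
                reasons.append(f"named like {e.name} but runs {image}")
        if "(Not verified)" in e.detail:
            reasons.append("publisher not verified (weak on its own)")
        elif not e.detail.strip():
            reasons.append("no description or publisher at all")
        if reasons:
            findings.append(Finding(e, reasons))
    findings.sort(key=lambda f: len(f.reasons), reverse=True)   # most reasons first
    return findings


def triage_text(text: str) -> List[Finding]:
    return triage(parse_autoruns_text(text))


if __name__ == "__main__":
    for f in triage_text(AUTORUNS_SAMPLE):
        print(f.entry.path or f.entry.name, "@", f.entry.location)
        for r in f.reasons:
            print("   -", r)
```

The entry that rises to the top is the one under Policies\Explorer\Run: a value named winlogon.exe that launches msole32.exe and carries no version information, which is the combination worth chasing, whereas "(Not verified)" alone is weak evidence (the HP and Kaspersky entries in the posted output show it too). On the affected machine itself, `reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"` before and after cleanup is a quick way to confirm the value is really gone.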
infini
I have already selected extended databases in Kaspersky. As soon as I get back home, I will send the autoruns file. Thanks!
infini
Here are the contents of the autoruns.txt


HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
+ C:\WINDOWS\System32\Userinit.exe Userinit Logon Application Microsoft Windows Publisher c:\windows\system32\userinit.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
+ explorer.exe Windows Explorer Microsoft Windows Publisher c:\windows\explorer.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ CARPService carpserv Microsoft Windows Hardware Compatibility Publisher c:\windows\system32\carpserv.exe
+ HP Component Manager HP Framework Component Manager Service (Not verified) Hewlett-Packard Company c:\program files\hp\hpcoretech\hpcmpmgr.exe
+ HP Mobile Printing Driver HP Mobile Printing Driver - NT/2K/XP (Not verified) Hewlett-Packard Company c:\program files\hewlett-packard\hp mobile printing driver\hpbmobil.exe
+ KAVPersonal50 Kaspersky Anti-Virus GUI Part (Not verified) Kaspersky Lab c:\program files\kaspersky lab\kaspersky anti-virus personal\kav.exe
+ SpeedTouch USB Diagnostics SpeedTouch Statistics (Not verified) THOMSON Telecom Belgium c:\program files\thomson\speedtouch usb\dragdiag.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
+ AutoCAD Startup Accelerator.lnk AutoCAD Startup Accelerator Autodesk, Inc c:\program files\common files\autodesk shared\acstart16.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
+ winlogon.exe c:\windows\system32\msole32.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
+ CTFMON.EXE CTF Loader Microsoft Windows Publisher c:\windows\system32\ctfmon.exe
+ MSMSGS Windows Messenger Microsoft Windows Publisher c:\program files\messenger\msmsgs.exe
HKLM\System\CurrentControlSet\Services
+ AudioSrv Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Windows Publisher c:\windows\system32\svchost.exe
+ Browser Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Windows Publisher c:\windows\system32\svchost.exe
+ CryptSvc Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Windows Publisher c:\windows\system32\svchost.exe
+ DcomLaunch Provides launch functionality for DCOM services. Microsoft Windows Publisher c:\windows\system32\svchost.exe
+ Dhcp Manages network configuration by registering and updating IP addresses and DNS names. Microsoft Windows Publisher c:\windows\system32\svchost.exe
+ dmserver Detects and monitors new hard disk drives and sends disk volume information to Logical Disk Manager Administrative Service for configuration. If this service is stopped, dynamic disk status and configuration information may become out of date. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Windows Publisher c:\windows\system32\svchost.exe
+ Dnscache Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Windows Publisher c:\windows\system32\svchost.exe
+ ERSvc Allows error reporting for services and applictions running in non-standard environments. Microsoft Windows Publisher c:\windows\system32\svchost.exe
+ Eventlog Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped. Microsoft Windows Publisher c:\windows\system32\services.exe
+ helpsvc Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Windows Publisher c:\windows\system32\svchost.exe
+ HPConfig HPConfig Module (Not verified) Hewlett-Packard c:\windows\system32\hpconfig.exe
+ HpRfDev Wireless button device controller (Not verified) Hewlett-Packard c:\windows\system32\hprfdev.exe
+ Irmon Supports infrared devices installed on the computer and detects other devices that are in range. Microsoft Windows Publisher c:\windows\system32\svchost.exe
+ kavsvc Kaspersky Anti-Virus Service (Not verified) Kaspersky Lab c:\program files\kaspersky lab\kaspersky anti-virus personal\kavsvc.exe
+ lanmanserver Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Windows Publisher c:\windows\system32\svchost.exe
+ lanmanworkstation Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Windows Publisher c:\windows\system32\svchost.exe
+ LmHosts Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution. Microsoft Windows Publisher c:\windows\system32\svchost.exe
+ PlugPlay Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability. Microsoft Windows Publisher c:\windows\system32\services.exe
+ PolicyAgent Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver. Microsoft Windows Publisher c:\windows\system32\lsass.exe
+ ProtectedStorage Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users. Microsoft Windows Publisher c:\windows\system32\lsass.exe
+ RemoteRegistry Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Windows Publisher c:\windows\system32\svchost.exe
+ RpcSs Provides the endpoint mapper and other miscellaneous RPC services. Microsoft Windows Publisher c:\windows\system32\svchost.exe
+ SamSs Stores security information for local user accounts. Microsoft Windows Publisher c:\windows\system32\lsass.exe
+ Schedule Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Windows Publisher c:\windows\system32\svchost.exe
+ seclogon Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Windows Publisher c:\windows\system32\svchost.exe
+ SENS Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events. Microsoft Windows Publisher c:\windows\system32\svchost.exe
+ SharedAccess Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network. Microsoft Windows Publisher c:\windows\system32\svchost.exe
+ ShellHWDetection Generic Host Process for Win32 Services Microsoft Windows Publisher c:\windows\system32\svchost.exe
+ Spooler Loads files to memory for later printing. Microsoft Windows Publisher c:\windows\system32\spoolsv.exe
+ srservice Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties Microsoft Windows Publisher c:\windows\system32\svchost.exe
+ stisvc Provides image acquisition services for scanners and cameras. Microsoft Windows Publisher c:\windows\system32\svchost.exe
+ Themes Provides user experience theme management. Microsoft Windows Publisher c:\windows\system32\svchost.exe
+ TrkWks Maintains links between NTFS files within a computer or across computers in a network domain. Microsoft Windows Publisher c:\windows\system32\svchost.exe
+ W32Time Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Windows Publisher c:\windows\system32\svchost.exe
+ WebClient Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Windows Publisher c:\windows\system32\svchost.exe
+ winmgmt Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Windows Publisher c:\windows\system32\svchost.exe
+ wscsvc Monitors system security settings and configurations. Microsoft Windows Publisher c:\windows\system32\svchost.exe
+ wuauserv Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site. Microsoft Windows Publisher c:\windows\system32\svchost.exe
+ WZCSVC Provides automatic configuration for the 802.11 adapters Microsoft Windows Publisher c:\windows\system32\svchost.exe
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
+ Address Book 5 Outlook Express Setup Library Microsoft Windows Publisher c:\program files\outlook express\setup50.exe
+ Browser Customizations Microsoft Internet Explorer Customization DLL Microsoft Windows Publisher c:\windows\system32\iedkcs32.dll
+ CRLUpdate UPDCRL (Not verified) Microsoft Corporation c:\windows\system32\updcrl.exe
+ Internet Explorer Windows NT User Data Migration Tool Microsoft Windows Publisher c:\windows\system32\shmgrate.exe
+ Internet Explorer Windows Setup API Microsoft Windows Publisher c:\windows\system32\setupapi.dll
+ Internet Explorer 6 IE 5.0 Per-User Install Utility Microsoft Windows Publisher c:\windows\system32\ie4uinit.exe
+ Microsoft Outlook Express 6 Outlook Express Setup Library Microsoft Windows Publisher c:\program files\outlook express\setup50.exe
+ Microsoft Windows Media Player ADVPACK Microsoft Windows Publisher c:\windows\system32\advpack.dll
+ NetMeeting 3.01 ADVPACK Microsoft Windows Publisher c:\windows\system32\advpack.dll
+ Outlook Express Windows NT User Data Migration Tool Microsoft Windows Publisher c:\windows\system32\shmgrate.exe
+ Themes Setup Microsoft© Register Server Microsoft Windows Publisher c:\windows\system32\regsvr32.exe
+ Windows Desktop Update Microsoft© Register Server Microsoft Windows Publisher c:\windows\system32\regsvr32.exe
+ Windows Media Player Microsoft Windows Media Player Setup Utility Microsoft Windows Publisher c:\windows\inf\unregmp2.exe
+ Windows Messenger 4.7 ADVPACK Microsoft Windows Publisher c:\windows\system32\advpack.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
+ Browseui preloader Shell Browser UI Library Microsoft Windows Publisher c:\windows\system32\browseui.dll
+ Component Categories cache daemon Shell Browser UI Library Microsoft Windows Publisher c:\windows\system32\browseui.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
+ CDBurn Windows Shell Common Dll Microsoft Windows Publisher c:\windows\system32\shell32.dll
+ PostBootReminder Windows Shell Common Dll Microsoft Windows Publisher c:\windows\system32\shell32.dll
+ SysTray Systray shell service object Microsoft Windows Publisher c:\windows\system32\stobject.dll
+ WebCheck Web Site Monitor Microsoft Windows Publisher c:\windows\system32\webcheck.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
+ shell32.dll Windows Shell Common Dll Microsoft Windows Publisher c:\windows\system32\shell32.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
+ %DESC_PublishDropTarget% Photo Printing Wizard Microsoft Windows Publisher c:\windows\system32\photowiz.dll
+ &Address Shell Browser UI Library Microsoft Windows Publisher c:\windows\system32\browseui.dll
+ .CAB file viewer Cabinet File Viewer Shell Extension Microsoft Windows Publisher c:\windows\system32\cabview.dll
+ Accessible Shell Browser UI Library Microsoft Windows Publisher c:\windows\system32\browseui.dll
+ ActiveX Cache Folder Object Control Viewer Microsoft Windows Publisher c:\windows\system32\occache.dll
+ Address Bar Parser Shell Browser UI Library Microsoft Windows Publisher c:\windows\system32\browseui.dll
+ Address EditBox Shell Browser UI Library Microsoft Windows Publisher c:\windows\system32\browseui.dll
+ Administrative Tools Shell Doc Object and Control Library Microsoft Windows Publisher c:\windows\system32\shdocvw.dll
+ Audio Media Properties Handler Media File Property Extractor Shell Extension Microsoft Windows Publisher c:\windows\system32\shmedia.dll
+ Augmented Shell Folder Shell Browser UI Library Microsoft Windows Publisher c:\windows\system32\browseui.dll
+ Augmented Shell Folder 2 Shell Browser UI Library Microsoft Windows Publisher c:\windows\system32\browseui.dll
+ Auto Update Property Sheet Extension Automatic Updates Control Panel Microsoft Windows XP Publisher c:\windows\system32\wuaucpl.cpl
+ AutoCAD Digital Signatures Icon Overlay Handler AcSignIcon Module Autodesk, Inc c:\windows\system32\acsignicon.dll
+ Autodesk Drawing Preview AcThumbnail Module Autodesk, Inc c:\program files\common files\autodesk shared\thumbnail\acthumbnail16.dll
+ Autodesk DWF Preview AcThumbnail Module Autodesk, Inc c:\program files\common files\autodesk shared\thumbnail\acdwfthmbprxy16.dll
+ Avi Properties Handler Media File Property Extractor Shell Extension Microsoft Windows Publisher c:\windows\system32\shmedia.dll
+ BandProxy Shell Browser UI Library Microsoft Windows Publisher c:\windows\system32\browseui.dll
+ Briefcase Windows Briefcase Microsoft Windows Publisher c:\windows\system32\syncui.dll
+ CDF Extension Copy Hook Shell Doc Object and Control Library Microsoft Windows Publisher c:\windows\system32\shdocvw.dll
+ Channel File Channel Definition File Viewer Microsoft Windows Publisher c:\windows\system32\cdfview.dll
+ Channel Handler Object Channel Definition File Viewer Microsoft Windows Publisher c:\windows\system32\cdfview.dll
+ Channel Menu Channel Definition File Viewer Microsoft Windows Publisher c:\windows\system32\cdfview.dll
+ Channel Properties Channel Definition File Viewer Microsoft Windows Publisher c:\windows\system32\cdfview.dll
+ Channel Shortcut Channel Definition File Viewer Microsoft Windows Publisher c:\windows\system32\cdfview.dll
+ Code Download Agent Web Site Monitor Microsoft Windows Publisher c:\windows\system32\webcheck.dll
+ Compatibility Page Compatibility Tab Shell Extension DLL Microsoft Windows Publisher c:\windows\system32\slayerxp.dll
+ Compressed (zipped) Folder Compressed (zipped) Folders Microsoft Windows Publisher c:\windows\system32\zipfldr.dll
+ Compressed (zipped) Folder Right Drag Handler Compressed (zipped) Folders Microsoft Windows Publisher c:\windows\system32\zipfldr.dll
+ Compressed (zipped) Folder SendTo Target Compressed (zipped) Folders Microsoft Windows Publisher c:\windows\system32\zipfldr.dll
+ ConnectionAgent Web Site Monitor Microsoft Windows Publisher c:\windows\system32\webcheck.dll
+ Crypto PKO Extension Crypto Shell Extensions Microsoft Windows Publisher c:\windows\system32\cryptext.dll
+ Crypto Sign Extension Crypto Shell Extensions Microsoft Windows Publisher c:\windows\system32\cryptext.dll
+ Custom MRU AutoCompleted List Shell Browser UI Library Microsoft Windows Publisher c:\windows\system32\browseui.dll
+ Darwin App Publisher Shell Application Manager Microsoft Windows Publisher c:\windows\system32\appwiz.cpl
+ DfsShell Distributed File System shell extension Microsoft Windows Publisher c:\windows\system32\dfsshlex.dll
+ Directory Context Menu Verbs Directory Service Common UI Microsoft Windows Publisher c:\windows\system32\dsuiext.dll
+ Directory Object Find Directory Service Find Microsoft Windows Publisher c:\windows\system32\dsquery.dll
+ Directory Property UI Directory Service Common UI Microsoft Windows Publisher c:\windows\system32\dsuiext.dll
+ Directory Query UI Directory Service Find Microsoft Windows Publisher c:\windows\system32\dsquery.dll
+ Directory Start/Search Find Directory Service Find Microsoft Windows Publisher c:\windows\system32\dsquery.dll
+ Disk Copy Extension Windows DiskCopy Microsoft Windows Publisher c:\windows\system32\diskcopy.dll
+ Disk Quota UI Windows Shell Disk Quota UI DLL Microsoft Windows Publisher c:\windows\system32\dskquoui.dll
+ Display Adapter CPL Extension Advanced display adapter properties Microsoft Windows Publisher c:\windows\system32\deskadp.dll
+ Display Monitor CPL Extension Advanced display monitor properties Microsoft Windows Publisher c:\windows\system32\deskmon.dll
+ Display Panning CPL Extension File not found: deskpan.dll
+ Display TroubleShoot CPL Extension Advanced display performance properties Microsoft Windows Publisher c:\windows\system32\deskperf.dll
+ Download Status Shell Browser UI Library Microsoft Windows Publisher c:\windows\system32\browseui.dll
+ DS Security Page Directory Service Security UI Microsoft Windows Publisher c:\windows\system32\dssec.dll
+ E-mail Shell Doc Object and Control Library Microsoft Windows Publisher c:\windows\system32\shdocvw.dll
+ Explorer Band Shell Doc Object and Control Library Microsoft Windows Publisher c:\windows\system32\shdocvw.dll
+ Extensions Manager Folder Extensions Manager Microsoft Windows Publisher c:\windows\system32\extmgr.dll
+ Favorites Band Shell Doc Object and Control Library Microsoft Windows Publisher c:\windows\system32\shdocvw.dll
+ Fonts Windows Font Folder Microsoft Windows Publisher c:\windows\system32\fontext.dll
+ Fonts Shell Doc Object and Control Library Microsoft Windows Publisher c:\windows\system32\shdocvw.dll
+ For &People... Find People Microsoft Windows Publisher c:\program files\outlook express\wabfind.dll
+ FTP Folders Webview Microsoft Internet Explorer FTP Folder Shell Extension Microsoft Windows Publisher c:\windows\system32\msieftp.dll
+ Fusion Cache Microsoft .NET Runtime Execution Engine (Not verified) Microsoft Corporation c:\windows\system32\mscoree.dll
+ GDI+ file thumbnail extractor Windows Picture and Fax Viewer Microsoft Windows Publisher c:\windows\system32\shimgvw.dll
+ Get a Passport Wizard Map Network Drives/Network Places Wizard Microsoft Windows Publisher c:\windows\system32\netplwiz.dll
+ Global Folder Settings Shell Browser UI Library Microsoft Windows Publisher c:\windows\system32\browseui.dll
+ Help and Support Shell Doc Object and Control Library Microsoft Windows Publisher c:\windows\system32\shdocvw.dll
+ Help and Support Shell Doc Object and Control Library Microsoft Windows Publisher c:\windows\system32\shdocvw.dll
+ History Shell Doc Object and Control Library Microsoft Windows Publisher c:\windows\system32\shdocvw.dll
+ HP Notebook Utilities HP Notebook Utilities (Not verified) Hewlett-Packard Co. c:\program files\hewlett-packard\hp notebook utilities\hpnbcpex.dll
+ HTML Thumbnail Extractor Windows Picture and Fax Viewer Microsoft Windows Publisher c:\windows\system32\shimgvw.dll
+ HyperTerminal Icon Ext HyperTerminal Applet Library Microsoft Windows Publisher c:\windows\system32\hticons.dll
+ ICC Profile Microsoft Color Matching System User Interface DLL Microsoft Windows Publisher c:\windows\system32\icmui.dll
+ ICM Monitor Management Microsoft Color Matching System User Interface DLL Microsoft Windows Publisher c:\windows\system32\icmui.dll
+ ICM Printer Management Microsoft Color Matching System User Interface DLL Microsoft Windows Publisher c:\windows\system32\icmui.dll
+ ICM Scanner Management Microsoft Color Matching System User Interface DLL Microsoft Windows Publisher c:\windows\system32\icmui.dll
+ IE4 Suite Splash Screen Shell Doc Object and Control Library Microsoft Windows Publisher c:\windows\system32\shdocvw.dll
+ In-pane search Shell Browser UI Library Microsoft Windows Publisher c:\windows\system32\browseui.dll
+ Installed Apps Enumerator Shell Application Manager Microsoft Windows Publisher c:\windows\system32\appwiz.cpl
+ Internet Shell Doc Object and Control Library Microsoft Windows Publisher c:\windows\system32\shdocvw.dll
+ Internet Name Space Shell Doc Object and Control Library Microsoft Windows Publisher c:\windows\system32\shdocvw.dll
+ InternetShortcut Shell Doc Object and Control Library Microsoft Windows Publisher c:\windows\system32\shdocvw.dll
+ ISFBand OC Shell Doc Object and Control Library Microsoft Windows Publisher c:\windows\system32\shdocvw.dll
+ Microsoft Agent Character Property Sheet Handler Microsoft Agent Property Sheet Handler Microsoft Windows Publisher c:\windows\msagent\agentpsh.dll
+ Microsoft AutoComplete Shell Browser UI Library Microsoft Windows Publisher c:\windows\system32\browseui.dll
+ Microsoft Browser Architecture Shell Doc Object and Control Library Microsoft Windows Publisher c:\windows\system32\shdocvw.dll
+ Microsoft BrowserBand Shell Browser UI Library Microsoft Windows Publisher c:\windows\system32\browseui.dll
+ Microsoft Data Link Microsoft Data Access - OLE DB Core Services Microsoft Windows Publisher c:\program files\common files\system\ole db\oledb32.dll
+ Microsoft DocProp Inplace Calendar Control Microsoft DocProp Shell Ext Microsoft Windows Publisher c:\windows\system32\docprop2.dll
+ Microsoft DocProp Inplace Droplist Combo Control Microsoft DocProp Shell Ext Microsoft Windows Publisher c:\windows\system32\docprop2.dll
+ Microsoft DocProp Inplace Edit Box Control Microsoft DocProp Shell Ext Microsoft Windows Publisher c:\windows\system32\docprop2.dll
+ Microsoft DocProp Inplace ML Edit Box Control Microsoft DocProp Shell Ext Microsoft Windows Publisher c:\windows\system32\docprop2.dll
+ Microsoft DocProp Inplace Time Control Microsoft DocProp Shell Ext Microsoft Windows Publisher c:\windows\system32\docprop2.dll
+ Microsoft DocProp Shell Ext Microsoft DocProp Shell Ext Microsoft Windows Publisher c:\windows\system32\docprop2.dll
+ Microsoft History AutoComplete List Shell Browser UI Library Microsoft Windows Publisher c:\windows\system32\browseui.dll
+ Microsoft Internet Toolbar Shell Browser UI Library Microsoft Windows Publisher c:\windows\system32\browseui.dll
+ Microsoft Multiple AutoComplete List Container Shell Browser UI Library Microsoft Windows Publisher c:\windows\system32\browseui.dll
+ Microsoft Office HTML Icon Handler Microsoft Office 2003 component Microsoft Corporation c:\program files\microsoft office\office11\msohev.dll
+ Microsoft Office Outlook Custom Icon Handler Outlook Shell Hook for Start/Find Microsoft Corporation c:\program files\microsoft office\office11\olkfstub.dll
+ Microsoft Office Outlook Desktop Icon Handler Microsoft Shell Extension Library Microsoft Corporation c:\program files\microsoft office\office11\mlshext.dll
+ Microsoft Shell Folder AutoComplete List Shell Browser UI Library Microsoft Windows Publisher c:\windows\system32\browseui.dll
+ Microsoft Url History Service Shell Doc Object and Control Library Microsoft Windows Publisher c:\windows\system32\shdocvw.dll
+ Microsoft Url Search Hook Shell Doc Object and Control Library Microsoft Windows Publisher c:\windows\system32\shdocvw.dll
+ Midi Properties Handler Media File Property Extractor Shell Extension Microsoft Windows Publisher c:\windows\system32\shmedia.dll
+ MMC Icon Handler MMC Shell Extension DLL Microsoft Windows Publisher c:\windows\system32\mmcshext.dll
+ MRU AutoComplete List Shell Browser UI Library Microsoft Windows Publisher c:\windows\system32\browseui.dll
+ Multimedia File Property Sheet Control Panel Drivers Applet Microsoft Windows Publisher c:\windows\system32\mmsys.cpl
+ MyDocs Copy Hook My Documents Folder UI Microsoft Windows Publisher c:\windows\system32\mydocs.dll
+ MyDocs Drop Target My Documents Folder UI Microsoft Windows Publisher c:\windows\system32\mydocs.dll
+ MyDocs Properties My Documents Folder UI Microsoft Windows Publisher c:\windows\system32\mydocs.dll
+ Network Connections Network Connections Shell Microsoft Windows Publisher c:\windows\system32\netshell.dll
+ Network Connections Network Connections Shell Microsoft Windows Publisher c:\windows\system32\netshell.dll
+ NTFS Security Page Security Shell Extension Microsoft Windows Publisher c:\windows\system32\rshx32.dll
+ Offline Files Folder Client Side Caching UI Microsoft Windows Publisher c:\windows\system32\cscui.dll
+ Offline Files Folder Options Client Side Caching UI Microsoft Windows Publisher c:\windows\system32\cscui.dll
+ Offline Files Menu Client Side Caching UI Microsoft Windows Publisher c:\windows\system32\cscui.dll
+ OLE Docfile Property Page OLE DocFile Property Page Microsoft Windows Publisher c:\windows\system32\docprop.dll
+ PlusPack CPL Extension Windows Theme API Microsoft Windows Publisher c:\windows\system32\themeui.dll
+ PostAgent Web Site Monitor Microsoft Windows Publisher c:\windows\system32\webcheck.dll
+ Previous Versions Previous Versions property page Microsoft Windows Publisher c:\windows\system32\twext.dll
+ Previous Versions Property Page Previous Versions property page Microsoft Windows Publisher c:\windows\system32\twext.dll
+ Print Ordering via the Web Map Network Drives/Network Places Wizard Microsoft Windows Publisher c:\windows\system32\netplwiz.dll
+ Printers Security Page Security Shell Extension Microsoft Windows Publisher c:\windows\system32\rshx32.dll
+ Registry Tree Options Utility Shell Browser UI Library Microsoft Windows Publisher c:\windows\system32\browseui.dll
+ Remote Sessions CPL Extension Remote Sessions CPL Extension Microsoft Windows Publisher c:\windows\system32\remotepg.dll
+ Run... Shell Doc Object and Control Library Microsoft Windows Publisher c:\windows\system32\shdocvw.dll
+ Scanners & Cameras Imaging Devices Shell Folder UI Microsoft Windows Publisher c:\windows\system32\wiashext.dll
+ Scanners & Cameras Imaging Devices Shell Folder UI Microsoft Windows Publisher c:\windows\system32\wiashext.dll
+ Scanners & Cameras Imaging Devices Shell Folder UI Microsoft Windows Publisher c:\windows\system32\wiashext.dll
+ Scanners & Cameras Imaging Devices Shell Folder UI Microsoft Windows Publisher c:\windows\system32\wiashext.dll
+ Scanners & Cameras Imaging Devices Shell Folder UI Microsoft Windows Publisher c:\windows\system32\wiashext.dll
+ Scheduled Tasks Task Scheduler interface DLL Microsoft Windows Publisher c:\windows\system32\mstask.dll
+ Search Shell Doc Object and Control Library Microsoft Windows Publisher c:\windows\system32\shdocvw.dll
+ Search Assistant OC Shell Doc Object and Control Library Microsoft Windows Publisher c:\windows\system32\shdocvw.dll
+ Search Band Shell Browser UI Library Microsoft Windows Publisher c:\windows\system32\browseui.dll
+ Sendmail service Send Mail Microsoft Windows Publisher c:\windows\system32\sendmail.dll
+ Sendmail service Send Mail Microsoft Windows Publisher c:\windows\system32\sendmail.dll
+ Set Program Access and Defaults Shell Doc Object and Control Library Microsoft Windows Publisher c:\windows\system32\shdocvw.dll
+ Shell Application Manager Shell Application Manager Microsoft Windows Publisher c:\windows\system32\appwiz.cpl
+ Shell Automation Inproc Service Shell Doc Object and Control Library Microsoft Windows Publisher c:\windows\system32\shdocvw.dll
+ Shell Band Site Menu Shell Browser UI Library Microsoft Windows Publisher c:\windows\system32\browseui.dll
+ Shell DeskBar Shell Browser UI Library Microsoft Windows Publisher c:\windows\system32\browseui.dll
+ Shell DeskBarApp Shell Browser UI Library Microsoft Windows Publisher c:\windows\system32\browseui.dll
+ Shell DocObject Viewer Shell Doc Object and Control Library Microsoft Windows Publisher c:\windows\system32\shdocvw.dll
+ Shell extensions for Microsoft Windows Network objects Network object shell UI Microsoft Windows Publisher c:\windows\system32\ntlanui2.dll
+ Shell extensions for sharing Shell extensions for sharing Microsoft Windows Publisher c:\windows\system32\ntshrui.dll
+ Shell extensions for sharing Shell extensions for sharing Microsoft Windows Publisher c:\windows\system32\ntshrui.dll
+ Shell extensions for Windows Script Host Microsoft ® Shell Extension for Windows Script Host Microsoft Windows Publisher c:\windows\system32\wshext.dll
+ Shell Image Data Factory Windows Picture and Fax Viewer Microsoft Windows Publisher c:\windows\system32\shimgvw.dll
+ Shell Image Property Handler Windows Picture and Fax Viewer Microsoft Windows Publisher c:\windows\system32\shimgvw.dll
+ Shell Image Verbs Windows Picture and Fax Viewer Microsoft Windows Publisher c:\windows\system32\shimgvw.dll
+ Shell properties for a DS object Directory Service Find Microsoft Windows Publisher c:\windows\system32\dsquery.dll
+ Shell Publishing Wizard Object Map Network Drives/Network Places Wizard Microsoft Windows Publisher c:\windows\system32\netplwiz.dll
+ Shell Rebar BandSite Shell Browser UI Library Microsoft Windows Publisher c:\windows\system32\browseui.dll
+ Shell Scrap DataHandler Shell scrap object handler Microsoft Windows Publisher c:\windows\system32\shscrap.dll
+ Subscription Folder Web Site Monitor Microsoft Windows Publisher c:\windows\system32\webcheck.dll
+ Subscription Mgr Web Site Monitor Microsoft Windows Publisher c:\windows\system32\webcheck.dll
+ Summary Info Thumbnail handler (DOCFILES) Windows Picture and Fax Viewer Microsoft Windows Publisher c:\windows\system32\shimgvw.dll
+ Taskbar and Start Menu Windows Shell Common Dll Microsoft Windows Publisher c:\windows\system32\shell32.dll
+ Tasks Folder Icon Handler Task Scheduler interface DLL Microsoft Windows Publisher c:\windows\system32\mstask.dll
+ Tasks Folder Shell Extension Task Scheduler interface DLL Microsoft Windows Publisher c:\windows\system32\mstask.dll
+ Temporary Internet Files Shell Doc Object and Control Library Microsoft Windows Publisher c:\windows\system32\shdocvw.dll
+ Temporary Internet Files Shell Doc Object and Control Library Microsoft Windows Publisher c:\windows\system32\shdocvw.dll
+ The Internet Shell Doc Object and Control Library Microsoft Windows Publisher c:\windows\system32\shdocvw.dll
+ Track Popup Bar Shell Browser UI Library Microsoft Windows Publisher c:\windows\system32\browseui.dll
+ TrayAgent Web Site Monitor Microsoft Windows Publisher c:\windows\system32\webcheck.dll
+ TridentImageExtractor Shell Browser UI Library Microsoft Windows Publisher c:\windows\system32\browseui.dll
+ User Accounts Map Network Drives/Network Places Wizard Microsoft Windows Publisher c:\windows\system32\netplwiz.dll
+ User Assist Shell Browser UI Library Microsoft Windows Publisher c:\windows\system32\browseui.dll
+ Video Media Properties Handler Media File Property Extractor Shell Extension Microsoft Windows Publisher c:\windows\system32\shmedia.dll
+ Video Thumbnail Extractor Media File Property Extractor Shell Extension Microsoft Windows Publisher c:\windows\system32\shmedia.dll
+ Wav Properties Handler Media File Property Extractor Shell Extension Microsoft Windows Publisher c:\windows\system32\shmedia.dll
+ Web Folders Microsoft Web Folders Microsoft Corporation c:\program files\common files\microsoft shared\web folders\msonsext.dll
+ Web Printer Shell Extension Print UI DLL Microsoft Windows Publisher c:\windows\system32\printui.dll
+ Web Publishing Wizard Map Network Drives/Network Places Wizard Microsoft Windows Publisher c:\windows\system32\netplwiz.dll
+ Web Search Shell Browser UI Library Microsoft Windows Publisher c:\windows\system32\browseui.dll
+ WebCheck Web Site Monitor Microsoft Windows Publisher c:\windows\system32\webcheck.dll
+ WebCheck SyncMgr Handler Web Site Monitor Microsoft Windows Publisher c:\windows\system32\webcheck.dll
+ WebCheckChannelAgent Web Site Monitor Microsoft Windows Publisher c:\windows\system32\webcheck.dll
+ WebCheckWebCrawler Web Site Monitor Microsoft Windows Publisher c:\windows\system32\webcheck.dll
+ Windows Media Player Add to Playlist Context Menu Handler Windows Media Player Launcher Microsoft Windows Publisher c:\windows\system32\wmpshell.dll
+ Windows Media Player Burn Audio CD Context Menu Handler Windows Media Player Launcher Microsoft Windows Publisher c:\windows\system32\wmpshell.dll
+ Windows Media Player Play as Playlist Context Menu Handler Windows Media Player Launcher Microsoft Windows Publisher c:\windows\system32\wmpshell.dll
+ {506F4668-F13E-4AA1-BB04-B43203AB3CC0} Microsoft Corporation c:\program files\microsoft office\visio11\visshe.dll
+ {D66DC78C-4F61-447F-942B-3FB6980118CF} Microsoft Corporation c:\program files\microsoft office\visio11\visshe.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
+ AcroIEHlprObj Class AcroIEHelper Module Adobe Systems, Incorporated c:\program files\adobe\acrobat 5.0\reader\activex\acroiehelper.ocx
HKLM\Software\Microsoft\Internet Explorer\Extensions
+ Windows Messenger Windows Messenger Microsoft Windows Publisher c:\program files\messenger\msmsgs.exe
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
+ autocheck autochk * Auto Check Utility Microsoft Windows Publisher c:\windows\system32\autochk.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
+ Your Image File Name Here without a path Symbolic Debugger for Windows 2000 Microsoft Windows Publisher c:\windows\system32\ntsd.exe
HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
+ advapi32 Advanced Windows 32 Base API Microsoft Windows Publisher c:\windows\system32\advapi32.dll
+ comdlg32 Common Dialogs DLL Microsoft Windows Publisher c:\windows\system32\comdlg32.dll
+ DllDirectory c:\windows\system32
+ gdi32 GDI Client DLL Microsoft Windows Publisher c:\windows\system32\gdi32.dll
+ imagehlp Windows NT Image Helper Microsoft Windows Publisher c:\windows\system32\imagehlp.dll
+ kernel32 Windows NT BASE API Client DLL Microsoft Windows Publisher c:\windows\system32\kernel32.dll
+ lz32 LZ Expand/Compress API DLL Microsoft Windows Publisher c:\windows\system32\lz32.dll
+ ole32 Microsoft OLE for Windows Microsoft Windows Publisher c:\windows\system32\ole32.dll
+ oleaut32 Microsoft Windows Publisher c:\windows\system32\oleaut32.dll
+ olecli32 Object Linking and Embedding Client Library Microsoft Windows Publisher c:\windows\system32\olecli32.dll
+ olecnv32 Microsoft OLE for Windows Microsoft Windows Publisher c:\windows\system32\olecnv32.dll
+ olesvr32 Object Linking and Embedding Server Library Microsoft Windows Publisher c:\windows\system32\olesvr32.dll
+ olethk32 Microsoft OLE for Windows Microsoft Windows Publisher c:\windows\system32\olethk32.dll
+ rpcrt4 Remote Procedure Call Runtime Microsoft Windows Publisher c:\windows\system32\rpcrt4.dll
+ shell32 Windows Shell Common Dll Microsoft Windows Publisher c:\windows\system32\shell32.dll
+ url Internet Shortcut Shell Extension DLL Microsoft Windows Publisher c:\windows\system32\url.dll
+ urlmon OLE32 Extensions for Win32 Microsoft Windows Publisher c:\windows\system32\urlmon.dll
+ user32 Windows XP USER API Client DLL Microsoft Windows Publisher c:\windows\system32\user32.dll
+ version Version Checking and File Installation Libraries Microsoft Windows Publisher c:\windows\system32\version.dll
+ wininet Internet Extensions for Win32 Microsoft Windows Publisher c:\windows\system32\wininet.dll
+ wldap32 Win32 LDAP API DLL Microsoft Windows Publisher c:\windows\system32\wldap32.dll
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
+ cscdll Offline Network Agent Microsoft Windows Publisher c:\windows\system32\cscdll.dll
+ ScCertProp Common DLL to receive Winlogon notifications Microsoft Windows Publisher c:\windows\system32\wlnotify.dll
+ Schedule Common DLL to receive Winlogon notifications Microsoft Windows Publisher c:\windows\system32\wlnotify.dll
+ SensLogn Common DLL to receive Winlogon notifications Microsoft Windows Publisher c:\windows\system32\wlnotify.dll
+ termsrv Common DLL to receive Winlogon notifications Microsoft Windows Publisher c:\windows\system32\wlnotify.dll
+ wlballoon Common DLL to receive Winlogon notifications Microsoft Windows Publisher c:\windows\system32\wlnotify.dll
HKCU\Control Panel\Desktop\Scrnsave.exe
+ C:\WINDOWS\system32\logon.scr Logon Screen Saver Microsoft Windows Publisher c:\windows\system32\logon.scr
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9
+ MSAFD Irda [IrDA] Microsoft Windows Sockets 2.0 Service Provider Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{0DC937D6-AC0A-4F50-941E-5E5BB5B06142}] DATAGRAM 1 Microsoft Windows Sockets 2.0 Service Provider Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{0DC937D6-AC0A-4F50-941E-5E5BB5B06142}] SEQPACKET 1 Microsoft Windows Sockets 2.0 Service Provider Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{427B96F5-498D-4A3A-9137-4C56938EFC4D}] DATAGRAM 2 Microsoft Windows Sockets 2.0 Service Provider Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{427B96F5-498D-4A3A-9137-4C56938EFC4D}] SEQPACKET 2 Microsoft Windows Sockets 2.0 Service Provider Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{57594CD5-4CD8-4BED-8131-2B085D995C21}] DATAGRAM 4 Microsoft Windows Sockets 2.0 Service Provider Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{57594CD5-4CD8-4BED-8131-2B085D995C21}] SEQPACKET 4 Microsoft Windows Sockets 2.0 Service Provider Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{64F8E283-2536-4031-8805-F1C1C2CCDF9D}] DATAGRAM 0 Microsoft Windows Sockets 2.0 Service Provider Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{64F8E283-2536-4031-8805-F1C1C2CCDF9D}] SEQPACKET 0 Microsoft Windows Sockets 2.0 Service Provider Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{8411DCC7-EB12-4FF1-8E32-AF437F3B3A38}] DATAGRAM 6 Microsoft Windows Sockets 2.0 Service Provider Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{8411DCC7-EB12-4FF1-8E32-AF437F3B3A38}] SEQPACKET 6 Microsoft Windows Sockets 2.0 Service Provider Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{C9CC7081-621A-430E-BEB8-98DE48203B9D}] DATAGRAM 3 Microsoft Windows Sockets 2.0 Service Provider Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{C9CC7081-621A-430E-BEB8-98DE48203B9D}] SEQPACKET 3 Microsoft Windows Sockets 2.0 Service Provider Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD Tcpip [RAW/IP] Microsoft Windows Sockets 2.0 Service Provider Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD Tcpip [TCP/IP] Microsoft Windows Sockets 2.0 Service Provider Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD Tcpip [UDP/IP] Microsoft Windows Sockets 2.0 Service Provider Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ RSVP TCP Service Provider Microsoft Windows Rsvp 1.0 Service Provider Microsoft Windows Publisher c:\windows\system32\rsvpsp.dll
+ RSVP UDP Service Provider Microsoft Windows Rsvp 1.0 Service Provider Microsoft Windows Publisher c:\windows\system32\rsvpsp.dll
LoPhatPhuud
First:
Launch Notepad, and copy/paste the text in the box below into a new text file.
Save it on your Desktop as fixme.reg

CODE
REGEDIT4

; Deletes the "winlogon.exe" value from the Explorer Policies\Run key.
; The trailing "=-" is how a .reg file removes a value instead of setting it.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"winlogon.exe"=-

Locate fixme.reg on your Desktop and double-click on it.

You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer 'Yes' and wait for a message to appear similar to "Merged Successfully".


Second:
Reboot in Safe Mode* and run HiJackThis. <-- IMPORTANT

Check the following items in HijackThis.
(note: If any R* items do not appear in Safe Mode, re-run HiJackThis in Normal Mode and remove them after you finish removing these items.)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

Close all windows except HijackThis and click Fix checked.


While still in Safe Mode*, delete the following: (you may need to show hidden files**)
(Files specified without a full path will be located in C:\Windows\ or C:\Windows\System32\)
C:\WINDOWS\system32\msole32.exe

*How to Boot into Safe mode: http://service1.symantec.com/SUPPORT/tsgen...001052409420406
**Show Hidden and System files and folders: http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Also, uncheck the boxes for hiding known file extensions and hiding protected operating system files. We want to see it all. When we finish here, it would be a good idea to rehide the protected operating system files but leave the rest to be shown.

Reboot in normal mode

Run HiJackThis again and post a new log in this thread.
infini
What do you mean by writing "R* items"?
LoPhatPhuud
In the event I specified R0, R1, etc., items for removal in Safe Mode and they do not appear, you can try again in Normal mode after finishing the current step(s).

Since there are no R* items specified in my instructions, you can ignore this instruction, at this time.
infini
Sorry for replying so late, I was away and I didn't have access to the PC. Here is the new HijackThis log.


Logfile of HijackThis v1.99.1
Scan saved at 7:51:08 πμ, on 28/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\HPConfig.exe
C:\WINDOWS\system32\RadioSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Hewlett-Packard\HP Mobile Printing Driver\HPBMOBIL.EXE
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\eleni\Desktop\System Cleaner\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/info/homepage-o
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [HP Mobile Printing Driver] C:\Program Files\Hewlett-Packard\HP Mobile Printing Driver\HPBMOBIL.EXE
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/games/clients/y/at1_x.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab34120.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab35645.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_B...on.cab36385.cab
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HP RF Device Service (HpRfDev) - Hewlett-Packard - C:\WINDOWS\system32\HpRfDev.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: RadioSvr - Hewlett-Packard - C:\WINDOWS\system32\RadioSvr.exe
LoPhatPhuud
That last log was clean.

Are there any issues?
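Added example, not from the thread and not HijackThis's own code: a small Python triage script for the HijackThis 1.99 log format posted above. It encodes the checks the helper applied by hand in the instructions and when calling the 28/9 log clean: an O2 BHO whose path is "(no file)", an O4 autorun under the Explorer Policies\Run key (the key fixme.reg cleaned), an O4 value named after a core Windows binary such as winlogon.exe, and a UserInit value that has grown extra entries; it also diffs the running-process lists of two logs. The "before" snippet is constructed: its O2 line is the one infini was told to fix, but the Policies\Explorer\Run line is made up in HJT's format because the thread never shows the original entry. The "after" snippet is an excerpt of the 28/9 log. The regexes, the default UserInit path and the list of core binary names are this example's own assumptions.

```python
"""Triage checks for a HijackThis 1.99 log (added example; not part of the thread)."""
import re
from dataclasses import dataclass, field

# Every HJT finding starts with a section code: "R1 - ...", "O4 - ...", "O23 - ...".
ITEM_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: .*? - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
USERINIT_RE = re.compile(r"^REG:system\.ini: UserInit=(?P<value>.*)$", re.IGNORECASE)
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"  # assumed XP default; adjust per system

# Names malware borrows for autorun values; this list is the example's own assumption.
CORE_BINARIES = {"winlogon.exe", "userinit.exe", "csrss.exe", "lsass.exe",
                 "services.exe", "smss.exe", "svchost.exe", "explorer.exe"}


@dataclass
class HjtLog:
    processes: list = field(default_factory=list)
    items: list = field(default_factory=list)  # (section code, rest of line)


def parse_log(text):
    """Split an HJT log into its running-process block and its coded items."""
    log, in_procs = HjtLog(), False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if not line:
            in_procs = False  # the process block ends at the first blank line
            continue
        if in_procs:
            log.processes.append(line)
            continue
        m = ITEM_RE.match(line)
        if m:
            log.items.append((m["code"], m["body"]))
    return log


def triage(log):
    """Return (item, reason) pairs worth a closer look; an empty list means nothing fired."""
    findings = []
    for code, body in log.items:
        item = f"{code} - {body}"
        if code == "O2":
            m = BHO_RE.match(body)
            if m and m["path"].strip().lower() == "(no file)":
                findings.append((item, "orphaned BHO: CLSID registered but no file on disk"))
        elif code == "O4":
            m = RUN_RE.match(body)
            if not m:
                continue  # Global Startup entries and the like
            if "policies\\explorer\\run" in m["key"].lower():
                findings.append((item, "autorun under the Explorer Policies key (rarely legitimate)"))
            if m["name"].lower() in CORE_BINARIES:
                findings.append((item, "Run value named after a core Windows binary"))
        elif code == "F2":
            m = USERINIT_RE.match(body)
            if m:
                parts = [p.strip().lower() for p in m["value"].split(",") if p.strip()]
                if parts != [DEFAULT_USERINIT]:
                    findings.append((item, "UserInit is not the lone default entry"))
    return findings


def process_diff(before, after):
    """Processes that vanished and that appeared between two logs (case-insensitive)."""
    b = {p.lower(): p for p in before.processes}
    a = {p.lower(): p for p in after.processes}
    return sorted(b[k] for k in b.keys() - a.keys()), sorted(a[k] for k in a.keys() - b.keys())


# Constructed "before" excerpt. The O2 line is the one the instructions flagged; the
# Policies\Explorer\Run line is invented in HJT's format (the thread never shows it).
BEFORE_LOG = r"""
Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\msole32.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Policies\Explorer\Run: [winlogon.exe] C:\WINDOWS\system32\msole32.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
"""

# Excerpt of the 28/9 log from the thread, the one declared clean.
AFTER_LOG = r"""
Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
"""

if __name__ == "__main__":
    before, after = parse_log(BEFORE_LOG), parse_log(AFTER_LOG)
    for item, reason in triage(before):
        print(f"[before] {reason}: {item}")
    print("[after] findings:", triage(after))
    print("[diff] gone/new:", process_diff(before, after))
```

The checks are deliberately narrow: they reproduce what the helper looked for in this thread rather than a full autorun audit, and a legitimate but unusually named Run value will still trip the core-binary rule, so treat the output as a list of items to verify on disk, not as a verdict.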