Leftover problems


21 replies to this topic

#1 synth (Member, Full Member, 12 posts)

Posted 23 July 2006 - 04:16 AM

Hi

A while ago I had a trojan infect my system but managed to get rid of it with some great help.
There are still some problems left over however. My desktop has been replaced by "C:\Desktop", I have no right-click on the desktop that is in use and, although the menu comes up, if I try to use any of the options in the right-click for things such as 'My Computer' I get no response. Does anyone know how I can repair these problems? I have posted a hijack this log below if it helps.
Thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 11:10:52, on 23/07/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adaptec\SMBE\afaagent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Adaptec\SMBE\iomgr.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Adaptec\SMBE\arcpd.exe
C:\Program Files\Adaptec\SMBE\notify.exe
C:\Program Files\RAM Idle\RAM_XP.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Muiltmedia keyboard utility\1.3\KbdAp32A.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9YE.EXE
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Desktop\DESKTOP\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [RAM Idle Professional] C:\Program Files\RAM Idle\RAM_XP.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Muiltmedia keyboard utility\1.3\MMKEYBD.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9YE.EXE /P23 "EPSON Stylus Photo R800" /O6 "USB001" /M "Stylus Photo R800"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [D-Link AirPremier AG Utility] C:\Program Files\D-Link\AirPremier AG Utility\AirPMCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: PartMetBackup.lnk = C:\Program Files\Java\j2re1.4.2_04\bin\javaw.exe
O4 - Startup: winupdate56163252[1].exe
O4 - Global Startup: MacName.lnk.disabled
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSN Messenger\msgrapp.dll" (file missing)
O23 - Service: Adaptec RAID Remote Services Agent (AAC_AGENT) - Adaptec, Inc. - C:\Program Files\Adaptec\SMBE\afaagent.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Adaptec Web Server (ARCPD) - Unknown owner - C:\Program Files\Adaptec\SMBE\arcpd.exe
O23 - Service: Adaptec Storage Manager Notifier (ASMBENotify) - Unknown owner - C:\Program Files\Adaptec\SMBE\notify.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Adaptec I/O Manager Server (IOManager) - Unknown owner - C:\Program Files\Adaptec\SMBE\iomgr.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe

#2 SWI Support Robot (Helper robot, SWI Bot, 23,533 posts)

Posted 25 July 2006 - 05:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please post a link to your log in Not getting help with your log?.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 jw50 (Forum Deity, Retired Staff, 18,969 posts)

Posted 29 July 2006 - 08:30 PM

Download haxfix.exe and save it to your desktop.
  • Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files\haxfix)
  • Checkmark "Create a desktop icon"
  • Click "Next"
  • When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed
  • Click "Finish"
A red "dos window" (dos box) will open with options:
1. Make logfile
2. Run auto fix
3. Run manual fix
E. Exit Haxfix
  • Select option 1. Make logfile by typing 1 and then pressing Enter
  • Haxfix will start scanning the computer. When it is finished a logfile will open: haxlog.txt
  • Copy the contents of that logfile and paste it into this thread. (c:\haxfix.txt)


#4 synth (Member, Full Member, 12 posts)

Posted 30 July 2006 - 07:22 AM

Thanks jw50

Here's the log file:

HAXFIX logfile - by Marckie
______________
version 4.01
30/07/2006 14:21:21.50
running from: C:\Program Files\HaxFix

checking for haxdoor
--------------------
checking for a3d files....
a3d files not found

checking for matching notify keys....
no matching notify keys found

checking for matching services....
matching services found
ASPI32

checking for matching safeboot services....
no matching safeboot services found


Checking for goldun
-------------------
checking for notify keys....
no notify keys found

checking for services....
no services found


Finished

#5 jw50 (Forum Deity, Retired Staff, 18,969 posts)

Posted 30 July 2006 - 03:22 PM

Hi synth,

First, download HSFix from here
After it is downloaded, create a new folder on your desktop called "HSFix" and extract all the files into the newly created folder.

Run Ewido and check for updates, after you update it close Ewido.

Go to Add/Remove Programs on the Control Panel and remove all versions of Java that are older than J2SE Runtime Environment 5.0 Update 6. After the fixes are done you can download the latest version of Java from here:
http://www.java.com/...load/manual.jsp


Boot into safe mode: Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Run HijackThis and place a check beside this item:
O4 - Startup: winupdate56163252[1].exe

Close all browsers and windows, except for HijackThis, then click on the Fix Checked button on HijackThis.

Locate the HSFix folder on your desktop, open it, and double-click "hsfix.bat"
A log will be produced which you can close out of.

Run a full system scan with Ewido.

Reboot in Normal mode.


Please download SilentRunners from here:
http://www.silentrun...ent Runners.vbs
Save it to the desktop and double-click on it. If you get any kind of warning message about scripts, please choose to allow the script to run. When the scan is finished, it will create a logfile on the desktop. Please post the entire contents of this logfile for me to see.

Run HijackThis and post a new log along with the HSFix log and the SilentRunners log.

#6 synth (Member, Full Member, 12 posts)

Posted 01 August 2006 - 10:01 PM

Ok, things didn't go quite as planned (do they ever? :rolleyes: )
After the Java removal the comp was blue screening for 24hrs, but it's mysteriously back again now.
I followed your instructions, but the SilentRunners script just kept giving me an error:
[screenshot of the SilentRunners error message; image not preserved]

Anyway, I ran HijackThis again, here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 04:53:11, on 02/08/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adaptec\SMBE\afaagent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Adaptec\SMBE\iomgr.exe
C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Adaptec\SMBE\arcpd.exe
C:\Program Files\Adaptec\SMBE\notify.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\RAM Idle\RAM_XP.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Muiltmedia keyboard utility\1.3\KbdAp32A.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9YE.EXE
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Desktop\DESKTOP\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [RAM Idle Professional] C:\Program Files\RAM Idle\RAM_XP.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Muiltmedia keyboard utility\1.3\MMKEYBD.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9YE.EXE /P23 "EPSON Stylus Photo R800" /O6 "USB001" /M "Stylus Photo R800"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [D-Link AirPremier AG Utility] C:\Program Files\D-Link\AirPremier AG Utility\AirPMCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: PartMetBackup.lnk = C:\Program Files\Java\j2re1.4.2_04\bin\javaw.exe
O4 - Global Startup: MacName.lnk.disabled
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSN Messenger\msgrapp.dll" (file missing)
O23 - Service: Adaptec RAID Remote Services Agent (AAC_AGENT) - Adaptec, Inc. - C:\Program Files\Adaptec\SMBE\afaagent.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Adaptec Web Server (ARCPD) - Unknown owner - C:\Program Files\Adaptec\SMBE\arcpd.exe
O23 - Service: Adaptec Storage Manager Notifier (ASMBENotify) - Unknown owner - C:\Program Files\Adaptec\SMBE\notify.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Adaptec I/O Manager Server (IOManager) - Unknown owner - C:\Program Files\Adaptec\SMBE\iomgr.exe
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya7.0\docs\Wrapper.conf (file missing)
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe


And here's the HSFix log:


Horseserver Removal Tool v1.05
by Atri
-
-
1. Registry Fix Started
-
Registry fix complete
-
2. Deleted Services
-
-
3. Finding files Located on system
-
-
4. Deleting files that were found.
-
-
5. Checking for and Removing Winupdate
-
-
-
(note: I had to run it again as I forgot to save it after the winupdate removal. That one showed winupdate removed.)

Thanks.

#7 jw50 (Forum Deity, Retired Staff, 18,969 posts)

Posted 02 August 2006 - 03:11 PM

Hi synth,

Run HijackThis and place a check beside this item:
O4 - Startup: PartMetBackup.lnk = C:\Program Files\Java\j2re1.4.2_04\bin\javaw.exe

Close all browsers and windows, except for HijackThis, then click on the Fix Checked button on HijackThis.

Reboot your computer.

Run HijackThis and post a new log.
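An added example, not from this thread or from the HijackThis/HSFix authors, of the triage behind the two O4 fixes jw50 asked for in posts #5 and #7: a small Python checker over HijackThis-format lines that flags a bare .exe dropped in a Startup folder (winupdate56163252[1].exe), a Startup shortcut whose target is a generic launcher such as javaw.exe (PartMetBackup.lnk), and any entry marked "(file missing)". The sample lines are constructed from entries in this thread, and the heuristics and the GENERIC_LAUNCHERS list are assumptions for this example, not HijackThis rules.

```python
import re
from dataclasses import dataclass
from typing import List

# Runtimes that reveal nothing about the real payload when they are the target
# of a Startup shortcut: the shortcut name is then the only visible clue.
# Assumed list for this example, not a HijackThis rule.
GENERIC_LAUNCHERS = {"javaw.exe", "java.exe", "rundll32.exe",
                     "wscript.exe", "cscript.exe", "cmd.exe"}

# Constructed sample in HijackThis v1.99.1 format, modelled on entries from
# this thread (a handful of lines, not a full log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: PartMetBackup.lnk = C:\Program Files\Java\j2re1.4.2_04\bin\javaw.exe
O4 - Startup: winupdate56163252[1].exe
O4 - Global Startup: MacName.lnk.disabled
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSN Messenger\msgrapp.dll" (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
# "Startup: <file>" or "Startup: <shortcut>.lnk = <target>", with optional "Global " prefix
STARTUP_RE = re.compile(r"^(?:Global )?Startup: (.+?)(?: = (.+))?$")
# "HKLM\..\Run: [<value name>] <command line>"
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run: \[([^\]]+)\] (.+)$")


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    item: str      # entry name or file exactly as it appears in the log
    reason: str


def target_exe(command: str) -> str:
    """Lower-cased executable name from a command line, ignoring quotes,
    directories and arguments: '"C:\\..\\qttask.exe" -atboottime' -> 'qttask.exe'."""
    m = re.search(r'([^\\/"]+?\.exe)', command, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def triage(log_text: str) -> List[Finding]:
    """Walk HijackThis log lines and return the entries worth a second look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # header, blank or process-list line
        section, body = m.groups()
        if body.endswith("(file missing)"):
            findings.append(Finding(section, body.split(" - ")[0],
                                    "references a file that no longer exists (orphaned entry)"))
            continue
        if section != "O4":
            continue
        s = STARTUP_RE.match(body)
        if s:
            item, target = s.group(1), s.group(2)
            low = item.lower()
            if low.endswith(".disabled"):
                continue                  # already neutralised, nothing runs
            if not low.endswith(".lnk"):
                reason = "executable placed directly in a Startup folder instead of a shortcut"
                if re.search(r"\[\d+\]\.exe$", low):
                    reason += "; the [n] suffix matches how Internet Explorer names cached downloads"
                findings.append(Finding(section, item, reason))
            elif target and target_exe(target) in GENERIC_LAUNCHERS:
                findings.append(Finding(section, item,
                    f"shortcut name hides what runs: target is the generic launcher {target_exe(target)}"))
            continue
        r = RUN_RE.match(body)
        if r and target_exe(r.group(2)) in GENERIC_LAUNCHERS:
            findings.append(Finding(section, r.group(1),
                f"Run value starts the generic launcher {target_exe(r.group(2))}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:>4}  {f.item!r}: {f.reason}")
```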

#8 synth (Member, Full Member, 12 posts)

Posted 12 August 2006 - 01:21 PM

Sorry - been away.
Ok, here's the new log...

Logfile of HijackThis v1.99.1
Scan saved at 20:19:50, on 12/08/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adaptec\SMBE\afaagent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Adaptec\SMBE\iomgr.exe
C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
C:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Adaptec\SMBE\arcpd.exe
C:\Program Files\Adaptec\SMBE\notify.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\RAM Idle\RAM_XP.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9YE.EXE
C:\Program Files\Muiltmedia keyboard utility\1.3\KbdAp32A.exe
C:\Program Files\D-Link\AirPremier AG Utility\AirPMCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Desktop\DESKTOP\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [RAM Idle Professional] C:\Program Files\RAM Idle\RAM_XP.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Muiltmedia keyboard utility\1.3\MMKEYBD.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9YE.EXE /P23 "EPSON Stylus Photo R800" /O6 "USB001" /M "Stylus Photo R800"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [D-Link AirPremier AG Utility] C:\Program Files\D-Link\AirPremier AG Utility\AirPMCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: MacName.lnk.disabled
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSN Messenger\msgrapp.dll" (file missing)
O23 - Service: Adaptec RAID Remote Services Agent (AAC_AGENT) - Adaptec, Inc. - C:\Program Files\Adaptec\SMBE\afaagent.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Adaptec Web Server (ARCPD) - Unknown owner - C:\Program Files\Adaptec\SMBE\arcpd.exe
O23 - Service: Adaptec Storage Manager Notifier (ASMBENotify) - Unknown owner - C:\Program Files\Adaptec\SMBE\notify.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Adaptec I/O Manager Server (IOManager) - Unknown owner - C:\Program Files\Adaptec\SMBE\iomgr.exe
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya7.0\docs\Wrapper.conf (file missing)
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe

#9 jw50 (Forum Deity, Retired Staff, 18,969 posts)

Posted 12 August 2006 - 08:16 PM

Hi synth,

Your log looks fine now :thumbsup:

Are you still having any problems?


These are some recommendations that will significantly decrease the chances that you will have problems with malware in the future:

1) Regularly go to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. You should also turn on the Windows automatic update feature.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

Windows Defender

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Keeping these programs up-to-date and running them regularly can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.o...oducts/firefox/

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

5) Finally, consider maintaining a firewall. A good free firewall is ZoneAlarm.
A tutorial on understanding and using firewalls may be found here.

Please also read Tony Klein's excellent article: So how did I get infected in the first place?

#10 synth (Member, Full Member, 12 posts)

Posted 14 August 2006 - 06:14 AM

jw50 wrote:
    Hi synth,
    Your log looks fine now :thumbsup:
    Are you still having any problems?


Thanks jw, but I still have the wrong desktop in use and I still have the right-click problem. i.e. if I right-click on a shortcut or if I right-click My Computer and select Properties nothing happens.

Thanks for the advice - all good. I've been an advocator of Firefox for a few years and have had most of the security progs you list for a while now! Although I use Kerio Personal Firewall & AVG. I got infected because I was running some tests for a remote server connection problem and had the firewall & antivirus off for about 5mins(!)

Any idea on sorting the problems still there? Or shall I just reinstall Windows?

#11 jw50 (Forum Deity, Retired Staff, 18,969 posts)

Posted 14 August 2006 - 02:37 PM

Hi synth,

You will not need to reinstall Windows, we will get those problems fixed.


Please download SilentRunners from here:
http://www.silentrun...ent Runners.vbs
Save it to the desktop and double-click on it. If you get any kind of warning message about scripts, please choose to allow the script to run. When the scan is finished, it will create a logfile on the desktop. Please post the entire contents of this logfile for me to see.

#12 synth (Member, Full Member, 12 posts)

Posted 15 August 2006 - 07:33 AM

Kudos for the determination jw! :cool:

Here's the log file from SilentRunners:

"Silent Runners.vbs", revision 46, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"RAM Idle Professional" = "C:\Program Files\RAM Idle\RAM_XP.exe" [null data]
"SmcService" = "C:\PROGRA~1\Sygate\SPF\smc.exe -startgui" ["Sygate Technologies, Inc."]
"FLMK08KB" = "C:\Program Files\Muiltmedia keyboard utility\1.3\MMKEYBD.EXE" [empty string]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"AVG7_EMC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]
"RegistryMechanic" = (empty string)
"EPSON Stylus Photo R800" = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9YE.EXE /P23 "EPSON Stylus Photo R800" /O6 "USB001" /M "Stylus Photo R800"" ["SEIKO EPSON CORPORATION"]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"D-Link AirPremier AG Utility" = "C:\Program Files\D-Link\AirPremier AG Utility\AirPMCFG.exe" ["D-Link"]
"ANIWZCS2Service" = "C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" ["Alpha Networks Inc."]
"REGSHAVE" = "C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN" ["FUJI PHOTO FILM CO., LTD."]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{26923b43-4d38-484f-9b9e-de460746276c}\(Default) = "Internet Explorer"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE" [MS]
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]
{8b15971b-5355-4c82-8c07-7e181ea07608}\(Default) = "Fax"
\StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.UnInstall.PerUser" [MS]
{94de52c8-2d59-4f1b-883e-79663d2d9a8c}\(Default) = "Fax Provider"
\StubPath = "rundll32.exe C:\WINDOWS\System32\Setup\FxsOcm.dll,XP_UninstallProvider" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}\(Default) = (no title provided)
-> {HKLM...CLSID} = "PCTools Site Guard"
\InProcServer32\(Default) = "C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll" ["PC Tools"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
{B56A7D7D-6927-48C8-A975-17DF180C71AC}\(Default) = (no title provided)
-> {HKLM...CLSID} = "PCTools Browser Monitor"
\InProcServer32\(Default) = "C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll" ["PC Tools"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{68B60101-A3FD-11CE-B193-00400143068B}" = "MacOpener ShellExtension Format Menu"
-> {HKLM...CLSID} = "MacOpener ShellExtension Format Menu"
\InProcServer32\(Default) = "C:\Program Files\MacOpener\MACOPEN.DLL" ["DataViz Inc."]
"{68B60201-A3FD-11CE-B193-00400143068B}" = "MacOpener ShellExtension Common Property Sheet"
-> {HKLM...CLSID} = "MacOpener ShellExtension Common Property Sheet"
\InProcServer32\(Default) = "C:\Program Files\MacOpener\MACOPEN.DLL" ["DataViz Inc."]
"{20082881-FC36-4E47-9A7A-644C95FF749F}" = "IntelliPoint Wireless Control Panel Property Page"
-> {HKLM...CLSID} = "Wireless Property Page"
\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliPoint\ipcplwir.dll"" [MS]
"{AF90F543-6A3A-4C1B-8B16-ECEC073E69BE}" = "IntelliPoint Wheel Control Panel Property Page"
-> {HKLM...CLSID} = "Wheel Property Page"
\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliPoint\ipcplwhl.dll"" [MS]
"{653DCCC2-13DB-45B2-A389-427885776CFE}" = "IntelliPoint Activities Control Panel Property Page"
-> {HKLM...CLSID} = "Activities Property Page"
\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliPoint\ipcplact.dll"" [MS]
"{124597D8-850A-41AE-849C-017A4FA99CA2}" = "IntelliPoint Buttons Control Panel Property Page"
-> {HKLM...CLSID} = "Buttons Property Page"
\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliPoint\ipcplbtn.dll"" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{AC0B5D2E-B691-4E12-A4F9-CA88492579A2}" = "Zinio Shell Extension"
-> {HKLM...CLSID} = "Zinio Magazine"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Zinio\ZSHExt.dll" ["Zinio Systems, Inc."]
"{A9AACA72-1C51-4F84-804D-90EDBA0D58F4}" = "Zinio Magazine Column Provider"
-> {HKLM...CLSID} = "MyMagazinesColumn Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Zinio\ZSHExt.dll" ["Zinio Systems, Inc."]
"{091D66CD-24B7-4210-A790-78463B1B3D7A}" = "Zinio Shell Extension UI Object"
-> {HKLM...CLSID} = "UIObject Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Zinio\ZSHExt.dll" ["Zinio Systems, Inc."]
"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {HKLM...CLSID} = "AVG7 Find Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {HKLM...CLSID} = "Portable Media Devices"
\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
"{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}" = "PowerISO"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "C:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
"{AB77609F-2178-4E6F-9C4B-44AC179D937A}" = "a² Context Menu Shell Extension"
-> {HKLM...CLSID} = "a² Context Menu Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\A-SQUA~1\A2CONT~1.DLL" [null data]
"{2C537739-793D-4214-9CF6-1371C4F1B1EB}" = "DSShellExtension"
-> {HKLM...CLSID} = "DSShellExtension Class"
\InProcServer32\(Default) = "C:\Program Files\Deskshare\Digital Media Converter\DSShellExtHandler.dll" ["DeskShare"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{A9AACA72-1C51-4F84-804D-90EDBA0D58F4}\(Default) = "Zinio Magazine Column Provider"
-> {HKLM...CLSID} = "MyMagazinesColumn Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Zinio\ZSHExt.dll" ["Zinio Systems, Inc."]
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "C:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
StuffIt Compress Menu\(Default) = "{3FBFD0B0-EB46-4797-9101-615610E87DA6}"
-> {HKLM...CLSID} = "StuffIt Compress Menu"
\InProcServer32\(Default) = "C:\Program Files\Allume Systems\StuffIt\CompressMenu.dll" ["Allume Systems, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
WS_FTP\(Default) = "{797F3885-5429-11D4-8823-0050DA59922B}"
-> {HKLM...CLSID} = "RtClkCtxMenu Class"
\InProcServer32\(Default) = "C:\Program Files\WS_FTP\wsftpsi.dll" ["Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington, MA 02421"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "C:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
a2ContMenu\(Default) = "{AB77609F-2178-4E6F-9C4B-44AC179D937A}"
-> {HKLM...CLSID} = "a² Context Menu Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\A-SQUA~1\A2CONT~1.DLL" [null data]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
FineReader\(Default) = "{AC0DD14A-8F29-4F88-BE1D-0F0ED1B06C9F}"
-> {HKLM...CLSID} = "FineReaderExplorerContextMenuHandler"
\InProcServer32\(Default) = "C:\Program Files\ABBYY\FineReader 6.0\FECMenu.dll" ["ABBYY (BIT Software)"]
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "C:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
StuffIt Compress Menu\(Default) = "{3FBFD0B0-EB46-4797-9101-615610E87DA6}"
-> {HKLM...CLSID} = "StuffIt Compress Menu"
\InProcServer32\(Default) = "C:\Program Files\Allume Systems\StuffIt\CompressMenu.dll" ["Allume Systems, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
WS_FTP\(Default) = "{797F3885-5429-11D4-8823-0050DA59922B}"
-> {HKLM...CLSID} = "RtClkCtxMenu Class"
\InProcServer32\(Default) = "C:\Program Files\WS_FTP\wsftpsi.dll" ["Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington, MA 02421"]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


I can see a few things in there I should clean up, but nothing related to the problem. Thanks jw.

Edited by synth, 15 August 2006 - 07:37 AM.


#13 jw50

jw50

    Forum Deity

  • Retired Staff
  • 18,969 posts

Posted 15 August 2006 - 02:40 PM

Hi synth,

You stopped SilentRunners before it had completed its scan. Would you please run it again and wait until it completes the scan this time.


Also try these fixes for the desktop:

Click on Start, Control Panel, Display. Click on the Desktop tab, then click on the Customize Desktop button. In the Desktop Items window click on the Web tab. Uncheck and then delete all entries under Web pages. Click on OK to close the windows.



If that one doesn't work try this:

Open a new notepad window and paste the following text into it

REGEDIT4

[-HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Policies\System]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]

Then change the "save as type" to "all files" and save it as unlock.reg

Double click on the file, and click yes when it asks you if you want to merge the information with the registry.

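A .reg file merged by double-clicking runs with no preview, so it is worth knowing exactly what a file like the unlock.reg above will do before merging it. The following is an added example, not code from the thread or from any tool mentioned in it: a small dry-run reader for the REGEDIT4 and "Windows Registry Editor Version 5.00" text formats that lists every key deletion, key creation, value deletion and value assignment the file contains. The first sample is the unlock.reg text from the post; the second is a constructed file that exercises the value syntax (`"Name"=-` removes one value, `dword:` sets one) using the documented Explorer policy value names NoDesktop and NoViewContextMenu, which do not appear on this page.

```python
"""Dry-run reader for .reg files: lists what merging the file would change.

Added example, not from the thread.  Handles the REGEDIT4 and
"Windows Registry Editor Version 5.00" text formats, including hex data
continued over several lines with a trailing backslash.
"""
import re
from dataclasses import dataclass

# Constructed sample: the unlock.reg text from the post above.  Deleting a
# key with [-KEY] removes every value and subkey beneath it.
UNLOCK_REG = r"""REGEDIT4

[-HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Policies\System]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"""

# Constructed sample showing value syntax.  NoDesktop and NoViewContextMenu
# are documented Explorer policy values; they are not taken from the thread.
VALUES_REG = r"""Windows Registry Editor Version 5.00

; comment lines are ignored
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDesktop"=-
"NoViewContextMenu"=dword:00000000
"""

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
HIVES = {"HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT",
         "HKEY_USERS", "HKEY_CURRENT_CONFIG"}
# "Name"=data  or  @=data  (the @ form addresses the key's default value)
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


@dataclass
class RegOp:
    action: str        # add_key | delete_key | set_value | delete_value
    key: str
    name: str = ""     # value name, "@" for the default value
    data: str = ""     # raw data text as written in the file


def _normalise_key(key):
    """Upper-case the hive (regedit is case-insensitive) and reject unknown hives."""
    hive, sep, rest = key.partition("\\")
    hive = hive.upper()
    if hive not in HIVES:
        raise ValueError(f"unknown hive in key: {key}")
    return hive + sep + rest


def parse_reg(text):
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("missing REGEDIT4 / Registry Editor 5.00 header")
    ops, current, pending = [], None, None
    for raw in lines[1:]:
        line = raw.strip()
        if pending is not None:            # continuation of a hex value
            line, pending = pending + line, None
        if not line or line.startswith(";"):
            continue
        if line.endswith("\\"):            # hex data continued on next line
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            body = line[1:-1]
            delete = body.startswith("-")
            current = _normalise_key(body[1:] if delete else body)
            ops.append(RegOp("delete_key" if delete else "add_key", current))
            continue
        if current is None:
            raise ValueError(f"value line before any [key] line: {line}")
        m = VALUE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line}")
        name = m.group(1) if m.group(1) is not None else "@"
        data = m.group(3).strip()
        if data == "-":
            ops.append(RegOp("delete_value", current, name))
        else:
            ops.append(RegOp("set_value", current, name, data))
    return ops


def summarise(ops):
    """One readable line per operation; whole-key deletions are listed first
    because they are the operations that most deserve a second look."""
    order = {"delete_key": 0, "delete_value": 1, "add_key": 2, "set_value": 3}
    out = []
    for op in sorted(ops, key=lambda o: order[o.action]):
        if op.action == "delete_key":
            out.append(f"DELETE KEY   {op.key}  (and everything under it)")
        elif op.action == "add_key":
            out.append(f"create key   {op.key}")
        elif op.action == "delete_value":
            out.append(f"delete value {op.key}\\{op.name}")
        else:
            out.append(f"set value    {op.key}\\{op.name} = {op.data}")
    return out


if __name__ == "__main__":
    for sample in (UNLOCK_REG, VALUES_REG):
        print("\n".join(summarise(parse_reg(sample))), end="\n\n")
```

Run it on a file with `parse_reg(open("unlock.reg").read())` and read the `summarise` output; for the post's unlock.reg it shows two whole-key deletions under Policies\System and nothing else, which is exactly what a lock-down cleanup should look like.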
#14 synth

synth

    Member

  • Full Member
  • 12 posts

Posted 16 August 2006 - 05:39 PM

Did the registry change.
Here's the latest SilentRunners log:

"Silent Runners.vbs", revision 46, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"RAM Idle Professional" = "C:\Program Files\RAM Idle\RAM_XP.exe" [null data]
"SmcService" = "C:\PROGRA~1\Sygate\SPF\smc.exe -startgui" ["Sygate Technologies, Inc."]
"FLMK08KB" = "C:\Program Files\Muiltmedia keyboard utility\1.3\MMKEYBD.EXE" [empty string]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"AVG7_EMC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]
"RegistryMechanic" = (empty string)
"EPSON Stylus Photo R800" = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9YE.EXE /P23 "EPSON Stylus Photo R800" /O6 "USB001" /M "Stylus Photo R800"" ["SEIKO EPSON CORPORATION"]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"D-Link AirPremier AG Utility" = "C:\Program Files\D-Link\AirPremier AG Utility\AirPMCFG.exe" ["D-Link"]
"ANIWZCS2Service" = "C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" ["Alpha Networks Inc."]
"REGSHAVE" = "C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN" ["FUJI PHOTO FILM CO., LTD."]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{26923b43-4d38-484f-9b9e-de460746276c}\(Default) = "Internet Explorer"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE" [MS]
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]
{8b15971b-5355-4c82-8c07-7e181ea07608}\(Default) = "Fax"
\StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.UnInstall.PerUser" [MS]
{94de52c8-2d59-4f1b-883e-79663d2d9a8c}\(Default) = "Fax Provider"
\StubPath = "rundll32.exe C:\WINDOWS\System32\Setup\FxsOcm.dll,XP_UninstallProvider" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}\(Default) = (no title provided)
-> {HKLM...CLSID} = "PCTools Site Guard"
\InProcServer32\(Default) = "C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll" ["PC Tools"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
{B56A7D7D-6927-48C8-A975-17DF180C71AC}\(Default) = (no title provided)
-> {HKLM...CLSID} = "PCTools Browser Monitor"
\InProcServer32\(Default) = "C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll" ["PC Tools"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{68B60101-A3FD-11CE-B193-00400143068B}" = "MacOpener ShellExtension Format Menu"
-> {HKLM...CLSID} = "MacOpener ShellExtension Format Menu"
\InProcServer32\(Default) = "C:\Program Files\MacOpener\MACOPEN.DLL" ["DataViz Inc."]
"{68B60201-A3FD-11CE-B193-00400143068B}" = "MacOpener ShellExtension Common Property Sheet"
-> {HKLM...CLSID} = "MacOpener ShellExtension Common Property Sheet"
\InProcServer32\(Default) = "C:\Program Files\MacOpener\MACOPEN.DLL" ["DataViz Inc."]
"{20082881-FC36-4E47-9A7A-644C95FF749F}" = "IntelliPoint Wireless Control Panel Property Page"
-> {HKLM...CLSID} = "Wireless Property Page"
\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliPoint\ipcplwir.dll"" [MS]
"{AF90F543-6A3A-4C1B-8B16-ECEC073E69BE}" = "IntelliPoint Wheel Control Panel Property Page"
-> {HKLM...CLSID} = "Wheel Property Page"
\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliPoint\ipcplwhl.dll"" [MS]
"{653DCCC2-13DB-45B2-A389-427885776CFE}" = "IntelliPoint Activities Control Panel Property Page"
-> {HKLM...CLSID} = "Activities Property Page"
\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliPoint\ipcplact.dll"" [MS]
"{124597D8-850A-41AE-849C-017A4FA99CA2}" = "IntelliPoint Buttons Control Panel Property Page"
-> {HKLM...CLSID} = "Buttons Property Page"
\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliPoint\ipcplbtn.dll"" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{AC0B5D2E-B691-4E12-A4F9-CA88492579A2}" = "Zinio Shell Extension"
-> {HKLM...CLSID} = "Zinio Magazine"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Zinio\ZSHExt.dll" ["Zinio Systems, Inc."]
"{A9AACA72-1C51-4F84-804D-90EDBA0D58F4}" = "Zinio Magazine Column Provider"
-> {HKLM...CLSID} = "MyMagazinesColumn Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Zinio\ZSHExt.dll" ["Zinio Systems, Inc."]
"{091D66CD-24B7-4210-A790-78463B1B3D7A}" = "Zinio Shell Extension UI Object"
-> {HKLM...CLSID} = "UIObject Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Zinio\ZSHExt.dll" ["Zinio Systems, Inc."]
"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {HKLM...CLSID} = "AVG7 Find Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {HKLM...CLSID} = "Portable Media Devices"
\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
"{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}" = "PowerISO"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "C:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
"{AB77609F-2178-4E6F-9C4B-44AC179D937A}" = "a² Context Menu Shell Extension"
-> {HKLM...CLSID} = "a² Context Menu Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\A-SQUA~1\A2CONT~1.DLL" [null data]
"{2C537739-793D-4214-9CF6-1371C4F1B1EB}" = "DSShellExtension"
-> {HKLM...CLSID} = "DSShellExtension Class"
\InProcServer32\(Default) = "C:\Program Files\Deskshare\Digital Media Converter\DSShellExtHandler.dll" ["DeskShare"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{A9AACA72-1C51-4F84-804D-90EDBA0D58F4}\(Default) = "Zinio Magazine Column Provider"
-> {HKLM...CLSID} = "MyMagazinesColumn Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Zinio\ZSHExt.dll" ["Zinio Systems, Inc."]
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "C:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
StuffIt Compress Menu\(Default) = "{3FBFD0B0-EB46-4797-9101-615610E87DA6}"
-> {HKLM...CLSID} = "StuffIt Compress Menu"
\InProcServer32\(Default) = "C:\Program Files\Allume Systems\StuffIt\CompressMenu.dll" ["Allume Systems, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
WS_FTP\(Default) = "{797F3885-5429-11D4-8823-0050DA59922B}"
-> {HKLM...CLSID} = "RtClkCtxMenu Class"
\InProcServer32\(Default) = "C:\Program Files\WS_FTP\wsftpsi.dll" ["Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington, MA 02421"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "C:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
a2ContMenu\(Default) = "{AB77609F-2178-4E6F-9C4B-44AC179D937A}"
-> {HKLM...CLSID} = "a² Context Menu Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\A-SQUA~1\A2CONT~1.DLL" [null data]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
FineReader\(Default) = "{AC0DD14A-8F29-4F88-BE1D-0F0ED1B06C9F}"
-> {HKLM...CLSID} = "FineReaderExplorerContextMenuHandler"
\InProcServer32\(Default) = "C:\Program Files\ABBYY\FineReader 6.0\FECMenu.dll" ["ABBYY (BIT Software)"]
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "C:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
StuffIt Compress Menu\(Default) = "{3FBFD0B0-EB46-4797-9101-615610E87DA6}"
-> {HKLM...CLSID} = "StuffIt Compress Menu"
\InProcServer32\(Default) = "C:\Program Files\Allume Systems\StuffIt\CompressMenu.dll" ["Allume Systems, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
WS_FTP\(Default) = "{797F3885-5429-11D4-8823-0050DA59922B}"
-> {HKLM...CLSID} = "RtClkCtxMenu Class"
\InProcServer32\(Default) = "C:\Program Files\WS_FTP\wsftpsi.dll" ["Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington, MA 02421"]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Startup items in "Steve O'Connor" & "All Users" startup folders:
----------------------------------------------------------------

C:\Documents and Settings\Steve O'Connor\Start Menu\Programs\Startup
"Adobe Gamma" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
INFECTION WARNING! "MacName.lnk.disabled" [null data]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 19
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Real.com"
\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

{2D663D1A-8670-49D9-A1A5-4C56B4E14E84}\
"ButtonText" = "Spyware Doctor"
"CLSIDExtension" = "{A1EDC4A1-940F-48E0-8DFD-E38F1D501021}"
-> {HKLM...CLSID} = "PCTools Browser Monitor"
\InProcServer32\(Default) = "C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll" ["PC Tools"]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{E19ADC6E-3909-43E4-9A89-B7B676377EE3}\
"ButtonText" = "SWF Catcher"
"MenuText" = "Sothink SWF Catcher"
"Script" = "C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm" [null data]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Messenger"
"Exec" = "C:\Program Files\Messenger\MSMSGS.EXE" [MS]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

Missing lines (compared with English-language version):
[Strings]: 1 line


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Adaptec I/O Manager Server, IOManager, "C:\Program Files\Adaptec\SMBE\iomgr.exe" [null data]
Adaptec RAID Remote Services Agent, AAC_AGENT, "C:\Program Files\Adaptec\SMBE\afaagent.exe" ["Adaptec, Inc."]
Adaptec Storage Manager Notifier, ASMBENotify, "C:\Program Files\Adaptec\SMBE\notify.exe" [null data]
Adaptec Web Server, ARCPD, "C:\Program Files\Adaptec\SMBE\arcpd.exe" [null data]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido anti-malware\ewidoctrl.exe" ["ewido networks"]
Maya 7.0 Documentation Server, maya70docserver, ""C:\Program Files\Alias\Maya7.0\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya7.0\docs\Wrapper.conf"" [null data]
PC Tools Spyware Doctor, SDhelper, "C:\Program Files\Spyware Doctor\sdhelp.exe" ["PC Tools Research Pty Ltd"]
Sygate Personal Firewall, SmcService, "C:\Program Files\Sygate\SPF\smc.exe" ["Sygate Technologies, Inc."]
TabletService, TabletService, "C:\WINDOWS\System32\Tablet.exe" ["Wacom Technology, Corp."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
EPSON Stylus Photo R800 2KMonitor5E\Driver = "E_FLM9YE.DLL" ["SEIKO EPSON CORPORATION"]
EPSON V6 2KMonitor\Driver = "EBPMON24.DLL" ["SEIKO EPSON CORPORATION"]
PDF Port\Driver = "C:\WINDOWS\System32\pdfports.dll" ["Adobe Systems Incorporated."]
PDF-XChange\Driver = "C:\WINDOWS\System32\pxc25pm.dll" ["Tracker Software"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 98 seconds, including 7 seconds for message boxes)

#15 jw50

jw50

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 18,969 posts

Posted 17 August 2006 - 07:39 PM

Hi synth,

SilentRunners looks fine, did the registry fix take care of the desktop problem?

Is the only remaining problem the right click?

If it is, try the fix on line 203 of this webpage:

http://www.kellys-ko...m/xp_tweaks.htm

#16 synth

synth

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 20 August 2006 - 03:38 AM

Well that fixed the right-click! Nice one :thumbsup:

It's still using C:/Desktop though... :scratchhead:

#17 jw50

jw50

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 18,969 posts

Posted 21 August 2006 - 02:39 PM

Hi synth,

Can you provide me with more information on exactly what you mean by your desktop has been replaced by "C:\Desktop"?

Are you able to make any changes to the desktop?

#18 synth

synth

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 21 August 2006 - 04:56 PM

The computer is using an alternate desktop source (C:/Desktop - that IS wrong, right?) where, before you provided the right-click fix, I couldn't do anything. If I drop a shortcut, file or folder on the desktop, TWO copies appear. If I delete one, the other stays until I reboot - it can't be deleted.

#19 jw50

jw50

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 18,969 posts

Posted 27 August 2006 - 02:41 PM

Hi synth,

I haven't been able to find anything on how to fix this problem. I am going to ask some of the experts here if they have any suggestions and will let you know if they do.

#20 jw50

jw50

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 18,969 posts

Posted 27 August 2006 - 05:54 PM

Hi synth,

Try checking this website:

http://www.kellys-ko...ell_folders.htm

Using regedit check the desktop location in these two registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders and \Shell Folders

If the location in one or both of these keys is C:\Desktop, you can edit the key to change the location back to the appropriate location; the website will tell you what the default locations are.

If you are not sure how to make the necessary changes let me know and I will provide you more detailed instructions.

#21 synth

synth

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 06 September 2006 - 01:23 AM

Thanks jw50, that worked - to a degree!

My own, personal desktop has been restored to the proper place, but the 'All Users' desktop still points to C:/Desktop. I can't get it to change in normal or safe mode.
Maybe it can be done by booting to the command prompt? Or do you think if I took the drive out, put it in a caddy and hooked it up to my laptop, that I could edit the drive registry without having to boot up the desktop?

#22 jw50

jw50

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 18,969 posts

Posted 07 September 2006 - 02:27 PM

Use regedit to go to this location and do the same thing you did previously; this should fix the All Users desktop:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders or \Shell Folders

Member of UNITE
Support SpywareInfo Forum
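The two posts above (#20 and #22) tell synth to open regedit and compare the Desktop entries under `User Shell Folders` and `Shell Folders` in HKCU and HKLM against the defaults. The following PowerShell script is an added example that does that comparison from the shell and, with `-Repair`, writes the defaults back; it is not code from the thread or from any tool mentioned in it. It assumes a PowerShell that exposes the `HKCU:` and `HKLM:` drives, and it uses the actual value names Windows stores: the per-user entry is `Desktop`, while the "All Users" entry under HKLM is named `Common Desktop`. The shared default is `%ALLUSERSPROFILE%\Desktop` on Windows XP and `%PUBLIC%\Desktop` on Vista and later; the script guesses which applies from whether `%PUBLIC%` is set, which is an assumption you can override with the `-CommonDesktop` parameter.

```powershell
# Added example, not part of the forum thread: audit (and optionally repair)
# the Desktop shell-folder registry values jw50 tells synth to check in regedit.
# Run it as the affected user; the HKLM part needs an elevated prompt.
[CmdletBinding()]
param(
    [switch]$Repair,   # without -Repair the script only reports

    # Per-user default; the same on every Windows version.
    [string]$UserDesktop = '%USERPROFILE%\Desktop',

    # "All Users" default: %ALLUSERSPROFILE%\Desktop on XP, %PUBLIC%\Desktop on
    # Vista and later. Assumption: %PUBLIC% being set is enough to tell them apart.
    [string]$CommonDesktop = $(if ($env:PUBLIC) { '%PUBLIC%\Desktop' } else { '%ALLUSERSPROFILE%\Desktop' })
)

$base = 'Software\Microsoft\Windows\CurrentVersion\Explorer'

# One entry per registry value the thread points at. "User Shell Folders" holds
# the authoritative REG_EXPAND_SZ template; "Shell Folders" is the already
# expanded REG_SZ copy that Explorer rebuilds from it.
$checks = @(
    @{ Path = "HKCU:\$base\User Shell Folders"; Name = 'Desktop'
       Expected = $UserDesktop;   Kind = 'ExpandString' },
    @{ Path = "HKCU:\$base\Shell Folders";      Name = 'Desktop'
       Expected = [Environment]::ExpandEnvironmentVariables($UserDesktop);   Kind = 'String' },
    @{ Path = "HKLM:\$base\User Shell Folders"; Name = 'Common Desktop'
       Expected = $CommonDesktop; Kind = 'ExpandString' },
    @{ Path = "HKLM:\$base\Shell Folders";      Name = 'Common Desktop'
       Expected = [Environment]::ExpandEnvironmentVariables($CommonDesktop); Kind = 'String' }
)

foreach ($c in $checks) {
    $key = Get-Item -Path $c.Path -ErrorAction SilentlyContinue
    if (-not $key) { Write-Warning "Key missing: $($c.Path)"; continue }

    # Read the value WITHOUT expanding %VARS%, so a hijacked literal path such as
    # C:\Desktop is reported exactly as stored rather than after expansion.
    $raw = $key.GetValue($c.Name, $null, 'DoNotExpandEnvironmentNames')

    $status = if ($null -eq $raw)          { 'MISSING' }
              elseif ($raw -eq $c.Expected) { 'OK' }
              else                          { 'DIFFERS' }

    # Emit one row per value; pipe the script into Format-Table for a report.
    [pscustomobject]@{
        Key      = $c.Path
        Name     = $c.Name
        Stored   = $raw
        Expected = $c.Expected
        Status   = $status
    }

    if ($Repair -and $status -ne 'OK') {
        try {
            # Write the default back with the correct value type (REG_EXPAND_SZ
            # for the template key, REG_SZ for the cached copy).
            Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Expected -Type $c.Kind -ErrorAction Stop
            Write-Host "Repaired '$($c.Name)' under $($c.Path)"
        } catch {
            # Typically an access-denied on HKLM from a non-elevated prompt.
            Write-Warning "Could not write $($c.Path)\$($c.Name): $($_.Exception.Message)"
        }
    }
}
```

Run it once without `-Repair` to see which of the four values still points at `C:\Desktop`, then with `-Repair` from an elevated prompt and log off or reboot so Explorer re-reads the keys, just as the thread's regedit route requires. When the per-user and the All Users entries both resolve to the same folder, Explorer merges the two and shows each item twice, which is a plausible reason for the duplicate icons synth describes in post #18; once the two values point at different folders again the duplicates should disappear.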