Please help get rid of smitfraud remnants



Millslord
2006-12-14, 10:16
Hi there,

Yesterday I was infected with Virusbursters - used smitfraudfix and got rid of pop-ups and other annoying stuff. However, when I logged back into Windows under normal mode from safe mode, I found it impossible to change the desktop background, which is now blank following my use of the smitfraudfix utility. I right click on desktop, click on properties, the Display box comes up, I click on desktop and when attempting to click on a desirable wallpaper the whole thing disappears!

I would value your help with this. Thx in advance.

Mr_JAk3
2006-12-14, 14:17
Hi Millslord and welcome to Safer Networking Forums :)

Please post a HijackThis log here: Click here (http://downloads.malwareremoval.com/HijackThis.exe) to download HijackThis.exe
Save HijackThis.exe to your desktop.
Create a new folder named HijackThis to your desktop. Move Hijackthis.exe into that folder.
Run HijackThis.exe
Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
Click Save to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

Millslord
2006-12-15, 10:25
Hi Mr_JAk3,

Thx for your reply. May I add that I tried smitfraudfix under normal mode in Windows; it fixes the problem described above but only temporarily, since when I restart the same problem occurs. I also used smitrem under Win Safe mode. Below is the log file as requested.

Logfile of HijackThis v1.99.1
Scan saved at 11:22:07 πμ, on 15/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\UpsPilot\Winpower.exe
C:\Program Files\UpsPilot\jre\bin\javaw.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\UpsPilot\monitor.exe
C:\Program Files\UpsPilot\jre\bin\javaw.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\UpsPilot\wpRMI.exe
C:\Program Files\UpsPilot\jre\bin\javaw.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis 1.99.1\any.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ert.gr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ert.gr/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = turbo.hol.gr:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O2 - BHO: ohb - {285B5CCD-C3F0-4EB6-9632-7D0A3C3AF824} - (no file)
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunServices: [Winpower] C:\Program Files\UpsPilot\Winpower.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia\vidalia.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_7 -reboot 1
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
O4 - Global Startup: Privoxy.lnk = C:\Program Files\Privoxy\privoxy.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {DE910060-8EFB-44B9-B492-75180696643F} - http://www.hotsearchbar.com/toolbar30/hsrb.cab
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O20 - Winlogon Notify: LBTServ - C:\Program Files\Common Files\Logitech\Bluetooth\lbtserv.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: Visualware CallerIP (CallerIP) - Unknown owner - C:\Program Files\CallerIP\cip-nt.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: MSSQL$PINNACLESYS - Unknown owner - C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe" -sPINNACLESYS (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SQLAgent$PINNACLESYS - Unknown owner - C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlagent.EXE" -i PINNACLESYS (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Winpower - ZeroG Software - C:\PROGRA~1\UpsPilot\Winpower.exe
O23 - Service: Winpowermanager - ZeroG Software - C:\PROGRA~1\UpsPilot\manager.exe
O23 - Service: Winpowermonitor - ZeroG Software - C:\PROGRA~1\UpsPilot\monitor.exe
O23 - Service: WinpowerRMI - ZeroG Software - C:\PROGRA~1\UpsPilot\wpRMI.exe

Mr_JAk3
2006-12-16, 10:34
Hi :)

Ok, please remove any old version of SmitFraudFix.

Please download SmitfraudFix (http://siri.urz.free.fr/Fix/SmitfraudFix.exe) (by S!Ri)

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm

NOTE: Do not run any other options from SmitfraudFix until I tell you to do so!


Millslord
2006-12-18, 17:12
Please find report below:


SmitFraudFix v2.131

Scan done at 18:11:28,79, Δευ 18/12/2006
Run from C:\SmitfraudFix
OS: Microsoft Windows XP [Έκδοση 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\adminX2


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\adminX2\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\adminX2\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

Mr_JAk3
2006-12-18, 19:46
Hi again, we'll continue :)

You should print these instructions or save these to a text file. Follow these instructions carefully.

Open AVG Anti-Spyware:
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update successful message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.

Make your hidden files visible:
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply and then OK, and close My Computer.

==================

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

O2 - BHO: ohb - {285B5CCD-C3F0-4EB6-9632-7D0A3C3AF824} - (no file)
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O16 - DPF: {DE910060-8EFB-44B9-B492-75180696643F} - http://www.hotsearchbar.com/toolbar30/hsrb.cab

Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.

Go to the My Computer and delete the following files (if present):
C:\WINDOWS\system32\sw20.exe
C:\WINDOWS\system32\sw24.exe

Run ATF Cleaner. Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT: Don't click on the "Save Scan Report" button before you have hit the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

================

When you're ready, please post the following logs here:
- AVG's report
- a fresh HijackThis log
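
As an added example that is not part of this thread (and not a tool Mr_JAk3 used), the Python below parses HijackThis log entries, applies the three rules behind the entries selected for fixing above (an O2 BHO with "(no file)", O4 autoruns of sw20.exe/sw24.exe, an O16 download from an unexpected host), and compares a fresh log with the earlier one to confirm the fix took. The WATCHLIST, TRUSTED_DPF_HOSTS and the sample logs are assumptions constructed from this thread only.

```python
"""Triage for HijackThis 1.99.1 logs (added example; not a tool from the thread).

WATCHLIST and TRUSTED_DPF_HOSTS are assumptions built from this thread alone,
not a general-purpose signature set.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Every HijackThis entry starts with a section code (R0, R1, O2, O4, O16, O23 ...).
_ENTRY = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")

# Executable names the helper asked the user to delete in safe mode (from the thread).
WATCHLIST = {"sw20.exe", "sw24.exe"}
# O16 (Downloaded Program Files) hosts considered expected on this machine:
# the Kaspersky online scanner CAB was in the log and was left alone.
TRUSTED_DPF_HOSTS = {"www.kaspersky.com"}


@dataclass(frozen=True)
class Entry:
    section: str   # e.g. "O4"
    body: str      # everything after "O4 - "
    raw: str       # the full line, as it appears in the log


@dataclass(frozen=True)
class Finding:
    entry: Entry
    reason: str


def parse_hijackthis(text: str) -> list[Entry]:
    """Return one Entry per 'Rn - ...' or 'On - ...' line.

    The header, the 'Running processes:' block and blank lines carry no
    section code and are skipped.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = _ENTRY.match(line)
        if m:
            entries.append(Entry(m.group("sec"), m.group("body"), line))
    return entries


def _exe_name(body: str) -> str:
    """Lowercased file name of the first .exe/.dll referenced in an entry."""
    m = re.search(r'([^\\\s"]+\.(?:exe|dll))', body, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def triage(entries: list[Entry]) -> list[Finding]:
    """Apply the thread's three rules and return the entries worth fixing."""
    findings = []
    for e in entries:
        if e.section == "O2" and "(no file)" in e.body:
            findings.append(Finding(e, "BHO registration whose DLL no longer exists"))
        elif e.section == "O4" and _exe_name(e.body) in WATCHLIST:
            findings.append(Finding(e, "autorun of a file on the removal watch list"))
        elif e.section == "O16":
            # O16 bodies end with ' - <URL of the CAB file>'.
            host = urlparse(e.body.rsplit(" - ", 1)[-1].strip()).hostname or ""
            if host not in TRUSTED_DPF_HOSTS:
                findings.append(Finding(e, f"ActiveX download from unexpected host {host}"))
    return findings


def removed_entries(before: str, after: str) -> list[str]:
    """Raw entries present in the earlier log but gone from the fresh one."""
    after_raw = {e.raw for e in parse_hijackthis(after)}
    return [e.raw for e in parse_hijackthis(before) if e.raw not in after_raw]


# Constructed sample: a few entries copied from the logs posted in the thread.
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ert.gr/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ohb - {285B5CCD-C3F0-4EB6-9632-7D0A3C3AF824} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {DE910060-8EFB-44B9-B492-75180696643F} - http://www.hotsearchbar.com/toolbar30/hsrb.cab
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# The same machine after the fix: the four flagged entries are gone (constructed).
LOG_AFTER = "\n".join(
    line for line in LOG_BEFORE.splitlines()
    if not any(k in line for k in ("ohb", "sw20.exe", "sw24.exe", "hotsearchbar"))
)

if __name__ == "__main__":
    for f in triage(parse_hijackthis(LOG_BEFORE)):
        print(f"FIX  {f.entry.raw}\n     reason: {f.reason}")
    for raw in removed_entries(LOG_BEFORE, LOG_AFTER):
        print(f"GONE {raw}")
```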

Millslord
2006-12-19, 17:47
Hi again,

Thx for help. The problem persists.

Scan Report:


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 6:38:21 μμ 19/12/2006

+ Scan result:



C:\System Volume Information\_restore{1739919A-AF97-4CB0-BE38-3518B3B625D0}\RP461\A0224638.exe -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1739919A-AF97-4CB0-BE38-3518B3B625D0}\RP461\A0224639.exe -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1739919A-AF97-4CB0-BE38-3518B3B625D0}\RP461\A0224644.dll -> Adware.Minibug : Cleaned with backup (quarantined).
G:\My Downloads\Done\Norton Systemworks 2006 cracked .zip/crack.exe -> Adware.WinAD : Cleaned with backup (quarantined).
C:\My Downloads\Google Earth Pro 5 Plus Crack.zip/Google Earth Pro 5 Plus Crack/Crack.exe -> Downloader.IstBar : Cleaned with backup (quarantined).
G:\System Volume Information\_restore{1739919A-AF97-4CB0-BE38-3518B3B625D0}\RP461\A0224637.exe -> Downloader.Zlob.awh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1739919A-AF97-4CB0-BE38-3518B3B625D0}\RP455\A0224205.exe -> Downloader.Zlob.bej : Cleaned with backup (quarantined).
G:\My Downloads\XoftSpy_v3[1].44_by_Seven_7 (www.lomalka.ru).zip/XSCrack.exe -> Logger.Banker.zn : Cleaned with backup (quarantined).
G:\System Volume Information\_restore{1739919A-AF97-4CB0-BE38-3518B3B625D0}\RP461\A0224634.exe -> Logger.Delf.ncs : Cleaned with backup (quarantined).
G:\System Volume Information\_restore{1739919A-AF97-4CB0-BE38-3518B3B625D0}\RP461\A0224635.exe -> Logger.Delf.ncs : Cleaned with backup (quarantined).
G:\System Volume Information\_restore{1739919A-AF97-4CB0-BE38-3518B3B625D0}\RP461\A0224636.exe -> Logger.Delf.ncs : Cleaned with backup (quarantined).
G:\System Volume Information\_restore{1739919A-AF97-4CB0-BE38-3518B3B625D0}\RP461\A0224646.exe -> Not-A-Virus.Monitor.Win32.007SpySoft.308 : Cleaned with backup (quarantined).
:mozilla.45:C:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{8C7A6CFD-C827-4AA5-9908-513BCA5E9EA6}\{4E1F3BBD-782D-4079-933C-1F15F3C36131}.txt/{4E1F3BBD-782D-4079-933C-1F15F3C36131}.txt -> TrackingCookie.Adbrite : Error during cleaning.
:mozilla.46:C:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{8C7A6CFD-C827-4AA5-9908-513BCA5E9EA6}\{4E1F3BBD-782D-4079-933C-1F15F3C36131}.txt/{4E1F3BBD-782D-4079-933C-1F15F3C36131}.txt -> TrackingCookie.Adbrite : Error during cleaning.
:mozilla.47:C:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{8C7A6CFD-C827-4AA5-9908-513BCA5E9EA6}\{4E1F3BBD-782D-4079-933C-1F15F3C36131}.txt/{4E1F3BBD-782D-4079-933C-1F15F3C36131}.txt -> TrackingCookie.Adbrite : Error during cleaning.
:mozilla.48:C:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{8C7A6CFD-C827-4AA5-9908-513BCA5E9EA6}\{4E1F3BBD-782D-4079-933C-1F15F3C36131}.txt/{4E1F3BBD-782D-4079-933C-1F15F3C36131}.txt -> TrackingCookie.Adbrite : Error during cleaning.
:mozilla.54:C:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{8C7A6CFD-C827-4AA5-9908-513BCA5E9EA6}\{4E1F3BBD-782D-4079-933C-1F15F3C36131}.txt/{4E1F3BBD-782D-4079-933C-1F15F3C36131}.txt -> TrackingCookie.Adbrite : Error during cleaning.
:mozilla.57:C:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{8C7A6CFD-C827-4AA5-9908-513BCA5E9EA6}\{4E1F3BBD-782D-4079-933C-1F15F3C36131}.txt/{4E1F3BBD-782D-4079-933C-1F15F3C36131}.txt -> TrackingCookie.Clickhype : Error during cleaning.
:mozilla.58:C:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{8C7A6CFD-C827-4AA5-9908-513BCA5E9EA6}\{4E1F3BBD-782D-4079-933C-1F15F3C36131}.txt/{4E1F3BBD-782D-4079-933C-1F15F3C36131}.txt -> TrackingCookie.Clickhype : Error during cleaning.
:mozilla.14:C:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{8C7A6CFD-C827-4AA5-9908-513BCA5E9EA6}\{4E1F3BBD-782D-4079-933C-1F15F3C36131}.txt/{4E1F3BBD-782D-4079-933C-1F15F3C36131}.txt -> TrackingCookie.Doubleclick : Error during cleaning.
:mozilla.40:C:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{8C7A6CFD-C827-4AA5-9908-513BCA5E9EA6}\{4E1F3BBD-782D-4079-933C-1F15F3C36131}.txt/{4E1F3BBD-782D-4079-933C-1F15F3C36131}.txt -> TrackingCookie.Yieldmanager : Error during cleaning.
:mozilla.44:C:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{8C7A6CFD-C827-4AA5-9908-513BCA5E9EA6}\{4E1F3BBD-782D-4079-933C-1F15F3C36131}.txt/{4E1F3BBD-782D-4079-933C-1F15F3C36131}.txt -> TrackingCookie.Yieldmanager : Error during cleaning.
G:\My Downloads\Adobe_Photoshop_CS_KeyGen_Activation_www[1].lomalka.ru_.zip/Adobe Photoshop CS - Keygen.exe -> Worm.Delf.bd : Cleaned with backup (quarantined).


::Report end


Hijack this log:


Logfile of HijackThis v1.99.1
Scan saved at 6:46:53 μμ, on 19/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\UpsPilot\Winpower.exe
C:\Program Files\UpsPilot\jre\bin\javaw.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\UpsPilot\monitor.exe
C:\Program Files\UpsPilot\jre\bin\javaw.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\PROGRA~1\UpsPilot\wpRMI.exe
C:\Program Files\UpsPilot\jre\bin\javaw.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis 1.99.1\any.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ert.gr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ert.gr/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = turbo.hol.gr:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\RunServices: [Winpower] C:\Program Files\UpsPilot\Winpower.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia\vidalia.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_7 -reboot 1
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
O4 - Global Startup: Privoxy.lnk = C:\Program Files\Privoxy\privoxy.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O20 - Winlogon Notify: LBTServ - C:\Program Files\Common Files\Logitech\Bluetooth\lbtserv.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: Visualware CallerIP (CallerIP) - Unknown owner - C:\Program Files\CallerIP\cip-nt.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: MSSQL$PINNACLESYS - Unknown owner - C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe" -sPINNACLESYS (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SQLAgent$PINNACLESYS - Unknown owner - C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlagent.EXE" -i PINNACLESYS (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Winpower - ZeroG Software - C:\PROGRA~1\UpsPilot\Winpower.exe
O23 - Service: Winpowermanager - ZeroG Software - C:\PROGRA~1\UpsPilot\manager.exe
O23 - Service: Winpowermonitor - ZeroG Software - C:\PROGRA~1\UpsPilot\monitor.exe
O23 - Service: WinpowerRMI - ZeroG Software - C:\PROGRA~1\UpsPilot\wpRMI.exe

Mr_JAk3
2006-12-19, 20:40
Hi again, it is looking clean now :)
The computer is running fine?


G:\My Downloads\Done\Norton Systemworks 2006 cracked .zip/crack.exe -> Adware.WinAD : Cleaned with backup (quarantined).
C:\My Downloads\Google Earth Pro 5 Plus Crack.zip/Google Earth Pro 5 Plus Crack/Crack.exe -> Downloader.IstBar : Cleaned with backup (quarantined).
G:\My Downloads\XoftSpy_v3[1].44_by_Seven_7 (www.lomalka.ru).zip/XSCrack.exe -> Logger.Banker.zn : Cleaned with backup (quarantined).
G:\My Downloads\Adobe_Photoshop_CS_KeyGen_Activation_www[1].lomalka.ru_.zip/Adobe Photoshop CS - Keygen.exe -> Worm.Delf.bd : Cleaned with backup (quarantined).
The use of cracks and keygens is illegal and as you can see, it gets you infected!
I recommend that you remove all of these immediately.

You don't have an antivirus (http://forum.malwareremoval.com/viewtopic.php?p=53#53) on your computer; you must install one. Otherwise you'll get infected again.

These are good (free) antiviruses: AVG (http://free.grisoft.com)
Antivir (http://www.free-av.com)
Avast (http://www.avast.com)

Now you can clean AVG's Quarantine:
Open AVG Anti-Spyware
Click Infections
Click Quarantine tab
Click Select all
Click Remove finally
Close the program
You can remove the tools we used.

The unregistered version of FlashGet serves up Ads in Internet Explorer that are downloaded from Cydoor servers. I would suggest removing it if it is this version. The registered version supposedly does not... so it should be ok. You can find Safer Alternatives (http://www.spywareinfo.com/downloads.php?cat=dlman#dlman). Please uninstall FlashGet in the Control Panel /Add Remove programs. These are the items to fix in HijackThis.

O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

Then you should update your Java to the latest version (6.0):
Start
Control Panel
Add/Remove Programs
Delete the old Java, J2SE Runtime Environment 5.0 Update 6
Download the latest version of Java Runtime Environment (JRE) 6.0 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement."
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Install it

Now you can make your hidden files hidden again.
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Check "Hide protected operating system files"
Click Apply and then the OK and close My Computer.

=============

Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.

Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.

Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.

Use AVG Anti-Spyware (http://www.ewido.net/en/)
Update it and scan your computer regularly with it.

Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.

Install SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html)
SpywareBlaster will prevent spyware from being installed.

Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.

Use Firefox browser (http://www.mozilla.org)
Firefox is faster, safer and better browser than Internet Explorer.

Keep your system up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly.

Keep your antivirus and firewall up-to-date
Scan your computer regularly with your antivirus.

Read this article by TonyKlein (http://forums.spybot.info/showthread.php?t=279)
So how did I get infected in the first place?

Stand Up and Be Counted ! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.


Stay clean and be safe ;)

Millslord
2006-12-20, 10:33
Hi and thanks for your assistance.

No, the computer is not running fine. I still can't change the desktop wallpaper. The problem I described in my first post still persists.

Kind regards,

Mills

Millslord
2006-12-20, 11:37
The strange thing is that when I run smitfraudfix under Windows normal mode, the problem gets fixed, but my Netgear tool on the tray disappears. If I restart and log on to Windows again, trying to change the Windows desktop won't work and the problem reoccurs.

Mr_JAk3
2006-12-20, 17:32
Ok...

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/combofix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


Millslord
2006-12-20, 18:41
adminX2 - 06-12-20 19:25:47,31 Service Pack 2
ComboFix 06.11.27 - Running from: "G:\Downloads"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\winsys.exe


((((((((((((((((((((((((((((((( Files Created from 2006-11-20 to 2006-12-20 ))))))))))))))))))))))))))))))))))


2006-12-20 12:40 <DIR> d-------- C:\Program Files\Common Files\Java
2006-12-18 18:11 <DIR> d-------- C:\SmitfraudFix
2006-12-18 18:10 731,028 --a------ C:\SmitfraudFix.exe
2006-12-15 11:12 1,021,504 --a------ C:\WINDOWS\system32\vete.dll
2006-12-13 21:27 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2006-12-13 21:25 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2006-12-13 21:19 <DIR> d-------- C:\Program Files\SpywareBlaster
2006-12-13 20:29 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-12-13 20:29 <DIR> d-------- C:\Program Files\Grisoft
2006-12-13 20:12 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2006-12-13 19:08 <DIR> d-------- C:\WINDOWS\temp
2006-12-13 18:34 <DIR> d-------- C:\Downloads
2006-12-13 18:25 <DIR> d-------- C:\Program Files\HijackThis 1.99.1
2006-11-29 22:07 <DIR> d-------- C:\Program Files\ZipZag
2006-11-29 22:07 <DIR> d-------- C:\Documents and Settings\adminX2\Application Data\ZipZag
2006-11-24 21:00 <DIR> d--h----- C:\WINDOWS\PIF
2006-11-23 18:52 <DIR> d-------- C:\Documents and Settings\adminX2\Application Data\Apple Computer
2006-11-21 22:08 <DIR> d-------- C:\My Downloads


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-20 19:21 -------- d-------- C:\Program Files\Mozilla Firefox
2006-12-20 18:41 -------- d-------- C:\Documents and Settings\adminX2\Application Data\Vidalia
2006-12-20 12:40 -------- d-------- C:\Program Files\Java
2006-12-20 12:40 -------- d-------- C:\Program Files\Common Files
2006-12-20 12:04 2158 --a------ C:\WINDOWS\system32\tmp.reg
2006-12-19 20:45 -------- d-------- C:\Documents and Settings\adminX2\Application Data\Canon
2006-12-19 19:59 -------- d-------- C:\Program Files\UpsPilot
2006-12-18 19:28 -------- d-------- C:\Documents and Settings\adminX2\Application Data\Azureus
2006-12-18 17:57 -------- d-------- C:\Program Files\Outlook Express
2006-12-18 17:57 -------- d-------- C:\Program Files\Common Files\System
2006-12-15 20:01 -------- d-------- C:\Program Files\XoftSpy
2006-12-15 11:12 645904 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2006-12-15 11:12 115088 --a------ C:\WINDOWS\system32\drivers\vetfddnt.sys
2006-12-13 21:27 -------- d-------- C:\Program Files\Windows Media Player
2006-12-12 13:53 -------- d-------- C:\Program Files\Warcraft III
2006-11-29 19:26 -------- d-------- C:\Documents and Settings\adminX2\Application Data\Tor
2006-11-28 22:10 -------- d-------- C:\Program Files\KVS
2006-11-28 19:45 -------- d-------- C:\Documents and Settings\adminX2\Application Data\Skype
2006-11-21 21:13 -------- d-------- C:\Program Files\Duolabs
2006-11-17 12:40 -------- d-------- C:\Program Files\BreakPoint Software
2006-11-15 11:42 -------- d-------- C:\Program Files\MSXML 4.0
2006-11-14 16:19 -------- d-------- C:\Program Files\Vidalia
2006-11-14 16:19 -------- d-------- C:\Program Files\Tor
2006-11-14 16:19 -------- d-------- C:\Program Files\Privoxy
2006-11-14 10:23 163644 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2006-11-14 09:57 -------- d-------- C:\Program Files\Electronic Arts
2006-11-13 22:16 -------- d-------- C:\Program Files\Setup Files
2006-11-13 21:45 -------- d-------- C:\Program Files\Common Files\SystemRequirementsLab
2006-11-13 21:45 -------- d-------- C:\Documents and Settings\adminX2\Application Data\System Requirements Lab
2006-11-13 19:55 -------- d-------- C:\Program Files\Adware Away
2006-11-10 10:47 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-11-10 10:46 -------- d-------- C:\Program Files\QuickTime
2006-11-10 10:42 -------- d-------- C:\Program Files\Britannica 7.0
2006-11-08 07:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-06 21:01 -------- d-------- C:\Program Files\PictureRipper 3
2006-11-06 21:01 -------- d-------- C:\Documents and Settings\adminX2\Application Data\PictureRipper
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-11-02 11:51 46080 --------- C:\WINDOWS\system32\wpdshextres.dll
2006-10-31 19:02 -------- d-------- C:\Program Files\Azureus
2006-10-31 18:49 -------- d-------- C:\Program Files\dvdSanta
2006-10-26 20:57 -------- d-------- C:\Program Files\FreshDevices
2006-10-26 20:30 -------- d-------- C:\Program Files\Ulead Systems
2006-10-26 20:06 -------- d-------- C:\Program Files\Intel
2006-10-26 20:01 -------- d-------- C:\Documents and Settings\adminX2\Application Data\Ulead Systems
2006-10-26 19:59 -------- d-------- C:\Program Files\Common Files\Ulead Systems
2006-10-26 19:58 -------- d-------- C:\Program Files\SmartSound Software
2006-10-26 19:55 -------- d-------- C:\Program Files\Windows Media Components
2006-10-26 19:54 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-10-25 13:37 -------- d-------- C:\Program Files\KWS
2006-10-25 13:31 -------- d-------- C:\Program Files\Internet Explorer
2006-10-24 20:53 -------- d-------- C:\Program Files\Microsoft.NET
2006-10-20 03:38 716288 --a------ C:\WINDOWS\system32\sxs.dll
2006-10-18 21:58 8704 --a------ C:\WINDOWS\system32\wdfmgr.exe
2006-10-18 21:58 8704 --a------ C:\WINDOWS\system32\uwdf.exe
2006-10-18 21:47 99840 --a------ C:\WINDOWS\system32\wmpshell.dll
2006-10-18 21:47 991744 --a------ C:\WINDOWS\system32\drmv2clt.dll
2006-10-18 21:47 937984 --a------ C:\WINDOWS\system32\WMNetMgr.dll
2006-10-18 21:47 8231936 --a------ C:\WINDOWS\system32\wmploc.dll
2006-10-18 21:47 767488 --------- C:\WINDOWS\system32\WMVSENCD.dll
2006-10-18 21:47 757248 --a------ C:\WINDOWS\system32\WMADMOD.dll
2006-10-18 21:47 7168 --a------ C:\WINDOWS\system32\asferror.dll
2006-10-18 21:47 656896 --------- C:\WINDOWS\system32\WMVXENCD.dll
2006-10-18 21:47 63488 --a------ C:\WINDOWS\system32\wpdmtpus.dll
2006-10-18 21:47 629760 --a------ C:\WINDOWS\system32\wpd_ci.dll
2006-10-18 21:47 613376 --------- C:\WINDOWS\system32\wmpmde.dll
2006-10-18 21:47 603648 --a------ C:\WINDOWS\system32\WMSPDMOD.dll
2006-10-18 21:47 542720 --a------ C:\WINDOWS\system32\blackbox.dll
2006-10-18 21:47 535040 --------- C:\WINDOWS\system32\wmdrmsdk.dll
2006-10-18 21:47 429056 --a------ C:\WINDOWS\system32\wmdrmdev.dll
2006-10-18 21:47 414208 --a------ C:\WINDOWS\system32\msscp.dll
2006-10-18 21:47 4096 --a------ C:\WINDOWS\system32\wmvdmoe2.dll
2006-10-18 21:47 4096 --a------ C:\WINDOWS\system32\wmvdmod.dll
2006-10-18 21:47 4096 --a------ C:\WINDOWS\system32\WMVADVE.DLL
2006-10-18 21:47 4096 --a------ C:\WINDOWS\system32\WMVADVD.dll
2006-10-18 21:47 4096 --a------ C:\WINDOWS\system32\wmsdmoe2.dll
2006-10-18 21:47 4096 --a------ C:\WINDOWS\system32\wmsdmod.dll
2006-10-18 21:47 4096 --a------ C:\WINDOWS\system32\wdfapi.dll
2006-10-18 21:47 4096 --a------ C:\WINDOWS\system32\MPG4DMOD.dll
2006-10-18 21:47 4096 --a------ C:\WINDOWS\system32\MP4SDMOD.dll
2006-10-18 21:47 4096 --a------ C:\WINDOWS\system32\MP43DMOD.dll
2006-10-18 21:47 37376 --a------ C:\WINDOWS\system32\wmdmps.dll
2006-10-18 21:47 35840 --a------ C:\WINDOWS\system32\wpdconns.dll
2006-10-18 21:47 356352 --a------ C:\WINDOWS\system32\wpdsp.dll
2006-10-18 21:47 348672 --a------ C:\WINDOWS\system32\wmdrmnet.dll
2006-10-18 21:47 33792 --a------ C:\WINDOWS\system32\wmdmlog.dll
2006-10-18 21:47 321536 --a------ C:\WINDOWS\system32\mswmdm.dll
2006-10-18 21:47 317440 --------- C:\WINDOWS\system32\MP4SDECD.dll
2006-10-18 21:47 314880 --a------ C:\WINDOWS\system32\wmpdxm.dll
2006-10-18 21:47 295936 --------- C:\WINDOWS\system32\wmpeffects.dll
2006-10-18 21:47 284160 --------- C:\WINDOWS\system32\PortableDeviceApi.dll
2006-10-18 21:47 276992 --a------ C:\WINDOWS\system32\audiodev.dll
2006-10-18 21:47 27136 --a------ C:\WINDOWS\system32\mspmsnsv.dll
2006-10-18 21:47 2603008 --------- C:\WINDOWS\system32\WpdShext.dll
2006-10-18 21:47 259072 --------- C:\WINDOWS\system32\MPG4DECD.dll
2006-10-18 21:47 259072 --------- C:\WINDOWS\system32\MP43DECD.dll
2006-10-18 21:47 2450944 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-10-18 21:47 242688 --a------ C:\WINDOWS\system32\wmpasf.dll
2006-10-18 21:47 229376 --a------ C:\WINDOWS\system32\cewmdm.dll
2006-10-18 21:47 227328 --a------ C:\WINDOWS\system32\wmerror.dll
2006-10-18 21:47 222208 --a------ C:\WINDOWS\system32\WMASF.dll
2006-10-18 21:47 212992 --------- C:\WINDOWS\system32\MFPLAT.dll
2006-10-18 21:47 211456 --a------ C:\WINDOWS\system32\qasf.dll
2006-10-18 21:47 204288 --a------ C:\WINDOWS\system32\wmpsrcwp.dll
2006-10-18 21:47 199168 --------- C:\WINDOWS\system32\PortableDeviceWMDRM.dll
2006-10-18 21:47 179712 --a------ C:\WINDOWS\system32\msnetobj.dll
2006-10-18 21:47 175616 --a------ C:\WINDOWS\system32\mspmsp.dll
2006-10-18 21:47 166912 --------- C:\WINDOWS\system32\PortableDeviceTypes.dll
2006-10-18 21:47 1661440 --a------ C:\WINDOWS\system32\wmpencen.dll
2006-10-18 21:47 1574912 --------- C:\WINDOWS\system32\WMVENCOD.dll
2006-10-18 21:47 157184 --a------ C:\WINDOWS\system32\wmidx.dll
2006-10-18 21:47 154624 --a------ C:\WINDOWS\system32\wpdmtp.dll
2006-10-18 21:47 1543680 --------- C:\WINDOWS\system32\WMVDECOD.dll
2006-10-18 21:47 1382912 --------- C:\WINDOWS\system32\WMVSDECD.dll
2006-10-18 21:47 133632 --------- C:\WINDOWS\system32\WPDShServiceObj.dll
2006-10-18 21:47 1329152 --a------ C:\WINDOWS\system32\WMSPDMOE.dll
2006-10-18 21:47 132096 --------- C:\WINDOWS\system32\PortableDeviceWiaCompat.dll
2006-10-18 21:47 130048 --------- C:\WINDOWS\system32\wmpps.dll
2006-10-18 21:47 11264 --a------ C:\WINDOWS\system32\LAPRXY.dll
2006-10-18 21:47 1117696 --a------ C:\WINDOWS\system32\WMADMOE.dll
2006-10-18 21:47 101888 --------- C:\WINDOWS\system32\PortableDeviceClassExtension.dll
2006-10-18 20:03 100864 --a------ C:\WINDOWS\system32\logagent.exe
2006-10-18 20:00 249856 --------- C:\WINDOWS\system32\drmupgds.exe
2006-10-18 20:00 17408 --------- C:\WINDOWS\system32\wpdshextautoplay.exe
2006-10-17 12:33 6049280 --------- C:\WINDOWS\system32\ieframe.dll
2006-10-17 12:33 50688 --------- C:\WINDOWS\system32\msfeedsbs.dll
2006-10-17 12:33 458752 --------- C:\WINDOWS\system32\msfeeds.dll
2006-10-17 12:33 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-10-17 12:33 231424 --a------ C:\WINDOWS\system32\webcheck.dll
2006-10-17 12:33 180736 --------- C:\WINDOWS\system32\ieui.dll
2006-10-17 12:33 156160 --a------ C:\WINDOWS\system32\msls31.dll
2006-10-17 12:06 78336 --a------ C:\WINDOWS\system32\ieencode.dll
2006-10-17 12:05 40960 --a------ C:\WINDOWS\system32\licmgr10.dll
2006-10-17 12:05 206336 --------- C:\WINDOWS\system32\WinFXDocObj.exe
2006-10-17 12:05 105984 --a------ C:\WINDOWS\system32\url.dll
2006-10-17 12:04 101376 --a------ C:\WINDOWS\system32\occache.dll
2006-10-17 12:03 17408 --a------ C:\WINDOWS\system32\corpol.dll
2006-10-17 12:01 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-10-17 12:01 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-10-17 12:01 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-10-17 12:01 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-10-17 12:01 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-10-17 12:01 13312 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-10-17 12:00 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-10-17 12:00 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-10-17 12:00 123904 --a------ C:\WINDOWS\system32\advpack.dll
2006-10-17 11:58 61952 --------- C:\WINDOWS\system32\icardie.dll
2006-10-17 11:58 12288 --------- C:\WINDOWS\system32\msfeedssync.exe
2006-10-17 11:57 36352 --a------ C:\WINDOWS\system32\imgutil.dll
2006-10-17 11:57 266752 --------- C:\WINDOWS\system32\iertutil.dll
2006-10-17 11:56 45568 --a------ C:\WINDOWS\system32\mshta.exe
2006-10-17 11:28 48128 --a------ C:\WINDOWS\system32\mshtmler.dll
2006-10-17 11:27 380928 --------- C:\WINDOWS\system32\ieapfltr.dll
2006-10-17 11:23 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2006-10-13 14:35 65536 --a------ C:\WINDOWS\system32\nwwks.dll
2006-10-13 14:35 64000 --a------ C:\WINDOWS\system32\nwapi32.dll
2006-10-13 14:35 146944 --a------ C:\WINDOWS\system32\nwprovau.dll
2006-10-02 15:28 312128 --------- C:\WINDOWS\system32\msdelta.dll
2006-09-28 20:13 95344 --------- C:\WINDOWS\system32\WUDFCoinstaller.dll
2006-09-28 18:56 55808 --------- C:\WINDOWS\system32\WudfSvc.dll
2006-09-28 18:56 316416 --------- C:\WINDOWS\system32\WUDFx.dll
2006-09-28 18:56 165376 --------- C:\WINDOWS\system32\WudfPlatform.dll
2006-09-28 18:56 146432 --------- C:\WINDOWS\system32\WudfHost.exe
2006-09-28 16:05 2414360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2006-09-28 16:05 237848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
2006-09-28 16:04 68888 --a------ C:\WINDOWS\system32\xinput1_3.dll
2006-09-28 16:03 15128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll
2006-09-25 17:58 23856 --a------ C:\WINDOWS\system32\spupdsvc.exe

Millslord
2006-12-20, 18:41
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Vidalia"="\"C:\\Program Files\\Vidalia\\vidalia.exe\""
"updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Acrobat\\AdobeUpdateManager.exe\" AcPro7_0_7 -reboot 1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb10.exe"
"SoundMan"="SOUNDMAN.EXE"
"NWEReboot"=""
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE"
@=""
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0\\bin\\jusched.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Winpower"="C:\\Program Files\\UpsPilot\\Winpower.exe"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Προφορτωτής Browseui"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Δαίμονας cache κατηγοριών στοιχείων"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoMovingBands"=dword:00000000
"NoCloseDragDropBands"=dword:00000000
"NoSetTaskbar"=dword:00000000
"NoToolbarsOnTaskbar"=dword:00000000
"NoBandCustomize"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableTaskMgr"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^adminX2^Start Menu^Προγράμματα^Εκκίνηση^Adobe Gamma.lnk]
"path"="C:\\Documents and Settings\\adminX2\\Start Menu\\Προγράμματα\\Εκκίνηση\\Adobe Gamma.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Gamma.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Προγράμματα^Εκκίνηση^Acrobat Assistant.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Προγράμματα\\Εκκίνηση\\Acrobat Assistant.lnk"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Distillr\\acrotray.exe "
"item"="Acrobat Assistant"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Προγράμματα^Εκκίνηση^Adobe Acrobat Speed Launcher.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Προγράμματα\\Εκκίνηση\\Adobe Acrobat Speed Launcher.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Acrobat Speed Launcher.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\WINDOWS\\Installer\\{AC76BA86-1033-0000-7760-000000000002}\\SC_Acrobat.exe "
"item"="Adobe Acrobat Speed Launcher"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Προγράμματα^Εκκίνηση^CoreCenter.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Προγράμματα\\Εκκίνηση\\CoreCenter.lnk"
"backup"="C:\\WINDOWS\\pss\\CoreCenter.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MSI\\CORECE~1\\CORECE~1.EXE "
"item"="CoreCenter"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Προγράμματα^Εκκίνηση^Device Detector 2.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Προγράμματα\\Εκκίνηση\\Device Detector 2.lnk"
"backup"="C:\\WINDOWS\\pss\\Device Detector 2.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Olympus\\DEVICE~1\\DevDtct2.exe "
"item"="Device Detector 2"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Προγράμματα^Εκκίνηση^Microsoft Office OneNote 2003 Quick Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Προγράμματα\\Εκκίνηση\\Microsoft Office OneNote 2003 Quick Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup"
"location"="Common Startup"
"item"="Microsoft Office OneNote 2003 Quick Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Προγράμματα^Εκκίνηση^SecureDoc.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Προγράμματα\\Εκκίνηση\\SecureDoc.lnk"
"backup"="C:\\WINDOWS\\pss\\SecureDoc.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MSI\\SECURE~1\\Logon.exe "
"item"="SecureDoc"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Acrotray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Distillr\\Acrotray.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ActiveSpeed]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AS"
"hkey"="HKLM"
"command"="C:\\Program Files\\Ascentive\\ActiveSpeed\\AS.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CallBridgeReg.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Easy Messaging]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LogitechEasyMsg"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Easy Synchronization]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LogitechEasySync"
"hkey"="HKLM"
"command"="C:\\Program Files\\Logitech\\Easy Synchronization\\LogitechEasySync.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eBayToolbar]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="eBayTBDaemon"
"hkey"="HKLM"
"command"="C:\\Program Files\\eBay\\eBay Toolbar2\\eBayTBDaemon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FineReader7NewsReaderPro]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AbbyyNewsReader"
"hkey"="HKLM"
"command"="C:\\Program Files\\ABBYY FineReader 7.0 Professional Edition\\AbbyyNewsReader.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="InCD"
"hkey"="HKLM"
"command"="C:\\Program Files\\Nero\\Nero 7\\InCD\\InCD.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LiveMonitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LMonitor"
"hkey"="HKLM"
"command"="C:\\Program Files\\MSI\\Live Update 3\\LMonitor.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaGateway]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MediaGateway"
"hkey"="HKLM"
"command"="C:\\Program Files\\MediaGateway\\MediaGateway.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvMcTray"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDF Converter Registry Controller]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RegistryController"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\SYSTRAN\\5.0\\Premium\\RegistryController.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PDVDServ"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\CyberLink DVD Solution\\PowerDVD\\PDVDServ.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Skype"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSystemAnalyzer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SMSystemAnalyzer"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\iolo\\System Mechanic Professional 6\\SMSystemAnalyzer.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TXP]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="txp"
"hkey"="HKLM"
"command"="c:\\program files\\topthemesxp\\txp.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AdobeUpdateManager"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Acrobat\\AdobeUpdateManager.exe\" AcPro7_0_7 -reboot 1"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zinio DLM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ZinioDeliveryManager"
"hkey"="HKCU"
"command"="C:\\Program Files\\Zinio\\ZinioDeliveryManager.exe /autostart"
"inimapping"="0"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTServ

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Symantec NetDetect.job
C:\WINDOWS\tasks\User_Feed_Synchronization-{EB7B6756-B3E1-45F1-9B8C-BB1B7BED1CB0}.job
C:\WINDOWS\tasks\XoftSpy.job

Completion time: 06-12-20 19:30:03.48
C:\ComboFix.txt ... 06-12-20 19:30

Mr_JAk3
2006-12-21, 08:46
Ok let's try this:

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
Once in Safe Mode, double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #3 - Delete Trusted zone by typing 3 and press Enter.
Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

Warning: running option #2 on a non-infected computer will remove your Desktop background.

Can you change your wallpaper now?

Millslord
2006-12-21, 12:00
Hi there,

I cannot change it. Problem remains. I ran the Delete Trusted zone option under Windows normal mode as it was not clear in your message whether safe or normal.

Kind regards,

Mills

Millslord
2006-12-21, 12:01
SmitFraudFix v2.131

Scan done at 12:46:31,57, ϣ 21/12/2006
Run from C:\SmitfraudFix
OS: Microsoft Windows XP [Έκδοση 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

Millslord
2006-12-21, 12:10
Hi there,

Problem finally fixed. I downloaded the activedesktop.vbs file from http://www.kellys-korner-xp.com/xp_tweaks.htm

Thanks for your support so far.

Kind regards,

Mills

Millslord
2006-12-21, 13:37
Hi again,

Sadly, for a reason I cannot understand, the problem reoccurred...

Mr_JAk3
2006-12-21, 13:58
Hi :)

Right-click on the desktop -> choose "Properties" -> Desktop -> click "Customize Desktop" -> click on the "Web" tab

Is something listed in there?

Uncheck and delete everything you find in there.

Hit Apply and OK.

Let me know if it helped :bigthumb:

Millslord
2006-12-22, 12:43
No, nothing is listed there. :sick:

Mr_JAk3
2006-12-22, 19:12
Ok...

To what is the wallpaper locked? Is it a picture?

Millslord
2006-12-22, 19:40
No, it's a blue background. It's blank.

Mr_JAk3
2006-12-22, 20:01
Hi ok...

And what have you tried to change your wallpaper to? Try some of the default ones.

Please download WinPFind2 (http://download.bleepingcomputer.com/oldtimer/winpfind2.exe).
Extract the files to a folder (e.g. C:\WinPFind2).
Double-click WinPFind2.exe to start the program.
Click the Select All button in the File Options box of the Configuration tab (this is the tab the program opens to by default).
Click the Run all Scans button.
When it's finished scanning you will see Scans Complete! at the bottom left of the program.
Click the Export to Text button.
Notepad will open with the results of the scan and the log will be saved to the folder that you extracted the program to (C:\WinPFind2\WinPFind2.txt).
Post the log in your next reply, please. You may need to split the log over a couple of posts so that it doesn't get cut off. If so, please use the [Start Post #1] and [Start Post #2] delimiters in the log to split it up.

Millslord
2006-12-22, 20:25
Hi,

I can't. The moment I move the cursor over a pic and click to choose it the whole thing disappears. :sad:

Millslord
2006-12-22, 20:31
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Logfile created on: 22/12/2006 9:27:02 μμ
WinPFind v1.5.0 Folder = C:\DOCUME~1\adminX2\LOCALS~1\Temp\Rar$EX17.281\WinPFind\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 7.0.5730.11)

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
UPX! 18/12/2006 8:30:16 πμ 731028 C:\SmitfraudFix.exe ()

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
WSUD 22/9/2005 6:30:48 μμ 18776064 C:\WINDOWS\SYSTEM32\alsndmgr.cpl (Realtek Semiconductor Corp.)
aspack 18/3/2005 5:19:58 μμ 2337488 C:\WINDOWS\SYSTEM32\d3dx9_25.dll (Microsoft Corporation)
aspack 26/5/2005 3:34:52 μμ 2297552 C:\WINDOWS\SYSTEM32\d3dx9_26.dll (Microsoft Corporation)
aspack 22/7/2005 7:59:04 μμ 2319568 C:\WINDOWS\SYSTEM32\d3dx9_27.dll (Microsoft Corporation)
aspack 5/12/2005 6:09:18 μμ 2323664 C:\WINDOWS\SYSTEM32\d3dx9_28.dll (Microsoft Corporation)
aspack 3/2/2006 8:43:16 πμ 2332368 C:\WINDOWS\SYSTEM32\d3dx9_29.dll (Microsoft Corporation)
aspack 31/3/2006 12:40:58 μμ 2388176 C:\WINDOWS\SYSTEM32\d3dx9_30.dll (Microsoft Corporation)
aspack 28/9/2006 4:05:20 μμ 2414360 C:\WINDOWS\SYSTEM32\d3dx9_31.dll (Microsoft Corporation)
PEC2 17/4/2003 2:00:00 μμ 41164 C:\WINDOWS\SYSTEM32\dfrg.msc ()
aspack 3/5/2006 3:30:06 μμ 1212928 C:\WINDOWS\SYSTEM32\Incinerator.dll ()
PEC2 26/4/2006 5:58:48 μμ 60156 C:\WINDOWS\SYSTEM32\jspWinNm.DLL ()
PEC2 26/4/2006 5:58:48 μμ 35992 C:\WINDOWS\SYSTEM32\jspWinRnia.DLL ()
PTech 17/5/2006 10:23:38 πμ 579888 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL (Microsoft Corporation)
PECompact2 7/12/2006 3:13:46 μμ 10716584 C:\WINDOWS\SYSTEM32\MRT.exe (Microsoft Corporation)
aspack 7/12/2006 3:13:46 μμ 10716584 C:\WINDOWS\SYSTEM32\MRT.exe (Microsoft Corporation)
WSUD 4/9/2004 5:45:24 πμ 1250816 C:\WINDOWS\SYSTEM32\ntbackup.exe (Microsoft Corporation)
aspack 4/9/2004 5:44:54 πμ 744448 C:\WINDOWS\SYSTEM32\ntdll.dll (Microsoft Corporation)
WSUD 4/9/2004 5:45:26 πμ 263168 C:\WINDOWS\SYSTEM32\nusrmgr.cpl (Microsoft Corporation)
UPX! 30/4/2004 7:46:24 μμ 28672 C:\WINDOWS\SYSTEM32\qtalt.ax (Cyberlink)
Umonitor 4/9/2004 5:45:12 πμ 687104 C:\WINDOWS\SYSTEM32\rasdlg.dll (Microsoft Corporation)
UPX! 26/3/2004 2:32:36 μμ 116224 C:\WINDOWS\SYSTEM32\rmalt.ax (Gabest)
winsync 17/4/2003 2:00:00 μμ 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu ()
PEC2 18/10/2006 9:47:20 μμ 8231936 C:\WINDOWS\SYSTEM32\wmploc.dll (Microsoft Corporation)
WSUD 18/10/2006 9:47:20 μμ 8231936 C:\WINDOWS\SYSTEM32\wmploc.dll (Microsoft Corporation)

Checking %System%\Drivers folder and sub-folders...
PTech 3/8/2004 9:41:38 μμ 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys (Smart Link)

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
22/12/2006 7:48:08 μμ S 2048 C:\WINDOWS\bootstat.dat ()
23/11/2006 1:55:18 μμ H 54156 C:\WINDOWS\QTFont.qfn ()
21/12/2006 2:38:04 μμ HS 5120 C:\WINDOWS\$NtServicePackUninstall$\Thumbs.db ()
25/10/2006 1:32:46 μμ RH 0 C:\WINDOWS\assembly\PublisherPolicy.tme ()
25/10/2006 1:32:46 μμ RH 0 C:\WINDOWS\assembly\pubpol1.dat ()
25/10/2006 9:56:14 μμ RH 0 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index22.dat ()
25/10/2006 9:56:18 μμ RH 0 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index23.dat ()
22/12/2006 7:48:12 μμ S 64 C:\WINDOWS\CSC\00000001 ()
21/12/2006 12:31:52 μμ S 64 C:\WINDOWS\CSC\00000002 ()
13/12/2006 10:48:32 πμ S 64 C:\WINDOWS\CSC\csc1.tmp ()
13/12/2006 6:51:36 μμ H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\ef348e0b99ce18685938c0f5f94eccd6\BIT7.tmp ()
22/12/2006 7:50:56 μμ H 51730 C:\WINDOWS\system32\vsconfig.xml ()
8/11/2006 7:23:54 πμ S 11671 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB923694.cat ()
28/11/2006 8:45:34 μμ S 7868 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem32.CAT ()
28/11/2006 8:46:04 μμ S 17082 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem33.CAT ()
28/11/2006 8:46:04 μμ S 22966 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem34.CAT ()
28/11/2006 8:46:04 μμ S 22966 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem35.CAT ()
28/11/2006 8:46:04 μμ S 22966 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem36.CAT ()
2/11/2006 11:54:58 πμ S 34696 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WMFDist11.cat ()
2/11/2006 12:13:58 μμ S 27554 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\wmp11.cat ()
22/12/2006 9:30:38 μμ H 1024 C:\WINDOWS\system32\config\default.LOG ()
22/12/2006 7:48:26 μμ H 1024 C:\WINDOWS\system32\config\SAM.LOG ()
22/12/2006 7:50:48 μμ H 1024 C:\WINDOWS\system32\config\SECURITY.LOG ()
22/12/2006 9:30:48 μμ H 1024 C:\WINDOWS\system32\config\software.LOG ()
22/12/2006 9:23:34 μμ H 1024 C:\WINDOWS\system32\config\system.LOG ()
18/12/2006 5:57:20 μμ H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG ()
19/11/2006 10:14:20 μμ S 688 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\60E31627FDA0A46932B0E5948949F2A5 ()
21/12/2006 1:25:40 μμ S 44083 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\A8FABA189DB7D25FBA7CAC806625FD30 ()
21/12/2006 2:29:48 μμ S 558 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735 ()
19/11/2006 10:14:20 μμ S 94 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\60E31627FDA0A46932B0E5948949F2A5 ()
21/12/2006 1:25:40 μμ S 124 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\A8FABA189DB7D25FBA7CAC806625FD30 ()
21/12/2006 2:29:48 μμ S 144 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735 ()
13/12/2006 9:25:54 μμ H 0 C:\WINDOWS\system32\drivers\UMDF\MsftWdf_user_01_00_00.Wdf ()
13/12/2006 9:25:02 μμ HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\233da1f6-dde6-413e-8c97-e0b9def364eb ()
13/12/2006 9:25:02 μμ HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred ()
3/12/2006 9:37:48 μμ HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\ebab982d-cb20-4bab-b766-60d39acb8a75 ()
3/12/2006 9:37:48 μμ HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred ()
22/12/2006 7:48:14 μμ H 6 C:\WINDOWS\Tasks\SA.DAT ()
22/12/2006 1:45:16 μμ H 396 C:\WINDOWS\Tasks\User_Feed_Synchronization-{EB7B6756-B3E1-45F1-9B8C-BB1B7BED1CB0}.job ()

Checking for CPL files...
4/9/2004 5:45:26 πμ 71168 C:\WINDOWS\SYSTEM32\access.cpl (Microsoft Corporation)
22/9/2005 6:30:48 μμ 18776064 C:\WINDOWS\SYSTEM32\alsndmgr.cpl (Realtek Semiconductor Corp.)
4/9/2004 5:45:26 πμ 556544 C:\WINDOWS\SYSTEM32\appwiz.cpl (Microsoft Corporation)
28/10/2004 5:37:16 μμ 266299 C:\WINDOWS\SYSTEM32\btcpl.cpl (Broadcom Corporation)
4/9/2004 5:45:26 πμ 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl (Microsoft Corporation)
4/9/2004 5:45:26 πμ 138752 C:\WINDOWS\SYSTEM32\desk.cpl (Microsoft Corporation)
4/9/2004 5:45:26 πμ 80384 C:\WINDOWS\SYSTEM32\firewall.cpl (Microsoft Corporation)
4/9/2004 5:45:26 πμ 157696 C:\WINDOWS\SYSTEM32\hdwwiz.cpl (Microsoft Corporation)
17/10/2006 12:05:48 μμ 1817088 C:\WINDOWS\SYSTEM32\inetcpl.cpl (Microsoft Corporation)
4/9/2004 5:45:26 πμ 134144 C:\WINDOWS\SYSTEM32\intl.cpl (Microsoft Corporation)
4/9/2004 5:45:26 πμ 380928 C:\WINDOWS\SYSTEM32\irprops.cpl (Microsoft Corporation)
20/12/2006 12:40:26 μμ 69632 C:\WINDOWS\SYSTEM32\javacpl.cpl (Sun Microsystems, Inc.)
4/9/2004 5:45:26 πμ 70144 C:\WINDOWS\SYSTEM32\joy.cpl (Microsoft Corporation)
17/4/2003 2:00:00 μμ 189440 C:\WINDOWS\SYSTEM32\main.cpl (Microsoft Corporation)
4/9/2004 5:45:26 πμ 628224 C:\WINDOWS\SYSTEM32\mmsys.cpl (Microsoft Corporation)
17/4/2003 2:00:00 μμ 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl (Microsoft Corporation)
4/9/2004 5:45:26 πμ 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl (Microsoft Corporation)
4/9/2004 5:45:26 πμ 263168 C:\WINDOWS\SYSTEM32\nusrmgr.cpl (Microsoft Corporation)
8/8/2006 2:54:00 μμ 69632 C:\WINDOWS\SYSTEM32\nvcpl.cpl (NVIDIA Corporation)
8/8/2006 2:54:00 μμ 73728 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl ()
17/4/2003 2:00:00 μμ 38912 C:\WINDOWS\SYSTEM32\nwc.cpl (Microsoft Corporation)
4/9/2004 5:45:26 πμ 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl (Microsoft Corporation)
4/9/2004 5:45:26 πμ 119296 C:\WINDOWS\SYSTEM32\powercfg.cpl (Microsoft Corporation)
4/9/2004 5:45:26 πμ 304640 C:\WINDOWS\SYSTEM32\sysdm.cpl (Microsoft Corporation)
17/4/2003 2:00:00 μμ 28160 C:\WINDOWS\SYSTEM32\telephon.cpl (Microsoft Corporation)
4/9/2004 5:45:26 πμ 94208 C:\WINDOWS\SYSTEM32\timedate.cpl (Microsoft Corporation)
4/9/2004 5:45:26 πμ 148480 C:\WINDOWS\SYSTEM32\wscui.cpl (Microsoft Corporation)
26/5/2005 3:16:22 πμ 175384 C:\WINDOWS\SYSTEM32\wuaucpl.cpl (Microsoft Corporation)
17/10/2006 12:05:48 μμ 1817088 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl (Microsoft Corporation)
17/4/2003 2:00:00 μμ 189440 C:\WINDOWS\SYSTEM32\dllcache\main.cpl (Microsoft Corporation)
17/4/2003 2:00:00 μμ 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl (Microsoft Corporation)
17/4/2003 2:00:00 μμ 38912 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl (Microsoft Corporation)
17/4/2003 2:00:00 μμ 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl (Microsoft Corporation)
26/5/2005 3:16:22 πμ 175384 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl (Microsoft Corporation)
1/12/2004 3:53:44 μμ 16166912 C:\WINDOWS\SYSTEM32\ReinstallBackups\0004\DriverFiles\ALSNDMGR.CPL (Realtek Semiconductor Corp.)

Checking for Downloaded Program Files...
{0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - CKAVWebScan Object - CodeBase = http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
{17492023-C23A-453E-A040-C7C580BBF700} - Windows Genuine Advantage Validation Tool - CodeBase = http://download.microsoft.com/download/e/9/c/e9c73b60-bff1-4f03-b06f-d3cbe8f8d9f4/LegitCheckControl.cab
{3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - Office Update Installation Engine - CodeBase = http://office.microsoft.com/officeupdate/content/opuc3.cab
{8AD9C840-044E-11D1-B3E9-00805F499D93} - Java Plug-in 1.6.0 - CodeBase = http://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - Java Plug-in 1.6.0 - CodeBase = http://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - Java Plug-in 1.6.0 - CodeBase = http://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
{D27CDB6E-AE6D-11CF-96B8-444553540000} - Shockwave Flash Object - CodeBase = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
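The WinPFind header's point that not everything it lists is bad is the whole job of reading such a log: packer tags and missing publisher strings both show up on legitimate files (the d3dx9 DLLs and MRT.exe above), and only the combination, weighted by where the file sits and how recently it changed, earns a closer look. As an added example that is not part of this thread or of WinPFind itself, here is a small Python triage script for file lines in the format posted above; the sample lines are taken from the posted log, except constructed_sample.dll, which is a constructed entry standing in for a recently dropped unknown file.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Packer tags WinPFind prints in the first column. Packing alone is common
# in legitimate software (d3dx9_*.dll, MRT.exe), so it is only a signal.
PACKER_TAGS = {"UPX!", "aspack", "PEC2", "PECompact2"}

# A file line: <tag> <d/m/yyyy> <h:mm:ss> <πμ|μμ> <size> <path> (<publisher>).
# Greek XP prints πμ (AM) and μμ (PM); English builds print AM/PM.
LINE_RE = re.compile(
    r"^(?P<tag>\S+)\s+(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+"
    r"(?P<time>\d{1,2}:\d{2}:\d{2})\s+(?P<ampm>πμ|μμ|AM|PM)\s+"
    r"(?P<size>\d+)\s+(?P<path>.+?)\s+\((?P<publisher>.*)\)\s*$"
)
HEADER_RE = re.compile(
    r"Logfile created on:\s+(\d{1,2}/\d{1,2}/\d{4})\s+"
    r"(\d{1,2}:\d{2}:\d{2})\s+(πμ|μμ|AM|PM)"
)
SYSTEM_DIR = "c:\\windows\\"

# Lines taken from the log posted in the thread, plus one constructed entry
# (constructed_sample.dll) that stands in for a recently dropped unknown file.
SAMPLE_LOG = r"""
Logfile created on: 22/12/2006 9:27:02 μμ
Checking %SystemDrive% folder...
UPX! 18/12/2006 8:30:16 πμ 731028 C:\SmitfraudFix.exe ()

Checking %System% folder...
aspack 18/3/2005 5:19:58 μμ 2337488 C:\WINDOWS\SYSTEM32\d3dx9_25.dll (Microsoft Corporation)
aspack 3/5/2006 3:30:06 μμ 1212928 C:\WINDOWS\SYSTEM32\Incinerator.dll ()
PEC2 26/4/2006 5:58:48 μμ 60156 C:\WINDOWS\SYSTEM32\jspWinNm.DLL ()
PECompact2 7/12/2006 3:13:46 μμ 10716584 C:\WINDOWS\SYSTEM32\MRT.exe (Microsoft Corporation)
UPX! 20/12/2006 11:02:10 πμ 45056 C:\WINDOWS\SYSTEM32\constructed_sample.dll ()
"""


@dataclass
class Entry:
    tag: str
    modified: datetime
    size: int
    path: str
    publisher: str


def _to_datetime(date, time, ampm):
    """Turn WinPFind's d/m/yyyy h:mm:ss πμ|μμ fields into a datetime."""
    day, month, year = (int(x) for x in date.split("/"))
    hour, minute, second = (int(x) for x in time.split(":"))
    if ampm in ("μμ", "PM") and hour != 12:
        hour += 12
    elif ampm in ("πμ", "AM") and hour == 12:
        hour = 0
    return datetime(year, month, day, hour, minute, second)


def parse_line(line):
    """Parse one file line; section headers and blank lines return None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(m["tag"], _to_datetime(m["date"], m["time"], m["ampm"]),
                 int(m["size"]), m["path"], m["publisher"].strip())


def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]


def parse_scan_time(text):
    """Scan timestamp from the 'Logfile created on:' header, or None."""
    m = HEADER_RE.search(text)
    return _to_datetime(*m.groups()) if m else None


def triage(entries, scan_time, recent_days=60):
    """Return (entry, reasons) for files worth a closer look, newest first.

    The trigger is the combination packed + no publisher string; recency
    and location are recorded so a reviewer can prioritise, not as triggers.
    """
    flagged = []
    for e in entries:
        packed = e.tag in PACKER_TAGS
        anonymous = e.publisher == ""
        if not (packed and anonymous):
            continue
        reasons = ["packed with %s" % e.tag, "no publisher string"]
        if (scan_time - e.modified).days <= recent_days:
            reasons.append("modified within %d days of the scan" % recent_days)
        if e.path.lower().startswith(SYSTEM_DIR):
            reasons.append("lives under the Windows folder")
        flagged.append((e, reasons))
    flagged.sort(key=lambda er: er[0].modified, reverse=True)
    return flagged


if __name__ == "__main__":
    scan = parse_scan_time(SAMPLE_LOG)
    for entry, reasons in triage(parse_log(SAMPLE_LOG), scan):
        print(entry.path, "->", "; ".join(reasons))
```

On the sample, SmitfraudFix.exe is flagged as well: the tool is itself UPX-packed and anonymous, which is exactly why a reviewer, not the script, makes the final call.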

Millslord
2006-12-22, 20:32
»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
28/8/2006 6:13:38 μμ 681 C:\Documents and Settings\All Users\Start Menu\Προγράμματα\Εκκίνηση\BTTray.lnk ()
27/3/2005 3:54:58 μμ HS 84 C:\Documents and Settings\All Users\Start Menu\Προγράμματα\Εκκίνηση\desktop.ini ()
28/8/2006 6:14:32 μμ 1687 C:\Documents and Settings\All Users\Start Menu\Προγράμματα\Εκκίνηση\Logitech SetPoint.lnk ()
6/9/2006 6:43:34 μμ 1759 C:\Documents and Settings\All Users\Start Menu\Προγράμματα\Εκκίνηση\NETGEAR WG311v2 Smart Configuration.lnk ()
14/11/2006 4:19:56 μμ 678 C:\Documents and Settings\All Users\Start Menu\Προγράμματα\Εκκίνηση\Privoxy.lnk ()

Checking files in %ALLUSERSPROFILE%\Application Data folder...
27/3/2005 4:44:30 μμ HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini ()

Checking files in %USERPROFILE%\Startup folder...
27/3/2005 3:54:58 μμ HS 84 C:\Documents and Settings\adminX2\Start Menu\Προγράμματα\Εκκίνηση\desktop.ini ()

Checking files in %USERPROFILE%\Application Data folder...
27/3/2005 4:44:30 μμ HS 62 C:\Documents and Settings\adminX2\Application Data\desktop.ini ()
12/4/2006 11:25:00 πμ 1403 C:\Documents and Settings\adminX2\Application Data\GdiplusUpgrade_MSIApproach_Wrapper.log ()

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

>>> Internet Explorer Settings <<<


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
\\Start Page - http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
\\Search Page - http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
\\Default_Page_URL - http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
\\Default_Search_URL - http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
\\Local Page - C:\windows\system32\blank.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
\\Start Page - http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
\\Search Bar - http://search.msn.com/spbasic.htm
\\Search Page - http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
\\Default_Search_URL - http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
\\Local Page - C:\windows\system32\blank.htm

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
\\CustomizeSearch - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
\\SearchAssistant - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
\\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Microsoft Url Search Hook = C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

>>> BHO's <<<
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - Adobe PDF Reader Link Helper = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
\{0CF0B8EE-6596-11D5-A98E-0003470BB48E} - CCHelper Class = C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll ()
\{53707962-6F74-2D53-2644-206D7942484F} - = C:\PROGRA~1\SPYBOT~1\SDHelper.dll (Safer Networking Limited)
\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - SSVHelper Class = C:\Program Files\Java\jre1.6.0\bin\ssv.dll (Sun Microsystems, Inc.)
\{AE7CD045-E861-484f-8273-0445EE161910} - Adobe PDF Conversion Toolbar Helper = C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

>>> Internet Explorer Bars, Toolbars and Extensions <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
\{EFA24E64-B078-11D0-89E4-00C04FC9E26E} - Ζώνη του Explorer = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
\\{8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - Pop-Up Stopper &Companion = C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll ()
\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF = C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
\ShellBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - Διεύ&θυνση = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - = ()
\ShellBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF = C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
\ShellBrowser\\{F3DF2532-A2CC-48D8-8643-A033AE4FC313} - = ()
\WebBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - Διεύ&θυνση = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\WebBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Συνδέσεις = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\WebBrowser\\{F3DF2532-A2CC-48D8-8643-A033AE4FC313} - = ()
\WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - = ()
\WebBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF = C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
\WebBrowser\\{BF1CED2C-4B3F-4079-A330-864EDA5A4CFF} - = ()
\WebBrowser\\{5D4831E0-5A7C-4A46-AFD5-A79AB8CE36C2} - = ()

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\CmdMapping]
\\NEXTID - 8203
\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} - 8193 =
\\{FB5F1910-F110-11d2-BB9E-00C04F795683} - 8195 = Windows Messenger
\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - 8197 = Sun Java Console
\\{CCA281CA-C863-46ef-9331-5C8D4460577F} - 8201 = @btrez.dll,-4017
\\{e2e2dd38-d088-4134-82b7-f2ba38496583} - 8202 = @xpsp3res.dll,-20001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - MenuText: Sun Java Console = C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll (Sun Microsystems, Inc.)
\{92780B25-18CC-41C8-B9BE-3C9C571A8263} - ButtonText: Research =
\{CCA281CA-C863-46ef-9331-5C8D4460577F} - ButtonText: @btrez.dll,-4015 = C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
\{e2e2dd38-d088-4134-82b7-f2ba38496583} - MenuText: @xpsp3res.dll,-20001 = ()
\{FB5F1910-F110-11d2-BB9E-00C04F795683} - ButtonText: Messenger = C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

>>> Approved Shell Extensions (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
\\{42071714-76d4-11d1-8b24-00a0c9068ff3} - Προβολή επέκτασης κίνησης CPL = ()
\\{764BF0E1-F219-11ce-972D-00AA00A14F56} - Επεκτάσεις κελύφους για συμπίεση αρχείων = ()
\\{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} - Μενού κρυπτογραφημένου περιεχομένου = ()
\\{88895560-9AA2-1069-930E-00AA0030EBC8} - Προέκταση εικονιδίου HyperTerminal = C:\WINDOWS\System32\hticons.dll (Hilgraeve, Inc.)
\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} - Γραμμή εργασιών και μενού Έναρξη = ()
\\{32683183-48a0-441b-a342-7c2a440a9478} - Ζώνη μέσων = ()
\\{7A9D77BD-5403-11d2-8785-2E0420524153} - Λογαριασμοί χρηστών = ()
\\{A70C977A-BF00-412C-90B7-034C51DA2439} - NvCpl DesktopContext Class = C:\WINDOWS\system32\nvcpl.dll (NVIDIA Corporation)
\\{1CDB2949-8F65-4355-8456-263E7C208A5D} - Desktop Explorer = C:\WINDOWS\system32\nvshell.dll ()
\\{1E9B04FB-F9E5-4718-997B-B8DA88302A47} - Desktop Explorer Menu = C:\WINDOWS\system32\nvshell.dll ()
\\{1E9B04FB-F9E5-4718-997B-B8DA88302A48} - nView Desktop Context Menu = C:\WINDOWS\system32\nvshell.dll ()
\\{8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - Pop-Up Stopper &Companion = C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll ()
\\{B41DB860-8EE4-11D2-9906-E49FADC173CA} - WinRAR shell extension = C:\Program Files\WinRAR\rarext.dll ()
\\{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} - Shell Extensions for RealOne Player = C:\Program Files\Real\RealPlayer\rpshell.dll (RealNetworks, Inc.)
\\{4CCEFB41-18FA-11D3-9EF3-00A0C9E897FD} - CorelDRAW Shell Extension Component = C:\Program Files\Corel\Graphics10\Draw\CdrViewer\CrlShell100.dll (Corel Corporation)
\\{59403EC0-EA55-11d5-954A-9A53884D6E09} - SecureDoc = C:\PROGRA~1\MSI\SECURE~1\SecDoc.dll (msi)
\\{AC0B5D2E-B691-4E12-A4F9-CA88492579A2} - Zinio Shell Extension = C:\Program Files\Common Files\Zinio\ZShext.dll (Zinio Systems, Inc.)
\\{A9AACA72-1C51-4F84-804D-90EDBA0D58F4} - Zinio Magazine Column Provider = C:\Program Files\Common Files\Zinio\ZShext.dll (Zinio Systems, Inc.)
\\{32020A01-506E-484D-A2A8-BE3CF17601C3} - AlcoholShellEx = C:\PROGRA~1\ALCOHO~1\ALCOHO~1\axshlex.dll (Alcohol Soft Development Team)
\\{B327765E-D724-4347-8B16-78AE18552FC3} - NeroDigitalIconHandler = C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll (Nero AG)
\\{7F1CF152-04F8-453A-B34C-E609530A9DC8} - NeroDigitalPropSheetHandler = C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll (Nero AG)
\\InCDShellExt extension - {CAE3251E-9B15-4810-B268-852AD9792A59} = ()
\\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE} - PowerISO = C:\Program Files\PowerISO\PowerISOShell.dll (PowerISO Computing, Inc.)
\\{A5110426-177D-4e08-AB3F-785F10B4439C} - Sony Ericsson File Manager = C:\Program Files\Sony Ericsson\Mobile\File Manager\fmgrgui.dll (Sony Ericsson Mobile Communications AB)
\\{79BC0345-1015-11D2-A299-006008312725} - blue.shell = C:\Program Files\Pinnacle\Studio 10\programs\BlueShellExt.dll ()
\\ - = ()
\\{6af09ec9-b429-11d4-a1fb-0090960218cb} - My Bluetooth Places = C:\WINDOWS\system32\btneighborhood.dll (Broadcom Corporation)
\\{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} - Adobe.Acrobat.ContextMenu = C:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll (Adobe Systems Inc.)
\\{e57ce731-33e8-4c51-8354-bb4de9d215d1} - Συσκευές Τοποθέτησης και Άμεσης Λειτουργίας γενικής χρήσης = ()
\\{D9872D13-7651-4471-9EEE-F0A00218BEBB} - Multiscan = C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll (Zone Labs, LLC)
\\{FFB699E0-306A-11d3-8BD1-00104B6F7516} - Play on my TV helper = C:\WINDOWS\system32\nvcpl.dll (NVIDIA Corporation)
\\{A965C8E0-54A7-11D6-BF08-00079500BB23} - ZipZag Shell extension = C:\PROGRA~1\ZipZag\zipzagcm.dll ()

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

>>> Context Menu Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers]
\Adobe.Acrobat.ContextMenu - {D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} = C:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll (Adobe Systems Inc.)
\AVG Anti-Spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll (Anti-Malware Development a.s.)
\HexWorkshopContextMenu - {DB34D5DC-D41A-482E-A5EF-8FA0F88761DA} = C:\Program Files\BreakPoint Software\Hex Workshop 4.2\hwext.dll (BreakPoint Software, Inc.)
\PowerISO - {967B2D40-8B7D-4127-9049-61EA0C2C6DCE} = C:\Program Files\PowerISO\PowerISOShell.dll (PowerISO Computing, Inc.)
\SecureDocMenu - {59403EC0-EA55-11d5-954A-9A53884D6E09} = C:\PROGRA~1\MSI\SECURE~1\SecDoc.dll (msi)
\WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll ()
\ZipZag - {A965C8E0-54A7-11D6-BF08-00079500BB23} = C:\PROGRA~1\ZipZag\zipzagcm.dll ()
\ZLAVShExt - {D9872D13-7651-4471-9EEE-F0A00218BEBB} = C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll (Zone Labs, LLC)
\{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208} - = C:\Program Files\Nero\Nero 7\Nero BackItUp\NBShell.dll (Nero AG)

[HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers]
\AVG Anti-Spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll (Anti-Malware Development a.s.)
\PowerISO - {967B2D40-8B7D-4127-9049-61EA0C2C6DCE} = C:\Program Files\PowerISO\PowerISOShell.dll (PowerISO Computing, Inc.)
\SecureDocMenu - {59403EC0-EA55-11d5-954A-9A53884D6E09} = C:\PROGRA~1\MSI\SECURE~1\SecDoc.dll (msi)
\WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll ()
\ZipZag - {A965C8E0-54A7-11D6-BF08-00079500BB23} = C:\PROGRA~1\ZipZag\zipzagcm.dll ()

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\BackGround\shellex\ContextMenuHandlers]
\00nView - {1E9B04FB-F9E5-4718-997B-B8DA88302A48} = C:\WINDOWS\system32\nvshell.dll ()
\NvCplDesktopContext - {A70C977A-BF00-412C-90B7-034C51DA2439} = C:\WINDOWS\system32\nvcpl.dll (NVIDIA Corporation)

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers]
\FineReader - {AC0DD14A-8F29-4F88-BE1D-0F0ED1B06C9F} = c:\program files\abbyy finereader 7.0 professional edition\fecmenu.dll (ABBYY (BIT Software))
\PowerISO - {967B2D40-8B7D-4127-9049-61EA0C2C6DCE} = C:\Program Files\PowerISO\PowerISOShell.dll (PowerISO Computing, Inc.)
\WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll ()
\ZLAVShExt - {D9872D13-7651-4471-9EEE-F0A00218BEBB} = C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll (Zone Labs, LLC)
\{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208} - = C:\Program Files\Nero\Nero 7\Nero BackItUp\NBShell.dll (Nero AG)

>>> Column Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
\{7D4D6379-F301-4311-BEBA-E26EB0561882} - NeroDigitalExt.NeroDigitalColumnHandler = C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll (Nero AG)
\{A9AACA72-1C51-4F84-804D-90EDBA0D58F4} - Zinio Magazine Column Provider = C:\Program Files\Common Files\Zinio\ZShext.dll (Zinio Systems, Inc.)
\{F9DB5320-233E-11D1-9F84-707F02C10627} - PDF Column Info = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll (Adobe Systems, Inc.)

>>> Registry Run Keys <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
NvCplDaemon - RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll ()
HP Component Manager - C:\Program Files\HP\hpcoretech\hpcmpmgr.exe (Hewlett-Packard Company)
HPDJ Taskbar Utility - C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe (HP)
SoundMan - C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
NWEReboot - Reg Data missing or invalid ()
Logitech Hardware Abstraction Layer - C:\WINDOWS\KHALMNPR.EXE (Logitech Inc.)
- Reg Data missing or invalid ()
Zone Labs Client - C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Zone Labs, LLC)
nwiz - C:\WINDOWS\SYSTEM32\nwiz.exe ()
NvMediaCenter - RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll ()
SunJavaUpdateSched - C:\Program Files\Java\jre1.6.0\bin\jusched.exe (Sun Microsystems, Inc.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
Winpower - C:\Program Files\UpsPilot\Winpower.exe (ZeroG Software)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ctfmon.exe - C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
Vidalia - C:\Program Files\Vidalia\vidalia.exe ()
updateMgr - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe (Adobe Systems Incorporated)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

Millslord
2006-12-22, 20:33
>>> Startup Links <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Common Startup]
C:\Documents and Settings\All Users\Start Menu\Προγράμματα\Εκκίνηση\BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation)
C:\Documents and Settings\All Users\Start Menu\Προγράμματα\Εκκίνηση\desktop.ini ()
C:\Documents and Settings\All Users\Start Menu\Προγράμματα\Εκκίνηση\Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe (Logitech Inc.)
C:\Documents and Settings\All Users\Start Menu\Προγράμματα\Εκκίνηση\NETGEAR WG311v2 Smart Configuration.lnk - C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe ()
C:\Documents and Settings\All Users\Start Menu\Προγράμματα\Εκκίνηση\Privoxy.lnk - C:\Program Files\Privoxy\privoxy.exe (The Privoxy team - www.privoxy.org)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Startup]
C:\Documents and Settings\adminX2\Start Menu\Προγράμματα\Εκκίνηση\desktop.ini ()

>>> MSConfig Disabled Items <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^adminX2^Start Menu^Προγράμματα^Εκκίνηση^Adobe Gamma.lnk
path C:\Documents and Settings\adminX2\Start Menu\Προγράμματα\Εκκίνηση\Adobe Gamma.lnk
backup C:\WINDOWS\pss\Adobe Gamma.lnkStartup
location Startup
command C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE
item Adobe Gamma

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Προγράμματα^Εκκίνηση^Acrobat Assistant.lnk
path C:\Documents and Settings\All Users\Start Menu\Προγράμματα\Εκκίνηση\Acrobat Assistant.lnk
location Common Startup
command C:\PROGRA~1\Adobe\ACROBA~2.0\Distillr\acrotray.exe
item Acrobat Assistant

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Προγράμματα^Εκκίνηση^Adobe Acrobat Speed Launcher.lnk
path C:\Documents and Settings\All Users\Start Menu\Προγράμματα\Εκκίνηση\Adobe Acrobat Speed Launcher.lnk
backup C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
location Common Startup
command C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe
item Adobe Acrobat Speed Launcher

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Προγράμματα^Εκκίνηση^CoreCenter.lnk
path C:\Documents and Settings\All Users\Start Menu\Προγράμματα\Εκκίνηση\CoreCenter.lnk
backup C:\WINDOWS\pss\CoreCenter.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\MSI\CORECE~1\CORECE~1.EXE
item CoreCenter

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Προγράμματα^Εκκίνηση^Device Detector 2.lnk
path C:\Documents and Settings\All Users\Start Menu\Προγράμματα\Εκκίνηση\Device Detector 2.lnk
backup C:\WINDOWS\pss\Device Detector 2.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Olympus\DEVICE~1\DevDtct2.exe
item Device Detector 2

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Προγράμματα^Εκκίνηση^Microsoft Office OneNote 2003 Quick Launch.lnk
path C:\Documents and Settings\All Users\Start Menu\Προγράμματα\Εκκίνηση\Microsoft Office OneNote 2003 Quick Launch.lnk
backup C:\WINDOWS\pss\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup
location Common Startup
item Microsoft Office OneNote 2003 Quick Launch

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Προγράμματα^Εκκίνηση^SecureDoc.lnk
path C:\Documents and Settings\All Users\Start Menu\Προγράμματα\Εκκίνηση\SecureDoc.lnk
backup C:\WINDOWS\pss\SecureDoc.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\MSI\SECURE~1\Logon.exe
item SecureDoc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item
hkey HKLM
command
inimapping 0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Acrobat Assistant 7.0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Acrotray
hkey HKLM
command "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ActiveSpeed
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item AS
hkey HKLM
command C:\Program Files\Ascentive\ActiveSpeed\AS.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\CallBridgeReg.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Easy Messaging
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item LogitechEasyMsg
hkey HKCU
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Easy Synchronization
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item LogitechEasySync
hkey HKLM
command C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\eBayToolbar
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item eBayTBDaemon
hkey HKLM
command C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\FineReader7NewsReaderPro
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item AbbyyNewsReader
hkey HKLM
command C:\Program Files\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\InCD
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item InCD
hkey HKLM
command C:\Program Files\Nero\Nero 7\InCD\InCD.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\LiveMonitor
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item LMonitor
hkey HKLM
command C:\Program Files\MSI\Live Update 3\LMonitor.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MediaGateway
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item MediaGateway
hkey HKLM
command C:\Program Files\MediaGateway\MediaGateway.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSMSGS
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msmsgs
hkey HKCU
command "C:\Program Files\Messenger\msmsgs.exe" /background
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NeroFilterCheck
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NeroCheck
hkey HKLM
command C:\WINDOWS\system32\NeroCheck.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NvCplDaemon
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NvCpl
hkey HKLM
command RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NvMediaCenter
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NvMcTray
hkey HKLM
command RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\nwiz
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item nwiz
hkey HKLM
command nwiz.exe /install
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PDF Converter Registry Controller
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item RegistryController
hkey HKLM
command "C:\Program Files\SYSTRAN\5.0\Premium\RegistryController.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RemoteControl
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item PDVDServ
hkey HKLM
command "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Skype
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Skype
hkey HKCU
command "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SMSystemAnalyzer
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item SMSystemAnalyzer
hkey HKCU
command "C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SunJavaUpdateSched
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item jusched
hkey HKLM
command C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\TXP
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item txp
hkey HKLM
command c:\program files\topthemesxp\txp.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\updateMgr
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item AdobeUpdateManager
hkey HKCU
command "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_7 -reboot 1
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Zinio DLM
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ZinioDeliveryManager
hkey HKCU
command C:\Program Files\Zinio\ZinioDeliveryManager.exe /autostart
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 2


[All Users Startup Folder Disabled Items]

[Current User Startup Folder Disabled Items]

>>> User Agent Post Platform <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

>>> AppInit Dll's <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs]

>>> Image File Execution Options <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
\Your Image File Name Here without a path - Debugger = ntsd -d

>>> Shell Service Object Delay Load <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
\\PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\\CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\\WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation)
\\SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll (Microsoft Corporation)
\\WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} = C:\WINDOWS\system32\WPDShServiceObj.dll (Microsoft Corporation)

>>> Shell Execute Hooks <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} - URL Exec Hook = shell32.dll (Microsoft Corporation)
\\{57B86673-276A-48B2-BAE7-C6DBB3020EB8} - CShellExecuteHookImpl Object = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll (Anti-Malware Development a.s.)

>>> Shared Task Scheduler <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
\\{438755C2-A8BA-11D1-B96B-00A0C90312E1} - Προφορτωτής Browseui = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\\{8C7461EF-2B13-11d2-BE35-3078302C2030} - Δαίμονας cache κατηγοριών στοιχείων = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)

>>> Winlogon <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
\\UserInit = C:\WINDOWS\system32\userinit.exe,
\\Shell = explorer.exe
\\System =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
\crypt32chain - crypt32.dll = (Microsoft Corporation)
\cryptnet - cryptnet.dll = (Microsoft Corporation)
\cscdll - cscdll.dll = (Microsoft Corporation)
\LBTServ - C:\Program Files\Common Files\Logitech\Bluetooth\lbtserv.dll = (Logitech Inc.)
\ScCertProp - wlnotify.dll = (Microsoft Corporation)
\Schedule - wlnotify.dll = (Microsoft Corporation)
\sclgntfy - sclgntfy.dll = (Microsoft Corporation)
\SensLogn - WlNotify.dll = (Microsoft Corporation)
\termsrv - wlnotify.dll = (Microsoft Corporation)
\wlballoon - wlnotify.dll = (Microsoft Corporation)

>>> DNS Name Servers <<<
{2B189D7A-0484-4018-9933-946A5666B41E} - ()
{9A5143B9-6588-4A68-ACA0-670AB776DD39} - (Προσαρμογέας δικτύου 1394)
{9AF8CE68-A451-4C51-A003-5CAF8F86E1AB} - (NETGEAR WG311v2 802.11g Wireless PCI Adapter)
{F7E641DF-DE51-4D8A-8D1F-0868E66B518F} - ()

>>> All Winsock2 Catalogs <<<
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries]
\000000000001\\LibraryPath - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation)
\000000000002\\LibraryPath - %SystemRoot%\System32\winrnr.dll (Microsoft Corporation)
\000000000003\\LibraryPath - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries]
\000000000001\\PackedCatalogItem - CC:\WINDOWS\system32\ZoneLabs\vetredir.dll ()
\000000000002\\PackedCatalogItem - CC:\WINDOWS\system32\ZoneLabs\vetredir.dll ()
\000000000003\\PackedCatalogItem - CC:\WINDOWS\system32\ZoneLabs\vetredir.dll ()
\000000000004\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000005\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000006\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000007\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)
\000000000008\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)
\000000000009\\PackedCatalogItem - CC:\WINDOWS\system32\ZoneLabs\vetredir.dll ()
\000000000010\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000011\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000012\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000013\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000014\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000015\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000016\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000017\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000018\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000019\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000020\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000021\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)

>>> Protocol Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler]
\cetihpz - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
\ipp - ()
\msdaipp - ()
\widimg - C:\WINDOWS\system32\btxppanel.dll (Broadcom Corporation)

>>> Protocol Filters (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter]

>>> Selected AddOn's <<<


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Mr_JAk3
2006-12-23, 18:48
Hi :)

I'll do a little more research on your problem and ask some help too.

I'll get back to you as soon as possible :bigthumb:

Mr_JAk3
2006-12-24, 12:16
Ok I got some help from an expert :)

Please copy the contents of the following quote box into Notepad: Don't forget to add the REGEDIT4


REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"WallpaperStyle"=-
"Wallpaper"=-
"NoDispBackgroundPage"=-
"NoDispAppearancePage"=-

[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"=-
"WallpaperStyle"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktopChanges"=-
"NoActiveDesktop"=-
"NoSaveSettings"=-
"ClassicShell"=-
"NoThemesTab"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallPaper"=-


Save it to your desktop as fixme.reg

Then, locate fixme.reg on your desktop and <double-click> it.

You will receive a prompt similar to: "Do you wish to merge the information into the registry?".

Answer 'Yes' and wait for a message to appear similar to "Merged Successfully"

Reboot.

Can you access/change the desktop now?
=====================================

If that didn't work:
=====================================


Download next tool to a place where you'll find it easily:

http://djlizard.net/Dial-a-fix-2006-09-19.exe

Doubleclick Dial-a-fix-2006-09-19.exe to start the program.
Immediately a window will open with on top: "Dial-A-fix : Restrictive policies"
You'll see registry keys.
Check them all and click the remove button below.
Then click close. This should close the policies window.
Then click exit in the main window under it, because we don't need anything from there.

REBOOT your computer afterwards, important.

now see if HJT will work

Let me know if that helps :bigthumb:

Also, what theme are you using ?

Millslord
2006-12-28, 18:33
Hi Mr_JAk3,

and thanks for your help.

1) The fixme.reg copied into notepad and saved as you suggested does not work. I double-click it and what happens is that a window with the content of this notepad file pops up with no message such as the ones you suggested.

2) The other program did not help either.

Kind regards,

Mills

Mr_JAk3
2006-12-29, 10:19
Ok, let's try this:

Right click on an empty spot on your desktop > properties
On the first page, "Themes", choose a different theme and click Apply. Now choose the theme you prefer and click Apply.
Basically, change it then change it back.
If you lost the XP style windows and buttons:
Right click on an empty spot on your desktop > properties > Appearance
under "Windows and buttons" change it, then change it back to Windows XP style (clicking Apply each time).
Same method basically, change it then change it back.

Let me know if you can now change your wallpaper :bigthumb:

Then you seem to have this TopthemesXP (http://www.topthinks.com/TopthemesXP/) installed.
It might have something to do with this problem. Have you uninstalled it ?
Have you tried to change the theme/background via it ?

Millslord
2006-12-31, 12:33
Hi and Happy New Year,

I cannot change it. I haven't installed the program you mention. I can't choose any of the themes. The moment I am about to click on one the whole thing disappears. The only option I am able to choose and click is Windows Classic but this also does not work eventually, since my buttons and appearance are the WinXP style.

Thx

Mr_JAk3
2006-12-31, 17:24
Happy New Year to you too :)

Let's try this...

Please download test.bmp (http://koti.mbnet.fi/jpk88/TEST.bmp) and save it to C:\
(to the root of your C-drive, do not rename the file!)

Backup your registry:
Start
Run
Type the following to the box and hit Ok: regedit
A window opens, click on File
Choose Export from the menu
Change the save location to C:\
Give the filename, RegBackUp
Make sure that the filetype is set to Registryfiles (*.reg)
Click on Save and Close the window


Open Notepad (NOT WORDPAD!) and copy the following lines from the quote box below into a new document, leaving a blank line at the end. (don't forget to copy and paste the word REGEDIT4) :


REGEDIT4

[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"="C:\\Test.bmp"



Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Save the document to your desktop as Fix.reg and filetype: All Files
Go to your desktop and double click on the file to run Fix.reg and when it asks you if you want to merge the contents to the registry, click yes/ok.

Then click on Start -> Run -> Copy the following to the box and hit OK:
RUNDLL32.EXE USER32.DLL,UpdatePerUserSystemParameters ,1 ,True

Then go back to your desktop and see if your wallpaper is changed. There should be a picture that says "TEST".
Let me know if this worked :bigthumb:

If it didn't work, please try to uninstall the TopthemesXP and see if it helps.
You may install it again later but I would like to see if the removal helps.

Let me know :bigthumb:

Millslord
2007-01-03, 10:03
Hi there,

You said:

Save the document to your desktop as Fix.reg and filetype: All Files
Go to your desktop and double click on the file to run Fix.reg and when it asks you if you want to merge the contents to the registry, click yes/ok.

I did exactly as you say but when I double-click I get no merge dialogue box but instead notepad pops up with the contents of the fix.reg file. Therefore I am unable to proceed with the rest of the steps.

Kind regards,

Mills

Millslord
2007-01-03, 10:10
By the way,

I uninstalled TopthemesXP but things didn't get any better.

Millslord
2007-01-03, 11:36
I finally managed to merge files into registry, but now I click on properties and nothing happens. The display dialogue does not pop up at all. I tried to import the reg backup to restore things but not all values were successfully imported. I tried the import both under normal and safe modes.

Millslord
2007-01-03, 11:44
I applied the fixme.reg found in one of your previous posts on page 3 of this discussion. This brought back the display box but I still can't change the wallpaper or any theme really.

Millslord
2007-01-03, 12:01
Under themes I have the following options:

Windows XP (modified)
My current Theme
Windows XP
Windows Classic

Mr_JAk3
2007-01-03, 17:21
Hi :)

So you followed the instructions and saved the bmp to your C-drive ?
Did the regfix but did you do the "Start -> Run" part too ?

Do you have any other userprofiles on your computer ?
If you have, do they have the same issue ?

Let's try this:

Rightclick the following Smiley -->:bigthumb:<-- and choose "Set as Background"
See if the smiley now is your wallpaper.

Let me know :bigthumb:

Millslord
2007-01-03, 17:23
I did part 2 but it didn't help.

Yes the smiley is my background now and then when I right click on desktop and click on properties nothing happens.

Mr_JAk3
2007-01-03, 17:47
Ok what if you try this:

Click Start, click Control Panel, click Appearance and Themes -> Change the desktop background

Does it work now ?

Millslord
2007-01-03, 18:04
No it doesn't and I just noticed another issue as well.

Prior to logging on to Windows with my username and password I get a message saying that I have to press Ctrl+Alt+Del. Only after I do this do I get the log in box.

Also, I noticed that when I click on start I no longer see the icon next to my username. It's just my username.

Millslord
2007-01-03, 18:16
The strange thing is that when I run the smitfraudfix.exe utility under WinXP normal mode, the problem gets sorted but reoccurs after reboot...:sick:

Mr_JAk3
2007-01-03, 18:20
Ok, sounds like the user account is corrupted.

Could you please create a new account and see if it works normally. If it works normally (like it probably will) you could move all your important files to the new profile and dump that old one.

How to create and configure user accounts in Windows XP (http://support.microsoft.com/kb/279783)

:bigthumb:

Millslord
2007-01-03, 19:35
I created a new admin account. The same problem occurs. I deleted the new account. I am so pissed off with this thing....:sick: :sick: :sick: :sick:

Mr_JAk3
2007-01-04, 15:41
Hi again :)

We'll have to do a little more research...

Go to Start >Run and type "Notepad" without the quotes
Copy the text from the quotebox below to Notepad.
Go to the menu at the top of the Notepad file and Save as: Name the file peek.bat Save as Type: All files Select the desktop icon on the left to save it on the desktop.
Double click on peek.bat and let it run.
When finished it will open a file in Notepad.
That file will be named info.txt
Please post the contents of info.txt into your next reply here.
(it might be a long file and you may have to post it in small parts)

You may also upload the file to RapidShare (http://www.RapidShare.com)
Then just post the link to your file to me.


@echo off
rem Export the policy keys for the default profile, the current user and the machine
if exist info.txt del info.txt

regedit /e peek1.txt "HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies"
regedit /e peek2.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
regedit /e peek3.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies"
regedit /e peek4.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Policies"
regedit /e peek5.txt "HKEY_CURRENT_USER\SOFTWARE\Policies"
regedit /e peek6.txt "HKEY_USERS\.DEFAULT\SOFTWARE\Policies"

rem Join the six exports into one report and delete the temporary files
type peek1.txt >> info.txt
type peek2.txt >> info.txt
type peek3.txt >> info.txt
type peek4.txt >> info.txt
type peek5.txt >> info.txt
type peek6.txt >> info.txt

del peek*.txt
start notepad info.txt
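
Once info.txt is in hand, the helper's job is to spot the restrictive desktop policy values in it and turn them into a removal file like the fixme.reg posted earlier in this thread. The script below is an added example, not code from this thread or from any tool it names: it parses the regedit export format, flags the value names listed in fixme.reg under the three Policies keys, and writes out the matching REGEDIT4 deletion file. It goes slightly beyond fixme.reg in that it also matches the same keys under HKEY_USERS\.DEFAULT (which peek.bat exports); the sample export is constructed.

```python
"""Added example (not from the thread): audit a regedit export for the desktop-
lockdown policy values listed in the thread's fixme.reg and build the REGEDIT4 file
that deletes them.  Input is export text such as the info.txt that peek.bat produces."""
import re

# Value names from fixme.reg, keyed by key path below the hive (lower-case); hives
# are stripped first, so HKEY_USERS\<SID>\... and HKEY_USERS\.DEFAULT\... match too.
LOCKDOWN_VALUES = {
    r"software\microsoft\windows\currentversion\policies\system":
        {"wallpaper", "wallpaperstyle", "nodispbackgroundpage", "nodispappearancepage"},
    r"software\microsoft\windows\currentversion\policies\explorer":
        {"noactivedesktopchanges", "noactivedesktop", "nosavesettings",
         "classicshell", "nothemestab"},
    r"software\microsoft\windows\currentversion\policies\activedesktop":
        {"nochangingwallpaper"},
}
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')

def _key_suffix(key_path):
    # Drop the hive, and the SID component too under HKEY_USERS.
    parts = key_path.split("\\")
    drop = 2 if parts[0].upper() == "HKEY_USERS" else 1
    return "\\".join(parts[drop:]).lower()

def decode_value(raw):
    """Raw right-hand side of a .reg value line -> Python value."""
    if raw == "-":
        return None                                  # deletion marker
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return re.sub(r"\\(.)", r"\1", raw[1:-1])   # unescape \\ and \"
    return raw                                       # hex(...) etc. left raw

def parse_reg_export(text):
    """Return {key_path: {value_name: raw_value}} for a regedit export."""
    keys, current, pending = {}, None, None
    for raw_line in text.splitlines():
        line = raw_line.lstrip("\ufeff").strip()
        if pending is not None:                      # hex value continued
            name, partial = pending
            if line.endswith("\\"):
                pending = (name, partial + line[:-1])
            else:
                keys[current][name], pending = partial + line, None
            continue
        if not line or line.startswith(";"):         # header, blank, comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line) if current else None
        if m is None:
            continue
        name = "@" if m.group(2) else re.sub(r"\\(.)", r"\1", m.group(1))
        value = m.group(3)
        if value.endswith("\\"):                     # continues on next line
            pending = (name, value[:-1])
        else:
            keys[current][name] = value
    return keys

def find_desktop_restrictions(text):
    """(key_path, value_name, decoded_value) for each lockdown value present."""
    findings = []
    for key_path, values in parse_reg_export(text).items():
        wanted = LOCKDOWN_VALUES.get(_key_suffix(key_path), ())
        for name, raw in values.items():
            if name.lower() in wanted and raw != "-":
                findings.append((key_path, name, decode_value(raw)))
    return findings

def build_removal_reg(findings):
    """REGEDIT4 text deleting every reported value; ends with a blank line."""
    by_key = {}
    for key_path, name, _ in findings:
        by_key.setdefault(key_path, []).append(name)
    lines = ["REGEDIT4", ""]
    for key_path, names in by_key.items():
        lines += ["[%s]" % key_path] + ['"%s"=-' % n for n in names] + [""]
    return "\n".join(lines) + "\n"

# Constructed sample export (not a real system's info.txt): benign values
# sit alongside several of the lockdown values named in the thread.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoThemesTab"=dword:00000001
"NoActiveDesktopChanges"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"Wallpaper"="C:\\WINDOWS\\blank.bmp"
"NoDispBackgroundPage"=dword:00000001
"Unrelated"=hex:01,00,\
  02,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallPaper"=dword:00000001
"""
```

Run `build_removal_reg(find_desktop_restrictions(text))` on the export text; a file written directly by regedit /e on XP is UTF-16, so open it with encoding='utf-16', while the info.txt that `type` assembles is plain ANSI text.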

Millslord
2007-01-04, 17:27
Hi there,

http://rapidshare.com/files/10196512/info.txt

Mr_JAk3
2007-01-04, 20:05
Ok good :)

Please download the fix.zip file (which is attached to this message) to your desktop. Unzip the fix.zip to your desktop.

Run the file fix.reg and allow to merge when prompted.

Then try if you can change the wallpaper/themes in the normal way.
If you can, restart the computer.

Then see if you can still change the wallpaper.

Let me know :bigthumb:

Mosaic1
2007-01-04, 20:19
Hi Millslord,

I have been following this problem and may be back later to follow up.

We are going to share so if one or the other of us is here we can try to get some progress.


This:

Prior to logging on to Windows with my username and password I get a message saying that I have to press Ctrl+Alt+Del. Only after I do this do I get the log in box.

Also, I noticed that when I click on start I no longer see the icon next to my username. It's just my username.


If you have set the Classic theme, there will be no Icon next to your name.

The welcome screen is a common problem.

Check this page out:

http://www.petri.co.il/disable_the_welcome_screen_in_xp_pro.htm

Millslord
2007-01-04, 20:29
Hi all,

The file didn't help.

Yes I use the classic standard log On to Windows dialog box.

Thx,

Mills

Mosaic1
2007-01-04, 20:56
Ok. Let's register a couple of files. I am not confident it's going to help. But it won't hurt. I have had no luck duplicating your exact issue. And I have fooled with a lot of files and registry entries.


Go to Start >Run
Copy and paste this command in and press enter:

regsvr32 /i shell32.dll

Wait for the success message.



Go to Start >Run
Copy and paste this command in and press enter:

regsvr32 /i themeui.dll

Wait for the success message.


Restart and see if there's any improvement.

Are you able to change your screensaver or background color? I want to see how bad this all is please.

Mosaic1
2007-01-04, 21:37
After you have finished with the first set of directions and posted the results, I'd also like to see one more report:

Download Silent Runners from here:

http://www.silentrunners.org/Silent%20Runners.vbs

Save it to your C:\ drive.
So you should have c:\silent runners.vbs.

Click start> run> type: (or copy and paste in this line)

"c:\silent runners.vbs" -all

Click enter.

The popup you'll see tells you scan has started.
If you get a script warning from your antivirus, please allow the script to run. It is not dangerous.

Once complete, it will tell you and create a file in c:\ called "Startup Programs [computername/date/time]"

Post contents of log here.

You may need 2 posts to get entire contents of log in.

-----------

Then please run that registry export script again and we'll have a look to see if there are any changes.

Millslord
2007-01-05, 10:24
Hi Mosaic,

I registered

regsvr32 /i shell32.dll

successfully

Running

regsvr32 /i themeui.dll

FAILED

Hence I did not proceed any further

Millslord
2007-01-05, 10:41
"Silent Runners.vbs", revision 49, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Vidalia" = ""C:\Program Files\Vidalia\vidalia.exe"" [null data]
"updateMgr" = ""C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_7 -reboot 1" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"HP Component Manager" = ""C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"" ["Hewlett-Packard Company"]
"HPDJ Taskbar Utility" = "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" ["HP"]
"NWEReboot" = "(empty string)" [file not found]
"Logitech Hardware Abstraction Layer" = "KHALMNPR.EXE" ["Logitech Inc."]
"(Default)" = "(empty string)" [file not found]
"Zone Labs Client" = ""C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs, LLC"]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"TXP" = "c:\program files\topthemesxp\txp.exe" [file not found]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{0CF0B8EE-6596-11D5-A98E-0003470BB48E}\(Default) = "CCHelper"
-> {HKLM...CLSID} = "CCHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll" [empty string]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0\bin\ssv.dll" ["Sun Microsystems, Inc."]
{AE7CD045-E861-484f-8273-0445EE161910}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Conversion Toolbar Helper"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Προέκταση εικονιδίου HyperTerminal"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{8F05B1A8-9D77-4B8F-AF54-6B2202066F95}" = "Pop-Up Stopper &Companion"
-> {HKLM...CLSID} = "Pop-Up Stopper &Companion"
\InProcServer32\(Default) = "C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll" [null data]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{4CCEFB41-18FA-11D3-9EF3-00A0C9E897FD}" = "CorelDRAW Shell Extension Component"
-> {HKLM...CLSID} = "CorelDRAW Shell Extension Component"
\InProcServer32\(Default) = "C:\Program Files\Corel\Graphics10\Draw\CdrViewer\CrlShell100.dll" ["Corel Corporation"]
"{59403EC0-EA55-11d5-954A-9A53884D6E09}" = "SecureDoc"
-> {HKLM...CLSID} = "SecureDoc"
\InProcServer32\(Default) = "C:\PROGRA~1\MSI\SECURE~1\SecDoc.dll" ["msi"]
"{AC0B5D2E-B691-4E12-A4F9-CA88492579A2}" = "Zinio Shell Extension"
-> {HKLM...CLSID} = "Zinio Magazine"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Zinio\ZShext.dll" ["Zinio Systems, Inc."]
"{A9AACA72-1C51-4F84-804D-90EDBA0D58F4}" = "Zinio Magazine Column Provider"
-> {HKLM...CLSID} = "MyMagazinesColumn Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Zinio\ZShext.dll" ["Zinio Systems, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
-> {HKLM...CLSID} = "AlcoholShellEx"
\InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\axshlex.dll" ["Alcohol Soft Development Team"]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
-> {HKLM...CLSID} = "NeroDigitalIconHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
-> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}" = "PowerISO"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "C:\Program Files\PowerISO\PowerISOShell.dll" ["PowerISO Computing, Inc."]
"{A5110426-177D-4e08-AB3F-785F10B4439C}" = "Sony Ericsson File Manager"
-> {HKLM...CLSID} = "Sony Ericsson File Manager"
\InProcServer32\(Default) = "C:\Program Files\Sony Ericsson\Mobile\File Manager\fmgrgui.dll" ["Sony Ericsson Mobile Communications AB"]
"{79BC0345-1015-11D2-A299-006008312725}" = "blue.shell"
-> {HKLM...CLSID} = "Studio.Project"
\InProcServer32\(Default) = "C:\Program Files\Pinnacle\Studio 10\programs\BlueShellExt.dll" [file not found]
"{6af09ec9-b429-11d4-a1fb-0090960218cb}" = "My Bluetooth Places"
-> {HKLM...CLSID} = "My Bluetooth Places"
\InProcServer32\(Default) = "C:\WINDOWS\system32\btneighborhood.dll" ["Broadcom Corporation"]
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
"{D9872D13-7651-4471-9EEE-F0A00218BEBB}" = "Multiscan"
-> {HKLM...CLSID} = "ZLAVShExt Class"
\InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{A965C8E0-54A7-11D6-BF08-00079500BB23}" = "ZipZag Shell extension"
-> {HKLM...CLSID} = "ZipZag Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\ZipZag\zipzagcm.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["Anti-Malware Development a.s."]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> LBTServ\DLLName = "C:\Program Files\Common Files\Logitech\Bluetooth\lbtserv.dll" ["Logitech Inc."]

HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
-> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
{A9AACA72-1C51-4F84-804D-90EDBA0D58F4}\(Default) = "Zinio Magazine Column Provider"
-> {HKLM...CLSID} = "MyMagazinesColumn Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Zinio\ZShext.dll" ["Zinio Systems, Inc."]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
HexWorkshopContextMenu\(Default) = "{DB34D5DC-D41A-482E-A5EF-8FA0F88761DA}"
-> {HKLM...CLSID} = "Hex Workshop Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\BreakPoint Software\Hex Workshop 4.2\hwext.dll" ["BreakPoint Software, Inc."]
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "C:\Program Files\PowerISO\PowerISOShell.dll" ["PowerISO Computing, Inc."]
SecureDocMenu\(Default) = "{59403EC0-EA55-11d5-954A-9A53884D6E09}"
-> {HKLM...CLSID} = "SecureDoc"
\InProcServer32\(Default) = "C:\PROGRA~1\MSI\SECURE~1\SecDoc.dll" ["msi"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
ZipZag\(Default) = "{A965C8E0-54A7-11D6-BF08-00079500BB23}"
-> {HKLM...CLSID} = "ZipZag Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\ZipZag\zipzagcm.dll" [null data]
ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
-> {HKLM...CLSID} = "ZLAVShExt Class"
\InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]

Millslord
2007-01-05, 10:42
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "C:\Program Files\PowerISO\PowerISOShell.dll" ["PowerISO Computing, Inc."]
SecureDocMenu\(Default) = "{59403EC0-EA55-11d5-954A-9A53884D6E09}"
-> {HKLM...CLSID} = "SecureDoc"
\InProcServer32\(Default) = "C:\PROGRA~1\MSI\SECURE~1\SecDoc.dll" ["msi"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
ZipZag\(Default) = "{A965C8E0-54A7-11D6-BF08-00079500BB23}"
-> {HKLM...CLSID} = "ZipZag Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\ZipZag\zipzagcm.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
FineReader\(Default) = "{AC0DD14A-8F29-4F88-BE1D-0F0ED1B06C9F}"
-> {HKLM...CLSID} = "FineReaderExplorerContextMenuHandler"
\InProcServer32\(Default) = "c:\program files\abbyy finereader 7.0 professional edition\fecmenu.dll" ["ABBYY (BIT Software)"]
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "C:\Program Files\PowerISO\PowerISOShell.dll" ["PowerISO Computing, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
-> {HKLM...CLSID} = "ZLAVShExt Class"
\InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]


Default executables:
--------------------

<<!>> HKLM\Software\Classes\htafile\shell\open\command\(Default) = "NOTEPAD.EXE %1" [MS]

<<!>> HKLM\Software\Classes\scrfile\shell\open\command\(Default) = "NOTEPAD.EXE %1" [MS]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\ss3dfo.scr" [MS]


Startup items in "adminX2" & "All Users" startup folders:
---------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Προγράμματα\Εκκίνηση
"BTTray" -> shortcut to: "C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe" ["Broadcom Corporation"]
"Logitech SetPoint" -> shortcut to: "C:\Program Files\Logitech\SetPoint\SetPoint.exe" ["Logitech Inc."]
"NETGEAR WG311v2 Smart Configuration" -> shortcut to: "C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe /HIDE" [empty string]
"Privoxy" -> shortcut to: "C:\Program Files\Privoxy\privoxy.exe" ["The Privoxy team - www.privoxy.org"]


Enabled Scheduled Tasks:
------------------------

"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]
"User_Feed_Synchronization-{EB7B6756-B3E1-45F1-9B8C-BB1B7BED1CB0}" -> launches: "C:\WINDOWS\system32\msfeedssync.exe sync" [MS]
"XoftSpy" -> launches: "C:\Program Files\XoftSpy\XoftSpy.exe -t" ["ParetoLogic Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\WINDOWS\system32\ZoneLabs\vetredir.dll ["Computer Associates International, Inc."], 01 - 03, 09
%SystemRoot%\system32\mswsock.dll [MS], 04 - 06, 10 - 21
%SystemRoot%\system32\rsvpsp.dll [MS], 07 - 08


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{8F05B1A8-9D77-4B8F-AF54-6B2202066F95}" = (no title provided)
-> {HKLM...CLSID} = "Pop-Up Stopper &Companion"
\InProcServer32\(Default) = "C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll" [null data]
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{182EC0BE-5110-49C8-A062-BEB1D02A220B}\(Default) = "Adobe PDF"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC}"
-> {HKLM...CLSID} = "Java Plug-in 1.6.0"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll" ["Sun Microsystems, Inc."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{CCA281CA-C863-46EF-9331-5C8D4460577F}\
"ButtonText" = "@btrez.dll,-4015"
"MenuText" = "@btrez.dll,-4017"
"Script" = "C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm" [null data]

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["Anti-Malware Development a.s."]
Bluetooth Service, btwdins, "C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe" ["Broadcom Corporation"]
CA ISafe, CAISafe, "C:\WINDOWS\system32\ZoneLabs\isafe.exe" ["Computer Associates International, Inc."]
InCD Helper, InCDsrv, "C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe" ["Nero AG"]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
StarWind iSCSI Service, StarWindService, "C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe" ["Rocket Division Software"]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]
Ulead Burning Helper, UleadBurningHelper, "C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe" ["Ulead Systems, Inc."]
Winpower, Winpower, "C:\PROGRA~1\UpsPilot\Winpower.exe -zglaxservice Winpower" ["ZeroG Software"]
Winpowermonitor, Winpowermonitor, "C:\PROGRA~1\UpsPilot\monitor.exe -zglaxservice Winpowermonitor" ["ZeroG Software"]
WinpowerRMI, WinpowerRMI, "C:\PROGRA~1\UpsPilot\wpRMI.exe -zglaxservice WinpowerRMI" ["ZeroG Software"]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Adobe PDF Port\Driver = "C:\WINDOWS\system32\AdobePDF.dll" ["Adobe Systems Incorporated."]
Bluetooth Printer Port\Driver = "bthcrp.dll" ["Broadcom Corporation"]
HP Master Monitor\Driver = "HPBMMON.DLL" ["Hewlett-Packard"]
hpzlnt10\Driver = "hpzlnt10.dll" ["HP"]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
NETGEAR FR Print Server\Driver = "NgSharedPort.dll" [null data]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 31 seconds)

Millslord
2007-01-05, 13:00
To be more specific the message I get is:

DllRegisterServer in themeui.dll failed. The return code was: 0X80004005

Mosaic1
2007-01-05, 19:55
Millslord,

This is an operating system issue. I think you either have a registry permissions problem or a file problem: missing or corrupted support files, or possibly themeui.dll itself. It's the kind of thing which is hard to track down. The fact that you successfully registered shell32.dll makes me wonder. Registry permissions should have had an effect on that. But you never know.

Find the hidden dllcache folder in system32

Copy themeui.dll from the dllcache to system32. Don't move it, this is a backup and you may need it in the future.

Reboot the system. Try registering themeui.dll again and also have a look at display properties to see if it now works.


------------------------
Let me know.

If you still have the problem, and you probably will:


The first thing I would like to do is to try to register themeui.dll under system auspices to see if that succeeds. This is a test only.

This is step 1 only.

Download and save the attachment. Then unzip it. It contains a file named Date Add cmd.vbs

Look at your clock in systray. When the minute turns over, double click on
Date Add cmd.vbs
If you get a malicious script warning, please allow this to run. It is not malicious. This is going to set a task to run a special command prompt at the next minute.


Wait a minute for the command to open. It will take until the minute turns over again. ***The Schedule service must be running for this to work.

Then right click in that command and paste in this command again:

regsvr32 /i themeui.dll

Do you still get any error message?


Even if successful, this will not fix your problem if it is permissions. But it may point us to something.


-----------

Step 2 in this diagnostic is a look at Event Viewer.

I'd like to look at your Event logs too.
Can you run
Eventvwr.msc

When Event Viewer opens Right click on Application and click
Save Log file as And give the file a name like apps. Leave the file type alone.
By default it will save as .evt

Find apps.evt and email it to me as an attachment please.

Do the same for system Right click on system and save the log file as sys.evt

I'll load these files into my event viewer and see if there are any clues.

My email is Katie_3232AThotmail.com

Replace the AT with an @ for the email to work please.

-------------------------

For now, we won't be using this next utility, but we may later.

Please go here :

http://www.microsoft.com/technet/sysinternals/utilities/regmon.mspx

Download Regmon.zip and then unzip it to someplace easy to find.

We'll use it to do a monitor of regsvr32 themeui /i and look for Access denied messages in the log.
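
The "register it as SYSTEM" test above, done with schtasks instead of the "Date Add cmd.vbs" attachment (which is not reproduced here). This is an added example, not Mosaic1's script: it drops a two-line batch file, schedules it to run as SYSTEM one minute from now, and waits for the exit code. It assumes the Task Scheduler service is running and that the shell is elevated; the batch file name, task name and result path are my own choices.

```powershell
# Added example, not the thread's attachment: run regsvr32 as SYSTEM through a
# one-shot scheduled task and record its exit code, so the result can be
# compared with the interactive attempt that returned 0x80004005.
# Assumptions: Task Scheduler service running, elevated shell.
$dll    = 'themeui.dll'
$task   = 'RegsvrAsSystemTest'
$bat    = Join-Path $env:SystemRoot 'Temp\regsvr-as-system.cmd'
$result = Join-Path $env:SystemRoot 'Temp\regsvr-as-system.txt'

# /s keeps regsvr32 from showing a dialog in a session nobody can see;
# the exit code is the signal: 0 = success, anything else = the failure.
# %ERRORLEVEL% must sit on its own line in a batch file; in a "cmd /c a & b"
# one-liner it would be expanded before regsvr32 ran.
@"
@echo off
regsvr32 /s /i $dll
echo exit=%ERRORLEVEL% > "$result"
"@ | Set-Content -Path $bat -Encoding ASCII

$start = (Get-Date).AddMinutes(1).ToString('HH:mm')
schtasks /Create /F /TN $task /RU SYSTEM /SC ONCE /ST $start /TR $bat | Out-Null
Write-Host "Task '$task' scheduled for $start as SYSTEM; waiting..."

# Poll for the result file instead of guessing how long the scheduler takes.
$deadline = (Get-Date).AddMinutes(3)
while (-not (Test-Path $result) -and (Get-Date) -lt $deadline) { Start-Sleep -Seconds 5 }
schtasks /Delete /F /TN $task | Out-Null

if (Test-Path $result) {
    $line = Get-Content $result
    Write-Host "regsvr32 under SYSTEM: $line"
    if ($line -match 'exit=0\s*$') {
        'Succeeded as SYSTEM but not as the user: look at key and file ACLs next.'
    } else {
        'Failed as SYSTEM too: the DLL or a dependency is damaged, not the permissions.'
    }
} else {
    "No result file at $result; check that the Task Scheduler service is running."
}
Remove-Item $bat -ErrorAction SilentlyContinue
```

One caveat a practitioner should keep in mind: a script that SYSTEM will execute must not sit where an unprivileged user can edit it between creation and run time. %SystemRoot%\Temp is writable only by administrators on a default install, which is why it is used here rather than the user's own %TEMP%; on a shared machine, verify the ACL before scheduling anything as SYSTEM.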

Mosaic1
2007-01-05, 20:02
Good. I see you're here. I have edited in the meantime because you weren't here when I started. Please go back and read my last post again. I added one easy step at the beginning as a test.

Millslord
2007-01-08, 17:28
Hi there,

No dllcache folder found. I made hidden files viewable but no avail. However, Themeui.dll is in System32.

Millslord
2007-01-08, 17:49
Regmon requires the Load Driver and Debug Privileges. This is the message I get when attempting to run the app.

Millslord
2007-01-08, 17:50
Regmon works. Placed it in C:/

Mosaic1
2007-01-08, 19:09
Having no dllcache folder can be a problem.

Please go to start >Run and type cmd.exe

Press enter

Copy and paste in this command( Right click in the command window and click paste on the context menu)

cd \ & dir /s /a /b themeui.dll > where.txt


When that finishes running, open C:\where.txt and post the contents please.
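
A fuller version of the `dir /s /a /b` step, added here as an example and not part of Mosaic1's instructions: besides listing every copy of the DLL, it records version, size, SHA-256 and signature state for each, so the System32 copy can be compared with the backups, and then asks tasklist which processes have the DLL mapped. It assumes PowerShell 3 or later; the DLL name and search root are parameters.

```powershell
# Added example, not from the thread: inventory every copy of a DLL under the
# Windows directory, hash each one, and show which processes have it loaded.
# Assumes PowerShell 3 or later ([pscustomobject], .Count on scalars).
param(
    [string]$Dll  = 'themeui.dll',
    [string]$Root = $env:SystemRoot
)

$sha256 = [System.Security.Cryptography.SHA256]::Create()

$copies = @(Get-ChildItem -Path $Root -Filter $Dll -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Opening for read works even while the DLL is mapped into processes;
        # only replacing the file is refused.
        $stream = $_.OpenRead()
        try     { $hash = ($sha256.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
        finally { $stream.Close() }

        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path      = $_.FullName
            Version   = $_.VersionInfo.FileVersion
            Size      = $_.Length
            SHA256    = $hash
            Signature = $sig.Status     # Valid, NotSigned, HashMismatch, ...
        }
    })

$copies | Format-List

# Copies whose hash differs from the others are the ones to look at; on the
# machine in this thread that means System32 against ServicePackFiles\i386.
$distinct = @($copies | Group-Object -Property SHA256)
'{0} copies found, {1} distinct hash(es)' -f $copies.Count, $distinct.Count

# Every process listed here holds the DLL mapped and is a reason the copy-over
# fails with "being used by another user or program".
tasklist /m $Dll
```

Two things to read with care: OS files of this era are catalog-signed rather than carrying an embedded signature, so a NotSigned status on an older PowerShell is not by itself evidence of tampering, and the hash comparison between copies is the real test. And if the hash of the System32 copy matches the Service Pack copy, replacing the file will change nothing, which points back at permissions or at a dependency rather than at themeui.dll.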

Millslord
2007-01-08, 20:22
C:\WINDOWS\$NtServicePackUninstall$\themeui.dll
C:\WINDOWS\ServicePackFiles\i386\themeui.dll
C:\WINDOWS\system32\themeui.dll

Millslord
2007-01-08, 21:09
none of my three PCs has dllcache.

Mosaic1
2007-01-08, 22:58
dllcache is where backups for system files are kept. If one goes missing, file protection uses the copy in dllcache to replace the file. It's not foolproof.

Let's try this.

Go to:
C:\WINDOWS\ServicePackFiles\i386\themeui.dll

Hold down the right mouse button on themeui.dll and drag it to the system32 folder. Release the mouse. A menu will appear. Click copy. It will ask if you want to overwrite the current copy. Say yes.

Now see if you can register themeui.dll

Restart. Test your display properties.


Let me know how it all goes and if you get any errors.

Mosaic1
2007-01-08, 23:00
Also, please go back to this post:
http://forums.spybot.info/showpost.php?p=61807&postcount=57

I had asked you to try some other things. Please do them as well if you still have no luck after trying this latest. I am trying to pinpoint where the hangup is.

Millslord
2007-01-09, 09:34
I have done and e-mailed the results to you already

Millslord
2007-01-09, 16:37
I am unable to copy themeui.dll into System32. I always get a message along the following lines:

Themeui.dll can't be copied. It is being used by another user or program. Close down all programs using this file and try again.

Mosaic1
2007-01-09, 17:54
Try it in Safe mode. The Theme service doesn't run there.

I don't see anything to help in your Event Viewer files.

Although replacing themeui.dll and then registering it again seems like a simplistic approach, we should try it.

I'll have to do more diagnostics to check this out here. It's not really a huge issue, although it is annoying. If you're willing we can dig deeper into it.

We'll use Regmon to monitor an attempt at registering themeui if you still can't properly register themeui.dll after it has been replaced. It has to be the user interface.
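
What the Regmon step is looking for, as an added example (not part of the thread): a script that filters a Regmon or Process Monitor CSV export down to the registry operations regsvr32.exe was refused, and collapses them to the keys whose ACLs need checking. It assumes the export uses Process Monitor's default columns (Time of Day, Process Name, PID, Operation, Path, Result, Detail); the sample rows embedded for a dry run are constructed, and the CLSID in them is a placeholder.

```powershell
# Added example, not part of the thread: pull the ACCESS DENIED registry
# operations for one process out of a Process Monitor / Regmon CSV export.
# Assumption: default Process Monitor CSV columns.
param(
    [string]$LogPath = 'C:\regmon-themeui.csv',
    [string]$Process = 'regsvr32.exe'
)

# Constructed sample rows so the script can be dry-run without a capture.
# The CLSID is a placeholder, not a real class ID.
$sample = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:42:01.1234567","regsvr32.exe","1880","RegOpenKey","HKLM\SOFTWARE\Classes\CLSID\{placeholder-clsid}","SUCCESS","Desired Access: Read"
"10:42:01.1240000","regsvr32.exe","1880","RegCreateKey","HKLM\SOFTWARE\Classes\CLSID\{placeholder-clsid}\InprocServer32","ACCESS DENIED","Desired Access: Write"
"10:42:01.1250000","regsvr32.exe","1880","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\CurrentTheme","ACCESS DENIED","Type: REG_SZ"
"10:42:01.1260000","explorer.exe","1520","RegQueryValue","HKCU\Control Panel\Desktop\Wallpaper","SUCCESS","Type: REG_SZ"
'@

$rows = if (Test-Path $LogPath) { Import-Csv -Path $LogPath } else { $sample | ConvertFrom-Csv }

# Only the target process, only refusals. Other processes touching the same
# keys at the same time are noise for this question.
$denied = @($rows | Where-Object {
    $_.'Process Name' -ieq $Process -and $_.Result -eq 'ACCESS DENIED'
})

if ($denied.Count -eq 0) {
    "No ACCESS DENIED results for ${Process}: the 0x80004005 is probably not a registry ACL problem."
    return
}

"$($denied.Count) refused registry operation(s) by ${Process}:"
$denied | Select-Object 'Time of Day', Operation, Path, Detail | Format-Table -AutoSize

# Collapse each refusal to the key it happened under, so the ACL is checked
# once per key (for example: Get-Acl 'HKLM:\SOFTWARE\Classes\CLSID' | Format-List).
$denied |
    ForEach-Object { $_.Path.Substring(0, $_.Path.LastIndexOf('\')) } |
    Sort-Object -Unique |
    ForEach-Object { "  check permissions on: $_" }
```

If the capture shows no refusals at all, the monitor trace is still useful: scroll to the last operation regsvr32 performed before it returned, since a NAME NOT FOUND on a dependency DLL or on a CLSID key it expected to exist points at a missing file rather than at permissions.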

Mosaic1
2007-01-09, 18:19
You had that theme program installed.
It might have replaced files or made changes. There's a lot more we can do before giving up.

Millslord
2007-01-09, 19:55
Unable to copy themeui.dll into System32 even under safe mode. I receive the same error message as described in my previous post above. Weird.

Millslord
2007-01-09, 20:02
I found dllcache after I selected the VIEW tab and found HIDDEN FILES AND FOLDERS under FILES and FOLDERS,

and clicked the radio button for SHOW HIDDEN FILES AND FOLDERS

A N D

deselected (unchecked) HIDE PROTECTED OPERATING SYSTEM FILES

BUT

No themeui.dll in the folder.

Millslord
2007-01-09, 20:58
Below are the processes running with explorer.exe. I post this in case you might want to have a look.


========================= ====== =============================================
System Idle Process 0 ƒ/“
System 4 ƒ/“
smss.exe 640 ntdll.dll
csrss.exe 1344 ntdll.dll, CSRSRV.dll, basesrv.dll,
winsrv.dll, GDI32.dll, KERNEL32.dll,
USER32.dll, sxs.dll, ADVAPI32.dll,
RPCRT4.dll, Apphelp.dll, VERSION.dll
winlogon.exe 1368 ntdll.dll, kernel32.dll, ADVAPI32.dll,
RPCRT4.dll, AUTHZ.dll, msvcrt.dll,
CRYPT32.dll, USER32.dll, GDI32.dll,
MSASN1.dll, NDdeApi.dll, PROFMAP.dll,
NETAPI32.dll, USERENV.dll, PSAPI.DLL,
REGAPI.dll, Secur32.dll, SETUPAPI.dll,
VERSION.dll, WINSTA.dll, WINTRUST.dll,
IMAGEHLP.dll, WS2_32.dll, WS2HELP.dll,
IMM32.DLL, MSGINA.dll, SHELL32.dll,
SHLWAPI.dll, COMCTL32.dll, ODBC32.dll,
comdlg32.dll, comctl32.dll, odbcint.dll,
SHSVCS.dll, sfc.dll, sfc_os.dll, ole32.dll,
Apphelp.dll, msctfime.ime, WINSCARD.DLL,
WTSAPI32.dll, sxs.dll, uxtheme.dll,
WINMM.dll, cscdll.dll, lbtserv.dll, HID.DLL,
MSIMG32.dll, WINSPOOL.DRV, OLEAUT32.dll,
NTMARTA.DLL, WLDAP32.dll, SAMLIB.dll,
lbtintw.dll, BtCoreIf.dll, MFC42.DLL,
MFC42LOC.DLL, rsaenh.dll, WlNotify.dll,
MPR.dll, msv1_0.dll, iphlpapi.dll,
cscui.dll, MPRAPI.dll, ACTIVEDS.dll,
adsldpc.dll, ATL.DLL, rtutils.dll,
xpsp2res.dll, COMRes.dll, CLBCATQ.DLL,
wdmaud.drv, msacm32.drv, MSACM32.dll,
midimap.dll
services.exe 1416 ntdll.dll, kernel32.dll, msvcrt.dll,
ADVAPI32.dll, RPCRT4.dll, USER32.dll,
GDI32.dll, USERENV.dll, SCESRV.dll,
AUTHZ.dll, umpnpmgr.dll, WINSTA.dll,
NETAPI32.dll, NCObjAPI.DLL, MSVCP60.dll,
ShimEng.dll, AcAdProc.dll, IMM32.DLL,
secur32.dll, Apphelp.dll, VERSION.dll,
eventlog.dll, WS2_32.dll, WS2HELP.dll,
PSAPI.DLL, wtsapi32.dll
lsass.exe 1428 ntdll.dll, kernel32.dll, ADVAPI32.dll,
RPCRT4.dll, LSASRV.dll, MPR.dll, USER32.dll,
GDI32.dll, MSASN1.dll, msvcrt.dll,
NETAPI32.dll, NTDSAPI.dll, DNSAPI.dll,
WS2_32.dll, WS2HELP.dll, WLDAP32.dll,
Secur32.dll, SAMLIB.dll, SAMSRV.dll,
cryptdll.dll, ShimEng.dll, AcGenral.DLL,
WINMM.dll, ole32.dll, OLEAUT32.dll,
MSACM32.dll, VERSION.dll, SHELL32.dll,
SHLWAPI.dll, USERENV.dll, UxTheme.dll,
IMM32.DLL, comctl32.dll, comctl32.dll,
msprivs.dll, kerberos.dll, msv1_0.dll,
iphlpapi.dll, netlogon.dll, w32time.dll,
MSVCP60.dll, schannel.dll, CRYPT32.dll,
wdigest.dll, rsaenh.dll, scecli.dll,
SETUPAPI.dll, ipsecsvc.dll, AUTHZ.dll,
oakley.DLL, WINIPSEC.DLL, pstorsvc.dll,
vetredir.dll, mswsock.dll, hnetcfg.dll,
isafeif.dll, wshtcpip.dll, psbase.dll,
dssenh.dll
svchost.exe 1572 ntdll.dll, kernel32.dll, ADVAPI32.dll,
RPCRT4.dll, ShimEng.dll, AcGenral.DLL,
USER32.dll, GDI32.dll, WINMM.dll, ole32.dll,
msvcrt.dll, OLEAUT32.dll, MSACM32.dll,
VERSION.dll, SHELL32.dll, SHLWAPI.dll,
USERENV.dll, UxTheme.dll, IMM32.DLL,
comctl32.dll, comctl32.dll, NTMARTA.DLL,
WLDAP32.dll, SAMLIB.dll, rpcss.dll,
Secur32.dll, WS2_32.dll, WS2HELP.dll,
xpsp2res.dll, WTSAPI32.dll, WINSTA.dll,
NETAPI32.dll, msv1_0.dll, iphlpapi.dll,
CLBCATQ.DLL, COMRes.dll, Apphelp.dll,
termsrv.dll, ICAAPI.dll, SETUPAPI.dll,
WINTRUST.dll, CRYPT32.dll, MSASN1.dll,
IMAGEHLP.dll, AUTHZ.dll, mstlsapi.dll,
ACTIVEDS.dll, adsldpc.dll, ATL.DLL,
REGAPI.dll, rsaenh.dll
svchost.exe 1632 ntdll.dll, kernel32.dll, ADVAPI32.dll,
RPCRT4.dll, ShimEng.dll, AcGenral.DLL,
USER32.dll, GDI32.dll, WINMM.dll, ole32.dll,
msvcrt.dll, OLEAUT32.dll, MSACM32.dll,
VERSION.dll, SHELL32.dll, SHLWAPI.dll,
USERENV.dll, UxTheme.dll, IMM32.DLL,
comctl32.dll, comctl32.dll, rpcss.dll,
Secur32.dll, WS2_32.dll, WS2HELP.dll,
xpsp2res.dll, rsaenh.dll, mswsock.dll,
vetredir.dll, hnetcfg.dll, isafeif.dll,
wshtcpip.dll, DNSAPI.dll, iphlpapi.dll,
winrnr.dll, WLDAP32.dll, rasadhlp.dll,
CLBCATQ.DLL, COMRes.dll
svchost.exe 1672 ntdll.dll, kernel32.dll, ADVAPI32.dll,
RPCRT4.dll, ShimEng.dll, AcGenral.DLL,
USER32.dll, GDI32.dll, WINMM.dll, ole32.dll,
msvcrt.dll, OLEAUT32.dll, MSACM32.dll,
VERSION.dll, SHELL32.dll, SHLWAPI.dll,
USERENV.dll, UxTheme.dll, IMM32.DLL,
comctl32.dll, comctl32.dll, NTMARTA.DLL,
WLDAP32.dll, SAMLIB.dll, xpsp2res.dll,
shsvcs.dll, WINSTA.dll, NETAPI32.dll,
rsaenh.dll, dhcpcsvc.dll, DNSAPI.dll,
WS2_32.dll, WS2HELP.dll, iphlpapi.dll,
Secur32.dll, wzcsvc.dll, rtutils.dll,
WMI.dll, CRYPT32.dll, MSASN1.dll,
WTSAPI32.dll, ESENT.dll, ATL.DLL,
rastls.dll, CRYPTUI.dll, WINTRUST.dll,
IMAGEHLP.dll, WININET.dll, Normaliz.dll,
iertutil.dll, MPRAPI.dll, ACTIVEDS.dll,
adsldpc.dll, SETUPAPI.dll, RASAPI32.dll,
rasman.dll, TAPI32.dll, SCHANNEL.dll,
WinSCard.dll, raschap.dll, msv1_0.dll,
CLBCATQ.DLL, COMRes.dll, MSVCP60.dll,
WZCSAPI.DLL, schedsvc.dll, NTDSAPI.dll,
MSIDLE.DLL, audiosrv.dll, wkssvc.dll,
qmgr.dll, MPR.dll, SHFOLDER.dll,
WINHTTP.dll, vetredir.dll, mswsock.dll,
hnetcfg.dll, isafeif.dll, wshtcpip.dll,
cryptsvc.dll, certcli.dll, dmserver.dll,
ersvc.dll, es.dll, pchsvc.dll, hidserv.dll,
HID.DLL, srvsvc.dll, winspool.drv,
netman.dll, netshell.dll, credui.dll,
seclogon.dll, sens.dll, srsvc.dll,
POWRPROF.dll, trkwks.dll, SXS.DLL,
w32time.dll, wmisvc.dll, VSSAPI.DLL,
browser.dll, wuauserv.dll, ipnathlp.dll,
AUTHZ.dll, wuaueng.dll, ADVPACK.dll,
Cabinet.dll, mspatcha.dll, sfc.dll,
sfc_os.dll, comsvcs.dll, colbact.DLL,
MTXCLU.DLL, WSOCK32.dll, CLUSAPI.DLL,
RESUTILS.DLL, wscsvc.dll, msi.dll,
RASDLG.dll, upnp.dll, SSDPAPI.dll,
wbemcomn.dll, wbemcore.dll, esscli.dll,
FastProx.dll, wbemsvc.dll, wmiutils.dll,
repdrvfs.dll, wmiprvsd.dll, NCObjAPI.DLL,
wbemess.dll, netcfgx.dll, rasmans.dll,
WINIPSEC.DLL, ncprov.dll, msxml3.dll,
Apphelp.dll, wups.dll, tapisrv.dll,
PSAPI.DLL, dssenh.dll, rasadhlp.dll,
rastapi.dll, unimdm.tsp, uniplat.dll,
kmddsp.tsp, winrnr.dll, ndptsp.tsp,
ipconf.tsp, h323.tsp, hidphone.tsp,
rasppp.dll, ntlsapi.dll, kerberos.dll,
cryptdll.dll, urlmon.dll, mlang.dll,
xmlprovi.dll

Millslord
2007-01-09, 20:59

Millslord
2007-01-09, 21:00

Millslord
2007-01-09, 21:01

Millslord
2007-01-09, 21:02

Millslord
2007-01-09, 21:07
I also noticed that I cannot run sfc/scannow

Millslord
2007-01-09, 21:12
Stupid me. I had to leave a space between the words. However, it can't run properly. It asks for the WinXPSP2 CD. I insert it and I get a message that it is incorrect.

Mosaic1
2007-01-10, 22:38
Let's try this. Go into system32 and right click on themeui.dll

Click on rename. Rename it as oldthemeui.dll


See if that does it.


It asks for the WinXPSP2 CD. I insert and I get a message that it is incorrect

Sometimes there's a registry entry preventing the CD from being recognized.

HERE:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

If you are comfortable in the registry, go to start>run and type regedit
Press enter.

Go to this key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Highlight Winlogon in the left pane.

Look in the right pane for this value:
Allocatecdroms

Double click on allocatecdroms
Change the value data to 0


Do the same for this value:
allocatedasd

Close the registry.

I'm not sure if you need a restart to take effect. Give it a try.

Mosaic1
2007-01-10, 23:38
I'm hoping that File Protection will give you a new copy of themeui.dll from your service pack install files.

SFC is a good idea. Please go ahead on it. BUT it often doesn't do the trick. So we may still need to do some digging and replace some files manually.

Millslord
2007-01-10, 23:43
Hi Mosaic,

Unfortunately it did not do the trick. I reinstalled SP2 but it didn't help either.

Mosaic1
2007-01-11, 05:04
Tomorrow, I'll do some more diagnostics and see what files are accessed when I use display properties.

I take it you still can't register themeui.dll?

Mosaic1
2007-01-11, 17:31
It would be a good idea to create a new folder somewhere on your system drive, even the desktop, for reports and apps I'll be asking you to use and generate.

I know there's a newer utility to replace regmon and filemon, but for now, I want you to use them to generate shorter reports.

It's very important you follow the directions as given or the report will be many Megabytes long, and therefore unmanageable.

We'll be generating several reports in the next few days as we monitor activity. Some will be very large.

-------------------------------------

Let's start with themeui.dll
If you still can't register themeui.dll, let's see if you are getting any access denied messages in the registry. We'll use Regmon for that.

Run Regmon.
Go to the toolbar and click on Options. From the options menu, click on Filter/Highlight.

When the dialog appears, in the include box type this:

Regsvr32

Then press ok.

Minimize regmon.

Go to start > run

Type
regsvr32 /i themeui.dll

Press enter.

After you get whatever message regsvr32 gives you, restore regmon and go to the file menu, and then save as:

Themeui Regmon

Save as type:
Regmon Data log.

Zip that and upload it into your next post please.

--------------------------------------

Next, we'll use filemon in the same way.

Download Filemon here:
http://download.sysinternals.com/Files/Filemon.zip

Unzip it.

Run Filemon. And do exactly as you did with Regmon. Set the filter.
Minimize Filemon.

Run regsvr32 /i themeui.dll
Press enter.

Restore Filemon.

Save the log as Themeui Filemon

Save as Type: Filemon Data Log.

Zip and upload into the next post.

------------

These two logs are going to show if access is denied to files or registry keys. Plus, filemon will give us a list of files accessed during your registration of themeui.dll.

This is a start. Later we'll monitor opening display properties and an attempted wallpaper change. Those logs will be considerably larger.


I need to know if renaming themeui.dll was allowed.

Do you run on NTFS or FAT32 file system?

If not sure, open My Computer. Right click on the hard drive icon and click Properties.

When the properties sheet comes up, look at what is listed next to

File system:

Let me know.

Millslord
2007-01-11, 18:12
Hi Mosaic,

and many thx for your help.


I am using NTFS.

Renaming themeui.dll was successful but when I copied a fresh themeui.dll I was trying to rename the one back to its original name while I was trying to delete the other. Impossible. I had to cut and paste one of the two onto the desktop where it still is, since I am unable to delete it.

Millslord
2007-01-11, 18:18
I ran Regmon and used the filter for 'display'.

This is what I received below, among other things:

5.34800911 rundll32.exe:3160 QueryValue HKCU\Control Panel\Appearance\DisplayThemesPage NOT FOUND

Mosaic1
2007-01-11, 19:50
Hi Millslord,

You're welcome.


Renaming themeui.dll was successful but when I copied a fresh themeui.dll I was trying to rename the one back to its original name while I was trying to delete the other. Impossible. I had to cut and paste one of the two onto the desktop where it still is, since I am unable to delete it.



Don't leave a dll out on the desktop. Put it in a folder. Do that first and if successful, continue.


Check to see if you have themeui.dll in system32

Rename the copy of themeui.dll which is in system32.

Then wait a minute. Reopen the system32 folder and see if File protection has put a new copy of themeui.dll into system32.

This is a test of File protection.

Let me know.



I don't have that registry key or value either.


Please let's take this one step at a time. I realize that's hard, but otherwise this is going to become very confusing.


I don't want any logs yet. I want to see if file protection will replace themeui.dll

If it does, then try to register themeui.dll. If it won't register and you get an error, make a note of the error and then do the filemon and regmon routine again and post the new logs please.

Mosaic1
2007-01-12, 02:44
Will you try something please? I want to have File Protection replace another file. This probably won't do it, but it is one we should replace anyway.

Go to start >Run and type

Resources
Press enter.

This should open your Windows\resources folder

Click on the Themes folder.
Inside the themes folder, click on the Luna Folder.

Now right click on this file:
luna.msstyles


Choose rename.

Rename the file as oldluna.msstyles

Close up the folder. File protection should replace it.

Give it about 30 seconds. Now go back and be sure that along with the renamed file, you now have luna.msstyles in the folder. If not, then rename oldluna.msstyles back to luna.msstyles.

Otherwise, if you do, then Double click on this new copy of luna.msstyles

This will open display properties.

Can you change the wallpaper?

Let me know step by step how things go. What succeeded and what failed.

Mosaic1
2007-01-12, 03:09
I want you to follow these instructions I give you one post at a time please.


Another file, and this is a big one, is uxtheme.dll

Find it in the system32 folder.

Rename it as olduxtheme.dll


Close system32 and wait about 30 seconds.

Reopen system32 and look to see if File Protection has put in a new copy of uxtheme.dll

If so, great. If not, rename olduxtheme.dll back.


Sometimes when trying to rename back, you'll get an error that the file already exists. That just means that File protection has finally kicked in and replaced the file. Then just do nothing. Forget about the renaming back. Don't panic or try to move the file you renamed. You can delete it if you like.

Just be sure that you don't restart until you have these files in place.

Once you have them, restart the computer. See if any of this helps.


There are a few more files to try later. And of course, the registry which is very important.

When you reinstalled Service Pack 2, did you first uninstall it?

And have you visited Windows Update? If not, you should do that as soon as possible.

Millslord
2007-01-12, 10:19
Hi Mosaic,

Sorry for the delay in responding. I was away from PC.

Renaming files didn't help. File Protection failed to kick in in all instances.

No, I did not uninstall SP2 prior to reinstallation.

Windows Update is always on auto.

Thx

Mills

Mosaic1
2007-01-12, 12:32
Hi Millslord,

I believe you should uninstall the service pack and then reinstall it for maximum results.

Can you see what version those files are and then get copies from your SP2 CD or Service pack files if the versions are not earlier than these please?


I don't want to skip anything.



Mo

Mosaic1
2007-01-12, 16:42
One more thing. Windows File protection should have warned you that those files were missing when you renamed them and ask for your install CD.

Let's see if you are missing sfc_os.dll
Have a look in system32 for sfc_os.dll and sfcfiles.dll

Are they there?

Millslord
2007-01-12, 18:11
Both *.dll files are in place.

Regards,

Mills

Millslord
2007-01-12, 20:45
I uninstalled SP2 and reinstalled it afresh. Ran Win Update too.

The files are the same version as the SP2 files. E.g. uxtheme.dll is 6.0.2900.2180.

Regards,

Mills

Millslord
2007-01-12, 20:52
When I try changing a theme by scrolling the highlighted area using the wheel mouse button (I can't click on an option - the window just disappears) I get the following error message:

Could not load theme. Access denied.

File: C:\Documents and Settings\adminX2\Application Data\Microsoft\Window\Themes\Custom.Theme

Mosaic1
2007-01-13, 16:06
That message is important. Because you have the NTFS file system, file ownership and security comes into play.



Let's see if you can take ownership of this file:

C:\Documents and Settings\adminX2\Application Data\Microsoft\Window\Themes\Custom.Theme


Follow the directions here:

http://support.microsoft.com/kb/308421

See if that helps.

Millslord
2007-01-15, 10:45
I followed the instructions in the MS KB below:

How to take ownership of a file
Note You must be logged on to the computer with an account that has administrative credentials.

To take ownership of a file, follow these steps:
1. Right-click the file that you want to take ownership of, and then click Properties.
2. Click the Security tab, and then click OK on the Security message (if one appears).
3. Click Advanced, and then click the Owner tab.
4. In the Name list, click Administrator, or click the Administrators group, and then click OK.

The administrator or the Administrators group now owns the file. To change the permissions on the files and folders under this folder, go to step 5.
5. Click Add.
6. In the Enter the object names to select (examples) list, type the user or group account that you want to give access to the file. For example, type Administrator.
7. Click OK.
8. In the Group or user names list, click the account that you want, and then select the check boxes of the permissions that you want to assign that user.
9. When you are finished assigning permissions, click OK.

No security tab under custom.theme located in

C:\Documents and Settings\adminX2\Application Data\Microsoft\Windows\Themes\Custom.Theme

Mosaic1
2007-01-16, 00:12
Did you read the entire article? For that security tab to show up on files and folders, you have to follow the rest of the directions.

Millslord
2007-01-16, 10:48
Oh yes, I see what you mean. I've now read and followed the entire article and the other article therein.
I had and still have full control of the respective file. Problem situation remains.

Millslord
2007-01-16, 10:57
That's crazy. I use the smitfraudfix utility under Windows normal mode and everything works fine. I restart the machine and the problem reoccurs. :sad: :sick:

Mosaic1
2007-01-16, 18:42
Are you able to delete the custom.theme file?


There may be more to it than just ownership. Please give me any and all error messages you get when you try to delete custom.theme

I have a FAT32 file system and can't test, but there could be special permissions set on custom theme.


Let's do something we were going to do and haven't yet.

Run filemon
Set the filter to
rundll32.exe

Open display properties. Try to change your desktop wallpaper.

Just let it go as usual.

Then save the log and look for access denied messages.

Or email it to me and I'll have a look.

Mosaic1
2007-01-16, 18:55
Once I see those Access denied messages we can check the files and/or folders involved using a tool you already have called cacls.

Millslord
2007-01-16, 23:52
This access denied message did not reappear.

Thx

Mills

Mosaic1
2007-01-17, 00:39
Can you please run Filemon according to my last directions and send me the log?

Millslord
2007-01-17, 12:19
Dear Mosaic,

No error messages when deleting custom theme.

I've emailed you two files. The first depicts the system in the state it was in after I ran smitfraudfix - if you remember it corrected the problem when run under WinXP normal mode - and the second file is after I rebooted - with the problem reoccurring.

Mosaic1
2007-01-17, 17:28
Let's see if regmon gives us anything.

Make sure your display properties doesn't work.


Then set Regmon's filter to rundll32.exe

Open display properties and try to change the wallpaper.

Send me the regmon report please.

You never told me if you are able to change your screensaver or anything else. Is this more than just the wallpaper? This information is important.


When you ran Filemon, did you do it exactly the same as when the error was generated? Did you use the Scroll on the mouse? If not, can you do it that way please.


Also, use search and search for *.theme

Let me know what you find.

Mosaic1
2007-01-17, 17:34
When you double click on Custom.theme, does it open in Display Properties?

Mosaic1
2007-01-17, 18:36
This has been a long topic. Please be careful to do everything and post all results here.

I'd like to see some registry keys too.

Download and save the zip. Extract the batch it contains (exportit.bat) and then double click on it. When it has finished and the command window closes, there will be a file named themes.txt.

Please upload themes.txt in your next reply here.

Millslord
2007-01-18, 01:57
Hi again,

I am able to change screensaver.

I am unable to change wallpaper or theme.

I will do the tests later on and let you know asap.

thx

Millslord
2007-01-18, 09:33
Yes, display properties pops up when I double-click on custom.theme.

I've e-mailed you the results of the tests.

Mosaic1
2007-01-18, 10:18
You sent me two copies of the filemon report by mistake. Can you please double check and send me the real Regmon report? Thanks.

Millslord
2007-01-18, 12:41
I've just emailed you the files.

thx

Mosaic1
2007-01-19, 00:52
I'm not seeing anything in the logs except maybe a possible language issue. And I can't test that here.


HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\My Pictures SUCCESS "%USERPROFILE%\Τα έγγραφά μου\Οι εικόνες μου"

Does this folder exist?


"%USERPROFILE%\Τα έγγραφά μου\Οι εικόνες μου"



When Smitfraudfix runs, it sets your wallpaper to nothing.

Are you saying that then you can go in and change it to anything you like? But then after a restart, you can't?

I had thought you said that you just can't change it at all.

Can you clarify?

What language is your System set to please?

Can you send me a copy of your custom.theme file when you have the problem please?

Millslord
2007-01-19, 11:56
System is in Greek. Yes, I mean that:

After Smitfraudfix runs I can go in and change it to anything I like. After restart, I cannot.

Mosaic1
2007-01-19, 15:27
That would point to a restriction of some type. But I see nothing in your logs. Regmon shows us what keys are accessed. And it does show that Windows is looking for restrictions which it doesn't find.
This is baffling. And the logs you sent were logs from when you have the problem?

I'll have to give this more thought.

Mosaic1
2007-01-19, 18:04
We never really did get to the bottom of the regsvr32 themeui.dll problem.


You have tried several things which have fixed the changing wallpaper problem. Then after a reboot it's back. Everything would affect the registry. But Regmon isn't showing us any problems when we monitor. There's only so much Smitfraud does. And removing registry restrictions is the big thing which would affect this problem. But how yours is behaving is strange. With these restrictions in place, the area which shows you the choices would be dimmed and yours is not.


Can you run smitfraudfix again please? As soon as it has finished running, go to start >Run

Type
regsvr32 /i themeui.dll


Press enter

Does it succeed now?

After a restart, can you try it again?

regsvr32 /i themeui.dll


Do you now get an error?

Millslord
2007-01-20, 00:19
Thx

I will try this on Sunday as I am away.

Kind regards,

Mills

Millslord
2007-01-21, 17:44
Dear Mosaic,

After running Smitfraud fix I was able to change the wallpaper and successfully register themeui.dll.

After reboot I am unable to change the wallpaper or theme BUT I can successfully register themeui.dll. I no longer get any errors regarding this.

Any ideas?

Thx

Mills

Mosaic1
2007-01-21, 20:13
Hi,

To tell you the truth, I'm baffled. I have scoured your Regmon and Filemon logs. There is no indication of any restrictions being in place at all. Otherwise I'd say the restrictions have been put back in place. But Regmon shows keys being queried for restrictions with none being found. Filemon shows no access denied on any of the files it accesses either.

Smitfraud and the fix only do so much.

At one point you used a script to disable Active Desktop and that worked for a while too.




Let's have another look at the registry.

Download Registry Search from this link:

http://www.xs4all.nl/~fstaal01/downloads/regsearch.zip

unzip to a folder on the desktop and then run the exe.

For the search, enter

Policies


Press ok

This will take a bit to run. When finished, it will create a text file.

Post the results please.


Then do the same for Restrictions please.


Quick question. When you open display properties and click the desktop tab, is the list of files dimmed out instead of being white?


What does the themes page look like?

Mosaic1
2007-01-21, 22:47
You use XP Pro, correct?

I do too. Although I have nothing showing in my registry regarding any wallpaper policy and can change mine at will, there's something here. A leftover.

The Policy editor shows a wallpaper policy in effect even though I removed the registry entries I had added earlier.

Can you find the hidden folder:

C:\WINDOWS\system32\GroupPolicy


Inside the Group Policy folder will be these subfolders:
Machine
User
Adm

Open each one and then look for a file named:
Registry.pol

Don't edit them. Please just open in notepad and then see what they say. Or make copies and send them to me.

Let me know which one is from each folder.

Mine has a policy or two still listed. No ill effects here but if you have anything in there, I'll have you open gpedit.msc and properly remove it later. Then we'll see if anything changes.

There are proper ways of doing things in Windows. Sometimes bypassing those can cause problems. It's worth a try.
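
To illustrate the two checks asked for above (searching the registry for Policies/Restrictions, and reading the Registry.pol files under GroupPolicy) in a form that can be run offline, here is an added example; it is not code from the thread or from any of the tools mentioned. It parses the documented Registry.pol layout (a "PReg" header followed by `[key;value;type;size;data]` records in UTF-16LE) and flags the known XP policy values that prevent changing the wallpaper. The sample .pol blob is constructed inside the script, and the second policy entry in it (`Software\Policies\Example\Constructed`) is made up for the demonstration.

```python
import struct
from typing import List, NamedTuple

REG_SZ = 1      # registry value type codes used inside .pol records
REG_DWORD = 4
PREG_MAGIC = b"PReg"   # every Registry.pol file starts with this signature
PREG_VERSION = 1


class PolEntry(NamedTuple):
    key: str      # key path relative to the hive (User\ or Machine\ folder)
    value: str    # value name; "" means the record is about the key itself
    vtype: int    # REG_* type code
    data: bytes   # raw data bytes as stored in the file

    def decoded(self):
        if self.vtype == REG_DWORD and len(self.data) == 4:
            return struct.unpack("<I", self.data)[0]
        if self.vtype == REG_SZ:
            return self.data.decode("utf-16-le").rstrip("\x00")
        return self.data


def _u16(s: str) -> bytes:
    return s.encode("utf-16-le")


def _expect(buf: bytes, pos: int, ch: str) -> int:
    """Check that the UTF-16 delimiter `ch` is at `pos` and step over it."""
    if buf[pos:pos + 2] != _u16(ch):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2


def _read_utf16z(buf: bytes, pos: int):
    """Read a NUL-terminated UTF-16LE string starting at `pos`."""
    end = pos
    while True:
        if end + 2 > len(buf):
            raise ValueError("unterminated string")
        if buf[end:end + 2] == b"\x00\x00":
            break
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2


def parse_pol(buf: bytes) -> List[PolEntry]:
    """Parse a Registry.pol blob into its records."""
    if buf[:4] != PREG_MAGIC:
        raise ValueError("not a Registry.pol file (missing PReg signature)")
    if struct.unpack_from("<I", buf, 4)[0] != PREG_VERSION:
        raise ValueError("unsupported Registry.pol version")
    pos, entries = 8, []
    while pos < len(buf):
        pos = _expect(buf, pos, "[")
        key, pos = _read_utf16z(buf, pos)
        pos = _expect(buf, pos, ";")
        value, pos = _read_utf16z(buf, pos)
        pos = _expect(buf, pos, ";")
        vtype = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, ";")
        size = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, ";")
        data = buf[pos:pos + size]
        pos = _expect(buf, pos + size, "]")
        entries.append(PolEntry(key, value, vtype, data))
    return entries


# Policy values that block or override the desktop wallpaper on Windows XP.
WALLPAPER_POLICIES = {
    (r"software\microsoft\windows\currentversion\policies\activedesktop", "nochangingwallpaper"),
    (r"software\microsoft\windows\currentversion\policies\system", "nodispbackgroundpage"),
    (r"software\microsoft\windows\currentversion\policies\system", "nodispcpl"),
    (r"software\microsoft\windows\currentversion\policies\system", "wallpaper"),
}


def wallpaper_restrictions(entries: List[PolEntry]) -> List[PolEntry]:
    """Return the records that would stop the user from changing the wallpaper."""
    hits = []
    for e in entries:
        if (e.key.lower(), e.value.lower()) not in WALLPAPER_POLICIES:
            continue
        if e.vtype == REG_DWORD and e.decoded() == 0:
            continue  # a zero DWORD means the restriction is switched off
        hits.append(e)
    return hits


def build_pol(records) -> bytes:
    """Serialise (key, value, type, data) tuples; used only to construct the sample."""
    out = bytearray(PREG_MAGIC + struct.pack("<I", PREG_VERSION))
    for key, value, vtype, data in records:
        out += _u16("[") + _u16(key) + b"\x00\x00" + _u16(";")
        out += _u16(value) + b"\x00\x00" + _u16(";")
        out += struct.pack("<I", vtype) + _u16(";")
        out += struct.pack("<I", len(data)) + _u16(";") + data + _u16("]")
    return bytes(out)


# Constructed sample: one real wallpaper restriction plus a made-up, unrelated policy.
SAMPLE_POL = build_pol([
    (r"Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop",
     "NoChangingWallPaper", REG_DWORD, struct.pack("<I", 1)),
    (r"Software\Policies\Example\Constructed", "Note", REG_SZ, _u16("sample\x00")),
])

if __name__ == "__main__":
    entries = parse_pol(SAMPLE_POL)
    for e in entries:
        print(f"{e.key}\\{e.value} = {e.decoded()!r}")
    print("wallpaper restrictions:", [e.value for e in wallpaper_restrictions(entries)])
```

To run it against a real file, read `C:\WINDOWS\system32\GroupPolicy\User\Registry.pol` in binary mode and pass the bytes to `parse_pol`; an empty list from `wallpaper_restrictions` means the local policy files are not what is blocking the Desktop tab, which is consistent with the white (not dimmed) file list described later in this thread.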

Millslord
2007-01-21, 22:53
I will post replies tomorrow afternoon.

Many thx

Mosaic1
2007-01-21, 22:58
You're welcome. Have a good night.

Millslord
2007-01-22, 18:32
Dear Mosaic,

When I open display properties and click the desktop tab, the list of files is white. It's normal.


I've emailed you the files.

thx

Mosaic1
2007-01-22, 22:28
I had a look at your results. You sent me two searches for Restrictions.

Please do one for policies and send it.

Did you do the other where I asked you to look for the .pol files?


The fact that the Display properties list is white points to no policy in place. But Smitfraudfix can fix the problem until reboot. So this would point to some restriction in the registry. But none has shown up anywhere in any log.

Millslord
2007-01-23, 18:57
Dear Mosaic,

No reg.pol under Adm.

I have emailed you the files requested.

thx

Mosaic1
2007-01-23, 19:17
Hello Millslord,

Thanks for the files. We have no added information from them.
This is quite a mystery. So far there has been no progress.

Will you do something for me please?

Fix using smitfraudfix again. Then change your wallpaper to be sure it can be done.

Then go to start >Run and paste in this command:

sc stop Themes
Press enter

This is going to stop the themes service. Your taskbar and windows will look different. The taskbar will be tan. Don't be concerned.
Wait a minute to let everything settle. Now go back to start >Run

Paste this command in:
sc start themes

Press enter.

Let the themes load back up. It will take a minute.
Now go into display properties and see if you can change your wallpaper.


This is a test only.

Mosaic1
2007-01-23, 19:33
Well do one more registry export after you reboot and know that display properties is broken.

Millslord
2007-01-23, 20:31
Dear Mosaic,

I followed all the steps. Before reboot I was able to change the wallpaper. After reboot the chosen wallpaper remained as the background of choice but I could not even open display properties. I had to rerun smitfraud fix to correct the problem i.e. to be able to open display properties, since as to the wallpaper issue things are the same. Unable to effect any change after reboot.

Another thing I have noticed every time I have run smitfraud is that the NETGEAR configuration utility on the taskbar disappears. I have to reboot for it to reappear.

Thx

Mosaic1
2007-01-23, 20:39
So then shutting down and restarting themes didn't disable display properties?

I wonder if you have a problem registering themeui.dll now.

When Smitfraudfix is run it kills explorer and restarts it.

When Explorer is killed, the systray icons disappear. Most come back because the programmer who wrote the program coded it so the program would recognise the crash, or check periodically to be sure its icon was there.

This one must not be putting its icon back in the tray. If you look in Task Manager, though, the program is generally running. Closing and restarting the program manually should put the icon back. If not, try a log off and back on.

Mosaic1
2007-01-23, 20:56
I use this little utility on my own system. It may not be much help here, but let's give it a try.

Download Regshot from this link, extract and put it in its own folder. That folder will have two zips. The one you want to extract and use is: regshot1_7_2.zip
http://www.snapfiles.com/get/regshot.html

Be sure the display properties is broken.

Double click on regshot.exe to run it.

Click the 1st shot button. This is going to make a snapshot of your registry. Let it go. Do not close the program. When it has finished, then run Smitfraudfix.

When smitfraudfix finishes, go back to the regshot window and click the 2nd shot button. This will take a snapshot of your registry in its current state.


When this finishes, click the compare button. This will do a comparison of the two registry snapshots and when finished, will open a file with the results.


Do not close that file. Save it as a text file and upload here please. Let's see if we can spot something in the registry changes.
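
The snapshot-and-compare procedure above can also be done with two regedit exports instead of Regshot. The following is an added example, not code from this thread or from Regshot: it parses the text of a `.reg` export (key headers in brackets, `"name"=data` lines, backslash continuations) and reports keys and values added, deleted or changed between a "before" and an "after" export. Both snapshots are constructed for the demonstration; the `HKEY_CURRENT_USER\Software\Example\Constructed` key and the values in it are made up, and the constructed difference (a policy value vanishing and the wallpaper path being set) is only what such a comparison would be looking for, not something recorded in the thread.

```python
import re
from typing import Dict

# Parsed export: key path -> {value name -> data exactly as written in the file}
RegSnapshot = Dict[str, Dict[str, str]]

# Matches `@=data` (default value) or `"name"=data`, allowing escaped quotes in the name.
_VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')


def parse_reg_export(text: str) -> RegSnapshot:
    """Parse the text of a regedit export. Data is kept as the literal string."""
    snapshot: RegSnapshot = {}
    current = None
    buffered = ""  # collects lines that end in a backslash (long hex values)
    for raw in text.splitlines():
        line = buffered + raw.strip()
        buffered = ""
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.endswith("\\"):
            buffered = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            snapshot.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or m is None:
            raise ValueError(f"unexpected line: {line!r}")
        name = m.group(1) if m.group(1) is not None else "(Default)"
        snapshot[current][name] = m.group(2)
    return snapshot


def compare_snapshots(before: RegSnapshot, after: RegSnapshot) -> Dict[str, list]:
    """Regshot-style report of what changed between two parsed exports."""
    report = {"keys_added": [], "keys_deleted": [], "values_added": [],
              "values_deleted": [], "values_changed": []}
    for key in sorted(set(before) | set(after)):
        old, new = before.get(key), after.get(key)
        if old is None:
            report["keys_added"].append(key)
        elif new is None:
            report["keys_deleted"].append(key)
        old, new = old or {}, new or {}
        for name in sorted(set(old) | set(new)):
            if name not in old:
                report["values_added"].append((key, name, new[name]))
            elif name not in new:
                report["values_deleted"].append((key, name, old[name]))
            elif old[name] != new[name]:
                report["values_changed"].append((key, name, old[name], new[name]))
    return report


# Constructed "before" export: a wallpaper policy is set and no wallpaper is chosen.
BEFORE_SNAPSHOT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallPaper"=dword:00000001

[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"=""
"WallpaperStyle"="2"
"""

# Constructed "after" export: the policy value is gone, a wallpaper is set,
# and an unrelated made-up key has appeared.
AFTER_SNAPSHOT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]

[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"="C:\\WINDOWS\\Web\\Wallpaper\\Bliss.bmp"
"WallpaperStyle"="2"

[HKEY_CURRENT_USER\Software\Example\Constructed]
"Marker"=dword:00000001
"""

if __name__ == "__main__":
    result = compare_snapshots(parse_reg_export(BEFORE_SNAPSHOT),
                               parse_reg_export(AFTER_SNAPSHOT))
    for section, items in result.items():
        print(section)
        for item in items:
            print("   ", item)
```

Real regedit exports are saved as UTF-16LE text, so open them with `encoding="utf-16"` before passing the contents to `parse_reg_export`. A report with every list empty, taken between a broken state and a state fixed by Smitfraudfix, is the "showing us nothing" outcome that the next posts describe.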

Millslord
2007-01-23, 21:30
Dear Mosaic,

Results attached

thx

Mosaic1
2007-01-23, 21:40
Hi Millslord,

That is showing us nothing. Darn it.

To double check. You can't change anything in display properties?

So you do shot1

Run Smitfraudfix
Do shot2
Press compare

And this is the result?

Restarting themes doesn't break display properties.

A friend is going to read this. I am not sure she'll have any ideas. IF she does, we'll take them.

Do you still have that disable active desktop script you downloaded and used before? If you do, try that to see if it fixes this before a reboot. And if after a reboot, you have the same problem again or not.

I keep thinking it is either the themes or your active desktop at the root of the problem. BUT smitfraud fixes the problem temporarily.

Mosaic1
2007-01-23, 22:04
If we continue to get nowhere, I am going to suggest you uninstall Service Pack 2 and then do a repair install of Windows using your original install CD. Do you have that? If you use a restore CD that is not the same. Let me know please. Then reapply Service Pack 2 and immediately go to Windows Update so that your updates can be reapplied.

Mosaic1
2007-01-23, 23:40
My friend, a very respected Expert named Kimberly has suggested you try this from Microsoft:

http://www.microsoft.com/downloads/details.aspx?FamilyID=1B286E6D-8912-4E18-B570-42470E2F3582&displaylang=en


It's the User Profile Hive Cleanup Service

And will help to unload your user hive properly before the system shuts down.


Every single Regmon log you have sent, shows no restrictions. But smitfraudfix fixes until a reboot. Either, you are confused and creating logs when things work, or this is the strangest thing I have seen.

At any rate, this last will get your registry hive saved properly at shutdown, if that is contributing to the problem.

Millslord
2007-01-24, 00:01
Ok, I'll try that tomorrow. I am definitely not confused and sober when saving logs. :D: :bigthumb:

Millslord
2007-01-24, 00:02
shall I rerun smitfraud prior to trying this solution from Microsoft?

Mosaic1
2007-01-24, 00:08
LOL that's good to hear!

Yes. Do run smitfraud. We want to be sure it's all working right before you try to shut down.

Let me know if that works.


Good luck.

Millslord
2007-01-24, 13:29
I followed the instructions. Ran smitfraud fix, after that i ran the *.exe of this Microsoft utility and did shut down the machine. I rebooted - the problem remains unsolved. I guess this is all? :lip: :red: :scratch:

Mosaic1
2007-01-24, 13:56
Do you want to give me another day?


Let's see if we can track down your system file protection problem.


Please go to System32

Right click on sfc_OS.dll

Click on Properties. When the properties page appears, click the version tab.

What is the file version please?

Millslord
2007-01-24, 14:30
5.1.2600.2180

Mosaic1
2007-01-24, 14:33
Ok. That's the correct version. I can't remember, did you finally find the dllcache folder?

Mosaic1
2007-01-24, 14:46
I have to say that because smitfraudfix does fix temporarily I have doubts. But your other symptoms are too odd. They don't match. So I really think you may be better served if you remove Service Pack 2 and then use your install CD, if it is a regular install CD and not a restore CD, to do a Windows Repair install. Be sure your Anti Virus and Firewalls are in good working order and then get the windows updates you'll need to reapply.


BUT Before you do that, uninstall Internet Explorer 7. If you attempt a repair install while Internet Explorer 7 is present, it may cause your system to become extremely unstable. Do not attempt a Repair install until IE 7 has been successfully uninstalled and you have restarted after doing so.


Further Help for Repair install here:

http://www.michaelstevenstech.com/XPrepairinstall.htm

Millslord
2007-01-24, 18:50
can't u think of anything else?

thx

Mosaic1
2007-01-24, 19:53
I'm sorry. I have read your logs. They show no restrictions. And they should. If you took the regmon logs for rundll32.exe when display properties was broken, they should have shown something. But no. However, smitfraudfix fixed something. And that's a mystery.

Plus, not being able to register themeui.dll occasionally and having a white list in Display Properties\desktop

That doesn't follow. A restriction dims that out. I believe you disabled Active Desktop using a vbs you downloaded. That also fixed this for a short time. But it came back.

We have gone in circles.

A repair install is not a format. Your personal files will still be there when you finish. It is a bit of work, but I can't see much hope in keeping this up.

Mosaic1
2007-01-24, 19:57
We can fool around and remove some registry keys & values which will restore themselves clean without the previous information. In the event of some kind of registry corruption, that would be a last ditch effort.

I am too tired today to go in and do that. If you want to wait another day, we can do that.


Are you able to open display properties at this point?

Millslord
2007-01-26, 02:00
Yes I want to try.

Since we did a tweak one of the times, I have always been able to register themeui.dll successfully.

I can open display properties but I cannot change wallpaper or theme. It's kind of strange that smitfraudfix is able to sort this out until the next reboot.

Thx

Mills

Mosaic1
2007-01-26, 02:25
I am not sure this is helpful. A repair install is really the best thing. I am not going to be able to continue this much longer, and neither should you.


Download and install subinacl from:
http://download.microsoft.com/download/1/7/d/17d82b72-bc6a-4dc8-bfaa-98b37b22b367/subinacl.msi

Install it. It will auto install to this location:

C:\Program Files\Windows Resource Kits\Tools

Next. Download and save the zip attachment.

Extract the file it contains to this folder:
C:\Program Files\Windows Resource Kits\Tools



So now you'll have
C:\Program Files\Windows Resource Kits\Tools\reset.cmd


Double click on reset.cmd to run it. The command window will open and there will be a lot of activity. This is a labor intense operation. Be offline and go for coffee while it runs. Let it do its job of resetting default permissions. It will take a while. Then restart the computer.

See if anything has improved. If not, run Smitfraudfix and restart again.

What's the situation now?

Mosaic1
2007-01-29, 07:03
Millslord,

Did you try it and if so, any results?

Mo

Millslord
2007-01-29, 23:42
Dear Mosaic,

The same crap as always.

Thx

Mills

Mosaic1
2007-01-29, 23:45
I think we have to say enough then. Either live with it and whatever other damage may have been done, or uninstall IE7 and restart the system.

Do your repair install.


BTW if you uninstall Service Pack 2 & IE 7 does this problem persist?

tashi
2007-02-06, 17:03
Millslord this topic has been archived.

If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.


Thank you Mr_JAk3 & Mosaic1.

tashi
2007-02-21, 16:35
Re-opened upon request.

Mosaic1
2007-02-21, 19:14
I can't imagine why this was reopened. Unless there is new information on the last question I asked which was never answered, I have no more avenues to help Millslord.


I think we have to say enough then. Either live with it and whatever other damage may have been done, or uninstall IE7 and restart the system.

Do your repair install.


BTW if you uninstall Service Pack 2 & IE 7 does this problem persist?

tashi
2007-02-21, 19:41
That is why I did not pm anyone about re-opening.

Millslord do you understand this? I will leave topic open for your response to see if you are going to provide new information. If not this topic will be closed and archived promptly.

Mosaic1
2007-02-21, 19:45
Thanks Tashi. I'm still subscribed to this thread.

tashi
2007-02-22, 18:01
Millslord, if you wish to start another topic please do so.

This one is done. ;)