
Thread: Please help get rid of smitfraud remnants

#51  Esteemed Security Expert: Emeritus (Join Date: Feb 2006, Posts: 367)

    Ok. Let's register a couple of files. I am not confident it's going to help, but it won't hurt. I have had no luck duplicating your exact issue, and I have fooled with a lot of files and registry entries.


    Go to Start >Run
    Copy and paste this command in and press enter:

    regsvr32 /i shell32.dll

    Wait for the success message.



    Go to Start >Run
    Copy and paste this command in and press enter:

    regsvr32 /i themeui.dll

    Wait for the success message.


    Restart and see if there's any improvement.

    Are you able to change your screensaver or background color? I want to see how bad this all is please.

#52  Esteemed Security Expert: Emeritus (Join Date: Feb 2006, Posts: 367)

    After you have finished with the first set of directions and posted the results, I'd also like to see one more report:

    Download Silent Runners from here:

    http://www.silentrunners.org/Silent%20Runners.vbs

    Save it to your C:\ drive.
    So you should have c:\silent runners.vbs.

    Click start> run> type: (or copy and paste in this line)

    "c:\silent runners.vbs" -all

    Press Enter.

    The popup you'll see tells you the scan has started.
    If you get a script warning from your antivirus, please allow the script to run. It is not dangerous.

    Once complete, it will tell you and create a file in c:\ called "Startup Programs [computername/date/time]"

    Post the contents of the log here.

    You may need 2 posts to get the entire contents of the log in.

    -----------

    Then please run that registry export script again and we'll have a look to see if there are any changes.

#53  Member (Join Date: Dec 2006, Posts: 81)

    Hi Mosaic,

    I registered

    regsvr32 /i shell32.dll

    successfully

    Running

    regsvr32 /i themeui.dll

    FAILED


    Hence I did not proceed any further

#54  Member (Join Date: Dec 2006, Posts: 81)

    "Silent Runners.vbs", revision 49, http://www.silentrunners.org/
    Operating System: Windows XP SP2
    Output limited to non-default values, except where indicated by "{++}"


    Startup items buried in registry:
    ---------------------------------

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
    "Vidalia" = ""C:\Program Files\Vidalia\vidalia.exe"" [null data]
    "updateMgr" = ""C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_7 -reboot 1" ["Adobe Systems Incorporated"]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
    "HP Component Manager" = ""C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"" ["Hewlett-Packard Company"]
    "HPDJ Taskbar Utility" = "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" ["HP"]
    "NWEReboot" = "(empty string)" [file not found]
    "Logitech Hardware Abstraction Layer" = "KHALMNPR.EXE" ["Logitech Inc."]
    "(Default)" = "(empty string)" [file not found]
    "Zone Labs Client" = ""C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs, LLC"]
    "nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
    "NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
    "SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0\bin\jusched.exe"" ["Sun Microsystems, Inc."]
    "TXP" = "c:\program files\topthemesxp\txp.exe" [file not found]
    "SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
    {0CF0B8EE-6596-11D5-A98E-0003470BB48E}\(Default) = "CCHelper"
    -> {HKLM...CLSID} = "CCHelper Class"
    \InProcServer32\(Default) = "C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll" [empty string]
    {53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "SSVHelper Class"
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0\bin\ssv.dll" ["Sun Microsystems, Inc."]
    {AE7CD045-E861-484f-8273-0445EE161910}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "Adobe PDF Conversion Toolbar Helper"
    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Προέκταση εικονιδίου HyperTerminal"
    -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
    "{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
    -> {HKLM...CLSID} = "DesktopContext Class"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
    "{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
    -> {HKLM...CLSID} = "Desktop Explorer"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
    "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
    "{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
    -> {HKLM...CLSID} = "nView Desktop Context Menu"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
    "{8F05B1A8-9D77-4B8F-AF54-6B2202066F95}" = "Pop-Up Stopper &Companion"
    -> {HKLM...CLSID} = "Pop-Up Stopper &Companion"
    \InProcServer32\(Default) = "C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll" [null data]
    "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
    "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
    -> {HKLM...CLSID} = "RealOne Player Context Menu Class"
    \InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
    "{4CCEFB41-18FA-11D3-9EF3-00A0C9E897FD}" = "CorelDRAW Shell Extension Component"
    -> {HKLM...CLSID} = "CorelDRAW Shell Extension Component"
    \InProcServer32\(Default) = "C:\Program Files\Corel\Graphics10\Draw\CdrViewer\CrlShell100.dll" ["Corel Corporation"]
    "{59403EC0-EA55-11d5-954A-9A53884D6E09}" = "SecureDoc"
    -> {HKLM...CLSID} = "SecureDoc"
    \InProcServer32\(Default) = "C:\PROGRA~1\MSI\SECURE~1\SecDoc.dll" ["msi"]
    "{AC0B5D2E-B691-4E12-A4F9-CA88492579A2}" = "Zinio Shell Extension"
    -> {HKLM...CLSID} = "Zinio Magazine"
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Zinio\ZShext.dll" ["Zinio Systems, Inc."]
    "{A9AACA72-1C51-4F84-804D-90EDBA0D58F4}" = "Zinio Magazine Column Provider"
    -> {HKLM...CLSID} = "MyMagazinesColumn Class"
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Zinio\ZShext.dll" ["Zinio Systems, Inc."]
    "{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
    -> {HKLM...CLSID} = "Microsoft Office Outlook"
    \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
    "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
    -> {HKLM...CLSID} = "Outlook File Icon Extension"
    \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
    "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
    "{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
    -> {HKLM...CLSID} = "AlcoholShellEx"
    \InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\axshlex.dll" ["Alcohol Soft Development Team"]
    "{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
    -> {HKLM...CLSID} = "NeroDigitalIconHandler Class"
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
    "{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
    -> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
    "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}" = "PowerISO"
    -> {HKLM...CLSID} = "PowerISO"
    \InProcServer32\(Default) = "C:\Program Files\PowerISO\PowerISOShell.dll" ["PowerISO Computing, Inc."]
    "{A5110426-177D-4e08-AB3F-785F10B4439C}" = "Sony Ericsson File Manager"
    -> {HKLM...CLSID} = "Sony Ericsson File Manager"
    \InProcServer32\(Default) = "C:\Program Files\Sony Ericsson\Mobile\File Manager\fmgrgui.dll" ["Sony Ericsson Mobile Communications AB"]
    "{79BC0345-1015-11D2-A299-006008312725}" = "blue.shell"
    -> {HKLM...CLSID} = "Studio.Project"
    \InProcServer32\(Default) = "C:\Program Files\Pinnacle\Studio 10\programs\BlueShellExt.dll" [file not found]
    "{6af09ec9-b429-11d4-a1fb-0090960218cb}" = "My Bluetooth Places"
    -> {HKLM...CLSID} = "My Bluetooth Places"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\btneighborhood.dll" ["Broadcom Corporation"]
    "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
    -> {HKLM...CLSID} = "Acrobat Elements Context Menu"
    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
    "{D9872D13-7651-4471-9EEE-F0A00218BEBB}" = "Multiscan"
    -> {HKLM...CLSID} = "ZLAVShExt Class"
    \InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]
    "{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
    -> {HKLM...CLSID} = "NVIDIA CPL Extension"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
    "{A965C8E0-54A7-11D6-BF08-00079500BB23}" = "ZipZag Shell extension"
    -> {HKLM...CLSID} = "ZipZag Shell Extension"
    \InProcServer32\(Default) = "C:\PROGRA~1\ZipZag\zipzagcm.dll" [null data]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
    <<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
    -> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["Anti-Malware Development a.s."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    "WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
    -> {HKLM...CLSID} = "WPDShServiceObj Class"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
    <<!>> LBTServ\DLLName = "C:\Program Files\Common Files\Logitech\Bluetooth\lbtserv.dll" ["Logitech Inc."]

    HKLM\Software\Classes\PROTOCOLS\Filter\
    <<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

    HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
    {7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
    -> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
    {A9AACA72-1C51-4F84-804D-90EDBA0D58F4}\(Default) = "Zinio Magazine Column Provider"
    -> {HKLM...CLSID} = "MyMagazinesColumn Class"
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Zinio\ZShext.dll" ["Zinio Systems, Inc."]
    {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
    -> {HKLM...CLSID} = "PDF Shell Extension"
    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

    HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
    Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
    -> {HKLM...CLSID} = "Acrobat Elements Context Menu"
    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
    AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
    -> {HKLM...CLSID} = "CContextScan Object"
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
    HexWorkshopContextMenu\(Default) = "{DB34D5DC-D41A-482E-A5EF-8FA0F88761DA}"
    -> {HKLM...CLSID} = "Hex Workshop Shell Extension"
    \InProcServer32\(Default) = "C:\Program Files\BreakPoint Software\Hex Workshop 4.2\hwext.dll" ["BreakPoint Software, Inc."]
    PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
    -> {HKLM...CLSID} = "PowerISO"
    \InProcServer32\(Default) = "C:\Program Files\PowerISO\PowerISOShell.dll" ["PowerISO Computing, Inc."]
    SecureDocMenu\(Default) = "{59403EC0-EA55-11d5-954A-9A53884D6E09}"
    -> {HKLM...CLSID} = "SecureDoc"
    \InProcServer32\(Default) = "C:\PROGRA~1\MSI\SECURE~1\SecDoc.dll" ["msi"]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
    ZipZag\(Default) = "{A965C8E0-54A7-11D6-BF08-00079500BB23}"
    -> {HKLM...CLSID} = "ZipZag Shell Extension"
    \InProcServer32\(Default) = "C:\PROGRA~1\ZipZag\zipzagcm.dll" [null data]
    ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
    -> {HKLM...CLSID} = "ZLAVShExt Class"
    \InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]

#55  Member (Join Date: Dec 2006, Posts: 81)

    HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
    AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
    -> {HKLM...CLSID} = "CContextScan Object"
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
    PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
    -> {HKLM...CLSID} = "PowerISO"
    \InProcServer32\(Default) = "C:\Program Files\PowerISO\PowerISOShell.dll" ["PowerISO Computing, Inc."]
    SecureDocMenu\(Default) = "{59403EC0-EA55-11d5-954A-9A53884D6E09}"
    -> {HKLM...CLSID} = "SecureDoc"
    \InProcServer32\(Default) = "C:\PROGRA~1\MSI\SECURE~1\SecDoc.dll" ["msi"]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
    ZipZag\(Default) = "{A965C8E0-54A7-11D6-BF08-00079500BB23}"
    -> {HKLM...CLSID} = "ZipZag Shell Extension"
    \InProcServer32\(Default) = "C:\PROGRA~1\ZipZag\zipzagcm.dll" [null data]

    HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
    FineReader\(Default) = "{AC0DD14A-8F29-4F88-BE1D-0F0ED1B06C9F}"
    -> {HKLM...CLSID} = "FineReaderExplorerContextMenuHandler"
    \InProcServer32\(Default) = "c:\program files\abbyy finereader 7.0 professional edition\fecmenu.dll" ["ABBYY (BIT Software)"]
    PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
    -> {HKLM...CLSID} = "PowerISO"
    \InProcServer32\(Default) = "C:\Program Files\PowerISO\PowerISOShell.dll" ["PowerISO Computing, Inc."]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
    ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
    -> {HKLM...CLSID} = "ZLAVShExt Class"
    \InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]


    Default executables:
    --------------------

    <<!>> HKLM\Software\Classes\htafile\shell\open\command\(Default) = "NOTEPAD.EXE %1" [MS]

    <<!>> HKLM\Software\Classes\scrfile\shell\open\command\(Default) = "NOTEPAD.EXE %1" [MS]


    Group Policies {GPedit.msc branch and setting}:
    -----------------------------------------------

    Note: detected settings may not have any effect.

    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

    "shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    Shutdown: Allow system to be shut down without having to log on}

    "undockwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    Devices: Allow undock without having to log on}


    Active Desktop and Wallpaper:
    -----------------------------

    Active Desktop may be enabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


    Enabled Screen Saver:
    ---------------------

    HKCU\Control Panel\Desktop\
    "SCRNSAVE.EXE" = "C:\WINDOWS\System32\ss3dfo.scr" [MS]


    Startup items in "adminX2" & "All Users" startup folders:
    ---------------------------------------------------------

    C:\Documents and Settings\All Users\Start Menu\Προγράμματα\Εκκίνηση
    "BTTray" -> shortcut to: "C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe" ["Broadcom Corporation"]
    "Logitech SetPoint" -> shortcut to: "C:\Program Files\Logitech\SetPoint\SetPoint.exe" ["Logitech Inc."]
    "NETGEAR WG311v2 Smart Configuration" -> shortcut to: "C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe /HIDE" [empty string]
    "Privoxy" -> shortcut to: "C:\Program Files\Privoxy\privoxy.exe" ["The Privoxy team - www.privoxy.org"]


    Enabled Scheduled Tasks:
    ------------------------

    "Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]
    "User_Feed_Synchronization-{EB7B6756-B3E1-45F1-9B8C-BB1B7BED1CB0}" -> launches: "C:\WINDOWS\system32\msfeedssync.exe sync" [MS]
    "XoftSpy" -> launches: "C:\Program Files\XoftSpy\XoftSpy.exe -t" ["ParetoLogic Inc."]


    Winsock2 Service Provider DLLs:
    -------------------------------

    Namespace Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

    Transport Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    C:\WINDOWS\system32\ZoneLabs\vetredir.dll ["Computer Associates International, Inc."], 01 - 03, 09
    %SystemRoot%\system32\mswsock.dll [MS], 04 - 06, 10 - 21
    %SystemRoot%\system32\rsvpsp.dll [MS], 07 - 08


    Toolbars, Explorer Bars, Extensions:
    ------------------------------------

    Toolbars

    HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
    "{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
    -> {HKLM...CLSID} = "Adobe PDF"
    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

    HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
    "{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
    -> {HKLM...CLSID} = "Adobe PDF"
    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

    HKLM\Software\Microsoft\Internet Explorer\Toolbar\
    "{8F05B1A8-9D77-4B8F-AF54-6B2202066F95}" = (no title provided)
    -> {HKLM...CLSID} = "Pop-Up Stopper &Companion"
    \InProcServer32\(Default) = "C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll" [null data]
    "{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = (no title provided)
    -> {HKLM...CLSID} = "Adobe PDF"
    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

    Explorer Bars

    HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

    HKLM\Software\Classes\CLSID\{182EC0BE-5110-49C8-A062-BEB1D02A220B}\(Default) = "Adobe PDF"
    Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
    InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

    HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
    Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
    InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

    Extensions (Tools menu items, main toolbar menu buttons)

    HKLM\Software\Microsoft\Internet Explorer\Extensions\
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
    "MenuText" = "Sun Java Console"
    "CLSIDExtension" = "{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC}"
    -> {HKLM...CLSID} = "Java Plug-in 1.6.0"
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll" ["Sun Microsystems, Inc."]

    {92780B25-18CC-41C8-B9BE-3C9C571A8263}\
    "ButtonText" = "Research"

    {CCA281CA-C863-46EF-9331-5C8D4460577F}\
    "ButtonText" = "@btrez.dll,-4015"
    "MenuText" = "@btrez.dll,-4017"
    "Script" = "C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm" [null data]

    {E2E2DD38-D088-4134-82B7-F2BA38496583}\
    "MenuText" = "@xpsp3res.dll,-20001"
    "Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

    {FB5F1910-F110-11D2-BB9E-00C04F795683}\
    "ButtonText" = "Messenger"
    "MenuText" = "Windows Messenger"
    "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


    Running Services (Display Name, Service Name, Path {Service DLL}):
    ------------------------------------------------------------------

    AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["Anti-Malware Development a.s."]
    Bluetooth Service, btwdins, "C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe" ["Broadcom Corporation"]
    CA ISafe, CAISafe, "C:\WINDOWS\system32\ZoneLabs\isafe.exe" ["Computer Associates International, Inc."]
    InCD Helper, InCDsrv, "C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe" ["Nero AG"]
    Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
    NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
    StarWind iSCSI Service, StarWindService, "C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe" ["Rocket Division Software"]
    TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]
    Ulead Burning Helper, UleadBurningHelper, "C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe" ["Ulead Systems, Inc."]
    Winpower, Winpower, "C:\PROGRA~1\UpsPilot\Winpower.exe -zglaxservice Winpower" ["ZeroG Software"]
    Winpowermonitor, Winpowermonitor, "C:\PROGRA~1\UpsPilot\monitor.exe -zglaxservice Winpowermonitor" ["ZeroG Software"]
    WinpowerRMI, WinpowerRMI, "C:\PROGRA~1\UpsPilot\wpRMI.exe -zglaxservice WinpowerRMI" ["ZeroG Software"]


    Print Monitors:
    ---------------

    HKLM\System\CurrentControlSet\Control\Print\Monitors\
    Adobe PDF Port\Driver = "C:\WINDOWS\system32\AdobePDF.dll" ["Adobe Systems Incorporated."]
    Bluetooth Printer Port\Driver = "bthcrp.dll" ["Broadcom Corporation"]
    HP Master Monitor\Driver = "HPBMMON.DLL" ["Hewlett-Packard"]
    hpzlnt10\Driver = "hpzlnt10.dll" ["HP"]
    Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
    NETGEAR FR Print Server\Driver = "NgSharedPort.dll" [null data]


    ----------
    <<!>>: Suspicious data at a malware launch point.

    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + To search all directories of local fixed drives for DESKTOP.INI
    DLL launch points, use the -supp parameter or answer "No" at the
    first message box and "Yes" at the second message box.
    ---------- (total run time: 31 seconds)
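    The report above is what the helper reads by hand: each registry launch point, the COM server DLL it resolves to, the company name the script found in the file, and a `<<!>>` on anything it treats as data at a malware launch point. The Python below is an added example, not part of this thread and not code from Silent Runners, that does the same first-pass triage mechanically over a constructed excerpt modelled on the posted lines. The section names, the `{++}` and `<<!>>` markers and the bracket tags ([MS], [null data], [file not found], ["Vendor"]) are taken from the report; the reading of the bracket tag as the file's version-info CompanyName rather than a signature check, and the severity reasons attached to each finding, are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

FLAG = "<<!>>"
# name = value [tag]   (bracket tag optional; "->" cross-reference lines are skipped)
ENTRY_RE = re.compile(r'^(?P<name>.+?) = (?P<value>.+?)(?:\s\[(?P<tag>[^\]]*)\])?$')
# Tags the report prints when it cannot read a CompanyName from the file (assumed reading)
WEAK_TAGS = {"null data", "empty string", "file not found"}

# Constructed excerpt modelled on the report above, not a verbatim copy of the posted log
SAMPLE_LOG = r"""
Startup items buried in registry:
---------------------------------

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"NWEReboot" = "(empty string)" [file not found]
"TXP" = "c:\program files\topthemesxp\txp.exe" [file not found]
"Zone Labs Client" = ""C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs, LLC"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["Anti-Malware Development a.s."]

Default executables:
--------------------

<<!>> HKLM\Software\Classes\htafile\shell\open\command\(Default) = "NOTEPAD.EXE %1" [MS]
<<!>> HKLM\Software\Classes\scrfile\shell\open\command\(Default) = "NOTEPAD.EXE %1" [MS]
"""


@dataclass
class LaunchPoint:
    section: str
    key: str
    name: str
    value: str
    tag: Optional[str]
    flagged: bool
    dll: Optional[str] = None
    dll_tag: Optional[str] = None
    reasons: List[str] = field(default_factory=list)


def _assess(lp: LaunchPoint) -> LaunchPoint:
    """Attach triage reasons; these severity rules are this example's assumptions."""
    if lp.flagged:
        lp.reasons.append("marked <<!>> by the report: data at a malware launch point")
    if lp.section.startswith("Default executables"):
        lp.reasons.append("file-type handler differs from the Windows default")
    for label, tag in (("entry", lp.tag), ("DLL", lp.dll_tag)):
        if tag == "file not found":
            lp.reasons.append(f"{label} points at a missing file (orphaned launch point)")
        elif tag in WEAK_TAGS:
            lp.reasons.append(f"{label} carries no CompanyName; identify the file by hash")
    return lp


def parse(log_text: str) -> List[LaunchPoint]:
    """Walk the report line by line, tracking section headers and registry keys."""
    entries: List[LaunchPoint] = []
    section = key = prev = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if re.fullmatch(r"-{3,}", line):          # underline => previous line was a header
            section = prev.rstrip(":")
            continue
        prev = line
        flagged = line.startswith(FLAG)
        if flagged:
            line = line[len(FLAG):].strip()
        if line.startswith("->"):                 # CLSID cross-reference, not a launch point
            continue
        m = ENTRY_RE.match(line)
        if not m:
            if line.startswith("HK"):             # bare key path applies to following entries
                key = line.replace("{++}", "").strip()
            continue
        name, value, tag = m.group("name", "value", "tag")
        if name.startswith("\\InProcServer32") and entries:
            entries[-1].dll, entries[-1].dll_tag = value.strip('"'), tag  # resolve COM server
            continue
        entries.append(LaunchPoint(section, "" if name.startswith("HK") else key,
                                   name.strip('"'), value, tag, flagged))
    return [_assess(e) for e in entries]


def triage(log_text: str) -> List[LaunchPoint]:
    """Only the launch points that need a human look."""
    return [e for e in parse(log_text) if e.reasons]


if __name__ == "__main__":
    for lp in triage(SAMPLE_LOG):
        print(f"[{lp.section}] {lp.name}\n    {lp.value}  {lp.dll or ''}")
        for r in lp.reasons:
            print(f"    - {r}")
```

    Run against a full "Startup Programs" log it narrows the list to orphaned Run entries such as TXP and NWEReboot, the shell-execute hook, and the two file-type handlers that were pointed at Notepad. Everything it reports still needs the human check the helper is doing here: a [file not found] entry is a harmless leftover or a removed dropper, and a [null data] DLL is only unknown, not malicious, until its hash has been looked up.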

#56  Member (Join Date: Dec 2006, Posts: 81)

    To be more specific the message I get is:

    DllRegisterServer in themeui.dll failed. The return code was: 0X80004005

#57  Esteemed Security Expert: Emeritus (Join Date: Feb 2006, Posts: 367)

    Millslord,

    This is an operating system issue. I think you either have a registry permissions problem or a file problem: missing or corrupted support files, or possibly themeui.dll itself. It's the kind of thing which is hard to track down. The fact that you successfully registered shell32.dll makes me wonder. Registry permissions should have had an effect on that. But you never know.

    Find the hidden dllcache folder in system32

    Copy themeui.dll from the dllcache to system32. Don't move it, this is a backup and you may need it in the future.

    Reboot the system. Try registering themeui.dll again and also have a look at display properties to see if it now works.


    ------------------------
    Let me know.

    If you still have the problem, and you probably will:


    The first thing I would like to do is to try to register themeui.dll under system auspices to see if that succeeds. This is a test only.

    This is step 1 only.

    Download and save the attachment. Then unzip it. It contains a file named Date Add cmd.vbs

    Look at your clock in systray. When the minute turns over, double click on
    Date Add cmd.vbs
    If you get a malicious script warning, please allow this to run. It is not malicious. This is going to set a task to run a special command prompt at the next minute.


    Wait a minute for the command to open. It will take until the minute turns over again. ***The Schedule service must be running for this to work.

    Then right-click in that command prompt and paste in this command again:

    regsvr32 /i themeui.dll

    Do you still get any error message?


    Even if successful, this will not fix your problem if it is permissions. But it may point us to something.


    -----------

    Step 2 in this diagnostic is a look at Event Viewer.

    I'd like to look at your Event logs too.
    Can you run
    Eventvwr.msc

    When Event Viewer opens, right-click on Application and click
    Save Log File As, and give the file a name like apps. Leave the file type alone.
    By default it will save as .evt

    Find apps.evt and email it to me as an attachment please.

    Do the same for System: right-click on System and save the log file as sys.evt

    I'll load these files into my event viewer and see if there are any clues.

    My email is Katie_3232AThotmail.com

    Replace the AT with an @ for the email to work please.

    -------------------------

    For now, we won't be using this next utility, but we may later.

    Please go here :

    http://www.microsoft.com/technet/sys...es/regmon.mspx

    Download Regmon.zip and then unzip it to someplace easy to find.

    We'll use it to do a monitor of regsvr32 themeui /i and look for Access denied messages in the log.
    Last edited by Mosaic1; 2007-01-05 at 21:01.

#58  Esteemed Security Expert: Emeritus (Join Date: Feb 2006, Posts: 367)

    Good. I see you're here. I have edited in the meantime because you weren't here when I started. Please go back and read my last post again. I added one easy step at the beginning as a test.

#59  Member (Join Date: Dec 2006, Posts: 81)

    Hi there,

    No dllcache folder found. I made hidden files viewable, but to no avail. However, themeui.dll is in System32.

#60  Member (Join Date: Dec 2006, Posts: 81)

    Regmon requires the Load Driver and Debug Privileges. This is the message I get when attempting to run the app.
