Please help get rid of smitfraud remnants
- Thread starter Millslord
- Start date
No it doesn't and I just noticed another issue as well.
Prior to logging on to Windows with my username and password I get a message saying that I have to press Ctrl+Alt+Del. Only after I do this do I get the log in box.
Also, I noticed that when I click on start I no longer see the icon next to my username. It's just my username.
Prior to logging on to Windows with my username and password I get a message saying that I have to press Ctrl+Alt+Del. Only after I do this do I get the log in box.
Also, I noticed that when I click on start I no longer see the icon next to my username. It's just my username.
Ok sounds that the user account is corrupted.
Could you please create a new account and see if works normally. If it works normally (like it propably will) you could move all your important files to the new profile and dump that old one.
How to create and configure user accounts in Windows XP
:bigthumb:
Could you please create a new account and see if works normally. If it works normally (like it propably will) you could move all your important files to the new profile and dump that old one.
How to create and configure user accounts in Windows XP
:bigthumb:
Hi again 
We'll have to do a little more research...
Go to Start >Run and type "Notepad" without the quotes
Copy the text from the quotebox below to Notepad.
Go to the menu at the top of the Notepad file and Save as:
When finished it will open a file in Notepad.
That file will be named info.txt
Please post the contents of info.txt into your next reply here.
(it migh be a long file and you may have to post it in small parts)
You may also upload the file to RapidShare
Then just post the link to your file to me.
We'll have to do a little more research...
Go to Start >Run and type "Notepad" without the quotes
Copy the text from the quotebox below to Notepad.
Go to the menu at the top of the Notepad file and Save as:
- Name the file peek.bat
- Save as Type: All files
- Select the desktop icon on the left to save it on the desktop.
When finished it will open a file in Notepad.
That file will be named info.txt
Please post the contents of info.txt into your next reply here.
(it migh be a long file and you may have to post it in small parts)
You may also upload the file to RapidShare
Then just post the link to your file to me.
Last edited:
Ok good
Please download the fix.zip file (which is attached to this message) to your desktop. Unzip the fix.zip to your desktop.
Run the file fix.reg and allow to merge when prompted.
Then try if you can change the wallpaper/themes in the normal way.
If you can, restart the computer.
Then see if you can still change the wallpaper.
Let me know :bigthumb:
Please download the fix.zip file (which is attached to this message) to your desktop. Unzip the fix.zip to your desktop.
Run the file fix.reg and allow to merge when prompted.
Then try if you can change the wallpaper/themes in the normal way.
If you can, restart the computer.
Then see if you can still change the wallpaper.
Let me know :bigthumb:
Hi Millsford,
I have been following this problem and may be back later to follow up.
We are going to share so if one or the other if us is here we can try to get some progress.
This:
If you have set the Classic theme, there will be no Icon next to your name.
The welcome screen is a common problem.
Check this page out:
http://www.petri.co.il/disable_the_welcome_screen_in_xp_pro.htm
I have been following this problem and may be back later to follow up.
We are going to share so if one or the other if us is here we can try to get some progress.
This:
If you have set the Classic theme, there will be no Icon next to your name.
The welcome screen is a common problem.
Check this page out:
http://www.petri.co.il/disable_the_welcome_screen_in_xp_pro.htm
Ok. Let's register a couple of files. I am not confident it's going to help. But it wont hurt. I have had no luck duplicating your exact issue. And I have fooled with a lot of files and registry entries.
Go to Start >Run
Copy and paste this command in and press enter:
regsvr32 /i shell32.dll
Wait for the success message.
Go to Start >Run
Copy and paste this command in and press enter:
regsvr32 /i themeui.dll
Wait for the success message.
Restart and see if there's any improvement.
Are you able to change your screensaver or background color? I want to see how bad this all is please.
Go to Start >Run
Copy and paste this command in and press enter:
regsvr32 /i shell32.dll
Wait for the success message.
Go to Start >Run
Copy and paste this command in and press enter:
regsvr32 /i themeui.dll
Wait for the success message.
Restart and see if there's any improvement.
Are you able to change your screensaver or background color? I want to see how bad this all is please.
After you have finished with the first set of directions and posted the results, I'd also like to see one more report:
Download Silent Runners from here:
http://www.silentrunners.org/Silent Runners.vbs
Save it to your C:\ drive.
So you should have c:\silent runners.vbs.
Click start> run> type: (or copy and paste in this line)
"c:\silent runners.vbs" -all
Click enter.
The popup you'll see tells you scan has started.
If you get script warning from your antivirus, please allow script to run. It is not dangerous.
Once complete it will tell you and creates a file in c:\ called "Startup Programs [computername/date/time]"
Post contents of log here.
You may need 2 posts to get entire contents of log in.
-----------
Then please run that registry export script again and we'll have a look to see if there are any changes.
Download Silent Runners from here:
http://www.silentrunners.org/Silent Runners.vbs
Save it to your C:\ drive.
So you should have c:\silent runners.vbs.
Click start> run> type: (or copy and paste in this line)
"c:\silent runners.vbs" -all
Click enter.
The popup you'll see tells you scan has started.
If you get script warning from your antivirus, please allow script to run. It is not dangerous.
Once complete it will tell you and creates a file in c:\ called "Startup Programs [computername/date/time]"
Post contents of log here.
You may need 2 posts to get entire contents of log in.
-----------
Then please run that registry export script again and we'll have a look to see if there are any changes.
"Silent Runners.vbs", revision 49, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Vidalia" = ""C:\Program Files\Vidalia\vidalia.exe"" [null data]
"updateMgr" = ""C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_7 -reboot 1" ["Adobe Systems Incorporated"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"HP Component Manager" = ""C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"" ["Hewlett-Packard Company"]
"HPDJ Taskbar Utility" = "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" ["HP"]
"NWEReboot" = "(empty string)" [file not found]
"Logitech Hardware Abstraction Layer" = "KHALMNPR.EXE" ["Logitech Inc."]
"(Default)" = "(empty string)" [file not found]
"Zone Labs Client" = ""C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs, LLC"]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"TXP" = "c:\program files\topthemesxp\txp.exe" [file not found]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{0CF0B8EE-6596-11D5-A98E-0003470BB48E}\(Default) = "CCHelper"
-> {HKLM...CLSID} = "CCHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll" [empty string]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0\bin\ssv.dll" ["Sun Microsystems, Inc."]
{AE7CD045-E861-484f-8273-0445EE161910}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Conversion Toolbar Helper"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Προέκταση εικονιδίου HyperTerminal"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{8F05B1A8-9D77-4B8F-AF54-6B2202066F95}" = "Pop-Up Stopper &Companion"
-> {HKLM...CLSID} = "Pop-Up Stopper &Companion"
\InProcServer32\(Default) = "C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll" [null data]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{4CCEFB41-18FA-11D3-9EF3-00A0C9E897FD}" = "CorelDRAW Shell Extension Component"
-> {HKLM...CLSID} = "CorelDRAW Shell Extension Component"
\InProcServer32\(Default) = "C:\Program Files\Corel\Graphics10\Draw\CdrViewer\CrlShell100.dll" ["Corel Corporation"]
"{59403EC0-EA55-11d5-954A-9A53884D6E09}" = "SecureDoc"
-> {HKLM...CLSID} = "SecureDoc"
\InProcServer32\(Default) = "C:\PROGRA~1\MSI\SECURE~1\SecDoc.dll" ["msi"]
"{AC0B5D2E-B691-4E12-A4F9-CA88492579A2}" = "Zinio Shell Extension"
-> {HKLM...CLSID} = "Zinio Magazine"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Zinio\ZShext.dll" ["Zinio Systems, Inc."]
"{A9AACA72-1C51-4F84-804D-90EDBA0D58F4}" = "Zinio Magazine Column Provider"
-> {HKLM...CLSID} = "MyMagazinesColumn Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Zinio\ZShext.dll" ["Zinio Systems, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
-> {HKLM...CLSID} = "AlcoholShellEx"
\InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\axshlex.dll" ["Alcohol Soft Development Team"]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
-> {HKLM...CLSID} = "NeroDigitalIconHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
-> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}" = "PowerISO"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "C:\Program Files\PowerISO\PowerISOShell.dll" ["PowerISO Computing, Inc."]
"{A5110426-177D-4e08-AB3F-785F10B4439C}" = "Sony Ericsson File Manager"
-> {HKLM...CLSID} = "Sony Ericsson File Manager"
\InProcServer32\(Default) = "C:\Program Files\Sony Ericsson\Mobile\File Manager\fmgrgui.dll" ["Sony Ericsson Mobile Communications AB"]
"{79BC0345-1015-11D2-A299-006008312725}" = "blue.shell"
-> {HKLM...CLSID} = "Studio.Project"
\InProcServer32\(Default) = "C:\Program Files\Pinnacle\Studio 10\programs\BlueShellExt.dll" [file not found]
"{6af09ec9-b429-11d4-a1fb-0090960218cb}" = "My Bluetooth Places"
-> {HKLM...CLSID} = "My Bluetooth Places"
\InProcServer32\(Default) = "C:\WINDOWS\system32\btneighborhood.dll" ["Broadcom Corporation"]
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
"{D9872D13-7651-4471-9EEE-F0A00218BEBB}" = "Multiscan"
-> {HKLM...CLSID} = "ZLAVShExt Class"
\InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{A965C8E0-54A7-11D6-BF08-00079500BB23}" = "ZipZag Shell extension"
-> {HKLM...CLSID} = "ZipZag Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\ZipZag\zipzagcm.dll" [null data]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["Anti-Malware Development a.s."]
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> LBTServ\DLLName = "C:\Program Files\Common Files\Logitech\Bluetooth\lbtserv.dll" ["Logitech Inc."]
HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]
HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
-> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
{A9AACA72-1C51-4F84-804D-90EDBA0D58F4}\(Default) = "Zinio Magazine Column Provider"
-> {HKLM...CLSID} = "MyMagazinesColumn Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Zinio\ZShext.dll" ["Zinio Systems, Inc."]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
HexWorkshopContextMenu\(Default) = "{DB34D5DC-D41A-482E-A5EF-8FA0F88761DA}"
-> {HKLM...CLSID} = "Hex Workshop Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\BreakPoint Software\Hex Workshop 4.2\hwext.dll" ["BreakPoint Software, Inc."]
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "C:\Program Files\PowerISO\PowerISOShell.dll" ["PowerISO Computing, Inc."]
SecureDocMenu\(Default) = "{59403EC0-EA55-11d5-954A-9A53884D6E09}"
-> {HKLM...CLSID} = "SecureDoc"
\InProcServer32\(Default) = "C:\PROGRA~1\MSI\SECURE~1\SecDoc.dll" ["msi"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
ZipZag\(Default) = "{A965C8E0-54A7-11D6-BF08-00079500BB23}"
-> {HKLM...CLSID} = "ZipZag Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\ZipZag\zipzagcm.dll" [null data]
ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
-> {HKLM...CLSID} = "ZLAVShExt Class"
\InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Vidalia" = ""C:\Program Files\Vidalia\vidalia.exe"" [null data]
"updateMgr" = ""C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_7 -reboot 1" ["Adobe Systems Incorporated"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"HP Component Manager" = ""C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"" ["Hewlett-Packard Company"]
"HPDJ Taskbar Utility" = "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" ["HP"]
"NWEReboot" = "(empty string)" [file not found]
"Logitech Hardware Abstraction Layer" = "KHALMNPR.EXE" ["Logitech Inc."]
"(Default)" = "(empty string)" [file not found]
"Zone Labs Client" = ""C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs, LLC"]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"TXP" = "c:\program files\topthemesxp\txp.exe" [file not found]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{0CF0B8EE-6596-11D5-A98E-0003470BB48E}\(Default) = "CCHelper"
-> {HKLM...CLSID} = "CCHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll" [empty string]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0\bin\ssv.dll" ["Sun Microsystems, Inc."]
{AE7CD045-E861-484f-8273-0445EE161910}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Conversion Toolbar Helper"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Προέκταση εικονιδίου HyperTerminal"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{8F05B1A8-9D77-4B8F-AF54-6B2202066F95}" = "Pop-Up Stopper &Companion"
-> {HKLM...CLSID} = "Pop-Up Stopper &Companion"
\InProcServer32\(Default) = "C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll" [null data]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{4CCEFB41-18FA-11D3-9EF3-00A0C9E897FD}" = "CorelDRAW Shell Extension Component"
-> {HKLM...CLSID} = "CorelDRAW Shell Extension Component"
\InProcServer32\(Default) = "C:\Program Files\Corel\Graphics10\Draw\CdrViewer\CrlShell100.dll" ["Corel Corporation"]
"{59403EC0-EA55-11d5-954A-9A53884D6E09}" = "SecureDoc"
-> {HKLM...CLSID} = "SecureDoc"
\InProcServer32\(Default) = "C:\PROGRA~1\MSI\SECURE~1\SecDoc.dll" ["msi"]
"{AC0B5D2E-B691-4E12-A4F9-CA88492579A2}" = "Zinio Shell Extension"
-> {HKLM...CLSID} = "Zinio Magazine"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Zinio\ZShext.dll" ["Zinio Systems, Inc."]
"{A9AACA72-1C51-4F84-804D-90EDBA0D58F4}" = "Zinio Magazine Column Provider"
-> {HKLM...CLSID} = "MyMagazinesColumn Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Zinio\ZShext.dll" ["Zinio Systems, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
-> {HKLM...CLSID} = "AlcoholShellEx"
\InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\axshlex.dll" ["Alcohol Soft Development Team"]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
-> {HKLM...CLSID} = "NeroDigitalIconHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
-> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}" = "PowerISO"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "C:\Program Files\PowerISO\PowerISOShell.dll" ["PowerISO Computing, Inc."]
"{A5110426-177D-4e08-AB3F-785F10B4439C}" = "Sony Ericsson File Manager"
-> {HKLM...CLSID} = "Sony Ericsson File Manager"
\InProcServer32\(Default) = "C:\Program Files\Sony Ericsson\Mobile\File Manager\fmgrgui.dll" ["Sony Ericsson Mobile Communications AB"]
"{79BC0345-1015-11D2-A299-006008312725}" = "blue.shell"
-> {HKLM...CLSID} = "Studio.Project"
\InProcServer32\(Default) = "C:\Program Files\Pinnacle\Studio 10\programs\BlueShellExt.dll" [file not found]
"{6af09ec9-b429-11d4-a1fb-0090960218cb}" = "My Bluetooth Places"
-> {HKLM...CLSID} = "My Bluetooth Places"
\InProcServer32\(Default) = "C:\WINDOWS\system32\btneighborhood.dll" ["Broadcom Corporation"]
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
"{D9872D13-7651-4471-9EEE-F0A00218BEBB}" = "Multiscan"
-> {HKLM...CLSID} = "ZLAVShExt Class"
\InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{A965C8E0-54A7-11D6-BF08-00079500BB23}" = "ZipZag Shell extension"
-> {HKLM...CLSID} = "ZipZag Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\ZipZag\zipzagcm.dll" [null data]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["Anti-Malware Development a.s."]
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> LBTServ\DLLName = "C:\Program Files\Common Files\Logitech\Bluetooth\lbtserv.dll" ["Logitech Inc."]
HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]
HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
-> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
{A9AACA72-1C51-4F84-804D-90EDBA0D58F4}\(Default) = "Zinio Magazine Column Provider"
-> {HKLM...CLSID} = "MyMagazinesColumn Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Zinio\ZShext.dll" ["Zinio Systems, Inc."]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
HexWorkshopContextMenu\(Default) = "{DB34D5DC-D41A-482E-A5EF-8FA0F88761DA}"
-> {HKLM...CLSID} = "Hex Workshop Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\BreakPoint Software\Hex Workshop 4.2\hwext.dll" ["BreakPoint Software, Inc."]
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "C:\Program Files\PowerISO\PowerISOShell.dll" ["PowerISO Computing, Inc."]
SecureDocMenu\(Default) = "{59403EC0-EA55-11d5-954A-9A53884D6E09}"
-> {HKLM...CLSID} = "SecureDoc"
\InProcServer32\(Default) = "C:\PROGRA~1\MSI\SECURE~1\SecDoc.dll" ["msi"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
ZipZag\(Default) = "{A965C8E0-54A7-11D6-BF08-00079500BB23}"
-> {HKLM...CLSID} = "ZipZag Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\ZipZag\zipzagcm.dll" [null data]
ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
-> {HKLM...CLSID} = "ZLAVShExt Class"
\InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "C:\Program Files\PowerISO\PowerISOShell.dll" ["PowerISO Computing, Inc."]
SecureDocMenu\(Default) = "{59403EC0-EA55-11d5-954A-9A53884D6E09}"
-> {HKLM...CLSID} = "SecureDoc"
\InProcServer32\(Default) = "C:\PROGRA~1\MSI\SECURE~1\SecDoc.dll" ["msi"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
ZipZag\(Default) = "{A965C8E0-54A7-11D6-BF08-00079500BB23}"
-> {HKLM...CLSID} = "ZipZag Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\ZipZag\zipzagcm.dll" [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
FineReader\(Default) = "{AC0DD14A-8F29-4F88-BE1D-0F0ED1B06C9F}"
-> {HKLM...CLSID} = "FineReaderExplorerContextMenuHandler"
\InProcServer32\(Default) = "c:\program files\abbyy finereader 7.0 professional edition\fecmenu.dll" ["ABBYY (BIT Software)"]
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "C:\Program Files\PowerISO\PowerISOShell.dll" ["PowerISO Computing, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
-> {HKLM...CLSID} = "ZLAVShExt Class"
\InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]
Default executables:
--------------------
<<!>> HKLM\Software\Classes\htafile\shell\open\command\(Default) = "NOTEPAD.EXE %1" [MS]
<<!>> HKLM\Software\Classes\scrfile\shell\open\command\(Default) = "NOTEPAD.EXE %1" [MS]
Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------
Note: detected settings may not have any effect.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}
Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\ss3dfo.scr" [MS]
Startup items in "adminX2" & "All Users" startup folders:
---------------------------------------------------------
C:\Documents and Settings\All Users\Start Menu\Προγράμματα\Εκκίνηση
"BTTray" -> shortcut to: "C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe" ["Broadcom Corporation"]
"Logitech SetPoint" -> shortcut to: "C:\Program Files\Logitech\SetPoint\SetPoint.exe" ["Logitech Inc."]
"NETGEAR WG311v2 Smart Configuration" -> shortcut to: "C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe /HIDE" [empty string]
"Privoxy" -> shortcut to: "C:\Program Files\Privoxy\privoxy.exe" ["The Privoxy team - www.privoxy.org"]
Enabled Scheduled Tasks:
------------------------
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]
"User_Feed_Synchronization-{EB7B6756-B3E1-45F1-9B8C-BB1B7BED1CB0}" -> launches: "C:\WINDOWS\system32\msfeedssync.exe sync" [MS]
"XoftSpy" -> launches: "C:\Program Files\XoftSpy\XoftSpy.exe -t" ["ParetoLogic Inc."]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\WINDOWS\system32\ZoneLabs\vetredir.dll ["Computer Associates International, Inc."], 01 - 03, 09
%SystemRoot%\system32\mswsock.dll [MS], 04 - 06, 10 - 21
%SystemRoot%\system32\rsvpsp.dll [MS], 07 - 08
Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{8F05B1A8-9D77-4B8F-AF54-6B2202066F95}" = (no title provided)
-> {HKLM...CLSID} = "Pop-Up Stopper &Companion"
\InProcServer32\(Default) = "C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll" [null data]
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]
Explorer Bars
HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
HKLM\Software\Classes\CLSID\{182EC0BE-5110-49C8-A062-BEB1D02A220B}\(Default) = "Adobe PDF"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]
HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC}"
-> {HKLM...CLSID} = "Java Plug-in 1.6.0"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll" ["Sun Microsystems, Inc."]
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"
{CCA281CA-C863-46EF-9331-5C8D4460577F}\
"ButtonText" = "@btrez.dll,-4015"
"MenuText" = "@btrez.dll,-4017"
"Script" = "C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm" [null data]
{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["Anti-Malware Development a.s."]
Bluetooth Service, btwdins, "C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe" ["Broadcom Corporation"]
CA ISafe, CAISafe, "C:\WINDOWS\system32\ZoneLabs\isafe.exe" ["Computer Associates International, Inc."]
InCD Helper, InCDsrv, "C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe" ["Nero AG"]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
StarWind iSCSI Service, StarWindService, "C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe" ["Rocket Division Software"]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]
Ulead Burning Helper, UleadBurningHelper, "C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe" ["Ulead Systems, Inc."]
Winpower, Winpower, "C:\PROGRA~1\UpsPilot\Winpower.exe -zglaxservice Winpower" ["ZeroG Software"]
Winpowermonitor, Winpowermonitor, "C:\PROGRA~1\UpsPilot\monitor.exe -zglaxservice Winpowermonitor" ["ZeroG Software"]
WinpowerRMI, WinpowerRMI, "C:\PROGRA~1\UpsPilot\wpRMI.exe -zglaxservice WinpowerRMI" ["ZeroG Software"]
Print Monitors:
---------------
HKLM\System\CurrentControlSet\Control\Print\Monitors\
Adobe PDF Port\Driver = "C:\WINDOWS\system32\AdobePDF.dll" ["Adobe Systems Incorporated."]
Bluetooth Printer Port\Driver = "bthcrp.dll" ["Broadcom Corporation"]
HP Master Monitor\Driver = "HPBMMON.DLL" ["Hewlett-Packard"]
hpzlnt10\Driver = "hpzlnt10.dll" ["HP"]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
NETGEAR FR Print Server\Driver = "NgSharedPort.dll" [null data]
----------
<<!>>: Suspicious data at a malware launch point.
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 31 seconds)
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "C:\Program Files\PowerISO\PowerISOShell.dll" ["PowerISO Computing, Inc."]
SecureDocMenu\(Default) = "{59403EC0-EA55-11d5-954A-9A53884D6E09}"
-> {HKLM...CLSID} = "SecureDoc"
\InProcServer32\(Default) = "C:\PROGRA~1\MSI\SECURE~1\SecDoc.dll" ["msi"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
ZipZag\(Default) = "{A965C8E0-54A7-11D6-BF08-00079500BB23}"
-> {HKLM...CLSID} = "ZipZag Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\ZipZag\zipzagcm.dll" [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
FineReader\(Default) = "{AC0DD14A-8F29-4F88-BE1D-0F0ED1B06C9F}"
-> {HKLM...CLSID} = "FineReaderExplorerContextMenuHandler"
\InProcServer32\(Default) = "c:\program files\abbyy finereader 7.0 professional edition\fecmenu.dll" ["ABBYY (BIT Software)"]
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "C:\Program Files\PowerISO\PowerISOShell.dll" ["PowerISO Computing, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
-> {HKLM...CLSID} = "ZLAVShExt Class"
\InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]
Default executables:
--------------------
<<!>> HKLM\Software\Classes\htafile\shell\open\command\(Default) = "NOTEPAD.EXE %1" [MS]
<<!>> HKLM\Software\Classes\scrfile\shell\open\command\(Default) = "NOTEPAD.EXE %1" [MS]
Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------
Note: detected settings may not have any effect.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}
Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\ss3dfo.scr" [MS]
Startup items in "adminX2" & "All Users" startup folders:
---------------------------------------------------------
C:\Documents and Settings\All Users\Start Menu\Προγράμματα\Εκκίνηση
"BTTray" -> shortcut to: "C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe" ["Broadcom Corporation"]
"Logitech SetPoint" -> shortcut to: "C:\Program Files\Logitech\SetPoint\SetPoint.exe" ["Logitech Inc."]
"NETGEAR WG311v2 Smart Configuration" -> shortcut to: "C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe /HIDE" [empty string]
"Privoxy" -> shortcut to: "C:\Program Files\Privoxy\privoxy.exe" ["The Privoxy team - www.privoxy.org"]
Enabled Scheduled Tasks:
------------------------
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]
"User_Feed_Synchronization-{EB7B6756-B3E1-45F1-9B8C-BB1B7BED1CB0}" -> launches: "C:\WINDOWS\system32\msfeedssync.exe sync" [MS]
"XoftSpy" -> launches: "C:\Program Files\XoftSpy\XoftSpy.exe -t" ["ParetoLogic Inc."]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\WINDOWS\system32\ZoneLabs\vetredir.dll ["Computer Associates International, Inc."], 01 - 03, 09
%SystemRoot%\system32\mswsock.dll [MS], 04 - 06, 10 - 21
%SystemRoot%\system32\rsvpsp.dll [MS], 07 - 08
Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{8F05B1A8-9D77-4B8F-AF54-6B2202066F95}" = (no title provided)
-> {HKLM...CLSID} = "Pop-Up Stopper &Companion"
\InProcServer32\(Default) = "C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll" [null data]
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]
Explorer Bars
HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
HKLM\Software\Classes\CLSID\{182EC0BE-5110-49C8-A062-BEB1D02A220B}\(Default) = "Adobe PDF"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]
HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC}"
-> {HKLM...CLSID} = "Java Plug-in 1.6.0"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll" ["Sun Microsystems, Inc."]
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"
{CCA281CA-C863-46EF-9331-5C8D4460577F}\
"ButtonText" = "@btrez.dll,-4015"
"MenuText" = "@btrez.dll,-4017"
"Script" = "C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm" [null data]
{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["Anti-Malware Development a.s."]
Bluetooth Service, btwdins, "C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe" ["Broadcom Corporation"]
CA ISafe, CAISafe, "C:\WINDOWS\system32\ZoneLabs\isafe.exe" ["Computer Associates International, Inc."]
InCD Helper, InCDsrv, "C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe" ["Nero AG"]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
StarWind iSCSI Service, StarWindService, "C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe" ["Rocket Division Software"]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]
Ulead Burning Helper, UleadBurningHelper, "C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe" ["Ulead Systems, Inc."]
Winpower, Winpower, "C:\PROGRA~1\UpsPilot\Winpower.exe -zglaxservice Winpower" ["ZeroG Software"]
Winpowermonitor, Winpowermonitor, "C:\PROGRA~1\UpsPilot\monitor.exe -zglaxservice Winpowermonitor" ["ZeroG Software"]
WinpowerRMI, WinpowerRMI, "C:\PROGRA~1\UpsPilot\wpRMI.exe -zglaxservice WinpowerRMI" ["ZeroG Software"]
Print Monitors:
---------------
HKLM\System\CurrentControlSet\Control\Print\Monitors\
Adobe PDF Port\Driver = "C:\WINDOWS\system32\AdobePDF.dll" ["Adobe Systems Incorporated."]
Bluetooth Printer Port\Driver = "bthcrp.dll" ["Broadcom Corporation"]
HP Master Monitor\Driver = "HPBMMON.DLL" ["Hewlett-Packard"]
hpzlnt10\Driver = "hpzlnt10.dll" ["HP"]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
NETGEAR FR Print Server\Driver = "NgSharedPort.dll" [null data]
----------
<<!>>: Suspicious data at a malware launch point.
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 31 seconds)
Millslord,
This is an operating system issue. I think you either have a registry permissions problem or a file problem. Missing or corrupted support files.
or possibly in themeui.dll itself. It's the kind if thing which is hard to track down. The fact that you successfully registered shell32.dll makes me wonder. Registry permissions should have had an effect on that. But you never know.
Find the hidden dllcache folder in system32
Copy themeui.dll from the dllcache to system32. Don't move it, this is a backup and you may need it in the future.
Reboot the system. Try registering themeui.dll again and also have a look at display properties to see if it now works.
------------------------
Let me know.
If you still have the prolbem, and you probably will:
The first think I would like to do is to try to register themeui.dll under system auspices to see if that succeeds. This is a test only.
This is step 1 only.
Download and save the attachment. Then unzip it. It contains a file named Date Add cmd.vbs
Look at your clock in systray. When the minute turns over, double click on
Date Add cmd.vbs
If you get a malicious script warning, please allow this to run. It is not malicious. This is going to set a task to run a special command prompt ast the next minute.
Wait a minute for the command to open. It will take until the minute turns over again. ***The Schedule service must be running for this to work.
Then right click in that command and paste in this command again:
regsvr32 /i themeui.dll
Do you still get any error message?
Even if successful, this will not fix your problem if it is permissions. But it may point us to something.
-----------
Step 2 in this diagnostic is a look at Event Viewer.
I'd like to look at your Event logs too.
Can you run
Eventvwr.msc
When Event Viewer opens Right click on Application and click
Save Log file as And give the file a name like apps. Leave the file type alone.
By default it will save as .evt
Find apps.evt and email it to me as an attachment please.
Do the same for system Right click on system and save the log file as sys.evt
I'll load these files into my event viewer and see if there are any clues.
My email is Katie_3232AThotmail.com
Replace the AT with an @ for the email to work please.
-------------------------
For now, we won't be using this next utility, but we may later.
Please go here :
http://www.microsoft.com/technet/sysinternals/utilities/regmon.mspx
Download Regmon.zip and then unzip it to someplace easy to find.
We'll use it to do a monitor of regsvr32 themeui /i and look for Access denied messages in the log.
This is an operating system issue. I think you either have a registry permissions problem or a file problem. Missing or corrupted support files.
or possibly in themeui.dll itself. It's the kind if thing which is hard to track down. The fact that you successfully registered shell32.dll makes me wonder. Registry permissions should have had an effect on that. But you never know.
Find the hidden dllcache folder in system32
Copy themeui.dll from the dllcache to system32. Don't move it, this is a backup and you may need it in the future.
Reboot the system. Try registering themeui.dll again and also have a look at display properties to see if it now works.
------------------------
Let me know.
If you still have the prolbem, and you probably will:
The first think I would like to do is to try to register themeui.dll under system auspices to see if that succeeds. This is a test only.
This is step 1 only.
Download and save the attachment. Then unzip it. It contains a file named Date Add cmd.vbs
Look at your clock in systray. When the minute turns over, double click on
Date Add cmd.vbs
If you get a malicious script warning, please allow this to run. It is not malicious. This is going to set a task to run a special command prompt ast the next minute.
Wait a minute for the command to open. It will take until the minute turns over again. ***The Schedule service must be running for this to work.
Then right click in that command and paste in this command again:
regsvr32 /i themeui.dll
Do you still get any error message?
Even if successful, this will not fix your problem if it is permissions. But it may point us to something.
-----------
Step 2 in this diagnostic is a look at Event Viewer.
I'd like to look at your Event logs too.
Can you run
Eventvwr.msc
When Event Viewer opens Right click on Application and click
Save Log file as And give the file a name like apps. Leave the file type alone.
By default it will save as .evt
Find apps.evt and email it to me as an attachment please.
Do the same for system Right click on system and save the log file as sys.evt
I'll load these files into my event viewer and see if there are any clues.
My email is Katie_3232AThotmail.com
Replace the AT with an @ for the email to work please.
-------------------------
For now, we won't be using this next utility, but we may later.
Please go here :
http://www.microsoft.com/technet/sysinternals/utilities/regmon.mspx
Download Regmon.zip and then unzip it to someplace easy to find.
We'll use it to do a monitor of regsvr32 themeui /i and look for Access denied messages in the log.
Last edited: