Tech Support Forum - View Single Post - google redirects/ibm300002.exe error and cant run trend micro w/o error

atcgman · 10-10-2006, 12:19 AM

Hi,

Trend Micro used to run fine on my sysytem did they change it so it'
would not run on ME?

anyway here is the silent runners log

"Silent Runners.vbs", revision 48, http://www.silentrunners.org/
Operating System: Windows Me (Millennium Edition)
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATI Launchpad" = (empty string)
"systemtray" = (empty string)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"TaskMonitor" = "C:\WINDOWS\taskmon.exe" [MS]
"systemtray" = (empty string)
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"OEMRUNONCE" = "c:\windows\options\cabs\oemrun.exe" [MS]
"Hot Key Kbd 9910 Daemon" = "SK9910DM.EXE" ["Silitek Corporation"]
"AtiPTA" = "atiptaxx.exe" ["ATI Technologies, Inc."]
"WorksFUD" = "C:\Program Files\Microsoft Works\wkfud.exe" ["Microsoft® Corporation"]
"ScanRegistry" = "C:\WINDOWS\scanregw.exe /autorun" [MS]
"AVG7_AMSVR" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE" ["GRISOFT, s.r.o."]
"AVG7_CC" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP" ["GRISOFT, s.r.o."]
"AVG7_EMC" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE" ["GRISOFT, s.r.o."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++}
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"GoBack Polling Service" = "C:\Program Files\Roxio\GoBack\GBPoll.exe" ["Roxio, Inc."]
"ATISmart" = "C:\WINDOWS\SYSTEM\ati2s9ag.exe" [" "]
"StillImageMonitor" = "C:\WINDOWS\SYSTEM\STIMON.EXE" [MS]
"KB891711" = "C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE" [MS]
"KB918547" = "C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE" [MS]
"*StateMgr" = "C:\WINDOWS\System\Restore\StateMgr.exe" [MS]

HKLM\Software\Microsoft\Active Setup\Installed Components\
PerUser_CVT_Inis\(Default) = "Windows Setup - FAT32 Converter"
\StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 C:\WINDOWS\INF\applets1.inf" [MS]
PerUser_Enable_Inis\(Default) = "Windows Setup - Accessibility"
\StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Enable_Inis_remove 64 C:\WINDOWS\INF\enable.inf" [MS]
PerUser_Wingames_Inis\(Default) = "Windows Setup - Classic Games"
\StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Wingames_Rem_Inis 64 C:\WINDOWS\INF\games.inf" [MS]
PerUser_ZoneGame_Inis\(Default) = "Windows Setup - Internet Games"
\StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_ZoneGame_Rem_Inis 64 C:\WINDOWS\INF\games.inf" [MS]
PerUser_PBGame_Inis\(Default) = "Windows Setup - Plus! Games"
\StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_PBGame_Rem_Inis 64 C:\WINDOWS\INF\games.inf" [MS]
PerUser_Onlinelnks_Inis\(Default) = "Windows Setup - HyperTerminal"
\StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Onlinelnks_Inis_remove 64 C:\WINDOWS\INF\appletpp.inf" [MS]
PerUser_Dialer_Inis\(Default) = "Windows Setup - Phone Dialer"
\StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Dialer_Inis_remove 64 C:\WINDOWS\INF\appletpp.inf" [MS]
{44BBA842-CC51-11CF-AAFA-00AA00B6015C}\(Default) = "NetMeeting 3.01"
\StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Remove.PerUser.W95" [MS]
OlsAolPerUser\(Default) = "Windows Setup - America Online"
\StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsAolPerUserRemove 64 C:\WINDOWS\INF\ols.inf" [MS]
OlsAttPerUser\(Default) = "Windows Setup - AT&T WorldNet Service"
\StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsAttPerUserRemove 64 C:\WINDOWS\INF\ols.inf" [MS]
OlsProdigyPerUser\(Default) = "Windows Setup - Prodigy Internet"
\StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsProdigyPerUserRemove 64 C:\WINDOWS\INF\ols.inf" [MS]
OlsEarthlinkPerUser\(Default) = "Windows Setup - Earthlink Internet"
\StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsEarthlinkPerUserRemove 64 C:\WINDOWS\INF\ols.inf" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec Directcd Shell Extension"
-> {HKLM...CLSID} = "Adaptec Directcd Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adaptec\DirectCD\shellex.dll" ["Adaptec"]
"{6809e580-a3a7-11d1-9a00-00a0c945b006}" = "GoBack Shell Extension"
-> {HKLM...CLSID} = "GoBack Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Roxio\GoBack\ShellExt.dll" ["Roxio, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\PROGRAM FILES\REAL\REALPLAYER\RPSHELL.DLL" ["RealNetworks, Inc."]
"{6af09ec9-b429-11d4-a1fb-0090960218cb}" = "My Bluetooth Places"
-> {HKLM...CLSID} = "My Bluetooth Places"
\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\BTNEIGHBORHOOD.DLL" ["Broadcom Corporation."]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {HKLM...CLSID} = "AVG7 Find Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{6809e580-a3a7-11d1-9a00-00a0c945b006}" = "GoBack Shell Extension"
-> {HKLM...CLSID} = "GoBack Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Roxio\GoBack\ShellExt.dll" ["Roxio, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
GoBack\(Default) = "{6809e580-a3a7-11d1-9a00-00a0c945b006}"
-> {HKLM...CLSID} = "GoBack Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Roxio\GoBack\ShellExt.dll" ["Roxio, Inc."]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

Active Desktop and Wallpaper:
-----------------------------

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"

WIN.INI & SYSTEM.INI launch points:
-----------------------------------

SYSTEM.INI
[boot]
"SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\MYPICT~1.SCR" (My Pictures Screen Saver.scr) [MS]

Startup items in "Startup" & "All Users...Startup" folders:
-----------------------------------------------------------

C:\WINDOWS\Start Menu\Programs\StartUp
"SpywareGuard" -> shortcut to: "C:\Program Files\SpywareGuard\sgmain.exe" [null data]

Enabled Scheduled Tasks:
------------------------

"Tune-up Application Start" -> launches: "walign" [MS]
"ISP signup reminder 1" -> launches: "C:\WINDOWS\SYSTEM\OOBE\MSOOBE.EXE /s /1" [MS]
"lily *****all anal sucker-3" -> launches: "C:\TEMP\Temp2\FAV\lily *****all anal sucker-3.rm" [file not found]
"lily suspended intruder-2" -> launches: "C:\TEMP\Temp2\FAV\lily suspended intruder-2.rm" [file not found]
"nikki deep doggy1" -> launches: "C:\TEMP\Temp2\FAV\nikki deep doggy1.rm" [file not found]
"nikki violater5" -> launches: "C:\TEMP\Temp2\FAV\nikki violater5.rm" [file not found]
"scotti nipple suck 02" -> launches: "C:\TEMP\Temp2\FAV\scotti nipple suck 02.rm" [file not found]
"scotti nipple suck 03" -> launches: "C:\TEMP\Temp2\FAV\scotti nipple suck 03.rm" [file not found]
"scotti ***** suck" -> launches: "C:\TEMP\Temp2\FAV\scotti ***** suck.rm" [file not found]
"scotti violate and suck 03" -> launches: "C:\TEMP\Temp2\FAV\scotti violate and suck 03.rm" [file not found]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "C:\WINDOWS\SYSTEM\rnr20.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
C:\WINDOWS\SYSTEM\mswsosp.dll [MS], 1
C:\WINDOWS\SYSTEM\msafd.dll [MS], 2 - 4
C:\WINDOWS\SYSTEM\rsvpsp.dll [MS], 5 - 6

Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{85D1F590-48F4-11D9-9669-0800200C9A66}\
"MenuText" = "Uninstall BitDefender Online Scanner v8"
"Exec" = "%windir%\bdoscandel.exe" [null data]

Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://gateway.yahoo.com
[Strings]: MS_START_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=5.5&ar=msnhome"

Missing lines (compared with English-language version):
[Strings]: 2 lines

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\
HIJACK WARNING! "blank*" = "http://66.40.16.201/lng/" [file not found]

HOSTS file
----------

C:\WINDOWS\HOSTS

maps: 13 domain names to IP addresses,
12 of the IP addresses are *not* localhost!

Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Bluetooth Printer Port\Driver = "bthcrp98.dll" ["Broadcom Corporation."]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 7 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 11 seconds.
---------- (total run time: 30 seconds)

10-10-2006, 12:19 AM	#26 (permalink)
atcgman Registered User Join Date: Sep 2006 Posts: 98 OS: windows vista	Silent runners Log Hi, Trend Micro used to run fine on my sysytem did they change it so it' would not run on ME? anyway here is the silent runners log "Silent Runners.vbs", revision 48, http://www.silentrunners.org/ Operating System: Windows Me (Millennium Edition) Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "ATI Launchpad" = (empty string) "systemtray" = (empty string) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "TaskMonitor" = "C:\WINDOWS\taskmon.exe" [MS] "systemtray" = (empty string) "LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS] "OEMRUNONCE" = "c:\windows\options\cabs\oemrun.exe" [MS] "Hot Key Kbd 9910 Daemon" = "SK9910DM.EXE" ["Silitek Corporation"] "AtiPTA" = "atiptaxx.exe" ["ATI Technologies, Inc."] "WorksFUD" = "C:\Program Files\Microsoft Works\wkfud.exe" ["Microsoft® Corporation"] "ScanRegistry" = "C:\WINDOWS\scanregw.exe /autorun" [MS] "AVG7_AMSVR" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE" ["GRISOFT, s.r.o."] "AVG7_CC" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP" ["GRISOFT, s.r.o."] "AVG7_EMC" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE" ["GRISOFT, s.r.o."] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++} "LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS] "GoBack Polling Service" = "C:\Program Files\Roxio\GoBack\GBPoll.exe" ["Roxio, Inc."] "ATISmart" = "C:\WINDOWS\SYSTEM\ati2s9ag.exe" [" "] "StillImageMonitor" = "C:\WINDOWS\SYSTEM\STIMON.EXE" [MS] "KB891711" = "C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE" [MS] "KB918547" = "C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE" [MS] "StateMgr" = "C:\WINDOWS\System\Restore\StateMgr.exe" [MS] HKLM\Software\Microsoft\Active Setup\Installed Components\ PerUser_CVT_Inis\(Default) = "Windows Setup - FAT32 Converter" \StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 C:\WINDOWS\INF\applets1.inf" [MS] PerUser_Enable_Inis\(Default) = "Windows Setup - Accessibility" \StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Enable_Inis_remove 64 C:\WINDOWS\INF\enable.inf" [MS] PerUser_Wingames_Inis\(Default) = "Windows Setup - Classic Games" \StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Wingames_Rem_Inis 64 C:\WINDOWS\INF\games.inf" [MS] PerUser_ZoneGame_Inis\(Default) = "Windows Setup - Internet Games" \StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_ZoneGame_Rem_Inis 64 C:\WINDOWS\INF\games.inf" [MS] PerUser_PBGame_Inis\(Default) = "Windows Setup - Plus! Games" \StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_PBGame_Rem_Inis 64 C:\WINDOWS\INF\games.inf" [MS] PerUser_Onlinelnks_Inis\(Default) = "Windows Setup - HyperTerminal" \StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Onlinelnks_Inis_remove 64 C:\WINDOWS\INF\appletpp.inf" [MS] PerUser_Dialer_Inis\(Default) = "Windows Setup - Phone Dialer" \StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Dialer_Inis_remove 64 C:\WINDOWS\INF\appletpp.inf" [MS] {44BBA842-CC51-11CF-AAFA-00AA00B6015C}\(Default) = "NetMeeting 3.01" \StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Remove.PerUser.W95" [MS] OlsAolPerUser\(Default) = "Windows Setup - America Online" \StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsAolPerUserRemove 64 C:\WINDOWS\INF\ols.inf" [MS] OlsAttPerUser\(Default) = "Windows Setup - AT&T WorldNet Service" \StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsAttPerUserRemove 64 C:\WINDOWS\INF\ols.inf" [MS] OlsProdigyPerUser\(Default) = "Windows Setup - Prodigy Internet" \StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsProdigyPerUserRemove 64 C:\WINDOWS\INF\ols.inf" [MS] OlsEarthlinkPerUser\(Default) = "Windows Setup - Earthlink Internet" \StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsEarthlinkPerUserRemove 64 C:\WINDOWS\INF\ols.inf" [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided) -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL" ["Safer Networking Limited"] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec Directcd Shell Extension" -> {HKLM...CLSID} = "Adaptec Directcd Shell Extension" \InProcServer32\(Default) = "C:\Program Files\Adaptec\DirectCD\shellex.dll" ["Adaptec"] "{6809e580-a3a7-11d1-9a00-00a0c945b006}" = "GoBack Shell Extension" -> {HKLM...CLSID} = "GoBack Shell Extension" \InProcServer32\(Default) = "C:\Program Files\Roxio\GoBack\ShellExt.dll" ["Roxio, Inc."] "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player" -> {HKLM...CLSID} = "RealOne Player Context Menu Class" \InProcServer32\(Default) = "C:\PROGRAM FILES\REAL\REALPLAYER\RPSHELL.DLL" ["RealNetworks, Inc."] "{6af09ec9-b429-11d4-a1fb-0090960218cb}" = "My Bluetooth Places" -> {HKLM...CLSID} = "My Bluetooth Places" \InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\BTNEIGHBORHOOD.DLL" ["Broadcom Corporation."] "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension" -> {HKLM...CLSID} = "AVG7 Shell Extension Class" \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."] "{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension" -> {HKLM...CLSID} = "AVG7 Find Extension Class" \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ INFECTION WARNING! "{6809e580-a3a7-11d1-9a00-00a0c945b006}" = "GoBack Shell Extension" -> {HKLM...CLSID} = "GoBack Shell Extension" \InProcServer32\(Default) = "C:\Program Files\Roxio\GoBack\ShellExt.dll" ["Roxio, Inc."] HKLM\Software\Classes\\shellex\ContextMenuHandlers\ WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}" -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."] GoBack\(Default) = "{6809e580-a3a7-11d1-9a00-00a0c945b006}" -> {HKLM...CLSID} = "GoBack Shell Extension" \InProcServer32\(Default) = "C:\Program Files\Roxio\GoBack\ShellExt.dll" ["Roxio, Inc."] AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" -> {HKLM...CLSID} = "AVG7 Shell Extension Class" \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}" -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}" -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."] AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" -> {HKLM...CLSID} = "AVG7 Shell Extension Class" \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."] Active Desktop and Wallpaper: ----------------------------- Active Desktop is enabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ "Wallpaper" = "C:\WINDOWS\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp" WIN.INI & SYSTEM.INI launch points: ----------------------------------- SYSTEM.INI [boot] "SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\MYPICT~1.SCR" (My Pictures Screen Saver.scr) [MS] Startup items in "Startup" & "All Users...Startup" folders: ----------------------------------------------------------- C:\WINDOWS\Start Menu\Programs\StartUp "SpywareGuard" -> shortcut to: "C:\Program Files\SpywareGuard\sgmain.exe" [null data] Enabled Scheduled Tasks: ------------------------ "Tune-up Application Start" -> launches: "walign" [MS] "ISP signup reminder 1" -> launches: "C:\WINDOWS\SYSTEM\OOBE\MSOOBE.EXE /s /1" [MS] "lily ***all anal sucker-3" -> launches: "C:\TEMP\Temp2\FAV\lily *all anal sucker-3.rm" [file not found] "lily suspended intruder-2" -> launches: "C:\TEMP\Temp2\FAV\lily suspended intruder-2.rm" [file not found] "nikki deep doggy1" -> launches: "C:\TEMP\Temp2\FAV\nikki deep doggy1.rm" [file not found] "nikki violater5" -> launches: "C:\TEMP\Temp2\FAV\nikki violater5.rm" [file not found] "scotti nipple suck 02" -> launches: "C:\TEMP\Temp2\FAV\scotti nipple suck 02.rm" [file not found] "scotti nipple suck 03" -> launches: "C:\TEMP\Temp2\FAV\scotti nipple suck 03.rm" [file not found] "scotti * suck" -> launches: "C:\TEMP\Temp2\FAV\scotti *** suck.rm" [file not found] "scotti violate and suck 03" -> launches: "C:\TEMP\Temp2\FAV\scotti violate and suck 03.rm" [file not found] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "C:\WINDOWS\SYSTEM\rnr20.dll" [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range: C:\WINDOWS\SYSTEM\mswsosp.dll [MS], 1 C:\WINDOWS\SYSTEM\msafd.dll [MS], 2 - 4 C:\WINDOWS\SYSTEM\rsvpsp.dll [MS], 5 - 6 Toolbars, Explorer Bars, Extensions: ------------------------------------ Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {85D1F590-48F4-11D9-9669-0800200C9A66}\ "MenuText" = "Uninstall BitDefender Online Scanner v8" "Exec" = "%windir%\bdoscandel.exe" [null data] Miscellaneous IE Hijack Points ------------------------------ C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings") Added lines (compared with English-language version): [Strings]: START_PAGE_URL=http://gateway.yahoo.com [Strings]: MS_START_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=5.5&ar=msnhome" Missing lines (compared with English-language version): [Strings]: 2 lines HKLM\Software\Microsoft\Internet Explorer\AboutURLs\ HIJACK WARNING! "blank" = "http://66.40.16.201/lng/" [file not found] HOSTS file ---------- C:\WINDOWS\HOSTS maps: 13 domain names to IP addresses, 12 of the IP addresses are not* localhost! Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ Bluetooth Printer Port\Driver = "bthcrp98.dll" ["Broadcom Corporation."] ---------- + This report excludes default entries except where indicated. + To see everywhere the script checks and everything it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 7 seconds. + The search for all Registry CLSIDs containing dormant Explorer Bars took 11 seconds. ---------- (total run time: 30 seconds)