#21 (permalink)
Registered User
Join Date: Jul 2007
Posts: 57
OS: WinXP SP2
Re: iexplore.exe running each time I reboot/Please help
Ried, that's exactly what I did to generate that SREng log, I rebooted, I left iexplore.exe running in the background (I did not end it) and generated the log according to your instructions....

#23 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,610
OS: WinXP and Vista
Re: iexplore.exe running each time I reboot/Please help
peiraster, what are all those C:\Program Files\XP Repair Pro entries about?
How long have you had IE7 installed?

#24 (permalink)
Registered User
Join Date: Jul 2007
Posts: 57
OS: WinXP SP2
Re: iexplore.exe running each time I reboot/Please help
Ried, I have the program "XP Repair Pro 2007" (http://www.xprepairpro.com/) which is a system optimizer. I run it maybe once every month to repair registry errors. When it's executed it generates those XP Repair Pro entries.
Regarding IE7, I upgraded to IE7 from IE6 just before posting this issue in this forum in the hope that by upgrading to IE7 the issue would be resolved, but unfortunately it didn't, that's why I posted the problem here. Let me know if you need any further scans/logs, etc. Thanks for your efforts.

#25 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,610
OS: WinXP and Vista
Re: iexplore.exe running each time I reboot/Please help
Do you happen to recall if this issue arose after running XPRepairPro? I'm wondering if it 'fixed' something that it shouldn't have. I'm assuming it makes backups of any changes to the registry..

#26 (permalink)
Registered User
Join Date: Jul 2007
Posts: 57
OS: WinXP SP2
Re: iexplore.exe running each time I reboot/Please help
Ried, it's hard to tell if this issue is a result of some registry mess created by XP Repair Pro. I regularly check Task Manager for background activity since I'm a paranoid type :-) but I really don't recall precisely what was the "before" and "after" activity log regarding installed programs or scans made with XP Repair Pro, so hard to tell for sure what was the responsible action for this. As you can see I have many programs installed, and maybe also one of those programs was the problem. One of the latest programs I installed was "trojan remover" and "trojan hunter". I think the latter was creating trouble (it froze my system), so I decided to uninstall it, and when uninstalled it created a BSOD (very rare, in fact the only BSOD I recall in my PC in years). I'm mentioning this even though it might have nothing to do with the problem at hand. Regarding XP Repair Pro, it does create restore points, but for some reason the only ones I see are very old ones (dated 4/14/07 and 4/15/07), and restoring to those points would create many problems since I did install many programs after that date that would be compromised.

#27 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,610
OS: WinXP and Vista
Re: iexplore.exe running each time I reboot/Please help
No, going back almost 3 months is certainly not desirable.
I'm going to do some in-depth researching on this. It may be a day or so before I reply, but rest assured I've not abandoned you.
One more log I'd like to see...
Please download SilentRunners.vbs (299kb) - Right click & choose Save As... SilentRunners.vbs
Before proceeding, disable any anti-virus or anti-spyware programs that may block/disable scripts.
Launch SilentRunners by double-clicking the downloaded file.
In the ensuing Window, select 'No' to avoid skipping supplementary searches.
Please be patient as the script requires a few minutes to complete. When it's done, you'll receive the prompt "All Done!".
It will create a file called "Startup Programs". Post ALL its contents here in your next reply.

#28 (permalink)
Registered User
Join Date: Jul 2007
Posts: 57
OS: WinXP SP2
Re: iexplore.exe running each time I reboot/Please help
Ried, regarding silentRunners.vbs, can I run it now while working in my PC (of course disabling Norton as you indicate)? Or should I also run it after a fresh reboot? I'm asking this because if it's the latter case I'd have to wait a couple of hours before a current task I'm doing finishes, otherwise I can generate it now and report to you immediately, let me know...thanks

#29 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,610
OS: WinXP and Vista
Re: iexplore.exe running each time I reboot/Please help
It depends on the task you're doing.
There's no rush. Why don't you wait until you're through, reboot so iexplore.exe is running and then run SilentRunners. I'll receive notification when you've posted.

#30 (permalink)
Registered User
Join Date: Jul 2007
Posts: 57
OS: WinXP SP2
Re: iexplore.exe running each time I reboot/Please help
Ok, I'll do that. But you know, just as a test I disabled Norton and ran Silent Runners just to see how it works. I downloaded the vbs file to the Desktop and clicked on it, I gave Windows authorization to run it, then it showed the screen you posted and clicked NO as you also instructed. This was about 20min ago and supposedly a log file should be created also in the desktop and a window should appear saying "All Done!" as you posted, but nothing so far, and I checked Task Manager and no CPU activity almost, as if the VBS script is not running....is this normal? Does it take so long? Should I wait longer to see if the task finishes?

#31 (permalink)
Registered User
Join Date: Jul 2007
Posts: 57
OS: WinXP SP2
Re: iexplore.exe running each time I reboot/Please help
OK, here is the log, I'm also uploading it in case you need the filename. I ran the vbs after a fresh reboot with iexplore.exe running in the background.
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}" -> {HKLM...CLSID} = "PowerISO" \InProcServer32\(Default) = "C:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."] SmartBackup\(Default) = "{447F3140-D081-11D1-AAC3-444553540001}" -> {HKLM...CLSID} = "SmartBackup Context Menu Extension" \InProcServer32\(Default) = "C:\Program Files\JAM Software\SmartBackup\SBCtxt.dll" ["JAM Software"] SnagItMainShellExt\(Default) = "{CF74B903-3389-469c-B3B6-0204D204FCBD}" -> {HKLM...CLSID} = "SnagItShellExt Class" \InProcServer32\(Default) = "C:\Program Files\TechSmith\SnagIt 8\SnagItShellExt.dll" ["TechSmith Corporation"] TuneUp Shredder Shell Extension\(Default) = "{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}" -> {HKLM...CLSID} = "TuneUp Shredder Shell Extension" \InProcServer32\(Default) = "C:\Program Files\TuneUp Utilities 2007\SDShelEx-win32.dll" ["TuneUp Software GmbH"] UltraISO\(Default) = "{AD392E40-428C-459F-961E-9B147782D099}" -> {HKLM...CLSID} = "UIContextMenu Class" \InProcServer32\(Default) = "C:\Program Files\UltraISO\isoshell.dll" ["EZB Systems, Inc."] Washer\(Default) = "{6EE51AA0-77A0-11D7-B4E1-000347126E46}" -> {HKLM...CLSID} = "Window Washer Shredding Utility" \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\WEBROO~1\SHELLW~1.DLL" ["Webroot Software"] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data] XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}" -> {HKLM...CLSID} = "Groove GFS Context Menu Handler" \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL" [MS] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" -> {HKLM...CLSID} = "Acrobat Elements Context Menu" \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 8.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."] 
CopyToCD\(Default) = "{2AA59FC0-31E8-42DA-9D3C-E9A52953853B}" -> {HKLM...CLSID} = "CopyToCD shell extension" \InProcServer32\(Default) = "C:\PROGRA~1\VSO\COPYTO~1\CTCDSH~1.DLL" ["VSO Software SARL"] FlipAlbum\(Default) = "{89947519-E64E-4EBE-9FCD-AD84E717809B}" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\PROGRA~1\E-BOOK~1\FLIPAL~1\FlpShell.dll" ["E-Book Systems"] FSShellExt\(Default) = "{56160A70-D083-4856-9998-F565ABC03F86}" -> {HKLM...CLSID} = "FSShellContext Class" \InProcServer32\(Default) = "C:\Program Files\FolderSizes\FSShExt.dll" ["Key Metric Software, LLC"] InCDShellExt\(Default) = "{CAE3251E-9B15-4810-B268-852AD9792A59}" -> {HKLM...CLSID} = "InCDShellExt Class" \InProcServer32\(Default) = "C:\Program Files\Nero\Nero 7\InCD\InCDshx.dll" ["Nero AG"] jetAudio\(Default) = "{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}" -> {HKLM...CLSID} = "JetFlExt Class" \InProcServer32\(Default) = "C:\Program Files\JetAudio\JetFlExt.dll" ["COWON America"] Library\(Default) = "{54F51408-DD44-4a12-82EF-519AD2A80DE9}" -> {HKLM...CLSID} = "Media Library Shell Extension" \InProcServer32\(Default) = "C:\Program Files\ATI Multimedia\mlibrary\MLShell.dll" ["ATI Technologies Inc."] MagicISO\(Default) = "{DB85C504-C730-49DD-BEC1-7B39C6103B7A}" -> {HKLM...CLSID} = "MShellExtMenu Class" \InProcServer32\(Default) = "C:\Program Files\MagicISO\misosh.dll" ["MagicISO, Inc."] NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}" -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension" \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data] OODefrag\(Default) = "{48EAD1E1-ECF2-4a85-AA09-1C44FBEED451}" -> {HKLM...CLSID} = "OODShellExtObj Class" \InProcServer32\(Default) = "C:\PROGRA~1\OOSOFT~1\DEFRAG~1\oodsh.dll" ["O&O Software GmbH"] PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}" -> {HKLM...CLSID} = "PowerISO" \InProcServer32\(Default) = "C:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, 
Inc."] SafeErase\(Default) = "{E8D43C7E-EFA1-41A2-9AD9-0CFECD1678B7}" -> {HKLM...CLSID} = "SafeEraseObj Class" \InProcServer32\(Default) = "C:\Program Files\OO Software\SafeErase\oosesh.dll" ["O&O Software GmbH"] SpySweeper\(Default) = "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" -> {HKLM...CLSID} = "Webroot Spy Sweeper Context Menu Integration" \InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."] Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}" -> {HKLM...CLSID} = "IEContextMenu Class" \InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"] TagRename_ContextMenu\(Default) = "{7C5E74A0-D5E0-11D0-A9BF-E886A83B9BE5}" -> {HKLM...CLSID} = "Context Menu Shell Extension" \InProcServer32\(Default) = "C:\PROGRA~1\TAGREN~1\TRshell.dll" ["Softpointer Inc"] UltraISO\(Default) = "{AD392E40-428C-459F-961E-9B147782D099}" -> {HKLM...CLSID} = "UIContextMenu Class" \InProcServer32\(Default) = "C:\Program Files\UltraISO\isoshell.dll" ["EZB Systems, Inc."] UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" -> {HKLM...CLSID} = "UnlockerShellExtension" \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data] WS_FTP\(Default) = "{797F3885-5429-11D4-8823-0050DA59922B}" -> {HKLM...CLSID} = "RtClkCtxMenu Class" \InProcServer32\(Default) = "C:\Program Files\Ipswitch\WS_FTP Professional\wsftpsi.dll" ["Ipswitch, Inc. 
10 Maguire Road - Suite 220 Lexington, MA 02421"] XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}" -> {HKLM...CLSID} = "Groove GFS Context Menu Handler" \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL" [MS] HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\ SpySweeper\(Default) = "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" -> {HKLM...CLSID} = "Webroot Spy Sweeper Context Menu Integration" \InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."] UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" -> {HKLM...CLSID} = "UnlockerShellExtension" \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data] XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}" -> {HKLM...CLSID} = "Groove GFS Context Menu Handler" \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL" [MS] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. 
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ "NoCDBurning" = (REG_DWORD) hex:0x00000000 {unrecognized setting} HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ "shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} "undockwithoutlogon" = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState DESKTOP.INI DLL launch in local fixed drive directories: -------------------------------------------------------- C:\Program Files\WIDCOMM\Bluetooth Software\My Bluetooth Places\DESKTOP.INI [.ShellClassInfo] CLSID={6af09ec9-b429-11d4-a1fb-0090960218cb} -> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\btneighborhood.dll" ["Broadcom Corporation."] Startup items in "Dell" & "All Users" startup folders: ------------------------------------------------------ C:\Documents and Settings\All Users\Start Menu\Programs\Startup "Perstray" -> shortcut to: "C:\Program Files\PerSono\perstray.exe" ["Plantronics"] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000004\LibraryPath = "C:\Program Files\Bonjour\mdnsNSP.dll" ["Apple Computer, Inc."] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ 
{++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 21 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ "{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" -> {HKLM...CLSID} = "Norton AntiVirus" \InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"] "{47833539-D0C5-4125-9FA8-0819E2EAAC93}" -> {HKLM...CLSID} = "Adobe PDF" \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"] "{724D43A0-0D85-11D4-9908-00400523E39A}" -> {HKLM...CLSID} = "&RoboForm" \InProcServer32\(Default) = "C:\Program Files\Siber Systems\AI RoboForm\roboform.dll" ["Siber Systems"] HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ "{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" -> {HKLM...CLSID} = "Norton Internet Security" \InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"] "{47833539-D0C5-4125-9FA8-0819E2EAAC93}" -> {HKLM...CLSID} = "Adobe PDF" \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"] "{F2CF5485-4E02-4F68-819C-B92DE9277049}" -> {HKLM...CLSID} = "&Links" \InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS] "{724D43A0-0D85-11D4-9908-00400523E39A}" -> {HKLM...CLSID} = "&RoboForm" \InProcServer32\(Default) = "C:\Program Files\Siber Systems\AI RoboForm\roboform.dll" ["Siber Systems"] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ "{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" = "Norton Internet Security" -> {HKLM...CLSID} = "Norton Internet Security" \InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"] 
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" -> {HKLM...CLSID} = "Norton AntiVirus" \InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"] "{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3}" = (no title provided) -> {HKLM...CLSID} = "SnagIt" \InProcServer32\(Default) = "C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll" ["TechSmith Corporation"] "{724D43A0-0D85-11D4-9908-00400523E39A}" = (no title provided) -> {HKLM...CLSID} = "&RoboForm" \InProcServer32\(Default) = "C:\Program Files\Siber Systems\AI RoboForm\roboform.dll" ["Siber Systems"] "{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = (no title provided) -> {HKLM...CLSID} = "Adobe PDF" \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"] Explorer Bars HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\ {182EC0BE-5110-49C8-A062-BEB1D02A220B}\(Default) = (no title provided) -> {HKLM...CLSID} = "Adobe PDF" \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"] HKLM\Software\Classes\CLSID\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\(Default) = "Groove Folder Synchronization" Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL" [MS] HKLM\Software\Classes\CLSID\{44226DFF-747E-4EDC-B30C-78752E50CD0C}\(Default) = "&ATI TV" Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32\(Default) = "C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL" ["ATI Technologies Inc."] HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research" Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32\(Default) = "C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL" [MS] Extensions (Tools menu items, main toolbar menu buttons) 
HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ "MenuText" = "Sun Java Console" "CLSIDExtension" = "{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC}" -> {HKCU...CLSID} = "Java Plug-in 1.6.0_01" \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."] -> {HKLM...CLSID} = "Java Plug-in 1.6.0_01" \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll" ["Sun Microsystems, Inc."] {2670000A-7350-4F3C-8081-5663EE0C6C49}\ "ButtonText" = "Send to OneNote" "MenuText" = "S&end to OneNote" "CLSIDExtension" = "{48E73304-E1D6-4330-914C-F5F514E3486C}" -> {HKLM...CLSID} = "Send to OneNote from Internet Explorer button" \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll" [MS] {320AF880-6646-11D3-ABEE-C5DBF3571F46}\ "ButtonText" = "Fill Forms" "MenuText" = "Fill Forms" "Script" = "file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html" [file not found] {320AF880-6646-11D3-ABEE-C5DBF3571F49}\ "ButtonText" = "Save" "MenuText" = "Save Forms" "Script" = "file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html" [file not found] {44226DFF-747E-4EDC-B30C-78752E50CD0C}\ "ButtonText" = "ATI TV" {6224F700-CBA3-4071-B251-47CB894244CD}\ "ButtonText" = "ICQ Pro" "MenuText" = "ICQ" "Exec" = "C:\PROGRA~1\ICQ\ICQ.exe" ["ICQ Inc."] {724D43AA-0D85-11D4-9908-00400523E39A}\ "ButtonText" = "RoboForm" "MenuText" = "RoboForm Toolbar" "Script" = "file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html" [file not found] {77BF5300-1474-4EC7-9980-D32B190E9B07}\ "ButtonText" = "Skype" "CLSIDExtension" = "{77BF5300-1474-4EC7-9980-D32B190E9B07}" -> {HKLM...CLSID} = "Skype add-on (button)" \InProcServer32\(Default) = "C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll" ["Skype Technologies S.A."] {92780B25-18CC-41C8-B9BE-3C9C571A8263}\ "ButtonText" = "Research" {941E1A34-C6AF-4BAA-A973-224F9C3E04BF}\ 
"ButtonText" = "Send to Mindjet MindManager" "CLSIDExtension" = "{07A11D74-9D25-4fea-A833-8B0D76A5577A}" -> {HKLM...CLSID} = "CmjBrowserHelperObject Object" \InProcServer32\(Default) = "C:\Program Files\Mindjet\MindManager 7\Mm7InternetExplorer.dll" ["Mindjet"] {CCA281CA-C863-46EF-9331-5C8D4460577F}\ "ButtonText" = "@btrez.dll,-4015" "MenuText" = "@btrez.dll,-12650" "Script" = "C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm" [null data] {D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\ "ButtonText" = "FlashGet" "MenuText" = "FlashGet" "Exec" = "C:\Program Files\FlashGet\FlashGet.exe" ["FlashGet.com"] {E2E2DD38-D088-4134-82B7-F2BA38496583}\ "MenuText" = "@xpsp3res.dll,-20001" "Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS] {FB5F1910-F110-11D2-BB9E-00C04F795683}\ "ButtonText" = "Messenger" "MenuText" = "Windows Messenger" "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS] {FD9DE2B4-C926-4460-81C4-FC58C6F1062E}\ "ButtonText" = "SmartWhois" "Exec" = "C:\Program Files\SmartWhois\swmsie.exe" ["TamoSoft"] {FF983118-58C7-4AD4-B5A7-691C39CB7B42}\ "MenuText" = "SmartWhois" "Exec" = "C:\Program Files\SmartWhois\swmsie.exe" ["TamoSoft"] Miscellaneous IE Hijack Points ------------------------------ HKLM\Software\Microsoft\Internet Explorer\AboutURLs\ <<H>> "TuneUp" = "file://C|/Documents and Settings/All Users/Application Data/TuneUp Software/Common/base.css" [file not found] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Automatic LiveUpdate Scheduler, Automatic LiveUpdate Scheduler, ""C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe"" ["Symantec Corporation"] Bluetooth Service, btwdins, "C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe" ["Broadcom Corporation."] ISSvc, ISSVC, ""C:\Program Files\Norton Internet Security\ISSVC.exe"" ["Symantec Corporation"] Logical Disk Manager Administrative Service, dmadmin, "C:\WINDOWS\System32\dmadmin.exe /com" 
["Microsoft Corp., Veritas Software"] Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS] Norton AntiVirus Auto-Protect Service, navapsvc, ""C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"] PDAgent, PDAgent, ""C:\Program Files\Raxco\PerfectDisk\PDAgent.exe"" ["Raxco Software, Inc."] PDEngine, PDEngine, ""C:\Program Files\Raxco\PerfectDisk\PDEngine.exe"" ["Raxco Software, Inc."] Process Monitor, LVPrcSrv, ""C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe"" ["Logitech Inc."] SAVScan, SAVScan, ""C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe"" ["Symantec Corporation"] ScsiAccess, ScsiAccess, "C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe" [null data] Symantec Core LC, Symantec Core LC, "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"] Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"] Symantec Network Drivers Service, SNDSrvc, ""C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe"" ["Symantec Corporation"] Symantec Network Proxy, ccProxy, ""C:\Program Files\Common Files\Symantec Shared\ccProxy.exe"" ["Symantec Corporation"] Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"] Symantec SPBBCSvc, SPBBCSvc, ""C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe"" ["Symantec Corporation"] TuneUp Design Expansion, UxTuneUp, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\uxtuneup.dll" ["TuneUp Software GmbH"] } Windows Driver Foundation - User-mode Driver Framework, WudfSvc, "C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup" {"C:\WINDOWS\System32\WUDFSvc.dll" [MS]} Keyboard Driver Filters: ------------------------ HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\ 
"UpperFilters" = <<!>> "SSKBFD" ["Webroot Software Inc (www.webroot.com)"] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ Adobe PDF Port\Driver = "C:\WINDOWS\system32\AdobePDF.dll" ["Adobe Systems Incorporated."] Bluetooth Printer Port\Driver = "bthcrp.dll" ["Broadcom Corporation."] Ice Monitor E\Driver = "BiEMonNT.dll" ["Black Ice Software"] Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS] PDF-XChange\Driver = "C:\WINDOWS\system32\pxc25pm.dll" ["Tracker Software"] Send To Microsoft OneNote Monitor\Driver = "msonpmon.dll" [MS] WinFax Ports\Driver = "WFXMNT40.DLL" [MS] WinFax Ports (Photo Quality)\Driver = "WFXMNTHQ.DLL" [MS] ---------- <<!>>: Suspicious data at a malware launch point. <<H>>: Suspicious data at a browser hijack point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 336 seconds. ---------- (total run time: 567 seconds) |
|
|
|
|
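The legend that closes the Silent Runners report above defines `<<!>>` (suspicious data at a malware launch point) and `<<H>>` (suspicious data at a browser hijack point), and the report's Winsock section labels the bracket after each file as its company name. The Python below is an added example, not part of the thread or of Silent Runners: it pulls those markers, plus entries tagged `[null data]`, `[empty string]` or `[file not found]`, out of a report pasted as flattened text. The sample is constructed from entries in the report, and reading those three tags as "no publisher information" is an assumption.

```python
import re

# Constructed sample: entries copied in shape from the report in this thread,
# flattened the way the forum rendered them.
SAMPLE = r'''HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ 7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}" -> {HKLM...CLSID} = "7-Zip Shell Extension" \InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Microsoft\Internet Explorer\AboutURLs\ <<H>> "TuneUp" = "file://C|/Documents and Settings/All Users/Application Data/TuneUp Software/Common/base.css" [file not found]
HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\ "UpperFilters" = <<!>> "SSKBFD" ["Webroot Software Inc (www.webroot.com)"]
ScsiAccess, ScsiAccess, "C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe" [null data]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
'''

# Marker meanings, worded as in the report's own legend.
LEGEND = {"<<!>>": "malware launch point", "<<H>>": "browser hijack point"}

# Assumption: these tags mean the file carries no usable publisher information.
NO_PUBLISHER = {"null data", "empty string", "file not found"}

# A registry key heading: starts HKLM\ or HKCU\ and ends with a backslash
# followed by whitespace. Quotes and "=" are excluded so that value lines such
# as HKLM\...\(Default) = "..." are not mistaken for headings.
KEY_RE = re.compile(r'HK(?:LM|CU)\\[^"=\n]*?\\(?=\s)')

# A legend marker, the quoted value it flags, and the company tag if one follows.
FLAG_RE = re.compile(
    r'(?P<flag><<[!H]>>)\s+"(?P<value>[^"]+)"(?:\s+\[(?P<tag>[^\]]*)\])?')

# A quoted path (service paths are sometimes double-quoted) followed by [tag].
ENTRY_RE = re.compile(r'"+(?P<path>[^"]+)"+\s+\[(?P<tag>[^\]]*)\]')


def triage(report):
    """Return flagged entries first, then files with no publisher information."""
    keys = [(m.end(), m.group(0)) for m in KEY_RE.finditer(report)]
    findings = []

    for m in FLAG_RE.finditer(report):
        # Attribute the flag to the nearest registry key heading before it.
        key = next((k for end, k in reversed(keys) if end <= m.start()), None)
        tag = m.group("tag")
        findings.append({
            "kind": LEGEND[m.group("flag")],
            "item": m.group("value"),
            "key": key,
            "publisher": tag.strip('"') if tag else None,
        })

    for m in ENTRY_RE.finditer(report):
        tag = m.group("tag").strip('"')
        if tag in NO_PUBLISHER:
            findings.append({"kind": tag, "item": m.group("path"),
                             "key": None, "publisher": None})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        where = f" under {f['key']}" if f["key"] else ""
        who = f" (publisher: {f['publisher']})" if f["publisher"] else ""
        print(f"[{f['kind']}] {f['item']}{where}{who}")
```

A marker is a prompt to check the publisher rather than a verdict: the `<<!>>` hit in this report is tagged with Webroot's company name.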
#32 (permalink) |
|
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,610
OS: WinXP and Vista
|
Re: iexplore.exe running each time I reboot/Please help
Hi peiraster,
First thing we're going to do is uninstall unnecessary programs. You have more than 1 AV installed which can certainly cause odd things to happen--even if they aren't 'running'. It is never a good idea to have more than 1 AV installed at a given time.

Choose only 1 AV and uninstall the other via Add or Remove programs:
NOD32 antivirus system
or
Norton Internet Security

You also have too many Anti-Malware programs, let's bring that down to just 1 for now. Personally, I'd choose either Spybot S&D or Webroot. (AdAware-2007 is a great program as well, but has been having some difficulties lately. I would recommend this program in another month or so once they've worked out the 'bugs'.)

Choose 1 and uninstall the others via Add or Remove programs:
ParetoLogic Anti-Spyware
Spybot - Search & Destroy 1.4
Spyware Doctor 5.0
Webroot SpySweeper
------------------------------------------------------------
Reboot your system. If iexplore.exe is still loading at bootup, run SREng again and attach that log. |
|
|
|
|
#33 (permalink) |
|
Registered User
Join Date: Jul 2007
Posts: 57
OS: WinXP SP2
|
Re: iexplore.exe running each time I reboot/Please help
Hi Ried, let me tell you that even though I have Nod32 installed, I only run it on demand, which means that not only all online activities for Nod32 are disabled, but I also disable the Nod32 Kernel Service, preventing "nod32krn.exe" from running in the background on each reboot. The same can be said of all anti-malware programs I have installed, none of them have the online live detection turned on, and their respective services are all disabled, I only turn them on when I choose to run an on demand scan and turn it off afterwards. I even have the auto update feature of all these programs disabled, I do all things manually. This means that no task associated to any of these antimalware programs is running in the background, so it shouldn't interfere with Norton's or any other program. Additionally, I use and have installed all of these antimalware programs and Nod32 way before the "iexplore.exe" issue would arise. Therefore my common sense tells me that the issue is nonrelated to this. But you're the expert, so let me know if you still want me to uninstall any of these...thanks.
Last edited by peiraster; 07-10-2007 at 12:43 PM. |
|
|
|
|
#34 (permalink) |
|
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,610
OS: WinXP and Vista
|
Re: iexplore.exe running each time I reboot/Please help
It doesn't really matter what was installed and running properly before this problem occurred. My first thought is that the last running of Windows XPRepair Pro has botched something. Since that program doesn't provide you with a report of what it fixed, nor did it create a restore point on its most recent run, we have to do this the hard way and eliminate programs.
Please uninstall all those and leave 1 of each. Also uninstall any unlicensed software (if this applies).

If iexplore.exe is still running at boot up, then I'd like you to do the following:

Download Combofix and save it to your desktop.
**Note: It is important that it is saved directly to your desktop**
--------------------------------------------------------------------
Download Blacklight
--------------------------------------------------------------------
Close any open browsers.
--------------------------------------------------------------------
Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you. Please post the C:\ComboFix.txt so we can continue cleaning the system.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
--------------------------------------------------------------------
Run Blacklight:
*Note that you must have local administrative privileges to run the program.
Click Scan.
BlackLight will use Windows Explorer (the desktop process) to scan for hidden items. Your anti-virus software or personal firewall might display a warning that says Blacklight (blbeta.exe) is trying to manipulate the Windows Explorer process (explorer.exe). If you want to continue the scan, you need to allow BlackLight to do this.
When it finishes, click Next.
Click on Close.
BlackLight beta would create a log file "fsbl-<date-and-time>.log". By default, the log file is in the same directory as the executable. Please post the log. |
|
|
|
|
#35 (permalink) |
|
Registered User
Join Date: Jul 2007
Posts: 57
OS: WinXP SP2
|
Re: iexplore.exe running each time I reboot/Please help
Ried, correct me if I'm wrong, but if I start uninstalling programs to find the issue, maybe I'm better off reformatting and freshly reinstalling WinXP? :( Not that I don't accept your approach, I can go ahead and uninstall those antimalware products you listed, it's just that I don't have much hope that will solve the issue and we'll lose time. What about these approaches?
1) Run a registry repair program again (like jv16, XP Repair Pro, etc)?
2) Uninstall/Reinstall/Repair Internet Explorer?
3) Maybe rename iexplore.exe to iexplore.bak and when I reboot, Windows will report that a certain program is requesting iexplore.exe?
4) Repair WinXP?

Anyway, I'm not saying I will go off course of your planned approach, just making a pause to reconsider avoiding having to uninstall programs to a point that I'll be better off reinstalling WinXP. Let me know, thanks. |
|
|
|
|
#36 (permalink) |
|
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,610
OS: WinXP and Vista
|
Re: iexplore.exe running each time I reboot/Please help
Well, you could do any of those things, but consider this...
1. Before you do anything (other than a reformat or reinstall of XP) re-enable System Restore--it will create a restore point for you to revert to should matters get worse.
2. A Repair Install of XP or IE will only work if IE itself is 'messed up'. If a program is calling it, neither of those would do any good.
3. I can't see how it would hurt to try another Registry Repair and see if that does anything. I would prefer, and suggest, that you use one that gives you the option of replacing what it 'fixes'. Personally, I use CCleaner and have for years. It makes a backup of the registry fixes done and saves them in a file. If I find something isn't working properly, I simply navigate to that file and double click to merge it back into the registry.
4. I suppose you could try renaming iexplore.exe and see what happens--you can easily re-name it back.
5. Before you try any of the above, how about sending me a ComboFix.txt and Blacklight scan so we can rule out rootkits. |
|
|
|
|
#37 (permalink) |
|
Registered User
Join Date: Jul 2007
Posts: 57
OS: WinXP SP2
|
Re: iexplore.exe running each time I reboot/Please help
Ried, I'm posting and attaching the logs you requested for your evaluation. As always I ran these scans after a reboot with iexplore.exe running in the background. Just for you to know, I uninstalled "Opus Directory" (a program I seldom used) and installed "jv 16" (a reg cleaner) right before these scans were made. I renamed the fsbl "log" extension to "txt" in order to attach it. Apparently no rootkits were found?
"Dell" - 2007-07-11 1:49:26 - ComboFix 07-07-10.5 - Service Pack 2 ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) C:\DOCUME~1\Dell\APPLIC~1.\addon.dat ((((((((((((((((((((((((( Files Created from 2007-06-11 to 2007-07-11 ))))))))))))))))))))))))))))))) 2007-07-11 01:46 51,200 --a------ C:\WINDOWS\nircmd.exe 2007-07-10 18:49 <DIR> d-------- C:\Program Files\jv16 PowerTools 2007 2007-07-10 01:30 <DIR> d-------- C:\DOCUME~1\Dell\APPLIC~1\MainConcept 2007-07-06 00:18 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab 2007-07-05 06:48 <DIR> d-------- C:\Program Files\Windows Defender 2007-07-05 03:27 <DIR> d-------- C:\Deckard 2007-07-04 20:45 83,536 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys 2007-07-04 20:45 59,984 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys 2007-07-04 20:45 52,304 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys 2007-07-04 20:45 39,248 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys 2007-07-04 20:45 26,064 --a------ C:\WINDOWS\system32\drivers\kcom.sys 2007-07-04 20:45 <DIR> d-------- C:\Program Files\Spyware Doctor 2007-07-02 19:39 0 --a------ C:\WINDOWS\system32\SBRC.dat 2007-07-02 19:39 0 --a------ C:\WINDOWS\system32\SBFC.dat 2007-07-02 18:57 <DIR> d-------- C:\DOCUME~1\Dell\APPLIC~1\Sunbelt Software 2007-07-01 20:30 <DIR> d-------- C:\Program Files\Apple Software Update 2007-07-01 20:29 <DIR> d-------- C:\Program Files\Common Files\Apple 2007-07-01 20:29 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple 2007-07-01 16:32 75 -r-hs---- C:\WINDOWS\FFSSET.BIN 2007-07-01 16:29 <DIR> d-------- C:\DOCUME~1\Dell\APPLIC~1\PanoramaStudio 2007-07-01 16:28 <DIR> d-------- C:\Program Files\PanoramaStudio 2007-07-01 16:21 <DIR> d-------- C:\Program Files\Typhoon Software 2007-07-01 16:16 <DIR> d-------- C:\Program Files\Collectorz.com 2007-07-01 16:10 <DIR> d-------- C:\WINDOWS\system32\QuickTime 2007-07-01 16:08 <DIR> d--h----- C:\WINDOWS\system32\Systemfiles 2007-07-01 13:12 
22,080 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys 2007-07-01 13:12 21,056 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys 2007-07-01 13:12 20,544 --a------ C:\WINDOWS\system32\drivers\SSFS0509.sys 2007-07-01 13:12 144,448 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys 2007-07-01 13:12 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Webroot 2007-07-01 13:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot 2007-07-01 12:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft 2007-06-29 15:09 490,272 --a------ C:\WINDOWS\system32\LVUI2.dll 2007-06-29 15:09 465,696 --a------ C:\WINDOWS\system32\LVUI2RC.dll 2007-06-29 15:09 416,544 --a------ C:\WINDOWS\system32\lvcodec2.dll 2007-06-29 15:09 41,888 --a------ C:\WINDOWS\system32\drivers\LVUSBSta.sys 2007-06-29 15:09 3,580,832 --a------ C:\WINDOWS\system32\drivers\lvuvc.sys 2007-06-29 15:09 22,560 --a------ C:\WINDOWS\system32\drivers\lvuvcflt.sys 2007-06-29 15:09 195,360 --a------ C:\WINDOWS\system32\lvci1100.dll 2007-06-29 15:09 15,558 --a------ C:\WINDOWS\system32\Repository.reg 2007-06-29 15:09 1,921,184 --a------ C:\WINDOWS\system32\drivers\lvpopflt.sys 2007-06-29 15:06 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\LogiShrd 2007-06-28 00:34 <DIR> d-------- C:\Program Files\Pando Networks 2007-06-28 00:31 <DIR> d-------- C:\Program Files\Common Files\Skype 2007-06-27 19:48 3,840 --a------ C:\WINDOWS\system32\drivers\BANTExt.sys 2007-06-25 20:24 10,395,648 --a------ C:\WINDOWS\The Spartans 3D Screensaver.scr 2007-06-25 20:20 10,395,648 --a------ C:\WINDOWS\system32\The Spartans 3D Screensaver.scr 2007-06-25 20:20 <DIR> d-------- C:\Program Files\The Spartans 3D Screensaver 2007-06-24 18:11 <DIR> d-------- C:\DOCUME~1\Dell\APPLIC~1\TERMINAL Studio 2007-06-24 18:07 11,755,520 --a------ C:\WINDOWS\system32\Wild West 3D Screensaver.scr 2007-06-24 15:07 <DIR> d-------- C:\Program Files\PhotoWatermark Professional 7 2007-06-24 15:02 <DIR> d-------- C:\Program Files\Carnival Software 2007-06-24 15:01 <DIR> 
d-------- C:\DOCUME~1\Dell\APPLIC~1\Carnival Software 2007-06-24 14:51 <DIR> d-------- C:\Program Files\Natura Sound Therapy v2.0 2007-06-24 14:48 <DIR> d-------- C:\Program Files\Forest Lake 3D Screensaver 2007-06-24 14:43 197,120 --a------ C:\WINDOWS\system32\3-D_Serengeti_Safari.scr 2007-06-24 14:43 <DIR> d-------- C:\WINDOWS\system32\3-D_Serengeti_Safari dir 2007-06-24 14:39 2,523,136 --a------ C:\WINDOWS\system32\3DFireworks.scr 2007-06-24 14:39 <DIR> d-------- C:\Program Files\WebAppstogo 2007-06-24 14:37 241,664 --a------ C:\WINDOWS\system32\Cape Hatteras Lighthouse.scr 2007-06-24 14:36 241,664 --a------ C:\WINDOWS\Cape Hatteras Lighthouse.scr 2007-06-24 14:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Softdisk LLC 2007-06-24 12:37 <DIR> d-------- C:\Program Files\Common Files\COWON 2007-06-20 13:33 532,480 --a------ C:\WINDOWS\system32\3-D_Ghost_Ship.scr 2007-06-20 13:33 <DIR> d-------- C:\WINDOWS\system32\3-D_Ghost_Ship dir 2007-06-20 13:30 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll 2007-06-16 19:11 2,106,368 --a------ C:\WINDOWS\radarss.scr 2007-06-16 19:09 2,106,368 --a------ C:\WINDOWS\system32\radarss.scr 2007-06-16 19:09 <DIR> d-------- C:\Program Files\Radar Screensaver 2007-06-13 12:20 94,208 --a------ C:\WINDOWS\system32\Dream Aquarium.scr 2007-06-13 12:20 925,696 --a------ C:\WINDOWS\system32\Flight Simulator Screensaver.scr 2007-06-13 12:20 8,990,720 --a------ C:\WINDOWS\system32\FascinatingAntarctica.scr 2007-06-13 12:20 771,584 --a------ C:\WINDOWS\system32\Water_Illusion.scr 2007-06-13 12:20 585,728 --a------ C:\WINDOWS\system32\3D Sea Aquarium.scr 2007-06-13 12:20 3,344,422 --a------ C:\WINDOWS\system32\SimAQUARIUM2 Tank-2.scr 2007-06-13 12:20 3,305,472 --a------ C:\WINDOWS\system32\3D Fish School 3.scr 2007-06-13 12:20 208,896 --a------ C:\WINDOWS\system32\boinc.scr 2007-06-13 12:20 2,243,072 --a------ C:\WINDOWS\system32\Fantastic Flame Screensaver.scr 2007-06-13 12:20 102,400 --a------ C:\WINDOWS\system32\EarthView.scr 2007-06-13 
12:20 1,032,192 --a------ C:\WINDOWS\system32\AquaReal.scr (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-07-11 04:36:45 -------- d-----w C:\DOCUME~1\Dell\APPLIC~1\uTorrent 2007-07-11 04:20:08 -------- d-----w C:\Program Files\Weather Watcher 2007-07-10 19:14:54 -------- d-----w C:\Program Files\SUPERAntiSpyware 2007-07-10 08:16:18 -------- d-----w C:\Program Files\Common Files\Symantec Shared 2007-07-10 04:46:37 73 ----a-w C:\WINDOWS\system32\ssprs.dll 2007-07-10 04:46:37 205 ----a-w C:\WINDOWS\system32\lsprst7.dll 2007-07-09 22:36:17 -------- d-----w C:\Program Files\FlashGet 2007-07-05 07:55:03 -------- d-----w C:\Program Files\XoftSpySE 2007-07-03 06:22:21 -------- d-----w C:\Program Files\Starry Night Pro Plus 6 2007-07-03 04:49:58 -------- d--h--w C:\Program Files\InstallShield Installation Information 2007-07-03 03:34:10 -------- d-----w C:\Program Files\TrojanHunter 4.6 2007-07-03 02:39:03 -------- d-----w C:\Program Files\Norton Internet Security 2007-07-02 15:01:44 -------- d-----w C:\DOCUME~1\Dell\APPLIC~1\ATI MMC 2007-07-01 23:30:48 -------- d-----w C:\Program Files\iTunes 2007-07-01 23:30:41 -------- d-----w C:\Program Files\iPod 2007-07-01 19:33:49 -------- d-----w C:\DOCUME~1\Dell\APPLIC~1\Reallusion 2007-07-01 19:32:27 -------- d-----w C:\Program Files\Reallusion 2007-07-01 19:23:44 -------- d-----w C:\DOCUME~1\Dell\APPLIC~1\Skype 2007-07-01 16:12:40 -------- d-----w C:\Program Files\Webroot 2007-07-01 16:11:49 -------- d-----w C:\DOCUME~1\Dell\APPLIC~1\Webroot 2007-07-01 15:56:45 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard 2007-06-29 18:11:03 -------- d-----w C:\Program Files\Common Files\LogiShrd 2007-06-29 18:08:19 -------- d-----w C:\Program Files\Logitech 2007-06-28 17:00:29 -------- d-----w C:\Program Files\eMule 2007-06-28 04:03:09 -------- d-----w C:\DOCUME~1\Dell\APPLIC~1\bibble 2007-06-28 03:31:41 -------- d-----w C:\Program Files\Skype 2007-06-27 
16:20:00 -------- d-----w C:\DOCUME~1\Dell\APPLIC~1\Vso 2007-06-26 07:43:40 -------- d-----w C:\Program Files\VSO 2007-06-26 03:57:51 -------- d-----w C:\Program Files\Xilisoft 2007-06-25 05:11:41 -------- d-----w C:\Program Files\Intel Corporation 2007-06-24 21:16:22 -------- d-----w C:\Program Files\Fantastic Flame Screensaver 2007-06-24 21:07:59 -------- d-----w C:\Program Files\Astro Gemini Software 2007-06-24 15:54:50 -------- d-----w C:\DOCUME~1\Dell\APPLIC~1\dvdcss 2007-06-24 15:37:25 -------- d-----w C:\Program Files\JetAudio 2007-06-23 22:42:28 -------- d-----w C:\Program Files\FolderSizes 2007-06-19 12:32:11 -------- d-----w C:\DOCUME~1\Dell\APPLIC~1\Apple Computer 2007-06-18 12:20:52 -------- d-----w C:\Program Files\Macro Express3 2007-06-15 14:01:49 -------- d-----w C:\Program Files\Total Training 2007-06-15 10:01:42 -------- d-----w C:\Program Files\Lavasoft 2007-06-15 10:00:39 -------- d-----w C:\DOCUME~1\Dell\APPLIC~1\Lavasoft 2007-06-13 02:04:44 -------- d-----w C:\Program Files\Microsoft SQL Server 2007-06-10 10:56:15 -------- d-----w C:\Program Files\BT Engine 2007-06-07 09:59:07 -------- d-----w C:\Program Files\Tweak-XP Pro 4 2007-06-07 09:39:20 -------- d-----w C:\Program Files\MediaInfo 2007-06-04 22:53:24 -------- d-----w C:\Program Files\Framing Studio 2007-06-04 22:51:40 -------- d-----w C:\Program Files\HDD Regenerator 2007-06-04 22:42:15 -------- d-----w C:\Program Files\Venus 3D Space Survey Screensaver 2007-06-04 22:35:11 -------- d-----w C:\Program Files\EarthView 2007-06-04 22:35:10 -------- d-----w C:\DOCUME~1\Dell\APPLIC~1\DeskSoft 2007-06-04 22:34:23 102,400 ----a-w C:\WINDOWS\EarthView.scr 2007-06-04 22:27:21 -------- d-----w C:\DOCUME~1\Dell\APPLIC~1\JAM Software 2007-06-04 22:26:26 -------- d-----w C:\Program Files\JAM Software 2007-06-04 22:24:31 -------- d-----w C:\Program Files\Wondershare 2007-06-04 18:18:48 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys 2007-06-04 18:17:02 8,320 ----a-w 
C:\WINDOWS\system32\drivers\AWRTRD.sys 2007-06-04 18:14:56 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys 2007-06-04 09:09:16 -------- d-----w C:\Program Files\Photozoom Pro 2007-06-04 09:04:45 -------- d-----w C:\Program Files\AnMing 2007-06-04 09:02:09 -------- d-----w C:\Program Files\Nova Development 2007-06-04 08:49:00 -------- d-----w C:\Program Files\Mindjet 2007-06-04 08:41:46 204 ----a-w C:\WINDOWS\system32\c546nfu.dll 2007-06-04 08:41:46 100 ----a-w C:\WINDOWS\system32\prsgrc.dll 2007-06-04 08:41:46 -------- d-----w C:\Program Files\SYSTAT 12 2007-06-04 08:40:11 1,025 ----a-w C:\WINDOWS\system32\uroriee.dll 2007-06-04 08:40:10 1,025 ----a-w C:\WINDOWS\system32\grcauth2.dll 2007-06-04 08:40:10 1,025 ----a-w C:\WINDOWS\system32\grcauth1.dll 2007-06-04 08:33:26 -------- d-----w C:\Program Files\Aptika 2007-06-04 08:30:56 -------- d-----w C:\Program Files\webcamXP 2007-06-04 08:25:14 -------- d-----w C:\DOCUME~1\Dell\APPLIC~1\SoundSpectrum 2007-06-04 08:21:47 -------- d-----w C:\Program Files\SoundSpectrum 2007-06-04 02:22:44 1,257,520 ----a-w C:\WINDOWS\system32\Venus_3D_Space_Survey_Screensaver.scr 2007-06-03 05:58:57 501,760 ----a-w C:\WINDOWS\system32\Deutz Engine.scr 2007-06-03 05:58:57 501,760 ----a-w C:\WINDOWS\system32\Deutz Engine.exe 2007-06-02 17:18:01 -------- d-----w C:\Program Files\Orion Studios HD 2007-06-01 10:16:15 -------- d-----w C:\DOCUME~1\Dell\APPLIC~1\HTNetMeter 2007-06-01 10:15:45 -------- d-----w C:\Program Files\HooTech 2007-06-01 10:14:04 -------- d-----w C:\Program Files\LG Software Innovations 2007-06-01 10:01:56 -------- d-----w C:\Program Files\MP3Resizer 2007-06-01 09:59:02 -------- d-----w C:\Program Files\SmartWhois 2007-06-01 09:55:43 -------- d-----w C:\Program Files\Picture Merge Genius 2007-06-01 09:52:54 -------- d-----w C:\Program Files\OO Software 2007-06-01 09:44:26 -------- d-----w C:\Program Files\DVDFab Platinum 3 2007-05-31 22:30:22 266,088 ----a-w C:\WINDOWS\system32\xactengine2_8.dll 2007-05-31 22:29:42 
18,280 ----a-w C:\WINDOWS\system32\x3daudio1_2.dll 2007-05-31 13:19:18 -------- d-----w C:\Program Files\GrandBackup Ultimate 2007-05-30 04:09:23 -------- d-----w C:\Program Files\Easiestutils 2007-05-30 04:05:52 -------- d-----w C:\Program Files\3D Sea Aquarium 2007-05-30 03:58:56 -------- d-----w C:\Program Files\BinarySense 2007-05-30 03:51:39 -------- d-----w C:\Program Files\LEDSET 2007-05-30 03:13:26 -------- d-----w C:\Program Files\ParetoLogic 2007-05-30 03:13:25 -------- d-----w C:\Program Files\Common Files\ParetoLogic 2007-05-30 03:11:58 -------- d-----w C:\DOCUME~1\Dell\APPLIC~1\WinRAR 2007-05-29 04:31:50 -------- d-----w C:\Program Files\DVD-RB PRO 2007-05-29 04:30:20 34,308 ----a-w C:\WINDOWS\system32\Chip.dll 2007-05-29 04:28:34 -------- d-----w C:\Program Files\AviSynth 2.5 2007-05-29 04:21:44 -------- d-----w C:\Program Files\Real 2007-05-29 04:10:46 -------- d-----w C:\Program Files\NetLimiter 2 Pro 2007-05-29 04 40 -------- d-----w C:\Program Files\ICQ2007-05-29 03:28:46 -------- d-----w C:\Program Files\DVD Audio Extractor 2007-05-29 03:23:27 -------- d-----w C:\Program Files\Photo to Color Sketch 2007-02-27 04:33:34 56 --sh--r C:\WINDOWS\system32\9E16596497.sys 2007-03-10 12:49:54 8 --sh--r C:\WINDOWS\system32\D624CD96E0.sys 2007-02-27 22:00:16 88 --sh--r C:\WINDOWS\system32\E096CD24D6.sys 2007-03-10 12:49:54 4,704 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00C6482D-C502-44C8-8409-FCE54AD9C208}] 2007-05-01 11:11 63048 --a------ C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}] 2006-10-22 23:08 62080 --a------ C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [HKEY_LOCAL_MACHINE\~\Browser Helper 
Objects\{07A11D74-9D25-4fea-A833-8B0D76A5577A}] 2007-05-18 00:05 71184 -ra------ C:\Program Files\Mindjet\MindManager 7\Mm7InternetExplorer.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{22BF413B-C6D2-4d91-82A9-A0F997BA588C}] 2007-06-08 15:18 976424 --a------ C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}] 2007-05-16 06:03 94308 --a------ C:\Program Files\FlashGet\jccatch.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4401FDC3-7996-4774-8D2B-C1AE9CD6CC25}] 2000-08-21 12:39 61440 --a------ C:\Program Files\E-Book Systems\FlipAlbum 6 Pro\FpLaunch.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{724d43a9-0d85-11d4-9908-00400523e39a}] 2007-05-27 04:01 5600312 --a------ C:\Program Files\Siber Systems\AI RoboForm\roboform.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}] 2006-10-27 00:48 2210608 --a------ C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}] 2007-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9ECB9560-04F9-4bbc-943D-298DDF1699E1}] 2004-08-30 23:29 103568 --a------ C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}] 2007-05-10 22:47 321120 --a------ C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}] 2005-10-19 12:54 218736 --a------ C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F156768E-81EF-470C-9057-481BA8380DBA}] 2007-05-16 02:05 163840 --a------ C:\Program Files\FlashGet\getflash.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Logitech Utility"="Logi_MwX.Exe" 
[2002-11-08 09:50 C:\WINDOWS\LOGI_MWX.EXE] "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-22 22:19] "LTWinModem1"="ltmsg.exe" [2001-04-03 10:38 C:\WINDOWS\system32\ltmsg.exe] "Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-04-03 21:23] "MessengerPlus3"="C:\Program Files\MessengerPlus! 3\MsgPlus.exe" [2006-06-25 12:17] "NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57] "pdfSaver3"="" [] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ATI Launchpad"="" [] "@"="" [] "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] "{A213B520-C6C2-11d0-AF9D-008029E1027E}"="C:\Program Files\WinFax\WfxSeh32.Dll" [1998-07-27 04:54] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55] "{51C55F9E-C308-4c95-89AB-8858D8AFD819}"="C:\Program Files\ParetoLogic\Anti-Spyware\PASShlExt.dll" [2007-03-29 15:08] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] C:\Program Files\SUPERAntiSpyware\SASWINLO.dll --a------ 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "appinit_dlls"=acaptuser32.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Authentication Packages msv1_0 relog_ap [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice] [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice] [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice] [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "Ati HotKey Poller"=2 (0x2) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows 
NT\CurrentVersion\Svchost - netsvcs UxTuneUp HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7AC5DF9C-0F1C-E2CB-6770-4B2C483A02CD} C:\WINDOWS\system32\Systemfiles\taskmgr.exe s Contents of the 'Scheduled Tasks' folder 2007-07-05 09:51:52 C:\WINDOWS\tasks\MP Scheduled Scan.job ************************************************************************** catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-07-11 01:55:47 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows AppInit_DLLs = acaptuser32.dll?? scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** Completion time: 2007-07-11 1:56:40 C:\ComboFix-quarantined-files.txt ... 2007-07-11 01:56 --- E O F --- 07/11/07 02:00:48 [Info]: BlackLight Engine 1.0.64 initialized 07/11/07 02:00:48 [Info]: OS: 5.1 build 2600 (Service Pack 2) 07/11/07 02:00:48 [Note]: 7019 4 07/11/07 02:00:48 [Note]: 7005 0 07/11/07 02:00:58 [Note]: 7006 0 07/11/07 02:00:58 [Note]: 7011 9316 07/11/07 02:00:58 [Note]: 7026 0 07/11/07 02:00:59 [Note]: 7026 0 07/11/07 02:01:12 [Note]: FSRAW library version 1.7.1022 07/11/07 02:59:45 [Note]: 7007 0 |
|
|
|
|
#38 (permalink) |
|
Registered User
Join Date: Jul 2007
Posts: 57
OS: WinXP SP2
|
Re: iexplore.exe running each time I reboot/Please help
One more note, when I ran combofix.exe, an error window popped up (see attached snapshot). I gave it OK and the MS-DOS window of the program proceeded normally, entered "1" and the scan continued generating the log. Just for you to know.
#39 (permalink) | |
|
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,610
OS: WinXP and Vista
|
Re: iexplore.exe running each time I reboot/Please help
Correct, Blacklight is coming up clean.
We may as well go ahead and fix these orphaned registry entries:

Go to Start->Run and type in regedit and hit OK.
Open notepad and copy/paste the entire text in the quotebox below: (don't forget to copy and paste REGEDIT4)

Quote:

It should look like this:

Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

--------------------------------------------------------------------

How you proceed from here is up to you. I'd be interested to know the outcome.
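An added example, not part of the thread and not the helper's delete.reg (its contents are not preserved on this page): Python that finds autorun values with empty data in a ComboFix-style "Reg Loading Points" section and renders REGEDIT4 text that deletes only those values. Reading "orphaned" as "empty data and no file info" is an assumption, as are the function names; the sample log embedded in the block is constructed.

```python
import re

# Constructed sample, laid out like a ComboFix "Reg Loading Points" section.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-22 22:19]
"LTWinModem1"="ltmsg.exe" [2001-04-03 10:38 C:\WINDOWS\system32\ltmsg.exe]
"pdfSaver3"="" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI Launchpad"="" []
"@"="" []
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05]
'''

KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>[^"]*)"\s*\[(?P<info>[^\]]*)\]$')


def find_orphans(log_text):
    """Return (key, value_name) pairs whose data and file info are both empty."""
    orphans, key = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        # Values seen before any key header cannot be attributed, so skip them.
        if m and key and m.group('data') == '' and m.group('info').strip() == '':
            orphans.append((key, m.group('name')))
    return orphans


def split_for_review(orphans):
    """Separate '@' entries: the log does not say whether '@' is the key's
    default value or a value literally named '@', so a person must decide."""
    auto = [o for o in orphans if o[1] != '@']
    manual = [o for o in orphans if o[1] == '@']
    return auto, manual


def render_reg(orphans):
    """Build REGEDIT4 text; a line of the form "name"=- deletes that one value."""
    by_key = {}
    for key, name in orphans:
        by_key.setdefault(key, []).append(name)
    out = ['REGEDIT4', '']
    for key, names in by_key.items():
        out.append('[%s]' % key)
        for name in names:
            out.append('"%s"=-' % name.replace('\\', '\\\\'))
        out.append('')
    return '\r\n'.join(out)


if __name__ == '__main__':
    auto, manual = split_for_review(find_orphans(SAMPLE_LOG))
    print(render_reg(auto))
    print('Needs manual review:', manual)
```

Exporting the affected keys from regedit before merging any generated file gives a way back if a value turns out to be in use.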
#40 (permalink) |
|
Registered User
Join Date: Jul 2007
Posts: 57
OS: WinXP SP2
|
Re: iexplore.exe running each time I reboot/Please help
Ried, when you say "How you proceed from here is up to you. I'd be interested to know the outcome.", do you mean you're giving up since you can't find a solution to this? If that's so, let me anyway thank you again for all your efforts in this case. And be assured that if I find a way to solve this I'll let you know.
One question: if this were your computer, and assuming that there's no way to fix this, would you keep things as they are or would you reinstall WinXP? I mean, from what you told me earlier, my PC is 100% safe to work online, right? (it's clean from malware, including rootkits). So as long as I terminate "iexplore.exe" after each reboot then I'm safe? I'm really curious what's causing this, "iexplore.exe" after reboot is utilizing about 60% of CPU, I wonder doing what.