
Malwarebytes, HijackThis, RootRepeal all won't run



I noticed that my browser had been hijacked, so I tried to run MWAM; a few seconds after starting the scan the open program disappeared, and when I tried to run it again I got "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access this item."

Reinstalling and renaming the program still resulted in the same problem.

I tried running HijackThis and the exact same situation occurred.

I tried running RootRepeal as mentioned in this thread: http://www.malwarebytes.org/forums/index.php?showtopic=12709

but the program would hang at "Initializing" and eventually the system would lock up.

I again tried all of this in safe mode (reinstalling, renaming, re-running with all 3 programs) and still the same problems occurred.

I've also tried running dds.scr, letting it run for about 20 minutes in normal and safe mode, but no log ever pops up.

Trying to open up the task manager causes the machine to lock up and procexp will only open in safe mode, and I don't seem to see anything that looks suspicious.

What should I do next?


Download then run gmer

http://www2.gmer.net/download.php

That link triggers the download of a randomly named gmer.

Once downloaded run the file, it does an initial scan when started, that should be enough, save the log and post it please.

Is the PC NTFS or FAT32 maximal?

NTFS running Vista Ultimate with SP1

Here's what I got from GMER:

GMER 1.0.15.15020 [qe5suuyn.exe] - http://www.gmer.net

Rootkit quick scan 2009-08-11 06:59:18

Windows 6.0.6001 Service Pack 1

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 61: copy of MBR

Disk \Device\Harddisk0\DR0 sector 62: copy of MBR

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 852531E8

Device \FileSystem\fastfat \Fat 866881E8

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


Run gmer again and ensure only these items are checked over to the right

[x]system

[x]services

[x]registry

[x]files

then scan, save the log and post it again please

I've tried running this twice (in safe mode, I can't seem to boot into normal mode anymore) and both times the open instance of Gmer has just disappeared, like MWB and HijackThis have.

It dies while looking in c:/windows/system32/drivers (and disabled access to Gmer, so I've had to re-download it) if that helps?


Uncheck files and try again, problems?

If so check only system, services and files

[x]system

[x]services

[ ]registry

[x]files

Without files checked:

GMER 1.0.15.15020 [c7wccbmv.exe] - http://www.gmer.net

Rootkit scan 2009-08-11 19:36:39

Windows 6.0.6001 Service Pack 1

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001c26efcda2

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x20 0x26 0xF7 0x15 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xA2 0xED 0xB3 0xBA ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x7A 0x64 0x62 0x4B ...

Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001c26efcda2 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Upgrade\LocalRadioSettings (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x20 0x26 0xF7 0x15 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xA2 0xED 0xB3 0xBA ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x7A 0x64 0x62 0x4B ...

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@IconServiceLib IconCodecService.dll

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DdeSendTimeout 0

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DesktopHeapLogging 1

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@ShutdownWarningDialogTimeout -1

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERPostMessageLimit 10000

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@ mnmsrvc

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90

---- EOF - GMER 1.0.15 ----


Try a scan with just files checked , problems ?

Then post a gmer autostart log

Open gmer > use the >>> tab near the top > autostart, then scan; the [ ] "show all" box is unchecked, leave it.

copy and paste that log back here.

Scanning just files I run into the same problem as before.

Here is the autostart log:

GMER 1.0.15.15020 - http://www.gmer.net

Autostart scan 2009-08-11 19:54:14

Windows 6.0.6001 Service Pack 1

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\Windows\system32\userinit.exe,

HKLM\SYSTEM\CurrentControlSet\Services\ >>>

AESTFilters@ = C:\Windows\system32\aestsrv.exe

AntiVirSchedulerService@ = "C:\Program Files\Avira\AntiVir Desktop\sched.exe"

AntiVirService@ = "C:\Program Files\Avira\AntiVir Desktop\avguard.exe"

Bonjour Service@ = "C:\Program Files\Bonjour\mDNSResponder.exe"

EvtEng@ = C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

Lavasoft Ad-Aware Service@ = "C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe"

pgsql-8.0.0-rc1@ = "C:\Program Files\PostgreSQL\8.0.0-rc1\bin\pg_ctl.exe" runservice -N "pgsql-8.0.0-rc1" -D "C:\Program Files\PostgreSQL\8.0.0-rc1\data\"

RegSrvc@ = C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

RoxWatch9@ = "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe"

Rpcnet@ = C:\Windows\System32\rpcnet.exe

rpcnetp@ = %SystemRoot%\System32\rpcnetp.exe

slsvc@ = %SystemRoot%\system32\SLsvc.exe

STacSV@ = C:\Windows\system32\STacSV.exe

wlidsvc@ = "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE"

WMPNetworkSvc@ = "%ProgramFiles%\Windows Media Player\wmpnetwk.exe"

WSearch@ = %systemroot%\system32\SearchIndexer.exe /Embedding

XAudioService@ = %SystemRoot%\system32\DRIVERS\xaudio.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>

@Windows Defender%ProgramFiles%\Windows Defender\MSASCui.exe -hide /*file not found*/ = %ProgramFiles%\Windows Defender\MSASCui.exe -hide /*file not found*/

@ApointC:\Program Files\DellTPad\Apoint.exe = C:\Program Files\DellTPad\Apoint.exe

@dscactivatec:\dell\dsca.exe 3 = c:\dell\dsca.exe 3

@ISUSScheduler"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start = "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

@Logitech Hardware Abstraction Layer"C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE" = "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"

@PCMService"C:\Program Files\Dell\MediaDirect\PCMService.exe" = "C:\Program Files\Dell\MediaDirect\PCMService.exe"

@ISUSPM StartupC:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup = C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup

@RoxWatchTray"C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" = "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"

@RoxioDragToDisc"C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" = "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"

@GrooveMonitor"C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" = "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

@Kernel and Hardware Abstraction LayerKHALMNPR.EXE = KHALMNPR.EXE

@DeadAIMrundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs = rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs

@WinampAgent"C:\Program Files\Winamp\winampa.exe" = "C:\Program Files\Winamp\winampa.exe"

@QuickTime Task"C:\Program Files\QuickTime\QTTask.exe" -atboottime = "C:\Program Files\QuickTime\QTTask.exe" -atboottime

@OEM02Mon.exeC:\Windows\OEM02Mon.exe = C:\Windows\OEM02Mon.exe

@SigmatelSysTrayApp%ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe /*file not found*/ = %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe /*file not found*/

@NvSvcRUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart = RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart

@NvCplDaemonRUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup = RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup

@NvMediaCenterRUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit = RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit

@NVHotkeyrundll32.exe C:\Windows\system32\nvHotkey.dll,Start = rundll32.exe C:\Windows\system32\nvHotkey.dll,Start

@Ad-WatchC:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe = C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

@SMSTrayC:\Program Files\Samsung\EmoDio\SMSTray.exe = C:\Program Files\Samsung\EmoDio\SMSTray.exe

@net"C:\Windows\system32\net.net" /*file not found*/ = "C:\Windows\system32\net.net" /*file not found*/

@avgnt"C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min = "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce >>>

@Malwarebytes' Anti-MalwareC:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent /*file not found*/ = C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent /*file not found*/

@GrpConvgrpconv -o = grpconv -o

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>

@DAEMON Tools"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 = "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

@SidebarC:\Program Files\Windows Sidebar\sidebar.exe /autoRun /*file not found*/ = C:\Program Files\Windows Sidebar\sidebar.exe /autoRun /*file not found*/

@AIMC:\Program Files\AIM\aim.exe -cnetwait.odl /*file not found*/ = C:\Program Files\AIM\aim.exe -cnetwait.odl /*file not found*/

@ehTray.exeC:\Windows\ehome\ehTray.exe = C:\Windows\ehome\ehTray.exe

@TranscodingService"C:\Program Files\TiVo\Desktop\TranscodingService.exe" /auto = "C:\Program Files\TiVo\Desktop\TranscodingService.exe" /auto

@TivoNotify"C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify = "C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify

@TivoServer"C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry /auto:TivoServer = "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry /auto:TivoServer

@MonopodC:\Users\Gary\AppData\Local\temp\b.exe = C:\Users\Gary\AppData\Local\temp\b.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ >>>

SharedTaskScheduler@{E31004D1-A431-41B8-826F-E902F9D95C81} = %SystemRoot%\System32\DreamScene.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks >>>

@{B5A7F190-DDA6-4420-B3BA-52453494E6CD}C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll = C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

@{AEB6717E-7E19-11d0-97EE-00C04FD91972}(null) =

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>

@{F02C1A0D-BE21-4350-88B0-7367FC96EF3C} /*Computers and Devices*/%systemroot%\system32\NetworkExplorer.dll = %systemroot%\system32\NetworkExplorer.dll

@{4A1E5ACD-A108-4100-9E26-D2FAFA1BA486} /*IGD Property Sheet Handler*/%SystemRoot%\System32\icsigd.dll = %SystemRoot%\System32\icsigd.dll

@{92dbad9f-5025-49b0-9078-2d78f935e341} /*Microsoft Windows Mail Html Preview Handler*/%SystemRoot%\system32\inetcomm.dll = %SystemRoot%\system32\inetcomm.dll

@{b9815375-5d7f-4ce2-9245-c9d4da436930} /*Microsoft Windows Mail Html Preview Handler*/%SystemRoot%\system32\inetcomm.dll = %SystemRoot%\system32\inetcomm.dll

@{f8b8412b-dea3-4130-b36c-5e8be73106ac} /*Microsoft Windows Mail Html Preview Handler*/%SystemRoot%\system32\inetcomm.dll = %SystemRoot%\system32\inetcomm.dll

@{5FA29220-36A1-40f9-89C6-F4B384B7642E} /*Shell Message Handler*/%SystemRoot%\system32\inetcomm.dll = %SystemRoot%\system32\inetcomm.dll

@{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} /*Shell DocObject Viewer*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll

@{FBF23B40-E3F0-101B-8488-00AA003E56F8} /*InternetShortcut*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll

@{3C374A40-BAE4-11CF-BF7D-00AA006946EE} /*Microsoft Url History Service*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll

@{FF393560-C2A7-11CF-BFF4-444553540000} /*History*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll

@{7BD29E00-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll

@{7BD29E01-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll

@{CFBFAE00-17A6-11D0-99CB-00C04FD64497} /*Microsoft Url Search Hook*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll

@{3DC7A020-0ACD-11CF-A9BB-00AA004AE837} /*The Internet*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll

@{73CFD649-CD48-4fd8-A272-2070EA56526B} /*IE BandProxy*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll

@{07C45BB1-4A8C-4642-A1F5-237E7215FF66} /*IE Microsoft BrowserBand*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll

@{43886CD5-6529-41c4-A707-7B3C92C05E68} /*IE Navigation Bar*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll

@{30D02401-6A81-11d0-8274-00C04FD5AE38} /*IE Search Band*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll

@{F83DAC1C-9BB9-4f2b-B619-09819DA81B0E} /*IE Registry Tree Options Utility*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll

@{3028902F-6374-48b2-8DC6-9725E775B926} /*IE AutoComplete*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll

@{98FF6D4B-6387-4b0a-8FBD-C5C4BB17B4F8} /*IE MRU AutoComplete List*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll

@{FDE7673D-2E19-4145-8376-BBD58C4BC7BA} /*IE Custom MRU AutoCompleted List*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll

@{6038EF75-ABFC-4e59-AB6F-12D397F6568D} /*IE Microsoft History AutoComplete List*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll

@{9D958C62-3954-4b44-8FAB-C4670C1DB4C2} /*IE Microsoft Shell Folder AutoComplete List*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll

@{B31C5FAE-961F-415b-BAF0-E697A5178B94} /*IE Microsoft Multiple AutoComplete List Container*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll

@{E6EE9AAC-F76B-4947-8260-A9F136138E11} /*IE Shell Band Site Menu*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll

@{BFAD62EE-9D54-4b2a-BF3B-76F90697BD2A} /*IE Shell Rebar BandSite*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll

@{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} /*IE User Assist*/(null) =

@{4B78D326-D922-44f9-AF2A-07805C2A3560} /*IE Menu Band*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll

@{6CF48EF8-44CD-45d2-8832-A16EA016311B} /*IE IShellFolderBand*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll

@{F2CF5485-4E02-4f68-819C-B92DE9277049} /*&Links*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll

@{1C1EDB47-CE22-4bbb-B608-77B48F83C823} /*IE Fade Task*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll

@{6B4ECC4F-16D1-4474-94AB-5A763F2A54AE} /*IE Tracking Shell Menu*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll

@{44C76ECD-F7FA-411c-9929-1B77BA77F524} /*IE Menu Site*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll

@{205D7A97-F16D-4691-86EF-F3075DCCA57D} /*IE Menu Desk Bar*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll

@{871C5380-42A0-1069-A2EA-08002B30309D} /*Internet Name Space*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll

@{9A096BB5-9DC3-4D1C-8526-C3CBF991EA4E} /*IE RSS Feeder Folder*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll

@{8856f961-340a-11d0-a96b-00c04fd705a2} /*Microsoft Web Browser*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll

@{00020d75-0000-0000-c000-000000000046} /*Microsoft Office Outlook Desktop Icon Handler*/C:\PROGRA~1\MICROS~2\Office12\MLSHEXT.DLL = C:\PROGRA~1\MICROS~2\Office12\MLSHEXT.DLL

@{CC6EEFFB-43F6-46c5-9619-51D571967F7D} /*Web Publishing Wizard*/%SystemRoot%\System32\shwebsvc.dll = %SystemRoot%\System32\shwebsvc.dll

@{add36aa8-751a-4579-a266-d66f5202ccbb} /*Print Ordering via the Web*/%SystemRoot%\System32\shwebsvc.dll = %SystemRoot%\System32\shwebsvc.dll

@{6b33163c-76a5-4b6c-bf21-45de9cd503a1} /*Shell Publishing Wizard Object*/%SystemRoot%\System32\shwebsvc.dll = %SystemRoot%\System32\shwebsvc.dll

@{176d6597-26d3-11d1-b350-080036a75b03} /*ICM Scanner Management*/%SystemRoot%\System32\colorui.dll = %SystemRoot%\System32\colorui.dll

@{5DB2625A-54DF-11D0-B6C4-0800091AA605} /*ICM Monitor Management*/%SystemRoot%\System32\colorui.dll = %SystemRoot%\System32\colorui.dll

@{675F097E-4C4D-11D0-B6C1-0800091AA605} /*ICM Printer Management*/%SystemRoot%\system32\colorui.dll = %SystemRoot%\system32\colorui.dll

@{DBCE2480-C732-101B-BE72-BA78E9AD5B27} /*ICC Profile*/%SystemRoot%\system32\colorui.dll = %SystemRoot%\system32\colorui.dll

@{b2c761c6-29bc-4f19-9251-e6195265baf1} /*Color Control Panel Applet*/(null) =

@{74246bfc-4c96-11d0-abef-0020af6b0b7a} /*Device Manager*/%SystemRoot%\System32\devmgr.dll = %SystemRoot%\System32\devmgr.dll

@{7A979262-40CE-46ff-AEEE-7884AC3B6136} /*Add New Hardware*/(null) =

@{3e7efb4c-faf1-453d-89eb-56026875ef90} /*Get Programs Online*/(null) =

@{1b24a030-9b20-49bc-97ac-1be4426f9e59} /*ActiveDirectory Folder*/(null) =

@{34449847-FD14-4fc8-A75A-7432F5181EFB} /*ActiveDirectory Folder*/(null) =

@{C8494E42-ACDD-4739-B0FB-217361E4894F} /*Sam Account Folder*/(null) =

@{E29F9716-5C08-4FCD-955A-119FDB5A522D} /*Sam Account Folder*/(null) =

@{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0} /*Control Panel command object for Start menu*/(null) =

@{E44E5D18-0652-4508-A4E2-8A090067BCB0} /*Default Programs command object for Start menu*/(null) =

@{6dfd7c5c-2451-11d3-a299-00c04f8ef6af} /*Folder Options*/(null) =

@{97e467b4-98c6-4f19-9588-161b7773d6f6} /*Office Document Property Handler*/%SystemRoot%\system32\propsys.dll = %SystemRoot%\system32\propsys.dll

@{2C2577C2-63A7-40e3-9B7F-586602617ECB} /*Explorer Query Band*/(null) =

@{DC1C5A9C-E88A-4dde-A5A1-60F82A20AEF7} /*File Open Dialog*/%SystemRoot%\System32\comdlg32.dll = %SystemRoot%\System32\comdlg32.dll

@{C0B4E2F3-BA21-4773-8DBA-335EC946EB8B} /*File Save Dialog*/%SystemRoot%\System32\comdlg32.dll = %SystemRoot%\System32\comdlg32.dll

@{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} /*Shell Icon Handler for Application References*/C:\Windows\system32\dfshim.dll = C:\Windows\system32\dfshim.dll

@{e82a2d71-5b2f-43a0-97b8-81be15854de8} /*ShellLink for Application References*/C:\Windows\system32\dfshim.dll = C:\Windows\system32\dfshim.dll

@{92337A8C-E11D-11D0-BE48-00C04FC30DF6} /*OlePrn.PrinterURL*/%SystemRoot%\system32\oleprn.dll = %SystemRoot%\system32\oleprn.dll

@{45670FA8-ED97-4F44-BC93-305082590BFB} /*Microsoft XPS Properties*/%SystemRoot%\system32\XPSSHHDR.DLL = %SystemRoot%\system32\XPSSHHDR.DLL

@{44121072-A222-48f2-A58A-6D9AD51EBBE9} /*Microsoft XPS Thumbnail*/%SystemRoot%\system32\XPSSHHDR.DLL = %SystemRoot%\system32\XPSSHHDR.DLL

@{38a98528-6cbf-4ca9-8dc0-b1e1d10f7b1b} /*View Available Networks*/(null) =

@{13D3C4B8-B179-4ebb-BF62-F704173E7448} /*Windows Contact Preview Handler*/%CommonProgramFiles%\System\wab32.dll = %CommonProgramFiles%\System\wab32.dll

@{0F8604A5-4ECE-4DE1-BA7D-CF10F8AA4F48} /*Contacts folder*/(null) =

@{4F58F63F-244B-4c07-B29F-210BE59BE9B4} /*.group shell extension handler*/%CommonProgramFiles%\System\wab32.dll = %CommonProgramFiles%\System\wab32.dll

@{8082C5E6-4C27-48ec-A809-B8E1122E8F97} /*.contact shell extension handler*/%CommonProgramFiles%\System\wab32.dll = %CommonProgramFiles%\System\wab32.dll

@{16C2C29D-0E5F-45f3-A445-03E03F587B7D} /*group_wab_auto_file*/%CommonProgramFiles%\System\wab32.dll = %CommonProgramFiles%\System\wab32.dll

@{CF67796C-F57F-45F8-92FB-AD698826C602} /*contact_wab_auto_file*/%CommonProgramFiles%\System\wab32.dll = %CommonProgramFiles%\System\wab32.dll

@{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8} /*Compatibility Property Page*/%windir%\system32\acppage.dll = %windir%\system32\acppage.dll

@{4026492f-2f69-46b8-b9bf-5654fc07e423} /*Windows Firewall*/(null) =

@{fcfeecae-ee1b-4849-ae50-685dcf7717ec} /*Problem Reports and Solutions*/(null) =

@{a304259d-52b8-4526-8b1a-a1d6cecc8243} /*iSCSI Initiator*/(null) =

@{11dbb47c-a525-400b-9e80-a54615a090c0} /*Execute Folder*/ExplorerFrame.dll = ExplorerFrame.dll

@{90b9bce2-b6db-4fd3-8451-35917ea1081b} /*Search Execute Command*/ExplorerFrame.dll = ExplorerFrame.dll

@{911051fa-c21c-4246-b470-070cd8df6dc4} /*.cab or .zip files*/(null) =

@{da67b8ad-e81b-4c70-9b91b417b5e33527} /*Windows Search Shell Service*/(null) =

@{a38b883c-1682-497e-97b0-0a3a9e801682} /*IPropertyStore Handler for Images*/C:\Windows\system32\PhotoMetadataHandler.dll = C:\Windows\system32\PhotoMetadataHandler.dll

@{C7657C4A-9F68-40fa-A4DF-96BC08EB3551} /*Photo Thumbnail Provider*/C:\Windows\system32\PhotoMetadataHandler.dll = C:\Windows\system32\PhotoMetadataHandler.dll

@{3F30C968-480A-4C6C-862D-EFC0897BB84B} /*Photo Thumbnail Extractor*/C:\Windows\system32\PhotoMetadataHandler.dll = C:\Windows\system32\PhotoMetadataHandler.dll

@{BC65FB43-1958-4349-971A-210290480130} /*Network Explorer Property Sheet Handler*/%SystemRoot%\System32\NcdProp.dll = %SystemRoot%\System32\NcdProp.dll

@{d3e34b21-9d75-101a-8c3d-00aa001a1652} /*Bitmap Image*/(null) =

@{40C3D757-D6E4-4b49-BB41-0E5BBEA28817} /*Video Media Properties Handler*/%SystemRoot%\System32\mediametadatahandler.dll = %SystemRoot%\System32\mediametadatahandler.dll

@{E598560B-28D5-46aa-A14A-8A3BEA34B576} /*Windows Photo Gallery Viewer Video Verbs*/%ProgramFiles%\Windows Photo Gallery\PhotoViewer.dll /*file not found*/ = %ProgramFiles%\Windows Photo Gallery\PhotoViewer.dll /*file not found*/

@{00f2886f-cd64-4fc9-8ec5-30ef6cdbe8c3} /*Microsoft.ScannersAndCameras*/(null) =

@{0a4286ea-e355-44fb-8086-af3df7645bd9} /*Windows Media Player*/C:\PROGRA~1\WI4EB4~1\wmpband.dll = C:\PROGRA~1\WI4EB4~1\wmpband.dll

@{BB6B2374-3D79-41DB-87F4-896C91846510} /*EMDFileProperties*/emdmgmt.dll = emdmgmt.dll

@{875CB1A1-0F29-45de-A1AE-CFB4950D0B78} /*Audio Media Properties Handler*/%SystemRoot%\System32\mediametadatahandler.dll = %SystemRoot%\System32\mediametadatahandler.dll

@{89D83576-6BD1-4c86-9454-BEB04E94C819} /*MAPI Search Namespace Extension*/%systemroot%\system32\mssvp.dll = %systemroot%\system32\mssvp.dll

@{7A0F6AB7-ED84-46B6-B47E-02AA159A152B} /*Sync Center Simple Conflict Presenter*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll

@{9D687A4C-1404-41ef-A089-883B6FBECDE6} /*Windows Photo Gallery Viewer Autoplay Handler*/(null) =

@{37efd44d-ef8d-41b1-940d-96973a50e9e0} /*Windows Sidebar Properties*/(null) =

@{00f20eb5-8fd6-4d9d-b75e-36801766c8f1} /*PhotoAcqDropTarget*/%ProgramFiles%\Windows Photo Gallery\PhotoAcq.dll /*file not found*/ = %ProgramFiles%\Windows Photo Gallery\PhotoAcq.dll /*file not found*/

@{BC48B32F-5910-47F5-8570-5074A8A5636A} /*Sync Results Delegate Folder*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll

@{ED228FDF-9EA8-4870-83B1-96B02CFE0D52} /*Games Folder*/C:\Windows\System32\gameux.dll = C:\Windows\System32\gameux.dll

@{E413D040-6788-4C22-957E-175D1C513A34} /*Sync Center Conflict Delegate Folder*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll

@{67718415-c450-4f3c-bf8a-b487642dc39b} /*Windows Features*/(null) =

@{91ADC906-6722-4B05-A12B-471ADDCCE132} /*Touch Band*/%SystemRoot%\System32\TouchX.dll = %SystemRoot%\System32\TouchX.dll

@{2781761E-28E0-4109-99FE-B9D127C57AFE} /*Windows Defender IOfficeAntiVirus implementation*/%ProgramFiles%\Windows Defender\MpOav.dll /*file not found*/ = %ProgramFiles%\Windows Defender\MpOav.dll /*file not found*/

@{FFE2A43C-56B9-4bf5-9A79-CC6D4285608A} /*Windows Photo Gallery Viewer Image Verbs*/%ProgramFiles%\Windows Photo Gallery\PhotoViewer.dll /*file not found*/ = %ProgramFiles%\Windows Photo Gallery\PhotoViewer.dll /*file not found*/

@{4B534112-3AF6-4697-A77C-D62CE9B9E7CF} /*Sync Center Event Properties Extension*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll

@{F1390A9A-A3F4-4E5D-9C5F-98F3BD8D935C} /*Sync Setup Delegate Folder*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll

@{4E5BFBF8-F59A-4e87-9805-1F9B42CC254A} /*GameUX.RichGameMediaThumbnail*/C:\Windows\System32\gameux.dll = C:\Windows\System32\gameux.dll

@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll

@{d8559eb9-20c0-410e-beda-7ed416aecc2a} /*Windows Defender*/(null) =

@{576C9E85-1300-4EF5-BF6B-D00509F4EDCD} /*Sync Center Handler Properties Extension*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll

@{5ea4f148-308c-46d7-98a9-49041b1dd468} /*Mobility Center Control Panel*/(null) =

@{289978AC-A101-4341-A817-21EBA7FD046D} /*Sync Center Conflict Folder*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll

@{877ca5ac-cb41-4842-9c69-9136e42d47e2} /*File Backup Index*/%systemroot%\system32\sdshext.dll = %systemroot%\system32\sdshext.dll

@{71D99464-3B6B-475C-B241-E15883207529} /*Sync Results Folder*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll

@{B32D3949-ED98-4DBB-B347-17A144969BBA} /*Sync Center Item Properties Extension*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll

@{D6791A63-E7E2-4fee-BF52-5DED8E86E9B8} /*Portable Devices Menu*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll

@{2E9E59C0-B437-4981-A647-9C34B9B90891} /*Sync Setup Folder*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll

@{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF} /*Sync Center Folder*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll

@{CB1B7F8C-C50A-4176-B604-9E24DEE8D4D1} /*Welcome Center*/oobefldr.dll = oobefldr.dll

@{15D633E2-AD00-465b-9EC7-F56B7CDF8E27} /*Tablet PC Input Panel*/%CommonProgramFiles%\microsoft shared\ink\TipBand.dll /*file not found*/ = %CommonProgramFiles%\microsoft shared\ink\TipBand.dll /*file not found*/

@{F04CC277-03A2-4277-96A9-77967471BDFF} /*Sync Center Conflict Properties Extension*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll

@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll

@{53BEDF0B-4E5B-4183-8DC9-B844344FA104} /*Microsoft Windows MAPI Preview Handler*/%SystemRoot%\system32\mssvp.dll = %SystemRoot%\system32\mssvp.dll

@{6b9228da-9c15-419e-856c-19e768a13bdc} /*Windows gadget DropTarget*/%ProgramFiles%\Windows Sidebar\sbdrop.dll /*file not found*/ = %ProgramFiles%\Windows Sidebar\sbdrop.dll /*file not found*/

@{8E25992B-373E-486E-80E5-BD23AE417E66} /*Sync Center Device Notification Sink*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll

@{35786D3C-B075-49b9-88DD-029876E11C01} /*Portable Devices*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll

@{031EE060-67BC-460d-8847-E4A7C5E45A27} /*Windows Media Player Rich Preview Handler*/(null) =

@{1FA9085F-25A2-489B-85D4-86326EEDCD87} /*Manage Wireless Networks*/%SystemRoot%\system32\wlanpref.dll = %SystemRoot%\system32\wlanpref.dll

@{ECDD6472-2B9B-4b4b-AE36-F316DF3C8D60} /*RichGameMediaPropertyStore Class*/C:\Windows\System32\gameux.dll = C:\Windows\System32\gameux.dll

@{BD7A2E7B-21CB-41b2-A086-B309680C6B7E} /*Client Side Cache Namespace Extension*/%systemroot%\system32\mssvp.dll = %systemroot%\system32\mssvp.dll

@{c5a40261-cd64-4ccf-84cb-c394da41d590} /*Video Thumbnail Extractor*/%SystemRoot%\System32\mediametadatahandler.dll = %SystemRoot%\System32\mediametadatahandler.dll

@{A70C977A-BF00-412C-90B7-034C51DA2439} /*NvCpl DesktopContext Class*/C:\Windows\system32\nvcpl.dll = C:\Windows\system32\nvcpl.dll

@{7842554E-6BED-11D2-8CDB-B05550C10000} /*Monitor*/C:\Windows\system32\btncopy.dll = C:\Windows\system32\btncopy.dll

@{B9B9F083-2B04-452A-8691-83694AC1037B} /*Logitech Setpoint Extension*/C:\Program Files\SetPoint\mcplext.dll = C:\Program Files\SetPoint\mcplext.dll

@{DC70C4A5-2044-4c59-B806-DEFB9AE0DF7C} /*Logitech Setpoint Extension*/C:\Program Files\SetPoint\kbcplext.dll = C:\Program Files\SetPoint\kbcplext.dll

@{5E44E225-A408-11CF-B581-008029601108} /*Roxio DragToDisc Shell Extension*/C:\Program Files\Roxio\Drag-to-Disc\Shellex.dll = C:\Program Files\Roxio\Drag-to-Disc\Shellex.dll

@{72853161-30C5-4D22-B7F9-0BBC1D38A37E} /*Groove GFS Browser Helper*/C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll = C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

@{2A541AE1-5BF6-4665-A8A3-CFA9672E4291} /*Groove GFS Explorer Bar*/C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll = C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

@{A449600E-1DC6-4232-B948-9BD794D62056} /*Groove GFS Stub Icon Handler*/C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll = C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

@{B5A7F190-DDA6-4420-B3BA-52453494E6CD} /*Groove GFS Stub Execution Hook*/C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll = C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

@{6C467336-8281-4E60-8204-430CED96822D} /*Groove GFS Context Menu Handler*/C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll = C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

@{387E725D-DC16-4D76-B310-2C93ED4752A0} /*Groove XML Icon Handler*/C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll = C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

@{16F3DD56-1AF5-4347-846D-7C10C4192619} /*Groove Explorer Icon Overlay 3 (GFS Folder)*/C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll = C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

@{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC} /*Groove Explorer Icon Overlay 2 (GFS Stub)*/C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll = C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

@{2916C86E-86A6-43FE-8112-43ABE6BF8DCC} /*Groove Explorer Icon Overlay 4 (GFS Unread Mark)*/C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll = C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

@{99FD978C-D287-4F50-827F-B2C658EDA8E7} /*Groove Explorer Icon Overlay 1 (GFS Unread Stub)*/C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll = C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

@{920E6DB1-9907-4370-B3A0-BAFC03D81399} /*Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)*/C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll = C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

@{0006F045-0000-0000-C000-000000000046} /*Microsoft Office Outlook Custom Icon Handler*/C:\PROGRA~1\MICROS~2\Office12\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~2\Office12\OLKFSTUB.DLL

@{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C} /*Microsoft Office OneNote Namespace Extension for Windows Desktop Search*/C:\PROGRA~1\MICROS~2\Office12\ONFILTER.DLL = C:\PROGRA~1\MICROS~2\Office12\ONFILTER.DLL

@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Program Files\Microsoft Office\Office12\msohevi.dll = C:\Program Files\Microsoft Office\Office12\msohevi.dll

@{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} /*Microsoft Office Metadata Handler*/C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll = C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll

@{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97} /*Microsoft Office Thumbnail Handler*/C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll = C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll

@{506F4668-F13E-4AA1-BB04-B43203AB3CC0} /*{506F4668-F13E-4AA1-BB04-B43203AB3CC0}*/C:\Program Files\Microsoft Office\Office12\VISSHE.DLL = C:\Program Files\Microsoft Office\Office12\VISSHE.DLL

@{D66DC78C-4F61-447F-942B-3FB6980118CF} /*{D66DC78C-4F61-447F-942B-3FB6980118CF}*/C:\Program Files\Microsoft Office\Office12\VISSHE.DLL = C:\Program Files\Microsoft Office\Office12\VISSHE.DLL

@{FFB699E0-306A-11d3-8BD1-00104B6F7516} /*Play on my TV helper*/C:\Windows\system32\nvcpl.dll = C:\Windows\system32\nvcpl.dll

@{06A2568A-CED6-4187-BB20-400B8C02BE5A} /**/(null) =

@{00F33137-EE26-412F-8D71-F84E4C2C6625} /**/C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll = C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll

@{2BE99FD4-A181-4996-BFA9-58C5FFD11F6C} /*Windows Live Photo Gallery Autoplay Drop Target*/(null) =

@{00F30F64-AC33-42F5-8FD1-5DC2D3FDE06C} /*Windows Live Photo Gallery Viewer Drop Target*/(null) =

@{00F374B7-B390-4884-B372-2FC349F2172B} /*Windows Live Photo Gallery Editor Drop Target*/(null) =

@{00F346CB-35A4-465B-8B8F-65A29DBAB1F6} /*Windows Live Photo Gallery Viewer Drop Target Shim*/C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll = C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll

@{00F3712A-CA79-45B4-9E4D-D7891E7F8B9D} /*Windows Live Photo Gallery Editor Drop Target Shim*/C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll = C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll

@{00F30F90-3E96-453B-AFCD-D71989ECC2C7} /*Windows Live Photo Gallery Autoplay Drop Target Shim*/C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll = C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll

@{11016101-E366-4D22-BC06-4ADA335C892B} /*IE History and Feeds Shell Data Source for Windows Search*/C:\Windows\System32\ieframe.dll = C:\Windows\System32\ieframe.dll

@{45AC2688-0253-4ED8-97DE-B5370FA7D48A} /*Shell Extension for Malware scanning*/C:\Program Files\Avira\AntiVir Desktop\shlext.dll = C:\Program Files\Avira\AntiVir Desktop\shlext.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>

LavasoftShellExt@{DCE027F7-16A4-4BEE-9BE7-74F80EE3738F} = C:\Program Files\Lavasoft\Ad-Aware\ShellExt.dll

Shell Extension for Malware scanning@{45AC2688-0253-4ED8-97DE-B5370FA7D48A} = C:\Program Files\Avira\AntiVir Desktop\shlext.dll

XXX Groove GFS Context Menu Handler XXX@{6C467336-8281-4E60-8204-430CED96822D} = C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\XXX Groove GFS Context Menu Handler XXX@{6C467336-8281-4E60-8204-430CED96822D} = C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers@{596AB062-B4D2-4215-9F74-E9109B0A8153} = %SystemRoot%\system32\twext.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>

LavasoftShellExt@{DCE027F7-16A4-4BEE-9BE7-74F80EE3738F} = C:\Program Files\Lavasoft\Ad-Aware\ShellExt.dll

MBAMShlExt@{57CE581A-0CB6-4266-9CA0-19364C90A0B3} = C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll

Shell Extension for Malware scanning@{45AC2688-0253-4ED8-97DE-B5370FA7D48A} = C:\Program Files\Avira\AntiVir Desktop\shlext.dll

XXX Groove GFS Context Menu Handler XXX@{6C467336-8281-4E60-8204-430CED96822D} = C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>

@{72853161-30C5-4D22-B7F9-0BBC1D38A37E}C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll = C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

@{9030D464-4C02-4ABF-8ECC-5164760863C6}C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll = C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>

@Default_Page_URLhttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft.com/fwlink/?LinkId=69157

@Start Pagehttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft.com/fwlink/?LinkId=69157

@Local PageC:\Windows\System32\blank.htm = C:\Windows\System32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>

@Start Pagehttp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5070901 = http://www.google.com/ig/dell?hl=en&cl...amp;ibd=5070901

@Local PageC:\Windows\system32\blank.htm = C:\Windows\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>

dvd@CLSID = C:\Windows\System32\msvidctl.dll

grooveLocalGWS@CLSID = C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

its@CLSID = %SystemRoot%\System32\itss.dll

mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll

ms-help@CLSID = C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

ms-its@CLSID = %SystemRoot%\System32\itss.dll

tv@CLSID = C:\Windows\System32\msvidctl.dll

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{18F7C6F3-4EA4-4502-A21D-24E3A59BDD25} /*Wireless Network Connection*/ >>>

@IPAddress =

@NameServer =

@DefaultGateway =

@Domain =

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{A2A4110F-C92A-4421-8B72-81BBED27680F} /*Local Area Connection*/ >>>

@IPAddress =

@NameServer =

@DefaultGateway =

@Domain =

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ >>>

000000000001@LibraryPath = %SystemRoot%\system32\NLAapi.dll

000000000002@LibraryPath = %SystemRoot%\system32\napinsp.dll

000000000003@LibraryPath = %SystemRoot%\system32\pnrpnsp.dll

000000000004@LibraryPath = %SystemRoot%\system32\pnrpnsp.dll

000000000005@LibraryPath = C:\Program Files\Bonjour\mdnsNSP.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000008@LibraryPath = %SystemRoot%\system32\wshbth.dll

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup >>>

Adobe Reader Speed Launch.lnk = Adobe Reader Speed Launch.lnk

Bluetooth.lnk = Bluetooth.lnk

Digital Line Detect.lnk = Digital Line Detect.lnk

QuickSet.lnk = QuickSet.lnk

SetPoint.lnk = SetPoint.lnk

---- EOF - GMER 1.0.15 ----


Do you have Windows set to show hidden files? If not, that can be found via Control Panel, Folder Options, View tab.

C:\Windows\system32\net.net

Is that file present? If so, start a topic and attach it here: http://www.malwarebytes.org/forums/index.php?showforum=55

Are you able to run AntiVir while in safe mode?

Do you have another PC in the house? If not, don't start the infected PC in safe mode with networking except to visit here, and to work on it restart to plain safe mode without networking.


I do have it showing hidden files, and no, I do not see net.net in the system32 folder.

I was able to run Avira Antivirus prior to posting here, but what it found and removed seems to have been unrelated to this, because I'm still unable to run MBAM, HJT, etc.

I have been posting here on my desktop; the problem is on my laptop, which I've been booting into regular safe mode without networking.


Run RootRepeal > use the Hidden Services tab and scan; if any items show, save and post that report.

If no items show, use the Stealth Objects tab > scan; if any items show, save and post that report.

Will HijackThis run if you rename it to something such as renamedhjt.exe?

Have you already tried that?

Have you tried renaming mbam.exe?

"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"


I have already (and again just now) tried renaming HJT and MBAM, but they both still die after a few seconds.

One thing that is strange: the other day I was unable to get RootRepeal to run, but today it ran fine...

Nothing shows up on the hidden services tab.

Here is the log from the Stealth Objects tab:

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/08/11 22:05

Program Version: Version 1.3.3.0

Windows Version: Windows Vista SP1

==================================================

Stealth Objects

-------------------

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]

Process: System Address: 0x852531e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]

Process: System Address: 0x852531e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]

Process: System Address: 0x852531e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]

Process: System Address: 0x852531e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]

Process: System Address: 0x852531e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]

Process: System Address: 0x852531e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]

Process: System Address: 0x852531e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]

Process: System Address: 0x852531e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x852531e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]

Process: System Address: 0x852531e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]

Process: System Address: 0x852531e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]

Process: System Address: 0x852531e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]

Process: System Address: 0x852531e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x852531e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]

Process: System Address: 0x852531e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]

Process: System Address: 0x852531e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]

Process: System Address: 0x852531e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]

Process: System Address: 0x852531e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]

Process: System Address: 0x852531e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]

Process: System Address: 0x852531e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]

Process: System Address: 0x852531e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]

Process: System Address: 0x852531e8 Size: 121

Object: Hidden Code [Driver: fastfat, IRP_MJ_CREATE]

Process: System Address: 0x866c91e8 Size: 121

Object: Hidden Code [Driver: fastfat, IRP_MJ_CLOSE]

Process: System Address: 0x866c91e8 Size: 121

Object: Hidden Code [Driver: fastfat, IRP_MJ_READ]

Process: System Address: 0x866c91e8 Size: 121

Object: Hidden Code [Driver: fastfat, IRP_MJ_WRITE]

Process: System Address: 0x866c91e8 Size: 121

Object: Hidden Code [Driver: fastfat, IRP_MJ_QUERY_INFORMATION]

Process: System Address: 0x866c91e8 Size: 121

Object: Hidden Code [Driver: fastfat, IRP_MJ_SET_INFORMATION]

Process: System Address: 0x866c91e8 Size: 121

Object: Hidden Code [Driver: fastfat, IRP_MJ_QUERY_EA]

Process: System Address: 0x866c91e8 Size: 121

Object: Hidden Code [Driver: fastfat, IRP_MJ_SET_EA]

Process: System Address: 0x866c91e8 Size: 121

Object: Hidden Code [Driver: fastfat, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x866c91e8 Size: 121

Object: Hidden Code [Driver: fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]

Process: System Address: 0x866c91e8 Size: 121

Object: Hidden Code [Driver: fastfat, IRP_MJ_SET_VOLUME_INFORMATION]

Process: System Address: 0x866c91e8 Size: 121

Object: Hidden Code [Driver: fastfat, IRP_MJ_DIRECTORY_CONTROL]

Process: System Address: 0x866c91e8 Size: 121

Object: Hidden Code [Driver: fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]

Process: System Address: 0x866c91e8 Size: 121

Object: Hidden Code [Driver: fastfat, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x866c91e8 Size: 121

Object: Hidden Code [Driver: fastfat, IRP_MJ_SHUTDOWN]

Process: System Address: 0x866c91e8 Size: 121

Object: Hidden Code [Driver: fastfat, IRP_MJ_LOCK_CONTROL]

Process: System Address: 0x866c91e8 Size: 121

Object: Hidden Code [Driver: fastfat, IRP_MJ_CLEANUP]

Process: System Address: 0x866c91e8 Size: 121

Object: Hidden Code [Driver: fastfat, IRP_MJ_PNP]

Process: System Address: 0x866c91e8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]

Process: System Address: 0x852521e8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]

Process: System Address: 0x852521e8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x852521e8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x852521e8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]

Process: System Address: 0x852521e8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x852521e8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]

Process: System Address: 0x852521e8 Size: 121

Object: Hidden Code [Driver: cdrom, IRP_MJ_CREATE]

Process: System Address: 0x85fb81e8 Size: 121

Object: Hidden Code [Driver: cdrom, IRP_MJ_CLOSE]

Process: System Address: 0x85fb81e8 Size: 121

Object: Hidden Code [Driver: cdrom, IRP_MJ_READ]

Process: System Address: 0x85fb81e8 Size: 121

Object: Hidden Code [Driver: cdrom, IRP_MJ_WRITE]

Process: System Address: 0x85fb81e8 Size: 121

Object: Hidden Code [Driver: cdrom, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x85fb81e8 Size: 121

Object: Hidden Code [Driver: cdrom, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x85fb81e8 Size: 121

Object: Hidden Code [Driver: cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x85fb81e8 Size: 121

Object: Hidden Code [Driver: cdrom, IRP_MJ_SHUTDOWN]

Process: System Address: 0x85fb81e8 Size: 121

Object: Hidden Code [Driver: cdrom, IRP_MJ_POWER]

Process: System Address: 0x85fb81e8 Size: 121

Object: Hidden Code [Driver: cdrom, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x85fb81e8 Size: 121

Object: Hidden Code [Driver: cdrom, IRP_MJ_PNP]

Process: System Address: 0x85fb81e8 Size: 121

Object: Hidden Code [Driver: azv1j9xa䡕䉕І瑎湦܇$, IRP_MJ_CREATE]

Process: System Address: 0x85fbc488 Size: 121

Object: Hidden Code [Driver: azv1j9xa䡕䉕І瑎湦܇$, IRP_MJ_CLOSE]

Process: System Address: 0x85fbc488 Size: 121

Object: Hidden Code [Driver: azv1j9xa䡕䉕І瑎湦܇$, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x85fbc488 Size: 121

Object: Hidden Code [Driver: azv1j9xa䡕䉕І瑎湦܇$, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x85fbc488 Size: 121

Object: Hidden Code [Driver: azv1j9xa䡕䉕І瑎湦܇$, IRP_MJ_POWER]

Process: System Address: 0x85fbc488 Size: 121

Object: Hidden Code [Driver: azv1j9xa䡕䉕І瑎湦܇$, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x85fbc488 Size: 121

Object: Hidden Code [Driver: azv1j9xa䡕䉕І瑎湦܇$, IRP_MJ_PNP]

Process: System Address: 0x85fbc488 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]

Process: System Address: 0x85f49658 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]

Process: System Address: 0x85f49658 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x85f49658 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x85f49658 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]

Process: System Address: 0x85f49658 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x85f49658 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]

Process: System Address: 0x85f49658 Size: 121

Object: Hidden Code [Driver: iaStor, IRP_MJ_CREATE]

Process: System Address: 0x852511e8 Size: 121

Object: Hidden Code [Driver: iaStor, IRP_MJ_CLOSE]

Process: System Address: 0x852511e8 Size: 121

Object: Hidden Code [Driver: iaStor, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x852511e8 Size: 121

Object: Hidden Code [Driver: iaStor, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x852511e8 Size: 121

Object: Hidden Code [Driver: iaStor, IRP_MJ_POWER]

Process: System Address: 0x852511e8 Size: 121

Object: Hidden Code [Driver: iaStor, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x852511e8 Size: 121

Object: Hidden Code [Driver: iaStor, IRP_MJ_PNP]

Process: System Address: 0x852511e8 Size: 121

Object: Hidden Code [Driver: iScsiPrtП牄ᴨ裧裴, IRP_MJ_CREATE]

Process: System Address: 0x85fd11e8 Size: 121

Object: Hidden Code [Driver: iScsiPrtП牄ᴨ裧裴, IRP_MJ_CLOSE]

Process: System Address: 0x85fd11e8 Size: 121

Object: Hidden Code [Driver: iScsiPrtП牄ᴨ裧裴, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x85fd11e8 Size: 121

Object: Hidden Code [Driver: iScsiPrtП牄ᴨ裧裴, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x85fd11e8 Size: 121

Object: Hidden Code [Driver: iScsiPrtП牄ᴨ裧裴, IRP_MJ_POWER]

Process: System Address: 0x85fd11e8 Size: 121

Object: Hidden Code [Driver: iScsiPrtП牄ᴨ裧裴, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x85fd11e8 Size: 121

Object: Hidden Code [Driver: iScsiPrtП牄ᴨ裧裴, IRP_MJ_PNP]

Process: System Address: 0x85fd11e8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_CREATE]

Process: System Address: 0x8524f1e8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_READ]

Process: System Address: 0x8524f1e8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_WRITE]

Process: System Address: 0x8524f1e8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x8524f1e8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x8524f1e8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x8524f1e8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_SHUTDOWN]

Process: System Address: 0x8524f1e8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_CLEANUP]

Process: System Address: 0x8524f1e8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_POWER]

Process: System Address: 0x8524f1e8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x8524f1e8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_PNP]

Process: System Address: 0x8524f1e8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]

Process: System Address: 0x85f4c790 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]

Process: System Address: 0x85f4c790 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x85f4c790 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x85f4c790 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]

Process: System Address: 0x85f4c790 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x85f4c790 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]

Process: System Address: 0x85f4c790 Size: 121
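
The Stealth Objects report above has one pattern throughout: for each driver, every listed IRP major function is redirected to the same address, with a 121-byte stub, and two of the driver names contain characters that a legitimate driver name never has. The script below is an added triage aid, not part of this thread and not RootRepeal's own code; it parses report lines in this layout, groups hooks by driver, reports whether all of a driver's hooks land on a single stub, and flags names containing non-printable or non-ASCII characters. The embedded report is a constructed subset of the entries above, with one deliberately non-ASCII driver name; nothing here acts on the system, it only reads the text.

```python
import re

# Constructed sample in the RootRepeal "Stealth Objects" layout used in the
# report above (a subset of its entries; the last driver name is deliberately
# non-ASCII, as some names in the real report were).
SAMPLE_REPORT = """\
Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x852531e8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x852531e8 Size: 121
Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x852521e8 Size: 121
Object: Hidden Code [Driver: azv1j9xa\u4855\u4255, IRP_MJ_CREATE]
Process: System Address: 0x85fbc488 Size: 121
"""

OBJECT_RE = re.compile(
    r"^Object: Hidden Code \[Driver: (?P<driver>.+?), (?P<irp>IRP_MJ_\w+)\]$")
DETAIL_RE = re.compile(
    r"^Process: (?P<proc>\S+) Address: (?P<addr>0x[0-9A-Fa-f]+) Size: (?P<size>\d+)$")


def parse_stealth_objects(text):
    """Pair each 'Object:' line with the 'Process:' line that follows it."""
    records, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = OBJECT_RE.match(line)
        if m:
            pending = m.groupdict()
            continue
        m = DETAIL_RE.match(line)
        if m and pending is not None:
            rec = dict(pending)
            rec["proc"] = m["proc"]
            rec["addr"] = int(m["addr"], 16)
            rec["size"] = int(m["size"])
            records.append(rec)
            pending = None
    return records


def odd_driver_name(name):
    """True if the name contains anything outside printable ASCII; a legitimate
    driver name never does, but RootRepeal printed such names in the report."""
    return any(not 32 <= ord(c) < 127 for c in name)


def triage(text):
    """Summarise hooks per driver: which IRP majors are redirected, whether
    they all land on one stub address, and whether the name looks corrupted."""
    by_driver = {}
    for r in parse_stealth_objects(text):
        d = by_driver.setdefault(r["driver"], {"irps": set(), "addrs": set()})
        d["irps"].add(r["irp"])
        d["addrs"].add(r["addr"])
    findings = []
    for driver in sorted(by_driver):
        d = by_driver[driver]
        findings.append({
            "driver": driver,
            "hooked_irps": sorted(d["irps"]),
            "single_stub": len(d["addrs"]) == 1,
            "stub_addrs": sorted(d["addrs"]),
            "odd_name": odd_driver_name(driver),
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        flag = " (non-ASCII name)" if f["odd_name"] else ""
        print(f"{f['driver']!r}{flag}: {len(f['hooked_irps'])} IRP majors -> "
              + ", ".join(hex(a) for a in f["stub_addrs"]))
```

Run it against a saved RootRepeal report by reading the file into `triage()`; a driver whose every major function resolves to one stub address is the thing to look at first, and a non-ASCII name on top of that is worth mentioning when posting the report.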


Ok maximal,

Run GMER once again with all boxes checked except for [ ] Files. Post the log.

GMER 1.0.15.15020 [c7wccbmv.exe] - http://www.gmer.net

Rootkit scan 2009-08-12 06:57:41

Windows 6.0.6001 Service Pack 1

---- Kernel code sections - GMER 1.0.15 ----

? C:\Windows\System32\Drivers\sptd.sys The process cannot access the file because it is being used by another process.

.text USBPORT.SYS!DllUnload 8C43646F 5 Bytes JMP 85F05770

? System32\Drivers\akqsmhvt.SYS The system cannot find the path specified. !

? win32k.sys:1 The system cannot find the file specified. !

? win32k.sys:2 The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [8069A61E] \SystemRoot\System32\Drivers\sptd.sys

IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [80699AD4] \SystemRoot\System32\Drivers\sptd.sys

IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [8069A748] \SystemRoot\System32\Drivers\sptd.sys

IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [80699B9C] \SystemRoot\System32\Drivers\sptd.sys

IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [80699C1A] \SystemRoot\System32\Drivers\sptd.sys

IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [806AF29A] \SystemRoot\System32\Drivers\sptd.sys

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[1576] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74037BA4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT C:\Windows\Explorer.EXE[1576] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [740798C5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT C:\Windows\Explorer.EXE[1576] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7403D3C8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT C:\Windows\Explorer.EXE[1576] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7402F527] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT C:\Windows\Explorer.EXE[1576] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74037599] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT C:\Windows\Explorer.EXE[1576] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7402E43D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT C:\Windows\Explorer.EXE[1576] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [7406B33D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT C:\Windows\Explorer.EXE[1576] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7403D68A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT C:\Windows\Explorer.EXE[1576] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [7403012E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT C:\Windows\Explorer.EXE[1576] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [74030095] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT C:\Windows\Explorer.EXE[1576] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [740271F3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT C:\Windows\Explorer.EXE[1576] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [740BD802] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT C:\Windows\Explorer.EXE[1576] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [740575E1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT C:\Windows\Explorer.EXE[1576] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7402DAE1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT C:\Windows\Explorer.EXE[1576] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [7402668F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT C:\Windows\Explorer.EXE[1576] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [740266BA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT C:\Windows\Explorer.EXE[1576] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74031E45] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 852531E8

Device \Driver\volmgr \Device\VolMgrControl 8524F1E8

Device \Driver\usbuhci \Device\USBPDO-0 85F4A610

Device \Driver\usbuhci \Device\USBPDO-1 85F4A610

Device \Driver\usbehci \Device\USBPDO-2 85EF3790

Device \Driver\usbuhci \Device\USBPDO-3 85F4A610

Device \Driver\usbuhci \Device\USBPDO-4 85F4A610

Device \Driver\usbuhci \Device\USBPDO-5 85F4A610

Device \Driver\usbehci \Device\USBPDO-6 85EF3790

Device \Driver\volmgr \Device\HarddiskVolume1 8524F1E8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\volmgr \Device\HarddiskVolume2 8524F1E8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\cdrom \Device\CdRom0 85FBA1E8

Device \Driver\volmgr \Device\HarddiskVolume3 8524F1E8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\cdrom \Device\CdRom1 85FBA1E8

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 852521E8

Device \Driver\iaStor \Device\Ide\iaStor0 852511E8

Device \Driver\atapi \Device\Ide\IdePort0 852521E8

Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 852511E8

Device \Driver\volmgr \Device\HarddiskVolume4 8524F1E8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\iScsiPrt \Device\RaidPort0 85FD2450

Device \Driver\usbuhci \Device\USBFDO-0 85F4A610

Device \Driver\usbuhci \Device\USBFDO-1 85F4A610

Device \Driver\usbehci \Device\USBFDO-2 85EF3790

Device \Driver\usbuhci \Device\USBFDO-3 85F4A610

Device \Driver\usbuhci \Device\USBFDO-4 85F4A610

Device \Driver\PCI_NTPNP6882 \Device\0000007e sptd.sys

Device \Driver\usbuhci \Device\USBFDO-5 85F4A610

Device \Driver\usbehci \Device\USBFDO-6 85EF3790

Device \Driver\akqsmhvt \Device\Scsi\akqsmhvt1Port3Path0Target0Lun0 85FBF1E8

Device \Driver\akqsmhvt \Device\Scsi\akqsmhvt1 85FBF1E8

Device \FileSystem\fastfat \Fat 85F47790

Device \FileSystem\fastfat \Fat A0E3145E

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\__max++>\1FAC8A71.x86.dll (*** hidden *** ) @ C:\Windows\system32\wininit.exe [580] 0x35670000

Library \\?\globalroot\Device\__max++>\1FAC8A71.x86.dll (*** hidden *** ) @ C:\Windows\system32\services.exe [656] 0x35670000

Library \\?\globalroot\Device\__max++>\1FAC8A71.x86.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [876] 0x35670000

Library \\?\globalroot\Device\__max++>\1FAC8A71.x86.dll (*** hidden *** ) @ C:\Windows\System32\svchost.exe [1008] 0x35670000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001c26efcda2

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x20 0x26 0xF7 0x15 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xA2 0xED 0xB3 0xBA ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x7A 0x64 0x62 0x4B ...

Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001c26efcda2 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Upgrade\LocalRadioSettings (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x20 0x26 0xF7 0x15 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xA2 0xED 0xB3 0xBA ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x7A 0x64 0x62 0x4B ...

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@IconServiceLib IconCodecService.dll

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DdeSendTimeout 0

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DesktopHeapLogging 1

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@ShutdownWarningDialogTimeout -1

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERPostMessageLimit 10000

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@ mnmsrvc

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90

---- EOF - GMER 1.0.15 ----
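The Processes section of the log above is the part worth reading first: the same DLL, mapped from a `\\?\globalroot\Device\...` path and marked `*** hidden ***`, sits at the same base address inside wininit.exe, services.exe and two svchost.exe instances. The following Python is an added example (not part of the thread and not GMER's own code) that parses such `Library` lines and groups the flagged modules per process; the sample log is constructed in the same layout, with made-up PIDs and base addresses and one benign line added for contrast.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# One "Library" line from the Processes section of a GMER log has the shape
#   Library <path> (<flags>) @ <process path> [<pid>] <base address>
# The "(*** hidden *** )" part only appears when GMER could not see the
# module through the normal module enumeration.
LIBRARY_RE = re.compile(
    r"^Library\s+(?P<path>.+?)\s+"
    r"(?:\((?P<flags>[^)]*)\)\s+)?"
    r"@\s+(?P<proc>.+?)\s+\[(?P<pid>\d+)\]\s+(?P<addr>0x[0-9A-Fa-f]+)$"
)

# Modules mapped from \\?\globalroot\Device\... live on a device object, not
# on a drive letter, so the file is not reachable by its path from Explorer.
GLOBALROOT_PREFIX = "\\\\?\\globalroot\\device\\"

# Constructed sample in the layout of the thread's log; PIDs, addresses and
# the benign kernel32.dll line are made up for this example.
SAMPLE_GMER_PROCESSES = r"""
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\__max++>\1FAC8A71.x86.dll (*** hidden *** ) @ C:\Windows\system32\wininit.exe [580] 0x35670000

Library \\?\globalroot\Device\__max++>\1FAC8A71.x86.dll (*** hidden *** ) @ C:\Windows\system32\services.exe [656] 0x35670000

Library C:\Windows\system32\kernel32.dll @ C:\Windows\system32\svchost.exe [876] 0x77E40000

---- Registry - GMER 1.0.15 ----
"""


@dataclass
class LoadedModule:
    path: str
    process: str
    pid: int
    base: int
    hidden: bool

    @property
    def from_globalroot(self) -> bool:
        return self.path.lower().startswith(GLOBALROOT_PREFIX)


def parse_gmer_modules(log_text: str) -> List[LoadedModule]:
    """Turn every Library line of a GMER Processes section into a record."""
    modules: List[LoadedModule] = []
    for raw in log_text.splitlines():
        m = LIBRARY_RE.match(raw.strip())
        if m is None:
            continue
        flags = m.group("flags") or ""
        modules.append(LoadedModule(
            path=m.group("path"),
            process=m.group("proc"),
            pid=int(m.group("pid")),
            base=int(m.group("addr"), 16),
            hidden="hidden" in flags,
        ))
    return modules


def suspicious_modules(log_text: str) -> Dict[str, List[str]]:
    """Map each hidden or globalroot-mapped DLL to the processes it is in."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for mod in parse_gmer_modules(log_text):
        if mod.hidden or mod.from_globalroot:
            hits[mod.path].append(f"{mod.process} [{mod.pid}]")
    return dict(hits)


def same_base_everywhere(log_text: str) -> Dict[str, bool]:
    """True when a flagged DLL sits at one base address in every process,
    which points to a single system-wide injection rather than separate loads."""
    bases: Dict[str, set] = defaultdict(set)
    for mod in parse_gmer_modules(log_text):
        if mod.hidden or mod.from_globalroot:
            bases[mod.path].add(mod.base)
    return {path: len(b) == 1 for path, b in bases.items()}


if __name__ == "__main__":
    for dll, procs in suspicious_modules(SAMPLE_GMER_PROCESSES).items():
        print(dll)
        for p in procs:
            print("   ", p)
```

On a real log, a DLL that appears in wininit.exe and services.exe (processes that start before any user logs on) is what makes the finding system-wide rather than a single compromised browser, and that is the detail a helper uses to decide the machine needs a rootkit-aware tool rather than a normal scanner.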


Download this tool to your desktop then run it

http://download.bleepingcomputer.com/sUBs/...x++/sVCHOSt.exe

It will eventually reboot your pc, post its log when it opens automatically.

If it doesn't, open and post this c:\combofix.log

When I click on this I get the following error message:

16 bit MS-DOS Subsystem

C:\Users\Gary\Desktop\sVCHOSt.exe

The NTVDM CPU has encountered an illegal instruction

CS:e700 IP:00c7 OP:ff ff ff ff Choose 'Close' to terminate the application

{Close} {Ignore}

If I click on ignore it just increments the 00c7 by 1 each time.


Click start > on the search box, type in cmd

the search result will show a cmd.exe, right click it and choose > run as admin

paste in this line

DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\ntelogon.dll >Log.txt & START notepad Log.txt

and press enter, post the results please.

Also, right click on the file you downloaded sVCHOSt.exe > properties and tell us the size?


Volume in drive C is SYSTEM

Volume Serial Number is 5024-060F

Directory of C:\Windows\System32

01/19/2008 03:36 AM 60,928 scecli.dll

Directory of C:\Windows\System32

01/19/2008 03:35 AM 592,384 netlogon.dll

2 File(s) 653,312 bytes

Directory of C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6000.16386_none_35d7205fdc305e3e

11/02/2006 05:46 AM 176,640 scecli.dll

1 File(s) 176,640 bytes

Directory of C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12

01/19/2008 03:36 AM 177,152 scecli.dll

1 File(s) 177,152 bytes

Directory of C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6000.16386_none_fb80f5473b0ed783

11/02/2006 05:46 AM 559,616 netlogon.dll

1 File(s) 559,616 bytes

Directory of C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857

01/19/2008 03:35 AM 592,384 netlogon.dll

1 File(s) 592,384 bytes

Total Files Listed:

6 File(s) 2,159,104 bytes

0 Dir(s) 43,804,217,344 bytes free

The sVCHOSt.exe is 345 bytes

4.00 kb on disk
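The `DIR /a/s` command asked for above lists every copy of the named DLLs, including the ones kept in the winsxs component store, so the live System32 copy can be checked against the store copies by size. The following Python is an added example (not from the thread) that parses that kind of listing and flags a System32 copy whose size matches none of the store copies, or a requested name that is not found at all; the sample listing is constructed in the same format, with shortened winsxs directory names, and the three file names default to the ones in the helper's command.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# "Directory of <path>" lines set the directory for the file lines under them.
DIR_HEADER_RE = re.compile(r"^\s*Directory of (?P<dir>.+?)\s*$")
# A file line: date, time, size with thousands separators, name.  Lines with
# <DIR> in the size column and the "File(s)" summaries do not match.
FILE_LINE_RE = re.compile(
    r"^\s*\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s+[AP]M\s+(?P<size>[\d,]+)\s+(?P<name>\S+)\s*$"
)

# The names used in the helper's DIR command.
EXPECTED_DLLS = ("scecli.dll", "netlogon.dll", "ntelogon.dll")

# Constructed sample in the format of the listing posted above; the winsxs
# directory names are shortened placeholders, the serial number is made up.
SAMPLE_DIR_OUTPUT = r"""
 Volume in drive C is SYSTEM
 Volume Serial Number is 0000-0000

 Directory of C:\Windows\System32

01/19/2008  03:36 AM            60,928 scecli.dll

 Directory of C:\Windows\System32

01/19/2008  03:35 AM           592,384 netlogon.dll
               2 File(s)        653,312 bytes

 Directory of C:\Windows\winsxs\x86_sample-scecli_6.0.6000.16386_none

11/02/2006  05:46 AM           176,640 scecli.dll
               1 File(s)        176,640 bytes

 Directory of C:\Windows\winsxs\x86_sample-scecli_6.0.6001.18000_none

01/19/2008  03:36 AM           177,152 scecli.dll
               1 File(s)        177,152 bytes

 Directory of C:\Windows\winsxs\x86_sample-netlogon_6.0.6000.16386_none

11/02/2006  05:46 AM           559,616 netlogon.dll
               1 File(s)        559,616 bytes

 Directory of C:\Windows\winsxs\x86_sample-netlogon_6.0.6001.18000_none

01/19/2008  03:35 AM           592,384 netlogon.dll
               1 File(s)        592,384 bytes

     Total Files Listed:
               6 File(s)      2,159,104 bytes
               0 Dir(s)  43,804,217,344 bytes free
"""


def parse_dir_output(text: str) -> Dict[str, List[Tuple[str, int]]]:
    """Return {file name in lower case: [(directory, size in bytes), ...]}."""
    current_dir = None
    found: Dict[str, List[Tuple[str, int]]] = defaultdict(list)
    for line in text.splitlines():
        h = DIR_HEADER_RE.match(line)
        if h:
            current_dir = h.group("dir")
            continue
        f = FILE_LINE_RE.match(line)
        if f and current_dir is not None:
            size = int(f.group("size").replace(",", ""))
            found[f.group("name").lower()].append((current_dir, size))
    return dict(found)


def compare_system32_with_winsxs(text: str,
                                 expected: Iterable[str] = EXPECTED_DLLS) -> Dict[str, dict]:
    """For each expected DLL, compare the live System32 copy with the copies
    in the winsxs store.  A live copy whose size matches no store copy, or a
    name found nowhere, is what a reviewer wants to look at next (hash,
    signature, version resource)."""
    copies_by_name = parse_dir_output(text)
    report: Dict[str, dict] = {}
    for name in expected:
        copies = copies_by_name.get(name.lower(), [])
        live = [s for d, s in copies if d.lower().endswith("\\system32")]
        store = sorted({s for d, s in copies if "\\winsxs\\" in d.lower()})
        report[name] = {
            "found_anywhere": bool(copies),
            "system32_size": live[0] if live else None,
            "winsxs_sizes": store,
            "matches_winsxs": bool(live) and live[0] in store,
        }
    return report


if __name__ == "__main__":
    for name, row in compare_system32_with_winsxs(SAMPLE_DIR_OUTPUT).items():
        print(name, row)
```

Run against the real listing, the report gives the same two facts a helper reads off by eye: which DLL's System32 copy is not the size of any serviced copy in the store, and which requested name does not exist on the disk at all.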
