barebear Posted May 30, 2006

I run Spybot (with Teatimer), Webroot SpySweeper, Spyware Guard, Spyware Blaster, Trend Micro Anti-Spyware, Computer Associates Pest Patrol, V-Com System Suite (the preceding run in the system 24/7) along with daily checks via Arovax, Crap Cleaner, Super Cleaner, Cleanup!, CWS Shredder, Rootkit Revealer, F-Secure Blacklight, and Hijack This.

I've been of the opinion that this is a fundamentally sound and thorough system defense posture, but after reading a variety of things online and elsewhere am increasingly paranoid about very-hard-to-catch or totally undetectable keyloggers. This fear has been recently intensified by reading statements that even supposedly safe/legitimate sites are planting keyloggers with the intention of, at the least, using info from the keylogger to target advertising, and/or selling such info to other entities.

As such, I've been looking for legitimate keylogger detector and/or keylogger blocker software (I do have KL-Detector, but find it a bit time consuming and cumbersome to use---I also am unsure of how effective it really is).

After doing some searching online and eliminating some obvious losers per Spywareguide.com, I have run across:

Unlogger 2.3

I have been unable so far to find any information on it other than advertising blurbs. If anyone reading this is familiar with it, please be kind enough to advise me as re its legitimacy (is it malware/spyware/grayware or not)? I also would be grateful for commentary on their effectiveness.

If anyone knows of other keylogger detector, blocker, or removal software other than Anti-Keylogger 7.1, I would greatly appreciate relevant information and comments.

Of particular interest would be a program that can deal with both hook-based and kernel-based keyloggers -- it seems that most anti-keylogger software is only capable of dealing with hook-based keyloggers.
Matt Posted May 30, 2006

> I run Spybot (with Teatimer), Webroot SpySweeper, Spyware Guard, Spyware Blaster, Trend Micro Anti-Spyware, Computer Associates Pest Patrol, V-Com System Suite (the preceding run in the system 24/7) along with daily checks via Arovax, Crap Cleaner, Super Cleaner, Cleanup!, CWS Shredder, Rootkit Revealer, F-Secure Blacklight, and Hijack This.

A bit paranoid, are we? There is such a thing as overkill...

Anyway, to your question. There aren't really any popular "Anti-Keylogger" applications out there, mostly because this sort of detection is built into many anti-malware applications; most AVs are good at this. However, if you want something more (not that you appear to need much more), a-squared Free or Trojan Hunter are also known for their keylogger detections.

I can't comment on or recommend the programs you mentioned, as I have never used them.

There are other applications that examine sections of your system far deeper than most tools, but I wouldn't recommend those to anyone I wasn't sure knew what they are doing. However, Rootkit Revealer would most likely see anything kernel-based that is hiding from the OS API.

By the way, I hope you don't run any of the registry cleaning features on your tools; they can crash your system.

By the way, moving this to the spyware/adware information section.

Matt
barebear Posted May 30, 2006 (edited)

Hi Matt, thanks for getting back to me.

In addition to all the other stuff I run, I also run Glarysoft Registry Repair and JV16 Powertools daily---both are really good stuff. I will go after a-squared Free and Trojan Hunter per your info.

You mention other applications that you wouldn't recommend to people you weren't sure about in terms of what they were doing---I also use Norton Ghost, make a new one at least every 3 days, and faithfully also use Recovery Commander before doing ANY new software install. With that as a preface, PLEASE advise of the applications you were referring to but not recommending--I want all the firepower in my defense arsenal that I can get--as far as the paranoia, I freely admit to it and mentioned it in my original post. But, considering the scumbags that are out there (like the creeps that killed Blue Frog), my attitude is that too much protection is just enough.

You really have me curious--you said you haven't used any of the software I referred to in my first post?! If that's the case, what do you use for protection?--I am most interested in hearing about this!

Thanks again for getting back to me, am looking forward to hearing more from you!

Best regards, Barebear

Edited May 30, 2006 by barebear
Matt Posted May 30, 2006

Ok, I will mention some applications that dig deep into the system. These tools do not do any removal; they merely generate a "list" or "map" of key parts of your system, and they leave the user to act on their own discretion.

Silent Runners and WinPFind both examine parts of your system and spit out a log (similarly to the way HJT does), and you act from it, whether editing the registry or deleting files.

Note to all members: Just because something appears in these logs does NOT make it bad! Use with extreme caution!

> You really have me curious--you said you haven't used any of the software I referred to in my first post?!

Whoops, miscommunication. What I meant was I have not used either of the anti-keylogger applications you mentioned.

Matt
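As an added illustration of the kind of log Matt describes (a list of launch points that the reader must then judge, not a verdict), and not code from the thread, from Silent Runners or from WinPFind: the Python script below parses lines in the shape Silent Runners prints, keeps track of which registry key each entry sits under, and sorts entries into review buckets. The sample log is constructed here from entries of the same shape as the one pasted later in this thread; the bucket names and the four rules (scanner warning, missing file, no company name in the version info, bare filename under a Run key) are this example's own choices, and landing in a bucket means "look closer", not "malicious", exactly as the note above says.

```python
import re

# Constructed sample in the line format Silent Runners prints (entries modelled on this thread's log).
SAMPLE_LOG = r"""
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Ad Muncher" = "C:\Program Files\Ad Muncher\AdMunch.exe /bt" [null data]
"Logitech Utility" = "Logi_MwX.Exe" ["Logitech Inc."]

HKLM\System\CurrentControlSet\Control\Session Manager\
INFECTION WARNING! "BootExecute" = "autocheck autochk * SsiEfr.e SsiEfr.e SsiEfr.e" [file not found], [MS], [file not found], [file not found], [file not found], [file not found]

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\
HIJACK WARNING! "TuneUp" = "file://C|/Documents and Settings/All Users/Application Data/TuneUp Software/Common/base.css" [file not found]
"""

# One launch-point line: optional scanner warning, "name" = "command", then one or more [tags].
ENTRY_RE = re.compile(
    r'^(?:(?P<warning>INFECTION WARNING!|HIJACK WARNING!)\s+)?'
    r'"(?P<name>[^"]+)"\s*=\s*"(?P<command>.*)"\s*(?P<tags>\[.*\])$'
)


def parse_entries(log_text):
    """Return one dict per entry, remembering the registry key each entry was listed under."""
    entries = []
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("HK"):
            # A registry path introduces the entries that follow it; "{++}" marks keys
            # whose default entries are shown too, so strip that marker from the key.
            current_key = line.replace(" {++}", "").rstrip("\\")
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({
                "key": current_key,
                "name": m.group("name"),
                "command": m.group("command"),
                "tags": m.group("tags"),
                "warning": m.group("warning"),
            })
    return entries


def review_reasons(entry):
    """List why an entry deserves a second look; an empty list means nothing stood out."""
    reasons = []
    if entry["warning"]:
        reasons.append("flagged by scanner")
    if "[file not found]" in entry["tags"]:
        reasons.append("references a missing file")
    if entry["tags"] in ("[null data]", "[empty string]"):
        reasons.append("no company name in version info")
    # Under a Run key, a bare filename (no directory) is located through the search path,
    # so the file that actually runs should be confirmed rather than assumed (example's own rule).
    if entry["key"] and entry["key"].endswith("\\Run"):
        tokens = entry["command"].strip('"').split()
        if tokens and "\\" not in tokens[0]:
            reasons.append("bare filename, resolved via search path")
    return reasons


def triage(log_text):
    """Split a log into entries to review (name -> reasons) and a count of entries with no findings."""
    to_review = {}
    clean = 0
    for entry in parse_entries(log_text):
        reasons = review_reasons(entry)
        if reasons:
            to_review[entry["name"]] = reasons
        else:
            clean += 1
    return to_review, clean


if __name__ == "__main__":
    flagged, clean_count = triage(SAMPLE_LOG)
    for name, reasons in flagged.items():
        print(f"{name}: {', '.join(reasons)}")
    print(f"{clean_count} entries with nothing to note")
```

Run against the sample, TeaTimer comes out with nothing to note, Ad Muncher is listed only because its version info carries no company name, the Logitech entry only because it is a bare filename, and the two scanner-flagged lines because they also point at files that do not exist. That is the point of the buckets: they tell you which lines to research first, and nothing in the output says to delete anything.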
barebear Posted May 30, 2006

Hi Matt, thanks again for getting back to me!

When you said "What I meant was I have not used either of the anti-trojan applications you mentioned.", were you referring to JV16 Powertools and Glarysoft Registry Repair? If so, I should state that they're not to my knowledge anti-trojans, but rather just very cool registry cleaners. Glarysoft is ok for all user levels from novice on up, but JV16, if improperly used, can create real problems for people with limited computer skills/knowledge.

My next question is about Silent Runners and WinPFind. Re your comment "they merely generate a "list" or "map" of key parts of your system, and they leave the user to act on their own discretion" --- do either or both of them show things that HJT or Sysinternals Process Explorer don't? If they do, then I'll download accordingly and check them out. Please be kind enough to advise regarding similarities/differences?

Because it is so vitally important, I'm going to restate:

Note to all members: Just because something appears in these logs does NOT make it bad! Use with extreme caution!!!!!!!!!!!! Don't try to be a hero, you can totally waste your OS if you modify/delete/remove the wrong thing(s)!!!!! Far better that you ask for advice/help from the very wise people that run these forums!!!!!!!!

THANK YOU SO MUCH AGAIN FOR YOUR TIME AND HELP!!!-----looking forward to hearing back from you.

My best regards, Barebear
barebear Posted May 30, 2006 (edited)

WOW! My curiosity got the better of me--I downloaded Silent Runners and WinPFind and ran them.

I'm knowledgeable enough that I could read the Silent Runners results and feel assured that the system is clean, but the data generated by WinPFind definitely is something that you need to look through more than once to really even begin to get an idea of what's going on ---- it would be overwhelmingly confusing to most anyone who isn't an advanced user. I consider myself at least basically knowledgeable, have sources like HJT, Process Explorer, etc. that I rely on, and in most cases am not afraid to act on their results as I deem necessary. But, I ABSOLUTELY WOULD NOT even think about doing anything with WinPFind results until I consulted with someone designated by a forum as absolutely qualified!

To Whomever Reads This ---- don't get into either of these programs unless you REALLY know what you're doing or are instructed to by someone who is helping you!!

Matt, thank you so much again! Hope to hear from you......

My best regards, Barebear

PS, results from Silent Runners and WinPFind follow just so you can see them and anyone else seeing this realizes that this is not stuff to be acted on unless they're either a very advanced user or specifically instructed step by step on what to do/not do----the consequences of mis-action can be CATASTROPHIC!!
(Can you say "total system re-install"?)

"Silent Runners.vbs", revision 45, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"TClockEx" = "C:\Program Files\Tclockex\TCLOCKEX.EXE" ["Dale Nurden"]
"SmartBackup" = "C:\Program Files\SmartBackup\smartbackup.exe /SYSTEMSTARTUP" ["Onlime Media"]
"SuperCleaner" = ""C:\Program Files\SuperCleaner\SuperCleaner.exe" /h/b" ["South Bay Software"]
"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"HPDJ Taskbar Utility" = "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" ["HP"]
"Logitech Utility" = "Logi_MwX.Exe" ["Logitech Inc."]
"Fix-It AV" = "C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe" ["Avanquest Publishing USA, Inc."]
"Ad Muncher" = "C:\Program Files\Ad Muncher\AdMunch.exe /bt" [null data]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe" ["Sun Microsystems, Inc."]
"SpySweeper" = ""C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray" ["Webroot Software, Inc."]
"eTrustPPAP" = ""C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"" ["Computer Associates"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{00C6482D-C502-44C8-8409-FCE54AD9C208}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "HelperObject Class"
     \InProcServer32\(Default) = "C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll" ["TechSmith Corporation"]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
     \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{2A646672-9C3A-4C28-9A7A-1FB0F63F28B6}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "IE 4.x-6.x BHO for Internet Download Accelerator"
     \InProcServer32\(Default) = "C:\PROGRA~1\IDA\idaiehlp.dll" ["WestByte"]
{4A368E80-174F-4872-96B5-0B27DDD11DB2}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SpywareGuardDLBLOCK.CBrowserHelper"
     \InProcServer32\(Default) = "C:\Program Files\SpywareGuard\dlprotect.dll" [null data]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
     \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
     \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
  -> {HKLM...CLSID} = "Portable Media Devices"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {HKLM...CLSID} = "Portable Media Devices Menu"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{C56C4E21-706D-11d0-AFC5-444553540002}" = "My Digital Camera"
  -> {HKLM...CLSID} = "My Digital Camera"
     \InProcServer32\(Default) = "C:\Program Files\PhotoDeluxe BE 1.0\FotoNation Explorer\camview.dll" ["FotoNation Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{57C51AF9-DEF7-11D3-A801-00C04F163490}" = "Ghost Shell Extension"
  -> {HKLM...CLSID} = "PropPage Class"
     \InProcServer32\(Default) = "C:\Program Files\Symantec\Norton Ghost 2003\GhoShExt.dll" ["Symantec Corporation"]
"{81559C35-8464-49F7-BB0E-07A383BEF910}" = "SpywareGuard"
  -> {HKLM...CLSID} = "SpywareGuard.Handler"
     \InProcServer32\(Default) = "C:\Program Files\SpywareGuard\spywareguard.dll" [null data]
"{03A80B1D-5C6A-42c2-9DFB-81B6005D8023}" = "Trend Micro Anti-Spyware Shell Extension"
  -> {HKLM...CLSID} = "Trend Micro Anti-Spyware Shell Extension"
     \InProcServer32\(Default) = "C:\Program Files\Trend Micro\Tmas\sshook.dll" ["Trend Micro Incorporated"]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
  -> {HKLM...CLSID} = "Shell Search Band"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}" = "TuneUp Shredder Shell Context Menu Extension"
  -> {HKLM...CLSID} = "TuneUp Shredder Shell Context Menu Extension"
     \InProcServer32\(Default) = ""C:\Program Files\TuneUp Utilities 2006\sdshelex.dll"" ["TuneUp Software GmbH"]
"{EBDF1F20-C829-1010-8233-0020AFCE97A9}" = "iolo File Terminator"
  -> {HKLM...CLSID} = "iolo File Terminator"
     \InProcServer32\(Default) = "C:\PROGRA~1\iolo\SEARCH~1\FILETE~1.DLL" ["iolo technologies, LLC"]
"{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3}" = "SnagIt"
  -> {HKLM...CLSID} = "SnagIt"
     \InProcServer32\(Default) = "C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll" ["TechSmith Corporation"]
"{CF74B903-3389-469c-B3B6-0204D204FCBD}" = "SnagIt Shell Extension"
  -> {HKLM...CLSID} = "SnagItShellExt Class"
     \InProcServer32\(Default) = "C:\Program Files\TechSmith\SnagIt 8\SnagItShellExt.dll" ["TechSmith Corporation"]
"{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension"
  -> {HKLM...CLSID} = "7-Zip Shell Extension"
     \InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration"
  -> {HKLM...CLSID} = "Webroot Spy Sweeper Context Menu Integration"
     \InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
  -> {HKLM...CLSID} = "NeroDigitalIconHandler Class"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
  -> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" = "UnlockerShellExtension"
  -> {HKLM...CLSID} = "UnlockerShellExtension"
     \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{81559C35-8464-49F7-BB0E-07A383BEF910}" = "SpywareGuard"
  -> {HKLM...CLSID} = "SpywareGuard.Handler"
     \InProcServer32\(Default) = "C:\Program Files\SpywareGuard\spywareguard.dll" [null data]
INFECTION WARNING! "{03A80B1D-5C6A-42c2-9DFB-81B6005D8023}" = "Trend Micro Anti-Spyware Shell Extension"
  -> {HKLM...CLSID} = "Trend Micro Anti-Spyware Shell Extension"
     \InProcServer32\(Default) = "C:\Program Files\Trend Micro\Tmas\sshook.dll" ["Trend Micro Incorporated"]

HKLM\System\CurrentControlSet\Control\Session Manager\
INFECTION WARNING! "BootExecute" = "autocheck autochk * SsiEfr.e SsiEfr.e SsiEfr.e" [file not found], [MS], [file not found], [file not found], [file not found], [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
INFECTION WARNING! WRNotifier\DLLName = "WRLogonNTF.dll" ["Webroot Software, Inc."]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
  -> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
     \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
  -> {HKLM...CLSID} = "7-Zip Shell Extension"
     \InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
DeleteOnClick\(Default) = "{53E4AC39-674F-4A48-B31D-DE3A591D0504}"
  -> {HKLM...CLSID} = "DeleteOnClick Context Menu Plugin"
     \InProcServer32\(Default) = "C:\Program Files\2BrightSparks\DeleteOnClick\DeleteOnClick.dll" [null data]
FileTerminator\(Default) = "{EBDF1F20-C829-1010-8233-0020AFCE97A9}"
  -> {HKLM...CLSID} = "iolo File Terminator"
     \InProcServer32\(Default) = "C:\PROGRA~1\iolo\SEARCH~1\FILETE~1.DLL" ["iolo technologies, LLC"]
Fix-It Menu\(Default) = "{A50302A0-8E15-11d2-887B-006008C1C087}"
  -> {HKLM...CLSID} = "Fix-It Extension"
     \InProcServer32\(Default) = "C:\Program Files\VCOM\SystemSuite\mxctxmnu.dll" ["Avanquest Publishing USA, Inc."]
PowerDesk Menu\(Default) = "{26E7F081-EB97-11d3-9239-006008D2D00F}"
  -> {HKLM...CLSID} = "PowerDesk ZIP Extension"
     \InProcServer32\(Default) = "C:\Program Files\VCOM\PowerDesk\PDShExt.dll" ["Avanquest Publishing USA, Inc."]
SnagItMainShellExt\(Default) = "{CF74B903-3389-469c-B3B6-0204D204FCBD}"
  -> {HKLM...CLSID} = "SnagItShellExt Class"
     \InProcServer32\(Default) = "C:\Program Files\TechSmith\SnagIt 8\SnagItShellExt.dll" ["TechSmith Corporation"]
TuneUp Shredder\(Default) = "{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}"
  -> {HKLM...CLSID} = "TuneUp Shredder Shell Context Menu Extension"
     \InProcServer32\(Default) = ""C:\Program Files\TuneUp Utilities 2006\sdshelex.dll"" ["TuneUp Software GmbH"]
UltraEdit-32\(Default) = "{b5eedee0-c06e-11cf-8c56-444553540000}"
  -> {HKLM...CLSID} = "UltraEdit-32"
     \InProcServer32\(Default) = "C:\PROGRA~1\ULTRAE~1\ue32ctmn.dll" [empty string]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
  -> {HKLM...CLSID} = "7-Zip Shell Extension"
     \InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
FileTerminator\(Default) = "{EBDF1F20-C829-1010-8233-0020AFCE97A9}"
  -> {HKLM...CLSID} = "iolo File Terminator"
     \InProcServer32\(Default) = "C:\PROGRA~1\iolo\SEARCH~1\FILETE~1.DLL" ["iolo technologies, LLC"]
Fix-It Menu\(Default) = "{A50302A0-8E15-11d2-887B-006008C1C087}"
  -> {HKLM...CLSID} = "Fix-It Extension"
     \InProcServer32\(Default) = "C:\Program Files\VCOM\SystemSuite\mxctxmnu.dll" ["Avanquest Publishing USA, Inc."]
PowerDesk Menu\(Default) = "{26E7F081-EB97-11d3-9239-006008D2D00F}"
  -> {HKLM...CLSID} = "PowerDesk ZIP Extension"
     \InProcServer32\(Default) = "C:\Program Files\VCOM\PowerDesk\PDShExt.dll" ["Avanquest Publishing USA, Inc."]
SnagItMainShellExt\(Default) = "{CF74B903-3389-469c-B3B6-0204D204FCBD}"
  -> {HKLM...CLSID} = "SnagItShellExt Class"
     \InProcServer32\(Default) = "C:\Program Files\TechSmith\SnagIt 8\SnagItShellExt.dll" ["TechSmith Corporation"]
TuneUp Shredder\(Default) = "{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}"
  -> {HKLM...CLSID} = "TuneUp Shredder Shell Context Menu Extension"
     \InProcServer32\(Default) = ""C:\Program Files\TuneUp Utilities 2006\sdshelex.dll"" ["TuneUp Software GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
DeleteOnClick\(Default) = "{53E4AC39-674F-4A48-B31D-DE3A591D0504}"
  -> {HKLM...CLSID} = "DeleteOnClick Context Menu Plugin"
     \InProcServer32\(Default) = "C:\Program Files\2BrightSparks\DeleteOnClick\DeleteOnClick.dll" [null data]
SpySweeper\(Default) = "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"
  -> {HKLM...CLSID} = "Webroot Spy Sweeper Context Menu Integration"
     \InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"
  -> {HKLM...CLSID} = "UnlockerShellExtension"
     \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\Web\Wallpaper\Bliss.bmp"


Startup items in "Peter" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\Peter\Start Menu\Programs\Startup
"7way" -> shortcut to: "C:\Program Files\7Way\7WAY.EXE" ["7Way Software."]
"SpywareGuard" -> shortcut to: "C:\Program Files\SpywareGuard\sgmain.exe" [null data]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Trend Micro Anti-Spyware" -> shortcut to: "C:\Program Files\Trend Micro\Tmas\Tmas.exe -autostart" ["Trend Micro Incorporated"]


Enabled Scheduled Tasks:
------------------------

"1-Click Maintenance" -> launches: "C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe /schedulestart" ["TuneUp Software GmbH"]
"PPv5Scan_Daily as Peter at 2 30 AM" -> launches: "C:\Program Files\CA\eTrust PestPatrol\ppv5consumercl.exe /quarantine" ["Computer Associates"]
"SmartBackup (Backup, ID B12D4BE14CA6B58446569)" -> launches: "C:\Program Files\SmartBackup\smartbackup.exe /RunProjectById=B12D4BE14CA6B58446569 /ExitWhenIdle" ["Onlime Media"]
"Spybot - Search & Destroy - Scheduled Task" -> launches: "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe /AUTOCHECK" ["Safer Networking Limited"]
"WindowsReliabilityMetrics" -> launches: "C:\Program Files\Windows NT\Reliability Metrics\relmet.exe" [MS]
"wrSpySweeper20060419001847" -> launches: "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /ScheduleSweep=wrSpySweeper20060419001847" ["Webroot Software, Inc."]
"XoftSpy" -> launches: "C:\Program Files\XoftSpy\XoftSpy.exe -t" ["ParetoLogic Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{F2E259E8-0FC8-438C-A6E0-342DD80FA53E}"
  -> {HKLM...CLSID} = "Copernic Agent"
     \InProcServer32\(Default) = "C:\PROGRA~1\COPERN~1\COPERN~2.DLL" ["Copernic Technologies Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3}" = (no title provided)
  -> {HKLM...CLSID} = "SnagIt"
     \InProcServer32\(Default) = "C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll" ["TechSmith Corporation"]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{6F480F82-C3A6-4D35-96F7-B297AD49FBE8}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Copernic Agent Results"
     \InProcServer32\(Default) = "C:\Program Files\Copernic Agent\CopernicAgentExt.dll" ["Copernic Technologies Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0007-ABCDEFFEDCBC}"
  -> {HKCU...CLSID} = "Java Plug-in"
     \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM...CLSID} = "Java Plug-in 1.5.0_07"
     \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll" ["Sun Microsystems, Inc."]

{9819CC0E-9669-4D01-9CD7-2C66DA43AC6C}\
"ButtonText" = "Internet Download Accelerator"
"MenuText" = "&Internet Download Accelerator"
"Exec" = "C:\Program Files\IDA\ida.exe" ["WestByte"]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\

Missing lines (compared with English-language version):
HIJACK WARNING! "TuneUp" = "file://C|/Documents and Settings/All Users/Application Data/TuneUp Software/Common/base.css" [file not found]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Acronis Scheduler2 Service, AcrSch2Svc, ""C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe"" ["Acronis"]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
Diskeeper, Diskeeper, ""C:\Program Files\Executive Software\Diskeeper\DkService.exe"" ["Executive Software International, Inc."]
Fax, Fax, "C:\WINDOWS\system32\fxssvc.exe" [MS]
GhostStartService, GhostStartService, "C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe" ["Symantec Corporation"]
MonUPS Power Protect, MonUPS Power Protect, "C:\Program Files\Ups\MonUPS Software\MonUPS.exe" [empty string]
SystemSuite Task Manager, SystemSuite Task Manager, "C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe -Service" ["Avanquest Publishing USA, Inc."]
Webroot Spy Sweeper Engine, svcWRSSSDK, "C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe" ["Webroot Software, Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
hpzlnt10\Driver = "hpzlnt10.dll" ["HP"]
LPR Port\Driver = "lprmon.dll" [MS]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI DLL launch points and all Registry CLSIDs for dormant Explorer Bars, use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 39 seconds, including 14 seconds for message boxes)


................................................................................

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
UPX!                 5/28/2006 9:54:34 PM   27262976 C:\VIRTPART.DAT

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
PECompact2           5/31/2005 11:53:46 PM  15070301 C:\WINDOWS\LPT$VPN.653
qoologic             5/31/2005 11:53:46 PM  15070301 C:\WINDOWS\LPT$VPN.653
SAHAgent             5/31/2005 11:53:46 PM  15070301 C:\WINDOWS\LPT$VPN.653
UPX!                 3/15/2006 10:03:18 PM    437760 C:\WINDOWS\rapidui.exe
UPX!                 5/31/2005 11:53:46 PM    170053 C:\WINDOWS\tsc.exe
PECompact2           5/31/2005 11:53:46 PM  15070301 C:\WINDOWS\VPTNFILE.653
qoologic             5/31/2005 11:53:46 PM  15070301 C:\WINDOWS\VPTNFILE.653
SAHAgent             5/31/2005 11:53:46 PM  15070301 C:\WINDOWS\VPTNFILE.653
UPX!                 5/31/2005 11:53:46 PM   1044560 C:\WINDOWS\vsapi32.dll
aspack               5/31/2005 11:53:46 PM   1044560 C:\WINDOWS\vsapi32.dll

Checking %System% folder...
PEC2                 8/23/2001 5:00:00 AM      41397 C:\WINDOWS\SYSTEM32\dfrg.msc
UPX!                 8/31/2005 12:33:56 PM    138752 C:\WINDOWS\SYSTEM32\Flash Screen Saver.scr
PECompact2           5/3/2006 9:26:22 PM     5818784 C:\WINDOWS\SYSTEM32\MRT.exe
aspack               5/3/2006 9:26:22 PM     5818784 C:\WINDOWS\SYSTEM32\MRT.exe
aspack               8/4/2004 1:56:38 AM      708096 C:\WINDOWS\SYSTEM32\ntdll.dll
UPX!                 11/28/2005 10:50:22 AM    27136 C:\WINDOWS\SYSTEM32\PCWizard.cpl
Umonitor             8/4/2004 1:56:46 AM      657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync              8/23/2001 5:00:00 AM    1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
PTech                8/3/2004 11:41:38 PM    1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
5/29/2006 2:35:02 PM    S       2048 C:\WINDOWS\bootstat.dat
5/4/2006 6:52:00 PM     H      54156 C:\WINDOWS\QTFont.qfn
5/29/2006 2:35:44 PM    H       1024 C:\WINDOWS\system32\config\default.LOG
4/1/2006 9:41:20 PM     H          0 C:\WINDOWS\system32\config\default.tmp.LOG
5/29/2006 2:34:14 PM    H      28672 C:\WINDOWS\system32\config\SAM
5/29/2006 2:35:04 PM    H       1024 C:\WINDOWS\system32\config\SAM.LOG
5/29/2006 2:34:14 PM    H      49152 C:\WINDOWS\system32\config\SECURITY
5/29/2006 2:35:44 PM    H       1024 C:\WINDOWS\system32\config\SECURITY.LOG
5/29/2006 9:23:22 PM    H       1024 C:\WINDOWS\system32\config\software.LOG
4/1/2006 9:41:18 PM     H          0 C:\WINDOWS\system32\config\software.tmp.LOG
5/29/2006 9:19:48 PM    H       1024 C:\WINDOWS\system32\config\system.LOG
4/1/2006 9:41:20 PM     H          0 C:\WINDOWS\system32\config\system.tmp.LOG
5/9/2006 11:51:30 PM    H       1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
4/23/2006 9:49:02 PM    HS       388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\fb634f60-d5ed-40b4-b6df-d7c0aff94997
4/23/2006 9:49:02 PM    HS        24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
5/29/2006 2:35:04 PM    H          6 C:\WINDOWS\Tasks\SA.DAT
5/18/2006 12:00:08 AM   H        368 C:\WINDOWS\Tasks\WindowsReliabilityMetrics.job

Checking for CPL files...
Microsoft Corporation    8/4/2004 1:56:58 AM      68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation    8/4/2004 1:56:58 AM     549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation    8/4/2004 1:56:58 AM     110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
FotoNation inc.          3/26/1998 3:01:34 PM     27136 C:\WINDOWS\SYSTEM32\camcpl.cpl
Microsoft Corporation    8/4/2004 1:56:58 AM     135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation    8/4/2004 1:56:58 AM      80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation    8/4/2004 1:56:58 AM     155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation    8/4/2004 1:56:58 AM     358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation    8/4/2004 1:56:58 AM     129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation    8/4/2004 1:56:58 AM     380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation    8/4/2004 1:56:58 AM      68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc.   5/3/2006 2:56:54 AM      49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation    8/23/2001 5:00:00 AM    187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation    8/4/2004 1:56:58 AM     618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation    8/23/2001 5:00:00 AM     35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation    8/4/2004 1:56:58 AM      25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation    8/4/2004 1:56:58 AM     257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation    8/23/2001 5:00:00 AM     36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation    8/4/2004 1:56:58 AM      32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
                         11/28/2005 10:50:22 AM   27136 C:\WINDOWS\SYSTEM32\PCWizard.cpl
Microsoft Corporation    8/4/2004 1:56:58 AM     114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc.     9/23/2004 6:57:38 PM    323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
NVIDIA Corporation       11/13/2002 12:33:30 AM R 73728 C:\WINDOWS\SYSTEM32\sscpl.cpl
Microsoft Corporation    8/4/2004 1:56:58 AM     298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation    8/23/2001 5:00:00 AM     28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation    8/4/2004 1:56:58 AM      94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation    8/4/2004 1:56:58 AM     148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation    5/26/2005 4:16:30 AM    174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation    8/4/2004 1:56:58 AM      68608 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation    8/4/2004 1:56:58 AM     549888 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation    8/4/2004 1:56:58 AM     110592 C:\WINDOWS\SYSTEM32\dllcache\bthprops.cpl
Microsoft Corporation    8/4/2004 1:56:58 AM     135168 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation    8/4/2004 1:56:58 AM      80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation    8/4/2004 1:56:58 AM     155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation    8/4/2004 1:56:58 AM     358400 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation    8/4/2004 1:56:58 AM     129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation    8/4/2004 1:56:58 AM     380416 C:\WINDOWS\SYSTEM32\dllcache\irprops.cpl
Microsoft Corporation    8/4/2004 1:56:58 AM      68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation    8/23/2001 5:00:00 AM    187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation    8/4/2004 1:56:58 AM     618496 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation    8/23/2001 5:00:00 AM     35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation    8/4/2004 1:56:58 AM      25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation    8/4/2004 1:56:58 AM     257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation    8/23/2001 5:00:00 AM     36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation    8/4/2004 1:56:58 AM      32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation    8/4/2004 1:56:58 AM     114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation    8/4/2004 1:56:58 AM     155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation    8/4/2004 1:56:58 AM     298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation    8/23/2001 5:00:00 AM     28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation    8/4/2004 1:56:58 AM      94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation    8/4/2004 1:56:58 AM     148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation    5/26/2005 4:16:30 AM    174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
1/20/2005 1:45:24 PM    HS        84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
11/4/2005 11:02:00 PM            815 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Trend Micro Anti-Spyware.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
1/20/2005 5:37:04 AM    HS        62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
5/19/2006 9:35:06 PM             647 C:\Documents and Settings\Peter\Start Menu\Programs\Startup\7way.lnk
1/20/2005 1:45:24 PM    HS        84 C:\Documents and Settings\Peter\Start Menu\Programs\Startup\desktop.ini
1/21/2006 2:42:50 AM             650 C:\Documents and Settings\Peter\Start Menu\Programs\Startup\SpywareGuard.lnk

Checking files in %USERPROFILE%\Application Data folder...
1/21/2005 3:24:58 AM 877 C:\Documents and Settings\Peter\Application Data\AdobeDLM.log 9/15/2004 9:14:30 AM HS 62 C:\Documents and Settings\Peter\Application Data\desktop.ini 1/21/2005 3:24:58 AM 0 C:\Documents and Settings\Peter\Application Data\dm.ini»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform] SV1 = [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved][HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved][HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\7-Zip {23170F69-40C1-278A-1000-000100020000} = C:\Program Files\7-Zip\7-zip.dllHKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\DeleteOnClick {53E4AC39-674F-4A48-B31D-DE3A591D0504} = C:\Program Files\2BrightSparks\DeleteOnClick\DeleteOnClick.dllHKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\FileTerminator {EBDF1F20-C829-1010-8233-0020AFCE97A9} = C:\PROGRA~1\iolo\SEARCH~1\FILETE~1.DLLHKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Fix-It Menu {A50302A0-8E15-11d2-887B-006008C1C087} = C:\Program Files\VCOM\SystemSuite\mxctxmnu.dllHKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dllHKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With {09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dllHKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dllHKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\PowerDesk Menu {26E7F081-EB97-11d3-9239-006008D2D00F} = C:\Program Files\VCOM\PowerDesk\PDShExt.dllHKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\SnagItMainShellExt {CF74B903-3389-469c-B3B6-0204D204FCBD} = C:\Program Files\TechSmith\SnagIt 
8\SnagItShellExt.dllHKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TuneUp Shredder {00DF1F20-0849-A4D1-0239-00D0AF3E9CB0} = "C:\Program Files\TuneUp Utilities 2006\sdshelex.dll"HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\UltraEdit-32 {b5eedee0-c06e-11cf-8c56-444553540000} = C:\PROGRA~1\ULTRAE~1\ue32ctmn.dllHKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dllHKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8} Start Menu Pin = %SystemRoot%\system32\SHELL32.dllHKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208} = C:\Program Files\Nero\Nero 7\Nero BackItUp\NBShell.dll[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\DeleteOnClick {53E4AC39-674F-4A48-B31D-DE3A591D0504} = C:\Program Files\2BrightSparks\DeleteOnClick\DeleteOnClick.dllHKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SpySweeper {7C9D5882-CB4A-4090-96C8-430BFE8B795B} = C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dllHKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\UnlockerShellExtension {DDE4BEEB-DDE6-48fd-8EB5-035C09923F83} = C:\Program Files\Unlocker\UnlockerCOM.dllHKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dllHKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208} = C:\Program Files\Nero\Nero 7\Nero BackItUp\NBShell.dll[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip {23170F69-40C1-278A-1000-000100020000} = C:\Program Files\7-Zip\7-zip.dllHKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu {A470F8CF-A1E8-4f65-8335-227475AA5C46} = 
%SystemRoot%\system32\SHELL32.dllHKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\FileTerminator {EBDF1F20-C829-1010-8233-0020AFCE97A9} = C:\PROGRA~1\iolo\SEARCH~1\FILETE~1.DLLHKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Fix-It Menu {A50302A0-8E15-11d2-887B-006008C1C087} = C:\Program Files\VCOM\SystemSuite\mxctxmnu.dllHKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dllHKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\PowerDesk Menu {26E7F081-EB97-11d3-9239-006008D2D00F} = C:\Program Files\VCOM\PowerDesk\PDShExt.dllHKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dllHKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\SnagItMainShellExt {CF74B903-3389-469c-B3B6-0204D204FCBD} = C:\Program Files\TechSmith\SnagIt 8\SnagItShellExt.dllHKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\TuneUp Shredder {00DF1F20-0849-A4D1-0239-00D0AF3E9CB0} = "C:\Program Files\TuneUp Utilities 2006\sdshelex.dll"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871} = %SystemRoot%\system32\SHELL32.dllHKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF} = %SystemRoot%\system32\SHELL32.dllHKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF} = %SystemRoot%\system32\SHELL32.dllHKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE} = 
%SystemRoot%\system32\SHELL32.dllHKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7D4D6379-F301-4311-BEBA-E26EB0561882} = C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dllHKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627} = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00C6482D-C502-44C8-8409-FCE54AD9C208} HelperObject Class = C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dllHKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} Adobe PDF Reader Link Helper = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dllHKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2A646672-9C3A-4C28-9A7A-1FB0F63F28B6} IE 4.x-6.x BHO for Internet Download Accelerator = C:\PROGRA~1\IDA\idaiehlp.dllHKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A368E80-174F-4872-96B5-0B27DDD11DB2} SpywareGuardDLBLOCK.CBrowserHelper = C:\Program Files\SpywareGuard\dlprotect.dllHKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F} = C:\PROGRA~1\SPYBOT~1\SDHelper.dllHKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} SSVHelper Class = C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376} &Tip of the Day = %SystemRoot%\system32\shdocvw.dllHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{6F480F82-C3A6-4D35-96F7-B297AD49FBE8} Copernic Agent Results = C:\Program Files\Copernic 
Agent\CopernicAgentExt.dll[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar] {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} = SnagIt : C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dllHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} ButtonText = Internet Download Accelerator : C:\Program Files\IDA\ida.exeHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683} ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478} = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E} Explorer Band = %SystemRoot%\system32\shdocvw.dll[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dllHKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} = : {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} = Copernic Agent : C:\PROGRA~1\COPERN~1\COPERN~2.DLL[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] HPDJ Taskbar Utility C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe Logitech Utility Logi_MwX.Exe Fix-It AV C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe Ad Muncher C:\Program Files\Ad 
Muncher\AdMunch.exe /bt SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe SpySweeper "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray eTrustPPAP "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce][HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] TClockEx C:\Program Files\Tclockex\TCLOCKEX.EXE SmartBackup C:\Program Files\SmartBackup\smartbackup.exe /SYSTEMSTARTUP SuperCleaner "C:\Program Files\SuperCleaner\SuperCleaner.exe" /h/b SpybotSD TeaTimer C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce][HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices][HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce][HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load][HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\servicesHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolderHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupregHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state system.ini 0 win.ini 0 bootini 0 services 0 startup 0[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ExplorerHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = 
C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} = {0DF44EAA-FF21-4412-828E-260A8728E7F1} = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\RatingsHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system dontdisplaylastusername 0 legalnoticecaption legalnoticetext shutdownwithoutlogon 1 undockwithoutlogon 1[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer NoDriveTypeAutoRun 145 NoChangeStartMenu 0 NoRecentDocsHistory 1 MaxRecentDocs 9 NoStartMenuMFUprogramsList 0 NoLowDiskSpaceChecks 0 NoDesktop 0 NoViewContextMenu 0 NoDrives NoSharedDocuments HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad] PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] UserInit = C:\WINDOWS\system32\userinit.exe, Shell = Explorer.exe System = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\NotifyHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent = Ati2evxx.dllHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain = crypt32.dllHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet = cryptnet.dllHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll = cscdll.dllHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp = 
wlnotify.dllHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule = wlnotify.dllHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy = sclgntfy.dllHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn = WlNotify.dllHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv = wlnotify.dllHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon = wlnotify.dllHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier = WRLogonNTF.dll[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path Debugger = ntsd -d[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] AppInit_DLLs »»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.Scan completed on 5/29/2006 9:23:49 PM Edited May 30, 2006 by barebear Quote Link to post Share on other sites
Matt Posted May 30, 2006

heh, sorry again. I meant the anti-keylogger software, meh brain fart.

Yes, those logs are very complicated to read; many of us go through special training in spyware removal. If you are interested, I can send you information on where to get HJT/malware training.

Matt
barebear (Author) Posted May 30, 2006

Hi Matt,

Thanks, please do send that info--then maybe I can help you guys.

Best, barebear
Matt Posted May 30, 2006

There are many recommended training schools across the web. TomCoyote Classroom and SpywareInfo Bootcamp are to name a couple. The one I would suggest is Geekstogo's Geek University--as it is where I received my training. I can also recommend others if you do not find one of those fitting; however, those are the most popular and best-known. No matter which you choose, all schools will require you to register on their forum before entering the classroom.

Most schools follow similar, but unique, courses. As you progress, training gets harder and more advanced. If you have any other questions, feel free to ask.