Question

  • #2147751

    Junk/trash characters stop access to desktop

    Locked

    by alrosenbloom ·

    Hi.
    Yesterday a technician from Symantec was helping to remove a virus from my
    machine. He went into my registry to change some values. (I wanted to make the
    titles for all desktop files transparent).

    Immediately afterward, a strange dialog box began to appear every time I would boot my machine. The dialog box appeared right after the Windows XP splash screen. It is basically an all white box but with what looks like “junk/trash” characters in it. Generally there are only three characters. The first character was like a small rectangle standing on end followed by this: ?r. The title of the dialog box was this small rectangle and ?. I have to click OK on the dialog box and I am immediately taken to the desktop. The characters might change on each boot. Today the title was a string of trash characters including a Chinese character. Generally there are two or three and always some random, weird combination.

    Any ideas as to what is causing this and how to fix it?

All Answers

    • #2564589

      Clarifications

      by alrosenbloom ·

      In reply to Junk/trash characters stop access to desktop

      Clarifications

    • #2564583

      You’re still infected……..

      by thumbsup2 ·

      In reply to Junk/trash characters stop access to desktop

      Call them back and have them finish the job. They’re not done.

      • #2564300

        Why do you say that?

        by alrosenbloom ·

        In reply to You’re still infected……..

        I *have* talked with Symantec many times about this. They have run their virus diagnostic tool, including a complete scan of my system. They said my system is clean, no viruses. And I saw the results that said that was true.

        Without something more specific, I am afraid I will be in a loop of them telling me my system is fine and others telling me it is not.

        Suggestions?

        • #2564294

          Are you running…..

          by thumbsup2 ·

          In reply to Why do you say that?

          …. any anti-spyware/anti-virus software of your own? Have you used it to check your system? Have you used CCleaner or any other tool to clean out the registry?

          Just exactly what have you done, besides calling Symantec? If you think they’re going to tell you there’s something left on your system which can not be detected by their software, think again. If you’ve got a pop-up window appearing, there’s something left that hasn’t been repaired.

    • #2563481

      This might help you with your virus issue..

      by Anonymous ·

      In reply to Junk/trash characters stop access to desktop

      http://antivirus.about.com/od/securitytips/a/bootsectorvirus.htm

      Please post back if you have any more problems or questions.

      • #2563192

        Interesting but not a solution

        by alrosenbloom ·

        In reply to This might help you with your virus issue..

        Thanks for providing a lot of information.

        I am still looking for a solution to correct the current problem I have with booting up and the trash characters I still am receiving. Any suggestions?

        • #2563185

          Do you normally get a readable dialog box at boot?

          by seanferd ·

          In reply to Interesting but not a solution

          Regardless, either you’re still infected, damage from the infection hasn’t been repaired, or the technician broke something in the registry.

          The dialog box is trying to tell you something, but you don’t have the proper character set to display it, probably because it is in another language.

          I would recommend a different antivirus (try an online scan), anti-trojan, anti-rootkit, or registry cleaner.

        • #2562894

          You might be right

          by alrosenbloom ·

          In reply to Do you normally get a readable dialog box at boot?

          I agree that the dialog box is trying to tell me something, and I might not have the character set installed. This still leaves the problem of trying to find the right character set but then interpreting something in a foreign language.

          I definitely think something is broken in the registry but can’t figure out how to repair it.

          Any suggestions for an online scan that will also remove the traces of a virus if found?

        • #2562884

          This might be worth a try….

          by thumbsup2 ·

          In reply to You might be right

          On occasion, I’ve seen the default language settings get corrupted on certain dialog boxes, especially after you’ve been messing around in the registry or after a virus has damaged things. Not all will display the corruption though, so it’s a tough one to track down.

          To fix it, try setting your default language to another language, reboot, then setting it back to English, if that’s what you’re using. This can be very tricky though, if you can’t read another language. What I did was to write down where the default language was located in the list of languages… say 3rd from the bottom of the list, or wherever it is… set to another language like Spanish which I could read a few words… reboot using your memory to know what it’s going to ask for upon reboot, then reset back to English and reboot again.

          Be very careful, because if you can’t navigate around in the new language, you could get lost. 😉

        • #2569109

          I need a little clarification

          by alrosenbloom ·

          In reply to This might be worth a try….

          This sounds like a very good suggestion. I presume you mean going into control panel -> regional and language option. Right? If so, then should I change the language in both the regional and advanced tab? Thanks.

        • #2463076

          I suspect the answer is, “Yes”.

          by seanferd ·

          In reply to I need a little clarification

          The settings affect programs based on whether or not the character encoding is Unicode or not. I would suggest doing both so that you don’t have to go through the procedure more than once. I also suggest that, when you change the setting, you pick a different type of English for your temporary change, as you will still be able to read text on your system with little difficulty. U.K. English or Zimbabwe English should work well.

          Then, you’ll have to tell us what that dialog box says! I’m curious.

          Cheers.

        • #2565114

          I think ThumbsUp2 has got it here

          by seanferd ·

          In reply to You might be right

          You don’t want to change/ add a character set just for the dialog box, you just need to fix the settings. I would try what Thumbs suggests.

          I would also recommend running a free registry cleaner, like CCleaner, to remove anything in the registry that is damaged, or that might cause your system to call the virus back (viruses do make registry changes like that). I don’t know if a reg cleaner will fix the dialog box problem, but it depends on what settings are involved. If the dialog is looking for a file that is no longer present, a reg cleaner should help.

        • #2464213

          Yes and no

          by alrosenbloom ·

          In reply to I think ThumbsUp2 has got it here

          The suggestion to use a registry cleaner is good. I have run CCleaner and I still get the dialog box. Some suggested that the “junk” characters are actually codes for a foreign language. Does that make any sense?

          I am still wondering if there is a way to find what key was deleted when the Symantec rep deleted it? I don’t think a restore point will work because I might have had a virus for a long time (6 weeks). I am open to suggestions.

        • #2464143

          Have you checked the startup items?

          by ic-it ·

          In reply to Yes and no

          Start – Run – (type) Msconfig and review the services and startup items. Google any suspect entries and turn them off. Open services.msc and disable any suspected service that was found. Reboot and enter Safe Mode, delete the object(s) from the path you found using MSconfig.

        • #2465610

          There are 2 good suggestions

          by seanferd ·

          In reply to Yes and no

          1 Check on your startup items.

          2 Try resetting your default language per ThumbsUp2’s instructions.

          The junk characters are an attempt to map a foreign character set to the fonts you have. You can see the same type of thing opening a binary file in a text editor that does not support the ASCII or OEM extended characters. You will get random characters, odd characters that your fonts have, and especially the little square boxes, which show that your font has no matching character at all.
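The mis-mapping described above, as an added example that is not part of the original post: it shows one specific case, single-byte (ANSI) text read through a UTF-16 code path, which turns an ordinary Windows path into CJK ideographs. The function names and the cp1252 code page are assumptions made for the illustration.

```python
import unicodedata

def misread_as_utf16(ansi_text, codepage="cp1252"):
    """Return what is displayed when single-byte text is treated as UTF-16LE.

    Each pair of ANSI bytes is fused into one 16-bit code unit, so two
    ASCII letters become a single character from a high code-point range.
    """
    raw = ansi_text.encode(codepage)
    if len(raw) % 2:
        # Odd length: the string's terminating NUL is pulled into the last unit.
        raw += b"\x00"
    return raw.decode("utf-16-le", errors="replace")

def describe(garbled):
    """Classify each character the way it would look on an English-only system."""
    counts = {"cjk": 0, "unassigned": 0, "other": 0}
    for ch in garbled:
        if unicodedata.name(ch, "").startswith("CJK"):
            counts["cjk"] += 1            # drawn as a Chinese/Japanese glyph if a font has it
        elif unicodedata.category(ch) in ("Cn", "Co", "Cs"):
            counts["unassigned"] += 1     # no glyph anywhere: the little square box
        else:
            counts["other"] += 1
    return counts

def recover_ansi(garbled, codepage="cp1252"):
    """Undo the misread: split every UTF-16 unit back into two ANSI bytes.

    Returns the candidate text if it is entirely printable, otherwise None
    (for example when the input was genuine Unicode text all along).
    """
    try:
        raw = garbled.encode("utf-16-le")
    except UnicodeEncodeError:            # lone surrogates cannot be re-encoded
        return None
    try:
        text = raw.rstrip(b"\x00").decode(codepage)
    except UnicodeDecodeError:            # byte not defined in the code page
        return None
    return text if text and text.isprintable() else None

if __name__ == "__main__":
    # Path quoted later in this thread, used here only as sample input.
    path = r"c:\windows\apppatch\acspecfc.dll"
    shown = misread_as_utf16(path)
    print(shown)
    print(describe(shown))
    print(recover_ansi(shown))
```

Pasting the characters from such a dialog into `recover_ansi` gives a quick check of whether the "junk" is readable text under the wrong encoding or arbitrary bytes.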

        • #2450600

          re: seanfred No luck

          by alrosenbloom ·

          In reply to I think ThumbsUp2 has got it here

          I have tried changing the language settings in control panel. No luck. However, I definitely think my problem is “language related.” This morning the dialog box title definitely had either Chinese or Japanese characters in it.

          Also, this morning, within the dialog there was this cryptic message:

          unicode characters here ĉc:\windows\apppatch\acspecfc.dll

          Does this help?

          Thanks

        • #2571336

          acspecfc.dll

          by seanferd ·

          In reply to re: seanfred No luck

          That is an application compatibility DLL, so, the first thing I would do is to check if that file is where the dialog box says it is, including the name of the Windows directory (is it actually c:\windows, or is it c:\winnt, or something else).

          Additionally, go here:
          http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
          and read the page if you like, but download the Autoruns utility, the link is at the bottom of the page. Unzip the contents to your desktop or a folder of your choice, double-click Autoruns.exe. This will show you everything that starts at system start up. Ignore highlighted lines, they are empty entries. You can check the Image Hijacks tab first, to see if there is anything left over from your previous infection. If not, go back to the Everything tab, and look for programs that are running at start up that you do not recognize, or that you recognize as being recently installed prior to you noticing the dialog box. What we are trying to do here is find the program that is giving you the dialog box in the first place.

          If you are positively confused by the listings from the program, click File > Export As, save the text file, then copy/paste the text into a post on this thread so we can see it.

          This is all just diagnostic, I or someone else will be able to make further suggestions depending on what info you can give on these two items.

        • #2573456

          re; Seanferd & bwilmot — Clean computer still with problem

          by alrosenbloom ·

          In reply to Do you normally get a readable dialog box at boot?

          I now have what I think is a completely virus-free computer, yet the dialog box with the unicode/ascii characters still keeps appearing on boot-up.

          Today, this line appeared in the questioned dialog box:
          LJĎMicrosoft Unified Security Protocol Provider

          Does this help diagnose the problem?

          I’m beginning to think that I need to *add* something to my registry, since Windows XP is trying to find something on boot-up. Any ideas?

          Thanks.

        • #2910005

          Lets try one more scanner

          by ic-it ·

          In reply to re; Seanferd & bwilmot — Clean computer still with problem

          A growing number of trojans and root kits will hijack windows dll and/or exe files and use them to mask their own.
          Go to this link and download the free version.
          Try to scan in Safe mode then from normal.

          http://www.superantispyware.com/

        • #2908353

          One thing leads to the next thing –> PSAPI.dll

          by alrosenbloom ·

          In reply to Lets try one more scanner

          Downloaded and ran the scan as you suggested, both in safe mode and normal. Safe mode found the Vundo and a couple other things. However, the antivirus program downloaded now signals that it has a problem with the PSAPI.DLL file:

          Procedure entry point GetProcessImageFileNameW could not be located in the dynamic link library. PSAPI.DLL

          A quick internet search suggests that I should have only one psapi.dll file in system32. I have that one along with a psapi.dll file name in Windows\Drivers|video3; Windows\ServicePackFiles\i386; and Windows\System32\dllcache

          I am presuming that dhcpsapi.dll is completely different.

          Should I care about the psapi.dll message, since it appears only with the newly downloaded antispyware program?

        • #2908307

          See if this shines a light :)

          by rob miners ·

          In reply to One thing leads to the next thing –> PSAPI.dll

          do an online scan with Bitdefender. 😉

          http://www.bitdefender.com/scan8/ie.html

        • #2908599

          Trivia

          by seanferd ·

          In reply to One thing leads to the next thing –> PSAPI.dll

          Do the scans as suggested.

          The trivia is: GetProcessImageFileNameW is a Unicode function. Hmmm.

          Edit: The W gives it away.

        • #2910669

          bwilmot & TrueBlue: what about schannel.dll?

          by seanferd ·

          In reply to re; Seanferd & bwilmot — Clean computer still with problem

          Hmmmm.

          Microsoft Unified Security Protocol Provider
          schannel.dll = TLS / SSL Security Provider
          http://www.microsoft.com/technet/security/Bulletin/ms07-031.mspx
          Vulnerability in the Windows Schannel Security Package Could Allow Remote Code Execution
          http://news.cnet.com/8301-10784_3-9728711-7.html
          Schannel zero-day exploit released

        • #2910646

          Been around for awhile

          by rob miners ·

          In reply to bwilmot & TrueBlue: what about schannel.dll?

          Description schannel.dll is a library which contains the functions for 128-bit strong encryption in Internet Explorer 3.x or 4.x.

          I really think that it is an orphaned popup and is probably related to Hidownload. The last time that I saw Program Files on D: was because of a Trojan Downloader. My son had installed a Downloader that he thought was safe.

        • #2910494

          Ah.

          by seanferd ·

          In reply to Been around for awhile

          Yes. I was wondering if malware had compromised or used an unpatched schannel.dll in regards to up/downloading somehow. XPSP2 without further updates contains a vulnerable version of this file, so I was just wondering if the mention of Microsoft Unified Security Protocol Provider in the pop-up might help identify the actual malware, but it sounds like you have a good idea of what it might be already.

        • #2910486

          I didn’t check

          by rob miners ·

          In reply to Been around for awhile

          when I removed it but it would not surprise me if this could have happened as some of these Viruses are very clever.

          “I was wondering if malware had compromised or used an unpatched schannel.dll”

    • #2465597

      See if this sorts it out

      by rob miners ·

      In reply to Junk/trash characters stop access to desktop

      Check to see that it isn’t a Pagefile Problem

      By default, Windows XP Professional does not clear the virtual memory pagefile when the system is shut down. In some organizations this is considered a breach of security because the data in the pagefile might be accessible to users who are not authorized to view that information. To enable this feature and clear the pagefile each time the system is shut down, start the Group Policy snap-in, expand Local Policies, and then select Security Options. Right-click Shutdown: Clear Virtual Memory Pagefile and then click Properties. By default, it is disabled. To force Windows XP Professional to clear the pagefile when the system is shut down, select Enabled.

      • #2908653

        Thanks for all the advice

        by alrosenbloom ·

        In reply to See if this sorts it out

        I have run Bitdefender. Still the same problem with a dialog box on boot. Thanks for all the good advice. This looks like an issue I will just have to live with.

        • #2908604

          If you still have an XP install cd handy

          by ic-it ·

          In reply to Thanks for all the advice

          Run a sfc /scannow

          That may restore any hijacked system files.

        • #2908524

          Could you do this for us

          by rob miners ·

          In reply to Thanks for all the advice

          Download HijackThis v2.0.2

          http://aumha.org/downloads/hijackthis.exe

          Run a scan and save a copy to Notepad and post it for us. I am interested to see what is running from the Registry Run.

        • #2908430

          Here it is

          by alrosenbloom ·

          In reply to Could you do this for us

          Logfile of Trend Micro HijackThis v2.0.2
          Scan saved at 6:46:53 PM, on 6/20/2008
          Platform: Windows XP SP2 (WinNT 5.01.2600)
          MSIE: Internet Explorer v7.00 (7.00.6000.16674)
          Boot mode: Normal

          Running processes:
          C:\WINDOWS\System32\smss.exe
          C:\WINDOWS\system32\winlogon.exe
          C:\WINDOWS\system32\services.exe
          C:\WINDOWS\system32\lsass.exe
          C:\WINDOWS\system32\svchost.exe
          C:\WINDOWS\System32\svchost.exe
          C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
          C:\WINDOWS\Explorer.EXE
          C:\WINDOWS\system32\spoolsv.exe
          C:\WINDOWS\system32\ezSP_Px.exe
          C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
          C:\WINDOWS\system32\ctfmon.exe
          C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
          C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
          C:\WINDOWS\System32\svchost.exe
          C:\WINDOWS\System32\svchost.exe
          C:\Program Files\Internet Explorer\iexplore.exe
          C:\Program Files\Windows Media Player\wmplayer.exe
          C:\Documents and Settings\Al Rosenbloom\Desktop\HijackThis.exe
          D:\Downloads\Computer Programs\hijackthis-06-08.exe

          R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
          R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
          R0 – HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
          R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
          R0 – HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
          R1 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
          O2 – BHO: Symantec Intrusion Prevention – {6D53EC84-6AAE-4787-AEEE-F4628F01010C} – C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
          O2 – BHO: Google Toolbar Notifier BHO – {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} – C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
          O3 – Toolbar: Adobe PDF – {47833539-D0C5-4125-9FA8-0819E2EAAC93} – D:\Program Files\Acrobat\AcroIEFavClient.dll
          O3 – Toolbar: SnagIt – {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} – C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
          O4 – HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
          O4 – HKLM\..\Run: [ccApp] “C:\Program Files\Common Files\Symantec Shared\ccApp.exe”
          O4 – HKLM\..\Run: [osCheck] “C:\Program Files\Norton AntiVirus\osCheck.exe”
          O4 – HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
          O8 – Extra context menu item: &Save Flash In This Page by Flash Saver – D:\PROGRA~1\FLASHS~1\save.htm
          O8 – Extra context menu item: Convert link target to Adobe PDF – res://D:\Program Files\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
          O8 – Extra context menu item: Convert link target to existing PDF – res://D:\Program Files\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
          O8 – Extra context menu item: Convert selected links to Adobe PDF – res://D:\Program Files\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
          O8 – Extra context menu item: Convert selected links to existing PDF – res://D:\Program Files\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
          O8 – Extra context menu item: Convert selection to Adobe PDF – res://D:\Program Files\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
          O8 – Extra context menu item: Convert selection to existing PDF – res://D:\Program Files\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
          O8 – Extra context menu item: Convert to Adobe PDF – res://D:\Program Files\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
          O8 – Extra context menu item: Convert to existing PDF – res://D:\Program Files\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
          O9 – Extra button: (no name) – {08B0E5C0-4FCB-11CF-AAA5-00401C608501} – C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
          O9 – Extra ‘Tools’ menuitem: Sun Java Console – {08B0E5C0-4FCB-11CF-AAA5-00401C608501} – C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
          O9 – Extra button: Flash Saver – {09EA1F80-F40A-11D1-B792-444553540001} – D:\PROGRA~1\FLASHS~1\save.htm
          O9 – Extra ‘Tools’ menuitem: Flash Saver – {09EA1F80-F40A-11D1-B792-444553540001} – D:\PROGRA~1\FLASHS~1\save.htm
          O9 – Extra button: (no name) – {85d1f590-48f4-11d9-9669-0800200c9a66} – C:\WINDOWS\bdoscandel.exe
          O9 – Extra ‘Tools’ menuitem: Uninstall BitDefender Online Scanner v8 – {85d1f590-48f4-11d9-9669-0800200c9a66} – C:\WINDOWS\bdoscandel.exe
          O9 – Extra button: Research – {92780B25-18CC-41C8-B9BE-3C9C571A8263} – D:\PROGRA~1\OFFICE11\REFIEBAR.DLL
          O9 – Extra button: (no name) – {e2e2dd38-d088-4134-82b7-f2ba38496583} – C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
          O9 – Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 – {e2e2dd38-d088-4134-82b7-f2ba38496583} – C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
          O9 – Extra button: HiDownload – {F4FBA929-A891-492C-A0F6-5C79CC4F1742} – D:\Program Files\HiDownload\hidownload.exe
          O9 – Extra button: Messenger – {FB5F1910-F110-11d2-BB9E-00C04F795683} – C:\Program Files\Messenger\msmsgs.exe
          O9 – Extra ‘Tools’ menuitem: Windows Messenger – {FB5F1910-F110-11d2-BB9E-00C04F795683} – C:\Program Files\Messenger\msmsgs.exe
          O14 – IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
          O16 – DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} – http://www.comcastsupport.com/sdcxuser/asp/tgctlsr.cab
          O16 – DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) – http://esupport.sony.com/VaioInfo.CAB
          O16 – DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) – http://go.microsoft.com/fwlink/?linkid=39204
          O16 – DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} – http://scanner2.malware-scan.com/setup/webinst.cab
          O16 – DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) – C:\Program Files\Yahoo!\Common\yinsthelper.dll
          O16 – DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) – https://support.microsoft.com/OAS/ActiveX/odc.cab
          O16 – DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) – https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
          O16 – DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) – http://download.bitdefender.com/resources/scan8/oscan8.cab
          O16 – DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} – http://download.sidestep.com/get/k00721/sb02a.cab
          O16 – DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} – http://download.divx.com/player/DivXBrowserPlugin.cab
          O16 – DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) – https://webdl.symantec.com/activex/symdlmgr.cab
          O16 – DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) – http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1173453454234
          O16 – DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) – http://web1.shutterfly.com/downloads/Uploader.cab
          O16 – DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) – http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
          O16 – DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} – http://pdf.forbes.com/forbesnews/triggernews/ForbesDownloaderSigned.cab
          O23 – Service: Ad-Aware 2007 Service (aawservice) – Lavasoft – D:\Program Files\aawservice.exe
          O23 – Service: Automatic LiveUpdate Scheduler – Symantec Corporation – C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
          O23 – Service: Symantec Event Manager (ccEvtMgr) – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
          O23 – Service: Symantec Settings Manager (ccSetMgr) – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
          O23 – Service: Symantec Lic NetConnect service (CLTNetCnService) – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
          O23 – Service: Diskeeper – Diskeeper Corporation – C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
          O23 – Service: Google Updater Service (gusvc) – Google – C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
          O23 – Service: InstallDriver Table Manager (IDriverT) – Macrovision Corporation – C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
          O23 – Service: LiveUpdate – Symantec Corporation – C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
          O23 – Service: LiveUpdate Notice – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
          O23 – Service: MSCSPTISRV – Sony Corporation – C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
          O23 – Service: NVIDIA Driver Helper Service (NVSvc) – NVIDIA Corporation – C:\WINDOWS\System32\nvsvc32.exe
          O23 – Service: PACSPTISVR – Unknown owner – C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
          O23 – Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) – NetGroup – Politecnico di Torino – C:\Program Files\WinPcap\rpcapd.exe
          O23 – Service: SonicStage Back-End Service – Sony Corporation – C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
          O23 – Service: Sony SPTI Service (SPTISRV) – Sony Corporation – C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
          O23 – Service: SonicStage SCSI Service (SSScsiSV) – Sony Corporation – C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
          O23 – Service: Symantec Core LC – Unknown owner – C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
          O23 – Service: Symantec RemoteAssist – Unknown owner – (no file)
          O23 – Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) – Sony Corporation – C:\Program Files\Sony\Giga Pocket\GPVSvr.exe


          End of file – 9506 bytes
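A first triage pass over a HijackThis log like the one above, as an added example that is not part of the original post or of HijackThis itself. The function names, the choice of review flags, and the assumption that C: is the system drive are illustrative; the non-system-drive check mirrors the remark elsewhere in this thread about Program Files on D:, and the sample lines are copied from the posted log.

```python
import re
from collections import Counter

# HijackThis section codes that occur in the posted log.
SECTIONS = {
    "R0": "IE start/search page", "R1": "IE start/search page",
    "O2": "Browser Helper Object", "O3": "IE toolbar",
    "O4": "Run key / Startup autostart", "O8": "IE context-menu item",
    "O9": "IE button or Tools-menu item", "O14": "IERESET.INF setting",
    "O16": "Downloaded ActiveX control", "O23": "Windows service",
}

# Entry lines look like "O4 - detail". The page shows an en dash where the
# tool writes a hyphen, so both are accepted.
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+[-\u2013]\s+(.*)$")

# Assumption: C: is the system drive, as in the posted log.
OFF_SYSTEM_RE = re.compile(r"\b[ABD-Z]:\\(?:Program Files|PROGRA~1)\\", re.I)

def parse(log_text):
    """Return (section_code, detail) for every entry line; headers are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries

def review_notes(code, detail):
    """Reasons an entry deserves a manual look. Prompts for review, not verdicts."""
    notes = []
    if "(no file)" in detail:
        notes.append("registered target file is missing")
    if "Unknown owner" in detail:
        notes.append("no company name reported for the file")
    if OFF_SYSTEM_RE.search(detail):
        notes.append("installed under Program Files on a non-system drive")
    return notes

def summarize(log_text):
    """Group the log: entry counts per section, Run-key autostarts, flagged entries."""
    entries = parse(log_text)
    flagged = []
    for code, detail in entries:
        notes = review_notes(code, detail)
        if notes:
            flagged.append((code, detail, notes))
    return {
        "by_section": Counter(code for code, _ in entries),
        "run_keys": [detail for code, detail in entries if code == "O4"],
        "flagged": flagged,
    }

# Sample input: five lines copied from the log posted above.
SAMPLE_LOG = r"""
O3 – Toolbar: SnagIt – {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} – C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 – HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O9 – Extra button: HiDownload – {F4FBA929-A891-492C-A0F6-5C79CC4F1742} – D:\Program Files\HiDownload\hidownload.exe
O23 – Service: Symantec RemoteAssist – Unknown owner – (no file)
O23 – Service: Diskeeper – Diskeeper Corporation – C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
"""

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for code, count in sorted(report["by_section"].items()):
        print(f"{code:4} {SECTIONS.get(code, 'other'):30} {count}")
    print("Run keys:", *report["run_keys"], sep="\n  ")
    for code, detail, notes in report["flagged"]:
        print(f"[{code}] {detail}\n      -> " + "; ".join(notes))
```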

        • #2911070

          See if this helps

          by rob miners ·

          In reply to Here it is

          Try uninstalling all of your ToolBars and HiDownload.

        • #2910883

          Why?

          by alrosenbloom ·

          In reply to See if this helps

          I’m interested in knowing why. None of the toolbars have been recently added. All were installed before the virus attack.

          I believe, like Seanferd said, the problem is with loading unicode characters on start-up. Is there a way to reinstall a “default” unicode character set? I know there are tons of unicodes, but I haven’t added any — or at least I don’t think I have. No “new” foreign language fonts, etc.

        • #2910679

          Toolbars load at the time you are seeing the dialog box

          by seanferd ·

          In reply to Why?

          and registry settings for one or some toolbars may have been corrupted by an infection or the repair process. You could always try uninstalling one at a time until the problem is corrected, then reinstall the toolbars.

          My only other suggestion at this time, if you think your psapi.dll file is valid, is to type in the Run box:
          regsvr32 /u C:\windows\system32\psapi.dll
          then
          regsvr32 C:\windows\system32\psapi.dll
          on the off-chance that psapi is improperly registered.
          _____________________
          Unicode:
          It doesn’t really matter if you, personally, are using Unicode character sets. Most Windows executables have Unicode functions, and it seems that something is improperly calling a Unicode function from somewhere else due to corruption.

        • #2910666

          Why

          by rob miners ·

          In reply to Why?

          because we are trying to troubleshoot a problem for You. The Toolbars can be added back later. They have also been known to cause problems. You are suffering from the after effects of Viral damage. Lots of things don’t work as expected when this happens. I have offered a suggestion in my previous post to remove Hidownload and the Toolbars. This software can be reinstalled if it is not causing the problem. I would remove one at a time starting with Hidownload.
          The ball is in your court, you will have to decide if you want to follow my suggestions.

        • #2910590

          Nothing has changed however….

          by alrosenbloom ·

          In reply to See if this helps

          I tried to unregister and then reregister the PSAPI.dll file as seanferd suggested. It would not unregister or reregister. Both times I got the same message: psapi.dll was loaded but the DllUnregister Server entry point was not found.

          A quick check of the Microsoft KB said the following: “Dllname may not be exported, or a corrupted version of Dllname may be in memory. Consider using Pview to detect the file and remove it.” So I am wondering if that dll is corrupted. What do you think?

          I have also done sfc /scannow from a C prompt, but nothing turned up.

        • #2910571

          RE: Nothing has changed however

          by rob miners ·

          In reply to Nothing has changed however….

          Not sure what that means. Could you be a bit more specific.

          Open up Search from Start Menu.
          Find all instances PSAPI.DLL on your PC.
          Rename all extra copies of PSAPI.DLL files found EXCEPT the one located in \Windows\System32\ folder to some other names like PSAPIOLD.DLL (never delete or do anything with the PSAPI.DLL file in your Windows or Windows/System 32 folder).
          Reboot the system.
          After reboot, there will not be anymore conflict and Windows will automatically look for valid PSAPI file in the Windows system folder.

        • #2910561

          One more question about PSAPI.DLL

          by alrosenbloom ·

          In reply to Nothing has changed however….

          Should I rename the PSAPI.DLL that is in the windows\system32\dllcache file?

    • #2571081

      re: Seanferd Autorun log

      by alrosenbloom ·

      In reply to Junk/trash characters stop access to desktop

      Hi there. Thanks so much for your help. I *do* have the apppatch file exactly where it should be c:\windows\apppatch\acspecfc.dll.

      I also did the autorun and things to my nontechnical eye seem pretty okay.

      Under image hijack there was only one entry: Your Image File Name Here without a path Symbolic Debugger for Windows 2000 Microsoft Corporation c:\windows\system32\ntsd.exe

      I looked at my autorun log. One item that jumped out at me: ezShieldProtector for PxezSP_Px MFC Application Easy Systems Japan Ltd. c:\windows\system32\ezsp_px.exe.

      There are several items that say no file found. Here is the complete log. Thanks so much.

      HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms
      + rdpclip RDP Clip Monitor Microsoft Corporation c:\windows\system32\rdpclip.exe
      HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
      + C:\WINDOWS\system32\userinit.exe Userinit Logon Application Microsoft Corporation c:\windows\system32\userinit.exe
      HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
      + Explorer.exe Windows Explorer Microsoft Corporation c:\windows\explorer.exe
      HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      + ccApp Symantec User Session Symantec Corporation c:\program files\common files\symantec shared\ccapp.exe
      + ezShieldProtector for Px ezSP_Px MFC Application Easy Systems Japan Ltd. c:\windows\system32\ezsp_px.exe
      + osCheck osCheck Symantec Corporation c:\program files\norton antivirus\oscheck.exe
      HKCU\Software\Microsoft\Windows\CurrentVersion\Run
      + ctfmon.exe CTF Loader Microsoft Corporation c:\windows\system32\ctfmon.exe
      + swg GoogleToolbarNotifier Google Inc. c:\program files\google\googletoolbarnotifier\googletoolbarnotifier.exe
      HKLM\SOFTWARE\Classes\Protocols\Filter
      + application/octet-stream Microsoft .NET Runtime Execution Engine Microsoft Corporation c:\windows\system32\mscoree.dll
      + application/x-complus Microsoft .NET Runtime Execution Engine Microsoft Corporation c:\windows\system32\mscoree.dll
      + application/x-msdownload Microsoft .NET Runtime Execution Engine Microsoft Corporation c:\windows\system32\mscoree.dll
      + Class Install Handler OLE32 Extensions for Win32 Microsoft Corporation c:\windows\system32\urlmon.dll
      + deflate OLE32 Extensions for Win32 Microsoft Corporation c:\windows\system32\urlmon.dll
      + gzip OLE32 Extensions for Win32 Microsoft Corporation c:\windows\system32\urlmon.dll
      + lzdhtml OLE32 Extensions for Win32 Microsoft Corporation c:\windows\system32\urlmon.dll
      + text/webviewhtml Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll
      + text/xml Microsoft Office XML MIME Filter Microsoft Corporation c:\program files\common files\microsoft shared\office11\msoxmlmf.dll
      HKLM\SOFTWARE\Classes\Protocols\Handler
      + about Microsoft (R) HTML Viewer Microsoft Corporation c:\windows\system32\mshtml.dll
      + cdl OLE32 Extensions for Win32 Microsoft Corporation c:\windows\system32\urlmon.dll
      + dvd ActiveX control for streaming video Microsoft Corporation c:\windows\system32\msvidctl.dll
      + file OLE32 Extensions for Win32 Microsoft Corporation c:\windows\system32\urlmon.dll
      + ftp OLE32 Extensions for Win32 Microsoft Corporation c:\windows\system32\urlmon.dll
      + gopher OLE32 Extensions for Win32 Microsoft Corporation c:\windows\system32\urlmon.dll
      + http OLE32 Extensions for Win32 Microsoft Corporation c:\windows\system32\urlmon.dll
      + https OLE32 Extensions for Win32 Microsoft Corporation c:\windows\system32\urlmon.dll
      + its Microsoft? InfoTech Storage System Library Microsoft Corporation c:\windows\system32\itss.dll
      + javascript Microsoft (R) HTML Viewer Microsoft Corporation c:\windows\system32\mshtml.dll
      + local OLE32 Extensions for Win32 Microsoft Corporation c:\windows\system32\urlmon.dll
      + mailto Microsoft (R) HTML Viewer Microsoft Corporation c:\windows\system32\mshtml.dll
      + mhtml Microsoft Internet Messaging API Microsoft Corporation c:\windows\system32\inetcomm.dll
      + mk OLE32 Extensions for Win32 Microsoft Corporation c:\windows\system32\urlmon.dll
      + ms-its Microsoft? InfoTech Storage System Library Microsoft Corporation c:\windows\system32\itss.dll
      + mso-offdap Microsoft Office XP Web Components Microsoft Corporation c:\program files\common files\microsoft shared\web components\10\owc10.dll
      + mso-offdap11 Microsoft Office Web Components 2003 Microsoft Corporation c:\program files\common files\microsoft shared\web components\11\owc11.dll
      + res Microsoft (R) HTML Viewer Microsoft Corporation c:\windows\system32\mshtml.dll
      + sysimage Microsoft (R) HTML Viewer Microsoft Corporation c:\windows\system32\mshtml.dll
      + tv ActiveX control for streaming video Microsoft Corporation c:\windows\system32\msvidctl.dll
      + vbscript Microsoft (R) HTML Viewer Microsoft Corporation c:\windows\system32\mshtml.dll
      + wia WIA Scripting Layer Microsoft Corporation c:\windows\system32\wiascr.dll
      HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components
      + 0 File not found: About:Home
      HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
      + Address Book 6 Outlook Express Setup Library Microsoft Corporation c:\program files\outlook express\setup50.exe
      + Browser Customizations IEAK branding Microsoft Corporation c:\windows\system32\iedkcs32.dll
      + Browser Customizations IEAK branding Microsoft Corporation c:\windows\system32\iedkcs32.dll
      + IE7 Uninstall Stub IE Per User Active Setup Uninstall Utility Microsoft Corporation c:\windows\system32\ieudinit.exe
      + Internet Explorer IE Per-User Initialization Utility Microsoft Corporation c:\windows\system32\ie4uinit.exe
      + Internet Explorer IE Per-User Initialization Utility Microsoft Corporation c:\windows\system32\ie4uinit.exe
      + Microsoft Outlook Express 6 Outlook Express Setup Library Microsoft Corporation c:\program files\outlook express\setup50.exe
      + Microsoft Windows Media Player ADVPACK Microsoft Corporation c:\windows\system32\advpack.dll
      + n/a Microsoft .NET IE SECURITY REGISTRATION Microsoft Corporation c:\windows\system32\mscories.dll
      + NetMeeting 3.01 ADVPACK Microsoft Corporation c:\windows\system32\advpack.dll
      + Outlook Express Windows NT User Data Migration Tool Microsoft Corporation c:\windows\system32\shmgrate.exe
      + Themes Setup Microsoft(C) Register Server Microsoft Corporation c:\windows\system32\regsvr32.exe
      + Windows Desktop Update Microsoft(C) Register Server Microsoft Corporation c:\windows\system32\regsvr32.exe
      + Windows Media Player Microsoft Windows Media Player Setup Utility Microsoft Corporation c:\windows\inf\unregmp2.exe
      + Windows Messenger 4.7 ADVPACK Microsoft Corporation c:\windows\system32\advpack.dll
      HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
      + Browseui preloader Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll
      + Component Categories cache daemon Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll
      HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
      + CDBurn Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll
      + PostBootReminder Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll
      + SysTray Systray shell service object Microsoft Corporation c:\windows\system32\stobject.dll
      + WebCheck Web Site Monitor Microsoft Corporation c:\windows\system32\webcheck.dll
      + WPDShServiceObj Windows Portable Device Shell Service Object Microsoft Corporation c:\windows\system32\wpdshserviceobj.dll
      HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
      + URL Exec Hook Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll
      HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers
      + Adobe.Acrobat.ContextMenu Adobe Acrobat Context Menu Adobe Systems Inc. d:\program files\acrobat elements\contextmenu.dll
      + Offline Files Client Side Caching UI Microsoft Corporation c:\windows\system32\cscui.dll
      + Open With Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll
      + Open With EncryptionMenu Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll
      + SnagItMainShellExt SnagIt Shell Extension DLL TechSmith Corporation c:\program files\techsmith\snagit 8\snagitshellext.dll
      + Start Menu Pin Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll
      + Symantec.Norton.Antivirus.IEContextMenu Norton AntiVirus Shell Extension Module Symantec Corporation c:\program files\norton antivirus\navshext.dll
      HKLM\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers
      + Send To Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll
      HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers
      + Symantec.Norton.Antivirus.IEContextMenu Norton AntiVirus Shell Extension Module Symantec Corporation c:\program files\norton antivirus\navshext.dll
      HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers
      + EncryptionMenu Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll
      + Offline Files Client Side Caching UI Microsoft Corporation c:\windows\system32\cscui.dll
      + Sharing Shell extensions for sharing Microsoft Corporation c:\windows\system32\ntshrui.dll
      + SnagItMainShellExt SnagIt Shell Extension DLL TechSmith Corporation c:\program files\techsmith\snagit 8\snagitshellext.dll
      HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers
      + igfxcui igfxpph Module Intel Corporation c:\windows\system32\igfxpph.dll
      + New Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll
      HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
      + PDF Shell Extension PDF Shell Extension Adobe Systems, Inc. d:\program files\activex\pdfshell.dll
      + {0D2E74C4-3C34-11d2-A27E-00C04FC30871} Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll
      + {24F14F01-7B1C-11d1-838f-0000F80461CF} Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll
      + {24F14F02-7B1C-11d1-838f-0000F80461CF} Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll
      + {66742402-F9B9-11D1-A202-0000F81FEDEE} Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll
      HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
      + Offline Files Client Side Caching UI Microsoft Corporation c:\windows\system32\cscui.dll
      HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
      + Google Toolbar Notifier BHO GoogleToolbarNotifier Google Inc. c:\program files\google\googletoolbarnotifier\3.0.1225.9868\swg.dll
      + Symantec Intrusion Prevention IPS Browser Helper DLL Symantec Corporation c:\program files\common files\symantec shared\ids\ipsbho.dll
      HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks
      + Microsoft Url Search Hook Internet Explorer Microsoft Corporation c:\windows\system32\ieframe.dll
      HKLM\Software\Microsoft\Internet Explorer\Toolbar
      + &Google Google IE Client Toolbar Google Inc. c:\program files\google\googletoolbar1.dll
      + Adobe PDF Adobe IE plugin Adobe Systems Incorporated d:\program files\acrobat\acroiefavclient.dll
      + SnagIt SnagIt Add-in for Internet Explorer TechSmith Corporation c:\program files\techsmith\snagit 8\snagitieaddin.dll
      HKLM\Software\Microsoft\Internet Explorer\Extensions
      + Diagnose Connection Problems… Network Diagnostic for Windows XP Microsoft Corporation c:\windows\network diagnostic\xpnetdiag.exe
      + Flash Saver d:\program files\flash saver\save.htm
      + HiDownload download rtsp/mms/http/ftp HiDownload Software d:\program files\hidownload\hidownload.exe
      + Windows Messenger Windows Messenger Microsoft Corporation c:\program files\messenger\msmsgs.exe
      Task Scheduler
      + AppleSoftwareUpdate.job Software Application Apple Computer, Inc. c:\program files\apple software update\softwareupdate.exe
      + Norton AntiVirus – Run Full System Scan – Al Rosenbloom.job Norton AntiVirus Scanner Module Symantec Corporation c:\program files\norton antivirus\navw32.exe
      + Registration reminder 1.job Windows OOBE Balloon Reminder Microsoft Corporation c:\windows\system32\oobe\oobebaln.exe
      HKLM\System\CurrentControlSet\Services
      + aawservice Protects your computer from spyware Lavasoft d:\program files\aawservice.exe
      + AudioSrv Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\audiosrv.dll
      + Automatic LiveUpdate Scheduler Manages the scheduling of Automatic LiveUpdate sessions Symantec Corporation c:\program files\symantec\liveupdate\aluschedulersvc.exe
      + BITS Transfers files in the background using idle network bandwidth. If the service is stopped, features such as Windows Update, and MSN Explorer will be unable to automatically download programs and other information. If this service is disabled, any services that explicitly depend on it may fail to transfer files if they do not have a fail safe mechanism to transfer files directly through IE in case BITS has been disabled. Microsoft Corporation c:\windows\system32\qmgr.dll
      + Browser Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\browser.dll
      + ccEvtMgr Event propagation and logging service Symantec Corporation c:\program files\common files\symantec shared\ccsvchst.exe
      + ccSetMgr Settings storage and management service Symantec Corporation c:\program files\common files\symantec shared\ccsvchst.exe
      + CLTNetCnService Symantec Lic NetConnect Service Symantec Corporation c:\program files\common files\symantec shared\ccsvchst.exe
      + CryptSvc Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\cryptsvc.dll
      + DcomLaunch Provides launch functionality for DCOM services. Microsoft Corporation c:\windows\system32\rpcss.dll
      + Dhcp Manages network configuration by registering and updating IP addresses and DNS names. Microsoft Corporation c:\windows\system32\dhcpcsvc.dll
      + Diskeeper Controls the Windows Diskeeper Service Diskeeper Corporation c:\program files\diskeeper corporation\diskeeper\dkservice.exe
      + Dnscache Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\dnsrslvr.dll
      + ERSvc Allows error reporting for services and applictions running in non-standard environments. Microsoft Corporation c:\windows\system32\ersvc.dll
      + Eventlog Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped. Microsoft Corporation c:\windows\system32\services.exe
      + helpsvc Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\pchealth\helpctr\binaries\pchsvc.dll
      + lanmanserver Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\srvsvc.dll
      + lanmanworkstation Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\wkssvc.dll
      + LiveUpdate Notice Manages Norton product notices Symantec Corporation c:\program files\common files\symantec shared\ccsvchst.exe
      + LmHosts Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution. Microsoft Corporation c:\windows\system32\lmhsvc.dll
      + NVSvc NVIDIA Driver Helper Service, Version 43.03 NVIDIA Corporation c:\windows\system32\nvsvc32.exe
      + PlugPlay Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability. Microsoft Corporation c:\windows\system32\services.exe
      + PolicyAgent Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver. Microsoft Corporation c:\windows\system32\lsass.exe
      + ProtectedStorage Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users. Microsoft Corporation c:\windows\system32\lsass.exe
      + RpcSs Provides the endpoint mapper and other miscellaneous RPC services. Microsoft Corporation c:\windows\system32\rpcss.dll
      + SamSs Stores security information for local user accounts. Microsoft Corporation c:\windows\system32\lsass.exe
      + Schedule Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\schedsvc.dll
      + seclogon Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\seclogon.dll
      + SENS Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events. Microsoft Corporation c:\windows\system32\sens.dll
      + SharedAccess Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network. Microsoft Corporation c:\windows\system32\ipnathlp.dll
      + ShellHWDetection Windows Shell Services Dll Microsoft Corporation c:\windows\system32\shsvcs.dll
      + Spooler Loads files to memory for later printing. Microsoft Corporation c:\windows\system32\spoolsv.exe
      + srservice Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties Microsoft Corporation c:\windows\system32\srsvc.dll
      + stisvc Provides image acquisition services for scanners and cameras. Microsoft Corporation c:\windows\system32\wiaservc.dll
      + Themes Provides user experience theme management. Microsoft Corporation c:\windows\system32\shsvcs.dll
      + TrkWks Maintains links between NTFS files within a computer or across computers in a network domain. Microsoft Corporation c:\windows\system32\trkwks.dll
      + W32Time Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\w32time.dll
      + WebClient Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\webclnt.dll
      + winmgmt Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\wbem\wmisvc.dll
      + wuauserv Enables the download and installation of critical Windows updates. If the service is disabled, the operating system can be manually updated at the Windows Update Web site. Microsoft Corporation c:\windows\system32\wuauserv.dll
      + WZCSVC Provides automatic configuration for the 802.11 adapters Microsoft Corporation c:\windows\system32\wzcsvc.dll
      HKLM\System\CurrentControlSet\Services
      + ACPI ACPI Driver for NT Microsoft Corporation c:\windows\system32\drivers\acpi.sys
      + aeaudio Andrea Audio Stub Driver Andrea Electronics Corporation c:\windows\system32\drivers\aeaudio.sys
      + aec Microsoft Acoustic Echo Canceller Microsoft Corporation c:\windows\system32\drivers\aec.sys
      + AFD AFD Networking Support Environment Microsoft Corporation c:\windows\system32\drivers\afd.sys
      + AgereSoftModem SoftModem Device Driver Agere Systems c:\windows\system32\drivers\agrsm.sys
      + agp440 440 NT AGP Filter Microsoft Corporation c:\windows\system32\drivers\agp440.sys
      + ALCXWDM Realtek AC’97 Audio Driver (WDM) Realtek Semiconductor Corp. c:\windows\system32\drivers\alcxwdm.sys
      + Arp1394 1394 ARP Client Protocol Microsoft Corporation c:\windows\system32\drivers\arp1394.sys
      + AsyncMac RAS Asynchronous Media Driver Microsoft Corporation c:\windows\system32\drivers\asyncmac.sys
      + atapi IDE/ATAPI Port Driver Microsoft Corporation c:\windows\system32\drivers\atapi.sys
      + ati2mtag ATI Radeon Miniport Driver ATI Technologies Inc. c:\windows\system32\drivers\ati2mtag.sys
      + Atmarpc ATM ARP Client Protocol Microsoft Corporation c:\windows\system32\drivers\atmarpc.sys
      + audstub AudStub Driver Microsoft Corporation c:\windows\system32\drivers\audstub.sys
      + Beep BEEP Driver Microsoft Corporation c:\windows\system32\drivers\beep.sys
      + CCDECODE WDM Closed Caption VBI Codec Microsoft Corporation c:\windows\system32\drivers\ccdecode.sys
      + Cdaudio CD-ROM Audio Filter Driver Microsoft Corporation c:\windows\system32\drivers\cdaudio.sys
      + Cdrom SCSI CD-ROM Driver Microsoft Corporation c:\windows\system32\drivers\cdrom.sys
      + Changer File not found: C:\WINDOWS\System32\Drivers\Changer.sys
      + COH_Mon Confidence Online v6.1 WDM driver (6,1,4,10) Symantec Corporation c:\windows\system32\drivers\coh_mon.sys
      + Disk PnP Disk Driver Microsoft Corporation c:\windows\system32\drivers\disk.sys
      + DMICall Windows 2000 DMI Call Kernel Driver Sony Corporation c:\windows\system32\drivers\dmicall.sys
      + DMusic Microsoft Kernel DLS Synthesizer Microsoft Corporation c:\windows\system32\drivers\dmusic.sys
      + drmkaud Microsoft Kernel DRM Audio Descrambler Filter Microsoft Corporation c:\windows\system32\drivers\drmkaud.sys
      + E1000 Intel(R) PRO/1000 Adapter NDIS 5.1 deserialized driver Intel Corporation c:\windows\system32\drivers\e1000325.sys
      + E100B Intel(R) PRO/100 Adapter NDIS 5.1 driver Intel Corporation c:\windows\system32\drivers\e100b325.sys
      + eeCtrl Symantec Eraser Control Driver Symantec Corporation c:\program files\common files\symantec shared\eengine\eectrl.sys
      + elagopro GoProto Protocol Driver for LELA Gteko Ltd. c:\windows\system32\drivers\elagopro.sys
      + elaunidr GUniDriver Gteko Ltd. c:\windows\system32\drivers\elaunidr.sys
      + EraserUtilRebootDrv Symantec Eraser Utility Driver Symantec Corporation c:\program files\common files\symantec shared\eengine\eraserutilrebootdrv.sys
      + Fdc Floppy Disk Controller Driver Microsoft Corporation c:\windows\system32\drivers\fdc.sys
      + Fips FIPS Crypto Driver Microsoft Corporation c:\windows\system32\drivers\fips.sys
      + Flpydisk Floppy Driver Microsoft Corporation c:\windows\system32\drivers\flpydisk.sys
      + FltMgr File System Filter Manager Driver Microsoft Corporation c:\windows\system32\drivers\fltmgr.sys
      + Ftdisk FT Disk Driver Microsoft Corporation c:\windows\system32\drivers\ftdisk.sys
      + Gpc Generic Packet Classifier Microsoft Corporation c:\windows\system32\drivers\msgpc.sys
      + HidUsb USB Miniport Driver for Input Devices Microsoft Corporation c:\windows\system32\drivers\hidusb.sys
      + HTTP This service implements the hypertext transfer protocol (HTTP). If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\drivers\http.sys
      + i2omgmt File not found: C:\WINDOWS\System32\Drivers\i2omgmt.sys
      + i8042prt i8042 Port Driver Microsoft Corporation c:\windows\system32\drivers\i8042prt.sys
      + ialm Controller Hub for Intel Graphics Driver Intel Corporation c:\windows\system32\drivers\ialmnt5.sys
      + Imapi IMAPI Kernel Driver Microsoft Corporation c:\windows\system32\drivers\imapi.sys
      + IntelIde Intel PCI IDE Driver Microsoft Corporation c:\windows\system32\drivers\intelide.sys
      + intelppm Processor Device Driver Microsoft Corporation c:\windows\system32\drivers\intelppm.sys
      + ip6fw Provides intrusion prevention service for a home or small office network. Microsoft Corporation c:\windows\system32\drivers\ip6fw.sys
      + IpFilterDriver IP Traffic Filter Driver Microsoft Corporation c:\windows\system32\drivers\ipfltdrv.sys
      + IpInIp IP in IP Tunnel Driver Microsoft Corporation c:\windows\system32\drivers\ipinip.sys
      + IpNat IP Network Address Translator Microsoft Corporation c:\windows\system32\drivers\ipnat.sys
      + IPSec IPSEC driver Microsoft Corporation c:\windows\system32\drivers\ipsec.sys
      + IRENUM Infra-Red Bus Enumerator Microsoft Corporation c:\windows\system32\drivers\irenum.sys
      + isapnp PNP ISA Bus Driver Microsoft Corporation c:\windows\system32\drivers\isapnp.sys
      + Kbdclass Keyboard Class Driver Microsoft Corporation c:\windows\system32\drivers\kbdclass.sys
      + kbdhid HID Mouse Filter Driver Microsoft Corporation c:\windows\system32\drivers\kbdhid.sys
      + kmixer Kernel Mode Audio Mixer Microsoft Corporation c:\windows\system32\drivers\kmixer.sys
      + KSecDD Kernel Security Support Provider Interface Microsoft Corporation c:\windows\system32\drivers\ksecdd.sys
      + lbrtfdc File not found: C:\WINDOWS\System32\Drivers\lbrtfdc.sys
      + mnmdd Frame buffer simulator Microsoft Corporation c:\windows\system32\drivers\mnmdd.sys
      + Modem Modem Device Driver Microsoft Corporation c:\windows\system32\drivers\modem.sys
      + Mouclass Mouse Class Driver Microsoft Corporation c:\windows\system32\drivers\mouclass.sys
      + MountMgr Mount Manager Microsoft Corporation c:\windows\system32\drivers\mountmgr.sys
      + MRxDAV WebDav Client Redirector Microsoft Corporation c:\windows\system32\drivers\mrxdav.sys
      + MRxSmb MRXSMB Microsoft Corporation c:\windows\system32\drivers\mrxsmb.sys
      + Msfs Mailslot driver Microsoft Corporation c:\windows\system32\drivers\msfs.sys
      + MSKSSRV MS KS Server Microsoft Corporation c:\windows\system32\drivers\mskssrv.sys
      + MSPCLOCK MS Proxy Clock Microsoft Corporation c:\windows\system32\drivers\mspclock.sys
      + MSPQM MS Proxy Quality Manager Microsoft Corporation c:\windows\system32\drivers\mspqm.sys
      + mssmbios System Management BIOS Driver Microsoft Corporation c:\windows\system32\drivers\mssmbios.sys
      + MSTEE WDM Tee/Communication Transform Filter Microsoft Corporation c:\windows\system32\drivers\mstee.sys
      + Mup Multiple UNC Provider driver Microsoft Corporation c:\windows\system32\drivers\mup.sys
      + NABTSFEC WDM NABTS/FEC VBI Codec Microsoft Corporation c:\windows\system32\drivers\nabtsfec.sys
      + NAVENG AV Engine Symantec Corporation c:\program files\common files\symantec shared\virusdefs\20080607.018\naveng.sys
      + NAVEX15 AV Engine Symantec Corporation c:\program files\common files\symantec shared\virusdefs\20080607.018\navex15.sys
      + NDIS NDIS 5.1 wrapper driver Microsoft Corporation c:\windows\system32\drivers\ndis.sys
      + NdisIP Microsoft IP Driver Microsoft Corporation c:\windows\system32\drivers\ndisip.sys
      + NdisTapi Remote Access NDIS TAPI Driver Microsoft Corporation c:\windows\system32\drivers\ndistapi.sys
      + Ndisuio NDIS Usermode I/O Protocol Microsoft Corporation c:\windows\system32\drivers\ndisuio.sys
      + NdisWan Remote Access NDIS WAN Driver Microsoft Corporation c:\windows\system32\drivers\ndiswan.sys
      + NDProxy NDIS Proxy Microsoft Corporation c:\windows\system32\drivers\ndproxy.sys
      + NetBIOS NetBIOS Interface Microsoft Corporation c:\windows\system32\drivers\netbios.sys
      + NetBT NetBios over Tcpip Microsoft Corporation c:\windows\system32\drivers\netbt.sys
      + NIC1394 IEEE1394 Ndis Miniport and Call Manager Microsoft Corporation c:\windows\system32\drivers\nic1394.sys
      + nm Netmon NT Driver Microsoft Corporation c:\windows\system32\drivers\nmnt.sys
      + NPF npf NetGroup – Politecnico di Torino c:\windows\system32\drivers\npf.sys
      + Npfs NPFS Driver Microsoft Corporation c:\windows\system32\drivers\npfs.sys
      + Null NULL Driver Microsoft Corporation c:\windows\system32\drivers\null.sys
      + nv NVIDIA Compatible Windows 2000 Miniport Driver, Version 43.03 NVIDIA Corporation c:\windows\system32\drivers\nv4_mini.sys
      + NwlnkFlt IPX Traffic Filter Driver Microsoft Corporation c:\windows\system32\drivers\nwlnkflt.sys
      + NwlnkFwd IPX Traffic Forwarder Driver Microsoft Corporation c:\windows\system32\drivers\nwlnkfwd.sys
      + ohci1394 1394 OpenHCI Port Driver Microsoft Corporation c:\windows\system32\drivers\ohci1394.sys
      + Parport Parallel Port Driver Microsoft Corporation c:\windows\system32\drivers\parport.sys
      + PartMgr Partition Manager Microsoft Corporation c:\windows\system32\drivers\partmgr.sys
      + ParVdm VDM Parallel Driver Microsoft Corporation c:\windows\system32\drivers\parvdm.sys
      + PCI NT Plug and Play PCI Enumerator Microsoft Corporation c:\windows\system32\drivers\pci.sys
      + PCIDump File not found: C:\WINDOWS\System32\Drivers\PCIDump.sys
      + PCIIde Generic PCI IDE Bus Driver Microsoft Corporation c:\windows\system32\drivers\pciide.sys
      + PDCOMP File not found: C:\WINDOWS\System32\Drivers\PDCOMP.sys
      + PDFRAME File not found: C:\WINDOWS\System32\Drivers\PDFRAME.sys
      + PDRELI File not found: C:\WINDOWS\System32\Drivers\PDRELI.sys
      + PDRFRAME File not found: C:\WINDOWS\System32\Drivers\PDRFRAME.sys
      + pfc Padus(R) ASPI Shell Padus, Inc. c:\windows\system32\drivers\pfc.sys
      + PptpMiniport WAN Miniport (PPTP) Microsoft Corporation c:\windows\system32\drivers\raspptp.sys
      + Processor Processor Device Driver Microsoft Corporation c:\windows\system32\drivers\processr.sys
      + PSched QoS Packet Scheduler Microsoft Corporation c:\windows\system32\drivers\psched.sys
      + Ptilink Direct Parallel Link Driver Parallel Technologies, Inc. c:\windows\system32\drivers\ptilink.sys
      + PxHelp20 Px Engine Device Driver for Windows 2000/XP Sonic Solutions c:\windows\system32\drivers\pxhelp20.sys
      + RasAcd Remote Access Auto Connection Driver Microsoft Corporation c:\windows\system32\drivers\rasacd.sys
      + Rasl2tp WAN Miniport (L2TP) Microsoft Corporation c:\windows\system32\drivers\rasl2tp.sys
      + RasPppoe Remote Access PPPOE Driver Microsoft Corporation c:\windows\system32\drivers\raspppoe.sys
      + Raspti Direct Parallel Microsoft Corporation c:\windows\system32\drivers\raspti.sys
      + Rdbss Rdbss Microsoft Corporation c:\windows\system32\drivers\rdbss.sys
      + RDPCDD RDP Miniport Microsoft Corporation c:\windows\system32\drivers\rdpcdd.sys
      + RDPWD RDP Terminal Stack Driver (US/Canada Only, Not for Export) Microsoft Corporation c:\windows\system32\drivers\rdpwd.sys
      + redbook Redbook Audio Filter Driver Microsoft Corporation c:\windows\system32\drivers\redbook.sys
      + rtl8139 Realtek RTL8139 NDIS 5.0 Driver Realtek Semiconductor Corporation c:\windows\system32\drivers\rtl8139.sys
      + Secdrv SafeDisc driver Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K. c:\windows\system32\drivers\secdrv.sys
      + Serenum Serial Port Enumerator Microsoft Corporation c:\windows\system32\drivers\serenum.sys
      + Serial Serial Device Driver Microsoft Corporation c:\windows\system32\drivers\serial.sys
      + Sfloppy SCSI Floppy Driver Microsoft Corporation c:\windows\system32\drivers\sfloppy.sys
      + SLIP Microsoft Slip Deframing Filter Minidriver Microsoft Corporation c:\windows\system32\drivers\slip.sys
      + smrt Sony MPEG RealTime encoder board Sony Corporation c:\windows\system32\drivers\smrt.sys
      + smwdm SoundMAX Integrated Digital Audio Analog Devices, Inc. c:\windows\system32\drivers\smwdm.sys
      + SONYPVU1 Sony USB Lower Filter driver Sony Corporation c:\windows\system32\drivers\sonypvu1.sys
      + SONYWBMS Sony Memory Stick I/F Driver Sony Corporation c:\windows\system32\drivers\sonywbms.sys
      + SPBBCDrv SPBBC Driver Symantec Corporation c:\program files\common files\symantec shared\spbbc\spbbcdrv.sys
      + splitter Microsoft Kernel Audio Splitter Microsoft Corporation c:\windows\system32\drivers\splitter.sys
      + sr System Restore Filesystem Filter Driver Microsoft Corporation c:\windows\system32\drivers\sr.sys
      + SRTSP Symantec AutoProtect Symantec Corporation c:\windows\system32\drivers\srtsp.sys
      + SRTSPL Symantec AutoProtect Symantec Corporation c:\windows\system32\drivers\srtspl.sys
      + SRTSPX Symantec AutoProtect Symantec Corporation c:\windows\system32\drivers\srtspx.sys
      + Srv Srv Microsoft Corporation c:\windows\system32\drivers\srv.sys
      + streamip Microsoft IP Test Driver Microsoft Corporation c:\windows\system32\drivers\streamip.sys
      + swenum Plug and Play Software Device Enumerator Microsoft Corporation c:\windows\system32\drivers\swenum.sys
      + swmidi Microsoft GS Wavetable Synthesizer Microsoft Corporation c:\windows\system32\drivers\swmidi.sys
      + SYMDNS DNS Filter Driver Symantec Corporation c:\windows\system32\drivers\symdns.sys
      + SymEvent Symantec Event Library Symantec Corporation c:\windows\system32\drivers\symevent.sys
      + SYMFW Firewall Filter Driver Symantec Corporation c:\windows\system32\drivers\symfw.sys
      + SYMIDS IDS Filter Driver Symantec Corporation c:\windows\system32\drivers\symids.sys
      + SYMIDSCO IDS Core Driver Symantec Corporation c:\program files\common files\symantec shared\symcdata\ipsdefs\20080606.003\symidsco.sys
      + SymIM NDIS Intermediate Driver Symantec Corporation c:\windows\system32\drivers\symim.sys
      + SymIMMP NDIS Intermediate Driver Symantec Corporation c:\windows\system32\drivers\symim.sys
      + SYMNDIS NDIS Filter Driver Symantec Corporation c:\windows\system32\drivers\symndis.sys
      + SYMREDRV Redirector Filter Driver Symantec Corporation c:\windows\system32\drivers\symredrv.sys
      + SYMTDI Network Dispatch Driver Symantec Corporation c:\windows\system32\drivers\symtdi.sys
      + sysaudio System Audio WDM Filter Microsoft Corporation c:\windows\system32\drivers\sysaudio.sys
      + Tcpip TCP/IP Protocol Driver Microsoft Corporation c:\windows\system32\drivers\tcpip.sys
      + TDPIPE Named Pipe Transport Driver Microsoft Corporation c:\windows\system32\drivers\tdpipe.sys
      + TDTCP TCP Transport Driver Microsoft Corporation c:\windows\system32\drivers\tdtcp.sys
      + TermDD Terminal Server Driver Microsoft Corporation c:\windows\system32\drivers\termdd.sys
      + Update Update Driver Microsoft Corporation c:\windows\system32\drivers\update.sys
      + usbehci EHCI eUSB Miniport Driver Microsoft Corporation c:\windows\system32\drivers\usbehci.sys
      + usbhub Default Hub Driver for USB Microsoft Corporation c:\windows\system32\drivers\usbhub.sys
      + usbscan USB Scanner Driver Microsoft Corporation c:\windows\system32\drivers\usbscan.sys
      + USBSTOR USB Mass Storage Class Driver Microsoft Corporation c:\windows\system32\drivers\usbstor.sys
      + usbuhci UHCI USB Miniport Driver Microsoft Corporation c:\windows\system32\drivers\usbuhci.sys
      + VgaSave Controls the VGA display adapter to provide basic display capabilities. Microsoft Corporation c:\windows\system32\drivers\vga.sys
      + VolSnap Volume Shadow Copy Driver Microsoft Corporation c:\windows\system32\drivers\volsnap.sys
      + Wanarp Remote Access IP ARP Driver Microsoft Corporation c:\windows\system32\drivers\wanarp.sys
      + WDICA File not found: C:\WINDOWS\System32\Drivers\WDICA.sys
      + wdmaud MMSYSTEM Wave/Midi API mapper Microsoft Corporation c:\windows\system32\drivers\wdmaud.sys
      + WSTCODEC WDM WST Codec Driver Microsoft Corporation c:\windows\system32\drivers\wstcodec.sys
      + WudfPf Provide communciation services for UMDF components. Microsoft Corporation c:\windows\system32\drivers\wudfpf.sys
      + {6080A529-897E-4629-A488-ABA0C29B635E} Intel Graphics Platform (SoftBIOS) Driver for Windows 2000(R) & Windows XP(TM) Intel Corporation c:\windows\system32\drivers\ialmsbw.sys
      + {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} Intel Graphics Chipset (KCH) Driver for Windows 2000(R) & Windows XP(TM) Intel Corporation c:\windows\system32\drivers\ialmkchw.sys
      HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
      + autocheck autochk * Auto Check Utility Microsoft Corporation c:\windows\system32\autochk.exe
      HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
      + Your Image File Name Here without a path Symbolic Debugger for Windows 2000 Microsoft Corporation c:\windows\system32\ntsd.exe
      HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
      + advapi32 Advanced Windows 32 Base API Microsoft Corporation c:\windows\system32\advapi32.dll
      + comdlg32 Common Dialogs DLL Microsoft Corporation c:\windows\system32\comdlg32.dll
      + gdi32 GDI Client DLL Microsoft Corporation c:\windows\system32\gdi32.dll
      + imagehlp Windows NT Image Helper Microsoft Corporation c:\windows\system32\imagehlp.dll
      + kernel32 Windows NT BASE API Client DLL Microsoft Corporation c:\windows\system32\kernel32.dll
      + lz32 LZ Expand/Compress API DLL Microsoft Corporation c:\windows\system32\lz32.dll
      + ole32 Microsoft OLE for Windows Microsoft Corporation c:\windows\system32\ole32.dll
      + oleaut32 Microsoft Corporation c:\windows\system32\oleaut32.dll
      + olecli32 Object Linking and Embedding Client Library Microsoft Corporation c:\windows\system32\olecli32.dll
      + olecnv32 Microsoft OLE for Windows Microsoft Corporation c:\windows\system32\olecnv32.dll
      + olesvr32 Object Linking and Embedding Server Library Microsoft Corporation c:\windows\system32\olesvr32.dll
      + olethk32 Microsoft OLE for Windows Microsoft Corporation c:\windows\system32\olethk32.dll
      + rpcrt4 Remote Procedure Call Runtime Microsoft Corporation c:\windows\system32\rpcrt4.dll
      + shell32 Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll
      + url Internet Shortcut Shell Extension DLL Microsoft Corporation c:\windows\system32\url.dll
      + urlmon OLE32 Extensions for Win32 Microsoft Corporation c:\windows\system32\urlmon.dll
      + user32 Windows XP USER API Client DLL Microsoft Corporation c:\windows\system32\user32.dll
      + version Version Checking and File Installation Libraries Microsoft Corporation c:\windows\system32\version.dll
      + wininet Internet Extensions for Win32 Microsoft Corporation c:\windows\system32\wininet.dll
      + wldap32 Win32 LDAP API DLL Microsoft Corporation c:\windows\system32\wldap32.dll
      HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost
      + logonui.exe Windows Logon UI Microsoft Corporation c:\windows\system32\logonui.exe
      HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
      + crypt32chain Crypto API32 Microsoft Corporation c:\windows\system32\crypt32.dll
      + cryptnet Crypto Network Related API Microsoft Corporation c:\windows\system32\cryptnet.dll
      + cscdll Offline Network Agent Microsoft Corporation c:\windows\system32\cscdll.dll
      + igfxcui igfxsrvc Module Intel Corporation c:\windows\system32\igfxsrvc.dll
      + ScCertProp Common DLL to receive Winlogon notifications Microsoft Corporation c:\windows\system32\wlnotify.dll
      + Schedule Common DLL to receive Winlogon notifications Microsoft Corporation c:\windows\system32\wlnotify.dll
      + sclgntfy Secondary Logon Service Notification DLL Microsoft Corporation c:\windows\system32\sclgntfy.dll
      + SensLogn Common DLL to receive Winlogon notifications Microsoft Corporation c:\windows\system32\wlnotify.dll
      + termsrv Common DLL to receive Winlogon notifications Microsoft Corporation c:\windows\system32\wlnotify.dll
      + WgaLogon Windows Genuine Advantage Notification Microsoft Corporation c:\windows\system32\wgalogon.dll
      + wlballoon Common DLL to receive Winlogon notifications Microsoft Corporation c:\windows\system32\wlnotify.dll
      HKCU\Control Panel\Desktop\Scrnsave.exe
      + C:\WINDOWS\System32\logon.scr Logon Screen Saver Microsoft Corporation c:\windows\system32\logon.scr
      HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries
      + 000000000001 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
      + 000000000002 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
      + 000000000003 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
      + 000000000004 Microsoft Windows Rsvp 1.0 Service Provider Microsoft Corporation c:\windows\system32\rsvpsp.dll
      + 000000000005 Microsoft Windows Rsvp 1.0 Service Provider Microsoft Corporation c:\windows\system32\rsvpsp.dll
      + 000000000006 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
      + 000000000007 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
      + 000000000008 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
      + 000000000009 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
      + 000000000010 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
      + 000000000011 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
      + 000000000012 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
      + 000000000013 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
      + 000000000014 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
      + 000000000015 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
      + 000000000016 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
      + 000000000017 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
      + 000000000018 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
      + 000000000019 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
      + 000000000020 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
      + 000000000021 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
      + 000000000022 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
      + 000000000023 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
      HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries
      + Network Location Awareness (NLA) Namespace Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
      + NTDS LDAP RnR Provider DLL Microsoft Corporation c:\windows\system32\winrnr.dll
      + Tcpip Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
      HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
      + Adobe PDF Port Acrobat ? PDF Port Adobe Systems Incorporated. c:\windows\system32\adobepdf.dll
      + BJ Language Monitor Langage Monitor for Canon Bubble-Jet Printer Microsoft Corporation c:\windows\system32\cnbjmon.dll
      + Local Port Local Spooler DLL Microsoft Corporation c:\windows\system32\localspl.dll
      + Microsoft Document Imaging Writer Monitor Microsoft? Document Imaging Microsoft Corporation c:\windows\system32\mdimon.dll
      + PJL Language Monitor PJL Language monitor Microsoft Corporation c:\windows\system32\pjlmon.dll
      + Standard TCP/IP Port Standard TCP/IP Port Monitor DLL Microsoft Corporation c:\windows\system32\tcpmon.dll
      + USB Monitor Standard Dynamic Printing Port Monitor DLL Microsoft Corporation c:\windows\system32\usbmon.dll
      HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders
      + digest.dll Digest SSPI Authentication Package Microsoft Corporation c:\windows\system32\digest.dll
      + msapsspc.dll DPA Client for 32 bit platforms Microsoft Corporation c:\windows\system32\msapsspc.dll
      + msnsspc.dll MSN Internet Access Microsoft Corporation c:\windows\system32\msnsspc.dll
      + schannel.dll TLS / SSL Security Provider Microsoft Corporation c:\windows\system32\schannel.dll
      HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
      + C:\WINDOWS\system32\fccCrrro File not found: C:\WINDOWS\system32\fccCrrro
      + msv1_0 Microsoft Authentication Package v1.0 Microsoft Corporation c:\windows\system32\msv1_0.dll
      HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
      + scecli Windows Security Configuration Editor Client Engine Microsoft Corporation c:\windows\system32\scecli.dll
      HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
      + kerberos Kerberos Security Package Microsoft Corporation c:\windows\system32\kerberos.dll
      + msv1_0 Microsoft Authentication Package v1.0 Microsoft Corporation c:\windows\system32\msv1_0.dll
      + schannel TLS / SSL Security Provider Microsoft Corporation c:\windows\system32\schannel.dll
      + wdigest Microsoft Digest Access Microsoft Corporation c:\windows\system32\wdigest.dll
      HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order
      + LanmanWorkstation Microsoft Windows Network Microsoft Corporation c:\windows\system32\ntlanman.dll
      + RDPNP Microsoft Terminal Services Microsoft Corporation c:\windows\system32\drprov.dll
      + WebClient Web Client Network Microsoft Corporation c:\windows\system32\davclnt.dll

      • #2571055

        re: ezShieldProtector

        by thumbsup2 ·

        In reply to re: Seanferd Autorun log

        ezSP_Px.exe is part of Easy Systems CD & DVD writing software.

        ezSP_Px.exe is located in “C:\WINDOWS\SYSTEM\” on Windows 95/98/ME, “C:\WINNT\SYSTEM32\” on Windows NT/2000 and “C:\WINDOWS\SYSTEM32\” on Windows XP.

        I would be more concerned about all the entries pointing to d:\program files\

        Do you have a 2nd hard drive (D) with some programs installed over there? Adobe Reader, for one, shows that in its path.

        If you’ve already run CCleaner, you must not have run the registry cleaner portion of the program, repeatedly until it reports no more errors. If you had, all of those “file not found” errors would have disappeared.

        This entry is the one that looks suspicious to me:

        HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
        + C:\WINDOWS\system32\fccCrrro File not found: C:\WINDOWS\system32\fccCrrro

        In addition, have you tried uninstalling the Google Toolbar(s), Google Toolbar Notifier?
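
One way to triage an Autoruns text export along the lines of the reply above, as an added example that is not part of the original thread. The severity labels and the rule that an LSA package registered by full path deserves review are this example's own assumptions; the sample lines are copied from the logs posted in this thread.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Excerpt assembled from lines of the Autoruns logs posted in this thread.
# Assumption: the PCIDump driver line sat under the Services key.
SAMPLE_LOG = r"""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ ezShieldProtector for Px ezSP_Px MFC Application Easy Systems Japan Ltd. c:\windows\system32\ezsp_px.exe
HKLM\Software\Microsoft\Internet Explorer\Toolbar
+ Adobe PDF Adobe IE plugin Adobe Systems Incorporated d:\program files\acrobat\acroiefavclient.dll
HKLM\System\CurrentControlSet\Services
+ PCIDump File not found: C:\WINDOWS\System32\Drivers\PCIDump.sys
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
+ C:\WINDOWS\system32\fccCrrro File not found: C:\WINDOWS\system32\fccCrrro
+ msv1_0 Microsoft Authentication Package v1.0 Microsoft Corporation c:\windows\system32\msv1_0.dll
"""

# A location header is a registry key or the "Task Scheduler" section title.
LOCATION_RE = re.compile(r"^(HKLM|HKCU)\\|^Task Scheduler$", re.I)
# Start of a drive-letter path such as C:\ or d:\
PATH_RE = re.compile(r"[A-Za-z]:\\")
# Hypothetical severity order used only by this example.
ORDER = {"REVIEW": 0, "STALE": 1, "NOTE": 2}


@dataclass
class Entry:
    location: str               # autostart location the entry was listed under
    body: str                   # entry text after the leading "+ "
    image_path: Optional[str]   # last drive-letter path on the line, if any
    missing: bool               # Autoruns reported "File not found:"
    name_is_path: bool          # the entry name itself is a full path


def parse_log(text):
    """Split the flattened export into entries grouped by location."""
    entries, location = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if LOCATION_RE.match(line):
            location = line
        elif line.startswith("+ ") and location:
            body = line[2:]
            hits = list(PATH_RE.finditer(body))
            image = body[hits[-1].start():] if hits else None
            entries.append(Entry(location, body, image,
                                 "File not found:" in body,
                                 bool(hits) and hits[0].start() == 0))
    return entries


def triage(entry):
    """Return (severity, reason) pairs for one entry."""
    findings = []
    # LSA packages are loaded by the logon/authentication subsystem at boot,
    # so anything odd there outranks a stale driver or toolbar entry.
    in_lsa = "\\control\\lsa\\" in entry.location.lower()
    if in_lsa and entry.name_is_path:
        findings.append(("REVIEW", "LSA package registered by full path"))
    if entry.missing:
        if in_lsa:
            findings.append(("REVIEW", "LSA package points at a missing file"))
        else:
            findings.append(("STALE", "file not found"))
    if entry.image_path and not entry.image_path.lower().startswith("c:\\"):
        findings.append(("NOTE", "image is not on the system drive"))
    return findings


def report(text):
    """All findings as (severity, location, path-or-body, reason), worst first."""
    rows = [(sev, e.location, e.image_path or e.body, why)
            for e in parse_log(text) for sev, why in triage(e)]
    return sorted(rows, key=lambda r: ORDER[r[0]])


if __name__ == "__main__":
    for sev, location, target, why in report(SAMPLE_LOG):
        print(f"{sev:6} {why}\n       {location}\n       {target}")
```
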

        • #2450233

          Still a problem

          by alrosenbloom ·

          In reply to re: ezShieldProtector

          As you suggested, I ran cCleaner several times. It tells me I have no registry issues. I deleted Google Tool Bar from IE 8. Yes, I have some programs on a D partition because my C partition was getting full.

          I ran autorun again and have posted it at the end. As far as I can tell, the two items you pointed out, HKLM\System\…. and C:\Windows\System 32\fccCrrro are still problems. How do I get rid of them? Can I do this through autorun?

          Lastly, earlier this AM in the dialog box in question, this appeared: ?? ūĊ?acn_np:[\\PIPE\\wkssvc,Security=Impersonation Dynamic False]

          Thanks.

          Below is the autorun:

          HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms
          + rdpclip RDP Clip Monitor Microsoft Corporation c:\windows\system32\rdpclip.exe
          HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
          + C:\WINDOWS\system32\userinit.exe Userinit Logon Application Microsoft Corporation c:\windows\system32\userinit.exe
          HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
          + Explorer.exe Windows Explorer Microsoft Corporation c:\windows\explorer.exe
          HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
          + ccApp Symantec User Session Symantec Corporation c:\program files\common files\symantec shared\ccapp.exe
          + ezShieldProtector for Px ezSP_Px MFC Application Easy Systems Japan Ltd. c:\windows\system32\ezsp_px.exe
          + osCheck osCheck Symantec Corporation c:\program files\norton antivirus\oscheck.exe
          HKCU\Software\Microsoft\Windows\CurrentVersion\Run
          + ctfmon.exe CTF Loader Microsoft Corporation c:\windows\system32\ctfmon.exe
          + swg GoogleToolbarNotifier Google Inc. c:\program files\google\googletoolbarnotifier\googletoolbarnotifier.exe
          HKLM\SOFTWARE\Classes\Protocols\Filter
          + application/octet-stream Microsoft .NET Runtime Execution Engine Microsoft Corporation c:\windows\system32\mscoree.dll
          + application/x-complus Microsoft .NET Runtime Execution Engine Microsoft Corporation c:\windows\system32\mscoree.dll
          + application/x-msdownload Microsoft .NET Runtime Execution Engine Microsoft Corporation c:\windows\system32\mscoree.dll
          + Class Install Handler OLE32 Extensions for Win32 Microsoft Corporation c:\windows\system32\urlmon.dll
          + deflate OLE32 Extensions for Win32 Microsoft Corporation c:\windows\system32\urlmon.dll
          + gzip OLE32 Extensions for Win32 Microsoft Corporation c:\windows\system32\urlmon.dll
          + lzdhtml OLE32 Extensions for Win32 Microsoft Corporation c:\windows\system32\urlmon.dll
          + text/webviewhtml Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll
          + text/xml Microsoft Office XML MIME Filter Microsoft Corporation c:\program files\common files\microsoft shared\office11\msoxmlmf.dll
          HKLM\SOFTWARE\Classes\Protocols\Handler
          + about Microsoft (R) HTML Viewer Microsoft Corporation c:\windows\system32\mshtml.dll
          + cdl OLE32 Extensions for Win32 Microsoft Corporation c:\windows\system32\urlmon.dll
          + dvd ActiveX control for streaming video Microsoft Corporation c:\windows\system32\msvidctl.dll
          + file OLE32 Extensions for Win32 Microsoft Corporation c:\windows\system32\urlmon.dll
          + ftp OLE32 Extensions for Win32 Microsoft Corporation c:\windows\system32\urlmon.dll
          + gopher OLE32 Extensions for Win32 Microsoft Corporation c:\windows\system32\urlmon.dll
          + http OLE32 Extensions for Win32 Microsoft Corporation c:\windows\system32\urlmon.dll
          + https OLE32 Extensions for Win32 Microsoft Corporation c:\windows\system32\urlmon.dll
          + its Microsoft? InfoTech Storage System Library Microsoft Corporation c:\windows\system32\itss.dll
          + javascript Microsoft (R) HTML Viewer Microsoft Corporation c:\windows\system32\mshtml.dll
          + local OLE32 Extensions for Win32 Microsoft Corporation c:\windows\system32\urlmon.dll
          + mailto Microsoft (R) HTML Viewer Microsoft Corporation c:\windows\system32\mshtml.dll
          + mhtml Microsoft Internet Messaging API Microsoft Corporation c:\windows\system32\inetcomm.dll
          + mk OLE32 Extensions for Win32 Microsoft Corporation c:\windows\system32\urlmon.dll
          + ms-its Microsoft? InfoTech Storage System Library Microsoft Corporation c:\windows\system32\itss.dll
          + mso-offdap Microsoft Office XP Web Components Microsoft Corporation c:\program files\common files\microsoft shared\web components\10\owc10.dll
          + mso-offdap11 Microsoft Office Web Components 2003 Microsoft Corporation c:\program files\common files\microsoft shared\web components\11\owc11.dll
          + res Microsoft (R) HTML Viewer Microsoft Corporation c:\windows\system32\mshtml.dll
          + sysimage Microsoft (R) HTML Viewer Microsoft Corporation c:\windows\system32\mshtml.dll
          + tv ActiveX control for streaming video Microsoft Corporation c:\windows\system32\msvidctl.dll
          + vbscript Microsoft (R) HTML Viewer Microsoft Corporation c:\windows\system32\mshtml.dll
          + wia WIA Scripting Layer Microsoft Corporation c:\windows\system32\wiascr.dll
          HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components
          + 0 File not found: About:Home
          HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
          + Address Book 6 Outlook Express Setup Library Microsoft Corporation c:\program files\outlook express\setup50.exe
          + Browser Customizations IEAK branding Microsoft Corporation c:\windows\system32\iedkcs32.dll
          + Browser Customizations IEAK branding Microsoft Corporation c:\windows\system32\iedkcs32.dll
          + IE7 Uninstall Stub IE Per User Active Setup Uninstall Utility Microsoft Corporation c:\windows\system32\ieudinit.exe
          + Internet Explorer IE Per-User Initialization Utility Microsoft Corporation c:\windows\system32\ie4uinit.exe
          + Internet Explorer IE Per-User Initialization Utility Microsoft Corporation c:\windows\system32\ie4uinit.exe
          + Microsoft Outlook Express 6 Outlook Express Setup Library Microsoft Corporation c:\program files\outlook express\setup50.exe
          + Microsoft Windows Media Player ADVPACK Microsoft Corporation c:\windows\system32\advpack.dll
          + n/a Microsoft .NET IE SECURITY REGISTRATION Microsoft Corporation c:\windows\system32\mscories.dll
          + NetMeeting 3.01 ADVPACK Microsoft Corporation c:\windows\system32\advpack.dll
          + Outlook Express Windows NT User Data Migration Tool Microsoft Corporation c:\windows\system32\shmgrate.exe
          + Themes Setup Microsoft(C) Register Server Microsoft Corporation c:\windows\system32\regsvr32.exe
          + Windows Desktop Update Microsoft(C) Register Server Microsoft Corporation c:\windows\system32\regsvr32.exe
          + Windows Media Player Microsoft Windows Media Player Setup Utility Microsoft Corporation c:\windows\inf\unregmp2.exe
          + Windows Messenger 4.7 ADVPACK Microsoft Corporation c:\windows\system32\advpack.dll
          HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
          + Browseui preloader Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll
          + Component Categories cache daemon Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll
          HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
          + CDBurn Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll
          + PostBootReminder Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll
          + SysTray Systray shell service object Microsoft Corporation c:\windows\system32\stobject.dll
          + WebCheck Web Site Monitor Microsoft Corporation c:\windows\system32\webcheck.dll
          + WPDShServiceObj Windows Portable Device Shell Service Object Microsoft Corporation c:\windows\system32\wpdshserviceobj.dll
          HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
          + URL Exec Hook Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll
          HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers
          + Adobe.Acrobat.ContextMenu Adobe Acrobat Context Menu Adobe Systems Inc. d:\program files\acrobat elements\contextmenu.dll
          + Offline Files Client Side Caching UI Microsoft Corporation c:\windows\system32\cscui.dll
          + Open With Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll
          + Open With EncryptionMenu Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll
          + SnagItMainShellExt SnagIt Shell Extension DLL TechSmith Corporation c:\program files\techsmith\snagit 8\snagitshellext.dll
          + Start Menu Pin Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll
          + Symantec.Norton.Antivirus.IEContextMenu Norton AntiVirus Shell Extension Module Symantec Corporation c:\program files\norton antivirus\navshext.dll
          HKLM\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers
          + Send To Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll
          HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers
          + Symantec.Norton.Antivirus.IEContextMenu Norton AntiVirus Shell Extension Module Symantec Corporation c:\program files\norton antivirus\navshext.dll
          HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers
          + EncryptionMenu Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll
          + Offline Files Client Side Caching UI Microsoft Corporation c:\windows\system32\cscui.dll
          + Sharing Shell extensions for sharing Microsoft Corporation c:\windows\system32\ntshrui.dll
          + SnagItMainShellExt SnagIt Shell Extension DLL TechSmith Corporation c:\program files\techsmith\snagit 8\snagitshellext.dll
          HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers
          + igfxcui igfxpph Module Intel Corporation c:\windows\system32\igfxpph.dll
          + New Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll
          HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
          + PDF Shell Extension PDF Shell Extension Adobe Systems, Inc. d:\program files\activex\pdfshell.dll
          + {0D2E74C4-3C34-11d2-A27E-00C04FC30871} Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll
          + {24F14F01-7B1C-11d1-838f-0000F80461CF} Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll
          + {24F14F02-7B1C-11d1-838f-0000F80461CF} Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll
          + {66742402-F9B9-11D1-A202-0000F81FEDEE} Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll
          HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
          + Offline Files Client Side Caching UI Microsoft Corporation c:\windows\system32\cscui.dll
          HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
          + Google Toolbar Notifier BHO GoogleToolbarNotifier Google Inc. c:\program files\google\googletoolbarnotifier\3.0.1225.9868\swg.dll
          + Symantec Intrusion Prevention IPS Browser Helper DLL Symantec Corporation c:\program files\common files\symantec shared\ids\ipsbho.dll
          HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks
          + Microsoft Url Search Hook Internet Explorer Microsoft Corporation c:\windows\system32\ieframe.dll
          HKLM\Software\Microsoft\Internet Explorer\Toolbar
          + Adobe PDF Adobe IE plugin Adobe Systems Incorporated d:\program files\acrobat\acroiefavclient.dll
          + SnagIt SnagIt Add-in for Internet Explorer TechSmith Corporation c:\program files\techsmith\snagit 8\snagitieaddin.dll
          HKLM\Software\Microsoft\Internet Explorer\Extensions
          + Diagnose Connection Problems… Network Diagnostic for Windows XP Microsoft Corporation c:\windows\network diagnostic\xpnetdiag.exe
          + Flash Saver d:\program files\flash saver\save.htm
          + HiDownload download rtsp/mms/http/ftp HiDownload Software d:\program files\hidownload\hidownload.exe
          + Windows Messenger Windows Messenger Microsoft Corporation c:\program files\messenger\msmsgs.exe
          Task Scheduler
          + AppleSoftwareUpdate.job Software Application Apple Computer, Inc. c:\program files\apple software update\softwareupdate.exe
          + Norton AntiVirus – Run Full System Scan – Al Rosenbloom.job Norton AntiVirus Scanner Module Symantec Corporation c:\program files\norton antivirus\navw32.exe
          + Registration reminder 1.job Windows OOBE Balloon Reminder Microsoft Corporation c:\windows\system32\oobe\oobebaln.exe
          HKLM\System\CurrentControlSet\Services
          + aawservice Protects your computer from spyware Lavasoft d:\program files\aawservice.exe
          + AudioSrv Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\audiosrv.dll
          + Automatic LiveUpdate Scheduler Manages the scheduling of Automatic LiveUpdate sessions Symantec Corporation c:\program files\symantec\liveupdate\aluschedulersvc.exe
          + BITS Transfers files in the background using idle network bandwidth. If the service is stopped, features such as Windows Update, and MSN Explorer will be unable to automatically download programs and other information. If this service is disabled, any services that explicitly depend on it may fail to transfer files if they do not have a fail safe mechanism to transfer files directly through IE in case BITS has been disabled. Microsoft Corporation c:\windows\system32\qmgr.dll
          + Browser Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\browser.dll
          + ccEvtMgr Event propagation and logging service Symantec Corporation c:\program files\common files\symantec shared\ccsvchst.exe
          + ccSetMgr Settings storage and management service Symantec Corporation c:\program files\common files\symantec shared\ccsvchst.exe
          + CLTNetCnService Symantec Lic NetConnect Service Symantec Corporation c:\program files\common files\symantec shared\ccsvchst.exe
          + CryptSvc Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\cryptsvc.dll
          + DcomLaunch Provides launch functionality for DCOM services. Microsoft Corporation c:\windows\system32\rpcss.dll
          + Dhcp Manages network configuration by registering and updating IP addresses and DNS names. Microsoft Corporation c:\windows\system32\dhcpcsvc.dll
          + Diskeeper Controls the Windows Diskeeper Service Diskeeper Corporation c:\program files\diskeeper corporation\diskeeper\dkservice.exe
          + Dnscache Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\dnsrslvr.dll
          + ERSvc Allows error reporting for services and applictions running in non-standard environments. Microsoft Corporation c:\windows\system32\ersvc.dll
          + Eventlog Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped. Microsoft Corporation c:\windows\system32\services.exe
          + helpsvc Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\pchealth\helpctr\binaries\pchsvc.dll
          + lanmanserver Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\srvsvc.dll
          + lanmanworkstation Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\wkssvc.dll
          + LiveUpdate Notice Manages Norton product notices Symantec Corporation c:\program files\common files\symantec shared\ccsvchst.exe
          + LmHosts Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution. Microsoft Corporation c:\windows\system32\lmhsvc.dll
          + NVSvc NVIDIA Driver Helper Service, Version 43.03 NVIDIA Corporation c:\windows\system32\nvsvc32.exe
          + PlugPlay Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability. Microsoft Corporation c:\windows\system32\services.exe
          + PolicyAgent Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver. Microsoft Corporation c:\windows\system32\lsass.exe
          + ProtectedStorage Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users. Microsoft Corporation c:\windows\system32\lsass.exe
          + RpcSs Provides the endpoint mapper and other miscellaneous RPC services. Microsoft Corporation c:\windows\system32\rpcss.dll
          + SamSs Stores security information for local user accounts. Microsoft Corporation c:\windows\system32\lsass.exe
          + Schedule Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\schedsvc.dll
          + seclogon Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\seclogon.dll
          + SENS Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events. Microsoft Corporation c:\windows\system32\sens.dll
          + SharedAccess Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network. Microsoft Corporation c:\windows\system32\ipnathlp.dll
          + ShellHWDetection Windows Shell Services Dll Microsoft Corporation c:\windows\system32\shsvcs.dll
          + Spooler Loads files to memory for later printing. Microsoft Corporation c:\windows\system32\spoolsv.exe
          + srservice Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties Microsoft Corporation c:\windows\system32\srsvc.dll
          + stisvc Provides image acquisition services for scanners and cameras. Microsoft Corporation c:\windows\system32\wiaservc.dll
          + Themes Provides user experience theme management. Microsoft Corporation c:\windows\system32\shsvcs.dll
          + TrkWks Maintains links between NTFS files within a computer or across computers in a network domain. Microsoft Corporation c:\windows\system32\trkwks.dll
          + W32Time Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\w32time.dll
          + WebClient Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\webclnt.dll
          + winmgmt Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\wbem\wmisvc.dll
          + wuauserv Enables the download and installation of critical Windows updates. If the service is disabled, the operating system can be manually updated at the Windows Update Web site. Microsoft Corporation c:\windows\system32\wuauserv.dll
          + WZCSVC Provides automatic configuration for the 802.11 adapters Microsoft Corporation c:\windows\system32\wzcsvc.dll
          HKLM\System\CurrentControlSet\Services
          + ACPI ACPI Driver for NT Microsoft Corporation c:\windows\system32\drivers\acpi.sys
          + aeaudio Andrea Audio Stub Driver Andrea Electronics Corporation c:\windows\system32\drivers\aeaudio.sys
          + aec Microsoft Acoustic Echo Canceller Microsoft Corporation c:\windows\system32\drivers\aec.sys
          + AFD AFD Networking Support Environment Microsoft Corporation c:\windows\system32\drivers\afd.sys
          + AgereSoftModem SoftModem Device Driver Agere Systems c:\windows\system32\drivers\agrsm.sys
          + agp440 440 NT AGP Filter Microsoft Corporation c:\windows\system32\drivers\agp440.sys
          + ALCXWDM Realtek AC’97 Audio Driver (WDM) Realtek Semiconductor Corp. c:\windows\system32\drivers\alcxwdm.sys
          + Arp1394 1394 ARP Client Protocol Microsoft Corporation c:\windows\system32\drivers\arp1394.sys
          + AsyncMac RAS Asynchronous Media Driver Microsoft Corporation c:\windows\system32\drivers\asyncmac.sys
          + atapi IDE/ATAPI Port Driver Microsoft Corporation c:\windows\system32\drivers\atapi.sys
          + ati2mtag ATI Radeon Miniport Driver ATI Technologies Inc. c:\windows\system32\drivers\ati2mtag.sys
          + Atmarpc ATM ARP Client Protocol Microsoft Corporation c:\windows\system32\drivers\atmarpc.sys
          + audstub AudStub Driver Microsoft Corporation c:\windows\system32\drivers\audstub.sys
          + Beep BEEP Driver Microsoft Corporation c:\windows\system32\drivers\beep.sys
          + CCDECODE WDM Closed Caption VBI Codec Microsoft Corporation c:\windows\system32\drivers\ccdecode.sys
          + Cdaudio CD-ROM Audio Filter Driver Microsoft Corporation c:\windows\system32\drivers\cdaudio.sys
          + Cdrom SCSI CD-ROM Driver Microsoft Corporation c:\windows\system32\drivers\cdrom.sys
          + Changer File not found: C:\WINDOWS\System32\Drivers\Changer.sys
          + COH_Mon Confidence Online v6.1 WDM driver (6,1,4,10) Symantec Corporation c:\windows\system32\drivers\coh_mon.sys
          + Disk PnP Disk Driver Microsoft Corporation c:\windows\system32\drivers\disk.sys
          + DMICall Windows 2000 DMI Call Kernel Driver Sony Corporation c:\windows\system32\drivers\dmicall.sys
          + DMusic Microsoft Kernel DLS Synthesizer Microsoft Corporation c:\windows\system32\drivers\dmusic.sys
          + drmkaud Microsoft Kernel DRM Audio Descrambler Filter Microsoft Corporation c:\windows\system32\drivers\drmkaud.sys
          + E1000 Intel(R) PRO/1000 Adapter NDIS 5.1 deserialized driver Intel Corporation c:\windows\system32\drivers\e1000325.sys
          + E100B Intel(R) PRO/100 Adapter NDIS 5.1 driver Intel Corporation c:\windows\system32\drivers\e100b325.sys
          + eeCtrl Symantec Eraser Control Driver Symantec Corporation c:\program files\common files\symantec shared\eengine\eectrl.sys
          + elagopro GoProto Protocol Driver for LELA Gteko Ltd. c:\windows\system32\drivers\elagopro.sys
          + elaunidr GUniDriver Gteko Ltd. c:\windows\system32\drivers\elaunidr.sys
          + EraserUtilRebootDrv Symantec Eraser Utility Driver Symantec Corporation c:\program files\common files\symantec shared\eengine\eraserutilrebootdrv.sys
          + Fdc Floppy Disk Controller Driver Microsoft Corporation c:\windows\system32\drivers\fdc.sys
          + Fips FIPS Crypto Driver Microsoft Corporation c:\windows\system32\drivers\fips.sys
          + Flpydisk Floppy Driver Microsoft Corporation c:\windows\system32\drivers\flpydisk.sys
          + FltMgr File System Filter Manager Driver Microsoft Corporation c:\windows\system32\drivers\fltmgr.sys
          + Ftdisk FT Disk Driver Microsoft Corporation c:\windows\system32\drivers\ftdisk.sys
          + Gpc Generic Packet Classifier Microsoft Corporation c:\windows\system32\drivers\msgpc.sys
          + HidUsb USB Miniport Driver for Input Devices Microsoft Corporation c:\windows\system32\drivers\hidusb.sys
          + HTTP This service implements the hypertext transfer protocol (HTTP). If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\drivers\http.sys
          + i2omgmt File not found: C:\WINDOWS\System32\Drivers\i2omgmt.sys
          + i8042prt i8042 Port Driver Microsoft Corporation c:\windows\system32\drivers\i8042prt.sys
          + ialm Controller Hub for Intel Graphics Driver Intel Corporation c:\windows\system32\drivers\ialmnt5.sys
          + Imapi IMAPI Kernel Driver Microsoft Corporation c:\windows\system32\drivers\imapi.sys
          + IntelIde Intel PCI IDE Driver Microsoft Corporation c:\windows\system32\drivers\intelide.sys
          + intelppm Processor Device Driver Microsoft Corporation c:\windows\system32\drivers\intelppm.sys
          + ip6fw Provides intrusion prevention service for a home or small office network. Microsoft Corporation c:\windows\system32\drivers\ip6fw.sys
          + IpFilterDriver IP Traffic Filter Driver Microsoft Corporation c:\windows\system32\drivers\ipfltdrv.sys
          + IpInIp IP in IP Tunnel Driver Microsoft Corporation c:\windows\system32\drivers\ipinip.sys
          + IpNat IP Network Address Translator Microsoft Corporation c:\windows\system32\drivers\ipnat.sys
          + IPSec IPSEC driver Microsoft Corporation c:\windows\system32\drivers\ipsec.sys
          + IRENUM Infra-Red Bus Enumerator Microsoft Corporation c:\windows\system32\drivers\irenum.sys
          + isapnp PNP ISA Bus Driver Microsoft Corporation c:\windows\system32\drivers\isapnp.sys
          + Kbdclass Keyboard Class Driver Microsoft Corporation c:\windows\system32\drivers\kbdclass.sys
          + kbdhid HID Mouse Filter Driver Microsoft Corporation c:\windows\system32\drivers\kbdhid.sys
          + kmixer Kernel Mode Audio Mixer Microsoft Corporation c:\windows\system32\drivers\kmixer.sys
          + KSecDD Kernel Security Support Provider Interface Microsoft Corporation c:\windows\system32\drivers\ksecdd.sys
          + lbrtfdc File not found: C:\WINDOWS\System32\Drivers\lbrtfdc.sys
          + mnmdd Frame buffer simulator Microsoft Corporation c:\windows\system32\drivers\mnmdd.sys
          + Modem Modem Device Driver Microsoft Corporation c:\windows\system32\drivers\modem.sys
          + Mouclass Mouse Class Driver Microsoft Corporation c:\windows\system32\drivers\mouclass.sys
          + MountMgr Mount Manager Microsoft Corporation c:\windows\system32\drivers\mountmgr.sys
          + MRxDAV WebDav Client Redirector Microsoft Corporation c:\windows\system32\drivers\mrxdav.sys
          + MRxSmb MRXSMB Microsoft Corporation c:\windows\system32\drivers\mrxsmb.sys
          + Msfs Mailslot driver Microsoft Corporation c:\windows\system32\drivers\msfs.sys
          + MSKSSRV MS KS Server Microsoft Corporation c:\windows\system32\drivers\mskssrv.sys
          + MSPCLOCK MS Proxy Clock Microsoft Corporation c:\windows\system32\drivers\mspclock.sys
          + MSPQM MS Proxy Quality Manager Microsoft Corporation c:\windows\system32\drivers\mspqm.sys
          + mssmbios System Management BIOS Driver Microsoft Corporation c:\windows\system32\drivers\mssmbios.sys
          + MSTEE WDM Tee/Communication Transform Filter Microsoft Corporation c:\windows\system32\drivers\mstee.sys
          + Mup Multiple UNC Provider driver Microsoft Corporation c:\windows\system32\drivers\mup.sys
          + NABTSFEC WDM NABTS/FEC VBI Codec Microsoft Corporation c:\windows\system32\drivers\nabtsfec.sys
          + NAVENG AV Engine Symantec Corporation c:\program files\common files\symantec shared\virusdefs\20080609.003\naveng.sys
          + NAVEX15 AV Engine Symantec Corporation c:\program files\common files\symantec shared\virusdefs\20080609.003\navex15.sys
          + NDIS NDIS 5.1 wrapper driver Microsoft Corporation c:\windows\system32\drivers\ndis.sys
          + NdisIP Microsoft IP Driver Microsoft Corporation c:\windows\system32\drivers\ndisip.sys
          + NdisTapi Remote Access NDIS TAPI Driver Microsoft Corporation c:\windows\system32\drivers\ndistapi.sys
          + Ndisuio NDIS Usermode I/O Protocol Microsoft Corporation c:\windows\system32\drivers\ndisuio.sys
          + NdisWan Remote Access NDIS WAN Driver Microsoft Corporation c:\windows\system32\drivers\ndiswan.sys
          + NDProxy NDIS Proxy Microsoft Corporation c:\windows\system32\drivers\ndproxy.sys
          + NetBIOS NetBIOS Interface Microsoft Corporation c:\windows\system32\drivers\netbios.sys
          + NetBT NetBios over Tcpip Microsoft Corporation c:\windows\system32\drivers\netbt.sys
          + NIC1394 IEEE1394 Ndis Miniport and Call Manager Microsoft Corporation c:\windows\system32\drivers\nic1394.sys
          + nm Netmon NT Driver Microsoft Corporation c:\windows\system32\drivers\nmnt.sys
          + NPF npf NetGroup – Politecnico di Torino c:\windows\system32\drivers\npf.sys
          + Npfs NPFS Driver Microsoft Corporation c:\windows\system32\drivers\npfs.sys
          + Null NULL Driver Microsoft Corporation c:\windows\system32\drivers\null.sys
          + nv NVIDIA Compatible Windows 2000 Miniport Driver, Version 43.03 NVIDIA Corporation c:\windows\system32\drivers\nv4_mini.sys
          + NwlnkFlt IPX Traffic Filter Driver Microsoft Corporation c:\windows\system32\drivers\nwlnkflt.sys
          + NwlnkFwd IPX Traffic Forwarder Driver Microsoft Corporation c:\windows\system32\drivers\nwlnkfwd.sys
          + ohci1394 1394 OpenHCI Port Driver Microsoft Corporation c:\windows\system32\drivers\ohci1394.sys
          + Parport Parallel Port Driver Microsoft Corporation c:\windows\system32\drivers\parport.sys
          + PartMgr Partition Manager Microsoft Corporation c:\windows\system32\drivers\partmgr.sys
          + ParVdm VDM Parallel Driver Microsoft Corporation c:\windows\system32\drivers\parvdm.sys
          + PCI NT Plug and Play PCI Enumerator Microsoft Corporation c:\windows\system32\drivers\pci.sys
          + PCIDump File not found: C:\WINDOWS\System32\Drivers\PCIDump.sys
          + PCIIde Generic PCI IDE Bus Driver Microsoft Corporation c:\windows\system32\drivers\pciide.sys
          + PDCOMP File not found: C:\WINDOWS\System32\Drivers\PDCOMP.sys
          + PDFRAME File not found: C:\WINDOWS\System32\Drivers\PDFRAME.sys
          + PDRELI File not found: C:\WINDOWS\System32\Drivers\PDRELI.sys
          + PDRFRAME File not found: C:\WINDOWS\System32\Drivers\PDRFRAME.sys
          + pfc Padus(R) ASPI Shell Padus, Inc. c:\windows\system32\drivers\pfc.sys
          + PptpMiniport WAN Miniport (PPTP) Microsoft Corporation c:\windows\system32\drivers\raspptp.sys
          + Processor Processor Device Driver Microsoft Corporation c:\windows\system32\drivers\processr.sys
          + PSched QoS Packet Scheduler Microsoft Corporation c:\windows\system32\drivers\psched.sys
          + Ptilink Direct Parallel Link Driver Parallel Technologies, Inc. c:\windows\system32\drivers\ptilink.sys
          + PxHelp20 Px Engine Device Driver for Windows 2000/XP Sonic Solutions c:\windows\system32\drivers\pxhelp20.sys
          + RasAcd Remote Access Auto Connection Driver Microsoft Corporation c:\windows\system32\drivers\rasacd.sys
          + Rasl2tp WAN Miniport (L2TP) Microsoft Corporation c:\windows\system32\drivers\rasl2tp.sys
          + RasPppoe Remote Access PPPOE Driver Microsoft Corporation c:\windows\system32\drivers\raspppoe.sys
          + Raspti Direct Parallel Microsoft Corporation c:\windows\system32\drivers\raspti.sys
          + Rdbss Rdbss Microsoft Corporation c:\windows\system32\drivers\rdbss.sys
          + RDPCDD RDP Miniport Microsoft Corporation c:\windows\system32\drivers\rdpcdd.sys
          + RDPWD RDP Terminal Stack Driver (US/Canada Only, Not for Export) Microsoft Corporation c:\windows\system32\drivers\rdpwd.sys
          + redbook Redbook Audio Filter Driver Microsoft Corporation c:\windows\system32\drivers\redbook.sys
          + rtl8139 Realtek RTL8139 NDIS 5.0 Driver Realtek Semiconductor Corporation c:\windows\system32\drivers\rtl8139.sys
          + Secdrv SafeDisc driver Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K. c:\windows\system32\drivers\secdrv.sys
          + Serenum Serial Port Enumerator Microsoft Corporation c:\windows\system32\drivers\serenum.sys
          + Serial Serial Device Driver Microsoft Corporation c:\windows\system32\drivers\serial.sys
          + Sfloppy SCSI Floppy Driver Microsoft Corporation c:\windows\system32\drivers\sfloppy.sys
          + SLIP Microsoft Slip Deframing Filter Minidriver Microsoft Corporation c:\windows\system32\drivers\slip.sys
          + smrt Sony MPEG RealTime encoder board Sony Corporation c:\windows\system32\drivers\smrt.sys
          + smwdm SoundMAX Integrated Digital Audio Analog Devices, Inc. c:\windows\system32\drivers\smwdm.sys
          + SONYPVU1 Sony USB Lower Filter driver Sony Corporation c:\windows\system32\drivers\sonypvu1.sys
          + SONYWBMS Sony Memory Stick I/F Driver Sony Corporation c:\windows\system32\drivers\sonywbms.sys
          + SPBBCDrv SPBBC Driver Symantec Corporation c:\program files\common files\symantec shared\spbbc\spbbcdrv.sys
          + splitter Microsoft Kernel Audio Splitter Microsoft Corporation c:\windows\system32\drivers\splitter.sys
          + sr System Restore Filesystem Filter Driver Microsoft Corporation c:\windows\system32\drivers\sr.sys
          + SRTSP Symantec AutoProtect Symantec Corporation c:\windows\system32\drivers\srtsp.sys
          + SRTSPL Symantec AutoProtect Symantec Corporation c:\windows\system32\drivers\srtspl.sys
          + SRTSPX Symantec AutoProtect Symantec Corporation c:\windows\system32\drivers\srtspx.sys
          + Srv Srv Microsoft Corporation c:\windows\system32\drivers\srv.sys
          + streamip Microsoft IP Test Driver Microsoft Corporation c:\windows\system32\drivers\streamip.sys
          + swenum Plug and Play Software Device Enumerator Microsoft Corporation c:\windows\system32\drivers\swenum.sys
          + swmidi Microsoft GS Wavetable Synthesizer Microsoft Corporation c:\windows\system32\drivers\swmidi.sys
          + SYMDNS DNS Filter Driver Symantec Corporation c:\windows\system32\drivers\symdns.sys
          + SymEvent Symantec Event Library Symantec Corporation c:\windows\system32\drivers\symevent.sys
          + SYMFW Firewall Filter Driver Symantec Corporation c:\windows\system32\drivers\symfw.sys
          + SYMIDS IDS Filter Driver Symantec Corporation c:\windows\system32\drivers\symids.sys
          + SYMIDSCO IDS Core Driver Symantec Corporation c:\program files\common files\symantec shared\symcdata\ipsdefs\20080607.001\symidsco.sys
          + SymIM NDIS Intermediate Driver Symantec Corporation c:\windows\system32\drivers\symim.sys
          + SymIMMP NDIS Intermediate Driver Symantec Corporation c:\windows\system32\drivers\symim.sys
          + SYMNDIS NDIS Filter Driver Symantec Corporation c:\windows\system32\drivers\symndis.sys
          + SYMREDRV Redirector Filter Driver Symantec Corporation c:\windows\system32\drivers\symredrv.sys
          + SYMTDI Network Dispatch Driver Symantec Corporation c:\windows\system32\drivers\symtdi.sys
          + sysaudio System Audio WDM Filter Microsoft Corporation c:\windows\system32\drivers\sysaudio.sys
          + Tcpip TCP/IP Protocol Driver Microsoft Corporation c:\windows\system32\drivers\tcpip.sys
          + TDPIPE Named Pipe Transport Driver Microsoft Corporation c:\windows\system32\drivers\tdpipe.sys
          + TDTCP TCP Transport Driver Microsoft Corporation c:\windows\system32\drivers\tdtcp.sys
          + TermDD Terminal Server Driver Microsoft Corporation c:\windows\system32\drivers\termdd.sys
          + Update Update Driver Microsoft Corporation c:\windows\system32\drivers\update.sys
          + usbehci EHCI eUSB Miniport Driver Microsoft Corporation c:\windows\system32\drivers\usbehci.sys
          + usbhub Default Hub Driver for USB Microsoft Corporation c:\windows\system32\drivers\usbhub.sys
          + usbscan USB Scanner Driver Microsoft Corporation c:\windows\system32\drivers\usbscan.sys
          + USBSTOR USB Mass Storage Class Driver Microsoft Corporation c:\windows\system32\drivers\usbstor.sys
          + usbuhci UHCI USB Miniport Driver Microsoft Corporation c:\windows\system32\drivers\usbuhci.sys
          + VgaSave Controls the VGA display adapter to provide basic display capabilities. Microsoft Corporation c:\windows\system32\drivers\vga.sys
          + VolSnap Volume Shadow Copy Driver Microsoft Corporation c:\windows\system32\drivers\volsnap.sys
          + Wanarp Remote Access IP ARP Driver Microsoft Corporation c:\windows\system32\drivers\wanarp.sys
          + WDICA File not found: C:\WINDOWS\System32\Drivers\WDICA.sys
          + wdmaud MMSYSTEM Wave/Midi API mapper Microsoft Corporation c:\windows\system32\drivers\wdmaud.sys
          + WSTCODEC WDM WST Codec Driver Microsoft Corporation c:\windows\system32\drivers\wstcodec.sys
          + WudfPf Provide communciation services for UMDF components. Microsoft Corporation c:\windows\system32\drivers\wudfpf.sys
          + {6080A529-897E-4629-A488-ABA0C29B635E} Intel Graphics Platform (SoftBIOS) Driver for Windows 2000(R) & Windows XP(TM) Intel Corporation c:\windows\system32\drivers\ialmsbw.sys
          + {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} Intel Graphics Chipset (KCH) Driver for Windows 2000(R) & Windows XP(TM) Intel Corporation c:\windows\system32\drivers\ialmkchw.sys
          HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
          + autocheck autochk * Auto Check Utility Microsoft Corporation c:\windows\system32\autochk.exe
          HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
          + Your Image File Name Here without a path Symbolic Debugger for Windows 2000 Microsoft Corporation c:\windows\system32\ntsd.exe
          HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
          + advapi32 Advanced Windows 32 Base API Microsoft Corporation c:\windows\system32\advapi32.dll
          + comdlg32 Common Dialogs DLL Microsoft Corporation c:\windows\system32\comdlg32.dll
          + gdi32 GDI Client DLL Microsoft Corporation c:\windows\system32\gdi32.dll
          + imagehlp Windows NT Image Helper Microsoft Corporation c:\windows\system32\imagehlp.dll
          + kernel32 Windows NT BASE API Client DLL Microsoft Corporation c:\windows\system32\kernel32.dll
          + lz32 LZ Expand/Compress API DLL Microsoft Corporation c:\windows\system32\lz32.dll
          + ole32 Microsoft OLE for Windows Microsoft Corporation c:\windows\system32\ole32.dll
          + oleaut32 Microsoft Corporation c:\windows\system32\oleaut32.dll
          + olecli32 Object Linking and Embedding Client Library Microsoft Corporation c:\windows\system32\olecli32.dll
          + olecnv32 Microsoft OLE for Windows Microsoft Corporation c:\windows\system32\olecnv32.dll
          + olesvr32 Object Linking and Embedding Server Library Microsoft Corporation c:\windows\system32\olesvr32.dll
          + olethk32 Microsoft OLE for Windows Microsoft Corporation c:\windows\system32\olethk32.dll
          + rpcrt4 Remote Procedure Call Runtime Microsoft Corporation c:\windows\system32\rpcrt4.dll
          + shell32 Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll
          + url Internet Shortcut Shell Extension DLL Microsoft Corporation c:\windows\system32\url.dll
          + urlmon OLE32 Extensions for Win32 Microsoft Corporation c:\windows\system32\urlmon.dll
          + user32 Windows XP USER API Client DLL Microsoft Corporation c:\windows\system32\user32.dll
          + version Version Checking and File Installation Libraries Microsoft Corporation c:\windows\system32\version.dll
          + wininet Internet Extensions for Win32 Microsoft Corporation c:\windows\system32\wininet.dll
          + wldap32 Win32 LDAP API DLL Microsoft Corporation c:\windows\system32\wldap32.dll
          HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost
          + logonui.exe Windows Logon UI Microsoft Corporation c:\windows\system32\logonui.exe
          HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
          + crypt32chain Crypto API32 Microsoft Corporation c:\windows\system32\crypt32.dll
          + cryptnet Crypto Network Related API Microsoft Corporation c:\windows\system32\cryptnet.dll
          + cscdll Offline Network Agent Microsoft Corporation c:\windows\system32\cscdll.dll
          + igfxcui igfxsrvc Module Intel Corporation c:\windows\system32\igfxsrvc.dll
          + ScCertProp Common DLL to receive Winlogon notifications Microsoft Corporation c:\windows\system32\wlnotify.dll
          + Schedule Common DLL to receive Winlogon notifications Microsoft Corporation c:\windows\system32\wlnotify.dll
          + sclgntfy Secondary Logon Service Notification DLL Microsoft Corporation c:\windows\system32\sclgntfy.dll
          + SensLogn Common DLL to receive Winlogon notifications Microsoft Corporation c:\windows\system32\wlnotify.dll
          + termsrv Common DLL to receive Winlogon notifications Microsoft Corporation c:\windows\system32\wlnotify.dll
          + WgaLogon Windows Genuine Advantage Notification Microsoft Corporation c:\windows\system32\wgalogon.dll
          + wlballoon Common DLL to receive Winlogon notifications Microsoft Corporation c:\windows\system32\wlnotify.dll
          HKCU\Control Panel\Desktop\Scrnsave.exe
          + C:\WINDOWS\System32\logon.scr Logon Screen Saver Microsoft Corporation c:\windows\system32\logon.scr
          HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries
          + 000000000001 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
          + 000000000002 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
          + 000000000003 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
          + 000000000004 Microsoft Windows Rsvp 1.0 Service Provider Microsoft Corporation c:\windows\system32\rsvpsp.dll
          + 000000000005 Microsoft Windows Rsvp 1.0 Service Provider Microsoft Corporation c:\windows\system32\rsvpsp.dll
          + 000000000006 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
          + 000000000007 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
          + 000000000008 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
          + 000000000009 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
          + 000000000010 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
          + 000000000011 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
          + 000000000012 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
          + 000000000013 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
          + 000000000014 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
          + 000000000015 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
          + 000000000016 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
          + 000000000017 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
          + 000000000018 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
          + 000000000019 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
          + 000000000020 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
          + 000000000021 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
          + 000000000022 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
          + 000000000023 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
          HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries
          + Network Location Awareness (NLA) Namespace Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
          + NTDS LDAP RnR Provider DLL Microsoft Corporation c:\windows\system32\winrnr.dll
          + Tcpip Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
          HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
          + Adobe PDF Port Acrobat ? PDF Port Adobe Systems Incorporated. c:\windows\system32\adobepdf.dll
          + BJ Language Monitor Langage Monitor for Canon Bubble-Jet Printer Microsoft Corporation c:\windows\system32\cnbjmon.dll
          + Local Port Local Spooler DLL Microsoft Corporation c:\windows\system32\localspl.dll
          + Microsoft Document Imaging Writer Monitor Microsoft? Document Imaging Microsoft Corporation c:\windows\system32\mdimon.dll
          + PJL Language Monitor PJL Language monitor Microsoft Corporation c:\windows\system32\pjlmon.dll
          + Standard TCP/IP Port Standard TCP/IP Port Monitor DLL Microsoft Corporation c:\windows\system32\tcpmon.dll
          + USB Monitor Standard Dynamic Printing Port Monitor DLL Microsoft Corporation c:\windows\system32\usbmon.dll
          HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders
          + digest.dll Digest SSPI Authentication Package Microsoft Corporation c:\windows\system32\digest.dll
          + msapsspc.dll DPA Client for 32 bit platforms Microsoft Corporation c:\windows\system32\msapsspc.dll
          + msnsspc.dll MSN Internet Access Microsoft Corporation c:\windows\system32\msnsspc.dll
          + schannel.dll TLS / SSL Security Provider Microsoft Corporation c:\windows\system32\schannel.dll
          HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
          + C:\WINDOWS\system32\fccCrrro File not found: C:\WINDOWS\system32\fccCrrro
          + msv1_0 Microsoft Authentication Package v1.0 Microsoft Corporation c:\windows\system32\msv1_0.dll
          HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
          + scecli Windows Security Configuration Editor Client Engine Microsoft Corporation c:\windows\system32\scecli.dll
          HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
          + kerberos Kerberos Security Package Microsoft Corporation c:\windows\system32\kerberos.dll
          + msv1_0 Microsoft Authentication Package v1.0 Microsoft Corporation c:\windows\system32\msv1_0.dll
          + schannel TLS / SSL Security Provider Microsoft Corporation c:\windows\system32\schannel.dll
          + wdigest Microsoft Digest Access Microsoft Corporation c:\windows\system32\wdigest.dll
          HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order
          + LanmanWorkstation Microsoft Windows Network Microsoft Corporation c:\windows\system32\ntlanman.dll
          + RDPNP Microsoft Terminal Services Microsoft Corporation c:\windows\system32\drprov.dll
          + WebClient Web Client Network Microsoft Corporation c:\windows\system32\davclnt.dll

        • #2571525

          Wkssvc

          by seanferd ·

          In reply to Still a problem

          “Wkssvc.exe is Trojan/Backdoor Sdbot.
          Kill the process wkssvc.exe and remove wkssvc.exe from Windows startup.”

          If you find this file, open Task Manager, kill the process, then delete the file. If the file is not on your system, search the registry for wkssvc and delete the entries. You can use Autoruns to remove it from startup. When you get rid of the file, and those mentioned by bwilmot, clean the registry again in case any entries remain.

          Note: It is a good idea to disconnect from the internet (physically remove Ethernet or other connector) while you do this. Otherwise, a malware file or reg entry may “call home” to re-infect you.

      • #2450211

        This one needs to go

        by ic-it ·

        In reply to re: Seanferd Autorun log

        + NPF npf NetGroup – Politecnico di Torino c:\windows\system32\drivers\npf.sys

        It is part of a rootkit.

        http://www.sophos.com/security/analyses/viruses-and-spyware/trojntrootki.html

        • #2572514

          What next?

          by alrosenbloom ·

          In reply to This one needs to go

          Yes, I have this npf.sys file on my system and I have this registry entry: HKLM\SYSTEM\CurrentControlSet\Services\NPF
          I am presuming that I should delete both completely. Right?
          However, I don’t have this registry entry as noted on the Sophos site: HKLM\SOFTWARE\rtkit\
          Does that mean anything?

        • #2572497

          Likely Norton

          by ic-it ·

          In reply to What next?

          got rid of the main payload and left some traces behind.
          Yes, delete those two. You may also delete the file not found entries, except for the “about home” and one on display panning.
          Turn off system restore until after your final scans.
          Run another anti-rootkit program, here’s one (or the free Sophos):
          http://majorgeeks.com/Panda_Anti-Rootkit_d5457.html
          Download the latest Norton definitions and scan from Safe Mode.
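The "file not found" clean-up suggested in the reply above can be checked mechanically. This is an added example, not part of the original thread and not Autoruns' own code: it parses the flattened Autoruns text log as it appears on this page and lists dangling entries, ranking those under `Control\Lsa` first. The function names and the `keep` parameter are hypothetical.

```python
import re

# Lines copied from the Autoruns text log posted in this thread (columns are
# flattened to single spaces, as on the page).
SAMPLE_LOG = r"""
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders
+ schannel.dll TLS / SSL Security Provider Microsoft Corporation c:\windows\system32\schannel.dll
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
+ C:\WINDOWS\system32\fccCrrro File not found: C:\WINDOWS\system32\fccCrrro
+ msv1_0 Microsoft Authentication Package v1.0 Microsoft Corporation c:\windows\system32\msv1_0.dll
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
+ scecli Windows Security Configuration Editor Client Engine Microsoft Corporation c:\windows\system32\scecli.dll
"""

KEY_RE = re.compile(r"^HK(LM|CU|CR|U)\\", re.I)
MISSING_RE = re.compile(r"File not found:\s*(.+)$")
DRIVE_RE = re.compile(r"[A-Za-z]:\\")


def parse_autoruns(text):
    """Group '+ ' entries under the registry key line that precedes them."""
    entries, key = [], None
    for line in (l.strip() for l in text.splitlines()):
        if KEY_RE.match(line):
            key = line
        elif line.startswith("+ ") and key:
            body = line[2:]
            missing = MISSING_RE.search(body)
            if missing:
                path = missing.group(1).strip()
            else:
                # The image path is the last drive-letter path on the line.
                starts = [m.start() for m in DRIVE_RE.finditer(body)]
                path = body[starts[-1]:] if starts else ""
            entries.append({"key": key, "path": path, "missing": bool(missing)})
    return entries


def triage(entries, keep=()):
    """Return (priority, key, path) for dangling entries. 'keep' is a
    hypothetical list of substrings for entries a helper said to leave."""
    findings = []
    for e in entries:
        if not e["missing"] or any(k.lower() in e["path"].lower() for k in keep):
            continue
        # Packages listed under Control\Lsa are loaded by the LSA process.
        priority = "high" if "\\control\\lsa\\" in e["key"].lower() else "review"
        findings.append((priority, e["key"], e["path"]))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_autoruns(SAMPLE_LOG)):
        print(*finding, sep=" | ")
```

Export the registry key before deleting a flagged value so the change can be reverted.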

    • #2910530

      RE: PSAPI.DLL

      by rob miners ·

      In reply to Junk/trash characters stop access to desktop

      Should I rename the PSAPI.DLL that is in the windows\system32\dllcache file?

      I just renamed mine and restarted with no ill effects, I would. 😉

      Have you removed Hidownload?

      • #2910443

        Did everything. Still a problem with psapi I think

        by alrosenbloom ·

        In reply to RE: PSAPI.DLL

        Removed Hidownload. Removed all the toolbars as listed in Hijack this. I renamed all the psapi.dlls except the one in Windows\system32.

        However, when I went to unregister the psapi using this command line (regsvr32 /u C:\windows\system32\psapi.dll) I still get the message that the DllRegistry Server Entry point can’t be found.

        Should I be concerned about this? Any next steps?

        Thanks.

        • #2910331

          psapi won’t register = my mistake

          by seanferd ·

          In reply to Did everything. Still a problem with psapi I think

          This file can’t be accessed by you, as it is in use by the system, even in safe mode. Thus, my suggestion is useless.

          I have, however, seen that psapi.dll can be replaced by other software using an older version (BitDefender has been known to cause this problem, for example, as well as Motive SmartBridge, Hal Screen Reader, BT Broadband Help (BT Yahoo Help), and My Dolphin Screen Reader / Magnifier). So, the fact that you can’t register psapi is, in itself, not a problem. However, if the file version is wrong, this can cause problems, although I don’t know if your symptoms fit in this case. The version I have is this one:
          5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
          with an MD5 checksum of
          96E48C7EB9089D1DBF6F85CA11B264DF

          If your file is of this version and hash, it is OK.

        • #2910329

          And

          by seanferd ·

          In reply to psapi won’t register = my mistake

          http://www.softpedia.com/progDownload/MD5-Checker-Download-22900.html

          is one of many free MD5-checking programs, if you need one.

        • #2910162

          Not sure whether the codes matched or not

          by alrosenbloom ·

          In reply to And

          I checked the psapi.dll file in my Windows\system32 folder and the MD5 checker said “The codes did not match.” However, the “number” for my psapi.dll is the same as Seanferd listed:

          96E48C7EB9089D1DBF6F85CA11B264DF

          Should I do something with this dll?

        • #2909743

          Well, it looks good

          by seanferd ·

          In reply to Not sure whether the codes matched or not

          If you hadn’t pasted another number into the MD5 checker before you generated the hash for your psapi, it’ll say it doesn’t match, as it is comparing the generated hash to zero, essentially.

          As to your file, it is valid and up to date. Your hash matches that of a valid XPSP2 psapi.
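The comparison explained in the reply above, as an added example that is not part of the original thread and not the code of any MD5 tool mentioned in it: the check reports an empty reference field as its own result instead of as a mismatch. The names `file_md5`, `check_md5` and `demo` are this example's own, and the demo file is constructed.

```python
import hashlib
import os
import re
import tempfile


def file_md5(path, chunk=65536):
    """Stream the file so large DLLs are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()


def check_md5(path, reference):
    """Return (verdict, digest). An empty reference is reported as
    'no-reference' rather than as a mismatch."""
    digest = file_md5(path)
    ref = re.sub(r"\s+", "", reference or "").upper()
    if not ref:
        return "no-reference", digest
    if not re.fullmatch(r"[0-9A-F]{32}", ref):
        return "bad-reference", digest
    return ("match" if ref == digest else "mismatch"), digest


def demo():
    """Constructed demo: hash a 3-byte temp file and check it three ways."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"abc")
    try:
        references = (
            "",                                  # nothing pasted in
            "900150983cd24fb0d6963f7d28e17f72",  # MD5 of b"abc"
            "96E48C7EB9089D1DBF6F85CA11B264DF",  # psapi.dll hash quoted in the thread
        )
        return [check_md5(f.name, ref)[0] for ref in references]
    finally:
        os.unlink(f.name)


if __name__ == "__main__":
    print(demo())
```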

        • #2910275

          Why are you trying to

          by rob miners ·

          In reply to Did everything. Still a problem with psapi I think

          unregister the file? The whole point of the exercise is to get it registered.

          < is the popup still there >

        • #2910172

          my fault

          by seanferd ·

          In reply to Why are you trying to

          I’ve been given to understand that sometimes unregistration was required prior to re-registration for the process to work properly.

        • #2910164

          No it’s not :)

          by rob miners ·

          In reply to my fault

          your fault. 🙂

          Sometimes it gets a bit hard to work out just what is registered automatically and what needs to be unregistered and reregistered. A lot of trial and error sometimes. 😉

          We still haven’t found out if the Popup is still there. That was the original question. 😉

        • #2910152

          True Blue — popup still there

          by alrosenbloom ·

          In reply to No it’s not :)

          Yep, the Unicode popup window is still there every time I boot or start up the computer. So…anything else for us to do?

        • #2909456

          Yep there is something to do ;)

          by rob miners ·

          In reply to True Blue — popup still there

          Go to Start, Run. In the Open box, type in secpol.msc
          Navigate to Local Policies and Security Options. Scroll down to Interactive Logon: Message text for users attempting to logon. Right click on it and select Properties. If there is anything in the Text Box delete it.
          Interactive Logon: Message title for users attempting to logon. Do as above.
          < missed a bit >
          Let us know how you get on. 😉

        • #2909346

          secpol.msc not on my computer

          by alrosenbloom ·

          In reply to True Blue — popup still there

          My OS is Windows XP Home Edition. What next?

        • #2909741

          Try it this way

          by seanferd ·

          In reply to True Blue — popup still there

    • #2909146

      Try this

      by rob miners ·

      In reply to Junk/trash characters stop access to desktop

      Click Start, Run and type CONTROL USERPASSWORDS2, and click Ok. Select the user account from the list (the account to which you want to automatically logon). Uncheck Users must enter a user name and password to use this computer option, and click Ok. Type the user account password and complete the process.

      < Restart the PC >

      • #2909783

        I’m willing to do this yet before I do….

        by alrosenbloom ·

        In reply to Try this

        I actually don’t remember what password I used when I created my personal account. But…I want to retain my ability to have administrator rights to my computer when I log on. Right now, I don’t have to type a password when I log on. Will I now need to have two passwords? Also, can I “reuse” a password if I have inadvertently used it when I created the original account?

        • #2909782

          If there is no

          by rob miners ·

          In reply to I’m willing to do this yet before I do….

          password leave it blank. Don’t interfere with the Administrator Account as you will only get errors. If this doesn’t work could you provide a detailed description of the Startup. Step by step.
