Windows XP Taskbar Won't Change




    Retired Staff

  • Retired Staff
  • 11,365 posts
I still suspect this is the remnants of a SpySheriff/SmitFraud cleanup gone awry -- let me get a malware expert in here.
  • 0




    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello ShimiZaki

gerryf has invited me to assist.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy & paste the content of that report into your next reply.

IMPORTANT: Do NOT run option #2 OR any other option until you are directed to do so!

Note : process.exe is detected by some antivirus programmes (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a programme used to stop system processes. Antivirus programmes cannot distinguish between "good" and "malicious" use of such programmes, therefore they may alert the user.
  • 0




  • Topic Starter
  • Member
  • 22 posts
Hello there Custy, I really appreciate your forum team helping me. I think this is a really nice thing, and I can't tell you how much I appreciate this help, taking your time to help me; that is really nice, thanks guys. But back to business.

Here we are. Here is the report:

Scan done at 9:15:39.39, Sat 05/13/2006
Run from C:\Documents and Settings\ob\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\ob\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ob\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End
  • 0



    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello again

Looks like the bad files for the infection are all gone.

Please right click on this Wallpaper and choose Save Target As...Save it on your Desktop. Double click on it to run it and choose Yes to add it to the registry. Delete that .reg file when you are done.

Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
Copy ALL THE TEXT contained in the code box below (starts with Files ….) to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Now, start The Avenger programme by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • Upon reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy & paste the content of c:\avenger.txt into your reply along with a fresh HJT log from normal mode, by using Add Reply

If you still have the problem, try this:

Repair/Replace a corrupt/damaged Luna Theme in Windows XP

Your Luna Theme is probably corrupt or missing.

1. Download Resources.zip from Kelly's Korner
  • If for some reason you can not download it directly from above, go HERE
  • Scroll down the page to #187.
  • On the right side you will see Restore Luna theme-Restore Classic theme.
  • Right-click on the Restore Luna theme link and select Save As and save it to your desktop.
  • Depending how your machine is set up, you will either see a Winzip file called Resources, or a WinXP Zip folder called Resources.
2. Whichever it is, unzip the resources.zip file and find the file named Luna.msstyles... the file size will be 4,089 kbytes.

3. Move this file to C:\Windows\Resources\Themes\Luna (don't move it anywhere else!)

4. You may already have the same Luna file listed in this folder, but you must replace it with the new one.

5. REBOOT your system

6. Go to Display Properties and you should be able to choose the XP theme again

Note: If more than one file in C:\Windows\Resources is corrupted, you could also very well replace all the files.

If still no better, continue.....

Download FixSF.reg to your desktop by right clicking on the following link and then selecting Save Link As or Save File as, depending on your browser.

FixSF.reg Download Link We will run it shortly.

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Go to your desktop and double click on the FixSF.reg file that you downloaded earlier. When it asks if you would like to merge the information, press the Yes button and then the OK button.

It is possible that, after the reboot, the system is using the Windows Classic theme again.
To restore this and set it back to the XP theme, right-click on your desktop > Properties > tab Appearance and choose Windows XP style again under Windows and buttons.
Click Apply and OK.

If your background is abnormal go to Start>Control Panel>Display>Desktop>Customize Desktop>Web and remove the file in the Web Pages list, then OK out of display.

Any better?
  • 0




  • Topic Starter
  • Member
  • 22 posts
Hello there, since my last reboot I have not gotten the Insfproc.exe error. I believe that problem is solved. But there is still a problem. Kelly's resource zip was the first solution I tried for fixing my taskbar problem; I re-did what you asked me to do and replaced my files in my Resources folder. I did all of it, but there's that minor problem: the old Luna.msstyles file replaces itself. I'll try to replace the old one with the new one, and if I sit there and watch... the old one just comes back and replaces itself automatically.

Here is the avenger txt. But I don't know how to do this: "along with a fresh HJT log from normal mode, by using Add Reply". I don't understand what you mean, really:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:


Script file located at: \??\C:\Documents and Settings\xewpjhdb.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger


Beginning to process script file:

File C:\Windows\System32\Insfproc.exe deleted successfully.

Completed script processing.


Finished! Terminate.
  • 0



    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello again

No better then? OK, don't concern yourself with the HJT log, but please continue as below.


Right Click the Zip Folder and Select "Extract All"

Don't use it yet!

Reboot into Safe Mode: please see here if you are not sure how to do this.

From the WinPFind folder-> Doubleclick WinPFind.exe and Click "Start Scan"

It will scan the entire System, so please be patient!

Once you see "Scan Complete"-> a log (WinPFind.txt) will be automatically generated in the WinPFind folder.

Restart normally and post the contents of WinPFind.txt
  • 0




  • Topic Starter
  • Member
  • 22 posts
Here we are :

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
UPX! 3/12/2006 6:25:00 PM 16384 C:\auxsetup.exe
UPX! 12/13/2005 9:03:42 PM 62412795 C:\GtkRadiantSetup-1.3.12-Raven.exe
UPX! 10/1/2004 7:15:02 AM 56320 C:\kgsonyall.exe
UPX! 3/12/2006 6:24:52 PM 6656 C:\vdicmdrv.dll
UPX! 3/12/2006 6:24:56 PM 7168 C:\vdremote.dll
UPX! 3/12/2006 6:24:56 PM 5120 C:\vdsvrlnk.dll
UPX! 3/12/2006 6:27:02 PM 758784 C:\VirtualDub.exe

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
PEC2 3/19/2004 4:35:10 PM 41397 C:\WINDOWS\DFRG.MSC
PEC2 10/26/2004 4:38:24 PM 716800 C:\WINDOWS\DivX.dll
PECompact2 10/26/2004 4:38:24 PM 716800 C:\WINDOWS\DivX.dll

Items found in C:\WINDOWS\hosts

PTech 7/12/2005 6:04:22 PM 520456 C:\WINDOWS\LegitCheckControl.dll
PECompact2 12/8/2005 6:20:26 PM 2714976 C:\WINDOWS\MRT.exe
aspack 12/8/2005 6:20:26 PM 2714976 C:\WINDOWS\MRT.exe
aspack 8/4/2004 12:56:38 AM 708096 C:\WINDOWS\ntdll.dll
Umonitor 8/4/2004 12:56:46 AM 657920 C:\WINDOWS\rasdlg.dll
winsync 3/19/2004 4:44:18 PM 1309184 C:\WINDOWS\WBDBASE.DEU

Checking %System% folder...
UPX! 7/5/2002 4:12:06 PM 27136 C:\WINDOWS\SYSTEM32\AuthDVD.DLL
aspack 7/22/2005 8:59:04 PM 2319568 C:\WINDOWS\SYSTEM32\d3dx9_27.dll
PEC2 8/29/2002 6:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PEC2 9/28/2005 3:29:14 PM 693248 C:\WINDOWS\SYSTEM32\DivX.dll
PECompact2 9/28/2005 3:29:14 PM 693248 C:\WINDOWS\SYSTEM32\DivX.dll
UPX! 2/18/2003 11:58:36 AM 90112 C:\WINDOWS\SYSTEM32\dprsx.dll
PTech 2/14/2006 9:20:14 AM 550120 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
PECompact2 5/3/2006 10:26:22 PM 5818784 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 5/3/2006 10:26:22 PM 5818784 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 1:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 1:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 4/27/2006 5:49:30 PM 288417 C:\WINDOWS\SYSTEM32\SrchSTS.exe
UPX! 1/9/2006 10:36:04 AM 42496 C:\WINDOWS\SYSTEM32\swreg.exe
UPX! 1/9/2006 10:36:06 AM 40960 C:\WINDOWS\SYSTEM32\swsc.exe
winsync 8/29/2002 6:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
UPX! 5/7/2006 9:05:12 AM 775680 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG! 5/7/2006 9:05:12 AM 775680 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PEC2 5/7/2006 9:05:12 AM 775680 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack 5/7/2006 9:05:12 AM 775680 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PTech 8/3/2004 11:41:38 PM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
5/13/2006 12:20:34 PM S 2048 C:\WINDOWS\bootstat.dat
5/13/2006 10:13:28 AM H 9066 C:\WINDOWS\p7grl
5/11/2006 9:49:58 PM H 54156 C:\WINDOWS\QTFont.qfn
4/29/2006 8:10:18 PM RH 0 C:\WINDOWS\assembly\PublisherPolicy.tme
4/29/2006 8:10:18 PM RH 0 C:\WINDOWS\assembly\pubpol1.dat
4/29/2006 8:24:48 PM RH 0 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index1b.dat
4/29/2006 8:24:50 PM RH 0 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index1c.dat
3/22/2006 5:17:30 PM S 14054 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB908531.cat
3/23/2006 12:15:38 AM S 10925 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911562.cat
3/17/2006 3:24:26 AM S 12455 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911567.cat
3/30/2006 4:03:56 AM S 22339 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB912812.cat
3/21/2006 11:19:48 PM S 15945 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB913580.cat
4/3/2006 9:03:16 PM S 124622 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem2.CAT
3/20/2006 1:43:18 PM S 7900 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem3.CAT
5/13/2006 12:20:24 PM H 8192 C:\WINDOWS\system32\config\default.LOG
5/13/2006 12:20:56 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
5/13/2006 12:20:36 PM H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
5/13/2006 12:21:16 PM H 69632 C:\WINDOWS\system32\config\software.LOG
5/13/2006 12:21:00 PM H 1032192 C:\WINDOWS\system32\config\system.LOG
5/10/2006 7:01:08 PM H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
3/15/2006 9:29:50 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\64246c33-7755-45bc-8df0-395d6013fdf3
3/15/2006 9:29:50 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
5/13/2006 12:00:00 PM H 252 C:\WINDOWS\Tasks\B39E084B959DB8CB.job
5/13/2006 12:19:26 PM H 6 C:\WINDOWS\Tasks\SA.DAT
4/26/2006 7:52:54 AM HS 0 C:\WINDOWS\Temp\4zi21z2n.TMP

Checking for CPL files...
5/25/2004 9:06:58 AM 417792 C:\WINDOWS\SYSTEM32\ac3filter.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 11/10/2005 2:03:50 PM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
3/20/2006 1:43:16 PM 372736 C:\WINDOWS\SYSTEM32\PhysX.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 9/23/2004 6:57:40 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
6/28/2005 2:31:50 AM 1757 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ADOBER~1.LNK
3/19/2005 10:41:10 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
3/19/2005 6:12:22 PM 1518 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
3/19/2005 3:05:52 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
3/19/2005 10:41:10 AM HS 84 C:\Documents and Settings\ob\Start Menu\Programs\Startup\desktop.ini
9/3/2005 1:30:38 PM 650 C:\Documents and Settings\ob\Start Menu\Programs\Startup\Xfire.lnk

Checking files in %USERPROFILE%\Application Data folder...
6/28/2005 2:30:04 AM 1556 C:\Documents and Settings\ob\Application Data\AdobeDLM.log
3/19/2005 3:05:52 AM HS 62 C:\Documents and Settings\ob\Application Data\desktop.ini
6/28/2005 2:30:02 AM 0 C:\Documents and Settings\ob\Application Data\dm.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
{E9F5B111-CACC-4FD4-81FD-4EB4FD6765A3} = C:\Program Files\DivX\Dr.DivX\EncodeDivXExt.dll
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido anti-malware\context.dll
{12B23346-6BD8-4812-BF8C-75E7C386ACB8} = C:\Program Files\GiPo@Utilities\GiPo@MoveOnBoot\mboot.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.5\contmenu.dll
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
{BB83FD23-AC96-472D-8AA2-7D8560A61D1A} =
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.5\contmenu.dll
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

{46D570D9-71C8-44E5-A76C-AADFE94442CA} =
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido anti-malware\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.5\contmenu.dll
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

= %SystemRoot%\system32\SHELL32.dll
= %SystemRoot%\system32\SHELL32.dll
= %SystemRoot%\system32\SHELL32.dll
= %SystemRoot%\system32\SHELL32.dll
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
UberButton Class = C:\Program Files\Yahoo!\Common\yiesrvc.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}
PCTools Site Guard = C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{65D886A2-7CA7-479B-BB95-14D1EFB7946A}
YahooTaggedBM Class = C:\Program Files\Yahoo!\Common\YIeTagBm.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
SSVHelper Class = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
Google Toolbar Helper = c:\program files\google\googletoolbar2.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B56A7D7D-6927-48C8-A975-17DF180C71AC}
PCTools Browser Monitor = C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2D663D1A-8670-49D9-A1A5-4C56B4E14E84}
ButtonText = Spyware Doctor :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
ButtonText = Yahoo! Services :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\Program Files\AIM95\aim.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Search Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar2.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = :
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar2.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = :

SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
MessengerPlus3 "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
AVG7_CC C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
AGEIA PhysX SysTray C:\Program Files\AGEIA Technologies\TrayIcon.exe
THGuard "C:\Program Files\TrojanHunter 4.5\THGuard.exe"

IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1





MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
AIM C:\Program Files\AIM95\aim.exe -cnetwait.odl
Yahoo! Pager C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
MessengerPlus3 "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
Skype "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized




[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]





{17492023-C23A-453E-A040-C7C580BBF700} 1

{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


dontdisplaylastusername 0
shutdownwithoutlogon 1
undockwithoutlogon 1
DisableTaskMgr 0




PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\Userinit.exe
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent
= Ati2evxx.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier
= WRLogonNTF.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 5/13/2006 12:46:51 PM
  • 0
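As an added example for the log quoted above (this is not code from the thread, from WinPFind, or from its author), here is a small Python triage script for WinPFind-style output. It parses the three line formats that matter for a quick defender's read of such a log: packer-tagged file lines, the Winlogon `Shell`/`UserInit` values, and `Debugger` values under Image File Execution Options. The XP defaults it compares against (`Shell = Explorer.exe`, a single `userinit.exe` entry, and the stock "Your Image File Name Here without a path" placeholder key) are stated as the example's assumptions; the sample lines are constructed for the example, mostly copied from the log above with two deliberately suspicious entries added, and the `C:\EXAMPLE\...` paths are placeholders.

```python
"""Triage helper for WinPFind-style scan output (added example, not WinPFind's code).

Checks performed:
  * packer-tagged PE files modified within the last N days before the scan
  * Winlogon Shell/UserInit values that deviate from the assumed XP defaults
  * Image File Execution Options "Debugger" entries other than the placeholder key
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Packer signatures WinPFind prints in the first column of a file line
PACKER_TAGS = {"UPX!", "aspack", "PEC2", "PECompact2", "FSG!", "PTech"}
PE_EXT = (".exe", ".dll", ".sys", ".scr", ".cpl")
STAMP_FMT = "%m/%d/%Y %I:%M:%S %p"

# "<tag> <m/d/yyyy> <h:mm:ss AM|PM> <size> <drive:\path>"
FILE_LINE = re.compile(
    r"^(?P<tag>\S+)\s+(?P<stamp>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)"
    r"\s+(?P<size>\d+)\s+(?P<path>[A-Za-z]:\\.*)$"
)
KEY_LINE = re.compile(r"^\[?(?P<key>HK[A-Z_]+\\[^\]]+)\]?$")   # "[HKLM\...]" or bare key
VALUE_LINE = re.compile(r"^(?P<name>[^=\\]+?)\s*=\s*(?P<data>.*)$")
SCAN_DONE = re.compile(r"^Scan completed on (?P<stamp>.+)$")

IFEO_MARK = "\\image file execution options\\"
IFEO_PLACEHOLDER = "your image file name here without a path"   # assumed stock XP key


def parse_stamp(text: str) -> datetime:
    return datetime.strptime(text.strip(), STAMP_FMT)


def triage(lines: List[str], recent_days: int = 30) -> Dict[str, List[str]]:
    findings: Dict[str, List[str]] = {"packed_recent": [], "winlogon": [], "ifeo": []}
    files: List[Tuple[str, datetime, str]] = []
    scan_time = None
    current_key = ""

    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = SCAN_DONE.match(line)
        if m:
            scan_time = parse_stamp(m.group("stamp"))
            continue
        m = FILE_LINE.match(line)
        if m and m.group("tag") in PACKER_TAGS:
            files.append((m.group("tag"), parse_stamp(m.group("stamp")), m.group("path")))
            continue
        m = KEY_LINE.match(line)
        if m:
            current_key = m.group("key").lower()   # remember which key values belong to
            continue
        m = VALUE_LINE.match(line)
        if not m:
            continue
        name, data = m.group("name").strip().lower(), m.group("data").strip()
        if current_key.endswith("\\winlogon"):
            if name == "shell" and data.lower() != "explorer.exe":
                findings["winlogon"].append(f"Shell = {data}")
            if name == "userinit":
                # Expect exactly one entry whose file name is userinit.exe;
                # extra comma-separated entries are a classic persistence trick.
                entries = [e.strip() for e in data.split(",") if e.strip()]
                names_ok = all(e.lower().rsplit("\\", 1)[-1] == "userinit.exe" for e in entries)
                if len(entries) != 1 or not names_ok:
                    findings["winlogon"].append(f"UserInit = {data}")
        elif IFEO_MARK in current_key and name == "debugger":
            image = current_key.rsplit("\\", 1)[-1]
            if image != IFEO_PLACEHOLDER:
                findings["ifeo"].append(f"{image}: Debugger = {data}")

    if files:
        reference = scan_time or max(stamp for _, stamp, _ in files)
        cutoff = reference - timedelta(days=recent_days)
        for tag, stamp, path in files:
            if path.lower().endswith(PE_EXT) and stamp >= cutoff:
                findings["packed_recent"].append(f"{tag} {path}")
    return findings


# Constructed sample: lines copied from the log above plus two suspicious entries.
SAMPLE_LOG = r"""
Checking %SystemDrive% folder...
UPX! 3/12/2006 6:25:00 PM 16384 C:\auxsetup.exe
UPX! 4/27/2006 5:49:30 PM 288417 C:\WINDOWS\SYSTEM32\SrchSTS.exe
aspack 8/4/2004 1:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Microsoft Corporation 8/4/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\Userinit.exe,C:\EXAMPLE\extra-entry.exe
Shell = Explorer.exe
System =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
Debugger = C:\EXAMPLE\not-a-real-debugger.exe

Scan completed on 5/13/2006 12:46:51 PM
"""

if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG.splitlines()).items():
        print(category, items)
```

Everything the script flags is a "look at this" item, not a verdict: in the thread's own log the recently modified packed file in System32 is SrchSTS.exe, which is S!Ri's search tool, so a human still has to read each hit in context, exactly as the WinPFind banner warns.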



    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello again

The WinPfind log is negative, although I notice that you have MSN Messenger plus installed. The file msgplus.exe is distributed as a third party MSN extension. However it is also spyware if installed with the sponsor programme it offers to install. If this optional sponsor programme was installed, this process monitors your browsing habits and distributes the data back to the author's servers for analysis. This also prompts advertising pop-ups.

I suggest that you uninstall it, reboot normally, and download a fresh copy, but this time read the EULA and do not grant permission for the third party software.

See this link for further information: http://msmvps.com/bl...4/08/89789.aspx

I did a case like this not too long ago and I can't remember the solution. It has something to do with Windows classic style.

Did you complete all of the fixes I gave you two posts ago?

If you right click on START > PROPERTIES and just check that all is correct in that area.

Edited by Crustyoldbloke, 13 May 2006 - 01:27 PM.

  • 0




  • Topic Starter
  • Member
  • 22 posts
Yes, I have done the last two posts and completed them. Though, I have never had a problem with MsnPlus. I've had it since before I even got this spyware.. I've had this Msn for almost a year, and I got this spyware a while back, so I'm not sure,

But I will go ahead and uninstall it...

The last case you did, do you still have the old archive of it? Or the old forum post?

  • 0



    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello again

Did you do this?

If you right click on START > PROPERTIES and just check that all is correct in that area.

I wish I could remember the fix or the victims name, but sadly I can't and I am not going to trawl through 7000 posts. I do recall using the Luna Theme.
  • 0





  • Topic Starter
  • Member
  • 22 posts
Ha, yeah.. I tried looking under taskbar; there were so many..

Sure did, right clicked on start and went to properties and made sure everything was set, and it was.
I'll be looking for that post though mean while.

  • 0



    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
I wonder if this might work:


Click the above link and save it to your desktop. Double click on it and choose YES
  • 0




  • Topic Starter
  • Member
  • 22 posts
No, still no go.. :whistling: I am wondering though. I was forum jumping on this site. Should I do what is suggested here:

http://www.geekstogo...9&hl=Luna theme

The Last Post..Wannbe1 made.

  • 0



    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
The repair won't do any harm, but you may have to re-apply SP2 afterwards unless you have a later version of XP with SP2 already included on the CD.

Also option #2 on the SmitfraudFix might help.
  • 0




  • Topic Starter
  • Member
  • 22 posts
Yeah, just tried to repair; still didn't work.. I'll try the SmitfraudFix next. Do you have any other suggestions we might try?

Edited by ShimiZaki, 14 May 2006 - 11:17 AM.

  • 0
