NSIS Media Popups
littlebits
July 7th, 2006, 02:07 PM
As a computer programmer, I never get malware installed on my computer, and when I do, I can usually get rid of it. But this one has got me.
About a week ago, I started getting popups when running Firefox.
The popups are launched with explorer.exe, not with IE, and they randomly launch while using the IE, Firefox and Maxthon browsers. They don't launch while using Opera, however.
The popups are blank, probably because they are blocked by my hosts file or another one of my security programs (NOD32, SpySweeper, Spybot, SpywareBlaster, Sygate Pro).
The dialog box header displays "Advertisment - NSIS Media" (misspelled).
Malware Info:
Location: C:\Program Files\Common Files\NSIS
Files in the folder: uninst.exe, ns24.dll
Actions that I have tried:
1. Ran the "uninst.exe" in the above folder; it says NSIS Media Extention is uninstalled and the computer must reboot. I rebooted, and the problem was still there, but now there was another file in the same folder, "ns48.dll".
Each time I run the "uninst.exe" another file appears in that same folder (ns68.dll, for example: ns + two random numbers + .dll).
2. Turned off System Restore, deleted the above folder in Safe Mode and emptied the Recycle Bin. Used the Registry Editor and manually deleted all keys, subkeys and values for NSIS. The folder and files still come back after reboot.
3. Scanned my computer with NOD32, SpySweeper, Ad-Aware, Spybot, TrojanHunter, BitDefender online, McAfee online, TrendMicro HouseCall online, Symantec online and McAfee Stinger. Nothing was found, except that TrojanHunter flagged the "uninst.exe" as "Adware.PurityScan.312" and removed it, but it still came back after reboot.
4. Ran HijackThis and nothing was found.
5. Checked running programs with Process Explorer, and that is how I found out that it uses explorer.exe to launch, but I still can't find the string. Nothing else shows up in the Task Manager.
I know this has to be either a hidden trojan or a hidden worm. I have no idea how it got installed or how it got past my security programs.
I have searched all over the web trying to find some info, but there is not much there that can help.
Any help would be appreciated.
Thanks.
DigitalJunkie
July 7th, 2006, 04:22 PM
Since you know it has attached itself to Explorer, did you try regedit to find any registry keys for Explorer's browser feature that they could exploit?
P.S. Of course, as you know, you should make a backup copy of all registry keys before you make any changes!
Dark Messenger
July 7th, 2006, 06:28 PM
Stop running the uninstall in that folder. Reason: think of the uninst.exe as trojan.exe, and each time you run it you reinstall or restart it. That's my suspicion.
Can you go into Safe Mode and unregister the DLL?
Does it show up in msconfig?
Can you stop it from running automatically with msconfig? Does it pop these screens up as soon as you open a browser, or is there a particular webpage or website that pops this NSIS message up?
Without googling I have no idea what that NSIS is, but I'd imagine it has something to do with the Nullsoft installer software. Other than that I can't think of anything else it could be associated with, unless Norton Antivirus.
The two random numbers you mention are definitely calls to certain functions within the DLL. They can be as simple as calling an icon from the DLL or calling the message box window you report seeing.
There are two programs for examining the DLL file. One is well known and works with most 32-bit DLL files; the other only works on 16-bit DLL files. This is probably a 32-bit DLL file.
But yeah, searching the registry for 'uninst.exe' or 'nsis' is a good idea. Anything that runs has to be launched from somewhere; usually it will be done in the registry, and if you can find and delete the key that calls this file, it won't associate itself with Explorer anymore or run on its own.
It's a lot of hard work manually searching your registry yourself. Make sure you have "show all file extensions" ticked, even hidden and system files, and keep hitting F3 to cycle through searches in your registry editor until you find all instances of it.
Startup Monitor or Startup Cop should show you what registry key is calling this. I thought HijackThis did too; if it does, then it would be easy to delete this key. Sometimes, as you know, there may be another program with an indiscreet name that is called to recreate the trojan, for example:
something calling uninstal.dat or someothername.cab to be recreated or renamed each time the system is booted.
Did you google 'nsis' and the uninst.exe?
Edit: I see you've done all or most of the above.
Now just delete the uninst.exe and DLL file yourself. Don't try double-clicking on the 'uninst.exe', as that may be what's reinstalling the trojan: a trojan disguised as an uninstaller for itself. Clever.
If you don't remember installing this, get rid of it; odds are you don't need it. If you do have problems with a particular program after removing it, you can always reinstall whatever application it is that needs it, if one needs it, but I bet you won't.
littlebits
July 7th, 2006, 07:33 PM
Ok guys, the good news: the objects in the NSIS folder have been deleted for good.
I went into Safe Mode and deleted the DLLs and the uninst.exe, then I simply denied permissions on that folder, set only to read. I can't delete the folder or the objects will come back.
The bad news: for some unknown reason, I'm still getting popups from NSIS Media.
Yes, something is still launching explorer.exe to display the blank popups. But so far no other computer problems.
Rescanned my computer in Safe Mode with all of the scanners, plus I installed SUPERAntiSpyware, but it didn't find anything either.
This must be something new because of the lack of info.
Thanks for the help.
Unsueable Davey Brown
July 7th, 2006, 08:12 PM
They seem to be trying to help a lot of people with something that comes up with NSIS all over it here:
http://forums.spywareinfo.com/index.php?act=Search&CODE=show&searchid=8dd590da07c6d15ed5c0a44fd4e2410b&search_in=posts&result_type=topics&highlite=%2Bnsis
I linked to the search page there for NSIS.
littlebits
July 10th, 2006, 04:30 PM
Ok, I had to reinstall Windows to remove this malware. But I found out what caused it.
I installed Foxie Browser Suite with Security Firewall. The Firewall was a worm.
Do NOT install Foxie Browser Suite; it's a fake program with a worm that uses firewall.exe to download more malware.
Here are my posts on Wilders Security Forum: http://www.wilderssecurity.com/showthread.php?t=138307
Foxie's websites: getfoxie.com, spreadfoxie.com
Don't install it unless you want to reinstall Windows.
Thanks.
Unsueable Davey Brown
July 11th, 2006, 12:11 AM
That one's scary. Hope those guys you submitted it to figure it out.
familyfreak101
July 13th, 2006, 09:55 PM
I used to have the same problem with NSIS. I heard that you could find it in Add/Remove Programs, so I tried it and to my surprise there it was. So I uninstalled it, but while I was uninstalling it, "uninst.exe" made a hidden launch. I'm almost positive that it's a worm that launches once it is uninstalled to reinstall itself. Luckily I have Kaspersky Lab Anti-Virus, which nailed the launch before it could continue. I stopped it and now I haven't had any problems. Haven't seen NSIS in a while. I first noticed a week ago that something kept making a hidden launch of "explorer.exe". Kaspersky caught it 90% of the time, but a few slipped through. I was getting sick of it so I decided to do something (I know I'm lazy). I checked out the forums that came up from Google and most had no idea what to do. Some said that someone could get rid of it by simply uninstalling it from Add/Remove Programs. I think you can just make sure that uninst.exe can't launch itself. I'm sure that's why it keeps appearing on your computer even after you think you got rid of it.
littlebits
July 13th, 2006, 10:16 PM
I sent out copies of this malware to Sunbelt's CounterSpy, Symantec (Norton), NOD32, Kaspersky, McAfee, AVG, Avast, BitDefender, Ewido's AntiSpyware, Microsoft's Windows Defender, Spybot S&D and Lavasoft's Ad-Aware. I couldn't find a way to send it to Webroot SpySweeper or PC Tools Spyware Doctor.
The only ones that replied are: Symantec, who said it was an unknown internet worm and said they are working on detection and removal. They recommended that anyone infected with this do a system recovery with their Windows disks, because the damage is unknown at this time.
Sunbelt's CounterSpy, who also said that it was an unknown malware program, maybe a worm or a virus or trojan downloader. Still working on classification and detection.
Ewido said they couldn't find any problems, but they are still working on it.
Thanks.
Dark Messenger
July 13th, 2006, 10:28 PM
Kudos on the discovery and for following up on it, littlebits.
infoseeker
July 14th, 2006, 06:21 AM
Ok, I had to reinstall Windows to remove this malware. But I found out what caused it.
I installed Foxie Browser Suite with Security Firewall. The Firewall was a worm.
Do NOT install Foxie Browser Suite; it's a fake program with a worm that uses firewall.exe to download more malware.
Here are my posts on Wilders Security Forum: http://www.wilderssecurity.com/showthread.php?t=138307
Foxie's websites: getfoxie.com, spreadfoxie.com
Don't install it unless you want to reinstall Windows.
Thanks.
So meaning you reinstalled your Windows, littlebits?
I think it's really late from my side:
I got "almost" the same problem; it's something like spyware = "trustinbar.exe", and it has its own folder in my C:\ drive.
My AVG first detected it, so I put it in the vault.
Then I ran Windows Defender, still the same result, so I clicked delete or something.
(Ad-Aware did not detect it.)
Not yet finished.
Then I ran Spybot S&D, same result; I immunized.
I thought it was really finished, then a few days after, my AVG detected it again,
so I ran the same as above again, same result as above.
So I did the same as you: I looked for its folder, then tried to delete it, no luck.
Then Safe Mode, same, no luck deleting it.
What I did is:
(I'm getting a little knowledge of HJT, only for my PC scan.)
SAFE mode:
I ran CCleaner, ran Window Washer, ran:
AVG: deleted that "trustinbar.exe" and what is connected to it
Spybot S&D: scanned and fixed problems and immunized all
I ran HJT, checked all the files connected to that "trustinbar.exe" and fixed them.
Then I looked at that folder, then I tried to delete it and VOILA, it worked.
So then, to be sure, I ran CCleaner again, ran Window Washer.
(Remember) I'm still in SAFE MODE. I disable System Restore >>> Reboot >>> Re-enable System Restore.
(The purpose of this is so that some malware that leaves remnants in C:\System Volume Information will be flushed and surely will not come back.)
Then I looked at that folder, then I tried to delete it and VOILA, it worked.
So for the others getting the "same" problem, maybe try to follow what I did regarding "disable System Restore".
infoseeker
littlebits
July 14th, 2006, 07:10 AM
Infoseeker, your problem was much easier to solve since it is a known adware program.
http://service.symantec.com.tw/avcenter/venc/data/adware.trustinbar.html
http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453098075
I'm glad you got rid of it without having to reinstall Windows. Hijack This would have got rid of it also.
However, the NSIS malware is an unknown worm or virus; Safe Mode doesn't work with it because it changes your Windows system files, and it can't be detected even by HijackThis.
Update: Symantec has identified part of the malware infection. It installs in your "Hard Drive\Program Files\Mozilla Firefox\chrome"; the file is "NSIS.jar" (an exe in a Java file). It bypasses your firewall, makes copies of itself in many different folders and embeds itself into Windows system files, which is why, no matter how you delete it, it will come back unless you know where all the infected files are located. One of the system files that is known to be infected is "svchost.exe", the Microsoft Service Host Process. Once it infects this system file, it has complete access to connect to the internet and do its nasty work.
It's possible that dsncaching.net is the malware's server where it gets its nasties. Adding dsncaching.net to your hosts file might block part of the infection.
The overall damage is still unknown at this time; it could steal your passwords, private info and no telling what else.
A system recovery was the best option for me.
Thanks.
wattsja
July 14th, 2006, 09:50 AM
After much blood, sweat, tears, trial and error (I wasn't going to let it beat me because I DID NOT want to reload), I have figured out what was causing my NSIS Media pop-ups.
In my %win%\system32 directory, I had the following 2 files:
krnsvr32.dll
wmdmb32.dll
Neither of these is a Windows file, and mine are dated 2001. I couldn't delete them, but I was able to MOVE them (accomplishes the same thing, huh?) to a temp folder, then rename them. Once this was completed, I manually removed the NSIS stuff (folder and registry entries), rebooted, and it was gone. I put the files back, rebooted, and it's back.
Hope this will help some of you.
Also, if you are one of the people who "uninstalled" it, you had better check, because the folder location (maybe) and the file names change!!
mtaylor0617
July 17th, 2006, 05:52 PM
Ah, bless you wattsja, and your children, and your children's children .....
I have been working on this problem for weeks (you can read my exercises in futility in the Winamp support forums on this subject), yet no matter what I did, the NSIS folder was always returned on reboot, with a new DLL file (NSxx) and the uninstall worm (let's call a spade a spade).
Having failed in all other attempts, and with all suggestions failing, I elected to open the existing NS DLL in a text utility and change a few characters to hopefully corrupt the file. This stopped the popups, but I wanted this thing GONE. I was just going to wait for one of the anti-spyware folks to get on the stick with this problem and offer a fix or a removal tool or something, rather than risk having it insinuate itself further into my registry by my attempts to remove it.
Your suggestion seems to have worked perfectly! I found those two files, with the same date stamp, and I 86'd them to a limbo file as you suggested. I had to use JVC to unload registry entries under the NSIS Media Extension heading, as it seems to find every media related piece of software on the drives, and then unload NSIS media references and keys with a registry tool, but I'm happy to say for the first time in a long time, that damn NSIS folder and the self-perpetuating DLL are gone! Thanks for figuring it out. God knows I couldn't.
Problem now is, did it linger elsewhere? This is the rottenest piece of malware I've ever seen, and has defied all other attempts to purge it, even though the amount of infections seems rather small from Google searches. My fear is that something like this could be used for something far more malicious than simply getting a few blank pop-up windows past our blockers. Most of the people who have had this seem fairly savvy, so this got past our firewalls and virus protection and spyware blockers, and then when installed, couldn't be found, let alone removed. Let's hope someone nails this down definitively so a protection can be put in place, and we know where it came from. Thanks again.
Sick Boy
July 19th, 2006, 11:29 AM
I've been following this thread, and others, with interest since I too have been plagued with this nasty little trojan for almost 2 weeks now.
As mtaylor0617 points out, a great many people infected with this aren't novice users but are actually pretty computer savvy. I've been using computers since the mid 70's and I've got this thing, but can't for the life of me figure out from where. I've seen Foxie bandied about as an almost certain carrier, but I've never downloaded or installed it, so I'm stumped. I just built this system, so there is only a small list of programs that I've gotten online: Firefox, Thunderbird, Open Office, AVG Free Edition, Zone Alarm, Adobe Acrobat Reader, Photobie, QuickTime Player, Frostwire, Painkiller demo 1, and the Prey demo. That's it. I'm not sure if I want to go into the registry and system files to surgically remove this thing until I know what program was carrying it in the first place. I'm hoping that one of the antivirus or spyware companies will have a eureka moment soon and provide an explanation. I'll give it another week. For now I guess I'll put up with the Party Poker pop ups.
littlebits
July 19th, 2006, 12:06 PM
The NSIS malware is related to the Nullsoft Scriptable Install System- http://nsis.sourceforge.net/Main_Page
It is an open source project where anyone can create their own installers. Many popular programs are using this system to install their products. This means either there is a bug in the Nullsoft Scriptable Install System that allows other malware to install, or some bad programmers are using this system to inject malware into their products. I have read all over the internet about this strange NSIS malware; some of the people that got infected didn't install anything but trusted programs, but many of these trusted programs used the Nullsoft Scriptable Install System.
Like myself: at the time I got infected with it there were only a few programs that I had installed. Two of them used the Nullsoft installer; one was Foxie. I had NOD32 with all modules enabled and Webroot SpySweeper running with all shields, and Sygate Pro firewall in stealth mode. But I screwed up by letting Foxie connect with its firewall.
I also had SpywareBlaster updated to restrict bad products and Spybot's Immunize activated.
It really is a mystery how that malware got past all this protection.
Thanks.
mtaylor0617
July 19th, 2006, 02:42 PM
I'm a Maxthon user, and have been for a number of years. I always have their excellent suite of ad and pop-up blockers enabled, as well as the ActiveX blocker.
Just prior to this NSIS prob, I had a small problem in opening my IE browser. This had a small effect on Maxthon, but I could easily work around it. In any event, we don't like our computers operating not up to snuff if we can help it, and I resolved to troubleshoot the IE glitch. Fearing that I might make things worse (not impossible!), I downloaded the Firefox browser for the first time, as it had an independent engine, and I didn't want to lose Internet access. I used it just long enough to configure it to some degree, and check it out while I had it on my drive. I am almost certain that this is when I first started getting those blank NSIS Media popups. I think at the time I just figured it was a "Firefox thing" (their blockers weren't as effective, for instance), and didn't worry about it too much. It was when I went back to Maxthon and IE and got the popups that I first started going, "uh-oh!"
I thought there was a general problem with known browser PU-blockers causing this, so while I was trying to deal with it from the browser end, I didn't realize for quite a few days that this NSIS crap had been installed on my drive. I have never had a piece of malware, a worm, or virus that has caused me any problem. I've had stuff turn up, sure, with scans, but never anything that had been doing any damage yet. This was my first real infection, and it was a doozy, not so much for what it did (hopefully the popups were the extent of its purpose) but because it seemed almost supernatural in its ability to remain on the drive. When you look at my scan from JVC registry cleaner when removing "NSIS Media Extension" from the startup menu via the registry (on the Winamp forum), you can see how many keys were involved. Mostly A/V media software, but even image software like Google's Picasa. None of these keys or entries even MENTIONS NSIS, and I relied on JVC to tell me they had been compromised. Then there are the basic NSIS Media keys (titled as such) that need to be purged from the registry.
I am wondering, from all that I've read so far, if a small amount of Firefox browser install files had this infection for a short period of time. I say small amount, as this thing doesn't appear to be running wild, at least yet, unless there are a lot of people out there who accept popups as part of everyday life on the web. In any event, one of the first things I did was uninstall Firefox and take every reference out of the registry. It didn't help at the time, but I still have the feeling that this is where it came from. I can understand, Sick Boy, how you may not want to attack system or registry files without having all information available, but moving and renaming those two files in the system folder really did solve the problem. Whether that would work without also wiping out the registry entries, I don't know, but if you want to do something as minimally as possible to try and stop the popups, that might be the way to go, (and delete the NSIS folder too.) I suspect that NS**.dll file HAS to be present for the whole package to work, which is why so much time was spent on designing this monster in such a way that you can't delete it, or even rename it. (Well, you CAN rename it, but then there is another NS**.dll sitting beside your renamed DLL on the next reboot. Grrrr.)
Good luck anyway, and hope you can send this thing to Malware Hell before too long. Don't know if you're noticing this too, but in addition to the popups, I also had a much slower computer; a lot of disk activity, as if an intense process was running in the background all the time, although I couldn't find it even with real-time system process monitors. I think it was hooked into SVCHOST.EXE in some way, so it probably looked legit to me. As soon as I got rid of this, my machine went back to normal operating and boot-up speeds.
TomC26
July 20th, 2006, 04:04 AM
I've had this pesky malware on my system for a couple of days now.
Of the software listed by Sick Boy I'm running Firefox, Thunderbird, Open Office, Adobe Acrobat Reader, and QuickTime Player.
The most recent ones to be updated were Open Office (to 2.0.3) and Firefox Allow Right Click extension, both a couple of days before the NSIS Media popups started to appear.
They show up whenever I use Firefox (my default browser) after a variable delay of several minutes. Yesterday they only showed up a few times, today it's more like every 10 minutes.
Hope this helps someone to track it down.
Nathan Detroit
July 21st, 2006, 04:57 PM
And definitely from "Foxie" in my case. I've tried pretty much everything mentioned here. I also wrote a little VBScript to delete the NSIS folder on startup, but the popups continue. I'm beginning to think the folder and the DLL may have little to do with the real infection. On another forum someone mentioned that the folder seems to be created on shutdown rather than on startup, which may be the case. I've seen different registry entries; one refers to something called "flockstd", I believe. The thing certainly seems to have infected one or more system files, and there doesn't seem to be any obvious place in the registry where it's getting called. I referred it to Mark at SysInternals, the guy who outed the Sony rootkit, but with incredibly bad timing: they just got bought by Microsoft, so I doubt I'll be hearing from him. It's good to know that some of the AV companies are looking into it.
Whoever wrote this damned thing knew what they were doing. That raises the question - if the purpose is to serve ads, why is it so easy to block the ad content itself when the rest of it is so sophisticated? It makes me worry that the real purpose is something more sinister - but then again, why call attention to it with the ad windows? As you can see this is driving me crazy. At this point, I think the best way to nail it down would be installing Foxie on a clean system with RegMon, FileMon and every other surveillance gizmo running and try to find out what it's doing when it gets its hooks into a system.
Sick Boy
July 21st, 2006, 06:55 PM
I agree with you, Nathan Detroit. I tend to think that the ad serving part of this little beast might be a cover for something else. This has all the hallmarks of something more malicious. Most adware tends to be sneaky and hard to remove, but it doesn't usually propagate itself throughout your system when you try to uninstall it. That particular feature is more virus-like. Some people have had success getting rid of the popups using the supplied uninstaller, some haven't. The ones that still get popups are reporting that this thing is pretty invasive. I think that the ones that aren't getting popups anymore probably assume that they've fixed the problem and haven't gone in to check if this thing is still lurking. I just find it hard to believe that something that sneaky and persistent would actually disarm itself with its own uninstaller. I think that mtaylor0617 may have discovered how to break this thing, but it's hard to tell without knowing exactly what it's doing.
Guitarist2556
July 21st, 2006, 08:23 PM
As I previously posted on another forum: a few weeks ago I encountered the NSIS Media popups. I could not stop it with pop-up blockers or antispyware. I read all about this problem on Google, but nothing helped me remove it completely except for reinstalling Windows. However, I did not want to use this method, so I started experimenting with my own methods. I heard that the fake "uninst" actually just reinstalls NSIS on your computer. I also heard that when it reinstalls it, it does it at shutdown. So I initiated the "uninst" method they give you, but when it got to the point that it requested me to reboot, I turned my computer off the unsafe way by holding the button down. When it booted up again I found the .dll file in the NSIS folder in Common Files was removed. So I made sure it was completely removed, but I found the extension in the chrome folder under Mozilla Firefox in Program Files, which is nsis(2 random numbers).jar, I believe. I moved this file to a temporary folder and renamed it. I then deleted it and emptied the Recycle Bin. I initiated Cleanup.exe and then clicked do not log off. (You can download Cleanup at their website; just search it on Google.) Then I turned my computer off the unsafe way once again by holding down the button. When I rebooted I let the disk checking complete, and it said it had truncated an invalid I.E. file. It loaded everything normally after, and I no longer have any NSIS Media popups or files that I can find. I want everyone to know about this, and I hope it works for you guys too. Please repost and tell me if it works for you. Thanks
TomC26
July 22nd, 2006, 02:43 AM
I got to wondering if this thing was bypassing the normal I/O methods out to the internet.
So I monitored it on the Router as well as the PC's firewall, and it seems to be going via the normal route (i.e. the PC's firewall picked up the same things as the router) to 216.55.181.78 using port 80, which the PC's firewall claims is "servedby.mediaplace.tv" - apologies guys if you have nothing to do with it.
I've also found that it sends its I/O from "firefox.exe", which is why the firewall lets it through.
Also, I don't get any popups until I start either Firefox or Thunderbird.
When I started Thunderbird on its own and the first popup appeared, I found that there was a "firefox.exe" process running which is about half the size of the one running now as I type this (using the Firefox browser); not sure of the significance of that yet.
I've found how it attaches to Firefox (at least one of its ways; hopefully the only one).
In C:\Program Files\Mozilla Firefox\Chrome\browser.manifest it's added an extra line at the bottom, "content nsis jar:nsis.jar!/content/nsis/ xpcnativewrappers=yes", which tells Firefox to load it from "C:\Program Files\Mozilla Firefox\Chrome\nsis.jar" when it starts.
It attaches to explorer.exe at startup with this entry, "{097F10A7-487F-4457-AB1F-827C59479A72}"="NSIS Media Extension", in [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]. My guess is that from here it can register itself to monitor any number of things, including system shutdowns (which is probably why people have found they need to crash the system after the uninstall to get rid of it).
How did it get on my system ? I don't know. The only thing I'm running that bypasses most of the normal security and accesses advertising sites is MSN, so I wonder if it came via that route.
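A defender-side check for the two persistence points TomC26 describes (the extra "content" line in browser.manifest and the CLSID under ShellExecuteHooks). This is an added example, not code posted in the thread: it parses a constructed manifest and a constructed .reg export, and the expected jar names and the baseline CLSID are assumptions standing in for a clean-machine snapshot.

```python
"""Offline check for the two NSIS Media persistence points described in the
thread: an extra 'content' registration in Firefox's chrome\browser.manifest
and a CLSID under Explorer's ShellExecuteHooks key. All inputs are constructed."""
import re
from typing import Dict, List, Set, Tuple

# Constructed copy of chrome\browser.manifest: ordinary-looking registrations
# plus the extra line reported in the thread appended at the bottom.
SAMPLE_MANIFEST = """\
content browser jar:browser.jar!/content/browser/ xpcnativewrappers=yes
overlay chrome://browser/content/browser.xul chrome://browser/content/places.xul
locale browser en-US jar:en-US.jar!/locale/browser/
content nsis jar:nsis.jar!/content/nsis/ xpcnativewrappers=yes
"""

# Constructed .reg export of the ShellExecuteHooks key. The first CLSID is a
# placeholder standing in for whatever a clean baseline snapshot recorded; the
# second is the value TomC26 posted.
SAMPLE_REG = """\
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellExecuteHooks]
"{11111111-2222-3333-4444-555555555555}"=""
"{097F10A7-487F-4457-AB1F-827C59479A72}"="NSIS Media Extension"
"""

HOOKS_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
             r"\Explorer\ShellExecuteHooks")

# Assumption: jar files a clean install is expected to register in this manifest.
EXPECTED_JARS: Set[str] = {"browser.jar", "en-US.jar"}
# Assumption: CLSIDs present under ShellExecuteHooks in the clean baseline.
BASELINE_HOOKS: Set[str] = {"{11111111-2222-3333-4444-555555555555}"}

_JAR_RE = re.compile(r"jar:([^!/\s]+)!")
_REG_VALUE_RE = re.compile(r'^"([^"]+)"=(?:"([^"]*)"|(.*))$')


def manifest_jar_entries(manifest: str) -> List[Tuple[str, str, str]]:
    """Return (directive, package, jar file) for each manifest line that maps a
    chrome package to a jar; overlay/style lines without a jar: URI are skipped."""
    entries = []
    for raw in manifest.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        match = _JAR_RE.search(line)
        if match and len(parts) >= 3:
            entries.append((parts[0], parts[1], match.group(1)))
    return entries


def unexpected_manifest_jars(manifest: str,
                             expected: Set[str] = EXPECTED_JARS) -> List[Tuple[str, str, str]]:
    """Registrations that load a jar the clean install is not known to ship."""
    known = {jar.lower() for jar in expected}
    return [e for e in manifest_jar_entries(manifest) if e[2].lower() not in known]


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .reg parser: key path -> {value name: data}. String values only,
    which is all ShellExecuteHooks uses."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            match = _REG_VALUE_RE.match(line)
            if match:
                data = match.group(2) if match.group(2) is not None else match.group(3)
                keys[current][match.group(1)] = data
    return keys


def new_shell_execute_hooks(reg_text: str,
                            baseline: Set[str] = BASELINE_HOOKS) -> List[Tuple[str, str]]:
    """ShellExecuteHooks CLSIDs absent from the baseline snapshot, with their names."""
    hooks = parse_reg_export(reg_text).get(HOOKS_KEY, {})
    known = {clsid.upper() for clsid in baseline}
    return [(clsid, name) for clsid, name in hooks.items() if clsid.upper() not in known]


if __name__ == "__main__":
    for directive, package, jar in unexpected_manifest_jars(SAMPLE_MANIFEST):
        print(f"manifest: '{directive} {package}' loads unexpected jar {jar}")
    for clsid, name in new_shell_execute_hooks(SAMPLE_REG):
        print(f"registry: ShellExecuteHooks has new hook {clsid} ({name!r})")
```

On a real machine the same functions can be fed the contents of browser.manifest and a `reg export` of the ShellExecuteHooks key; as hedehode notes later in the thread, both entries reappear after a normal reboot, so this finds the hooks but does not by itself remove the source.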
Seiji
July 22nd, 2006, 05:47 AM
Hello!
I just found this thread doing a Google search on "NSIS media" because I've been getting these pop-ups. Like others, I ran Spy Sweeper (I'm losing faith in this program, considering you can't even report to them) and Ad-Aware, and found nothing. Norton found a trojan which I deleted; I'm guessing that was it, but the pop-ups still remain. I got it from Foxie Suite, too. I used to think it was a nice little program; it blocked ads on websites, etc. But I just did a system restore and downloaded the newest version from getfoxie.com. Looks like I'm going to have to do another, but I feel this still doesn't solve the problem if someone else uses the same technique (looks like I have no choice). I want to know how to prevent it from happening again, BLOCKED! What a big mistake, but how was I to know? I thought it was from a few RealPlayer and QuickTime codecs I installed; guess not. I consider myself an average PC user, maybe a little above average; I don't know how to edit my registry and find all these files like the programmers here.
This thing is scary! My question: how are they able to still do this legally? We know one of the culprits. So they're free to just put a virus on your PC, no problem. Then on the Foxie site you try to contact them by clicking "Knowledge Base" "Click here to submit an Idea." and you get a link to "everybody deface it, that sux, noobs" & "o-d own this shit". Give me a break, shut this guy down already!
By the way, I'm just using Firefox.
Man, this thing has me depressed. I feel unsecured, I want my system safe... and if you can't rely on Norton or these spyware programs, an average PC user is screwed. I hope they find a solution for us average folk. I don't know how well known this site is: http://www.grc.com/SecurityNow.htm but I was thinking of reporting it to them, if possible.
-Seiji
Unsueable Davey Brown
July 22nd, 2006, 10:05 AM
Did you guys see the entry for Foxie at Wikipedia? I think it's worth posting here.
Foxie
From Wikipedia, the free encyclopedia
Foxie is an Internet Explorer shell, meaning it uses the Trident rendering engine used in Internet Explorer. Its stated purpose is to "bridge the gap between Internet Explorer and Mozilla FireFox" essentially installing a selected set of Firefox features that work on top of Internet Explorer instead of installing an entirely new browser. The name probably derives from a merging of Firefox and IE, a popular acronym for Internet Explorer.
Foxie is NOT related to Mozilla Firefox or Microsoft. It has been added to the rogue programs list on several malware websites and removed from download.com for having added malware. The website that hosts the files for download is dnscaching.net, a known malware website that hosts other edited, malware-infected applications such as media players, BitTorrent programs, P2P file sharing programs, game programs and many others.
The latest version of Foxie comes with a so-called Security Firewall which really is an Internet Worm that downloads malware. As the first sign of infection, you will get popups with Firefox and IE browsers. They will display "Advertisement - NSIS Media" by launching from windows explorer.
http://en.wikipedia.org/wiki/Foxie
hedehode
July 22nd, 2006, 11:26 AM
I've posted my experience with NSIS media to the related WINAMP article:
http://forums.winamp.com/showthread.php?s=&postid=1991842#post1991842
Following is the same article (I recommend you to read the posts in that article):
--------------------------------------------------------------------------------------------------
I keep getting those NSIS Media advertisement popups for the last few days. The only new thing I have installed is the latest version of eMule. By the way, I am a very careful user, and very very picky about what I install to my machine. I always have anti-virus, firewall and anti-spyware active and do regular checks.
Anyway you know the story, this NSIS thing is very sneaky, and does not show up in any protection software. I only fear that it may be a ticking time bomb and may have more serious effects after some time.
I tried everything mentioned in this forum so far. Here are the results:
1) Deleting or changing the permissions of the Common Files/NSIS directory and contents does not work, one has to find the original source.
2) Removing the signature from Firefox chrome or removing the shell extension from explorer does not work, after restart they are installed right back.
3) krnsvr32.dll & wmdmb32.dll are not always the source. I, for example, have neither. I've also checked for any other suspicious dll files in the system32 dir. Comparing the contents with a previous snapshot does not reveal any suspicious dlls.
4) uninstall.exe in the NSIS dir will not do anything either. I actually did not click it at all for a while, but cleared all suspicious files/registry entries etc. Since NSIS kept coming back, I tried the "uninstall" and "hard reboot" technique mentioned in many posts. Yes, it does work for the very first boot after the "hard reboot" (meaning you will not see the NSIS directory or the registry entries you have cleaned), but reboot your computer once again using the regular method and NSIS will show up.
5) SpySweeper, Ad-Aware and Spybot do not find anything at all.
6) RegSrch, FindIt and lm2fix logs (carried out as mentioned in this thread) do not reveal any suspicious entries (there are of course registry entries, but when deleted they come back the next time I reboot). Neither does DLLCompare.
7) The ClassID and nsxx.dll names do not reveal any other entry in the registry (other than the ones already mentioned in the posts above).
8) I make sure I work in safe mode, clear all caches, clear the recycle bin and disable system restore. So any backdoors are already closed.
9) And of course my WindowsXP, Office, etc are all up-to-date with security patches.
So, there is no solution for me right now. It is driving me crazy but I don't think I can spend more time on this. Just hoping that it does not do anything other than the popups.
Here are two other things I think may be related but still a long shot:
a. I've been using LiteStep for a long time now. The reason we are experiencing a very small number of infections may be the fact that it is only affecting LiteStep users. Are the other people suffering in this forum using LiteStep or just plain old Explorer?
b. My Nero Burning ROM has not been working for the last few days. The timing coincides with the NSIS popups. Everything other than Burning ROM (Nero Express or other Nero software that came with the same package) is working fine. Burning ROM crashes right after the splash screen. I tried the repair option and since it did not work I re-installed Nero. Still the same problem... Since it has problems even after a re-install I suspect it is clashing with something at runtime. That is why I think this symptom may be related to NSIS...
c. My wife has a separate administrative login on this same machine, but she is not using LiteStep. Nero Burning ROM runs fine when I log into her account. I did not work long enough in her account to see any NSIS popups, so do not know if her account is also affected (should be, she is using the very same Firefox installation).
As I have stated, LiteStep and Nero Burning Rom cross-diagnostics may be totally unrelated. It may very well be coincidence.
Let's keep posting...
MurphsHouse
July 22nd, 2006, 12:54 PM
Hi guys
I had the same problem with the NSIS popups and it was really bugging me because I usually never get stuff like that. I tried Spybot, Ad-Aware and virus checks but nothing worked.
So I downloaded and installed Windows Defender Beta 2, updated the definitions and ran a check.
It came up with 2 items which were BearShare related, one of which I deleted (sorry, can't remember which).
After a restart Hey Presto no more Popups.
TomC26
July 22nd, 2006, 01:35 PM
I have managed to get rid of it (I hope!) – thanks to the various people who suggested running the uninstaller and then powering off the PC when it asks you to reboot.
I did that, then checked to see what was left.
In the Firefox Chrome folder, nsis.jar was still there and the code to load it (in browser.manifest). So I cleaned those two up, then checked the registry.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\NSISMedia] was still left so I deleted that.
[HKEY_LOCAL_MACHINE\SOFTWARE\NSIS] was still there but only a single entry was left “OptOut” value “1”, which I hope translates as “don't ever install on this machine again”, so I left it.
Then I crashed the system once more, did a normal reboot, checked again and so far everything has stayed gone.
Foxie's not the only way this thing invades a system. It got onto my system but Foxie's never been loaded, nor have I installed anything immediately before. I've still no evidence as to how it got there, but my next step to keep this and similar things out is to replace MSN with something which doesn't habitually access advertising sites and bypass security.
To help those for whom this method isn't working.
My first try was to remove the code which linked to Firefox, and I deleted this entry "{097F10A7-487F-4457-AB1F-827C59479A72}"="NSIS Media Extension" from [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]. I then crashed the system and rebooted, and it came back. My suspicion is that it can reinstall itself on shutdown AND on startup. I never got to find out where it hooks in on the startup though, because the "uninstaller" method seems to have got rid of it.
Seiji
July 22nd, 2006, 02:43 PM
I believe I've gotten rid of it, too. I actually tried the uninstall and after that just did a search for NSIS. The only thing left was the nsis.jar in the chrome folder. I dragged it to another folder, renamed it, and then used TuneUp Utilities 2006 TuneUp Shredder to delete it. I then ran CCleaner: http://www.download.com/CCleaner/3000-2144_4-10547048.html?tag=lst-0-1 then did a hard shut down. I rebooted to see if it showed up again. Doing a second search for NSIS, all I got was A~NSISU_.EXE-22605888.pf in C:\WINDOWS\prefetch, which I'm not sure if I should delete. I didn't find krnsvr32.dll or wmdmb32.dll.
Well, that's my story. I'm still not sure if it's all gone, but I'm not getting any more pop-ups.
littlebits
July 22nd, 2006, 03:29 PM
Look what I found in my browser.manifest in Firefox. Location: "C:\Program Files\Mozilla Firefox\chrome\browser.manifest". This is after I removed the NSIS malware with a Non-Destructive Recovery. I don't have the NSIS malware anymore, but I haven't used Firefox since I did the Recovery, thank God. I just deleted these lines. This could be the source of the infection. So far everyone who has got infected used Firefox. I'm going to stick with Maxthon from now on.
chrome://pippki/content/PageInfoOverlay.xul
content nsis jar:nsis.jar!/content/nsis/ xpcnativewrappers=yes
content nsis jar:nsis.jar!/content/nsis/ xpcnativewrappers=yes
content nsis jar:nsis.jar!/content/nsis/ xpcnativewrappers=yes
content nsis jar:nsis.jar!/content/nsis/ xpcnativewrappers=yes
content nsis jar:nsis.jar!/content/nsis/ xpcnativewrappers=yes
content nsis jar:nsis.jar!/content/nsis/ xpcnativewrappers=yes
Thanks.
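The repeated "content nsis" registrations littlebits pasted are exactly the kind of thing a mechanical check of the chrome manifest catches. The Python script below is an added example, not code from this thread or from Mozilla: it parses a browser.manifest / chrome.manifest, reports "content" packages outside an assumed allowlist of stock package names, overlays that inject chrome from such a package into a stock window, and duplicate registrations. The allowlist and the sample manifest are constructed for illustration (the nsis overlay line is made up to show the overlay check; only the content lines come from the thread).

```python
"""Audit a Firefox chrome manifest (browser.manifest / chrome.manifest) for
content registrations and overlays that do not belong to the packages a
stock install is expected to contain.

Added example, not code from the thread or from Mozilla. EXPECTED_PACKAGES
and SAMPLE_MANIFEST are constructed for illustration."""
from collections import Counter

# Assumption: chrome packages a stock Firefox of that era registers.
# Anything registered outside this set is reported for review.
EXPECTED_PACKAGES = {"browser", "pippki", "global", "toolkit", "mozapps"}

# Constructed sample: stock-looking lines, the repeated "content nsis"
# registration seen in the thread, and an invented overlay that would pull
# nsis chrome into the main browser window.
SAMPLE_MANIFEST = """\
content browser jar:browser.jar!/content/browser/ xpcnativewrappers=yes
overlay chrome://browser/content/pageInfo.xul chrome://pippki/content/PageInfoOverlay.xul
content nsis jar:nsis.jar!/content/nsis/ xpcnativewrappers=yes
content nsis jar:nsis.jar!/content/nsis/ xpcnativewrappers=yes
overlay chrome://browser/content/browser.xul chrome://nsis/content/overlay.xul
"""

def parse_manifest(text):
    """Yield (directive, args) for each non-empty, non-comment line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        yield parts[0], parts[1:]

def package_of(chrome_uri):
    """chrome://pkg/content/x.xul -> 'pkg'; None if not a chrome:// URI."""
    if not chrome_uri.startswith("chrome://"):
        return None
    return chrome_uri[len("chrome://"):].split("/", 1)[0]

def audit_manifest(text, expected=EXPECTED_PACKAGES):
    """Return a sorted, de-duplicated list of (finding, detail) tuples."""
    findings = []
    registrations = Counter()
    for directive, args in parse_manifest(text):
        if directive == "content" and len(args) >= 2:
            pkg, uri = args[0], args[1]
            registrations[(pkg, uri)] += 1
            if pkg not in expected:
                findings.append(("unexpected-package", f"{pkg} -> {uri}"))
        elif directive == "overlay" and len(args) >= 2:
            target, overlay = args[0], args[1]
            pkg = package_of(overlay)
            if pkg is not None and pkg not in expected:
                findings.append(("foreign-overlay", f"{target} <- {overlay}"))
    for (pkg, uri), n in registrations.items():
        if n > 1:
            # The same package registered twice is how the thread's manifest looked.
            findings.append(("duplicate-registration", f"{pkg} x{n}"))
    return sorted(set(findings))

if __name__ == "__main__":
    for kind, detail in audit_manifest(SAMPLE_MANIFEST):
        print(f"{kind:24} {detail}")
```

Run it against the real file by reading "C:\Program Files\Mozilla Firefox\chrome\browser.manifest" into audit_manifest(); the allowlist has to match the Firefox build in use, so review what it reports rather than deleting blindly.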
Seiji
July 23rd, 2006, 09:56 AM
Firefox keeps crashing on me when surfing MySpace. You think it might be related?
By the way, Spy Sweeper does have a report feature. Just click "options" then there is a program tab at the top. You'll see a report spyware button.
I'm thinking about another browser and I might do a whole system restore ... AGAIN. Any recommendations?
By the way, anyone know a good website that exposes rogue programs?
Sick Boy
July 24th, 2006, 07:46 AM
While doing my daily Google search on this problem I finally found an antivirus company, Sophos, that has identified this POS. http://www.sophos.com/virusinfo/analyses/nsismedianetwork_J1u0jKFl.html
Apparently they have a 30 day free trial of their antivirus software, so I'll take one for the team here and try it out. I'll report back soon with news of my success (or failure).
mtaylor0617
July 24th, 2006, 09:24 AM
Well that's great that someone is finally on the stick with this thing, but jeez ... they make it sound so BENIGN.
"monitors browser activity?" oh, pooh-pooh, big deal. I was dealing with this thing for over a month and it really messed with my head. I'm constantly checking running processes and suspicious looking files as well as constantly checking my programs folder for the reemergence of that dreaded folder. I download every new freeware anti-spy app that comes down the pike, but I'm convinced now that (Sophos aside) only a heuristic scanner would have done any good, as virus definitions are useless for this thing, as it stands.
Most of the popups I received were blank pages, but there was ONE, that I did see, and it looked like a legit site for some kind of miraculous registry cleaner. I sure hope it wasn't Sophos, but I zapped it too soon to study the details.
Let us know, Sick Boy, how you make out with this thing. I'm reasonably certain I've purged it from my system, but I would really like to run an executable scan that looks specifically for related files, just to be on the safe side. I still don't feel things are quite "right," and I'm not sure if that's real or paranoia. See what this type of thing does to a man?
In the meantime, I'm running "Cyberhawk," (free at Snap Files) a completely heuristic real-time scanner that doesn't rely on definitions - it is supposed to simply look for suspicious files or activity. We'll see how that goes, (24 hours and it just sits there in the tray, not talking to me,) and I also downloaded two free files from Major Geeks designed to hunt out rootkits: "IceSword," and "GMER."
Haven't installed those last two yet, but found it funny (not "ha-ha" funny) that the first two new freeware files in Major Geeks RSS feed were rootkit hunters.
Hope you all get rid of this thing soon.
Sick Boy
July 24th, 2006, 09:28 AM
I downloaded and ran Sophos. The good news is that it detected NSIS Media Extensions no problem at all. The bad news is that I'm still getting popups regardless of whether I leave the detected files quarantined or I try to get Sophos to clean the files. Basically useless. Whatever removal tools are built into Sophos are just getting bitch slapped by this thing. The result's the same as if I tried some of the manual methods mentioned earlier. Back to the drawing board.
I think I might just try your solution, mtaylor0617. After that I'll try running Sophos again because it did, at least, detect it, which is more than I can say for all the other antivirus/spyware removal programs I've tried thus far.
mtaylor0617
July 24th, 2006, 11:23 AM
Jee-ZUSS!
I'm beginning to think this thing arrived on earth with a recent meteorite strike or something.
Did it at least identify the files it claims are associated with NSIS? I trust that the Sophos people (who want to sell their product, presumably) didn't simply scour the registry looking for "NSIS Media Extension" entries, cuz most of us who have had this thing coulda' told them that doesn't work.
I know that when I tried to "look inside" the NS dll (with my limited abilities to do so,) I found the name of the original file was "mediastub.dll" or something like that, although I could never find that animal on my drives.
littlebits
July 24th, 2006, 01:59 PM
While doing my daily Google search on this problem I finally found an antivirus company, Sophos, that has identified this POS. http://www.sophos.com/virusinfo/analyses/nsismedianetwork_J1u0jKFl.html
Apparently they have a 30 day free trial of their antivirus software, so I'll take one for the team here and try it out. I'll report back soon with news of my success (or failure).
OK, the description of this on Sophos does NOT match what this malware is. For instance, it is NOT just adware; adware is not that hard to remove. This NSIS thing is more of a trojan downloader or a worm. And it certainly isn't what the (IDE) says it is. I downloaded this (IDE) file and it is a part of CoolWebSearch (CWS). If it is a new unknown (CWS) malware, it would explain why it is so hard to get rid of, but HijackThis should have found it and it didn't. I don't believe this is the malware that we are talking about.
Update: Some people used HiJackFree from http://www.emsisoft.com/ and got rid of this NSIS malware.
It is freeware that is much like HijackThis but has extra info, like Tricky startup. It doesn't remove anything but can tell you where some dll file(s) or registry key(s) are located so you can manually delete them.
direct download- http://tmp.emsisoft.com/a2hijackfree/a2hijackfree.exe
Thanks.
Nathan Detroit
July 24th, 2006, 07:21 PM
Like everyone else, this has pissed me off royally. I don't use Firefox and I only get the popup rarely, but knowing it's there bugs me. I notice that ZoneAlarm asks for permission for Windows Explorer (not IE) to access the net before the popup appears. I'm running Sysinternals "Process Explorer" (PE) and I can see the dlls attached to Explorer. Most are MS but four have no company name. PE will list the printable strings in the dll, and look what turns up in wmudrv.dll:
<HTML>
<HEAD>
<TITLE>Advertisment</TITLE>
<SCRIPT TYPE="text/javascript">function handleError() {return true;}window.onerror = handleError;</SCRIPT>
</HEAD>
<BODY style="margin-left: 0%; margin-right: 0%; margin-top: 0%; margin-bottom: 0%;" scroll="no" oncontextmenu="return false" onLoad="window.focus();">
<SCRIPT TYPE="text/javascript">document.write(dialogArguments);</SCRIPT>
</BODY>
</HTML>
I saw a reference to this thing being partly Javascript in another forum and I'm guessing the "NSIS Media" gets added on the fly to the popups.
This dll is referenced in one of the other no-company-name files, msrvdrv.dll - both are in the almost empty System32 folder. I may be wrong but I suspect that these two are part of the problem. Google shows no info on either one but they've definitely got their hooks in Explorer. netbios.dll and dhcpsvc.dll also show no company names in PE though they are supposed to be MS files, so I'm suspicious of them as well. I'm going to try deleting the first two and their registry info and pulling fresh copies of the latter two from my Windows CD, as well as deleting the NSIS junk, and see what happens. Whether this will get everything I don't know. I'm a lowly VB coder so I don't know why the "pros" wouldn't have found this if it were that simple, so I'm not optimistic, but it seems worth a shot. I'll report back - assuming my computer will run after the "surgery."
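What Nathan Detroit did with Process Explorer's strings view can be done offline against a copy of the file, which is useful for triage of an unsigned DLL found loaded in explorer.exe. The Python script below is an added example, not code from this thread or from Sysinternals: it pulls printable ASCII and UTF-16LE runs out of a binary image and surfaces the ones that contain web-content markers (HTML tags, script, document.write, URLs), which a driver-looking library has no reason to carry. The sample blob it scans is constructed in this script, so it runs without the real file; the misspelled title in it reproduces what the thread quotes.

```python
"""Extract printable strings from a binary and flag embedded web content.

Added example, not code from the thread or from Sysinternals. The sample
blob is constructed below so the script runs without the real DLL."""
import re

# Runs of six or more printable ASCII bytes, and the same in UTF-16LE (each
# printable byte followed by NUL), which is how Windows stores resource
# strings such as a DLL's InternalName.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")

# Markers worth surfacing from a library that has no business rendering
# web pages; extend as needed.
WEB_MARKERS = re.compile(r"<html|<script|document\.write|dialogArguments|https?://", re.I)

def extract_strings(blob):
    """Return every ASCII and UTF-16LE string in blob, ordered by offset."""
    found = [(m.start(), m.group().decode("ascii")) for m in ASCII_RUN.finditer(blob)]
    found += [(m.start(), m.group().decode("utf-16-le")) for m in WIDE_RUN.finditer(blob)]
    return [s for _, s in sorted(found)]

def suspicious_strings(blob):
    """Subset of extract_strings() containing a web-content marker."""
    return [s for s in extract_strings(blob) if WEB_MARKERS.search(s)]

def build_sample_blob():
    """Constructed stand-in for the DLL: an MZ stamp, non-printable filler,
    an ASCII HTML fragment of the shape quoted in the thread (the misspelled
    title is the malware's own), and a UTF-16LE 'explorer.exe' string of the
    kind the poster saw as the file's internal name."""
    html = (b"<HTML><HEAD><TITLE>Advertisment</TITLE></HEAD>"
            b"<BODY><SCRIPT>document.write(dialogArguments);</SCRIPT></BODY></HTML>")
    wide = "explorer.exe".encode("utf-16-le")
    filler = b"\x00\x01\x02\x03" * 32
    return b"MZ\x90\x00" + filler + html + b"\x00" * 16 + wide + b"\x00\xff" * 8

if __name__ == "__main__":
    blob = build_sample_blob()
    print("all strings:")
    for s in extract_strings(blob):
        print("  ", s)
    print("flagged:")
    for s in suspicious_strings(blob):
        print("  ", s)
```

For a real file, read it with open(path, "rb").read() and pass the bytes to suspicious_strings(). A hit is a reason to look closer, not proof by itself: legitimate browser components carry HTML too, so weigh it together with the missing company name and the load location.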
wireless_guru
July 24th, 2006, 07:24 PM
I have been following various ideas for removing NSIS and I finally took the plunge last night by using the ungraceful shutdown method. This did not work for me. I also tried to remove NSIS via uninstall, still no luck. Here is what I did:
1. Uninstalled Firefox.
2. Manually removed all remnants of Firefox directories and registry entries.
3. Ran some cleanup programs.
4. Uninstalled NSIS from the normal Windows remove programs area.
I ran Internet Explorer all day at work and no pop ups and NSIS files have not returned.
Interesting note: Many believe the worm had other intentions besides the popups. I believe this also, because my laptop would not stay connected to the work Ethernet. I suspect what the worm was trying to do was detected by corporate security measures and my port kept getting shut down. Also, I am positive I got the worm from downloading extensions for Firefox. I am not sure which one it was as I downloaded several. It might have been one of the weather extensions.
I hope this helps someone else. Good luck on removing your NSIS enemy.
BudMiester
July 24th, 2006, 11:04 PM
Hi All
Been reading this forum with interest. Thought I might share my NSIS probs with you all as well; even though my problem's a little different, I believe them to be related. For me even getting a new hard drive and a new copy of XP Pro, then doing a clean install and only doing Windows updates, did not fix the problem, before or after the Windows update.
I have had the annoying Windows pop-up for some months now (always with the heading "ms message") but my firewall blocked them so I ignored them; until reading this forum I didn't relate this problem with NSIS. Installing SP2 killed the pop-ups.
My NSIS prob started 5 July. I know the exact date because this is when Eve Online (a game I play or played) did a major patch. After the patch my config would keep resetting back to default, so I eventually uninstalled the game and did a reinstall; this is when I first saw "nsis error installer corrupted".
The download isn't corrupted; I had been using the same download and playing the game for some time before I encountered this problem, but I downloaded it again just in case.
To fix this problem, this is what I have tried:
cleaning the registry
running Ad-Aware, Spybot, and Norton's to check for probs
manually deleting all references to NSIS in safe mode
downloading NSIS from Nullsoft and reinstalling
redownloading the original game file I was trying to install
running the file using the NCRC switch
checking some other downloads that use the NSIS installer (they would not work either)
Ran checks on all my hardware: RAM 1 GB and good, video, hard drive, mainboard, all near new and all came up good.
Just in case stuff was getting corrupted I put in a new hard drive and a different stick of RAM.
Took out my video card and ran it on the onboard video and did a clean install of Windows, redownloaded my game file from the internet, and reinstalled everything.
Still no changes.
So I did the above again, this time reinstalling everything, then downloading and reinstalling the game file off the net.
Surprise surprise, no change, and the pop-ups always came back, so I decided it had to be a direct attack on my IP. So then I unplugged my cable from the wall, forcing a disconnect from the provider's modem, and plugged it back in at the end of my reinstall of Windows: no pop-ups. OK, I thought, I'm getting somewhere; tried to reinstall all my drivers and another new download of the game, didn't work, and the pop-ups started to come back.
So as a last resort I went and bought a new copy of XP Pro, wiped my hard drive using fdisk, made a DOS partition, formatted it, then deleted the partition and formatted it again, then reinstalled Win XP. Straight away the annoying pop-ups came back; installing SP2 once again killed them.
Which brings me to now.
I still have the NSIS error and can't install anything that uses the NSIS installer.
I have discontinued my subscription with the game because after 2 weeks of reading every forum I can find on NSIS errors I can only find one thing in common: no one knows how to fix it or where it came from for sure. Some people seem to have been lucky and fixed it easily without knowing what they did; all I can say to them is the pop-ups may be gone but don't put money on not seeing your NSIS problems again.
Don't know if this helps anyone.
Bud
Nathan Detroit
July 25th, 2006, 02:10 AM
Too early to declare victory with an undead zombie like this, but so far after a couple of restarts the dreaded NSIS folder has not returned for the first time since this started, and no popups (though as I said, I got them very rarely). I should note that one of the dlls (WMUDRV.DLL), if you check its properties, calls itself "explorer.exe" in its internal name, so I suspect that is what ZoneAlarm was seeing when it got ready to launch a popup. I should have taken notes but basically here's what I did:
Using Process Explorer from sysinternals.com, I highlighted explorer.exe and checked the lower pane for the dlls attached to it - that's where I spotted wmudrv.dll and msrvdrv.dll and got started on this tack. If these are indeed the culprits then all you should need to do is look for them in your Windows folder (mine were in system32 but I'm running 98SE since my Win 2000 system died). I did a registry search (try Googling regsrch.vbs - finds them all at once) and found I believe four refs:
[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{EC108D89-8CE7-4FEC-B6AD-ED74BFADAFA6}\InprocServer32]
@="C:\\WINDOWS\\SYSTEM32\\WMUDRV.DLL"
[HKEY_LOCAL_MACHINE\Software\CLASSES\TypeLib\{E0287FF0-E4A7-4F6D-9790-5C63853713DB}\1.0\0\win32]
@="C:\\WINDOWS\\SYSTEM32\\WMUDRV.DLL"
[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{8AB18ADC-402A-4B52-A63A-155F45C07F4E}\InprocServer32]
@="C:\\WINDOWS\\SYSTEM32\\MSRVDRV.DLL"
[HKEY_LOCAL_MACHINE\Software\CLASSES\TypeLib\{8DC4D512-53AF-4784-8521-B0ECEDB17EAD}\1.0\0\win32]
@="C:\\WINDOWS\\SYSTEM32\\MSRVDRV.DLL"
I deleted these and looked for any other refs to the GUIDs/Class IDs as well, but I don't think I found any. I located and deleted all the relevant NSIS keys in the registry. My startup script had already deleted the NSIS folder. The two dlls themselves were still loaded so they couldn't be deleted. I found a utility to mark them for deletion on startup but I ended up booting into DOS mode and deleting them, fearing that they might do something before they got deleted on startup. That's pretty much it if I recall correctly.
Notes: msrvdrv contains the string:
"c:\Cydoor_shell_project\000000000\Release\Monitor\Release\adw.pdb"
I didn't find this file, but Cydoor is a well known spy/malware thing and I'm not sure what the relationship here is. Also, I had installed two versions of "Foxie." One never worked and was quickly uninstalled. Later I installed the (then) latest version (1.4 I think) and uninstalled it too, since I saw no tabs in the browser and the spyware "remover" called for a couple of dll functions that apparently aren't in the Win98 versions. I only noticed the NSIS stuff after the second install but I can't swear it wasn't there before. It seems that this thing comes in somewhat different versions, perhaps from what folks are saying and perhaps from various sources, and it may behave differently on different systems, so your mileage may definitely vary.
WARNING
Editing the registry can damage your system yada, yada, you know the drill. I can't be responsible for your machine blowing up if you try this - always back up first etc.
I'll give it a day or so and try to report back on how this is working. I'm intrigued that Sophos didn't kill it, which makes me doubt my own fix but who knows. If I'd been running 2000, I'd have tried it and been very disappointed. Good luck and be careful out there!
Note 2: Forgot to mention at this point I haven't done anything with the netbios.dll or dhcpsvc.dll - as I said, they're supposed to be legit though I found some vague references that indicated they could be compromised by some malware. I decided to be conservative and leave them alone for now.
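The step Nathan Detroit describes (find the keys whose default value points at the DLL, then hunt for every other reference to the same CLSID/TypeLib GUIDs) is easy to get wrong by hand across a large export, so here is that cross-reference as a script over a .reg dump. This is an added example, not code from the thread or from regsrch.vbs: it parses the .reg text, returns the keys whose "@" value names one of the given DLLs, collects the GUIDs from those key paths, and lists every other key in the dump that mentions one of them. The export it parses is constructed in the shape of the entries quoted above; the parent CLSID key, its ThreadingModel value and the shell32.dll entry are made up to exercise the positive and negative cases.

```python
"""Cross-reference a .reg export: keys pointing at a DLL -> GUIDs in those
key paths -> every other key mentioning the same GUIDs.

Added example, not code from the thread or from regsrch.vbs. SAMPLE_REG is
a constructed export in the shape of the entries quoted in the thread."""
import re

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"[^"]*")=(.*)$')

# Constructed sample. The two WMUDRV entries follow the thread; the parent
# CLSID key and the shell32.dll ShellLink entry are invented for the demo.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{EC108D89-8CE7-4FEC-B6AD-ED74BFADAFA6}]
@="Constructed sample class"

[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{EC108D89-8CE7-4FEC-B6AD-ED74BFADAFA6}\InprocServer32]
@="C:\\WINDOWS\\SYSTEM32\\WMUDRV.DLL"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\Software\CLASSES\TypeLib\{E0287FF0-E4A7-4F6D-9790-5C63853713DB}\1.0\0\win32]
@="C:\\WINDOWS\\SYSTEM32\\WMUDRV.DLL"

[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{00021401-0000-0000-C000-000000000046}\InprocServer32]
@="C:\\WINDOWS\\system32\\shell32.dll"
"""

def parse_reg(text):
    """Return {key_path: {value_name: raw_data}}; '@' is the default value."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1).strip('"')] = m.group(2)
    return keys

def unescape_reg_string(data):
    """Strip the quotes and the doubled backslashes of a REG_SZ in .reg syntax."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return data

def find_dll_references(keys, dll_names):
    """Keys whose default value is a path ending in one of dll_names."""
    wanted = {n.lower() for n in dll_names}
    hits = {}
    for path, values in keys.items():
        default = values.get("@")
        if default is None:
            continue
        target = unescape_reg_string(default)
        if target.replace("/", "\\").rsplit("\\", 1)[-1].lower() in wanted:
            hits[path] = target
    return hits

def cross_reference(keys, dll_names):
    """Direct hits, the GUIDs in their paths, and other keys naming those GUIDs."""
    hits = find_dll_references(keys, dll_names)
    guids = set()
    for path in hits:
        guids.update(g.upper() for g in GUID_RE.findall(path))
    related = []
    for path, values in keys.items():
        if path in hits:
            continue
        haystack = (path + " " + " ".join(list(values) + list(values.values()))).upper()
        if any(g in haystack for g in guids):
            related.append(path)
    return {"direct": hits, "guids": sorted(guids), "related": sorted(related)}

if __name__ == "__main__":
    report = cross_reference(parse_reg(SAMPLE_REG), ["wmudrv.dll", "msrvdrv.dll"])
    for section in ("direct", "guids", "related"):
        print(section)
        for item in report[section]:
            print("  ", item)
```

Feed it a full export (regedit's File > Export of HKEY_LOCAL_MACHINE\Software, for instance) and the names of the DLLs under suspicion; the "related" list is what to review before deleting anything, since a GUID can legitimately appear in more places than the InprocServer32 and TypeLib keys.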
BudMiester
July 25th, 2006, 03:10 AM
Hi Again
As stated before, I don't know if my problem was exactly the same as everyone else's here, but after 2 and a half weeks I found a workaround. Because of what I read here I thought I'd try things in safe mode again.
I downloaded the file I was having trouble with in safe mode, and installed it in safe mode; surprised to find it worked perfectly.
Hope this helps someone.
NSIS is still there but giving me no grief now :)
TORANUS
July 25th, 2006, 09:36 AM
Hi to all,
I'm new here and also not an expert like many of you.
I have tried to write since yesterday night but couldn't send the reply. Hope this time it will work.
About the NSIS, I want to let you know I only use IE and Avast AV. Well, I found it about 3 days ago on my home PC and on my office PC. If you want to know what I did? Well, as I told you, I am not so expert, so first I went to the IE Tools menu and erased the cookies and Temporary files. OF COURSE it did not work. Then I just found the program in the Control Panel Add/Remove, so I uninstalled it. Well, I did not do anything else. I have used my computers for more than 24 hours now and it has not shown up again...... Anyway, from what I have read from you I think it is still around.....
But what I think is important first of all is to really find out where it came from; no one seems to really know.
I was trying to send you a reply since yesterday, but today I found what BudMiester wrote: "My nsis prob started 5 july I know the exact date because this is when eve online (a game i play or played) did a major patch. After the patch my config would keep resetting back to default so i eventually uninstalled the game and did a reinstall, this is when i first saw "nsis error installer corrupted"".
This confirms what I was writing before, which makes me think I got it when I downloaded the demo game "Chicken Invaders 2" from Yahoo, because I did it first in my office and then at home, and almost immediately it began showing up on both computers. It has not appeared on any other of the 5 computers in my office and we don't even use a firewall, and remember I only use IE and Avast AV....
Where did it come from???
BudMiester
July 25th, 2006, 02:17 PM
Hi all
I actually downloaded, wow, another game, both running a time-based trial like Eve, and both using the NSIS installer; couldn't install either. Don't know if they contained the corrupt installer as well, or the existing installer was still in use. All I know for sure is I can only download and install things using the NSIS installer in safe mode. This seems to work well for all of them.
To the people still getting pop-ups: do you all have SP2 installed on a legal copy of XP? Because as soon as I swapped my umm demo version of Windows :) for a full registered copy of XP Pro and installed SP2, the pop-ups stopped. They continued after SP1, but SP2 stopped 'em completely. But as stated, the NSIS prob is still there, I just work around it now :(
Nathan Detroit
July 25th, 2006, 04:58 PM
After several warm and cold reboots, NSIS is still gone. Knock on wood, I think I killed it. I'd be interested in hearing if anyone else has the same two dlls I found. It almost sounds like this thing is spreading. Most of the early references mentioned Foxie or a Firefox plugin. Now it's appearing in games? I don't know what the connection is with the Nullsoft installer unless there's something about it that makes it easier to slip this thing in.
littlebits
July 25th, 2006, 05:23 PM
After several warm and cold reboots, NSIS is still gone. Knock on wood, I think I killed it. I'd be interested in hearing if anyone else has the same two dlls I found. It almost sounds like this thing is spreading. Most of the early references mentioned Foxie or a Firefox plugin. Now it's appearing in games? I don't know what the connection is with the Nullsoft installer unless there's something about it that makes it easier to slip this thing in.
Maybe you have discovered how to get rid of this NSIS malware. There are many others who got the infection from various programs, but I do believe they all used a Nullsoft Scriptable Install System installer.
Maybe there is a vulnerability in the installers allowing this malware to install.
One guy reported that after he installed OpenOffice.org, he started seeing the NSIS Media popups.
But it appears that this malware needs Firefox in order to work. Most cases were linked to Firefox extensions.
I wish I had a copy of those dll files to submit.
Thanks.
Dark Messenger
July 25th, 2006, 06:06 PM
One guy reported that after he installed OpenOffice.org, he started seeing the NSIS Media popups.
But it appears that this malware needs Firefox in order to work. Most cases were linked to Firefox extensions.
How many of you who experienced this malware had Firefox extensions installed... and what extensions were they? As Firefox is open source and its extensions open source and the Nullsoft installer open source, and some Firefox extensions aren't officially recognised or approved extensions (if there even is such a thing as an official, safe, trusted list of extensions)... it's quite possible a 3rd party site with a custom installer modified to install a wanted extension with some unwanted or mentioned functionality, i.e. 'the trojan horse': we give you a cool extension, and while we give you what you want we also give you a little something extra special from us.
Sick Boy
July 25th, 2006, 06:20 PM
I tried searching for those 2 .dll files and didn't have them on my system. I guess some people have them and some don't. I'm still getting the popups, but less frequently, and often when I do get them they are small, blank, and non-resizable. I think I'm also starting to experience the slowdowns that other people have mentioned.
littlebits
July 25th, 2006, 07:13 PM
Sick Boy, save HiJackFree http://tmp.emsisoft.com/a2hijackfree/a2hijackfree.exe to your pc and run it, you don't have to install it. Don't do anything except save the report at the top left it has an option to save report to an xml file. Save it, copy it and post it here and I will see if I can see any problems.
Thanks.
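The report littlebits asks for is an XML file that lists each autorun with its registry location and a file path in which the tool abbreviates the Program Files and Windows directories as %programpath%, %winpath% and %systempath% (Sick Boy's reply shows the shape). The Python script below is an added example, not code from this thread or from Emsisoft: it expands those placeholders and flags autoruns that start from a bare file name (Windows resolves those through the PATH search order, so a same-named file earlier in the path wins) or from outside the Windows and Program Files trees. The report it parses is a constructed sample; the SampleUpdater entry is invented to exercise the out-of-tree check.

```python
"""Triage an a2HiJackFree XML report: expand its %programpath% / %winpath% /
%systempath% placeholders and flag autoruns that start from a bare file name
or from outside the Windows and Program Files trees.

Added example for the thread, not code from Emsisoft. SAMPLE_REPORT is
constructed in the shape of the posted report; SampleUpdater is invented."""
import re
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0" encoding="Windows-1252" ?>
<a2hijackfreelog>
<version>1.20</version>
<programpath>I:\\Program Files</programpath>
<systempath>I:\\WINDOWS\\system32</systempath>
<winpath>I:\\WINDOWS</winpath>
<autoruns>
<autorun category="registry">
<name>ehTray</name>
<location>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run</location>
<filepath>%winpath%\\ehome\\ehtray.exe</filepath>
</autorun>
<autorun category="registry">
<name>CTHelper</name>
<location>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run</location>
<filepath>CTHELPER.EXE</filepath>
</autorun>
<autorun category="registry">
<name>ATICCC</name>
<location>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run</location>
<filepath>%programpath%\\ATI Technologies\\ATI.ACE\\cli.exe runtime -Delay</filepath>
</autorun>
<autorun category="registry">
<name>SampleUpdater</name>
<location>HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run</location>
<filepath>I:\\Documents and Settings\\user\\Local Settings\\Temp\\updater.exe /silent</filepath>
</autorun>
</autoruns>
</a2hijackfreelog>
"""

# First token of a Windows command line: a quoted path, or everything up to
# the first executable extension (unquoted paths may contain spaces).
EXE_RE = re.compile(r"^(.+?\.(?:exe|dll|com|scr|bat|cmd))(?:\s|$)", re.I)

def load_report(xml_text):
    """Return ({placeholder: path}, [autorun dicts]) from the report."""
    root = ET.fromstring(xml_text)
    roots = {tag: root.findtext(tag, "") for tag in ("programpath", "systempath", "winpath")}
    entries = [{"name": a.findtext("name", ""), "location": a.findtext("location", ""),
                "filepath": a.findtext("filepath", ""), "category": a.get("category", "")}
               for a in root.iter("autorun")]
    return roots, entries

def expand(path, roots):
    """Replace %programpath% etc. with the directories the report recorded."""
    for tag, value in roots.items():
        path = path.replace(f"%{tag}%", value)
    return path

def executable_of(command):
    """Path of the program a Run-key command line starts."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = EXE_RE.match(command)
    return m.group(1) if m else (command.split()[0] if command else "")

def triage(xml_text):
    """Return [(autorun name, finding, executable)] for entries worth a look."""
    roots, entries = load_report(xml_text)
    trusted = tuple(v.lower() + "\\" for v in (roots["programpath"], roots["winpath"]) if v)
    findings = []
    for e in entries:
        exe = executable_of(expand(e["filepath"], roots))
        if "\\" not in exe and "/" not in exe:
            # Bare name: resolved through the PATH search order at logon.
            findings.append((e["name"], "bare-filename", exe))
        elif not exe.lower().startswith(trusted):
            findings.append((e["name"], "outside-trusted-roots", exe))
    return findings

if __name__ == "__main__":
    for name, kind, exe in triage(SAMPLE_REPORT):
        print(f"{kind:22} {name:16} {exe}")
```

Both findings are prompts to check the file on disk (publisher, location, timestamp), not verdicts: the CTHelper entry in the posted report is a Creative component that genuinely ships that way, which is exactly why the check reports where an entry loads from rather than pretending to know what it is.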
Sick Boy
July 26th, 2006, 06:40 AM
Ok, thanks littlebits. Here it is:
<?xml version="1.0" encoding="Windows-1252" ?>
<a2hijackfreelog>
<version>1.20</version>
<datecreated>2006-07-26 09:37</datecreated>
<language>en-us</language>
<ie_version>6.0.2900.2180</ie_version>
<os>XP</os>
<os_version>5.1.2600</os_version>
<os_csd>Service Pack 2</os_csd>
<programpath>I:\Program Files</programpath>
<startuppath>I:\Documents and Settings\Alfred\Start Menu\Programs\Startup</startuppath>
<systempath>I:\WINDOWS\system32</systempath>
<winpath>I:\WINDOWS</winpath>
<autoruns>
<autorun category="registry">
<name>ehTray</name>
<location>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</location>
<filepath>%winpath%\ehome\ehtray.exe</filepath>
</autorun>
<autorun category="registry">
<name>ATICCC</name>
<location>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</location>
<filepath>%programpath%\ATI Technologies\ATI.ACE\cli.exe runtime -Delay</filepath>
</autorun>
<autorun category="registry">
<name>CTDVDDET</name>
<location>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</location>
<filepath>%programpath%\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE</filepath>
</autorun>
<autorun category="registry">
<name>RCSystem</name>
<location>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</location>
<filepath>%programpath%\Creative\Shared Files\Module Loader\DLLML.exe RCSystem * -Startup</filepath>
</autorun>
<autorun category="registry">
<name>AudioDrvEmulator</name>
<location>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</location>
<filepath>%programpath%\Creative\Shared Files\Module Loader\DLLML.exe -1 AudioDrvEmulator %programpath%\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll</filepath>
</autorun>
<autorun category="registry">
<name>CTHelper</name>
<location>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</location>
<filepath>CTHELPER.EXE</filepath>
</autorun>
<autorun category="registry">
<name>CTxfiHlp</name>
<location>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</location>
<filepath>CTXFIHLP.EXE</filepath>
</autorun>
<autorun category="registry">
<name>UpdReg</name>
<location>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</location>
<filepath>%winpath%\UpdReg.EXE</filepath>
</autorun>
<autorun category="registry">
<name>PinnacleDriverCheck</name>
<location>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</location>
<filepath>%systempath%\PSDrvCheck.exe -CheckReg</filepath>
</autorun>
<autorun category="registry">
<name>NeroFilterCheck</name>
<location>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</location>
<filepath>%systempath%\NeroCheck.exe</filepath>
</autorun>
<autorun category="registry">
<name>TkBellExe</name>
<location>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</location>
<filepath>%programpath%\Common Files\Real\Update_OB\realsched.exe -osboot</filepath>
</autorun>
<autorun category="registry">
<name>SunJavaUpdateSched</name>
<location>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</location>
<filepath>%programpath%\Java\jre1.5.0_06\bin\jusched.exe</filepath>
</autorun>
<autorun category="registry">
<name>Windows Defender</name>
<location>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</location>
<filepath>%programpath%\Windows Defender\MSASCui.exe -hide</filepath>
</autorun>
<autorun category="registry">
<name>Zone Labs Client</name>
<location>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</location>
<filepath>%programpath%\Zone Labs\ZoneAlarm\zlclient.exe</filepath>
</autorun>
<autorun category="registry">
<name>AVG7_CC</name>
<location>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</location>
<filepath>I:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP</filepath>
</autorun>
<autorun category="registry">
<name>CTFMON.EXE</name>
<location>HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</location>
<filepath>%systempath%\ctfmon.exe</filepath>
</autorun>
<autorun category="registry">
<name>Creative Detector</name>
<location>HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</location>
<filepath>%programpath%\Creative\MediaSource\Detector\CTDetect.exe /R</filepath>
</autorun>
- <autorun category="registry">
<name>ATI DeviceDetect</name>
<location>HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run</location>
<filepath>%programpath%\ATI Multimedia\main\ATIDtct.EXE</filepath>
</autorun>
- <autorun category="startupfiles">
<location>win.ini</location>
<name>load</name>
<filepath />
</autorun>
- <autorun category="startupfiles">
<location>win.ini</location>
<name>run</name>
<filepath />
</autorun>
- <autorun category="startupfiles">
<location>win.ini</location>
<name>shell</name>
<filepath>Explorer.exe</filepath>
</autorun>
- <autorun category="startupfiles">
<location>win.ini</location>
<name>scrnsave.exe</name>
<filepath>%systempath%\logon.scr</filepath>
</autorun>
- <autorun category="autostartmenu">
<location>I:\Documents and Settings\All Users\Start Menu\Programs\Startup\</location>
<name>Logitech SetPoint</name>
</autorun>
- <autorun category="tricky">
<name>CTFMON.EXE</name>
<location>HKEY_USERS\.Default\Software\Microsoft\Windows\Cur rentVersion\Run\</location>
<filepath>%systempath%\CTFMON.EXE</filepath>
</autorun>
- <autorun category="tricky">
<name>AVG7_Run</name>
<location>HKEY_USERS\.Default\Software\Microsoft\Windows\Cur rentVersion\Run\</location>
<filepath>I:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE</filepath>
</autorun>
- <autorun category="tricky">
<name>Shell</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\</location>
<filepath>Explorer.exe</filepath>
</autorun>
- <autorun category="tricky">
<name>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\</location>
<filepath>%winpath%\inf\unregmp2.exe /ShowWMP</filepath>
</autorun>
- <autorun category="tricky">
<name>{26923b43-4d38-484f-9b9e-de460746276c}</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\</location>
<filepath>%systempath%\system32\shmgrate.exe OCInstallUserConfigIE</filepath>
</autorun>
- <autorun category="tricky">
<name>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\</location>
<filepath>RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP</filepath>
</autorun>
- <autorun category="tricky">
<name>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\</location>
<filepath>%systempath%\system32\shmgrate.exe OCInstallUserConfigOE</filepath>
</autorun>
- <autorun category="tricky">
<name>KB910393</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\</location>
<filepath>rundll32.exe advpack.dll,LaunchINFSection %winpath%\INF\EasyCDBlock.inf,PerUserInstall</filepath>
</autorun>
- <autorun category="tricky">
<name>{2C7339CF-2B09-4501-B3F3-F3508C9228ED}</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\</location>
<filepath>%systempath%\system32\regsvr32.exe /s /n /i:/UserInstall %systempath%\system32\themeui.dll</filepath>
</autorun>
- <autorun category="tricky">
<name>{407408d4-94ed-4d86-ab69-a7f649d112ee}</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\</location>
<filepath>%systempath%\System32\rundll32.exe setupapi,InstallHinfSection QuickLaunchShortcut 640 %systempath%\inf\mcdftreg.inf</filepath>
</autorun>
- <autorun category="tricky">
<name>{44BBA840-CC51-11CF-AAFA-00AA00B6015C}</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\</location>
<filepath>%programpath%\Outlook Express\setup50.exe /APP:OE /CALLER:WINNT /user /install</filepath>
</autorun>
- <autorun category="tricky">
<name>{44BBA842-CC51-11CF-AAFA-00AA00B6015B}</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\</location>
<filepath>rundll32.exe advpack.dll,LaunchINFSection %winpath%\INF\msnetmtg.inf,NetMtg.Install.PerUser. NT</filepath>
</autorun>
- <autorun category="tricky">
<name>{4b218e3e-bc98-4770-93d3-2731b9329278}</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\</location>
<filepath>%systempath%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systempath%\inf\ie.inf</filepath>
</autorun>
- <autorun category="tricky">
<name>{5945c046-1e7d-11d1-bc44-00c04fd912be}</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\</location>
<filepath>rundll32.exe advpack.dll,LaunchINFSection %winpath%\INF\msmsgs.inf,BLC.QuietInstall.PerUser</filepath>
</autorun>
- <autorun category="tricky">
<name>{6BF52A52-394A-11d3-B153-00C04F79FAA6}</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\</location>
<filepath>rundll32.exe advpack.dll,LaunchINFSection %winpath%\INF\wmp.inf,PerUserStub</filepath>
</autorun>
- <autorun category="tricky">
<name>{7790769C-0471-11d2-AF11-00C04FA35D02}</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\</location>
<filepath>%programpath%\Outlook Express\setup50.exe /APP:WAB /CALLER:WINNT /user /install</filepath>
</autorun>
- <autorun category="tricky">
<name>{89820200-ECBD-11cf-8B85-00AA005B4340}</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\</location>
<filepath>regsvr32.exe /s /n /i:U shell32.dll</filepath>
</autorun>
- <autorun category="tricky">
<name>{89820200-ECBD-11cf-8B85-00AA005B4383}</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\</location>
<filepath>%systempath%\system32\ie4uinit.exe</filepath>
</autorun>
- <autorun category="tricky">
<name>{89B4C1CD-B018-4511-B0A1-5476DBF70820}</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\</location>
<filepath>%systempath%\Rundll32.exe %systempath%\mscories.dll,Install</filepath>
</autorun>
- <autorun category="tricky">
<name>VBScript Script File</name>
<location>HKEY_CLASSES_ROOT\vbsfile\shell\open\command\</location>
<filepath>%systempath%\System32\WScript.exe %1 %*</filepath>
</autorun>
- <autorun category="tricky">
<name>VBScript Encoded Script File</name>
<location>HKEY_CLASSES_ROOT\vbefile\shell\open\command\</location>
<filepath>%systempath%\System32\WScript.exe %1 %*</filepath>
</autorun>
- <autorun category="tricky">
<name>JScript Script File</name>
<location>HKEY_CLASSES_ROOT\jsfile\shell\open\command\</location>
<filepath>%systempath%\System32\WScript.exe %1 %*</filepath>
</autorun>
- <autorun category="tricky">
<name>JScript Encoded Script File</name>
<location>HKEY_CLASSES_ROOT\jsefile\shell\open\command\</location>
<filepath>%systempath%\System32\WScript.exe %1 %*</filepath>
</autorun>
- <autorun category="tricky">
<name>Windows Script Host Settings File</name>
<location>HKEY_CLASSES_ROOT\wshfile\shell\open\command\</location>
<filepath>%systempath%\System32\WScript.exe %1 %*</filepath>
</autorun>
- <autorun category="tricky">
<name>Windows Script File</name>
<location>HKEY_CLASSES_ROOT\wsffile\shell\open\command\</location>
<filepath>%systempath%\System32\WScript.exe %1 %*</filepath>
</autorun>
- <autorun category="tricky">
<name>Application</name>
<location>HKEY_CLASSES_ROOT\exefile\shell\open\command\</location>
<filepath>%1 %*</filepath>
</autorun>
- <autorun category="tricky">
<name>MS-DOS Application</name>
<location>HKEY_CLASSES_ROOT\comfile\shell\open\command\</location>
<filepath>%1 %*</filepath>
</autorun>
- <autorun category="tricky">
<name>MS-DOS Batch File</name>
<location>HKEY_CLASSES_ROOT\batfile\shell\open\command\</location>
<filepath>%1 %*</filepath>
</autorun>
- <autorun category="tricky">
<name>Screen Saver</name>
<location>HKEY_CLASSES_ROOT\scrfile\shell\open\command\</location>
<filepath>%1 /S</filepath>
</autorun>
- <autorun category="tricky">
<name>Shortcut to MS-DOS Program</name>
<location>HKEY_CLASSES_ROOT\piffile\shell\open\command\</location>
<filepath>%1 %*</filepath>
</autorun>
- <autorun category="tricky">
<name>SCRNSAVE.EXE</name>
<location>HKEY_CURRENT_USER\Control Panel\Desktop\</location>
<filepath>%systempath%\logon.scr</filepath>
</autorun>
- <autorun category="tricky">
<name>BootExecute</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Contro l\Session Manager\</location>
<filepath>autocheck autochk *</filepath>
</autorun>
- <autorun category="tricky">
<name>PostBootReminder</name>
<location>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\ShellServiceObjectDelayLoad\</location>
<filepath>%systempath%\system32\SHELL32.dll</filepath>
</autorun>
- <autorun category="tricky">
<name>CDBurn</name>
<location>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\ShellServiceObjectDelayLoad\</location>
<filepath>%systempath%\system32\SHELL32.dll</filepath>
</autorun>
- <autorun category="tricky">
<name>WebCheck</name>
<location>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\ShellServiceObjectDelayLoad\</location>
<filepath>%systempath%\system32\webcheck.dll</filepath>
</autorun>
- <autorun category="tricky">
<name>SysTray</name>
<location>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\ShellServiceObjectDelayLoad\</location>
<filepath>%systempath%\stobject.dll</filepath>
</autorun>
- <autorun category="tricky">
<name>UPnPMonitor</name>
<location>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\ShellServiceObjectDelayLoad\</location>
<filepath>%systempath%\upnpui.dll</filepath>
</autorun>
</autoruns>
- <addons>
- <addon category="bho">
<clsid>{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}</clsid>
<name>Adobe PDF Reader Link Helper</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Explorer\Browser Helper Objects\</location>
<filepath>%programpath%\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll</filepath>
</addon>
- <addon category="bho">
<clsid>{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}</clsid>
<name>SSVHelper Class</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Explorer\Browser Helper Objects\</location>
<filepath>%programpath%\Java\jre1.5.0_06\bin\ssv.dll</filepath>
</addon>
- <addon category="shellexecutehooks">
<clsid>{AEB6717E-7E19-11d0-97EE-00C04FD91972}</clsid>
<name>URL Exec Hook</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Explorer\ShellExecuteHooks\</location>
<filepath>shell32.dll</filepath>
</addon>
- <addon category="shellexecutehooks">
<clsid>{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}</clsid>
<name>Microsoft AntiMalware ShellExecuteHook</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Explorer\ShellExecuteHooks\</location>
<filepath>I:\PROGRA~1\WIFD1F~1\MpShHook.dll</filepath>
</addon>
- <addon category="shellexecutehooks">
<clsid>{5BACC17E-BDF7-405B-BC68-ECB506395118}</clsid>
<name />
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Explorer\ShellExecuteHooks\</location>
<filepath />
</addon>
- <addon category="shellextension">
<clsid>{00022613-0000-0000-C000-000000000046}</clsid>
<name>Multimedia File Property Sheet</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>mmsys.cpl</filepath>
</addon>
- <addon category="shellextension">
<clsid>{176d6597-26d3-11d1-b350-080036a75b03}</clsid>
<name>ICM Scanner Management</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>icmui.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{1F2E5C40-9550-11CE-99D2-00AA006E086C}</clsid>
<name>Security Shell Extension</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>rshx32.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{3EA48300-8CF6-101B-84FB-666CCB9BCD32}</clsid>
<name>OLE Docfile Property Page</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>docprop.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{40dd6e20-7c17-11ce-a804-00aa003ca9f6}</clsid>
<name>Shell extensions for sharing</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>ntshrui.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{41E300E0-78B6-11ce-849B-444553540000}</clsid>
<name>PlusPack CPL Extension</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\themeui.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{42071712-76d4-11d1-8b24-00a0c9068ff3}</clsid>
<name>Display Adapter CPL Extension</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>deskadp.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{42071713-76d4-11d1-8b24-00a0c9068ff3}</clsid>
<name>Display Monitor CPL Extension</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>deskmon.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{42071714-76d4-11d1-8b24-00a0c9068ff3}</clsid>
<name>Display Panning CPL Extension</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>deskpan.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{4E40F770-369C-11d0-8922-00A024AB2DBB}</clsid>
<name>Security Shell Extension</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>dssec.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}</clsid>
<name>Compatibility Page</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>SlayerXP.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{56117100-C0CD-101B-81E2-00AA004AE837}</clsid>
<name>Shell Scrap DataHandler</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>shscrap.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{59099400-57FF-11CE-BD94-0020AF85B590}</clsid>
<name>Disk Copy Extension</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>diskcopy.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{59be4990-f85c-11ce-aff7-00aa003ca9f6}</clsid>
<name>Shell extensions for Microsoft Windows Network objects</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>ntlanui2.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{5DB2625A-54DF-11D0-B6C4-0800091AA605}</clsid>
<name>ICM Monitor Management</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\System32\icmui.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{675F097E-4C4D-11D0-B6C1-0800091AA605}</clsid>
<name>ICM Printer Management</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\icmui.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{764BF0E1-F219-11ce-972D-00AA00A14F56}</clsid>
<name />
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath />
</addon>
- <addon category="shellextension">
<clsid>{77597368-7b15-11d0-a0c2-080036af3f03}</clsid>
<name>Web Printer Shell Extension</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>printui.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{7988B573-EC89-11cf-9C00-00AA00A14F56}</clsid>
<name>Microsoft Disk Quota UI</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>dskquoui.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}</clsid>
<name />
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath />
</addon>
- <addon category="shellextension">
<clsid>{85BBD920-42A0-1069-A2E4-08002B30309D}</clsid>
<name>Briefcase</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>syncui.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{88895560-9AA2-1069-930E-00AA0030EBC8}</clsid>
<name>HyperTerminal Icon Ext</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\hticons.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{BD84B380-8CA2-1069-AB1D-08000948F534}</clsid>
<name>Fonts</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>fontext.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{DBCE2480-C732-101B-BE72-BA78E9AD5B27}</clsid>
<name>ICC Profile</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\icmui.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}</clsid>
<name>Security Shell Extension</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>rshx32.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}</clsid>
<name>Shell extensions for sharing</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>ntshrui.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{f92e8c40-3d33-11d2-b1aa-080036a75b03}</clsid>
<name>Display TroubleShoot CPL Extension</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>deskperf.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{7444C717-39BF-11D1-8CD9-00C04FC29D45}</clsid>
<name>CryptPKO Class</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\cryptext.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{7444C719-39BF-11D1-8CD9-00C04FC29D45}</clsid>
<name>CryptSig Class</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\cryptext.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{7007ACC7-3202-11D1-AAD2-00805FC1270E}</clsid>
<name>Network Connections</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\NETSHELL.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{992CFFA0-F557-101A-88EC-00DD010CCC48}</clsid>
<name>Network Connections</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\NETSHELL.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{E211B736-43FD-11D1-9EFB-0000F8757FCD}</clsid>
<name>Scanners Cameras</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>wiashext.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}</clsid>
<name>Scanners Cameras</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>wiashext.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{905667aa-acd6-11d2-8080-00805f6596d2}</clsid>
<name />
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>wiashext.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{3F953603-1008-4f6e-A73A-04AAC7A992F1}</clsid>
<name>Scanners Cameras</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>wiashext.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{83bbcbf3-b28a-4919-a5aa-73027445d672}</clsid>
<name />
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>wiashext.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{F0152790-D56E-4445-850E-4F3117DB740C}</clsid>
<name>Remote Sessions CPL Extension</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\remotepg.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{1D2680C9-0E2A-469d-B787-065558BC7D43}</clsid>
<name>Fusion Cache</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\mscoree.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{60254CA5-953B-11CF-8C96-00AA00B8708C}</clsid>
<name>Shell Extension For Windows Script Host</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\wshext.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{2206CDB2-19C1-11D1-89E0-00C04FD7A829}</clsid>
<name>Microsoft OLE DB Service Component Data Links</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>%programpath%\Common Files\System\Ole DB\oledb32.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}</clsid>
<name>Scheduling UI icon handler</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\mstask.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}</clsid>
<name>Scheduling UI property sheet handler</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\mstask.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{D6277990-4C6A-11CF-8D87-00AA0060F5BF}</clsid>
<name>Scheduled Tasks</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\mstask.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}</clsid>
<name>Set Program Access and Defaults</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\shdocvw.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{5F327514-6C5E-4d60-8F16-D07FA08A78ED}</clsid>
<name>Auto Update Property Sheet Extension</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\wuaucpl.cpl</filepath>
</addon>
- <addon category="shellextension">
<clsid>{0DF44EAA-FF21-4412-828E-260A8728E7F1}</clsid>
<name>Taskbar and Start Menu</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath />
</addon>
- <addon category="shellextension">
<clsid>{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}</clsid>
<name>Search</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\shdocvw.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}</clsid>
<name>Help and Support</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\shdocvw.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}</clsid>
<name>Windows Security</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\shdocvw.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}</clsid>
<name>Run...</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\shdocvw.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}</clsid>
<name>Internet</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\shdocvw.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}</clsid>
<name>E-mail</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\shdocvw.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{D20EA4E1-3957-11d2-A40B-0C5020524152}</clsid>
<name>Fonts</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\shdocvw.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{D20EA4E1-3957-11d2-A40B-0C5020524153}</clsid>
<name>Administrative Tools</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\shdocvw.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{596AB062-B4D2-4215-9F74-E9109B0A8153}</clsid>
<name>Previous Versions Property Page</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\twext.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{9DB7A13C-F208-4981-8353-73CC61AE2783}</clsid>
<name>Previous Versions</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\twext.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}</clsid>
<name>Audio Media Properties Handler</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\shmedia.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}</clsid>
<name>Video Media Properties Handler</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\shmedia.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{E4B29F9D-D390-480b-92FD-7DDB47101D71}</clsid>
<name>Wav Properties Handler</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\shmedia.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{87D62D94-71B3-4b9a-9489-5FE6850DC73E}</clsid>
<name>Avi Properties Handler</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\shmedia.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{A6FD9E45-6E44-43f9-8644-08598F5A74D9}</clsid>
<name>Midi Properties Handler</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\shmedia.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{c5a40261-cd64-4ccf-84cb-c394da41d590}</clsid>
<name>Video Thumbnail Extractor</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\shmedia.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{5E6AB780-7743-11CF-A12B-00AA004AE837}</clsid>
<name>Microsoft Internet Toolbar</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\browseui.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{22BF0C20-6DA7-11D0-B373-00A0C9034938}</clsid>
<name>Download Status</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\browseui.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{91EA3F8B-C99B-11d0-9815-00C04FD91972}</clsid>
<name>Augmented Shell Folder</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\browseui.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{6413BA2C-B461-11d1-A18A-080036B11A03}</clsid>
<name>Augmented Shell Folder 2</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\browseui.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{F61FFEC1-754F-11d0-80CA-00AA005B4383}</clsid>
<name>BandProxy</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\browseui.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{7BA4C742-9E81-11CF-99D3-00AA004AE837}</clsid>
<name>Microsoft BrowserBand</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\browseui.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{30D02401-6A81-11d0-8274-00C04FD5AE38}</clsid>
<name>Search Band</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\browseui.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{169A0691-8DF9-11d1-A1C4-00C04FD75D13}</clsid>
<name>In-pane search</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\browseui.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{07798131-AF23-11d1-9111-00A0C98BA67D}</clsid>
<name>Web Search</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\browseui.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{AF4F6510-F982-11d0-8595-00AA004CD6D8}</clsid>
<name>Registry Tree Options Utility</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\browseui.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{01E04581-4EEE-11d0-BFE9-00AA005B4383}</clsid>
<name>Address</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\browseui.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{A08C11D2-A228-11d0-825B-00AA005B4383}</clsid>
<name>Address EditBox</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\browseui.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{00BB2763-6A77-11D0-A535-00C04FD7D062}</clsid>
<name>Microsoft AutoComplete</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\browseui.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{7376D660-C583-11d0-A3A5-00C04FD706EC}</clsid>
<name>TridentImageExtractor</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\browseui.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{6756A641-DE71-11d0-831B-00AA005B4383}</clsid>
<name>MRU AutoComplete List</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\browseui.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}</clsid>
<name>Custom MRU AutoCompleted List</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\browseui.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{7e653215-fa25-46bd-a339-34a2790f3cb7}</clsid>
<name>Accessible</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\browseui.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{acf35015-526e-4230-9596-becbe19f0ac9}</clsid>
<name>Track Popup Bar</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\browseui.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{00BB2764-6A77-11D0-A535-00C04FD7D062}</clsid>
<name>Microsoft History AutoComplete List</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\browseui.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{03C036F1-A186-11D0-824A-00AA005B4383}</clsid>
<name>Microsoft Shell Folder AutoComplete List</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\browseui.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{00BB2765-6A77-11D0-A535-00C04FD7D062}</clsid>
<name>Microsoft Multiple AutoComplete List Container</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\browseui.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{ECD4FC4E-521C-11D0-B792-00A0C90312E1}</clsid>
<name>Shell Band Site Menu</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\browseui.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}</clsid>
<name>Shell DeskBarApp</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\browseui.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{ECD4FC4C-521C-11D0-B792-00A0C90312E1}</clsid>
<name>Shell DeskBar</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\browseui.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{ECD4FC4D-521C-11D0-B792-00A0C90312E1}</clsid>
<name>Shell Rebar BandSite</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\browseui.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{DD313E04-FEFF-11d1-8ECD-0000F87A470C}</clsid>
<name>User Assist</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\browseui.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}</clsid>
<name>Global Folder Settings</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\browseui.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{EFA24E61-B078-11d0-89E4-00C04FC9E26E}</clsid>
<name>Favorites Band</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\shdocvw.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{0A89A860-D7B1-11CE-8350-444553540000}</clsid>
<name>Shell Automation Inproc Service</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\shdocvw.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}</clsid>
<name>Shell DocObject Viewer</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\shdocvw.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}</clsid>
<name>Microsoft Browser Architecture</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\shdocvw.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{FBF23B40-E3F0-101B-8488-00AA003E56F8}</clsid>
<name>Internet Shortcut</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>shdocvw.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{3C374A40-BAE4-11CF-BF7D-00AA006946EE}</clsid>
<name>Microsoft Url History Service</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\shdocvw.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{FF393560-C2A7-11CF-BFF4-444553540000}</clsid>
<name>History</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\shdocvw.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{7BD29E00-76C1-11CF-9DD0-00A0C9034933}</clsid>
<name>Temporary Internet Files</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\shdocvw.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{7BD29E01-76C1-11CF-9DD0-00A0C9034933}</clsid>
<name>Temporary Internet Files</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\shdocvw.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{CFBFAE00-17A6-11D0-99CB-00C04FD64497}</clsid>
<name>Microsoft Url Search Hook</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\shdocvw.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}</clsid>
<name>IE4 Suite Splash Screen</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\shdocvw.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{67EA19A0-CCEF-11d0-8024-00C04FD75D13}</clsid>
<name>CDF Extension Copy Hook</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\shdocvw.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{131A6951-7F78-11D0-A979-00C04FD705A2}</clsid>
<name>ISFBand OC</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\shdocvw.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{9461b922-3c5a-11d2-bf8b-00c04fb93661}</clsid>
<name>Search Assistant OC</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\shdocvw.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}</clsid>
<name>The Internet</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\shdocvw.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{871C5380-42A0-1069-A2EA-08002B30309D}</clsid>
<name />
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\shdocvw.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{EFA24E64-B078-11d0-89E4-00C04FC9E26E}</clsid>
<name>Explorer Band</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\shdocvw.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}</clsid>
<name />
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\sendmail.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}</clsid>
<name />
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\sendmail.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{88C6C381-2E85-11D0-94DE-444553540000}</clsid>
<name>ActiveX Cache Folder</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\occache.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{E6FB5E20-DE35-11CF-9C87-00AA005127ED}</clsid>
<name>WebCheck</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\webcheck.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}</clsid>
<name>Subscription Mgr</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\webcheck.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{F5175861-2688-11d0-9C5E-00AA00A45957}</clsid>
<name>Subscription Folder</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\webcheck.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{08165EA0-E946-11CF-9C87-00AA005127ED}</clsid>
<name>WebCheckWebCrawler</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\webcheck.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}</clsid>
<name>WebCheckChannelAgent</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\webcheck.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}</clsid>
<name>TrayAgent</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\webcheck.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{7D559C10-9FE9-11d0-93F7-00AA0059CE02}</clsid>
<name>Code Download Agent</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\webcheck.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}</clsid>
<name>ConnectionAgent</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\webcheck.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{D8BD2030-6FC9-11D0-864F-00AA006809D9}</clsid>
<name>PostAgent</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\webcheck.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}</clsid>
<name>WebCheck SyncMgr Handler</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\webcheck.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{352EC2B7-8B9A-11D1-B8AE-006008059382}</clsid>
<name>Shell Application Manager</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\appwiz.cpl</filepath>
</addon>
- <addon category="shellextension">
<clsid>{0B124F8F-91F0-11D1-B8B5-006008059382}</clsid>
<name>Installed Apps Enumerator</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\appwiz.cpl</filepath>
</addon>
- <addon category="shellextension">
<clsid>{CFCCC7A0-A282-11D1-9082-006008059382}</clsid>
<name>Darwin App Publisher</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\appwiz.cpl</filepath>
</addon>
- <addon category="shellextension">
<clsid>{e84fda7c-1d6a-45f6-b725-cb260c236066}</clsid>
<name>Shell Image Verbs</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\shimgvw.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}</clsid>
<name>Shell Image Data Factory</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\shimgvw.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}</clsid>
<name>Shell Autoplay for Slideshow</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath />
</addon>
- <addon category="shellextension">
<clsid>{3F30C968-480A-4C6C-862D-EFC0897BB84B}</clsid>
<name>GDI+ file thumbnail extractor</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\shimgvw.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{9DBD2C50-62AD-11d0-B806-00C04FD706EC}</clsid>
<name>Summary Info Thumbnail handler (DOCFILES)</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\shimgvw.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{EAB841A0-9550-11cf-8C16-00805F1408F3}</clsid>
<name>HTML Thumbnail Extractor</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\shimgvw.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}</clsid>
<name>Shell Image Property Handler</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\shimgvw.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{CC6EEFFB-43F6-46c5-9619-51D571967F7D}</clsid>
<name>Web Publishing Wizard</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\netplwiz.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{add36aa8-751a-4579-a266-d66f5202ccbb}</clsid>
<name>Print Ordering via the Web</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\netplwiz.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{6b33163c-76a5-4b6c-bf21-45de9cd503a1}</clsid>
<name>Shell Publishing Wizard Object</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\netplwiz.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{58f1f272-9240-4f51-b6d4-fd63d1618591}</clsid>
<name>Get a Passport Wizard</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\netplwiz.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{7A9D77BD-5403-11d2-8785-2E0420524153}</clsid>
<name>User Accounts</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath />
</addon>
- <addon category="shellextension">
<clsid>{E88DCCE0-B7B3-11d1-A9F0-00AA0060FA31}</clsid>
<name>CompressedFolder</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\zipfldr.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{BD472F60-27FA-11cf-B8B4-444553540000}</clsid>
<name>Compressed (zipped) Folder Right Drag Handler</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\zipfldr.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}</clsid>
<name>Compressed (zipped) Folder SendTo Target</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\zipfldr.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{f39a0dc0-9cc8-11d0-a599-00c04fd64433}</clsid>
<name>Channel</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\cdfview.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}</clsid>
<name>Channel Shortcut</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\cdfview.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}</clsid>
<name>Channel Handler Object</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\cdfview.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{f3da0dc0-9cc8-11d0-a599-00c04fd64437}</clsid>
<name>Channel Menu Handler Object</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\cdfview.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}</clsid>
<name>Channel Shortcut Property Pages</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\cdfview.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{692F0339-CBAA-47e6-B5B5-3B84DB604E87}</clsid>
<name>Extensions Manager Folder</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\extmgr.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{63da6ec0-2e98-11cf-8d82-444553540000}</clsid>
<name>Microsoft FTP Folder</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\msieftp.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{883373C3-BF89-11D1-BE35-080036B11A03}</clsid>
<name>Microsoft DocProp Shell Ext</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\docprop2.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{A9CF0EAE-901A-4739-A481-E35B73E47F6D}</clsid>
<name>Microsoft DocProp Inplace Edit Box Control</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\docprop2.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{8EE97210-FD1F-4B19-91DA-67914005F020}</clsid>
<name>Microsoft DocProp Inplace ML Edit Box Control</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\docprop2.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}</clsid>
<name>Microsoft DocProp Inplace Droplist Combo Control</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\docprop2.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{6A205B57-2567-4A2C-B881-F787FAB579A3}</clsid>
<name>Microsoft DocProp Inplace Calendar Control</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\docprop2.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}</clsid>
<name>Microsoft DocProp Inplace Time Control</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\docprop2.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{8A23E65E-31C2-11d0-891C-00A024AB2DBB}</clsid>
<name />
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\dsquery.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}</clsid>
<name />
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\dsquery.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}</clsid>
<name />
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\dsquery.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{F020E586-5264-11d1-A532-0000F8757D7E}</clsid>
<name />
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\dsquery.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{0D45D530-764B-11d0-A1CA-00AA00C16E65}</clsid>
<name />
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\dsuiext.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{62AE1F9A-126A-11D0-A14B-0800361B1103}</clsid>
<name />
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\dsuiext.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{ECF03A33-103D-11d2-854D-006008059367}</clsid>
<name />
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\mydocs.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{ECF03A32-103D-11d2-854D-006008059367}</clsid>
<name>MyDocs Drop Target</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\mydocs.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{4a7ded0a-ad25-11d0-98a8-0800361b1103}</clsid>
<name>MyDocs menu and properties</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\mydocs.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{750fdf0e-2a26-11d1-a3ea-080036587f03}</clsid>
<name>Offline Files Menu</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\System32\cscui.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{10CFC467-4392-11d2-8DB4-00C04FA31A66}</clsid>
<name>Offline Files Folder Options</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\System32\cscui.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}</clsid>
<name>Offline Files Folder</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\System32\cscui.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{143A62C8-C33B-11D1-84FE-00C04FA34A14}</clsid>
<name>Microsoft Agent Character Property Sheet Handler</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%winpath%\msagent\agentpsh.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}</clsid>
<name>DfsShell Class</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\dfsshlex.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{60fd46de-f830-4894-a628-6fa81bc0190d}</clsid>
<name>DropTarget Object for Photo Printing Wizard</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\photowiz.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{7A80E4A8-8005-11D2-BCF8-00C04F72C717}</clsid>
<name>ExtractIcon Class</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\System32\mmcshext.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}</clsid>
<name>Cabinet File</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>cabview.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{32714800-2E5F-11d0-8B85-00AA0044F941}</clsid>
<name>For People...</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%programpath%\Outlook Express\wabfind.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{640167b4-59b0-47a6-b335-a6b3c0695aea}</clsid>
<name>Portable Media Devices</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\audiodev.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{cc86590a-b60a-48e6-996b-41d25ed39a1e}</clsid>
<name>Portable Media Devices Menu</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\audiodev.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{8DD448E6-C188-4aed-AF92-44956194EB1F}</clsid>
<name>WMP Burn Audio CD Launcher</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\wmpshell.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}</clsid>
<name>WMP Play As Playlist Launcher</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\wmpshell.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}</clsid>
<name>WMP Add To Playlist Launcher</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\wmpshell.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{e82a2d71-5b2f-43a0-97b8-81be15854de8}</clsid>
<name>ShellLink for Application References</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\dfshim.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}</clsid>
<name>Shell Icon Handler for Application References</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\dfshim.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{5E2121EE-0300-11D4-8D3B-444553540000}</clsid>
<name>SimpleShlExt Class</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>%programpath%\ATI Technologies\ATI.ACE\atiacmxx.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{BB7DF450-F119-11CD-8465-00AA00425D90}</clsid>
<name />
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>%programpath%\msaccrt\Access 97\soa800.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{B327765E-D724-4347-8B16-78AE18552FC3}</clsid>
<name>NeroDigitalIconHandler Class</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>%programpath%\Common Files\Ahead\Lib\NeroDigitalExt.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{7F1CF152-04F8-453A-B34C-E609530A9DC8}</clsid>
<name>NeroDigitalPropSheetHandler Class</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>%programpath%\Common Files\Ahead\Lib\NeroDigitalExt.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{e57ce731-33e8-4c51-8354-bb4de9d215d1}</clsid>
<name>Universal Plug and Play Devices</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\upnpui.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}</clsid>
<name>RealOne Player Context Menu Class</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>%programpath%\Real\RealPlayer\rpshell.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}</clsid>
<name>AVG7 Shell Extension Class</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>%programpath%\Grisoft\AVG Free\avgse.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}</clsid>
<name>AVG7 Find Extension Class</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>%programpath%\Grisoft\AVG Free\avgse.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}</clsid>
<name />
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>%programpath%\OpenOffice.org 2.0\program\shlxthdl.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{087B3AE3-E237-4467-B8DB-5A38AB959AC9}</clsid>
<name />
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>%programpath%\OpenOffice.org 2.0\program\shlxthdl.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{63542C48-9552-494A-84F7-73AA6A7C99C1}</clsid>
<name />
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>%programpath%\OpenOffice.org 2.0\program\shlxthdl.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{3B092F0C-7696-40E3-A80F-68D74DA84210}</clsid>
<name />
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>%programpath%\OpenOffice.org 2.0\program\shlxthdl.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{D44E22BD-2D2C-4F13-BF1B-2DB458FD0C2C}</clsid>
<name>KernelExt Class</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\krnsvr32.dll</filepath>
</addon>
- <addon category="shellextension">
<clsid>{21569614-B795-46b1-85F4-E737A8DC09AD}</clsid>
<name>Shell Search Band</name>
<location>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved\</location>
<filepath>%systempath%\system32\browseui.dll</filepath>
</addon>
- <lsp>
<name>000000000001</name>
<location>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\WinSock2\Parameters\Protocol_Catalog9\Catalog_E ntries\</location>
<filepath>%systempath%\system32\mswsock.dll</filepath>
</lsp>
- <lsp>
<name>000000000002</name>
<location>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\WinSock2\Parameters\Protocol_Catalog9\Catalog_E ntries\</location>
<filepath>%systempath%\system32\mswsock.dll</filepath>
</lsp>
- <lsp>
<name>000000000003</name>
<location>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\WinSock2\Parameters\Protocol_Catalog9\Catalog_E ntries\</location>
<filepath>%systempath%\system32\mswsock.dll</filepath>
</lsp>
- <lsp>
<name>000000000004</name>
<location>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\WinSock2\Parameters\Protocol_Catalog9\Catalog_E ntries\</location>
<filepath>%systempath%\system32\mswsock.dll</filepath>
</lsp>
- <lsp>
<name>000000000005</name>
<location>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\WinSock2\Parameters\Protocol_Catalog9\Catalog_E ntries\</location>
<filepath>%systempath%\system32\rsvpsp.dll</filepath>
</lsp>
- <lsp>
<name>000000000006</name>
<location>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\WinSock2\Parameters\Protocol_Catalog9\Catalog_E ntries\</location>
<filepath>%systempath%\system32\rsvpsp.dll</filepath>
</lsp>
- <lsp>
<name>000000000007</name>
<location>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\WinSock2\Parameters\Protocol_Catalog9\Catalog_E ntries\</location>
<filepath>%systempath%\system32\mswsock.dll</filepath>
</lsp>
- <lsp>
<name>000000000008</name>
<location>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\WinSock2\Parameters\Protocol_Catalog9\Catalog_E ntries\</location>
<filepath>%systempath%\system32\mswsock.dll</filepath>
</lsp>
- <lsp>
<name>000000000009</name>
<location>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\WinSock2\Parameters\Protocol_Catalog9\Catalog_E ntries\</location>
<filepath>%systempath%\system32\mswsock.dll</filepath>
</lsp>
- <lsp>
<name>000000000010</name>
<location>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\WinSock2\Parameters\Protocol_Catalog9\Catalog_E ntries\</location>
<filepath>%systempath%\system32\mswsock.dll</filepath>
</lsp>
- <lsp>
<name>000000000011</name>
<location>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\WinSock2\Parameters\Protocol_Catalog9\Catalog_E ntries\</location>
<filepath>%systempath%\system32\mswsock.dll</filepath>
</lsp>
- <lsp>
<name>000000000012</name>
<location>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\WinSock2\Parameters\Protocol_Catalog9\Catalog_E ntries\</location>
<filepath>%systempath%\system32\mswsock.dll</filepath>
</lsp>
- <lsp>
<name>000000000013</name>
<location>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\WinSock2\Parameters\Protocol_Catalog9\Catalog_E ntries\</location>
<filepath>%systempath%\system32\mswsock.dll</filepath>
</lsp>
- <lsp>
<name>000000000014</name>
<location>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\WinSock2\Parameters\Protocol_Catalog9\Catalog_E ntries\</location>
<filepath>%systempath%\system32\mswsock.dll</filepath>
</lsp>
</addons>
- <services>
- <service>
<name>Microsoft ACPI Driver</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\ACPI</location>
<filepath>%systempath%\DRIVERS\ACPI.sys</filepath>
<state>Running</state>
</service>
- <service>
<name>Microsoft Kernel Acoustic Echo Canceller</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\aec</location>
<filepath>%systempath%\drivers\aec.sys</filepath>
<state>Stopped</state>
</service>
- <service>
<name>AFD</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\AFD</location>
<filepath>\SystemRoot\System32\drivers\afd.sys</filepath>
<state>Running</state>
</service>
- <service>
<name>Alerter</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\Alerter</location>
<filepath>%systempath%\system32\svchost.exe -k LocalService</filepath>
<state>Stopped</state>
</service>
- <service>
<name>Application Layer Gateway Service</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\ALG</location>
<filepath>%systempath%\System32\alg.exe</filepath>
<state>Running</state>
</service>
- <service>
<name>Application Management</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\AppMgmt</location>
<filepath>%systempath%\system32\svchost.exe -k netsvcs</filepath>
<state>Stopped</state>
</service>
- <service>
<name>ASAPIW2K</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\ASAPIW2k</location>
<filepath>%systempath%\drivers\ASAPIW2k.sys</filepath>
<state>Running</state>
</service>
- <service>
<name>ASP.NET State Service</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\aspnet_state</location>
<filepath>%systempath%\Microsoft.NET\Framework\v2.0.50727\as pnet_state.exe</filepath>
<state>Stopped</state>
</service>
- <service>
<name>RAS Asynchronous Media Driver</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\AsyncMac</location>
<filepath>%systempath%\DRIVERS\asyncmac.sys</filepath>
<state>Stopped</state>
</service>
- <service>
<name>Standard IDE/ESDI Hard Disk Controller</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\atapi</location>
<filepath>%systempath%\DRIVERS\atapi.sys</filepath>
<state>Running</state>
</service>
- <service>
<name>ATI Smart</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\ATI Smart</location>
<filepath>%systempath%\ati2sgag.exe</filepath>
<state>Stopped</state>
</service>
- <service>
<name>ATI T200 Unified AVStream service</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\ATIAVAIW</location>
<filepath>%systempath%\DRIVERS\atinavt2.sys</filepath>
<state>Running</state>
</service>
- <service>
<name>ATM ARP Client Protocol</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\Atmarpc</location>
<filepath>%systempath%\DRIVERS\atmarpc.sys</filepath>
<state>Stopped</state>
</service>
- <service>
<name>Windows Audio</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\AudioSrv</location>
<filepath>%systempath%\System32\svchost.exe -k netsvcs</filepath>
<state>Running</state>
</service>
- <service>
<name>Audio Stub Driver</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\audstub</location>
<filepath>%systempath%\DRIVERS\audstub.sys</filepath>
<state>Running</state>
</service>
- <service>
<name>AVG7 Alert Manager Server</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\Avg7Alrt</location>
<filepath>I:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe</filepath>
<state>Running</state>
</service>
- <service>
<name>AVG7 Kernel</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\Avg7Core</location>
<filepath>\SystemRoot\System32\Drivers\avg7core.sys</filepath>
<state>Running</state>
</service>
- <service>
<name>AVG7 Wrap Driver</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\Avg7RsW</location>
<filepath>\SystemRoot\System32\Drivers\avg7rsw.sys</filepath>
<state>Running</state>
</service>
- <service>
<name>AVG7 Resident Driver XP</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\Avg7RsXP</location>
<filepath>\SystemRoot\System32\Drivers\avg7rsxp.sys</filepath>
<state>Running</state>
</service>
- <service>
<name>AVG7 Update Service</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\Avg7UpdSvc</location>
<filepath>I:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe</filepath>
<state>Running</state>
</service>
- <service>
<name>AVG E-mail Scanner</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\AVGEMS</location>
<filepath>I:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe</filepath>
<state>Running</state>
</service>
- <service>
<name>AVG Network Redirector</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\AvgTdi</location>
<filepath>\SystemRoot\System32\Drivers\avgtdi.sys</filepath>
<state>Running</state>
</service>
- <service>
<name>Background Intelligent Transfer Service</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\BITS</location>
<filepath>%systempath%\system32\svchost.exe -k netsvcs</filepath>
<state>Stopped</state>
</service>
- <service>
<name>Computer Browser</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\Browser</location>
<filepath>%systempath%\system32\svchost.exe -k netsvcs</filepath>
<state>Running</state>
</service>
- <service>
<name>Closed Caption Decoder</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\CCDECODE</location>
<filepath>%systempath%\DRIVERS\CCDECODE.sys</filepath>
<state>Stopped</state>
</service>
- <service>
<name>CD-ROM Driver</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\Cdrom</location>
<filepath>%systempath%\DRIVERS\cdrom.sys</filepath>
<state>Running</state>
</service>
- <service>
<name>Indexing Service</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\CiSvc</location>
<filepath>%systempath%\system32\cisvc.exe</filepath>
<state>Stopped</state>
</service>
- <service>
<name>ClipBook</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\ClipSrv</location>
<filepath>%systempath%\system32\clipsrv.exe</filepath>
<state>Stopped</state>
</service>
- <service>
<name>.NET Runtime Optimization Service v2.0.50727_X86</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\clr_optimization_v2.0.50727_32</location>
<filepath>%winpath%\Microsoft.NET\Framework\v2.0.50727\mscor svw.exe</filepath>
<state>Stopped</state>
</service>
- <service>
<name>COM+ System Application</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\COMSysApp</location>
<filepath>%systempath%\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}</filepath>
<state>Running</state>
</service>
- <service>
<name>Creative Service for CDROM Access</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\Creative Service for CDROM Access</location>
<filepath>%systempath%\CTsvcCDA.EXE</filepath>
<state>Running</state>
</service>
- <service>
<name>Cryptographic Services</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\CryptSvc</location>
<filepath>%systempath%\system32\svchost.exe -k netsvcs</filepath>
<state>Running</state>
</service>
- <service>
<name>Creative AC3 Software Decoder</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\ctac32k</location>
<filepath>%systempath%\drivers\ctac32k.sys</filepath>
<state>Running</state>
</service>
- <service>
<name>Creative Audio Driver (WDM)</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\ctaud2k</location>
<filepath>%systempath%\drivers\ctaud2k.sys</filepath>
<state>Running</state>
</service>
- <service>
<name>Creative DVD-Audio Device Driver</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\ctdvda2k</location>
<filepath>%systempath%\drivers\ctdvda2k.sys</filepath>
<state>Stopped</state>
</service>
- <service>
<name>Creative Proxy Driver</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\ctprxy2k</location>
<filepath>%systempath%\drivers\ctprxy2k.sys</filepath>
<state>Running</state>
</service>
- <service>
<name>Creative SoundFont Management Device Driver</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\ctsfm2k</location>
<filepath>%systempath%\drivers\ctsfm2k.sys</filepath>
<state>Running</state>
</service>
- <service>
<name>DCOM Server Process Launcher</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\DcomLaunch</location>
<filepath>%systempath%\system32\svchost -k DcomLaunch</filepath>
<state>Running</state>
</service>
- <service>
<name>DHCP Client</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\Dhcp</location>
<filepath>%systempath%\system32\svchost.exe -k netsvcs</filepath>
<state>Running</state>
</service>
- <service>
<name>Disk Driver</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\Disk</location>
<filepath>%systempath%\DRIVERS\disk.sys</filepath>
<state>Running</state>
</service>
- <service>
<name>Logical Disk Manager Administrative Service</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\dmadmin</location>
<filepath>%systempath%\System32\dmadmin.exe /com</filepath>
<state>Stopped</state>
</service>
- <service>
<name>Logical Disk Manager Driver</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\dmio</location>
<filepath>%systempath%\drivers\dmio.sys</filepath>
<state>Running</state>
</service>
- <service>
<name>Logical Disk Manager</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\dmserver</location>
<filepath>%systempath%\System32\svchost.exe -k netsvcs</filepath>
<state>Running</state>
</service>
- <service>
<name>Microsoft Kernel DLS Syntheiszer</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\DMusic</location>
<filepath>%systempath%\drivers\DMusic.sys</filepath>
<state>Stopped</state>
</service>
- <service>
<name>DNS Client</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\Dnscache</location>
<filepath>%systempath%\system32\svchost.exe -k NetworkService</filepath>
<state>Running</state>
</service>
- <service>
<name>Microsoft Kernel DRM Audio Descrambler</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\drmkaud</location>
<filepath>%systempath%\drivers\drmkaud.sys</filepath>
<state>Stopped</state>
</service>
- <service>
<name>Media Center Receiver Service</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\ehRecvr</location>
<filepath>%winpath%\eHome\ehRecvr.exe</filepath>
<state>Running</state>
</service>
- <service>
<name>Media Center Scheduler Service</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\ehSched</location>
<filepath>%winpath%\eHome\ehSched.exe</filepath>
<state>Running</state>
</service>
- <service>
<name>E-mu Plug-in Architecture Driver</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\emupia</location>
<filepath>%systempath%\drivers\emupia2k.sys</filepath>
<state>Running</state>
</service>
- <service>
<name>Error Reporting Service</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\ERSvc</location>
<filepath>%systempath%\System32\svchost.exe -k netsvcs</filepath>
<state>Running</state>
</service>
- <service>
<name>Event Log</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\Eventlog</location>
<filepath>%systempath%\system32\services.exe</filepath>
<state>Running</state>
</service>
- <service>
<name>COM+ Event System</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\EventSystem</location>
<filepath>%systempath%\svchost.exe -k netsvcs</filepath>
<state>Running</state>
</service>
- <service>
<name>Fast User Switching Compatibility</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\FastUserSwitchingCompatibility</location>
<filepath>%systempath%\System32\svchost.exe -k netsvcs</filepath>
<state>Running</state>
</service>
- <service>
<name>FltMgr</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\FltMgr</location>
<filepath>%systempath%\DRIVERS\fltMgr.sys</filepath>
<state>Running</state>
</service>
- <service>
<name>Volume Manager Driver</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\Ftdisk</location>
<filepath>%systempath%\DRIVERS\ftdisk.sys</filepath>
<state>Running</state>
</service>
- <service>
<name>Game Port Enumerator</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\gameenum</location>
<filepath>%systempath%\DRIVERS\gameenum.sys</filepath>
<state>Running</state>
</service>
- <service>
<name>Generic Packet Classifier</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\Gpc</location>
<filepath>%systempath%\DRIVERS\msgpc.sys</filepath>
<state>Running</state>
</service>
- <service>
<name>Creative 20X HAL Driver</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\ha20x2k</location>
<filepath>%systempath%\drivers\ha20x2k.sys</filepath>
<state>Running</state>
</service>
- <service>
<name>Help and Support</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\helpsvc</location>
<filepath>%systempath%\System32\svchost.exe -k netsvcs</filepath>
<state>Running</state>
</service>
- <service>
<name>HID Input Service</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\HidServ</location>
<filepath>%systempath%\System32\svchost.exe -k netsvcs</filepath>
<state>Running</state>
</service>
- <service>
<name>Microsoft HID Class Driver</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\hidusb</location>
<filepath>%systempath%\DRIVERS\hidusb.sys</filepath>
<state>Running</state>
</service>
- <service>
<name>HTTP</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\HTTP</location>
<filepath>%systempath%\Drivers\HTTP.sys</filepath>
<state>Running</state>
</service>
- <service>
<name>HTTP SSL</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\HTTPFilter</location>
<filepath>%systempath%\System32\svchost.exe -k HTTPFilter</filepath>
<state>Stopped</state>
</service>
- <service>
<name>i8042 Keyboard and PS/2 Mouse Port Driver</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\i8042prt</location>
<filepath>%systempath%\DRIVERS\i8042prt.sys</filepath>
<state>Running</state>
</service>
- <service>
<name>CD-Burning Filter Driver</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\Imapi</location>
<filepath>%systempath%\DRIVERS\imapi.sys</filepath>
<state>Running</state>
</service>
- <service>
<name>IMAPI CD-Burning COM Service</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\ImapiService</location>
<filepath>%systempath%\imapi.exe</filepath>
<state>Stopped</state>
</service>
- <service>
<name>IPv6 Windows Firewall Driver</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\Ip6Fw</location>
<filepath>%systempath%\DRIVERS\Ip6Fw.sys</filepath>
<state>Stopped</state>
</service>
- <service>
<name>IP Traffic Filter Driver</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\IpFilterDriver</location>
<filepath>%systempath%\DRIVERS\ipfltdrv.sys</filepath>
<state>Stopped</state>
</service>
- <service>
<name>IP in IP Tunnel Driver</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\IpInIp</location>
<filepath>%systempath%\DRIVERS\ipinip.sys</filepath>
<state>Stopped</state>
</service>
- <service>
<name>IP Network Address Translator</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\IpNat</location>
<filepath>%systempath%\DRIVERS\ipnat.sys</filepath>
<state>Running</state>
</service>
- <service>
<name>IPSEC driver</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\IPSec</location>
<filepath>%systempath%\DRIVERS\ipsec.sys</filepath>
<state>Running</state>
</service>
- <service>
<name>IrDA Protocol</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\irda</location>
<filepath>%systempath%\DRIVERS\irda.sys</filepath>
<state>Running</state>
</service>
- <service>
<name>IR Enumerator Service</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\IRENUM</location>
<filepath>%systempath%\DRIVERS\irenum.sys</filepath>
<state>Running</state>
</service>
- <service>
<name>Infrared Monitor</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\Irmon</location>
<filepath>%systempath%\system32\svchost.exe -k netsvcs</filepath>
<state>Running</state>
</service>
- <service>
<name>Microsoft Serial Infrared Driver</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\irsir</location>
<filepath>%systempath%\DRIVERS\irsir.sys</filepath>
<state>Running</state>
</service>
- <service>
<name>PnP ISA/EISA Bus Driver</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\isapnp</location>
<filepath>%systempath%\DRIVERS\isapnp.sys</filepath>
<state>Running</state>
</service>
- <service>
<name>Keyboard Class Driver</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\Kbdclass</location>
<filepath>%systempath%\DRIVERS\kbdclass.sys</filepath>
<state>Running</state>
</service>
- <service>
<name>Keyboard HID Driver</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\kbdhid</location>
<filepath>%systempath%\DRIVERS\kbdhid.sys</filepath>
<state>Running</state>
</service>
- <service>
<name>Microsoft Kernel Wave Audio Mixer</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\kmixer</location>
<filepath>%systempath%\drivers\kmixer.sys</filepath>
<state>Running</state>
</service>
- <service>
<name>Logitech SetPoint PS/2 Mouse Filter Driver</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\L8042mou</location>
<filepath>%systempath%\DRIVERS\L8042mou.Sys</filepath>
<state>Running</state>
</service>
- <service>
<name>Server</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\lanmanserver</location>
<filepath>%systempath%\system32\svchost.exe -k netsvcs</filepath>
<state>Running</state>
</service>
- <service>
<name>Workstation</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\lanmanworkstation</location>
<filepath>%systempath%\system32\svchost.exe -k netsvcs</filepath>
<state>Running</state>
</service>
- <service>
<name>LightScribeService Direct Disc Labeling Service</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\LightScribeService</location>
<filepath>%programpath%\Common Files\LightScribe\LSSrvc.exe</filepath>
<state>Running</state>
</service>
- <service>
<name>TCP/IP NetBIOS Helper</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\LmHosts</location>
<filepath>%systempath%\system32\svchost.exe -k LocalService</filepath>
<state>Running</state>
</service>
- <service>
<name>Logitech SetPoint Mouse Filter Driver</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\LMouKE</location>
<filepath>%systempath%\DRIVERS\LMouKE.Sys</filepath>
<state>Running</state>
</service>
- <service>
<name>Media Center Extender Service</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\McrdSvc</location>
<filepath>%winpath%\ehome\mcrdsvc.exe</filepath>
<state>Running</state>
</service>
- <service>
<name>Messenger</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\Messenger</location>
<filepath>%systempath%\system32\svchost.exe -k netsvcs</filepath>
<state>Stopped</state>
</service>
- <service>
<name>MHN</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\MHN</location>
<filepath>%systempath%\System32\svchost.exe -k netsvcs</filepath>
<state>Stopped</state>
</service>
- <service>
<name>MHN driver</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\MHNDRV</location>
<filepath>%systempath%\DRIVERS\mhndrv.sys</filepath>
<state>Stopped</state>
</service>
- <service>
<name>NetMeeting Remote Desktop Sharing</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\mnmsrvc</location>
<filepath>%systempath%\mnmsrvc.exe</filepath>
<state>Stopped</state>
</service>
- <service>
<name>Mouse Class Driver</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\Mouclass</location>
<filepath>%systempath%\DRIVERS\mouclass.sys</filepath>
<state>Running</state>
</service>
- <service>
<name>BDA MPE Filter</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\MPE</location>
<filepath>%systempath%\DRIVERS\MPE.sys</filepath>
<state>Stopped</state>
</service>
- <service>
<name>WebDav Client Redirector</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\MRxDAV</location>
<filepath>%systempath%\DRIVERS\mrxdav.sys</filepath>
<state>Running</state>
</service>
- <service>
<name>MRXSMB</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\MRxSmb</location>
<filepath>%systempath%\DRIVERS\mrxsmb.sys</filepath>
<state>Running</state>
</service>
- <service>
<name>Distributed Transaction Coordinator</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\MSDTC</location>
<filepath>%systempath%\msdtc.exe</filepath>
<state>Stopped</state>
</service>
- <service>
<name>Windows Installer</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\MSIServer</location>
<filepath>%systempath%\msiexec.exe /V</filepath>
<state>Stopped</state>
</service>
- <service>
<name>Microsoft Streaming Service Proxy</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\MSKSSRV</location>
<filepath>%systempath%\drivers\MSKSSRV.sys</filepath>
<state>Stopped</state>
</service>
- <service>
<name>Microsoft Streaming Clock Proxy</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\MSPCLOCK</location>
<filepath>%systempath%\drivers\MSPCLOCK.sys</filepath>
<state>Stopped</state>
</service>
- <service>
<name>Microsoft Streaming Quality Manager Proxy</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\MSPQM</location>
<filepath>%systempath%\drivers\MSPQM.sys</filepath>
<state>Running</state>
</service>
- <service>
<name>Microsoft System Management BIOS Driver</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\mssmbios</location>
<filepath>%systempath%\DRIVERS\mssmbios.sys</filepath>
<state>Running</state>
</service>
- <service>
<name>Microsoft Streaming Tee/Sink-to-Sink Converter</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSTEE</location>
<filepath>%systempath%\drivers\MSTEE.sys</filepath>
<state>Stopped</state>
</service>
<service>
<name>Microsoft MPU-401 MIDI UART Driver</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ms_mpu401</location>
<filepath>%systempath%\drivers\msmpu401.sys</filepath>
<state>Running</state>
</service>
<service>
<name>Mup</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Mup</location>
<filepath />
<state>Running</state>
</service>
<service>
<name>NABTS/FEC VBI Codec</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NABTSFEC</location>
<filepath>%systempath%\DRIVERS\NABTSFEC.sys</filepath>
<state>Stopped</state>
</service>
<service>
<name>NDIS System Driver</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NDIS</location>
<filepath />
<state>Running</state>
</service>
<service>
<name>Microsoft TV/Video Connection</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NdisIP</location>
<filepath>%systempath%\DRIVERS\NdisIP.sys</filepath>
<state>Stopped</state>
</service>
<service>
<name>Remote Access NDIS TAPI Driver</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NdisTapi</location>
<filepath>%systempath%\DRIVERS\ndistapi.sys</filepath>
<state>Running</state>
</service>
<service>
<name>NDIS Usermode I/O Protocol</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Ndisuio</location>
<filepath>%systempath%\DRIVERS\ndisuio.sys</filepath>
<state>Running</state>
</service>
<service>
<name>Remote Access NDIS WAN Driver</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NdisWan</location>
<filepath>%systempath%\DRIVERS\ndiswan.sys</filepath>
<state>Running</state>
</service>
<service>
<name>NetBIOS Interface</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBIOS</location>
<filepath>%systempath%\DRIVERS\netbios.sys</filepath>
<state>Running</state>
</service>
<service>
<name>NetBios over Tcpip</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT</location>
<filepath>%systempath%\DRIVERS\netbt.sys</filepath>
<state>Running</state>
</service>
<service>
<name>Network DDE</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetDDE</location>
<filepath>%systempath%\system32\netdde.exe</filepath>
<state>Stopped</state>
</service>
<service>
<name>Network DDE DSDM</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetDDEdsdm</location>
<filepath>%systempath%\system32\netdde.exe</filepath>
<state>Stopped</state>
</service>
<service>
<name>Net Logon</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon</location>
<filepath>%systempath%\system32\lsass.exe</filepath>
<state>Stopped</state>
</service>
<service>
<name>Network Connections</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netman</location>
<filepath>%systempath%\System32\svchost.exe -k netsvcs</filepath>
<state>Running</state>
</service>
<service>
<name>Network Location Awareness (NLA)</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Nla</location>
<filepath>%systempath%\system32\svchost.exe -k netsvcs</filepath>
<state>Running</state>
</service>
<service>
<name>NT LM Security Support Provider</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtLmSsp</location>
<filepath>%systempath%\system32\lsass.exe</filepath>
<state>Stopped</state>
</service>
<service>
<name>Removable Storage</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtmsSvc</location>
<filepath>%systempath%\system32\svchost.exe -k netsvcs</filepath>
<state>Stopped</state>
</service>
<service>
<name>IPX Traffic Filter Driver</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NwlnkFlt</location>
<filepath>%systempath%\DRIVERS\nwlnkflt.sys</filepath>
<state>Stopped</state>
</service>
<service>
<name>IPX Traffic Forwarder Driver</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NwlnkFwd</location>
<filepath>%systempath%\DRIVERS\nwlnkfwd.sys</filepath>
<state>Stopped</state>
</service>
<service>
<name>Creative OS Services Driver</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ossrv</location>
<filepath>%systempath%\drivers\ctoss2k.sys</filepath>
<state>Running</state>
</service>
<service>
<name>Parallel port driver</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Parport</location>
<filepath>%systempath%\DRIVERS\parport.sys</filepath>
<state>Running</state>
</service>
<service>
<name>PCI Bus Driver</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PCI</location>
<filepath>%systempath%\DRIVERS\pci.sys</filepath>
<state>Running</state>
</service>
<service>
<name>PCLEPCI</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PCLEPCI</location>
<filepath>%systempath%\drivers\pclepci.sys</filepath>
<state>Running</state>
</service>
<service>
<name>Plug and Play</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PlugPlay</location>
<filepath>%systempath%\system32\services.exe</filepath>
<state>Running</state>
</service>
<service>
<name>IPSEC Services</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent</location>
<filepath>%systempath%\system32\lsass.exe</filepath>
<state>Running</state>
</service>
<service>
<name>WAN Miniport (PPTP)</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PptpMiniport</location>
<filepath>%systempath%\DRIVERS\raspptp.sys</filepath>
<state>Running</state>
</service>
<service>
<name>Processor Driver</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Processor</location>
<filepath>%systempath%\DRIVERS\processr.sys</filepath>
<state>Running</state>
</service>
<service>
<name>Protected Storage</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ProtectedStorage</location>
<filepath>%systempath%\system32\lsass.exe</filepath>
<state>Running</state>
</service>
<service>
<name>QoS Packet Scheduler</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PSched</location>
<filepath>%systempath%\DRIVERS\psched.sys</filepath>
<state>Running</state>
</service>
<service>
<name>Direct Parallel Link Driver</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Ptilink</location>
<filepath>%systempath%\DRIVERS\ptilink.sys</filepath>
<state>Running</state>
</service>
<service>
<name>PxHelp20</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PxHelp20</location>
<filepath>%systempath%\Drivers\PxHelp20.sys</filepath>
<state>Running</state>
</service>
<service>
<name>Remote Access Auto Connection Driver</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RasAcd</location>
<filepath>%systempath%\DRIVERS\rasacd.sys</filepath>
<state>Running</state>
</service>
<service>
<name>Remote Access Auto Connection Manager</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RasAuto</location>
<filepath>%systempath%\system32\svchost.exe -k netsvcs</filepath>
<state>Stopped</state>
</service>
<service>
<name>WAN Miniport (IrDA)</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasirda</location>
<filepath>%systempath%\DRIVERS\rasirda.sys</filepath>
<state>Running</state>
</service>
<service>
<name>WAN Miniport (L2TP)</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasl2tp</location>
<filepath>%systempath%\DRIVERS\rasl2tp.sys</filepath>
<state>Running</state>
</service>
<service>
<name>Remote Access Connection Manager</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RasMan</location>
<filepath>%systempath%\system32\svchost.exe -k netsvcs</filepath>
<state>Running</state>
</service>
<service>
<name>Remote Access PPPOE Driver</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RasPppoe</location>
<filepath>%systempath%\DRIVERS\raspppoe.sys</filepath>
<state>Running</state>
</service>
<service>
<name>Direct Parallel</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Raspti</location>
<filepath>%systempath%\DRIVERS\raspti.sys</filepath>
<state>Running</state>
</service>
<service>
<name>Rdbss</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rdbss</location>
<filepath>%systempath%\DRIVERS\rdbss.sys</filepath>
<state>Running</state>
</service>
<service>
<name>Terminal Server Device Redirector Driver</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rdpdr</location>
<filepath>%systempath%\DRIVERS\rdpdr.sys</filepath>
<state>Running</state>
</service>
<service>
<name>Remote Desktop Help Session Manager</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RDSessMgr</location>
<filepath>%systempath%\sessmgr.exe</filepath>
<state>Stopped</state>
</service>
<service>
<name>Digital CD Audio Playback Filter Driver</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\redbook</location>
<filepath>%systempath%\DRIVERS\redbook.sys</filepath>
<state>Running</state>
</service>
<service>
<name>Routing and Remote Access</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess</location>
<filepath>%systempath%\system32\svchost.exe -k netsvcs</filepath>
<state>Stopped</state>
</service>
<service>
<name>Remote Registry</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteRegistry</location>
<filepath>%systempath%\system32\svchost.exe -k LocalService</filepath>
<state>Running</state>
</service>
<service>
<name>Remote Procedure Call (RPC) Locator</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RpcLocator</location>
<filepath>%systempath%\system32\locator.exe</filepath>
<state>Stopped</state>
</service>
<service>
<name>Remote Procedure Call (RPC)</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RpcSs</location>
<filepath>%systempath%\system32\svchost -k rpcss</filepath>
<state>Running</state>
</service>
<service>
<name>QoS RSVP</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RSVP</location>
<filepath>%systempath%\system32\rsvp.exe</filepath>
<state>Stopped</state>
</service>
<service>
<name>Security Accounts Manager</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SamSs</location>
<filepath>%systempath%\system32\lsass.exe</filepath>
<state>Running</state>
</service>
<service>
<name>Smart Card</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SCardSvr</location>
<filepath>%systempath%\System32\SCardSvr.exe</filepath>
<state>Stopped</state>
</service>
<service>
<name>Task Scheduler</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Schedule</location>
<filepath>%systempath%\System32\svchost.exe -k netsvcs</filepath>
<state>Running</state>
</service>
<service>
<name>Secdrv</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Secdrv</location>
<filepath>%systempath%\DRIVERS\secdrv.sys</filepath>
<state>Stopped</state>
</service>
<service>
<name>Secondary Logon</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\seclogon</location>
<filepath>%systempath%\System32\svchost.exe -k netsvcs</filepath>
<state>Running</state>
</service>
<service>
<name>System Event Notification</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SENS</location>
<filepath>%systempath%\system32\svchost.exe -k netsvcs</filepath>
<state>Running</state>
</service>
<service>
<name>Serenum Filter Driver</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\serenum</location>
<filepath>%systempath%\DRIVERS\serenum.sys</filepath>
<state>Running</state>
</service>
<service>
<name>Serial port driver</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Serial</location>
<filepath>%systempath%\DRIVERS\serial.sys</filepath>
<state>Running</state>
</service>
<service>
<name>Windows Firewall/Internet Connection Sharing (ICS)</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess</location>
<filepath>%systempath%\system32\svchost.exe -k netsvcs</filepath>
<state>Running</state>
</service>
<service>
<name>Shell Hardware Detection</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ShellHWDetection</location>
<filepath>%systempath%\System32\svchost.exe -k netsvcs</filepath>
<state>Running</state>
</service>
<service>
<name>BDA Slip De-Framer</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SLIP</location>
<filepath>%systempath%\DRIVERS\SLIP.sys</filepath>
<state>Stopped</state>
</service>
<service>
<name>Microsoft Kernel Audio Splitter</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\splitter</location>
<filepath>%systempath%\drivers\splitter.sys</filepath>
<state>Stopped</state>
</service>
<service>
<name>Print Spooler</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Spooler</location>
<filepath>%systempath%\system32\spoolsv.exe</filepath>
<state>Running</state>
</service>
<service>
<name>System Restore Filter Driver</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\sr</location>
<filepath>%systempath%\DRIVERS\sr.sys</filepath>
<state>Running</state>
</service>
<service>
<name>srescan</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\srescan</location>
<filepath>%systempath%\ZoneLabs\srescan.sys</filepath>
<state>Running</state>
</service>
<service>
<name>System Restore Service</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\srservice</location>
<filepath>%systempath%\system32\svchost.exe -k netsvcs</filepath>
<state>Running</state>
</service>
<service>
<name>Srv</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Srv</location>
<filepath>%systempath%\DRIVERS\srv.sys</filepath>
<state>Running</state>
</service>
<service>
<name>SSDP Discovery Service</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SSDPSRV</location>
<filepath>%systempath%\system32\svchost.exe -k LocalService</filepath>
<state>Running</state>
</service>
<service>
<name>Windows Image Acquisition (WIA)</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\stisvc</location>
<filepath>%systempath%\system32\svchost.exe -k imgsvc</filepath>
<state>Stopped</state>
</service>
<service>
<name>BDA IPSink</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\streamip</location>
<filepath>%systempath%\DRIVERS\StreamIP.sys</filepath>
<state>Stopped</state>
</service>
<service>
<name>Software Bus Driver</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\swenum</location>
<filepath>%systempath%\DRIVERS\swenum.sys</filepath>
<state>Running</state>
</service>
<service>
<name>Microsoft Kernel GS Wavetable Synthesizer</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\swmidi</location>
<filepath>%systempath%\drivers\swmidi.sys</filepath>
<state>Stopped</state>
</service>
<service>
<name>MS Software Shadow Copy Provider</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SwPrv</location>
<filepath>%systempath%\dllhost.exe /Processid:{378C7F41-286A-4F85-826A-34BCDB37933D}</filepath>
<state>Stopped</state>
</service>
<service>
<name>Microsoft Kernel System Audio Device</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\sysaudio</location>
<filepath>%systempath%\drivers\sysaudio.sys</filepath>
<state>Running</state>
</service>
<service>
<name>Performance Logs and Alerts</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SysmonLog</location>
<filepath>%systempath%\system32\smlogsvc.exe</filepath>
<state>Stopped</state>
</service>
<service>
<name>Telephony</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TapiSrv</location>
<filepath>%systempath%\System32\svchost.exe -k netsvcs</filepath>
<state>Running</state>
</service>
<service>
<name>TCP/IP Protocol Driver</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip</location>
<filepath>%systempath%\DRIVERS\tcpip.sys</filepath>
<state>Running</state>
</service>
<service>
<name>Terminal Device Driver</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TermDD</location>
<filepath>%systempath%\DRIVERS\termdd.sys</filepath>
<state>Running</state>
</service>
<service>
<name>Terminal Services</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TermService</location>
<filepath>%systempath%\System32\svchost -k DComLaunch</filepath>
<state>Running</state>
</service>
<service>
<name>Themes</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Themes</location>
<filepath>%systempath%\System32\svchost.exe -k netsvcs</filepath>
<state>Running</state>
</service>
<service>
<name>Telnet</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TlntSvr</location>
<filepath>%systempath%\tlntsvr.exe</filepath>
<state>Stopped</state>
</service>
<service>
<name>Distributed Link Tracking Client</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TrkWks</location>
<filepath>%systempath%\system32\svchost.exe -k netsvcs</filepath>
<state>Running</state>
</service>
<service>
<name>ULi M526X Ethernet NT Driver</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ULI5261XP</location>
<filepath>%systempath%\DRIVERS\ULILAN51.SYS</filepath>
<state>Running</state>
</service>
<service>
<name>ULi AGP Bus Filter Driver</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\uliagpkx</location>
<filepath>%systempath%\DRIVERS\agpkx.sys</filepath>
<state>Running</state>
</service>
<service>
<name>Windows User Mode Driver Framework</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UMWdf</location>
<filepath>%systempath%\wdfmgr.exe</filepath>
<state>Stopped</state>
</service>
<service>
<name>Microcode Update Driver</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Update</location>
<filepath>%systempath%\DRIVERS\update.sys</filepath>
<state>Running</state>
</service>
<service>
<name>Universal Plug and Play Device Host</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\upnphost</location>
<filepath>%systempath%\system32\svchost.exe -k LocalService</filepath>
<state>Stopped</state>
</service>
<service>
<name>Uninterruptible Power Supply</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UPS</location>
<filepath>%systempath%\System32\ups.exe</filepath>
<state>Stopped</state>
</service>
<service>
<name>Microsoft USB Generic Parent Driver</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\usbccgp</location>
<filepath>%systempath%\DRIVERS\usbccgp.sys</filepath>
<state>Running</state>
</service>
<service>
<name>Microsoft USB 2.0 Enhanced Host Controller Miniport Driver</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\usbehci</location>
<filepath>%systempath%\DRIVERS\usbehci.sys</filepath>
<state>Running</state>
</service>
<service>
<name>USB2 Enabled Hub</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\usbhub</location>
<filepath>%systempath%\DRIVERS\usbhub.sys</filepath>
<state>Running</state>
</service>
<service>
<name>Microsoft USB Open Host Controller Miniport Driver</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\usbohci</location>
<filepath>%systempath%\DRIVERS\usbohci.sys</filepath>
<state>Running</state>
</service>
<service>
<name>Microsoft USB PRINTER Class</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\usbprint</location>
<filepath>%systempath%\DRIVERS\usbprint.sys</filepath>
<state>Running</state>
</service>
<service>
<name>USB Mass Storage Driver</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\USBSTOR</location>
<filepath>%systempath%\DRIVERS\USBSTOR.SYS</filepath>
<state>Stopped</state>
</service>
<service>
<name>vsdatant</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\vsdatant</location>
<filepath>%systempath%\vsdatant.sys</filepath>
<state>Running</state>
</service>
<service>
<name>TrueVector Internet Monitor</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\vsmon</location>
<filepath>%systempath%\ZoneLabs\vsmon.exe -service</filepath>
<state>Running</state>
</service>
<service>
<name>Volume Shadow Copy</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VSS</location>
<filepath>%systempath%\System32\vssvc.exe</filepath>
<state>Stopped</state>
</service>
<service>
<name>Windows Time</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time</location>
<filepath>%systempath%\System32\svchost.exe -k netsvcs</filepath>
<state>Running</state>
</service>
<service>
<name>Remote Access IP ARP Driver</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Wanarp</location>
<filepath>%systempath%\DRIVERS\wanarp.sys</filepath>
<state>Running</state>
</service>
<service>
<name>Microsoft WINMM WDM Audio Compatibility Driver</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wdmaud</location>
<filepath>%systempath%\drivers\wdmaud.sys</filepath>
<state>Running</state>
</service>
<service>
<name>WebClient</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WebClient</location>
<filepath>%systempath%\system32\svchost.exe -k LocalService</filepath>
<state>Running</state>
</service>
<service>
<name>Windows Defender Service</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinDefend</location>
<filepath>%programpath%\Windows Defender\MsMpEng.exe</filepath>
<state>Running</state>
</service>
<service>
<name>Windows Management Instrumentation</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\winmgmt</location>
<filepath>%systempath%\system32\svchost.exe -k netsvcs</filepath>
<state>Running</state>
</service>
<service>
<name>Portable Media Serial Number Service</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WmdmPmSN</location>
<filepath>%systempath%\System32\svchost.exe -k netsvcs</filepath>
<state>Stopped</state>
</service>
<service>
<name>Windows Management Instrumentation Driver Extensions</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Wmi</location>
<filepath>%systempath%\System32\svchost.exe -k netsvcs</filepath>
<state>Stopped</state>
</service>
<service>
<name>WMI Performance Adapter</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WmiApSrv</location>
<filepath>%systempath%\wbem\wmiapsrv.exe</filepath>
<state>Stopped</state>
</service>
<service>
<name>Security Center</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wscsvc</location>
<filepath>%systempath%\System32\svchost.exe -k netsvcs</filepath>
<state>Running</state>
</service>
<service>
<name>World Standard Teletext Codec</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WSTCODEC</location>
<filepath>%systempath%\DRIVERS\WSTCODEC.SYS</filepath>
<state>Stopped</state>
</service>
<service>
<name>Automatic Updates</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv</location>
<filepath>%systempath%\system32\svchost.exe -k netsvcs</filepath>
<state>Running</state>
</service>
<service>
<name>Wireless Zero Configuration</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WZCSVC</location>
<filepath>%systempath%\System32\svchost.exe -k netsvcs</filepath>
<state>Running</state>
</service>
<service>
<name>Network Provisioning Service</name>
<location>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\xmlprov</location>
<filepath>%systempath%\System32\svchost.exe -k netsvcs</filepath>
<state>Stopped</state>
</service>
</services>
<ports>
<port>
<number>135</number>
<protocol>TCP</protocol>
<processid>1024</processid>
<filepath>?</filepath>
</port>
<port>
<number>445</number>
<protocol>TCP</protocol>
<processid>4</processid>
<filepath>?</filepath>
</port>
<port>
<number>1025</number>
<protocol>TCP</protocol>
<processid>464</processid>
<filepath>%programpath%\ATI Technologies\ATI.ACE\cli.exe</filepath>
</port>
<port>
<number>1036</number>
<protocol>TCP</protocol>
<processid>2976</processid>
<filepath>?</filepath>
</port>
<port>
<number>1044</number>
<protocol>TCP</protocol>
<processid>3848</processid>
<filepath>%programpath%\ATI Technologies\ATI.ACE\cli.exe</filepath>
</port>
<port>
<number>1045</number>
<protocol>TCP</protocol>
<processid>1580</processid>
<filepath>%programpath%\ATI Technologies\ATI.ACE\cli.exe</filepath>
</port>
<port>
<number>1058</number>
<protocol>TCP</protocol>
<processid>3076</processid>
<filepath>%programpath%\Mozilla Firefox\firefox.exe</filepath>
</port>
<port>
<number>1059</number>
<protocol>TCP</protocol>
<processid>3076</processid>
<filepath>%programpath%\Mozilla Firefox\firefox.exe</filepath>
</port>
<port>
<number>10110</number>
<protocol>TCP</protocol>
<processid>3324</processid>
<filepath>%programpath%\Grisoft\AVG Free\avgemc.exe</filepath>
</port>
<port>
<number>139</number>
<protocol>TCP</protocol>
<processid>4</processid>
<filepath>?</filepath>
</port>
<port>
<number>1992</number>
<protocol>TCP</protocol>
<processid>0</processid>
<filepath>?</filepath>
</port>
<port>
<number>1993</number>
<protocol>TCP</protocol>
<processid>0</processid>
<filepath>?</filepath>
</port>
<port>
<number>1994</number>
<protocol>TCP</protocol>
<processid>0</processid>
<filepath>?</filepath>
</port>
<port>
<number>2039</number>
<protocol>TCP</protocol>
<processid>0</processid>
<filepath>?</filepath>
</port>
<port>
<number>2047</number>
<protocol>TCP</protocol>
<processid>0</processid>
<filepath>?</filepath>
</port>
<port>
<number>445</number>
<protocol>UDP</protocol>
<processid>4</processid>
<filepath>?</filepath>
</port>
<port>
<number>500</number>
<protocol>UDP</protocol>
<processid>752</processid>
<filepath>%systempath%\lsass.exe</filepath>
</port>
<port>
<number>1027</number>
<protocol>UDP</protocol>
<processid>1260</processid>
<filepath>?</filepath>
</port>
<port>
<number>1067</number>
<protocol>UDP</protocol>
<processid>1260</processid>
<filepath>?</filepath>
</port>
<port>
<number>1079</number>
<protocol>UDP</protocol>
<processid>1260</processid>
<filepath>?</filepath>
</port>
<port>
<number>1500</number>
<protocol>UDP</protocol>
<processid>1260</processid>
<filepath>?</filepath>
</port>
<port>
<number>3776</number>
<protocol>UDP</protocol>
<processid>3976</processid>
<filepath>?</filepath>
</port>
<port>
<number>4500</number>
<protocol>UDP</protocol>
<processid>752</processid>
<filepath>%systempath%\lsass.exe</filepath>
</port>
<port>
<number>123</number>
<protocol>UDP</protocol>
<processid>1160</processid>
<filepath>%systempath%\svchost.exe</filepath>
</port>
<port>
<number>1900</number>
<protocol>UDP</protocol>
<processid>3760</processid>
<filepath>?</filepath>
</port>
<port>
<number>2050</number>
<protocol>UDP</protocol>
<processid>2240</processid>
<filepath>%programpath%\Internet Explorer\iexplore.exe</filepath>
</port>
<port>
<number>123</number>
<protocol>UDP</protocol>
<processid>1160</processid>
<filepath>%systempath%\svchost.exe</filepath>
</port>
<port>
<number>137</number>
<protocol>UDP</protocol>
<processid>4</processid>
<filepath>?</filepath>
</port>
<port>
<number>138</number>
<protocol>UDP</protocol>
<processid>4</processid>
<filepath>?</filepath>
</port>
<port>
<number>1900</number>
<protocol>UDP</protocol>
<processid>3760</processid>
<filepath>?</filepath>
</port>
</ports>
<processes>
<process>
<name>[System Process]</name>
<processid>0</processid>
<filepath />
<threads>1</threads>
<priority>Normal</priority>
<visible>No</visible>
<caption />
</process>
<process>
<name>System</name>
<processid>4</processid>
<filepath />
<threads>66</threads>
<priority>Normal</priority>
<visible>No</visible>
<caption />
</process>
<process>
<name>smss.exe</name>
<processid>620</processid>
<filepath>%systempath%\</filepath>
<threads>3</threads>
<priority>Normal</priority>
<visible>No</visible>
<caption />
</process>
<process>
<name>csrss.exe</name>
<processid>668</processid>
<filepath />
<threads>11</threads>
<priority>Normal</priority>
<visible>No</visible>
<caption />
</process>
<process>
<name>winlogon.exe</name>
<processid>696</processid>
<filepath>%systempath%\</filepath>
<threads>25</threads>
<priority>High</priority>
<visible>No</visible>
<caption />
</process>
<process>
<name>services.exe</name>
<processid>740</processid>
<filepath>%systempath%\</filepath>
<threads>15</threads>
<priority>Normal</priority>
<visible>No</visible>
<caption />
</process>
<process>
<name>lsass.exe</name>
<processid>752</processid>
<filepath>%systempath%\</filepath>
<threads>19</threads>
<priority>Normal</priority>
<visible>No</visible>
<caption />
</process>
<process>
<name>Ati2evxx.exe</name>
<processid>912</processid>
<filepath>%systempath%\</filepath>
<threads>4</threads>
<priority>Normal</priority>
<visible>No</visible>
<caption />
</process>
<process>
<name>svchost.exe</name>
<processid>928</processid>
<filepath>%systempath%\</filepath>
<threads>16</threads>
<priority>Normal</priority>
<visible>No</visible>
<caption />
</process>
<process>
<name>svchost.exe</name>
<processid>1024</processid>
<filepath />
<threads>10</threads>
<priority>Normal</priority>
<visible>No</visible>
<caption />
</process>
<process>
<name>MsMpEng.exe</name>
<processid>1120</processid>
<filepath>%programpath%\Windows Defender\</filepath>
<threads>18</threads>
<priority>Normal</priority>
<visible>No</visible>
<caption />
</process>
<process>
<name>svchost.exe</name>
<processid>1160</processid>
<filepath>%systempath%\</filepath>
<threads>75</threads>
<priority>Normal</priority>
<visible>No</visible>
<caption />
</process>
<process>
<name>svchost.exe</name>
<processid>1260</processid>
<filepath />
<threads>6</threads>
<priority>Normal</priority>
<visible>No</visible>
<caption />
</process>
<process>
<name>svchost.exe</name>
<processid>1372</processid>
<filepath />
<threads>7</threads>
<priority>Normal</priority>
<visible>No</visible>
<caption />
</process>
<process>
<name>vsmon.exe</name>
<processid>1472</processid>
<filepath>%systempath%\ZoneLabs\</filepath>
<threads>21</threads>
<priority>Normal</priority>
<visible>No</visible>
<caption />
</process>
<process>
<name>spoolsv.exe</name>
<processid>1820</processid>
<filepath>%systempath%\</filepath>
<threads>12</threads>
<priority>Normal</priority>
<visible>No</visible>
<caption />
</process>
<process>
<name>Ati2evxx.exe</name>
<processid>2040</processid>
<filepath>%systempath%\</filepath>
<threads>5</threads>
<priority>Normal</priority>
<visible>No</visible>
<caption />
</process>
<process>
<name>Explorer.EXE</name>
<processid>212</processid>
<filepath>%winpath%\</filepath>
<threads>13</threads>
<priority>Normal</priority>
<visible>No</visible>
<caption />
</process>
<process>
<name>ehtray.exe</name>
<processid>456</processid>
<filepath>%winpath%\ehome\</filepath>
<threads>3</threads>
<priority>Normal</priority>
<visible>No</visible>
<caption />
</process>
<process>
<name>cli.exe</name>
<processid>464</processid>
<filepath>%programpath%\ATI Technologies\ATI.ACE\</filepath>
<threads>16</threads>
<priority>Normal</priority>
<visible>No</visible>
<caption />
</process>
<process>
<name>CTDVDDET.EXE</name>
<processid>472</processid>
<filepath>%programpath%\Creative\Sound Blaster X-Fi\DVDAudio\</filepath>
<threads>1</threads>
<priority>Normal</priority>
<visible>No</visible>
<caption />
</process>
<process>
<name>DLLML.exe</name>
<processid>480</processid>
<filepath>%programpath%\Creative\Shared Files\Module Loader\</filepath>
<threads>10</threads>
<priority>Normal</priority>
<visible>No</visible>
<caption />
</process>
<process>
<name>CTHELPER.EXE</name>
<processid>496</processid>
<filepath>%winpath%\</filepath>
<threads>2</threads>
<priority>Normal</priority>
<visible>No</visible>
<caption />
</process>
<process>
<name>CTXFIHLP.EXE</name>
<processid>508</processid>
<filepath>%systempath%\</filepath>
<threads>6</threads>
<priority>Normal</priority>
<visible>No</visible>
<caption />
</process>
<process>
<name>CTXFISPI.EXE</name>
<processid>604</processid>
<filepath>%systempath%\</filepath>
<threads>7</threads>
<priority>Normal</priority>
<visible>No</visible>
<caption />
</process>
<process>
<name>realsched.exe</name>
<processid>644</processid>
<filepath>%programpath%\Common Files\Real\Update_OB\</filepath>
<threads>4</threads>
<priority>Normal</priority>
<visible>No</visible>
<caption />
</process>
<process>
<name>ehmsas.exe</name>
<processid>648</processid>
<filepath>%winpath%\eHome\</filepath>
<threads>3</threads>
<priority>Normal</priority>
<visible>No</visible>
<caption />
</process>
<process>
<name>jusched.exe</name>
<processid>660</processid>
<filepath>%programpath%\Java\jre1.5.0_06\bin\</filepath>
<threads>1</threads>
<priority>Normal</priority>
<visible>No</visible>
<caption />
</process>
<process>
<name>MSASCui.exe</name>
<processid>400</processid>
<filepath>%programpath%\Windows Defender\</filepath>
<threads>19</threads>
<priority>Normal</priority>
<visible>No</visible>
<caption />
</process>
<process>
<name>zlclient.exe</name>
<processid>824</processid>
<filepath>%programpath%\Zone Labs\ZoneAlarm\</filepath>
<threads>6</threads>
<priority>Normal</priority>
<visible>No</visible>
<caption />
</process>
<process>
<name>avgcc.exe</name>
<processid>756</processid>
<filepath>%programpath%\Grisoft\AVG Free\</filepath>
<threads>8</threads>
<priority>Normal</priority>
<visible>No</visible>
<caption />
</process>
<process>
<name>ctfmon.exe</name>
<processid>976</processid>
<filepath>%systempath%\</filepath>
<threads>1</threads>
<priority>Normal</priority>
<visible>No</visible>
<caption />
</process>
<process>
<name>CTDetect.exe</name>
<processid>1076</processid>
<filepath>%programpath%\Creative\MediaSource\Detector\</filepath>
<threads>1</threads>
<priority>Normal</priority>
<visible>No</visible>
<caption />
</process>
<process>
<name>ATIDtct.EXE</name>
<processid>1108</processid>
<filepath>%programpath%\ATI Multimedia\main\</filepath>
<threads>1</threads>
<priority>Normal</priority>
<visible>No</visible>
<caption />
</process>
<process>
<name>KEM.exe</name>
<processid>1996</processid>
<filepath>%programpath%\Logitech\SetPoint\</filepath>
<threads>2</threads>
<priority>Normal</priority>
<visible>No</visible>
<caption />
</process>
<process>
<name>KHALMNPR.EXE</name>
<processid>2052</processid>
<filepath>%programpath%\Logitech\SetPoint\</filepath>
<threads>13</threads>
<priority>Normal</priority>
<visible>No</visible>
<caption />
</process>
<process>
<name>NotiMan.exe</name>
<processid>2188</processid>
<filepath>%programpath%\Creative\ShareDLL\CADI\</filepath>
<threads>2</threads>
<priority>Normal</priority>
<visible>No</visible>
<caption />
</process>
<process>
<name>avgamsvr.exe</name>
<processid>3264</processid>
<filepath>%programpath%\Grisoft\AVG Free\</filepath>
<threads>9</threads>
<priority>Normal</priority>
<visible>No</visible>
<caption />
</process>
<process>
<name>avgupsvc.exe</name>
<processid>3300</processid>
<filepath>%programpath%\Grisoft\AVG Free\</filepath>
<threads>3</threads>
<priority>Normal</priority>
<visible>No</visible>
<caption />
</process>
<process>
<name>avgemc.exe</name>
<processid>3324</processid>
<filepath>%programpath%\Grisoft\AVG Free\</filepath>
<threads>9</threads>
<priority>Normal</priority>
<visible>No</visible>
<caption />
</process>
- <process>
<name>CTsvcCDA.EXE</name>
<processid>3336</processid>
<filepath>%systempath%\</filepath>
<threads>2</threads>
<priority>Normal</priority>
<visible>No</visible>
<caption />
</process>
- <process>
<name>ehRecvr.exe</name>
<processid>3360</processid>
<filepath>%winpath%\eHome\</filepath>
<threads>15</threads>
<priority>BelowNormal</priority>
<visible>No</visible>
<caption />
</process>
- <process>
<name>ehSched.exe</name>
<processid>3372</processid>
<filepath>%winpath%\eHome\</filepath>
<threads>12</threads>
<priority>Normal</priority>
<visible>No</visible>
<caption />
</process>
- <process>
<name>LSSrvc.exe</name>
<processid>3476</processid>
<filepath>%programpath%\Common Files\LightScribe\</filepath>
<threads>2</threads>
<priority>Normal</priority>
<visible>No</visible>
<caption />
</process>
- <process>
<name>svchost.exe</name>
<processid>3760</processid>
<filepath />
<threads>10</threads>
<priority>Normal</priority>
<visible>No</visible>
<caption />
</process>
- <process>
<name>mcrdsvc.exe</name>
<processid>3976</processid>
<filepath />
<threads>5</threads>
<priority>Normal</priority>
<visible>No</visible>
<caption />
</process>
- <process>
<name>dllhost.exe</name>
<processid>2652</processid>
<filepath>%systempath%\</filepath>
<threads>13</threads>
<priority>Normal</priority>
<visible>No</visible>
<caption />
</process>
- <process>
<name>alg.exe</name>
<processid>2976</processid>
<filepath />
<threads>5</threads>
<priority>Normal</priority>
<visible>No</visible>
<caption />
</process>
- <process>
<name>cli.exe</name>
<processid>1580</processid>
<filepath>%programpath%\ATI Technologies\ATI.ACE\</filepath>
<threads>14</threads>
<priority>Normal</priority>
<visible>No</visible>
<caption />
</process>
- <process>
<name>cli.exe</name>
<processid>3848</processid>
<filepath>%programpath%\ATI Technologies\ATI.ACE\</filepath>
<threads>15</threads>
<priority>Normal</priority>
<visible>No</visible>
<caption />
</process>
- <process>
<name>firefox.exe</name>
<processid>3076</processid>
<filepath>%programpath%\Mozilla Firefox\</filepath>
<threads>17</threads>
<priority>Normal</priority>
<visible>Yes</visible>
<caption>Zeropaid.com - File Sharing Software, Information News - Mozilla Firefox</caption>
</process>
- <process>
<name>iexplore.exe</name>
<processid>2240</processid>
<filepath>%programpath%\Internet Explorer\</filepath>
<threads>9</threads>
<priority>Normal</priority>
<visible>Yes</visible>
<caption>a-squared HiJackFree Analysis - Microsoft Internet Explorer</caption>
</process>
- <process>
<name>a2hijackfree.exe</name>
<processid>2584</processid>
<filepath>I:\Documents and Settings\Alfred\Desktop\</filepath>
<threads>4</threads>
<priority>Normal</priority>
<visible>Yes</visible>
<caption>a-squared HiJackFree</caption>
</process>
</processes>
</a2hijackfreelog>
Sick Boy
July 26th, 2006, 11:27 AM
Well, after giving it much thought and after reading different experiences on this and other threads, I decided to go after this thing hammer and tong. I deleted all references to NSIS on my hard drive and in my registry, I moved and renamed those 2 .dlls (which weren't there yesterday, oddly enough), and rebooted. No popups so far and still no trace of it on my hard disk. I'm still not 100% confident that some part of this little infection isn't lurking somewhere, but we'll see. Even if it's gone I'd still like to know where I got it from and whether or not the Nullsoft installer has some sort of dangerous exploit that allowed this thing in. I'll let you all know if this has done the trick or not over the next day or so.
littlebits
July 26th, 2006, 12:39 PM
That sure is a large report, I'm still reading over it.
I hope you got rid of the malware, you will know after several reboots.
Thanks.:icon_thum
mtaylor0617
July 26th, 2006, 05:51 PM
I think it's safe to say at this point that NOTHING about this bastard is consistent. None of us have been able to identify a common piece of software or action that assists us in tracking the source. In my own case for example, I can find nothing that mirrors anything anyone has DL'd on to their drives other than Firefox. But not everyone used Firefox. I have seen indications in my own weeks of exploration that seem to indicate that Install Shield is at fault. Then that a legit nsis installer or nullsoft installer is to blame. Then there is evidence that it has cracked into explorer.exe for some people. When I was trying to purge the NS**.dll from the NSIS folder in early days, I once found that the replacement DLL installed by the malware was timestamped at shutdown.
"Aha!" I thought, a new avenue of investigation, but several days later, yet another replacement DLL was installed at boot-up. Nothing about this thing can be pinned down, catalogued, and filed away under standard categories. I'm reminded of the movie "Andromeda Strain," although I hope that's not simply being reactionary.
I have had the same Rogers primary email account for many years, and have never had a single character of spam on that account. Last week, I started getting deluged with illiterate messages for Viagra, from spoofed addresses, and with Viagra spelled differently each time. Vljagara, Vljaggara .... and so on. (Note the second letter is not an "I," but a lower case "L".) All spoofed addys, and everything in the subject and body was always spelled differently, making it impossible to make a rule in Outlook or OE, and I was using a SPAM zapper for the first time in my life.
Turns out (re a Symantec bulletin I received) that these emails carried a dangerous Trojan, Haxdoor O, and what I was receiving was the email (which formerly looked quite professional and had a zip file with invoice information contained) after Rogers/Yahoo had intercepted it and rendered a severe beating, ripping all the bad stuff out and sending me the tattered remains. See what paranoia will do. Probably not related to the NSIS, but who knows. See what growing paranoia will do.
Sick Boy
July 26th, 2006, 06:43 PM
Some of you may find this of interest. It's not our boy, but it does illustrate that Firefox is getting hit. Food for thought.
Trojan piggybacks on Firefox
New Trojan installs itself as Firefox extension, according to a security advisory by McAfee.
By Dawn Kawamoto
Staff Writer, CNET News.com
Published: July 26, 2006, 8:33 AM PDT
A new Trojan horse making the rounds has been installing itself as a Firefox extension, according to security company McAfee.
The FormSpy Trojan attacks computers that have already been infected with the Downloader-AXM Trojan, according to a security advisory McAfee issued Tuesday. Once FormSpy is executed, it installs itself as a component of the Firefox Web browser.
The FormSpy spyware then gleans sensitive information, such as credit card and bank account numbers, from the user's browser and forwards it to a malicious Web site. But this Trojan is capable of other tricks, as well, McAfee noted.
The main executable is also capable of sniffing passwords from traffic for ICQ (the "I seek you" program that alerts users to the presence of acquaintances online), FTP (file transfer protocol), IMAP (Internet message access protocol, an e-mail management program) and POP3 (post office protocol, a data format for e-mail), McAfee warned.
Although the FormSpy Trojan is circulating, it is considered a low risk, McAfee said. What's more, people may have already taken steps to mitigate the earlier Downloader-AXM Trojan that is needed for the FormSpy Trojan to take hold.
nathanmoyer21
July 26th, 2006, 11:35 PM
Well, I'm new here..but I think I found a way to erase the NSIS Media pop-up adware program..
Run your anti-spyware/adware programs (Ad-Aware works well for this one with the current defs), then uninstall the program via the Add/Remove list (I know what you are thinking..hear me out and keep following...this is life here..and with life, anything is possible!). When asked to restart, click the X to close the window...do not click OK or Cancel..that will not confirm or deny, which seems to confuse the program so it does not load its back-up reinstall program (so when you do the next step it doesn't reload what loading safe mode disables). And (DUH!) when you click the X and the PC restarts, DO NOT LET IT LOAD INTO WINDOWS NORMALLY! Load safe mode (if you don't know how, here are two methods..when the PC starts, keep pushing F8 BEFORE the Windows XP load/boot screen starts, then click Safe Mode with Networking; OR just click the X in the restart Windows window after uninstalling NSIS Media via Add/Remove Programs and just hold the RIGHT Shift button until Windows loads the logon screen (yes it'll look stupid), then log in and just restart! VOILA! Should be done.
showme1
July 27th, 2006, 02:38 AM
Hi all. I'm new here but I found this interesting tidbit in a mozillazine forum and thought I'd share. Don't know if it works but may be worth a try.
PicAFlic
Joined: 26 Jun 2006
Cicero, NY PostPosted: Jul Wed 26th 2006 5:04pm
It came back after I rebooted my computer normally. BUT! I found out how to get rid of it!!!! Download TrojanHunter and do a Full Scan. It will find a Trojan connected to your explorer.exe file and it will rename it and delete it! And now I'm freeeeee!!!!!!!!!! So spread the news!!!!!!!!!!
PicAFlic
Joined: 26 Jun 2006
Cicero, NY PostPosted: Jul Wed 26th 2006 5:17pm
I even made a website showing and telling what to do. You can go ahead and post my site around on other forums.
http://www.freewebs.com/picaflic/
I'm trying it even as we speak. Will try to get back and let everyone know how this turns out. You guys have been great. Thanks for the hard work.
Unsueable Davey Brown
July 27th, 2006, 11:26 AM
Earlier in the thread, did someone say this may be connected to the guys from CWS?
Doesn't this NSIS thing remind you of CWS in the way it morphs to reply to different methods used to clean it?
The difficulty of removing CWS from a user's system has grown from slightly tricky in the first variant to virtually impossible for the latest few. Some of the variants even used methods of hiding and running themselves that had never been used before in any other spyware strains.
http://www.spywareinfo.com/~merijn/cwschronicles.html
Remember how that guy Merijn developed the tool CWS Shredder specifically to clean CWS? He kept it updated so it could clean any variant. Here's a wild thought. What if this was still the old CWS, but they made it anonymous, and started to use the NSIS installer to plant it.
littlebits
July 27th, 2006, 11:48 AM
Hi all. I'm new here but I found this interesting tidbit in a mozillazine forum and thought I'd share. Don't know if it works but may be worth a try.
PicAFlic
Joined: 26 Jun 2006
Cicero, NY PostPosted: Jul Wed 26th 2006 5:04pm
It came back after I rebooted my computer normally. BUT! I found out how to get rid of it!!!! Download TrojanHunter and do a Full Scan. It will find a Trojan connected to your explorer.exe file and it will rename it and delete it! And now I'm freeeeee!!!!!!!!!! So spread the news!!!!!!!!!!
PicAFlic
Joined: 26 Jun 2006
Cicero, NY PostPosted: Jul Wed 26th 2006 5:17pm
I even made a website showing and telling what to do. You can go ahead and post my site around on other forums.
http://www.freewebs.com/picaflic/
I'm trying it even as we speak. Will try to get back and let everyone know how this turns out. You guys have been great. Thanks for the hard work.
Thanks for the idea, but one of the first things I did after the infection was install TrojanHunter and do a full system scan. TrojanHunter found nothing. This doesn't always work.
Thanks.:icon_thum
Nathan Detroit
July 27th, 2006, 02:04 PM
I'm pretty confident at this point that I killed the damned thing. Looking back later, I realized that a post in another forum had mentioned deleting two dlls. At the time, it meant nothing since I didn't have them on my system. Now I realize that the dlls probably have different names or mutate like the name of the NSxx.dll. I'd suggest using Process Explorer (mentioned before) or a similar app that will show the dlls hooked to the Explorer process. If the ones I found aren't there, look for others. Be suspicious of anything not marked Microsoft or something you recognize. Google (you can search a dll name from inside Process Explorer) before deleting willy nilly and back up the registry first (and know how to restore it if Windows won't boot of course). I'm guessing that if your NSIS is like mine or the one the person in the other forum had, there will be two rogue dlls there, whatever they're named. Of course, there well may be other variants but the core code probably (hopefully) hasn't mutated, changing that key characteristic.
Regarding the "uninstaller," I killed it using ctrl-alt-delete without using the 'X' before it could reboot. Unfortunately, I don't remember what I did after that but it didn't work. It may well be possible through some combination of safe mode, etc. to kill it that way, certainly worth a try.
I'm virtually certain now that mine came via "Foxie" but it is probably embedded in several apps by now. It's like bird flu - if it ever can install just by hitting a web page a lot of people will be hit. The security community doesn't really seem to have taken notice yet or we should have seen headlines and an official cure so I suppose it's still relatively rare - who knows. At any rate, if you weren't already, be very wary of any executable you download and don't count on AV/AS apps to catch this bugger. Set a restore point if you have XP or there's an app called "test-run" that's supposed to create a dummy registry to test installs on 98.
pecovgfx
July 27th, 2006, 02:15 PM
I've been reading posts about this NSIS stuff. I really can't identify what causes it to start those annoying popups and what creates new nsxx.dll and uninstall.exe files.
I tried to solve it following the "methods" mentioned here and at www.wilderssecurity.com/showthread.php?p=803252.
Well, I also experimented by creating 2 txt files, renaming them (nsxx.dll / uninstall.exe) and replacing those found inside the NSIS directory (Program files/ common...).... and that probably "satisfies that unknown malware" (for now). "The thing" stops creating new ones every boot! At least I know that even a 0KB file with those names is enough. And those files probably do nothing!!!
Also, I received an auto-update of Firefox. Hoping it was a fix for the "NSIS issue", I restarted Firefox to realize that it had nothing to do with Firefox.
Checking the update history, the date of the update was December 31, 1969!!! ??? I removed Firefox. Downloaded the full package again (and didn't install it yet...), well I had to delete the remaining Firefox dir after uninstall... (inside the chrome dir was a nsis.jar again!!!)... I also did all those registry and file searches and erased them with Ashampoo Plus.
Ok, hoping to find something new today, I've been using IE and everything "was" ok, until I started Thunderbird. Those NSIS popups went back.
-- Well... Is there any hidden malware inside windows kernel or some Microsoft stuff? where's that %#$)#*%????
By now I'm making a backup of all my files from my windows/system partition and planning to re-install everything... but leaving the problem unsolved??? I'm also planning to make a clean reinstall/format mostly because one of those "popups" installed a trojan that I erased with AVG.
I think that's something related to bitcomet / torrent downloaders, open doors on routers / dsl modems or any "startup virus", MBR??? ...
I still have no idea what can it be... maybe when I reinstall windows and all my stuff I'll find out. My System is working fine now. if I let thunderbird alone.
-- These popups are not just "popups"!!! --
If it's that easy to mess up with a whole system I think it need a fix, patch, remover, whatever.... now!
Nathan Detroit
July 27th, 2006, 02:17 PM
Regarding the HijackFree listing, I may have missed it but I don't think it includes the HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\
keys - that's where mine (dlls) were located.
Guitarist2556
July 27th, 2006, 02:53 PM
Well, Trojan Hunter worked for me. They must have just got new updates because it was not recognized early when I got the infection. So I am spreading the news: everyone should download and run Trojan Hunter so we can finally be free from this bug! Thanks again PicAFlic:icon_thum
derekb
July 27th, 2006, 03:01 PM
as someone who hasn't had any problems with the NSIS installer bug (touch wood) yet
this thread is very interesting to read, and see how this malware starts out
good luck to you all :)
hedehode
July 28th, 2006, 02:55 PM
I've posted before with all the steps I have tried and how I was unsuccessful after all. I actually chose to live with it for a while and see if someone comes up with a solution. However weird things kept happening on my computer without any new installs:
1. Nero Burning ROM still did not work after a complete reinstall.
2. HP Quick Play service gave an error after each restart: It says it has to terminate.
3. I realized that my virus signatures for McAfee Enterprise 8.0i were not getting updated regularly. When I ran the update tool by hand, it crashed.
4. And of course, I kept getting those NSIS Media popups once in a while.
The problem with anti-virus was the top priority, although I found a way to fix it by googling the problem. (I had to reregister a DLL to repopulate the registry, which means something went wrong with the registry; I think NSIS was growing its roots into the registry and it resulted in errors with killed QPService execution and McAfee Framework Service).
Finally, I tried TrojanHunter. It did not find anything in the memory, yet it found the CommonFiles\NSIS\uninst.exe as usual and another DLL in the Windows\System32. That DLL (named mssvide.dll) was marked with Adware.Cydoor.100 and was the key to NSIS removal. Looks like the DLL files may have different names and can mutate under different systems. So the best way is to run TrojanHunter under system32 and delete any suspicious DLLs.
After I removed the DLL file with TrojanHunter, I went through the regular list of precautions:
- Clear caches, clear cookies
- Turn off system restore
- Clear NSIS directory
- Clean Registry from NSIS related entries and the shell execute hook
- Empty Trash Can
- Boot into safe mode once more
- Reboot
I tested the system by going through a number of reboots, surfing with Firefox and IE, and running all the programs I regularly run. So far, after like 10-15 reboots and 4 hours of normal operation, NSIS did not come back.
Looks like the very new version of TrojanHunter can clean this thing. Thanks for the hint!
littlebits
July 28th, 2006, 05:50 PM
I'm glad that Trojan Hunter worked for you, but I'm not sure if it has identified the file properly.
Cydoor Adware has been removed from most malware detection since April 2005. Cydoor cleaned up their program to only display online ads while running an ad-supported application (like iMesh 5 & Kazaa). Cydoor is no longer classed as malware on versions after May 2005. Older versions of Cydoor are still detected but are very rare to find unless you install an old program dated before April 2005.
http://www.pctools.com/mrc/infections/id/Cydoor/
I don't think that what TrojanHunter found is Cydoor, but another malware program. In some cases, TrojanHunter might remove this malware but not all cases. It is a great idea to try TrojanHunter just to see, but be sure to update the definitions first. Also it might be a good idea to try other applications (Anti-Virus, Anti-Spyware, Anti-Malware, HiJackThis, etc.), just be sure to update them first.
This NSIS Media Malware installs itself in many different locations on your pc, and creates different named dll files. It is even possible that it injects itself into important Windows dll files to make itself undetectable.
The NSIS Media Malware has been classified by some Anti-Virus vendors to be a Trojan Downloader, but most of the info is still unknown. A Trojan Downloader by itself doesn't do much harm, but it will attempt to download more and more malware to your pc and install it without notification. It will open back doors through your Firewall undetected to connect to malware servers. This activity is usually not reported in your Task Manager. Most of the time that something does get detected by your Anti-Virus or Anti-Spyware program, it is what the trojan downloaded not the trojan itself.
Here are some links-
http://www.avira.com/en/threats/section/fulldetails/id_vir/1839/dr_dldr.nsis.agent.p.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FNSIS%2EA&VSect=P
http://www.viruslist.com/en/viruses/encyclopedia?virusid=69334
Thanks.:icon_salu
huppeli
July 31st, 2006, 11:06 AM
hi,
I suffered (horribly) nsis ads for a week, it came with emule 1.2.5 downloaded from download.com (using nullsoft installer as reported here earlier). Both F-secure antivirus and Ad-aware se failed to find or remove anything so today i restored windows to good old times before Emule. Problem solved it seems.
Anyways, the point being here is that whatever nsis does, it's already wide spread, which makes it interesting that none of all add-remove proggies find it nor remove it despite it having been around for a while now. My estimation on "wide spread" comes from 1.2 million downloads of emule++ 1.2.5 in download.com, so as it is spreading from other sources too there must be lots of people getting "Advertisments".. One curious thing also is that nsis is localized, it showed ads in my mother tongue, Finnish..One even showing the flag of Finland:D
Someone has put a lot of time and effort on this..
littlebits
July 31st, 2006, 11:24 AM
hi,
I suffered (horribly) nsis ads for a week, it came with emule 1.2.5 downloaded from download.com (using nullsoft installer as reported here earlier). Both F-secure antivirus and Ad-aware se failed to find or remove anything so today i restored windows to good old times before Emule. Problem solved it seems.
Anyways, the point being here is that whatever nsis does, it's already wide spread, which makes it interesting that none of all add-remove proggies find it nor remove it despite it having been around for a while now. My estimation on "wide spread" comes from 1.2 million downloads of emule++ 1.2.5 in download.com, so as it is spreading from other sources too there must be lots of people getting "Advertisments".. One curious thing also is that nsis is localized, it showed ads in my mother tongue, Finnish..One even showing the flag of Finland:D
Someone has put a lot of time and effort on this..
You installed a malware version of eMule by Openwares. Always read user reviews before you download from download.com.
http://www.download.com/eMule-/3000-2166_4-10541345.html
Get the official eMule http://www.emule-project.net
Thanks.:icon_salu
huppeli
July 31st, 2006, 11:39 AM
You installed a malware version of eMule by Openwares. Always read user reviews before you download from download.com.
http://www.download.com/eMule-/3000-2166_4-10541345.html
Get the official eMule http://www.emule-project.net
Thanks.:icon_salu
yep, didn't read reviews..still lots of people have downloaded it, having read the warning or not...anyway, lesson learned, and thanks for the link to emule-project;)
Unsueable Davey Brown
July 31st, 2006, 02:36 PM
Here's something I don't understand about NSIS related malware. Are we saying all these infections have the same company of origin, or is it a lot of different spyware companies using the NSIS installer as an infection tool? If it's the latter it's pretty hard to accept one cleaning method as the cure-all in all cases, isn't it?
littlebits
July 31st, 2006, 03:03 PM
Here's something I don't understand about NSIS related malware. Are we saying all these infections have the same company of origin, or is it a lot of different spyware companies using the NSIS installer as an infection tool?
Since NSIS is open-source, any software vendor can implant malware into the installers. The most obvious software vendors are Openwares.org and dnscaching.net, both connected to the Foxie Browser Security Suite. But I'm sure there are many more who do the same.
If it's the latter it's pretty hard to accept one cleaning method as the cure-all in all cases, isn't it?
Yes, since this trojan can be modified, the locations (dll files, exe files and jar files) of the malware can be different. So there is no one cure-all for this NSIS Media Malware.
As soon as all the AntiVirus, AntiSpyware and Anti-Trojan software can detect this malware, it can change again.
The best way to prevent it is to only install software from trusted vendors.
Check the installers; if they are NSIS then be careful.
Thanks.:icon_salu
pecovgfx
July 31st, 2006, 06:24 PM
1. It looks like only Trojan Hunter found and cleaned this "NSIS thing". Why?
2. How many "invisible processes" are not detected by Trojan Hunter?
3. Must any downloaded file be checked with T.H. before install?
4. It looks like those "visible" NSIS popups are gone, but it leaves some open questions.
4.1. How many "non visible" processes are running and are not detected by "trojan killers", "anti-virus", etc???
4.2. Today we have "some" annoying "ad/spy/mal-wares" problems, but with the continuous increase of processor speed, larger amounts of ram, bigger storage devices, faster connection speeds, 64bit processes, etc.. etc... it seems to me that it's just a matter of time until some now "unimagined" kind of infection spreads itself world wide in a matter of hours, minutes, seconds...
DigitalJunkie
July 31st, 2006, 11:18 PM
For those people, they can use widely available installers/exes to include their malware during installation. That's why I use detection software like PrevX Home, so that they can be intercepted before anything they try to install on my system!
They are doing it for the money, it will get worse! So, be very careful!
wahoo05
August 1st, 2006, 09:40 AM
I've been affected by this too, and may have found something that helps...?
Using some of the solutions in this thread, I have eliminated the pop-ups and system slow down, but from time to time when I am surfing the Internet or using a program the active program window will change (not to another program, but just sort of a frozen state for a second) before popping back to whatever program I was using. I alt-tabbed while this happened and discovered on the program list the items "Form_Honeypot" and "Form_Main" under the Spy Sweeper logo.
Using the PrevX thing, I discovered that whatever this thing is has infiltrated Spy Sweeper under the name "ssu.exe"... it cannot be deleted, and when I moved it to my Symantec Anti-Virus quarantine it immediately re-installed itself.
PrevX also confirmed that it's hijacked the svchost.exe file, but passed through it is as safe, even though PrevX recognizes that it's creating tons of malware activity and embedded in various programs and such.
At first I just wanted to eliminate the pop-ups, but now I realize that this thing is much, much stronger than that and is extremely powerful.
ETA: It also uses "wrsshp.exe" under Spy Sweeper as well. I guess there's some tie-in wherein it affects Spy Sweeper and Hewlett Packard (thus the ss and hp parts)
harpomarx
August 7th, 2006, 07:22 PM
This thread has been a real help, especially Guitarist2556's post. But I have a 2nd problem that popped up at the same time as the NSIS and I wonder if they are related and if anyone else has had the same issue. Every time I try to load any page on the internet PeerGuardian blocks URLs from some place that begin "court21.3.e systems, inc.". I had to disable PeerGuardian to get here to post this message.
So like I say, has anyone else had this problem? Or is it just me?
littlebits
August 7th, 2006, 08:21 PM
This thread has been a real help, especially Guitarist2556's post. But I have a 2nd problem that popped up at the same time as the NSIS and I wonder if they are related and if anyone else has had the same issue. Every time I try to load any page on the internet PeerGuardian blocks URLs from some place that begin "court21.3.e systems, inc.". I had to disable PeerGuardian to get here to post this message.
So like I say, has anyone else had this problem? Or is it just me?
It's probably some left over malware for this NSIS Media.
Look at your PeerGuardian History under Blocked, find the IP ranges and ports for what's getting blocked.
Also check your host file for malware.
Thanks.:icon_thum
harpomarx
August 7th, 2006, 09:37 PM
It's probably some left over malware for this NSIS Media.
Look at your PeerGuardian History under Blocked, find the IP ranges and ports for what's getting blocked.
Also check your host file for malware.
Thanks for responding so quickly. But I'm afraid you're over my head just a bit. I know a few things about computers but I also don't know a few things, so please bear with me. I see the blocked ranges in PG's history, but do I need to do anything? And how do I check my host file for malware?
This is interesting...I disabled PeerGuardian long enough to install the latest block-list update and now it's allowing the "court21..." addresses it was previously blocking. I wonder if the malware is sneaky enough to somehow trick PeerGuardian or if it's no longer an IP range that needs to be blocked.
littlebits
August 7th, 2006, 11:05 PM
Thanks for responding so quickly. But I'm afraid you're over my head just a bit. I know a few things about computers but I also don't know a few things, so please bear with me. I see the blocked ranges in PG's history, but do I need to do anything? And how do I check my host file for malware?
This is interesting...I disabled PeerGuardian long enough to install the latest block-list update and now it's allowing the "court21..." addresses it was previously blocking. I wonder if the malware is sneaky enough to somehow trick PeerGuardian or if it's no longer an IP range that needs to be blocked.
Maybe the IP ranges that were getting blocked were from an old blocklist.
If you have Spybot S&D or Ad-Aware SE installed, they will scan your hosts file for you. Just update them first. In Ad-Aware, under Options - Scanning, be sure to select "scan my hosts file".
Just watch your computer closely in case some malware is still present.
It wouldn't hurt to download Ewido Anti-Malware and scan your system.
Thanks.
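An added example, not from any post in this thread and not part of Spybot, Ad-Aware or any other tool named here, showing how to do the hosts-file check littlebits recommends without relying on a scanner's definitions. It reads the hosts file from the location Windows actually uses (the DataBasePath registry value, which a hijacker can repoint), then reports two patterns: a name mapped to anything other than the loopback sinks a blocklist uses, and an update or security-vendor domain that has been sunk so scanners cannot update. The vendor domain list is an assumption for illustration; extend it with the sites your own tools update from.

```powershell
# Added example, not from the thread or from any tool named in it.
# Read-only check of the Windows hosts file. Run in Windows PowerShell.
# Assumption: $watchDomains is an illustrative list; extend it for your tools.

# Windows reads hosts from the DataBasePath value, not a fixed location, so
# a hijacker can repoint it. Resolve the path the same way the OS does.
$tcpip      = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$dbPath     = (Get-ItemProperty -Path $tcpip -Name DataBasePath).DataBasePath
$dbPath     = [Environment]::ExpandEnvironmentVariables($dbPath)
$defaultDir = Join-Path -Path $env:SystemRoot -ChildPath 'System32\drivers\etc'
if ($dbPath.TrimEnd('\') -ine $defaultDir) {
    Write-Warning "DataBasePath is '$dbPath'; the default is '$defaultDir'"
}
$hostsPath = Join-Path -Path $dbPath -ChildPath 'hosts'

# Blocklist tools (SpywareBlaster, Spybot) sink ad domains to these addresses.
$sinkAddresses = @('127.0.0.1', '0.0.0.0', '::1')
# Domains a hijacker sinks so scanners cannot update (assumed list, edit it).
$watchDomains = @('microsoft.com', 'windowsupdate.com', 'webroot.com',
                  'eset.com', 'symantec.com', 'mcafee.com', 'trendmicro.com')

$findings = foreach ($line in Get-Content -LiteralPath $hostsPath) {
    $text = ($line -split '#', 2)[0].Trim()        # strip comments
    if (-not $text) { continue }
    $fields = $text -split '\s+'
    if ($fields.Count -lt 2) { continue }
    $address = $fields[0]
    foreach ($name in $fields[1..($fields.Count - 1)]) {
        $reason = $null
        if ($sinkAddresses -notcontains $address) {
            $reason = 'name redirected to a non-local address'
        }
        elseif ($watchDomains | Where-Object { $name -eq $_ -or $name -like "*.$_" }) {
            $reason = 'update or security-vendor domain is being sunk'
        }
        if ($reason) {
            [pscustomobject]@{ Address = $address; Name = $name; Reason = $reason }
        }
    }
}

# Droppers often mark the file hidden or read-only; show the attributes too.
$attributes = (Get-Item -LiteralPath $hostsPath -Force).Attributes
"hosts file: $hostsPath ($attributes)"
if ($findings) { $findings | Format-Table -AutoSize } else { 'No suspicious hosts entries.' }
```

A clean machine with a SpywareBlaster or Spybot hosts list prints only the file path and "No suspicious hosts entries."; the blocklist itself is not reported because every one of its lines points at a sink address. Anything listed under "non-local address" deserves a look, since a legitimate hosts file almost never needs to route a public name to a public IP.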
pecovgfx
August 7th, 2006, 11:42 PM
Google has started warning users if they are about to visit a webpage that could harm their computer.
http://news.bbc.co.uk/go/rss/-/1/hi/technology/5251742.stm
wolf3
August 8th, 2006, 10:43 AM
this is from a novice.
I did the following disk cleanup, delete cookies/temp internet files , cleared windows\temp.
flushed the DNS cache , cleared the SSL state , cleared auto complete and clear passwords.
cleared the Java cache. Then I ran NSIS\uninst. Then I ran defrag.
The NSIS folder in Common Files was gone. After several reboots it has not returned and no pop-ups for 2 days.
Like I said I am a novice..... but it can't hurt.
I don't use and never have used firefox
subprimitive
August 8th, 2006, 11:53 AM
I have managed to get rid of it (I hope!) – thanks to the various people who suggested running the uninstaller and then powering off the PC when it asks you to reboot.
I did that, then checked to see what was left.
In the Firefox Chrome folder, nsis.jar was still there and the code to load it (in browser.manifest). So I cleaned those two up, then checked the registry.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\NSISMedia] was still left so I deleted that.
[HKEY_LOCAL_MACHINE\SOFTWARE\NSIS] was still there but only a single entry was left “OptOut” value “1”, which I hope translates as “don't ever install on this machine again”, so I left it.
Then I crashed the system once more, did a normal reboot, checked again and so far everything has stayed gone.
Foxie's not the only way this thing invades a system. It got onto my system but Foxie's never been loaded, nor have I installed anything immediately before. I've still no evidence as to how it got there, but my next step to keep this and similar things out is to replace MSN with something which doesn't habitually access advertising sites and bypass security.
To help those for whom this method isn't working.
My first try was to remove the code which linked to Firefox, and I deleted this entry "{097F10A7-487F-4457-AB1F-827C59479A72}"="NSIS Media Extension" from [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]. I then crashed the system and rebooted, and it came back. My suspicion is that it can reinstall itself on closedown AND on startup. I never got to find out where it hooks in on the startup though because the “uninstaller” method seems to have got rid of it.
This method has worked. But after I uninstalled it was still there. I uninstalled again unplugged my network connection and restarted in safe mode. Then it wasn't there. Then followed the rest of the above instructions. When I re-started in normal mode, I was unable to open Firefox. So I just reinstalled Firefox over the old one, all settings were same - bookmarks etc. And I haven't had NSIS since.
THANKS!
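An added example, not from any post in this thread, for the ShellExecuteHooks entry subprimitive found. Deleting the value alone did not stick for that poster; what you want to know is which DLL the CLSID resolves to, because that file (or whatever drops it) is what keeps re-creating the value. This script lists every hook, resolves each CLSID to its InprocServer32 DLL, and reports whether the file exists and who signed it. It only reads the registry.

```powershell
# Added example, not from the thread. Lists each ShellExecuteHooks entry,
# resolves its CLSID to the in-process DLL explorer.exe loads for it, and
# reports whether that DLL exists and carries a valid Authenticode signature.
# Read-only; run as a normal user in Windows PowerShell.
$hookKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
if (-not (Test-Path -Path $hookKey)) { 'No ShellExecuteHooks key present.'; return }

$hooks = Get-Item -Path $hookKey
$report = foreach ($clsid in $hooks.GetValueNames()) {
    if (-not $clsid) { continue }                        # skip the key's default value
    $label = [string]$hooks.GetValue($clsid)             # e.g. "NSIS Media Extension"
    $serverKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
    $dll = $null; $exists = $false; $status = 'no InprocServer32 key'; $signer = ''
    if (Test-Path -Path $serverKey) {
        # The key's default value is the DLL path; it may use %VARS% and quotes.
        $dll = [string](Get-Item -Path $serverKey).GetValue('')
        $dll = [Environment]::ExpandEnvironmentVariables($dll).Trim('"')
        $exists = Test-Path -LiteralPath $dll
        $status = 'file missing'
        if ($exists) {
            $sig = Get-AuthenticodeSignature -FilePath $dll
            $status = [string]$sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
    }
    [pscustomobject]@{
        CLSID     = $clsid
        Label     = $label
        Dll       = $dll
        Exists    = $exists
        Signature = $status
        Signer    = $signer
    }
}

$report | Format-List
# explorer.exe loads every DLL listed here on each shell launch. An entry that
# is unsigned, lives outside %SystemRoot%, or has no InprocServer32 at all is
# the one to chase; note the path before deleting the value, so you can find
# what recreates it.
```

On a machine infected as the posts describe you would expect one value labelled "NSIS Media Extension" resolving to a DLL under the Common Files\NSIS folder (ns24.dll, ns48.dll and similar names are mentioned earlier in the thread) with an unsigned status. On 64-bit Windows there is a second hook list under the Wow6432Node branch for 32-bit shells; this example only reads the native one.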
harpomarx
August 8th, 2006, 07:38 PM
So far so good. 24 hours and it hasn't resurfaced. Thanks for the help Littlebits. I'm going to try out Ewido.
subprimitive
August 10th, 2006, 09:31 AM
follow up. It's been a few days and no return of NSIS
thanks again to TomC26
wolf3
August 10th, 2006, 02:42 PM
Webroot Spy Sweeper found "trojan horse: NSIS Media extension", put it into quarantine and I deleted it.
Scanned again and found nothing.
Scanned again and it was back.
FYI
littlebits
August 10th, 2006, 03:20 PM
Webroot just added this new NSIS Malware to their Threat Research Center.
Webroot SpySweeper and Steganos AntiSpyware 2006(a licensed SpySweeper clone powered by Webroot) will detect NSIS Malware now. Removing the NSIS Malware may require scanning your computer in safe mode.
Details- http://research.spysweeper.com/search.php?serialnumber=XZ382YGP
Thanks.
Big Vitt
August 10th, 2006, 09:58 PM
I too generally keep the best care possible of my machine, but this one caught me unawares. I knew I should've been suspicious of that Foxie Suite -- the damn thing installed itself without even consulting me, after all. I didn't even download it on purpose.
Anyway, this forum has been invaluable to me in solving the problem; thanks, for that. I tried most of the methods listed here (and elsewhere), and the one that actually worked was simply running the uninstall EXE in the Program Files\Common Files folder and doing a hard shutdown when prompted to restart. Then, as suggested, it was simply a matter of renaming and deep-deleting the nsis.jar file located in my Firefox folder and getting rid of any residual NSIS registry keys in regedit.
Incidentally, I didn't find any of the other malicious DLLs, EXEs, etc. mentioned, possibly because I didn't try to remove the thing until I had researched the problem. I did try getting rid of the files in Safe Mode with no luck, originally, but fortunately that didn't "spread" the problem as it seems to have done with some people.
But I'm rambling. Simple solution to the problem: run the uninstall file and do a hard shutdown when prompted to restart. Then it's just a matter of getting rid of the other bits and pieces. Anyway, thanks again, everyone.
indifferent
August 13th, 2006, 09:32 PM
Ok guys, I have registered for this forum just to be able to post clean solution for the NSIS problem, so give me some credit for it, will ya?
1. I have worked over 15 years in the IT industry, so you can take this post as credible.
2. I got NSIS Media popups when I found some interactive games on NickJr web site for my daughter.
3. After reading posts on this and some other forums, first I tried a number of different anti-spyware programs and none of them detected this nasty program.
4. I discovered that the reason why NSIS Media cannot be detected is that it IS NOT an adware program or worm! It is a legitimate program which is required in order to use certain applications such as NickJr's web based games in my case.
5. TO REMOVE NSIS MEDIA FROM YOUR COMPUTER, SIMPLY GO TO CONTROL PANEL AND REMOVE NSIS MEDIA EXTENSION USING WINDOWS ADD/REMOVE PROGRAMS FEATURE!!!
It worked for me and it'll work for you too! No need to even think about the registry. It amazes me that no one tried the above first. Good luck.
littlebits
August 13th, 2006, 09:50 PM
If you had read all of the previous posts, you would have seen this was the first thing I tried to do.
It didn't work for me and also didn't work for many others. If you had read the description of this malware, you would have known that it is a Trojan Downloader and has just added to many malware scanners for detection and removal. Please read all of the previous posts.
Thanks.
indifferent
August 14th, 2006, 06:59 AM
What I am suggesting to do is NOT exactly the first thing you tried to do. According to your post, the first thing you did was executing uninst.exe and then you manually deleted the NSIS folder. I am suggesting not to do anything manually but go straight to Control Panel Add/Remove Programs and let Windows uninstall NSIS Media Extension. It'll work for sure if you were not messing with the registry or if you did not manually delete NSIS folders as you did.
All I know is that uninstalling NSIS Media Extension via Add/Remove programs WORKED for me. Please note that I did not try to do anything manually. Even system restore was not turned off. After I uninstalled NSIS Media from Control Panel, all popups are gone and also NSIS Media folder in Common Files is not there anymore.
Don't you find it a little bit strange that none of the leading antivirus companies know anything about NSIS Media nor have a solution for removal? It is simply because NSIS Media is a legitimate extension required to run certain applications and can be uninstalled via Control Panel unless something else was corrupted, which may very well be in your case. You said all your popups were blank, which makes me think that something was corrupted in the NSIS installation on your machine. I have a firewall too but never got a blank popup with NSIS Media.
Folks, don't do anything with the registry and don't try to remove it manually. Simply go to Add/Remove programs, click on NSIS Media Extension and click on Remove.
evilflame2
August 14th, 2006, 08:35 AM
What I did was Add/Remove Programs, then instead of clicking on "OK" I clicked on the X in the corner and that seemed to work. I did it two days ago and no popups since.
Kneemassacre
August 14th, 2006, 10:29 AM
Well, after what I have read here, I was able to remove the NSIS off my computer. As I see from the other posters they were all using Firefox as well. I found my problem within a skin I downloaded for Firefox. I'm not sure if the rest of you downloaded any skins, but mine was from a skin called "chrome". Don't know if this will help any of you out, just thought I would throw my two cents into this :)
KneeMassacre
"Just tell your teammates you couldn't get the clutch cuz you were stoned, they'll understand! Counter-Strike, My Anti drug!"
mtaylor0617
August 14th, 2006, 10:44 AM
As a former victim, I don't recommend that anyone infected with this malware attempt to uninstall it using either of the two methods. It's just too risky, as this simply launches the thing into one's registry over a variety of installed apps, most of which appear to be media related.
Some say this method worked for them, and I'm glad, but make SURE it's gone. My first uninstall simply moved the NSIS folder from the root Program Files folder into Program Files\Common Files in an attempt to dupe the user into believing it was eliminated. Check your registry for "NSIS media" and/or "NSISmedia" to be certain. If you have fully purged this from your system, you will get zero returns on such a search.
I got rid of popups with an uninstall too (and maybe cuz I uninstalled my recent Firefox installation and went back to Maxthon), but this NSIS Media was still everywhere on my system, and I wanted it ALL gone. I believe that it lurks on your system, probably waiting for a legit NSIS install to activate it again. My main concern is not popups, but the notion that this code could have done just about anything it wanted on my system once I caught it. I'm STILL waiting for a definitive answer on the source of the infection, as the only thing I had in common with anyone else (post Googling) is a recent (and legitimately sourced) Firefox install.
It is uninvited software. It does its best to "force" a reboot on uninstall. It reinstalls itself without permission, and renames files to avoid detection. It insinuates itself into multiple registry entries of authorized installed applications. Referring to this as "legitimate software" is nothing short of folly.
Unsueable Davey Brown
August 14th, 2006, 11:11 AM
Indifferent. Don't get angry at me, but I have a personal question, I just have to ask.
You see I've hung around a lot of spyware removal message boards in my day, I've seen a lot of these "Relax, easy peasy, just click into add/remove", messages before when discussing the removal of difficult advertising malware.
So here's the question. Are you with a company which we would refer to as spyware, but you would refer to as advertising? This is what usually turns out to be the case.
indifferent
August 14th, 2006, 11:35 AM
I've checked the computer again and there is no folder called NSIS media anywhere after I uninstalled it through Control Panel. There is one registry entry which calls NSIS Media uninst.exe and which points to now non-existent NSIS media folder so it is useless. There used to be several NSIS Media registry entries before I ran uninstall. Most programs will leave at least one registry entry after uninstall so the one from NSIS media pointing to a non-existing directory and file does not worry me at all.
It is true that NSIS is uninvited software but there are so many of them (Google toolbar, Yahoo messenger, etc) so NSIS is not special.
Also, I am not using FireFox browser so I don't think it is browser specific.
People, maybe you all are just overreacting. Most of us are annoyed when we see unwanted popups on the screen and somehow we automatically think about malware and worms. Sometimes the simplest solution is the one we are looking for. It worked for me and for some other people who tried it first. It does not cost you anything to try uninstalling it using Control Panel. If NSIS is a worm then your machine is already infected and the uninstall won't give you anything you don't already have.
The fact is that I have no NSIS folders on my machine anymore, no popups, and I am again a happy camper.
littlebits
August 14th, 2006, 12:07 PM
Let me clear up some things. First, there is a legitimate program called NSIS Media Extension which is used with the Nullsoft installer package. You can use your Control Panel - Add or Remove Programs and it will uninstall.
Second, there is the NSIS Malware which pretends to be "NSIS Media Extension" and is installed with the open-source Nullsoft installer. It is a Trojan Downloader; running the uninstaller for this malware just installs more malware each time your computer gets restarted.
Although some scanners have started detecting it, some still can't completely clean it.
Webroot SpySweeper's detection:
Profile - NSIS Media Extension
Name: NSIS Media Extension (New Threat)
Unique Code XZ382YGP
Type Trojan Horse
Severity Very High
Description
NSIS Media Extension is a remote access Trojan that may allow a hacker to gain unrestricted access to your computer when you are online.
Characteristics
NSIS Media Extension may manage files on your computer, including creating, deleting, renaming, viewing, or transferring files to or from your computer. It can utilize a program manager that allows a hacker to install, execute, open, or close programs. The hacker can gain remote control of your cursor and keyboard and can even send mass e-mails from your infected computer. It can run in the background, hiding its presence.
Method of Infection
NSIS Media Extension is usually disguised as a harmless software program and is generally distributed as an e-mail attachment. Opening the attachment may cause an auto-installation process that loads the Trojan onto your computer without your knowledge or consent.
Consequences
This Trojan may open a port on your computer that may enable a hacker to gain remote control of your computer. Additional Comments: It is recommended that you change all of your passwords after removing this program. If you bank online, you might consider changing your credit card and bank account numbers. You should also monitor your credit card and bank statements carefully over the next several months for signs of fraudulent activity.
The part about changing your passwords is very important, just after I first got infected, I started getting Failed delivery messages in my Yahoo mail for messages that I never had sent. I changed my password and I haven't got any more.
Thanks.
*Donnie*
August 14th, 2006, 01:21 PM
TrojanHunter with the latest updates sorts it ... you can get a free 30 day trial from majorgeeks.com
Cydor
August 14th, 2006, 02:11 PM
How do you people get this pop ups in your computer? lol
I have used Firefox with Adblock for a year now... and I have yet to see an ad appearing on my screen!
jetmox
August 19th, 2006, 09:44 PM
Hi,
This easy removal thing bugged me.
Guess what..... Tried it and it did remove the pop-ups... BUT it was a ploy. It was to get you to run an executable so it could INFECT.
Check your explorer.exe on your OS. I noted it crashed and restarted a few times.
Scanned with ZoneLabs, NAV, etc.: nothing.
However TrojanHunter found that the explorer.exe file was indeed infected.
I removed it and will be keeping it running for the next 40 days (freeware) to see if it is gone.
Also how did it get there and by pass all the security. Possible Firefox module update imho was the culprit...
Regards
Jet
Thepoint
August 21st, 2006, 08:07 PM
If you see anything that's a bit odd please point it out & suggest an action.. Had this for about a week now, done most of the suggestions, moved it, renamed it, altered the script, now it pops up without a title..lol, yes I am a novice, but I really appreciate the help..
Logfile of HijackThis v1.99.1
Scan saved at 9:08:36 PM, on 21/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Program Files\WinMX\WinMX.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Rar$EX00.641\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.microsoft.com/results.aspx?mkt=en-US&setlang=en-US&q=media+updates
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qca8.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qca8.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1153322698812
O17 - HKLM\System\CCS\Services\Tcpip\..\{26F2A2E7-6497-45DA-97F6-63AE1761B66D}: NameServer = 67.69.184.87,67.69.184.236
O17 - HKLM\System\CS1\Services\Tcpip\..\{26F2A2E7-6497-45DA-97F6-63AE1761B66D}: NameServer = 67.69.184.87,67.69.184.236
O17 - HKLM\System\CS2\Services\Tcpip\..\{26F2A2E7-6497-45DA-97F6-63AE1761B66D}: NameServer = 67.69.184.87,67.69.184.236
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
littlebits
August 21st, 2006, 09:31 PM
The only thing I see that might be bad is:
O17 - HKLM\System\CCS\Services\Tcpip\..\{26F2A2E7-6497-45DA-97F6-63AE1761B66D}: NameServer = 67.69.184.87,67.69.184.236
O17 - HKLM\System\CS1\Services\Tcpip\..\{26F2A2E7-6497-45DA-97F6-63AE1761B66D}: NameServer = 67.69.184.87,67.69.184.236
O17 - HKLM\System\CS2\Services\Tcpip\..\{26F2A2E7-6497-45DA-97F6-63AE1761B66D}: NameServer = 67.69.184.87,67.69.184.236
If this Domain does not belong to your ISP, or your firms network, these entries should be fixed. 'SearchList' entries should be fixed too. Do you know your IP or Domain? '67.69.184.87,67.69.184.236' If not, remove these entries.
Thanks.
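An added example, not from any post in this thread, that automates the O17 check littlebits makes on the HijackThis log above. HijackThis reports the NameServer value of each network interface in every control set (CCS, CS1, CS2); the script below walks the same keys, including the global Tcpip\Parameters key, and flags any DNS server that is not one you expect from your ISP or network. It also notes when a static NameServer list is set on an interface that is configured for DHCP, which is the shape a DNS hijack usually takes. The two addresses in $expected are documentation-range placeholders, an assumption to be replaced with your own resolvers. Read-only.

```powershell
# Added example, not from the thread. Enumerates the per-interface TCP/IP DNS
# settings in every control set (the keys HijackThis reports as O17 lines)
# and flags servers that are not in the expected list.
# Assumption: $expected holds placeholders from the 192.0.2.0/24 documentation
# range; replace them with the resolvers your ISP or network actually uses.
$expected = @('192.0.2.53', '192.0.2.54')

# ControlSet001, ControlSet002, ... plus the CurrentControlSet link. The link
# duplicates one of the numbered sets; HijackThis lists it the same way.
$controlSets = @(Get-ChildItem -Path 'HKLM:\SYSTEM' |
    Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' } |
    ForEach-Object { $_.PSChildName })
$controlSets += 'CurrentControlSet'

$rows = foreach ($cs in $controlSets) {
    $paramsKey = "HKLM:\SYSTEM\$cs\Services\Tcpip\Parameters"
    if (-not (Test-Path -Path $paramsKey)) { continue }
    # Global Parameters key first, then one key per interface GUID.
    $keys = @(Get-Item -Path $paramsKey) + @(Get-ChildItem -Path "$paramsKey\Interfaces" -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        $p = Get-ItemProperty -Path $key.PSPath
        # NameServer is the static list; DhcpNameServer is what DHCP handed out.
        foreach ($pair in @(@('Static', $p.NameServer), @('DHCP', $p.DhcpNameServer))) {
            $source, $list = $pair
            $list = [string]$list
            if (-not $list) { continue }
            foreach ($server in ($list -split '[,\s]+' | Where-Object { $_ })) {
                [pscustomobject]@{
                    ControlSet = $cs
                    Key        = $key.PSChildName     # 'Parameters' or an interface GUID
                    Source     = $source
                    Server     = $server
                    UsesDhcp   = ($p.EnableDHCP -eq 1)
                    Expected   = ($expected -contains $server)
                }
            }
        }
    }
}

$rows | Sort-Object Expected, ControlSet, Key | Format-Table -AutoSize

foreach ($row in ($rows | Where-Object { -not $_.Expected })) {
    Write-Warning "Unexpected DNS server $($row.Server) ($($row.Source)) under $($row.Key) in $($row.ControlSet)"
}
foreach ($row in ($rows | Where-Object { $_.Source -eq 'Static' -and $_.UsesDhcp })) {
    Write-Warning "Static NameServer $($row.Server) set on DHCP interface $($row.Key) in $($row.ControlSet)"
}
```

The point of comparing against a list rather than eyeballing the log is that a hijacker's servers look like any other pair of public addresses; only knowing what your provider issues tells them apart. If the servers you see are not your ISP's, fixing the O17 lines in HijackThis clears the static values, and the interface falls back to the DHCP-supplied ones.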
Man in the Box
August 25th, 2006, 10:43 AM
I have been dealing with this for about 3 days now and I kept looking it up on Google but no one had any solutions that worked. What I did to remove it completely is the following:
First I went into C:\Program Files\Common Files and securely wiped the folder named NSIS, then I went to C:\Program Files\Mozilla Firefox and wiped the CHROME folder because a file named nsis.jar was in there. Then reboot into SAFE MODE and go to Add/Remove and if the uninstaller is there click uninstall. It may say that it has already been uninstalled and ask if you want to remove it from the list. Say yes of course. Then reboot back into Windows and check the paths above to see if the folders and/or files are gone and check Add/Remove also. Now since I removed or wiped the CHROME folder in the Firefox folder, Firefox would not work so I simply reinstalled the latest version and then rechecked everything and all was good. NO MORE NSIS!!!!! All my settings and favs were still intact also. Hope this helps.
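An added example, not from any post in this thread, that does the "make SURE it's gone" sweep mtaylor0617 asks for and checks the locations Man in the Box lists. It looks at the Common Files\NSIS and Program Files\NSIS folders, the Firefox chrome\nsis.jar overlay and the line in chrome\browser.manifest that loads it, and then walks HKLM\SOFTWARE and HKCU\Software for any key name, value name or value data that mentions NSIS Media (which also covers the Add/Remove, ARPCache and ShellExecuteHooks entries named earlier). It reports and deletes nothing; the Firefox path assumes a default install location.

```powershell
# Added example, not from the thread. Read-only residue sweep for the
# NSIS Media files and registry entries the posts describe.
# Assumption: Firefox is installed under $env:ProgramFiles\Mozilla Firefox.
$patterns = @('NSIS Media', 'NSISMedia', 'nsis.jar')
$regex = ($patterns | ForEach-Object { [regex]::Escape($_) }) -join '|'

# 1. File system locations named in the thread.
$paths = @(
    (Join-Path $env:CommonProgramFiles 'NSIS'),
    (Join-Path $env:ProgramFiles 'NSIS'),
    (Join-Path $env:ProgramFiles 'Mozilla Firefox\chrome\nsis.jar'),
    (Join-Path $env:ProgramFiles 'Mozilla Firefox\chrome\browser.manifest')
)
foreach ($path in $paths) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $item = Get-Item -LiteralPath $path -Force
    "FILE  $path  (modified $($item.LastWriteTime))"
    if ($item.PSIsContainer) {
        Get-ChildItem -LiteralPath $path -Force | ForEach-Object { "      $($_.Name)  $($_.Length) bytes" }
    }
    elseif ($item.Name -eq 'browser.manifest') {
        # A clean manifest has no line referring to nsis.jar.
        Select-String -LiteralPath $path -Pattern 'nsis' |
            ForEach-Object { "      line $($_.LineNumber): $($_.Line)" }
    }
}

# 2. Registry: key names, value names and value data under both hives.
#    Recursing HKLM\SOFTWARE takes a minute or two; that is expected.
foreach ($root in @('HKLM:\SOFTWARE', 'HKCU:\Software')) {
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        if ($key.PSChildName -match $regex) { "KEY   $($key.Name)" }
        foreach ($name in $key.GetValueNames()) {
            $data = [string]$key.GetValue($name)
            if ($name -match $regex -or $data -match $regex) {
                "VALUE $($key.Name) :: '$name' = $data"
            }
        }
    }
}
```

Run it once before removal to see the full footprint, and again after every reboot until it prints nothing. A lone uninstall entry pointing at a folder that no longer exists, as indifferent describes, shows up as a VALUE line whose data names a missing path; everything else that appears is a live hook or a file that something is still putting back.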
minibomb74
August 26th, 2006, 05:21 PM
Thanks a lot man in a box
It seems to have worked. Has anyone else tried this and has there been any comeback? I've changed to the Opera browser now, hope to have more luck. Hope to hear from you all soon.
Thepoint
August 31st, 2006, 04:30 PM
After deleting the file it kept coming back and, as my last post shows, I tried TrojanHunter, but I also deleted the Chrome folder & turned off the auto updates to Firefox extensions. Ten days, no probs..
PS thnx littlebits...
littlebits
August 31st, 2006, 09:21 PM
Just a little update, the NSIS Malware has been linked to many programs at download.com published by Openwares.
http://www.download.com/Openwares/3260-20_4-6244969.html
Don't download these programs; just read some of the user reviews, many say that these programs installed the NSIS Malware on their computers. So why hasn't download.com removed them yet?
Thanks.
Bear-42
September 2nd, 2006, 10:25 PM
Hi I tried every suggestion so far and nothing has worked and I wanna give trojanhunter a chance but whenever I download a trial version it tells me that the time is up and I need to pay.
gumball
September 4th, 2006, 04:52 PM
Did you every find a solution to this problem?? I seem to have just discovered it myself using a keylogger - not sure how long it has been there.
Thanks.
I've been affected by this too, and may have found something that helps...?
Using some of the solutions in this thread, I have eliminated the pop-ups and system slow down, but from time to time when I am surfing the Internet or using a program the active program window will change (not to another program, but just sort of a frozen state for a second) before popping back to whatever program I was using. I alt-tabbed while this happened and discovered on the program list the items "Form_Honeypot" and "Form_Main" under the Spy Sweeper logo.
Using the PrevX thing, I discovered that whatever this thing is has infiltrated Spy Sweeper under the name "ssu.exe"... it cannot be deleted, and when I moved it to my Symantec Anti-Virus quarantine it immediately re-installed itself.
PrevX also confirmed that it's hijacked the svchost.exe file, but passed through it is as safe, even though PrevX recognizes that it's creating tons of malware activity and embedded in various programs and such.
At first I just wanted to eliminate the pop-ups, but now I realize that this thing is much, much stronger than that and is extremely powerful.
ETA: It also uses "wrsshp.exe" under Spy Sweeper as well. I guess there's some tie-in wherein it affects Spy Sweeper and Hewlett Packard (thus the ss and hp parts).
johnnashville
September 11th, 2006, 11:34 AM
Man In Box and Littlebits - you are right. I ALSO found something else. I searched my PC for any file saved on the date that I became infected. And I found a file called "browser.manifest". I am sure that is related to the "nsis.jar" file in the chrome folder.
Deleting the C:\Program Files\Mozilla Firefox\CHROME Folder is important.
Mine was originally infected by downloading an update to Firefox browser.
Thanks for your help.
OJdrinker
September 12th, 2006, 01:34 PM
NEW VARIANT ON THE LOOSE!!!
Summary: delete c:\windows\system32\wmidtex.dll and c:\windows\system32\webhits.dll
I've tried almost every single suggestion on this board, AND on other boards, to get rid of NSIS, and nothing was working for me!!! Trojan Hunter would find NSIS, but it would crash and report an exception before being able to remove it! Manually unsafe-rebooting after deleting files also didn't work. I would manually delete C:\Program Files\Common Files\NSIS\* but it would reappear after every reboot, even if I was rebooting in safe mode.
Finally, after someone else on this board suggested Process Explorer, I downloaded it and started tracking every DLL loaded by explorer.exe. In my hunt, I would delete a suspicious-looking DLL, reboot, and see if the NSIS folder and registry entries (under ShellExecuteHook) would reappear. Naturally, I deleted some harmless Windows DLLs in the process. But I hit paydirt after removing wmidtex.dll and webhits.dll (I can't say for sure which is the culprit since I deleted them both at the same time). Next reboot -- no more NSIS folders! No more ShellExecuteHooks!!! Some other users reported a different set of DLLs to remove -- theirs is a different variant. What is in common is that ALL these trojan files are dated from 2001.
So, try what everyone else has suggested first. If that doesn't work, maybe you were infected with the new variant I just described. This NSIS trojan is a pain in the ass and very good at disguising itself.
I will report back in a few days to see if the NSIS folder comes back or what. I am stumped even now as to how I got infected, as I'm an extremely sophisticated user/programmer and use Firefox exclusively. It took me basically a whole day to figure out how to remove this goddamn NSIS trojan!
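A scripted version of the hunt described in the post above, added here as an example and not part of the original post: it lists every module loaded into explorer.exe with its path, last-write date and Authenticode status, so an unsigned DLL with an out-of-place date stands out without deleting system DLLs by trial and error. It assumes an elevated Windows PowerShell prompt of the same bitness as explorer.exe; the 2002 cut-off date is taken from the post's remark that the trojan files were "dated from 2001" and is an assumption you adjust to your own system.

```powershell
# Added example: inventory the DLLs loaded into explorer.exe and flag the odd ones.
# Run from an elevated Windows PowerShell prompt (64-bit PowerShell for a 64-bit explorer.exe,
# otherwise the Modules property cannot be read).

# Cut-off taken from the post's observation that the trojan files were "dated from 2001";
# adjust to whatever date range looks out of place on your own machine (assumption).
$suspectBefore = Get-Date '2002-01-01'

$explorer = Get-Process -Name explorer -ErrorAction Stop | Select-Object -First 1

$report = foreach ($mod in $explorer.Modules) {
    $path = $mod.FileName
    $file = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
    if (-not $file) { continue }                      # module path no longer on disk
    $sig  = Get-AuthenticodeSignature -FilePath $path

    [pscustomobject]@{
        Module    = $mod.ModuleName
        LastWrite = $file.LastWriteTime
        SigStatus = $sig.Status                       # Valid, NotSigned, HashMismatch, ...
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Path      = $path
    }
}

# Candidates: not validly signed AND older than the cut-off. The full list follows so
# nothing is hidden; you still review each candidate before deleting anything.
$candidates = $report | Where-Object { $_.SigStatus -ne 'Valid' -and $_.LastWrite -lt $suspectBefore }

"=== Modules without a valid signature and older than $($suspectBefore.ToShortDateString()) ==="
$candidates | Sort-Object LastWrite | Format-Table Module, LastWrite, SigStatus, Path -AutoSize

"=== All modules loaded into explorer.exe (PID $($explorer.Id)) ==="
$report | Sort-Object SigStatus, LastWrite | Format-Table Module, LastWrite, SigStatus, Signer -AutoSize
```

Two caveats before acting on the output. Microsoft's own system DLLs are often signed through a catalog rather than an embedded signature, so Get-AuthenticodeSignature can report NotSigned for legitimate files too; treat "unsigned" as a reason to look, not a verdict, and confirm with a catalog-aware checker such as Sysinternals sigcheck before deleting. File timestamps are trivially set by an installer, so an old date is likewise only a hint, which is why the post's trial-and-error reboots remained the final test.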
littlebits
September 12th, 2006, 02:10 PM
I've read many reports of Firefox users getting infected from downloading or updating Firefox extensions.
It's unknown if this is a security hole in Firefox or if users are downloading third-party extensions from sources other than Mozilla's website.
So far every report that I've read of the NSIS Trojan is related to Firefox. I haven't used Firefox since I got infected.
I don't believe Firefox is any longer more secure than IE. Just as Firefox gets more popular, there will be more malware designed to attack it.
The worst part about Firefox is that most Anti-Virus and Anti-Spyware products only protect IE.
Malware can get into Firefox's cache and not get detected. Restart your PC and the malware installs.
Thanks.:icon_thum
OJdrinker
September 12th, 2006, 04:33 PM
I was using Firefox; however, I never installed Foxie, so that could not have been the infection vector for me (the only extension I use is Adblock -- which is completely safe; I'm running it right now and I have no NSIS).
The /chrome/ folder inside Firefox is just a location used by the trojan -- much like /common files/. When I was infected I had completely uninstalled and removed Firefox, but the files still kept coming back under /common files/. This means that this trojan can work completely independently of the presence of Firefox (if it's there, it will take advantage of it).
OJdrinker
September 12th, 2006, 04:39 PM
littlebits, so if you no longer use Firefox, which is your browser of choice now? I hope it's not IE, because switching from Firefox to IE would be like switching from a boat with a few holes (firefox) to an all-out, five-alarm fire on a sinking boat (IE).
Perhaps we should all adopt Opera now? (Or: Opera on OS X!) :)
littlebits
September 12th, 2006, 05:45 PM
littlebits, so if you no longer use Firefox, which is your browser of choice now? I hope it's not IE, because switching from Firefox to IE would be like switching from a boat with a few holes (firefox) to an all-out, five-alarm fire on a sinking boat (IE).
Perhaps we should all adopt Opera now? (Or: Opera on OS X!) :)
I do use Opera mostly, but some of my websites will only work with IE or an IE add-on browser.
Opera or Firefox won't always display web pages correctly. On some websites, in order to use the features you have to use IE or an IE add-on.
On those websites I use Maxthon; it works great but has added security features much like Firefox.
http://www.maxthon.com
First I secure IE with all Windows updates, then IE-SPYAD and SpywareBlaster.
http://www.spywarewarrior.com/uiuc/resource.htm
Then I use Spybot S&D to lock down IE and Immunize.
No matter what browser you use, you should add these security features to IE because it is part of the Windows operating system. Some people don't understand that explorer.exe (Windows Explorer) has the same browser connections and settings as IE and can't be disabled or your PC won't work. explorer.exe is a required process.
Just check your Task Manager and you will see explorer.exe is running; if you end task, then you will lose your taskbar, parts of your desktop and the Start menu.
Just because you use another browser doesn't mean that you're safe.
Thanks.:icon_thum
ElEstratega
September 17th, 2006, 06:15 AM
Hi everyone, just went through my personal NSIS purgatory... thanks for all your recommendations. I finally got rid of the thing following Guitarist's suggestions as closely as I could (forcing shutdown after uninstalling); this seems to be the procedure that works for most people. I've also switched from Firefox to Opera, which I hope has fewer vulnerabilities (or is at least not a target for this kind of attack). I'm glad I did; Opera is very nice once you realise how many cool features it has. It needs some tweaking to configure it to suit your needs but it is worth the effort.
So the NSIS folder does not appear anymore in the common files folder, I've deleted all the NSIS related stuff I could find in the registry, Firefox (including the Chrome folder) is gone... how can I be sure this bastard won't cause me any more trouble? Is there anything else I should check, perhaps monitor during the next few weeks?
Thanks again for all your help. Good luck to all who still have to wrestle with this thing.
OJdrinker
September 18th, 2006, 08:35 AM
ElEstratega, make sure there are no strange keys in the registry location
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
(If you have a key named "(Default)", that's OK. Be suspicious of anything else, especially if it's a long string of characters and numbers -- that's a CLID).
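The check described in the post above, scripted, as an added example rather than anything from the original post: it reads every entry under ShellExecuteHooks, resolves each GUID through HKEY_CLASSES_ROOT\CLSID to the DLL that Explorer actually loads for it, and reports that DLL's location, date and signature. Windows itself registers a hook here (the URL Exec Hook implemented in shell32.dll), so a GUID-named entry is not proof of infection on its own; what matters is which DLL it points at. Assumes an elevated Windows PowerShell prompt; the WOW6432Node path only exists on 64-bit Windows and is skipped where absent.

```powershell
# Added example: list ShellExecuteHooks and resolve each CLSID to the DLL it loads.
# Run from an elevated Windows PowerShell prompt.

$hookKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks',
    # 32-bit hooks on 64-bit Windows live under WOW6432Node (absent on 32-bit XP).
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
)

function Resolve-ShellExecuteHook {
    param([string]$Clsid, [string]$HookKey)

    $clsidKey  = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    $serverKey = "$clsidKey\InProcServer32"
    $friendly  = $null
    $dll       = $null

    if (Test-Path -LiteralPath $clsidKey) {
        $friendly = (Get-ItemProperty -LiteralPath $clsidKey).'(default)'
    }
    if (Test-Path -LiteralPath $serverKey) {
        $dll = (Get-ItemProperty -LiteralPath $serverKey).'(default)'
        if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }
    }

    $exists = $dll -and (Test-Path -LiteralPath $dll)
    $sig = if ($exists) { Get-AuthenticodeSignature -FilePath $dll } else { $null }

    [pscustomobject]@{
        CLSID     = $Clsid
        Name      = $friendly                          # registered friendly name, if any
        Dll       = $dll                               # what explorer.exe loads for this hook
        OnDisk    = [bool]$exists
        LastWrite = if ($exists) { (Get-Item -LiteralPath $dll).LastWriteTime } else { $null }
        SigStatus = if ($sig) { $sig.Status } else { 'n/a' }
        Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        HookKey   = $HookKey
    }
}

$hooks = foreach ($key in $hookKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-Item -LiteralPath $key
    foreach ($valueName in $item.GetValueNames()) {
        if ($valueName -eq '') { continue }            # the "(Default)" value, which is fine
        Resolve-ShellExecuteHook -Clsid $valueName -HookKey $key
    }
}

$hooks | Format-List CLSID, Name, Dll, OnDisk, LastWrite, SigStatus, Signer, HookKey
```

Judge each line by the DLL, not the GUID: a hook whose DLL sits in System32 under an unrelated-looking name, carries no valid signature and has a date matching nothing else you installed is the kind the posts in this thread are removing, while a hook resolving to a signed shell32.dll is the system's own. Remove the DLL together with the registry value; the posts above report that deleting the value alone gets it re-created at the next boot.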
ElEstratega
September 18th, 2006, 11:30 AM
Thanks OJDrinker, I just did. I found the following key and deleted it...
{AEB6717E-7E19-11d0-97EE-00C04FD91972}
Pardon my ignorance but, what is a CLID?
ElEstratega
September 19th, 2006, 12:32 AM
Someone just asked me in private how I got infected with NSIS but I suppose it can be of general interest so I post it here...The problem is my HDD died and I had to reinstall every program I use around the same time. But most probably it came with a piece of DVD-ripping software from Openwares which I got from download.com.
sspayt
September 26th, 2006, 01:11 AM
Hi friends,
I'm just gathering information about how people are getting infected with NSIS... Could you guys please post comments on http://sspayt.blogspot.com// ? There is a good outcome for these comments...
If you are infected, just answer the following questions
1) How did you get infected?
2) If you don't know how the infection happened, then just think about what programs you downloaded recently and list the programs you downloaded.
3) What problems have you faced because of this infection? (Like pop-ups, etc.)
in the comments section of the blog entry.
Thanks,
Sspayt
littlebits
September 26th, 2006, 02:03 AM
Well, I've already told my story in the above posts.
Known ways computers got infected with NSIS Malware.
1. Installed Foxie Browser (http://en.wikipedia.org/wiki/Foxie)
2. Installed various programs from Openwares.org (http://en.wikipedia.org/wiki/Openwares.org)
3. Installed various Openwares programs from Download.com (http://www.download.com/Openwares/3260-20_4-6244969.html)
4. Installed third-party Firefox extensions, plugins and themes from Download.com and other various sources.
5. Maybe from a security hole in Firefox. Could be from using an outdated version.
However there are still many unknown ways that this NSIS Malware is spread.
Thanks.:icon_thum
sspayt
September 26th, 2006, 02:14 AM
Thanks littlebits.. I'm just trying to get all the ways... It is always good to know the ways malware spreads.. so let's wait and see how many different ways NSIS spreads..
Thanks
Sspayt
pzsd
September 27th, 2006, 08:57 PM
NSIS media – Advertisement can be removed now – OS: Windows XP Pro SP2
=========================================================
I have tried all methods mentioned in all forums; I have tried over 12 of the most popular antispyware and antivirus programs. But no success. I succeeded in the following way.
Really it is shameful that not even a single antispyware or antivirus program was able to uproot this Trojan, though many claim that their antispyware or antivirus removes the NSIS media Trojan, but this is absolutely not true. Many people say, run Trojan Hunter. I ran it with the latest updates but no success. I have tried all, I say all.
----------------------------------------
There might be different approaches, but I approached it in the following way successfully:
First of all note that:
The NSIS Trojan, though it can come through Firefox extensions, this is not the only source of the NSIS problem; mostly it may come from freeware and in particular from files downloaded from cracks sites, torrents and P2P programs.
Follow the following steps:
1- Uninstall Firefox completely and also delete Firefox and its profile folder, which is located at C:\Documents and Settings\username\Application Data. You can save the profile but without the files in the Extensions and chrome folders. This step No. 1 is only necessary if you think that the NSIS problem is coming from Firefox. To check this, go to the chrome and extensions folders of Mozilla Firefox and frequently check for a file named NSIS.*, NSIS.jar or any file whose name starts with NSIS. If you find that file then you MUST implement step No. 1, and vice versa.
2- There is a big chance that NSIS came through bad software. So think about the program you installed after which this problem started. Before uninstalling that suspected program, for the time being, cancel its autostart, and only run autostart programs that you 100% trust. Otherwise after complete cleaning of the NSIS Trojan, any bad autostart program will reinstall NSIS again and you will be caught in a closed loop. That is what happened with me.
3- My computer was infected by NSIS media by the NSIS.jar file of a Firefox extension. But after removing Firefox 1.506, I installed Firefox 2.0, which is very very secure and accepts only trusted extensions. So at the end of this troubleshooting you can install Firefox 2.0; do not install other old versions. Here you can use your Firefox profile again (if you like) that was saved in step No. 1. The second NSIS media Trojan infection was coming from Roboform 6.7.8 which was used from a torrent. Most probably its Roboform.dll was infected (deliberately by some devil).
4- I succeeded in cleaning the NSIS Trojan more than 20 times, but whenever I restarted the PC, the NSIS folder was again there in the common files folder. But when I stopped the autostart of Roboform, NSIS did not return. Note that the genuine Roboform software is very clean and does not have any infection. So do not be afraid of genuine software but of cracked and torrent-loaded software.
5- Now download the software "Smarty Uninstaller" – latest version – and run it. Locate the program "NSIS Media Extension" in it but do not do anything now.
6- Now go to C:\Program Files\Common Files and delete it – I prefer to clean it with 3-pass secure deletion by Track Eraser Pro or any shredder.
7- Now quickly go to the already-opened Smarty Uninstaller, right-click on it and in the context menu click "Delete Registry entries". This will clean the NSIS-relevant registry entries. Before doing this step, be sure that the NSIS folder is not again written in the common files folder; if so, delete it again. However, Smarty Uninstaller will not delete one registry entry (I do not know why). Go to the following registry folder and manually delete the line that has NSIS in its name. Be careful! Do not delete the following registry folder but only and only the NSIS entry in it, if you find it. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks.
8- Disable all suspected autostarts.
9- Now use JVC Tools' registry cleaner and clean the registry. At the end of cleaning, select all, and clean. This is a safe program so do not be afraid. – This step is for extra precaution and is optional.
10- Now watch for some time whether the NSIS folder is coming again or not. If it comes again then it means there is already software loaded in memory, mostly by autostart. In this case, disable all suspected autostart programs, restart the computer and revise all the steps given above. Now finally, run CCleaner (a freeware) with the secure deletion option. After that right-click on the Recycle Bin and empty it with the CCleaner context menu command. Do not restart but shut down your PC now. And now you can start it again. Good luck.
11- This MUST solve your problem finally. You can contact me for any further help at
[email protected]. It will be my pleasure to help you. We humans at the apex are kids of one father and mother. We must help each other but SINCERELY.
Regards
Canjopak
Some very useful software which is always helpful to solve problems: (This is just a recommendation).
Registry Workshop
JVC tools 2006
Smarty Uninstaller 2006
Your Uninstaller 2006
IP-Tools
TCP Optimizer – free
MySpeed PC - free
Advanced Process Termination ver 2.1 – free, from DiamondCS – strongest killer in the market. But their new version, though beautiful, is very bad. Just use ver 2.1.
Port Explorer – of DiamondCS
Process viewer – Free (of DiamondCS)
CCleaner - free
Track Eraser Pro
Regrun (only for expert users) – A great soft
Process explorer, and autorun of Sysinternals
Extended Task manager
=============================================
Can you Digg it?
October 1st, 2006, 11:16 AM
This is an easy-to-follow tutorial that worked for me
http://www.schrockinnovations.com/removensismedia.php
Corianton
October 1st, 2006, 05:01 PM
Hi, guys. I am not a computer genius like most of the people who have offered solutions. But I got rid of NSIS (knock on wood) by combining a few of the sections here. Littlebits, thanks for all of your information and patient explanation for those of us who barely know what we are doing. It helped. Here is what I did. Let me know if you have tried this and still had problems, because it probably means I will too:
WARNINGS: DON'T USE THE UNINSTALLER!!! Not even from Control Panel, in safe mode or otherwise. I think the more times you use it the harder it is to get rid of, and in the end it doesn't work. It will be only a temporary fix; other problems happen. DO NOT DELETE THE NSIS FOLDER IN C:\Program Files\Common Files. It will only come right back.
1. Download the 30-day trial of Trojan Hunter from http://www.misec.net/. Install it. Almost immediately it should say it found a file in Windows\system32\ that starts with "wmd" that is connected to explorer.exe via the registry, just as everybody has indicated. I think it was a .dll file. It will attempt to clean and quarantine it. However, it will say that it cannot quarantine the file till you restart. So restart the computer into normal mode once. After everything has started up, restart again into safe mode. DO NOT ATTEMPT TO DELETE THE QUARANTINED FILE UNTIL YOU ARE IN SAFE MODE.
2. Go into safe mode. First, start Trojan Hunter and delete the quarantined file. Then, while still in safe mode, uninstall Firefox. If you prefer, delete the entire "Mozilla Firefox" folder. I didn't, but I did delete the residual "chrome" folder. Then go to C:\Program Files\Common Files\NSIS. DO NOT DELETE THE ENTIRE FOLDER!!! EVEN IF YOU DO IT IN SAFE MODE, IT WILL COME RIGHT BACK!! For sure, so don't do it. However, delete all files IN that folder. Then, right-click on the folder and go to the permissions. You have to turn on a few options, but delete all users from the permissions of that folder EXCEPT the administrators. Then make it a read-only folder. Now rename the folder to something like "JUNK".
3. While still in safe mode, delete everything in the folder C:\Documents and Settings\<user>\Local Settings\Temp (for anyone REALLY new to this, you have to enable hidden folders to see the "Local Settings" folder). There has also been mention of three other files: A~NSISu_.exe, krnsvr32.dll, and wmdmb32.dll. I think that wmdmb32.dll is what Trojan Hunter eliminated. If you can find any of these files on your hard drive, delete them as well. Furthermore, think back to any programs that you may have downloaded from skeptical sources, and furthermore anything you downloaded from Download.com, since much of this trojan started there. Delete them while in safe mode.
4. Restart the computer in normal mode. Go to www.mozilla.com and reinstall Firefox. I recommend only getting Firefox from the Mozilla website, because there have apparently been problems with getting it from download.com.
Anyway, after I did the above steps, I restarted the computer once more and left Mozilla Firefox open for about 12 hours straight. No pop-ups. It has been twenty-four hours now, no problems. Hope this helps.
Corianton
Corianton
October 2nd, 2006, 03:14 PM
Hi, just wanted to report that I am still NSIS-free using the above-described method. Also, I think that I got infected by downloading some DVD-ripper Openwares from Download.com. It's the only thing I can think of. Also, there is no reason to switch to Opera if you follow the above method, or to reboot your computer. If you download the latest Firefox FROM the actual Mozilla website, you will be fine.
Also, I recommend doing the things that were mentioned above regarding the registry. Run "regedit" from the "Run" feature on the Start bar, then go to "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks". If there is a key there titled "default" it is fine, but beware of anything else, especially long strings of letter/number combos (as OJdrinker indicated above). I deleted the other two that showed up in mine. Also, use the "Find" feature under the "Edit" menu. Type "NSIS" in the finder field and click search. It should show a few other instances of NSIS Media extension under the "Uninstaller" tab. Those keys are directed to files that should have been deleted using my method above, so they are theoretically harmless, but I would remove them from the registry altogether.
Finally, I noticed there were still some keys related to some of the suspicious programs I had deleted previously, so I removed those keys as well, to be safe.
I think that is it. For those who are thinking "His explanations seem to be aimed towards complete idiots", that is because they are, in a way. There are a lot of people with no or relatively no experience with this stuff suffering from the NSIS bug. They are probably trying trials or paying some "Geek Squad" to fix this problem, when they could actually do it on their own. So forgive my wordy explanations.
Corianton
Can you Digg it?
October 4th, 2006, 06:52 AM
Apologies for my previous post saying it had gone; it came back, but not until I had shut down a couple of times? Weird, but anyway a free trial of Trojan Hunter identified it and removed it, and that's it, totally gone now.
Thanks for all the info on this thread, it's been most useful.
A note to LITTLEBITS! You listed three possible sources of infection from your installation date logs, and the only one I have in common is JetAudio, which I installed a couple of weeks back because iTunes 7 was such a disaster! I think I got it from download.com CNET since that's where I go for most things I am unsure of.....
anyway thanks again
abrusil33
October 6th, 2006, 09:40 PM
:icon_salu
1. Open folder C:\Program Files\Common Files\NSIS
2. Cut all files from that folder to the Desktop
3. Make two files in the folder by right click > New > Text Document
4. Rename both files to:
-- ns10.dll --
and
-- uninst.exe --
Make sure you have the option to see your file extensions, to avoid double extension names.
>in "Folder Options" > "View" > "Hide extensions for known file types" must be UNchecked.
5. Now you have two files in the folder with exactly the same names that were there before, which were installed without your permission by NSIS media, so make these files READ ONLY,
by right-click on file > Properties > check the "Read only" box.
6. Make the folder "NSIS" = Read Only (as in step 5)
7. If you cannot delete the files from your desktop that you moved earlier in step (2), then rename them to anything without an extension.
8. Restart the computer and delete these files from the Desktop permanently.
Remember, do not delete the NSIS folder or you will have it back again; no ad-blocking software nor utility will fix it for you. "Windows Live OneCare" actually will prevent it from installing, so I recommend it.
:icon_salu
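The placeholder-file trick from the post above, combined with the permissions step from Corianton's post, scripted as an added example that is not part of either post: it moves whatever is in the NSIS folder to a quarantine folder on the Desktop (renamed with a .bak suffix, my choice; the post renames without an extension), creates zero-byte files under the same names, marks them read-only, and adds Deny entries for Everyone so that nothing can overwrite, delete or re-permission the files or create new ones in the folder. It assumes an elevated Windows PowerShell prompt and the folder and file names given in the thread; the ns10.dll name is whatever your own copy used (the head of the thread reports ns24.dll, ns48.dll and so on).

```powershell
# Added example: the placeholder-file trick, scripted. Run as administrator.
# Folder and file names are taken from the posts above; substitute the ns??.dll
# name your own copy uses (assumption).
$dir   = 'C:\Program Files\Common Files\NSIS'
$names = 'uninst.exe', 'ns10.dll'

$everyone     = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'   # Everyone
$fileRights   = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$folderRights = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

# Step 1: move whatever is in the folder out of the way, renamed so it cannot run.
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$quarantine = Join-Path $env:USERPROFILE 'Desktop\NSIS-quarantine'
New-Item -ItemType Directory -Path $quarantine -Force | Out-Null
Get-ChildItem -LiteralPath $dir -Force | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
    Move-Item -LiteralPath $_.FullName -Destination (Join-Path $quarantine ($_.Name + '.bak')) -Force
}

# Step 2: zero-byte placeholders with the same names, read-only, plus a Deny ACE for Everyone.
foreach ($name in $names) {
    $path = Join-Path $dir $name
    New-Item -ItemType File -Path $path -Force | Out-Null
    (Get-Item -LiteralPath $path).IsReadOnly = $true

    $acl  = Get-Acl -LiteralPath $path
    $deny = New-Object System.Security.AccessControl.FileSystemAccessRule($everyone, $fileRights, 'Deny')
    $acl.AddAccessRule($deny)
    Set-Acl -LiteralPath $path -AclObject $acl
}

# Step 3: the folder itself: nobody may create, delete or re-permission anything inside it.
$folderAcl  = Get-Acl -LiteralPath $dir
$folderDeny = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $everyone, $folderRights, 'ContainerInherit, ObjectInherit', 'None', 'Deny')
$folderAcl.AddAccessRule($folderDeny)
Set-Acl -LiteralPath $dir -AclObject $folderAcl

# Verify: the placeholders are empty and the Deny entries are in place.
Get-ChildItem -LiteralPath $dir -Force | Select-Object Name, Length, IsReadOnly
(Get-Acl -LiteralPath $dir).Access | Where-Object { $_.AccessControlType -eq 'Deny' } |
    Select-Object IdentityReference, FileSystemRights
```

This is containment, not removal: the component that keeps re-creating the folder (the DLL hooked into explorer.exe that OJdrinker and Corianton describe) is still running, and a process holding SYSTEM-level privileges can take ownership regardless of the Deny entry. Use it to stop the payload from being dropped while you track down and remove the loader. To undo it, an administrator takes ownership of the folder (the take-ownership privilege overrides the ACE) and removes the Deny rules.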
wolf3
October 7th, 2006, 06:33 AM
I sent Spy Sweeper an e-mail re: NSIS. They sent me a program "nsisremove.exe" via e-mail attachment. I ran the program and no pop-ups for 4 days now. The NSIS folder in Common Files is gone and has not returned after many reboots. I think they got it. My computer is running a lot better too. FYI
blunden
October 18th, 2006, 09:36 AM
Does anyone have a working removal tool? A standalone removal tool would be a plus.