
Infected... I think? [RESOLVED]


This topic is locked

#1
SpaceCowboy706 (Trusted Tech, Member, 1,175 posts)
Having some issues with my PC. When it starts up I get this error message: http://members.cox.n...706/virus/1.JPG When I go to My Computer I get a screen that looks like this: http://members.cox.n...706/virus/2.JPG And when I open the C: drive I can see a ton of files in there, like this: http://members.cox.n...706/virus/3.JPG

These changes all started a couple of days ago when my Sygate firewall started popping up a bunch of warning messages about stuff trying to get out and stuff trying to get in (sorry, I don't remember what they were saying, as I just clicked block). So, since I don't use Internet Explorer, I just set it to a fake proxy server so it couldn't connect to the internet and continued surfing with Mozilla for a bit. Then I did a SUPERAntiSpyware complete system scan and it found nothing, and then an AVG complete scan, and it also found nothing. I currently have Internet Explorer blocked with Sygate (still using the fake proxy server for it as well, so I'm not bombarded with constant pop-ups), and I have the free version of SUPERAntiSpyware I got from the downloads section. I am using Windows XP Pro, all updated, and I have scanned with HijackThis and have pasted the log below. Please give me a hand here if you can:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:17:59 PM, on 2/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:1   <-- I added this.
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 1720 bytes


#2
Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Hello

1 - Flash Drive Disinfector
  • Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.




Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

#3
SpaceCowboy706 (Trusted Tech, Topic Starter, Member, 1,175 posts)
Did as instructed; here is my HijackThis log again and my ComboFix log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:16:37 AM, on 2/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:1
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\flfewjdb.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: flfewjdb - C:\WINDOWS\SYSTEM32\flfewjdb.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 2004 bytes

------------------------------------------------------------------------------------------------------------------------------------------

ComboFix 08-02-14.2 - 2008-02-14 6:59:06.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1606 [GMT -6:00]
Running from: C:\Documents and Settings\<myname>\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\hidusbb.sys
C:\WINDOWS\system32\mljgg.dll
C:\WINDOWS\system32\rqrrqrs.dll
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Documents and Settings\NetworkService\Application Data\NetMon
C:\Documents and Settings\NetworkService\Application Data\NetMon\domains.txt
C:\Documents and Settings\NetworkService\Application Data\NetMon\log.txt
C:\Documents and Settings\<myname>\Application Data\AVSystemCare
C:\Documents and Settings\<myname>\Application Data\AVSystemCare\Logs\threats.log
C:\Documents and Settings\<myname>\Application Data\AVSystemCare\Logs\update.log
C:\Documents and Settings\<myname>\Favorites\Online Security Guide.lnk
C:\Documents and Settings\<myname>\My Documents\YSTEM3~1
C:\Documents and Settings\<myname>\My Documents\YSTEM3~1\?ystem32\
C:\Program Files\Temporary
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\isgTi19
C:\temp\tn3
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\UGA6P_0001_N122M0611NetInstaller.exe
C:\WINDOWS\mbols~1
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\system32\CMMGR32.EXE
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\hidusbb.sys
C:\WINDOWS\system32\efcbywt.dll
C:\WINDOWS\system32\flfewjdb.dll
C:\WINDOWS\system32\flfewjdb.dll . . . . failed to delete
C:\WINDOWS\system32\flfewjdb.dllbox
C:\WINDOWS\system32\ggjlm.ini
C:\WINDOWS\system32\ggjlm.ini2
C:\WINDOWS\system32\gzmrt.dll
C:\WINDOWS\system32\jbpssfss.dll
C:\WINDOWS\system32\lmcyqjll.ini
C:\WINDOWS\system32\mljgg.dll
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\nGpxx01\nGpxx011065.exe
C:\WINDOWS\system32\nsvB.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\rqrrqrs.dll
C:\WINDOWS\system32\ssfsspbj.ini
C:\WINDOWS\system32\thbutepp.dll
C:\WINDOWS\system32\wdrivveo.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_HIDUSBB
-------\hidusbb


((((((((((((((((((((((((( Files Created from 2008-01-14 to 2008-02-14 )))))))))))))))))))))))))))))))
.

2008-02-11 13:19 . 2008-02-14 07:03 163,904 --a------ C:\WINDOWS\system32\flfewjdb.dll
2008-02-11 12:39 . 2008-02-11 12:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NeptunesAdve
2008-02-11 10:24 . 2008-02-11 10:24 <DIR> dr------- C:\Documents and Settings\All Users\Application Data\SalesMon
2008-02-11 10:24 . 2008-02-11 10:24 <DIR> d--hs---- C:\AVSystemCare
2008-02-11 10:24 . 2004-10-07 13:39 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2008-02-11 10:18 . 2008-02-11 10:18 36,864 --a------ C:\WINDOWS\mrofinu572.exe.tmp
2008-02-08 08:46 . 2008-02-08 08:46 <DIR> d-------- C:\Documents and Settings\<myname>\Application Data\CyberLink
2008-02-08 08:45 . 2008-02-08 08:45 <DIR> d-------- C:\Program Files\CyberLink
2008-02-08 08:45 . 2008-02-08 08:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2008-02-07 06:56 . 2008-02-07 06:56 324 --a------ C:\WINDOWS\game.ini
2008-02-07 06:55 . 2008-02-07 06:55 <DIR> d-------- C:\Program Files\Activision
2008-02-05 11:34 . 2008-02-05 11:34 <DIR> d-------- C:\Program Files\Adssite Games Collection
2008-02-05 11:34 . 2008-02-05 11:34 80,090 --a------ C:\WINDOWS\system32\adssite-remove.exe
2008-02-05 11:34 . 2008-02-05 11:34 40,724 --a------ C:\WINDOWS\system32\rightonadz-uninst.exe
2008-02-05 10:49 . 2004-08-18 02:34 442,368 -ra------ C:\WINDOWS\system32\vp6vfw.dll
2008-02-01 19:37 . 2008-02-08 19:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-02-01 19:31 . 2008-02-01 19:31 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-01 17:30 . 2008-02-01 19:43 <DIR> d-------- C:\Virus Removal Kit
2008-02-01 16:34 . 2008-02-12 07:04 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-01 16:34 . 2008-02-11 10:39 <DIR> d-------- C:\Documents and Settings\Purina\Application Data\SUPERAntiSpyware.com
2008-02-01 16:34 . 2008-02-01 16:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-01 16:29 . 2008-02-01 16:29 <DIR> d-------- C:\Program Files\Sygate
2008-02-01 16:29 . 2004-10-15 18:32 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2008-02-01 16:29 . 2004-10-15 18:17 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2008-02-01 16:29 . 2004-10-15 18:18 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2008-02-01 16:29 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2008-02-01 16:29 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2008-02-01 16:29 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2008-02-01 16:29 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2008-02-01 16:14 . 2008-02-01 16:14 50,688 --a------ C:\ATF_Cleaner.exe
2008-02-01 15:21 . 2008-02-01 16:28 <DIR> d-------- C:\Program Files\Dot1XCfg
2008-02-01 11:10 . 2008-02-01 11:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-02-01 11:09 . 2008-02-01 17:47 <DIR> d--hs---- C:\WINDOWS\UHVyaW5uYQ
2008-02-01 11:09 . 2008-02-01 17:19 <DIR> d-------- C:\WINDOWS\system32\tip4
2008-02-01 11:09 . 2008-02-01 17:45 <DIR> d-------- C:\WINDOWS\system32\lis6
2008-02-01 11:09 . 2008-02-01 11:09 <DIR> d-------- C:\WINDOWS\system32\kps5
2008-02-01 11:09 . 2008-02-01 11:09 <DIR> d-------- C:\WINDOWS\system32\hs9
2008-02-01 11:09 . 2008-02-01 11:09 <DIR> d-------- C:\Temp\gTiis19
2008-02-01 11:09 . 2008-02-01 11:09 <DIR> d-------- C:\Temp\cXzz9
2008-02-01 11:09 . 2008-02-14 06:59 <DIR> d-------- C:\Temp
2008-01-30 13:10 . 2008-01-30 13:10 <DIR> d-------- C:\Documents and Settings\<myname>\Application Data\PlayFirst
2008-01-30 13:10 . 2008-01-30 13:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-01-29 16:25 . 2008-01-29 16:25 <DIR> d-------- C:\Documents and Settings\Purina\Application Data\Gamelab
2008-01-29 12:14 . 2008-01-29 12:14 <DIR> d-------- C:\Documents and Settings\Purina\Application Data\BloodTies
2008-01-25 18:53 . 2008-01-25 18:53 <DIR> d---s---- C:\Documents and Settings\Purina\UserData
2008-01-24 17:32 . 2008-01-24 17:32 <DIR> d-------- C:\Program Files\eDimensional USB audio
2008-01-24 17:32 . 2006-12-18 16:46 5,783,552 --a------ C:\WINDOWS\system\CM108.cpl
2008-01-24 17:32 . 2006-12-21 17:05 1,294,336 --a------ C:\WINDOWS\system32\drivers\CM108.sys
2008-01-24 17:32 . 2001-11-23 12:08 712,704 --a------ C:\WINDOWS\system32\a3d108pu.dll
2008-01-24 17:32 . 2001-11-23 12:08 712,704 --a------ C:\WINDOWS\system32\a3d.dll
2008-01-24 17:32 . 2004-04-14 11:28 315,392 --a------ C:\WINDOWS\system\fltr108.dll
2008-01-24 17:32 . 2006-10-02 19:02 262,144 --a------ C:\WINDOWS\Cmi108Uninstall.exe
2008-01-24 17:32 . 2006-10-13 10:02 249,856 --a------ C:\WINDOWS\system32\CM108rm.exe
2008-01-24 17:32 . 2005-03-07 14:29 45,056 --a------ C:\WINDOWS\system32\CM108rm.dll
2008-01-24 17:32 . 2006-03-09 17:45 32,768 --a------ C:\WINDOWS\system32\c108prop.dll
2008-01-24 17:32 . 2008-02-02 02:36 596 --a------ C:\WINDOWS\system\Cm108.ini
2008-01-24 17:31 . 2004-08-03 23:07 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2008-01-24 17:31 . 2004-08-03 23:07 59,264 --a--c--- C:\WINDOWS\system32\dllcache\usbaudio.sys
2008-01-24 17:18 . 2008-01-24 17:18 <DIR> d-------- C:\Documents and Settings\Purina\Application Data\Leadertech
2008-01-24 17:17 . 2008-01-24 17:17 <DIR> d-------- C:\Program Files\Logitech
2008-01-24 17:17 . 2008-01-24 17:18 <DIR> d-------- C:\Program Files\Common Files\Logishrd
2008-01-24 17:17 . 2008-01-24 17:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\LogiShrd
2008-01-24 17:17 . 2008-01-24 17:17 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-01-24 17:17 . 2008-01-24 17:17 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-01-23 22:51 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2008-01-23 22:51 . 2007-05-16 16:45 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll
2008-01-23 22:51 . 2007-07-19 18:14 1,358,192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll
2008-01-23 22:51 . 2007-05-16 16:45 1,124,720 --a------ C:\WINDOWS\system32\D3DCompiler_34.dll
2008-01-23 22:51 . 2007-07-19 18:14 444,776 --a------ C:\WINDOWS\system32\d3dx10_35.dll
2008-01-23 22:51 . 2007-05-16 16:45 443,752 --a------ C:\WINDOWS\system32\d3dx10_34.dll
2008-01-23 22:51 . 2007-04-04 18:53 81,768 --a------ C:\WINDOWS\system32\xinput1_3.dll
2008-01-23 09:20 . 2008-01-23 09:20 <DIR> d-------- C:\Documents and Settings\<myname>\Application Data\Eyeblaster
2008-01-22 06:41 . 2008-01-22 06:41 <DIR> d-------- C:\WINDOWS\Sun
2008-01-21 19:48 . 2008-01-21 19:48 <DIR> dr------- C:\Documents and Settings\Purina\Application Data\Brother
2008-01-20 20:22 . 2008-01-24 17:47 4 --a------ C:\WINDOWS\system32\GVTunner.ref
2008-01-19 21:35 . 2008-01-19 21:35 <DIR> d-------- C:\Program Files\iTunes
2008-01-19 21:35 . 2008-01-19 21:35 <DIR> d-------- C:\Program Files\iPod
2008-01-19 21:34 . 2008-01-19 21:34 <DIR> d-------- C:\Program Files\QuickTime
2008-01-19 14:55 . 2008-01-19 14:55 <DIR> d-------- C:\Program Files\LightScribe Diagnostic Utility
2008-01-19 14:44 . 2008-01-19 14:44 <DIR> d-------- C:\Program Files\LightScribeTemplateLabeler
2008-01-19 12:35 . 2008-01-21 19:22 <DIR> d-------- C:\Documents and Settings\<myname>\Application Data\gtk-2.0
2008-01-19 12:35 . 2008-01-19 12:35 <DIR> d-------- C:\Documents and Settings\<myname>\.thumbnails
2008-01-19 12:34 . 2008-01-19 12:34 <DIR> d-------- C:\Program Files\GIMP-2.0
2008-01-19 12:34 . 2008-01-21 19:26 <DIR> d-------- C:\Documents and Settings\<myname>\.gimp-2.4
2008-01-18 22:14 . 2008-02-08 16:45 116 --a------ C:\WINDOWS\NeroDigital.ini
2008-01-18 18:23 . 2008-01-18 18:23 <DIR> d-------- C:\Documents and Settings\<myname>\Application Data\Ahead
2008-01-18 18:03 . 2008-01-18 18:03 <DIR> d-------- C:\Documents and Settings\<myname>\Application Data\Reallusion
2008-01-18 17:52 . 2008-01-18 17:52 <DIR> d-------- C:\Program Files\Reallusion
2008-01-18 17:50 . 2008-01-18 17:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\LightScribe
2008-01-18 17:36 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-01-18 17:36 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-01-18 17:36 . 2008-01-18 17:36 419 --a------ C:\WINDOWS\BRWMARK.INI
2008-01-18 17:36 . 2008-01-18 17:36 27 --a------ C:\WINDOWS\BRPP2KA.INI
2008-01-18 17:34 . 2007-02-01 13:19 1,520,640 --a------ C:\WINDOWS\system32\BrWia07a.dll
2008-01-18 17:34 . 2006-12-12 11:28 52,224 --a------ C:\WINDOWS\system32\drivers\BrSerIf.sys
2008-01-18 17:34 . 2007-01-26 14:06 45,568 --a------ C:\WINDOWS\system32\BrUsi07a.dll
2008-01-18 17:34 . 2004-10-15 12:50 15,295 --a------ C:\WINDOWS\system32\drivers\BrScnUsb.sys
2008-01-18 17:34 . 2006-09-03 09:53 11,904 --a------ C:\WINDOWS\system32\drivers\BrUsbSer.sys
2008-01-18 17:34 . 2008-01-18 17:34 225 --a------ C:\WINDOWS\Brpfx04a.ini
2008-01-18 17:34 . 2008-01-18 17:34 93 --a------ C:\WINDOWS\brpcfx.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-14 05:37 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-02-12 19:09 --------- d-----w C:\Program Files\Real
2008-02-11 16:39 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-08 14:45 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-05 17:13 --------- d-----w C:\Documents and Settings\<myname>\Application Data\LimeWire
2008-01-24 23:47 24,944 ----a-w C:\WINDOWS\system32\drivers\GVTDrv.sys
2008-01-15 21:22 --------- d-----w C:\Documents and Settings\Purina\Application Data\Move Networks
2008-01-12 18:09 --------- d-----w C:\Documents and Settings\Purina\Application Data\Apple Computer
2008-01-12 18:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-12 18:08 --------- d-----w C:\Program Files\Common Files\Apple
2008-01-12 18:08 --------- d-----w C:\Program Files\Apple Software Update
2008-01-12 18:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-01-11 21:18 --------- d-----w C:\Documents and Settings\Purina\Application Data\Pirateville
2008-01-09 22:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\SpinTop Games
2008-01-09 14:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\MumboJumbo
2008-01-08 18:47 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-08 02:02 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\ATI
2008-01-02 22:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Zylom
2008-01-02 22:24 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2008-01-02 22:24 --------- d-----w C:\Program Files\Common Files\Real
2007-12-29 14:42 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2007-12-29 03:49 --------- d-----w C:\Documents and Settings\Purina\Application Data\Ventrilo
2007-12-29 02:10 --------- d-----w C:\Program Files\Curse
2007-12-29 01:38 --------- d-----w C:\Documents and Settings\Purina\Application Data\Thunderbird
2007-12-29 01:11 --------- d-----w C:\Program Files\Common Files\xing shared
2007-12-29 01:09 --------- d-----w C:\Program Files\Java
2007-12-29 01:08 --------- d-----w C:\Program Files\Common Files\Java
2007-12-29 00:57 --------- d-----w C:\Program Files\Ventrilo
2007-12-29 00:54 --------- d-----w C:\Program Files\Ahead
2007-12-29 00:53 --------- d-----w C:\Program Files\Common Files\Nero
2007-12-29 00:52 --------- d-----w C:\Program Files\Common Files\Ahead
2007-12-29 00:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2007-12-29 00:50 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-12-29 00:32 --------- d-----w C:\Program Files\Warcraft
2007-12-29 00:02 --------- d-----w C:\Documents and Settings\<myname>\Application Data\ATI
2007-12-29 00:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI
2007-12-28 23:58 --------- d-----w C:\Program Files\ATI Technologies
2007-12-28 23:56 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-28 23:56 --------- d-----w C:\Program Files\Common Files\ATI Technologies
2007-12-28 23:43 --------- d-----w C:\Program Files\Realtek
2007-12-28 23:39 --------- d-----w C:\Program Files\Gigabyte
2007-12-28 23:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\InstallShield
2007-12-28 23:36 15,600 ----a-w C:\WINDOWS\gdrv.sys
2007-12-28 23:33 --------- d-----w C:\Documents and Settings\<myname>\Application Data\InstallShield
2007-12-28 23:31 315,392 ----a-w C:\WINDOWS\HideWin.exe
2007-12-28 23:29 --------- d-----w C:\Program Files\Intel
2007-12-28 22:23 --------- d-----w C:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2008-02-14 07:03 163904 --a------ C:\WINDOWS\system32\flfewjdb.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"PPort11reminder"="C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 13:46 255528]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40 2577632]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\flfewjdb]
flfewjdb.dll 2008-02-14 07:03 163904 C:\WINDOWS\system32\flfewjdb.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^<myname>^Start Menu^Programs^Startup^Product Registration.lnk]
path=C:\Documents and Settings\<myname>\Start Menu\Programs\Startup\Product Registration.lnk
backup=C:\WINDOWS\pss\Product Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2005-05-03 18:43 69632 C:\WINDOWS\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrMfcWnd]
--------- 2007-03-23 13:14 663552 C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CM108Sound]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3]
--------- 2007-01-26 15:58 65536 C:\Program Files\Brother\ControlCenter3\brctrcen.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CurseClient]
--a------ 2007-12-06 12:58 480256 C:\Program Files\Curse\CurseClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyTuneVPro]
--a------ 2007-07-26 15:05 20480 C:\Program Files\Gigabyte\ET5Pro\ETcall.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
--a------ 2007-01-29 21:10 46632 C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-02-17 07:15 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-02-17 07:15 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-01-15 03:22 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
--a------ 2007-07-17 17:39 55824 C:\WINDOWS\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
--a------ 2007-12-05 12:30 2295072 C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-04 00:56 1667584 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
--a------ 2007-01-29 21:12 30248 C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ptask]
C:\Program Files\AVSystemCare\ptask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 15:27 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2003-10-31 19:42 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2007-10-16 18:30 16855552 C:\WINDOWS\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
--a------ 2006-10-25 09:03 210472 C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-12-28 19:11 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WallpaperChanger]
--a------ 2005-11-08 13:13 321536 C:\Program Files\Wallpaper Master\Wallpaper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LightScribeService"=2 (0x2)
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)

R3 CM1083264;C-Media CM108 Like Sound UDAX Interface;C:\WINDOWS\system32\drivers\CM108.sys [2006-12-21 17:05]
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys [2004-10-15 12:50]
S3 BrSerIf;Brother MFC Serial Port Interface WDM Driver;C:\WINDOWS\system32\Drivers\BrSerIf.sys [2006-12-12 11:28]
S3 BrUsbSer;Brother MFC USB Serial WDM Driver;C:\WINDOWS\system32\Drivers\BrUsbSer.sys [2006-09-03 09:53]
S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [2007-12-28 17:36]
S3 GVTDrv;GVTDrv;C:\WINDOWS\system32\Drivers\GVTDrv.sys [2008-01-24 17:47]
S3 MarkFun_NT;MarkFun_NT;C:\Program Files\Gigabyte\ET5Pro\markfun.w32 [2007-08-21 11:49]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
"2008-02-12 19:13:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-14 07:08:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\flfewjdb.dll

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.2180]
-> C:\WINDOWS\system32\flfewjdb.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
.
**************************************************************************
.
Completion time: 2008-02-14 7:10:21 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-14 13:10:19


--------------------------------------------------------------------------------------------------------------------------------------


I no longer get the error message when Windows starts up (http://members.cox.n...706/virus/1.JPG), and when I go to My Computer I no longer get the "SYSTEM WARNING" message, but the C: drive icon is still a big red "X", so I'm not sure what that means (like it is seen here: http://members.cox.n...06/virus/2.JPG), and all of the mysterious files have disappeared from within the C: drive as well. I disabled the proxy server and it seems now all the pop-ups have gone away as well. It appears that all the problems I posted have been taken care of now except the big red "X" on the C: drive, so does that mean there is still something wrong, or can I just change the drive icon back to what it was before?

Edited by SpaceCowboy706, 14 February 2008 - 07:34 AM.


#4
Rorschach112 (Ralphie)
  • Retired Staff
  • 47,710 posts
There is a bit left, so I wouldn't make any changes yet. Can get you clean by today if you wish


CLICK THIS LINK TO BE SURE YOU CAN VIEW HIDDEN FILES

Please go here:
The Spy Killer Forum
  • Click on "New Topic"
  • Put your name, e-mail address, and this as the title: "C:\WINDOWS\SYSTEM32\flfewjdb.dll"
  • Put a link to this topic in the description box.
  • Then next to the file box, at the bottom, click the browse button, then navigate to this file:
    • C:\WINDOWS\SYSTEM32\flfewjdb.dll
  • Click Open.
  • Click Post.
Thank you!



1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\atl71.dll
C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\SYSTEM32\flfewjdb.dll
C:\WINDOWS\system32\adssite-remove.exe
C:\WINDOWS\system32\rightonadz-uninst.exe

Folder::
C:\Program Files\Dot1XCfg
C:\WINDOWS\UHVyaW5uYQ
C:\WINDOWS\system32\tip4
C:\WINDOWS\system32\lis6
C:\WINDOWS\system32\kps5
C:\WINDOWS\system32\hs9
C:\Temp\gTiis19
C:\Temp\cXzz9
C:\Temp
C:\Documents and Settings\All Users\Application Data\SalesMon
C:\AVSystemCare

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]


Save this as CFScript.txt, in the same location as ComboFix.exe


[image: dragging CFScript.txt onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall




Reboot and post a new HijackThis log

#5
SpaceCowboy706 (Trusted Tech)
  • Topic Starter
  • Member
  • 1,175 posts
The file you had me look for to upload was "flfewjdb.dll" and the one I found was actually "flfewjdb.dllbox".... hope that doesn't matter?

Anyway, I did as instructed and here are the logs:

ComboFix 08-02-14.2 - <myname>2008-02-14 18:27:59.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1602 [GMT -6:00]
Running from: C:\Documents and Settings\<myname>\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\<myname>\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\system32\adssite-remove.exe
C:\WINDOWS\system32\atl71.dll
C:\WINDOWS\SYSTEM32\flfewjdb.dll
C:\WINDOWS\system32\rightonadz-uninst.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\AVSystemCare
C:\Documents and Settings\All Users\Application Data\SalesMon
C:\Program Files\Dot1XCfg
C:\Temp
C:\Temp\gTiis19\lTig.log
C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\system32\adssite-remove.exe
C:\WINDOWS\system32\atl71.dll
C:\WINDOWS\system32\flfewjdb.dllbox
C:\WINDOWS\system32\hs9
C:\WINDOWS\system32\hs9\corab2130.exe
C:\WINDOWS\system32\kps5
C:\WINDOWS\system32\kps5\covstadcom7.exe
C:\WINDOWS\system32\lis6
C:\WINDOWS\system32\rightonadz-uninst.exe
C:\WINDOWS\system32\tip4
C:\WINDOWS\UHVyaW5uYQ

.
((((((((((((((((((((((((( Files Created from 2008-01-15 to 2008-02-15 )))))))))))))))))))))))))))))))
.

2008-02-11 12:39 . 2008-02-11 12:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NeptunesAdve
2008-02-08 08:46 . 2008-02-08 08:46 <DIR> d-------- C:\Documents and Settings\<myname>\Application Data\CyberLink
2008-02-08 08:45 . 2008-02-08 08:45 <DIR> d-------- C:\Program Files\CyberLink
2008-02-08 08:45 . 2008-02-08 08:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2008-02-07 06:56 . 2008-02-07 06:56 324 --a------ C:\WINDOWS\game.ini
2008-02-07 06:55 . 2008-02-07 06:55 <DIR> d-------- C:\Program Files\Activision
2008-02-05 11:34 . 2008-02-05 11:34 <DIR> d-------- C:\Program Files\Adssite Games Collection
2008-02-05 10:49 . 2004-08-18 02:34 442,368 -ra------ C:\WINDOWS\system32\vp6vfw.dll
2008-02-01 19:37 . 2008-02-08 19:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-02-01 19:31 . 2008-02-01 19:31 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-01 17:30 . 2008-02-14 07:12 <DIR> d-------- C:\Virus Removal Kit
2008-02-01 16:34 . 2008-02-12 07:04 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-01 16:34 . 2008-02-11 10:39 <DIR> d-------- C:\Documents and Settings\<myname>\Application Data\SUPERAntiSpyware.com
2008-02-01 16:34 . 2008-02-01 16:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-01 16:29 . 2008-02-01 16:29 <DIR> d-------- C:\Program Files\Sygate
2008-02-01 16:29 . 2004-10-15 18:32 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2008-02-01 16:29 . 2004-10-15 18:17 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2008-02-01 16:29 . 2004-10-15 18:18 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2008-02-01 16:29 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2008-02-01 16:29 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2008-02-01 16:29 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2008-02-01 16:29 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2008-02-01 16:14 . 2008-02-01 16:14 50,688 --a------ C:\ATF_Cleaner.exe
2008-02-01 11:10 . 2008-02-01 11:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-01-30 13:10 . 2008-01-30 13:10 <DIR> d-------- C:\Documents and Settings\Purina\Application Data\PlayFirst
2008-01-30 13:10 . 2008-01-30 13:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-01-29 16:25 . 2008-01-29 16:25 <DIR> d-------- C:\Documents and Settings\<myname>\Application Data\Gamelab
2008-01-29 12:14 . 2008-01-29 12:14 <DIR> d-------- C:\Documents and Settings\<myname>\Application Data\BloodTies
2008-01-25 18:53 . 2008-01-25 18:53 <DIR> d---s---- C:\Documents and Settings\<myname>\UserData
2008-01-24 17:32 . 2008-01-24 17:32 <DIR> d-------- C:\Program Files\eDimensional USB audio
2008-01-24 17:32 . 2006-12-18 16:46 5,783,552 --a------ C:\WINDOWS\system\CM108.cpl
2008-01-24 17:32 . 2006-12-21 17:05 1,294,336 --a------ C:\WINDOWS\system32\drivers\CM108.sys
2008-01-24 17:32 . 2001-11-23 12:08 712,704 --a------ C:\WINDOWS\system32\a3d108pu.dll
2008-01-24 17:32 . 2001-11-23 12:08 712,704 --a------ C:\WINDOWS\system32\a3d.dll
2008-01-24 17:32 . 2004-04-14 11:28 315,392 --a------ C:\WINDOWS\system\fltr108.dll
2008-01-24 17:32 . 2006-10-02 19:02 262,144 --a------ C:\WINDOWS\Cmi108Uninstall.exe
2008-01-24 17:32 . 2006-10-13 10:02 249,856 --a------ C:\WINDOWS\system32\CM108rm.exe
2008-01-24 17:32 . 2005-03-07 14:29 45,056 --a------ C:\WINDOWS\system32\CM108rm.dll
2008-01-24 17:32 . 2006-03-09 17:45 32,768 --a------ C:\WINDOWS\system32\c108prop.dll
2008-01-24 17:32 . 2008-02-02 02:36 596 --a------ C:\WINDOWS\system\Cm108.ini
2008-01-24 17:31 . 2004-08-03 23:07 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2008-01-24 17:31 . 2004-08-03 23:07 59,264 --a--c--- C:\WINDOWS\system32\dllcache\usbaudio.sys
2008-01-24 17:18 . 2008-01-24 17:18 <DIR> d-------- C:\Documents and Settings\<myname>\Application Data\Leadertech
2008-01-24 17:17 . 2008-01-24 17:17 <DIR> d-------- C:\Program Files\Logitech
2008-01-24 17:17 . 2008-01-24 17:18 <DIR> d-------- C:\Program Files\Common Files\Logishrd
2008-01-24 17:17 . 2008-01-24 17:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\LogiShrd
2008-01-24 17:17 . 2008-01-24 17:17 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-01-24 17:17 . 2008-01-24 17:17 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-01-23 22:51 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2008-01-23 22:51 . 2007-05-16 16:45 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll
2008-01-23 22:51 . 2007-07-19 18:14 1,358,192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll
2008-01-23 22:51 . 2007-05-16 16:45 1,124,720 --a------ C:\WINDOWS\system32\D3DCompiler_34.dll
2008-01-23 22:51 . 2007-07-19 18:14 444,776 --a------ C:\WINDOWS\system32\d3dx10_35.dll
2008-01-23 22:51 . 2007-05-16 16:45 443,752 --a------ C:\WINDOWS\system32\d3dx10_34.dll
2008-01-23 22:51 . 2007-04-04 18:53 81,768 --a------ C:\WINDOWS\system32\xinput1_3.dll
2008-01-23 09:20 . 2008-01-23 09:20 <DIR> d-------- C:\Documents and Settings\<myname>\Application Data\Eyeblaster
2008-01-22 06:41 . 2008-01-22 06:41 <DIR> d-------- C:\WINDOWS\Sun
2008-01-21 19:48 . 2008-01-21 19:48 <DIR> dr------- C:\Documents and Settings\<myname>\Application Data\Brother
2008-01-20 20:22 . 2008-01-24 17:47 4 --a------ C:\WINDOWS\system32\GVTunner.ref
2008-01-19 21:35 . 2008-01-19 21:35 <DIR> d-------- C:\Program Files\iTunes
2008-01-19 21:35 . 2008-01-19 21:35 <DIR> d-------- C:\Program Files\iPod
2008-01-19 21:34 . 2008-01-19 21:34 <DIR> d-------- C:\Program Files\QuickTime
2008-01-19 14:55 . 2008-01-19 14:55 <DIR> d-------- C:\Program Files\LightScribe Diagnostic Utility
2008-01-19 14:44 . 2008-01-19 14:44 <DIR> d-------- C:\Program Files\LightScribeTemplateLabeler
2008-01-19 12:35 . 2008-01-21 19:22 <DIR> d-------- C:\Documents and Settings\<myname>\Application Data\gtk-2.0
2008-01-19 12:35 . 2008-01-19 12:35 <DIR> d-------- C:\Documents and Settings\<myname>\.thumbnails
2008-01-19 12:34 . 2008-01-19 12:34 <DIR> d-------- C:\Program Files\GIMP-2.0
2008-01-19 12:34 . 2008-01-21 19:26 <DIR> d-------- C:\Documents and Settings\<myname>\.gimp-2.4
2008-01-18 22:14 . 2008-02-08 16:45 116 --a------ C:\WINDOWS\NeroDigital.ini
2008-01-18 18:23 . 2008-01-18 18:23 <DIR> d-------- C:\Documents and Settings\<myname>\Application Data\Ahead
2008-01-18 18:03 . 2008-01-18 18:03 <DIR> d-------- C:\Documents and Settings\<myname>\Application Data\Reallusion
2008-01-18 17:52 . 2008-01-18 17:52 <DIR> d-------- C:\Program Files\Reallusion
2008-01-18 17:50 . 2008-01-18 17:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\LightScribe
2008-01-18 17:36 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-01-18 17:36 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-01-18 17:36 . 2008-01-18 17:36 419 --a------ C:\WINDOWS\BRWMARK.INI
2008-01-18 17:36 . 2008-01-18 17:36 27 --a------ C:\WINDOWS\BRPP2KA.INI
2008-01-18 17:34 . 2007-02-01 13:19 1,520,640 --a------ C:\WINDOWS\system32\BrWia07a.dll
2008-01-18 17:34 . 2006-12-12 11:28 52,224 --a------ C:\WINDOWS\system32\drivers\BrSerIf.sys
2008-01-18 17:34 . 2007-01-26 14:06 45,568 --a------ C:\WINDOWS\system32\BrUsi07a.dll
2008-01-18 17:34 . 2004-10-15 12:50 15,295 --a------ C:\WINDOWS\system32\drivers\BrScnUsb.sys
2008-01-18 17:34 . 2006-09-03 09:53 11,904 --a------ C:\WINDOWS\system32\drivers\BrUsbSer.sys
2008-01-18 17:34 . 2008-01-18 17:34 225 --a------ C:\WINDOWS\Brpfx04a.ini
2008-01-18 17:34 . 2008-01-18 17:34 93 --a------ C:\WINDOWS\brpcfx.ini
2008-01-18 17:34 . 2008-01-18 17:34 50 --a------ C:\WINDOWS\system32\bridf07a.dat
2008-01-18 17:33 . 2006-12-28 13:39 176,128 --a------ C:\WINDOWS\system32\BroSNMP.dll
2008-01-18 17:33 . 2006-01-17 01:03 126,976 --a------ C:\WINDOWS\system32\BrfxD05a.dll
2008-01-18 17:33 . 2007-01-25 17:16 94,208 -ra------ C:\WINDOWS\system32\BrDctF2.dll
2008-01-18 17:33 . 2007-01-15 21:54 12,288 -ra------ C:\WINDOWS\system32\BrDctF2S.dll
2008-01-18 17:33 . 2007-01-15 16:09 12,288 -ra------ C:\WINDOWS\system32\BrDctF2L.dll
2008-01-18 17:33 . 2001-11-15 01:00 6,224 --------- C:\WINDOWS\CVRPAGE.BMP
2008-01-18 17:33 . 2008-01-18 17:34 86 --a------ C:\WINDOWS\Brfaxrx.ini
2008-01-18 17:33 . 2003-11-28 18:57 0 --a------ C:\WINDOWS\brdfxspd.dat
2008-01-18 17:29 . 2008-01-18 17:29 <DIR> d-------- C:\Program Files\Nuance
2008-01-18 17:29 . 2008-01-18 17:52 <DIR> d-------- C:\Program Files\Brother
2008-01-18 17:29 . 2007-01-18 13:51 163,840 --a------ C:\WINDOWS\system32\NSSearch.dll
2008-01-18 17:29 . 2007-02-15 13:54 131,072 --a------ C:\WINDOWS\brunin03.dll
2008-01-18 17:29 . 2002-11-26 13:43 106,496 --a------ C:\WINDOWS\system32\BrMuSNMP.dll
2008-01-18 17:29 . 2006-07-07 12:40 73,728 --a------ C:\WINDOWS\system32\BRCrypt.dll
2008-01-18 17:29 . 2007-04-27 17:13 61,440 --a------ C:\WINDOWS\system32\BrMfNt.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-14 21:29 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-02-12 19:09 --------- d-----w C:\Program Files\Real
2008-02-11 16:39 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-08 14:45 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-05 17:13 --------- d-----w C:\Documents and Settings\<myname>\Application Data\LimeWire
2008-01-24 23:47 24,944 ----a-w C:\WINDOWS\system32\drivers\GVTDrv.sys
2008-01-15 21:22 --------- d-----w C:\Documents and Settings\<myname>\Application Data\Move Networks
2008-01-15 15:06 --------- d-----w C:\Documents and Settings\Purina\Application Data\Wildfire
2008-01-14 14:24 --------- d-----w C:\Program Files\Wallpaper Master
2008-01-12 18:09 --------- d-----w C:\Documents and Settings\Purina\Application Data\Apple Computer
2008-01-12 18:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-12 18:08 --------- d-----w C:\Program Files\Common Files\Apple
2008-01-12 18:08 --------- d-----w C:\Program Files\Apple Software Update
2008-01-12 18:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-01-11 21:18 --------- d-----w C:\Documents and Settings\Purina\Application Data\Pirateville
2008-01-09 22:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\SpinTop Games
2008-01-09 14:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\MumboJumbo
2008-01-08 18:47 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-08 02:02 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\ATI
2008-01-02 22:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Zylom
2008-01-02 22:24 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2008-01-02 22:24 --------- d-----w C:\Program Files\Common Files\Real
2007-12-29 14:42 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2007-12-29 03:49 --------- d-----w C:\Documents and Settings\<myname>\Application Data\Ventrilo
2007-12-29 02:10 --------- d-----w C:\Program Files\Curse
2007-12-29 01:38 --------- d-----w C:\Documents and Settings\<myname>\Application Data\Thunderbird
2007-12-29 01:11 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2007-12-29 01:11 --------- d-----w C:\Program Files\Common Files\xing shared
2007-12-29 01:09 --------- d-----w C:\Program Files\Java
2007-12-29 01:08 --------- d-----w C:\Program Files\Common Files\Java
2007-12-29 00:57 --------- d-----w C:\Program Files\Ventrilo
2007-12-29 00:54 --------- d-----w C:\Program Files\Ahead
2007-12-29 00:53 --------- d-----w C:\Program Files\Common Files\Nero
2007-12-29 00:52 --------- d-----w C:\Program Files\Common Files\Ahead
2007-12-29 00:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2007-12-29 00:50 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-12-29 00:32 --------- d-----w C:\Program Files\Warcraft
2007-12-29 00:02 --------- d-----w C:\Documents and Settings\<myname>\Application Data\ATI
2007-12-29 00:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI
2007-12-28 23:58 --------- d-----w C:\Program Files\ATI Technologies
2007-12-28 23:56 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-28 23:56 --------- d-----w C:\Program Files\Common Files\ATI Technologies
2007-12-28 23:43 --------- d-----w C:\Program Files\Realtek
2007-12-28 23:39 --------- d-----w C:\Program Files\Gigabyte
2007-12-28 23:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\InstallShield
2007-12-28 23:36 15,600 ----a-w C:\WINDOWS\gdrv.sys
2007-12-28 23:33 --------- d-----w C:\Documents and Settings\<myname>\Application Data\InstallShield
2007-12-28 23:31 315,392 ----a-w C:\WINDOWS\HideWin.exe
2007-12-28 23:29 --------- d-----w C:\Program Files\Intel
2007-12-28 22:23 --------- d-----w C:\Program Files\microsoft frontpage
2007-12-21 14:39 10,752 ----a-w C:\WINDOWS\system32\WhoisCL.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"PPort11reminder"="C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 13:46 255528]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40 2577632]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\flfewjdb]
flfewjdb.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^<myname>^Start Menu^Programs^Startup^Product Registration.lnk]
path=C:\Documents and Settings\Purina\Start Menu\Programs\Startup\Product Registration.lnk
backup=C:\WINDOWS\pss\Product Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrMfcWnd]
--------- 2007-03-23 13:14 663552 C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CM108Sound]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3]
--------- 2007-01-26 15:58 65536 C:\Program Files\Brother\ControlCenter3\brctrcen.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CurseClient]
--a------ 2007-12-06 12:58 480256 C:\Program Files\Curse\CurseClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyTuneVPro]
--a------ 2007-07-26 15:05 20480 C:\Program Files\Gigabyte\ET5Pro\ETcall.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
--a------ 2007-01-29 21:10 46632 C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-02-17 07:15 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-02-17 07:15 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-01-15 03:22 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
--a------ 2007-07-17 17:39 55824 C:\WINDOWS\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
--a------ 2007-12-05 12:30 2295072 C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-04 00:56 1667584 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
--a------ 2007-01-29 21:12 30248 C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ptask]
C:\Program Files\AVSystemCare\ptask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 15:27 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2003-10-31 19:42 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2007-10-16 18:30 16855552 C:\WINDOWS\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
--a------ 2006-10-25 09:03 210472 C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-12-28 19:11 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WallpaperChanger]
--a------ 2005-11-08 13:13 321536 C:\Program Files\Wallpaper Master\Wallpaper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LightScribeService"=2 (0x2)
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)

R3 CM1083264;C-Media CM108 Like Sound UDAX Interface;C:\WINDOWS\system32\drivers\CM108.sys [2006-12-21 17:05]
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys [2004-10-15 12:50]
S3 BrSerIf;Brother MFC Serial Port Interface WDM Driver;C:\WINDOWS\system32\Drivers\BrSerIf.sys [2006-12-12 11:28]
S3 BrUsbSer;Brother MFC USB Serial WDM Driver;C:\WINDOWS\system32\Drivers\BrUsbSer.sys [2006-09-03 09:53]
S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [2007-12-28 17:36]
S3 GVTDrv;GVTDrv;C:\WINDOWS\system32\Drivers\GVTDrv.sys [2008-01-24 17:47]
S3 MarkFun_NT;MarkFun_NT;C:\Program Files\Gigabyte\ET5Pro\markfun.w32 [2007-08-21 11:49]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
"2008-02-12 19:13:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-14 18:29:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-14 18:29:53
ComboFix-quarantined-files.txt 2008-02-15 00:29:52
ComboFix2.txt 2008-02-14 13:10:21


----------------------------------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:34:27 PM, on 2/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:1
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: flfewjdb - flfewjdb.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 1935 bytes
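As an added example that is not part of this thread, here is a small Python triage script over HijackThis entry lines like the ones in the log above. It parses the "<code> - <body>" lines and flags what a helper looks for first: an O20 Winlogon Notify entry whose DLL is a bare name or marked "(file missing)" (the orphaned flfewjdb registration), a non-empty R1 ProxyServer override, and an O23 service with "Unknown owner". The sample lines are copied from the posted log as constructed test input; the check functions and their wording are the example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: entry lines copied from the HijackThis log posted
# above (the real log has more lines; these are the ones the checks target).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:1
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: flfewjdb - flfewjdb.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

# Every HijackThis entry line is "<code> - <body>", the code being a letter plus digits.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2})\s+-\s+(?P<body>.+)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify:\s*(?P<name>\S+)\s+-\s+(?P<dll>.+)$")
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?P<value>\S*)")
SERVICE_RE = re.compile(r"^Service:\s*(?P<name>.+?)\s+-\s+(?P<owner>.+?)\s+-\s+(?P<path>.+)$")
FULL_PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class Finding:
    code: str    # HijackThis section code, e.g. "O20"
    item: str    # the entry the finding concerns
    reason: str  # why a human should look at it
    line: str    # the original log line


def parse_entries(log_text: str):
    """Return (code, body, line) for every HijackThis entry line in the log."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("code"), m.group("body"), raw.strip()))
    return entries


def check_winlogon_notify(body: str, line: str) -> Optional[Finding]:
    """O20: a Winlogon Notify package is a DLL winlogon.exe loads at logon.

    "(file missing)" means the registry key survived while the DLL is gone
    (this thread after the first ComboFix run); a bare name with no drive
    letter means the file is resolved through the loader's search path rather
    than a fixed, reviewable location. Both deserve a look.
    """
    m = NOTIFY_RE.match(body)
    if not m:
        return None
    name, dll = m.group("name"), m.group("dll")
    if "(file missing)" in dll:
        return Finding("O20", name, "Winlogon Notify DLL marked file missing: orphaned persistence key", line)
    if not FULL_PATH_RE.match(dll):
        return Finding("O20", name, "Winlogon Notify DLL given as a bare name, not a full path", line)
    return None


def check_proxy(body: str, line: str) -> Optional[Finding]:
    """R1: any non-empty ProxyServer value redirects IE traffic; confirm it is intentional."""
    m = PROXY_RE.search(body)
    if m and m.group("value"):
        return Finding("R1", "ProxyServer", f"proxy override set to {m.group('value')}; confirm it is intentional", line)
    return None


def check_service(body: str, line: str) -> Optional[Finding]:
    """O23: HijackThis prints "Unknown owner" when the binary has no company name."""
    m = SERVICE_RE.match(body)
    if m and m.group("owner").strip().lower() == "unknown owner":
        return Finding("O23", m.group("name"), "service binary has no company name in its version info; verify manually", line)
    return None


CHECKS = {"O20": check_winlogon_notify, "R1": check_proxy, "O23": check_service}


def triage(log_text: str) -> List[Finding]:
    """Run the per-section checks over a log and return findings in log order."""
    findings = []
    for code, body, line in parse_entries(log_text):
        check = CHECKS.get(code)
        if check:
            finding = check(body, line)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.code}] {f.item}: {f.reason}\n    {f.line}")
```

On the sample above the script reports the R1 proxy override, the flfewjdb O20 entry and the "ATI Smart" service, and stays silent on the SUPERAntiSpyware notify DLL, which carries a full path.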

#6
Rorschach112 (Ralphie)
  • Retired Staff
  • 47,710 posts
Looking good

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

Folder::
C:\Program Files\AVSystemCare

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\flfewjdb]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ptask]


Save this as CFScript.txt, in the same location as ComboFix.exe


[image: dragging CFScript.txt onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall





Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


Also post a new HijackThis log and tell me how your PC is running

Edited by Rorschach112, 15 February 2008 - 08:24 AM.


#7
SpaceCowboy706 (Trusted Tech)
  • Topic Starter
  • Member
  • 1,175 posts
ComboFix 08-02-14.2 - <myname> 2008-02-16 14:07:56.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1662 [GMT -6:00]
Running from: C:\Documents and Settings\<myname>\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\<myname>\Desktop\CFScript.txt.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-16 to 2008-02-16 )))))))))))))))))))))))))))))))
.

2008-02-11 12:39 . 2008-02-11 12:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NeptunesAdve
2008-02-08 08:46 . 2008-02-08 08:46 <DIR> d-------- C:\Documents and Settings\<myname>\Application Data\CyberLink
2008-02-08 08:45 . 2008-02-08 08:45 <DIR> d-------- C:\Program Files\CyberLink
2008-02-08 08:45 . 2008-02-08 08:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2008-02-07 06:56 . 2008-02-07 06:56 324 --a------ C:\WINDOWS\game.ini
2008-02-07 06:55 . 2008-02-07 06:55 <DIR> d-------- C:\Program Files\Activision
2008-02-05 11:34 . 2008-02-05 11:34 <DIR> d-------- C:\Program Files\Adssite Games Collection
2008-02-05 10:49 . 2004-08-18 02:34 442,368 -ra------ C:\WINDOWS\system32\vp6vfw.dll
2008-02-01 19:37 . 2008-02-08 19:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-02-01 19:31 . 2008-02-01 19:31 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-01 17:30 . 2008-02-14 07:12 <DIR> d-------- C:\Virus Removal Kit
2008-02-01 16:34 . 2008-02-12 07:04 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-01 16:34 . 2008-02-11 10:39 <DIR> d-------- C:\Documents and Settings\<myname>\Application Data\SUPERAntiSpyware.com
2008-02-01 16:34 . 2008-02-01 16:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-01 16:29 . 2008-02-01 16:29 <DIR> d-------- C:\Program Files\Sygate
2008-02-01 16:29 . 2004-10-15 18:32 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2008-02-01 16:29 . 2004-10-15 18:17 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2008-02-01 16:29 . 2004-10-15 18:18 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2008-02-01 16:29 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2008-02-01 16:29 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2008-02-01 16:29 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2008-02-01 16:29 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2008-02-01 16:14 . 2008-02-01 16:14 50,688 --a------ C:\ATF_Cleaner.exe
2008-02-01 11:10 . 2008-02-01 11:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-01-30 13:10 . 2008-01-30 13:10 <DIR> d-------- C:\Documents and Settings\<myname>\Application Data\PlayFirst
2008-01-30 13:10 . 2008-01-30 13:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-01-29 16:25 . 2008-01-29 16:25 <DIR> d-------- C:\Documents and Settings\<myname>\Application Data\Gamelab
2008-01-29 12:14 . 2008-01-29 12:14 <DIR> d-------- C:\Documents and Settings\<myname>\Application Data\BloodTies
2008-01-25 18:53 . 2008-01-25 18:53 <DIR> d---s---- C:\Documents and Settings\<myname>\UserData
2008-01-24 17:32 . 2008-01-24 17:32 <DIR> d-------- C:\Program Files\eDimensional USB audio
2008-01-24 17:32 . 2006-12-18 16:46 5,783,552 --a------ C:\WINDOWS\system\CM108.cpl
2008-01-24 17:32 . 2006-12-21 17:05 1,294,336 --a------ C:\WINDOWS\system32\drivers\CM108.sys
2008-01-24 17:32 . 2001-11-23 12:08 712,704 --a------ C:\WINDOWS\system32\a3d108pu.dll
2008-01-24 17:32 . 2001-11-23 12:08 712,704 --a------ C:\WINDOWS\system32\a3d.dll
2008-01-24 17:32 . 2004-04-14 11:28 315,392 --a------ C:\WINDOWS\system\fltr108.dll
2008-01-24 17:32 . 2006-10-02 19:02 262,144 --a------ C:\WINDOWS\Cmi108Uninstall.exe
2008-01-24 17:32 . 2006-10-13 10:02 249,856 --a------ C:\WINDOWS\system32\CM108rm.exe
2008-01-24 17:32 . 2005-03-07 14:29 45,056 --a------ C:\WINDOWS\system32\CM108rm.dll
2008-01-24 17:32 . 2006-03-09 17:45 32,768 --a------ C:\WINDOWS\system32\c108prop.dll
2008-01-24 17:32 . 2008-02-02 02:36 596 --a------ C:\WINDOWS\system\Cm108.ini
2008-01-24 17:31 . 2004-08-03 23:07 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2008-01-24 17:31 . 2004-08-03 23:07 59,264 --a--c--- C:\WINDOWS\system32\dllcache\usbaudio.sys
2008-01-24 17:18 . 2008-01-24 17:18 <DIR> d-------- C:\Documents and Settings\<myname>\Application Data\Leadertech
2008-01-24 17:17 . 2008-01-24 17:17 <DIR> d-------- C:\Program Files\Logitech
2008-01-24 17:17 . 2008-01-24 17:18 <DIR> d-------- C:\Program Files\Common Files\Logishrd
2008-01-24 17:17 . 2008-01-24 17:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\LogiShrd
2008-01-24 17:17 . 2008-01-24 17:17 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-01-24 17:17 . 2008-01-24 17:17 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-01-23 22:51 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2008-01-23 22:51 . 2007-05-16 16:45 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll
2008-01-23 22:51 . 2007-07-19 18:14 1,358,192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll
2008-01-23 22:51 . 2007-05-16 16:45 1,124,720 --a------ C:\WINDOWS\system32\D3DCompiler_34.dll
2008-01-23 22:51 . 2007-07-19 18:14 444,776 --a------ C:\WINDOWS\system32\d3dx10_35.dll
2008-01-23 22:51 . 2007-05-16 16:45 443,752 --a------ C:\WINDOWS\system32\d3dx10_34.dll
2008-01-23 22:51 . 2007-04-04 18:53 81,768 --a------ C:\WINDOWS\system32\xinput1_3.dll
2008-01-23 09:20 . 2008-01-23 09:20 <DIR> d-------- C:\Documents and Settings\<myname>\Application Data\Eyeblaster
2008-01-22 06:41 . 2008-01-22 06:41 <DIR> d-------- C:\WINDOWS\Sun
2008-01-21 19:48 . 2008-01-21 19:48 <DIR> dr------- C:\Documents and Settings\<myname>\Application Data\Brother
2008-01-20 20:22 . 2008-01-24 17:47 4 --a------ C:\WINDOWS\system32\GVTunner.ref
2008-01-19 21:35 . 2008-01-19 21:35 <DIR> d-------- C:\Program Files\iTunes
2008-01-19 21:35 . 2008-01-19 21:35 <DIR> d-------- C:\Program Files\iPod
2008-01-19 21:34 . 2008-01-19 21:34 <DIR> d-------- C:\Program Files\QuickTime
2008-01-19 14:55 . 2008-01-19 14:55 <DIR> d-------- C:\Program Files\LightScribe Diagnostic Utility
2008-01-19 14:44 . 2008-01-19 14:44 <DIR> d-------- C:\Program Files\LightScribeTemplateLabeler
2008-01-19 12:35 . 2008-01-21 19:22 <DIR> d-------- C:\Documents and Settings\<myname>\Application Data\gtk-2.0
2008-01-19 12:35 . 2008-01-19 12:35 <DIR> d-------- C:\Documents and Settings\<myname>\.thumbnails
2008-01-19 12:34 . 2008-01-19 12:34 <DIR> d-------- C:\Program Files\GIMP-2.0
2008-01-19 12:34 . 2008-01-21 19:26 <DIR> d-------- C:\Documents and Settings\<myname>\.gimp-2.4
2008-01-18 22:14 . 2008-02-08 16:45 116 --a------ C:\WINDOWS\NeroDigital.ini
2008-01-18 18:23 . 2008-01-18 18:23 <DIR> d-------- C:\Documents and Settings\<myname>\Application Data\Ahead
2008-01-18 18:03 . 2008-01-18 18:03 <DIR> d-------- C:\Documents and Settings\<myname>\Application Data\Reallusion
2008-01-18 17:52 . 2008-01-18 17:52 <DIR> d-------- C:\Program Files\Reallusion
2008-01-18 17:50 . 2008-01-18 17:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\LightScribe
2008-01-18 17:36 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-01-18 17:36 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-01-18 17:36 . 2008-01-18 17:36 419 --a------ C:\WINDOWS\BRWMARK.INI
2008-01-18 17:36 . 2008-01-18 17:36 27 --a------ C:\WINDOWS\BRPP2KA.INI
2008-01-18 17:34 . 2007-02-01 13:19 1,520,640 --a------ C:\WINDOWS\system32\BrWia07a.dll
2008-01-18 17:34 . 2006-12-12 11:28 52,224 --a------ C:\WINDOWS\system32\drivers\BrSerIf.sys
2008-01-18 17:34 . 2007-01-26 14:06 45,568 --a------ C:\WINDOWS\system32\BrUsi07a.dll
2008-01-18 17:34 . 2004-10-15 12:50 15,295 --a------ C:\WINDOWS\system32\drivers\BrScnUsb.sys
2008-01-18 17:34 . 2006-09-03 09:53 11,904 --a------ C:\WINDOWS\system32\drivers\BrUsbSer.sys
2008-01-18 17:34 . 2008-01-18 17:34 225 --a------ C:\WINDOWS\Brpfx04a.ini
2008-01-18 17:34 . 2008-01-18 17:34 93 --a------ C:\WINDOWS\brpcfx.ini
2008-01-18 17:34 . 2008-01-18 17:34 50 --a------ C:\WINDOWS\system32\bridf07a.dat
2008-01-18 17:33 . 2006-12-28 13:39 176,128 --a------ C:\WINDOWS\system32\BroSNMP.dll
2008-01-18 17:33 . 2006-01-17 01:03 126,976 --a------ C:\WINDOWS\system32\BrfxD05a.dll
2008-01-18 17:33 . 2007-01-25 17:16 94,208 -ra------ C:\WINDOWS\system32\BrDctF2.dll
2008-01-18 17:33 . 2007-01-15 21:54 12,288 -ra------ C:\WINDOWS\system32\BrDctF2S.dll
2008-01-18 17:33 . 2007-01-15 16:09 12,288 -ra------ C:\WINDOWS\system32\BrDctF2L.dll
2008-01-18 17:33 . 2001-11-15 01:00 6,224 --------- C:\WINDOWS\CVRPAGE.BMP
2008-01-18 17:33 . 2008-01-18 17:34 86 --a------ C:\WINDOWS\Brfaxrx.ini
2008-01-18 17:33 . 2003-11-28 18:57 0 --a------ C:\WINDOWS\brdfxspd.dat
2008-01-18 17:29 . 2008-01-18 17:29 <DIR> d-------- C:\Program Files\Nuance
2008-01-18 17:29 . 2008-01-18 17:52 <DIR> d-------- C:\Program Files\Brother
2008-01-18 17:29 . 2007-01-18 13:51 163,840 --a------ C:\WINDOWS\system32\NSSearch.dll
2008-01-18 17:29 . 2007-02-15 13:54 131,072 --a------ C:\WINDOWS\brunin03.dll
2008-01-18 17:29 . 2002-11-26 13:43 106,496 --a------ C:\WINDOWS\system32\BrMuSNMP.dll
2008-01-18 17:29 . 2006-07-07 12:40 73,728 --a------ C:\WINDOWS\system32\BRCrypt.dll
2008-01-18 17:29 . 2007-04-27 17:13 61,440 --a------ C:\WINDOWS\system32\BrMfNt.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-16 01:54 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-02-12 19:09 --------- d-----w C:\Program Files\Real
2008-02-11 16:39 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-08 14:45 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-24 23:47 24,944 ----a-w C:\WINDOWS\system32\drivers\GVTDrv.sys
2008-01-15 21:22 --------- d-----w C:\Documents and Settings\<myname>\Application Data\Move Networks
2008-01-15 15:06 --------- d-----w C:\Documents and Settings\<myname>\Application Data\Wildfire
2008-01-14 14:24 --------- d-----w C:\Program Files\Wallpaper Master
2008-01-12 18:09 --------- d-----w C:\Documents and Settings\<myname>\Application Data\Apple Computer
2008-01-12 18:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-12 18:08 --------- d-----w C:\Program Files\Common Files\Apple
2008-01-12 18:08 --------- d-----w C:\Program Files\Apple Software Update
2008-01-12 18:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-01-11 21:18 --------- d-----w C:\Documents and Settings\<myname>\Application Data\Pirateville
2008-01-09 22:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\SpinTop Games
2008-01-09 14:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\MumboJumbo
2008-01-08 18:47 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-08 02:02 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\ATI
2008-01-02 23:18 --------- d-----w C:\Program Files\LimeWire
2008-01-02 22:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Zylom
2008-01-02 22:24 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2008-01-02 22:24 --------- d-----w C:\Program Files\Common Files\Real
2007-12-29 14:42 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2007-12-29 03:49 --------- d-----w C:\Documents and Settings\<myname>\Application Data\Ventrilo
2007-12-29 02:10 --------- d-----w C:\Program Files\Curse
2007-12-29 01:38 --------- d-----w C:\Documents and Settings\<myname>\Application Data\Thunderbird
2007-12-29 01:11 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2007-12-29 01:11 --------- d-----w C:\Program Files\Common Files\xing shared
2007-12-29 01:09 --------- d-----w C:\Program Files\Java
2007-12-29 01:08 --------- d-----w C:\Program Files\Common Files\Java
2007-12-29 00:57 --------- d-----w C:\Program Files\Ventrilo
2007-12-29 00:54 --------- d-----w C:\Program Files\Ahead
2007-12-29 00:53 --------- d-----w C:\Program Files\Common Files\Nero
2007-12-29 00:52 --------- d-----w C:\Program Files\Common Files\Ahead
2007-12-29 00:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2007-12-29 00:50 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-12-29 00:32 --------- d-----w C:\Program Files\Warcraft
2007-12-29 00:02 --------- d-----w C:\Documents and Settings\<myname>\Application Data\ATI
2007-12-29 00:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI
2007-12-28 23:58 --------- d-----w C:\Program Files\ATI Technologies
2007-12-28 23:56 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-28 23:56 --------- d-----w C:\Program Files\Common Files\ATI Technologies
2007-12-28 23:43 --------- d-----w C:\Program Files\Realtek
2007-12-28 23:39 --------- d-----w C:\Program Files\Gigabyte
2007-12-28 23:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\InstallShield
2007-12-28 23:36 15,600 ----a-w C:\WINDOWS\gdrv.sys
2007-12-28 23:33 --------- d-----w C:\Documents and Settings\<myname>\Application Data\InstallShield
2007-12-28 23:31 315,392 ----a-w C:\WINDOWS\HideWin.exe
2007-12-28 23:29 --------- d-----w C:\Program Files\Intel
2007-12-28 22:23 --------- d-----w C:\Program Files\microsoft frontpage
2007-12-21 14:39 10,752 ----a-w C:\WINDOWS\system32\WhoisCL.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"PPort11reminder"="C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 13:46 255528]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40 2577632]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-28 19:11 185896]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^<myname>^Start Menu^Programs^Startup^Product Registration.lnk]
path=C:\Documents and Settings\<myname>\Start Menu\Programs\Startup\Product Registration.lnk
backup=C:\WINDOWS\pss\Product Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrMfcWnd]
--------- 2007-03-23 13:14 663552 C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CM108Sound]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3]
--------- 2007-01-26 15:58 65536 C:\Program Files\Brother\ControlCenter3\brctrcen.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CurseClient]
--a------ 2007-12-06 12:58 480256 C:\Program Files\Curse\CurseClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyTuneVPro]
--a------ 2007-07-26 15:05 20480 C:\Program Files\Gigabyte\ET5Pro\ETcall.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
--a------ 2007-01-29 21:10 46632 C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-02-17 07:15 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-02-17 07:15 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-01-15 03:22 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
--a------ 2007-07-17 17:39 55824 C:\WINDOWS\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
--a------ 2007-12-05 12:30 2295072 C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-04 00:56 1667584 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
--a------ 2007-01-29 21:12 30248 C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 15:27 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2003-10-31 19:42 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2007-10-16 18:30 16855552 C:\WINDOWS\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
--a------ 2006-10-25 09:03 210472 C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-12-28 19:11 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WallpaperChanger]
--a------ 2005-11-08 13:13 321536 C:\Program Files\Wallpaper Master\Wallpaper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LightScribeService"=2 (0x2)
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)

R3 CM1083264;C-Media CM108 Like Sound UDAX Interface;C:\WINDOWS\system32\drivers\CM108.sys [2006-12-21 17:05]
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys [2004-10-15 12:50]
S3 BrSerIf;Brother MFC Serial Port Interface WDM Driver;C:\WINDOWS\system32\Drivers\BrSerIf.sys [2006-12-12 11:28]
S3 BrUsbSer;Brother MFC USB Serial WDM Driver;C:\WINDOWS\system32\Drivers\BrUsbSer.sys [2006-09-03 09:53]
S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [2007-12-28 17:36]
S3 GVTDrv;GVTDrv;C:\WINDOWS\system32\Drivers\GVTDrv.sys [2008-01-24 17:47]
S3 MarkFun_NT;MarkFun_NT;C:\Program Files\Gigabyte\ET5Pro\markfun.w32 [2007-08-21 11:49]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
"2008-02-12 19:13:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-16 14:09:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-16 14:10:13
ComboFix-quarantined-files.txt 2008-02-16 20:10:11
ComboFix2.txt 2008-02-15 00:29:53
ComboFix3.txt 2008-02-14 13:10:21


................................................................................
.................................................................................
......

Malwarebytes' Anti-Malware 1.03
Database version: 367

Scan type: Quick Scan
Objects scanned: 21828
Time elapsed: 1 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 15
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{89cc26bc-9256-4cca-a7f3-b9d6c48dba71} (Adware.RABCO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\rabio.rabiobho (Adware.RABCO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\rabio.rabiobho.1 (Adware.RABCO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{923ca88a-ae69-49af-bf65-9a3123b14ccb} (Adware.RABCO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{8c36d71b-0a48-4d38-9def-2a2a2669d0c9} (Adware.RABCO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Rabio.RabioBHO (Adware.RABCO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\Rabio.DLL (Adware.RABCO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\kernelexe (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Dot1XCfg (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\ugac (Rogue.PCSecureSystem) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Mozilla\Firefox\Extensions\{59a40ac9-e67d-4155-b31d-4b7330fcd2d6} (Adware.PurityScan) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Application Data\Rabio\Search Enhancer (Adware.SearchEnhancer) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)


................................................................................
.................................................................................
..........................................................................


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:16:56 PM, on 2/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:1
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 2001 bytes


................................................................................
.................................................................................
.............................................................

Everything seems to be running fine except the big red "X" icon over my C: drive; not sure what that's about?

#8
Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
OK, we got rid of the malware; let's see if we can fix the icon problem.

Open Notepad and Copy (Control+C) and Paste (Control+V) the following code into the Notepad window.


@ECHO OFF
REM Start a fresh report each time the batch file is run
If exist DrvIconQuery.txt Del DrvIconQuery.txt
Echo Report>>DrvIconQuery.txt
Echo %date% %time% >>DrvIconQuery.txt
Echo.>>DrvIconQuery.txt
@ECHO Working.......
REM Dump the Explorer key and every subkey under it (/s) into the report
Reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /s >> DrvIconQuery.txt
start notepad DrvIconQuery.txt


Click on 'File' then 'Save As'
In the Save in drop down box select Desktop
In the File name box type in FixService.bat
In the Save as type drop down box select All Files
Close Notepad.

Now, find FixService.bat on your Desktop and double-click it.
A window will open and close; do not be concerned, this is normal.


Make sure you attach the report in your reply
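The report that batch file produces runs to several hundred lines, most of them the Folder Options definitions Explorer keeps under that key. As an added example, not part of the thread and not the batch file above, here is a Python helper that parses the `reg query <key> /s` layout REG.EXE prints and pulls out the two things worth a closer look when a drive shows a custom icon: any `Explorer\DriveIcons\<letter>` subkey (Windows' documented per-drive icon override; the thread never names it, so treating it as the prime suspect is my assumption), and any REG_SZ/REG_EXPAND_SZ value whose data is an absolute path to an icon-bearing file outside %SystemRoot%. The sample report embedded in the script is constructed, and its DriveIcons key and `redx.ico` path are hypothetical.

```python
import re
import sys
from typing import Dict, List, Optional, Tuple

# Constructed sample in the layout REG.EXE 3.0 prints: a key header line, then
# one tab-separated "name  type  data" line per value.  NOT the thread's real
# report; the DriveIcons key and its redx.ico path are hypothetical, included
# only to show what a hit looks like.
SAMPLE_REPORT = """\
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer
    IconUnderline\tREG_NONE\t03000000

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Folder
    Type\tREG_SZ\tgroup
    Bitmap\tREG_EXPAND_SZ\t%SystemRoot%\\system32\\SHELL32.dll,4

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\DriveIcons\\C\\DefaultIcon
    <NO NAME>\tREG_SZ\tC:\\hypothetical\\redx.ico
"""

# Value line: name, a REG_* type token, optional data.  Anchoring on the type
# token copes with names that contain spaces ("<NO NAME>") and with tabs that
# were collapsed to single spaces when the report was pasted into a forum post.
VALUE_RE = re.compile(r"^\s*(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s*(?P<data>.*)$")
# Absolute path: a drive letter or an environment variable such as %SystemRoot%.
ABS_RE = re.compile(r"^([a-z]:\\|%[a-z0-9_]+%\\)")
# File types that carry icons, with the optional ",index" suffix Explorer uses.
ICON_RE = re.compile(r"\.(ico|dll|exe|cpl)(,-?\d+)?$")
SYSTEM_PREFIXES = ("%systemroot%\\", "c:\\windows\\")
DRIVEICONS_RE = re.compile(r"\\driveicons(\\|$)")

Value = Tuple[str, str, str]          # (name, type, data)
Finding = Tuple[str, str, str, str]   # (key, name, data, reason)


def parse_reg_query(text: str) -> Dict[str, List[Value]]:
    """Turn `reg query <key> /s` output into {key_path: [(name, type, data), ...]}."""
    keys: Dict[str, List[Value]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):          # banner or blank separator
            continue
        if line.startswith("HKEY_"):                  # new key header
            current = line.strip()
            keys.setdefault(current, [])
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current].append((m["name"].strip(), m["type"], m["data"].strip()))
    return keys


def icon_source_outside_windows(data: str) -> bool:
    """True when data is an absolute path to an icon-bearing file outside %SystemRoot%."""
    d = data.strip().strip('"').lower()
    if not ABS_RE.match(d) or not ICON_RE.search(d):
        return False
    return not d.startswith(SYSTEM_PREFIXES)


def triage(text: str) -> List[Finding]:
    """Return the entries in a dump that can explain a custom drive icon."""
    findings: List[Finding] = []
    for key, values in parse_reg_query(text).items():
        under_driveicons = bool(DRIVEICONS_RE.search(key.lower()))
        if under_driveicons and not values:       # empty override key still matters
            findings.append((key, "", "", "DriveIcons override present"))
        for name, vtype, data in values:
            if under_driveicons:
                findings.append((key, name, data, "DriveIcons override present"))
            elif vtype in ("REG_SZ", "REG_EXPAND_SZ") and icon_source_outside_windows(data):
                findings.append((key, name, data, "icon resource outside %SystemRoot%"))
    return findings


if __name__ == "__main__":
    # Usage: python drive_icon_triage.py DrvIconQuery.txt   (no argument = built-in sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            report = fh.read()
    else:
        report = SAMPLE_REPORT
    hits = triage(report)
    for key, name, data, reason in hits:
        print(f"{reason}: {key}  [{name or '(default)'}] = {data}")
    if not hits:
        print("nothing icon-related found outside %SystemRoot%")
```

Run it against the DrvIconQuery.txt the batch file leaves on the Desktop. Resource strings such as `@shell32.dll,-30498` are deliberately ignored because they are not absolute paths; the point is to surface an icon that is being loaded from somewhere an installer or adware dropped it, or a DriveIcons override that nothing legitimate on the machine should have created.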

#9
SpaceCowboy706 (Trusted Tech, Topic Starter, Member, 1,175 posts)
Report
Sun 02/17/2008 20:35:30.82


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
IconUnderline REG_NONE 03000000

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
TaskbarSizeMove REG_DWORD 0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder
Type REG_SZ group
Text REG_SZ @shell32.dll,-30498
Bitmap REG_EXPAND_SZ %SystemRoot%\system32\SHELL32.dll,4
HelpID REG_SZ shell.hlp#51140

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\ClassicViewState
Type REG_SZ checkbox
Text REG_SZ @shell32.dll,-30506
HKeyRoot REG_DWORD 0x80000001
RegPath REG_SZ Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ValueName REG_SZ ClassicViewState
CheckedValue REG_DWORD 0x0
UncheckedValue REG_DWORD 0x1
DefaultValue REG_DWORD 0x0
HelpID REG_SZ shell.hlp#51076

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\ControlPanelInMyComputer
RegPath REG_SZ Software\Microsoft\Windows\CurrentVersion\Explorer\HideMyComputerIcons
Text REG_SZ @shell32.dll,-30497
Type REG_SZ checkbox
ValueName REG_SZ {21EC2020-3AEA-1069-A2DD-08002B30309D}
CheckedValue REG_DWORD 0x0
UncheckedValue REG_DWORD 0x1
DefaultValue REG_DWORD 0x1
HKeyRoot REG_DWORD 0x80000001
HelpID REG_SZ shell.hlp#51150

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\DesktopProcess
Type REG_SZ checkbox
Text REG_SZ @shell32.dll,-30507
HKeyRoot REG_DWORD 0x80000001
RegPath REG_SZ Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ValueName REG_SZ SeparateProcess
CheckedValue REG_DWORD 0x1
UncheckedValue REG_DWORD 0x0
DefaultValue REG_DWORD 0x0
HelpID REG_SZ shell.hlp#51079

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\DesktopProcess\Policy

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\DesktopProcess\Policy\SeparateProcess
<NO NAME> REG_SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\DisableThumbCache
Type REG_SZ checkbox
Text REG_SZ @shell32.dll,-30517
HKeyRoot REG_DWORD 0x80000001
RegPath REG_SZ Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ValueName REG_SZ DisableThumbnailCache
CheckedValue REG_DWORD 0x1
UncheckedValue REG_DWORD 0x0
DefaultValue REG_DWORD 0x0
HelpID REG_SZ shell.hlp#51155

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\FolderSizeTip
Type REG_SZ checkbox
Text REG_SZ @shell32.dll,-30514
HKeyRoot REG_DWORD 0x80000001
RegPath REG_SZ Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ValueName REG_SZ FolderContentsInfoTip
CheckedValue REG_DWORD 0x1
UncheckedValue REG_DWORD 0x0
DefaultValue REG_DWORD 0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\FriendlyTree
Type REG_SZ checkbox
Text REG_SZ @shell32.dll,-30511
HKeyRoot REG_DWORD 0x80000001
RegPath REG_SZ Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ValueName REG_SZ FriendlyTree
CheckedValue REG_DWORD 0x1
UncheckedValue REG_DWORD 0x0
HelpID REG_SZ shell.hlp#51149
DefaultValue REG_DWORD 0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden
Text REG_SZ @shell32.dll,-30499
Type REG_SZ group
Bitmap REG_EXPAND_SZ %SystemRoot%\system32\SHELL32.dll,4
HelpID REG_SZ shell.hlp#51131

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN
RegPath REG_SZ Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Text REG_SZ @shell32.dll,-30501
Type REG_SZ radio
CheckedValue REG_DWORD 0x2
ValueName REG_SZ Hidden
DefaultValue REG_DWORD 0x2
HKeyRoot REG_DWORD 0x80000001
HelpID REG_SZ shell.hlp#51104

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
RegPath REG_SZ Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Text REG_SZ @shell32.dll,-30500
Type REG_SZ radio
CheckedValue REG_DWORD 0x1
ValueName REG_SZ Hidden
DefaultValue REG_DWORD 0x2
HKeyRoot REG_DWORD 0x80000001
HelpID REG_SZ shell.hlp#51105

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt
Type REG_SZ checkbox
Text REG_SZ @shell32.dll,-30503
HKeyRoot REG_DWORD 0x80000001
RegPath REG_SZ Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ValueName REG_SZ HideFileExt
CheckedValue REG_DWORD 0x1
UncheckedValue REG_DWORD 0x0
DefaultValue REG_DWORD 0x1
HelpID REG_SZ shell.hlp#51101

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\NetCrawler
Type REG_SZ checkbox
Text REG_SZ @shell32.dll,-30509
HKeyRoot REG_DWORD 0x80000001
RegPath REG_SZ Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ValueName REG_SZ NoNetCrawling
CheckedValue REG_DWORD 0x0
UncheckedValue REG_DWORD 0x1
DefaultValue REG_DWORD 0x0
HelpID REG_SZ shell.hlp#51147

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\NetCrawler\Policy

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\NetCrawler\Policy\NoNetCrawling
<NO NAME> REG_SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\PersistBrowsers
Type REG_SZ checkbox
Text REG_SZ @shell32.dll,-30513
HKeyRoot REG_DWORD 0x80000001
RegPath REG_SZ Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ValueName REG_SZ PersistBrowsers
CheckedValue REG_DWORD 0x1
UncheckedValue REG_DWORD 0x0
HelpID REG_SZ shell.hlp#51152
DefaultValue REG_DWORD 0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\ShowCompColor
Type REG_SZ checkbox
Text REG_SZ @shell32.dll,-30512
HKeyRoot REG_DWORD 0x80000001
RegPath REG_SZ Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ValueName REG_SZ ShowCompColor
CheckedValue REG_DWORD 0x1
UncheckedValue REG_DWORD 0x0
DefaultValue REG_DWORD 0x1
HelpID REG_SZ shell.hlp#51130

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\ShowFullPath
Type REG_SZ checkbox
Text REG_SZ @shell32.dll,-30504
HKeyRoot REG_DWORD 0x80000001
RegPath REG_SZ Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState
ValueName REG_SZ FullPath
CheckedValue REG_DWORD 0x1
UncheckedValue REG_DWORD 0x0
DefaultValue REG_DWORD 0x0
HelpID REG_SZ shell.hlp#51100

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\ShowFullPathAddress
Type REG_SZ checkbox
Text REG_SZ @shell32.dll,-30505
HKeyRoot REG_DWORD 0x80000001
RegPath REG_SZ Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState
ValueName REG_SZ FullPathAddress
CheckedValue REG_DWORD 0x1
UncheckedValue REG_DWORD 0x0
DefaultValue REG_DWORD 0x1
HelpID REG_SZ shell.hlp#51107

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\ShowInfoTip
Type REG_SZ checkbox
Text REG_SZ @shell32.dll,-30502
HKeyRoot REG_DWORD 0x80000001
RegPath REG_SZ Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ValueName REG_SZ ShowInfoTip
CheckedValue REG_DWORD 0x1
UncheckedValue REG_DWORD 0x0
DefaultValue REG_DWORD 0x1
HelpID REG_SZ shell.hlp#51102

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SimpleSharing
Type REG_SZ checkbox
Text REG_SZ @shell32.dll,-30518
HKeyRoot REG_DWORD 0x80000002
RegPath REG_SZ System\CurrentControlSet\Control\LSA
ValueName REG_SZ ForceGuest
CheckedValue REG_DWORD 0x1
UncheckedValue REG_DWORD 0x0
HelpID REG_SZ shell.hlp#51154
DefaultValue REG_DWORD 0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
Type REG_SZ checkbox
Text REG_SZ @shell32.dll,-30508
WarningIfNotDefault REG_SZ @shell32.dll,-28964
HKeyRoot REG_DWORD 0x80000001
RegPath REG_SZ Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ValueName REG_SZ ShowSuperHidden
CheckedValue REG_DWORD 0x0
UncheckedValue REG_DWORD 0x1
DefaultValue REG_DWORD 0x0
HelpID REG_SZ shell.hlp#51103

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\Policy

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\Policy\DontShowSuperHidden
<NO NAME> REG_SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Thickets
Text REG_SZ Managing pairs of Web pages and folders
Type REG_SZ group
Bitmap REG_SZ C:\WINDOWS\system32\\SHELL32.DLL,4
HelpID REG_SZ TBD

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Thickets\AUTO
RegPath REG_SZ Software\Microsoft\Windows\CurrentVersion\Explorer
Text REG_SZ Show and manage the pair as a single file
Type REG_SZ radio
CheckedValue REG_DWORD 0x0
ValueName REG_SZ NoFileFolderConnection
DefaultValue REG_DWORD 0x0
HKeyRoot REG_DWORD 0x80000001
HelpID REG_SZ TBD

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Thickets\NOHIDE
RegPath REG_SZ Software\Microsoft\Windows\CurrentVersion\Explorer
Text REG_SZ Show both parts but manage as a single file
Type REG_SZ radio
CheckedValue REG_DWORD 0x2
ValueName REG_SZ NoFileFolderConnection
DefaultValue REG_DWORD 0x0
HKeyRoot REG_DWORD 0x80000001
HelpID REG_SZ TBD

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Thickets\NONE
RegPath REG_SZ Software\Microsoft\Windows\CurrentVersion\Explorer
Text REG_SZ Show both parts and manage them individually
Type REG_SZ radio
CheckedValue REG_DWORD 0x1
ValueName REG_SZ NoFileFolderConnection
DefaultValue REG_DWORD 0x0
HKeyRoot REG_DWORD 0x80000001
HelpID REG_SZ TBD

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\WebViewBarricade
Type REG_SZ checkbox
Text REG_SZ @shell32.dll,-30510
HKeyRoot REG_DWORD 0x80000001
RegPath REG_SZ Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ValueName REG_SZ WebViewBarricade
CheckedValue REG_DWORD 0x1
UncheckedValue REG_DWORD 0x0
HelpID REG_SZ shell.hlp#51148
DefaultValue REG_DWORD 0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AppKey

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AppKey\15
RegisteredApp REG_SZ Mail

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AppKey\16
Association REG_SZ .cda

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AppKey\17
ShellExecute REG_SZ ::{20D04FE0-3AEA-1069-A2D8-08002B30309D}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AppKey\18
ShellExecute REG_SZ calc.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AppKey\7
Association REG_SZ http

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations
XMLLookup REG_SZ http://shell.windows...ass...x&Ext=%s
Application REG_SZ http://shell.windows...edir.asp?Ext=%s
intl REG_SZ http://shell.windows...ass...x&Ext=%s

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\CancelAutoplay

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\CancelAutoplay\CLSID
5B239F5D-635D-4fab-883D-9BC28BC10C4C REG_SZ
<NO NAME> REG_SZ
FFDE5359-5502-4f1a-8395-EFCAEEE02D3D REG_SZ
BBEB08F8-9126-4e20-AAD3-70B470144C7E REG_SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\CancelAutoplay\Files
*setup*.exe REG_SZ
*instal*.exe REG_SZ
*setup*.bat REG_SZ
*instal*.bat REG_SZ
*setup*.cmd REG_SZ
*instal*.cmd REG_SZ
*setup*.com REG_SZ
*instal*.com REG_SZ
Y?kle* REG_SZ
Felrak.exe REG_SZ
Imposta.exe REG_SZ
KUR.exe REG_SZ
Ayarla.exe REG_SZ
sfc2.ico REG_SZ
evanims REG_SZ
00000001.tmp REG_SZ
updmoney.exe REG_SZ
hs\media\y\11399\11399_cd_fp.jpg REG_SZ
hs\media\y\9953\9953_cd_fp.jpg REG_SZ
hs\media\y\9951\9951_cd_fp.jpg REG_SZ
hs\media\y\9964\9964_cd_fp.jpg REG_SZ
hs\media\y\9968\9968_cd_fp.jpg REG_SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\ContentTypeHandlers

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\ContentTypeHandlers\MusicFilesContentHandler
DefaultIcon REG_EXPAND_SZ %SystemRoot%\system32\SHELL32.dll,-225

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\ContentTypeHandlers\MusicFilesContentHandler\EventHandlers

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\ContentTypeHandlers\MusicFilesContentHandler\EventHandlers\MediaArrival

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\ContentTypeHandlers\MusicFilesContentHandler\FriendlyName
Content REG_SZ music files
IconLabel REG_SZ Music files (WMA/MP3)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\ContentTypeHandlers\PicturesContentHandler
DefaultIcon REG_EXPAND_SZ shimgvw.dll,3

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\ContentTypeHandlers\PicturesContentHandler\EventHandlers

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\ContentTypeHandlers\PicturesContentHandler\EventHandlers\DeviceArrival
ShowPicturesOnArrival REG_SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\ContentTypeHandlers\PicturesContentHandler\EventHandlers\MediaArrival
ShowPicturesOnArrival REG_SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\ContentTypeHandlers\PicturesContentHandler\FriendlyName
Content REG_SZ picture files
IconLabel REG_SZ Pictures

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\ContentTypeHandlers\VideoFilesContentHandler
DefaultIcon REG_EXPAND_SZ %SystemRoot%\system32\SHELL32.dll,-224

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\ContentTypeHandlers\VideoFilesContentHandler\EventHandlers

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\ContentTypeHandlers\VideoFilesContentHandler\EventHandlers\MediaArrival

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\ContentTypeHandlers\VideoFilesContentHandler\FriendlyName
Content REG_SZ video files
IconLabel REG_SZ Video

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\ContentTypeSniffers

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\ContentTypeSniffers\MusicFilesContentSniffer
ContentTypeHandler REG_SZ MusicFilesContentHandler
RelPattern REG_MULTI_SZ *.wma\0HIFI\*\*.wma\0*.mp3\0HIFI\*\*.mp3\0\0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\ContentTypeSniffers\PicturesContentSniffer
ContentTypeHandler REG_SZ PicturesContentHandler
RelPattern REG_MULTI_SZ *.bmp\0DCIM\*\*.bmp\0*.jpg\0DCIM\*\*.jpg\0*.gif\0DCIM\*\*.gif\0DC*\*.jpg\0*.tif\0MSSONY\*\*.tif\0IM*\*.jpg\0CAMERA01\*.jpg\0DC*\BR*\*.jpg\0\0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\ContentTypeSniffers\VideoFilesContentSniffer
ContentTypeHandler REG_SZ VideoFilesContentHandler
RelPattern REG_MULTI_SZ *.mpg\0VIDEO\*.mpg\0*.mpeg\0VIDEO\*.mpeg\0*.asf\0VIDEO\*.asf\0MSSONY\*\*.mpg\0MSSONY\*\*.mpeg\0*.wmv\0VIDEO\*.wmv\0\0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\DeviceClasses

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\DeviceClasses\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\DeviceClasses\{CC7BFB41-F175-11D1-A392-00E0291F3959}
DeviceHandlers REG_SZ VideoCameraDeviceHandler
Label REG_SZ @C:\Program Files\Movie Maker\wmmres.dll,-61827
Icons REG_MULTI_SZ C:\WINDOWS\System32\shell32.dll,-317\0\0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\DeviceGroups

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\DeviceGroups\Camera
Icons REG_MULTI_SZ %SystemRoot%\system32\shell32.dll,-309\0\0
Label REG_SZ Digital Camera

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\DeviceGroups\CellPhone
Icons REG_MULTI_SZ %SystemRoot%\system32\shell32.dll,-310\0\0
Label REG_SZ Cell Phone

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\DeviceGroups\CFStorage
Icons REG_MULTI_SZ %SystemRoot%\system32\shell32.dll,-303\0\0
Label REG_SZ CompactFlash Reader/Writer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\DeviceGroups\ClikDrive
Label REG_SZ Clik! Drive
NoSoftEject REG_SZ 0x00000001

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\DeviceGroups\FaxDevice
Icons REG_MULTI_SZ %SystemRoot%\system32\shell32.dll,-196\0\0
Label REG_SZ Fax Machine

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\DeviceGroups\ImageMate
Icons REG_MULTI_SZ %SystemRoot%\system32\shell32.dll,-229\0\0
NoMediaIcons REG_MULTI_SZ %SystemRoot%\system32\shell32.dll,-229\0\0
Label REG_SZ ImageMate
NoSoftEject REG_SZ 0x00000001

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\DeviceGroups\JazDrive
Icons REG_MULTI_SZ %SystemRoot%\system32\shell32.dll,-312\0\0
Label REG_SZ Jaz Drive

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\DeviceGroups\MemoryStick
Icons REG_MULTI_SZ %SystemRoot%\system32\shell32.dll,-305\0\0
Label REG_SZ Memory Stick
NoSoftEject REG_SZ 0x00000001

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\DeviceGroups\MemoryStick-MG
Icons REG_MULTI_SZ %SystemRoot%\system32\shell32.dll,-233\0\0
Label REG_SZ Memory Stick - MG
NoSoftEject REG_SZ 0x00000001

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\DeviceGroups\OpticalDrive
Icons REG_MULTI_SZ %SystemRoot%\system32\shell32.dll,-301\0\0
Label REG_SZ Optical Drive

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\DeviceGroups\PCMCIAStorage
Icons REG_MULTI_SZ %SystemRoot%\system32\shell32.dll,-306\0\0
Label REG_SZ PCMCIA Storage Device

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\DeviceGroups\PocketPC
Icons REG_MULTI_SZ %SystemRoot%\system32\shell32.dll,-314\0\0
Label REG_SZ Pocket PC

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\DeviceGroups\PortableAudioPlayer
Label REG_SZ Portable Audio Player
Icons REG_MULTI_SZ %SystemRoot%\system32\shell32.dll,-299\0\0
NoSoftEject REG_SZ 0x00000001

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\DeviceGroups\Printer
Icons REG_MULTI_SZ %SystemRoot%\system32\shell32.dll,-17\0\0
Label REG_SZ Printer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\DeviceGroups\Scanner
Icons REG_MULTI_SZ %SystemRoot%\system32\shell32.dll,-315\0\0
Label REG_SZ Scanner

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\DeviceGroups\SMStorage
Icons REG_MULTI_SZ %SystemRoot%\system32\shell32.dll,-308\0\0
Label REG_SZ SmartMedia Reader/Writer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\DeviceGroups\TapeDrive
Icons REG_MULTI_SZ %SystemRoot%\system32\shell32.dll,-300\0\0
Label REG_SZ Tape Drive

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\DeviceGroups\VideoCamera
Icons REG_MULTI_SZ %SystemRoot%\system32\shell32.dll,-317\0\0
Label REG_SZ Digital Video Camera

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\DeviceGroups\ZipDrive100
Icons REG_MULTI_SZ %SystemRoot%\system32\shell32.dll,-230\0\0
Label REG_SZ Zip Drive 100

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\DeviceGroups\ZipDrive250
Icons REG_MULTI_SZ %SystemRoot%\system32\shell32.dll,-230\0\0
Label REG_SZ Zip Drive 250

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\DeviceHandlers

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\DeviceHandlers\GenericVolumeHandler

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\DeviceHandlers\GenericVolumeHandler\ContentTypes
MusicFilesContentSniffer REG_SZ
PicturesContentSniffer REG_SZ
VideoFilesContentSniffer REG_SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\DeviceHandlers\GenericVolumeHandler\EventHandlers

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\DeviceHandlers\GenericVolumeHandler\EventHandlers\DeviceArrival
GenericVolumeArrival REG_SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\DeviceHandlers\GenericVolumeHandler\EventHandlers\MediaArrival
GenericVolumeArrival REG_SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\DeviceHandlers\RNDeviceHandler

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\DeviceHandlers\RNDeviceHandler\EventHandlers

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\DeviceHandlers\RNDeviceHandler\EventHandlers\DeviceArrival
RNDeviceArrival REG_SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\DeviceHandlers\VideoCameraDeviceHandler

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\DeviceHandlers\VideoCameraDeviceHandler\EventHandlers

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\DeviceHandlers\VideoCameraDeviceHandler\EventHandlers\DeviceArrival
VideoCameraArrival REG_SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\EventHandlers

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\EventHandlers\AutorunINFLegacyArrival
MSOpenFolder REG_SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\EventHandlers\GenericVolumeArrival
MSGenericVolumeArrival REG_SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\EventHandlers\HandleCDBurningOnArrival
MSCDBurningOnArrival REG_SZ
MSWMPBurnCDOnArrival REG_SZ
NeroAutoPlay2LaunchNeroStartSmart REG_SZ
NeroAutoPlay2DataDisc REG_SZ
NeroAutoPlay2CDAudio REG_SZ
RPCDBurningOnArrival REG_SZ
LightScribeOnArrivalAP REG_SZ
iTunesBurnCDOnArrival REG_SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\EventHandlers\HandleDVDBurningONArrival
LightScribeOnArrivalAP REG_SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\EventHandlers\MixedContentOnArrival
MSOpenFolder REG_SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\EventHandlers\PlayCDAudioOnArrival
MSPlayCDAudioOnArrival REG_SZ
MSOpenFolder REG_SZ
MSRipCDAudioOnArrival REG_SZ
NeroAutoPlay2CopyCD REG_SZ
RPPlayCDAudioOnArrival REG_SZ
iTunesShowSongsOnArrival REG_SZ
iTunesPlaySongsOnArrival REG_SZ
iTunesImportSongsOnArrival REG_SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\EventHandlers\PlayDVDMovieOnArrival
MSPlayDVDMovieOnArrival REG_SZ
MSOpenFolder REG_SZ
RPPlayDVDMovieOnArrival REG_SZ
PDVDPlayDVDMovieOnArrival REG_SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\EventHandlers\PlayMusicFilesOnArrival
MSOpenFolder REG_SZ
MSPlayMediaOnArrival REG_SZ
NeroAutoPlay2PlayAudioCD REG_SZ
RPPlayMediaOnArrival REG_SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\EventHandlers\PlayVideoFilesOnArrival
MSOpenFolder REG_SZ
MSPlayMediaOnArrival REG_SZ
RPPlayMediaOnArrival REG_SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\EventHandlers\RNDeviceArrival
RPDeviceOnArrival REG_SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\EventHandlers\ShowPicturesOnArrival
MSWiaEventHandler REG_SZ
MSShowPicturesOnArrival REG_SZ
MSPrintPicturesOnArrival REG_SZ
MSOpenFolder REG_SZ
NeroAutoPlay2ViewPhotos REG_SZ
PaperPort11AutoPlay REG_SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\EventHandlers\VideoCameraArrival
MSVideoCameraArrival REG_SZ
NeroAutoPlay2VideoCapture REG_SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\iTunesBurnCDOnArrival
<NO NAME> REG_SZ
Action REG_SZ Create a CD
DefaultIcon REG_SZ C:\Program Files\iTunes\iTunes.exe,-128
InvokeProgID REG_SZ iTunes.BurnCD
InvokeVerb REG_SZ burn
Provider REG_SZ iTunes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\iTunesImportSongsOnArrival
<NO NAME> REG_SZ
Action REG_SZ Import songs
DefaultIcon REG_SZ C:\Program Files\iTunes\iTunes.exe,-128
InvokeProgID REG_SZ iTunes.ImportSongsOnCD
InvokeVerb REG_SZ import
Provider REG_SZ iTunes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\iTunesPlaySongsOnArrival
<NO NAME> REG_SZ
Action REG_SZ Play audio CD
DefaultIcon REG_SZ C:\Program Files\iTunes\iTunes.exe,-128
InvokeProgID REG_SZ iTunes.PlaySongsOnCD
InvokeVerb REG_SZ play
Provider REG_SZ iTunes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\iTunesShowSongsOnArrival
<NO NAME> REG_SZ
Action REG_SZ Show songs
DefaultIcon REG_SZ C:\Program Files\iTunes\iTunes.exe,-128
InvokeProgID REG_SZ iTunes.ShowSongsOnCD
InvokeVerb REG_SZ showsongs
Provider REG_SZ iTunes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\LightScribeOnArrivalAP
Provider REG_SZ LightScribe Direct Disc Labeling
InvokeVerb REG_SZ LabelLightScribeDisc
InvokeProgID REG_SZ LightScribe.AutoPlayHandler
DefaultIcon REG_SZ C:\Program Files\Common Files\LightScribe\LsLauncher.exe
Action REG_SZ Label a LightScribe Disc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\MSCDBurningOnArrival
DefaultIcon REG_EXPAND_SZ %SystemRoot%\system32\SHELL32.dll,-5
Action REG_SZ @%SystemRoot%\system32\SHELL32.dll,-17169
Provider REG_SZ @%SystemRoot%\system32\SHELL32.dll,-17170
InvokeProgID REG_SZ Folder
InvokeVerb REG_SZ open

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\MSOpenFolder
DefaultIcon REG_EXPAND_SZ %SystemRoot%\system32\SHELL32.dll,-5
Action REG_SZ @%SystemRoot%\system32\SHELL32.dll,-17154
Provider REG_SZ @%SystemRoot%\system32\SHELL32.dll,-17155
InvokeProgID REG_SZ Folder
InvokeVerb REG_SZ open

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\MSPlayCDAudioOnArrival
Action REG_SZ @wmploc.dll,-6503
Provider REG_SZ @wmploc.dll,-6502
InvokeProgID REG_SZ WMP.AudioCD
InvokeVerb REG_SZ play
DefaultIcon REG_EXPAND_SZ %ProgramFiles%\Windows Media Player\wmplayer.exe,0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\MSPlayDVDMovieOnArrival
Action REG_SZ @wmploc.dll,-6504
Provider REG_SZ @wmploc.dll,-6502
InvokeProgID REG_SZ WMP.DVD
InvokeVerb REG_SZ play
DefaultIcon REG_EXPAND_SZ %ProgramFiles%\Windows Media Player\wmplayer.exe,0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\MSPlayMediaOnArrival
Action REG_SZ @wmploc.dll,-1800
Provider REG_SZ @wmploc.dll,-6502
InvokeProgid REG_SZ WMP.PlayMedia
InvokeVerb REG_SZ play
DefaultIcon REG_SZ C:\Program Files\Windows Media Player\wmplayer.exe,0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\MSPrintPicturesOnArrival
DefaultIcon REG_EXPAND_SZ %SystemRoot%\system32\SHELL32.dll,-17
Action REG_SZ @%SystemRoot%\system32\SHELL32.dll,-17158
Provider REG_SZ @%SystemRoot%\system32\SHELL32.dll,-17159
InvokeProgID REG_SZ Applications\shimgvw.dll
InvokeVerb REG_SZ print

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\MSPromptEachTime
DefaultIcon REG_EXPAND_SZ %SystemRoot%\system32\SHELL32.dll,-3
Action REG_SZ Prompt each time
Provider REG_SZ Windows Explorer
ProgID REG_SZ Shell.Autoplay
InitCmdLine REG_SZ PromptEachTime

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\MSPromptEachTimeNoContent
DefaultIcon REG_EXPAND_SZ %SystemRoot%\system32\SHELL32.dll,-3
Action REG_SZ Prompt each time - No Content
Provider REG_SZ Windows Explorer
ProgID REG_SZ Shell.Autoplay
InitCmdLine REG_SZ PromptEachTimeNoContent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\MSRipCDAudioOnArrival
Action REG_SZ @wmploc.dll,-6506
Provider REG_SZ @wmploc.dll,-6502
InvokeProgID REG_SZ WMP.RipCD
InvokeVerb REG_SZ Rip
DefaultIcon REG_EXPAND_SZ %ProgramFiles%\Windows Media Player\wmplayer.exe,0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\MSShowPicturesOnArrival
DefaultIcon REG_EXPAND_SZ %SystemRoot%\system32\SHELL32.dll,-249
Action REG_SZ @%SystemRoot%\system32\SHELL32.dll,-17156
Provider REG_SZ @%SystemRoot%\system32\SHELL32.dll,-17157
InvokeProgID REG_SZ Shell.AutoplayForSlideShow.1
InvokeVerb REG_SZ open

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\MSTakeNoAction
DefaultIcon REG_EXPAND_SZ %SystemRoot%\system32\SHELL32.dll,-338
Action REG_SZ @%SystemRoot%\system32\SHELL32.dll,-17168
Provider REG_SZ <TakeNoAction>
ProgID REG_SZ Shell.AutoplaySpecial

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\MSVideoCameraArrival
InitCmdLine REG_SZ "C:\Program Files\Movie Maker\moviemk.exe" /RECORD
ProgID REG_SZ Shell.HWEventHandlerShellExecute
DefaultIcon REG_SZ C:\Program Files\Movie Maker\moviemk.exe,0
CLSIDForCancel REG_SZ {AB007EC8-E2D4-4664-ACD9-1D059681F3DE}
Action REG_SZ @C:\Program Files\Movie Maker\wmmres.dll,-61826
Provider REG_SZ @C:\Program Files\Movie Maker\wmmres.dll,-61424

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\MSWiaEventHandler
ProgID REG_SZ WiaDevMgr
Action REG_SZ @%systemroot%\System32\wiaacmgr.exe,-276
Provider REG_SZ @%systemroot%\System32\wiaacmgr.exe,-101
DefaultIcon REG_EXPAND_SZ %systemroot%\System32\wiaacmgr.exe,-2
InvokeProgID REG_SZ WIA.AutoplayDropHandler.1
InvokeVerb REG_SZ open

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\MSWMDMHandler
Action REG_SZ Transfer Files
CLSIDForCancel REG_SZ {91778246-9BE4-4713-A651-E833B853CC30}
DefaultIcon REG_EXPAND_SZ %ProgramFiles%\Windows Media Player\wmplayer.exe,0
InitCmdLine REG_EXPAND_SZ "%ProgramFiles%\Windows Media Player\wmplayer.exe" /prefetch:3 /task:PortableDevice
ProgID REG_SZ Shell.HWEventHandlerShellExecute
Provider REG_SZ @wmploc.dll,-6502

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\MSWMPBurnCDOnArrival
Action REG_SZ @wmploc.dll,-6505
Provider REG_SZ @wmploc.dll,-6502
InvokeProgid REG_SZ WMP.BurnCD
InvokeVerb REG_SZ Burn
DefaultIcon REG_EXPAND_SZ %ProgramFiles%\Windows Media Player\wmplayer.exe,0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\NeroAutoPlay2CDAudio
Action REG_SZ Make Audio CD
DefaultIcon REG_SZ C:\Program Files\Common Files\Ahead\Lib\apreg.dll,-2006
Provider REG_SZ Nero Express
InvokeProgID REG_SZ Nero.AutoPlay2
InvokeVerb REG_SZ HandleCDBurningOnArrival_CDAudio

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\NeroAutoPlay2CopyCD
Action REG_SZ Copy CD
DefaultIcon REG_SZ C:\Program Files\Common Files\Ahead\Lib\apreg.dll,-2024
Provider REG_SZ Nero Express
InvokeProgID REG_SZ Nero.AutoPlay2
InvokeVerb REG_SZ PlayCDAudioOnArrival_CopyCD

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\NeroAutoPlay2DataDisc
Action REG_SZ Make Data Disc
DefaultIcon REG_SZ C:\Program Files\Common Files\Ahead\Lib\apreg.dll,-2002
Provider REG_SZ Nero Express
InvokeProgID REG_SZ Nero.AutoPlay2
InvokeVerb REG_SZ HandleCDBurningOnArrival_DataDisc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\NeroAutoPlay2LaunchNeroStartSmart
Action REG_SZ Create Your Own Disc
DefaultIcon REG_SZ C:\Program Files\Common Files\Ahead\Lib\apreg.dll,-2026
Provider REG_SZ Nero StartSmart
InvokeProgID REG_SZ Nero.AutoPlay2
InvokeVerb REG_SZ HandleCDBurningOnArrival_LaunchNeroStartSmart

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\NeroAutoPlay2PlayAudioCD
Action REG_SZ Play Audio
DefaultIcon REG_SZ C:\Program Files\Common Files\Ahead\Lib\apreg.dll,-2008
Provider REG_SZ Nero Media Player
InvokeProgID REG_SZ Nero.AutoPlay2
InvokeVerb REG_SZ PlayMusicFilesOnArrival_PlayAudioCD

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\NeroAutoPlay2VideoCapture
Action REG_SZ Capture Video
DefaultIcon REG_SZ C:\Program Files\Common Files\Ahead\Lib\apreg.dll,-2014
Provider REG_SZ NeroVision Express
ProgID REG_SZ Shell.HWEventHandlerShellExecute
InitCmdLine REG_SZ "C:\Program Files\Ahead\NeroVision\NeroVision.exe" /New:VideoCapture

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\NeroAutoPlay2ViewPhotos
Action REG_SZ View Your Photos
DefaultIcon REG_SZ C:\Program Files\Common Files\Ahead\Lib\apreg.dll,-2022
Provider REG_SZ Nero PhotoSnap Viewer
InvokeProgID REG_SZ Nero.AutoPlay2
InvokeVerb REG_SZ ShowPicturesOnArrival_ViewPhotos

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\PaperPort11AutoPlay
Action REG_SZ Open folder to view files
DefaultIcon REG_SZ C:\Program Files\ScanSoft\PaperPort\PaprPort.exe,0
InvokeProgID REG_SZ PaperPort.AutoplayHandler
InvokeVerb REG_SZ open
Provider REG_SZ PaperPort 11

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\PDVDPlayDVDMovieOnArrival
Action REG_SZ Play DVD Video
DefaultIcon REG_SZ C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe,0
InvokeProgID REG_SZ DVD
InvokeVerb REG_SZ PlayWithPowerDVD
Provider REG_SZ PowerDVD

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\RPCDBurningOnArrival
Action REG_SZ Burn CD
Provider REG_SZ RealPlayer
InvokeProgID REG_SZ RealPlayer.CDBurn.6
InvokeVerb REG_SZ open
DefaultIcon REG_SZ "C:\Program Files\Real\RealPlayer\RealPlay.exe",0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\RPDeviceOnArrival
Action REG_SZ Manage the device
Provider REG_SZ RealPlayer
ProgID REG_SZ RealPlayer.HWEventHandler
DefaultIcon REG_SZ "C:\Program Files\Real\RealPlayer\RealPlay.exe",0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\RPPlayCDAudioOnArrival
Action REG_SZ Play or save music from audio CD
Provider REG_SZ RealPlayer
InvokeProgID REG_SZ RealPlayer.AudioCD.6
InvokeVerb REG_SZ play
DefaultIcon REG_SZ "C:\Program Files\Real\RealPlayer\RealPlay.exe",0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\RPPlayDVDMovieOnArrival
Action REG_SZ Play DVD Video
Provider REG_SZ RealPlayer
InvokeProgID REG_SZ RealPlayer.DVD.6
InvokeVerb REG_SZ play
DefaultIcon REG_SZ "C:\Program Files\Real\RealPlayer\RealPlay.exe",0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\RPPlayMediaOnArrival
Action REG_SZ Play Media Files
Provider REG_SZ RealPlayer
InvokeProgID REG_SZ RealPlayer.AutoPlay.6
InvokeVerb REG_SZ open
DefaultIcon REG_SZ "C:\Program Files\Real\RealPlayer\RealPlay.exe",0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket
UseGlobalSettings REG_DWORD 0x1
Percent REG_DWORD 0xa
NukeOnDelete REG_DWORD 0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\c
VolumeSerialNumber REG_DWORD 0x24a084d5
IsUnicode REG_DWORD 0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\e
VolumeSerialNumber REG_DWORD 0x806b4b71
IsUnicode REG_DWORD 0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess
BrowseNewProcess REG_SZ yes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CD Burning

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\AudioBurnHandlers
<NO NAME> REG_SZ {8dd448e6-c188-4aed-af92-44956194eb1f}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\AudioBurnHandlers\{8dd448e6-c188-4aed-af92-44956194eb1f}
verb REG_SZ WMPBurnAsAudioCD
SupportedFileTypes REG_SZ *.WMA;*.MP3;*.WAV

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\ExcludedFS
UDF REG_SZ
CDUDF REG_SZ
CDUDFRW REG_SZ
UDFREADR REG_SZ
UDF1.50 REG_SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\Flags
desk.cpl REG_DWORD 0x1
access.cpl REG_DWORD 0x1
hdwwiz.cpl REG_DWORD 0x1
keymgr.cpl REG_DWORD 0x1
inetcpl.cpl REG_DWORD 0x1
joy.cpl REG_DWORD 0x1
main.cpl REG_DWORD 0x1
intl.cpl REG_DWORD 0x1
mmsys.cpl REG_DWORD 0x1
sapi.cpl REG_DWORD 0x1
sysdm.cpl REG_DWORD 0x1
telephon.cpl REG_DWORD 0x1
timedate.cpl REG_DWORD 0x1
powercfg.cpl REG_DWORD 0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\Accessibility_Options
IconIndex REG_DWORD 0x6e
Info REG_SZ Customizes accessibility features for your computer.
Module REG_EXPAND_SZ %SystemRoot%\system32\access.cpl
Name REG_SZ Accessibility Options

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\Add-Remove_Programs
IconIndex REG_DWORD 0x5dc
Info REG_SZ Installs and removes programs and Windows components.
Module REG_EXPAND_SZ %SystemRoot%\system32\appwiz.cpl
Name REG_SZ Add/Remove Programs

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\Date-Time
IconIndex REG_DWORD 0xc8
Info REG_SZ Changes date, time, and time-zone information.
Module REG_EXPAND_SZ %SystemRoot%\system32\timedate.cpl
Name REG_SZ Date/Time

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\Dialing_Options
IconIndex REG_DWORD 0x64
Info REG_SZ Configures telephone dialing rules for your location.
Module REG_EXPAND_SZ %SystemRoot%\system32\telephon.cpl
Name REG_SZ Dialing Options

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\Display_Properties
IconIndex REG_DWORD 0x64
Info REG_SZ Customizes your desktop display and screen saver.
Module REG_EXPAND_SZ %SystemRoot%\system32\desk.cpl
Name REG_SZ Display

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\Internet_Options
IconIndex REG_DWORD 0x1187
Info REG_SZ Configures your Internet display and connections settings.
Module REG_EXPAND_SZ %SystemRoot%\system32\inetcpl.cpl
Name REG_SZ Internet Options

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\Printers
IconIndex REG_DWORD 0x12c
Info REG_SZ Adds, removes and changes settings for printers.
Module REG_EXPAND_SZ %SystemRoot%\system32\main.cpl
Name REG_SZ Printers and Faxes
<NO NAME> REG_SZ {2227A280-3AEA-1069-A2DE-08002B30309D}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{0DF44EAA-FF21-4412-828E-260A8728E7F1}
<NO NAME> REG_SZ Taskbar and Start Menu

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}
<NO NAME> REG_SZ Folder Options

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{7007ACC7-3202-11D1-AAD2-00805FC1270E}
<NO NAME> REG_SZ Network Connections

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{D20EA4E1-3957-11d2-A40B-0C5020524152}
<NO NAME> REG_SZ Fonts

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{D20EA4E1-3957-11d2-A40B-0C5020524153}
<NO NAME> REG_SZ Administrative Tools

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{D6277990-4C6A-11CF-8D87-00AA0060F5BF}
<NO NAME> REG_SZ Scheduled Tasks

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{E211B736-43FD-11D1-9EFB-0000F8757FCD}
<NO NAME> REG_SZ Scanners & Cameras

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CSSFilters
oavredirect REG_SZ {999937BC-30FE-11D4-BA52-00C04F6843FA}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{1f4de370-d627-11d1-ba4f-00a0c91eedba}
<NO NAME> REG_SZ Computer Search Results Folder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{450D8FBA-AD25-11D0-98A8-0800361B1103}
<NO NAME> REG_SZ
Removal Message REG_SZ @mydocs.dll,-900

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{645FF040-5081-101B-9F08-00AA002F954E}
<NO NAME> REG_SZ Recycle Bin

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}
<NO NAME> REG_SZ Search Results Folder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DocFolderPaths
Purina REG_SZ C:\Documents and Settings\Purina\My Documents

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\c

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\c\DefaultIcon
<NO NAME> REG_SZ %SystemRoot%\system32\shell32.dll,131

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileAssociation
KillList REG_SZ %1;explorer.exe;dvdplay.exe;mplay32.exe;msohtmed.exe;quikview.exe;rundll.exe;rundll32.exe;taskman.exe;bck32api.dll;
CutList REG_MULTI_SZ Application File\0MFC Application\0\0
AddRemoveApps REG_SZ SETUP.EXE;INSTALL.EXE;ISUNINST.EXE;UNWISE.EXE;UNWISE32.EXE;ST5UNST.EXE;RUNDLL32.EXE;MSOOBE.EXE;LNKSTUB.EXE
AddRemoveNames REG_SZ Documentation;Help;Install;More Info;Readme;Read me;Read First;Setup;Support;What's New;Remove

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FindExtensions

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FindExtensions\ShellFindInDirectory
<NO NAME> REG_SZ {F020E586-5264-11d1-A532-0000F8757D7E}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FindExtensions\Static

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FindExtensions\Static\RealSearch
<NO NAME> REG_SZ {A06B0DBC-8272-4D72-A366-B8090BBE1871}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FindExtensions\Static\RealSearch\0
<NO NAME> REG_SZ For Internet &Audio/Video...

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FindExtensions\Static\RealSearch\0\DefaultIcon
<NO NAME> REG_SZ C:\Program Files\Real\RealPlayer\rpshellsearch.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FindExtensions\Static\ShellSearch
<NO NAME> REG_SZ {169A0691-8DF9-11d1-A1C4-00C04FD75D13}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FindExtensions\Static\ShellSearch\0
<NO NAME> REG_SZ For &Files or Folders...
LocalizedString REG_EXPAND_SZ @%SystemRoot%\system32\SHELL32.dll,-23232
RunInProcess REG_SZ 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FindExtensions\Static\ShellSearch\0\DefaultIcon
<NO NAME> REG_EXPAND_SZ %SystemRoot%\system32\SHELL32.dll,-134
HotIcon REG_EXPAND_SZ %SystemRoot%\system32\SHELL32.dll,-50
GrayIcon REG_EXPAND_SZ %SystemRoot%\system32\SHELL32.dll,-51

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FindExtensions\Static\ShellSearch\0\HelpText
<NO NAME> REG_SZ Search for files or folders
LocalizedString REG_EXPAND_SZ @%SystemRoot%\system32\SHELL32.dll,-23296

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FindExtensions\Static\ShellSearch\0\SearchGUID
<NO NAME> REG_SZ {169A0691-8DF9-11d1-A1C4-00C04FD75D13}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FindExtensions\Static\ShellSearch\0\SearchGUID\UrlNavNew
<NO NAME> REG_EXPAND_SZ ::{e17d4fc0-5564-11d1-83f2-00a0c90dc849}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FindExtensions\Static\ShellSearch\1
<NO NAME> REG_SZ For &Computers
LocalizedString REG_EXPAND_SZ @%SystemRoot%\system32\SHELL32.dll,-23233

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FindExtensions\Static\ShellSearch\1\DefaultIcon
<NO NAME> REG_EXPAND_SZ %SystemRoot%\system32\SHELL32.dll,-135
HotIcon REG_EXPAND_SZ %SystemRoot%\system32\SHELL32.dll,-52
GrayIcon REG_EXPAND_SZ %SystemRoot%\system32\SHELL32.dll,-53

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FindExtensions\Static\ShellSearch\1\HelpText
<NO NAME> REG_SZ Search for computers on the network
LocalizedString REG_EXPAND_SZ @%SystemRoot%\system32\SHELL32.dll,-23297

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FindExtensions\Static\ShellSearch

#10
Rorschach112
    Ralphie
  • Retired Staff
  • 47,710 posts
Hello

Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to back up your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe



Now we need to fix your problems by making a .reg file. Copy the code below into a Notepad file. Name the file as fix.reg, change the "Save as Type" to "All files" and save it on the desktop.

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Driveicons]


Then double click on the fix.reg file, when it prompts to merge click "Yes".



Reboot and tell me how your PC is running now
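As an added example (not code from the thread or either poster), the following Python script parses a registry listing in the format posted above, flags every per-drive icon override under Explorer\DriveIcons (the key the .reg fix deletes), and builds a narrower .reg file that removes only the flagged drive subkeys. The listing it runs on is constructed: the C: entry mirrors the posted one, the E: entry is invented.

```python
import re

# Matches the per-drive override key the thread's .reg fix targets.
DRIVEICONS_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer"
    r"\\DriveIcons\\([A-Za-z])\\DefaultIcon$", re.IGNORECASE)
# "name TYPE data" lines as printed in the listing; names may contain spaces.
VALUE_RE = re.compile(r"^(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s*(?P<data>.*)$")

# Constructed sample in the thread's listing format: the C: entry mirrors the
# posted one, the E: entry is invented for illustration.
SAMPLE_DUMP = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\c\DefaultIcon
<NO NAME> REG_SZ %SystemRoot%\system32\shell32.dll,131

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\e\DefaultIcon
<NO NAME> REG_SZ C:\sample\drive.ico
"""

def parse_dump(text):
    """Parse a regedit-style listing into {key: {value_name: (type, data)}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.upper().startswith("HKEY_"):
            current = keys.setdefault(line, {})
            continue
        m = VALUE_RE.match(line)
        if current is not None and m:
            current[m.group("name")] = (m.group("type"), m.group("data"))
    return keys

def find_drive_icon_overrides(text):
    """Return sorted [(drive_letter, icon_resource)] for each overridden drive."""
    found = []
    for key, values in parse_dump(text).items():
        m = DRIVEICONS_RE.match(key)
        if m and "<NO NAME>" in values:
            found.append((m.group(1).upper(), values["<NO NAME>"][1]))
    return sorted(found)

def build_reg_fix(overrides):
    """Build a .reg file deleting only the flagged drive subkeys (narrower than
    the whole-DriveIcons deletion used in the thread)."""
    base = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons"
    lines = ["Windows Registry Editor Version 5.00", ""]
    for letter, _ in overrides:
        lines += ["[-%s\\%s]" % (base, letter), ""]
    return "\n".join(lines)
```

A clean XP system has no DriveIcons\<letter> subkeys at all, so any hit from find_drive_icon_overrides is worth checking against the listed icon resource.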

#11
SpaceCowboy706
    Trusted Tech
  • Topic Starter
  • Member
  • 1,175 posts
The red X is gone from the hard drive icon now and everything is running like a champ. Thanks a lot for all your help, man. You rock!

#12
Rorschach112
    Ralphie
  • Retired Staff
  • 47,710 posts
Perfect, a few things to do

Now let's uninstall ComboFix:
  • Click START then RUN
  • Now type Combofix /u in the Run box and click OK
The above procedure will do the following:
  • Delete ComboFix and its associated files and folders.
  • Delete VundoFix backups, if present.
  • Delete the C:\Deckard folder, if present.
  • Delete the C:\_OtMoveIt folder, if present.
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.



You now need to update your Java and remove your older versions.

Please follow these steps to remove older version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from
here



Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at:
http://windowsupdate.microsoft.com/
This will ensure your computer always has the latest available security updates installed.

* To reduce re-infection by malware in the future, I strongly recommend installing these free programs:
SpywareBlaster protects against bad ActiveX.
IE-SPYAD puts over 5000 sites in your Restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Have a look at this tutorial for IE-SPYAD here

* SpywareGuard offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and script ActiveX controls not marked as safe" to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop-up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.

#13
Rorschach112
    Ralphie
  • Retired Staff
  • 47,710 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.