Hey there! I would greatly appreciate it if any of you could help me out. I am currently being troubled by a virus/malware? Not sure. I looked it up in the Task Manager; its image name is "winmgr.exe" / "microsoft.com" (MS-DOS file) and its description is "SCSI Pass though Direct Setup". The image name somehow changes from time to time, but the description doesn't. I googled "winmgr" and the results say it's malware or something. They recommended that I destroy it through some programs. I tried most but failed. (JRT = won't open | RogueKiller = doesn't seem to see it | Spybot = didn't seem to see it | UnHackMe = didn't seem to see it.) What troubles me most is that it doesn't let me use Microsoft Security Essentials and Malwarebytes. When I download other anti-virus programs and install them, it will say it is not a valid Win32 application. Also, it fills up my memory drastically. From 184 GB free, now I only have 9.99 GB. There's more! My Administrator capabilities are being disregarded. Hope you guys could help.
Ran the "Silent Runners.vbs"
Operating System: Microsoft® Windows Vista™ Home Premium Service Pack 2 (32-bit)
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
TOSCDSPD = C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe [TOSHIBA]
uTorrent = "C:\Users\Guest\AppData\Roaming\uTorrent\uTorrent.exe" /MINIMIZED [BitTorrent Inc.]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{326E768D-4182-46FD-9C16-1449A49795F4}\(Default) = Increase performance and video formats for your HTML5 <video>
-> {HKLM...CLSID} = DivX Plus Web Player HTML5 <video>
\InProcServer32\(Default) = C:\Program Files\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll [DivX, LLC]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = Java Plug-In SSV Helper
\InProcServer32\(Default) = C:\Program Files\Java\jre7\bin\ssv.dll [Oracle Corporation]
{DBC80044-A445-435b-BC74-9C25C1C588A9}\(Default) = (no title provided)
-> {HKLM...CLSID} = Java Plug-In 2 SSV Helper
\InProcServer32\(Default) = C:\Program Files\Java\jre7\bin\jp2ssv.dll [Oracle Corporation]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
{00020d75-0000-0000-c000-000000000046} = Microsoft Office Outlook Desktop Icon Handler
-> {HKLM...CLSID} = Microsoft Office Outlook
\InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office12\MLSHEXT.DLL [MS]
{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} = Microsoft Office Metadata Handler
-> {HKLM...CLSID} = Microsoft Office Metadata Handler
\InProcServer32\(Default) = C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll [MS]
{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97} = Microsoft Office Thumbnail Handler
-> {HKLM...CLSID} = Microsoft Office Thumbnail Handler
\InProcServer32\(Default) = C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll [MS]
{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C} = Microsoft Office OneNote Namespace Extension for Windows Desktop Search
-> {HKLM...CLSID} = Microsoft Office OneNote Namespace Extension for Windows Desktop Search
\InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office12\ONFILTER.DLL [MS]
{42042206-2D85-11D3-8CFF-005004838597} = Microsoft Office HTML Icon Handler
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = C:\Program Files\Microsoft Office\Office12\msohevi.dll [MS]
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = WinRAR shell extension
-> {HKLM...CLSID} = WinRAR
\InProcServer32\(Default) = C:\Program Files\WinRAR\rarext.dll [Alexander Roshal]
{0006F045-0000-0000-C000-000000000046} = Microsoft Office Outlook Custom Icon Handler
-> {HKLM...CLSID} = Outlook File Icon Extension
\InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office12\OLKFSTUB.DLL [MS]
{AE424E85-F6DF-4910-A6A9-438797986431} = OpenOffice.org Property Handler
-> {HKLM...CLSID} = OpenOffice.org Property Handler
\InProcServer32\(Default) = C:\Program Files\Basis\program\shlxthdl\propertyhdl.dll [Apache Software Foundation]
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} = OpenOffice.org Column Handler
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = C:\Program Files\Basis\program\shlxthdl\shlxthdl.dll [Apache Software Foundation]
{087B3AE3-E237-4467-B8DB-5A38AB959AC9} = OpenOffice.org Infotip Handler
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = C:\Program Files\Basis\program\shlxthdl\shlxthdl.dll [Apache Software Foundation]
{63542C48-9552-494A-84F7-73AA6A7C99C1} = OpenOffice.org Property Sheet Handler
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = C:\Program Files\Basis\program\shlxthdl\shlxthdl.dll [Apache Software Foundation]
{3B092F0C-7696-40E3-A80F-68D74DA84210} = OpenOffice.org Thumbnail Viewer
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = C:\Program Files\Basis\program\shlxthdl\shlxthdl.dll [Apache Software Foundation]
{09A47860-11B0-4DA5-AFA5-26D86198A780} = EPP
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = c:\PROGRA~1\MI239C~1\shellext.dll [MS]
{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7} = Revo Uninstaller Pro Extension
-> {HKLM...CLSID} = RUShellExt Class
\InProcServer32\(Default) = C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RUExt.dll [VS Revo Group]
{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83} = UnlockerShellExtension
-> {HKLM...CLSID} = UnlockerShellExtension
\InProcServer32\(Default) = C:\Program Files\Unlocker\UnlockerCOM.dll [null data]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\
{B65F237C-AAFF-4df7-8872-91B65663E41F}\(Default) = SmartFaceVCP
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = SmartFaceVCP.dll [null data]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
<<!>> AvastSvc.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> AvastUI.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> avcenter.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> avconfig.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> avgcsrvx.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> avgidsagent.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> avgnt.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> avgrsx.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> avguard.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> avgui.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> avgwdsvc.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> avp.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> avscan.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> bdagent.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> ccuac.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> ComboFix.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> egui.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> hijackthis.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> instup.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> keyscrambler.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> mbam.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> mbamgui.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> mbampt.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> mbamscheduler.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> mbamservice.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> NisSrv.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> rstrui.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> spybotsd.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> wireshark.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> zlclient.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = {807563E5-5146-11D5-A672-00B0D022E945}
-> {HKLM...CLSID} = Microsoft Office InfoPath XML Mime Filter
\InProcServer32\(Default) = C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL [MS]
HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\
<<!>> ms-help\CLSID = {314111c7-a502-11d2-bbca-00c04f8ec294}
-> {HKLM...CLSID} = HxProtocol Class
\InProcServer32\(Default) = C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll [MS]
<<!>> ms-itss\CLSID = {0A9007C0-4076-11D3-8789-0000F8105754}
-> {HKLM...CLSID} = Microsoft Infotech Storage Protocol for IE 4.0
\InProcServer32\(Default) = c:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll [MS]
<<!>> skype-ie-addon-data\CLSID = {91774881-D725-4E58-B298-07617B9B86A8}
-> {HKLM...CLSID} = Skype IE add-on Pluggable Protocol
\InProcServer32\(Default) = C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll [Skype Technologies S.A.]
<<!>> skype4com\CLSID = {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D}
-> {HKLM...CLSID} = IEProtocolHandler Class
\InProcServer32\(Default) = C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL [Skype Technologies]
HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
EPP\(Default) = {09A47860-11B0-4DA5-AFA5-26D86198A780}
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = c:\PROGRA~1\MI239C~1\shellext.dll [MS]
WinRAR\(Default) = {B41DB860-8EE4-11D2-9906-E49FADC173CA}
-> {HKLM...CLSID} = WinRAR
\InProcServer32\(Default) = C:\Program Files\WinRAR\rarext.dll [Alexander Roshal]
HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
UnlockerShellExtension\(Default) = {DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}
-> {HKLM...CLSID} = UnlockerShellExtension
\InProcServer32\(Default) = C:\Program Files\Unlocker\UnlockerCOM.dll [null data]
HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
EPP\(Default) = {09A47860-11B0-4DA5-AFA5-26D86198A780}
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = c:\PROGRA~1\MI239C~1\shellext.dll [MS]
WinRAR\(Default) = {B41DB860-8EE4-11D2-9906-E49FADC173CA}
-> {HKLM...CLSID} = WinRAR
\InProcServer32\(Default) = C:\Program Files\WinRAR\rarext.dll [Alexander Roshal]
HKLM\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\
WinRAR\(Default) = {B41DB860-8EE4-11D2-9906-E49FADC173CA}
-> {HKLM...CLSID} = WinRAR
\InProcServer32\(Default) = C:\Program Files\WinRAR\rarext.dll [Alexander Roshal]
HKLM\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\
igfxcui\(Default) = {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4}
-> {HKLM...CLSID} = GraphicsShellExt Class
\InProcServer32\(Default) = C:\Windows\system32\igfxpph.dll [Intel Corporation]
HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = OpenOffice.org Column Handler
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = C:\Program Files\Basis\program\shlxthdl\shlxthdl.dll [Apache Software Foundation]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = PDF Column Info
-> {HKLM...CLSID} = PDF Shell Extension
\InProcServer32\(Default) = C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll [Adobe Systems, Inc.]
HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
RUShellExt\(Default) = {2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}
-> {HKLM...CLSID} = RUShellExt Class
\InProcServer32\(Default) = C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RUExt.dll [VS Revo Group]
UnlockerShellExtension\(Default) = {DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}
-> {HKLM...CLSID} = UnlockerShellExtension
\InProcServer32\(Default) = C:\Program Files\Unlocker\UnlockerCOM.dll [null data]
WinRAR\(Default) = {B41DB860-8EE4-11D2-9906-E49FADC173CA}
-> {HKLM...CLSID} = WinRAR
\InProcServer32\(Default) = C:\Program Files\WinRAR\rarext.dll [Alexander Roshal]
HKLM\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\
WinRAR\(Default) = {B41DB860-8EE4-11D2-9906-E49FADC173CA}
-> {HKLM...CLSID} = WinRAR
\InProcServer32\(Default) = C:\Program Files\WinRAR\rarext.dll [Alexander Roshal]
Default executables:
--------------------
.hta
HKLM\SOFTWARE\Classes\htafile\(Default) = HTML Application
HKLM\SOFTWARE\Classes\htafile\shell\open\command\(Default) = "%1" %* [file not found]
Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------
Note: detected settings may not have any effect.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoViewContextMenu = (REG_DWORD) dword:0x00000000
{unrecognized setting}
NoRun = (REG_DWORD) dword:0x00000000
{User Configuration|Administrative Templates|Start Menu and Taskbar|
Remove Run menu from Start Menu}
NoFind = (REG_DWORD) dword:0x00000000
{unrecognized setting}
NoDesktop = (REG_DWORD) dword:0x00000000
{unrecognized setting}
HideClock = (REG_DWORD) dword:0x00000000
{unrecognized setting}
NoFolderOptions = (REG_DWORD) dword:0x00000000
{User Configuration|Administrative Templates|Windows Components|Windows Explorer|
Removes the Folder Options menu item from the Tools menu}
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
DisableTaskMgr = (REG_DWORD) dword:0x00000000
{unrecognized setting}
DisableRegistryTools = (REG_DWORD) dword:0x00000000
{User Configuration|Administrative Templates|System|
Prevent access to registry editing tools}
LogonHoursAction = (REG_DWORD) dword:0x00000002
{unrecognized setting}
DontDisplayLogonHoursWarnings = (REG_DWORD) dword:0x00000001
{unrecognized setting}
Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
Wallpaper = C:\Windows\system32\config\systemprofile\Documents\toytoys\bohol\pics\DSCF2250.JPG
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
Wallpaper = C:\Users\roxio\Documents\toytoys\bohol\pics\DSCF2250.JPG
Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
SCRNSAVE.EXE = C:\Windows\system32\logon.scr [MS]
Windows Portable Device AutoPlay Handlers
-----------------------------------------
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\
BridgeCS6ImportMediaOnArrival\
Provider = Adobe Bridge CS6
InvokeProgID = Adobe.adobebridgeCS6
InvokeVerb = launch
HKLM\SOFTWARE\Classes\Adobe.adobebridgeCS6\shell\launch\command\(Default) = C:\Program Files\Adobe\Adobe Bridge CS6\bridgeproxy.exe -v %1 [Adobe Systems, Inc.]
BridgeCS6NonVolumeHandler\
Provider = Adobe Bridge CS6
ProgID = Adobe.adobebridgeMTP_1
HKLM\SOFTWARE\Classes\Adobe.adobebridgeMTP_1\CLSID\(Default) = {1E6C711B-6D70-4a65-8AB6-745DC19BE2A6}
-> {HKLM...CLSID} = Adobe Bridge CS6
\LocalServer32\(Default) = C:\Program Files\Adobe\Adobe Bridge CS6\bridgeproxy.exe -m [Adobe Systems, Inc.]
DMFMADFolder\
Provider = Ulead DVD MovieFactory 5
ProgID = Shell.HWEventHandlerShellExecute
InitCmdLine = C:\Program Files\Ulead Systems\DVD MovieFactory for TOSHIBA\Ulead DVD MovieFactory 5\MovieHunter.exe
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}
-> {HKLM...CLSID} = Shell Execute Hardware Event Handler
\LocalServer32\(Default) = C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7} [MS]
MPCPlayCDAudioOnArrival\
Provider = Media Player Classic
InvokeProgID = MediaPlayerClassic.Autorun
InvokeVerb = PlayCDAudio
HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayCDAudio\command\(Default) = "C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %1 /cd [Gabest]
MPCPlayDVDMovieOnArrival\
Provider = Media Player Classic
InvokeProgID = MediaPlayerClassic.Autorun
InvokeVerb = PlayDVDMovie
HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayDVDMovie\command\(Default) = "C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %1 /dvd [Gabest]
MPCPlayMusicFilesOnArrival\
Provider = Media Player Classic
InvokeProgID = MediaPlayerClassic.Autorun
InvokeVerb = PlayMusicFiles
HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayMusicFiles\command\(Default) = "C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %1 [Gabest]
MPCPlayVideoFilesOnArrival\
Provider = Media Player Classic
InvokeProgID = MediaPlayerClassic.Autorun
InvokeVerb = PlayVideoFiles
HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayVideoFiles\command\(Default) = "C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %1 [Gabest]
MSWMEncVCArrival\
Provider = Windows Media Encoder 9 Series
ProgID = Shell.HWEventHandlerShellExecute
InitCmdLine = C:\Program Files\Windows Media Components\Encoder\WMEnc.exe
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}
-> {HKLM...CLSID} = Shell Execute Hardware Event Handler
\LocalServer32\(Default) = C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7} [MS]
Picasa2ImportPicturesOnArrival\
Provider = Picasa3
InvokeProgID = picasa2.autoplay
InvokeVerb = import
HKLM\SOFTWARE\Classes\picasa2.autoplay\shell\import\command\(Default) = "C:\Program Files\Picasa2\Picasa3.exe" "%1" [Google Inc.]
TosDVDPlayHandler\
Provider = TOSHIBA DVD PLAYER
InvokeProgID = TosDvdPlayer
InvokeVerb = play
HKLM\SOFTWARE\Classes\TosDvdPlayer\shell\play\command\(Default) = "C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TosHDDVD.exe" [TOSHIBA Corporation]
VLCPlayCDAudioOnArrival\
Provider = VideoLAN VLC media player
InvokeProgID = VLC.CDAudio
InvokeVerb = Open
HKLM\SOFTWARE\Classes\VLC.CDAudio\shell\Open\command\(Default) = "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file cdda:///%1 [VideoLAN]
VLCPlayDVDAudioOnArrival\
Provider = VideoLAN VLC media player
InvokeProgID = VLC.OPENFolder
InvokeVerb = Open
HKLM\SOFTWARE\Classes\VLC.OPENFolder\shell\Open\command\(Default) = "C:\Program Files\VideoLAN\VLC\vlc.exe" %1 [VideoLAN]
VLCPlayDVDMovieOnArrival\
Provider = VideoLAN VLC media player
InvokeProgID = VLC.DVDMovie
InvokeVerb = Open
HKLM\SOFTWARE\Classes\VLC.DVDMovie\shell\Open\command\(Default) = "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file dvd:///%1 [VideoLAN]
VLCPlayMusicFilesOnArrival\
Provider = VideoLAN VLC media player
InvokeProgID = VLC.OPENFolder
InvokeVerb = Open
HKLM\SOFTWARE\Classes\VLC.OPENFolder\shell\Open\command\(Default) = "C:\Program Files\VideoLAN\VLC\vlc.exe" %1 [VideoLAN]
VLCPlaySVCDMovieOnArrival\
Provider = VideoLAN VLC media player
InvokeProgID = VLC.SVCDMovie
InvokeVerb = Open
HKLM\SOFTWARE\Classes\VLC.SVCDMovie\shell\Open\command\(Default) = "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file vcd:///%1 [VideoLAN]
VLCPlayVCDMovieOnArrival\
Provider = VideoLAN VLC media player
InvokeProgID = VLC.VCDMovie
InvokeVerb = Open
HKLM\SOFTWARE\Classes\VLC.VCDMovie\shell\Open\command\(Default) = "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file vcd:///%1 [VideoLAN]
VLCPlayVideoFilesOnArrival\
Provider = VideoLAN VLC media player
InvokeProgID = VLC.OPENFolder
InvokeVerb = Open
HKLM\SOFTWARE\Classes\VLC.OPENFolder\shell\Open\command\(Default) = "C:\Program Files\VideoLAN\VLC\vlc.exe" %1 [VideoLAN]
WIA_{C151276C-5528-48BE-9B23-3A667236B992}\
Provider = Picasa3
CLSID = {A55803CC-4D53-404c-8557-FD63DBA95D24}
InitCmdLine = /WiaCmd;C:\Program Files\Picasa2\Picasa3.exe /StiDevice:%1 /StiEvent:%2;
-> {HKLM...CLSID} = WPDShextAutoplay
\LocalServer32\(Default) = C:\Windows\system32\WPDShextAutoplay.exe [MS]
WIA_{EE918E8B-FA2D-476E-A091-6B543758EF7E}\
Provider = Picasa2
CLSID = {A55803CC-4D53-404c-8557-FD63DBA95D24}
InitCmdLine = /WiaCmd;C:\Program Files\Picasa2\PicasaMediaDetector.exe /StiDevice:%1 /StiEvent:%2;
-> {HKLM...CLSID} = WPDShextAutoplay
\LocalServer32\(Default) = C:\Windows\system32\WPDShextAutoplay.exe [MS]
Windows Sidebar Gadgets: {++}
------------------------
C:\Users\roxio\AppData\Local\Microsoft\Windows Sidebar\Settings.ini
%PROGRAMFILES%\windows sidebar\gadgets\Clock.gadget
%PROGRAMFILES%\windows sidebar\gadgets\SlideShow.Gadget
%PROGRAMFILES%\windows sidebar\gadgets\RSSFeeds.Gadget
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = %SystemRoot%\system32\NLAapi.dll [MS]
000000000002\LibraryPath = %SystemRoot%\system32\napinsp.dll [MS]
000000000003\LibraryPath = %SystemRoot%\system32\pnrpnsp.dll [MS]
000000000004\LibraryPath = %SystemRoot%\system32\pnrpnsp.dll [MS]
000000000005\LibraryPath = %SystemRoot%\System32\mswsock.dll [MS]
000000000006\LibraryPath = %SystemRoot%\System32\winrnr.dll [MS]
Transport Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 34
Toolbars, Explorer Bars, Extensions:
------------------------------------
Explorer Bars
HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = &Research
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL [MS]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{2670000A-7350-4F3C-8081-5663EE0C6C49}\
ButtonText = Send to OneNote
MenuText = S&end to OneNote
CLSIDExtension = {48E73304-E1D6-4330-914C-F5F514E3486C}
-> {HKLM...CLSID} = Send to OneNote from Internet Explorer button
\InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll [MS]
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
ButtonText = Research
BandCLSID = {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
-> {HKLM...CLSID} = &Research
\InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL [MS]
Miscellaneous IE Hijack Points
------------------------------
HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
Adobe Acrobat Update Service, AdobeARMservice, "C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe" [Adobe Systems Incorporated]
Microsoft Antimalware Service, MsMpSvc, "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [MS]
Windows Presentation Foundation Font Cache 3.0.0.0, FontCache3.0.0.0, C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [MS]
Safe Mode Drivers & Services (subkey name, subkey default value):
-----------------------------------------------------------------
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\
<<!>> !SASCORE,
<<!>> MsMpSvc, Service
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\
<<!>> !SASCORE,
<<!>> MsMpSvc, Service
Print Monitors:
---------------
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Send To Microsoft OneNote Monitor\Driver = msonpmon.dll [MS]
---------- (launch time: 2014-04-30 22:28:33)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 573 seconds.
---------- (total run time: 1026 seconds)