Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Help History is Reeating Itself


  • Please log in to reply
No replies to this topic

#1 marytwelveponies

marytwelveponies

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:03:14 PM

Posted 14 December 2008 - 02:30 PM

Help me, please!

I am sick of reformatting and hunting down programs and drivers to backup. I use my PC for a variety of things but there are no conflicts or resource sharing that I'm aware of. I have added dual monitors on a video card, a hard drive and 2 RAM cards. The original was tiny. OS is XP Home. Had Norton in past but properly uninstalled (and since reformatted) to switch to McAfee. Also have evolved from Dial-Up to Satellite to present DSL.

Symptoms are oddly similar each time I have a problem. Some Internet Explorer 7 settings or trusted sites change (why would I ever add "about:blank" to the trusted sites list?) after having page errors and OCX errors. Explorer is closed for my protection.

I am good at identifying suspicious processes, etc. I never end anything, I have always just reformatted. I see an anonymous login by an unidentified process or application in security events though I cannot identify it in the task manager or other methods I have to list running processes. I have tons of empty hive keys and null entries. I have one program this can be explained for; I hate it but have no other to use so I shout off offensive parts because custom install omission causes other parts to not work right. My CPU gets full up and even though buffer overflow settings are recommended applied, I am afraid something is stealing spilt info or using it to get in. I have had unsolicited inbound attempts from untraceable very different IP addresses before. Finally, the icing on the cake right before TSHTF is when the security program I am running acts like it has a mind of its own or it begins to break down and not perform. I do not have Windows Firewall running ever, just security program purchased from vendor. There are many more symptoms, just start here and decide what to ask.

Here is a current Silent Runners.vbs
"Silent Runners.vbs", revision 59, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"H/PC Connection Agent" = ""Z:\Program Files\ActiveSync 4.5\Wcescomm.exe"" [MS]
"NVIDIA nTune" = ""Z:\Program Files\nTune\nTuneCmd.exe" clear" ["NVIDIA"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"Windows Defender" = ""C:\Program Files\Windows Defender\MSASCui.exe" -hide" [MS]
"mcagent_exe" = ""C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey" ["McAfee, Inc."]
"McENUI" = "C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide" ["McAfee, Inc."]
"McAfee Backup" = ""C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe"" [null data]

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
{8b15971b-5355-4c82-8c07-7e181ea07608}\(Default) = "Fax"
\StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.UnInstall.PerUser" [MS]
{94de52c8-2d59-4f1b-883e-79663d2d9a8c}\(Default) = "Fax Provider"
\StubPath = "rundll32.exe C:\WINDOWS\system32\Setup\FxsOcm.dll,XP_UninstallProvider" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{27B4851A-3207-45A2-B947-BE8AFE6163AB}\(Default) = "McAfee Phishing Filter"
-> {HKLM...CLSID} = "McAfee Phishing Filter"
\InProcServer32\(Default) = "c:\PROGRA~1\mcafee\msk\mskapbho.dll" ["McAfee, Inc."]
{5CA3D70E-1895-11CF-8E15-001234567890}\(Default) = (no title provided)
-> {HKLM...CLSID} = "DriveLetterAccess"
\InProcServer32\(Default) = "C:\WINDOWS\System32\DLA\DLASHX_W.DLL" ["Sonic Solutions"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Java™ Plug-In SSV Helper"
\InProcServer32\(Default) = "C:\Program Files\Java\jre6\bin\ssv.dll" ["Sun Microsystems, Inc."]
{7DB2D5A0-7241-4E79-B68D-6309F01C5231}\(Default) = "scriptproxy"
-> {HKLM...CLSID} = "scriptproxy"
\InProcServer32\(Default) = "C:\Program Files\McAfee\VirusScan\scriptsn.dll" ["McAfee, Inc."]
{7E853D72-626A-48EC-A868-BA8D5E23E045}\(Default) = (no title provided)
-> {HKCU...CLSID} = "Windows Live Call HoverToCall class"
\InProcServer32\(Default) = "C:\Program Files\MSN Messenger\htc.8.1.0178.00.dll" [file not found]
{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Windows Live Sign-in Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]
{B164E929-A1B6-4A06-B104-2CD0E90A88FF}\(Default) = (no title provided)
-> {HKLM...CLSID} = "McAfee SiteAdvisor BHO"
\InProcServer32\(Default) = "c:\PROGRA~1\mcafee\siteadvisor\mcieplg.dll" ["McAfee, Inc."]
{DBC80044-A445-435b-BC74-9C25C1C588A9}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Java™ Plug-In 2 SSV Helper"
\InProcServer32\(Default) = "C:\Program Files\Java\jre6\bin\jp2ssv.dll" ["Sun Microsystems, Inc."]
{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\(Default) = "JQSIEStartDetectorImpl"
-> {HKLM...CLSID} = "JQSIEStartDetectorImpl Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll" ["Sun Microsystems, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
-> {HKLM...CLSID} = "History Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\msohevi.dll" [MS]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{49BF5420-FA7F-11cf-8011-00A0C90A8F78}" = "Mobile Device"
-> {HKLM...CLSID} = "Mobile Device"
\InProcServer32\(Default) = "Z:\PROGRA~1\ACTIVE~1.5\Wcesview.dll" [MS]
"{0FB82570-BB2D-23D3-8D3B-AC2F34F1FA3C}" = "RXDCExtShlExt extension"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Roxio\Virtual Drive 8\DC_ShellExt.dll" [null data]
"{5CA3D70E-1895-11CF-8E15-001234567890}" = "DriveLetterAccess"
-> {HKLM...CLSID} = "DriveLetterAccess"
\InProcServer32\(Default) = "C:\WINDOWS\System32\DLA\DLASHX_W.DLL" ["Sonic Solutions"]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
-> {HKLM...CLSID} = "Universal Plug and Play Devices"
\InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
-> {HKLM...CLSID} = "My Sharing Folders"
\InProcServer32\(Default) = "C:\Program Files\Windows Live\Messenger\fsshext.8.5.1302.1018.dll" [MS]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" = "Microsoft AntiMalware ShellExecuteHook"
-> {HKLM...CLSID} = "Microsoft AntiMalware ShellExecuteHook"
\InProcServer32\(Default) = "C:\PROGRA~1\Windows Defender\MpShHook.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> RDM+\DLLName = "C:\Program Files\RDM+\notify.dll" [null data]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
McCtxMenu\(Default) = "{01576F39-90DE-4D6E-A068-5B20C22BAAEE}"
-> {HKLM...CLSID} = "CtxMenu Class"
\InProcServer32\(Default) = "c:\PROGRA~1\mcafee\virusscan\mcctxmnu.dll" ["McAfee, Inc."]
RXDCExtSvr\(Default) = "{0FB82570-BB2D-23D3-8D3B-AC2F34F1FA3C}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Roxio\Virtual Drive 8\DC_ShellExt.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
McCtxMenu\(Default) = "{01576F39-90DE-4D6E-A068-5B20C22BAAEE}"
-> {HKLM...CLSID} = "CtxMenu Class"
\InProcServer32\(Default) = "c:\PROGRA~1\mcafee\virusscan\mcctxmnu.dll" ["McAfee, Inc."]
RXDCExtSvr\(Default) = "{0FB82570-BB2D-23D3-8D3B-AC2F34F1FA3C}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Roxio\Virtual Drive 8\DC_ShellExt.dll" [null data]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoCDBurning" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoDeletePrinter" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoAddPrinter" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"NoDispBackgroundPage" = (REG_DWORD) dword:0x00000000
{Hide Desktop tab}

"NoDispScrSavPage" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoDispCPL" = (REG_DWORD) dword:0x00000000
{Remove Display in Control Panel}

"NoDispAppearancePage" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"DisableTaskMgr" = (REG_DWORD) dword:0x00000000
{Remove Task Manager}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Devices: Allow undock without having to log on}

"HideShutdownScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Marytwelveponies\Application Data\nView_Wallpaper\PerMonitorWallpaper0.bmp"


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

HPUnloadAutoplay\
"Provider" = "HP Photosmart Transfer Software"
"InvokeProgID" = "HpqUnApl.Autoplay"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\HpqUnApl.Autoplay\shell\Play\DropTarget\CLSID = "{E1A1C814-FD09-4c9d-BB4A-0394B836A1F0}"
-> {HKLM...CLSID} = (no title provided)
\LocalServer32\(Default) = "Z:\Program Files\HP\Digital Imaging\Unload\HpqUnApl.exe" ["Hewlett-Packard"]

MediaCapture8Music\
"Provider" = "Media Import 8"
"InvokeProgID" = "RoxioMediaCapture8"
"InvokeVerb" = "Audio"
HKLM\SOFTWARE\Classes\RoxioMediaCapture8\shell\Audio\command\(Default) = "C:\Program Files\Roxio\Media Import 8\MediaCapture8.exe -audio %L" ["Sonic Solutions"]

MediaCapture8Photos\
"Provider" = "Media Import 8"
"InvokeProgID" = "RoxioMediaCapture8"
"InvokeVerb" = "Photo"
HKLM\SOFTWARE\Classes\RoxioMediaCapture8\shell\Photo\command\(Default) = "C:\Program Files\Roxio\Media Import 8\MediaCapture8.exe -photo %L" ["Sonic Solutions"]

MediaCapture8VideoCamera\
"Provider" = "Media Import 8"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "C:\Program Files\Roxio\Media Import 8\MediaCapture8.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "ShellExecute HW Event Handler"
\LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

MediaCapture8Videos\
"Provider" = "Media Import 8"
"InvokeProgID" = "RoxioMediaCapture8"
"InvokeVerb" = "Video"
HKLM\SOFTWARE\Classes\RoxioMediaCapture8\shell\Video\command\(Default) = "C:\Program Files\Roxio\Media Import 8\MediaCapture8.exe -video %L" ["Sonic Solutions"]

MPCPlayCDAudioOnArrival\
"Provider" = "Media Player Classic"
"InvokeProgID" = "MediaPlayerClassic.Autorun"
"InvokeVerb" = "PlayCDAudio"
HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayCDAudio\command\(Default) = ""C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %1 /cd" ["Gabest"]

MPCPlayDVDMovieOnArrival\
"Provider" = "Media Player Classic"
"InvokeProgID" = "MediaPlayerClassic.Autorun"
"InvokeVerb" = "PlayDVDMovie"
HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayDVDMovie\command\(Default) = ""C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %1 /dvd" ["Gabest"]

MPCPlayMusicFilesOnArrival\
"Provider" = "Media Player Classic"
"InvokeProgID" = "MediaPlayerClassic.Autorun"
"InvokeVerb" = "PlayMusicFiles"
HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayMusicFiles\command\(Default) = ""C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %1" ["Gabest"]

MPCPlayVideoFilesOnArrival\
"Provider" = "Media Player Classic"
"InvokeProgID" = "MediaPlayerClassic.Autorun"
"InvokeVerb" = "PlayVideoFiles"
HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayVideoFiles\command\(Default) = ""C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %1" ["Gabest"]

MSWPDShellNamespaceHandler\
"Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = " "
-> {HKLM...CLSID} = "WPDShextAutoplay"
\LocalServer32\(Default) = "C:\WINDOWS\system32\WPDShextAutoplay.exe" [MS]

RoxioCreator8PlayCDAudioOnArrival\
"Provider" = "Roxio Creator Classic"
"InvokeProgID" = "Creator8"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\Creator8\shell\open\Command\(Default) = "C:\Program Files\Roxio\Creator Classic 8\creator8.exe" ["Sonic Solutions"]

RoxioSCAudioCDTask\
"Provider" = "Roxio Creator Audio"
"InvokeProgID" = "Roxio.RoxioCentral"
"InvokeVerb" = "AudioCDTask"
HKLM\SOFTWARE\Classes\Roxio.RoxioCentral\shell\AudioCDTask\Command\(Default) = ""C:\Program Files\Common Files\Roxio Shared\Roxio Central\Main\Roxio_Central.exe" /Launch {1027424E-DBC9-408F-ABBD-EAFE2A60C7B3}" [null data]

RoxioSCCopyCD\
"Provider" = "Roxio Creator Copy"
"InvokeProgID" = "Roxio.RoxioCentral"
"InvokeVerb" = "ExactCopyJob"
HKLM\SOFTWARE\Classes\Roxio.RoxioCentral\shell\ExactCopyJob\Command\(Default) = ""C:\Program Files\Common Files\Roxio Shared\Roxio Central\Main\Roxio_Central.exe" /Launch {1EB00EA0-F400-4283-8721-66F70DD609F4}" [null data]

RoxioSCCopyDisc\
"Provider" = "Roxio Creator Copy"
"InvokeProgID" = "Roxio.RoxioCentral"
"InvokeVerb" = "ExactCopyJob"
HKLM\SOFTWARE\Classes\Roxio.RoxioCentral\shell\ExactCopyJob\Command\(Default) = ""C:\Program Files\Common Files\Roxio Shared\Roxio Central\Main\Roxio_Central.exe" /Launch {1EB00EA0-F400-4283-8721-66F70DD609F4}" [null data]

RoxioSCDataProject\
"Provider" = "Roxio Creator Data"
"InvokeProgID" = "Roxio.RoxioCentral"
"InvokeVerb" = "DataGuide"
HKLM\SOFTWARE\Classes\Roxio.RoxioCentral\shell\DataGuide\Command\(Default) = ""C:\Program Files\Common Files\Roxio Shared\Roxio Central\Main\Roxio_Central.exe" /Launch Data" [null data]

RoxioSCDataTask\
"Provider" = "Roxio Creator Data"
"InvokeProgID" = "Roxio.RoxioCentral"
"InvokeVerb" = "DataTask"
HKLM\SOFTWARE\Classes\Roxio.RoxioCentral\shell\DataTask\Command\(Default) = ""C:\Program Files\Common Files\Roxio Shared\Roxio Central\Main\Roxio_Central.exe" /Launch {ED4BAA5E-6B20-4724-BE60-50510F2DA981}" [null data]

SonicDVDVideoArrival\
"Provider" = "Sonic CinePlayer"
"InvokeProgID" = "Sonic.CinePlayer.MediaFile"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\Sonic.CinePlayer.MediaFile\shell\play\command\(Default) = "C:\Program Files\Roxio\CinePlayer\CinePlayer.exe /play %1" ["Sonic Solutions"]


Startup items in "Marytwelveponies" & "All Users" startup folders:
------------------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"HP Digital Imaging Monitor" -> shortcut to: "Z:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" ["Hewlett-Packard Development Company, L.P."]


Enabled Scheduled Tasks:
------------------------

"McDefragTask" -> launches: "c:\PROGRA~1\mcafee\mqc\QcConsol.exe "C:\WINDOWS\system32\defrag.exe" C: -f" ["McAfee, Inc."]
"McQcTask" -> launches: "c:\PROGRA~1\mcafee\mqc\QcConsol.exe 14 0" ["McAfee, Inc."]
"Windows Update" -> launches: "C:\WINDOWS\system32\wupdmgr.exe" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 20
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{F2CF5485-4E02-4F68-819C-B92DE9277049}"
-> {HKLM...CLSID} = "&Links"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064}" = "McAfee SiteAdvisor"
-> {HKLM...CLSID} = "McAfee SiteAdvisor Toolbar"
\InProcServer32\(Default) = "c:\PROGRA~1\mcafee\siteadvisor\mcieplg.dll" ["McAfee, Inc."]

BC AdBot (Login to Remove)

 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users