Browser Hijack


  • This topic is locked
8 replies to this topic

#1 Bahhh


Posted 03 March 2011 - 08:33 PM

Hi there, thanks to all the great people who help out on here. I'm usually ok with keeping my PC running ok but met my match with a browser hijacker this week.

Running XP on a PC
Hijack affects both Chrome and IE, not sure about Firefox.
Ran AVG and Malware Bytes, didn't come up with anything but AVG has sounded alarm like 3 times recently and removed something on its own.
Random redirection to stupid shopping and medical sites on probably 1/5th of attempts to open sites from search engine (Google).

I have had a BSOD problem in the past but I'm not sure if they are related. It was telling me a graphics card driver was sticking in an infinite feedback loop. Solved it with a system restore.

Here is the DDS...

Thanks in advance! You are a great group of people :)


DDS (Ver_10-12-12.02) - NTFSx86
Run by Drew at 17:46:59.93 on Thu 03/03/2011
internet explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2069 [GMT -7:00]

AV: AVG Internet Security *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
svchost.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Drew\My Documents\Downloads\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Drew\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Drew\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Drew\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Drew\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Drew\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Drew\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Drew\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Drew\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Drew\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\PROGRA~1\MEDIAM~1\MEDIAM~2.EXE
C:\Documents and Settings\Drew\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Drew\My Documents\Downloads\dds.scr
C:\Documents and Settings\Drew\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

============== Running Processes ===============

C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Documents and Settings\Drew\My Documents\Downloads\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Drew\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Drew\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Drew\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Drew\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Drew\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Drew\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Drew\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Drew\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Drew\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\PROGRA~1\MEDIAM~1\MEDIAM~2.EXE
C:\Documents and Settings\Drew\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Drew\My Documents\Downloads\dds.scr
C:\Documents and Settings\Drew\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\Drew\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter

============== Pseudo HJT Report ===============


SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 ©

HKEY_CURRENT_USER\software\microsoft\internet explorer\main
Disable Script Debugger REG_SZ yes
Anchor Underline REG_SZ yes
Cache_Update_Frequency REG_SZ Once_Per_Session
Display Inline Images REG_SZ yes
Do404Search REG_BINARY 01000000
Save_Session_History_On_Exit REG_SZ no
Show_FullURL REG_SZ no
Show_StatusBar REG_SZ yes
Show_ToolBar REG_SZ yes
Show_URLinStatusBar REG_SZ yes
Show_URLToolBar REG_SZ yes
Use_DlgBox_Colors REG_SZ yes
Search Bar REG_SZ http://www.google.com/ie
XMLHTTP REG_DWORD 1 (0x1)
UseClearType REG_SZ yes
SearchMigrated REG_DWORD 1 (0x1)
SearchMigratedDefaultName REG_SZ Google
SearchMigratedDefaultURL REG_SZ http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
Expand Alt Text REG_SZ no
Move System Caret REG_SZ no
NoUpdateCheck REG_DWORD 1 (0x1)
NscSingleExpand REG_DWORD 0 (0x0)
DisableScriptDebuggerIE REG_SZ yes
Error Dlg Displayed On Every Error REG_SZ no
Page_Transitions REG_DWORD 1 (0x1)
FavIntelliMenus REG_SZ no
Enable Browser Extensions REG_SZ yes
UseThemes REG_DWORD 1 (0x1)
EnableSearchPane REG_DWORD 0 (0x0)
Force Offscreen Composition REG_DWORD 0 (0x0)
NotifyDownloadComplete REG_SZ yes
AllowWindowReuse REG_DWORD 1 (0x1)
Friendly http errors REG_SZ yes
SmoothScroll REG_DWORD 1 (0x1)
Enable AutoImageResize REG_SZ yes
Play_Animations REG_SZ yes
Play_Background_Sounds REG_SZ yes
Show image placeholders REG_DWORD 0 (0x0)
Print_Background REG_SZ no
AutoSearch REG_DWORD 4 (0x4)
FullScreen REG_SZ no
Window_Placement REG_BINARY 2c00000002000000030000000083ffff0083ffffffffffffffffffff590000002b0000007903000083020000
CompatibilityFlags REG_DWORD 0 (0x0)
SearchMigratedInstalled REG_DWORD 1 (0x1)
ShowedCheckBrowser REG_SZ Yes
Check_Associations REG_SZ no
RunOnceHasShown REG_DWORD 1 (0x1)
AutoHide REG_SZ yes
Use FormSuggest REG_SZ yes
AddToFavoritesExpanded REG_DWORD 0 (0x0)

HKEY_CURRENT_USER\software\microsoft\internet explorer\main\Default Feeds

HKEY_CURRENT_USER\software\microsoft\internet explorer\main\FeatureControl

SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 ©

HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\main
Enable_Disk_Cache REG_SZ yes
Cache_Percent_of_Disk REG_BINARY 0a000000
Delete_Temp_Files_On_Exit REG_SZ yes
Anchor_Visitation_Horizon REG_BINARY 01000000
Use_Async_DNS REG_SZ yes
Placeholder_Width REG_BINARY 1a000000
Placeholder_Height REG_BINARY 1a000000
CompanyName REG_SZ Microsoft Corporation
Custom_Key REG_SZ MICROSO
Wizard_Version REG_SZ 6.0.2600.0000
Default_Secondary_Page_URL REG_MULTI_SZ \0\0
Extensions Off Page REG_SZ about:NoAdd-ons
Security Risk Page REG_SZ about:SecurityRisk
Check_Associations REG_SZ yes

HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\main\ErrorThresholds

HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\main\FeatureControl

HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\main\UrlTemplate

SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 ©

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings
User Agent REG_SZ Mozilla/4.0 (compatible; MSIE 7.0; Win32)
IE5_UA_Backup_Flag REG_SZ 5.0
NoNetAutodial REG_DWORD 1 (0x1)
MigrateProxy REG_DWORD 1 (0x1)
EmailName REG_SZ IEUser@
AutoConfigProxy REG_SZ wininet.dll
MimeExclusionListForCache REG_SZ multipart/mixed multipart/x-mixed-replace multipart/x-byteranges
WarnOnPost REG_BINARY 01000000
UseSchannelDirectly REG_BINARY 01000000
EnableHttp1_1 REG_DWORD 1 (0x1)
PrivacyAdvanced REG_DWORD 0 (0x0)
EnableNegotiate REG_DWORD 1 (0x1)
ProxyEnable REG_DWORD 0 (0x0)
EnableAutodial REG_DWORD 1 (0x1)
SecureProtocols REG_DWORD 160 (0xa0)
PrivDiscUiShown REG_DWORD 1 (0x1)
WarnonZoneCrossing REG_DWORD 0 (0x0)
WarnOnIntranet REG_DWORD 1 (0x1)
ProxyHttp1.1 REG_DWORD 1 (0x1)
ShowPunycode REG_DWORD 0 (0x0)
EnablePunycode REG_DWORD 1 (0x1)
UrlEncoding REG_DWORD 0 (0x0)
DisableIDNPrompt REG_DWORD 0 (0x0)
CertificateRevocation REG_DWORD 0 (0x0)
DisableCachingOfSSLPages REG_DWORD 0 (0x0)
WarnonBadCertRecving REG_DWORD 1 (0x1)
WarnOnPostRedirect REG_DWORD 1 (0x1)
ProxyOverride REG_SZ *.local
GlobalUserOffline REG_DWORD 0 (0x0)

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\5.0

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\Cache

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\Connections

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\Lockdown_Zones

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\P3P

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\Protocols

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\ZoneMap

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\Zones

SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 ©

Error: Key: software\microsoft\internet explorer\search does not exist!

usearchurl,(default) = hxxp://www.google.com/search?q=%s

SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 ©

Error: Key: software\microsoft\internet explorer\search does not exist!

SteelWerX Registry Console Tool 2.0URLSearchHooks: H - No File
Written by Bobbi Flekman 2006 ©URLSearchHooks: H - No File
HKEY_CURRENT_USER\software\microsoft\internet explorer\urlsearchhooksURLSearchHooks: H - No File
SteelWerX Registry Console Tool 2.0URLSearchHooks: H - No File
Written by Bobbi Flekman 2006 ©URLSearchHooks: H - No File
Error: Key: software\microsoft\internet explorer\urlsearchhooks does not exist!URLSearchHooks: H - No File
SteelWerX Registry Console Tool 2.0URLSearchHooks: H - No File
Written by Bobbi Flekman 2006 ©URLSearchHooks: H - No File
HKEY_USERS\.default\software\microsoft\internet explorer\urlsearchhooksURLSearchHooks: H - No File
{A3BC75A2-1F87-4686-AA43-5347D756017C}URLSearchHooks: H - No File

SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 ©

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon
AutoRestartShell REG_DWORD 1 (0x1)
DefaultUserName REG_SZ Drew
LegalNoticeCaption REG_SZ
LegalNoticeText REG_SZ
PowerdownAfterShutdown REG_SZ 0
ReportBootOk REG_SZ 1
Shell REG_SZ Explorer.exe
ShutdownWithoutLogon REG_SZ 0
System REG_SZ
Userinit REG_SZ c:\WINDOWS\system32e\userinit.exe,
VmApplet REG_SZ rundll32 shell32,Control_RunDLL "sysdm.cpl"
SfcQuota REG_DWORD -1 (0xffffffff)
allocatecdroms REG_SZ 0
allocatedasd REG_SZ 0
allocatefloppies REG_SZ 0
cachedlogonscount REG_SZ 10
forceunlocklogon REG_DWORD 0 (0x0)
passwordexpirywarning REG_DWORD 14 (0xe)
scremoveoption REG_SZ 0
AllowMultipleTSSessions REG_DWORD 1 (0x1)
UIHost REG_EXPAND_SZ logonui.exe
LogonType REG_DWORD 1 (0x1)
Background REG_SZ 0 0 0
DebugServerCommand REG_SZ no
SFCDisable REG_DWORD 0 (0x0)
WinStationsDisabled REG_SZ 0
HibernationPreviouslyEnabled REG_DWORD 1 (0x1)
ShowLogonOptions REG_DWORD 0 (0x0)
AltDefaultUserName REG_SZ Drew
AltDefaultDomainName REG_SZ BASE
DefaultDomainName REG_SZ BASE

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\SpecialAccounts

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Credentials

SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 ©

HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon
ParseAutoexec REG_SZ 1
ExcludeProfileDirs REG_SZ Local Settings;Temporary Internet Files;History;Temp
BuildNumber REG_DWORD 2600 (0xa28)

SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 ©

HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows
DebugOptions REG_SZ 2048
Documents REG_SZ
DosPrint REG_SZ no
load REG_SZ
NetMessage REG_SZ no
NullPort REG_SZ None
Programs REG_SZ com exe bat pif cmd
Device REG_SZ HP Deskjet D2600 series,winspool,Ne03:
BHO: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} - No File
BHO: <NO NAME> - No File
BHO: NoExplorer - No File
BHO: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: <NO NAME> - No File
BHO: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: <NO NAME> - No File
BHO: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - No File
BHO: <NO NAME> - No File
BHO: NoExplorer - No File
BHO: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{9030D464-4C02-4ABF-8ECC-5164760863C6} - No File
BHO: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{A3BC75A2-1F87-4686-AA43-5347D756017C} - No File
BHO: NoExplorer - No File
BHO: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{DBC80044-A445-435b-BC74-9C25C1C588A9} - No File
BHO: NoExplorer - No File
BHO: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - No File
BHO: NoExplorer - No File
BHO: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C} - No File
BHO: <NO NAME> - No File
BHO: NoExplorer - No File
urun: [Google Update] "c:\Documents and Settings\Drew\Local Settings\Application Data\Google\Updatee\GoogleUpdate.exe" /c
urun: [JumiController] c:\Program Files\Jumie\Jumi.exe
mrun: [AVG9_TRAY] c:\PROGRA~1\AVG\AVG9e\avgtray.exe
mrun: [QuickTime Task] "c:\Program Files\QuickTimee\QTTask.exe" -atboottime
mrun: [iTunesHelper] "c:\Program Files\iTunese\iTunesHelper.exe"
mrun: [nmctxth] "c:\Program Files\Common Files\Pure Networks Shared\Platforme\nmctxth.exe"
mrun: [Adobe Reader Speed Launcher] "c:\Program Files\Adobe\Reader 9.0\Readere\Reader_sl.exe"
mrun: [Adobe ARM] "c:\Program Files\Common Files\Adobe\ARM\1.0e\AdobeARM.exe"
mrun: [IgfxTray] c:\WINDOWS\system32e\igfxtray.exe
mrun: [HotKeysCmds] c:\WINDOWS\system32e\hkcmd.exe
mrun: [Persistence] c:\WINDOWS\system32e\igfxpers.exe
mrun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
c:\DOCUME~1\Drew\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Documents and Settings\Drew\Application Data\Dropbox\bine\Dropbox.exe

ie: SteelWerX Registry Console Tool 2.0
ie: Written by Bobbi Flekman 2006 ©

ie: HKEY_CURRENT_USER\software\microsoft\internet explorer\menuext

ie: HKEY_CURRENT_USER\software\microsoft\internet explorer\menuext\Add to Google Photos Screensa&ver
ie: <NO NAME> REG_SZ res://c:\WINDOWS\system32e\GPhotos.scr/200
ie: Contexts REG_DWORD 34 (0x22)

ie: {SteelWerX Registry Console Tool 2.0
ie: {Written by Bobbi Flekman 2006 ©

ie: {HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\extensions

ie: {HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\extensions\{219C3416-8CB2-491a-A3C7-D9FCDDC9D600}
ie: { ButtonText - REG_SZ Blog This
ie: { HotIcon - REG_SZ c:\Program Files\Windows Live\Writere\WriterBrowserExtension.dll,201
ie: { Icon - REG_SZ c:\Program Files\Windows Live\Writere\WriterBrowserExtension.dll,201
ie: { Default Visible - REG_SZ Yes
ie: { MenuText - REG_SZ &Blog This in Windows Live Writer

ie: {HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\extensions\{e2e2dd38-d088-4134-82b7-f2ba38496583}
ie: { MenuText - REG_SZ @xpsp3res.dll,-20001
ie: { Exec - REG_SZ %windir%\Network Diagnostic\xpnetdiag.exe

ie: {HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ie: { ButtonText - REG_SZ Messenger
ie: { Default Visible - REG_SZ Yes
ie: { Exec - REG_SZ c:\Program Files\Messengere\msmsgs.exe
ie: { HotIcon - REG_SZ c:\Program Files\Messengere\msmsgs.exe,302
ie: { Icon - REG_SZ c:\Program Files\Messengere\msmsgs.exe,301
ie: { MenuText - REG_SZ Windows Messenger
ie: { ToolTip - REG_SZ Windows Messenger
IE: { CLSID - REG_SZ {1FBA04EE-3024-11d2-8F1F-0000F87ABD16} - {1fba04ee-3024-11d2-8f1f-0000f87abd16}\inprocserver32 does not exist!
IE: { ClsidExtension - REG_SZ {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - {5f7b1267-94a9-47f5-98db-e99415f33aec}\inprocserver32 does not exist!
IE: { CLSID - REG_SZ {1FBA04EE-3024-11d2-8F1F-0000F87ABD16} - {1fba04ee-3024-11d2-8f1f-0000f87abd16}\inprocserver32 does not exist!
IE: { CLSID - REG_SZ {1FBA04EE-3024-11D2-8F1F-0000F87ABD16} - {1fba04ee-3024-11d2-8f1f-0000f87abd16}\inprocserver32 does not exist!



SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 ©

HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units

HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{5ED80217-570B-4DA9-BF44-BE107C0EC166}
SystemComponent REG_DWORD 0 (0x0)
Installer REG_SZ MSICD

HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{5ED80217-570B-4DA9-BF44-BE107C0EC166}\Contains

HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{5ED80217-570B-4DA9-BF44-BE107C0EC166}\Contains\Files
c:\WINDOWS\Downloaded Program Filese\wlscBase.dll REG_SZ

HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{5ED80217-570B-4DA9-BF44-BE107C0EC166}\DownloadInformation
CODEBASE REG_SZ http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
INF REG_SZ c:\WINDOWS\Downloaded Program Filese\wlscBase.inf

HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{5ED80217-570B-4DA9-BF44-BE107C0EC166}\InstalledVersion
<NO NAME> REG_SZ 1,11,8942,1
LastModified REG_SZ Thu, 15 Oct 2009 05:44:10 GMT

HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{8AD9C840-044E-11D1-B3E9-00805F499D93}
<NO NAME> REG_SZ Java Runtime Environment 1.6.0
Installer REG_SZ MSICD

HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\Contains

HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\DownloadInformation
CODEBASE REG_SZ http://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
INF REG_SZ

HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\InstalledVersion
<NO NAME> REG_SZ 1.6.0.14

HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
<NO NAME> REG_SZ Java Runtime Environment 1.6.0
Installer REG_SZ MSICD

HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\Contains

HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\DownloadInformation
CODEBASE REG_SZ http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
INF REG_SZ

HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\InstalledVersion
<NO NAME> REG_SZ 1.6.0.7

HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
<NO NAME> REG_SZ Java Runtime Environment 1.6.0
Installer REG_SZ MSICD

HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\Contains

HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\DownloadInformation
CODEBASE REG_SZ http://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
INF REG_SZ

HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\InstalledVersion
<NO NAME> REG_SZ 1.6.0.14

HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
<NO NAME> REG_SZ Java Runtime Environment 1.6.0
Installer REG_SZ MSICD

HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\Contains

HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\DownloadInformation
CODEBASE REG_SZ http://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
INF REG_SZ

HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\InstalledVersion
<NO NAME> REG_SZ 1.6.0.14

HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{E06E2E99-0AA1-11D4-ABA6-0060082AA75C}

HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{E06E2E99-0AA1-11D4-ABA6-0060082AA75C}\Contains

HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{E06E2E99-0AA1-11D4-ABA6-0060082AA75C}\Contains\Files
c:\Program Files\WebExe\ieatgpc.dll REG_SZ

HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{E06E2E99-0AA1-11D4-ABA6-0060082AA75C}\DownloadInformation
CODEBASE REG_SZ
INF REG_SZ c:\Program Files\WebExe\ieatgpc.inf

HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{E06E2E99-0AA1-11D4-ABA6-0060082AA75C}\InstalledVersion
LastModified REG_SZ

SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 ©

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters
NameServer REG_SZ
CLSID - REG_SZ {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -
CLSID - REG_SZ {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
CLSID - REG_SZ {4746C79A-2042-4332-8650-48966E44ABA8} -
ssodl: wpdshserviceobj - {aaa288ba-9a4c-45b0-95d7-94d524869db5} - c:\WINDOWS\system32e\WPDShServiceObj.dll

SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 ©

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
d; /.* /!d; s//securityproviders: /
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 ©

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
d;/^((authentication|notification) packages) .* /i!d; s//lsa: 1 = /
Authentication Packages REG_MULTI_SZ msv1_0
Bounds REG_BINARY 0030000000200000
d;/^((authentication|notification) packages) .* /i!d; s//lsa: 1 = /
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest
ImpersonatePrivilegeUpgradeToolHasRun REG_DWORD 1 (0x1)
LsaPid REG_DWORD 808 (0x328)
SecureBoot REG_DWORD 1 (0x1)
auditbaseobjects REG_DWORD 0 (0x0)
crashonauditfail REG_DWORD 0 (0x0)
disabledomaincreds REG_DWORD 0 (0x0)
everyoneincludesanonymous REG_DWORD 0 (0x0)
fipsalgorithmpolicy REG_DWORD 0 (0x0)
forceguest REG_DWORD 1 (0x1)
fullprivilegeauditing REG_BINARY 00
limitblankpassworduse REG_DWORD 1 (0x1)
lmcompatibilitylevel REG_DWORD 0 (0x0)
nodefaultadminowner REG_DWORD 1 (0x1)
nolmhash REG_DWORD 0 (0x0)
restrictanonymous REG_DWORD 0 (0x0)
restrictanonymoussam REG_DWORD 1 (0x1)
d;/^((authentication|notification) packages) .* /i!d; s//lsa: 1 = /
Notification Packages REG_MULTI_SZ scecli

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\AccessProviders

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\Audit

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\Data

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\GBG

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\JD

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\Kerberos

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\MSV1_0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\Skew1

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\SSO

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\SspiCache

SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 ©

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\subsystems
windows REG_EXPAND_SZ %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\WINDOWS\system32\driverse\AVGIDSxx.sys [2010-5-11 25168]
R0 AvgRkx86;avgrkx86.sys;c:\WINDOWS\system32\driverse\avgrkx86.sys [2009-2-28 52872]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\WINDOWS\system32\driverse\avgldx86.sys [2009-2-28 216400]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\WINDOWS\system32\driverse\avgmfx86.sys [2009-2-28 29584]
R1 AvgTdiX;AVG Network Redirector;c:\WINDOWS\system32\driverse\avgtdix.sys [2009-2-28 243024]
R2 avg9emc;AVG E-mail Scanner;c:\Program Files\AVG\AVG9e\avgemc.exe [2010-6-22 921952]
R2 avg9wd;AVG WatchDog;c:\Program Files\AVG\AVG9e\avgwdsvc.exe [2010-6-22 308136]
R2 AVGIDSAgent;AVG9IDSAgent;c:\Program Files\AVG\AVG9\Identity Protection\Agent\Bine\AVGIDSAgent.exe [2010-6-22 5897808]
R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XPe\AVGIDSDriver.sys [2010-5-11 122448]
R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XPe\AVGIDSFilter.sys [2010-5-11 30288]
R3 AVGIDSShimxpx;AVG9IDSShim;c:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XPe\AVGIDSShim.sys [2010-5-11 26192]
R3 jumi;%Jumi%;c:\WINDOWS\system32\driverse\jumi.sys [2010-6-3 13112]
S2 gupdate1c9aa8cff812f1d;Google Update Service (gupdate1c9aa8cff812f1d);c:\Program Files\Google\Updatee\GoogleUpdate.exe [2009-3-21 133104]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\Program Files\AVG\AVG9\Toolbare\ToolbarBroker.exe [2010-5-11 517448]
S3 pnetmdm;PdaNet Modem;c:\WINDOWS\system32\driverse\pnetmdm.sys [2010-6-1 9472]

=============== File Associations ===============

64.bit.Doubles.file="c:\Program Files\coolpro2e\coolpro2.exe" "%1"
7-Zip.zip="c:\Program Files\7-Zipe\7zFM.exe" "%1"
8.bit.signed.file="c:\Program Files\coolpro2e\coolpro2.exe" "%1"
acrobat="c:\Program Files\Adobe\Reader 9.0\Readere\AcroRd32.exe" /u "%1"
AcroExch.acrobatsecuritysettings.1="c:\Program Files\Adobe\Reader 9.0\Readere\AcroRd32.exe" "%1"
AcroExch.Document="c:\Program Files\Adobe\Reader 9.0\Readere\AcroRd32.exe" "%1"
AcroExch.Document.7="c:\Program Files\Adobe\Reader 9.0\Readere\AcroRd32.exe" "%1"

=============== Created Last 30 ================


==================== Find3M ====================

2010-12-09 13:07:07 2027008 ----a-w- c:\WINDOWS\system32e\ntkrnlpa.exe

============= FINISH: 17:51:13.75 ===============


Edited by Blade Zephon, 03 March 2011 - 08:38 PM.
Fixed formatting. ~BZ



#2 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland
  • Local time:01:50 AM

Posted 06 March 2011 - 11:09 AM

Hi,

1. Download TDSSKiller and extract its contents into a folder in desired location (i.e. c:\tdsskiller).
2. Execute the file TDSSKiller.exe.
3. Click Start Scan. If threats are found, select cure and click Continue (tool may prompt for a reboot).
4. Post back contents of log file in c: drive root (name should be in UtilityName.Version_Date_Time_log.txt format). Post also fresh dds logs.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#3 Bahhh


Posted 06 March 2011 - 10:03 PM

Wow, can't thank you enough for the help and reply. It did find 1 threat and removed it. Additional logs attached.

Drew


#4 Blade81


Posted 07 March 2011 - 12:54 AM

Hi,

uTorrent
Limewire


Above listed ones are P2P file sharing programs. P2P downloads are nowadays one of those things that most likely bring infection into the system. My recommendation is to uninstall these (and other if present) P2P file sharing programs.


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:

  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
    Remember to re-enable them afterwards.

  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.



#5 Bahhh


Posted 07 March 2011 - 04:47 PM

I'm having trouble turning off AVG 9.0. I followed the instructions to turn off resident shield and email and link scanner and ComboFix said it would be dangerous to run ComboFix with AVG installed. I tried to uninstall and it gave me this

Local machine: installation failed
Installation:
Error: Action failed for registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows: creating registry key....
Access is denied.


I tried 3 times rooting around in AVG advance tools to turn everything off but couldn't get ComboFix to run and I tried 3 times to uninstall AVG and got the same error. AVG spit out a log but it's too big to upload even zipped.

Any ideas?

Thanks again,

Drew

Edited by Bahhh, 07 March 2011 - 04:57 PM.


#6 Blade81


Posted 08 March 2011 - 12:45 AM

Hi,

Did you try AVG remover?



#7 Bahhh


Posted 08 March 2011 - 03:59 PM

That worked!

I ran ComboFix and it seemed like it did its thing with no problems. Logs are attached. Any idea what I picked up? I'm uninstalling Limewire now.

Thanks, again!


Drew


#8 Blade81


Posted 09 March 2011 - 01:07 AM

Any idea what I picked up?

You had TDL infection there.


Open notepad and copy/paste the text in the quotebox below into it:

Folder::
c:\docume~1\alluse~1\applic~1\nMmFjKc15405
DDS::
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File


Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Posted Image

Close all browser windows and referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.



Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 24.
  • Click the Download button to the right.
  • Select Windows on platform combobox and check the box that says: Accept License Agreement. Click continue.
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u24-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.


* Go here to run an online scanner from ESET.
  • Note: You will need to use Internet explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is UNchecked.
  • Click Scan
  • Wait for the scan to finish.

Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.


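What the `DDS::` lines in the CFScript of post #8 correspond to, as an added example that is not part of the original thread: a Python parser that pulls BHO (Browser Helper Object) entries out of DDS log text and lists the ones whose target is reported as `No File`, i.e. registrations left behind with no file to load. The two unnamed entries are the ones quoted in the post; the named entry, the `BHO: <name>: {CLSID} - <path>` line shape and all function names are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# A registry class id such as {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}.
CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"

# Line shapes handled:
#   BHO: {CLSID} - <target>           (as quoted in the post)
#   BHO: <name>: {CLSID} - <target>   (assumed shape for named entries)
BHO_LINE = re.compile(
    r"^BHO:\s*(?:(?P<name>.*?):\s*)?(?P<clsid>" + CLSID + r")\s*-\s*(?P<target>.*)$"
)


@dataclass(frozen=True)
class Bho:
    clsid: str   # upper-cased so that case variants compare equal
    name: str    # empty when the log line carries no display name
    target: str  # file path, or the literal "No File"

    @property
    def orphaned(self):
        """True when the log reports no file behind the registration."""
        return self.target.strip().lower() == "no file"


def parse_bho_lines(log_text):
    """Return (entries, malformed) for every line that starts with 'BHO:'.

    Entries are de-duplicated on the upper-cased CLSID (first one wins).
    Lines that start with 'BHO:' but do not parse are returned separately
    so that a damaged log is noticed instead of silently ignored.
    """
    entries, malformed, seen = [], [], set()
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line.startswith("BHO:"):
            continue
        match = BHO_LINE.match(line)
        if match is None:
            malformed.append(line)
            continue
        clsid = match.group("clsid").upper()
        if clsid in seen:
            continue
        seen.add(clsid)
        entries.append(
            Bho(clsid, (match.group("name") or "").strip(), match.group("target").strip())
        )
    return entries, malformed


def orphaned_bhos(log_text):
    """CLSIDs of BHO entries whose target is 'No File', in log order."""
    entries, _ = parse_bho_lines(log_text)
    return [entry.clsid for entry in entries if entry.orphaned]


# Constructed sample: the header and process line come from the log in the
# first post, the two "No File" entries from post #8; the rest is made up.
SAMPLE_LOG = r"""
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
BHO: Example PDF Helper: {11111111-2222-3333-4444-555555555555} - c:\program files\example\helper.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: {5c255c8a-e604-49b4-9d64-90988571cecb} - No File
BHO: broken line without a class id
"""

if __name__ == "__main__":
    parsed, bad = parse_bho_lines(SAMPLE_LOG)
    for entry in parsed:
        state = "ORPHANED" if entry.orphaned else "ok"
        print(f"{state:8} {entry.clsid} {entry.name or '(unnamed)'} -> {entry.target}")
    for line in bad:
        print("unparsed:", line)
```
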

#9 Blade81


Posted 18 March 2011 - 04:48 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.





