Topic: Win32 worm Alcan.A (Read 1140 times)

reno (Newbie, Posts: 10, Karma: +0/-0)
« on: May 23, 2006, 11:00:41 AM »
I recently got this worm on my computer by downloading some stuff and since I don't have norton AV anymore (can't find the cd anymore <_< ) I can't get rid of the annoying thing. So could you please help me out a bit :) (thx in advance, this thing is driving me crazy :P )
here's my HJT-log:
Logfile of HijackThis v1.99.1
Scan saved at 17:56:19, on 23/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Eset\nod32krn.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Program Files\outlook\outlook.exe
D:\WINDOWS\system32\winlog.exe
D:\Program Files\Messenger\MSMSGS.EXE
D:\Program Files\Weather\Weather.exe
D:\Program Files\ipwins\settingsDate.exe
D:\Program Files\MSN Messenger\msnmsgr.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\WINDOWS\system32\rundll32.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Documents and Settings\renaat\Bureaublad\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://pac.pandora.be:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: (no name) -  - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATICCC] "D:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [outlook] D:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Startup: Adobe Gamma.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Weather.lnk = D:\Program Files\Weather\Weather.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: BITS - D:\WINDOWS\system32\dnn6015se.dll
O20 - Winlogon Notify: WRNotifier - D:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - D:\Program Files\Eset\nod32krn.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - D:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - D:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
« Last Edit: May 23, 2006, 11:01:16 AM by reno »
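A way to triage the HijackThis log above, added here as an example; it is not a HijackThis feature and not code from the thread. It reads the HJT line format shown (R3, O4, O18, O20 sections) and applies a few heuristic rules to a sample of lines copied from the 23/05/2006 log; the rule names and thresholds are my own choices.

```python
"""Triage a HijackThis v1.99 log for persistence entries that deserve a second look.

Added example for this thread; not a HijackThis feature and not code from the
thread. It reads the HJT line format shown above (R3, O4, O18, O20 sections)
and applies heuristic rules; the sample lines are a subset of the first log.
"""
import re

# Constructed sample: lines taken from the 23/05/2006 HJT log in the thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) -  - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [outlook] D:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\MSMSGS.EXE" /background
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: BITS - D:\WINDOWS\system32\dnn6015se.dll
O20 - Winlogon Notify: WRNotifier - D:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

# O4 - HKLM\..\Run: [value name] command line
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# O20 - Winlogon Notify: name - path\to.dll
O20_RE = re.compile(r'^O20 - Winlogon Notify: (?P<name>.+?) - (?P<dll>.+)$')


def parse_lines(log_text):
    """Yield (section, line) for every HJT entry line such as 'O4 - ...'."""
    for line in log_text.splitlines():
        m = re.match(r'^([A-Z]\d+) - ', line)
        if m:
            yield m.group(1), line.rstrip()


def target_of(cmd):
    """Return the program part of an O4 command line.

    Quoted paths are taken whole; unquoted ones stop at the first space, which
    is enough here because we only ask whether a directory is present at all.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ''


def looks_generated(path):
    """Heuristic: a base name mixing letters with two or more digits (dnn6015se.dll)."""
    base = path.rsplit('\\', 1)[-1].rsplit('.', 1)[0]
    digits = sum(c.isdigit() for c in base)
    letters = sum(c.isalpha() for c in base)
    return digits >= 2 and letters >= 2


def triage(log_text):
    """Return a list of (rule, detail) findings for the given HJT log text."""
    findings = []
    run_keys = {}  # (hive, value name) -> set of Run* keys it appears under
    for section, line in parse_lines(log_text):
        # Registry entries whose file is gone are leftovers worth removing.
        if '(no file)' in line or '(file missing)' in line:
            findings.append(('orphaned-entry', line))
        if section == 'O4':
            m = O4_RE.match(line)
            if not m:
                continue  # 'O4 - Startup:' shortcut entries are not checked here
            # A bare file name is resolved through the search path; legitimate
            # installers almost always write the full path.
            if '\\' not in target_of(m.group('cmd')):
                findings.append(('bare-filename-autorun', line))
            key = (m.group('hive'), m.group('name').lower())
            run_keys.setdefault(key, set()).add(m.group('key'))
        elif section == 'O20':
            m = O20_RE.match(line)
            # Winlogon Notify DLLs load into winlogon.exe; a generated-looking
            # name in system32 is the classic Look2Me pattern seen in this thread.
            if m and looks_generated(m.group('dll')):
                findings.append(('generated-name-winlogon-notify', line))
    # RunServices is only honoured by Windows 9x/Me; software that writes the
    # same value under both keys on XP is usually malware covering every version.
    for (hive, name), keys in run_keys.items():
        if {'Run', 'RunServices'} <= keys:
            findings.append(('run-and-runservices', f'{hive} [{name}]'))
    return findings


if __name__ == '__main__':
    for rule, detail in triage(SAMPLE_LOG):
        print(f'{rule:32} {detail}')
```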

guestolo (Site Donator, Administrator, Hero Member, Posts: 16034, Karma: +1/-0)
« Reply #1 on: May 23, 2006, 09:26:15 PM »
Hi reno, I'm not sure if I understand the following
 
Quote
I don't have norton AV anymore (can't find the cd anymore

I don't see reference to Norton's in your log, but I do see signs of Nod32?
By the way, if Nod32 is up to date, it is a very good AV

Can you do the following please
Download the latest version of Look2Me-Remover.exe by Atribune
and save it to your desktop

* Close all windows before continuing.
* Double-click Look2Me-Remover.exe to run it.
* Put a check next to Run this program as a task.
* You will receive a message saying Look2Me-Remover will close and re-open in 1 minute. Click OK
* When Look2Me-Remover re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
* Once it's done scanning, click the Remove L2M button.
* You will receive a Done Scanning message, click OK.
* When completed, you will receive this message: Done removing infected files! Look2Me-Remover will now shutdown your computer, click OK.
* Your computer will then shutdown.
* After it has completed the shutdown>>Turn your computer back on.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

Back in Windows, do the following
Please download Brute Force Uninstaller to your desktop. (Right-click on this link and choose Save As; if using IE, Save Target As.)
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:)" or whatever your primary drive is>>In your case this appears to be your (D:) drive
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
RIGHT CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcanshorty.bfu.
Save it in the folder you made earlier (D:\BFU)
So you now have D:\Bfu\alcanshorty.bfu


Open the D:\BFU folder
Double click to run BFU.exe
Use the "Open Script file" button (the folder icon next to Scriptfile to execute)
Navigate to alcanshorty.bfu in the D:\BFU folder
Right click alcanshorty.bfu and choose Select
In Brute Force Uninstaller select Execute
Wait for the "complete script execution" box to pop up and press OK.
Press exit to terminate the BFU program.

Reboot the computer one more time
Come back here and post the following
1. Post a fresh Hijackthis log
2. Post the report from Look2Me-Destroyer, which may be found on your desktop or at C:\Look2Me-Destroyer.txt
« Last Edit: May 23, 2006, 09:29:57 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


reno (Newbie, Posts: 10, Karma: +0/-0)
« Reply #2 on: May 24, 2006, 09:53:38 AM »
Hello again, first off thanks for the help :D , what I meant about the antivirus programs was that I had norton installed before but I had to format my harddisks because there had been a writing error on one of my disks or something and I got Nod32 via Hitmanpro :P . Anyway I followed the instructions and I think it worked (or at least partially) cause I can open my task management via ctrl-alt-del again ^^. Just to make sure here's the HJT and L2M logs:
Logfile of HijackThis v1.99.1
Scan saved at 16:50:06, on 24/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Eset\nod32krn.exe
D:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
D:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Program Files\Messenger\MSMSGS.EXE
D:\Program Files\Weather\Weather.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://pac.pandora.be:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: (no name) -  - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATICCC] "D:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Startup: Adobe Gamma.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Weather.lnk = D:\Program Files\Weather\Weather.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - D:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - D:\Program Files\Eset\nod32krn.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - D:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - D:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
-----------------------------------------------------------------------------------------------------------------------------


Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 24/05/2006 16:42:02

Infected! D:\WINDOWS\system32\f00olad31d0.dll
Infected! D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP145\A0020449.dll
Infected! D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP146\A0020509.dll
Infected! D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP146\A0020513.dll
Infected! D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP146\A0020526.dll
Infected! D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP146\A0020531.dll
Infected! D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP146\A0021531.dll
Infected! D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP148\A0021549.dll
Infected! D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP148\A0021550.dll
Infected! D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP148\A0022563.dll
Infected! D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP148\A0022564.dll
Infected! D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP148\A0022571.dll
Infected! D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP148\A0022572.dll
Infected! D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP148\A0023571.dll
Infected! D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP148\A0023583.dll
Infected! D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP148\A0023584.dll
Infected! D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP148\A0023594.dll
Infected! D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP148\A0023595.dll
Infected! D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP148\A0023604.dll
Infected! D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP148\A0023605.dll
Infected! D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP149\A0023634.dll
Infected! D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP149\A0023635.dll
Infected! D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP149\A0023650.dll
Infected! D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP149\A0023651.dll
Infected! D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP149\A0023658.dll
Infected! D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP149\A0023659.dll
Infected! D:\WINDOWS\system32\hr2m05f1e.dll
Infected! D:\WINDOWS\system32\guard.tmp

Attempting to delete infected files...

Attempting to delete: D:\WINDOWS\system32\f00olad31d0.dll
D:\WINDOWS\system32\f00olad31d0.dll could not be deleted!

Attempting to delete: D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP145\A0020449.dll
D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP145\A0020449.dll could not be deleted!

Attempting to delete: D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP146\A0020509.dll
D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP146\A0020509.dll could not be deleted!

Attempting to delete: D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP146\A0020513.dll
D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP146\A0020513.dll could not be deleted!

Attempting to delete: D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP146\A0020526.dll
D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP146\A0020526.dll could not be deleted!

Attempting to delete: D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP146\A0020531.dll
D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP146\A0020531.dll could not be deleted!

Attempting to delete: D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP146\A0021531.dll
D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP146\A0021531.dll could not be deleted!

Attempting to delete: D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP148\A0021549.dll
D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP148\A0021549.dll could not be deleted!

Attempting to delete: D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP148\A0021550.dll
D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP148\A0021550.dll could not be deleted!

Attempting to delete: D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP148\A0022563.dll
D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP148\A0022563.dll could not be deleted!

Attempting to delete: D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP148\A0022564.dll
D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP148\A0022564.dll could not be deleted!

Attempting to delete: D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP148\A0022571.dll
D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP148\A0022571.dll could not be deleted!

Attempting to delete: D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP148\A0022572.dll
D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP148\A0022572.dll could not be deleted!

Attempting to delete: D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP148\A0023571.dll
D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP148\A0023571.dll could not be deleted!

Attempting to delete: D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP148\A0023583.dll
D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP148\A0023583.dll could not be deleted!

Attempting to delete: D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP148\A0023584.dll
D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP148\A0023584.dll could not be deleted!

Attempting to delete: D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP148\A0023594.dll
D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP148\A0023594.dll could not be deleted!

Attempting to delete: D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP148\A0023595.dll
D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP148\A0023595.dll could not be deleted!

Attempting to delete: D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP148\A0023604.dll
D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP148\A0023604.dll could not be deleted!

Attempting to delete: D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP148\A0023605.dll
D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP148\A0023605.dll could not be deleted!

Attempting to delete: D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP149\A0023634.dll
D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP149\A0023634.dll could not be deleted!

Attempting to delete: D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP149\A0023635.dll
D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP149\A0023635.dll could not be deleted!

Attempting to delete: D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP149\A0023650.dll
D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP149\A0023650.dll could not be deleted!

Attempting to delete: D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP149\A0023651.dll
D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP149\A0023651.dll could not be deleted!

Attempting to delete: D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP149\A0023658.dll
D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP149\A0023658.dll could not be deleted!

Attempting to delete: D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP149\A0023659.dll
D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP149\A0023659.dll could not be deleted!

Attempting to delete: D:\WINDOWS\system32\hr2m05f1e.dll
D:\WINDOWS\system32\hr2m05f1e.dll could not be deleted!

Attempting to delete: D:\WINDOWS\system32\guard.tmp
D:\WINDOWS\system32\guard.tmp could not be deleted!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Installer

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{8ED70ADD-FF45-43F6-875B-80DCD425D98D}"
HKCR\Clsid\{8ED70ADD-FF45-43F6-875B-80DCD425D98D}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{19FBC226-7DFF-4CE8-8F38-DA260D79D429}"
HKCR\Clsid\{19FBC226-7DFF-4CE8-8F38-DA260D79D429}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{393716B9-5D65-45AB-AFEF-E3A452FE4A8B}"
HKCR\Clsid\{393716B9-5D65-45AB-AFEF-E3A452FE4A8B}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{762DE519-C18C-4C1B-8A94-11FD26E3A61F}"
HKCR\Clsid\{762DE519-C18C-4C1B-8A94-11FD26E3A61F}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{2930B685-8312-425C-B778-25F688D833E2}"
HKCR\Clsid\{2930B685-8312-425C-B778-25F688D833E2}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{FB0FB500-1548-40ED-A7EC-EAF1C573E7D6}"
HKCR\Clsid\{FB0FB500-1548-40ED-A7EC-EAF1C573E7D6}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded

guestolo (Site Donator, Administrator, Hero Member, Posts: 16034, Karma: +1/-0)
« Reply #3 on: May 24, 2006, 09:14:32 PM »
Can you do me a favor please
I need to make sure that SpySweeper realtime protections are not running
Uncheck any of the following that may apply
Open it click >Options over to the left then >program options >Uncheck "load at windows startup".
Over to the left click "shields" and uncheck all there.
Uncheck "home page shield".
Uncheck "automatically restore default without notification".

also, it doesn't appear to be running, but if you do have SpywareDoctor's protections running
disable it also
Open SpywareDoctor
1. From within Spyware Doctor, click the "OnGuard" button on the left side.
2. Uncheck "Activate OnGuard".

Reboot the computer to ensure both are not running

Try the following one more time please
* Close all windows before continuing.
* Double-click Look2Me-Remover.exe to run it.
* Put a check next to Run this program as a task.
* You will receive a message saying Look2Me-Remover will close and re-open in 1 minute. Click OK
* When Look2Me-Remover re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
* Once it's done scanning, click the Remove L2M button.
* You will receive a Done Scanning message, click OK.
* When completed, you will receive this message: Done removing infected files! Look2Me-Remover will now shutdown your computer, click OK.
* Your computer will then shutdown.
* AFTER it has completed the shutdown>>Turn your computer back on.

Post back the report from Look2me-destroyer and a new hijackthis log



reno (Newbie, Posts: 10, Karma: +0/-0)
« Reply #4 on: May 25, 2006, 07:06:00 AM »
ok, I did those things it appears that my spysweeper has expired a while back, but I can't remove it (well I can remove the folder..) because when I open the software list it keeps getting stuck at retrieving programs, it just goes on infinitely. Anyway thanks a lot so far here are the updated logs:

HJT:
Logfile of HijackThis v1.99.1
Scan saved at 14:02:33, on 25/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\userinit.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Eset\nod32krn.exe
D:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
D:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Program Files\Messenger\MSMSGS.EXE
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://pac.pandora.be:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: (no name) -  - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATICCC] "D:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Startup: Adobe Gamma.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - D:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - D:\Program Files\Eset\nod32krn.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - D:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - D:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

-----------------------------------------------------------------------------------------------------------------------------
L2M-log:


Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 25/05/2006 13:59:02

Infected! D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP149\A0023668.dll
Infected! D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP149\A0023730.dll
Infected! D:\WINDOWS\system32\f00olad31d0.dll
Infected! D:\WINDOWS\system32\hr8405lqe.dll
Infected! D:\WINDOWS\system32\oeeacc.dll
Infected! D:\WINDOWS\system32\p08q0al5edq.dll

Attempting to delete infected files...

Attempting to delete: D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP149\A0023668.dll
D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP149\A0023668.dll Deleted successfully!

Attempting to delete: D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP149\A0023730.dll
D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP149\A0023730.dll Deleted successfully!

Attempting to delete: D:\WINDOWS\system32\f00olad31d0.dll
D:\WINDOWS\system32\f00olad31d0.dll Deleted successfully!

Attempting to delete: D:\WINDOWS\system32\hr8405lqe.dll
D:\WINDOWS\system32\hr8405lqe.dll Deleted successfully!

Attempting to delete: D:\WINDOWS\system32\oeeacc.dll
D:\WINDOWS\system32\oeeacc.dll Deleted successfully!

Attempting to delete: D:\WINDOWS\system32\p08q0al5edq.dll
D:\WINDOWS\system32\p08q0al5edq.dll Deleted successfully!

Making registry repairs.


Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded
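A way to read the two Look2Me-Destroyer reports in this thread side by side, added here as an example; it is not code from the tool or from the thread. It parses the report lines shown above ("Infected! <path>", "<path> could not be deleted!", "<path> Deleted successfully!") and classifies what happened, between the two runs, to the files the first run could not remove; the two samples are short constructed excerpts of the 24/05 and 25/05 reports.

```python
"""Summarise Look2Me-Destroyer reports and compare two runs.

Added example for this thread, not code from the tool or the thread. It reads
the report lines shown above; RUN_1 and RUN_2 are constructed excerpts of the
24/05 and 25/05 reports.
"""
import re

# Constructed excerpt of the first report (every deletion was blocked).
RUN_1 = r"""
Look2Me-Destroyer V1.0.12
Scan started at 24/05/2006 16:42:02
Infected! D:\WINDOWS\system32\f00olad31d0.dll
Infected! D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP145\A0020449.dll
Infected! D:\WINDOWS\system32\guard.tmp
Attempting to delete infected files...
Attempting to delete: D:\WINDOWS\system32\f00olad31d0.dll
D:\WINDOWS\system32\f00olad31d0.dll could not be deleted!
Attempting to delete: D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP145\A0020449.dll
D:\System Volume Information\_restore{964F000C-FB2E-4E4C-9349-5CDC8D4F45B5}\RP145\A0020449.dll could not be deleted!
Attempting to delete: D:\WINDOWS\system32\guard.tmp
D:\WINDOWS\system32\guard.tmp could not be deleted!
"""

# Constructed excerpt of the second report, after real-time protection was disabled.
RUN_2 = r"""
Look2Me-Destroyer V1.0.12
Scan started at 25/05/2006 13:59:02
Infected! D:\WINDOWS\system32\f00olad31d0.dll
Infected! D:\WINDOWS\system32\hr8405lqe.dll
Attempting to delete infected files...
Attempting to delete: D:\WINDOWS\system32\f00olad31d0.dll
D:\WINDOWS\system32\f00olad31d0.dll Deleted successfully!
Attempting to delete: D:\WINDOWS\system32\hr8405lqe.dll
D:\WINDOWS\system32\hr8405lqe.dll Deleted successfully!
"""

# One pattern per report line kind we care about; other lines are ignored.
LINE_PATTERNS = [
    ('started', re.compile(r'^Scan started at (.+)$')),
    ('infected', re.compile(r'^Infected! (.+)$')),
    ('failed', re.compile(r'^(.+) could not be deleted!$')),
    ('deleted', re.compile(r'^(.+) Deleted successfully!$')),
]


def parse_report(text):
    """Return {'started': str, 'infected': [...], 'failed': set(), 'deleted': set()}."""
    report = {'started': None, 'infected': [], 'failed': set(), 'deleted': set()}
    for raw in text.splitlines():
        line = raw.strip()
        for kind, pattern in LINE_PATTERNS:
            m = pattern.match(line)
            if not m:
                continue
            if kind == 'started':
                report['started'] = m.group(1)
            elif kind == 'infected':
                report['infected'].append(m.group(1))
            else:
                report[kind].add(m.group(1))
            break
    return report


def is_live_file(path):
    """True for files outside System Restore snapshots (the _restore{...} folders)."""
    return '\\_restore{' not in path


def live_leftovers(report):
    """Files outside System Restore that the tool found but could not delete."""
    return sorted(p for p in report['failed'] if is_live_file(p))


def compare_runs(first, second):
    """Classify what happened, in the second run, to each file the first run could not delete."""
    seen_again = set(second['infected'])
    return {
        'cleared': sorted(first['failed'] & second['deleted']),
        'still_present': sorted(first['failed'] & second['failed']),
        'not_seen_again': sorted(first['failed'] - seen_again),
        'new': sorted(seen_again - set(first['infected'])),
    }


if __name__ == '__main__':
    r1, r2 = parse_report(RUN_1), parse_report(RUN_2)
    print('first run, live files not removed:', live_leftovers(r1))
    for key, paths in compare_runs(r1, r2).items():
        print(f'{key}: {paths}')
```

Files listed under "not_seen_again" were neither deleted nor reported the second time, so they are the ones to confirm by hand rather than assume gone.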

guestolo (Site Donator, Administrator, Hero Member, Posts: 16034, Karma: +1/-0)
« Reply #5 on: May 25, 2006, 09:09:56 AM »
Just on my way to work, can you do the following in the meantime
Don't try and just delete the SpySweeper folder, let's try and remove it properly

Go to START>>RUN>>type in services.msc
Hit OK
In the new window that opens, on the right hand side
Look for this service
Webroot Spy Sweeper Engine

Double click on it>>Stop the service if running
In the drop down menu set the startup type to Disabled
Then exit out of there

Open Ewido
From the main ewido screen, click on Update in the left menu, then click the Start update button.
If for some reason the auto updater won't work
Please manually update from this link
http://www.ewido.net/en/download/updates/

Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
  *1. Perform Action = Remove
  *2. Create Encrypted Backup in Quarantine (Recommended)
  *3. Perform action with all infections
  Then click OK
When Ewido has finished its scan click the "Save Report" button
Save the report to the desktop or someplace you will remember
Exit Ewido
NOTE: When Ewido is running, don't open any other windows, let it run uninterrupted

When it's done

Go to START>>RUN>>type in cmd
Hit OK
In the prompt type the following commands
Hit ENTER after each

regsvr32 mshtml.dll
regsvr32 shdocvw.dll -i
regsvr32 shell32.dll -i


Then type exit and hit Enter

Do a "Scan Only"  with Hijackthis and put a check next to these entries:

R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot the computer

Post back the following please
1. Run a Scan and save logfile with Hijackthis and post a fresh log
2. Post the whole report from Ewido

Let me know if add/remove programs will open please

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline reno

  • Newbie
  • Posts: 10
  • Karma: +0/-0
Win32 worm Alcan.A
« Reply #6 on: May 25, 2006, 05:01:14 PM »
I couldn't do the Spysweeper part anymore because I had already run the uninst.exe file from the folder earlier, so it wasn't in that list anymore :(. As for the Ewido report, I forgot to save it :|. I can however post the HJT log if that's any good:

Logfile of HijackThis v1.99.1
Scan saved at 23:58:40, on 25/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\ewido anti-malware\ewidoctrl.exe
D:\Program Files\ewido anti-malware\ewidoguard.exe
D:\Program Files\Eset\nod32krn.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Program Files\Messenger\MSMSGS.EXE
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\MSN Messenger\msnmsgr.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://pac.pandora.be:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATICCC] "D:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Startup: Adobe Gamma.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - D:\Program Files\Eset\nod32krn.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - D:\Program Files\Spyware Doctor\sdhelp.exe

EDIT: I forgot to mention that the software list is still stuck at retrieving programs (or should I make a separate thread for that?)
« Last Edit: May 25, 2006, 05:03:11 PM by reno »
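The HijackThis log above is the kind of listing a helper reads by hand. What guestolo acted on in this thread were the entries whose target no longer exists: the two URLSearchHooks ending in "(no file)" and, still visible here, the O20 WRNotifier entry that Spy Sweeper's uninstaller left behind. As an added example (not a tool used in this thread), the Python below applies that reading to HJT-format lines automatically: it flags entries whose file is missing, O23 services with no recognised publisher ("Unknown owner"), and O20 Winlogon Notify packages that are not in the stock Windows XP SP2 set. A hit is a cleanup candidate, not proof of infection; orphaned entries are usually debris from a half-removed product. The sample lines are copied from the log above, plus one constructed O20 line for AtiExtEvent so the allowlist check has something to fire on.

```python
"""Triage of HijackThis v1.99-format log lines.

Added example for this thread, not a tool anyone in it used. It flags the three
classes of entry the helper acted on above: hooks whose target file is gone,
services with no recognised publisher, and Winlogon Notify packages outside the
stock Windows XP SP2 set. A hit is a cleanup candidate, not proof of malware:
a "(file missing)" entry is often just debris from a half-removed product.
"""
import re

# Winlogon\Notify packages present on a stock Windows XP SP2 installation.
XP_DEFAULT_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
    "sclgntfy", "SensLogn", "termsrv", "wlballoon",
}

# HJT lines look like "O4 - HKLM\..\Run: [Name] path"; capture the section tag and the rest.
_LINE = re.compile(r"^(?P<tag>[RFO]\d+)\s+-\s+(?P<body>.*)$")
_O20 = re.compile(r"Winlogon Notify:\s+(?P<name>\S+)\s+-\s+(?P<dll>\S+)")

# Sample input: lines copied from the HJT log above, plus one constructed O20 line
# (AtiExtEvent) so the allowlist check has something to fire on.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O20 - Winlogon Notify: AtiExtEvent - Ati2evxx.dll
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - D:\Program Files\Eset\nod32krn.exe
"""


def triage(log_text):
    """Return [(tag, reason, line), ...] for entries worth a second look, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _LINE.match(line)
        if not m:
            continue  # header, process list, blank line
        tag, body = m.group("tag"), m.group("body")
        if "(no file)" in body or "(file missing)" in body:
            findings.append((tag, "target file missing", line))
        elif tag == "O23" and "Unknown owner" in body:
            findings.append((tag, "service binary has no publisher", line))
        elif tag == "O20":
            n = _O20.search(body)
            if n and n.group("name") not in XP_DEFAULT_NOTIFY:
                findings.append((tag, "non-default Winlogon Notify package", line))
    return findings


if __name__ == "__main__":
    for tag, reason, line in triage(SAMPLE_LOG):
        print(f"{tag:<4} {reason:<38} {line}")
```

Run against the full log the script stays quiet on the Java, QuickTime and NOD32 entries and lists exactly the five lines a helper would ask about; whether a flagged entry is then "fix checked" or left alone is still a judgement call on the path and publisher.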

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
Win32 worm Alcan.A
« Reply #7 on: May 25, 2006, 09:09:18 PM »
Go to START>>RUN>>type in cmd
Hit OK
In the prompt type the following command
Hit ENTER afterwards

REGSVR32 APPWIZ.CPL

Then type exit >>Hit Enter

Download and save WinPFind.zip
UNZIP the contents to your desktop
Don't run it yet

RESTART your Computer into SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads
Choose Safe mode from the startup menu and hit Enter

In safe mode
Open the WinPFind folder you extracted to desktop
Double click on WinPFind.exe

Click START SCAN
Let this finish, a log will open so you will know it's done
Close out after

Reboot back to Normal mode

Back in Windows
Post the results of the WindPFind.txt located in the WinPFind folder
« Last Edit: May 26, 2006, 12:19:06 AM by guestolo »



Offline reno

  • Newbie
  • Posts: 10
  • Karma: +0/-0
Win32 worm Alcan.A
« Reply #8 on: May 26, 2006, 05:30:36 AM »
Here's the WinPFind-log:
WARNING: not all files found by this scanner are bad. Consult with a knowledgeable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP    Current Build: Service Pack 2    Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
aspack               18/03/2005 18:19:58         2337488    D:\WINDOWS\SYSTEM32\d3dx9_25.dll
aspack               26/05/2005 16:34:52         2297552    D:\WINDOWS\SYSTEM32\d3dx9_26.dll
aspack               22/07/2005 20:59:04         2319568    D:\WINDOWS\SYSTEM32\d3dx9_27.dll
aspack               5/12/2005 19:09:18          2323664    D:\WINDOWS\SYSTEM32\d3dx9_28.dll
PEC2                 11/09/2002 14:00:00         41122      D:\WINDOWS\SYSTEM32\dfrg.msc
PEC2                 6/01/2006 19:06:34          573952     D:\WINDOWS\SYSTEM32\DivX.dll
PECompact2           6/01/2006 19:06:34          573952     D:\WINDOWS\SYSTEM32\DivX.dll
PECompact2           4/05/2006 6:26:22           5818784    D:\WINDOWS\SYSTEM32\MRT.exe
aspack               4/05/2006 6:26:22           5818784    D:\WINDOWS\SYSTEM32\MRT.exe
aspack               4/08/2004 10:03:00          729088     D:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor             4/08/2004 10:03:20          676864     D:\WINDOWS\SYSTEM32\rasdlg.dll
winsync              11/09/2002 14:00:00         1309184    D:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
PTech                4/08/2004 7:41:38           1309184    D:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in D:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
                     9/04/2006 20:09:58       H  0          D:\WINDOWS\38812880-IC
                     26/05/2006 12:10:40       S 2048       D:\WINDOWS\bootstat.dat
                     25/05/2006 0:43:46       H  54156      D:\WINDOWS\QTFont.qfn
                     25/05/2006 23:54:22     RH  749        D:\WINDOWS\WindowsShell.Manifest
                     25/05/2006 23:54:22     RH  749        D:\WINDOWS\system32\cdplayer.exe.manifest
                     25/05/2006 23:54:20     RH  749        D:\WINDOWS\system32\ncpa.cpl.manifest
                     25/05/2006 23:54:20     RH  749        D:\WINDOWS\system32\nwc.cpl.manifest
                     25/05/2006 23:54:22     RH  749        D:\WINDOWS\system32\sapi.cpl.manifest
                     25/05/2006 23:54:22     RH  749        D:\WINDOWS\system32\wuaucpl.cpl.manifest
                     30/03/2006 12:03:48       S 22339      D:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB912812.cat
                     26/05/2006 12:10:30      H  8192       D:\WINDOWS\system32\config\default.LOG
                     26/05/2006 12:11:08      H  1024       D:\WINDOWS\system32\config\SAM.LOG
                     26/05/2006 12:10:40      H  12288      D:\WINDOWS\system32\config\SECURITY.LOG
                     26/05/2006 12:11:10      H  53248      D:\WINDOWS\system32\config\software.LOG
                     26/05/2006 12:10:46      H  909312     D:\WINDOWS\system32\config\system.LOG
                     10/05/2006 23:45:04      H  1024       D:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
                     24/04/2006 23:44:38      HS 388        D:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\9c937a4e-21e5-48cb-997e-ff178e0708fb
                     24/04/2006 23:44:38      HS 24         D:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
                     26/05/2006 12:09:22      H  6          D:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation          4/08/2004 10:03:36          70656      D:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation          4/08/2004 10:03:36          554496     D:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation          4/08/2004 10:03:36          110592     D:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation          4/08/2004 10:03:36          137728     D:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation          4/08/2004 10:03:36          80384      D:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation          4/08/2004 10:03:36          156672     D:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation          4/08/2004 10:03:36          359936     D:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation          4/08/2004 10:03:36          132608     D:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation          4/08/2004 10:03:36          380928     D:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation          4/08/2004 10:03:36          69632      D:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc.         10/11/2005 13:03:50         49265      D:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation          11/09/2002 14:00:00         189440     D:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation          4/08/2004 10:03:36          625152     D:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation          11/09/2002 14:00:00         35840      D:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation          4/08/2004 10:03:36          25600      D:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation          4/08/2004 10:03:36          260608     D:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation          4/08/2004 10:03:36          36864      D:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation          4/08/2004 10:03:36          117248     D:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation          4/08/2004 10:03:38          302592     D:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation          11/09/2002 14:00:00         28160      D:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation          4/08/2004 10:03:38          94720      D:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation          4/08/2004 10:03:38          148480     D:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation          26/05/2005 5:16:34          174872     D:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation          11/09/2002 14:00:00         189440     D:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation          11/09/2002 14:00:00         35840      D:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation          11/09/2002 14:00:00         28160      D:\WINDOWS\SYSTEM32\dllcache\telephon.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
                     24/01/2006 20:36:32      HS 84         D:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
                     1/01/2002 2:30:18        HS 62         D:\Documents and Settings\All Users\Application Data\desktop.ini
                     10/04/2006 14:38:32         1362       D:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

Checking files in %USERPROFILE%\Startup folder...
                     19/03/2006 16:38:48         999        D:\Documents and Settings\renaat\Menu Start\Programma's\Opstarten\Adobe Gamma.lnk
                     24/01/2006 20:36:32      HS 84         D:\Documents and Settings\renaat\Menu Start\Programma's\Opstarten\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
                     1/01/2002 2:30:18        HS 62         D:\Documents and Settings\renaat\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
   sv1    =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
   {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}    = D:\Program Files\ewido anti-malware\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ImageConverter
   {C2B78404-577B-4565-B5B4-0555EFCC2A4B}    =
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
   {750fdf0e-2a26-11d1-a3ea-080036587f03}    = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
   {09799AFB-AD67-11d1-ABCD-00C04FC30936}    = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
   {A470F8CF-A1E8-4f65-8335-227475AA5C46}    = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
   {B41DB860-8EE4-11D2-9906-E49FADC173CA}    = D:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
   Start Menu Pin    = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
   {B41DB860-8EE4-11D2-9906-E49FADC173CA}    = D:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
   {A470F8CF-A1E8-4f65-8335-227475AA5C46}    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
   {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}    = D:\Program Files\ewido anti-malware\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
   {750fdf0e-2a26-11d1-a3ea-080036587f03}    = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
   {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}    = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
   {B41DB860-8EE4-11D2-9906-E49FADC173CA}    = D:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
    = %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
   &Tip van de dag = %SystemRoot%\system32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
   MenuText    = Sun Java Console   : D:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2D663D1A-8670-49D9-A1A5-4C56B4E14E84}
   ButtonText    = Spyware Doctor   :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
   ButtonText    = Messenger   : D:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
    =
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
   History Band = %SystemRoot%\system32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
   Explorer-band = %SystemRoot%\system32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
   {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Adres   : %SystemRoot%\System32\browseui.dll
   {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Koppelingen   : %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
   {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Adres   : %SystemRoot%\System32\browseui.dll
   {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Koppelingen   : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   HPDJ Taskbar Utility   D:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
   QuickTime Task   "D:\Program Files\QuickTime\qttask.exe" -atboottime
   ATICCC   "D:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
   DAEMON Tools   "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
   SunJavaUpdateSched   D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   MSMSGS   "D:\Program Files\Messenger\MSMSGS.EXE" /background

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
   {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = D:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
   {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
   {0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
   dontdisplaylastusername   0
   legalnoticecaption   
   legalnoticetext   
   shutdownwithoutlogon   1
   undockwithoutlogon   1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
   NoDriveTypeAutoRun   145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
   WinUpdate.exe   D:\Program Files\Windows\WinUpdate.exe


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
   PostBootReminder                  {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
   CDBurn                            {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
   WebCheck                          {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
   SysTray                           {35CEC8A3-2BE6-11D2-8773-92E220524153} = D:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   UserInit   = userinit.exe
   Shell      = Explorer.exe
   System      =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent
    = Ati2evxx.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
    = crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
    = cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
    = cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
    = sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
    = WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier
    = WRLogonNTF.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
   Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
   AppInit_DLLs   


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1   - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 26/05/2006 12:18:30
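The one line in this WinPFind output that matters is under HKEY_CURRENT_USER\...\policies\Explorer\Run: WinUpdate.exe = D:\Program Files\Windows\WinUpdate.exe. A Run key under policies\Explorer is executed by Explorer at logon just like the ordinary Run key, but it sits outside the Run keys most people look at (the HijackThis log in Reply #6 does not list it), which is why it makes a good hiding place and why the next reply removes it. Note also that the "Your Image File Name Here without a path" entry under Image File Execution Options is Microsoft's own sample subkey and is normal; a Debugger value on a real image name would not be. As an added example (not part of WinPFind or of this thread), the Python below parses the registry section of a WinPFind log and flags any value under a policies\Explorer\Run key (HKCU or HKLM), an IFEO Debugger value on a real image, and a non-empty AppInit_DLLs. The sample is the relevant fragment of the log above plus one constructed IFEO entry for taskmgr.exe with a made-up path, included so the placeholder exclusion is exercised.

```python
"""Autostart audit over the registry section of a WinPFind log.

Added example for this thread, not part of WinPFind or of the thread. It flags:
  * any value under a policies\Explorer\Run key (HKCU or HKLM): an autostart
    location that sits outside the Run keys most people look at;
  * an Image File Execution Options "Debugger" value on a real image name,
    which redirects that program to another executable (the Microsoft sample
    subkey "Your Image File Name Here without a path" is excluded);
  * a non-empty AppInit_DLLs value, which injects a DLL into GUI processes.
"""
import re

RUN_POLICY = re.compile(r"\\policies\\Explorer\\Run$", re.IGNORECASE)
IFEO_IMAGE = re.compile(r"\\Image File Execution Options\\(?P<image>[^\\]+)$", re.IGNORECASE)
IFEO_PLACEHOLDER = "Your Image File Name Here without a path"  # present on a clean XP system

# Sample input: the relevant fragment of the WinPFind log above, plus one constructed
# IFEO entry (taskmgr.exe) with a made-up path so the placeholder exclusion is exercised.
SAMPLE_LOG = r"""
»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
   NoDriveTypeAutoRun   145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
   WinUpdate.exe   D:\Program Files\Windows\WinUpdate.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
   Debugger = ntsd -d
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
   Debugger = D:\example\not_a_debugger.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
   AppInit_DLLs
"""


def parse_registry_dump(text):
    """Yield (key, value_name, data) from WinPFind's registry section.

    WinPFind prints a key either as "[KEY]" or as a bare "HKEY_..." line and lists
    its values indented underneath, as "name   data" or "name = data".
    """
    key = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("»"):          # section banner: the previous key no longer applies
            key = None
        elif raw.startswith("["):
            key = raw.strip().strip("[]")
        elif raw[0].isspace():
            if key is None:
                continue                 # indented file listing outside the registry section
            body = raw.strip()
            if "   " in body:
                name, _, data = body.partition("   ")
            elif " = " in body:
                name, _, data = body.partition(" = ")
            else:
                name, data = body, ""    # value present but empty, e.g. AppInit_DLLs
            yield key, name.strip(), data.strip()
        elif raw.startswith("HKEY_"):
            key = raw.strip()


def audit(text):
    """Return [(reason, key, value_name, data), ...] for suspicious autostart entries."""
    findings = []
    for key, name, data in parse_registry_dump(text):
        if RUN_POLICY.search(key):
            findings.append(("policy Run key autostart", key, name, data))
        elif name.lower() == "debugger":
            m = IFEO_IMAGE.search(key)
            if m and m.group("image") != IFEO_PLACEHOLDER:
                findings.append(("IFEO debugger redirect", key, name, data))
        elif name.lower() == "appinit_dlls" and data:
            findings.append(("AppInit_DLLs injection", key, name, data))
    return findings


if __name__ == "__main__":
    for reason, key, name, data in audit(SAMPLE_LOG):
        print(f"{reason}: {key}\n    {name} = {data}")
```

On the fragment above this reports the WinUpdate.exe policy Run entry and the constructed taskmgr.exe redirect, and says nothing about the Microsoft placeholder or the empty AppInit_DLLs.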

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
Win32 worm Alcan.A
« Reply #9 on: May 27, 2006, 01:15:52 PM »
Sorry for the delay

Can you do the following please
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box to notepad, not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg

Save this file on the desktop
Ensure to copy from REGEDIT4 and down in the code box

 
Code:
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"WinUpdate.exe"=-


Double click on fix.reg and allow to add/merge to the registry

Reboot the computer

Back in Windows, can you do the following please
Save Silent Runners.vbs to your desktop
Right click on that link and choose Save Link As
Double click on it to run. You don't have to click yes or no, it will continue to run in a few seconds
If prompted by your AV, please let this script run, we are just collecting information

 This will create a text file on your desktop
Open the text file and copy and paste the contents back here

NOTE: let silentrunners completely finish, it WILL prompt when it is done

Can you let me know the exact problem with your add/remove programs please
Does it not populate, or is it a big blank space where, if you scroll down, you may see other installed applications?
Can you give it a couple minutes to populate?

Can you supply an uninstall list also from Hijackthis
Open Hijackthis>>Open Misc tools section>>Open Uninstall manager
Click the SAVE LIST.. button
Save the list to the desktop, then copy and paste back here the whole contents please
« Last Edit: May 27, 2006, 01:46:09 PM by guestolo »

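Before merging a .reg file someone hands you, read what it will do. In REGEDIT4 syntax a [KEY] line selects the key and creates it if it is missing, [-KEY] deletes the whole key, "name"=- deletes a single value, and "name"=data (or @=data for the default value) writes one. The fix above does exactly one thing: it deletes the WinUpdate.exe value from HKCU\...\policies\Explorer\Run and leaves the key and everything else alone. As an added example (not a tool from this thread), the Python below summarises a .reg file into those operations and reports any set_value that lands in an autostart key. FIX_REG is the fix from the reply above; SUSPECT_REG is a constructed counter-example with made-up paths showing what a "fix" that quietly adds an autostart looks like. It is a review aid, not a reimplementation of regedit's parser: hex(...) byte lists continued over several lines, for instance, come back as "unparsed" rather than being interpreted.

```python
"""Review a .reg file before merging it: what will it create, set or delete?

Added example for this thread, not a tool from it. FIX_REG is the fix.reg from the
reply above; SUSPECT_REG is a constructed counter-example with made-up paths that
shows what a "fix" that adds an autostart looks like. This is a review aid, not a
reimplementation of regedit's parser: hex(...) byte lists continued over several
lines, for instance, are reported as "unparsed".
"""
import re

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
_KEY = re.compile(r"^\[(?P<minus>-?)(?P<key>[^\]]+)\]$")
_VALUE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')
# Keys under which a set_value creates or changes an autostart.
AUTOSTART_KEY = re.compile(
    r"\\CurrentVersion\\Run(Once)?$|\\policies\\Explorer\\Run$|\\Winlogon$", re.IGNORECASE)

FIX_REG = r"""REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"WinUpdate.exe"=-
"""

# Constructed counter-example (paths are made up): adds a Run value and wipes a key.
SUSPECT_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="D:\\example\\updater.exe"

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"""


def summarize_reg(text):
    """Return (header_ok, ops).

    ops is a list of tuples in file order:
      ("delete_key",   key, None, None)   from a [-KEY] line
      ("delete_value", key, name, None)   from "name"=-
      ("set_value",    key, name, data)   from "name"=data or @=data (data kept verbatim)
      ("unparsed",     key, None, line)   anything else, so nothing is silently skipped
    A [KEY] line on its own is also a write: regedit creates the key if it is absent.
    """
    lines = [l.rstrip("\r") for l in text.splitlines()]
    first = next((l.strip() for l in lines if l.strip()), "")
    header_ok = first in HEADERS       # regedit refuses files without a valid header
    ops, key = [], None
    for line in lines:
        s = line.strip()
        if not s or s.startswith(";") or s in HEADERS:
            continue
        km = _KEY.match(s)
        if km:
            key = km.group("key")
            if km.group("minus"):
                ops.append(("delete_key", key, None, None))
            continue
        vm = _VALUE.match(s)
        if vm and key is not None:
            name = "(Default)" if vm.group("default") else vm.group("name")
            data = vm.group("data")
            if data == "-":
                ops.append(("delete_value", key, name, None))
            else:
                ops.append(("set_value", key, name, data))
        else:
            ops.append(("unparsed", key, None, s))
    return header_ok, ops


def writes_autostart(ops):
    """Return the set_value operations that land in an autostart key."""
    return [op for op in ops if op[0] == "set_value" and AUTOSTART_KEY.search(op[1])]


if __name__ == "__main__":
    for label, text in (("fix.reg", FIX_REG), ("suspect.reg", SUSPECT_REG)):
        ok, ops = summarize_reg(text)
        print(f"{label}: header {'ok' if ok else 'INVALID'}")
        for op in ops:
            print("   ", op)
        if writes_autostart(ops):
            print("    WARNING: this file adds or changes an autostart entry")
```

The header check matters in practice as much as the operation list: REGEDIT4 files are plain ANSI text, and the reason the reply insists on "Save as Type: All Files" is that Notepad otherwise saves fix.reg.txt, which double-clicking opens in Notepad instead of merging.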


Offline reno

  • Newbie
  • Posts: 10
  • Karma: +0/-0
Win32 worm Alcan.A
« Reply #10 on: May 28, 2006, 05:59:14 AM »
I took a screenshot of my add/remove software: the text in the window means "The list is being composed. A moment of patience please...", no matter how long I leave it open it just remains like this.
here's the Silent Runners log:
"Silent Runners.vbs", revision 45, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""D:\Program Files\Messenger\MSMSGS.EXE" /background" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"HPDJ Taskbar Utility" = "D:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe" ["HP"]
"QuickTime Task" = ""D:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"ATICCC" = ""D:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay" [null data]
"DAEMON Tools" = ""D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033" ["DT Soft Ltd."]
"SunJavaUpdateSched" = "D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Configuratiescherm-uitbreiding Beeldscherm-panning"
  -> {HKLM...CLSID} = "Configuratiescherm-uitbreiding Beeldscherm-panning"
                   \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal-pictogramuitbreiding"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "D:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
  -> {HKLM...CLSID} = "Portable Media Devices"
                   \InProcServer32\(Default) = "D:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {HKLM...CLSID} = "Portable Media Devices Menu"
                   \InProcServer32\(Default) = "D:\WINDOWS\System32\Audiodev.dll" [MS]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
  -> {HKLM...CLSID} = "Shell Search Band"
                   \InProcServer32\(Default) = "D:\WINDOWS\system32\browseui.dll" [MS]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
  -> {HKLM...CLSID} = "iTunes"
                   \InProcServer32\(Default) = "D:\Program Files\iTunes\iTunesMiniPlayer.dll" [file not found]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
  -> {HKLM...CLSID} = "SimpleShlExt Class"
                   \InProcServer32\(Default) = "D:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll" [empty string]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
  -> {HKLM...CLSID} = "History Band"
                   \InProcServer32\(Default) = "D:\WINDOWS\system32\shdocvw.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
  -> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
                   \InProcServer32\(Default) = "D:\Program Files\ewido anti-malware\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\System\CurrentControlSet\Control\Session Manager\
INFECTION WARNING! "BootExecute" = "autocheck autochk * SsiEfr.e" [file not found], [MS], [file not found], [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
INFECTION WARNING! WRNotifier\DLLName = "WRLogonNTF.dll" [file not found]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
  -> {HKLM...CLSID} = "Ctest Object"
                   \InProcServer32\(Default) = "D:\Program Files\ewido anti-malware\context.dll" ["ewido networks"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
  -> {HKLM...CLSID} = "Ctest Object"
                   \InProcServer32\(Default) = "D:\Program Files\ewido anti-malware\context.dll" ["ewido networks"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "D:\Documents and Settings\renaat\Application Data\Mozilla\Firefox\Bureaubladachtergrond.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "D:\WINDOWS\System32\logon.scr" [MS]


Startup items in "renaat" & "All Users" startup folders:
--------------------------------------------------------

D:\Documents and Settings\renaat\Menu Start\Programma's\Opstarten
"Adobe Gamma" -> shortcut to: "D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
  -> {HKCU...CLSID} = "Java Plug-in"
                   \InProcServer32\(Default) = "D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"
                   \InProcServer32\(Default) = "D:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

{2D663D1A-8670-49D9-A1A5-4C56B4E14E84}\
"ButtonText" = "Spyware Doctor"
"CLSIDExtension" = "{A1EDC4A1-940F-48E0-8DFD-E38F1D501021}"
  -> {HKLM...CLSID} = "PCTools Browser Monitor"
                   \InProcServer32\(Default) = "D:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll" ["PC Tools"]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "D:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "D:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
ewido security suite control, ewido security suite control, "D:\Program Files\ewido anti-malware\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "D:\Program Files\ewido anti-malware\ewidoguard.exe" ["ewido networks"]
NOD32 Kernel Service, NOD32krn, ""D:\Program Files\Eset\nod32krn.exe"" ["Eset "]
Windows User Mode Driver Framework, UMWdf, "D:\WINDOWS\System32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
hpzsnt09\Driver = "hpzsnt09.dll" ["HP"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
  use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 31 seconds, including 18 seconds for message boxes)


---------------------------------------------------------------------------------------------------
and here's the HJT uninstall manager list:
Ad-Aware SE Personal
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Stock Photos 1.0
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
BearShare
Beveiligingsupdate for Windows Media Player 10 (KB911565)
Beveiligingsupdate voor Windows Media Player (KB911564)
Beveiligingsupdate voor Windows XP (KB890046)
Beveiligingsupdate voor Windows XP (KB893066)
Beveiligingsupdate voor Windows XP (KB893756)
Beveiligingsupdate voor Windows XP (KB896358)
Beveiligingsupdate voor Windows XP (KB896422)
Beveiligingsupdate voor Windows XP (KB896423)
Beveiligingsupdate voor Windows XP (KB896424)
Beveiligingsupdate voor Windows XP (KB896428)
Beveiligingsupdate voor Windows XP (KB899587)
Beveiligingsupdate voor Windows XP (KB899591)
Beveiligingsupdate voor Windows XP (KB900725)
Beveiligingsupdate voor Windows XP (KB901017)
Beveiligingsupdate voor Windows XP (KB901214)
Beveiligingsupdate voor Windows XP (KB902400)
Beveiligingsupdate voor Windows XP (KB904706)
Beveiligingsupdate voor Windows XP (KB905414)
Beveiligingsupdate voor Windows XP (KB905749)
Beveiligingsupdate voor Windows XP (KB905915)
Beveiligingsupdate voor Windows XP (KB908519)
Beveiligingsupdate voor Windows XP (KB908531)
Beveiligingsupdate voor Windows XP (KB911562)
Beveiligingsupdate voor Windows XP (KB911567)
Beveiligingsupdate voor Windows XP (KB911927)
Beveiligingsupdate voor Windows XP (KB912812)
Beveiligingsupdate voor Windows XP (KB912919)
Beveiligingsupdate voor Windows XP (KB913446)
Beveiligingsupdate voor Windows XP (KB913580)
CleanUp!
DivX
DivX Player
ewido anti-malware
HijackThis 1.99.1
Hitman Pro
iTunes
J2SE Runtime Environment 5.0 Update 6
LeuteScript 3
LS Image Converter
Macromedia Flash Player 8
Macromedia Shockwave Player
Microsoft .NET Framework 1.1
mIRC
Mozilla Firefox (1.5.0.3)
MSN Messenger 7.5
NOD32 antivirus systeem
Oblivion
QuickTime
Snowball Wars by OIN
Spybot - Search & Destroy 1.4
Spyware Doctor 3.5
SpywareBlaster v3.5.1
TeamSpeak 2 RC2
Update voor Windows XP (KB898461)
Update voor Windows XP (KB900485)
Update voor Windows XP (KB910437)
Ventrilo Client
VentriloMIX
VideoLAN VLC media player 0.8.4a
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinRAR archiver
Wolfenstein - Enemy Territory
Yazzle by OIN


(in Dutch, voor = for and beveiligingsupdate = security update, just to clarify)

A great big thanks so far btw

Offline guestolo

Win32 worm Alcan.A
« Reply #11 on: May 28, 2006, 11:20:28 AM »
Can you do the following please
Download and install ccleaner

Once installed, can you open the program
Click on Tools

Close all browser windows
Then Highlight Snowball Wars by OIN
Then click the "Run Uninstaller"

Do the same for Yazzle by OIN

Anything by OIN is not safe!

NOTE: You have BearShare installed, if it's the free version it comes bundled with Adware
Quote
BearShare does not contain any spyware. However, BearShares does come bundled with some adware. This is harmless to you and your computer, it is used to display a few adverts while you surf and the only information collected is the information you supply during installation. If you do not like the adware that comes bundled with BearShare then you can purchase a subscription to the Pro version which does not contain any third party software.
Bottom line: It comes bundled with Spyware

There are better alternatives
http://www.spywareinfo.com/articles/p2p/

Afterwards
Click on Cleaner button on the top left
If you would like to keep cookies in IE, uncheck Cookies
If you would like to keep cookies in Firefox, click the Application tab
and uncheck Cookies under Firefox

Click the Run Cleaner at the bottom right
OK the prompt
When it's done

Reboot the computer

Back in Windows..
Open CCleaner once more
This time click the Issues button on the left
Click "Scan for issues"
When it's done click "Fix Selected Issues"
Allow it to make a backup and remove All Issues

When it's done, Log off the computer and then log back on

Check for updates with Ewido
Run a complete system scan, when it's done SAVE THE LOG and then post it back here

Try add/remove programs again, if it won't work in Normal mode, can you try safe mode and see if you get the same problem

Can I see a fresh Hijackthis log afterwards please
« Last Edit: May 28, 2006, 11:34:58 AM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline reno

Win32 worm Alcan.A
« Reply #12 on: May 29, 2006, 05:03:43 PM »
Here are the new logs:

 ewido anti-malware - Scan rapport
---------------------------------------------------------

 + Gemaakt op:         23:56:26, 29/05/2006
 + Rapport samenvatting:      D59EC6E8

 + Scan resultaten:

   :mozilla.10:D:\Documents and Settings\renaat\Application Data\Mozilla\Firefox\Profiles\ivge6t4b.default\cookies.txt -> TrackingCookie.Yieldmanager : Schoongemaakt met een backup
   :mozilla.11:D:\Documents and Settings\renaat\Application Data\Mozilla\Firefox\Profiles\ivge6t4b.default\cookies.txt -> TrackingCookie.Yieldmanager : Schoongemaakt met een backup
   :mozilla.12:D:\Documents and Settings\renaat\Application Data\Mozilla\Firefox\Profiles\ivge6t4b.default\cookies.txt -> TrackingCookie.Casalemedia : Schoongemaakt met een backup
   :mozilla.13:D:\Documents and Settings\renaat\Application Data\Mozilla\Firefox\Profiles\ivge6t4b.default\cookies.txt -> TrackingCookie.Casalemedia : Schoongemaakt met een backup
   :mozilla.14:D:\Documents and Settings\renaat\Application Data\Mozilla\Firefox\Profiles\ivge6t4b.default\cookies.txt -> TrackingCookie.Casalemedia : Schoongemaakt met een backup
   :mozilla.15:D:\Documents and Settings\renaat\Application Data\Mozilla\Firefox\Profiles\ivge6t4b.default\cookies.txt -> TrackingCookie.Casalemedia : Schoongemaakt met een backup


::Einde rapport

(schoongemaakt met backup = cleaned with backup)



HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 23:57:14, on 29/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\ewido anti-malware\ewidoctrl.exe
D:\Program Files\ewido anti-malware\ewidoguard.exe
D:\Program Files\Eset\nod32krn.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Program Files\Messenger\MSMSGS.EXE
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\Winamp\winamp.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\WINDOWS\system32\NOTEPAD.EXE
D:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://pac.pandora.be:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATICCC] "D:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Startup: Adobe Gamma.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - D:\Program Files\Eset\nod32krn.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - D:\Program Files\Spyware Doctor\sdhelp.exe


the add/remove program list still isn't showing but I haven't been able to reboot in safe mode yet (there's a pw on the pc since yesterday because of upcoming exams :P ), however ccleaner seemed to indicate that certain windows/system32 files were missing...

Offline guestolo

Win32 worm Alcan.A
« Reply #13 on: May 29, 2006, 09:03:40 PM »
Quote
that certain windows/system32 files were missing...
Please give me the exact names of the files, that's important
Look into the backup registry file by right-clicking it and selecting EDIT
or look at the log of CCleaner

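One way to answer the question above (which exact files the backup refers to) without reading the export by hand. This is an added example, not code from the thread, from CCleaner or from HijackThis. It walks a .reg export, pulls out every drive-letter or %VAR%-rooted path found in value names (the SharedDlls refcount entries), in string data (shell\open\command, DefaultIcon) and in hex(2) UTF-16 data, and reports which targets are absent on the machine it runs on. The sample lines are copied from the CCleaner backup reno posts in the following reply; the names `FileRef`, `referenced_files` and `missing_files` are chosen here.

```python
"""List every file a Windows .reg export refers to, so a 'files missing'
warning can be tied to exact names.  Added example: not from the thread,
CCleaner or HijackThis.  Handles the two ways a .reg file carries a path:
as a value name (SharedDlls refcounts) and inside string or hex(2) data."""
import os
import re
from dataclasses import dataclass

# Drive-letter or %VAR%-rooted path ending in an executable-ish extension.
# Directory segments may contain spaces ("Program Files"); the filename part
# is lazy so "nero.exe /New:AudioCD" stops at the extension.
PATH_RE = re.compile(
    r'(?:[A-Za-z]:|%[A-Za-z_]+%)\\(?:[^\\/:*?"<>|\r\n,]+\\)*'
    r'[^\\/:*?"<>|\r\n,]+?\.(?:exe|dll|scr|com|ocx|cpl|sys|avi)\b',
    re.IGNORECASE,
)


@dataclass(frozen=True)
class FileRef:
    key: str    # registry key the value lives under
    path: str   # path as written in the export (%VAR% not expanded)


def _unescape(s: str) -> str:
    # .reg string syntax escapes backslash and double quote with a backslash.
    return re.sub(r'\\(["\\])', r'\1', s)


def _decode_hex_string(data: str) -> str:
    # hex(1)/hex(2) payloads are comma-separated bytes of a UTF-16LE string.
    raw = bytes(int(b, 16) for b in data.split(',') if b.strip())
    return raw.decode('utf-16-le', errors='replace').rstrip('\x00')


def _logical_lines(reg_text: str):
    # A trailing backslash means the (hex) value continues on the next,
    # indented line; join those into one logical line.
    buf = ''
    for line in reg_text.splitlines():
        line = line.rstrip()
        if buf:
            line = buf + line.lstrip()
            buf = ''
        if line.endswith('\\'):
            buf = line[:-1]
            continue
        yield line


def referenced_files(reg_text: str) -> list[FileRef]:
    """Every file path the export mentions, in order, without duplicates."""
    refs: list[FileRef] = []
    key = ''
    for line in _logical_lines(reg_text):
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            continue
        if '=' not in line:
            continue
        name, _, data = line.partition('=')
        if re.match(r'hex\([12]\):', data):
            text = name + ' ' + _decode_hex_string(data.split(':', 1)[1])
        else:
            text = _unescape(line)   # value name and data both scanned
        for m in PATH_RE.finditer(text):
            refs.append(FileRef(key, m.group(0)))
    return list(dict.fromkeys(refs))


def missing_files(reg_text: str) -> list[FileRef]:
    """References whose target is absent here.  os.path.expandvars only
    understands %VAR% on Windows; elsewhere such paths stay literal."""
    return [r for r in referenced_files(reg_text)
            if not os.path.exists(os.path.expandvars(r.path))]


# Excerpt of the CCleaner backup posted in this thread (not constructed).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls]
"D:\\WINDOWS\\System32\\pxwma.dll"=dword:00000002

[HKEY_CLASSES_ROOT\htmlfile\shell\open\command]
@="\"D:\\PROGRA~1\\INTERN~1\\iexplore.avi\" -nohome"

[HKEY_CLASSES_ROOT\Connection Manager Profile\DefaultIcon]
@="D:\\WINDOWS\\System32\\CMMGR32.EXE,1"

[HKEY_CLASSES_ROOT\msbackupfile\shell\Open\Command]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6e,00,74,00,\
  62,00,61,00,63,00,6b,00,75,00,70,00,2e,00,65,00,78,00,65,00,00,00
'''

if __name__ == '__main__':
    for ref in referenced_files(SAMPLE_REG):
        state = 'present' if os.path.exists(os.path.expandvars(ref.path)) else 'missing'
        print(f'{state:8} {ref.path}   [{ref.key}]')
```

Run it on the full backup file (read the .reg as text, pass it to `missing_files`) on the affected machine, and the output is the list of exact names the reply asks for. The script only reports; an entry whose file type does not match its role, such as a shell handler pointing at something that is not an executable, becomes visible in the list for a human to judge.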


Offline reno

Win32 worm Alcan.A
« Reply #14 on: May 30, 2006, 10:34:21 AM »
Here's the ccleaner backup, I can't figure out which files they were exactly :unsure:
Windows Registry Editor Version 5.00


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls]
"D:\\WINDOWS\\System32\\pxwma.dll"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls]
"D:\\WINDOWS\\System32\\pxsfs.dll"=dword:00000002

[HKEY_CLASSES_ROOT\SysmonLogManager.Snapin]


[HKEY_CLASSES_ROOT\WMPCD]


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.autoreg]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.autoreg\OpenWithList]


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bak]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bak\OpenWithList]


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.be/foto's/]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.be/foto's/\OpenWithList]


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.be/web-content/]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.be/web-content/\OpenWithList]


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.be/web-data/]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.be/web-data/\OpenWithList]


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bfu]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bfu\OpenWithList]
"a"="firefox.exe"
"MRUList"="ba"
"b"="BFU.exe"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cut]
"Application"="NeroPhotoSnapViewer.Files7.cut"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dds]
"Application"="NeroPhotoSnapViewer.Files7.dds"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.iff]
"Application"="NeroPhotoSnapViewer.Files7.iff"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jng]
"Application"="NeroPhotoSnapViewer.Files7.jng"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.koa]
"Application"="NeroPhotoSnapViewer.Files7.koa"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.lbm]
"Application"="NeroPhotoSnapViewer.Files7.lbm"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ljp]
"Application"="NeroPhotoSnapViewer.Files7.ljp"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.lua]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.lua\OpenWithList]
"a"="msnmsgr.exe"
"MRUList"="cba"
"b"="NOTEPAD.EXE"
"c"="WORDPAD.EXE"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mng]
"Application"="NeroPhotoSnapViewer.Files7.mng"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MPQ]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MPQ\OpenWithList]
"a"="NOTEPAD.EXE"
"MRUList"="ba"
"b"="WORDPAD.EXE"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.part]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.part\OpenWithList]


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcd]
"Application"="NeroPhotoSnapViewer.Files7.pcd"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcx]
"Application"="NeroPhotoSnapViewer.Files7.pcx"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.properties]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.properties\OpenWithList]


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.sfv]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.sfv\OpenWithList]


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.srt]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.srt\OpenWithList]
"a"="vlc.exe"
"MRUList"="a"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.toc]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.toc\OpenWithList]
"a"="NOTEPAD.EXE"
"MRUList"="a"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.torrent]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.torrent\OpenWithList]
"a"="BT++.exe"
"MRUList"="ab"
"b"="iexplore.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.torrent\OpenWithProgids]
"bittorrent"=hex(0):


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xbm]
"Application"="NeroPhotoSnapViewer.Files7.xbm"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\OpenWithList]


[HKEY_CLASSES_ROOT\ADCS]
@="Directory-klassecontainer"

[HKEY_CLASSES_ROOT\ADCS\CLSID]
@="{89E30300-764D-11d0-B282-00A0C90F56FC}"


[HKEY_CLASSES_ROOT\Alg.AlgSetup]
@=""

[HKEY_CLASSES_ROOT\Alg.AlgSetup\CLSID]
@="{27D0BCCC-344D-4287-AF37-0C72C161C14C}"


[HKEY_CLASSES_ROOT\Alg.AlgSetup.1]
@=""

[HKEY_CLASSES_ROOT\Alg.AlgSetup.1\CLSID]
@="{27D0BCCC-344D-4287-AF37-0C72C161C14C}"


[HKEY_CLASSES_ROOT\CDDBControlApple.LanguageComponentType.2]
@="CDDBControlApple Class"

[HKEY_CLASSES_ROOT\CDDBControlApple.LanguageComponentType.2\CLSID]
@="{9BFE0984-30BA-6130-374C-14F8B53D8EB8}"


[HKEY_CLASSES_ROOT\ComPlusMetaData.MsCorHost]

[HKEY_CLASSES_ROOT\ComPlusMetaData.MsCorHost\CLSID]
@="{727CDF4F-3BA0-11D3-8738-00C04F79ED0D}"


[HKEY_CLASSES_ROOT\ComPlusMetaData.MsCorHost.2]
@="Microsoft COM+ Runtime Meta Data"

[HKEY_CLASSES_ROOT\ComPlusMetaData.MsCorHost.2\CLSID]
@="{727CDF4F-3BA0-11D3-8738-00C04F79ED0D}"


[HKEY_CLASSES_ROOT\Connection Manager Profile\DefaultIcon]
@="D:\\WINDOWS\\System32\\CMMGR32.EXE,1"


[HKEY_CLASSES_ROOT\Connection Manager Profile\shell\open]

[HKEY_CLASSES_ROOT\Connection Manager Profile\shell\open\command]
@="D:\\WINDOWS\\System32\\CMMGR32.EXE \"%1\""


[HKEY_CLASSES_ROOT\Connection Manager Profile\shell\Settings...]

[HKEY_CLASSES_ROOT\Connection Manager Profile\shell\Settings...\command]
@="D:\\WINDOWS\\System32\\CMMGR32.EXE /settings \"%1\""


[HKEY_CLASSES_ROOT\CoverDesigner.Files7.cdc\DefaultIcon]
@="D:\\Program Files\\Nero\\Nero 7\\Nero CoverDesigner\\CoverDes.exe,1"


[HKEY_CLASSES_ROOT\CoverDesigner.Files7.cdc\shell\open]
@="&Openen"

[HKEY_CLASSES_ROOT\CoverDesigner.Files7.cdc\shell\open\command]
@="\"D:\\Program Files\\Nero\\Nero 7\\Nero CoverDesigner\\CoverDes.exe\" \"%1\""


[HKEY_CLASSES_ROOT\CoverDesigner.Files7.ncd\DefaultIcon]
@="D:\\Program Files\\Nero\\Nero 7\\Nero CoverDesigner\\CoverDes.exe,1"


[HKEY_CLASSES_ROOT\CoverDesigner.Files7.ncd\shell\open]
@="&Openen"

[HKEY_CLASSES_ROOT\CoverDesigner.Files7.ncd\shell\open\command]
@="\"D:\\Program Files\\Nero\\Nero 7\\Nero CoverDesigner\\CoverDes.exe\" \"%1\""


[HKEY_CLASSES_ROOT\HeaderFooter.HeaderFooter.1]
@="Template Printer class"

[HKEY_CLASSES_ROOT\HeaderFooter.HeaderFooter.1\CLSID]
@="{30c3f6cd-98b5-11cf-bb82-00aa00bdce0b}"


[HKEY_CLASSES_ROOT\htmlfile\DefaultIcon]
@="D:\\PROGRA~1\\INTERN~1\\iexplore.avi,1"


[HKEY_CLASSES_ROOT\htmlfile\shell\open]
@="In het&zelfde venster openen"

[HKEY_CLASSES_ROOT\htmlfile\shell\open\command]
@="\"D:\\PROGRA~1\\INTERN~1\\iexplore.avi\" -nohome"

[HKEY_CLASSES_ROOT\htmlfile\shell\open\ddeexec]
@="\"file://%1\",,-1,,,,,"
"NoActivateHandler"=""

[HKEY_CLASSES_ROOT\htmlfile\shell\open\ddeexec\Application]
@="IExplore"

[HKEY_CLASSES_ROOT\htmlfile\shell\open\ddeexec\Topic]
@="WWW_OpenURL"


[HKEY_CLASSES_ROOT\htmlfile\shell\opennew]
@="&Openen"

[HKEY_CLASSES_ROOT\htmlfile\shell\opennew\command]
@="\"D:\\PROGRA~1\\INTERN~1\\iexplore.avi\" %1"

[HKEY_CLASSES_ROOT\htmlfile\shell\opennew\ddeexec]
@="\"%1\",,-1,0,,,,"
"NoActivateHandler"=""

[HKEY_CLASSES_ROOT\htmlfile\shell\opennew\ddeexec\Application]
@="IExplore"

[HKEY_CLASSES_ROOT\htmlfile\shell\opennew\ddeexec\IfExec]
@="*"

[HKEY_CLASSES_ROOT\htmlfile\shell\opennew\ddeexec\Topic]
@="WWW_OpenURLNewWindow"


[HKEY_CLASSES_ROOT\mhtmlfile\DefaultIcon]
@="D:\\PROGRA~1\\INTERN~1\\iexplore.avi,22"


[HKEY_CLASSES_ROOT\mhtmlfile\shell\opennew]
@="&Openen"

[HKEY_CLASSES_ROOT\mhtmlfile\shell\opennew\command]
@="\"D:\\PROGRA~1\\INTERN~1\\iexplore.avi\" %1"

[HKEY_CLASSES_ROOT\mhtmlfile\shell\opennew\ddeexec]
@="\"file://%1\",,-1,,,,,"
"NoActivateHandler"=""

[HKEY_CLASSES_ROOT\mhtmlfile\shell\opennew\ddeexec\Application]
@="IExplore"

[HKEY_CLASSES_ROOT\mhtmlfile\shell\opennew\ddeexec\IfExec]
@="*"

[HKEY_CLASSES_ROOT\mhtmlfile\shell\opennew\ddeexec\Topic]
@="WWW_OpenURLNewWindow"


[HKEY_CLASSES_ROOT\msbackupfile\DefaultIcon]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6e,00,74,00,\
  62,00,61,00,63,00,6b,00,75,00,70,00,2e,00,65,00,78,00,65,00,2c,00,31,00,30,\
  00,00,00


[HKEY_CLASSES_ROOT\msbackupfile\shell\Open]
@="O&penen"

[HKEY_CLASSES_ROOT\msbackupfile\shell\Open\Command]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6e,00,74,00,\
  62,00,61,00,63,00,6b,00,75,00,70,00,2e,00,65,00,78,00,65,00,00,00


[HKEY_CLASSES_ROOT\Nero.AutoPlay7\shell\AudioToNeroDigital_PlayCDAudioOnArrival]
@="Audio-cd's converteren naar Nero Digital Audio"

[HKEY_CLASSES_ROOT\Nero.AutoPlay7\shell\AudioToNeroDigital_PlayCDAudioOnArrival\command]
@="D:\\Program Files\\Nero\\Nero 7\\Core\\nero.exe /Dialog:SaveTracks /Drive:%L"


[HKEY_CLASSES_ROOT\Nero.AutoPlay7\shell\CDAudio_HandleCDBurningOnArrival]
@="Audio-cd maken"

[HKEY_CLASSES_ROOT\Nero.AutoPlay7\shell\CDAudio_HandleCDBurningOnArrival\command]
@="D:\\Program Files\\Nero\\Nero 7\\Core\\nero.exe /New:AudioCD"


[HKEY_CLASSES_ROOT\Nero.AutoPlay7\shell\CopyCD_PlayCDAudioOnArrival]
@="CD kopiëren"

[HKEY_CLASSES_ROOT\Nero.AutoPlay7\shell\CopyCD_PlayCDAudioOnArrival\command]
@="D:\\Program Files\\Nero\\Nero 7\\Core\\nero.exe /New:DiscCopy"


[HKEY_CLASSES_ROOT\Nero.AutoPlay7\shell\CopyCD_PlayMusicFilesOnArrival]
@="CD kopiëren"

[HKEY_CLASSES_ROOT\Nero.AutoPlay7\shell\CopyCD_PlayMusicFilesOnArrival\command]
@="D:\\Program Files\\Nero\\Nero 7\\Core\\nero.exe /Dialog:DiscCopy /Drive:%L"


[HKEY_CLASSES_ROOT\Nero.AutoPlay7\shell\DataDisc_HandleCDBurningOnArrival]
@="Dataschijf maken"

[HKEY_CLASSES_ROOT\Nero.AutoPlay7\shell\DataDisc_HandleCDBurningOnArrival\command]
@="D:\\Program Files\\Nero\\Nero 7\\Core\\nero.exe /New:ISODisc"


[HKEY_CLASSES_ROOT\Nero.AutoPlay7\shell\LaunchNeroStartSmart_HandleCDBurningOnArrival]
@="Nero StartSmart starten"

[HKEY_CLASSES_ROOT\Nero.AutoPlay7\shell\LaunchNeroStartSmart_HandleCDBurningOnArrival\command]
@="D:\\Program Files\\Nero\\Nero 7\\Nero StartSmart\\NeroStartSmart.exe /AutoPlay"


[HKEY_CLASSES_ROOT\Nero.AutoPlay7\shell\PlayAudioCD_PlayMusicFilesOnArrival]
@="Audio afspelen"

[HKEY_CLASSES_ROOT\Nero.AutoPlay7\shell\PlayAudioCD_PlayMusicFilesOnArrival\command]
@="D:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe /Play /Drive:%L"


[HKEY_CLASSES_ROOT\Nero.AutoPlay7\shell\PlayDVD_PlayDVDMovieOnArrival]
@="Video afspelen"

[HKEY_CLASSES_ROOT\Nero.AutoPlay7\shell\PlayDVD_PlayDVDMovieOnArrival\command]
@="D:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe /Play /Drive:%L"


[HKEY_CLASSES_ROOT\Nero.AutoPlay7\shell\PlayDVD_PlayVideoFilesOnArrival]
@="Video afspelen"

[HKEY_CLASSES_ROOT\Nero.AutoPlay7\shell\PlayDVD_PlayVideoFilesOnArrival\command]
@="D:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe /Play /Drive:%L"


[HKEY_CLASSES_ROOT\Nero.AutoPlay7\shell\RipCD_PlayCDAudioOnArrival]
@="Audio-cd's converteren naar audiobestanden"

[HKEY_CLASSES_ROOT\Nero.AutoPlay7\shell\RipCD_PlayCDAudioOnArrival\command]
@="D:\\Program Files\\Nero\\Nero 7\\Core\\nero.exe /Dialog:SaveTracks /Drive:%L"


[HKEY_CLASSES_ROOT\Nero.AutoPlay7\shell\TranscodeVideo_PlayDVDMovieOnArrival]
@="Dvd-video hercoderen"

[HKEY_CLASSES_ROOT\Nero.AutoPlay7\shell\TranscodeVideo_PlayDVDMovieOnArrival\command]
@="D:\\Program Files\\Nero\\Nero 7\\Nero Recode\\Recode.exe /New:CopyDVDVideo"


[HKEY_CLASSES_ROOT\Nero.AutoPlay7\shell\VideoCapture_VideoCameraArrival]
@="Video vastleggen"

[HKEY_CLASSES_ROOT\Nero.AutoPlay7\shell\VideoCapture_VideoCameraArrival\command]
@="D:\\Program Files\\Nero\\Nero 7\\Nero Vision\\NeroVision.exe /New:VideoCapture"


[HKEY_CLASSES_ROOT\Nero.AutoPlay7\shell\ViewPhotos_ShowPicturesOnArrival]
@="Uw foto's weergeven"

[HKEY_CLASSES_ROOT\Nero.AutoPlay7\shell\ViewPhotos_ShowPicturesOnArrival\command]
@="D:\\Program Files\\Nero\\Nero 7\\Nero PhotoSnap\\PhotoSnapViewer.exe /"


[HKEY_CLASSES_ROOT\NeroBurningROM.Files7.cue\DefaultIcon]
@="D:\\Program Files\\Nero\\Nero 7\\Core\\nero.exe,5"


[HKEY_CLASSES_ROOT\NeroBurningROM.Files7.cue\shell\open]
@="&Openen"

[HKEY_CLASSES_ROOT\NeroBurningROM.Files7.cue\shell\open\command]
@="\"D:\\Program Files\\Nero\\Nero 7\\Core\\nero.exe\" \"%1\""



Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Win32 worm Alcan.A
« Reply #15 on: May 30, 2006, 11:24:20 PM »
That's not the whole list from CCleaner.
It would have been nice to know what files were missing.

Can you go to START>>RUN>>Type in
sfc /scannow

Let that run its course, and have your Windows CD handy, just in case.
Let me know what you come up with.

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline reno

Win32 worm Alcan.A
« Reply #16 on: June 01, 2006, 10:44:16 AM »
Hmm, ok, this is weird: when I run this process, after a while it says "please insert your windows xp professional cdrom". The thing, however, is that I have Windows XP Home Edition :huh:

Offline guestolo

Win32 worm Alcan.A
« Reply #17 on: June 04, 2006, 11:44:59 AM »
Can you get your hands on an XP Home CD?
Preferably one that has SP2 slipstreamed or included.
Did sfc /scannow indicate what files were corrupt or missing?
It sure would be nice to know the files in question.
« Last Edit: June 04, 2006, 11:47:20 AM by guestolo »
