# Finding Registry Value and Editing Using Batch File



## bigslo (Mar 17, 2008)

I would like to know how to search for a Registry entry using a batch file and modify that entry. For example, I want to search for all occurrences of "amvo" in the registry and delete them all.


----------



## ozrom1e (May 16, 2006)

JV Power tools has an option to search the registry; this can be found at: http://www.macecraft.com/


----------



## bigslo (Mar 17, 2008)

ozrom1e said:


> JV Power tools has an option to search the registry; this can be found at: http://www.macecraft.com/


Thanks, but I'm not looking for a software, I would like to create a batch file that can find a registry entry and delete it.


----------



## Jeruvy (Sep 20, 2007)

Then you have to write one.


----------



## bigslo (Mar 17, 2008)

That's the problem. I'm new to batch files and I don't know the function or code to search the registry.


----------



## Mosaic1 (Aug 17, 2001)

bigslo,

Amvo is a malware file. You need malware help. Don't attempt this yourself. We need to get a good look at your system.

Download Deckard's System Scanner to your Desktop from one of these links:

http://www.techsupportforum.com/sectools/Deckard/dss.exe
http://deckard.geekstogo.com/dss.exe

Close all applications and windows. Disable any currently running security programs and Anti virus.

Double click on dss.exe to run it.

When the scan is complete, a text file will open - Main.txt
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of Main.txt here.
A folder, C:\Deckard\System Scanner, will also open. In it will be another text file, Extra.txt.
Please attach Extra.txt to your post. If the Folder doesn't open, please open it and find extra.txt manually.

Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

To attach a file, do not use the quick reply feature. Instead, click the orange reply button. Next, scroll down and click the [Manage Attachments] button.
Upload 
C:\Deckard\System Scanner\Extra.txt

*Be sure to re-enable any Anti Virus or other security programs you disabled after Deckard's system scan has finished.*

What DSS will do:
--create a new System Restore point in Windows XP and Vista.
--clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
--check some important areas of your system and produce a report for your analyst to review. 
--System Scanner automatically runs HijackThis for you, but if you do not have hijackthis installed, it will run its own cloned version of hijackthis.


----------



## Mosaic1 (Aug 17, 2001)

> That's the problem. I'm new to batch files and I don't know the function or code to search the registry.


That's because there is none. Batches often are written to use console tools which do the heavy lifting.

At any rate, amvo is removed by some of the anti malware tools and needs special attention. There's more to it than just the one file and its entries.


----------



## bigslo (Mar 17, 2008)

Thanks for all the replies. But my main problem is the command. I only mentioned amvo as an example; that is not what I want to remove, and I'm not looking for software to remove it.

My main point is:
to display something in the window, we use the "echo" command, right? And to wait for a key press from the user, we use the "pause" command. Likewise, I just want to know the code (and/or syntax) to search the registry.


----------



## Mosaic1 (Aug 17, 2001)

> Likewise, I just want to know the code (and/or syntax) to search the registry.


Did you read my last post? I hate auto registry cleaning. It can lead to disaster. But a batch is not the way to go on this one, IMO. There is no magic DOS command to search the registry. You need a tool to do that. Then assess what you find and decide whether or not you should remove the entries.

Even if you were to export the registry and do a text search, many of the entries would be in hex and therefore you might miss some of them.
There recently was another thread here where someone wanted to search and remove on auto. People responded and gave him a link to a tool.

It's your business how you deal with your system. But I never have and never will recommend something to do that without allowing the User (And the User needs to be well versed in the registry) to assess the findings.

I'll bow out of this thread now and hope you are very careful with your registry.


----------
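As an added example (not code from any poster in this thread), here is the approach Mosaic1 sketches done the read-only way from a batch file: reg.exe does the searching, findstr does the matching, and the script only writes a report. The script name regfind.bat, the list of keys and the report path are my own choices; it assumes reg.exe and findstr as shipped with Windows XP or later, and takes the search string as its first argument.

```batch
@echo off
rem Added example (not from this thread): read-only registry search driven by reg.exe.
rem Searches common load points for a string and writes a report. Nothing is deleted.
rem Usage: regfind.bat amvo
setlocal
if "%~1"=="" (
    echo Usage: %~nx0 search-string
    exit /b 1
)
set "PATTERN=%~1"
set "REPORT=%TEMP%\regfind-report.txt"
> "%REPORT%" echo Registry search for "%PATTERN%" on %COMPUTERNAME% at %DATE% %TIME%

rem Why reg query rather than reg export plus a text search: reg query /s walks the
rem subkeys and prints value data decoded, so a string held in a REG_EXPAND_SZ or
rem REG_MULTI_SZ value is matched here although a .reg export writes it as hex(2): or
rem hex(7): bytes that a plain text search misses. REG_BINARY data is still shown as
rem hex by reg query, so a match inside binary data is still not guaranteed.
rem The keys below are an assumed list of common load points, not an exhaustive one.
for %%K in (
    "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
    "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    "HKLM\SYSTEM\CurrentControlSet\Services"
) do (
    echo.>> "%REPORT%"
    echo [%%~K]>> "%REPORT%"
    reg query %%K /s 2>nul | findstr /i /c:"%PATTERN%" >> "%REPORT%"
)

echo Report written to "%REPORT%". Review every hit before you change anything.
type "%REPORT%"
endlocal
```

Each hit in the report still has to be judged by hand, as Mosaic1 says; if a key does need editing, `reg export` it to a .reg file first so the change can be undone.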



## devil_himself (Apr 7, 2007)

Greetings bigslo

First Of All Sorry For My English .. Not My Mother Tongue .. Ignore Any Grammar Errors

I'm Myself New To "Batch" Scripting .. But I Still Reckon That batch Cannot Be Used To Search The Whole Registry. I Think There Is Also No Third Party App Available To Be Used With Batch To Search The Registry .....

You Should Think Of Other Scripting Languages ... Like VBS Or Powershell Or May Be Perl

This Is A better And Safe Option -- > http://www.xs4all.nl/~fstaal01/downloads/regsearch.zip


----------



## ozrom1e (May 16, 2006)

Personally I think it is commendable that someone wants to learn how to batch file and especially with the registry. This is in demand that someone knows how to do this very dangerous thing like registry editing without having to know what is going on. The best way to start is with Google. Just search Google for *batch file* and then proceed to start learning, also make sure you have Acronis True Image to make an image of everything you have so when the registry gets trashed you can restore the image back to the computer so you can start over again and again. When I started learning about the registry I had a crash computer downstairs that I used and must have restored the OS over 500 times; you get good at restoring after that many times.

Actually the correct way to clear this up is to post a HijackThis log file and have a gold shield go through this with you to clean your computer. It is easier and also free, and you will not have to spend three years learning batch files and the registry keys.


----------



## bigslo (Mar 17, 2008)

Hi Mosaic1,

I've downloaded the "dss.exe" you've mentioned. I've scanned my system and I've attached the results.

For maybe a month or so, the Task Manager won't show fully; only a little portion of the bottom part is visible. Please see the attached file "TaskManager.jpg" in the zip file "otherimages.zip". So, I cannot see any process in the background. But I use the software "procexp.exe" to view the tasks and I don't think there's any other problem than this.

And now, my main problem is, this morning, some pages pop up in Internet Explorer every three minutes or so (please see the attached popups.zip file including "popup1.jpg", "popup2.jpg", "popup3.jpg", "popup4.jpg", "popup5.jpg"). I think this is strange as I didn't even use Internet Explorer; I always use Opera and Firefox only. And in Opera, the pages "trustedantivirus.jpg" and "tinyurl.jpg" (in the zip file "otherimages.zip") keep popping up too.

I really need help.


----------



## Mosaic1 (Aug 17, 2001)

Process Explorer is an excellent program. I use it myself.

But for your Task Manager problem, try this. Double Click on the body of the window to resize it to normal.

Now you do have some nasty malware present. As a start, let's see what Combofix will kill.

Next go here and follow the tutorial on using Combofix. Post the log when you have finished running that utility.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please tell us when you reply.

-------------------------

When you post the combofix results, please do not attach. Copy and paste them into a reply.


----------



## Mosaic1 (Aug 17, 2001)

Additionally, if you are running any file sharing programs or have installed any kind of cracked software, this can infect you. In fact, many of the people with malware are in trouble because they use file sharing and cracks. Please uninstall anything you have installed using a crack or file sharing. And then I highly recommend that you uninstall any file sharing programs.


----------



## bigslo (Mar 17, 2008)

Hi Mosaic1,

Here's the log file contents of combofix:

ComboFix 08-03-17.1 - John 2008-03-19 14:40:41.1 - *FAT32*x86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.391 [GMT 5.5:30]
Running from: C:\Documents and Settings\John\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-02-19 to 2008-03-19 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-19 09:00	82,380	----a-w	C:\WINDOWS\system32\drivers\AFS2K.SYS
2008-03-19 09:00	---------	d-----w	C:\Documents and Settings\John\Application Data\Hewlett-Packard
2008-03-19 08:59	---------	d-----w	C:\Program Files\Hewlett-Packard
2008-03-19 08:59	---------	d-----w	C:\Program Files\Common Files\Hewlett-Packard
2008-03-19 08:59	---------	d-----w	C:\Documents and Settings\John\Application Data\Share-to-Web Upload Folder
2008-03-19 08:45	---------	d-----w	C:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2001-08-02 07:14 1077277]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 10:42 69632]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-19 14:41:07
Windows 5.1.2600 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully 
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-19 14:41:19


----------



## bigslo (Mar 17, 2008)

Hi Mosaic1,

Thanks for the tip about the Task Manager, it's working fine now. The log file I sent earlier was from a test done with Combofix right after I loaded Windows. This morning I was so annoyed by my computer that I formatted my C drive and loaded Windows again. Now I've installed some software, including

1. AVG Free Edition
Version - 7.5.519,
Virus Base - 269.21.7/1334,
Release Date - 3/18/2008 8:52 PM

2. Spybot - Search and Destroy
Version - 1.5.2.0
System settings protector 1.5.2.16

Are these two software good enough to protect my computer? If not, what else should I get or what software should I use to replace these?

I've done a complete scan of my computer with AVG and I've attached the results, "resultoverview" and "virusresults". I've also run Spybot's Immunize and also a Search & Destroy.

After these tests, I've exited both these processes and run the combofix again. Here's the log file contents:

ComboFix 08-03-17.1 - John 2008-03-19 18:35:43.3 - *FAT32*x86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.283 [GMT 5.5:30]
Running from: C:\Documents and Settings\John\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-02-19 to 2008-03-19 )))))))))))))))))))))))))))))))
.

2008-03-19 18:08 . 2008-03-19 18:08 d--------	C:\Documents and Settings\John\Application Data\Media Player Classic
2008-03-19 18:08 . 2003-06-18 17:31	17,920	--a------	C:\WINDOWS\system32\mdimon.dll
2008-03-19 18:08 . 2008-03-19 18:08	376	--a------	C:\WINDOWS\ODBC.INI
2008-03-19 18:07 . 2008-03-19 18:07 d--------	C:\WINDOWS\SHELLNEW
2008-03-19 18:07 . 2008-03-19 18:07 d--------	C:\Program Files\Microsoft ActiveSync
2008-03-19 18:07 . 2008-03-19 18:07 d--------	C:\Program Files\IrfanView
2008-03-19 18:05 . 2008-03-19 18:05 dr-h-----	C:\MSOCache
2008-03-19 18:04 . 2008-03-19 18:04 d--------	C:\Program Files\K-Lite Codec Pack
2008-03-19 18:02 . 2008-03-19 18:02 d--------	C:\Program Files\Vypress Chat
2008-03-19 18:02 . 2008-03-19 18:02 d--------	C:\Documents and Settings\John\Application Data\VyPRESS
2008-03-19 17:59 . 2008-03-19 17:59 d--------	C:\Program Files\Google
2008-03-19 17:58 . 2008-03-19 17:58 d--------	C:\Program Files\Foxit Software
2008-03-19 17:57 . 2008-03-19 17:57 d--------	C:\Program Files\GlobalSCAPE
2008-03-19 17:50 . 2008-03-19 17:50 d--------	C:\Program Files\Common Files\Macromedia Shared
2008-03-19 17:50 . 2008-03-19 17:50 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Macrovision
2008-03-19 17:49 . 2008-03-19 17:49 d--------	C:\Program Files\Macromedia
2008-03-19 17:49 . 2008-03-19 17:49 d--------	C:\Program Files\Common Files\Macromedia
2008-03-19 17:09 . 2008-03-19 17:09 d--------	C:\Program Files\Common Files\Adobe Systems Shared
2008-03-19 17:09 . 2008-03-19 17:09 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe Systems
2008-03-19 17:08 . 2008-03-19 17:08 d--------	C:\Program Files\Common Files\Adobe
2008-03-19 16:47 . 2008-03-19 16:47 d--------	C:\Program Files\Opera
2008-03-19 16:45 . 2008-03-19 16:45 d--------	C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-19 16:45 . 2003-04-06 21:35	155,648	--a------	C:\WINDOWS\system32\igfxres.dll
2008-03-19 16:43 . 2008-03-19 16:43 d--------	C:\Program Files\C-Media 3D Audio
2008-03-19 16:42 . 2008-03-19 16:42 d--h-----	C:\Program Files\InstallShield Installation Information
2008-03-19 16:42 . 2008-03-19 16:42 d--------	C:\Program Files\Common Files\InstallShield
2008-03-19 16:08 . 2008-03-19 16:08 d--------	C:\Program Files\Spybot - Search & Destroy
2008-03-19 16:08 . 2008-03-19 16:08 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2008-03-19 15:59 . 2001-08-17 14:03	21,760	--a------	C:\WINDOWS\system32\dllcache\usbstor.sys
2008-03-19 15:57 . 2008-03-19 15:57 d--------	C:\WUTemp
2008-03-19 15:57 . 2003-08-25 18:06	182,880	--a------	C:\WINDOWS\system32\iuengine.dll
2008-03-19 15:57 . 2003-08-25 18:06	182,880	--a------	C:\WINDOWS\system32\dllcache\iuengine.dll
2008-03-19 15:37 . 2008-03-19 15:37 d--------	C:\Documents and Settings\NetworkService\Application Data\AVG7
2008-03-19 15:37 . 2008-03-19 15:37 d--------	C:\Documents and Settings\John\Application Data\AVG7
2008-03-19 15:37 . 2008-03-19 15:37 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Grisoft
2008-03-19 15:37 . 2008-03-19 15:37 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\avg7
2008-03-19 15:37 . 2008-03-19 15:37	499,712	--a------	C:\WINDOWS\system32\msvcp71.dll
2008-03-19 15:37 . 2008-03-19 15:37	348,160	--a------	C:\WINDOWS\system32\msvcr71.dll
2008-03-19 15:08 . 2008-03-19 15:08 d--------	C:\Program Files\Free Download Manager
2008-03-19 15:08 . 2008-03-19 15:09 d--------	C:\Documents and Settings\John\Application Data\Free Download Manager
2008-03-19 15:08 . 2008-03-19 15:08 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\FreeDownloadManager.ORG

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-19 09:14	---------	d-----w	C:\Program Files\Common Files\Cisco Systems
2008-03-19 09:00	82,380	----a-w	C:\WINDOWS\system32\drivers\AFS2K.SYS
2008-03-19 09:00	---------	d-----w	C:\Documents and Settings\John\Application Data\Hewlett-Packard
2008-03-19 08:59	---------	d-----w	C:\Program Files\Hewlett-Packard
2008-03-19 08:59	---------	d-----w	C:\Program Files\Common Files\Hewlett-Packard
2008-03-19 08:59	---------	d-----w	C:\Documents and Settings\John\Application Data\Share-to-Web Upload Folder
2008-03-19 08:45	---------	d-----w	C:\Program Files\microsoft frontpage
2008-01-10 07:46	159,839	----a-w	C:\WINDOWS\system32\xvidvfw.dll
2008-01-10 07:45	755,027	----a-w	C:\WINDOWS\system32\xvidcore.dll
2007-12-24 08:19	7,680	----a-w	C:\WINDOWS\system32\ff_vfw.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Free Download Manager"="C:\Program Files\Free Download Manager\fdm.exe" [2008-02-13 18:02 2453551]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 10:42 69632]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-19 15:37 579072]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-06 21:49 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-06 21:37 114688]
"Cmaudio"="cmicnfg.cpl" []
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-16 03:18 479232]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-19 15:37 219136]

C:\Documents and Settings\John\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Vypress Chat StartUp.lnk - C:\WINDOWS\Installer\{32230531-F971-468F-9BD4-7C3369F3468B}\iconVCAdvertised.exe [2008-03-19 18:02:11 12390]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2001-08-02 07:14 1077277 C:\Program Files\Messenger\msmsgs.exe

*Newly Created Service* - OSE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-19 18:36:06
Windows 5.1.2600 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully 
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-19 18:36:19
ComboFix3.txt 2008-03-19 09:11:22
ComboFix2.txt 2008-03-19 13:04:28

*I've also run HijackThis (I thought it might be helpful) and here's the log file too:*

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:37:35 PM, on 3/19/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Vypress Chat\VyChat.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Vypress Chat StartUp.lnk = ?
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{43515474-9D24-4175-8AE3-326B0341D493}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{43515474-9D24-4175-8AE3-326B0341D493}: NameServer = 192.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{43515474-9D24-4175-8AE3-326B0341D493}: NameServer = 192.168.0.1
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

--
End of file - 5264 bytes

Looking forward to hear from you.


----------



## Mosaic1 (Aug 17, 2001)

Hi bigslo,



> Are these two software good enough to protect my computer? If not what else should I get or what software should i use to replace these.


No. I can't lie to you on this. Nothing is 100% effective. It is always good to get an online scan once in a while. No one AV sees everything because these malwares are constantly writing new files.

You have to have a firewall too.

Do you use any Flash drives or other writable removable media?


----------



## bigslo (Mar 17, 2008)

Hi Mosaic1,

Yes, I use a pen drive often. But when I plug it into my computer I usually check it with an antivirus first and "autorun" is almost always found.


----------



## Mosaic1 (Aug 17, 2001)

bigslo,

That's good. I can assume, then, that you're aware of the danger of autorun.inf files. Autorun.inf is a nice feature which is being abused by malware to infect people.

Combofix has added restrictions to prevent autorun.inf files from running on any drives. So if you put in a CD, it will not autorun either. Are you OK with that, or do you want to remove these restrictions and take your own precautions?

The autorun.inf files found may not always be malware, but then again, they may be. That's the thing. You have to know how to deal with them before you allow any to run.


----------



## bigslo (Mar 17, 2008)

Hi Mosaic1,

Thanks for the advice. I would rather the autorun be disabled than put my system at risk. So, I don't need to run Combofix every now and then? Or should I run it occasionally?


----------



## Mosaic1 (Aug 17, 2001)

Hi bigslo,

In fact, you should not ever run Combofix on your own. The copy you have now is going to be outdated within a few days, if it is not already. It senses when it is past a certain date and uninstalls itself.


----------



## bigslo (Mar 17, 2008)

Hi Mosaic1,

I have another problem. I wanted to create a batch file that searches a drive and, if something is found, takes some action. Suppose we want to search for all files named "new.txt" in a particular drive and if found delete them. I wrote code like this (to find and delete "new.txt" in drive C:):

```batch
C:
cd \
rem /s is needed to look in the subfolders too; /b prints the bare full path of each match
dir /s /b new.txt
```

This code searches drive C: for "new.txt". Suppose it is found in "C:\Documents and Settings\John\Desktop".

After this, what I want to be done is go to "C:\Documents and Settings\John\Desktop" and execute the necessary action on that file (in this case; delete "new.txt"). And if multiple files are found in different locations, I want it to automatically go to all the locations and take the necessary action for all the files found.

And one more thing: is there a loop function that can be used in batch files, like the ones used in C/C++, i.e., "for loop" or "while loop" etc.?

Best Regards,
Big Slo


----------



## Mosaic1 (Aug 17, 2001)

If you just want to delete files, del /s filename.txt will recursively delete all files named filename.txt in the named directory.

Like this:
You don't have to Change (go) to the directory in this case. 

```batch
del /s C:\filename.txt
```

Because of the /s switch, the path looks odd. But it works. 

Look at the for command 

for /? will give you help on that.


----------
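As an added example (not code from any poster), here is a batch file that puts Mosaic1's del /s and for hints together: it lists every copy of a named file below a folder, visits each location with pushd, and deletes only when told to, and it also shows the counted and while-style loops bigslo asked about. The script name findfile.bat and its arguments are my own choices; it assumes only cmd.exe's built-in dir, for, pushd and del.

```batch
@echo off
rem Added example (not from this thread): find every file with a given name below a
rem root folder and act on each one, building on the del /s and for hints above.
rem Lists matches by default; deletes only when the third argument is the word delete.
rem Usage: findfile.bat C:\ new.txt [delete]
setlocal
if "%~2"=="" (
    echo Usage: %~nx0 root-folder file-name [delete]
    exit /b 1
)
set "ROOT=%~f1"
if "%ROOT:~-1%"=="\" set "ROOT=%ROOT:~0,-1%"
set "NAME=%~2"
set "MODE=%~3"
set /a COUNT=0

rem dir /s /b prints the full path of every match below ROOT, one per line, using the
rem same "odd looking" ROOT\NAME form that del /s uses; /a-d skips folders of that name.
rem for /f feeds each line to the loop body as %%F; the ~dp and ~nx modifiers give the
rem folder and the bare file name, so the script can go there without anyone typing cd.
for /f "delims=" %%F in ('dir /s /b /a-d "%ROOT%\%NAME%" 2^>nul') do (
    set /a COUNT+=1
    echo Found: %%F
    if /i "%MODE%"=="delete" (
        pushd "%%~dpF"
        del /f /q "%%~nxF" && echo   deleted %%~nxF from %%~dpF
        popd
    )
)
echo %COUNT% file^(s^) named "%NAME%" under "%ROOT%".

rem Counted loop, the batch equivalent of a C for loop: for /l %%I in (start,step,end).
for /l %%I in (1,1,3) do echo pass %%I of 3

rem There is no while keyword; a label, a test and goto give the same shape.
set /a N=0
:again
if %N% geq 3 goto done
set /a N+=1
echo while-style iteration %N%
goto again
:done
endlocal
```

Run it without the delete argument first so the list can be checked; `for /?` documents the /f and /l forms used here as well as /r, which walks a folder tree directly.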



## bigslo (Mar 17, 2008)

Hi Mosaic1,

Got another problem again (seems I'm always in trouble). I have a virus or something that makes an exe file with the name of the folder in which it is in. Like in the folder "New Folder", an exe file "New Folder" will be created. It is created in almost all folders, I think, as there are around 3000 or more files when I scan with AVG Free edition. It detects it as "Virus identified Worm/Autoit.GA". Can you please help.


----------






## Mosaic1 (Aug 17, 2001)

Hi bigslo,

You should start a new thread here in the malware forum for your new problem and post a new log so someone will help. 


Mosaic1


----------



## Mosaic1 (Aug 17, 2001)

It's also important that you keep your system updated with the latest Windows service pack and then the security updates needed. That, along with a good antivirus and firewall, are essential.


----------

