My hard drive has been infected by Conduit


  1. Posts : 2,470
    Windows 7 Home Premium
       #71

    NeverFindExt or NeverShowExt???

    There are hidden files marked as Super Hidden Files that are not viewed by the normal routine.


    Please download SystemLook from one of the links below:
    Link 1
    Link 2
    (Only direct links available)

    Save the file to the Desktop
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following code box into the open textfield:
    Code:
    :regfind
    NeverShowExt
    NeverFindExt
    • Click the Look button to start the scan.
    • When finished, a Notepad window opens with the results of the scan.
    Please post the SystemLook.txt in your reply.


    Thanks!


  2. Posts : 25,847
    Windows 10 Pro. 64/ version 1709 Windows 7 Pro/64
       #72

    Thank you Cottonball. I learned something today and I like that.
    Super Hidden Files
    I didn't know I had any.
    Thanks again.


  3. Posts : 2,470
    Windows 7 Home Premium
       #73

    @Layback Bear:

    There is something to be learned every day you work here.
    Don't you ever have some "What the heck is the OP talking about?" moments?
    If you don't, you are lucky. I have those all the time. Some of them qualify under "Senior Moments"!

    The hide or show files game is not my thing, although malware can do strange things and hide something where you least expect it. Normally, from what I understand, it is best to leave SuperHidden files just as they are.

    Not sure if all files are displayed in Windows Explorer upon enabling 'Show hidden files' in Folder Options.
    If a User insists on seeing them, or, if there is a valid need, to display SuperHidden files, you can do the following:

    • Open the Registry Editor (Start > Run > Regedit)
    • Go to: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    • In the right pane, double-click on SuperHidden and set its value to: 1

    When done, close the Registry and restart the PC.


  4. Posts : 25,847
    Windows 10 Pro. 64/ version 1709 Windows 7 Pro/64
       #74

    You might have taken me wrong.
    I really didn't know what you just explained.
    The thank you was meant wholeheartedly.

    Don't you ever have some "What the heck is the OP talking about?" moments
    See them every day.

    I really don't want to see my Super Hidden files. They are super hidden for a reason and until now I didn't even know there was such a thing. I do find many things on my computer that I don't know what they are. Sometimes I will Google them. 99.999% of the time I just leave them alone.

    I will remember if I ever want to see them all I have to do is ask you how.
    Once again Thanks!


  5. Posts : 2,470
    Windows 7 Home Premium
       #75

    There are other ways of viewing those SuperHidden files, I'm sure.

    I really don't want to see my Super Hidden files. They are super hidden for a reason...
    Spot-on!!


  6. Posts : 114
    Windows 7 Home Premium
    Thread Starter
       #76

    For Cottonball

    There are five instances of HideFileExt on the given Registry key. I ran it twice and both times came up with 5.

    Checked Value is 0x00000001(1)

    NeverShowExt does not appear in the Registry

    Folder Options is 0.

    I set SuperHidden to 1 and rebooted


    GerryR


  7. Posts : 114
    Windows 7 Home Premium
    Thread Starter
       #77

    This is the result for Cottonball of using System_x64.exe


    SystemLook 30.07.11 by jpshortstuff
    Log created at 02:06 on 03/10/2013 by Gerald
    Administrator - Elevation successful

    ========== regfind ==========

    Searching for "NeverShowExt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Access.Shortcut.DataAccessPage.1]
    "NeverShowExt"=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Access.Shortcut.Diagram.1]
    "NeverShowExt"=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Access.Shortcut.Form.1]
    "NeverShowExt"=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Access.ShortCut.Function.1]
    "NeverShowExt"=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Access.Shortcut.Macro.1]
    "NeverShowExt"=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Access.Shortcut.Module.1]
    "NeverShowExt"=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Access.Shortcut.Query.1]
    "NeverShowExt"=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Access.Shortcut.Report.1]
    "NeverShowExt"=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Access.Shortcut.StoredProcedure.1]
    "NeverShowExt"=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Access.Shortcut.Table.1]
    "NeverShowExt"=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Access.Shortcut.View.1]
    "NeverShowExt"=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Application.Reference]
    "NeverShowExt"=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}]
    "NeverShowExt"=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}]
    "NeverShowExt"=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}]
    "NeverShowExt"=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ECF03A32-103D-11d2-854D-006008059367}]
    "NeverShowExt"=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\fdse_file]
    "NeverShowExt"=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ffs0_file]
    "NeverShowExt"=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ffs1_file]
    "NeverShowExt"=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ffs2_file]
    "NeverShowExt"=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ffs3_file]
    "NeverShowExt"=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ffs4_file]
    "NeverShowExt"=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ffs5_file]
    "NeverShowExt"=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ffs6_file]
    "NeverShowExt"=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ffs7_file]
    "NeverShowExt"=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ffs8_file]
    "NeverShowExt"=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ffse_file]
    "NeverShowExt"=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\fse_file]
    "NeverShowExt"=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IE.AssocFile.URL]
    "NeverShowExt"=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IE.AssocFile.WEBSITE]
    "NeverShowExt"=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\InternetShortcut]
    "NeverShowExt"=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\LibraryFolder]
    "NeverShowExt"=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile]
    "NeverShowExt"=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Microsoft.Website]
    "NeverShowExt"=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\piffile]
    "NeverShowExt"=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SearchConnectorFolder]
    "NeverShowExt"=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SearchFolder]
    "NeverShowExt"=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SHCmdFile]
    "NeverShowExt"=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}]
    "NeverShowExt"=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}]
    "NeverShowExt"=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}]
    "NeverShowExt"=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ECF03A32-103D-11d2-854D-006008059367}]
    "NeverShowExt"=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\xnkfile]
    "NeverShowExt"=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}]
    "NeverShowExt"=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}]
    "NeverShowExt"=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}]
    "NeverShowExt"=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{ECF03A32-103D-11d2-854D-006008059367}]
    "NeverShowExt"=""

    Searching for "NeverFindExt"
    No data found.

    -= EOF =-

    I then ran it twice more and both times got the following result.

    SystemLook 30.07.11 by jpshortstuff
    Log created at 02:32 on 03/10/2013 by Gerald
    Administrator - Elevation successful

    ========== regfind ==========

    Searching for "NeverShowExt "
    No data found.

    Searching for "NeverFindExt"
    No data found.

    -= EOF =-
    Last edited by GerryR; 03 Oct 2013 at 01:35.
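
An added example, not part of the thread and not SystemLook's own code: a small Python parser for regfind logs laid out like the two above. It flags search terms that carry stray whitespace (the second run searched for "NeverShowExt " with a trailing space and found nothing) and lists the distinct classes that carry the value, folding Wow6432Node mirrors together. The function names are hypothetical, and the log layout is assumed to match the posted output.

```python
import re

# Sample input: key names are taken from the log posted above; the shortened
# excerpt itself was assembled for this example.
SAMPLE_LOG = r'''
Searching for "NeverShowExt"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile]
"NeverShowExt"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\piffile]
"NeverShowExt"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}]
"NeverShowExt"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}]
"NeverShowExt"=""

Searching for "NeverShowExt "
No data found.
'''

SEARCH = re.compile(r'^Searching for "(.*)"$')
KEY = re.compile(r'^\[(.+)\]$')

def parse_regfind(log):
    """Return {search term: [registry keys reported under that term]}."""
    results, term = {}, None
    for line in log.splitlines():
        line = line.strip()
        m = SEARCH.match(line)
        if m:
            term = m.group(1)          # whitespace inside the quotes is kept
            results[term] = []
        elif term is not None and (k := KEY.match(line)):
            results[term].append(k.group(1))
    return results

def padded_terms(results):
    """Search terms with leading or trailing whitespace, worth re-running."""
    return [t for t in results if t != t.strip()]

def classes_hiding_extension(results, value="NeverShowExt"):
    """Distinct class names under ...\\Classes, Wow6432Node mirrors folded."""
    names = set()
    for key in results.get(value, []):
        parts = [p for p in key.split("\\") if p.lower() != "wow6432node"]
        idx = [p.lower() for p in parts].index("classes")  # assumes a Classes key
        names.add("\\".join(parts[idx + 1:]))
    return sorted(names)
```

Run against a saved SystemLook.txt, `padded_terms` shows whether an empty result came from a mistyped search term rather than from an absent value.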


  8. Posts : 114
    Windows 7 Home Premium
    Thread Starter
       #78

    To Cottonball re System_x64.exe


    1) Can you tell me what the significance of this is?

    2) Is there any point in keeping System_64.exe on my desktop any longer?


  9. Posts : 2,470
    Windows 7 Home Premium
       #79

    1) Can you tell me what the significance of this is?
    It all deals with file extensions which have a NeverShowExt Registry value.

    If you take one of the entries, at random, like:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}]
    "NeverShowExt"=""

    There's an entry in the Send To menu called "Compressed (zipped) Folder". It is obtained by right-clicking on a file.
    If you take a look at the folder specifying the entries for the Send To menu, %APPDATA%\Microsoft\Windows\SendTo, you'll find that this item is: ZFSendToTarget.

    The purpose of this shell extension is to allow for creating a compressed folder using Send To.

    Some other entries point to file extensions for Super Hidden Files.


    2) Is there any point in keeping System_64.exe on my desktop any longer
    Have no clue what System_x64.exe is. However, if you mean SystemLook_x64.exe, you can remove it any time you wish.


  10. Posts : 114
    Windows 7 Home Premium
    Thread Starter
       #80

    SystemLook_x64


    We must be in radically different time zones. I don't receive Seven Forums notices from you until about 2:30 AM my time. I am not at my best then. Yes, I meant SystemLook_x64. Does this mean that my computer is now clean of Conduit? Unfortunately I am dealing with some people who insist that all PDF files be opened by Adobe Reader. As I really have to deal with them, I'm stuck. I consider that to be a program of dubious security. I had been using Sumatra for PDF files but have temporarily uninstalled it. Somehow their PDF files won't allow Sumatra or Foxit to open them. I consider FlashPlayer to be another hacker target. I've uninstalled Java and so far no adverse effects have followed.

    Except for that, is my disaster officially over?

    In any case, many thanks,

    Gerry


 