laralara

Ok, I understand, thank you so much for trying !!!

I restarted the computer and still got the error code 2

========== OTL ========== Service Ftdippk2sacs stopped successfully! Service Ftdippk2sacs deleted successfully! Service WDICA stopped successfully! Service WDICA deleted successfully! Service sfsync04 stopped successfully! Service sfsync04 deleted successfully! File System32\drivers\sfsync04.sys not found. Service PDRFRAME stopped successfully! Service PDRFRAME deleted successfully! Service PDRELI stopped successfully! Service PDRELI deleted successfully! Service PDFRAME stopped successfully! Service PDFRAME deleted successfully! Service PDCOMP stopped successfully! Service PDCOMP deleted successfully! Service PCIDump stopped successfully! Service PCIDump deleted successfully! Service MRENDIS5 stopped successfully! Service MRENDIS5 deleted successfully! File C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS not found. Service MREMPR5 stopped successfully! Service MREMPR5 deleted successfully! File C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS not found. Service lbrtfdc stopped successfully! Service lbrtfdc deleted successfully! Service i2omgmt stopped successfully! Service i2omgmt deleted successfully! Service Changer stopped successfully! Service Changer deleted successfully! Service catchme stopped successfully! Service catchme deleted successfully! File C:\ComboFix\catchme.sys not found. ADS C:\Documents and Settings\All Users\Application Data\TEMP:C31F31E6 deleted successfully. Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@Apple.com/iTunes,version=\ deleted successfully. OTL by OldTimer - Version 3.2.69.0 log created on 12182012_122428

I don't know what I'm doing wrong, I ran the OTL twice and usually the extras.txt file is on the desktop, but now I can't find it anywhere. I even did a search.

I attached the OTL.txt file but I can't seem to find the extra.txt file...I will post it as soon as I find it OTL.Txt

I ran disc clean-up yesterday and this morning when i booted, it was fine. Turned off the computer and then booted it this afternoon, and the dreaded error code 2 showed up again. I hate bothering you all the time about this... Is there anyway, to start Malwarebytes after Windows has started? Otherwise I'd have to always remember to disable it before I power off and then start it after the computer boots or I'll just have to wait 7-8 minutes for the computer to boot.

"Silent Runners.vbs", revision 64, http://www.silentrunners.org/ Operating System: Microsoft Windows XP Professional Service Pack 3 (32-bit) Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} Yahoo! Pager = "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet [Yahoo! Inc.] Search Protection = C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe [Yahoo! Inc] OfficeSyncProcess = "C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE" [MS] GoogleDriveSync = "C:\Program Files\Google\Drive\googledrivesync.exe" /autostart [Google] 12F9BEC1EC6BE2D5615C75033DB928BBBB2922E8._service_run = "C:\Documents and Settings\sharon\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --type=service [Google Inc.] MusicManager = "C:\Documents and Settings\sharon\Local Settings\Application Data\Programs\Google\MusicManager\MusicManager.exe" [Google Inc.] GoogleChromeAutoLaunch_65B68F2A14D8870A2AE39DA3D9784B74 = "C:\Documents and Settings\sharon\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --no-startup-window [Google Inc.] ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe [MS] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} Communicator = "C:\Program Files\Microsoft Lync\communicator.exe" /fromrunkey [MS] QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime [Apple Inc.] TkBellExe = "C:\program files\real\realplayer\update\realsched.exe" -osboot [RealNetworks, Inc.] SunJavaUpdateSched = "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [sun Microsystems, Inc.] 00PCTFW = "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s [PC Tools] MSC = "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [MS] NBAgent = "C:\Program Files\Nero\Nero 10\Nero BackItUp\NBAgent.exe" /WinStart [Nero AG] Adobe ARM = "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [Adobe Systems Incorporated] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {02478D38-C3F9-4EFB-9B51-7695ECA05670}\(Default) = (no title provided) -> {HKLM…CLSID} = &Yahoo! Toolbar Helper \InProcServer32\(Default) = C:\Program Files\Yahoo!\Companion\Installs\cpn10\yt.dll [Yahoo! Inc.] {11111111-1111-1111-1111-110011441193}\(Default) = CrossriderApp0004493 -> {HKLM…CLSID} = Coupon Companion \InProcServer32\(Default) = C:\Program Files\Coupon Companion\Coupon Companion.dll [215 Apps] {18DF081C-E8AD-4283-A596-FA578C2EBDC3}\(Default) = AcroIEHelperStub -> {HKLM…CLSID} = Adobe PDF Link Helper \InProcServer32\(Default) = C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [Adobe Systems Incorporated] {3049C3E9-B461-4BC5-8870-4C09146192CA}\(Default) = (no title provided) -> {HKLM…CLSID} = RealPlayer Download and Record Plugin for Internet Explorer \InProcServer32\(Default) = C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll [RealPlayer] {31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\(Default) = Lync add-on BHO -> {HKLM…CLSID} = Lync Browser Helper \InProcServer32\(Default) = C:\Program Files\Microsoft Lync\OCHelper.dll [MS] {326E768D-4182-46FD-9C16-1449A49795F4}\(Default) = Increase performance and video formats for your HTML5 <video> -> {HKLM…CLSID} = DivX Plus Web Player HTML5 <video> \InProcServer32\(Default) = C:\Program Files\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll [DivX, LLC] {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\(Default) = (no title provided) -> {HKLM…CLSID} = Yahoo! IE Services Button \InProcServer32\(Default) = C:\Program Files\Yahoo!\Common\yiesrvc.dll [Yahoo! Inc.] {72853161-30C5-4D22-B7F9-0BBC1D38A37E}\(Default) = (no title provided) -> {HKLM…CLSID} = Groove GFS Browser Helper \InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL [MS] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided) -> {HKLM…CLSID} = Java Plug-In SSV Helper \InProcServer32\(Default) = C:\Program Files\Java\jre7\bin\ssv.dll [Oracle Corporation] {9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided) -> {HKLM…CLSID} = Windows Live Sign-in Helper \InProcServer32\(Default) = C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [MS] {AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided) -> {HKLM…CLSID} = Google Toolbar Helper \InProcServer32\(Default) = C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [Google Inc.] {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\(Default) = (no title provided) -> {HKLM…CLSID} = Google Toolbar Notifier BHO \InProcServer32\(Default) = C:\Program Files\Google\GoogleToolbarNotifier\5.7.8313.1002\swg.dll [Google Inc.] {B4F3A835-0E21-4959-BA22-42B3008E02FF}\(Default) = URLRedirectionBHO -> {HKLM…CLSID} = Office Document Cache Handler \InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office14\URLREDIR.DLL [MS] {DBC80044-A445-435b-BC74-9C25C1C588A9}\(Default) = (no title provided) -> {HKLM…CLSID} = Java Plug-In 2 SSV Helper \InProcServer32\(Default) = C:\Program Files\Java\jre7\bin\jp2ssv.dll [Oracle Corporation] {EAD3A971-6A23-4246-8691-C9244E858967}\(Default) = (no title provided) -> {HKLM…CLSID} = OToolbarHelper Class \InProcServer32\(Default) = C:\Program Files\PayPal\PayPal Plug-In\PayPalHelper.dll [null data] {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}\(Default) = (no title provided) -> {HKLM…CLSID} = SingleInstance Class \InProcServer32\(Default) = C:\Program Files\Yahoo!\Companion\Installs\cpn7\YTSingleInstance.dll [Yahoo! Inc] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ GDriveBlacklistedOverlay\(Default) = {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42} -> {HKLM…CLSID} = Google Drive Shell extension \InProcServer32\(Default) = C:\Program Files\Google\Drive\googledrivesync32.dll [Google] GDriveSharedOverlay\(Default) = {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43} -> {HKLM…CLSID} = Google Drive Shell extension \InProcServer32\(Default) = C:\Program Files\Google\Drive\googledrivesync32.dll [Google] GDriveSyncedOverlay\(Default) = {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40} -> {HKLM…CLSID} = Google Drive Shell extension \InProcServer32\(Default) = C:\Program Files\Google\Drive\googledrivesync32.dll [Google] GDriveSyncingOverlay\(Default) = {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41} -> {HKLM…CLSID} = Google Drive Shell extension \InProcServer32\(Default) = C:\Program Files\Google\Drive\googledrivesync32.dll [Google] Groove Explorer Icon Overlay 1 (GFS Unread Stub)\(Default) = {99FD978C-D287-4F50-827F-B2C658EDA8E7} -> {HKLM…CLSID} = Groove Explorer Icon Overlay 1 (GFS Unread Stub) \InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL [MS] Groove Explorer Icon Overlay 2 (GFS Stub)\(Default) = {AB5C5600-7E6E-4B06-9197-9ECEF74D31CC} -> {HKLM…CLSID} = Groove Explorer Icon Overlay 2 (GFS Stub) \InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL [MS] Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)\(Default) = {920E6DB1-9907-4370-B3A0-BAFC03D81399} -> {HKLM…CLSID} = Groove Explorer Icon Overlay 2.5 (GFS Unread Folder) \InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL [MS] Groove Explorer Icon Overlay 3 (GFS Folder)\(Default) = {16F3DD56-1AF5-4347-846D-7C10C4192619} -> {HKLM…CLSID} = Groove Explorer Icon Overlay 3 (GFS Folder) \InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL [MS] Groove Explorer Icon Overlay 4 (GFS Unread Mark)\(Default) = {2916C86E-86A6-43FE-8112-43ABE6BF8DCC} -> {HKLM…CLSID} = Groove Explorer Icon Overlay 4 (GFS Unread Mark) \InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL [MS] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ {88895560-9AA2-1069-930E-00AA0030EBC8} = HyperTerminal Icon Ext -> {HKLM…CLSID} = HyperTerminal Icon Ext \InProcServer32\(Default) = C:\WINDOWS\system32\hticons.dll [Hilgraeve, Inc.] {BAB66DEA-6E13-473b-AA5A-B4172418F54B} = Firehand Ember Thumbnail Icon Generator -> {HKLM…CLSID} = (no title provided) \InProcServer32\(Default) = C:\Program Files\Firehand Technologies\Ember\fhndicon.dll [Firehand Technologies Corporation] {B327765E-D724-4347-8B16-78AE18552FC3} = NeroDigitalIconHandler -> {HKLM…CLSID} = NeroDigitalIconHandler Class \InProcServer32\(Default) = C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll [Nero AG] {7F1CF152-04F8-453A-B34C-E609530A9DC8} = NeroDigitalPropSheetHandler -> {HKLM…CLSID} = NeroDigitalPropSheetHandler Class \InProcServer32\(Default) = C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll [Nero AG] {5464D816-CF16-4784-B9F3-75C0DB52B499} = Yahoo! Mail -> {HKLM…CLSID} = Yahoo! Mail Shell Extension \InProcServer32\(Default) = C:\Program Files\Yahoo!\Common\YMMAPI.dll [Yahoo! Inc.] {23170F69-40C1-278A-1000-000100020000} = 7-Zip Shell Extension -> {HKLM…CLSID} = 7-Zip Shell Extension \InProcServer32\(Default) = C:\Program Files\7-Zip\7-zip.dll [igor Pavlov] {1530F7EE-5128-43BD-9977-84A4B0FAD7DF} = PhotoToys -> {HKLM…CLSID} = (no title provided) \InProcServer32\(Default) = C:\WINDOWS\system32\phototoys.dll [MS] {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} = OpenOffice.org Column Handler -> {HKLM…CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll" [OpenOffice.org] {087B3AE3-E237-4467-B8DB-5A38AB959AC9} = OpenOffice.org Infotip Handler -> {HKLM…CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll" [OpenOffice.org] {63542C48-9552-494A-84F7-73AA6A7C99C1} = OpenOffice.org Property Sheet Handler -> {HKLM…CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll" [OpenOffice.org] {3B092F0C-7696-40E3-A80F-68D74DA84210} = OpenOffice.org Thumbnail Viewer -> {HKLM…CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll" [OpenOffice.org] {6F5D5D75-8A92-45A8-9EB7-59CB44C8C6A2} = My Replica -> {HKLM…CLSID} = My Replica \InProcServer32\(Default) = C:\PROGRA~1\SEAGAT~1\bin\SEAGAT~2.DLL [seagate Technology LLC] {41219729-53A7-4BFA-860D-3C07701A7367} = CRebitInfotipExt -> {HKLM…CLSID} = RebitShellExt.InfotipExtension \InProcServer32\(Default) = C:\PROGRA~1\SEAGAT~1\bin\SEAGAT~3.DLL [seagate Technology LLC] {7A9A2CC0-1C55-41F8-8305-957DE59A6B0B} = CRebitContextMenuExt -> {HKLM…CLSID} = ShellExt.ContextMenuExtension \InProcServer32\(Default) = C:\PROGRA~1\SEAGAT~1\bin\SEAGAT~3.DLL [seagate Technology LLC] {B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} = iTunes -> {HKLM…CLSID} = iTunes \InProcServer32\(Default) = C:\Program Files\iTunes\iTunesMiniPlayer.dll [Apple Inc.] {42042206-2D85-11D3-8CFF-005004838597} = Microsoft Office HTML Icon Handler -> {HKLM…CLSID} = (no title provided) \InProcServer32\(Default) = C:\Program Files\Microsoft Office\Office14\msohevi.dll [MS] {993BE281-6695-4BA5-8A2A-7AACBFAAB69E} = Microsoft Office Metadata Handler -> {HKLM…CLSID} = Microsoft Office Metadata Handler \InProcServer32\(Default) = C:\Program Files\Common Files\Microsoft Shared\OFFICE14\msoshext.dll [MS] {C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97} = Microsoft Office Thumbnail Handler -> {HKLM…CLSID} = Microsoft Office Thumbnail Handler \InProcServer32\(Default) = C:\Program Files\Common Files\Microsoft Shared\OFFICE14\msoshext.dll [MS] {3D60EDA7-9AB4-4DA8-864C-D9B5F2E7281D} = Groove Namespace Extension -> {HKLM…CLSID} = Workspaces \InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL [MS] {0875DCB6-C686-4243-9432-ADCCF0B9F2D7} = Microsoft OneNote Namespace Extension for Windows Desktop Search -> {HKLM…CLSID} = Microsoft OneNote Namespace Extension for Windows Desktop Search \InProcServer32\(Default) = C:\Program Files\Microsoft Office\Office14\ONFILTER.DLL [MS] {506F4668-F13E-4AA1-BB04-B43203AB3CC0} = {506F4668-F13E-4AA1-BB04-B43203AB3CC0} -> {HKLM…CLSID} = ImageExtractorShellExt Class \InProcServer32\(Default) = C:\Program Files\Microsoft Office\Office14\VISSHE.DLL [MS] {D66DC78C-4F61-447F-942B-3FB6980118CF} = {D66DC78C-4F61-447F-942B-3FB6980118CF} -> {HKLM…CLSID} = CInfoTipShellExt Class \InProcServer32\(Default) = C:\Program Files\Microsoft Office\Office14\VISSHE.DLL [MS] {72853161-30C5-4D22-B7F9-0BBC1D38A37E} = Groove GFS Browser Helper -> {HKLM…CLSID} = Groove GFS Browser Helper \InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL [MS] {6C467336-8281-4E60-8204-430CED96822D} = Groove GFS Context Menu Handler -> {HKLM…CLSID} = Groove GFS Context Menu Handler \InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL [MS] {2A541AE1-5BF6-4665-A8A3-CFA9672E4291} = Groove GFS Explorer Bar -> {HKLM…CLSID} = Groove Folder Synchronization \InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL [MS] {16F3DD56-1AF5-4347-846D-7C10C4192619} = Groove Explorer Icon Overlay 3 (GFS Folder) -> {HKLM…CLSID} = Groove Explorer Icon Overlay 3 (GFS Folder) \InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL [MS] {B5A7F190-DDA6-4420-B3BA-52453494E6CD} = Groove GFS Stub Execution Hook -> {HKLM…CLSID} = Groove GFS Stub Execution Hook \InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL [MS] {A449600E-1DC6-4232-B948-9BD794D62056} = Groove GFS Stub Icon Handler -> {HKLM…CLSID} = Groove GFS Stub Icon Handler \InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL [MS] {AB5C5600-7E6E-4B06-9197-9ECEF74D31CC} = Groove Explorer Icon Overlay 2 (GFS Stub) -> {HKLM…CLSID} = Groove Explorer Icon Overlay 2 (GFS Stub) \InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL [MS] {920E6DB1-9907-4370-B3A0-BAFC03D81399} = Groove Explorer Icon Overlay 2.5 (GFS Unread Folder) -> {HKLM…CLSID} = Groove Explorer Icon Overlay 2.5 (GFS Unread Folder) \InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL [MS] {2916C86E-86A6-43FE-8112-43ABE6BF8DCC} = Groove Explorer Icon Overlay 4 (GFS Unread Mark) -> {HKLM…CLSID} = Groove Explorer Icon Overlay 4 (GFS Unread Mark) \InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL [MS] {99FD978C-D287-4F50-827F-B2C658EDA8E7} = Groove Explorer Icon Overlay 1 (GFS Unread Stub) -> {HKLM…CLSID} = Groove Explorer Icon Overlay 1 (GFS Unread Stub) \InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL [MS] {387E725D-DC16-4D76-B310-2C93ED4752A0} = Groove XML Icon Handler -> {HKLM…CLSID} = Groove XML Icon Handler \InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL [MS] {00020D75-0000-0000-C000-000000000046} = Microsoft Outlook Desktop Icon Handler -> {HKLM…CLSID} = Microsoft Outlook \InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office14\MLSHEXT.DLL [MS] {0006F045-0000-0000-C000-000000000046} = Microsoft Outlook Custom Icon Handler -> {HKLM…CLSID} = Outlook File Icon Extension \InProcServer32\(Default) = C:\Program Files\Microsoft Office\Office14\OLKFSTUB.DLL [MS] {0563DB41-F538-4B37-A92D-4659049B7766} = WLMD Message Handler -> {HKLM…CLSID} = CLSID_WLMCMimeFilter \InProcServer32\(Default) = C:\Program Files\Windows Live\Mail\mailcomm.dll [MS] {00F33137-EE26-412F-8D71-F84E4C2C6625} = (no title provided) -> {HKLM…CLSID} = Windows Live Photo Gallery Viewer Autoplay Shim \InProcServer32\(Default) = C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll [MS] {00F346CB-35A4-465B-8B8F-65A29DBAB1F6} = Windows Live Photo Gallery Viewer Drop Target Shim -> {HKLM…CLSID} = Windows Live Photo Gallery Viewer Shim \InProcServer32\(Default) = C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll [MS] {00F3712A-CA79-45B4-9E4D-D7891E7F8B9D} = Windows Live Photo Gallery Editor Drop Target Shim -> {HKLM…CLSID} = Windows Live Photo Gallery Editor Shim \InProcServer32\(Default) = C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll [MS] {00F30F90-3E96-453B-AFCD-D71989ECC2C7} = Windows Live Photo Gallery Autoplay Drop Target Shim -> {HKLM…CLSID} = Windows Live Photo Gallery Viewer Autoplay Shim \InProcServer32\(Default) = C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll [MS] {97090E2F-3062-4459-855B-014F0D3CDBB1} = Windows Search Deskbar -> {HKCU…CLSID} = Windows Search Deskbar \InProcServer32\(Default) = C:\Program Files\Windows Desktop Search\deskbar.dll [MS] -> {HKLM…CLSID} = Windows Search Deskbar \InProcServer32\(Default) = C:\Program Files\Windows Desktop Search\deskbar.dll [MS] {13E7F612-F261-4391-BEA2-39DF4F3FA311} = Windows Desktop Search -> {HKLM…CLSID} = Windows Desktop Search \InProcServer32\(Default) = C:\Program Files\Windows Desktop Search\msnlExt.dll [MS] {F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} = Shell Extensions for RealOne Player -> {HKLM…CLSID} = RealOne Player Context Menu Class \InProcServer32\(Default) = c:\program files\real\realplayer\rpshell.dll [RealNetworks, Inc.] {09A47860-11B0-4DA5-AFA5-26D86198A780} = EPP -> {HKLM…CLSID} = (no title provided) \InProcServer32\(Default) = c:\PROGRA~1\MI239C~1\shellext.dll [MS] {F764812A-132C-4013-9960-5CBBEB408A0E} = Nero Shell Extension -> {HKLM…CLSID} = NeroShellExt Class \InProcServer32\(Default) = C:\Program Files\Common Files\Nero\NeroShellExt\\NeroShellExt.dll [Nero AG] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ <<!>> {B5A7F190-DDA6-4420-B3BA-52453494E6CD} = Groove GFS Stub Execution Hook -> {HKLM…CLSID} = Groove GFS Stub Execution Hook \InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL [MS] <<!>> {56F9679E-7826-4C84-81F3-532071A8BCC5} = (no title provided) -> {HKLM…CLSID} = Windows Desktop Search Namespace Manager \InProcServer32\(Default) = C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [MS] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ WPDShServiceObj = {AAA288BA-9A4C-45B0-95D7-94D524869DB5} -> {HKLM…CLSID} = WPDShServiceObj Class \InProcServer32\(Default) = C:\WINDOWS\system32\WPDShServiceObj.dll [MS] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <<!>> igfxcui\DLLName = igfxdev.dll [intel Corporation] HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\ <<!>> text/xml\CLSID = {807573E5-5146-11D5-A672-00B0D022E945} -> {HKLM…CLSID} = Microsoft Office InfoPath XML Mime Filter \InProcServer32\(Default) = C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL [MS] HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\ <<!>> livecall\CLSID = {828030A1-22C1-4009-854F-8E305202313F} -> {HKLM…CLSID} = (no title provided) \InProcServer32\(Default) = C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL [MS] <<!>> ms-help\CLSID = {314111c7-a502-11d2-bbca-00c04f8ec294} -> {HKLM…CLSID} = HxProtocol Class \InProcServer32\(Default) = C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll [MS] <<!>> msnim\CLSID = {828030A1-22C1-4009-854F-8E305202313F} -> {HKLM…CLSID} = (no title provided) \InProcServer32\(Default) = C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL [MS] <<!>> wlmailhtml\CLSID = {03C514A3-1EFB-4856-9F99-10D7BE1653C0} -> {HKLM…CLSID} = Windows Live Mail HTML Asynchronous Pluggable Protocol Handler \InProcServer32\(Default) = C:\Program Files\Windows Live\Mail\mailcomm.dll [MS] HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ 7-Zip\(Default) = {23170F69-40C1-278A-1000-000100020000} -> {HKLM…CLSID} = 7-Zip Shell Extension \InProcServer32\(Default) = C:\Program Files\7-Zip\7-zip.dll [igor Pavlov] EPP\(Default) = {09A47860-11B0-4DA5-AFA5-26D86198A780} -> {HKLM…CLSID} = (no title provided) \InProcServer32\(Default) = c:\PROGRA~1\MI239C~1\shellext.dll [MS] XXX Groove GFS Context Menu Handler XXX\(Default) = {6C467336-8281-4E60-8204-430CED96822D} -> {HKLM…CLSID} = Groove GFS Context Menu Handler \InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL [MS] Yahoo! Mail\(Default) = {5464D816-CF16-4784-B9F3-75C0DB52B499} -> {HKLM…CLSID} = Yahoo! Mail Shell Extension \InProcServer32\(Default) = C:\Program Files\Yahoo!\Common\YMMAPI.dll [Yahoo! Inc.] {A4FD8DDB-5800-4414-97F9-7457AC8EE4F0}\(Default) = (no title provided) -> {HKLM…CLSID} = NBShellHook Class \InProcServer32\(Default) = C:\Program Files\Nero\Nero 10\Nero BackItUp\NBShell.dll [Nero AG] {F764812A-132C-4013-9960-5CBBEB408A0E}\(Default) = (no title provided) -> {HKLM…CLSID} = NeroShellExt Class \InProcServer32\(Default) = C:\Program Files\Common Files\Nero\NeroShellExt\\NeroShellExt.dll [Nero AG] HKLM\SOFTWARE\Classes\*\shellex\DragDropHandlers\ NBShellHook\(Default) = {A4FD8DDB-5800-4414-97F9-7457AC8EE4F0} -> {HKLM…CLSID} = NBShellHook Class \InProcServer32\(Default) = C:\Program Files\Nero\Nero 10\Nero BackItUp\NBShell.dll [Nero AG] HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\ CRebitContextMenuExt\(Default) = {7A9A2CC0-1C55-41F8-8305-957DE59A6B0B} -> {HKLM…CLSID} = ShellExt.ContextMenuExtension \InProcServer32\(Default) = C:\PROGRA~1\SEAGAT~1\bin\SEAGAT~3.DLL [seagate Technology LLC] MBAMShlExt\(Default) = {57CE581A-0CB6-4266-9CA0-19364C90A0B3} -> {HKLM…CLSID} = MBAMShlExt Class \InProcServer32\(Default) = C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll [Malwarebytes Corporation] XXX Groove GFS Context Menu Handler XXX\(Default) = {6C467336-8281-4E60-8204-430CED96822D} -> {HKLM…CLSID} = Groove GFS Context Menu Handler \InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL [MS] HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ 7-Zip\(Default) = {23170F69-40C1-278A-1000-000100020000} -> {HKLM…CLSID} = 7-Zip Shell Extension \InProcServer32\(Default) = C:\Program Files\7-Zip\7-zip.dll [igor Pavlov] EPP\(Default) = {09A47860-11B0-4DA5-AFA5-26D86198A780} -> {HKLM…CLSID} = (no title provided) \InProcServer32\(Default) = c:\PROGRA~1\MI239C~1\shellext.dll [MS] XXX Groove GFS Context Menu Handler XXX\(Default) = {6C467336-8281-4E60-8204-430CED96822D} -> {HKLM…CLSID} = Groove GFS Context Menu Handler \InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL [MS] {F764812A-132C-4013-9960-5CBBEB408A0E}\(Default) = (no title provided) -> {HKLM…CLSID} = NeroShellExt Class \InProcServer32\(Default) = C:\Program Files\Common Files\Nero\NeroShellExt\\NeroShellExt.dll [Nero AG] HKLM\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\ 7-Zip\(Default) = {23170F69-40C1-278A-1000-000100020000} -> {HKLM…CLSID} = 7-Zip Shell Extension \InProcServer32\(Default) = C:\Program Files\7-Zip\7-zip.dll [igor Pavlov] HKLM\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\ igfxcui\(Default) = {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} -> {HKLM…CLSID} = GraphicsShellExt Class \InProcServer32\(Default) = C:\WINDOWS\system32\igfxpph.dll [intel Corporation] XXX Groove GFS Context Menu Handler XXX\(Default) = {6C467336-8281-4E60-8204-430CED96822D} -> {HKLM…CLSID} = Groove GFS Context Menu Handler \InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL [MS] HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\ {7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = NeroDigitalExt.NeroDigitalColumnHandler -> {HKLM…CLSID} = NeroDigitalColumnHandler Class \InProcServer32\(Default) = C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll [Nero AG] {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = OpenOffice.org Column Handler -> {HKLM…CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll" [OpenOffice.org] {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = PDF Column Info -> {HKLM…CLSID} = PDF Shell Extension \InProcServer32\(Default) = C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll [Adobe Systems, Inc.] HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\ MBAMShlExt\(Default) = {57CE581A-0CB6-4266-9CA0-19364C90A0B3} -> {HKLM…CLSID} = MBAMShlExt Class \InProcServer32\(Default) = C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll [Malwarebytes Corporation] XXX Groove GFS Context Menu Handler XXX\(Default) = {6C467336-8281-4E60-8204-430CED96822D} -> {HKLM…CLSID} = Groove GFS Context Menu Handler \InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL [MS] {A4FD8DDB-5800-4414-97F9-7457AC8EE4F0}\(Default) = (no title provided) -> {HKLM…CLSID} = NBShellHook Class \InProcServer32\(Default) = C:\Program Files\Nero\Nero 10\Nero BackItUp\NBShell.dll [Nero AG] HKLM\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\ NBShellHook\(Default) = {A4FD8DDB-5800-4414-97F9-7457AC8EE4F0} -> {HKLM…CLSID} = NBShellHook Class \InProcServer32\(Default) = C:\Program Files\Nero\Nero 10\Nero BackItUp\NBShell.dll [Nero AG] Default executables: -------------------- <<!>> HKLM\SOFTWARE\Classes\.com\(Default) = ComFile Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ NoDrives = (REG_DWORD) dword:0x00000000 {unrecognized setting} HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ NoDrives = (REG_DWORD) dword:0x00000000 {unrecognized setting} HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ DisableRegistryTools = (REG_DWORD) dword:0x00000000 {unrecognized setting} EnableLinkedConnections = (REG_DWORD) dword:0x00000001 {unrecognized setting} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ Wallpaper = C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ Wallpaper = C:\Documents and Settings\sharon\Local Settings\Application Data\Microsoft\Wallpaper1.bmp Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ SCRNSAVE.EXE = C:\WINDOWS\system32\ssstars.scr [MS] Windows Portable Device AutoPlay Handlers ----------------------------------------- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\ AdobePhotoshopElementsShowPicturesOnArrival\ Provider = Adobe Photoshop Elements InvokeProgID = PhotoshopElements.Application.2 InvokeVerb = edit HKLM\SOFTWARE\Classes\PhotoshopElements.Application.2\shell\edit\DropTarget\CLSID = {06BA3416-AB29-4e01-A2F1-5AB6A17BEBBB} -> {HKLM…CLSID} = (no title provided) \LocalServer32\(Default) = C:\Program Files\Adobe\Photoshop Elements 2\PhotoshopElements.exe /Automation [Adobe Systems, Incorporated] CanonMPNEX10PictureOnArrival\ Provider = MP Navigator EX Ver1.0 InvokeProgID = MPNavigatorEX10.AutoplayHandler InvokeVerb = open HKLM\SOFTWARE\Classes\MPNavigatorEX10.AutoplayHandler\shell\open\command\(Default) = C:\Program Files\Canon\MP Navigator EX 1.0\mpnex10.exe /AUTOPLAY %1 [CANON INC.] CanonZB4PicturesOnArrival\ Provider = Canon ZoomBrowser EX InvokeProgID = Zb.AutoplayHandler InvokeVerb = open HKLM\SOFTWARE\Classes\Zb.AutoplayHandler\shell\open\command\(Default) = C:\Program Files\Canon\ZoomBrowser EX MCU\MCULauncher.exe [null data] iTunesBurnCDOnArrival\ Provider = iTunes InvokeProgID = iTunes.BurnCD InvokeVerb = burn HKLM\SOFTWARE\Classes\iTunes.BurnCD\shell\burn\command\(Default) = "C:\Program Files\iTunes\iTunes.exe" /AutoPlayBurn "%L" [Apple Inc.] iTunesImportSongsOnArrival\ Provider = iTunes InvokeProgID = iTunes.ImportSongsOnCD InvokeVerb = import HKLM\SOFTWARE\Classes\iTunes.ImportSongsOnCD\shell\import\command\(Default) = "C:\Program Files\iTunes\iTunes.exe" /AutoPlayImportSongs "%L" [Apple Inc.] iTunesPlaySongsOnArrival\ Provider = iTunes InvokeProgID = iTunes.PlaySongsOnCD InvokeVerb = play HKLM\SOFTWARE\Classes\iTunes.PlaySongsOnCD\shell\play\command\(Default) = "C:\Program Files\iTunes\iTunes.exe" /playCD "%L" [Apple Inc.] iTunesShowSongsOnArrival\ Provider = iTunes InvokeProgID = iTunes.ShowSongsOnCD InvokeVerb = showsongs HKLM\SOFTWARE\Classes\iTunes.ShowSongsOnCD\shell\showsongs\command\(Default) = "C:\Program Files\iTunes\iTunes.exe" /AutoPlayShowSongs "%L" [Apple Inc.] MediaHub10BluRayOnArrival\ Provider = Nero MediaHub 10 InvokeProgID = OpenWithNeroMediaHub10 InvokeVerb = open HKLM\SOFTWARE\Classes\OpenWithNeroMediaHub10\shell\open\command\(Default) = "C:\Program Files\Nero\Nero 10\Nero MediaHub\MediaHub.exe" %L [null data] MediaHub10CDAudioOnArrival\ Provider = Nero MediaHub 10 InvokeProgID = OpenWithNeroMediaHub10 InvokeVerb = open HKLM\SOFTWARE\Classes\OpenWithNeroMediaHub10\shell\open\command\(Default) = "C:\Program Files\Nero\Nero 10\Nero MediaHub\MediaHub.exe" %L [null data] MediaHub10DVDMovieOnArrival\ Provider = Nero MediaHub 10 InvokeProgID = OpenWithNeroMediaHub10 InvokeVerb = open HKLM\SOFTWARE\Classes\OpenWithNeroMediaHub10\shell\open\command\(Default) = "C:\Program Files\Nero\Nero 10\Nero MediaHub\MediaHub.exe" %L [null data] MediaHub10MediaFilesOnArrival\ Provider = Nero MediaHub 10 InvokeProgID = ImportWithNeroMediaHub10 InvokeVerb = open HKLM\SOFTWARE\Classes\ImportWithNeroMediaHub10\shell\open\command\(Default) = "C:\Program Files\Nero\Nero 10\Nero MediaHub\MediaHub.exe" /Import=%L [null data] MediaHub10SVCDMovieOnArrival\ Provider = Nero MediaHub 10 InvokeProgID = OpenWithNeroMediaHub10 InvokeVerb = open HKLM\SOFTWARE\Classes\OpenWithNeroMediaHub10\shell\open\command\(Default) = "C:\Program Files\Nero\Nero 10\Nero MediaHub\MediaHub.exe" %L [null data] MediaHub10VCDMovieOnArrival\ Provider = Nero MediaHub 10 InvokeProgID = OpenWithNeroMediaHub10 InvokeVerb = open HKLM\SOFTWARE\Classes\OpenWithNeroMediaHub10\shell\open\command\(Default) = "C:\Program Files\Nero\Nero 10\Nero MediaHub\MediaHub.exe" %L [null data] MediaHub10WPDOnArrival\ Provider = Nero MediaHub 10 CLSID = {A55803CC-4D53-404c-8557-FD63DBA95D24} InitCmdLine = /WiaCmd;"C:\Program Files\Nero\Nero 10\Nero MediaHub\MediaHub.exe" -Import %1 %2; -> {HKLM…CLSID} = WPDShextAutoplay \LocalServer32\(Default) = C:\WINDOWS\system32\WPDShextAutoplay.exe [MS] MSLivePhotoAcqHWEventHandler\ Provider = @%ProgramFiles%\Windows Live\Photo Gallery\regres.dll,-10 ProgID = Microsoft.LivePhotoAcqHWEventHandler HKLM\SOFTWARE\Classes\Microsoft.LivePhotoAcqHWEventHandler\CLSID\(Default) = {3BD0ACD1-71CA-4475-92CC-E0AA0AAF843F} -> {HKLM…CLSID} = (no title provided) \LocalServer32\(Default) = C:\Program Files\Windows Live\Photo Gallery\WLXPhotoAcquireWizard.exe [MS] MSLivePhotoAcquireDropHandler\ Provider = @%ProgramFiles%\Windows Live\Photo Gallery\regres.dll,-10 InvokeProgID = Microsoft.LivePhotoAcqDTShim.1 InvokeVerb = open HKLM\SOFTWARE\Classes\Microsoft.LivePhotoAcqDTShim.1\shell\open\DropTarget\CLSID = {00F33137-EE26-412F-8D71-F84E4C2C6625} -> {HKLM…CLSID} = Windows Live Photo Gallery Viewer Autoplay Shim \InProcServer32\(Default) = C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll [MS] MSLiveShowPicturesOnArrival\ Provider = @%ProgramFiles%\Windows Live\Photo Gallery\regres.dll,-10 InvokeProgID = Microsoft.Photos.LiveAutoplayShim.1 InvokeVerb = open HKLM\SOFTWARE\Classes\Microsoft.Photos.LiveAutoplayShim.1\shell\open\DropTarget\CLSID = {00F30F90-3E96-453B-AFCD-D71989ECC2C7} -> {HKLM…CLSID} = Windows Live Photo Gallery Viewer Autoplay Shim \InProcServer32\(Default) = C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll [MS] MSLiveVideoCameraArrivalCaptureWizard\ Provider = @%ProgramFiles%\Windows Live\Photo Gallery\regres.dll,-10 ProgID = WLXAutoPlayMgr.WLXHWEventHandler InitCmdLine = WLXVideoAcquireWizard HKLM\SOFTWARE\Classes\WLXAutoPlayMgr.WLXHWEventHandler\CLSID\(Default) = {9B5C97F6-B3A5-4A6D-8B03-993EC7291A22} -> {HKLM…CLSID} = WLXWEventHandler Class \LocalServer32\(Default) = "C:\Program Files\Windows Live\Photo Gallery\WLXVideoCameraAutoPlayManager.exe" [MS] MSWPDShellNamespaceHandler\ Provider = @%SystemRoot%\System32\WPDShextRes.dll,-501 CLSID = {A55803CC-4D53-404c-8557-FD63DBA95D24} InitCmdLine = -> {HKLM…CLSID} = WPDShextAutoplay \LocalServer32\(Default) = C:\WINDOWS\system32\WPDShextAutoplay.exe [MS] NapsterMTPHandler\ Provider = @C:\Program Files\Napster\napster.exe,-101 ProgID = Shell.HWEventHandlerShellExecute InitCmdLine = "C:\Program Files\Napster\napster.exe" /devicesync HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7} -> {HKLM…CLSID} = ShellExecute HW Event Handler \LocalServer32\(Default) = rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7} [MS] NapsterPlayCDHandler\ Provider = @C:\Program Files\Napster\napster.exe,-101 InvokeProgID = Napster.AutoplayHandler InvokeVerb = open HKLM\SOFTWARE\Classes\Napster.AutoplayHandler\shell\open\command\(Default) = "C:\Program Files\Napster\napster.exe" /playcd "%L" [Napster] NeroAutoPlay2CDAudio\ Provider = Nero Express InvokeProgID = Nero.AutoPlay2 InvokeVerb = HandleCDBurningOnArrival_CDAudio HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\HandleCDBurningOnArrival_CDAudio\command\(Default) = C:\Program Files\Ahead\nero\nero.exe /w /New:AudioCD /Drive:%L [Ahead Software AG] NeroAutoPlay2CopyCD\ Provider = Nero Express InvokeProgID = Nero.AutoPlay2 InvokeVerb = PlayCDAudioOnArrival_CopyCD HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\PlayCDAudioOnArrival_CopyCD\command\(Default) = C:\Program Files\Ahead\nero\nero.exe /w /Dialog:DiscCopy /Drive:%L [Ahead Software AG] NeroAutoPlay2DataDisc\ Provider = Nero Express InvokeProgID = Nero.AutoPlay2 InvokeVerb = HandleCDBurningOnArrival_DataDisc HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\HandleCDBurningOnArrival_DataDisc\command\(Default) = C:\Program Files\Ahead\nero\nero.exe /w /New:ISODisc /Drive:%L [Ahead Software AG] NeroAutoPlay2LaunchNeroStartSmart\ Provider = Nero StartSmart InvokeProgID = Nero.AutoPlay2 InvokeVerb = HandleCDBurningOnArrival_LaunchNeroStartSmart HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\HandleCDBurningOnArrival_LaunchNeroStartSmart\command\(Default) = C:\Program Files\Ahead\Nero StartSmart\NeroStartSmart.exe /AutoPlay /Drive:%L [Ahead Software AG] NeroAutoPlay2PlayAudioCD\ Provider = Nero Media Player InvokeProgID = Nero.AutoPlay2 InvokeVerb = PlayMusicFilesOnArrival_PlayAudioCD HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\PlayMusicFilesOnArrival_PlayAudioCD\command\(Default) = C:\Program Files\Ahead\NeroMediaPlayer\NeroMediaPlayer.exe /Play %L [Ahead software] NeroAutoPlay2PlayDVD\ Provider = Nero ShowTime InvokeProgID = Nero.AutoPlay2 InvokeVerb = PlayVideoFilesOnArrival_PlayDVD HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\PlayVideoFilesOnArrival_PlayDVD\command\(Default) = C:\Program Files\Ahead\Nero ShowTime\ShowTime.exe /Play %L [Nero Software AG] NeroAutoPlay2VideoCapture\ Provider = NeroVision Express SE ProgID = Shell.HWEventHandlerShellExecute InitCmdLine = "C:\Program Files\Ahead\NeroVision\NeroVision.exe" /New:VideoCapture HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7} -> {HKLM…CLSID} = ShellExecute HW Event Handler \LocalServer32\(Default) = rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7} [MS] NeroBurningROM10CopyCD\ Provider = Nero Burning ROM 10 InvokeProgID = Nero.BurningROM.10.AutoPlay InvokeVerb = CopyCD HKLM\SOFTWARE\Classes\Nero.BurningROM.10.AutoPlay\shell\CopyCD\command\(Default) = C:\Program Files\Nero\Nero 10\Nero Burning ROM\nero.exe -w /Dialog:DiscCopy [Nero AG] NeroBurningROM10LaunchNBR\ Provider = Nero Burning ROM 10 InvokeProgID = Nero.BurningROM.10.AutoPlay InvokeVerb = LanchNE HKLM\SOFTWARE\Classes\Nero.BurningROM.10.AutoPlay\shell\LanchNE\command\(Default) = C:\Program Files\Nero\Nero 10\Nero Burning ROM\nero.exe /Media:AUTO /Drive:%L [Nero AG] NeroExpress10CopyCD\ Provider = Nero Express 10 InvokeProgID = Nero.Express.10.AutoPlay InvokeVerb = CopyCD HKLM\SOFTWARE\Classes\Nero.Express.10.AutoPlay\shell\CopyCD\command\(Default) = C:\Program Files\Nero\Nero 10\Nero Express\NeroExpress.exe -w /Dialog:DiscCopy [Nero AG] NeroExpress10LaunchNE\ Provider = Nero Express 10 InvokeProgID = Nero.Express.10.AutoPlay InvokeVerb = LanchNE HKLM\SOFTWARE\Classes\Nero.Express.10.AutoPlay\shell\LanchNE\command\(Default) = C:\Program Files\Nero\Nero 10\Nero Express\NeroExpress.exe /Media:AUTO /Drive:%L [Nero AG] NeroVision10VideoCapture\ Provider = Nero Vision 10 ProgID = Shell.HWEventHandlerShellExecute InitCmdLine = "C:\Program Files\Nero\Nero 10\Nero Vision\NeroVision.exe" /New:VideoCapture HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7} -> {HKLM…CLSID} = ShellExecute HW Event Handler \LocalServer32\(Default) = rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7} [MS] PDirXDVArrival\ Provider = PowerDirector Express ProgID = Shell.HWEventHandlerShellExecute InitCmdLine = "C:\Program Files\CyberLink\PowerDirector Express\PDX.exe" /DV HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7} -> {HKLM…CLSID} = ShellExecute HW Event Handler \LocalServer32\(Default) = rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7} [MS] Picasa2ImportPicturesOnArrival\ Provider = Picasa2 InvokeProgID = picasa2.autoplay InvokeVerb = import HKLM\SOFTWARE\Classes\picasa2.autoplay\shell\import\command\(Default) = C:\Program Files\Picasa2\Picasa2.exe "%1" [Google Inc.] PPCDBurningOnArrival\ Provider = PowerProducer InvokeProgID = Picture InvokeVerb = OpenWithPowerProducer HKLM\SOFTWARE\Classes\Picture\shell\OpenWithPowerProducer\Command\(Default) = "C:\Program Files\CyberLink\PowerProducer\Producer.exe" [CyberLink] PPDCameraArrival\ Provider = PowerProducer InvokeProgID = Picture InvokeVerb = OpenWithPowerProducer HKLM\SOFTWARE\Classes\Picture\shell\OpenWithPowerProducer\Command\(Default) = "C:\Program Files\CyberLink\PowerProducer\Producer.exe" [CyberLink] PPDVArrival\ Provider = PowerProducer ProgID = Shell.HWEventHandlerShellExecute InitCmdLine = "C:\Program Files\CyberLink\PowerProducer\Producer.exe" HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7} -> {HKLM…CLSID} = ShellExecute HW Event Handler \LocalServer32\(Default) = rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7} [MS] RPCDBurningOnArrival\ Provider = RealPlayer InvokeProgID = RealPlayer.CDBurn.6 InvokeVerb = open HKCU\Software\Classes\RealPlayer.CDBurn.6\shell\open\command\(Default) = "c:\program files\real\realplayer\\RealPlay.exe" /burn "%1" [RealNetworks, Inc.] RPDeviceOnArrival\ Provider = RealPlayer ProgID = RealPlayer.HWEventHandler HKLM\SOFTWARE\Classes\RealPlayer.HWEventHandler\CLSID\(Default) = {67E76F1D-BDE2-4052-913C-2752366192D2} -> {HKLM…CLSID} = RealNetworks Scheduler \LocalServer32\(Default) = "c:\program files\real\realplayer\Update\realsched.exe" -autoplay [RealNetworks, Inc.] RPDVDBurningOnArrival\ Provider = RealPlayer InvokeProgID = RealPlayer.DVDBurn.6 InvokeVerb = open HKCU\Software\Classes\RealPlayer.DVDBurn.6\shell\open\command\(Default) = "c:\program files\real\realplayer\\RealPlay.exe" /burndvd "%1" [RealNetworks, Inc.] RPPlayCDAudioOnArrival\ Provider = RealPlayer InvokeProgID = RealPlayer.AudioCD.6 InvokeVerb = play HKCU\Software\Classes\RealPlayer.AudioCD.6\shell\play\command\(Default) = "c:\program files\real\realplayer\\RealPlay.exe" /play %1 [RealNetworks, Inc.] RPPlayDVDMovieOnArrival\ Provider = RealPlayer InvokeProgID = RealPlayer.DVD.6 InvokeVerb = play HKCU\Software\Classes\RealPlayer.DVD.6\shell\play\command\(Default) = "c:\program files\real\realplayer\\RealPlay.exe" /dvd %1 [RealNetworks, Inc.] RPPlayMediaOnArrival\ Provider = RealPlayer InvokeProgID = RealPlayer.AutoPlay.6 InvokeVerb = open HKCU\Software\Classes\RealPlayer.AutoPlay.6\shell\open\command\(Default) = "c:\program files\real\realplayer\\RealPlay.exe" /autoplay "%1" [RealNetworks, Inc.] WinampMTPHandler\ Provider = Winamp ProgID = Shell.HWEventHandlerShellExecute InitCmdLine = C:\Program Files\Winamp\winamp.exe HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7} -> {HKLM…CLSID} = ShellExecute HW Event Handler \LocalServer32\(Default) = rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7} [MS] Startup items in "sharon" & "All Users" startup folders: -------------------------------------------------------- C:\Documents and Settings\sharon\Start Menu\Programs\Startup OneNote 2010 Screen Clipper and Launcher -> shortcut to: C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE /tsr [MS] C:\Documents and Settings\All Users\Start Menu\Programs\Startup Event Reminder -> shortcut to: C:\Program Files\The Print Shop 23.1\Remind.exe [broderbund Properties LLC] Enabled Scheduled Tasks: ------------------------ Adobe Flash Player Updater -> launches: C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe [Adobe Systems Incorporated] AppleSoftwareUpdate -> launches: C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task [Apple Inc.] GoogleUpdateTaskMachineCore -> launches: C:\Program Files\Google\Update\GoogleUpdate.exe /c [Google Inc.] GoogleUpdateTaskMachineUA -> launches: C:\Program Files\Google\Update\GoogleUpdate.exe /ua /installsource scheduler [Google Inc.] GoogleUpdateTaskUserS-1-5-21-515967899-790525478-682003330-1004Core -> launches: C:\Documents and Settings\sharon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe /c [Google Inc.] GoogleUpdateTaskUserS-1-5-21-515967899-790525478-682003330-1004UA -> launches: C:\Documents and Settings\sharon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe /ua /installsource scheduler [Google Inc.] Microsoft Antimalware Scheduled Scan -> launches: c:\Program Files\Microsoft Security Client\MpCmdRun.exe Scan -ScheduleJob -RestrictPrivileges [MS] RealUpgradeLogonTaskS-1-5-21-515967899-790525478-682003330-1004 -> launches: C:\Program Files\Real\RealUpgrade\realupgrade.exe /logoncheck [RealNetworks, Inc.] RealUpgradeScheduledTaskS-1-5-21-515967899-790525478-682003330-1004 -> launches: C:\Program Files\Real\RealUpgrade\realupgrade.exe /scheduledcheck [RealNetworks, Inc.] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = %SystemRoot%\System32\mswsock.dll [MS] 000000000002\LibraryPath = %SystemRoot%\System32\winrnr.dll [MS] 000000000003\LibraryPath = %SystemRoot%\System32\mswsock.dll [MS] 000000000004\LibraryPath = %SystemRoot%\system32\wshbth.dll [MS] 000000000005\LibraryPath = C:\Program Files\Bonjour\mdnsNSP.dll [Apple Inc.] Transport Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 17 %SystemRoot%\system32\rsvpsp.dll [MS], 18 - 19 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ {EF99BD32-C1FB-11D2-892F-0090271D4F88} -> {HKLM…CLSID} = Yahoo! Toolbar \InProcServer32\(Default) = C:\Program Files\Yahoo!\Companion\Installs\cpn10\yt.dll [Yahoo! Inc.] {2318C2B1-4965-11D4-9B18-009027A5CD4F} -> {HKLM…CLSID} = Google Toolbar \InProcServer32\(Default) = C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [Google Inc.] {F2CF5485-4E02-4F68-819C-B92DE9277049} -> {HKLM…CLSID} = &Links \InProcServer32\(Default) = C:\WINDOWS\system32\ieframe.dll [MS] HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ {EF99BD32-C1FB-11D2-892F-0090271D4F88} = (no title provided) -> {HKLM…CLSID} = Yahoo! Toolbar \InProcServer32\(Default) = C:\Program Files\Yahoo!\Companion\Installs\cpn10\yt.dll [Yahoo! Inc.] {DC0F2F93-27FA-4F84-ACAA-9416F90B9511} = (no title provided) -> {HKLM…CLSID} = PayPal Plug-In \InProcServer32\(Default) = C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dll [null data] {2318C2B1-4965-11D4-9B18-009027A5CD4F} = (no title provided) -> {HKLM…CLSID} = Google Toolbar \InProcServer32\(Default) = C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [Google Inc.] Explorer Bars HKLM\SOFTWARE\Classes\CLSID\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\(Default) = Groove Folder Synchronization Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL [MS] Extensions (Tools menu items, main toolbar menu buttons) HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\ {219C3416-8CB2-491A-A3C7-D9FCDDC9D600}\ ButtonText = Blog This MenuText = &Blog This in Windows Live Writer CLSIDExtension = {5F7B1267-94A9-47F5-98DB-E99415F33AEC} -> {HKLM…CLSID} = BlogThisToolbarButton Class \InProcServer32\(Default) = C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll [MS] {2670000A-7350-4F3C-8081-5663EE0C6C49}\ ButtonText = Send to OneNote MenuText = Se&nd to OneNote CLSIDExtension = {48E73304-E1D6-4330-914C-F5F514E3486C} -> {HKLM…CLSID} = Send to OneNote from Internet Explorer button \InProcServer32\(Default) = C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll [MS] {31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\ ButtonText = Lync add-on MenuText = Lync add-on CLSIDExtension = {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> {HKLM…CLSID} = Lync Browser Helper \InProcServer32\(Default) = C:\Program Files\Microsoft Lync\OCHelper.dll [MS] {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\ ButtonText = Yahoo! Services CLSIDExtension = {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} -> {HKLM…CLSID} = Yahoo! IE Services Button \InProcServer32\(Default) = C:\Program Files\Yahoo!\Common\yiesrvc.dll [Yahoo! Inc.] {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\ ButtonText = OneNote Lin&ked Notes MenuText = OneNote Lin&ked Notes CLSIDExtension = {FFFDC614-B694-4AE6-AB38-5D6374584B52} -> {HKLM…CLSID} = Linked Notes button \InProcServer32\(Default) = C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll [MS] {E2E2DD38-D088-4134-82B7-F2BA38496583}\ MenuText = @xpsp3res.dll,-20001 Exec = %windir%\Network Diagnostic\xpnetdiag.exe [MS] {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}\ ButtonText = Yahoo! Messenger MenuText = Yahoo! Messenger Exec = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe [Yahoo! Inc.] {FB5F1910-F110-11D2-BB9E-00C04F795683}\ ButtonText = Messenger MenuText = Windows Messenger Exec = C:\Program Files\Messenger\msmsgs.exe [MS] Miscellaneous IE Hijack Points ------------------------------ HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\ <<H>> {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} = (no title provided) -> {HKLM…CLSID} = YTNavAssistPlugin Class \InProcServer32\(Default) = C:\Program Files\Yahoo!\Companion\Installs\cpn10\yt.dll [Yahoo! Inc.] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ @C:\Program Files\Nero\Update\NASvc.exe,-200, NAUpdate, "C:\Program Files\Nero\Update\NASvc.exe" [Nero AG] Apple Mobile Device, Apple Mobile Device, "C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe" [Apple Inc.] BBUpdate, BBUpdate, "C:\Program Files\Microsoft\BingBar\SeaPort.EXE" [MS] Bluetooth Support Service, BthServ, C:\WINDOWS\system32\svchost.exe -k bthsvcs {C:\WINDOWS\System32\bthserv.dll [MS]} Bonjour Service, Bonjour Service, "C:\Program Files\Bonjour\mDNSResponder.exe" [Apple Inc.] Canon Camera Access Library 8, CCALib8, C:\Program Files\Canon\CAL\CALMAIN.exe [Canon Inc.] Cyberlink RichVideo Service(CRVS), RichVideo, "C:\Program Files\CyberLink\Shared Files\RichVideo.exe" [empty string] Intuit Update Service, IntuitUpdateService, "C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe" [null data] Intuit Update Service v4, IntuitUpdateServiceV4, "C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe" [null data] Java Quick Starter, JavaQuickStarterService, "C:\Program Files\Java\jre7\bin\jqs.exe" -service -config "C:\Program Files\Java\jre7\lib\deploy\jqs\jqs.conf" [Oracle Corporation] MBAMScheduler, MBAMScheduler, "C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe" [Malwarebytes Corporation] MBAMService, MBAMService, "C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe" [Malwarebytes Corporation] McciCMService, McciCMService, "C:\Program Files\Common Files\Motive\McciCMService.exe" [Alcatel-Lucent] Microsoft Antimalware Service, MsMpSvc, "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [MS] PC Tools Firewall Plus, PCToolsFirewallPlus, C:\Program Files\PC Tools Firewall Plus\FWService.exe [PC Tools] Seagate Replica Service, Seagate-Replica-Svc, C:\Program Files\Seagate Replica\bin\Seagate-Replica-Svc.exe /startedbyscm:FE2355B7-40E2EE35-RebitSvcModule [seagate Technology LLC] Seagate Replica System Monitor, ReplicaSysMon, C:\Program Files\Seagate Replica\bin\ReplicaSysMon.exe [seagate Technology LLC] Windows Driver Foundation - User-mode Driver Framework, WudfSvc, C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup {C:\WINDOWS\System32\WUDFSvc.dll [MS]} Windows Search, WSearch, C:\WINDOWS\system32\SearchIndexer.exe /Embedding [MS] Yahoo! Updater, YahooAUService, "C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe" [Yahoo! Inc.] Safe Mode Drivers & Services (subkey name, subkey default value): ----------------------------------------------------------------- HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\ <<!>> MsMpSvc, Service HKLM\System\CurrentControlSet\Control\SafeBoot\Network\ <<!>> MsMpSvc, Service Print Monitors: --------------- HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\ Canon BJ Language Monitor i850\Driver = CNMLM4B.DLL [CANON INC.] CutePDF Writer Monitor\Driver = cpwmon2k.dll [null data] ---------- (launch time: 2012-12-16 09:32:14) <<!>>: Suspicious data at a malware launch point. <<H>>: Suspicious data at a browser hijack point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer "No" at the first message box and "Yes" at the second message box. ---------- (total run time: 137 seconds, including 45 seconds for message boxes)

I spoke too soon, I got an error code 2 today

I think the error code 2 is gone now. Please let me know how to proceed, thanks!

It's booting quickly so far, but last time it took a few days to act up...I'm not sure how to test it other than to wait and see? Thanks MrC

Oops! I see, I'll delete what I just downloaded. I'm not the only user of this computer. My son was trying to learn C++ at one time and my hubby was using Ubuntu some time ago. Although when I asked him about Widgets he didn't know if we had it or not.

I don't really know what I'm doing, but I went ahead and downloaded wxWidgets-2.9.4

I don't know if I have wxWidgets installed, and I don't know how to determine if I do...sorry.

ComboFix 12-12-07.01 - sharon 12/09/2012 19:55:20.4.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1270 [GMT -8:00] Running from: c:\documents and settings\sharon\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\sharon\Desktop\CFScript.txt AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095} FW: PC Tools Firewall Plus *Disabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52} . FILE :: "c:\windows\system32\drivers\tguv.sys" "c:\windows\system32\drivers\uijs.sys" . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\_ctypes.pyd c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\_elementtree.pyd c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\_hashlib.pyd c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\_socket.pyd c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\_ssl.pyd c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\pyexpat.pyd c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\pysqlite2._sqlite.pyd c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\python26.dll c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\pythoncom26.dll c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\PyWinTypes26.dll c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\select.pyd c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\unicodedata.pyd c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\win32api.pyd c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\win32com.shell.shell.pyd c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\win32crypt.pyd c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\win32event.pyd c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\win32file.pyd c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\win32inet.pyd c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\win32pdh.pyd c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\win32process.pyd c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\win32profile.pyd c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\win32security.pyd c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\win32ts.pyd c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\windows._cacheinvalidation.pyd c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\wx._controls_.pyd c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\wx._core_.pyd c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\wx._gdi_.pyd c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\wx._html2.pyd c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\wx._misc_.pyd c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\wx._windows_.pyd c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\wx._wizard.pyd c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\wxbase293u_net_vc.dll c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\wxbase293u_vc.dll c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\wxmsw293u_adv_vc.dll c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\wxmsw293u_core_vc.dll c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\wxmsw293u_html_vc.dll c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\wxmsw293u_webview_vc.dll c:\documents and settings\All Users\Application Data\TEMP c:\documents and settings\sharon\Local Settings\temp\_MEI1642\_ctypes.pyd c:\documents and settings\sharon\Local Settings\temp\_MEI1642\_elementtree.pyd c:\documents and settings\sharon\Local Settings\temp\_MEI1642\_hashlib.pyd c:\documents and settings\sharon\Local Settings\temp\_MEI1642\_socket.pyd c:\documents and settings\sharon\Local Settings\temp\_MEI1642\_ssl.pyd c:\documents and settings\sharon\Local Settings\temp\_MEI1642\pyexpat.pyd c:\documents and settings\sharon\Local Settings\temp\_MEI1642\pysqlite2._sqlite.pyd c:\documents and settings\sharon\Local Settings\temp\_MEI1642\python26.dll c:\documents and settings\sharon\Local Settings\temp\_MEI1642\pythoncom26.dll c:\documents and settings\sharon\Local Settings\temp\_MEI1642\PyWinTypes26.dll c:\documents and settings\sharon\Local Settings\temp\_MEI1642\select.pyd c:\documents and settings\sharon\Local Settings\temp\_MEI1642\unicodedata.pyd c:\documents and settings\sharon\Local Settings\temp\_MEI1642\win32api.pyd c:\documents and settings\sharon\Local Settings\temp\_MEI1642\win32com.shell.shell.pyd c:\documents and settings\sharon\Local Settings\temp\_MEI1642\win32crypt.pyd c:\documents and settings\sharon\Local Settings\temp\_MEI1642\win32event.pyd c:\documents and settings\sharon\Local Settings\temp\_MEI1642\win32file.pyd c:\documents and settings\sharon\Local Settings\temp\_MEI1642\win32inet.pyd c:\documents and settings\sharon\Local Settings\temp\_MEI1642\win32pdh.pyd c:\documents and settings\sharon\Local Settings\temp\_MEI1642\win32process.pyd c:\documents and settings\sharon\Local Settings\temp\_MEI1642\win32profile.pyd c:\documents and settings\sharon\Local Settings\temp\_MEI1642\win32security.pyd c:\documents and settings\sharon\Local Settings\temp\_MEI1642\win32ts.pyd c:\documents and settings\sharon\Local Settings\temp\_MEI1642\windows._cacheinvalidation.pyd c:\documents and settings\sharon\Local Settings\temp\_MEI1642\wx._controls_.pyd c:\documents and settings\sharon\Local Settings\temp\_MEI1642\wx._core_.pyd c:\documents and settings\sharon\Local Settings\temp\_MEI1642\wx._gdi_.pyd c:\documents and settings\sharon\Local Settings\temp\_MEI1642\wx._html2.pyd c:\documents and settings\sharon\Local Settings\temp\_MEI1642\wx._misc_.pyd c:\documents and settings\sharon\Local Settings\temp\_MEI1642\wx._windows_.pyd c:\documents and settings\sharon\Local Settings\temp\_MEI1642\wx._wizard.pyd c:\documents and settings\sharon\Local Settings\temp\_MEI1642\wxbase293u_net_vc.dll c:\documents and settings\sharon\Local Settings\temp\_MEI1642\wxbase293u_vc.dll c:\documents and settings\sharon\Local Settings\temp\_MEI1642\wxmsw293u_adv_vc.dll c:\documents and settings\sharon\Local Settings\temp\_MEI1642\wxmsw293u_core_vc.dll c:\documents and settings\sharon\Local Settings\temp\_MEI1642\wxmsw293u_html_vc.dll c:\documents and settings\sharon\Local Settings\temp\_MEI1642\wxmsw293u_webview_vc.dll . . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . . -------\Legacy_PDRPRSP -------\Service_jrvtbk -------\Service_Pdrprsp -------\Service_pkixkats -------\Service_Wptaontfhm . . ((((((((((((((((((((((((( Files Created from 2012-11-10 to 2012-12-10 ))))))))))))))))))))))))))))))) . . 2012-12-10 04:55 . 2012-12-10 04:56 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP 2012-12-09 19:53 . 2012-11-08 18:00 6812136 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C8EBC9E5-8F3F-4000-B482-6A144F63D30A}\mpengine.dll 2012-12-08 05:56 . 2012-11-08 18:00 6812136 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll 2012-11-25 03:46 . 2012-11-25 17:24 -------- d-----w- c:\program files\Web Publish 2012-11-25 03:46 . 2008-05-15 22:19 3715072 ----a-w- c:\windows\system32\cdintf300.dll 2012-11-25 03:43 . 2012-11-25 03:47 -------- d-----w- c:\program files\The Print Shop 23.1 2012-11-19 21:51 . 2012-11-19 21:51 -------- d-----w- c:\documents and settings\sharon\Local Settings\Application Data\Programs 2012-11-19 04:53 . 2012-11-19 04:53 -------- d-----w- c:\documents and settings\sharon\Local Settings\Application Data\Nero 2012-11-19 04:52 . 2012-11-19 04:52 -------- d-----w- c:\documents and settings\sharon\Application Data\Nero 2012-11-19 04:40 . 2012-11-19 04:59 -------- d-----w- c:\program files\Nero 2012-11-19 04:39 . 2012-11-19 04:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero 2012-11-19 04:23 . 2009-09-05 01:29 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll 2012-11-19 04:23 . 2009-09-05 01:29 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll 2012-11-19 04:22 . 2008-10-15 14:22 4379984 ----a-w- c:\windows\system32\D3DX9_40.dll 2012-11-19 04:22 . 2007-07-20 02:14 3727720 ----a-w- c:\windows\system32\d3dx9_35.dll 2012-11-16 21:38 . 2012-09-30 03:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys 2012-11-16 21:38 . 2012-11-16 21:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2012-11-15 23:32 . 2012-11-15 23:32 -------- d-----w- c:\documents and settings\sharon\Application Data\Malwarebytes 2012-11-15 23:32 . 2012-11-15 23:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2012-11-15 16:51 . 2012-01-31 12:44 237072 ------w- c:\windows\system32\MpSigStub.exe 2012-11-15 16:51 . 2012-11-15 16:51 -------- d-----w- C:\0d061fbcac79d09e9bb124cf52ce 2012-11-15 16:45 . 2012-11-15 16:46 -------- d-----w- c:\program files\Microsoft Security Client 2012-11-15 16:41 . 2012-11-15 16:41 -------- d-----w- c:\documents and settings\sharon\Application Data\PCToolsFirewallPlus 2012-11-15 16:39 . 2011-03-02 20:40 160576 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys 2012-11-15 16:39 . 2010-03-29 19:06 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys 2012-11-15 16:39 . 2011-01-17 17:10 251560 ----a-w- c:\windows\system32\drivers\pctgntdi.sys 2012-11-15 16:37 . 2012-11-15 16:39 -------- d-----w- c:\program files\Common Files\PC Tools 2012-11-15 16:37 . 2011-01-12 18:36 89472 ----a-w- c:\windows\system32\drivers\pctNdis-PacketFilter.sys 2012-11-15 16:37 . 2010-07-08 16:49 57536 ----a-w- c:\windows\system32\drivers\pctNdis.sys 2012-11-15 16:37 . 2010-02-05 16:26 32808 ----a-w- c:\windows\system32\drivers\pctNdis-DNS.sys 2012-11-15 16:37 . 2011-01-17 16:11 125248 ----a-w- c:\windows\system32\drivers\pctplfw.sys 2012-11-15 16:37 . 2012-11-15 16:41 -------- d-----w- c:\program files\PC Tools Firewall Plus 2012-11-15 06:44 . 2012-11-15 06:44 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2012-12-06 16:55 . 2012-05-05 16:23 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe 2012-12-06 16:55 . 2011-05-21 01:52 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2012-11-15 06:44 . 2008-10-25 16:59 143872 ----a-w- c:\windows\system32\javacpl.cpl 2012-11-15 06:44 . 2012-07-24 03:50 821736 ----a-w- c:\windows\system32\npDeployJava1.dll 2012-11-15 06:44 . 2010-08-13 02:52 746984 ----a-w- c:\windows\system32\deployJava1.dll 2012-10-22 08:37 . 2004-08-04 12:00 1866368 ----a-w- c:\windows\system32\win32k.sys 2012-10-10 07:22 . 2012-10-10 06:22 10220472 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe 2012-10-02 18:04 . 2004-08-04 12:00 58368 ----a-w- c:\windows\system32\synceng.dll 2012-09-21 14:50 . 2012-09-14 16:47 105088 ----a-w- c:\windows\system32\drivers\av5flt.sys 2012-11-06 19:52 . 2012-11-06 19:51 261600 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks] "{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files\Yahoo!\Companion\Installs\cpn9\yt.dll" [2012-06-11 1524056] . [HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}] [HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1] [HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}] [HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay] @="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}" [HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}] 2012-11-09 00:58 556056 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay] @="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}" [HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}] 2012-11-09 00:58 556056 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay] @="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}" [HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}] 2012-11-09 00:58 556056 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay] @="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}" [HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}] 2012-11-09 00:58 556056 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856] "OfficeSyncProcess"="c:\program files\Microsoft Office\Office14\MSOSYNC.EXE" [2012-01-21 719672] "GoogleDriveSync"="c:\program files\Google\Drive\googledrivesync.exe" [2012-11-09 16070136] "12F9BEC1EC6BE2D5615C75033DB928BBBB2922E8._service_run"="c:\documents and settings\sharon\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" [2012-12-06 1248360] "MusicManager"="c:\documents and settings\sharon\Local Settings\Application Data\Programs\Google\MusicManager\MusicManager.exe" [2012-10-22 7356928] "GoogleChromeAutoLaunch_65B68F2A14D8870A2AE39DA3D9784B74"="c:\documents and settings\sharon\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" [2012-12-06 1248360] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Communicator"="c:\program files\Microsoft Lync\communicator.exe" [2012-09-29 12105344] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888] "TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2012-11-01 296096] "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848] "00PCTFW"="c:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2011-04-07 2672600] "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-13 947176] "NBAgent"="c:\program files\Nero\Nero 10\Nero BackItUp\NBAgent.exe" [2010-09-03 1406248] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-09-24 926896] . [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-02-26 443968] . c:\documents and settings\sharon\Start Menu\Programs\Startup\ OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2011-9-2 227712] . c:\documents and settings\All Users\Start Menu\Programs\Startup\ Event Reminder.lnk - c:\program files\The Print Shop 23.1\Remind.exe [2010-6-21 344064] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "EnableLinkedConnections"= 1 (0x1) . [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128] . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc] @="Service" . [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup . [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup . [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan.lnk backup=c:\windows\pss\McAfee Security Scan.lnkCommon Startup . [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk backup=c:\windows\pss\Windows Search.lnkCommon Startup . [HKLM\~\startupfolder\C:^Documents and Settings^sharon^Start Menu^Programs^Startup^Seagate NA0JGNRB Product Registration.lnk] path=c:\documents and settings\sharon\Start Menu\Programs\Startup\Seagate NA0JGNRB Product Registration.lnk backup=c:\windows\pss\Seagate NA0JGNRB Product Registration.lnkStartup . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM] 2012-09-24 04:43 926896 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr] 2005-05-03 10:43 69632 ------r- c:\windows\Alcmtr.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon] 2011-09-27 14:22 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync] 2010-03-13 22:54 91520 ----a-w- c:\program files\Microsoft Office\Office14\BCSSync.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent] 2008-04-14 00:12 110592 ----a-w- c:\windows\system32\bthprops.cpl . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Communicator] 2012-09-29 04:44 12105344 ----a-w- c:\program files\Microsoft Lync\communicator.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] 2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate] 2011-03-21 18:56 1230704 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EverioService] 2006-11-23 05:10 151552 ----a-w- c:\program files\CyberLink\PCM4Everio\EverioService.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds] 2007-11-08 07:56 166424 ----a-r- c:\windows\system32\hkcmd.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray] 2007-11-08 07:56 141848 ----a-r- c:\windows\system32\igfxtray.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] 2011-11-13 08:24 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] 2001-07-09 18:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence] 2007-11-08 07:56 137752 ----a-r- c:\windows\system32\igfxpers.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] 2010-11-30 01:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL] 2007-10-25 03:57 16855552 ------r- c:\windows\RTHDCPL.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel] 2007-10-11 03:04 1826816 ------r- c:\windows\SkyTel.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] 2012-07-03 17:04 252848 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YMailAdvisor] 2009-05-08 10:53 174424 ----a-w- c:\program files\Yahoo!\Common\YMailAdvisor.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection] 2009-02-03 13:15 111856 ----a-w- c:\program files\Yahoo!\Search Protection\SearchProtection.exe . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Google\\Google Talk\\googletalk.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\CyberLink\\PCM4Everio\\PCM4Everio.exe"= "c:\\Program Files\\CyberLink\\PCM4Everio\\EverioService.exe"= "c:\\Documents and Settings\\sharon\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"= "c:\\Documents and Settings\\sharon\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"= "c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"= "c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"= "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"= "c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"= "c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"= "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\Microsoft Lync\\communicator.exe"= "c:\\Program Files\\Microsoft Lync\\UcMapi.exe"= . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management . R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [5/8/2006 9:46 AM 4064] R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [11/15/2012 8:39 AM 251560] R2 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\SeaPort.EXE [10/13/2011 5:21 PM 249648] R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [8/25/2011 5:53 PM 13672] R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [11/16/2012 1:38 PM 399432] R2 NAUpdate;@c:\program files\Nero\Update\NASvc.exe,-200;c:\program files\Nero\Update\NASvc.exe [5/4/2010 12:07 PM 503080] R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [11/15/2012 8:39 AM 160576] R2 ReplicaSysMon;Seagate Replica System Monitor;c:\program files\Seagate Replica\bin\ReplicaSysMon.exe [3/31/2011 11:46 AM 416208] R2 Seagate-Replica-Svc;Seagate Replica Service;c:\program files\Seagate Replica\bin\Seagate-Replica-Svc.exe [3/31/2011 11:46 AM 1947600] R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [11/16/2012 1:38 PM 22856] R3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;c:\windows\system32\drivers\pctNdis-PacketFilter.sys [11/15/2012 8:37 AM 89472] R3 pctNdisMP;PC Tools Driver;c:\windows\system32\drivers\pctNdis.sys [11/15/2012 8:37 AM 57536] R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [11/15/2012 8:37 AM 125248] S2 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [10/21/2011 3:23 PM 196176] S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/16/2012 1:38 PM 676936] S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\system32\drivers\fantom.sys [3/10/2006 2:55 PM 39424] S3 Ftdippk2sacs;Ftdippk2sacs; [x] S3 pctNdis;PC Tools Firewall Intermediate Filter Service;c:\windows\system32\drivers\pctNdis.sys [11/15/2012 8:37 AM 57536] S3 RDID1059;Cakewalk Music Connector 1;c:\windows\system32\drivers\Rdwm1059.sys [10/21/2006 5:24 PM 66674] . [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}] 2009-03-08 11:32 128512 ----a-w- c:\windows\system32\advpack.dll . Contents of the 'Scheduled Tasks' folder . 2012-12-10 c:\windows\Tasks\Adobe Flash Player Updater.job - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-05 16:55] . 2012-12-06 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 20:34] . 2012-12-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-12-25 23:47] . 2012-12-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-12-25 23:47] . 2012-12-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-515967899-790525478-682003330-1004Core.job - c:\documents and settings\sharon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-26 01:55] . 2012-12-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-515967899-790525478-682003330-1004UA.job - c:\documents and settings\sharon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-26 01:55] . 2012-12-10 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job - c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-09-13 01:25] . 2012-12-10 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-515967899-790525478-682003330-1004.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2012-07-27 21:27] . 2012-11-26 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-515967899-790525478-682003330-1004.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2012-07-27 21:27] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.yahoo.com/?ilc=1 uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7 mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html uInternet Settings,ProxyOverride = *.local uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000 IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105 IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm Trusted Zone: intuit.com\ttlc Trusted Zone: turbotax.com TCP: DhcpNameServer = 192.168.1.254 DPF: {26B2A5DA-BFD6-422F-A89A-28A54C74B12B} - hxxp://www.costcophotocenter.com/upload/activex/v3_0_0_4/PhotoCenter_ActiveX_Control.cab DPF: {DEA6994F-3ED5-40BC-B5E3-0FD02411B1B4} - hxxp://www.costcophotocenter.com/upload/activex/v3_0_0_1/PhotoCenter_ActiveX_Control.cab? FF - ProfilePath - c:\documents and settings\sharon\Application Data\Mozilla\Firefox\Profiles\nuy0i18j.default\ FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/?fr=fp-tyc8 FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc8&p= FF - ExtSQL: 2012-11-01 09:13; {0153E448-190B-4987-BDE1-F256CADA672F}; c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext FF - ExtSQL: 2012-11-02 07:35; fmconverter@gmail.com; c:\program files\Freemake\Freemake Video Converter\BrowserPlugin\Firefox FF - ExtSQL: 2019-09-25 23:40; {c0c9a2c7-2e5c-4447-bc53-97718bc91e1b}; c:\documents and settings\sharon\Application Data\Mozilla\Firefox\Profiles\nuy0i18j.default\extensions\{c0c9a2c7-2e5c-4447-bc53-97718bc91e1b}.xpi FF - ExtSQL: !HIDDEN! 2009-09-02 06:20; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2012-12-09 20:55 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Seagate-Replica-Svc] "ImagePath"="c:\program files\Seagate Replica\bin\Seagate-Replica-Svc.exe /startedbyscm:FE2355B7-40E2EE35-RebitSvcModule" . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32] @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe" . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="IFlashBroker5" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'explorer.exe'(4932) c:\windows\system32\WININET.dll c:\program files\Google\Drive\googledrivesync32.dll c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf c:\progra~1\MICROS~3\Office14\1033\GrooveIntlResource.dll c:\program files\iTunes\iTunesMiniPlayer.dll c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll c:\windows\system32\ieframe.dll c:\windows\system32\msi.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Microsoft Security Client\MsMpEng.exe c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe c:\program files\Java\jre7\bin\jqs.exe c:\program files\Common Files\Motive\McciCMService.exe c:\program files\PC Tools Firewall Plus\FWService.exe c:\program files\CyberLink\Shared Files\RichVideo.exe c:\windows\system32\dllhost.exe c:\windows\system32\SearchIndexer.exe c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe c:\program files\Canon\CAL\CALMAIN.exe c:\windows\system32\dllhost.exe c:\windows\system32\msdtc.exe c:\windows\system32\wscntfy.exe c:\program files\Seagate Replica\bin\Seagate-Replica-Autoplay.exe c:\program files\Seagate Replica\bin\Seagate-Replica-Tray.exe c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe . ************************************************************************** . Completion time: 2012-12-09 21:05:35 - machine was rebooted ComboFix-quarantined-files.txt 2012-12-10 05:05 ComboFix2.txt 2012-12-09 19:47 . Pre-Run: 429,844,328,448 bytes free Post-Run: 429,747,040,256 bytes free . - - End Of File - - 33CA976F7B1E8B7446E232D5CDA6651F

ComboFix 12-12-07.01 - sharon 12/09/2012 10:58:00.3.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1049 [GMT -8:00] Running from: c:\documents and settings\sharon\Desktop\ComboFix.exe AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095} FW: PC Tools Firewall Plus *Disabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52} . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\_ctypes.pyd c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\_elementtree.pyd c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\_hashlib.pyd c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\_socket.pyd c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\_ssl.pyd c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\pyexpat.pyd c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\pysqlite2._sqlite.pyd c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\python26.dll c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\pythoncom26.dll c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\PyWinTypes26.dll c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\select.pyd c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\unicodedata.pyd c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\win32api.pyd c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\win32com.shell.shell.pyd c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\win32crypt.pyd c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\win32event.pyd c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\win32file.pyd c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\win32inet.pyd c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\win32pdh.pyd c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\win32process.pyd c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\win32profile.pyd c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\win32security.pyd c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\win32ts.pyd c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\windows._cacheinvalidation.pyd c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\wx._controls_.pyd c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\wx._core_.pyd c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\wx._gdi_.pyd c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\wx._html2.pyd c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\wx._misc_.pyd c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\wx._windows_.pyd c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\wx._wizard.pyd c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\wxbase293u_net_vc.dll c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\wxbase293u_vc.dll c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\wxmsw293u_adv_vc.dll c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\wxmsw293u_core_vc.dll c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\wxmsw293u_html_vc.dll c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\wxmsw293u_webview_vc.dll c:\documents and settings\All Users\Application Data\TEMP c:\documents and settings\sharon\Local Settings\temp\_MEI29043\_ctypes.pyd c:\documents and settings\sharon\Local Settings\temp\_MEI29043\_elementtree.pyd c:\documents and settings\sharon\Local Settings\temp\_MEI29043\_hashlib.pyd c:\documents and settings\sharon\Local Settings\temp\_MEI29043\_socket.pyd c:\documents and settings\sharon\Local Settings\temp\_MEI29043\_ssl.pyd c:\documents and settings\sharon\Local Settings\temp\_MEI29043\pyexpat.pyd c:\documents and settings\sharon\Local Settings\temp\_MEI29043\pysqlite2._sqlite.pyd c:\documents and settings\sharon\Local Settings\temp\_MEI29043\python26.dll c:\documents and settings\sharon\Local Settings\temp\_MEI29043\pythoncom26.dll c:\documents and settings\sharon\Local Settings\temp\_MEI29043\PyWinTypes26.dll c:\documents and settings\sharon\Local Settings\temp\_MEI29043\select.pyd c:\documents and settings\sharon\Local Settings\temp\_MEI29043\unicodedata.pyd c:\documents and settings\sharon\Local Settings\temp\_MEI29043\win32api.pyd c:\documents and settings\sharon\Local Settings\temp\_MEI29043\win32com.shell.shell.pyd c:\documents and settings\sharon\Local Settings\temp\_MEI29043\win32crypt.pyd c:\documents and settings\sharon\Local Settings\temp\_MEI29043\win32event.pyd c:\documents and settings\sharon\Local Settings\temp\_MEI29043\win32file.pyd c:\documents and settings\sharon\Local Settings\temp\_MEI29043\win32inet.pyd c:\documents and settings\sharon\Local Settings\temp\_MEI29043\win32pdh.pyd c:\documents and settings\sharon\Local Settings\temp\_MEI29043\win32process.pyd c:\documents and settings\sharon\Local Settings\temp\_MEI29043\win32profile.pyd c:\documents and settings\sharon\Local Settings\temp\_MEI29043\win32security.pyd c:\documents and settings\sharon\Local Settings\temp\_MEI29043\win32ts.pyd c:\documents and settings\sharon\Local Settings\temp\_MEI29043\windows._cacheinvalidation.pyd c:\documents and settings\sharon\Local Settings\temp\_MEI29043\wx._controls_.pyd c:\documents and settings\sharon\Local Settings\temp\_MEI29043\wx._core_.pyd c:\documents and settings\sharon\Local Settings\temp\_MEI29043\wx._gdi_.pyd c:\documents and settings\sharon\Local Settings\temp\_MEI29043\wx._html2.pyd c:\documents and settings\sharon\Local Settings\temp\_MEI29043\wx._misc_.pyd c:\documents and settings\sharon\Local Settings\temp\_MEI29043\wx._windows_.pyd c:\documents and settings\sharon\Local Settings\temp\_MEI29043\wx._wizard.pyd c:\documents and settings\sharon\Local Settings\temp\_MEI29043\wxbase293u_net_vc.dll c:\documents and settings\sharon\Local Settings\temp\_MEI29043\wxbase293u_vc.dll c:\documents and settings\sharon\Local Settings\temp\_MEI29043\wxmsw293u_adv_vc.dll c:\documents and settings\sharon\Local Settings\temp\_MEI29043\wxmsw293u_core_vc.dll c:\documents and settings\sharon\Local Settings\temp\_MEI29043\wxmsw293u_html_vc.dll c:\documents and settings\sharon\Local Settings\temp\_MEI29043\wxmsw293u_webview_vc.dll c:\windows\wininit.ini . . ((((((((((((((((((((((((( Files Created from 2012-11-09 to 2012-12-09 ))))))))))))))))))))))))))))))) . . 2012-12-09 19:34 . 2012-12-09 19:35 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP 2012-11-25 03:46 . 2012-11-25 17:24 -------- d-----w- c:\program files\Web Publish 2012-11-25 03:46 . 2008-05-15 22:19 3715072 ----a-w- c:\windows\system32\cdintf300.dll 2012-11-25 03:43 . 2012-11-25 03:47 -------- d-----w- c:\program files\The Print Shop 23.1 2012-11-19 21:51 . 2012-11-19 21:51 -------- d-----w- c:\documents and settings\sharon\Local Settings\Application Data\Programs 2012-11-19 04:53 . 2012-11-19 04:53 -------- d-----w- c:\documents and settings\sharon\Local Settings\Application Data\Nero 2012-11-19 04:52 . 2012-11-19 04:52 -------- d-----w- c:\documents and settings\sharon\Application Data\Nero 2012-11-19 04:40 . 2012-11-19 04:59 -------- d-----w- c:\program files\Nero 2012-11-19 04:39 . 2012-11-19 04:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero 2012-11-19 04:23 . 2009-09-05 01:29 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll 2012-11-19 04:23 . 2009-09-05 01:29 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll 2012-11-19 04:22 . 2008-10-15 14:22 4379984 ----a-w- c:\windows\system32\D3DX9_40.dll 2012-11-19 04:22 . 2007-07-20 02:14 3727720 ----a-w- c:\windows\system32\d3dx9_35.dll 2012-11-16 21:38 . 2012-09-30 03:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys 2012-11-16 21:38 . 2012-11-16 21:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2012-11-15 23:32 . 2012-11-15 23:32 -------- d-----w- c:\documents and settings\sharon\Application Data\Malwarebytes 2012-11-15 23:32 . 2012-11-15 23:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2012-11-15 16:51 . 2012-01-31 12:44 237072 ------w- c:\windows\system32\MpSigStub.exe 2012-11-15 16:51 . 2012-11-15 16:51 -------- d-----w- C:\0d061fbcac79d09e9bb124cf52ce 2012-11-15 16:45 . 2012-11-15 16:46 -------- d-----w- c:\program files\Microsoft Security Client 2012-11-15 16:41 . 2012-11-15 16:41 -------- d-----w- c:\documents and settings\sharon\Application Data\PCToolsFirewallPlus 2012-11-15 16:39 . 2011-03-02 20:40 160576 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys 2012-11-15 16:39 . 2010-03-29 19:06 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys 2012-11-15 16:39 . 2011-01-17 17:10 251560 ----a-w- c:\windows\system32\drivers\pctgntdi.sys 2012-11-15 16:37 . 2012-11-15 16:39 -------- d-----w- c:\program files\Common Files\PC Tools 2012-11-15 16:37 . 2011-01-12 18:36 89472 ----a-w- c:\windows\system32\drivers\pctNdis-PacketFilter.sys 2012-11-15 16:37 . 2010-07-08 16:49 57536 ----a-w- c:\windows\system32\drivers\pctNdis.sys 2012-11-15 16:37 . 2010-02-05 16:26 32808 ----a-w- c:\windows\system32\drivers\pctNdis-DNS.sys 2012-11-15 16:37 . 2011-01-17 16:11 125248 ----a-w- c:\windows\system32\drivers\pctplfw.sys 2012-11-15 16:37 . 2012-11-15 16:41 -------- d-----w- c:\program files\PC Tools Firewall Plus 2012-11-15 06:44 . 2012-11-15 06:44 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2012-12-06 16:55 . 2012-05-05 16:23 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe 2012-12-06 16:55 . 2011-05-21 01:52 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2012-11-15 06:44 . 2008-10-25 16:59 143872 ----a-w- c:\windows\system32\javacpl.cpl 2012-11-15 06:44 . 2012-07-24 03:50 821736 ----a-w- c:\windows\system32\npDeployJava1.dll 2012-11-15 06:44 . 2010-08-13 02:52 746984 ----a-w- c:\windows\system32\deployJava1.dll 2012-11-08 18:00 . 2012-12-09 15:53 6812136 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{208A3C36-CB8C-4412-8065-678015DCBAD7}\mpengine.dll 2012-11-08 18:00 . 2012-12-08 05:56 6812136 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll 2012-10-22 08:37 . 2004-08-04 12:00 1866368 ----a-w- c:\windows\system32\win32k.sys 2012-10-10 07:22 . 2012-10-10 06:22 10220472 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe 2012-10-02 18:04 . 2004-08-04 12:00 58368 ----a-w- c:\windows\system32\synceng.dll 2012-09-21 14:50 . 2012-09-14 16:47 105088 ----a-w- c:\windows\system32\drivers\av5flt.sys 2012-11-06 19:52 . 2012-11-06 19:51 261600 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks] "{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files\Yahoo!\Companion\Installs\cpn9\yt.dll" [2012-06-11 1524056] . [HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}] [HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1] [HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}] [HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay] @="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}" [HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}] 2012-11-09 00:58 556056 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay] @="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}" [HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}] 2012-11-09 00:58 556056 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay] @="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}" [HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}] 2012-11-09 00:58 556056 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay] @="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}" [HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}] 2012-11-09 00:58 556056 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856] "OfficeSyncProcess"="c:\program files\Microsoft Office\Office14\MSOSYNC.EXE" [2012-01-21 719672] "GoogleDriveSync"="c:\program files\Google\Drive\googledrivesync.exe" [2012-11-09 16070136] "12F9BEC1EC6BE2D5615C75033DB928BBBB2922E8._service_run"="c:\documents and settings\sharon\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" [2012-12-06 1248360] "MusicManager"="c:\documents and settings\sharon\Local Settings\Application Data\Programs\Google\MusicManager\MusicManager.exe" [2012-10-22 7356928] "GoogleChromeAutoLaunch_65B68F2A14D8870A2AE39DA3D9784B74"="c:\documents and settings\sharon\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" [2012-12-06 1248360] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Communicator"="c:\program files\Microsoft Lync\communicator.exe" [2012-09-29 12105344] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888] "TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2012-11-01 296096] "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848] "00PCTFW"="c:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2011-04-07 2672600] "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-13 947176] "NBAgent"="c:\program files\Nero\Nero 10\Nero BackItUp\NBAgent.exe" [2010-09-03 1406248] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-09-24 926896] . [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-02-26 443968] . c:\documents and settings\sharon\Start Menu\Programs\Startup\ OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2011-9-2 227712] . c:\documents and settings\All Users\Start Menu\Programs\Startup\ Event Reminder.lnk - c:\program files\The Print Shop 23.1\Remind.exe [2010-6-21 344064] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "EnableLinkedConnections"= 1 (0x1) . [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128] . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc] @="Service" . [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup . [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup . [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan.lnk backup=c:\windows\pss\McAfee Security Scan.lnkCommon Startup . [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk backup=c:\windows\pss\Windows Search.lnkCommon Startup . [HKLM\~\startupfolder\C:^Documents and Settings^sharon^Start Menu^Programs^Startup^Seagate NA0JGNRB Product Registration.lnk] path=c:\documents and settings\sharon\Start Menu\Programs\Startup\Seagate NA0JGNRB Product Registration.lnk backup=c:\windows\pss\Seagate NA0JGNRB Product Registration.lnkStartup . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM] 2012-09-24 04:43 926896 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr] 2005-05-03 10:43 69632 ------r- c:\windows\Alcmtr.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon] 2011-09-27 14:22 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync] 2010-03-13 22:54 91520 ----a-w- c:\program files\Microsoft Office\Office14\BCSSync.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent] 2008-04-14 00:12 110592 ----a-w- c:\windows\system32\bthprops.cpl . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Communicator] 2012-09-29 04:44 12105344 ----a-w- c:\program files\Microsoft Lync\communicator.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] 2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate] 2011-03-21 18:56 1230704 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EverioService] 2006-11-23 05:10 151552 ----a-w- c:\program files\CyberLink\PCM4Everio\EverioService.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds] 2007-11-08 07:56 166424 ----a-r- c:\windows\system32\hkcmd.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray] 2007-11-08 07:56 141848 ----a-r- c:\windows\system32\igfxtray.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] 2011-11-13 08:24 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] 2001-07-09 18:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence] 2007-11-08 07:56 137752 ----a-r- c:\windows\system32\igfxpers.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] 2010-11-30 01:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL] 2007-10-25 03:57 16855552 ------r- c:\windows\RTHDCPL.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel] 2007-10-11 03:04 1826816 ------r- c:\windows\SkyTel.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] 2012-07-03 17:04 252848 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YMailAdvisor] 2009-05-08 10:53 174424 ----a-w- c:\program files\Yahoo!\Common\YMailAdvisor.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection] 2009-02-03 13:15 111856 ----a-w- c:\program files\Yahoo!\Search Protection\SearchProtection.exe . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Google\\Google Talk\\googletalk.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\CyberLink\\PCM4Everio\\PCM4Everio.exe"= "c:\\Program Files\\CyberLink\\PCM4Everio\\EverioService.exe"= "c:\\Documents and Settings\\sharon\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"= "c:\\Documents and Settings\\sharon\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"= "c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"= "c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"= "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"= "c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"= "c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"= "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\Microsoft Lync\\communicator.exe"= "c:\\Program Files\\Microsoft Lync\\UcMapi.exe"= . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management . R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [5/8/2006 9:46 AM 4064] R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [11/15/2012 8:39 AM 251560] R2 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [10/21/2011 3:23 PM 196176] R2 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\SeaPort.EXE [10/13/2011 5:21 PM 249648] R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [8/25/2011 5:53 PM 13672] R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [11/16/2012 1:38 PM 399432] R2 NAUpdate;@c:\program files\Nero\Update\NASvc.exe,-200;c:\program files\Nero\Update\NASvc.exe [5/4/2010 12:07 PM 503080] R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [11/15/2012 8:39 AM 160576] R2 ReplicaSysMon;Seagate Replica System Monitor;c:\program files\Seagate Replica\bin\ReplicaSysMon.exe [3/31/2011 11:46 AM 416208] R2 Seagate-Replica-Svc;Seagate Replica Service;c:\program files\Seagate Replica\bin\Seagate-Replica-Svc.exe [3/31/2011 11:46 AM 1947600] R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [11/16/2012 1:38 PM 22856] R3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;c:\windows\system32\drivers\pctNdis-PacketFilter.sys [11/15/2012 8:37 AM 89472] R3 pctNdisMP;PC Tools Driver;c:\windows\system32\drivers\pctNdis.sys [11/15/2012 8:37 AM 57536] R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [11/15/2012 8:37 AM 125248] S0 jrvtbk;jrvtbk;c:\windows\system32\drivers\tguv.sys --> c:\windows\system32\drivers\tguv.sys [?] S0 pkixkats;pkixkats;c:\windows\system32\drivers\uijs.sys --> c:\windows\system32\drivers\uijs.sys [?] S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/16/2012 1:38 PM 676936] S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\system32\drivers\fantom.sys [3/10/2006 2:55 PM 39424] S3 Ftdippk2sacs;Ftdippk2sacs; [x] S3 pctNdis;PC Tools Firewall Intermediate Filter Service;c:\windows\system32\drivers\pctNdis.sys [11/15/2012 8:37 AM 57536] S3 Pdrprsp;Pdrprsp; [x] S3 RDID1059;Cakewalk Music Connector 1;c:\windows\system32\drivers\Rdwm1059.sys [10/21/2006 5:24 PM 66674] S3 Wptaontfhm;Wptaontfhm; [x] . [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}] 2009-03-08 11:32 128512 ----a-w- c:\windows\system32\advpack.dll . Contents of the 'Scheduled Tasks' folder . 2012-12-09 c:\windows\Tasks\Adobe Flash Player Updater.job - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-05 16:55] . 2012-12-06 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 20:34] . 2012-12-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-12-25 23:47] . 2012-12-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-12-25 23:47] . 2012-12-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-515967899-790525478-682003330-1004Core.job - c:\documents and settings\sharon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-26 01:55] . 2012-12-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-515967899-790525478-682003330-1004UA.job - c:\documents and settings\sharon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-26 01:55] . 2012-12-09 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job - c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-09-13 01:25] . 2012-12-09 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-515967899-790525478-682003330-1004.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2012-07-27 21:27] . 2012-11-26 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-515967899-790525478-682003330-1004.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2012-07-27 21:27] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.yahoo.com/?ilc=1 uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7 mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html uInternet Settings,ProxyOverride = *.local uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000 IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105 IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm Trusted Zone: intuit.com\ttlc Trusted Zone: turbotax.com TCP: DhcpNameServer = 192.168.1.254 DPF: {26B2A5DA-BFD6-422F-A89A-28A54C74B12B} - hxxp://www.costcophotocenter.com/upload/activex/v3_0_0_4/PhotoCenter_ActiveX_Control.cab DPF: {DEA6994F-3ED5-40BC-B5E3-0FD02411B1B4} - hxxp://www.costcophotocenter.com/upload/activex/v3_0_0_1/PhotoCenter_ActiveX_Control.cab? FF - ProfilePath - c:\documents and settings\sharon\Application Data\Mozilla\Firefox\Profiles\nuy0i18j.default\ FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/?fr=fp-tyc8 FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc8&p= FF - ExtSQL: 2012-11-01 09:13; {0153E448-190B-4987-BDE1-F256CADA672F}; c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext FF - ExtSQL: 2012-11-02 07:35; fmconverter@gmail.com; c:\program files\Freemake\Freemake Video Converter\BrowserPlugin\Firefox FF - ExtSQL: 2019-09-25 23:40; {c0c9a2c7-2e5c-4447-bc53-97718bc91e1b}; c:\documents and settings\sharon\Application Data\Mozilla\Firefox\Profiles\nuy0i18j.default\extensions\{c0c9a2c7-2e5c-4447-bc53-97718bc91e1b}.xpi FF - ExtSQL: !HIDDEN! 2009-09-02 06:20; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2012-12-09 11:36 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Seagate-Replica-Svc] "ImagePath"="c:\program files\Seagate Replica\bin\Seagate-Replica-Svc.exe /startedbyscm:FE2355B7-40E2EE35-RebitSvcModule" . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32] @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe" . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="IFlashBroker5" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'explorer.exe'(5428) c:\windows\system32\WININET.dll c:\program files\Google\Drive\googledrivesync32.dll c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf c:\progra~1\MICROS~3\Office14\1033\GrooveIntlResource.dll c:\program files\iTunes\iTunesMiniPlayer.dll c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll c:\windows\system32\ieframe.dll c:\windows\system32\msi.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Microsoft Security Client\MsMpEng.exe c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe c:\program files\Java\jre7\bin\jqs.exe c:\program files\Common Files\Motive\McciCMService.exe c:\program files\PC Tools Firewall Plus\FWService.exe c:\program files\CyberLink\Shared Files\RichVideo.exe c:\program files\Seagate Replica\bin\Seagate-Replica-Autoplay.exe c:\program files\Seagate Replica\bin\Seagate-Replica-Tray.exe c:\windows\system32\dllhost.exe c:\windows\system32\SearchIndexer.exe c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe c:\program files\Canon\CAL\CALMAIN.exe c:\windows\system32\wscntfy.exe c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe c:\windows\system32\dllhost.exe c:\windows\system32\rundll32.exe c:\windows\system32\msdtc.exe . ************************************************************************** . Completion time: 2012-12-09 11:47:13 - machine was rebooted ComboFix-quarantined-files.txt 2012-12-09 19:47 . Pre-Run: 429,299,785,728 bytes free Post-Run: 430,907,092,992 bytes free . - - End Of File - - ADB36B745B17B497811E774E44D9C56B

Hi MrC! Thanks for getting back to me but recently my computer has been booting up just fine. And I didn't do anything to it. Possibly coz Malwarebytes got updated again? (it's set to update automatically) I'll attach the OTL reports anyway, just in case? OTL.Txt Extras.Txt

2 days after I thought the issue was fixed, my computer took the usual 7-9 minutes to boot with the same error code 2 from before, "shell notify icon failed to perform desired action". It doesn't always show up, but it does most of the time. I PM'd a mod to reopen the old topic but haven't heard back in over a week. Seems like it occurred after a Malwarebytes update. I don't think I have a virus this time, so I'm not sure I'm posting this in the right place. Here's the old topic: http://forums.malwarebytes.org/index.php?showtopic=118035&hl=laralara&st=0

Just did all that you told me to and when I checked my system restore, it was turned off again. So I turned it back on. You might want to warn people that sometimes after doing all the clean-up, the System Restore gets turned off. Thanks again and Happy Thanksgiving!!!

I installed Adobe Reader XI, and then I ran Security Check again, I still get the same result. Results of screen317's Security Check version 0.99.54 Windows XP Service Pack 3 x86 Internet Explorer 8 ``````````````Antivirus/Firewall Check:`````````````` Windows Firewall Disabled! Microsoft Security Essentials Antivirus up to date! `````````Anti-malware/Other Utilities Check:````````` Yahoo! Anti-Spy Malwarebytes Anti-Malware version 1.65.1.1000 JavaFX 2.1.1 Java 7 Update 9 Java SE Development Kit 7 Update 9 Adobe Flash Player 11.4.402.287 Adobe Reader 9 Adobe Reader out of Date! Mozilla Firefox (16.0.2) ````````Process Check: objlist.exe by Laurent```````` Microsoft Security Essentials MSMpEng.exe Microsoft Security Essentials msseces.exe Malwarebytes Anti-Malware mbamservice.exe Malwarebytes Anti-Malware mbamgui.exe Malwarebytes' Anti-Malware mbamscheduler.exe PC Tools Firewall Plus FirewallGUI.exe PC Tools Firewall Plus FWService.exe `````````````````System Health check````````````````` Total Fragmentation on Drive C:: 1% ````````````````````End of Log``````````````````````

I don't know why the Security Check keeps saying I have Adobe Reader 9, when I go to the Add/Remove Programs, I only see Adobe Reader X (10.1.4) ?

Hmmm, I thought I installed the latest edition of Adobe Reader. I'll try to do it again...

<p> </p> <div> Results of screen317's Security Check version 0.99.54 </div> <div> Windows XP Service Pack 3 x86 </div> <div> Internet Explorer 8 </div> <div>``````````````Antivirus/Firewall Check:`````````````` </div> <div> Windows Firewall Disabled! </div> <div>Microsoft Security Essentials </div> <div> Antivirus up to date! </div> <div>`````````Anti-malware/Other Utilities Check:````````` </div> <div> Yahoo! Anti-Spy </div> <div> Malwarebytes Anti-Malware version 1.65.1.1000 </div> <div> JavaFX 2.1.1 </div> <div> Java 7 Update 9 </div> <div> Java SE Development Kit 7 Update 9 </div> <div> Adobe Flash Player <span class="Apple-tab-span" style="white-space:pre"> </span>11.4.402.287 </div> <div> Adobe Reader 9 Adobe Reader out of Date! </div> <div> Mozilla Firefox (16.0.2) </div> <div>````````Process Check: objlist.exe by Laurent```````` </div> <div> Microsoft Security Essentials MSMpEng.exe </div> <div> Microsoft Security Essentials msseces.exe </div> <div> Malwarebytes Anti-Malware mbamservice.exe </div> <div> Malwarebytes Anti-Malware mbamgui.exe </div> <div> Malwarebytes' Anti-Malware mbamscheduler.exe </div> <div> PC Tools Firewall Plus FirewallGUI.exe </div> <div> PC Tools Firewall Plus FWService.exe </div> <div>`````````````````System Health check````````````````` </div> <div> Total Fragmentation on Drive C:: 1% </div> <div>````````````````````End of Log`````````````````````` </div> <div> </div>

I've restarted the PC 10 times now successfully, I think it's safe to say that the error code is gone. I suppose I should uninstall ComboFix and OTL? Is there anything I can do to prevent this from happening again?

Looks like you fixed it! (so far) I've restarted the computer 4 times already and I haven't gotten an error code, and it boots very quickly now. I will keep you posted. Thanks so much MrC!