
MrC, I'm getting an error code 2 again



2 days after I thought the issue was fixed, my computer took the usual 7-9 minutes to boot with the same error code 2 from before, "shell notify icon failed to perform desired action". It doesn't always show up, but it does most of the time. I PM'd a mod to reopen the old topic but haven't heard back in over a week. Seems like it occurred after a Malwarebytes update. I don't think I have a virus this time, so I'm not sure I'm posting this in the right place. Here's the old topic:

http://forums.malwarebytes.org/index.php?showtopic=118035&hl=laralara&st=0


laralara, you should have sent me a PM so I'm aware that you posted again!

~~~~~~~~~~~~~~~~~~

Please download OTL from one of the links below:

http://oldtimer.geekstogo.com/OTL.exe

http://www.itxassociates.com/OT-Tools/OTL.exe

http://oldtimer.geekstogo.com/OTL.com (<---renamed version)

Save it to your desktop.

Double click on the icon on your desktop.

Click the Scan All Users checkbox.

Push the Quick Scan button.

The scan will take about 10 minutes, depending on your hard drive size.

Two reports will open; copy and paste them in a reply here (or attach them as .txt files):

OTL.txt <-- Will be opened

Extra.txt <-- Will be minimized

MrC


I don't like what I see........

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links and instructions for running ComboFix:

http://www.bleepingc...to-use-combofix

Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message "Illegal operation attempted on registry key that has been marked for deletion" after you run ComboFix, please reboot the computer; this should resolve the problem. You may have to do this several times if needed.

MrC


ComboFix 12-12-07.01 - sharon 12/09/2012 10:58:00.3.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1049 [GMT -8:00]

Running from: c:\documents and settings\sharon\Desktop\ComboFix.exe

AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

FW: PC Tools Firewall Plus *Disabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\_ctypes.pyd

c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\_elementtree.pyd

c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\_hashlib.pyd

c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\_socket.pyd

c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\_ssl.pyd

c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\pyexpat.pyd

c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\pysqlite2._sqlite.pyd

c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\python26.dll

c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\pythoncom26.dll

c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\PyWinTypes26.dll

c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\select.pyd

c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\unicodedata.pyd

c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\win32api.pyd

c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\win32com.shell.shell.pyd

c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\win32crypt.pyd

c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\win32event.pyd

c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\win32file.pyd

c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\win32inet.pyd

c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\win32pdh.pyd

c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\win32process.pyd

c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\win32profile.pyd

c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\win32security.pyd

c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\win32ts.pyd

c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\windows._cacheinvalidation.pyd

c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\wx._controls_.pyd

c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\wx._core_.pyd

c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\wx._gdi_.pyd

c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\wx._html2.pyd

c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\wx._misc_.pyd

c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\wx._windows_.pyd

c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\wx._wizard.pyd

c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\wxbase293u_net_vc.dll

c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\wxbase293u_vc.dll

c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\wxmsw293u_adv_vc.dll

c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\wxmsw293u_core_vc.dll

c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\wxmsw293u_html_vc.dll

c:\docume~1\sharon\LOCALS~1\Temp\_MEI29043\wxmsw293u_webview_vc.dll

c:\documents and settings\All Users\Application Data\TEMP

c:\documents and settings\sharon\Local Settings\temp\_MEI29043\_ctypes.pyd

c:\documents and settings\sharon\Local Settings\temp\_MEI29043\_elementtree.pyd

c:\documents and settings\sharon\Local Settings\temp\_MEI29043\_hashlib.pyd

c:\documents and settings\sharon\Local Settings\temp\_MEI29043\_socket.pyd

c:\documents and settings\sharon\Local Settings\temp\_MEI29043\_ssl.pyd

c:\documents and settings\sharon\Local Settings\temp\_MEI29043\pyexpat.pyd

c:\documents and settings\sharon\Local Settings\temp\_MEI29043\pysqlite2._sqlite.pyd

c:\documents and settings\sharon\Local Settings\temp\_MEI29043\python26.dll

c:\documents and settings\sharon\Local Settings\temp\_MEI29043\pythoncom26.dll

c:\documents and settings\sharon\Local Settings\temp\_MEI29043\PyWinTypes26.dll

c:\documents and settings\sharon\Local Settings\temp\_MEI29043\select.pyd

c:\documents and settings\sharon\Local Settings\temp\_MEI29043\unicodedata.pyd

c:\documents and settings\sharon\Local Settings\temp\_MEI29043\win32api.pyd

c:\documents and settings\sharon\Local Settings\temp\_MEI29043\win32com.shell.shell.pyd

c:\documents and settings\sharon\Local Settings\temp\_MEI29043\win32crypt.pyd

c:\documents and settings\sharon\Local Settings\temp\_MEI29043\win32event.pyd

c:\documents and settings\sharon\Local Settings\temp\_MEI29043\win32file.pyd

c:\documents and settings\sharon\Local Settings\temp\_MEI29043\win32inet.pyd

c:\documents and settings\sharon\Local Settings\temp\_MEI29043\win32pdh.pyd

c:\documents and settings\sharon\Local Settings\temp\_MEI29043\win32process.pyd

c:\documents and settings\sharon\Local Settings\temp\_MEI29043\win32profile.pyd

c:\documents and settings\sharon\Local Settings\temp\_MEI29043\win32security.pyd

c:\documents and settings\sharon\Local Settings\temp\_MEI29043\win32ts.pyd

c:\documents and settings\sharon\Local Settings\temp\_MEI29043\windows._cacheinvalidation.pyd

c:\documents and settings\sharon\Local Settings\temp\_MEI29043\wx._controls_.pyd

c:\documents and settings\sharon\Local Settings\temp\_MEI29043\wx._core_.pyd

c:\documents and settings\sharon\Local Settings\temp\_MEI29043\wx._gdi_.pyd

c:\documents and settings\sharon\Local Settings\temp\_MEI29043\wx._html2.pyd

c:\documents and settings\sharon\Local Settings\temp\_MEI29043\wx._misc_.pyd

c:\documents and settings\sharon\Local Settings\temp\_MEI29043\wx._windows_.pyd

c:\documents and settings\sharon\Local Settings\temp\_MEI29043\wx._wizard.pyd

c:\documents and settings\sharon\Local Settings\temp\_MEI29043\wxbase293u_net_vc.dll

c:\documents and settings\sharon\Local Settings\temp\_MEI29043\wxbase293u_vc.dll

c:\documents and settings\sharon\Local Settings\temp\_MEI29043\wxmsw293u_adv_vc.dll

c:\documents and settings\sharon\Local Settings\temp\_MEI29043\wxmsw293u_core_vc.dll

c:\documents and settings\sharon\Local Settings\temp\_MEI29043\wxmsw293u_html_vc.dll

c:\documents and settings\sharon\Local Settings\temp\_MEI29043\wxmsw293u_webview_vc.dll

c:\windows\wininit.ini

.

.

((((((((((((((((((((((((( Files Created from 2012-11-09 to 2012-12-09 )))))))))))))))))))))))))))))))

.

.

2012-12-09 19:34 . 2012-12-09 19:35 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2012-11-25 03:46 . 2012-11-25 17:24 -------- d-----w- c:\program files\Web Publish

2012-11-25 03:46 . 2008-05-15 22:19 3715072 ----a-w- c:\windows\system32\cdintf300.dll

2012-11-25 03:43 . 2012-11-25 03:47 -------- d-----w- c:\program files\The Print Shop 23.1

2012-11-19 21:51 . 2012-11-19 21:51 -------- d-----w- c:\documents and settings\sharon\Local Settings\Application Data\Programs

2012-11-19 04:53 . 2012-11-19 04:53 -------- d-----w- c:\documents and settings\sharon\Local Settings\Application Data\Nero

2012-11-19 04:52 . 2012-11-19 04:52 -------- d-----w- c:\documents and settings\sharon\Application Data\Nero

2012-11-19 04:40 . 2012-11-19 04:59 -------- d-----w- c:\program files\Nero

2012-11-19 04:39 . 2012-11-19 04:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero

2012-11-19 04:23 . 2009-09-05 01:29 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll

2012-11-19 04:23 . 2009-09-05 01:29 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll

2012-11-19 04:22 . 2008-10-15 14:22 4379984 ----a-w- c:\windows\system32\D3DX9_40.dll

2012-11-19 04:22 . 2007-07-20 02:14 3727720 ----a-w- c:\windows\system32\d3dx9_35.dll

2012-11-16 21:38 . 2012-09-30 03:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-11-16 21:38 . 2012-11-16 21:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-11-15 23:32 . 2012-11-15 23:32 -------- d-----w- c:\documents and settings\sharon\Application Data\Malwarebytes

2012-11-15 23:32 . 2012-11-15 23:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2012-11-15 16:51 . 2012-01-31 12:44 237072 ------w- c:\windows\system32\MpSigStub.exe

2012-11-15 16:51 . 2012-11-15 16:51 -------- d-----w- C:\0d061fbcac79d09e9bb124cf52ce

2012-11-15 16:45 . 2012-11-15 16:46 -------- d-----w- c:\program files\Microsoft Security Client

2012-11-15 16:41 . 2012-11-15 16:41 -------- d-----w- c:\documents and settings\sharon\Application Data\PCToolsFirewallPlus

2012-11-15 16:39 . 2011-03-02 20:40 160576 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2012-11-15 16:39 . 2010-03-29 19:06 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2012-11-15 16:39 . 2011-01-17 17:10 251560 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2012-11-15 16:37 . 2012-11-15 16:39 -------- d-----w- c:\program files\Common Files\PC Tools

2012-11-15 16:37 . 2011-01-12 18:36 89472 ----a-w- c:\windows\system32\drivers\pctNdis-PacketFilter.sys

2012-11-15 16:37 . 2010-07-08 16:49 57536 ----a-w- c:\windows\system32\drivers\pctNdis.sys

2012-11-15 16:37 . 2010-02-05 16:26 32808 ----a-w- c:\windows\system32\drivers\pctNdis-DNS.sys

2012-11-15 16:37 . 2011-01-17 16:11 125248 ----a-w- c:\windows\system32\drivers\pctplfw.sys

2012-11-15 16:37 . 2012-11-15 16:41 -------- d-----w- c:\program files\PC Tools Firewall Plus

2012-11-15 06:44 . 2012-11-15 06:44 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-12-06 16:55 . 2012-05-05 16:23 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-12-06 16:55 . 2011-05-21 01:52 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-11-15 06:44 . 2008-10-25 16:59 143872 ----a-w- c:\windows\system32\javacpl.cpl

2012-11-15 06:44 . 2012-07-24 03:50 821736 ----a-w- c:\windows\system32\npDeployJava1.dll

2012-11-15 06:44 . 2010-08-13 02:52 746984 ----a-w- c:\windows\system32\deployJava1.dll

2012-11-08 18:00 . 2012-12-09 15:53 6812136 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{208A3C36-CB8C-4412-8065-678015DCBAD7}\mpengine.dll

2012-11-08 18:00 . 2012-12-08 05:56 6812136 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2012-10-22 08:37 . 2004-08-04 12:00 1866368 ----a-w- c:\windows\system32\win32k.sys

2012-10-10 07:22 . 2012-10-10 06:22 10220472 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe

2012-10-02 18:04 . 2004-08-04 12:00 58368 ----a-w- c:\windows\system32\synceng.dll

2012-09-21 14:50 . 2012-09-14 16:47 105088 ----a-w- c:\windows\system32\drivers\av5flt.sys

2012-11-06 19:52 . 2012-11-06 19:51 261600 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files\Yahoo!\Companion\Installs\cpn9\yt.dll" [2012-06-11 1524056]

.

[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]

[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]

[HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]

[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]

@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"

[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]

2012-11-09 00:58 556056 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]

@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"

[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]

2012-11-09 00:58 556056 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]

@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"

[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]

2012-11-09 00:58 556056 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]

@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"

[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]

2012-11-09 00:58 556056 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]

"OfficeSyncProcess"="c:\program files\Microsoft Office\Office14\MSOSYNC.EXE" [2012-01-21 719672]

"GoogleDriveSync"="c:\program files\Google\Drive\googledrivesync.exe" [2012-11-09 16070136]

"12F9BEC1EC6BE2D5615C75033DB928BBBB2922E8._service_run"="c:\documents and settings\sharon\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" [2012-12-06 1248360]

"MusicManager"="c:\documents and settings\sharon\Local Settings\Application Data\Programs\Google\MusicManager\MusicManager.exe" [2012-10-22 7356928]

"GoogleChromeAutoLaunch_65B68F2A14D8870A2AE39DA3D9784B74"="c:\documents and settings\sharon\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" [2012-12-06 1248360]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Communicator"="c:\program files\Microsoft Lync\communicator.exe" [2012-09-29 12105344]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]

"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2012-11-01 296096]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]

"00PCTFW"="c:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2011-04-07 2672600]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-13 947176]

"NBAgent"="c:\program files\Nero\Nero 10\Nero BackItUp\NBAgent.exe" [2010-09-03 1406248]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-09-24 926896]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-02-26 443968]

.

c:\documents and settings\sharon\Start Menu\Programs\Startup\

OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2011-9-2 227712]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Event Reminder.lnk - c:\program files\The Print Shop 23.1\Remind.exe [2010-6-21 344064]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLinkedConnections"= 1 (0x1)

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk

backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan.lnk

backup=c:\windows\pss\McAfee Security Scan.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk

backup=c:\windows\pss\Windows Search.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^sharon^Start Menu^Programs^Startup^Seagate NA0JGNRB Product Registration.lnk]

path=c:\documents and settings\sharon\Start Menu\Programs\Startup\Seagate NA0JGNRB Product Registration.lnk

backup=c:\windows\pss\Seagate NA0JGNRB Product Registration.lnkStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2012-09-24 04:43 926896 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]

2005-05-03 10:43 69632 ------r- c:\windows\Alcmtr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]

2011-09-27 14:22 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]

2010-03-13 22:54 91520 ----a-w- c:\program files\Microsoft Office\Office14\BCSSync.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]

2008-04-14 00:12 110592 ----a-w- c:\windows\system32\bthprops.cpl

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Communicator]

2012-09-29 04:44 12105344 ----a-w- c:\program files\Microsoft Lync\communicator.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]

2011-03-21 18:56 1230704 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EverioService]

2006-11-23 05:10 151552 ----a-w- c:\program files\CyberLink\PCM4Everio\EverioService.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

2007-11-08 07:56 166424 ----a-r- c:\windows\system32\hkcmd.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]

2007-11-08 07:56 141848 ----a-r- c:\windows\system32\igfxtray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2011-11-13 08:24 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2001-07-09 18:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]

2007-11-08 07:56 137752 ----a-r- c:\windows\system32\igfxpers.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-11-30 01:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]

2007-10-25 03:57 16855552 ------r- c:\windows\RTHDCPL.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]

2007-10-11 03:04 1826816 ------r- c:\windows\SkyTel.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2012-07-03 17:04 252848 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YMailAdvisor]

2009-05-08 10:53 174424 ----a-w- c:\program files\Yahoo!\Common\YMailAdvisor.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]

2009-02-03 13:15 111856 ----a-w- c:\program files\Yahoo!\Search Protection\SearchProtection.exe

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\CyberLink\\PCM4Everio\\PCM4Everio.exe"=

"c:\\Program Files\\CyberLink\\PCM4Everio\\EverioService.exe"=

"c:\\Documents and Settings\\sharon\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=

"c:\\Documents and Settings\\sharon\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=

"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=

"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Microsoft Lync\\communicator.exe"=

"c:\\Program Files\\Microsoft Lync\\UcMapi.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

.

R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [5/8/2006 9:46 AM 4064]

R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [11/15/2012 8:39 AM 251560]

R2 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [10/21/2011 3:23 PM 196176]

R2 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\SeaPort.EXE [10/13/2011 5:21 PM 249648]

R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [8/25/2011 5:53 PM 13672]

R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [11/16/2012 1:38 PM 399432]

R2 NAUpdate;@c:\program files\Nero\Update\NASvc.exe,-200;c:\program files\Nero\Update\NASvc.exe [5/4/2010 12:07 PM 503080]

R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [11/15/2012 8:39 AM 160576]

R2 ReplicaSysMon;Seagate Replica System Monitor;c:\program files\Seagate Replica\bin\ReplicaSysMon.exe [3/31/2011 11:46 AM 416208]

R2 Seagate-Replica-Svc;Seagate Replica Service;c:\program files\Seagate Replica\bin\Seagate-Replica-Svc.exe [3/31/2011 11:46 AM 1947600]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [11/16/2012 1:38 PM 22856]

R3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;c:\windows\system32\drivers\pctNdis-PacketFilter.sys [11/15/2012 8:37 AM 89472]

R3 pctNdisMP;PC Tools Driver;c:\windows\system32\drivers\pctNdis.sys [11/15/2012 8:37 AM 57536]

R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [11/15/2012 8:37 AM 125248]

S0 jrvtbk;jrvtbk;c:\windows\system32\drivers\tguv.sys --> c:\windows\system32\drivers\tguv.sys [?]

S0 pkixkats;pkixkats;c:\windows\system32\drivers\uijs.sys --> c:\windows\system32\drivers\uijs.sys [?]

S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/16/2012 1:38 PM 676936]

S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\system32\drivers\fantom.sys [3/10/2006 2:55 PM 39424]

S3 Ftdippk2sacs;Ftdippk2sacs; [x]

S3 pctNdis;PC Tools Firewall Intermediate Filter Service;c:\windows\system32\drivers\pctNdis.sys [11/15/2012 8:37 AM 57536]

S3 Pdrprsp;Pdrprsp; [x]

S3 RDID1059;Cakewalk Music Connector 1;c:\windows\system32\drivers\Rdwm1059.sys [10/21/2006 5:24 PM 66674]

S3 Wptaontfhm;Wptaontfhm; [x]

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]

2009-03-08 11:32 128512 ----a-w- c:\windows\system32\advpack.dll

.

Contents of the 'Scheduled Tasks' folder

.

2012-12-09 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-05 16:55]

.

2012-12-06 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 20:34]

.

2012-12-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-25 23:47]

.

2012-12-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-25 23:47]

.

2012-12-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-515967899-790525478-682003330-1004Core.job

- c:\documents and settings\sharon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-26 01:55]

.

2012-12-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-515967899-790525478-682003330-1004UA.job

- c:\documents and settings\sharon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-26 01:55]

.

2012-12-09 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job

- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-09-13 01:25]

.

2012-12-09 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-515967899-790525478-682003330-1004.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-07-27 21:27]

.

2012-11-26 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-515967899-790525478-682003330-1004.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-07-27 21:27]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/?ilc=1

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com

IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105

IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm

IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm

IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm

Trusted Zone: intuit.com\ttlc

Trusted Zone: turbotax.com

TCP: DhcpNameServer = 192.168.1.254

DPF: {26B2A5DA-BFD6-422F-A89A-28A54C74B12B} - hxxp://www.costcophotocenter.com/upload/activex/v3_0_0_4/PhotoCenter_ActiveX_Control.cab

DPF: {DEA6994F-3ED5-40BC-B5E3-0FD02411B1B4} - hxxp://www.costcophotocenter.com/upload/activex/v3_0_0_1/PhotoCenter_ActiveX_Control.cab?

FF - ProfilePath - c:\documents and settings\sharon\Application Data\Mozilla\Firefox\Profiles\nuy0i18j.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/?fr=fp-tyc8

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc8&p=

FF - ExtSQL: 2012-11-01 09:13; {0153E448-190B-4987-BDE1-F256CADA672F}; c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext

FF - ExtSQL: 2012-11-02 07:35; fmconverter@gmail.com; c:\program files\Freemake\Freemake Video Converter\BrowserPlugin\Firefox

FF - ExtSQL: 2019-09-25 23:40; {c0c9a2c7-2e5c-4447-bc53-97718bc91e1b}; c:\documents and settings\sharon\Application Data\Mozilla\Firefox\Profiles\nuy0i18j.default\extensions\{c0c9a2c7-2e5c-4447-bc53-97718bc91e1b}.xpi

FF - ExtSQL: !HIDDEN! 2009-09-02 06:20; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-12-09 11:36

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Seagate-Replica-Svc]

"ImagePath"="c:\program files\Seagate Replica\bin\Seagate-Replica-Svc.exe /startedbyscm:FE2355B7-40E2EE35-RebitSvcModule"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(5428)

c:\windows\system32\WININET.dll

c:\program files\Google\Drive\googledrivesync32.dll

c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf

c:\progra~1\MICROS~3\Office14\1033\GrooveIntlResource.dll

c:\program files\iTunes\iTunesMiniPlayer.dll

c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll

c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\msi.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Microsoft Security Client\MsMpEng.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

c:\program files\Java\jre7\bin\jqs.exe

c:\program files\Common Files\Motive\McciCMService.exe

c:\program files\PC Tools Firewall Plus\FWService.exe

c:\program files\CyberLink\Shared Files\RichVideo.exe

c:\program files\Seagate Replica\bin\Seagate-Replica-Autoplay.exe

c:\program files\Seagate Replica\bin\Seagate-Replica-Tray.exe

c:\windows\system32\dllhost.exe

c:\windows\system32\SearchIndexer.exe

c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe

c:\program files\Canon\CAL\CALMAIN.exe

c:\windows\system32\wscntfy.exe

c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

c:\windows\system32\dllhost.exe

c:\windows\system32\rundll32.exe

c:\windows\system32\msdtc.exe

.

**************************************************************************

.

Completion time: 2012-12-09 11:47:13 - machine was rebooted

ComboFix-quarantined-files.txt 2012-12-09 19:47

.

Pre-Run: 429,299,785,728 bytes free

Post-Run: 430,907,092,992 bytes free

.

- - End Of File - - ADB36B745B17B497811E774E44D9C56B


Using ComboFix......

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

4. If ComboFix wants to update.....please allow it to.

File::

c:\windows\system32\drivers\tguv.sys

c:\windows\system32\drivers\uijs.sys

Driver::

jrvtbk

pkixkats

Pdrprsp

Wptaontfhm

ClearJavaCache::

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe

CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

After reboot, (in case it asks to reboot)......

Please provide the contents of the ComboFix log (C:\ComboFix.txt) in your next reply.

MrC


ComboFix 12-12-07.01 - sharon 12/09/2012 19:55:20.4.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1270 [GMT -8:00]

Running from: c:\documents and settings\sharon\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\sharon\Desktop\CFScript.txt

AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

FW: PC Tools Firewall Plus *Disabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}

.

FILE ::

"c:\windows\system32\drivers\tguv.sys"

"c:\windows\system32\drivers\uijs.sys"

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\_ctypes.pyd

c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\_elementtree.pyd

c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\_hashlib.pyd

c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\_socket.pyd

c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\_ssl.pyd

c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\pyexpat.pyd

c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\pysqlite2._sqlite.pyd

c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\python26.dll

c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\pythoncom26.dll

c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\PyWinTypes26.dll

c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\select.pyd

c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\unicodedata.pyd

c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\win32api.pyd

c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\win32com.shell.shell.pyd

c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\win32crypt.pyd

c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\win32event.pyd

c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\win32file.pyd

c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\win32inet.pyd

c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\win32pdh.pyd

c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\win32process.pyd

c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\win32profile.pyd

c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\win32security.pyd

c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\win32ts.pyd

c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\windows._cacheinvalidation.pyd

c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\wx._controls_.pyd

c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\wx._core_.pyd

c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\wx._gdi_.pyd

c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\wx._html2.pyd

c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\wx._misc_.pyd

c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\wx._windows_.pyd

c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\wx._wizard.pyd

c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\wxbase293u_net_vc.dll

c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\wxbase293u_vc.dll

c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\wxmsw293u_adv_vc.dll

c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\wxmsw293u_core_vc.dll

c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\wxmsw293u_html_vc.dll

c:\docume~1\sharon\LOCALS~1\Temp\_MEI1642\wxmsw293u_webview_vc.dll

c:\documents and settings\All Users\Application Data\TEMP

c:\documents and settings\sharon\Local Settings\temp\_MEI1642\_ctypes.pyd

c:\documents and settings\sharon\Local Settings\temp\_MEI1642\_elementtree.pyd

c:\documents and settings\sharon\Local Settings\temp\_MEI1642\_hashlib.pyd

c:\documents and settings\sharon\Local Settings\temp\_MEI1642\_socket.pyd

c:\documents and settings\sharon\Local Settings\temp\_MEI1642\_ssl.pyd

c:\documents and settings\sharon\Local Settings\temp\_MEI1642\pyexpat.pyd

c:\documents and settings\sharon\Local Settings\temp\_MEI1642\pysqlite2._sqlite.pyd

c:\documents and settings\sharon\Local Settings\temp\_MEI1642\python26.dll

c:\documents and settings\sharon\Local Settings\temp\_MEI1642\pythoncom26.dll

c:\documents and settings\sharon\Local Settings\temp\_MEI1642\PyWinTypes26.dll

c:\documents and settings\sharon\Local Settings\temp\_MEI1642\select.pyd

c:\documents and settings\sharon\Local Settings\temp\_MEI1642\unicodedata.pyd

c:\documents and settings\sharon\Local Settings\temp\_MEI1642\win32api.pyd

c:\documents and settings\sharon\Local Settings\temp\_MEI1642\win32com.shell.shell.pyd

c:\documents and settings\sharon\Local Settings\temp\_MEI1642\win32crypt.pyd

c:\documents and settings\sharon\Local Settings\temp\_MEI1642\win32event.pyd

c:\documents and settings\sharon\Local Settings\temp\_MEI1642\win32file.pyd

c:\documents and settings\sharon\Local Settings\temp\_MEI1642\win32inet.pyd

c:\documents and settings\sharon\Local Settings\temp\_MEI1642\win32pdh.pyd

c:\documents and settings\sharon\Local Settings\temp\_MEI1642\win32process.pyd

c:\documents and settings\sharon\Local Settings\temp\_MEI1642\win32profile.pyd

c:\documents and settings\sharon\Local Settings\temp\_MEI1642\win32security.pyd

c:\documents and settings\sharon\Local Settings\temp\_MEI1642\win32ts.pyd

c:\documents and settings\sharon\Local Settings\temp\_MEI1642\windows._cacheinvalidation.pyd

c:\documents and settings\sharon\Local Settings\temp\_MEI1642\wx._controls_.pyd

c:\documents and settings\sharon\Local Settings\temp\_MEI1642\wx._core_.pyd

c:\documents and settings\sharon\Local Settings\temp\_MEI1642\wx._gdi_.pyd

c:\documents and settings\sharon\Local Settings\temp\_MEI1642\wx._html2.pyd

c:\documents and settings\sharon\Local Settings\temp\_MEI1642\wx._misc_.pyd

c:\documents and settings\sharon\Local Settings\temp\_MEI1642\wx._windows_.pyd

c:\documents and settings\sharon\Local Settings\temp\_MEI1642\wx._wizard.pyd

c:\documents and settings\sharon\Local Settings\temp\_MEI1642\wxbase293u_net_vc.dll

c:\documents and settings\sharon\Local Settings\temp\_MEI1642\wxbase293u_vc.dll

c:\documents and settings\sharon\Local Settings\temp\_MEI1642\wxmsw293u_adv_vc.dll

c:\documents and settings\sharon\Local Settings\temp\_MEI1642\wxmsw293u_core_vc.dll

c:\documents and settings\sharon\Local Settings\temp\_MEI1642\wxmsw293u_html_vc.dll

c:\documents and settings\sharon\Local Settings\temp\_MEI1642\wxmsw293u_webview_vc.dll

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_PDRPRSP

-------\Service_jrvtbk

-------\Service_Pdrprsp

-------\Service_pkixkats

-------\Service_Wptaontfhm

.

.

((((((((((((((((((((((((( Files Created from 2012-11-10 to 2012-12-10 )))))))))))))))))))))))))))))))

.

.

2012-12-10 04:55 . 2012-12-10 04:56 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2012-12-09 19:53 . 2012-11-08 18:00 6812136 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C8EBC9E5-8F3F-4000-B482-6A144F63D30A}\mpengine.dll

2012-12-08 05:56 . 2012-11-08 18:00 6812136 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2012-11-25 03:46 . 2012-11-25 17:24 -------- d-----w- c:\program files\Web Publish

2012-11-25 03:46 . 2008-05-15 22:19 3715072 ----a-w- c:\windows\system32\cdintf300.dll

2012-11-25 03:43 . 2012-11-25 03:47 -------- d-----w- c:\program files\The Print Shop 23.1

2012-11-19 21:51 . 2012-11-19 21:51 -------- d-----w- c:\documents and settings\sharon\Local Settings\Application Data\Programs

2012-11-19 04:53 . 2012-11-19 04:53 -------- d-----w- c:\documents and settings\sharon\Local Settings\Application Data\Nero

2012-11-19 04:52 . 2012-11-19 04:52 -------- d-----w- c:\documents and settings\sharon\Application Data\Nero

2012-11-19 04:40 . 2012-11-19 04:59 -------- d-----w- c:\program files\Nero

2012-11-19 04:39 . 2012-11-19 04:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero

2012-11-19 04:23 . 2009-09-05 01:29 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll

2012-11-19 04:23 . 2009-09-05 01:29 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll

2012-11-19 04:22 . 2008-10-15 14:22 4379984 ----a-w- c:\windows\system32\D3DX9_40.dll

2012-11-19 04:22 . 2007-07-20 02:14 3727720 ----a-w- c:\windows\system32\d3dx9_35.dll

2012-11-16 21:38 . 2012-09-30 03:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-11-16 21:38 . 2012-11-16 21:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-11-15 23:32 . 2012-11-15 23:32 -------- d-----w- c:\documents and settings\sharon\Application Data\Malwarebytes

2012-11-15 23:32 . 2012-11-15 23:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2012-11-15 16:51 . 2012-01-31 12:44 237072 ------w- c:\windows\system32\MpSigStub.exe

2012-11-15 16:51 . 2012-11-15 16:51 -------- d-----w- C:\0d061fbcac79d09e9bb124cf52ce

2012-11-15 16:45 . 2012-11-15 16:46 -------- d-----w- c:\program files\Microsoft Security Client

2012-11-15 16:41 . 2012-11-15 16:41 -------- d-----w- c:\documents and settings\sharon\Application Data\PCToolsFirewallPlus

2012-11-15 16:39 . 2011-03-02 20:40 160576 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2012-11-15 16:39 . 2010-03-29 19:06 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2012-11-15 16:39 . 2011-01-17 17:10 251560 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2012-11-15 16:37 . 2012-11-15 16:39 -------- d-----w- c:\program files\Common Files\PC Tools

2012-11-15 16:37 . 2011-01-12 18:36 89472 ----a-w- c:\windows\system32\drivers\pctNdis-PacketFilter.sys

2012-11-15 16:37 . 2010-07-08 16:49 57536 ----a-w- c:\windows\system32\drivers\pctNdis.sys

2012-11-15 16:37 . 2010-02-05 16:26 32808 ----a-w- c:\windows\system32\drivers\pctNdis-DNS.sys

2012-11-15 16:37 . 2011-01-17 16:11 125248 ----a-w- c:\windows\system32\drivers\pctplfw.sys

2012-11-15 16:37 . 2012-11-15 16:41 -------- d-----w- c:\program files\PC Tools Firewall Plus

2012-11-15 06:44 . 2012-11-15 06:44 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-12-06 16:55 . 2012-05-05 16:23 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-12-06 16:55 . 2011-05-21 01:52 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-11-15 06:44 . 2008-10-25 16:59 143872 ----a-w- c:\windows\system32\javacpl.cpl

2012-11-15 06:44 . 2012-07-24 03:50 821736 ----a-w- c:\windows\system32\npDeployJava1.dll

2012-11-15 06:44 . 2010-08-13 02:52 746984 ----a-w- c:\windows\system32\deployJava1.dll

2012-10-22 08:37 . 2004-08-04 12:00 1866368 ----a-w- c:\windows\system32\win32k.sys

2012-10-10 07:22 . 2012-10-10 06:22 10220472 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe

2012-10-02 18:04 . 2004-08-04 12:00 58368 ----a-w- c:\windows\system32\synceng.dll

2012-09-21 14:50 . 2012-09-14 16:47 105088 ----a-w- c:\windows\system32\drivers\av5flt.sys

2012-11-06 19:52 . 2012-11-06 19:51 261600 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files\Yahoo!\Companion\Installs\cpn9\yt.dll" [2012-06-11 1524056]

.

[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]

[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]

[HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]

[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]

@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"

[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]

2012-11-09 00:58 556056 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]

@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"

[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]

2012-11-09 00:58 556056 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]

@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"

[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]

2012-11-09 00:58 556056 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]

@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"

[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]

2012-11-09 00:58 556056 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]

"OfficeSyncProcess"="c:\program files\Microsoft Office\Office14\MSOSYNC.EXE" [2012-01-21 719672]

"GoogleDriveSync"="c:\program files\Google\Drive\googledrivesync.exe" [2012-11-09 16070136]

"12F9BEC1EC6BE2D5615C75033DB928BBBB2922E8._service_run"="c:\documents and settings\sharon\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" [2012-12-06 1248360]

"MusicManager"="c:\documents and settings\sharon\Local Settings\Application Data\Programs\Google\MusicManager\MusicManager.exe" [2012-10-22 7356928]

"GoogleChromeAutoLaunch_65B68F2A14D8870A2AE39DA3D9784B74"="c:\documents and settings\sharon\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" [2012-12-06 1248360]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Communicator"="c:\program files\Microsoft Lync\communicator.exe" [2012-09-29 12105344]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]

"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2012-11-01 296096]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]

"00PCTFW"="c:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2011-04-07 2672600]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-13 947176]

"NBAgent"="c:\program files\Nero\Nero 10\Nero BackItUp\NBAgent.exe" [2010-09-03 1406248]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-09-24 926896]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-02-26 443968]

.

c:\documents and settings\sharon\Start Menu\Programs\Startup\

OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2011-9-2 227712]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Event Reminder.lnk - c:\program files\The Print Shop 23.1\Remind.exe [2010-6-21 344064]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLinkedConnections"= 1 (0x1)

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk

backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan.lnk

backup=c:\windows\pss\McAfee Security Scan.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk

backup=c:\windows\pss\Windows Search.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^sharon^Start Menu^Programs^Startup^Seagate NA0JGNRB Product Registration.lnk]

path=c:\documents and settings\sharon\Start Menu\Programs\Startup\Seagate NA0JGNRB Product Registration.lnk

backup=c:\windows\pss\Seagate NA0JGNRB Product Registration.lnkStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2012-09-24 04:43 926896 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]

2005-05-03 10:43 69632 ------r- c:\windows\Alcmtr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]

2011-09-27 14:22 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]

2010-03-13 22:54 91520 ----a-w- c:\program files\Microsoft Office\Office14\BCSSync.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]

2008-04-14 00:12 110592 ----a-w- c:\windows\system32\bthprops.cpl

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Communicator]

2012-09-29 04:44 12105344 ----a-w- c:\program files\Microsoft Lync\communicator.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]

2011-03-21 18:56 1230704 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EverioService]

2006-11-23 05:10 151552 ----a-w- c:\program files\CyberLink\PCM4Everio\EverioService.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

2007-11-08 07:56 166424 ----a-r- c:\windows\system32\hkcmd.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]

2007-11-08 07:56 141848 ----a-r- c:\windows\system32\igfxtray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2011-11-13 08:24 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2001-07-09 18:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]

2007-11-08 07:56 137752 ----a-r- c:\windows\system32\igfxpers.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-11-30 01:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]

2007-10-25 03:57 16855552 ------r- c:\windows\RTHDCPL.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]

2007-10-11 03:04 1826816 ------r- c:\windows\SkyTel.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2012-07-03 17:04 252848 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YMailAdvisor]

2009-05-08 10:53 174424 ----a-w- c:\program files\Yahoo!\Common\YMailAdvisor.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]

2009-02-03 13:15 111856 ----a-w- c:\program files\Yahoo!\Search Protection\SearchProtection.exe

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\CyberLink\\PCM4Everio\\PCM4Everio.exe"=

"c:\\Program Files\\CyberLink\\PCM4Everio\\EverioService.exe"=

"c:\\Documents and Settings\\sharon\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=

"c:\\Documents and Settings\\sharon\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=

"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=

"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Microsoft Lync\\communicator.exe"=

"c:\\Program Files\\Microsoft Lync\\UcMapi.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

.

R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [5/8/2006 9:46 AM 4064]

R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [11/15/2012 8:39 AM 251560]

R2 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\SeaPort.EXE [10/13/2011 5:21 PM 249648]

R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [8/25/2011 5:53 PM 13672]

R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [11/16/2012 1:38 PM 399432]

R2 NAUpdate;@c:\program files\Nero\Update\NASvc.exe,-200;c:\program files\Nero\Update\NASvc.exe [5/4/2010 12:07 PM 503080]

R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [11/15/2012 8:39 AM 160576]

R2 ReplicaSysMon;Seagate Replica System Monitor;c:\program files\Seagate Replica\bin\ReplicaSysMon.exe [3/31/2011 11:46 AM 416208]

R2 Seagate-Replica-Svc;Seagate Replica Service;c:\program files\Seagate Replica\bin\Seagate-Replica-Svc.exe [3/31/2011 11:46 AM 1947600]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [11/16/2012 1:38 PM 22856]

R3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;c:\windows\system32\drivers\pctNdis-PacketFilter.sys [11/15/2012 8:37 AM 89472]

R3 pctNdisMP;PC Tools Driver;c:\windows\system32\drivers\pctNdis.sys [11/15/2012 8:37 AM 57536]

R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [11/15/2012 8:37 AM 125248]

S2 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [10/21/2011 3:23 PM 196176]

S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/16/2012 1:38 PM 676936]

S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\system32\drivers\fantom.sys [3/10/2006 2:55 PM 39424]

S3 Ftdippk2sacs;Ftdippk2sacs; [x]

S3 pctNdis;PC Tools Firewall Intermediate Filter Service;c:\windows\system32\drivers\pctNdis.sys [11/15/2012 8:37 AM 57536]

S3 RDID1059;Cakewalk Music Connector 1;c:\windows\system32\drivers\Rdwm1059.sys [10/21/2006 5:24 PM 66674]

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]

2009-03-08 11:32 128512 ----a-w- c:\windows\system32\advpack.dll

.

Contents of the 'Scheduled Tasks' folder

.

2012-12-10 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-05 16:55]

.

2012-12-06 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 20:34]

.

2012-12-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-25 23:47]

.

2012-12-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-25 23:47]

.

2012-12-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-515967899-790525478-682003330-1004Core.job

- c:\documents and settings\sharon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-26 01:55]

.

2012-12-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-515967899-790525478-682003330-1004UA.job

- c:\documents and settings\sharon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-26 01:55]

.

2012-12-10 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job

- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-09-13 01:25]

.

2012-12-10 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-515967899-790525478-682003330-1004.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-07-27 21:27]

.

2012-11-26 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-515967899-790525478-682003330-1004.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-07-27 21:27]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/?ilc=1

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com

IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105

IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm

IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm

IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm

Trusted Zone: intuit.com\ttlc

Trusted Zone: turbotax.com

TCP: DhcpNameServer = 192.168.1.254

DPF: {26B2A5DA-BFD6-422F-A89A-28A54C74B12B} - hxxp://www.costcophotocenter.com/upload/activex/v3_0_0_4/PhotoCenter_ActiveX_Control.cab

DPF: {DEA6994F-3ED5-40BC-B5E3-0FD02411B1B4} - hxxp://www.costcophotocenter.com/upload/activex/v3_0_0_1/PhotoCenter_ActiveX_Control.cab?

FF - ProfilePath - c:\documents and settings\sharon\Application Data\Mozilla\Firefox\Profiles\nuy0i18j.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/?fr=fp-tyc8

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc8&p=

FF - ExtSQL: 2012-11-01 09:13; {0153E448-190B-4987-BDE1-F256CADA672F}; c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext

FF - ExtSQL: 2012-11-02 07:35; fmconverter@gmail.com; c:\program files\Freemake\Freemake Video Converter\BrowserPlugin\Firefox

FF - ExtSQL: 2019-09-25 23:40; {c0c9a2c7-2e5c-4447-bc53-97718bc91e1b}; c:\documents and settings\sharon\Application Data\Mozilla\Firefox\Profiles\nuy0i18j.default\extensions\{c0c9a2c7-2e5c-4447-bc53-97718bc91e1b}.xpi

FF - ExtSQL: !HIDDEN! 2009-09-02 06:20; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-12-09 20:55

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Seagate-Replica-Svc]

"ImagePath"="c:\program files\Seagate Replica\bin\Seagate-Replica-Svc.exe /startedbyscm:FE2355B7-40E2EE35-RebitSvcModule"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(4932)

c:\windows\system32\WININET.dll

c:\program files\Google\Drive\googledrivesync32.dll

c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf

c:\progra~1\MICROS~3\Office14\1033\GrooveIntlResource.dll

c:\program files\iTunes\iTunesMiniPlayer.dll

c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll

c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\msi.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Microsoft Security Client\MsMpEng.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

c:\program files\Java\jre7\bin\jqs.exe

c:\program files\Common Files\Motive\McciCMService.exe

c:\program files\PC Tools Firewall Plus\FWService.exe

c:\program files\CyberLink\Shared Files\RichVideo.exe

c:\windows\system32\dllhost.exe

c:\windows\system32\SearchIndexer.exe

c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe

c:\program files\Canon\CAL\CALMAIN.exe

c:\windows\system32\dllhost.exe

c:\windows\system32\msdtc.exe

c:\windows\system32\wscntfy.exe

c:\program files\Seagate Replica\bin\Seagate-Replica-Autoplay.exe

c:\program files\Seagate Replica\bin\Seagate-Replica-Tray.exe

c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

.

**************************************************************************

.

Completion time: 2012-12-09 21:05:35 - machine was rebooted

ComboFix-quarantined-files.txt 2012-12-10 05:05

ComboFix2.txt 2012-12-09 19:47

.

Pre-Run: 429,844,328,448 bytes free

Post-Run: 429,747,040,256 bytes free

.

- - End Of File - - 33CA976F7B1E8B7446E232D5CDA6651F


I didn't want you to download it; I just wanted to know if you had it installed on the system.

Also, do you have 'Python' by Python Software Foundation?

All those files that ComboFix keeps deleting look like they're from wxWidgets-2.9.4 or Python.

Are you the only one using the computer?

MrC


Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste the next command into the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /


Then hit enter.

This will uninstall ComboFix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall)

---------------------------------

Please download OTL from one of the links below: (you may already have OTL on the system)

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

http://www.itxassoci...T-Tools/OTL.exe

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

Any other programs or logs you can manually delete.

i.e. RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST, etc....

MrC

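The Silent Runners listing that follows enumerates every autostart and shell-extension location on the machine (Run keys, BHOs, icon overlays, ShellExecuteHooks, protocol handlers, context-menu handlers), each with its module path and a bracketed vendor field. When such a log runs to hundreds of entries, the two things a responder wants pulled out mechanically are modules whose vendor field reads "[null data]" and anything loading from a user profile or temp directory, since legitimate shell extensions almost always carry a company name and live under Program Files or system32. The script below is an added example written for this page; it is not Silent Runners' own code and not part of this thread. Its sample input is a constructed excerpt modelled on the log format, and it assumes the bracketed field is the binary's embedded CompanyName with "[null data]" meaning none is present.

```python
r"""Autostart triage for Silent Runners-style logs (added example, not the tool's code).

Each COM-based entry in the log is a registry section header, the value line,
an "-> {HK...CLSID} = <name>" line and a "\InProcServer32\(Default) = <path> [<vendor>]"
line; Run-key entries are "name = <command> [<vendor>]".  The bracketed field is
taken here to be the binary's embedded CompanyName, with "[null data]" meaning
none is present (assumption about the tool's output format).
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed excerpt modelled on the log format (not the full log from the thread).
SAMPLE_LOG = r"""
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe [MS]
GoogleChromeAutoLaunch_65B68F2A = "C:\Documents and Settings\sharon\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --no-startup-window [Google Inc.]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{EAD3A971-6A23-4246-8691-C9244E858967}\(Default) = (no title provided)
-> {HKLM…CLSID} = OToolbarHelper Class
\InProcServer32\(Default) = C:\Program Files\PayPal\PayPal Plug-In\PayPalHelper.dll [null data]
{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\(Default) = AcroIEHelperStub
-> {HKLM…CLSID} = Adobe PDF Link Helper
\InProcServer32\(Default) = C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [Adobe Systems Incorporated]
"""

# Registry location header: "HKLM\...\Key\" optionally followed by " {++}".
_SECTION = re.compile(r'^(?P<key>HK(?:LM|CU)\\.*\\)\s*(?:\{\+\+\})?$')
# Display name resolved through the CLSID: "-> {HKLM…CLSID} = Name".
_CLSID_NAME = re.compile(r'^->\s*\{HK[^}]*\}\s*=\s*(?P<name>.+?)\s*$')
# Module line for a COM object, with the bracketed vendor field at the end.
_MODULE = re.compile(
    r'^\\?(?:InProcServer32|LocalServer32)\\\(Default\)\s*=\s*'
    r'"?(?P<path>[^"\[]+?)"?\s*\[(?P<vendor>[^\]]*)\]\s*$')
# Run-key value: "name = command line [vendor]".
_RUN_VALUE = re.compile(r'^(?P<name>[^=\\]+?)\s*=\s*(?P<cmd>.+?)\s*\[(?P<vendor>[^\]]*)\]\s*$')
# First executable/module token of a command line; unquoted paths may contain spaces.
_EXE_PATH = re.compile(
    r'^"?(?P<path>.+?\.(?:exe|dll|scr|com|cpl|ocx|sys|vbs|bat|cmd))"?(?=\s|$)', re.IGNORECASE)
_USER_PROFILE = re.compile(
    r'\\(?:documents and settings|users)\\[^\\]+\\(?:local settings|application data|appdata|temp)\\',
    re.IGNORECASE)
_TEMP_DIR = re.compile(r'\\temp\\', re.IGNORECASE)


@dataclass(frozen=True)
class Entry:
    section: str  # registry location the entry was found under
    name: str     # value name, or the CLSID display name for COM entries
    path: str     # module path with arguments stripped
    vendor: str   # bracketed vendor field exactly as printed in the log


def _module_path(command: str) -> str:
    """Strip arguments from a command line, tolerating unquoted paths with spaces."""
    m = _EXE_PATH.match(command.strip())
    return m.group('path') if m else command.strip().strip('"')


def parse_entries(log_text: str) -> List[Entry]:
    """Walk the log line by line and collect every module it names."""
    entries: List[Entry] = []
    section, pending_name = '', ''
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _SECTION.match(line)
        if m:
            section, pending_name = m.group('key'), ''
            continue
        m = _CLSID_NAME.match(line)
        if m:
            pending_name = m.group('name')
            continue
        m = _MODULE.match(line)
        if m:
            entries.append(Entry(section, pending_name or '(unnamed)',
                                 _module_path(m.group('path')), m.group('vendor')))
            continue
        if section.lower().endswith('\\run\\'):
            m = _RUN_VALUE.match(line)
            if m:
                entries.append(Entry(section, m.group('name'),
                                     _module_path(m.group('cmd')), m.group('vendor')))
    return entries


def flag_reasons(entry: Entry) -> List[str]:
    """Return the review reasons for one entry (empty list means nothing stands out)."""
    reasons: List[str] = []
    if entry.vendor.strip().lower() == 'null data':
        reasons.append('no CompanyName in version info')
    if _USER_PROFILE.search(entry.path):
        reasons.append('runs from a user-profile directory')
    if _TEMP_DIR.search(entry.path):
        reasons.append('runs from a temp directory')
    return reasons


def triage(log_text: str) -> List[Tuple[Entry, List[str]]]:
    """Parse the log and keep only the entries that earned at least one reason."""
    return [(e, flag_reasons(e)) for e in parse_entries(log_text) if flag_reasons(e)]


if __name__ == '__main__':
    for entry, reasons in triage(SAMPLE_LOG):
        print(f'{entry.name}: {entry.path} [{entry.vendor}] -> {"; ".join(reasons)}')
```

Run it against a saved Silent Runners log by passing the file contents to triage(). A hit is a prompt to check the file's signature and hash, not a verdict: plenty of legitimate plug-ins ship without a CompanyName, and per-user installers (Chrome, Google Music Manager) legitimately run from the profile, as the log here shows.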

"Silent Runners.vbs", revision 64, http://www.silentrunners.org/

Operating System: Microsoft Windows XP Professional Service Pack 3 (32-bit)

Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:

---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

Yahoo! Pager = "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet [Yahoo! Inc.]

Search Protection = C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe [Yahoo! Inc]

OfficeSyncProcess = "C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE" [MS]

GoogleDriveSync = "C:\Program Files\Google\Drive\googledrivesync.exe" /autostart [Google]

12F9BEC1EC6BE2D5615C75033DB928BBBB2922E8._service_run = "C:\Documents and Settings\sharon\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --type=service [Google Inc.]

MusicManager = "C:\Documents and Settings\sharon\Local Settings\Application Data\Programs\Google\MusicManager\MusicManager.exe" [Google Inc.]

GoogleChromeAutoLaunch_65B68F2A14D8870A2AE39DA3D9784B74 = "C:\Documents and Settings\sharon\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --no-startup-window [Google Inc.]

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

Communicator = "C:\Program Files\Microsoft Lync\communicator.exe" /fromrunkey [MS]

QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime [Apple Inc.]

TkBellExe = "C:\program files\real\realplayer\update\realsched.exe" -osboot [RealNetworks, Inc.]

SunJavaUpdateSched = "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [sun Microsystems, Inc.]

00PCTFW = "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s [PC Tools]

MSC = "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [MS]

NBAgent = "C:\Program Files\Nero\Nero 10\Nero BackItUp\NBAgent.exe" /WinStart [Nero AG]

Adobe ARM = "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [Adobe Systems Incorporated]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{02478D38-C3F9-4EFB-9B51-7695ECA05670}\(Default) = (no title provided)

-> {HKLM…CLSID} = &Yahoo! Toolbar Helper

\InProcServer32\(Default) = C:\Program Files\Yahoo!\Companion\Installs\cpn10\yt.dll [Yahoo! Inc.]

{11111111-1111-1111-1111-110011441193}\(Default) = CrossriderApp0004493

-> {HKLM…CLSID} = Coupon Companion

\InProcServer32\(Default) = C:\Program Files\Coupon Companion\Coupon Companion.dll [215 Apps]

{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\(Default) = AcroIEHelperStub

-> {HKLM…CLSID} = Adobe PDF Link Helper

\InProcServer32\(Default) = C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [Adobe Systems Incorporated]

{3049C3E9-B461-4BC5-8870-4C09146192CA}\(Default) = (no title provided)

-> {HKLM…CLSID} = RealPlayer Download and Record Plugin for Internet Explorer

\InProcServer32\(Default) = C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll [RealPlayer]

{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\(Default) = Lync add-on BHO

-> {HKLM…CLSID} = Lync Browser Helper

\InProcServer32\(Default) = C:\Program Files\Microsoft Lync\OCHelper.dll [MS]

{326E768D-4182-46FD-9C16-1449A49795F4}\(Default) = Increase performance and video formats for your HTML5 <video>

-> {HKLM…CLSID} = DivX Plus Web Player HTML5 <video>

\InProcServer32\(Default) = C:\Program Files\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll [DivX, LLC]

{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\(Default) = (no title provided)

-> {HKLM…CLSID} = Yahoo! IE Services Button

\InProcServer32\(Default) = C:\Program Files\Yahoo!\Common\yiesrvc.dll [Yahoo! Inc.]

{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\(Default) = (no title provided)

-> {HKLM…CLSID} = Groove GFS Browser Helper

\InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL [MS]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)

-> {HKLM…CLSID} = Java Plug-In SSV Helper

\InProcServer32\(Default) = C:\Program Files\Java\jre7\bin\ssv.dll [Oracle Corporation]

{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)

-> {HKLM…CLSID} = Windows Live Sign-in Helper

\InProcServer32\(Default) = C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [MS]

{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)

-> {HKLM…CLSID} = Google Toolbar Helper

\InProcServer32\(Default) = C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [Google Inc.]

{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\(Default) = (no title provided)

-> {HKLM…CLSID} = Google Toolbar Notifier BHO

\InProcServer32\(Default) = C:\Program Files\Google\GoogleToolbarNotifier\5.7.8313.1002\swg.dll [Google Inc.]

{B4F3A835-0E21-4959-BA22-42B3008E02FF}\(Default) = URLRedirectionBHO

-> {HKLM…CLSID} = Office Document Cache Handler

\InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office14\URLREDIR.DLL [MS]

{DBC80044-A445-435b-BC74-9C25C1C588A9}\(Default) = (no title provided)

-> {HKLM…CLSID} = Java Plug-In 2 SSV Helper

\InProcServer32\(Default) = C:\Program Files\Java\jre7\bin\jp2ssv.dll [Oracle Corporation]

{EAD3A971-6A23-4246-8691-C9244E858967}\(Default) = (no title provided)

-> {HKLM…CLSID} = OToolbarHelper Class

\InProcServer32\(Default) = C:\Program Files\PayPal\PayPal Plug-In\PayPalHelper.dll [null data]

{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}\(Default) = (no title provided)

-> {HKLM…CLSID} = SingleInstance Class

\InProcServer32\(Default) = C:\Program Files\Yahoo!\Companion\Installs\cpn7\YTSingleInstance.dll [Yahoo! Inc]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\

GDriveBlacklistedOverlay\(Default) = {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}

-> {HKLM…CLSID} = Google Drive Shell extension

\InProcServer32\(Default) = C:\Program Files\Google\Drive\googledrivesync32.dll [Google]

GDriveSharedOverlay\(Default) = {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}

-> {HKLM…CLSID} = Google Drive Shell extension

\InProcServer32\(Default) = C:\Program Files\Google\Drive\googledrivesync32.dll [Google]

GDriveSyncedOverlay\(Default) = {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}

-> {HKLM…CLSID} = Google Drive Shell extension

\InProcServer32\(Default) = C:\Program Files\Google\Drive\googledrivesync32.dll [Google]

GDriveSyncingOverlay\(Default) = {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}

-> {HKLM…CLSID} = Google Drive Shell extension

\InProcServer32\(Default) = C:\Program Files\Google\Drive\googledrivesync32.dll [Google]

Groove Explorer Icon Overlay 1 (GFS Unread Stub)\(Default) = {99FD978C-D287-4F50-827F-B2C658EDA8E7}

-> {HKLM…CLSID} = Groove Explorer Icon Overlay 1 (GFS Unread Stub)

\InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL [MS]

Groove Explorer Icon Overlay 2 (GFS Stub)\(Default) = {AB5C5600-7E6E-4B06-9197-9ECEF74D31CC}

-> {HKLM…CLSID} = Groove Explorer Icon Overlay 2 (GFS Stub)

\InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL [MS]

Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)\(Default) = {920E6DB1-9907-4370-B3A0-BAFC03D81399}

-> {HKLM…CLSID} = Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)

\InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL [MS]

Groove Explorer Icon Overlay 3 (GFS Folder)\(Default) = {16F3DD56-1AF5-4347-846D-7C10C4192619}

-> {HKLM…CLSID} = Groove Explorer Icon Overlay 3 (GFS Folder)

\InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL [MS]

Groove Explorer Icon Overlay 4 (GFS Unread Mark)\(Default) = {2916C86E-86A6-43FE-8112-43ABE6BF8DCC}

-> {HKLM…CLSID} = Groove Explorer Icon Overlay 4 (GFS Unread Mark)

\InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

{88895560-9AA2-1069-930E-00AA0030EBC8} = HyperTerminal Icon Ext

-> {HKLM…CLSID} = HyperTerminal Icon Ext

\InProcServer32\(Default) = C:\WINDOWS\system32\hticons.dll [Hilgraeve, Inc.]

{BAB66DEA-6E13-473b-AA5A-B4172418F54B} = Firehand Ember Thumbnail Icon Generator

-> {HKLM…CLSID} = (no title provided)

\InProcServer32\(Default) = C:\Program Files\Firehand Technologies\Ember\fhndicon.dll [Firehand Technologies Corporation]

{B327765E-D724-4347-8B16-78AE18552FC3} = NeroDigitalIconHandler

-> {HKLM…CLSID} = NeroDigitalIconHandler Class

\InProcServer32\(Default) = C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll [Nero AG]

{7F1CF152-04F8-453A-B34C-E609530A9DC8} = NeroDigitalPropSheetHandler

-> {HKLM…CLSID} = NeroDigitalPropSheetHandler Class

\InProcServer32\(Default) = C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll [Nero AG]

{5464D816-CF16-4784-B9F3-75C0DB52B499} = Yahoo! Mail

-> {HKLM…CLSID} = Yahoo! Mail Shell Extension

\InProcServer32\(Default) = C:\Program Files\Yahoo!\Common\YMMAPI.dll [Yahoo! Inc.]

{23170F69-40C1-278A-1000-000100020000} = 7-Zip Shell Extension

-> {HKLM…CLSID} = 7-Zip Shell Extension

\InProcServer32\(Default) = C:\Program Files\7-Zip\7-zip.dll [igor Pavlov]

{1530F7EE-5128-43BD-9977-84A4B0FAD7DF} = PhotoToys

-> {HKLM…CLSID} = (no title provided)

\InProcServer32\(Default) = C:\WINDOWS\system32\phototoys.dll [MS]

{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} = OpenOffice.org Column Handler

-> {HKLM…CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll" [OpenOffice.org]

{087B3AE3-E237-4467-B8DB-5A38AB959AC9} = OpenOffice.org Infotip Handler

-> {HKLM…CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll" [OpenOffice.org]

{63542C48-9552-494A-84F7-73AA6A7C99C1} = OpenOffice.org Property Sheet Handler

-> {HKLM…CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll" [OpenOffice.org]

{3B092F0C-7696-40E3-A80F-68D74DA84210} = OpenOffice.org Thumbnail Viewer

-> {HKLM…CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll" [OpenOffice.org]

{6F5D5D75-8A92-45A8-9EB7-59CB44C8C6A2} = My Replica

-> {HKLM…CLSID} = My Replica

\InProcServer32\(Default) = C:\PROGRA~1\SEAGAT~1\bin\SEAGAT~2.DLL [seagate Technology LLC]

{41219729-53A7-4BFA-860D-3C07701A7367} = CRebitInfotipExt

-> {HKLM…CLSID} = RebitShellExt.InfotipExtension

\InProcServer32\(Default) = C:\PROGRA~1\SEAGAT~1\bin\SEAGAT~3.DLL [seagate Technology LLC]

{7A9A2CC0-1C55-41F8-8305-957DE59A6B0B} = CRebitContextMenuExt

-> {HKLM…CLSID} = ShellExt.ContextMenuExtension

\InProcServer32\(Default) = C:\PROGRA~1\SEAGAT~1\bin\SEAGAT~3.DLL [seagate Technology LLC]

{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} = iTunes

-> {HKLM…CLSID} = iTunes

\InProcServer32\(Default) = C:\Program Files\iTunes\iTunesMiniPlayer.dll [Apple Inc.]

{42042206-2D85-11D3-8CFF-005004838597} = Microsoft Office HTML Icon Handler

-> {HKLM…CLSID} = (no title provided)

\InProcServer32\(Default) = C:\Program Files\Microsoft Office\Office14\msohevi.dll [MS]

{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} = Microsoft Office Metadata Handler

-> {HKLM…CLSID} = Microsoft Office Metadata Handler

\InProcServer32\(Default) = C:\Program Files\Common Files\Microsoft Shared\OFFICE14\msoshext.dll [MS]

{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97} = Microsoft Office Thumbnail Handler

-> {HKLM…CLSID} = Microsoft Office Thumbnail Handler

\InProcServer32\(Default) = C:\Program Files\Common Files\Microsoft Shared\OFFICE14\msoshext.dll [MS]

{3D60EDA7-9AB4-4DA8-864C-D9B5F2E7281D} = Groove Namespace Extension

-> {HKLM…CLSID} = Workspaces

\InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL [MS]

{0875DCB6-C686-4243-9432-ADCCF0B9F2D7} = Microsoft OneNote Namespace Extension for Windows Desktop Search

-> {HKLM…CLSID} = Microsoft OneNote Namespace Extension for Windows Desktop Search

\InProcServer32\(Default) = C:\Program Files\Microsoft Office\Office14\ONFILTER.DLL [MS]

{506F4668-F13E-4AA1-BB04-B43203AB3CC0} = {506F4668-F13E-4AA1-BB04-B43203AB3CC0}

-> {HKLM…CLSID} = ImageExtractorShellExt Class

\InProcServer32\(Default) = C:\Program Files\Microsoft Office\Office14\VISSHE.DLL [MS]

{D66DC78C-4F61-447F-942B-3FB6980118CF} = {D66DC78C-4F61-447F-942B-3FB6980118CF}

-> {HKLM…CLSID} = CInfoTipShellExt Class

\InProcServer32\(Default) = C:\Program Files\Microsoft Office\Office14\VISSHE.DLL [MS]

{72853161-30C5-4D22-B7F9-0BBC1D38A37E} = Groove GFS Browser Helper

-> {HKLM…CLSID} = Groove GFS Browser Helper

\InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL [MS]

{6C467336-8281-4E60-8204-430CED96822D} = Groove GFS Context Menu Handler

-> {HKLM…CLSID} = Groove GFS Context Menu Handler

\InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL [MS]

{2A541AE1-5BF6-4665-A8A3-CFA9672E4291} = Groove GFS Explorer Bar

-> {HKLM…CLSID} = Groove Folder Synchronization

\InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL [MS]

{16F3DD56-1AF5-4347-846D-7C10C4192619} = Groove Explorer Icon Overlay 3 (GFS Folder)

-> {HKLM…CLSID} = Groove Explorer Icon Overlay 3 (GFS Folder)

\InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL [MS]

{B5A7F190-DDA6-4420-B3BA-52453494E6CD} = Groove GFS Stub Execution Hook

-> {HKLM…CLSID} = Groove GFS Stub Execution Hook

\InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL [MS]

{A449600E-1DC6-4232-B948-9BD794D62056} = Groove GFS Stub Icon Handler

-> {HKLM…CLSID} = Groove GFS Stub Icon Handler

\InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL [MS]

{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC} = Groove Explorer Icon Overlay 2 (GFS Stub)

-> {HKLM…CLSID} = Groove Explorer Icon Overlay 2 (GFS Stub)

\InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL [MS]

{920E6DB1-9907-4370-B3A0-BAFC03D81399} = Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)

-> {HKLM…CLSID} = Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)

\InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL [MS]

{2916C86E-86A6-43FE-8112-43ABE6BF8DCC} = Groove Explorer Icon Overlay 4 (GFS Unread Mark)

-> {HKLM…CLSID} = Groove Explorer Icon Overlay 4 (GFS Unread Mark)

\InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL [MS]

{99FD978C-D287-4F50-827F-B2C658EDA8E7} = Groove Explorer Icon Overlay 1 (GFS Unread Stub)

-> {HKLM…CLSID} = Groove Explorer Icon Overlay 1 (GFS Unread Stub)

\InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL [MS]

{387E725D-DC16-4D76-B310-2C93ED4752A0} = Groove XML Icon Handler

-> {HKLM…CLSID} = Groove XML Icon Handler

\InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL [MS]

{00020D75-0000-0000-C000-000000000046} = Microsoft Outlook Desktop Icon Handler

-> {HKLM…CLSID} = Microsoft Outlook

\InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office14\MLSHEXT.DLL [MS]

{0006F045-0000-0000-C000-000000000046} = Microsoft Outlook Custom Icon Handler

-> {HKLM…CLSID} = Outlook File Icon Extension

\InProcServer32\(Default) = C:\Program Files\Microsoft Office\Office14\OLKFSTUB.DLL [MS]

{0563DB41-F538-4B37-A92D-4659049B7766} = WLMD Message Handler

-> {HKLM…CLSID} = CLSID_WLMCMimeFilter

\InProcServer32\(Default) = C:\Program Files\Windows Live\Mail\mailcomm.dll [MS]

{00F33137-EE26-412F-8D71-F84E4C2C6625} = (no title provided)

-> {HKLM…CLSID} = Windows Live Photo Gallery Viewer Autoplay Shim

\InProcServer32\(Default) = C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll [MS]

{00F346CB-35A4-465B-8B8F-65A29DBAB1F6} = Windows Live Photo Gallery Viewer Drop Target Shim

-> {HKLM…CLSID} = Windows Live Photo Gallery Viewer Shim

\InProcServer32\(Default) = C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll [MS]

{00F3712A-CA79-45B4-9E4D-D7891E7F8B9D} = Windows Live Photo Gallery Editor Drop Target Shim

-> {HKLM…CLSID} = Windows Live Photo Gallery Editor Shim

\InProcServer32\(Default) = C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll [MS]

{00F30F90-3E96-453B-AFCD-D71989ECC2C7} = Windows Live Photo Gallery Autoplay Drop Target Shim

-> {HKLM…CLSID} = Windows Live Photo Gallery Viewer Autoplay Shim

\InProcServer32\(Default) = C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll [MS]

{97090E2F-3062-4459-855B-014F0D3CDBB1} = Windows Search Deskbar

-> {HKCU…CLSID} = Windows Search Deskbar

\InProcServer32\(Default) = C:\Program Files\Windows Desktop Search\deskbar.dll [MS]

-> {HKLM…CLSID} = Windows Search Deskbar

\InProcServer32\(Default) = C:\Program Files\Windows Desktop Search\deskbar.dll [MS]

{13E7F612-F261-4391-BEA2-39DF4F3FA311} = Windows Desktop Search

-> {HKLM…CLSID} = Windows Desktop Search

\InProcServer32\(Default) = C:\Program Files\Windows Desktop Search\msnlExt.dll [MS]

{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} = Shell Extensions for RealOne Player

-> {HKLM…CLSID} = RealOne Player Context Menu Class

\InProcServer32\(Default) = c:\program files\real\realplayer\rpshell.dll [RealNetworks, Inc.]

{09A47860-11B0-4DA5-AFA5-26D86198A780} = EPP

-> {HKLM…CLSID} = (no title provided)

\InProcServer32\(Default) = c:\PROGRA~1\MI239C~1\shellext.dll [MS]

{F764812A-132C-4013-9960-5CBBEB408A0E} = Nero Shell Extension

-> {HKLM…CLSID} = NeroShellExt Class

\InProcServer32\(Default) = C:\Program Files\Common Files\Nero\NeroShellExt\\NeroShellExt.dll [Nero AG]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

<<!>> {B5A7F190-DDA6-4420-B3BA-52453494E6CD} = Groove GFS Stub Execution Hook

-> {HKLM…CLSID} = Groove GFS Stub Execution Hook

\InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL [MS]

<<!>> {56F9679E-7826-4C84-81F3-532071A8BCC5} = (no title provided)

-> {HKLM…CLSID} = Windows Desktop Search Namespace Manager

\InProcServer32\(Default) = C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

WPDShServiceObj = {AAA288BA-9A4C-45B0-95D7-94D524869DB5}

-> {HKLM…CLSID} = WPDShServiceObj Class

\InProcServer32\(Default) = C:\WINDOWS\system32\WPDShServiceObj.dll [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<<!>> igfxcui\DLLName = igfxdev.dll [intel Corporation]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\

<<!>> text/xml\CLSID = {807573E5-5146-11D5-A672-00B0D022E945}

-> {HKLM…CLSID} = Microsoft Office InfoPath XML Mime Filter

\InProcServer32\(Default) = C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL [MS]

HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\

<<!>> livecall\CLSID = {828030A1-22C1-4009-854F-8E305202313F}

-> {HKLM…CLSID} = (no title provided)

\InProcServer32\(Default) = C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL [MS]

<<!>> ms-help\CLSID = {314111c7-a502-11d2-bbca-00c04f8ec294}

-> {HKLM…CLSID} = HxProtocol Class

\InProcServer32\(Default) = C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll [MS]

<<!>> msnim\CLSID = {828030A1-22C1-4009-854F-8E305202313F}

-> {HKLM…CLSID} = (no title provided)

\InProcServer32\(Default) = C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL [MS]

<<!>> wlmailhtml\CLSID = {03C514A3-1EFB-4856-9F99-10D7BE1653C0}

-> {HKLM…CLSID} = Windows Live Mail HTML Asynchronous Pluggable Protocol Handler

\InProcServer32\(Default) = C:\Program Files\Windows Live\Mail\mailcomm.dll [MS]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\

7-Zip\(Default) = {23170F69-40C1-278A-1000-000100020000}

-> {HKLM…CLSID} = 7-Zip Shell Extension

\InProcServer32\(Default) = C:\Program Files\7-Zip\7-zip.dll [igor Pavlov]

EPP\(Default) = {09A47860-11B0-4DA5-AFA5-26D86198A780}

-> {HKLM…CLSID} = (no title provided)

\InProcServer32\(Default) = c:\PROGRA~1\MI239C~1\shellext.dll [MS]

XXX Groove GFS Context Menu Handler XXX\(Default) = {6C467336-8281-4E60-8204-430CED96822D}

-> {HKLM…CLSID} = Groove GFS Context Menu Handler

\InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL [MS]

Yahoo! Mail\(Default) = {5464D816-CF16-4784-B9F3-75C0DB52B499}

-> {HKLM…CLSID} = Yahoo! Mail Shell Extension

\InProcServer32\(Default) = C:\Program Files\Yahoo!\Common\YMMAPI.dll [Yahoo! Inc.]

{A4FD8DDB-5800-4414-97F9-7457AC8EE4F0}\(Default) = (no title provided)

-> {HKLM…CLSID} = NBShellHook Class

\InProcServer32\(Default) = C:\Program Files\Nero\Nero 10\Nero BackItUp\NBShell.dll [Nero AG]

{F764812A-132C-4013-9960-5CBBEB408A0E}\(Default) = (no title provided)

-> {HKLM…CLSID} = NeroShellExt Class

\InProcServer32\(Default) = C:\Program Files\Common Files\Nero\NeroShellExt\\NeroShellExt.dll [Nero AG]

HKLM\SOFTWARE\Classes\*\shellex\DragDropHandlers\

NBShellHook\(Default) = {A4FD8DDB-5800-4414-97F9-7457AC8EE4F0}

-> {HKLM…CLSID} = NBShellHook Class

\InProcServer32\(Default) = C:\Program Files\Nero\Nero 10\Nero BackItUp\NBShell.dll [Nero AG]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\

CRebitContextMenuExt\(Default) = {7A9A2CC0-1C55-41F8-8305-957DE59A6B0B}

-> {HKLM…CLSID} = ShellExt.ContextMenuExtension

\InProcServer32\(Default) = C:\PROGRA~1\SEAGAT~1\bin\SEAGAT~3.DLL [seagate Technology LLC]

MBAMShlExt\(Default) = {57CE581A-0CB6-4266-9CA0-19364C90A0B3}

-> {HKLM…CLSID} = MBAMShlExt Class

\InProcServer32\(Default) = C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll [Malwarebytes Corporation]

XXX Groove GFS Context Menu Handler XXX\(Default) = {6C467336-8281-4E60-8204-430CED96822D}

-> {HKLM…CLSID} = Groove GFS Context Menu Handler

\InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL [MS]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\

7-Zip\(Default) = {23170F69-40C1-278A-1000-000100020000}

-> {HKLM…CLSID} = 7-Zip Shell Extension

\InProcServer32\(Default) = C:\Program Files\7-Zip\7-zip.dll [igor Pavlov]

EPP\(Default) = {09A47860-11B0-4DA5-AFA5-26D86198A780}

-> {HKLM…CLSID} = (no title provided)

\InProcServer32\(Default) = c:\PROGRA~1\MI239C~1\shellext.dll [MS]

XXX Groove GFS Context Menu Handler XXX\(Default) = {6C467336-8281-4E60-8204-430CED96822D}

-> {HKLM…CLSID} = Groove GFS Context Menu Handler

\InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL [MS]

{F764812A-132C-4013-9960-5CBBEB408A0E}\(Default) = (no title provided)

-> {HKLM…CLSID} = NeroShellExt Class

\InProcServer32\(Default) = C:\Program Files\Common Files\Nero\NeroShellExt\\NeroShellExt.dll [Nero AG]

HKLM\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\

7-Zip\(Default) = {23170F69-40C1-278A-1000-000100020000}

-> {HKLM…CLSID} = 7-Zip Shell Extension

\InProcServer32\(Default) = C:\Program Files\7-Zip\7-zip.dll [igor Pavlov]

HKLM\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\

igfxcui\(Default) = {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4}

-> {HKLM…CLSID} = GraphicsShellExt Class

\InProcServer32\(Default) = C:\WINDOWS\system32\igfxpph.dll [intel Corporation]

XXX Groove GFS Context Menu Handler XXX\(Default) = {6C467336-8281-4E60-8204-430CED96822D}

-> {HKLM…CLSID} = Groove GFS Context Menu Handler

\InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\

{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = NeroDigitalExt.NeroDigitalColumnHandler

-> {HKLM…CLSID} = NeroDigitalColumnHandler Class

\InProcServer32\(Default) = C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll [Nero AG]

{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = OpenOffice.org Column Handler

-> {HKLM…CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll" [OpenOffice.org]

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = PDF Column Info

-> {HKLM…CLSID} = PDF Shell Extension

\InProcServer32\(Default) = C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll [Adobe Systems, Inc.]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\

MBAMShlExt\(Default) = {57CE581A-0CB6-4266-9CA0-19364C90A0B3}

-> {HKLM…CLSID} = MBAMShlExt Class

\InProcServer32\(Default) = C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll [Malwarebytes Corporation]

XXX Groove GFS Context Menu Handler XXX\(Default) = {6C467336-8281-4E60-8204-430CED96822D}

-> {HKLM…CLSID} = Groove GFS Context Menu Handler

\InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL [MS]

{A4FD8DDB-5800-4414-97F9-7457AC8EE4F0}\(Default) = (no title provided)

-> {HKLM…CLSID} = NBShellHook Class

\InProcServer32\(Default) = C:\Program Files\Nero\Nero 10\Nero BackItUp\NBShell.dll [Nero AG]

HKLM\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\

NBShellHook\(Default) = {A4FD8DDB-5800-4414-97F9-7457AC8EE4F0}

-> {HKLM…CLSID} = NBShellHook Class

\InProcServer32\(Default) = C:\Program Files\Nero\Nero 10\Nero BackItUp\NBShell.dll [Nero AG]

Default executables:

--------------------

<<!>> HKLM\SOFTWARE\Classes\.com\(Default) = ComFile

Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

NoDrives = (REG_DWORD) dword:0x00000000

{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

NoDrives = (REG_DWORD) dword:0x00000000

{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

DisableRegistryTools = (REG_DWORD) dword:0x00000000

{unrecognized setting}

EnableLinkedConnections = (REG_DWORD) dword:0x00000001

{unrecognized setting}

Active Desktop and Wallpaper:

-----------------------------

Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

Wallpaper = C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

Wallpaper = C:\Documents and Settings\sharon\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

Enabled Screen Saver:

---------------------

HKCU\Control Panel\Desktop\

SCRNSAVE.EXE = C:\WINDOWS\system32\ssstars.scr [MS]

Windows Portable Device AutoPlay Handlers

-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

AdobePhotoshopElementsShowPicturesOnArrival\

Provider = Adobe Photoshop Elements

InvokeProgID = PhotoshopElements.Application.2

InvokeVerb = edit

HKLM\SOFTWARE\Classes\PhotoshopElements.Application.2\shell\edit\DropTarget\CLSID = {06BA3416-AB29-4e01-A2F1-5AB6A17BEBBB}

-> {HKLM…CLSID} = (no title provided)

\LocalServer32\(Default) = C:\Program Files\Adobe\Photoshop Elements 2\PhotoshopElements.exe /Automation [Adobe Systems, Incorporated]

CanonMPNEX10PictureOnArrival\

Provider = MP Navigator EX Ver1.0

InvokeProgID = MPNavigatorEX10.AutoplayHandler

InvokeVerb = open

HKLM\SOFTWARE\Classes\MPNavigatorEX10.AutoplayHandler\shell\open\command\(Default) = C:\Program Files\Canon\MP Navigator EX 1.0\mpnex10.exe /AUTOPLAY %1 [CANON INC.]

CanonZB4PicturesOnArrival\

Provider = Canon ZoomBrowser EX

InvokeProgID = Zb.AutoplayHandler

InvokeVerb = open

HKLM\SOFTWARE\Classes\Zb.AutoplayHandler\shell\open\command\(Default) = C:\Program Files\Canon\ZoomBrowser EX MCU\MCULauncher.exe [null data]

iTunesBurnCDOnArrival\

Provider = iTunes

InvokeProgID = iTunes.BurnCD

InvokeVerb = burn

HKLM\SOFTWARE\Classes\iTunes.BurnCD\shell\burn\command\(Default) = "C:\Program Files\iTunes\iTunes.exe" /AutoPlayBurn "%L" [Apple Inc.]

iTunesImportSongsOnArrival\

Provider = iTunes

InvokeProgID = iTunes.ImportSongsOnCD

InvokeVerb = import

HKLM\SOFTWARE\Classes\iTunes.ImportSongsOnCD\shell\import\command\(Default) = "C:\Program Files\iTunes\iTunes.exe" /AutoPlayImportSongs "%L" [Apple Inc.]

iTunesPlaySongsOnArrival\

Provider = iTunes

InvokeProgID = iTunes.PlaySongsOnCD

InvokeVerb = play

HKLM\SOFTWARE\Classes\iTunes.PlaySongsOnCD\shell\play\command\(Default) = "C:\Program Files\iTunes\iTunes.exe" /playCD "%L" [Apple Inc.]

iTunesShowSongsOnArrival\

Provider = iTunes

InvokeProgID = iTunes.ShowSongsOnCD

InvokeVerb = showsongs

HKLM\SOFTWARE\Classes\iTunes.ShowSongsOnCD\shell\showsongs\command\(Default) = "C:\Program Files\iTunes\iTunes.exe" /AutoPlayShowSongs "%L" [Apple Inc.]

MediaHub10BluRayOnArrival\

Provider = Nero MediaHub 10

InvokeProgID = OpenWithNeroMediaHub10

InvokeVerb = open

HKLM\SOFTWARE\Classes\OpenWithNeroMediaHub10\shell\open\command\(Default) = "C:\Program Files\Nero\Nero 10\Nero MediaHub\MediaHub.exe" %L [null data]

MediaHub10CDAudioOnArrival\

Provider = Nero MediaHub 10

InvokeProgID = OpenWithNeroMediaHub10

InvokeVerb = open

HKLM\SOFTWARE\Classes\OpenWithNeroMediaHub10\shell\open\command\(Default) = "C:\Program Files\Nero\Nero 10\Nero MediaHub\MediaHub.exe" %L [null data]

MediaHub10DVDMovieOnArrival\

Provider = Nero MediaHub 10

InvokeProgID = OpenWithNeroMediaHub10

InvokeVerb = open

HKLM\SOFTWARE\Classes\OpenWithNeroMediaHub10\shell\open\command\(Default) = "C:\Program Files\Nero\Nero 10\Nero MediaHub\MediaHub.exe" %L [null data]

MediaHub10MediaFilesOnArrival\

Provider = Nero MediaHub 10

InvokeProgID = ImportWithNeroMediaHub10

InvokeVerb = open

HKLM\SOFTWARE\Classes\ImportWithNeroMediaHub10\shell\open\command\(Default) = "C:\Program Files\Nero\Nero 10\Nero MediaHub\MediaHub.exe" /Import=%L [null data]

MediaHub10SVCDMovieOnArrival\

Provider = Nero MediaHub 10

InvokeProgID = OpenWithNeroMediaHub10

InvokeVerb = open

HKLM\SOFTWARE\Classes\OpenWithNeroMediaHub10\shell\open\command\(Default) = "C:\Program Files\Nero\Nero 10\Nero MediaHub\MediaHub.exe" %L [null data]

MediaHub10VCDMovieOnArrival\

Provider = Nero MediaHub 10

InvokeProgID = OpenWithNeroMediaHub10

InvokeVerb = open

HKLM\SOFTWARE\Classes\OpenWithNeroMediaHub10\shell\open\command\(Default) = "C:\Program Files\Nero\Nero 10\Nero MediaHub\MediaHub.exe" %L [null data]

MediaHub10WPDOnArrival\

Provider = Nero MediaHub 10

CLSID = {A55803CC-4D53-404c-8557-FD63DBA95D24}

InitCmdLine = /WiaCmd;"C:\Program Files\Nero\Nero 10\Nero MediaHub\MediaHub.exe" -Import %1 %2;

-> {HKLM…CLSID} = WPDShextAutoplay

\LocalServer32\(Default) = C:\WINDOWS\system32\WPDShextAutoplay.exe [MS]

MSLivePhotoAcqHWEventHandler\

Provider = @%ProgramFiles%\Windows Live\Photo Gallery\regres.dll,-10

ProgID = Microsoft.LivePhotoAcqHWEventHandler

HKLM\SOFTWARE\Classes\Microsoft.LivePhotoAcqHWEventHandler\CLSID\(Default) = {3BD0ACD1-71CA-4475-92CC-E0AA0AAF843F}

-> {HKLM…CLSID} = (no title provided)

\LocalServer32\(Default) = C:\Program Files\Windows Live\Photo Gallery\WLXPhotoAcquireWizard.exe [MS]

MSLivePhotoAcquireDropHandler\

Provider = @%ProgramFiles%\Windows Live\Photo Gallery\regres.dll,-10

InvokeProgID = Microsoft.LivePhotoAcqDTShim.1

InvokeVerb = open

HKLM\SOFTWARE\Classes\Microsoft.LivePhotoAcqDTShim.1\shell\open\DropTarget\CLSID = {00F33137-EE26-412F-8D71-F84E4C2C6625}

-> {HKLM…CLSID} = Windows Live Photo Gallery Viewer Autoplay Shim

\InProcServer32\(Default) = C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll [MS]

MSLiveShowPicturesOnArrival\

Provider = @%ProgramFiles%\Windows Live\Photo Gallery\regres.dll,-10

InvokeProgID = Microsoft.Photos.LiveAutoplayShim.1

InvokeVerb = open

HKLM\SOFTWARE\Classes\Microsoft.Photos.LiveAutoplayShim.1\shell\open\DropTarget\CLSID = {00F30F90-3E96-453B-AFCD-D71989ECC2C7}

-> {HKLM…CLSID} = Windows Live Photo Gallery Viewer Autoplay Shim

\InProcServer32\(Default) = C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll [MS]

MSLiveVideoCameraArrivalCaptureWizard\

Provider = @%ProgramFiles%\Windows Live\Photo Gallery\regres.dll,-10

ProgID = WLXAutoPlayMgr.WLXHWEventHandler

InitCmdLine = WLXVideoAcquireWizard

HKLM\SOFTWARE\Classes\WLXAutoPlayMgr.WLXHWEventHandler\CLSID\(Default) = {9B5C97F6-B3A5-4A6D-8B03-993EC7291A22}

-> {HKLM…CLSID} = WLXWEventHandler Class

\LocalServer32\(Default) = "C:\Program Files\Windows Live\Photo Gallery\WLXVideoCameraAutoPlayManager.exe" [MS]

MSWPDShellNamespaceHandler\

Provider = @%SystemRoot%\System32\WPDShextRes.dll,-501

CLSID = {A55803CC-4D53-404c-8557-FD63DBA95D24}

InitCmdLine =

-> {HKLM…CLSID} = WPDShextAutoplay

\LocalServer32\(Default) = C:\WINDOWS\system32\WPDShextAutoplay.exe [MS]

NapsterMTPHandler\

Provider = @C:\Program Files\Napster\napster.exe,-101

ProgID = Shell.HWEventHandlerShellExecute

InitCmdLine = "C:\Program Files\Napster\napster.exe" /devicesync

HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}

-> {HKLM…CLSID} = ShellExecute HW Event Handler

\LocalServer32\(Default) = rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7} [MS]

NapsterPlayCDHandler\

Provider = @C:\Program Files\Napster\napster.exe,-101

InvokeProgID = Napster.AutoplayHandler

InvokeVerb = open

HKLM\SOFTWARE\Classes\Napster.AutoplayHandler\shell\open\command\(Default) = "C:\Program Files\Napster\napster.exe" /playcd "%L" [Napster]

NeroAutoPlay2CDAudio\

Provider = Nero Express

InvokeProgID = Nero.AutoPlay2

InvokeVerb = HandleCDBurningOnArrival_CDAudio

HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\HandleCDBurningOnArrival_CDAudio\command\(Default) = C:\Program Files\Ahead\nero\nero.exe /w /New:AudioCD /Drive:%L [Ahead Software AG]

NeroAutoPlay2CopyCD\

Provider = Nero Express

InvokeProgID = Nero.AutoPlay2

InvokeVerb = PlayCDAudioOnArrival_CopyCD

HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\PlayCDAudioOnArrival_CopyCD\command\(Default) = C:\Program Files\Ahead\nero\nero.exe /w /Dialog:DiscCopy /Drive:%L [Ahead Software AG]

NeroAutoPlay2DataDisc\

Provider = Nero Express

InvokeProgID = Nero.AutoPlay2

InvokeVerb = HandleCDBurningOnArrival_DataDisc

HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\HandleCDBurningOnArrival_DataDisc\command\(Default) = C:\Program Files\Ahead\nero\nero.exe /w /New:ISODisc /Drive:%L [Ahead Software AG]

NeroAutoPlay2LaunchNeroStartSmart\

Provider = Nero StartSmart

InvokeProgID = Nero.AutoPlay2

InvokeVerb = HandleCDBurningOnArrival_LaunchNeroStartSmart

HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\HandleCDBurningOnArrival_LaunchNeroStartSmart\command\(Default) = C:\Program Files\Ahead\Nero StartSmart\NeroStartSmart.exe /AutoPlay /Drive:%L [Ahead Software AG]

NeroAutoPlay2PlayAudioCD\

Provider = Nero Media Player

InvokeProgID = Nero.AutoPlay2

InvokeVerb = PlayMusicFilesOnArrival_PlayAudioCD

HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\PlayMusicFilesOnArrival_PlayAudioCD\command\(Default) = C:\Program Files\Ahead\NeroMediaPlayer\NeroMediaPlayer.exe /Play %L [Ahead software]

NeroAutoPlay2PlayDVD\

Provider = Nero ShowTime

InvokeProgID = Nero.AutoPlay2

InvokeVerb = PlayVideoFilesOnArrival_PlayDVD

HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\PlayVideoFilesOnArrival_PlayDVD\command\(Default) = C:\Program Files\Ahead\Nero ShowTime\ShowTime.exe /Play %L [Nero Software AG]

NeroAutoPlay2VideoCapture\

Provider = NeroVision Express SE

ProgID = Shell.HWEventHandlerShellExecute

InitCmdLine = "C:\Program Files\Ahead\NeroVision\NeroVision.exe" /New:VideoCapture

HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}

-> {HKLM…CLSID} = ShellExecute HW Event Handler

\LocalServer32\(Default) = rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7} [MS]

NeroBurningROM10CopyCD\

Provider = Nero Burning ROM 10

InvokeProgID = Nero.BurningROM.10.AutoPlay

InvokeVerb = CopyCD

HKLM\SOFTWARE\Classes\Nero.BurningROM.10.AutoPlay\shell\CopyCD\command\(Default) = C:\Program Files\Nero\Nero 10\Nero Burning ROM\nero.exe -w /Dialog:DiscCopy [Nero AG]

NeroBurningROM10LaunchNBR\

Provider = Nero Burning ROM 10

InvokeProgID = Nero.BurningROM.10.AutoPlay

InvokeVerb = LanchNE

HKLM\SOFTWARE\Classes\Nero.BurningROM.10.AutoPlay\shell\LanchNE\command\(Default) = C:\Program Files\Nero\Nero 10\Nero Burning ROM\nero.exe /Media:AUTO /Drive:%L [Nero AG]

NeroExpress10CopyCD\

Provider = Nero Express 10

InvokeProgID = Nero.Express.10.AutoPlay

InvokeVerb = CopyCD

HKLM\SOFTWARE\Classes\Nero.Express.10.AutoPlay\shell\CopyCD\command\(Default) = C:\Program Files\Nero\Nero 10\Nero Express\NeroExpress.exe -w /Dialog:DiscCopy [Nero AG]

NeroExpress10LaunchNE\

Provider = Nero Express 10

InvokeProgID = Nero.Express.10.AutoPlay

InvokeVerb = LanchNE

HKLM\SOFTWARE\Classes\Nero.Express.10.AutoPlay\shell\LanchNE\command\(Default) = C:\Program Files\Nero\Nero 10\Nero Express\NeroExpress.exe /Media:AUTO /Drive:%L [Nero AG]

NeroVision10VideoCapture\

Provider = Nero Vision 10

ProgID = Shell.HWEventHandlerShellExecute

InitCmdLine = "C:\Program Files\Nero\Nero 10\Nero Vision\NeroVision.exe" /New:VideoCapture

HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}

-> {HKLM…CLSID} = ShellExecute HW Event Handler

\LocalServer32\(Default) = rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7} [MS]

PDirXDVArrival\

Provider = PowerDirector Express

ProgID = Shell.HWEventHandlerShellExecute

InitCmdLine = "C:\Program Files\CyberLink\PowerDirector Express\PDX.exe" /DV

HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}

-> {HKLM…CLSID} = ShellExecute HW Event Handler

\LocalServer32\(Default) = rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7} [MS]

Picasa2ImportPicturesOnArrival\

Provider = Picasa2

InvokeProgID = picasa2.autoplay

InvokeVerb = import

HKLM\SOFTWARE\Classes\picasa2.autoplay\shell\import\command\(Default) = C:\Program Files\Picasa2\Picasa2.exe "%1" [Google Inc.]

PPCDBurningOnArrival\

Provider = PowerProducer

InvokeProgID = Picture

InvokeVerb = OpenWithPowerProducer

HKLM\SOFTWARE\Classes\Picture\shell\OpenWithPowerProducer\Command\(Default) = "C:\Program Files\CyberLink\PowerProducer\Producer.exe" [CyberLink]

PPDCameraArrival\

Provider = PowerProducer

InvokeProgID = Picture

InvokeVerb = OpenWithPowerProducer

HKLM\SOFTWARE\Classes\Picture\shell\OpenWithPowerProducer\Command\(Default) = "C:\Program Files\CyberLink\PowerProducer\Producer.exe" [CyberLink]

PPDVArrival\

Provider = PowerProducer

ProgID = Shell.HWEventHandlerShellExecute

InitCmdLine = "C:\Program Files\CyberLink\PowerProducer\Producer.exe"

HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}

-> {HKLM…CLSID} = ShellExecute HW Event Handler

\LocalServer32\(Default) = rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7} [MS]

RPCDBurningOnArrival\

Provider = RealPlayer

InvokeProgID = RealPlayer.CDBurn.6

InvokeVerb = open

HKCU\Software\Classes\RealPlayer.CDBurn.6\shell\open\command\(Default) = "c:\program files\real\realplayer\\RealPlay.exe" /burn "%1" [RealNetworks, Inc.]

RPDeviceOnArrival\

Provider = RealPlayer

ProgID = RealPlayer.HWEventHandler

HKLM\SOFTWARE\Classes\RealPlayer.HWEventHandler\CLSID\(Default) = {67E76F1D-BDE2-4052-913C-2752366192D2}

-> {HKLM…CLSID} = RealNetworks Scheduler

\LocalServer32\(Default) = "c:\program files\real\realplayer\Update\realsched.exe" -autoplay [RealNetworks, Inc.]

RPDVDBurningOnArrival\

Provider = RealPlayer

InvokeProgID = RealPlayer.DVDBurn.6

InvokeVerb = open

HKCU\Software\Classes\RealPlayer.DVDBurn.6\shell\open\command\(Default) = "c:\program files\real\realplayer\\RealPlay.exe" /burndvd "%1" [RealNetworks, Inc.]

RPPlayCDAudioOnArrival\

Provider = RealPlayer

InvokeProgID = RealPlayer.AudioCD.6

InvokeVerb = play

HKCU\Software\Classes\RealPlayer.AudioCD.6\shell\play\command\(Default) = "c:\program files\real\realplayer\\RealPlay.exe" /play %1 [RealNetworks, Inc.]

RPPlayDVDMovieOnArrival\

Provider = RealPlayer

InvokeProgID = RealPlayer.DVD.6

InvokeVerb = play

HKCU\Software\Classes\RealPlayer.DVD.6\shell\play\command\(Default) = "c:\program files\real\realplayer\\RealPlay.exe" /dvd %1 [RealNetworks, Inc.]

RPPlayMediaOnArrival\

Provider = RealPlayer

InvokeProgID = RealPlayer.AutoPlay.6

InvokeVerb = open

HKCU\Software\Classes\RealPlayer.AutoPlay.6\shell\open\command\(Default) = "c:\program files\real\realplayer\\RealPlay.exe" /autoplay "%1" [RealNetworks, Inc.]

WinampMTPHandler\

Provider = Winamp

ProgID = Shell.HWEventHandlerShellExecute

InitCmdLine = C:\Program Files\Winamp\winamp.exe

HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}

-> {HKLM…CLSID} = ShellExecute HW Event Handler

\LocalServer32\(Default) = rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7} [MS]

Startup items in "sharon" & "All Users" startup folders:

--------------------------------------------------------

C:\Documents and Settings\sharon\Start Menu\Programs\Startup

OneNote 2010 Screen Clipper and Launcher -> shortcut to: C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE /tsr [MS]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup

Event Reminder -> shortcut to: C:\Program Files\The Print Shop 23.1\Remind.exe [broderbund Properties LLC]

Enabled Scheduled Tasks:

------------------------

Adobe Flash Player Updater -> launches: C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe [Adobe Systems Incorporated]

AppleSoftwareUpdate -> launches: C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task [Apple Inc.]

GoogleUpdateTaskMachineCore -> launches: C:\Program Files\Google\Update\GoogleUpdate.exe /c [Google Inc.]

GoogleUpdateTaskMachineUA -> launches: C:\Program Files\Google\Update\GoogleUpdate.exe /ua /installsource scheduler [Google Inc.]

GoogleUpdateTaskUserS-1-5-21-515967899-790525478-682003330-1004Core -> launches: C:\Documents and Settings\sharon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe /c [Google Inc.]

GoogleUpdateTaskUserS-1-5-21-515967899-790525478-682003330-1004UA -> launches: C:\Documents and Settings\sharon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe /ua /installsource scheduler [Google Inc.]

Microsoft Antimalware Scheduled Scan -> launches: c:\Program Files\Microsoft Security Client\MpCmdRun.exe Scan -ScheduleJob -RestrictPrivileges [MS]

RealUpgradeLogonTaskS-1-5-21-515967899-790525478-682003330-1004 -> launches: C:\Program Files\Real\RealUpgrade\realupgrade.exe /logoncheck [RealNetworks, Inc.]

RealUpgradeScheduledTaskS-1-5-21-515967899-790525478-682003330-1004 -> launches: C:\Program Files\Real\RealUpgrade\realupgrade.exe /scheduledcheck [RealNetworks, Inc.]

Winsock2 Service Provider DLLs:

-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = %SystemRoot%\System32\mswsock.dll [MS]

000000000002\LibraryPath = %SystemRoot%\System32\winrnr.dll [MS]

000000000003\LibraryPath = %SystemRoot%\System32\mswsock.dll [MS]

000000000004\LibraryPath = %SystemRoot%\system32\wshbth.dll [MS]

000000000005\LibraryPath = C:\Program Files\Bonjour\mdnsNSP.dll [Apple Inc.]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 17

%SystemRoot%\system32\rsvpsp.dll [MS], 18 - 19

Toolbars, Explorer Bars, Extensions:

------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

{EF99BD32-C1FB-11D2-892F-0090271D4F88}

-> {HKLM…CLSID} = Yahoo! Toolbar

\InProcServer32\(Default) = C:\Program Files\Yahoo!\Companion\Installs\cpn10\yt.dll [Yahoo! Inc.]

{2318C2B1-4965-11D4-9B18-009027A5CD4F}

-> {HKLM…CLSID} = Google Toolbar

\InProcServer32\(Default) = C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [Google Inc.]

{F2CF5485-4E02-4F68-819C-B92DE9277049}

-> {HKLM…CLSID} = &Links

\InProcServer32\(Default) = C:\WINDOWS\system32\ieframe.dll [MS]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\

{EF99BD32-C1FB-11D2-892F-0090271D4F88} = (no title provided)

-> {HKLM…CLSID} = Yahoo! Toolbar

\InProcServer32\(Default) = C:\Program Files\Yahoo!\Companion\Installs\cpn10\yt.dll [Yahoo! Inc.]

{DC0F2F93-27FA-4F84-ACAA-9416F90B9511} = (no title provided)

-> {HKLM…CLSID} = PayPal Plug-In

\InProcServer32\(Default) = C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dll [null data]

{2318C2B1-4965-11D4-9B18-009027A5CD4F} = (no title provided)

-> {HKLM…CLSID} = Google Toolbar

\InProcServer32\(Default) = C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [Google Inc.]

Explorer Bars

HKLM\SOFTWARE\Classes\CLSID\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\(Default) = Groove Folder Synchronization

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\

{219C3416-8CB2-491A-A3C7-D9FCDDC9D600}\

ButtonText = Blog This

MenuText = &Blog This in Windows Live Writer

CLSIDExtension = {5F7B1267-94A9-47F5-98DB-E99415F33AEC}

-> {HKLM…CLSID} = BlogThisToolbarButton Class

\InProcServer32\(Default) = C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll [MS]

{2670000A-7350-4F3C-8081-5663EE0C6C49}\

ButtonText = Send to OneNote

MenuText = Se&nd to OneNote

CLSIDExtension = {48E73304-E1D6-4330-914C-F5F514E3486C}

-> {HKLM…CLSID} = Send to OneNote from Internet Explorer button

\InProcServer32\(Default) = C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll [MS]

{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\

ButtonText = Lync add-on

MenuText = Lync add-on

CLSIDExtension = {31D09BA0-12F5-4CCE-BE8A-2923E76605DA}

-> {HKLM…CLSID} = Lync Browser Helper

\InProcServer32\(Default) = C:\Program Files\Microsoft Lync\OCHelper.dll [MS]

{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\

ButtonText = Yahoo! Services

CLSIDExtension = {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}

-> {HKLM…CLSID} = Yahoo! IE Services Button

\InProcServer32\(Default) = C:\Program Files\Yahoo!\Common\yiesrvc.dll [Yahoo! Inc.]

{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\

ButtonText = OneNote Lin&ked Notes

MenuText = OneNote Lin&ked Notes

CLSIDExtension = {FFFDC614-B694-4AE6-AB38-5D6374584B52}

-> {HKLM…CLSID} = Linked Notes button

\InProcServer32\(Default) = C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll [MS]

{E2E2DD38-D088-4134-82B7-F2BA38496583}\

MenuText = @xpsp3res.dll,-20001

Exec = %windir%\Network Diagnostic\xpnetdiag.exe [MS]

{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}\

ButtonText = Yahoo! Messenger

MenuText = Yahoo! Messenger

Exec = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe [Yahoo! Inc.]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\

ButtonText = Messenger

MenuText = Windows Messenger

Exec = C:\Program Files\Messenger\msmsgs.exe [MS]

Miscellaneous IE Hijack Points

------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\

<<H>> {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} = (no title provided)

-> {HKLM…CLSID} = YTNavAssistPlugin Class

\InProcServer32\(Default) = C:\Program Files\Yahoo!\Companion\Installs\cpn10\yt.dll [Yahoo! Inc.]

Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------

@C:\Program Files\Nero\Update\NASvc.exe,-200, NAUpdate, "C:\Program Files\Nero\Update\NASvc.exe" [Nero AG]

Apple Mobile Device, Apple Mobile Device, "C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe" [Apple Inc.]

BBUpdate, BBUpdate, "C:\Program Files\Microsoft\BingBar\SeaPort.EXE" [MS]

Bluetooth Support Service, BthServ, C:\WINDOWS\system32\svchost.exe -k bthsvcs {C:\WINDOWS\System32\bthserv.dll [MS]}

Bonjour Service, Bonjour Service, "C:\Program Files\Bonjour\mDNSResponder.exe" [Apple Inc.]

Canon Camera Access Library 8, CCALib8, C:\Program Files\Canon\CAL\CALMAIN.exe [Canon Inc.]

Cyberlink RichVideo Service(CRVS), RichVideo, "C:\Program Files\CyberLink\Shared Files\RichVideo.exe" [empty string]

Intuit Update Service, IntuitUpdateService, "C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe" [null data]

Intuit Update Service v4, IntuitUpdateServiceV4, "C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe" [null data]

Java Quick Starter, JavaQuickStarterService, "C:\Program Files\Java\jre7\bin\jqs.exe" -service -config "C:\Program Files\Java\jre7\lib\deploy\jqs\jqs.conf" [Oracle Corporation]

MBAMScheduler, MBAMScheduler, "C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe" [Malwarebytes Corporation]

MBAMService, MBAMService, "C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe" [Malwarebytes Corporation]

McciCMService, McciCMService, "C:\Program Files\Common Files\Motive\McciCMService.exe" [Alcatel-Lucent]

Microsoft Antimalware Service, MsMpSvc, "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [MS]

PC Tools Firewall Plus, PCToolsFirewallPlus, C:\Program Files\PC Tools Firewall Plus\FWService.exe [PC Tools]

Seagate Replica Service, Seagate-Replica-Svc, C:\Program Files\Seagate Replica\bin\Seagate-Replica-Svc.exe /startedbyscm:FE2355B7-40E2EE35-RebitSvcModule [seagate Technology LLC]

Seagate Replica System Monitor, ReplicaSysMon, C:\Program Files\Seagate Replica\bin\ReplicaSysMon.exe [seagate Technology LLC]

Windows Driver Foundation - User-mode Driver Framework, WudfSvc, C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup {C:\WINDOWS\System32\WUDFSvc.dll [MS]}

Windows Search, WSearch, C:\WINDOWS\system32\SearchIndexer.exe /Embedding [MS]

Yahoo! Updater, YahooAUService, "C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe" [Yahoo! Inc.]

Safe Mode Drivers & Services (subkey name, subkey default value):

-----------------------------------------------------------------

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\

<<!>> MsMpSvc, Service

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\

<<!>> MsMpSvc, Service

Print Monitors:

---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\

Canon BJ Language Monitor i850\Driver = CNMLM4B.DLL [CANON INC.]

CutePDF Writer Monitor\Driver = cpwmon2k.dll [null data]

---------- (launch time: 2012-12-16 09:32:14)

<<!>>: Suspicious data at a malware launch point.

<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

DLL launch points, use the -supp parameter or answer "No" at the

first message box and "Yes" at the second message box.

---------- (total run time: 137 seconds, including 45 seconds for message boxes)

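For anyone working through the launch-point log posted above, the script below is an added example: it is not part of laralara's post and not code from the tool that produced the log. It assumes only the format visible in the posted output (the tool's own `<<!>>` and `<<H>>` marks, the bracketed company string at the end of each command line, handler names as lines ending in a backslash with no `=`), and it pulls out the entries a responder would check first: tool-marked launch and hijack points, commands whose binary carries `[null data]` or `[empty string]` instead of a vendor name, verb commands registered under the user-writable `HKCU\Software\Classes` rather than `HKLM`, and hardware-event handlers that route through the generic `ShellExecute HW Event Handler` (where the real payload is the `InitCmdLine` value, not the `rundll32` path). The `SAMPLE_LOG` embedded in the script is a short excerpt of the posted lines.

```python
"""Triage helper for a launch-point log of the kind posted above.

Added example: not part of the forum post and not code from the tool that
produced the log. The log format is assumed from the posted output, and
SAMPLE_LOG is an excerpt of the posted lines.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Format assumptions, taken from the posted log:
#   <<!>> / <<H>>      the tool's own marks for a launch / hijack point
#   [...] at line end  the file's company string; "[null data]" or
#                      "[empty string]" means the binary has none
#   handler / key names are lines ending in "\" that carry no "="
MARK_RE = re.compile(r"<<(!|H)>>")
NO_VENDOR_RE = re.compile(r"\[(null data|empty string)\]$")
HKCU_CLASSES_CMD_RE = re.compile(
    r"^HKCU\\Software\\Classes\\.*\\command\\\(Default\)\s*=", re.IGNORECASE)
SHELLEXEC_RE = re.compile(r"SHCreateLocalServerRunDll", re.IGNORECASE)
INITCMD_RE = re.compile(r"^InitCmdLine\s*=\s*(.*)$")


@dataclass
class Finding:
    code: str      # short machine-readable reason
    line_no: int   # 1-based line in the log text
    text: str      # the offending line (or, for shellexec, the InitCmdLine payload)


def triage(log_text: str) -> list[Finding]:
    """Return findings in log order."""
    findings: list[Finding] = []
    pending_initcmd: tuple[int, str] | None = None
    for n, raw in enumerate(log_text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        # A new handler or key block: forget the previous block's InitCmdLine.
        if line.endswith("\\") and "=" not in line:
            pending_initcmd = None
            continue
        m = INITCMD_RE.match(line)
        if m:
            pending_initcmd = (n, m.group(1).strip())
            continue
        m = MARK_RE.search(line)
        if m:
            findings.append(Finding(
                "marked-launch" if m.group(1) == "!" else "marked-hijack", n, line))
        if NO_VENDOR_RE.search(line):
            # No company/version info: the binary cannot be vetted by vendor name.
            findings.append(Finding("no-vendor", n, line))
        if HKCU_CLASSES_CMD_RE.match(line):
            # Per-user ProgID verb: user-writable, and it wins over HKLM for that user.
            findings.append(Finding("hkcu-classes", n, line))
        if SHELLEXEC_RE.search(line) and pending_initcmd is not None:
            # Generic ShellExecute handler: what actually runs is InitCmdLine.
            findings.append(Finding("shellexec-initcmd", *pending_initcmd))
            pending_initcmd = None
    return findings


# Excerpt of the posted log (constructed sample input for this example).
SAMPLE_LOG = r"""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\
CanonZB4PicturesOnArrival\
Provider = Canon ZoomBrowser EX
InvokeProgID = Zb.AutoplayHandler
InvokeVerb = open
HKLM\SOFTWARE\Classes\Zb.AutoplayHandler\shell\open\command\(Default) = C:\Program Files\Canon\ZoomBrowser EX MCU\MCULauncher.exe [null data]
NapsterMTPHandler\
Provider = @C:\Program Files\Napster\napster.exe,-101
ProgID = Shell.HWEventHandlerShellExecute
InitCmdLine = "C:\Program Files\Napster\napster.exe" /devicesync
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}
-> {HKLM...CLSID} = ShellExecute HW Event Handler
\LocalServer32\(Default) = rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7} [MS]
RPPlayCDAudioOnArrival\
Provider = RealPlayer
InvokeProgID = RealPlayer.AudioCD.6
InvokeVerb = play
HKCU\Software\Classes\RealPlayer.AudioCD.6\shell\play\command\(Default) = "c:\program files\real\realplayer\\RealPlay.exe" /play %1 [RealNetworks, Inc.]
HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<<H>> {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} = (no title provided)
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\
<<!>> MsMpSvc, Service
""".lstrip("\n")


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no:>3}  {f.code:<18} {f.text}")
```

Treat the output as a reading order, not a verdict: a missing company string is a weak signal on its own (the Nero and Canon entries in the full log show legitimate software shipping without version info), and the `HKCU\Software\Classes` entries here are RealPlayer's own per-user registration. The point of the `shellexec-initcmd` finding is that for every handler whose ProgID is `Shell.HWEventHandlerShellExecute`, the `LocalServer32` path is always the same Microsoft `rundll32` line, so the `InitCmdLine` value is the only thing worth vetting.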

I ran disc clean-up yesterday and this morning when I booted, it was fine. Turned off the computer and then booted it this afternoon, and the dreaded error code 2 showed up again. I hate bothering you all the time about this...

Is there any way to start Malwarebytes after Windows has started? Otherwise I'd have to always remember to disable it before I power off and then start it after the computer boots, or I'll just have to wait 7-8 minutes for the computer to boot.


Please download OTL from one of the links below:

http://oldtimer.geekstogo.com/OTL.exe

http://www.itxassociates.com/OT-Tools/OTL.exe

http://oldtimer.geekstogo.com/OTL.com (<---renamed version)

Save it to your desktop.

Double click on the icon on your desktop.

Click the Scan All Users checkbox.

Push the Quick Scan button.

The scan will take about 10 minutes...depends on your hard drive size.

Two reports will open, copy and paste them in a reply here: (or attach them as .txt files)

OTL.txt <-- Will be opened

Extra.txt <-- Will be minimized

MrC

