
PLEASE HELP, Rans.Gendarm and possible ZEROACCESS and what else?



Hi, I've kinda been following other threads about how to handle these Trojans and what they can do. I also understand that each case is unique so I would appreciate your help. I already have downloaded the necessary virus programs but ran ONLY my Malwarebytes and Chameleon, my McAfee (which I don't understand what I'm paying for if it can't catch these things), RogueKiller, and Farbar. The only anti-virus that I've downloaded to my desktop but have NOT run is ComboFix. I have ALL log files on hand but PLEASE let me know if I'm ahead of myself or not following your instructions. I REALLY want my computer clean and I WILL donate via PayPal after we're done. THANK YOU in advance. Here is the RK log identifying the Rans.Gendarm trojan; I however could not find any evidence of the ZeroAccess Trojan. Please advise.

RogueKiller V8.4.2 [Jan 6 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 64 bits version

Started in : Normal mode

User : Kat Cyganiak [Admin rights]

Mode : Scan -- Date : 01/07/2013 06:08:28

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 16 ¤¤¤

[RUN][Rans.Gendarm] HKUS\S-1-5-21-1443698480-2959366254-1151133129-1000_Classes[...]\Run : Update (rundll32.exe "C:\Users\Kat Cyganiak\AppData\Roaming\Elluminate\Elluminate\mijimxh.dll",DllRegisterServer) -> FOUND

[RUN][sUSP PATH] HKLM\[...]\Wow6432Node\RunOnce : SymInstallStub (C:\Users\KATCYG~1\AppData\Local\Temp\SymInstallStub.exe /partnerid=realnw /productlist=nss /staging=false /delay=5 /affid=rplr /desktopshortcut=1 /startmenushortcut=1 /launchedby=3) -> FOUND

[TASK][sUSP PATH] Norton Product InstallerIdle.job : C:\Users\Kat Cyganiak\AppData\Local\Temp\SymInstallStub.exe /partnerid=realnw /productlist=nss /staging=false /delay=0 /affid=RPLR /desktopshortcut=1 /startmenushortcut=1 /launchedby=4 -> FOUND

[TASK][sUSP PATH] Norton Product Installer.job : C:\Users\Kat Cyganiak\AppData\Local\Temp\SymInstallStub.exe /partnerid=realnw /productlist=nss /staging=false /delay=0 /affid=RPLR /desktopshortcut=1 /startmenushortcut=1 /launchedby=2 -> FOUND

[TASK][sUSP PATH] Norton Product Installer : C:\Users\Kat Cyganiak\AppData\Local\Temp\SymInstallStub.exe /partnerid=realnw /productlist=nss /staging=false /delay=0 /affid=RPLR /desktopshortcut=1 /startmenushortcut=1 /launchedby=2 -> FOUND

[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND

[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND

[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND

[HJPOL] HKLM\[...]\Wow6432Node\System : DisableTaskMgr (0) -> FOUND

[HJPOL] HKLM\[...]\Wow6432Node\System : DisableRegistryTools (0) -> FOUND

[HJ] HKLM\[...]\Wow6432Node\System : ConsentPromptBehaviorAdmin (0) -> FOUND

[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND

[HJ DESK] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Extern Hives: ¤¤¤

-> D:\windows\system32\config\SOFTWARE

-> D:\windows\system32\config\SYSTEM

-> D:\Users\Default\NTUSER.DAT

¤¤¤ Infection : Rans.Gendarm ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost

::1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3500418AS ATA Device +++++

--- User ---

[MBR] eb6d0d160b40dc281d5f2801a0252f33

[bSP] 7dd49a80c8617bcaaa65ef71a28057c9 : Windows Vista MBR Code

Partition table:

0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 15000 Mo

2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 30801920 | Size: 461899 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive1: Generic- SD/MMC USB Device +++++

Error reading User MBR!

User = LL1 ... OK!

Error reading LL2 MBR!

+++++ PhysicalDrive2: Generic- Compact Flash USB Device +++++

Error reading User MBR!

User = LL1 ... OK!

Error reading LL2 MBR!

+++++ PhysicalDrive3: Generic- SM/xD-Picture USB Device +++++

Error reading User MBR!

User = LL1 ... OK!

Error reading LL2 MBR!

+++++ PhysicalDrive4: Generic- MS/MS-Pro USB Device +++++

Error reading User MBR!

User = LL1 ... OK!

Error reading LL2 MBR!

Finished : << RKreport[2]_S_01072013_02d0608.txt >>

RKreport[1]_S_01072013_02d0413.txt ; RKreport[2]_S_01072013_02d0608.txt

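The RogueKiller report above lists every hit as "FOUND" whether it is a real persistence entry or just a policy value that happens to exist, so it helps to re-derive the verdicts by hand. The following is an added example, not code from the original post and not part of RogueKiller: a small Python triage script that parses the `Registry Entries` lines (the sample lines are copied from the report above) and applies the checks a responder would apply when reading them. The severity scale, the "user-writable path" heuristic and the CLSID-to-icon names are assumptions of this example; the facts it encodes are that `HKU\<SID>` hives and `AppData`/`Temp` are writable without elevation, that `rundll32 <dll>,DllRegisterServer` runs a DLL's own code at logon with no host executable, that `DisableTaskMgr`/`DisableRegistryTools` only bite when set to 1, and that `ConsentPromptBehaviorAdmin=0` means UAC elevates administrators silently (Vista's default is 2, prompt for consent).

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: a subset of the "Registry Entries" lines from the
# RogueKiller report posted above, copied verbatim.
SAMPLE_LOG = r"""
[RUN][Rans.Gendarm] HKUS\S-1-5-21-1443698480-2959366254-1151133129-1000_Classes[...]\Run : Update (rundll32.exe "C:\Users\Kat Cyganiak\AppData\Roaming\Elluminate\Elluminate\mijimxh.dll",DllRegisterServer) -> FOUND
[RUN][sUSP PATH] HKLM\[...]\Wow6432Node\RunOnce : SymInstallStub (C:\Users\KATCYG~1\AppData\Local\Temp\SymInstallStub.exe /partnerid=realnw /productlist=nss /staging=false /delay=5 /affid=rplr /desktopshortcut=1 /startmenushortcut=1 /launchedby=3) -> FOUND
[TASK][sUSP PATH] Norton Product Installer.job : C:\Users\Kat Cyganiak\AppData\Local\Temp\SymInstallStub.exe /partnerid=realnw /productlist=nss /staging=false /delay=0 /affid=RPLR /desktopshortcut=1 /startmenushortcut=1 /launchedby=2 -> FOUND
[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
"""

# Shape of a RogueKiller registry line: [CAT][tag] location : name (value) -> FOUND
LINE_RE = re.compile(
    r"^\[(?P<cat>[^\]]+)\](?:\[(?P<tag>[^\]]+)\])?\s+"
    r"(?P<loc>.+?)\s+:\s+(?P<rest>.+?)\s+->\s+FOUND$"
)
VALUE_RE = re.compile(r"^(?P<name>.+?)\s+\((?P<value>.*)\)$")
# Profile locations a standard user can write to (assumed heuristic): a payload
# dropped here needed no admin rights.
USER_WRITABLE_RE = re.compile(r"\\AppData\\(Roaming|Local\\Temp)\\|\\Temp\\", re.I)
RUNDLL_RE = re.compile(r"rundll32(\.exe)?\b", re.I)
# Well-known shell CLSIDs seen under HideDesktopIcons (value 1 = icon hidden).
SHELL_ICON_CLSIDS = {
    "{20D04FE0-3AEA-1069-A2D8-08002B30309D}": "Computer",
    "{645FF040-5081-101B-9F08-00AA002F954E}": "Recycle Bin",
    "{59031A47-3F72-44A7-89C5-5595FE6B30EE}": "user's files folder",
}


@dataclass
class Finding:
    category: str
    tag: Optional[str]      # RogueKiller's own tag, e.g. Rans.Gendarm or sUSP PATH
    location: str
    name: str
    value: Optional[str]
    severity: str           # high / medium / low / info (assumed scale for this example)
    note: str


def parse_line(line: str) -> Optional[Tuple[str, Optional[str], str, str, Optional[str]]]:
    """Split one report line into (category, tag, location, name, value); None if not a finding."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    cat, tag, loc, rest = m.group("cat", "tag", "loc", "rest")
    v = VALUE_RE.match(rest)
    if v:
        return cat, tag, loc, v.group("name"), v.group("value")
    return cat, tag, loc, rest, None   # TASK lines carry the bare command, no "(...)"


def triage(cat: str, tag: Optional[str], loc: str, name: str, value: Optional[str]) -> Finding:
    if cat in ("RUN", "TASK"):
        command = value if value is not None else name
        writable = bool(USER_WRITABLE_RE.search(command))
        loader = bool(RUNDLL_RE.match(command)) and "dllregisterserver" in command.lower()
        reasons = []
        if writable:
            reasons.append("runs from a user-writable profile path")
        if loader:
            reasons.append("rundll32/DllRegisterServer loader: the DLL's own code runs at logon")
        if loc.upper().startswith(("HKCU\\", "HKUS\\")):
            reasons.append("per-user hive, writable without elevation")
        severity = "high" if (loader and writable) else "medium" if (loader or writable) else "info"
        return Finding(cat, tag, loc, name, value, severity,
                       "; ".join(reasons) or "no heuristic matched, review manually")
    if name in ("DisableTaskMgr", "DisableRegistryTools"):
        if value == "1":
            return Finding(cat, tag, loc, name, value, "high",
                           f"{name}=1: tool disabled by policy, as screen-locker ransomware does")
        return Finding(cat, tag, loc, name, value, "info",
                       f"{name}={value}: policy value exists but is not 1, so the tool is not disabled")
    if name == "ConsentPromptBehaviorAdmin":
        if value == "0":
            return Finding(cat, tag, loc, name, value, "medium",
                           "UAC elevates administrators without prompting (Vista default is 2, prompt for consent)")
        return Finding(cat, tag, loc, name, value, "info", f"UAC admin prompt behaviour = {value}")
    if cat == "HJ DESK":
        icon = SHELL_ICON_CLSIDS.get(name.upper(), name)
        hidden = value == "1"
        return Finding(cat, tag, loc, name, value, "low" if hidden else "info",
                       f"desktop icon '{icon}' {'hidden' if hidden else 'visible'}")
    return Finding(cat, tag, loc, name, value, "info", "no heuristic matched, review manually")


def triage_log(text: str) -> List[Finding]:
    """Parse every finding line in a RogueKiller report and attach a triage verdict."""
    return [triage(*p) for p in map(parse_line, text.splitlines()) if p is not None]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:>6}] {f.category:<8} {f.name}: {f.note}")
```

Run against the sample, only the `Update` value (a DLL in `AppData\Roaming` loaded through `rundll32 ...,DllRegisterServer` from the user's own hive) comes out high; the two `SymInstallStub` entries are medium purely because they launch from `Temp`, which is how the Norton installer stub behaves, so they warrant a look at the file's signature rather than deletion on sight; the `DisableTaskMgr`, `DisableRegistryTools` values are informational because they are 0, and the hidden Recycle Bin icon is a low-severity cosmetic change.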

Hello and welcome. Please follow these guidelines while we work on your PC:

  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.” Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.

Download OTL to your desktop.

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in:
    netsvcs
  • Click the Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time and paste them into your next post.

Download aswMBR.exe to your desktop.

  • Double click the aswMBR.exe to run it
  • You will be asked if you want to use Avast! Free Antivirus for scanning - select No
  • Click the "Scan" button to start scan
  • On completion of the scan click save log, save it to your desktop and post in your next reply.

Please include the following in your next post:

  • OTL.txt and Extras.txt logs
  • aswMBR log


Here are all the logs you asked for. THANK YOU SO much for your help. When I tried to "POST", an "ERROR OCCURRED: post too long" happened, so I will post them separately.

OTL logfile created on: 1/9/2013 4:09:33 PM - Run 1

OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Kat Cyganiak\Desktop

64bit-Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation

Internet Explorer (Version = 9.0.8112.16421)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

5.99 Gb Total Physical Memory | 3.68 Gb Available Physical Memory | 61.40% Memory free

12.09 Gb Paging File | 9.92 Gb Available in Paging File | 82.02% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)

Drive C: | 451.07 Gb Total Space | 314.00 Gb Free Space | 69.61% Space Free | Partition Type: NTFS

Drive D: | 14.65 Gb Total Space | 5.72 Gb Free Space | 39.08% Space Free | Partition Type: NTFS

Computer Name: CYGANIAKS-PC | User Name: Kat Cyganiak | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/01/09 16:06:42 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Kat Cyganiak\Desktop\OTL.exe

PRC - [2013/01/08 21:41:42 | 000,945,152 | ---- | M] (215 Apps) -- C:\Program Files (x86)\Shopping Sidekick Plugin\Shopping Sidekick Plugin-bg.exe

PRC - [2013/01/07 06:02:55 | 000,295,072 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe

PRC - [2012/12/14 16:49:28 | 000,398,184 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe

PRC - [2012/11/29 20:33:06 | 000,232,608 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files (x86)\RealNetworks\RealDownloader\recordingmanager.exe

PRC - [2012/11/29 20:31:04 | 000,038,608 | ---- | M] () -- C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe

PRC - [2012/11/26 05:14:06 | 000,213,344 | ---- | M] (Yahoo! Inc.) -- C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn6\ytbb.exe

PRC - [2012/10/18 17:00:00 | 000,685,496 | R--- | M] (WinZip Computing, S.L.) -- C:\Program Files\WinZip\WZQKPICK32.EXE

PRC - [2012/09/05 09:57:26 | 000,271,808 | ---- | M] (McAfee, Inc.) -- C:\Program Files (x86)\McAfee Security Scan\3.0.285\SSScheduler.exe

PRC - [2011/10/13 17:21:52 | 000,249,648 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE

PRC - [2010/10/22 16:57:40 | 000,210,240 | ---- | M] () -- C:\Program Files (x86)\Motorola\MotoHelper\MotoHelperService.exe

PRC - [2010/10/22 16:57:26 | 000,660,800 | ---- | M] () -- C:\Program Files (x86)\Motorola\MotoHelper\MotoHelperAgent.exe

PRC - [2010/10/19 12:09:04 | 001,795,488 | ---- | M] (Audible, Inc.) -- C:\Program Files (x86)\Audible\Bin\AudibleDownloadHelper.exe

PRC - [2010/03/20 14:58:42 | 000,095,232 | ---- | M] () -- C:\Program Files (x86)\Warner Bros. Digital Copy Manager\Warner Bros. Digital Copy Manager.exe

PRC - [2009/07/17 15:07:58 | 000,237,568 | ---- | M] (Alcor Micro Corp.) -- C:\Program Files (x86)\Multimedia Card Reader(9106)\ShwiconXP9106.exe

PRC - [2009/07/07 09:23:00 | 001,779,952 | ---- | M] () -- C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe

PRC - [2009/05/08 04:53:34 | 000,174,424 | ---- | M] (Yahoo! Inc.) -- C:\Program Files (x86)\Yahoo!\Common\YMailAdvisor.exe

PRC - [2009/04/07 12:53:32 | 000,030,440 | ---- | M] () -- C:\Program Files (x86)\dcmsvc\dcmsvc.exe

PRC - [2009/02/03 07:15:18 | 000,111,856 | ---- | M] (Yahoo! Inc) -- C:\Program Files (x86)\Yahoo!\Search Protection\SearchProtection.exe

PRC - [2008/12/18 13:05:28 | 000,155,648 | ---- | M] (Stardock Corporation) -- C:\Program Files\Dell\DellDock\DockLogin.exe

PRC - [2008/11/09 14:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe

========== Modules (No Company Name) ==========

MOD - [2013/01/09 03:37:47 | 000,998,400 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\f042f66c2ad8fd5b8c34fa22cd22079e\System.Management.ni.dll

MOD - [2013/01/09 03:35:10 | 001,840,640 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web.Services\439eccf3a1fb34830a0a38cdf48afa08\System.Web.Services.ni.dll

MOD - [2013/01/09 03:34:52 | 000,971,264 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\004bc6615f9c06df5c98859d35149fe6\System.Configuration.ni.dll

MOD - [2013/01/09 03:34:50 | 005,450,752 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\b757806657fa5db2b1ed1a89b026b463\System.Xml.ni.dll

MOD - [2013/01/09 03:34:38 | 012,433,920 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\0c3da9004b277959e24a9fd606d3dd05\System.Windows.Forms.ni.dll

MOD - [2013/01/09 03:34:31 | 001,593,856 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\78157a494dc9a7e52be8840decfcd9cc\System.Drawing.ni.dll

MOD - [2013/01/09 03:33:48 | 007,977,984 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\cc149d08e75f8c53cd28ac926b38c370\System.ni.dll

MOD - [2013/01/09 03:33:43 | 011,492,352 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\2227d1559f87943255069398608d5c56\mscorlib.ni.dll

MOD - [2011/06/24 21:56:36 | 000,087,328 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll

MOD - [2011/06/24 21:56:14 | 001,241,888 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll

MOD - [2010/10/22 16:57:26 | 000,660,800 | ---- | M] () -- C:\Program Files (x86)\Motorola\MotoHelper\MotoHelperAgent.exe

MOD - [2010/03/20 14:58:42 | 000,095,232 | ---- | M] () -- C:\Program Files (x86)\Warner Bros. Digital Copy Manager\Warner Bros. Digital Copy Manager.exe

MOD - [2009/07/07 09:24:00 | 000,268,528 | ---- | M] () -- C:\Program Files (x86)\Dell DataSafe Online\SdbShared.dll

MOD - [2009/07/07 09:24:00 | 000,140,528 | ---- | M] () -- C:\Program Files (x86)\Dell DataSafe Online\SdbShared.XmlSerializers.dll

MOD - [2009/07/07 09:24:00 | 000,095,472 | ---- | M] () -- C:\Program Files (x86)\Dell DataSafe Online\SdbUI.dll

MOD - [2009/07/07 09:23:00 | 001,779,952 | ---- | M] () -- C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe

MOD - [2009/07/07 09:23:00 | 000,058,608 | ---- | M] () -- C:\Program Files (x86)\Dell DataSafe Online\BalloonWindow.dll

MOD - [2009/07/07 09:23:00 | 000,017,648 | ---- | M] () -- C:\Program Files (x86)\Dell DataSafe Online\CppUtils.dll

MOD - [2009/04/07 12:53:32 | 000,030,440 | ---- | M] () -- C:\Program Files (x86)\dcmsvc\dcmsvc.exe

========== Services (SafeList) ==========

SRV:64bit: - File not found [Auto | Stopped] -- C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe -- (ekrn)

SRV:64bit: - [2012/11/22 04:42:06 | 000,378,952 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)

SRV:64bit: - [2012/11/09 06:37:30 | 000,177,680 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Windows\SysNative\mfevtps.exe -- (mfevtp)

SRV:64bit: - [2012/11/09 06:34:50 | 000,218,320 | ---- | M] () [Auto | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe -- (mfefire)

SRV:64bit: - [2012/10/07 03:13:42 | 000,220,856 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe -- (MSK80Service)

SRV:64bit: - [2012/10/07 03:13:42 | 000,220,856 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe -- (McProxy)

SRV:64bit: - [2012/10/07 03:13:42 | 000,220,856 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe -- (mcpltsvc)

SRV:64bit: - [2012/10/07 03:13:42 | 000,220,856 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe -- (McNaiAnn)

SRV:64bit: - [2012/10/07 03:13:42 | 000,220,856 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe -- (McMPFSvc)

SRV:64bit: - [2012/10/07 03:13:42 | 000,220,856 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe -- (HomeNetSvc)

SRV:64bit: - [2012/10/06 07:28:16 | 001,007,288 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe -- (mfecore)

SRV:64bit: - [2012/08/31 12:20:06 | 000,201,304 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McAfee SiteAdvisor Service)

SRV:64bit: - [2009/03/31 13:01:34 | 000,092,160 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe -- (AERTFilters)

SRV:64bit: - [2008/12/18 13:05:28 | 000,155,648 | ---- | M] (Stardock Corporation) [Auto | Running] -- C:\Program Files\Dell\DellDock\DockLogin.exe -- (DockLoginService)

SRV:64bit: - [2008/01/20 20:51:26 | 000,015,872 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\inetsrv\inetinfo.exe -- (IISADMIN)

SRV:64bit: - [2007/06/07 01:50:32 | 000,567,280 | ---- | M] ( ) [Auto | Running] -- C:\Windows\SysNative\dlbtcoms.exe -- (dlbt_device)

SRV - [2013/01/09 04:29:32 | 000,251,400 | ---- | M] (Adobe Systems Incorporated) [Auto | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)

SRV - [2012/12/14 16:49:28 | 000,682,344 | ---- | M] (Malwarebytes Corporation) [Auto | Stopped] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)

SRV - [2012/12/14 16:49:28 | 000,398,184 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler)

SRV - [2012/12/07 22:09:08 | 000,115,168 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)

SRV - [2012/11/29 20:31:04 | 000,038,608 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe -- (RealNetworks Downloader Resolver Service)

SRV - [2012/09/05 09:56:44 | 000,234,776 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\McAfee Security Scan\3.0.285\McCHSvc.exe -- (McComponentHostService)

SRV - [2011/10/21 15:23:42 | 000,196,176 | ---- | M] (Microsoft Corporation.) [Auto | Stopped] -- C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE -- (BBSvc)

SRV - [2011/10/13 17:21:52 | 000,249,648 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE -- (BBUpdate)

SRV - [2010/10/22 16:57:40 | 000,210,240 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\Motorola\MotoHelper\MotoHelperService.exe -- (MotoHelper)

SRV - [2010/04/13 20:11:18 | 000,231,224 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files (x86)\McAfee Online Backup\MOBKbackup.exe -- (MOBKbackup)

SRV - [2010/03/18 12:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)

SRV - [2010/02/20 17:05:18 | 000,373,760 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysWOW64\inetsrv\iisw3adm.dll -- (WAS)

SRV - [2009/06/26 10:19:12 | 001,124,848 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- c:\Program Files (x86)\Common Files\Roxio Shared\10.0\SharedCom\RoxMediaDB10.exe -- (RoxMediaDB10)

SRV - [2009/04/11 00:28:17 | 000,052,224 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysWOW64\inetsrv\apphostsvc.dll -- (AppHostSvc)

SRV - [2009/03/29 22:42:14 | 000,066,368 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)

SRV - [2008/11/09 14:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)

========== Driver Services (SafeList) ==========

DRV:64bit: - [2012/12/14 16:49:28 | 000,024,176 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\mbam.sys -- (MBAMProtector)

DRV:64bit: - [2012/11/09 06:40:24 | 000,069,672 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\cfwids.sys -- (cfwids)

DRV:64bit: - [2012/11/09 06:37:42 | 000,339,776 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\mfewfpk.sys -- (mfewfpk)

DRV:64bit: - [2012/11/09 06:35:50 | 000,771,096 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\mfehidk.sys -- (mfehidk)

DRV:64bit: - [2012/11/09 06:34:58 | 000,515,528 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\mfefirek.sys -- (mfefirek)

DRV:64bit: - [2012/11/09 06:34:18 | 000,309,400 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\mfeavfk.sys -- (mfeavfk)

DRV:64bit: - [2012/11/09 06:33:58 | 000,178,840 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\mfeapfk.sys -- (mfeapfk)

DRV:64bit: - [2012/11/02 01:46:50 | 000,328,976 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\mfencbdc.sys -- (mfencbdc)

DRV:64bit: - [2012/11/02 01:46:50 | 000,097,208 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\mfencrk.sys -- (mfencrk)

DRV:64bit: - [2012/10/19 09:51:50 | 000,074,120 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\McPvDrv.sys -- (McPvDrv)

DRV:64bit: - [2012/09/28 10:32:56 | 000,053,760 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\usbaapl64.sys -- (USBAAPL64)

DRV:64bit: - [2012/08/21 12:01:20 | 000,033,240 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\GEARAspiWDM.sys -- (GEARAspiWDM)

DRV:64bit: - [2012/05/28 10:28:18 | 000,197,264 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HipShieldK.sys -- (HipShieldK)

DRV:64bit: - [2012/02/29 07:52:46 | 000,016,384 | ---- | M] (Microsoft Corporation) [Recognizer | System | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)

DRV:64bit: - [2010/04/13 20:10:24 | 000,066,040 | ---- | M] (Mozy, Inc.) [File_System | System | Running] -- C:\Windows\SysNative\DRIVERS\MOBK.sys -- (MOBKFilter)

DRV:64bit: - [2009/11/04 16:54:06 | 000,049,480 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\mfesmfk.sys -- (mfesmfk)

DRV:64bit: - [2009/09/30 18:51:42 | 000,046,592 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\wpdusb.sys -- (WpdUsb)

DRV:64bit: - [2009/09/16 10:15:38 | 000,040,904 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\mferkdk.sys -- (mferkdk)

DRV:64bit: - [2009/06/18 08:15:16 | 000,041,032 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\mfebopk.sys -- (mfebopk)

DRV:64bit: - [2009/06/04 17:54:36 | 000,408,600 | ---- | M] (Intel Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\SysNative\drivers\iastor.sys -- (iaStor)

DRV:64bit: - [2009/05/20 02:00:00 | 000,055,280 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\Windows\SysNative\Drivers\PxHlpa64.sys -- (PxHlpa64)

DRV:64bit: - [2009/05/11 23:19:20 | 000,081,952 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nvhda64v.sys -- (NVHDA)

DRV:64bit: - [2009/05/08 11:56:26 | 000,053,632 | ---- | M] (Motorola Inc) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\motodrv.sys -- (MotDev)

DRV:64bit: - [2009/04/06 19:25:08 | 000,292,352 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\k57nd60a.sys -- (k57nd60a)

DRV:64bit: - [2008/01/20 20:46:55 | 000,317,952 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\e1e6032e.sys -- (e1express)

DRV:64bit: - [2006/11/02 01:48:50 | 002,488,320 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\atikmdag.sys -- (R300)

DRV - [2009/06/26 09:27:28 | 000,065,520 | ---- | M] (Sonic Solutions) [File_System | System | Stopped] -- C:\Windows\SysWOW64\drivers\RxFilter.sys -- (RxFilter)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {B7971660-A1CE-4FDD-B9E0-2C37D77AFB0B}

IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC

IE:64bit: - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2410}: "URL" = http://dts.search-results.com/sr?src=ieb&gct=ds&appid=100&systemid=410&apn_dtid=BND410&apn_ptnrs=AGA&o=APN10649&apn_uid=5366121342314564&q={searchTerms}

IE:64bit: - HKLM\..\SearchScopes\{B7971660-A1CE-4FDD-B9E0-2C37D77AFB0B}: "URL" = http://searchfunmoods.com/results.php?f=4&q={searchTerms}&a=adknlg1y&ir=adknlg1y&cd=2XzuyEtN2Y1L1QzutDtDtByDyCyE0DyByE0E0DyEzz0BtCtCtN0D0Tzu0CtAyByEtN1L2XzutBtFtBtFtCtFyEtDyB&cr=1892756836

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

IE - HKLM\..\URLSearchHook: {9ee802e8-c931-47ab-b570-aa8f791598ca} - C:\Program Files (x86)\eMusic\tbeMu1.dll (Conduit Ltd.)

IE - HKLM\..\SearchScopes,DefaultScope = {B7971660-A1CE-4FDD-B9E0-2C37D77AFB0B}

IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC

IE - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2410}: "URL" = http://dts.search-results.com/sr?src=ieb&gct=ds&appid=100&systemid=410&apn_dtid=BND410&apn_ptnrs=AGA&o=APN10649&apn_uid=5366121342314564&q={searchTerms}

IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT1641676

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = Preserve

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

IE - HKCU\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)

IE - HKCU\..\URLSearchHook: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn6\yt.dll (Yahoo! Inc.)

IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}

IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC

IE - HKCU\..\SearchScopes\{1514BC5F-681F-4FED-83C5-7AE89459354C}: "URL" = http://search.yahoo.com/search?p={searchTerms}&fr=chr-tyc8

IE - HKCU\..\SearchScopes\{43AF21D6-884C-47A2-8F8F-5EF6465AE905}: "URL" = http://search.yahoo.com/search?fr=mcafee&p={SearchTerms}

IE - HKCU\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2410}: "URL" = http://dts.search-results.com/sr?src=ieb&gct=ds&appid=100&systemid=410&apn_dtid=BND410&apn_ptnrs=AGA&o=APN10649&apn_uid=5366121342314564&q={searchTerms}

IE - HKCU\..\SearchScopes\{E0FA9551-4AE2-453F-A45E-285EF0F281A5}: "URL" = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b2ie7

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 192.168.*.*;<local>

========== FireFox ==========

FF - prefs.js..browser.search.defaultEngine: "Yahoo"

FF - prefs.js..browser.search.defaultenginename: "AVG Secure Search"

FF - prefs.js..browser.search.order.1: "Search Results"

FF - prefs.js..browser.search.param.yahoo-fr: "chrf-tyc8"

FF - prefs.js..browser.search.param.yahoo-fr-cjkt: "chrf-tyc8"

FF - prefs.js..browser.search.param.yahoo-type: ""

FF - prefs.js..browser.search.selectedEngine: "Secure Search"

FF - prefs.js..browser.startup.homepage: "http://www.google.com/"

FF - prefs.js..extensions.enabledAddons: %7B635abd67-4fe9-1b23-4f01-e679fa7484c1%7D:2.5.1.20121011034613

FF - prefs.js..extensions.enabledAddons: %7B20a82645-c095-46ed-80e3-08825760534b%7D:0.0.0

FF - prefs.js..extensions.enabledAddons: %7B46551EC9-40F0-4e47-8E18-8E5CF550CFB8%7D:1.3.1

FF - prefs.js..extensions.enabledAddons: %7B4176DFF4-4698-11DE-BEEB-45DA55D89593%7D:0.8.37

FF - prefs.js..extensions.enabledAddons: %7B3e0c7f3a-3f50-4730-beb5-4a9a10e2831c%7D:6.9

FF - prefs.js..extensions.enabledAddons: %7B2b5e07c4-cc81-4624-8936-820622afdbd5%7D:1.0

FF - prefs.js..extensions.enabledAddons: twitter%40disconnect.me:2.1.2

FF - prefs.js..extensions.enabledAddons: personas%40christopher.beard:1.6.2

FF - prefs.js..extensions.enabledAddons: chromeview%40systemantics.net:0.2.2

FF - prefs.js..extensions.enabledAddons: %7B4ED1F68A-5463-4931-9384-8FFF5ED91D92%7D:3.6.0

FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:17.0.1

FF - prefs.js..keyword.URL: "http://search.yahoo.com/search?fr=mcafee&p="

FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_5_502_146.dll File not found

FF:64bit: - HKLM\Software\MozillaPlugins\@mcafee.com/MSC,version=10: c:\PROGRA~1\mcafee\msc\NPMCSN~1.DLL ()

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_146.dll ()

FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()

FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.5.0: C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.5.0: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)

FF - HKLM\Software\MozillaPlugins\@mcafee.com/MSC,version=10: c:\PROGRA~2\mcafee\msc\NPMCSN~1.DLL ()

FF - HKLM\Software\MozillaPlugins\@mcafee.com/MVT: C:\Program Files (x86)\McAfee\Supportability\MVT\NPMVTPlugin.dll (McAfee, Inc.)

FF - HKLM\Software\MozillaPlugins\@mcafee.com/SAFFPlugin: C:\Program Files (x86)\McAfee\SiteAdvisor\npmcffplg32.dll (McAfee, Inc.)

FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8051.1204: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@oberon-media.com/ONCAdapter: C:\Program Files (x86)\Common Files\Oberon Media\NCAdapter\1.0.0.7\npapicomadapter.dll File not found

FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=16.0.0.282: c:\program files (x86)\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)

FF - HKLM\Software\MozillaPlugins\@real.com/nprndlchromebrowserrecordext;version=1.3.0: C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlchromebrowserrecordext.dll (RealNetworks, Inc.)

FF - HKLM\Software\MozillaPlugins\@real.com/nprndlhtml5videoshim;version=1.3.0: C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlhtml5videoshim.dll (RealNetworks, Inc.)

FF - HKLM\Software\MozillaPlugins\@real.com/nprndlpepperflashvideoshim;version=1.3.0: C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlpepperflashvideoshim.dll (RealNetworks, Inc.)

FF - HKLM\Software\MozillaPlugins\@real.com/nprpplugin;version=16.0.0.282: c:\program files (x86)\real\realplayer\Netscape6\nprpplugin.dll (RealPlayer)

FF - HKLM\Software\MozillaPlugins\@realnetworks.com/npdlplugin;version=1: C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\npdlplugin.dll (RealDownloader)

FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)

FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)

FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

64bit-FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\PROGRAM FILES\ESET\ESET SMART SECURITY\MOZILLA THUNDERBIRD

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{4ED1F68A-5463-4931-9384-8FFF5ED91D92}: C:\Program Files (x86)\McAfee\SiteAdvisor [2012/12/21 03:18:02 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{34712C68-7391-4c47-94F3-8F88D49AD632}: C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext\ [2013/01/07 06:03:57 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext [2013/01/07 06:03:57 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 17.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012/12/13 10:21:35 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 17.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins

FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\msktbird@mcafee.com: C:\Program Files\McAfee\MSK [2013/01/04 20:03:41 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird

FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 17.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012/12/13 10:21:35 | 000,000,000 | ---D | M]

FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 17.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins

[2012/11/28 23:18:14 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Kat Cyganiak\AppData\Roaming\Mozilla\Extensions

[2013/01/08 23:37:44 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Kat Cyganiak\AppData\Roaming\Mozilla\Firefox\Profiles\sojvyjpv.default\extensions

[2013/01/03 11:08:26 | 000,000,000 | ---D | M] (Browser Backgrounds) -- C:\Users\Kat Cyganiak\AppData\Roaming\Mozilla\Firefox\Profiles\sojvyjpv.default\extensions\{3e0c7f3a-3f50-4730-beb5-4a9a10e2831c}

[2012/12/06 18:23:14 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Users\Kat Cyganiak\AppData\Roaming\Mozilla\Firefox\Profiles\sojvyjpv.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}

[2013/01/03 11:08:26 | 000,020,387 | ---- | M] () (No name found) -- C:\Users\Kat Cyganiak\AppData\Roaming\Mozilla\Firefox\Profiles\sojvyjpv.default\extensions\chromeview@systemantics.net.xpi

[2013/01/03 11:08:26 | 000,330,316 | ---- | M] () (No name found) -- C:\Users\Kat Cyganiak\AppData\Roaming\Mozilla\Firefox\Profiles\sojvyjpv.default\extensions\personas@christopher.beard.xpi

[2013/01/03 11:08:26 | 000,035,303 | ---- | M] () (No name found) -- C:\Users\Kat Cyganiak\AppData\Roaming\Mozilla\Firefox\Profiles\sojvyjpv.default\extensions\twitter@disconnect.me.xpi

[2013/01/03 11:08:26 | 000,009,599 | ---- | M] () (No name found) -- C:\Users\Kat Cyganiak\AppData\Roaming\Mozilla\Firefox\Profiles\sojvyjpv.default\extensions\{2b5e07c4-cc81-4624-8936-820622afdbd5}.xpi

[2013/01/03 11:08:23 | 000,222,578 | ---- | M] () (No name found) -- C:\Users\Kat Cyganiak\AppData\Roaming\Mozilla\Firefox\Profiles\sojvyjpv.default\extensions\{4176DFF4-4698-11DE-BEEB-45DA55D89593}.xpi

[2013/01/03 11:08:23 | 000,269,905 | ---- | M] () (No name found) -- C:\Users\Kat Cyganiak\AppData\Roaming\Mozilla\Firefox\Profiles\sojvyjpv.default\extensions\{46551EC9-40F0-4e47-8E18-8E5CF550CFB8}.xpi

[2012/10/14 23:28:26 | 000,002,687 | ---- | M] () -- C:\Users\Kat Cyganiak\AppData\Roaming\Mozilla\Firefox\Profiles\sojvyjpv.default\searchplugins\Search_Results.xml

[2012/12/07 22:09:02 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions

[2012/12/21 03:18:02 | 000,000,000 | ---D | M] (McAfee SiteAdvisor) -- C:\PROGRAM FILES (X86)\MCAFEE\SITEADVISOR

[2012/12/06 18:23:52 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION

[2012/12/07 22:09:08 | 000,262,112 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll

[2012/08/29 15:58:29 | 000,002,465 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml

[2012/12/26 22:00:46 | 000,002,024 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\McSiteAdvisor.xml

[2012/10/14 23:28:26 | 000,002,687 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\Search_Results.xml

[2012/10/11 21:30:39 | 000,002,058 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========

CHR - homepage: http://www.google.com

CHR - default_search_provider: Google (Enabled)

CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}

CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}&sugkey={google:suggestAPIKeyParameter},

CHR - homepage: http://www.google.com

CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer

CHR - plugin: Native Client (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\23.0.1271.97\ppGoogleNaClPluginChrome.dll

CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\23.0.1271.97\pdf.dll

CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\23.0.1271.97\gcswf32.dll

CHR - plugin: Shockwave Flash (Disabled) = C:\Users\Kat Cyganiak\AppData\Local\Google\Chrome\User Data\PepperFlash\11.2.31.144\pepflashplayer.dll

CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_2_202_235.dll

CHR - plugin: McAfee SiteAdvisor (Enabled) = C:\Users\Kat Cyganiak\AppData\Local\Google\Chrome\User Data\Default\Extensions\fheoggkfdfchfphceeifdbepaooicaho\3.41.123.2_0\McChPlg.dll

CHR - plugin: McAfee SiteAdvisor (Enabled) = C:\Program Files (x86)\McAfee\SiteAdvisor\npmcffplg32.dll

CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll

CHR - plugin: Java Deployment Toolkit 6.0.300.12 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll

CHR - plugin: Java Platform SE 6 U30 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll

CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin.dll

CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin2.dll

CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin3.dll

CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin4.dll

CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin5.dll

CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin6.dll

CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin7.dll

CHR - plugin: Oberon com adapter (Enabled) = C:\Program Files (x86)\Common Files\Oberon Media\NCAdapter\1.0.0.7\npapicomadapter.dll

CHR - plugin: Google Update (Enabled) = C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll

CHR - plugin: McAfee Virtual Technician (Enabled) = C:\Program Files (x86)\McAfee\Supportability\MVT\NPMVTPlugin.dll

CHR - plugin: RealPlayer G2 LiveConnect-Enabled Plug-In (32-bit) (Enabled) = C:\Program Files (x86)\Real\RealPlayer\Netscape6\nppl3260.dll

CHR - plugin: RealPlayer Version Plugin (Enabled) = C:\Program Files (x86)\Real\RealPlayer\Netscape6\nprpjplug.dll

CHR - plugin: RealPlayer HTML5VideoShim Plug-In (32-bit) (Enabled) = C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll

CHR - plugin: RealJukebox NS Plugin (Enabled) = C:\Program Files (x86)\Real\RealPlayer\Netscape6\nprjplug.dll

CHR - plugin: Windows Live\u00AE Photo Gallery (Enabled) = C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll

CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll

CHR - plugin: RealNetworks Chrome Background Extension Plug-In (32-bit) (Enabled) = C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll

CHR - plugin: Shockwave for Director (Enabled) = C:\Windows\system32\Adobe\Director\np32dsw.dll

CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll

CHR - plugin: Windows Presentation Foundation (Enabled) = c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll

CHR - plugin: McAfee SecurityCenter (Enabled) = c:\progra~2\mcafee\msc\npmcsn~1.dll

CHR - Extension: Angry Birds = C:\Users\Kat Cyganiak\AppData\Local\Google\Chrome\User Data\Default\Extensions\aknpkdffaafgjchaibgeefbgmgeghloj\1.5.0.7_0\

CHR - Extension: Shopping Sidekick Plugin = C:\Users\Kat Cyganiak\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlopielgodpjhkbapdlbbicpiefpaack\1.20.5_0\crossrider

CHR - Extension: Shopping Sidekick Plugin = C:\Users\Kat Cyganiak\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlopielgodpjhkbapdlbbicpiefpaack\1.20.5_0\

CHR - Extension: SiteAdvisor = C:\Users\Kat Cyganiak\AppData\Local\Google\Chrome\User Data\Default\Extensions\fheoggkfdfchfphceeifdbepaooicaho\3.60.126.1_0\

CHR - Extension: RealDownloader = C:\Users\Kat Cyganiak\AppData\Local\Google\Chrome\User Data\Default\Extensions\idhngdhcfkoamngbedgpaokgjbnpdiji\1.3.0_0\

CHR - Extension: Cath Kidston = C:\Users\Kat Cyganiak\AppData\Local\Google\Chrome\User Data\Default\Extensions\ndlpkmaeinmnbiadacenijnhlolneopm\3_0\

CHR - Extension: Cut The Rope = C:\Users\Kat Cyganiak\AppData\Local\Google\Chrome\User Data\Default\Extensions\oifmiihfojalcnahgflekehmhbnlandb\1.0.1_0\

CHR - Extension: Angry Birds Wonderful Pistachios HD = C:\Users\Kat Cyganiak\AppData\Local\Google\Chrome\User Data\Default\Extensions\olacfkfcglkclgojodocdaladnipiigo\1.0_0\

O1 HOSTS File: ([2006/09/18 15:37:24 | 000,000,761 | ---- | M]) - C:\Windows\SysNative\drivers\etc\Hosts

O1 - Hosts: 127.0.0.1 localhost

O1 - Hosts: ::1 localhost

O2:64bit: - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\MSKAPB~1.DLL File not found

O2:64bit: - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)

O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn6\yt.dll (Yahoo! Inc.)

O2 - BHO: (Shopping Sidekick Plugin) - {11111111-1111-1111-1111-110211181102} - C:\Program Files (x86)\Shopping Sidekick Plugin\Shopping Sidekick Plugin.dll (215 Apps)

O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll File not found

O2 - BHO: (RealNetworks Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll (RealDownloader)

O2 - BHO: (Search-Results Toolbar) - {3ec1a45c-8bc3-4bfe-b226-4051c5d3d068} - C:\PROGRA~2\SEARCH~1\Datamngr\SRTOOL~1\searchresultsDx.dll File not found

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.

O2 - BHO: (Java Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)

O2 - BHO: (eMusic Toolbar) - {9ee802e8-c931-47ab-b570-aa8f791598ca} - C:\Program Files (x86)\eMusic\tbeMu1.dll (Conduit Ltd.)

O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)

O2 - BHO: (Bing Bar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)

O2 - BHO: (Java Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)

O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn2\YTSingleInstance.dll (Yahoo! Inc)

O3:64bit: - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)

O3:64bit: - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.

O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)

O3 - HKLM\..\Toolbar: (Search-Results Toolbar) - {3ec1a45c-8bc3-4bfe-b226-4051c5d3d068} - C:\PROGRA~2\SEARCH~1\Datamngr\SRTOOL~1\searchresultsDx.dll File not found

O3 - HKLM\..\Toolbar: (Bing Bar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)

O3 - HKLM\..\Toolbar: (eMusic Toolbar) - {9ee802e8-c931-47ab-b570-aa8f791598ca} - C:\Program Files (x86)\eMusic\tbeMu1.dll (Conduit Ltd.)

O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn6\yt.dll (Yahoo! Inc.)

O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.

O3 - HKCU\..\Toolbar\WebBrowser: (eMusic Toolbar) - {9EE802E8-C931-47AB-B570-AA8F791598CA} - C:\Program Files (x86)\eMusic\tbeMu1.dll (Conduit Ltd.)

O4:64bit: - HKLM..\Run: [NvCplDaemon] C:\Windows\SysNative\NvCpl.dll (NVIDIA Corporation)

O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)

O4:64bit: - HKLM..\Run: [skytel] C:\Program Files\Realtek\Audio\HDA\Skytel.exe File not found

O4 - HKLM..\Run: [APSDaemon] C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)

O4 - HKLM..\Run: [dcmsvc] C:\Program Files (x86)\dcmsvc\dcmsvc.exe ()

O4 - HKLM..\Run: [Dell DataSafe Online] C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe ()

O4 - HKLM..\Run: [mcpltui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)

O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)

O4 - HKLM..\Run: [ROC_roc_ssl_v12] "C:\Program Files (x86)\AVG Secure Search\ROC_roc_ssl_v12.exe" / /PROMPT /CMPID=roc_ssl_v12 File not found

O4 - HKLM..\Run: [shwiconXP9106] C:\Program Files (x86)\Multimedia Card Reader(9106)\ShwiconXP9106.exe (Alcor Micro Corp.)

O4 - HKLM..\Run: [TkBellExe] c:\program files (x86)\real\realplayer\Update\realsched.exe (RealNetworks, Inc.)

O4 - HKLM..\Run: [YMailAdvisor] C:\Program Files (x86)\Yahoo!\Common\YMailAdvisor.exe (Yahoo! Inc.)

O4 - HKLM..\Run: [YSearchProtection] C:\Program Files (x86)\Yahoo!\Search Protection\SearchProtection.exe (Yahoo! Inc)

O4 - HKCU..\Run: [Akamai NetSession Interface] "C:\Users\Kat Cyganiak\AppData\Local\Akamai\netsession_win.exe" File not found

O4 - HKCU..\Run: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe File not found

O4 - HKLM..\RunOnceEx: [ContentMerger] c:\Program Files (x86)\Common Files\Roxio Shared\10.0\SharedCom\ContentMerger10.exe (Sonic Solutions)

O4 - Startup: C:\Users\Kat Cyganiak\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)

O4 - Startup: C:\Users\Kat Cyganiak\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Warner Bros.lnk = C:\Program Files (x86)\Warner Bros. Digital Copy Manager\Warner Bros. Digital Copy Manager.exe ()

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoControlPanel = 0

O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - Reg Error: Key error. File not found

O1364bit: - gopher Prefix: missing

O13 - gopher Prefix: missing

O15 - HKCU\..Trusted Domains: internet ([]about in Trusted sites)

O15 - HKCU\..Trusted Domains: mcafee.com ([]http in Trusted sites)

O15 - HKCU\..Trusted Domains: mcafee.com ([]https in Trusted sites)

O15 - HKCU\..Trusted Domains: real.com ([rhap-app-4-0] https in Trusted sites)

O15 - HKCU\..Trusted Domains: real.com ([rhapreg] https in Trusted sites)

O16:64bit: - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)

O16:64bit: - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Reg Error: Key error.)

O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 10.5.0)

O16 - DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 10.5.0)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254

O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D26857BB-2F49-4A2F-B6B1-4062C58553CB}: DhcpNameServer = 192.168.1.254

O18:64bit: - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)

O18:64bit: - Protocol\Handler\livecall - No CLSID value found

O18:64bit: - Protocol\Handler\ms-help - No CLSID value found

O18:64bit: - Protocol\Handler\msnim - No CLSID value found

O18:64bit: - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)

O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found

O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)

O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)

O18:64bit: - Protocol\Filter\application/x-mfe-ipt {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\McAfee\MSC\McSnIePl64.dll (McAfee, Inc.)

O18 - Protocol\Filter\application/x-mfe-ipt {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files (x86)\McAfee\MSC\McSnIePl.dll (McAfee, Inc.)

O20 - AppInit_DLLs: (C:\Windows\system32\d3d8thk32.dll) - File not found

O20 - AppInit_DLLs: (C:\Windows\system32\cdosys32.dll) - File not found

O20 - AppInit_DLLs: (C:\Windows\system32\dmime32.dll) - File not found

O20 - AppInit_DLLs: (C:\Windows\system32\cryptsvc32.dll) - File not found

O20 - AppInit_DLLs: (C:\Windows\system32\dxmasf32.dll) - File not found

O20 - AppInit_DLLs: (C:\Windows\system32\dhcpsapi32.dll) - File not found

O20 - AppInit_DLLs: (C:\Windows\system32\dhcpsapi32.dllbpj9uy2m32.dll) - File not found

O20 - AppInit_DLLs: (C:\Windows\system32\dhcpsapi32.dllbpj9uy2m32.dllmj38k32.dll) - File not found

O20 - AppInit_DLLs: (C:\Windows\system32\dhcpsapi32.dllbpj9uy2m32.dllmj38k32.dllfxteu32.dll) - File not found

O20 - AppInit_DLLs: (C:\Windows\system32\dhcpsapi32.dllbpj9uy2m32.dllmj38k32.dllfxteu32.dllijapy3o32.dll) - File not found

O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)

O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)

O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)

O24 - Desktop WallPaper: C:\Users\Public\Pictures\Sample Pictures\Tree.jpg

O24 - Desktop BackupWallPaper: C:\Users\Public\Pictures\Sample Pictures\Tree.jpg

O32 - HKLM CDRom: AutoRun - 1

O33 - MountPoints2\{0e2008ad-c71e-11de-ba31-002564d74ed4}\Shell - "" = AutoRun

O33 - MountPoints2\{0e2008ad-c71e-11de-ba31-002564d74ed4}\Shell\AutoRun\command - "" = K:\LaunchU3.exe -a

O33 - MountPoints2\L\Shell - "" = AutoRun

O33 - MountPoints2\L\Shell\AutoRun\command - "" = L:\LaunchU3.exe -a

O34 - HKLM BootExecute: (autocheck autochk *)

O35:64bit: - HKLM\..comfile [open] -- "%1" %*

O35:64bit: - HKLM\..exefile [open] -- "%1" %*

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*

O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)

O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2013/01/09 16:06:40 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Kat Cyganiak\Desktop\OTL.exe

[2013/01/09 15:04:35 | 000,688,992 | R--- | C] (Swearware) -- C:\Users\Kat Cyganiak\Desktop\dds.com

[2013/01/09 15:03:39 | 000,688,992 | ---- | C] (Swearware) -- C:\Users\Kat Cyganiak\Desktop\dds.scr

[2013/01/09 13:35:19 | 000,000,000 | ---D | C] -- C:\Users\Kat Cyganiak\Desktop\HELP! how to removie rans_gendarm and google redirect viruses - Malwarebytes Forum_files

[2013/01/09 00:16:26 | 000,253,952 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ncrypt.dll

[2013/01/09 00:15:48 | 000,456,192 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\shlwapi.dll

[2013/01/08 21:57:16 | 000,000,000 | ---D | C] -- C:\Users\Kat Cyganiak\AppData\Local\MFAData

[2013/01/08 21:57:16 | 000,000,000 | ---D | C] -- C:\ProgramData\MFAData

[2013/01/08 21:57:16 | 000,000,000 | ---D | C] -- C:\Users\Kat Cyganiak\AppData\Local\Avg2013

[2013/01/08 21:42:45 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PDFCreator

[2013/01/08 21:42:32 | 000,137,000 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\MSMAPI32.OCX

[2013/01/08 21:42:31 | 000,023,552 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\MSMPIDE.DLL

[2013/01/08 21:42:31 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\PDFCreator

[2013/01/08 21:41:51 | 000,000,000 | ---D | C] -- C:\Users\Kat Cyganiak\AppData\Local\Shopping Sidekick Plugin

[2013/01/08 21:41:43 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Shopping Sidekick Plugin

[2013/01/08 21:41:30 | 000,000,000 | ---D | C] -- C:\Users\Kat Cyganiak\AppData\Roaming\Funmoods

[2013/01/08 21:31:18 | 000,000,000 | ---D | C] -- C:\Users\Kat Cyganiak\Desktop\RK_Quarantine

[2013/01/07 23:07:12 | 000,000,000 | ---D | C] -- C:\ProgramData\ESET

[2013/01/07 23:07:12 | 000,000,000 | ---D | C] -- C:\Program Files\ESET

[2013/01/07 16:12:55 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Symantec Shared

[2013/01/07 06:48:22 | 000,000,000 | ---D | C] -- C:\ProgramData\Symantec

[2013/01/07 06:48:18 | 000,000,000 | R--D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Norton Security Scan

[2013/01/07 06:48:18 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\drivers\NSSx64

[2013/01/07 06:48:18 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Norton Security Scan

[2013/01/07 06:48:18 | 000,000,000 | ---D | C] -- C:\ProgramData\Norton

[2013/01/07 06:48:18 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\drivers\NSSx64\0307060.005

[2013/01/07 06:48:17 | 000,000,000 | ---D | C] -- C:\ProgramData\NortonInstaller

[2013/01/07 06:48:17 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\NortonInstaller

[2013/01/07 06:07:33 | 000,000,000 | ---D | C] -- C:\Users\Kat Cyganiak\AppData\Roaming\RealNetworks

[2013/01/07 06:03:54 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\RealNetworks

[2013/01/07 06:03:50 | 000,000,000 | ---D | C] -- C:\ProgramData\RealNetworks

[2013/01/07 06:03:35 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\xing shared

[2013/01/07 06:03:20 | 000,201,424 | ---- | C] (RealNetworks, Inc.) -- C:\Windows\SysWow64\rmoc3260.dll

[2013/01/07 06:03:01 | 000,006,656 | ---- | C] (RealNetworks, Inc.) -- C:\Windows\SysWow64\pndx5016.dll

[2013/01/07 06:03:01 | 000,005,632 | ---- | C] (RealNetworks, Inc.) -- C:\Windows\SysWow64\pndx5032.dll

[2013/01/07 06:02:59 | 000,272,896 | ---- | C] (Progressive Networks) -- C:\Windows\SysWow64\pncrt.dll

[2013/01/07 06:02:59 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RealNetworks

[2013/01/07 05:59:53 | 000,000,000 | ---D | C] -- C:\Users\Kat Cyganiak\AppData\Local\Real

[2013/01/07 05:09:56 | 000,000,000 | ---D | C] -- C:\FRST

[2013/01/06 23:00:19 | 000,000,000 | ---D | C] -- C:\Users\Kat Cyganiak\AppData\Local\WinZip

[2013/01/06 22:59:34 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinZip

[2013/01/06 22:59:12 | 000,000,000 | ---D | C] -- C:\ProgramData\WinZip

[2013/01/06 22:59:11 | 000,000,000 | ---D | C] -- C:\Program Files\WinZip

[2013/01/04 19:42:35 | 000,000,000 | ---D | C] -- C:\Users\Kat Cyganiak\AppData\Local\McAfee File Lock

[2013/01/04 17:48:26 | 000,197,264 | ---- | C] (McAfee, Inc.) -- C:\Windows\SysNative\drivers\HipShieldK.sys

[2012/12/21 10:00:23 | 000,000,000 | ---D | C] -- C:\Users\Kat Cyganiak\AppData\Roaming\Malwarebytes

[2012/12/21 10:00:19 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware

[2012/12/21 10:00:19 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes

[2012/12/21 10:00:18 | 000,024,176 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys

[2012/12/21 10:00:18 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware

[2012/12/21 08:48:34 | 000,000,000 | ---D | C] -- C:\e

[2012/12/21 08:48:33 | 000,000,000 | ---D | C] -- C:\Data

[2012/12/21 03:00:17 | 000,368,128 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\SysNative\atmfd.dll

[2012/12/21 03:00:17 | 000,293,376 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\atmfd.dll

[2012/12/21 03:00:17 | 000,048,128 | ---- | C] (Adobe Systems) -- C:\Windows\SysNative\atmlib.dll

[2012/12/21 03:00:17 | 000,034,304 | ---- | C] (Adobe Systems) -- C:\Windows\SysWow64\atmlib.dll

[2012/12/13 10:29:20 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iCloud

[2012/12/13 10:26:52 | 000,000,000 | ---D | C] -- C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69

[2012/12/13 10:21:23 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime

[2012/12/13 10:21:19 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\QuickTime

[2012/12/13 03:02:54 | 000,054,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\WdfLdr.sys

[2012/12/13 03:02:53 | 000,009,728 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\Wdfres.dll

[2012/12/13 03:02:52 | 000,020,480 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\winusb.dll

[2012/12/13 03:02:51 | 000,744,448 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\WUDFx.dll

[2012/12/13 03:02:51 | 000,229,888 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\WUDFHost.exe

[2012/12/13 03:02:51 | 000,194,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\WUDFPlatform.dll

[2012/12/13 03:02:51 | 000,045,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\WUDFCoinstaller.dll

[2012/12/13 03:02:01 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll

[2012/12/13 03:02:01 | 000,096,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmled.dll

[2012/12/13 03:02:01 | 000,073,216 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmled.dll

[2012/12/13 03:02:00 | 000,248,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll

[2012/12/13 03:02:00 | 000,237,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\url.dll

[2012/12/13 03:02:00 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\url.dll

[2012/12/13 03:02:00 | 000,173,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieUnatt.exe

[2012/12/13 03:02:00 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieUnatt.exe

[2012/12/13 03:01:59 | 002,312,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript9.dll

[2012/12/13 03:01:59 | 001,494,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\inetcpl.cpl

[2012/12/13 03:01:59 | 001,427,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\inetcpl.cpl

[2012/12/13 03:01:59 | 000,729,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msfeeds.dll

[2012/12/13 03:01:58 | 000,816,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript.dll

[2012/12/13 03:01:58 | 000,717,824 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\jscript.dll

[2012/12/13 03:01:58 | 000,599,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\vbscript.dll

[2012/12/12 19:18:28 | 001,210,368 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\kernel32.dll

[2012/12/12 19:17:42 | 000,477,696 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\dpnet.dll

[2012/12/12 19:17:42 | 000,376,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\dpnet.dll

[2012/12/12 19:17:42 | 000,068,096 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\dpnathlp.dll

[2012/12/12 19:17:42 | 000,026,112 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\dpnsvr.exe

[2012/12/12 19:17:42 | 000,023,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\dpnsvr.exe

[2009/12/02 16:53:59 | 008,653,312 | ---- | C] (Dell, Inc. ) -- C:\Users\Kat Cyganiak\AppData\Roaming\DataSafeDotNet.exe

[2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2013/01/09 16:06:42 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Kat Cyganiak\Desktop\OTL.exe

[2013/01/09 15:29:00 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job

[2013/01/09 15:23:00 | 000,000,910 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job

[2013/01/09 15:04:36 | 000,688,992 | R--- | M] (Swearware) -- C:\Users\Kat Cyganiak\Desktop\dds.com

[2013/01/09 15:03:39 | 000,688,992 | ---- | M] (Swearware) -- C:\Users\Kat Cyganiak\Desktop\dds.scr

[2013/01/09 14:40:25 | 000,079,916 | ---- | M] () -- C:\ProgramData\nvModes.dat

[2013/01/09 14:40:25 | 000,079,916 | ---- | M] () -- C:\ProgramData\nvModes.001

[2013/01/09 14:38:20 | 000,000,906 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job

[2013/01/09 14:36:16 | 000,003,616 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0

[2013/01/09 14:36:16 | 000,003,616 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

[2013/01/09 14:36:13 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat

[2013/01/09 13:35:20 | 000,301,945 | ---- | M] () -- C:\Users\Kat Cyganiak\Desktop\HELP! how to removie rans_gendarm and google redirect viruses - Malwarebytes Forum.htm

[2013/01/09 04:29:31 | 000,697,864 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe

[2013/01/09 04:29:31 | 000,074,248 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

[2013/01/09 03:29:53 | 004,948,664 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT

[2013/01/09 03:09:08 | 000,731,514 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI

[2013/01/09 03:09:08 | 000,613,418 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat

[2013/01/09 03:09:08 | 000,107,806 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat

[2013/01/08 18:29:14 | 000,000,928 | ---- | M] () -- C:\Users\Kat Cyganiak\Desktop\RogueKillerX64 - Shortcut.lnk

[2013/01/08 02:05:30 | 000,000,588 | ---- | M] () -- C:\Users\Kat Cyganiak\Desktop\notepad - Shortcut.lnk

[2013/01/08 02:01:26 | 000,037,376 | ---- | M] () -- C:\Users\Kat Cyganiak\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2013/01/07 17:41:42 | 000,000,709 | ---- | M] () -- C:\Users\Kat Cyganiak\Desktop\eset_smart_security_live_installer - Shortcut.lnk

[2013/01/07 17:37:54 | 000,000,462 | -H-- | M] () -- C:\Windows\tasks\Norton Security Scan for Kat Cyganiak.job

[2013/01/07 06:48:21 | 000,001,172 | ---- | M] () -- C:\Users\Public\Desktop\Norton Security Scan.lnk

[2013/01/07 06:04:11 | 000,000,877 | ---- | M] () -- C:\Users\Public\Desktop\RealPlayer.lnk

[2013/01/07 06:03:20 | 000,201,424 | ---- | M] (RealNetworks, Inc.) -- C:\Windows\SysWow64\rmoc3260.dll

[2013/01/07 06:03:01 | 000,006,656 | ---- | M] (RealNetworks, Inc.) -- C:\Windows\SysWow64\pndx5016.dll

[2013/01/07 06:03:01 | 000,005,632 | ---- | M] (RealNetworks, Inc.) -- C:\Windows\SysWow64\pndx5032.dll

[2013/01/07 06:02:59 | 000,272,896 | ---- | M] (Progressive Networks) -- C:\Windows\SysWow64\pncrt.dll

[2013/01/07 05:09:38 | 000,000,567 | ---- | M] () -- C:\Users\Kat Cyganiak\Desktop\FRST64 - Shortcut.lnk

[2013/01/07 04:10:52 | 000,000,594 | ---- | M] () -- C:\Users\Kat Cyganiak\Desktop\RogueKiller - Shortcut.lnk

[2013/01/07 03:07:11 | 000,003,355 | ---- | M] () -- C:\Users\Kat Cyganiak\Desktop\pspbrwse.jbf

[2013/01/07 01:35:58 | 000,000,866 | ---- | M] () -- C:\Users\Kat Cyganiak\Desktop\mbam-chameleon - Shortcut.lnk

[2013/01/06 22:59:34 | 000,001,856 | ---- | M] () -- C:\Users\Public\Desktop\WinZip.lnk

[2013/01/06 22:59:34 | 000,001,802 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\WinZip Quick Pick.lnk

[2013/01/04 00:37:29 | 000,000,950 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

[2012/12/21 09:21:57 | 401,129,403 | ---- | M] () -- C:\Windows\MEMORY.DMP

[2012/12/21 09:14:14 | 000,751,078 | ---- | M] () -- C:\Users\Kat Cyganiak\AppData\Roaming\1.bmp

[2012/12/21 09:14:02 | 000,018,252 | ---- | M] () -- C:\Users\Kat Cyganiak\AppData\Roaming\sound.mp3

[2012/12/21 09:13:57 | 000,114,890 | ---- | M] () -- C:\Users\Kat Cyganiak\AppData\Roaming\1.jpg

[2012/12/16 07:31:20 | 000,048,128 | ---- | M] (Adobe Systems) -- C:\Windows\SysNative\atmlib.dll

[2012/12/16 07:12:54 | 000,034,304 | ---- | M] (Adobe Systems) -- C:\Windows\SysWow64\atmlib.dll

[2012/12/16 05:08:21 | 000,368,128 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysNative\atmfd.dll

[2012/12/16 04:50:29 | 000,293,376 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\atmfd.dll

[2012/12/14 16:49:28 | 000,024,176 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys

[2012/12/13 10:29:34 | 000,000,629 | ---- | M] () -- C:\Windows\SysNative\mapisvc.inf

[2012/12/13 10:27:44 | 000,001,696 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk

[2012/12/13 10:21:23 | 000,001,758 | ---- | M] () -- C:\Users\Public\Desktop\QuickTime Player.lnk

[2012/12/13 10:19:16 | 000,001,866 | ---- | M] () -- C:\Users\Public\Desktop\Safari.lnk

[2012/12/13 10:19:16 | 000,001,866 | ---- | M] () -- C:\Users\Kat Cyganiak\Application Data\Microsoft\Internet Explorer\Quick Launch\Apple Safari.lnk

[2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2013/01/09 13:35:18 | 000,301,945 | ---- | C] () -- C:\Users\Kat Cyganiak\Desktop\HELP! how to removie rans_gendarm and google redirect viruses - Malwarebytes Forum.htm

[2013/01/08 21:42:32 | 000,087,040 | ---- | C] () -- C:\Windows\SysNative\pdfcmnnt.dll

[2013/01/08 18:29:14 | 000,000,928 | ---- | C] () -- C:\Users\Kat Cyganiak\Desktop\RogueKillerX64 - Shortcut.lnk

[2013/01/08 02:05:30 | 000,000,588 | ---- | C] () -- C:\Users\Kat Cyganiak\Desktop\notepad - Shortcut.lnk

[2013/01/07 17:41:42 | 000,000,709 | ---- | C] () -- C:\Users\Kat Cyganiak\Desktop\eset_smart_security_live_installer - Shortcut.lnk

[2013/01/07 06:48:22 | 000,000,462 | -H-- | C] () -- C:\Windows\tasks\Norton Security Scan for Kat Cyganiak.job

[2013/01/07 06:48:21 | 000,001,172 | ---- | C] () -- C:\Users\Public\Desktop\Norton Security Scan.lnk

[2013/01/07 06:48:18 | 000,000,172 | ---- | C] () -- C:\Windows\SysNative\drivers\NSSx64\0307060.005\isolate.ini

[2013/01/07 06:04:11 | 000,000,877 | ---- | C] () -- C:\Users\Public\Desktop\RealPlayer.lnk

[2013/01/07 05:09:38 | 000,000,567 | ---- | C] () -- C:\Users\Kat Cyganiak\Desktop\FRST64 - Shortcut.lnk

[2013/01/07 04:10:52 | 000,000,594 | ---- | C] () -- C:\Users\Kat Cyganiak\Desktop\RogueKiller - Shortcut.lnk

[2013/01/07 03:07:11 | 000,003,355 | ---- | C] () -- C:\Users\Kat Cyganiak\Desktop\pspbrwse.jbf

[2013/01/07 01:35:58 | 000,000,866 | ---- | C] () -- C:\Users\Kat Cyganiak\Desktop\mbam-chameleon - Shortcut.lnk

[2013/01/06 22:59:34 | 000,001,856 | ---- | C] () -- C:\Users\Public\Desktop\WinZip.lnk

[2013/01/06 22:59:33 | 000,001,802 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\WinZip Quick Pick.lnk

[2013/01/04 17:47:53 | 000,002,641 | ---- | C] () -- C:\Windows\SysNative\drivers\mfencrk.inf

[2013/01/04 17:47:51 | 000,002,946 | ---- | C] () -- C:\Windows\SysNative\drivers\mfencbdc.inf

[2012/12/31 13:19:07 | 000,079,428 | ---- | C] () -- C:\Users\Kat Cyganiak\Desktop\sarah.jpg

[2012/12/21 10:00:19 | 000,000,950 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

[2012/12/21 09:21:57 | 401,129,403 | ---- | C] () -- C:\Windows\MEMORY.DMP

[2012/12/21 09:14:14 | 000,751,078 | ---- | C] () -- C:\Users\Kat Cyganiak\AppData\Roaming\1.bmp

[2012/12/21 09:14:02 | 000,018,252 | ---- | C] () -- C:\Users\Kat Cyganiak\AppData\Roaming\sound.mp3

[2012/12/21 09:13:56 | 000,114,890 | ---- | C] () -- C:\Users\Kat Cyganiak\AppData\Roaming\1.jpg

[2012/12/13 10:21:23 | 000,001,758 | ---- | C] () -- C:\Users\Public\Desktop\QuickTime Player.lnk

[2012/12/13 03:03:00 | 000,000,003 | ---- | C] () -- C:\Windows\SysNative\drivers\MsftWdf_User_01_11_00_Inbox_Critical.Wdf

[2012/12/13 03:03:00 | 000,000,003 | ---- | C] () -- C:\Windows\SysNative\drivers\MsftWdf_Kernel_01011_Inbox_Critical.Wdf

[2012/11/28 23:27:48 | 000,079,916 | ---- | C] () -- C:\ProgramData\nvModes.001

[2012/11/18 01:17:05 | 000,172,400 | ---- | C] () -- C:\Program Files (x86)\2pres.dll

[2012/04/24 15:39:30 | 000,000,218 | ---- | C] () -- C:\Users\Kat Cyganiak\.recently-used.xbel

[2011/10/23 15:02:40 | 000,000,702 | ---- | C] () -- C:\Windows\HEGAMES.INI

[2011/10/19 13:39:15 | 000,099,350 | ---- | C] () -- C:\Users\Kat Cyganiak\New document 1.2011_10_19_14_39_15.0.svg

[2011/09/15 22:27:17 | 000,000,016 | ---- | C] () -- C:\Windows\RealityFusion.ini

[2010/12/28 22:41:35 | 000,000,258 | RHS- | C] () -- C:\ProgramData\ntuser.pol

[2010/12/15 12:40:44 | 000,000,380 | ---- | C] () -- C:\Users\Kat Cyganiak\Documents - Shortcut.lnk

[2010/09/26 08:50:24 | 000,024,247 | ---- | C] () -- C:\Users\Kat Cyganiak\AppData\Roaming\UserTile.png

[2010/04/17 23:06:53 | 000,000,139 | ---- | C] () -- C:\ProgramData\Microsoft.SqlServer.Compact.351.32.bc

[2010/02/10 06:08:52 | 000,001,356 | ---- | C] () -- C:\Users\Kat Cyganiak\AppData\Local\d3d9caps.dat

[2009/12/02 01:02:11 | 000,870,128 | ---- | C] () -- C:\Users\Kat Cyganiak\AppData\Roaming\mcs.rma

[2009/12/02 01:02:11 | 000,000,004 | ---- | C] () -- C:\Users\Kat Cyganiak\AppData\Roaming\E2C539

[2009/11/02 14:10:30 | 000,037,376 | ---- | C] () -- C:\Users\Kat Cyganiak\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2009/10/14 17:26:26 | 000,079,916 | ---- | C] () -- C:\ProgramData\nvModes.dat

========== ZeroAccess Check ==========

[2006/11/02 09:30:40 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64

"" = C:\Windows\SysNative\shell32.dll -- [2012/06/08 11:59:03 | 012,899,840 | ---- | M] (Microsoft Corporation)

"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

"" = %SystemRoot%\system32\shell32.dll -- [2012/06/08 11:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation)

"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64

"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/04/11 01:11:14 | 000,891,392 | ---- | M] (Microsoft Corporation)

"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]

"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/04/11 00:28:19 | 000,614,912 | ---- | M] (Microsoft Corporation)

"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64

"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2008/01/20 20:50:58 | 000,513,024 | ---- | M] (Microsoft Corporation)

"ThreadingModel" = Both

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

========== Alternate Data Streams ==========

@Alternate Data Stream - 165 bytes -> C:\ProgramData\TEMP:DFC5A2B2

@Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:430C6D84

< End of report >


OTL Extras logfile created on: 1/9/2013 4:09:33 PM - Run 1

OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Kat Cyganiak\Desktop

64bit-Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation

Internet Explorer (Version = 9.0.8112.16421)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

5.99 Gb Total Physical Memory | 3.68 Gb Available Physical Memory | 61.40% Memory free

12.09 Gb Paging File | 9.92 Gb Available in Paging File | 82.02% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)

Drive C: | 451.07 Gb Total Space | 314.00 Gb Free Space | 69.61% Space Free | Partition Type: NTFS

Drive D: | 14.65 Gb Total Space | 5.72 Gb Free Space | 39.08% Space Free | Partition Type: NTFS

Computer Name: CYGANIAKS-PC | User Name: Kat Cyganiak | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]

.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

exefile [open] -- "%1" %*

helpfile [open] -- Reg Error: Key error.

inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)

InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)

InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)

exefile [open] -- "%1" %*

helpfile [open] -- Reg Error: Key error.

inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"cval" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

"AntiVirusOverride" = 0

"AntiSpywareOverride" = 0

"FirewallOverride" = 0

"VistaSp1" = 9F 9E 16 8C DC 5B C8 01 [binary data]

"VistaSp2" = 01 D5 7A EC AB 5F CA 01 [binary data]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

"oobe_av" = 1

========== Firewall Settings ==========

========== Authorized Applications List ==========

========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{02AD9D20-03D2-4DE0-8793-E8253026AD86}" = EMCGadgets64

"{21B133D6-5979-47F0-BE1C-F6A6B304693F}" = Visual Studio 2010 x64 Redistributables

"{22D8AE6F-3C6B-47E8-8F04-629F23DBE978}" = iTunes

"{26A24AE4-039D-4CA4-87B4-2F86416013FF}" = Java 6 Update 13 (64-bit)

"{60B2315F-680F-4EB3-B8DD-CCDC86A7CCAB}" = Roxio File Backup

"{655107BA-F557-4B0E-B344-BA1C85B08488}" = Motorola Mobile Drivers Installation 4.8.0

"{6DD01FF3-63CE-436B-96DB-61363EAA4EB8}" = MobileMe Control Panel

"{89BDAE1A-7B8E-4A0E-A169-02F7F366451D}" = iCloud

"{90120000-002A-0000-1000-0000000FF1CE}" = Microsoft Office Office 64-bit Components 2007

"{90120000-002A-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (English) 2007

"{90120000-0116-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007

"{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting

"{9B48B0AC-C813-4174-9042-476A887592C7}" = Windows Live ID Sign-in Assistant

"{CD95F661-A5C4-44F5-A6AA-ECDD91C240D7}" = WinZip 17.0

"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1

"{CFF4500E-C5D6-695D-A027-B3D4DDED2CC3}" = McAfee Online Backup

"{D70884EA-E2CE-4539-91DB-4766CC1E5F5F}" = Apple Mobile Device Support

"{E60B7350-EA5F-41E0-9D6F-E508781E36D2}" = Dell Dock

"{EF79C448-6946-4D71-8134-03407888C054}" = Shared C Run-time for x64

"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile

"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1

"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile

"NVIDIA Drivers" = NVIDIA Drivers

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}" = PDFCreator

"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148

"{020D8396-D6D9-4B53-A9A1-83C47E2E27AA}" = Windows Live Call

"{033E378E-6AD3-4AD5-BDEB-CBD69B31046C}" = Microsoft_VC90_ATL_x86

"{08D2E121-7F6A-43EB-97FD-629B44903403}" = Microsoft_VC90_CRT_x86

"{08E81ABD-79F7-49C2-881F-FD6CB0975693}" = Roxio Central Data

"{098122AB-C605-4853-B441-C0A4EB359B75}" = DirectXInstallService

"{0AAA9C97-74D4-47CE-B089-0B147EF3553C}" = Windows Live Messenger

"{0E6EC2D7-5C9B-28B7-C848-171EDACB9625}" = Warner Bros. Digital Copy Manager

"{1111706F-666A-4037-7777-211328764D10}" = JavaFX 2.1.1

"{13766F76-6C8C-4E57-A9F3-3212D1C6E0D1}" = Dell DataSafe Online

"{14DC0059-00F1-4F62-BD1A-AB23CD51A95E}" = Adobe AIR

"{15C77FC3-8137-4A5E-8F81-F559045DD6B0}" = Shipping Assistant 3.6

"{1F54DAFA-9261-4A62-B59D-6C9F26B48FE4}" = Roxio Central Tools

"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool

"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT

"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java 6 Update 30

"{26A24AE4-039D-4CA4-87B4-2F83217005FF}" = Java 7 Update 5

"{27C467F8-F8EF-4f68-BD72-D63632B2096C}" = McAfee Online Backup

"{28C2DED6-325B-4CC7-983A-1777C8F7FBAB}" = RealUpgrade 1.1

"{2B4C7E1E-E446-4740-ADB5-9842E742EE8A}" = Windows Live Toolbar

"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager

"{49FA793C-785E-47E9-93DF-BD442B0B45D1}" = McAfee Virtual Technician

"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater

"{4AB8B41B-3AF1-46BE-99B0-0ACD3B300C0A}" = Junk Mail filter update

"{537BF16E-7412-448C-95D8-846E85A1D817}" = Roxio Easy CD and DVD Burning

"{5A06423A-210C-49FB-950E-CB0EB8C5CEC7}" = Roxio BackOnTrack

"{5D95AD35-368F-47D5-B63A-A082DDF00111}" = Microsoft Digital Image Starter Edition 2006 Editor

"{612B5D2E-8084-4102-91DE-24281E4EFB2C}" = Roxio Easy CD and DVD Burning

"{612C34C7-5E90-47D8-9B5C-0F717DD82726}" = swMSM

"{635FED5B-2C6D-49BE-87E6-7A6FCD22BC5A}" = Microsoft_VC90_MFC_x86

"{63C1109E-D977-49ED-BCE3-D00D0BF187D6}" = Windows Live Mail

"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3

"{691F4068-81BF-49E3-B32E-FE3E16400111}" = Microsoft Digital Image Starter Edition 2006 Library

"{6A92E5C5-0578-443D-91F3-92ECE5F2CAE2}" = Windows Live Writer

"{6B4AD1A9-E73A-4184-9D6B-072F8A3C5EBA}" = VoiceOver Kit

"{73A4F29F-31AC-4EBD-AA1B-0CC5F18C8F83}" = Roxio Central Audio

"{7770E71B-2D43-4800-9CB3-5B6CAAEBEBEA}" = RealNetworks - Microsoft Visual C++ 2008 Runtime

"{7860ADB4-6A16-4245-B956-4DCCA6B371CF}" = Frontline Excel Solvers V11.0

"{7DB9F1E5-9ACB-410D-A7DC-7A3D023CE045}" = Dell Getting Started Guide

"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight

"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)

"{8D337F77-BE7F-41A2-A7CB-D5A63FD7049B}" = Sonic CinePlayer Decoder Pack

"{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}" = Choice Guard

"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007

"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)

"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007

"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)

"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007

"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)

"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007

"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)

"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007

"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)

"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007

"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{2314F9A1-126F-45CC-8A5E-DFAF866F3FBC}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)

"{90120000-002A-0000-1000-0000000FF1CE}_HOMESTUDENTR_{664655D8-B9BB-455D-8A58-7EAF7B0B2862}" = Microsoft Office 2007 Service Pack 3 (SP3)

"{90120000-002A-0409-1000-0000000FF1CE}_HOMESTUDENTR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)

"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007

"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007

"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)

"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007

"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)

"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007

"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)

"{90120000-0116-0409-1000-0000000FF1CE}_HOMESTUDENTR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)

"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In

"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007

"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)

"{92D58719-BBC1-4CC3-A08B-56C9E884CC2C}" = Microsoft_VC80_CRT_x86

"{94CAC2F1-C856-47F4-AF24-65A1E75AEDB9}" = MotoHelper MergeModules

"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

"{9F0A32A5-4EBF-4B9D-A3CD-31579F2E1400}" = Multimedia Card Reader

"{9F7FC79B-3059-4264-9450-39EB368E3225}" = Microsoft Digital Image Library 9 - Blocker

"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper

"{AAECF7BA-E83B-4A10-87EA-DE0B333F8734}" = RealNetworks - Microsoft Visual C++ 2010 Runtime

"{AC76BA86-7AD7-1033-7B44-A95000000001}" = Adobe Reader 9.5.2

"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9

"{AF0CE7C0-A3E4-4D73-988B-B29187EC6E9A}" = QuickTime

"{AF7EBCA4-9FAF-4DC8-8D09-67854BB84D34}" = RealDownloader

"{B4089055-D468-45A4-A6BA-5A138DD715FC}" = Bing Bar

"{B6A26DE5-F2B5-4D58-9570-4FC760E00FCD}" = Roxio Central Copy

"{B6D38690-755E-4F40-A35A-23F8BC2B86AC}" = Microsoft_VC90_MFCLOC_x86

"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)

"{C25D3128-3136-4B33-9D32-8F0F5E81F349}" = MGTEK dopisp

"{C6579A65-9CAE-4B31-8B6B-3306E0630A66}" = Apple Software Update

"{CCE825DB-347A-4004-A186-5F4A6FDD8547}" = Apple Application Support

"{D1A19B02-817E-4296-A45B-07853FD74D57}" = Microsoft_VC80_MFC_x86

"{D6DE02C7-1F47-11D4-9515-00105AE4B89A}" = Paint Shop Pro 7 Anniversary Edition

"{D92BBB52-82FF-42ED-8A3C-4E062F944AB7}" = Microsoft_VC80_MFCLOC_x86

"{D9D754A1-EAC5-406C-A28B-C49B1E846711}" = Windows Live Essentials

"{EC877639-07AB-495C-BFD1-D63AF9140810}" = Roxio Activation Module

"{ED439A64-F018-4DD4-8BA5-328D85AB09AB}" = Roxio Central Core

"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]

"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219

"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver

"{F69E83CF-B440-43F8-89E6-6EA80712109B}" = Windows Live Communications Platform

"{F73A5B18-EB75-4B2C-B32D-9457576E2417}" = Windows Live Photo Gallery

"{F751C062-87DA-4D33-8A12-6E7F1D4C051C}" = Netflix in Windows Media Center

"{FA4C2D53-205F-4245-9717-F3761154824D}" = Safari

"{FDB46DE7-9045-47BB-970A-3E4ED5369E03}" = EMC 10 Content

"{FDD810CA-D5E3-40E9-AB7B-36440B0D41EF}" = Windows Live Sync

"Adobe AIR" = Adobe AIR

"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX

"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin

"Adobe Shockwave Player" = Adobe Shockwave Player 11.6

"AT&T Yahoo! Browser Configuration" = AT&T Yahoo! Browser Configuration

"AudibleDownloadManager" = Audible Download Manager

"com.warnerbros.DigitalCopyManager.449F66ACC381FDC604DC2AA255FEECEEBBBEE1E5.1" = Warner Bros. Digital Copy Manager

"dcmsvc_is1" = dcmsvc 1.0

"eMusic Toolbar" = eMusic Toolbar

"FrostWire" = FrostWire 4.21.8

"Google Chrome" = Google Chrome

"HOMESTUDENTR" = Microsoft Office Home and Student 2007

"Inkscape" = Inkscape 0.48.2

"InstallShield_{9F0A32A5-4EBF-4B9D-A3CD-31579F2E1400}" = Multimedia Card Reader

"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.70.0.1100

"McAfee Security Scan" = McAfee Security Scan Plus

"MegaStat Excel 2007" = MegaStat Excel 2007

"MotoHelper" = MotoHelper 2.0.34 Driver 4.8.0

"Mozilla Firefox 17.0.1 (x86 en-US)" = Mozilla Firefox 17.0.1 (x86 en-US)

"MozillaMaintenanceService" = Mozilla Maintenance Service

"MSC" = McAfee Total Protection

"NSS" = Norton Security Scan

"PictureItSuiteTrial_v11" = Microsoft Digital Image Starter Edition 2006

"RealPlayer 16.0" = RealPlayer

"Rhapsody" = Rhapsody

"Shopping Sidekick Plugin" = Shopping Sidekick Plugin

"webmmf" = WebM Media Foundation Components

"WinLiveSuite_Wave3" = Windows Live Essentials

"Yahoo! Companion" = Yahoo! Toolbar

"Yahoo! Mail" = Yahoo! Internet Mail

"Yahoo! Mail Advisor" = Yahoo! Mail Advisor

"Yahoo! Search Defender" = Yahoo! Search Protection

"Yahoo! Software Update" = Yahoo! Software Update

"YInstHelper" = Yahoo! Install Manager

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

========== Last 20 Event Log Errors ==========

[ Application Events ]

Error - 10/19/2012 8:20:39 PM | Computer Name = Cyganiaks-PC | Source = MsiInstaller | ID = 11606

Description =

Error - 10/19/2012 8:20:39 PM | Computer Name = Cyganiaks-PC | Source = MsiInstaller | ID = 11606

Description =

Error - 10/21/2012 11:47:13 AM | Computer Name = Cyganiaks-PC | Source = Application Hang | ID = 1002

Description = The program iexplore.exe version 9.0.8112.16450 stopped interacting

with Windows and was closed. To see if more information about the problem is available,

check the problem history in the Problem Reports and Solutions control panel. Process

ID: 1bfc Start Time: 01cdaf95ed894a77 Termination Time: 79

Error - 10/23/2012 12:57:20 PM | Computer Name = Cyganiaks-PC | Source = Application Error | ID = 1000

Description = Faulting application MotoHelperAgent.exe, version 2.0.34.0, time stamp

0x4cc216d4, faulting module IEBHO.dll_unloaded, version 0.0.0.0, time stamp 0x507aa066,

exception code 0xc0000005, fault offset 0x6ac406f0, process id 0xf48, application

start time 0x01cdae5816d1648f.

Error - 10/23/2012 12:57:20 PM | Computer Name = Cyganiaks-PC | Source = Application Error | ID = 1000

Description = Faulting application msnmsgr.exe, version 14.0.8050.1202, time stamp

0x493623f7, faulting module IEBHO.dll_unloaded, version 0.0.0.0, time stamp 0x507aa066,

exception code 0xc0000005, fault offset 0x6ac406f0, process id 0xf10, application

start time 0x01cdae5826941f2f.

Error - 10/23/2012 12:57:46 PM | Computer Name = Cyganiaks-PC | Source = Application Error | ID = 1000

Description = Faulting application iexplore.exe, version 9.0.8112.16450, time stamp

0x503723f6, faulting module IEBHO.dll, version 1.0.0.1, time stamp 0x507aa066,

exception code 0xc0000005, fault offset 0x0001bcbf, process id 0xdc4, application

start time 0x01cdb13f626d270f.

Error - 10/23/2012 12:58:41 PM | Computer Name = Cyganiaks-PC | Source = Application Error | ID = 1000

Description = Faulting application iexplore.exe, version 9.0.8112.16450, time stamp

0x503723f6, faulting module IEBHO.dll, version 1.0.0.1, time stamp 0x507aa066,

exception code 0xc0000005, fault offset 0x0001bcbf, process id 0x1a84, application

start time 0x01cdb13dcf5aacc7.

Error - 10/23/2012 1:01:20 PM | Computer Name = Cyganiaks-PC | Source = Application Error | ID = 1000

Description = Faulting application iexplore.exe, version 9.0.8112.16450, time stamp

0x503723f6, faulting module IEBHO.dll, version 1.0.0.1, time stamp 0x507aa066,

exception code 0xc0000005, fault offset 0x0001bcbf, process id 0x14f4, application

start time 0x01cdb13db5b5b3f7.

Error - 10/23/2012 6:28:22 PM | Computer Name = Cyganiaks-PC | Source = Application Hang | ID = 1002

Description = The program iexplore.exe version 9.0.8112.16450 stopped interacting

with Windows and was closed. To see if more information about the problem is available,

check the problem history in the Problem Reports and Solutions control panel. Process

ID: 1030 Start Time: 01cdb16da4f3dbef Termination Time: 31

Error - 10/23/2012 6:35:28 PM | Computer Name = Cyganiaks-PC | Source = Application Error | ID = 1000

Description = Faulting application nvvsvc.exe, version 8.15.11.8595, time stamp

0x4a0fba70, faulting module NVSVC64.DLL, version 8.15.11.8595, time stamp 0x4a0fba6b,

exception code 0xc0000005, fault offset 0x000000000000408b, process id 0x4c4, application

start time 0x01cdb16ea8359ea4.

[ OSession Events ]

Error - 6/6/2010 3:52:10 PM | Computer Name = Cyganiaks-PC | Source = Microsoft Office 12 Sessions | ID = 7001

Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:

12.0.6524.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 459

seconds with 360 seconds of active time. This session ended with a crash.

Error - 3/20/2011 7:20:39 PM | Computer Name = Cyganiaks-PC | Source = Microsoft Office 12 Sessions | ID = 7001

Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:

12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 5270

seconds with 900 seconds of active time. This session ended with a crash.

Error - 2/25/2012 6:07:15 PM | Computer Name = Cyganiaks-PC | Source = Microsoft Office 12 Sessions | ID = 7001

Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:

12.0.6654.5003, Microsoft Office Version: 12.0.6612.1000. This session lasted 4682

seconds with 2220 seconds of active time. This session ended with a crash.

Error - 2/29/2012 8:41:12 PM | Computer Name = Cyganiaks-PC | Source = Microsoft Office 12 Sessions | ID = 7001

Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:

12.0.6654.5003, Microsoft Office Version: 12.0.6612.1000. This session lasted 65

seconds with 60 seconds of active time. This session ended with a crash.

Error - 12/18/2012 10:49:33 PM | Computer Name = Cyganiaks-PC | Source = Microsoft Office 12 Sessions | ID = 7001

Description = ID: 0, Application Name: Microsoft Office Word, Application Version:

12.0.6668.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 3162

seconds with 1200 seconds of active time. This session ended with a crash.

Error - 1/7/2013 11:20:40 PM | Computer Name = Cyganiaks-PC | Source = Microsoft Office 12 Sessions | ID = 7001

Description = ID: 0, Application Name: Microsoft Office Word, Application Version:

12.0.6668.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 7678

seconds with 4080 seconds of active time. This session ended with a crash.

[ System Events ]

Error - 1/9/2013 4:12:15 PM | Computer Name = Cyganiaks-PC | Source = DCOM | ID = 10010

Description =

Error - 1/9/2013 4:37:35 PM | Computer Name = Cyganiaks-PC | Source = Service Control Manager | ID = 7023

Description =

Error - 1/9/2013 4:37:35 PM | Computer Name = Cyganiaks-PC | Source = Service Control Manager | ID = 7000

Description =

Error - 1/9/2013 4:37:35 PM | Computer Name = Cyganiaks-PC | Source = Service Control Manager | ID = 7003

Description =

Error - 1/9/2013 4:37:35 PM | Computer Name = Cyganiaks-PC | Source = Service Control Manager | ID = 7000

Description =

Error - 1/9/2013 4:37:35 PM | Computer Name = Cyganiaks-PC | Source = Service Control Manager | ID = 7003

Description =

Error - 1/9/2013 4:37:35 PM | Computer Name = Cyganiaks-PC | Source = Service Control Manager | ID = 7000

Description =

Error - 1/9/2013 4:37:35 PM | Computer Name = Cyganiaks-PC | Source = Service Control Manager | ID = 7026

Description =

Error - 1/9/2013 4:38:07 PM | Computer Name = Cyganiaks-PC | Source = WMPNetworkSvc | ID = 866293

Description =

Error - 1/9/2013 4:38:54 PM | Computer Name = Cyganiaks-PC | Source = WMPNetworkSvc | ID = 866293

Description =

< End of report >

aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software

Run date: 2013-01-09 17:59:54

-----------------------------

17:59:54.914 OS Version: Windows x64 6.0.6002 Service Pack 2

17:59:54.914 Number of processors: 4 586 0x1E05

17:59:54.914 ComputerName: CYGANIAKS-PC UserName: Kat Cyganiak

17:59:58.861 Initialize success

18:00:14.154 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0

18:00:14.154 Disk 0 Vendor: ST3500418AS CC44 Size: 476940MB BusType: 3

18:00:14.170 Disk 0 MBR read successfully

18:00:14.185 Disk 0 MBR scan

18:00:14.185 Disk 0 Windows VISTA default MBR code

18:00:14.185 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 39 MB offset 63

18:00:14.185 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 15000 MB offset 81920

18:00:14.201 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 461899 MB offset 30801920

18:00:14.232 Disk 0 scanning C:\Windows\system32\drivers

18:00:17.571 Service scanning

18:00:27.336 Modules scanning

18:00:27.336 Disk 0 trace - called modules:

18:00:27.367 ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys

18:00:27.367 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80066ca060]

18:00:27.383 3 CLASSPNP.SYS[fffffa60010bcc33] -> nt!IofCallDriver -> [0xfffffa800642c520]

18:00:27.383 5 acpi.sys[fffffa60008ddfde] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8006429060]

18:00:27.383 Scan finished successfully

18:01:29.908 Disk 0 MBR has been saved successfully to "C:\Users\Kat Cyganiak\Desktop\MBR.dat"

18:01:29.923 The log file has been saved successfully to "C:\Users\Kat Cyganiak\Desktop\aswMBR.txt"

Please do this next:

Run OTL.exe

  • Copy/paste the following text written inside of the box into the Custom Scans/Fixes box located at the bottom of OTL
    :OTL
    @Alternate Data Stream - 165 bytes -> C:\ProgramData\TEMP:DFC5A2B2
    @Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:430C6D84
    :Commands
    [EmptyTemp]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, it will reboot when it is done and produce a log

Go to this page and download Malwarebytes Anti-Rootkit (MBAR)

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • MBAR will create logs that you will find in the same folder you found MBAR.exe. Please post those for me to review.

Download ComboFix from the link below, and save it to your desktop.

Link 1

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link

--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.

  • If you have trouble, stop and post back. Do not try to repeatedly run comboFix!
  • When finished, it will produce a report for you.

Note: If after running ComboFix you receive a message stating, "Illegal Operation Attempted on a registry key that has been marked for deletion" rebooting your computer will resolve the problem.

Please include the following in your next post:

  • OTL Fix log
  • MBAR log(s)
  • ComboFix log

OK, I did what you said to a "T" and both programs didn't run as you said they would. I shut down ALL of my McAfee and it was red. I got some error screen shots saying I had "processes running that may not allow ComboFix to work properly". Only on the ComboFix scan. But the report said it was still running. Maybe I'm reading it wrong and should just do what I'm told. Here are the 2 log reports.

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.01.0.1011

© Malwarebytes Corporation 2011-2012

OS version: 6.0.6002 Windows Vista Service Pack 2 x64

Account is Administrative

Internet Explorer version: 9.0.8112.16421

Java version: 1.6.0_30

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED

CPU speed: 2.660000 GHz

Memory total: 6432174080, free: 4173111296

------------ Kernel report ------------

01/09/2013 23:22:31

------------ Loaded modules -----------

\SystemRoot\system32\ntoskrnl.exe

\SystemRoot\system32\hal.dll

\SystemRoot\system32\kdcom.dll

\SystemRoot\system32\mcupdate_GenuineIntel.dll

\SystemRoot\system32\PSHED.dll

\SystemRoot\system32\CLFS.SYS

\SystemRoot\system32\CI.dll

\SystemRoot\system32\drivers\Wdf01000.sys

\SystemRoot\system32\drivers\WDFLDR.SYS

\SystemRoot\system32\drivers\acpi.sys

\SystemRoot\system32\drivers\WMILIB.SYS

\SystemRoot\system32\drivers\msisadrv.sys

\SystemRoot\system32\drivers\pci.sys

\SystemRoot\System32\drivers\partmgr.sys

\SystemRoot\system32\drivers\volmgr.sys

\SystemRoot\System32\drivers\volmgrx.sys

\SystemRoot\system32\drivers\pciide.sys

\SystemRoot\system32\drivers\PCIIDEX.SYS

\SystemRoot\System32\drivers\mountmgr.sys

\SystemRoot\system32\drivers\atapi.sys

\SystemRoot\system32\drivers\ataport.SYS

\SystemRoot\system32\drivers\fltmgr.sys

\SystemRoot\system32\drivers\fileinfo.sys

\SystemRoot\system32\drivers\mfehidk.sys

\SystemRoot\System32\Drivers\PxHlpa64.sys

\SystemRoot\System32\Drivers\ksecdd.sys

\SystemRoot\system32\drivers\ndis.sys

\SystemRoot\system32\drivers\msrpc.sys

\SystemRoot\system32\drivers\NETIO.SYS

\SystemRoot\System32\Drivers\Ntfs.sys

\SystemRoot\system32\drivers\volsnap.sys

\SystemRoot\System32\Drivers\spldr.sys

\SystemRoot\System32\Drivers\mup.sys

\SystemRoot\system32\drivers\McPvDrv.sys

\SystemRoot\System32\drivers\ecache.sys

\SystemRoot\system32\drivers\disk.sys

\SystemRoot\system32\drivers\CLASSPNP.SYS

\SystemRoot\system32\drivers\crcdisk.sys

\SystemRoot\system32\DRIVERS\tunnel.sys

\SystemRoot\system32\DRIVERS\tunmp.sys

\SystemRoot\system32\DRIVERS\intelppm.sys

\SystemRoot\system32\DRIVERS\nvlddmkm.sys

\SystemRoot\system32\DRIVERS\nvBridge.kmd

\SystemRoot\System32\drivers\dxgkrnl.sys

\SystemRoot\System32\drivers\watchdog.sys

\SystemRoot\system32\DRIVERS\HDAudBus.sys

\SystemRoot\system32\DRIVERS\usbehci.sys

\SystemRoot\system32\DRIVERS\USBPORT.SYS

\SystemRoot\system32\DRIVERS\ohci1394.sys

\SystemRoot\system32\DRIVERS\1394BUS.SYS

\SystemRoot\system32\DRIVERS\k57nd60a.sys

\SystemRoot\system32\DRIVERS\cdrom.sys

\SystemRoot\system32\DRIVERS\GEARAspiWDM.sys

\SystemRoot\system32\DRIVERS\msiscsi.sys

\SystemRoot\system32\DRIVERS\storport.sys

\SystemRoot\system32\DRIVERS\TDI.SYS

\SystemRoot\system32\DRIVERS\rasl2tp.sys

\SystemRoot\system32\DRIVERS\ndistapi.sys

\SystemRoot\system32\DRIVERS\ndiswan.sys

\SystemRoot\system32\DRIVERS\raspppoe.sys

\SystemRoot\system32\DRIVERS\raspptp.sys

\SystemRoot\system32\DRIVERS\rassstp.sys

\SystemRoot\system32\DRIVERS\termdd.sys

\SystemRoot\system32\DRIVERS\kbdclass.sys

\SystemRoot\system32\DRIVERS\mouclass.sys

\SystemRoot\system32\DRIVERS\swenum.sys

\SystemRoot\system32\DRIVERS\ks.sys

\SystemRoot\system32\DRIVERS\mssmbios.sys

\SystemRoot\system32\DRIVERS\umbus.sys

\SystemRoot\system32\DRIVERS\usbhub.sys

\SystemRoot\System32\Drivers\NDProxy.SYS

\SystemRoot\system32\drivers\nvhda64v.sys

\SystemRoot\system32\drivers\portcls.sys

\SystemRoot\system32\drivers\drmk.sys

\SystemRoot\system32\drivers\ksthunk.sys

\SystemRoot\system32\drivers\RTKVHD64.sys

\SystemRoot\system32\DRIVERS\MOBK.sys

\SystemRoot\System32\Drivers\Fs_Rec.SYS

\SystemRoot\System32\Drivers\Null.SYS

\SystemRoot\system32\DRIVERS\HIDPARSE.SYS

\SystemRoot\System32\drivers\vga.sys

\SystemRoot\System32\drivers\VIDEOPRT.SYS

\SystemRoot\System32\DRIVERS\RDPCDD.sys

\SystemRoot\system32\drivers\rdpencdd.sys

\SystemRoot\System32\Drivers\Msfs.SYS

\SystemRoot\System32\Drivers\Npfs.SYS

\SystemRoot\System32\DRIVERS\rasacd.sys

\SystemRoot\System32\drivers\tcpip.sys

\SystemRoot\System32\drivers\fwpkclnt.sys

\SystemRoot\system32\drivers\mfewfpk.sys

\SystemRoot\system32\DRIVERS\tdx.sys

\SystemRoot\system32\DRIVERS\smb.sys

\SystemRoot\System32\DRIVERS\netbt.sys

\SystemRoot\system32\drivers\afd.sys

\SystemRoot\system32\DRIVERS\pacer.sys

\SystemRoot\system32\DRIVERS\netbios.sys

\SystemRoot\system32\DRIVERS\wanarp.sys

\SystemRoot\system32\DRIVERS\rdbss.sys

\SystemRoot\system32\drivers\nsiproxy.sys

\SystemRoot\System32\Drivers\dfsc.sys

\SystemRoot\system32\drivers\mfeavfk.sys

\SystemRoot\system32\drivers\mfefirek.sys

\SystemRoot\system32\DRIVERS\mfencbdc.sys

\SystemRoot\System32\Drivers\crashdmp.sys

\SystemRoot\System32\Drivers\dump_dumpata.sys

\SystemRoot\System32\Drivers\dump_atapi.sys

\SystemRoot\system32\DRIVERS\usbprint.sys

\SystemRoot\system32\DRIVERS\USBD.SYS

\SystemRoot\system32\DRIVERS\hidusb.sys

\SystemRoot\system32\DRIVERS\HIDCLASS.SYS

\SystemRoot\system32\DRIVERS\USBSTOR.SYS

\SystemRoot\system32\DRIVERS\mouhid.sys

\SystemRoot\system32\DRIVERS\usbccgp.sys

\SystemRoot\system32\DRIVERS\usbscan.sys

\SystemRoot\system32\DRIVERS\kbdhid.sys

\SystemRoot\System32\win32k.sys

\SystemRoot\System32\drivers\Dxapi.sys

\SystemRoot\system32\DRIVERS\monitor.sys

\SystemRoot\System32\TSDDD.dll

\SystemRoot\System32\cdd.dll

\SystemRoot\System32\ATMFD.DLL

\SystemRoot\system32\drivers\luafv.sys

\??\C:\Windows\system32\drivers\mbam.sys

\SystemRoot\system32\drivers\WudfPf.sys

\SystemRoot\system32\drivers\spsys.sys

\SystemRoot\system32\DRIVERS\lltdio.sys

\SystemRoot\system32\DRIVERS\ndisuio.sys

\SystemRoot\system32\DRIVERS\rspndr.sys

\SystemRoot\system32\drivers\HTTP.sys

\SystemRoot\System32\DRIVERS\srvnet.sys

\SystemRoot\system32\DRIVERS\bowser.sys

\SystemRoot\system32\drivers\mrxdav.sys

\SystemRoot\system32\DRIVERS\mrxsmb.sys

\SystemRoot\system32\DRIVERS\mrxsmb10.sys

\SystemRoot\system32\DRIVERS\mrxsmb20.sys

\SystemRoot\System32\DRIVERS\srv2.sys

\SystemRoot\System32\DRIVERS\srv.sys

\SystemRoot\System32\Drivers\fastfat.SYS

\SystemRoot\system32\drivers\peauth.sys

\SystemRoot\System32\Drivers\secdrv.SYS

\SystemRoot\System32\drivers\tcpipreg.sys

\SystemRoot\system32\DRIVERS\WUDFRd.sys

\SystemRoot\system32\DRIVERS\cdfs.sys

\SystemRoot\system32\drivers\cfwids.sys

\SystemRoot\system32\drivers\mfeapfk.sys

\??\C:\Users\KATCYG~1\AppData\Local\Temp\aswMBR.sys

\SystemRoot\system32\DRIVERS\asyncmac.sys

\??\C:\Windows\system32\drivers\mbamchameleon.sys

\??\C:\Windows\system32\drivers\mbamswissarmy.sys

\Windows\System32\ntdll.dll

----------- End -----------

<<<1>>>

Upper Device Name: \Device\Harddisk4\DR4

Upper Device Object: 0xfffffa8007c0f060

Upper Device Driver Name: \Driver\disk\

Lower Device Name: \Device\00000072\

Lower Device Object: 0xfffffa8008af6640

Lower Device Driver Name: \Driver\USBSTOR\

Driver name found: USBSTOR

DriverEntry returned 0x0

Function returned 0x0

<<<1>>>

Upper Device Name: \Device\Harddisk3\DR3

Upper Device Object: 0xfffffa8008719060

Upper Device Driver Name: \Driver\disk\

Lower Device Name: \Device\00000071\

Lower Device Object: 0xfffffa8008af6060

Lower Device Driver Name: \Driver\USBSTOR\

Driver name found: USBSTOR

<<<1>>>

Upper Device Name: \Device\Harddisk2\DR2

Upper Device Object: 0xfffffa800871b060

Upper Device Driver Name: \Driver\disk\

Lower Device Name: \Device\00000070\

Lower Device Object: 0xfffffa8008f2bb70

Lower Device Driver Name: \Driver\USBSTOR\

Driver name found: USBSTOR

<<<1>>>

Upper Device Name: \Device\Harddisk1\DR1

Upper Device Object: 0xfffffa80085ad060

Upper Device Driver Name: \Driver\disk\

Lower Device Name: \Device\0000006f\

Lower Device Object: 0xfffffa80086ca9b0

Lower Device Driver Name: \Driver\USBSTOR\

Driver name found: USBSTOR

<<<1>>>

Upper Device Name: \Device\Harddisk0\DR0

Upper Device Object: 0xfffffa80066c7060

Upper Device Driver Name: \Driver\disk\

Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-0\

Lower Device Object: 0xfffffa8006427520

Lower Device Driver Name: \Driver\atapi\

Driver name found: atapi

DriverEntry returned 0x0

Function returned 0x0

Downloaded database version: v2013.01.10.02

Downloaded database version: v2013.01.04.01

Initializing...

Done!

<<<2>>>

Device number: 0, partition: 3

Physical Sector Size: 512

Drive: 0, DevicePointer: 0xfffffa80066c7060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\

--------- Disk Stack ------

DevicePointer: 0xfffffa80066920e0, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xfffffa80066c7060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\

DevicePointer: 0xfffffa800642b520, DeviceName: Unknown, DriverName: \Driver\ACPI\

DevicePointer: 0xfffffa8006427520, DeviceName: \Device\Ide\IdeDeviceP0T0L0-0\, DriverName: \Driver\atapi\

------------ End ----------

Upper DeviceData: 0xfffff8800fc7b550, 0xfffffa80066c7060, 0xfffffa80196c9080

Lower DeviceData: 0xfffff880123548c0, 0xfffffa8006427520, 0xfffffa80158748f0

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Scanning directory: C:\Windows\system32\drivers...

Done!

Drive 0

Scanning MBR on drive 0...

Inspecting partition table:

MBR Signature: 55AA

Disk Signature: 22CF417C

Partition information:

Partition 0 type is Other (0xde)

Partition is NOT ACTIVE.

Partition starts at LBA: 63 Numsec = 80262

Partition 1 type is Primary (0x7)

Partition is NOT ACTIVE.

Partition starts at LBA: 81920 Numsec = 30720000

Partition 2 type is Primary (0x7)

Partition is ACTIVE.

Partition starts at LBA: 30801920 Numsec = 945969200

Partition file system is NTFS

Partition is bootable

Partition 3 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Disk Size: 500107862016 bytes

Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-976753168-976773168)...

Physical Sector Size: 0

Drive: 1, DevicePointer: 0xfffffa80085ad060, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\disk\

--------- Disk Stack ------

DevicePointer: 0xfffffa8008538b90, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xfffffa80085ad060, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\disk\

DevicePointer: 0xfffffa80086ca9b0, DeviceName: \Device\0000006f\, DriverName: \Driver\USBSTOR\

------------ End ----------

Physical Sector Size: 0

Drive: 2, DevicePointer: 0xfffffa800871b060, DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\disk\

--------- Disk Stack ------

DevicePointer: 0xfffffa8008719b90, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xfffffa800871b060, DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\disk\

DevicePointer: 0xfffffa8008f2bb70, DeviceName: \Device\00000070\, DriverName: \Driver\USBSTOR\

------------ End ----------

Physical Sector Size: 0

Drive: 3, DevicePointer: 0xfffffa8008719060, DeviceName: \Device\Harddisk3\DR3\, DriverName: \Driver\disk\

--------- Disk Stack ------

DevicePointer: 0xfffffa800871bb90, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xfffffa8008719060, DeviceName: \Device\Harddisk3\DR3\, DriverName: \Driver\disk\

DevicePointer: 0xfffffa8008af6060, DeviceName: \Device\00000071\, DriverName: \Driver\USBSTOR\

------------ End ----------

Physical Sector Size: 0

Drive: 4, DevicePointer: 0xfffffa8007c0f060, DeviceName: \Device\Harddisk4\DR4\, DriverName: \Driver\disk\

--------- Disk Stack ------

DevicePointer: 0xfffffa8007c272e0, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xfffffa8007c0f060, DeviceName: \Device\Harddisk4\DR4\, DriverName: \Driver\disk\

DevicePointer: 0xfffffa8008af6640, DeviceName: \Device\00000072\, DriverName: \Driver\USBSTOR\

------------ End ----------

Done!

Performing system, memory and registry scan...

Infected: C:\Program Files (x86)\Shopping Sidekick Plugin\Shopping Sidekick Plugin.dll --> [PUP.215Apps]

Infected: HKLM\SOFTWARE\CLASSES\TYPELIB\{44444444-4444-4444-4444-440244184402}\1.0\0\win32 --> [PUP.215Apps]

Infected: C:\Program Files (x86)\Shopping Sidekick Plugin\Shopping Sidekick Plugin.dll --> [PUP.215Apps]

Infected: C:\Program Files (x86)\Shopping Sidekick Plugin\Shopping Sidekick Plugin-bg.exe --> [PUP.215Apps]

Infected: C:\Program Files (x86)\Shopping Sidekick Plugin\Shopping Sidekick Plugin-bg.exe --> [PUP.215Apps]

Infected: HKLM\SOFTWARE\CLASSES\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840} --> [PUP.Funmoods]

Infected: HKLM\SOFTWARE\WOW6432NODE\CLASSES\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840} --> [PUP.Funmoods]

Infected: HKCU\SOFTWARE\CLASSES\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840} --> [PUP.Funmoods]

Infected: HKCU\SOFTWARE\WOW6432NODE\CLASSES\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840} --> [PUP.Funmoods]

Infected: HKCU\SOFTWARE\INSTALLCORE\funmoods --> [PUP.FunMoods]

Done!

Scan finished

Creating System Restore point...

Scheduling clean up...

<<<2>>>

Device number: 0, partition: 3

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Removal scheduling successful. System shutdown needed.

System shutdown occurred

=======================================

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.01.0.1011

© Malwarebytes Corporation 2011-2012

OS version: 6.0.6002 Windows Vista Service Pack 2 x64

Account is Administrative

Internet Explorer version: 9.0.8112.16421

Java version: 1.6.0_30

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED

CPU speed: 2.660000 GHz

Memory total: 6432174080, free: 5185740800

ComboFix 13-01-08.01 - Kat Cyganiak 01/10/2013 13:21:13.1.4 - x64

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.6134.4217 [GMT -6:00]

Running from: c:\users\Kat Cyganiak\Desktop\ComboFix.exe

AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}

FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}

SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\Kat Cyganiak\AppData\Roaming\E2C539

c:\users\Public\invokesi.exe

c:\windows\security\Database\tmp.edb

c:\windows\SysWow64\Cache

c:\windows\SysWow64\Cache\272512937d9e61a4.fb

c:\windows\SysWow64\Cache\287204568329e189.fb

c:\windows\SysWow64\Cache\28bc8f716fd76a47.fb

c:\windows\SysWow64\Cache\31a0997e9a5b5eb3.fb

c:\windows\SysWow64\Cache\32c84fe32bb74d60.fb

c:\windows\SysWow64\Cache\3917078cb68ec657.fb

c:\windows\SysWow64\Cache\590ba23ce359fd0c.fb

c:\windows\SysWow64\Cache\610289e025a3ee9a.fb

c:\windows\SysWow64\Cache\651c5d3cdbfb8bd1.fb

c:\windows\SysWow64\Cache\6c59ac5e7e7a3ad0.fb

c:\windows\SysWow64\Cache\6d03dad1035885d3.fb

c:\windows\SysWow64\Cache\a8556537add6dfc5.fb

c:\windows\SysWow64\Cache\ad10a52aff5e038d.fb

c:\windows\SysWow64\Cache\bc700ca0c660fd66.fb

c:\windows\SysWow64\Cache\c1fa887b03019701.fb

c:\windows\SysWow64\Cache\c4d28dca2e7648be.fb

c:\windows\SysWow64\Cache\d201ef9910cd39de.fb

c:\windows\SysWow64\Cache\d2e94710a5708128.fb

c:\windows\SysWow64\Cache\d79b9dfe81484ec4.fb

c:\windows\SysWow64\Cache\f998975c9cc711ee.fb

.

.

((((((((((((((((((((((((( Files Created from 2012-12-10 to 2013-01-10 )))))))))))))))))))))))))))))))

.

.

2013-01-10 19:33 . 2013-01-10 19:51 -------- d-----w- c:\users\Kat Cyganiak\AppData\Local\temp

2013-01-10 19:33 . 2013-01-10 19:33 -------- d-----w- c:\users\Default\AppData\Local\temp

2013-01-10 04:31 . 2013-01-10 04:31 -------- d-----w- C:\_OTL

2013-01-10 04:29 . 2013-01-10 04:29 -------- d-----w- C:\skins

2013-01-10 04:29 . 2013-01-10 04:29 -------- d-----w- C:\w

2013-01-10 04:29 . 2013-01-10 04:29 -------- d-----w- C:\Cache

2013-01-09 06:16 . 2012-11-20 04:22 204288 ----a-w- c:\windows\SysWow64\ncrypt.dll

2013-01-09 06:16 . 2012-11-20 04:21 253952 ----a-w- c:\windows\system32\ncrypt.dll

2013-01-09 06:15 . 2012-11-23 01:54 2770432 ----a-w- c:\windows\system32\win32k.sys

2013-01-09 06:15 . 2012-11-02 10:47 1869824 ----a-w- c:\windows\system32\msxml3.dll

2013-01-09 06:15 . 2012-11-02 10:47 1794560 ----a-w- c:\windows\system32\msxml6.dll

2013-01-09 06:15 . 2012-11-02 10:19 1400832 ----a-w- c:\windows\SysWow64\msxml6.dll

2013-01-09 06:15 . 2012-11-02 10:19 1248768 ----a-w- c:\windows\SysWow64\msxml3.dll

2013-01-09 06:15 . 2012-11-22 04:22 456192 ----a-w- c:\windows\system32\shlwapi.dll

2013-01-09 03:57 . 2013-01-09 04:00 -------- d-----w- c:\programdata\MFAData

2013-01-09 03:57 . 2013-01-09 03:57 -------- d-----w- c:\users\Kat Cyganiak\AppData\Local\MFAData

2013-01-09 03:57 . 2013-01-09 03:57 -------- d-----w- c:\users\Kat Cyganiak\AppData\Local\Avg2013

2013-01-09 03:42 . 2005-03-12 06:07 87040 ----a-w- c:\windows\system32\pdfcmnnt.dll

2013-01-09 03:42 . 1998-06-24 06:00 137000 ----a-w- c:\windows\SysWow64\MSMAPI32.OCX

2013-01-09 03:42 . 2013-01-09 03:42 -------- d-----w- c:\program files (x86)\PDFCreator

2013-01-09 03:42 . 1998-07-06 06:00 23552 ----a-w- c:\windows\SysWow64\MSMPIDE.DLL

2013-01-09 03:41 . 2013-01-09 03:41 -------- d-----w- c:\users\Kat Cyganiak\AppData\Local\Shopping Sidekick Plugin

2013-01-09 03:41 . 2013-01-10 08:19 -------- d-----w- c:\program files (x86)\Shopping Sidekick Plugin

2013-01-09 03:41 . 2013-01-09 03:41 -------- d-----w- c:\users\Kat Cyganiak\AppData\Roaming\Funmoods

2013-01-08 05:07 . 2013-01-08 05:07 -------- d-----w- c:\program files\ESET

2013-01-07 22:12 . 2013-01-07 22:12 -------- d-----w- c:\program files (x86)\Common Files\Symantec Shared

2013-01-07 12:48 . 2013-01-07 12:48 -------- d-----w- c:\programdata\Symantec

2013-01-07 12:48 . 2013-01-07 12:48 -------- d-----w- c:\windows\system32\drivers\NSSx64

2013-01-07 12:48 . 2013-01-07 12:48 -------- d-----w- c:\programdata\Norton

2013-01-07 12:48 . 2013-01-07 12:48 -------- d-----w- c:\program files (x86)\Norton Security Scan

2013-01-07 12:48 . 2013-01-07 12:48 -------- d-----w- c:\program files (x86)\NortonInstaller

2013-01-07 12:07 . 2013-01-07 12:07 -------- d-----w- c:\users\Kat Cyganiak\AppData\Roaming\RealNetworks

2013-01-07 12:03 . 2013-01-07 12:03 -------- d-----w- c:\program files (x86)\RealNetworks

2013-01-07 12:03 . 2013-01-07 12:03 -------- d-----w- c:\programdata\RealNetworks

2013-01-07 12:03 . 2013-01-07 12:03 -------- d-----w- c:\program files (x86)\Common Files\xing shared

2013-01-07 12:02 . 2013-01-07 12:02 499712 ----a-w- c:\windows\SysWow64\msvcp71.dll

2013-01-07 12:02 . 2013-01-07 12:02 348160 ----a-w- c:\windows\SysWow64\msvcr71.dll

2013-01-07 11:59 . 2013-01-07 11:59 -------- d-----w- c:\users\Kat Cyganiak\AppData\Local\Real

2013-01-07 11:09 . 2013-01-07 11:10 -------- d-----w- C:\FRST

2013-01-07 05:00 . 2013-01-07 05:00 -------- d-----w- c:\users\Kat Cyganiak\AppData\Local\WinZip

2013-01-07 04:59 . 2013-01-07 04:59 -------- d-----w- c:\programdata\WinZip

2013-01-07 04:59 . 2013-01-07 04:59 -------- d-----w- c:\program files\WinZip

2013-01-05 01:42 . 2013-01-05 02:11 -------- d-----w- c:\users\Kat Cyganiak\AppData\Local\McAfee File Lock

2013-01-04 23:48 . 2013-01-04 23:48 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\McAfee File Lock

2013-01-04 23:48 . 2012-05-28 16:28 197264 ----a-w- c:\windows\system32\drivers\HipShieldK.sys

2012-12-21 16:00 . 2012-12-21 16:00 -------- d-----w- c:\users\Kat Cyganiak\AppData\Roaming\Malwarebytes

2012-12-21 16:00 . 2012-12-21 16:00 -------- d-----w- c:\programdata\Malwarebytes

2012-12-21 16:00 . 2013-01-04 06:37 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware

2012-12-21 16:00 . 2012-12-14 22:49 24176 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-12-21 14:48 . 2013-01-10 04:29 -------- d-----w- C:\e

2012-12-21 14:48 . 2013-01-10 04:29 -------- d-----w- C:\Data

2012-12-21 09:00 . 2012-12-16 13:31 48128 ----a-w- c:\windows\system32\atmlib.dll

2012-12-21 09:00 . 2012-12-16 13:12 34304 ----a-w- c:\windows\SysWow64\atmlib.dll

2012-12-21 09:00 . 2012-12-16 11:08 368128 ----a-w- c:\windows\system32\atmfd.dll

2012-12-21 09:00 . 2012-12-16 10:50 293376 ----a-w- c:\windows\SysWow64\atmfd.dll

2012-12-13 16:26 . 2012-12-13 16:27 -------- d-----w- c:\programdata\34BE82C4-E596-4e99-A191-52C6199EBF69

2012-12-13 16:21 . 2012-12-13 16:21 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin7.dll

2012-12-13 16:21 . 2012-12-13 16:21 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin6.dll

2012-12-13 16:21 . 2012-12-13 16:21 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin5.dll

2012-12-13 16:21 . 2012-12-13 16:21 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin4.dll

2012-12-13 16:21 . 2012-12-13 16:21 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin3.dll

2012-12-13 16:21 . 2012-12-13 16:21 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin2.dll

2012-12-13 16:21 . 2012-12-13 16:21 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin.dll

2012-12-13 16:21 . 2012-12-13 16:21 -------- d-----w- c:\program files (x86)\QuickTime

2012-12-13 09:01 . 2012-11-14 06:11 2312704 ----a-w- c:\windows\system32\jscript9.dll

2012-12-13 01:18 . 2012-09-28 16:34 1210368 ----a-w- c:\windows\system32\kernel32.dll

2012-12-13 01:18 . 2012-08-21 11:50 267648 ----a-w- c:\windows\system32\drivers\volsnap.sys

2012-12-13 01:17 . 2012-11-13 01:45 2048 ----a-w- c:\windows\system32\tzres.dll

2012-12-13 01:17 . 2012-11-13 01:29 2048 ----a-w- c:\windows\SysWow64\tzres.dll

2012-12-13 01:17 . 2012-11-02 10:45 477696 ----a-w- c:\windows\system32\dpnet.dll

2012-12-13 01:17 . 2012-11-02 10:45 68096 ----a-w- c:\windows\system32\dpnathlp.dll

2012-12-13 01:17 . 2012-11-02 10:18 376320 ----a-w- c:\windows\SysWow64\dpnet.dll

2012-12-13 01:17 . 2012-11-02 08:59 26112 ----a-w- c:\windows\system32\dpnsvr.exe

2012-12-13 01:17 . 2012-11-02 08:26 23040 ----a-w- c:\windows\SysWow64\dpnsvr.exe

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-01-09 10:29 . 2012-03-29 13:58 697864 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2013-01-09 10:29 . 2012-03-14 17:41 74248 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2013-01-09 09:03 . 2006-11-02 12:35 67599240 ----a-w- c:\windows\system32\mrt.exe

2012-11-09 12:40 . 2012-11-09 12:40 69672 ----a-w- c:\windows\system32\drivers\cfwids.sys

2012-11-09 12:37 . 2011-12-06 23:44 339776 ----a-w- c:\windows\system32\drivers\mfewfpk.sys

2012-11-09 12:37 . 2011-12-06 23:28 177680 ----a-w- c:\windows\system32\mfevtps.exe

2012-11-09 12:35 . 2011-03-13 17:20 771096 ----a-w- c:\windows\system32\drivers\mfehidk.sys

2012-11-09 12:34 . 2012-11-09 12:34 515528 ----a-w- c:\windows\system32\drivers\mfefirek.sys

2012-11-09 12:34 . 2012-11-09 12:34 309400 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2012-11-09 12:33 . 2012-11-09 12:33 178840 ----a-w- c:\windows\system32\drivers\mfeapfk.sys

2012-11-02 07:46 . 2012-11-02 07:46 97208 ----a-w- c:\windows\system32\drivers\mfencrk.sys

2012-11-02 07:46 . 2012-11-02 07:46 328976 ----a-w- c:\windows\system32\drivers\mfencbdc.sys

2012-11-02 07:46 . 2012-11-02 07:46 10544 ----a-w- c:\windows\system32\drivers\mfeclnrk.sys

2012-10-25 09:12 . 2012-10-25 09:12 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx

2012-10-25 09:12 . 2012-10-25 09:12 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts

2012-10-19 15:51 . 2012-09-26 04:30 74120 ----a-w- c:\windows\system32\drivers\McPvDrv.sys

2012-05-17 15:52 . 2012-11-18 07:17 172400 ----a-w- c:\program files (x86)\2pres.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files (x86)\Yahoo!\Companion\Installs\cpn6\yt.dll" [2012-11-26 1525088]

.

[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]

[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]

[HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]

[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]

.

[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{9ee802e8-c931-47ab-b570-aa8f791598ca}]

2009-11-20 08:22 2166296 ----a-w- c:\program files (x86)\eMusic\tbeMu1.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]

"{9ee802e8-c931-47ab-b570-aa8f791598ca}"= "c:\program files (x86)\eMusic\tbeMu1.dll" [2009-11-20 2166296]

.

[HKEY_CLASSES_ROOT\clsid\{9ee802e8-c931-47ab-b570-aa8f791598ca}]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"ShwiconXP9106"="c:\program files (x86)\Multimedia Card Reader(9106)\ShwiconXP9106.exe" [2009-07-17 237568]

"Dell DataSafe Online"="c:\program files (x86)\Dell DataSafe Online\DataSafeOnline.exe" [2009-07-07 1779952]

"YSearchProtection"="c:\program files (x86)\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]

"dcmsvc"="c:\program files (x86)\dcmsvc\dcmsvc.exe" [2009-04-07 30440]

"AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-09-27 59240]

"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-11-29 151952]

"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]

"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2012-10-07 454160]

"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-07-31 38872]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-11 919008]

"YMailAdvisor"="c:\program files (x86)\Yahoo!\Common\YMailAdvisor.exe" [2009-05-08 174424]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]

"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-10-25 421888]

"mcpltui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2012-10-07 454160]

"TkBellExe"="c:\program files (x86)\real\realplayer\Update\realsched.exe" [2013-01-07 295072]

.

c:\users\Sarah\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-6-30 1316192]

.

c:\users\Kat Cyganiak\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-6-30 1316192]

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

Warner Bros.lnk - c:\program files (x86)\Warner Bros. Digital Copy Manager\Warner Bros. Digital Copy Manager.exe [2010-3-20 95232]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Audible Download Manager.lnk - c:\program files (x86)\Audible\Bin\AudibleDownloadHelper.exe [2010-10-19 1795488]

McAfee Security Scan Plus.lnk - c:\program files (x86)\McAfee Security Scan\3.0.285\SSScheduler.exe [2012-9-5 271808]

WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK32.EXE [2012-10-18 685496]

.

c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-6-30 1316192]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]

"LoadAppInit_DLLs"=1 (0x1)

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]

@="Service"

.

S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-03-31 92160]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

*Deregistered* - mfeavfk01

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]

iissvcs REG_MULTI_SZ w3svc was

apphost REG_MULTI_SZ apphostsvc

.

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

Themes

.

Contents of the 'Scheduled Tasks' folder

.

2013-01-10 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-29 10:29]

.

2013-01-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-03-14 18:56]

.

2013-01-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-03-14 18:56]

.

2013-01-09 c:\windows\Tasks\Norton Security Scan for Kat Cyganiak.job

- c:\progra~2\NORTON~2\Engine\376~1.5\Nss.exe [2013-01-07 10:19]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK]

@="{3c3f3c1a-9153-7c05-f938-622e7003894d}"

[HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}]

2010-04-14 02:11 3816248 ----a-w- c:\program files (x86)\McAfee Online Backup\MOBKshell.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2]

@="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}"

[HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}]

2010-04-14 02:11 3816248 ----a-w- c:\program files (x86)\McAfee Online Backup\MOBKshell.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3]

@="{b4caf489-1eec-c617-49ad-8d7088598c06}"

[HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}]

2010-04-14 02:11 3816248 ----a-w- c:\program files (x86)\McAfee Online Backup\MOBKshell.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-05-23 7833120]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-05-17 16308768]

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://www.yahoo.com/

mStart Page = hxxp://www.yahoo.com/

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = 192.168.*.*;<local>

uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s

Trusted Zone: internet

Trusted Zone: mcafee.com

Trusted Zone: real.com\rhap-app-4-0

Trusted Zone: real.com\rhapreg

TCP: DhcpNameServer = 192.168.1.254

FF - ProfilePath - c:\users\Kat Cyganiak\AppData\Roaming\Mozilla\Firefox\Profiles\sojvyjpv.default\

FF - prefs.js: browser.search.selectedEngine - Secure Search

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=

FF - ExtSQL: 2013-01-03 11:08; {46551EC9-40F0-4e47-8E18-8E5CF550CFB8}; c:\users\Kat Cyganiak\AppData\Roaming\Mozilla\Firefox\Profiles\sojvyjpv.default\extensions\{46551EC9-40F0-4e47-8E18-8E5CF550CFB8}.xpi

FF - ExtSQL: 2013-01-03 11:08; {4176DFF4-4698-11DE-BEEB-45DA55D89593}; c:\users\Kat Cyganiak\AppData\Roaming\Mozilla\Firefox\Profiles\sojvyjpv.default\extensions\{4176DFF4-4698-11DE-BEEB-45DA55D89593}.xpi

FF - ExtSQL: 2013-01-03 11:08; {3e0c7f3a-3f50-4730-beb5-4a9a10e2831c}; c:\users\Kat Cyganiak\AppData\Roaming\Mozilla\Firefox\Profiles\sojvyjpv.default\extensions\{3e0c7f3a-3f50-4730-beb5-4a9a10e2831c}

FF - ExtSQL: 2013-01-03 11:08; {2b5e07c4-cc81-4624-8936-820622afdbd5}; c:\users\Kat Cyganiak\AppData\Roaming\Mozilla\Firefox\Profiles\sojvyjpv.default\extensions\{2b5e07c4-cc81-4624-8936-820622afdbd5}.xpi

FF - ExtSQL: 2013-01-03 11:08; twitter@disconnect.me; c:\users\Kat Cyganiak\AppData\Roaming\Mozilla\Firefox\Profiles\sojvyjpv.default\extensions\twitter@disconnect.me.xpi

FF - ExtSQL: 2013-01-03 11:08; personas@christopher.beard; c:\users\Kat Cyganiak\AppData\Roaming\Mozilla\Firefox\Profiles\sojvyjpv.default\extensions\personas@christopher.beard.xpi

FF - ExtSQL: 2013-01-03 11:08; chromeview@systemantics.net; c:\users\Kat Cyganiak\AppData\Roaming\Mozilla\Firefox\Profiles\sojvyjpv.default\extensions\chromeview@systemantics.net.xpi

FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

FF - user.js: extensions.funmoods.hmpg - true

FF - user.js: extensions.funmoods.hmpgUrl - hxxp://searchfunmoods.com/?f=1&a=adknlg1y&ir=adknlg1y&cd=2XzuyEtN2Y1L1QzutDtDtByDyCyE0DyByE0E0DyEzz0BtCtCtN0D0Tzu0CtAyByEtN1L2XzutBtFtBtFtCtFyEtDyB&cr=1892756836

FF - user.js: extensions.funmoods.dfltSrch - true

FF - user.js: extensions.funmoods.srchPrvdr - Funmoods

FF - user.js: extensions.funmoods.dnsErr - true

FF - user.js: extensions.funmoods_i.newTab - true

FF - user.js: extensions.funmoods.newTabUrl - hxxp://searchfunmoods.com/?f=2&a=adknlg1y&ir=adknlg1y&cd=2XzuyEtN2Y1L1QzutDtDtByDyCyE0DyByE0E0DyEzz0BtCtCtN0D0Tzu0CtAyByEtN1L2XzutBtFtBtFtCtFyEtDyB&cr=1892756836

FF - user.js: extensions.funmoods.tlbrSrchUrl - hxxp://searchfunmoods.com/?f=3&a=adknlg1y&ir=adknlg1y&cd=2XzuyEtN2Y1L1QzutDtDtByDyCyE0DyByE0E0DyEzz0BtCtCtN0D0Tzu0CtAyByEtN1L2XzutBtFtBtFtCtFyEtDyB&cr=1892756836&q=

FF - user.js: extensions.funmoods.id - 002564D74ED48B11

FF - user.js: extensions.funmoods.instlDay - 15713

FF - user.js: extensions.funmoods.vrsn - 1.5.23.22

FF - user.js: extensions.funmoods.vrsni - 1.5.23.22

FF - user.js: extensions.funmoods_i.vrsnTs - 1.5.23.2221:40

FF - user.js: extensions.funmoods.prtnrId - funmoods

FF - user.js: extensions.funmoods.prdct - funmoods

FF - user.js: extensions.funmoods.aflt - adknlg1y

FF - user.js: extensions.funmoods_i.smplGrp - none

FF - user.js: extensions.funmoods.tlbrId - base

FF - user.js: extensions.funmoods.instlRef - adknlg1y

FF - user.js: extensions.funmoods.dfltLng -

FF - user.js: extensions.funmoods.excTlbr - false

FF - user.js: extensions.funmoods.autoRvrt - false

FF - user.js: extensions.funmoods.envrmnt - production

FF - user.js: extensions.funmoods.isdcmntcmplt - true

FF - user.js: extensions.funmoods.mntrvrsn - 1.3.0

.

- - - - ORPHANS REMOVED - - - -

.

BHO-{11111111-1111-1111-1111-110211181102} - c:\program files (x86)\Shopping Sidekick Plugin\Shopping Sidekick Plugin.dll

BHO-{3ec1a45c-8bc3-4bfe-b226-4051c5d3d068} - c:\progra~2\SEARCH~1\Datamngr\SRTOOL~1\searchresultsDx.dll

Toolbar-{3ec1a45c-8bc3-4bfe-b226-4051c5d3d068} - c:\progra~2\SEARCH~1\Datamngr\SRTOOL~1\searchresultsDx.dll

Toolbar-10 - (no file)

Wow6432Node-HKCU-Run-Akamai NetSession Interface - c:\users\Kat Cyganiak\AppData\Local\Akamai\netsession_win.exe

Wow6432Node-HKCU-Run-MobileDocuments - c:\program files (x86)\Common Files\Apple\Internet Services\ubd.exe

Wow6432Node-HKLM-Run-ROC_roc_ssl_v12 - c:\program files (x86)\AVG Secure Search\ROC_roc_ssl_v12.exe

SafeBoot-WudfPf

SafeBoot-WudfRd

Toolbar-10 - (no file)

WebBrowser-{9EE802E8-C931-47AB-B570-AA8F791598CA} - (no file)

HKLM-Run-Skytel - c:\program files\Realtek\Audio\HDA\Skytel.exe

AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe

AddRemove-RealPlayer 16.0 - c:\program files (x86)\real\realplayer\Update\r1puninst.exe

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-1443698480-2959366254-1151133129-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]

@Denied: (Full) (RestrictedCode)

@Denied: (Full) (LocalSystem)

@Denied: (Full) (S-1-5-21-1443698480-2959366254-1151133129-1000)

@Denied: (Full) (Administrators)

.

[HKEY_USERS\S-1-5-21-1443698480-2959366254-1151133129-1000_Classes\Wow6432Node\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]

@Denied: (Full) (RestrictedCode)

@Denied: (Full) (LocalSystem)


"@%SystemRoot%\\system32\\wer.dll,-295"="Per user queued Windows Error Reporting Files"

"@%SystemRoot%\\system32\\wer.dll,-296"="Files used for error reporting and solution checking."

"@%SystemRoot%\\system32\\wer.dll,-301"="System archived Windows Error Reporting Files"

"@%SystemRoot%\\system32\\wer.dll,-302"="Files used for error reporting and solution checking."

"@%SystemRoot%\\system32\\wer.dll,-299"="System queued Windows Error Reporting Files"

"@%SystemRoot%\\system32\\wer.dll,-300"="Files used for error reporting and solution checking."

"@c:\\Windows\\system32\\filemgmt.dll,-2204"="Services"

"@c:\\Program Files (x86)\\iTunes\\iTunes.Resources\\iTunesRegistry.dll,-3"="AIFF Audio File"

"@c:\\Program Files (x86)\\iTunes\\iTunes.Resources\\iTunesRegistry.dll,-9"="MPEG Layer 2 Audio"

"@c:\\Program Files (x86)\\iTunes\\iTunes.Resources\\iTunesRegistry.dll,-7"="M3U Audio Playlist"

"c:\\Program Files (x86)\\QuickTime\\QuickTimePlayer.exe"="QuickTime Player"

"c:\\Program Files (x86)\\Real\\RealPlayer\\RealPlay.exe"="RealPlayer"

"@c:\\Windows\\System32\\gameux.dll,-10046"="Microsoft Games"

"@c:\\Windows\\ehome\\ehepgres.dll,-277"="Recorded TV"

"c:\\Program Files (x86)\\Microsoft Office\\Office12\\POWERPNT.EXE"="Microsoft Office PowerPoint"

"c:\\Program Files (x86)\\Inkscape\\inkscape.exe"="Inkscape"

"@c:\\Program Files (x86)\\Microsoft Silverlight\\4.1.10111.0\\npctrlui.dll,-400"="Microsoft Silverlight"

"@c:\\PROGRA~1\\MICROS~1\\PURBLE~1\\PurblePlace.exe,-112"="Purble Place"

"@c:\\PROGRA~1\\MICROS~1\\Mahjong\\Mahjong.exe,-44419"="Mahjong Titans"

"@c:\\Program Files (x86)\\iTunes\\iTunes.Resources\\iTunesRegistry.dll,-10"="MPEG Layer 3 Audio"

"@c:\\Program Files (x86)\\iTunes\\iTunes.Resources\\iTunesRegistry.dll,-15"="WAVE Audio File"

"c:\\Program Files\\Windows Photo Gallery\\WindowsPhotoGallery.exe"="Windows Photo Gallery"

"@c:\\Windows\\SysWOW64\\ieframe.dll,-24585"="Cascading Style Sheet Document"

"@c:\\Windows\\System32\\wshext.dll,-4804"="JScript Script File"

"@c:\\Windows\\System32\\wshext.dll,-4802"="VBScript Script File"

"c:\\Windows\\SysWOW64\\javaws.exe"="Java Web Start Launcher"

"c:\\Program Files (x86)\\Microsoft Digital Image 2006\\pi.exe"="Microsoft Digital Image 2006 Editor"

"c:\\PROGRA~2\\Rhapsody\\rhapsody.exe"="RealNetworks Rhapsody"

"@c:\\Windows\\system32\\unregmp2.exe,-9991"="&Play"

"c:\\Program Files\\WinZip\\WINZIP64.EXE"="WinZip"

"@%ProgramFiles(x86)%\\Windows Live\\Photo Gallery\\regres.dll,-3077;en-us.8051.1204"="Icon"

"@c:\\Windows\\system32\\mmcbase.dll,-130"="Microsoft Common Console Document"

"@c:\\Windows\\System32\\msxml3r.dll,-2"="XSL Stylesheet"

"@c:\\Windows\\System32\\msrating.dll,-3000"="Rating System File"

"@c:\\Windows\\System32\\setupapi.dll,-2000"="Setup Information"

"@c:\\Windows\\System32\\acppage.dll,-6003"="Windows Command Script"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_146_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_146_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]

@Denied: (A 2) (Everyone)

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]

@="Shockwave Flash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]

@Denied: (A 2) (Everyone)

@=""

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]

@="FlashBroker"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]

"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]

"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Nico Mak Computing\WinZip]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Dell\DellDock\DockLogin.exe

c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE

c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe

c:\program files (x86)\Motorola\MotoHelper\MotoHelperService.exe

c:\windows\SysWOW64\rundll32.exe

c:\program files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe

c:\program files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe

c:\program files (x86)\Motorola\MotoHelper\MotoHelperAgent.exe

.

**************************************************************************

.

Completion time: 2013-01-10 13:55:10 - machine was rebooted

ComboFix-quarantined-files.txt 2013-01-10 19:55

.

Pre-Run: 404,320,927,744 bytes free

Post-Run: 406,006,222,848 bytes free

.

- - End Of File - - B7157D4981E031E192808170A4BEA2CA


Please do this next:

You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM

  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Uncheck any entries from C:\System Volume Information, C:\_OTL\MovedFiles or C:\Qoobox
  • Make sure that everything else is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

Please include the following in your next post:

  • MBAM log
  • JRT log


Sorry it took so long, my Father is in the hospital, he has cancer. Anyway here are the logs you asked for. There are two logs for the MBAM because I forgot to shut down McAfee the first time and it "QUARANTINED" the infected stuff. I keep noticing that this "FUNMOODS" SEARCH tab keeps popping up in the background of Google Chrome when my daughter uses it. (I HATE G.C.) so I uninstalled it. Don't know if that was cool or not, that FUNMOODS thing just wouldn't GO AWAY. If I "Fed" up I'm sorry, I said I would follow directions, PLEASE don't blow me off now :(

Malwarebytes Anti-Malware 1.70.0.1100

www.malwarebytes.org

Database version: v2013.01.15.02

Windows Vista Service Pack 2 x64 NTFS

Internet Explorer 9.0.8112.16421

Kat Cyganiak :: CYGANIAKS-PC [administrator]

1/14/2013 7:26:25 PM

mbam-log-2013-01-14 (19-26-25).txt

Scan type: Full scan (C:\|D:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 552603

Time elapsed: 2 hour(s), 57 minute(s), 19 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 6

HKCR\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840} (PUP.Funmoods) -> Quarantined and deleted successfully.

HKCR\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706} (PUP.Funmoods) -> Quarantined and deleted successfully.

HKCR\esrv.funmoodsESrvc.1 (PUP.Funmoods) -> Quarantined and deleted successfully.

HKCR\esrv.funmoodsESrvc (PUP.Funmoods) -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A} (PUP.Funmoods) -> Quarantined and deleted successfully.

HKLM\SOFTWARE\InstallCore\funmoods (PUP.FunMoods) -> Quarantined and deleted successfully.

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 1

C:\Program Files (x86)\Windows Live\Messenger\riched20.dll (PUP.FunWebProducts) -> Quarantined and deleted successfully.

(end)

Malwarebytes Anti-Malware 1.70.0.1100

www.malwarebytes.org

Database version: v2013.01.15.02

Windows Vista Service Pack 2 x64 NTFS

Internet Explorer 9.0.8112.16421

Kat Cyganiak :: CYGANIAKS-PC [administrator]

1/15/2013 6:50:06 PM

mbam-log-2013-01-15 (18-50-06).txt

Scan type: Full scan (C:\|D:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 552774

Time elapsed: 1 hour(s), 36 minute(s), 11 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Junkware Removal Tool (JRT) by Thisisu

Version: 4.4.2 (01.08.2013:1)

OS: Windows Vista Home Premium x64

Ran by Kat Cyganiak on Tue 01/15/2013 at 3:00:12.43

Blog: http://thisisudax.blogspot.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

Successfully deleted: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\toolbar\\{ef99bd32-c1fb-11d2-892f-0090271d4f88}

~~~ Registry Keys

Successfully deleted: [Registry Key] hkey_current_user\software\conduit

Successfully deleted: [Registry Key] hkey_local_machine\software\conduit

Successfully deleted: [Registry Key] hkey_current_user\software\datamngr_toolbar

Successfully deleted: [Registry Key] hkey_local_machine\software\freeze.com

Successfully deleted: [Registry Key] hkey_current_user\software\appdatalow\software\conduit

Successfully deleted: [Registry Key] hkey_current_user\software\appdatalow\software\crossrider

Successfully deleted: [Registry Key] hkey_current_user\software\appdatalow\software\fun web products

Successfully deleted: [Registry Key] hkey_current_user\software\appdatalow\software\funwebproducts

Successfully deleted: [Registry Key] hkey_local_machine\software\classes\appid\esrv.exe

Successfully deleted: [Registry Key] hkey_local_machine\software\classes\installer\products\a28b4d68debaa244eb686953b7074fef

Successfully deleted: [Registry Key-Heur] HKEY_LOCAL_MACHINE\software\classes\CrossriderApp0021802.BHO

Successfully deleted: [Registry Key-Heur] HKEY_LOCAL_MACHINE\software\classes\CrossriderApp0021802.Sandbox

Successfully deleted: [Registry Key-Heur] HKEY_LOCAL_MACHINE\software\classes\CrossriderApp0021802.Sandbox.1

Successfully deleted: [Registry Key-Heur] HKEY_LOCAL_MACHINE\software\classes\Toolbar.CT1641676

Successfully deleted: [Registry Key] hkey_classes_root\clsid\{02478d38-c3f9-4efb-9b51-7695eca05670}

Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{02478d38-c3f9-4efb-9b51-7695eca05670}

Successfully deleted: [Registry Key] hkey_classes_root\clsid\{11111111-1111-1111-1111-110211181102}

Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{11111111-1111-1111-1111-110211181102}

Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{171debeb-c3d4-40b7-ac73-056a5eba4a7e}

Successfully deleted: [Registry Key] hkey_classes_root\clsid\{3c471948-f874-49f5-b338-4f214a2ee0b1}

Successfully deleted: [Registry Key] hkey_classes_root\clsid\{9afb8248-617f-460d-9366-d71cdeda3179}

Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}

Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}

Successfully deleted: [Registry Key] hkey_classes_root\clsid\{ca3eb689-8f09-4026-aa10-b9534c691ce0}

Successfully deleted: [Registry Key] hkey_classes_root\clsid\{d824f0de-3d60-4f57-9eb1-66033ecd8abb}

Successfully deleted: [Registry Key] hkey_classes_root\clsid\{ef99bd32-c1fb-11d2-892f-0090271d4f88}

~~~ Files

~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\boost_interprocess"

Successfully deleted: [Folder] "C:\ProgramData\trymedia"

Successfully deleted: [Folder] "C:\ProgramData\wecarereminder"

Successfully deleted: [Folder] "C:\Users\Kat Cyganiak\AppData\Roaming\funmoods"

Successfully deleted: [Folder] "C:\Users\Kat Cyganiak\AppData\Roaming\opencandy"

Successfully deleted: [Folder] "C:\Users\Kat Cyganiak\appdata\local\opencandy"

Successfully deleted: [Folder] "C:\Users\Kat Cyganiak\appdata\locallow\conduit"

Successfully deleted: [Folder] "C:\Users\Kat Cyganiak\appdata\locallow\datamngr"

~~~ FireFox

Successfully deleted: [File] C:\Users\Kat Cyganiak\AppData\Roaming\mozilla\firefox\profiles\sojvyjpv.default\user.js

Successfully deleted: [File] C:\Users\Kat Cyganiak\AppData\Roaming\mozilla\firefox\profiles\sojvyjpv.default\searchplugins\search_results.xml

Successfully deleted the following from C:\Users\Kat Cyganiak\AppData\Roaming\mozilla\firefox\profiles\sojvyjpv.default\prefs.js

user_pref("browser.search.order.1", "Search Results");

user_pref("extensions.funmoods.aflt", "adknlg1y");

user_pref("extensions.funmoods.autoRvrt", false);

user_pref("extensions.funmoods.dfltLng", "");

user_pref("extensions.funmoods.dfltSrch", true);

user_pref("extensions.funmoods.dnsErr", true);

user_pref("extensions.funmoods.envrmnt", "production");

user_pref("extensions.funmoods.excTlbr", false);

user_pref("extensions.funmoods.hmpg", true);

user_pref("extensions.funmoods.hmpgUrl", "http://searchfunmoods.com/?f=1&a=adknlg1y&ir=adknlg1y&cd=2XzuyEtN2Y1L1QzutDtDtByDyCyE0DyByE0E0DyEzz0BtCtCtN0D0Tzu0CtAyByEtN1L2XzutBtF

user_pref("extensions.funmoods.id", "002564D74ED48B11");

user_pref("extensions.funmoods.instlDay", "15713");

user_pref("extensions.funmoods.instlRef", "adknlg1y");

user_pref("extensions.funmoods.isdcmntcmplt", true);

user_pref("extensions.funmoods.mntrvrsn", "1.3.0");

user_pref("extensions.funmoods.newTabUrl", "http://searchfunmoods.com/?f=2&a=adknlg1y&ir=adknlg1y&cd=2XzuyEtN2Y1L1QzutDtDtByDyCyE0DyByE0E0DyEzz0BtCtCtN0D0Tzu0CtAyByEtN1L2XzutB

user_pref("extensions.funmoods.prdct", "funmoods");

user_pref("extensions.funmoods.prtnrId", "funmoods");

user_pref("extensions.funmoods.srchPrvdr", "Funmoods");

user_pref("extensions.funmoods.tlbrId", "base");

user_pref("extensions.funmoods.tlbrSrchUrl", "http://searchfunmoods.com/?f=3&a=adknlg1y&ir=adknlg1y&cd=2XzuyEtN2Y1L1QzutDtDtByDyCyE0DyByE0E0DyEzz0BtCtCtN0D0Tzu0CtAyByEtN1L2Xzu

user_pref("extensions.funmoods.vrsn", "1.5.23.22");

user_pref("extensions.funmoods.vrsni", "1.5.23.22");

user_pref("extensions.funmoods_i.newTab", true);

user_pref("extensions.funmoods_i.smplGrp", "none");

user_pref("extensions.funmoods_i.vrsnTs", "1.5.23.2221:40:58");

Emptied folder: C:\Users\Kat Cyganiak\AppData\Roaming\mozilla\firefox\profiles\sojvyjpv.default\minidumps [14 files]

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Scan was completed on Tue 01/15/2013 at 3:08:01.14

End of JRT log

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


I'm sorry about your father. I have no trouble with you uninstalling Chrome either. Please do this next:

Go here to run an online scanner from ESET. Windows Vista/Windows 7 users will need to right click on their Internet Explorer shortcut, and select Run as Administrator.

  • Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
  • Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.
  • Close the ESET online scan, and let me know how things are now.

Please include the following in your next post:

  • How is the computer running now?
  • ESET log


Sorry again, here's that log from ESET. WOW the word Trojan is in there a lot!

C:\Users\Kat Cyganiak\AppData\Local\Google\Chrome\User Data\Default\Default\aalecobnbdlnmjlmkbmefgeecfnlnhjl\background.html Win32/BHO.OEI trojan

C:\Users\Kat Cyganiak\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\14\1eae594e-6e4fce4c a variant of Java/Exploit.Agent.NEA trojan

C:\Users\Kat Cyganiak\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\34182e61-687a0d34 a variant of Java/TrojanDownloader.Agent.NBA trojan

C:\Users\Kat Cyganiak\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\47\67c420ef-552a2e2f a variant of Java/Exploit.CVE-2012-4681.CD trojan

C:\Users\Kat Cyganiak\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\49\10663c71-71541a46 a variant of Java/Exploit.Agent.NEA trojan

C:\Users\Kat Cyganiak\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\63\729f233f-3f2be397 a variant of Java/Exploit.Agent.NEA trojan

C:\Users\Kat Cyganiak\AppData\Roaming\FrostWire\.AppSpecialShare\frostwire-4.21.5.windows.exe Win32/OpenCandy application

C:\Users\Kat Cyganiak\AppData\Roaming\FrostWire\.AppSpecialShare\frostwire-4.21.8.windows.exe Win32/OpenCandy application

C:\Users\Kat Cyganiak\Downloads\cbsidlm-tr1_7-Free_Convert_MP3_to_WMA-SEO-75176736.exe Win32/DownloadAdmin.D application

C:\Users\Kat Cyganiak\Downloads\DownloadManagerSetup.exe a variant of Win32/InstallCore.BB application

C:\Users\Kat Cyganiak\Downloads\FreeMp3WmaConverterSetup-r100-w.exe Win32/Toolbar.SearchSuite application

C:\Users\Kat Cyganiak\Downloads\installer_adobe_illustrator.exe multiple threats

C:\Users\Kat Cyganiak\Downloads\Setup.exe a variant of Win32/Adware.iBryte.D application

C:\Users\Kat Cyganiak\Downloads\WinZip170.exe a variant of Win32/OpenInstall application

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FP8AK6ME\updater-startnow-200-2.5-g[1].exe a variant of Win32/Toolbar.Zugo application

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FP8AK6ME\updater-startnow-200-2.5-g[1].exe a variant of Win32/Toolbar.Zugo application


Please do this next and let me know how the computer is running afterwards, please:

Run OTL.exe

  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
    :Files
    C:\Users\Kat Cyganiak\AppData\Local\Google\Chrome\User Data\Default\Default\aalecobnbdlnmjlmkbmefgeecfnlnhjl\background.html
    C:\Users\Kat Cyganiak\AppData\Roaming\FrostWire\.AppSpecialShare\frostwire-4.21.5.windows.exe
    C:\Users\Kat Cyganiak\AppData\Roaming\FrostWire\.AppSpecialShare\frostwire-4.21.8.windows.exe
    C:\Users\Kat Cyganiak\Downloads\cbsidlm-tr1_7-Free_Convert_MP3_to_WMA-SEO-75176736.exe
    C:\Users\Kat Cyganiak\Downloads\DownloadManagerSetup.exe
    C:\Users\Kat Cyganiak\Downloads\FreeMp3WmaConverterSetup-r100-w.exe
    C:\Users\Kat Cyganiak\Downloads\installer_adobe_illustrator.exe
    C:\Users\Kat Cyganiak\Downloads\Setup.exe
    C:\Users\Kat Cyganiak\Downloads\WinZip170.exe
    [EmptyTemp]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, it will reboot when it is done and produce a log

Please include the following in your next post:

  • OTL Fix log
  • How is the computer running now?


It seems to be running OK, no BIG change. I don't know if it matters but on the (processes killed) I still see the Google Chrome thing and FrostWire and MP3 convert things. ALL of these were deleted (uninstalled) but like I said I am not THAT savvy. THANKS AGAIN!

All processes killed

Error: Unable to interpret <:FilesC:\Users\Kat Cyganiak\AppData\Local\Google\Chrome\User Data\Default\Default\aalecobnbdlnmjlmkbmefgeecfnlnhjl\background.htmlC:\Users\Kat Cyganiak\AppData\Roaming\FrostWire\.AppSpecialShare\frostwire-4.21.5.windows.exeC:\Users\Kat Cyganiak\AppData\Roaming\FrostWire\.AppSpecialShare\frostwire-4.21.8.windows.exeC:\Users\Kat Cyganiak\Downloads\cbsidlm-tr1_7-Free_Convert_MP3_to_WMA-SEO-75176736.exeC:\Users\Kat Cyganiak\Downloads\DownloadManagerSetup.exeC:\Users\Kat Cyganiak\Downloads\FreeMp3WmaConverterSetup-r100-w.exeC:\Users\Kat Cyganiak\Downloads\installer_adobe_illustrator.exeC:\Users\Kat Cyganiak\Downloads\Setup.exeC:\Users\Kat Cyganiak\Downloads\WinZip170.exe[EmptyTemp]> in the current context!

OTL by OldTimer - Version 3.2.69.0 log created on 01222013_204856

Files\Folders moved on Reboot...

PendingFileRenameOperations files...

Registry entries deleted on Reboot...


OK, the first time I copied/pasted that text in the window, it pasted all in one line. This time when I pasted it I hit Enter where the lines are supposed to be divided so it looked like the original, and this is what came back. I also shut off ALL of my virus scanners and firewalls.

All processes killed

========== FILES ==========

C:\Users\Kat Cyganiak\AppData\Local\Google\Chrome\User Data\Default\Default\aalecobnbdlnmjlmkbmefgeecfnlnhjl\background.html moved successfully.

C:\Users\Kat Cyganiak\AppData\Roaming\FrostWire\.AppSpecialShare\frostwire-4.21.5.windows.exe moved successfully.

C:\Users\Kat Cyganiak\AppData\Roaming\FrostWire\.AppSpecialShare\frostwire-4.21.8.windows.exe moved successfully.

C:\Users\Kat Cyganiak\Downloads\cbsidlm-tr1_7-Free_Convert_MP3_to_WMA-SEO-75176736.exe moved successfully.

C:\Users\Kat Cyganiak\Downloads\DownloadManagerSetup.exe moved successfully.

C:\Users\Kat Cyganiak\Downloads\FreeMp3WmaConverterSetup-r100-w.exe moved successfully.

C:\Users\Kat Cyganiak\Downloads\installer_adobe_illustrator.exe moved successfully.

C:\Users\Kat Cyganiak\Downloads\Setup.exe moved successfully.

C:\Users\Kat Cyganiak\Downloads\WinZip170.exe moved successfully.

File\Folder [EmptyTemp] not found.

OTL by OldTimer - Version 3.2.69.0 log created on 01242013_180137

Files\Folders moved on Reboot...

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

My computer seems to be quite a bit faster


That's much better, but I see now that I left a line out of the script. I need you to run one more:

Run OTL.exe

  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
    :Commands
    [EmptyTemp]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, it will reboot when it is done and produce a log

Post that log for me when you're done, please.
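The two OTL scripts in this thread show two ways a fix script goes wrong: the first paste collapsed onto one line ("Unable to interpret <...> in the current context!"), and [EmptyTemp] placed under :Files came back as "File\Folder [EmptyTemp] not found." because it is a command and belongs under :Commands. As an added example (my own checker, not OTL's parser; the validation rules and the assumption that only :Files and :Commands sections occur are mine, not OTL's documented behaviour), a small script that flags both mistakes before the script is run:

```python
"""Checker for OTL custom fix scripts (added example, not OTL's own parser).

Section and command names come from the scripts posted in this thread; the
validation rules and the two-section limit are assumptions of this example.
"""
import re

# Sections seen in this thread's scripts (assumption: only these are checked).
KNOWN_SECTIONS = {":Files", ":Commands"}
# Bracketed directives that are commands rather than file paths.
COMMANDS = {"[EmptyTemp]"}
# Absolute Windows path, e.g. C:\Users\...
WIN_PATH = re.compile(r"^[A-Za-z]:\\")
# A section header immediately followed by more text = collapsed paste.
COLLAPSED = re.compile(r"^:(Files|Commands)\S")


def validate_otl_script(text):
    """Return a list of problem strings; an empty list means the script looks usable."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        return ["script is empty"]

    # Failure 1 from the thread: everything pasted on a single line.
    if len(lines) == 1 and COLLAPSED.match(lines[0]):
        return ["script is on a single line; OTL reports "
                "'Unable to interpret <...> in the current context!'"]

    problems = []
    section = None
    for n, ln in enumerate(lines, 1):
        if ln.startswith(":"):
            if ln not in KNOWN_SECTIONS:
                problems.append("line %d: unknown section %r" % (n, ln))
            section = ln
            continue
        if section is None:
            problems.append("line %d: entry before any section header" % n)
        elif section == ":Files":
            # Failure 2 from the thread: a command under :Files is treated as a
            # path and reported as "File\Folder [EmptyTemp] not found."
            if ln in COMMANDS:
                problems.append("line %d: %s is a command and belongs under "
                                ":Commands, not :Files" % (n, ln))
            elif not WIN_PATH.match(ln):
                problems.append("line %d: not an absolute Windows path: %r" % (n, ln))
        elif section == ":Commands":
            if ln not in COMMANDS:
                problems.append("line %d: unrecognised command %r" % (n, ln))
    return problems


# Shortened versions of the thread's scripts (constructed for this example).
FIRST_SCRIPT = r""":Files
C:\Users\Kat Cyganiak\Downloads\Setup.exe
C:\Users\Kat Cyganiak\Downloads\WinZip170.exe
[EmptyTemp]
"""
COLLAPSED_PASTE = r":FilesC:\Users\Kat Cyganiak\Downloads\Setup.exe[EmptyTemp]"
CORRECTED_SCRIPT = r""":Files
C:\Users\Kat Cyganiak\Downloads\Setup.exe
:Commands
[EmptyTemp]
"""

if __name__ == "__main__":
    for name, script in (("collapsed paste", COLLAPSED_PASTE),
                         ("first script", FIRST_SCRIPT),
                         ("corrected script", CORRECTED_SCRIPT)):
        print(name + ":", validate_otl_script(script) or "OK")
```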


  • 2 weeks later...

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
