Grandma's computer got ran over by a malware, along a satu..


  • This topic is locked
34 replies to this topic

#1 joecool111 (Members, 19 posts)

Posted 27 August 2010 - 01:49 AM

Hey guys,

Wanted to say thanks for all that you guys do in helping others. I usually am the one helping others myself, but today I find myself in need of help. I've got grandma's laptop; she's been playing those internet games and got the stuffins knocked out of her computer. I've run Malwarebytes, Microsoft Security Essentials, Windows Safety Scanner, SpyHunter, and Spybot S&D multiple times, in and out of safe mode. They are all coming up clear now. I have removed or disabled (from within IE 'Manage add-ons') all the BHOs that are not mainstream (MS, Adobe), yet still all three browsers (IE, FF, Chrome) go bananas when I try to go places, safe or full mode. I put Arora on here and it, so far, is not slammered.

The system is a Walmart-special Toshiba laptop running Vista Basic, Celeron dual core. Here's the URL that comes up when I try to go to Trend Micro...

hxxp://stopmalwaresite.com/block.php?url=http://www.trendmicro.com/go

Here's the DDS.txt log file (everything here is from safe mode). I've also attached it, as it may be easier to work with from within your own Notepad (word wrap). I've attached the Attach.txt DDS file, the GMER log and a HijackThis log (dunno if it's of any use yet...). Set up my forum account for email notifications and so forth... Thanks guys!


DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by Mary at 1:48:49.17 on Fri 08/27/2010
Internet Explorer: 8.0.6001.18943
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1915.965 [GMT -4:00]

SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\System32\vds.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Arora\arora.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE
C:\Users\Mary\Desktop\Defogger.exe
C:\Users\Mary\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page =
uDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Lexmark Printable Web: {d2c5e510-be6d-42cc-9f61-e4f939078474} - c:\program files\lexmark printable web\bho.dll
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - No File
TB: &Inbox.com Toolbar: {4b3803ea-5230-4dc3-a7fc-33638f3d3542} - c:\progra~1\inbox\ctbr.dll
TB: &Inbox Toolbar: {d7e97865-918f-41e4-9cd0-25ab1c574ce8} - c:\progra~1\inboxt~1\Inbox.dll
TB: {F6B40D73-1671-4A2F-BD6F-B1DD69E0F9A0} - No File
TB: {3041D03E-FD4B-44E0-B742-2D9B88305F98} - No File
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1150596.exe -Update -1150596 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; FunWebProducts; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30618; OfficeLiveConnector.1.3; OfficeLivePatch.0.0)" -"http://www.praize.com/Games/Bowling/"
mRun: [Skytel] Skytel.exe
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRunOnce: [{1017A80C-6F09-4548-A84D-EDD6AC9525F0}] "c:\program files\lexmark toolbar\temp\setup.exe" english "c:\program files\Lexmark Toolbar" /ie
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\users\mary\appdata\roaming\microsoft\windows\start menu\programs\startup\OneNote Table Of Contents.onetoc2
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {B1CF6225-211E-4B4C-B466-5F224E348FF3} - c:\program files\inbox\weather\CWeather.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
Handler: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} -
Handler: lbxfile - {56831180-F115-11d2-B6AA-00104B2B9943} - c:\program files\libronix dls\system\FileProt.dll
Handler: lbxres - {24508F1B-9E94-40EE-9759-9AF5795ADF52} - c:\program files\libronix dls\system\ResProt.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\users\mary\appdata\roaming\mozilla\firefox\profiles\nrftk4gi.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tb50-ff-green-chromesbox-en-us&query=
FF - prefs.js: browser.search.selectedEngine - MyWebSearch
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZZ&fl=0&ptb=XRw1DJpIxGWswU6NgKSEOw&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor=
FF - component: c:\users\mary\appdata\roaming\mozilla\firefox\profiles\nrftk4gi.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
FF - user.js: protocol-handler.warn-external.dnUpdate - false
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\drivers\jswpslwf.sys [2008-11-25 20384]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2008-9-30 7168]
S1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\dddsk.sys [2009-5-14 22312]
S1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 151216]
S2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2008-4-17 40960]
S2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S2 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\jumpstart\jswpsapi.exe [2008-11-25 954368]
S2 lxdu_device;lxdu_device;c:\windows\system32\lxducoms.exe -service --> c:\windows\system32\lxducoms.exe -service [?]
S2 lxduCATSCustConnectService;lxduCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxduserv.exe [2008-5-23 94208]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-8-24 1153368]
S2 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\enigma~1\spyhun~1\SH4SER~1.EXE [2010-7-14 326488]
S2 TMachInfo;TMachInfo;c:\program files\toshiba\toshiba service station\TMachInfo.exe [2008-9-30 46392]
S2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\toshiba\smartlogservice\TosIPCSrv.exe [2007-12-3 126976]
S3 IO_Memory;IO_Memory;c:\windows\system32\sysprep\drivers\IOPort.SYS [2008-11-25 4170]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2009-12-2 42368]
S3 SVRPEDRV;SVRPEDRV;c:\windows\system32\sysprep\PEDRV.SYS [2008-9-30 9216]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-8-16 136176]

=============== Created Last 30 ================

2010-08-27 05:48:31 0 ----a-w- c:\users\mary\defogger_reenable
2010-08-27 01:22:17 0 d-----w- c:\program files\Arora
2010-08-27 01:17:30 0 d-----w- c:\users\mary\appdata\roaming\Canneverbe Limited
2010-08-27 01:17:30 0 d-----w- c:\programdata\Canneverbe Limited
2010-08-27 01:17:17 7168 ----a-w- c:\windows\system32\drivers\StarOpen.sys
2010-08-27 00:38:51 0 d-----w- c:\program files\Trend Micro
2010-08-25 00:41:10 0 d-----w- C:\sh4ldr
2010-08-25 00:41:10 0 d-----w- c:\program files\Enigma Software Group
2010-08-25 00:40:58 0 d-----w- c:\windows\CED3DF1E01D145ADBF3364AE5E8843B8.TMP
2010-08-25 00:40:54 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-08-24 20:53:13 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-08-21 13:51:15 0 d-----w- c:\program files\webserver
2010-08-16 12:28:47 0 d-----w- c:\programdata\Google
2010-08-12 10:44:59 1248768 ----a-w- c:\windows\system32\msxml3.dll
2010-08-12 10:44:58 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-12 10:44:57 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-08-12 10:44:56 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys

==================== Find3M ====================

2010-06-26 06:05:49 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-26 06:02:15 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-06-26 06:02:15 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-06-26 04:25:02 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-06-21 13:37:03 2037760 ----a-w- c:\windows\system32\win32k.sys
2010-06-18 23:10:05 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-18 17:31:29 36864 ----a-w- c:\windows\system32\rtutils.dll
2010-06-18 10:45:32 51200 ----a-w- c:\windows\inf\infpub.dat
2010-06-18 10:45:32 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-06-18 10:45:30 86016 ----a-w- c:\windows\inf\infstor.dat
2010-06-11 16:16:20 274944 ----a-w- c:\windows\system32\schannel.dll
2010-06-08 17:35:04 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-06-08 17:35:03 3600768 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-06-01 17:37:48 221568 ------w- c:\windows\system32\MpSigStub.exe
2009-12-10 18:31:10 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 02:57:01 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2010-02-10 02:16:08 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-10-15 09:41:14 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-03-16 18:30:08 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009031620090317\index.dat
2008-12-28 19:51:53 13 --sh--r- c:\windows\system32\drivers\fbd.sys
2008-12-28 19:51:49 4 --sh--r- c:\windows\system32\drivers\taishop.sys

============= FINISH: 1:51:50.59 ===============

Edited by Orange Blossom, 28 August 2010 - 12:39 AM.
Deactivate link. ~ OB
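As an added example (not part of joecool111's post, and not code from DDS or HijackThis), here is a small Python triage script that runs over lines copied from the DDS log above and flags the browser-hijack indicators a malware-removal helper looks for first: hosts-file entries that sinkhole security sites, orphaned toolbar/BHO registrations ("No File"), Firefox search prefs pointing at an unexpected provider, and "block page" URLs that wrap the originally requested address (the stopmalwaresite.com redirect). The SECURITY_HOSTS and EXPECTED_SEARCH sets are assumptions for illustration, not vetted lists, and the sample text is constructed from the log in the post.

```python
import re
from urllib.parse import parse_qs, urlparse

# Assumed watchlist (illustration only): security vendors and help forums that
# hijackers commonly sinkhole via the hosts file or a "block page" redirect.
SECURITY_HOSTS = {"spywareinfo.com", "trendmicro.com", "bleepingcomputer.com",
                  "malwarebytes.org", "microsoft.com"}
# Assumed allowlist of search providers this user is expected to have.
EXPECTED_SEARCH = {"google.com", "bing.com", "yahoo.com"}

# Constructed sample: lines copied from the DDS log in the post above
# (DDS defangs URLs as 'hxxp'; the script refangs them before parsing).
SAMPLE_DDS = r"""
hxxp://stopmalwaresite.com/block.php?url=http://www.trendmicro.com/go
BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: &Inbox.com Toolbar: {4b3803ea-5230-4dc3-a7fc-33638f3d3542} - c:\progra~1\inbox\ctbr.dll
TB: {F6B40D73-1671-4A2F-BD6F-B1DD69E0F9A0} - No File
Hosts: 127.0.0.1 www.spywareinfo.com
FF - prefs.js: browser.search.selectedEngine - MyWebSearch
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZZ&fl=0&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor=
"""

HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)", re.M)
ADDON_RE = re.compile(r"^(BHO|TB|IE):\s*(.*?):?\s*(\{[0-9A-Fa-f-]+\})\s*-\s*(.*)$", re.M)
FFPREF_RE = re.compile(r"^FF - prefs\.js: (\S+) - (\S+)", re.M)
URL_RE = re.compile(r"h(?:xx|tt)ps?://\S+")


def registered_domain(host):
    """Crude eTLD+1: last two labels (assumption: no multi-label public suffixes)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def refang(url):
    """Turn DDS's defanged 'hxxp' scheme back into 'http' so urlparse understands it."""
    return re.sub(r"^hxxp", "http", url, flags=re.I)


def triage(log_text):
    """Return a list of (indicator, detail) tuples found in a DDS-style log."""
    findings = []
    # 1. hosts-file entries that sinkhole security sites to localhost
    for ip, host in HOSTS_RE.findall(log_text):
        if (ip.startswith("127.") or ip == "0.0.0.0") and registered_domain(host) in SECURITY_HOSTS:
            findings.append(("hosts-block", f"{host} -> {ip}"))
    # 2. toolbar/BHO registrations whose DLL is gone: leftovers to clean up
    for kind, _name, clsid, target in ADDON_RE.findall(log_text):
        if target.strip().lower() == "no file":
            findings.append(("orphan-addon", f"{kind} {clsid}"))
    # 3. Firefox search/keyword prefs pointing at a provider the user did not choose
    for pref, value in FFPREF_RE.findall(log_text):
        if pref in ("keyword.URL", "browser.search.defaulturl"):
            host = urlparse(refang(value)).hostname or ""
            if registered_domain(host) not in EXPECTED_SEARCH:
                findings.append(("ff-search-hijack", f"{pref} -> {host}"))
    # 4. "block page" / redirector URLs carrying the real destination in a query parameter
    for url in URL_RE.findall(log_text):
        u = urlparse(refang(url))
        wrapped = [v for vals in parse_qs(u.query).values() for v in vals if v.startswith("http")]
        if wrapped:
            findings.append(("redirect-wrapper", f"{u.hostname} wraps {wrapped[0]}"))
    return findings


if __name__ == "__main__":
    for indicator, detail in triage(SAMPLE_DDS):
        print(f"{indicator:18} {detail}")
```

Run it against a full DDS.txt by reading the file into triage(); the indicator names are only labels, and every hit still needs a human to decide whether it is the hijacker, a leftover of a removed toolbar, or a legitimate setting.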



#2 Blade (Site Admin, "Strong in the Bleepforce", 12,704 posts, US)

Posted 02 September 2010 - 12:34 AM

Hello, and welcome to the Malware Removal forum! My online alias is Blade Zephon, or Blade for short, and I will be assisting you with your malware issues!

If you have since resolved the original problem you were having, we would appreciate you letting us know.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Before we begin cleaning your machine, I'd like to lay out some guidelines for us to follow while we are working together.
  • I will be assisting you with your malware issues. This may or may not resolve other problems you are having with your computer. If you are still having problems after your machine has been determined clean, I will be glad to direct you to the proper forum for assistance.
  • Even if things appear better, that does not mean we are finished. Please continue to follow my instructions until I give you the all clean. Absence of symptoms does not mean that all the malware has been removed. If a piece of the infection is left, it can regenerate and reinfect your machine.
  • Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • I ask that you please refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. If you act independently it will cause changes to your system that I will not be aware of, which will make the process of cleaning the machine a much slower and more difficult process. Additionally, some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you are unsure or confused about any instructions I give you, you should ask me to clarify before doing anything. Additionally, if you run into any problems while carrying out instructions, you should STOP and reply back here explaining what happened.
  • After 5 days if a topic is not replied to we assume it has been abandoned and it is closed. If you need additional time, that is perfectly alright; you just need to let us know beforehand.
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Check the boxes beside LOP Check and Purity Check.
  • Under the "Custom Scans/Fixes" section paste in the below in bold

    netsvc
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
  • Push the button.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and paste them into the body of your next reply.

***************************************************

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.log" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and copy/paste its contents in your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try unchecking the Devices box in addition to the others previously requested. Also, try running GMER in Safe Mode.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


~Blade


In your next reply, please include the following:
OTL.txt
Extras.txt
Gmer.log

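The /md5start ... /md5stop block in Blade's OTL scan above asks OTL to hash a fixed set of system DLL and storage-driver file names. The reason is that some kernel rootkits of that era patched one of those drivers in place, so the on-disk file no longer matches the vendor's known-good hash even though the file name, location and size look normal. As an added example (not OTL's code, and not part of the post), the Python below does that comparison against a baseline of known-good MD5s. The baseline and the "drivers" directory are constructed in a temp directory for the demo, because the page gives no real hashes; a real baseline would come from a clean install of the same Windows build or the vendor's catalog (an assumption of the script, as is the build_demo() scenario). One caveat a practitioner needs: an active rootkit can filter file reads and hand back the clean image, which is why the thread pairs this with a GMER rootkit scan and why hashing from an offline boot is more trustworthy than hashing from the infected session.

```python
import hashlib
import os
import tempfile

# The driver/DLL names OTL was asked to hash in the scan above.
OTL_MD5_FILES = [
    "eventlog.dll", "scecli.dll", "netlogon.dll", "cngaudit.dll", "sceclt.dll",
    "ntelogon.dll", "logevent.dll", "iaStor.sys", "nvstor.sys", "atapi.sys",
    "IdeChnDr.sys", "viasraid.sys", "AGP440.sys", "vaxscsi.sys", "nvatabus.sys",
    "viamraid.sys", "nvata.sys", "nvgts.sys", "iastorv.sys", "ViPrt.sys",
    "eNetHook.dll", "ahcix86.sys", "KR10N.sys", "nvstor32.sys", "ahcix86s.sys",
    "nvrd32.sys", "symmpi.sys", "adp3132.sys", "mv61xx.sys",
]


def md5_file(path, chunk=1 << 16):
    """MD5 of a file, read in chunks so large driver images do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def check_files(directory, baseline, names=OTL_MD5_FILES):
    """Compare each named file under `directory` with `baseline` ({lowercase name: md5 hex}).

    Returns {name: 'ok' | 'MISMATCH' | 'unknown' | 'absent'}.  'unknown' means the file
    exists but the baseline has no hash for it; 'absent' is normal for drivers a given
    machine never shipped with (the OTL list covers many chipsets).
    """
    report = {}
    for name in names:
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            report[name] = "absent"
            continue
        expected = baseline.get(name.lower())
        if expected is None:
            report[name] = "unknown"
        elif md5_file(path) == expected.lower():
            report[name] = "ok"
        else:
            report[name] = "MISMATCH"
    return report


def build_demo():
    """Constructed scenario (assumption, not real driver data): a clean atapi.sys, an
    iaStor.sys patched in place at the same size, and an nvstor.sys with no baseline."""
    directory = tempfile.mkdtemp(prefix="drv-demo-")
    clean_atapi = b"ATAPI-DRIVER-IMAGE-v1" * 100
    clean_iastor = b"IASTOR-DRIVER-IMAGE" * 100
    baseline = {
        "atapi.sys": hashlib.md5(clean_atapi).hexdigest(),
        "iastor.sys": hashlib.md5(clean_iastor).hexdigest(),
    }
    with open(os.path.join(directory, "atapi.sys"), "wb") as f:
        f.write(clean_atapi)
    # Simulate an in-place patch: same length, a few bytes overwritten with a jump + NOPs.
    patched = bytearray(clean_iastor)
    patched[256:264] = b"\xe9\x00\x10\x00\x00\x90\x90\x90"
    with open(os.path.join(directory, "iaStor.sys"), "wb") as f:
        f.write(patched)
    with open(os.path.join(directory, "nvstor.sys"), "wb") as f:
        f.write(b"NV" * 50)
    return directory, baseline


if __name__ == "__main__":
    demo_dir, demo_baseline = build_demo()
    for name, status in check_files(demo_dir, demo_baseline).items():
        if status != "absent":
            print(f"{status:9} {name}")
```

Size is deliberately not part of the comparison: an in-place patch keeps the size, which is exactly what makes a directory listing look clean while the hash does not.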


#3 joecool111 (Topic Starter, Members, 19 posts)

Posted 03 September 2010 - 08:18 AM

Hey Blade,

Thanks for your help. I followed your instructions. Turned off all these little things on the notification bar before running GMER, then realized that might skew things between OTL & GMER, so I rebooted, turned the junk off, then re-ran OTL. This time it wouldn't give me an Extras.txt file. So then I ran GMER. It bombed. I downloaded a new copy and ran it; it bombed.

Dunno if the original GMER I ran has any validity at this point. Dunno if anything I did in this sequence is of any value at this point. I'm attaching the OTL & Extras files just in case they are...

And I tried so hard to follow directions exactly...... Oh, well

OTL logfile created on: 9/3/2010 6:56:03 AM - Run 2
OTL by OldTimer - Version 3.2.11.0 Folder = C:\Users\Mary\Desktop
Windows Vista Home Basic Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18943)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 44.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 68.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 140.37 Gb Total Space | 89.26 Gb Free Space | 63.59% Space Free | Partition Type: NTFS
Drive D: | 10.28 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MARY-PC
Current User Name: Mary
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/09/03 05:44:37 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\Mary\Desktop\OTL.exe
PRC - [2010/07/14 15:19:28 | 000,326,488 | ---- | M] (Enigma Software Group USA, LLC.) -- C:\Program Files\Enigma Software Group\SpyHunter\SH4Service.exe
PRC - [2010/06/10 21:03:08 | 000,144,176 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2010/06/01 14:53:46 | 001,093,208 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Essentials\msseces.exe
PRC - [2010/05/28 08:59:16 | 002,484,176 | ---- | M] (Crawler.com) -- C:\Program Files\Inbox\CToolbar.exe
PRC - [2010/03/25 21:40:44 | 000,017,904 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
PRC - [2010/03/18 11:19:26 | 000,207,360 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
PRC - [2010/03/18 11:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
PRC - [2010/03/04 23:38:00 | 000,071,096 | ---- | M] () -- C:\Program Files\CDBurnerXP\NMSAccessU.exe
PRC - [2009/10/16 16:06:32 | 000,589,824 | ---- | M] ( ) -- C:\Windows\System32\lxducoms.exe
PRC - [2009/10/16 15:53:44 | 000,094,208 | ---- | M] (Lexmark International, Inc.) -- C:\Windows\System32\spool\drivers\w32x86\3\lxduserv.exe
PRC - [2009/08/18 11:29:22 | 001,529,728 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
PRC - [2009/08/18 11:29:22 | 000,183,152 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
PRC - [2009/07/10 14:49:24 | 000,323,584 | ---- | M] (Eastman Kodak Company) -- C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
PRC - [2009/06/08 14:43:00 | 001,395,200 | ---- | M] (Crawler.com) -- c:\Program Files\Inbox\CMail.exe
PRC - [2009/04/11 02:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/03/05 16:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2009/02/26 15:24:50 | 000,097,680 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
PRC - [2009/01/26 15:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
PRC - [2008/08/04 17:46:22 | 000,046,392 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\TOSHIBA Service Station\TMachInfo.exe
PRC - [2008/07/19 00:39:30 | 000,083,312 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
PRC - [2008/04/17 03:19:48 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
PRC - [2008/04/16 19:53:00 | 000,954,368 | ---- | M] (Atheros Communications, Inc.) -- C:\Program Files\Jumpstart\jswpsapi.exe
PRC - [2008/04/15 21:54:42 | 000,354,840 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2008/02/06 17:52:40 | 000,431,456 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
PRC - [2008/01/20 22:33:41 | 000,017,408 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\iashost.exe
PRC - [2007/12/03 21:03:52 | 000,126,976 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\SMARTLogService\TosIPCSrv.exe
PRC - [2007/11/21 21:23:32 | 000,129,632 | ---- | M] (TOSHIBA Corporation) -- C:\Windows\System32\TODDSrv.exe
PRC - [2006/10/05 16:10:12 | 000,009,216 | ---- | M] (Agere Systems) -- C:\Windows\System32\agrsmsvc.exe


========== Modules (SafeList) ==========

MOD - [2010/09/03 05:44:37 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\Mary\Desktop\OTL.exe
MOD - [2010/03/05 10:01:02 | 000,420,352 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\vbscript.dll
MOD - [2009/04/11 02:28:25 | 000,083,968 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wbem\wmiutils.dll
MOD - [2009/04/11 02:28:25 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wbem\wbemsvc.dll
MOD - [2009/04/11 02:28:25 | 000,030,208 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wbem\wbemprox.dll
MOD - [2009/04/11 02:28:19 | 000,614,912 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wbem\fastprox.dll
MOD - [2009/04/11 02:27:47 | 000,241,128 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\rsaenh.dll
MOD - [2009/04/11 02:21:38 | 001,748,992 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\GdiPlus.dll
MOD - [2009/04/11 02:21:38 | 001,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll
MOD - [2008/01/20 22:34:47 | 000,188,928 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wbem\wbemdisp.dll
MOD - [2008/01/20 22:34:21 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msscript.ocx
MOD - [2008/01/20 22:33:52 | 000,376,832 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sxs.dll
MOD - [2008/01/20 22:33:26 | 000,357,888 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wbemcomn.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/07/14 15:19:28 | 000,326,488 | ---- | M] (Enigma Software Group USA, LLC.) [Auto | Running] -- C:\Program Files\Enigma Software Group\SpyHunter\SH4Service.exe -- (SpyHunter 4 Service)
SRV - [2010/06/10 21:03:08 | 000,144,176 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2010/03/29 08:51:54 | 000,068,000 | ---- | M] (NOS Microsystems Ltd.) [Auto | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus®
SRV - [2010/03/25 21:40:44 | 000,017,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe -- (MsMpSvc)
SRV - [2010/03/18 13:16:28 | 000,753,504 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe -- (WPFFontCache_v0400)
SRV - [2010/03/18 11:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) [Auto | Running] -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
SRV - [2010/03/04 23:38:00 | 000,071,096 | ---- | M] () [Auto | Running] -- C:\Program Files\CDBurnerXP\NMSAccessU.exe -- (NMSAccess)
SRV - [2009/10/16 16:06:32 | 000,589,824 | ---- | M] ( ) [Auto | Running] -- C:\Windows\System32\lxducoms.exe -- (lxdu_device)
SRV - [2009/10/16 15:53:44 | 000,094,208 | ---- | M] () [Auto | Running] -- C:\Windows\System32\spool\DRIVERS\W32X86\3\\lxduserv.exe -- (lxduCATSCustConnectService)
SRV - [2009/09/24 21:27:04 | 000,793,088 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009/08/18 11:29:22 | 001,529,728 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE -- (wlidsvc)
SRV - [2009/01/26 15:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) [Auto | Running] -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe -- (SBSDWSCService)
SRV - [2008/08/04 17:46:22 | 000,046,392 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\Toshiba\TOSHIBA Service Station\TMachInfo.exe -- (TMachInfo)
SRV - [2008/07/19 00:39:30 | 000,083,312 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe -- (TNaviSrv)
SRV - [2008/04/17 03:19:48 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe -- (ConfigFree Service)
SRV - [2008/04/16 19:53:00 | 000,954,368 | ---- | M] (Atheros Communications, Inc.) [Auto | Running] -- C:\Program Files\Jumpstart\jswpsapi.exe -- (jswpsapi)
SRV - [2008/04/15 21:54:42 | 000,354,840 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel®
SRV - [2008/02/06 17:52:40 | 000,431,456 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe -- (TosCoSrv)
SRV - [2008/01/20 22:33:00 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/12/03 21:03:52 | 000,126,976 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe -- (TOSHIBA SMART Log Service)
SRV - [2007/11/21 21:23:32 | 000,129,632 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Windows\System32\TODDSrv.exe -- (TODDSrv)
SRV - [2006/10/05 16:10:12 | 000,009,216 | ---- | M] (Agere Systems) [Auto | Running] -- C:\Windows\System32\agrsmsvc.exe -- (AgereModemAudio)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\Mary\AppData\Local\Temp\7zSB6EF.tmp\iscflash.sys -- (iscFlash)
DRV - [2010/03/25 21:30:22 | 000,151,216 | ---- | M] (Microsoft Corporation) [File_System | System | Running] -- C:\Windows\System32\drivers\MpFilter.sys -- (MpFilter)
DRV - [2010/03/25 21:30:22 | 000,042,368 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\MpNWMon.sys -- (MpNWMon)
DRV - [2009/12/02 12:21:00 | 000,021,896 | ---- | M] (CHENGDU YIWO Tech Development Co., Ltd) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\eufs.sys -- (EUFS)
DRV - [2009/12/02 12:20:58 | 000,015,240 | ---- | M] (CHENGDU YIWO Tech Development Co., Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\eudskacs.sys -- (EUDSKACS)
DRV - [2009/12/02 12:20:56 | 000,027,016 | ---- | M] (CHENGDU YIWO Tech Development Co., Ltd) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\eubakup.sys -- (EUBAKUP)
DRV - [2009/12/02 12:20:54 | 000,123,784 | ---- | M] (CHENGDU YIWO Tech Development Co., Ltd) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\EuDisk.sys -- (EuDisk)
DRV - [2009/11/16 03:13:14 | 000,216,576 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
DRV - [2009/11/12 14:48:56 | 000,007,168 | ---- | M] () [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\StarOpen.sys -- (StarOpen)
DRV - [2009/03/26 08:00:02 | 000,064,000 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\RTSTOR.sys -- (RTSTOR)
DRV - [2009/02/12 15:11:24 | 000,022,312 | ---- | M] (EldoS Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\dddsk.sys -- (ElRawDisk)
DRV - [2008/08/14 10:40:40 | 000,203,312 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SynTP.sys -- (SynTP)
DRV - [2008/07/28 19:53:48 | 000,919,552 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\athr.sys -- (athr)
DRV - [2008/07/18 22:52:16 | 000,279,376 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\tos_sps32.sys -- (tos_sps32)
DRV - [2008/06/12 22:43:16 | 002,381,312 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\igdkmd32.sys -- (igfx)
DRV - [2008/04/28 20:59:18 | 000,020,384 | ---- | M] (Atheros Communications, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\jswpslwf.sys -- (jswpslwf)
DRV - [2008/04/15 21:53:44 | 000,312,344 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\iaStor.sys -- (iaStor)
DRV - [2008/04/09 22:00:04 | 002,095,512 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\RTKVHDA.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/01/20 22:32:53 | 000,149,560 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)
DRV - [2008/01/20 22:32:53 | 000,031,288 | ---- | M] (LSI Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasas.sys -- (megasas)
DRV - [2008/01/20 22:32:52 | 000,386,616 | ---- | M] (LSI Corporation, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasr.sys -- (MegaSR)
DRV - [2008/01/20 22:32:52 | 000,101,432 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)
DRV - [2008/01/20 22:32:52 | 000,074,808 | ---- | M] (Silicon Integrated Systems) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)
DRV - [2008/01/20 22:32:52 | 000,040,504 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)
DRV - [2008/01/20 22:32:51 | 000,300,600 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)
DRV - [2008/01/20 22:32:51 | 000,089,656 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)
DRV - [2008/01/20 22:32:50 | 001,122,360 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)
DRV - [2008/01/20 22:32:50 | 000,118,784 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel®
DRV - [2008/01/20 22:32:50 | 000,079,928 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)
DRV - [2008/01/20 22:32:49 | 000,235,064 | ---- | M] (Intel Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV)
DRV - [2008/01/20 22:32:49 | 000,130,616 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)
DRV - [2008/01/20 22:32:49 | 000,115,816 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)
DRV - [2008/01/20 22:32:49 | 000,096,312 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)
DRV - [2008/01/20 22:32:49 | 000,079,416 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arc.sys -- (arc)
DRV - [2008/01/20 22:32:48 | 000,342,584 | ---- | M] (Emulex) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)
DRV - [2008/01/20 22:32:48 | 000,096,312 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2008/01/20 22:32:47 | 000,102,968 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid)
DRV - [2008/01/20 22:32:47 | 000,045,112 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor)
DRV - [2008/01/20 22:32:46 | 000,422,968 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)
DRV - [2008/01/20 22:32:45 | 000,238,648 | ---- | M] (ULi Electronics Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)
DRV - [2008/01/20 22:32:21 | 000,020,024 | ---- | M] (VIA Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\viaide.sys -- (viaide)
DRV - [2008/01/20 22:32:21 | 000,019,000 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)
DRV - [2008/01/20 22:32:21 | 000,017,464 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\aliide.sys -- (aliide)
DRV - [2008/01/18 12:22:00 | 000,009,216 | ---- | M] (Inventec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\sysprep\PEDRV.SYS -- (SVRPEDRV)
DRV - [2007/12/14 15:53:24 | 000,024,200 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tdcmdpst.sys -- (tdcmdpst)
DRV - [2007/11/09 18:00:52 | 000,023,640 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\TVALZ_O.SYS -- (TVALZ)
DRV - [2006/11/28 19:11:00 | 001,161,888 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2006/11/20 17:11:14 | 000,007,168 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\FwLnk.sys -- (FwLnk)
DRV - [2006/11/09 02:32:00 | 000,219,264 | ---- | M] (TOSHIBA CORPORATION) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\kr10i.sys -- (KR10I)
DRV - [2006/11/09 02:31:00 | 000,211,072 | ---- | M] (TOSHIBA CORPORATION) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\kr10n.sys -- (KR10N)
DRV - [2006/11/02 05:50:35 | 000,106,088 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)
DRV - [2006/11/02 05:50:35 | 000,098,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata)
DRV - [2006/11/02 05:50:19 | 000,045,160 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960)
DRV - [2006/11/02 05:50:17 | 000,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp)
DRV - [2006/11/02 05:50:11 | 000,071,272 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx)
DRV - [2006/11/02 05:50:09 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid)
DRV - [2006/11/02 05:50:07 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi)
DRV - [2006/11/02 05:50:05 | 000,035,944 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx)
DRV - [2006/11/02 05:50:03 | 000,034,920 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3)
DRV - [2006/11/02 05:49:59 | 000,033,384 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x)
DRV - [2006/11/02 05:49:56 | 000,031,848 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi)
DRV - [2006/11/02 04:25:24 | 000,071,808 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2006/11/02 04:24:47 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer)
DRV - [2006/11/02 04:24:46 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp)
DRV - [2006/11/02 04:24:45 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo)
DRV - [2006/11/02 04:24:44 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm)
DRV - [2006/11/02 04:24:44 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm)
DRV - [2006/11/02 03:36:50 | 000,020,608 | ---- | M] (N-trig Innovative Technologies) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi)
DRV - [2006/06/11 06:15:00 | 000,004,170 | ---- | M] (ITC) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\sysprep\Drivers\IOPort.SYS -- (IO_Memory)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [Binary data over 100 bytes]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [Binary data over 100 bytes]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-3023599555-3989719847-863854613-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
IE - HKU\S-1-5-21-3023599555-3989719847-863854613-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
IE - HKU\S-1-5-21-3023599555-3989719847-863854613-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKU\S-1-5-21-3023599555-3989719847-863854613-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Inbox.com Search"
FF - prefs.js..browser.search.defaulturl: "http://search.aol.com/aolcom/search?invocationType=tb50-ff-green-chromesbox-en-us&query="
FF - prefs.js..browser.search.order.1: "Inbox.com Search"
FF - prefs.js..browser.search.param.yahoo-fr: "moz2-ytff-msgr"
FF - prefs.js..browser.search.param.yahoo-fr-cjkt: "moz2-ytff-msgr"
FF - prefs.js..browser.search.selectedEngine: "MyWebSearch"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com/"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.2.1
FF - prefs.js..extensions.enabledItems: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}:0.9.7
FF - prefs.js..extensions.enabledItems: {9bc51d13-3849-4541-a69c-da418934ca05}:1.7
FF - prefs.js..extensions.enabledItems: {1018e4d6-728f-4b20-ad56-37578a4de76b}:4.0.8
FF - prefs.js..extensions.enabledItems: {3d7eb24f-2740-49df-8937-200b1cc08f8a}:1.5.13
FF - prefs.js..extensions.enabledItems: tabkit@jomel.me.uk:0.5.12
FF - prefs.js..extensions.enabledItems: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}:20100503
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.2.20100119091315
FF - prefs.js..keyword.URL: "http://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZZ&fl=0&ptb=XRw1DJpIxGWswU6NgKSEOw&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor="
FF - prefs.js..keyword.defaultURL: "http://www.inbox.com/search/dispatcher.aspx?tp=aus&tbid=&qkw="


FF - HKLM\software\mozilla\Firefox\Extensions\\{4B3803EA-5230-4DC3-A7FC-33638F3D3542}: C:\Program Files\Inbox\firefox\ [2010/05/29 13:35:01 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/11 18:58:52 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/06/18 18:56:47 | 000,000,000 | ---D | M]

[2009/03/02 12:29:07 | 000,000,000 | ---D | M] -- C:\Users\Mary\AppData\Roaming\Mozilla\Extensions
[2010/08/24 19:47:24 | 000,000,000 | ---D | M] -- C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\nrftk4gi.default\extensions
[2009/12/02 17:10:07 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\nrftk4gi.default\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}(221)
[2010/08/16 08:28:23 | 000,000,000 | ---D | M] (Flagfox) -- C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\nrftk4gi.default\extensions\{1018e4d6-728f-4b20-ad56-37578a4de76b}
[2009/12/07 21:07:49 | 000,000,000 | ---D | M] (Session Manager) -- C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\nrftk4gi.default\extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe30}(222)
[2010/05/03 08:09:36 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\nrftk4gi.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/08/16 08:28:26 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\nrftk4gi.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2010/03/22 17:20:03 | 000,000,000 | ---D | M] (Flashblock) -- C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\nrftk4gi.default\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
[2009/06/25 11:45:25 | 000,000,000 | ---D | M] (Green Toolbar) -- C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\nrftk4gi.default\extensions\{6358a00e-05d4-431e-8c28-90753cc79b31}
[2010/03/03 17:49:58 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\nrftk4gi.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2010/08/16 08:26:03 | 000,000,000 | ---D | M] (AOL Toolbar) -- C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\nrftk4gi.default\extensions\{7affbfae-c4e2-4915-8c0f-00fa3ec610a1}
[2009/10/01 04:18:47 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\nrftk4gi.default\extensions\{9bc51d13-3849-4541-a69c-da418934ca05}
[2010/05/29 14:13:59 | 000,000,000 | ---D | M] (WOT) -- C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\nrftk4gi.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
[2010/05/03 08:09:36 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\nrftk4gi.default\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}
[2010/08/16 08:26:03 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\nrftk4gi.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/08/16 08:26:03 | 000,000,000 | ---D | M] (Download Statusbar) -- C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\nrftk4gi.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
[2010/06/18 13:26:55 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\nrftk4gi.default\extensions\{dc572301-7619-498c-a57d-39143191b318}
[2009/12/19 11:07:14 | 000,000,000 | ---D | M] -- C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\nrftk4gi.default\extensions\inboxcomtoolbar@inbox.com
[2010/08/16 08:26:03 | 000,000,000 | ---D | M] -- C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\nrftk4gi.default\extensions\tabkit@jomel.me.uk
[2009/06/25 11:45:44 | 000,001,738 | ---- | M] () -- C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\nrftk4gi.default\searchplugins\aol-search.xml
[2009/01/31 00:50:19 | 000,000,717 | ---- | M] () -- C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\nrftk4gi.default\searchplugins\ask.xml
[2010/04/11 18:59:24 | 000,001,331 | ---- | M] () -- C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\nrftk4gi.default\searchplugins\crawlersrch.xml
[2009/06/18 08:38:06 | 000,002,128 | ---- | M] () -- C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\nrftk4gi.default\searchplugins\inbox-search.xml
[2010/05/27 18:49:12 | 000,009,929 | ---- | M] () -- C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\nrftk4gi.default\searchplugins\mywebsearch.xml
[2010/08/24 05:28:41 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/01/24 10:09:29 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2009/03/02 12:29:02 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\real-networks@partners.mozilla.com
[2010/06/18 19:10:09 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2010/08/26 21:52:10 | 000,404,406 | R--- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 127.0.0.1 123haustiereundmehr.com
O1 - Hosts: 13984 more lines...
O2 - BHO: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Lexmark Printable Web) - {D2C5E510-BE6D-42CC-9F61-E4F939078474} - C:\Program Files\Lexmark Printable Web\bho.dll ()
O3 - HKLM\..\Toolbar: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-3023599555-3989719847-863854613-1000\..\Toolbar\ShellBrowser: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O3 - HKU\S-1-5-21-3023599555-3989719847-863854613-1000\..\Toolbar\WebBrowser: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O3 - HKU\S-1-5-21-3023599555-3989719847-863854613-1000\..\Toolbar\WebBrowser: (&Inbox.com Toolbar) - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Inbox\ctbr.dll File not found
O3 - HKU\S-1-5-21-3023599555-3989719847-863854613-1000\..\Toolbar\WebBrowser: (&Inbox Toolbar) - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - C:\PROGRA~1\INBOXT~1\Inbox.dll File not found
O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)
O4 - HKLM..\Run: [Lexmark 5600-6600 Series Fax Server] C:\Program Files\Lexmark 5600-6600 Series\fm3032.exe ()
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [MSSE] c:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [PC SpeedScan Pro] C:\Program Files\Ascentive\PC SpeedScan Pro\PCSpeedScan.exe File not found
O4 - HKLM..\Run: [Performance Center] C:\Program Files\Ascentive\Performance Center\APCMain.exe (Ascentive)
O4 - HKLM..\Run: [Skytel] C:\Windows\SkyTel.exe (Realtek Semiconductor Corp.)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-21-3023599555-3989719847-863854613-1000..\Run: [CrawlerMail] c:\Program Files\Inbox\CMail.exe (Crawler.com)
O4 - HKU\S-1-5-21-3023599555-3989719847-863854613-1000..\Run: [DW6] C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe (The Weather Channel Interactive, Inc.)
O4 - HKU\S-1-5-21-3023599555-3989719847-863854613-1000..\Run: [RunWeather] C:\Program Files\Inbox\Weather\CWeather.exe (Crawler.com)
O4 - HKU\S-1-5-21-3023599555-3989719847-863854613-1000..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKLM..\RunOnce: [{1017A80C-6F09-4548-A84D-EDD6AC9525F0}] C:\Program Files\Lexmark Toolbar\Temp\setup.exe ()
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\RunOnce: [TodoBackupInstall] File not found
O4 - HKU\S-1-5-21-3023599555-3989719847-863854613-1000..\RunOnce: [Shockwave Updater] C:\Windows\System32\Adobe\Shockwave 11\SwHelper_1150596.exe -Update -1150596 -Mozilla\4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident\4.0; File not found
O4 - Startup: C:\Users\Mary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
O4 - Startup: C:\Users\Mary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote Table Of Contents.onetoc2 ()
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: Inbox.com Weather - {B1CF6225-211E-4B4C-B466-5F224E348FF3} - C:\Program Files\Inbox\Weather\CWeather.exe (Crawler.com)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\S-1-5-21-3023599555-3989719847-863854613-1000\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} http://cdn.scan.onecare.live.com/resource/...s/wlscctrl2.cab (Windows Live OneCare safety scanner control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 208.67.222.222 208.67.220.220
O18 - Protocol\Handler\inbox {37540F19-DD4C-478B-B2DF-C19281BCAF27} - C:\PROGRA~1\INBOXT~1\Inbox.dll File not found
O18 - Protocol\Handler\lbxfile {56831180-F115-11d2-B6AA-00104B2B9943} - C:\Program Files\Libronix DLS\System\FileProt.dll (Libronix Corporation)
O18 - Protocol\Handler\lbxres {24508F1B-9E94-40EE-9759-9AF5795ADF52} - C:\Program Files\Libronix DLS\System\ResProt.dll (Libronix Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\Windows\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img24.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img24.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 17:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/09/03 05:44:32 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Users\Mary\Desktop\OTL.exe
[2010/09/02 15:57:25 | 000,021,896 | ---- | C] (CHENGDU YIWO Tech Development Co., Ltd) -- C:\Windows\System32\drivers\eufs.sys
[2010/09/02 15:57:14 | 000,015,240 | ---- | C] (CHENGDU YIWO Tech Development Co., Ltd) -- C:\Windows\System32\drivers\eudskacs.sys
[2010/09/02 15:57:13 | 000,027,016 | ---- | C] (CHENGDU YIWO Tech Development Co., Ltd) -- C:\Windows\System32\drivers\eubakup.sys
[2010/09/02 15:57:12 | 000,123,784 | ---- | C] (CHENGDU YIWO Tech Development Co., Ltd) -- C:\Windows\System32\drivers\EuDisk.sys
[2010/09/02 15:57:03 | 000,000,000 | ---D | C] -- C:\Program Files\EASEUS
[2010/08/27 02:27:25 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- C:\Users\Mary\Desktop\HijackThis.exe
[2010/08/26 21:22:48 | 000,000,000 | ---D | C] -- C:\Users\Mary\AppData\Local\Arora
[2010/08/26 21:22:17 | 000,000,000 | ---D | C] -- C:\Program Files\Arora
[2010/08/26 21:17:30 | 000,000,000 | ---D | C] -- C:\Users\Mary\AppData\Roaming\Canneverbe Limited
[2010/08/26 21:17:30 | 000,000,000 | ---D | C] -- C:\ProgramData\Canneverbe Limited
[2010/08/26 21:17:12 | 000,000,000 | ---D | C] -- C:\Program Files\CDBurnerXP
[2010/08/26 21:13:15 | 000,000,000 | ---D | C] -- C:\Users\Mary\AppData\Local\Yahoo!
[2010/08/26 20:38:51 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/08/24 20:41:10 | 000,000,000 | ---D | C] -- C:\sh4ldr
[2010/08/24 20:41:10 | 000,000,000 | ---D | C] -- C:\Program Files\Enigma Software Group
[2010/08/24 20:40:58 | 000,000,000 | ---D | C] -- C:\Windows\CED3DF1E01D145ADBF3364AE5E8843B8.TMP
[2010/08/24 20:40:54 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2010/08/24 16:53:13 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/08/24 02:49:17 | 000,000,000 | ---D | C] -- C:\Windows\Sun
[2010/08/21 09:51:15 | 000,000,000 | ---D | C] -- C:\Program Files\webserver
[2010/08/16 08:28:47 | 000,000,000 | ---D | C] -- C:\ProgramData\Google
[2010/08/16 08:20:19 | 000,000,000 | ---D | C] -- C:\Program Files\Google
[2010/08/12 06:45:25 | 001,469,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2010/08/12 06:45:25 | 000,599,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2010/08/12 06:45:25 | 000,387,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll
[2010/08/12 06:45:25 | 000,173,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ie4uinit.exe
[2010/08/12 06:45:24 | 000,611,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mstime.dll
[2010/08/12 06:45:24 | 000,184,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iepeers.dll
[2010/08/12 06:45:24 | 000,164,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2010/08/12 06:45:24 | 000,133,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2010/08/12 06:45:24 | 000,109,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesysprep.dll
[2010/08/12 06:45:24 | 000,071,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesetup.dll
[2010/08/12 06:45:23 | 001,638,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2010/08/12 06:45:23 | 000,055,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iernonce.dll
[2010/08/12 06:45:23 | 000,055,296 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedsbs.dll
[2010/08/12 06:45:23 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2010/08/12 06:45:23 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedssync.exe
[2010/08/12 06:45:22 | 000,081,920 | ---- | C] (Radius Inc.) -- C:\Windows\System32\iccvid.dll
[2010/08/12 06:45:19 | 000,036,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\rtutils.dll
[2010/08/12 06:45:16 | 002,037,760 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2010/08/12 06:45:02 | 003,600,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe
[2010/08/12 06:45:01 | 003,548,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe
[2010/06/18 06:34:07 | 001,069,056 | ---- | C] ( ) -- C:\Windows\System32\lxduserv.dll
[2010/06/18 06:34:06 | 000,651,264 | ---- | C] ( ) -- C:\Windows\System32\lxdupmui.dll
[2010/06/18 06:34:00 | 000,376,832 | ---- | C] ( ) -- C:\Windows\System32\lxducomm.dll
[2010/06/18 06:33:59 | 000,364,544 | ---- | C] ( ) -- C:\Windows\System32\lxduinpa.dll
[2010/06/18 06:33:58 | 000,339,968 | ---- | C] ( ) -- C:\Windows\System32\lxduiesc.dll
[2010/06/18 06:33:53 | 000,860,160 | ---- | C] ( ) -- C:\Windows\System32\lxduusb1.dll
[2010/06/18 06:33:52 | 000,684,032 | ---- | C] ( ) -- C:\Windows\System32\lxduhbn3.dll
[2009/10/15 21:32:46 | 000,409,600 | ---- | C] ( ) -- C:\Windows\System32\lxducoin.dll
[2009/03/16 14:18:45 | 000,438,272 | ---- | C] ( ) -- C:\Windows\System32\LXDUhcp.dll
[2009/03/16 14:18:44 | 000,577,536 | ---- | C] ( ) -- C:\Windows\System32\lxdulmpm.dll
[2009/03/16 14:18:42 | 000,761,856 | ---- | C] ( ) -- C:\Windows\System32\lxducomc.dll
[3 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/09/03 06:46:48 | 008,650,752 | -HS- | M] () -- C:\Users\Mary\ntuser.dat
[2010/09/03 06:29:31 | 000,697,560 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/09/03 06:29:31 | 000,599,826 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/09/03 06:29:31 | 000,103,294 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/09/03 06:23:42 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/09/03 06:23:42 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/09/03 06:23:08 | 000,000,416 | ---- | M] () -- C:\Windows\tasks\PCConfidential.job
[2010/09/03 06:23:08 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\RegTool Startup.job
[2010/09/03 06:22:49 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/09/03 06:22:29 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/09/03 06:21:37 | 000,524,288 | -HS- | M] () -- C:\Users\Mary\ntuser.dat{6d9f0594-762d-11df-b1fa-001e3385d404}.TMContainer00000000000000000001.regtrans-ms
[2010/09/03 06:21:37 | 000,065,536 | -HS- | M] () -- C:\Users\Mary\ntuser.dat{6d9f0594-762d-11df-b1fa-001e3385d404}.TM.blf
[2010/09/03 06:21:05 | 002,373,545 | -H-- | M] () -- C:\Users\Mary\AppData\Local\IconCache.db
[2010/09/03 05:44:37 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\Mary\Desktop\OTL.exe
[2010/09/02 15:57:13 | 000,001,060 | ---- | M] () -- C:\Users\Public\Desktop\EASEUS Todo Backup 1.1.lnk
[2010/09/02 15:56:36 | 035,662,424 | ---- | M] () -- C:\Users\Mary\Desktop\todobackup.zip
[2010/08/27 02:57:32 | 000,001,356 | ---- | M] () -- C:\Users\Mary\AppData\Local\d3d9caps.dat
[2010/08/27 02:43:42 | 000,011,163 | ---- | M] () -- C:\Users\Mary\Desktop\bleepingcoputer.zip
[2010/08/27 02:27:26 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Users\Mary\Desktop\HijackThis.exe
[2010/08/27 01:48:31 | 000,000,000 | ---- | M] () -- C:\Users\Mary\defogger_reenable
[2010/08/27 01:41:51 | 000,284,915 | ---- | M] () -- C:\Users\Mary\Desktop\gmer-1.zip
[2010/08/27 01:41:44 | 000,284,915 | ---- | M] () -- C:\Users\Mary\Desktop\gmer.zip
[2010/08/27 01:39:56 | 000,525,824 | ---- | M] () -- C:\Users\Mary\Desktop\dds.scr
[2010/08/27 01:39:01 | 000,050,477 | ---- | M] () -- C:\Users\Mary\Desktop\Defogger.exe
[2010/08/27 00:57:31 | 000,000,914 | ---- | M] () -- C:\Users\Mary\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2010/08/26 21:52:10 | 000,404,406 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2010/08/26 21:17:19 | 000,001,697 | ---- | M] () -- C:\Users\Public\Desktop\CDBurnerXP.lnk
[2010/08/26 20:33:17 | 000,000,420 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{7740C5BF-A858-4EC9-B4C4-CBDAE476D2DB}.job
[2010/08/24 20:41:11 | 000,002,046 | ---- | M] () -- C:\Users\Mary\Desktop\SpyHunter.lnk
[2010/08/24 17:00:40 | 000,001,080 | ---- | M] () -- C:\Users\Mary\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2010/08/24 17:00:40 | 000,001,056 | ---- | M] () -- C:\Users\Mary\Desktop\Spybot - Search & Destroy.lnk
[2010/08/24 12:21:27 | 000,001,501 | ---- | M] () -- C:\ProgramData\.wtav
[2010/08/24 01:02:17 | 000,001,862 | ---- | M] () -- C:\Users\Mary\Desktop\First virus log
[2010/08/21 09:49:57 | 000,000,258 | RHS- | M] () -- C:\ProgramData\ntuser.pol
[2010/08/16 08:25:19 | 000,001,021 | ---- | M] () -- C:\Users\Public\Desktop\The Weather Channel Desktop .lnk
[2010/08/15 09:38:03 | 000,000,398 | ---- | M] () -- C:\Windows\tasks\EasyShare Registration Task.job
[2010/08/12 11:30:49 | 000,724,704 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[3 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/09/02 16:02:28 | 000,001,972 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
[2010/09/02 16:02:28 | 000,001,082 | ---- | C] () -- C:\Users\Mary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
[2010/09/02 15:57:13 | 000,001,060 | ---- | C] () -- C:\Users\Public\Desktop\EASEUS Todo Backup 1.1.lnk
[2010/09/02 15:56:01 | 035,662,424 | ---- | C] () -- C:\Users\Mary\Desktop\todobackup.zip
[2010/08/27 02:42:51 | 000,011,163 | ---- | C] () -- C:\Users\Mary\Desktop\bleepingcoputer.zip
[2010/08/27 01:48:31 | 000,000,000 | ---- | C] () -- C:\Users\Mary\defogger_reenable
[2010/08/27 01:41:51 | 000,284,915 | ---- | C] () -- C:\Users\Mary\Desktop\gmer-1.zip
[2010/08/27 01:41:42 | 000,284,915 | ---- | C] () -- C:\Users\Mary\Desktop\gmer.zip
[2010/08/27 01:39:56 | 000,525,824 | ---- | C] () -- C:\Users\Mary\Desktop\dds.scr
[2010/08/27 01:39:01 | 000,050,477 | ---- | C] () -- C:\Users\Mary\Desktop\Defogger.exe
[2010/08/26 21:17:19 | 000,001,697 | ---- | C] () -- C:\Users\Public\Desktop\CDBurnerXP.lnk
[2010/08/26 21:17:17 | 000,007,168 | ---- | C] () -- C:\Windows\System32\drivers\StarOpen.sys
[2010/08/26 20:33:17 | 000,000,420 | -H-- | C] () -- C:\Windows\tasks\User_Feed_Synchronization-{7740C5BF-A858-4EC9-B4C4-CBDAE476D2DB}.job
[2010/08/24 20:41:11 | 000,002,046 | ---- | C] () -- C:\Users\Mary\Desktop\SpyHunter.lnk
[2010/08/24 16:53:46 | 000,001,080 | ---- | C] () -- C:\Users\Mary\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2010/08/24 16:53:46 | 000,001,056 | ---- | C] () -- C:\Users\Mary\Desktop\Spybot - Search & Destroy.lnk
[2010/08/24 11:54:44 | 000,001,501 | ---- | C] () -- C:\ProgramData\.wtav
[2010/08/24 01:02:17 | 000,001,862 | ---- | C] () -- C:\Users\Mary\Desktop\First virus log
[2010/08/21 09:49:57 | 000,000,258 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2010/06/18 06:33:50 | 000,208,896 | ---- | C] () -- C:\Windows\System32\lxdugrd.dll
[2009/10/27 15:59:45 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/09/22 21:03:50 | 000,234,752 | ---- | C] () -- C:\ProgramData\lxduJSW.log
[2009/08/28 19:20:23 | 000,000,244 | ---- | C] () -- C:\Users\Mary\AppData\Roaming\wklnhst.dat
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/06/25 11:46:07 | 000,393,334 | ---- | C] () -- C:\Users\Mary\AppData\Roaming\ecotoolbar.bmp
[2009/06/25 11:46:07 | 000,000,550 | ---- | C] () -- C:\Users\Mary\AppData\Roaming\power.bat
[2009/06/06 10:23:44 | 000,001,501 | ---- | C] () -- C:\Windows\bizpub32.INI
[2009/05/21 14:05:08 | 000,000,243 | ---- | C] () -- C:\Windows\wininit.ini
[2009/05/21 00:32:38 | 000,000,002 | ---- | C] () -- C:\Windows\msoffice.ini
[2009/03/28 15:41:56 | 000,007,264 | ---- | C] () -- C:\ProgramData\N360BUOptions.ini
[2009/03/28 15:38:41 | 000,000,241 | ---- | C] () -- C:\Windows\AvDetected.ini
[2009/03/24 15:07:56 | 000,000,089 | ---- | C] () -- C:\ProgramData\lxdu.log
[2009/03/22 20:32:32 | 000,223,232 | ---- | C] () -- C:\Windows\System32\sqlite3.dll
[2009/03/22 20:32:31 | 000,086,016 | ---- | C] () -- C:\Windows\System32\SQLiteWrapper.dll
[2009/03/16 14:41:24 | 000,000,944 | ---- | C] () -- C:\ProgramData\lxduDiagnostics.log
[2009/03/16 14:23:08 | 000,040,960 | ---- | C] () -- C:\Windows\System32\lxduvs.dll
[2009/03/16 14:21:47 | 001,036,288 | ---- | C] () -- C:\Windows\System32\lxdudrs.dll
[2009/03/16 14:21:47 | 000,081,920 | ---- | C] () -- C:\Windows\System32\lxducaps.dll
[2009/03/16 14:21:47 | 000,069,632 | ---- | C] () -- C:\Windows\System32\lxducnv4.dll
[2009/03/16 14:21:30 | 000,045,056 | ---- | C] () -- C:\Windows\System32\LXDUPMON.DLL
[2009/03/16 14:21:30 | 000,032,768 | ---- | C] () -- C:\Windows\System32\LXDUFXPU.DLL
[2009/03/16 14:21:10 | 000,086,016 | ---- | C] () -- C:\Windows\System32\lxduoem.dll
[2009/03/16 14:19:36 | 000,000,044 | ---- | C] () -- C:\Windows\System32\lxdurwrd.ini
[2009/03/16 14:18:45 | 000,389,120 | ---- | C] () -- C:\Windows\System32\LXDUinst.dll
[2009/03/16 14:17:27 | 000,000,000 | ---- | C] () -- C:\ProgramData\UpdaterLog.txt
[2009/03/05 06:54:58 | 000,073,728 | ---- | C] () -- C:\Windows\System32\RtNicProp32.dll
[2009/03/01 09:11:03 | 000,000,048 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2009/02/09 21:35:53 | 000,001,356 | ---- | C] () -- C:\Users\Mary\AppData\Local\d3d9caps.dat
[2009/01/16 00:35:24 | 000,026,340 | ---- | C] () -- C:\Users\Mary\AppData\Roaming\UserTile.png
[2008/12/28 18:13:36 | 000,016,384 | ---- | C] () -- C:\Users\Mary\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/12/28 15:51:53 | 000,000,013 | RHS- | C] () -- C:\Windows\System32\drivers\fbd.sys
[2008/12/28 15:51:49 | 000,000,004 | RHS- | C] () -- C:\Windows\System32\drivers\taishop.sys
[2008/11/25 22:04:07 | 000,128,113 | ---- | C] () -- C:\Windows\System32\csellang.ini
[2008/11/25 22:04:07 | 000,045,056 | ---- | C] () -- C:\Windows\System32\csellang.dll
[2008/11/25 22:04:07 | 000,010,150 | ---- | C] () -- C:\Windows\System32\tosmreg.ini
[2008/11/25 22:04:07 | 000,007,671 | ---- | C] () -- C:\Windows\System32\cseltbl.ini
[2008/09/30 15:36:25 | 000,000,000 | ---- | C] () -- C:\Windows\NDSTray.INI
[2008/06/12 22:59:22 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1502.dll
[2006/11/02 03:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/03/09 13:58:00 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2004/08/17 20:00:00 | 000,073,748 | -H-- | C] () -- C:\Windows\System32\FastUserSwitchingCompatibilityex.dll

========== LOP Check ==========

[2009/03/18 13:59:03 | 000,000,000 | ---D | M] -- C:\Users\Mary\AppData\Roaming\5600-6600 Series
[2010/08/26 21:17:30 | 000,000,000 | ---D | M] -- C:\Users\Mary\AppData\Roaming\Canneverbe Limited
[2009/03/18 07:16:55 | 000,000,000 | ---D | M] -- C:\Users\Mary\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2009/05/01 18:09:31 | 000,000,000 | ---D | M] -- C:\Users\Mary\AppData\Roaming\FoxPlayerAIR.01F2E49DE175CC541F416F2DF78BDD5E63AD0096.1
[2009/03/17 12:30:47 | 000,000,000 | ---D | M] -- C:\Users\Mary\AppData\Roaming\Individual Software
[2009/03/18 13:40:38 | 000,000,000 | ---D | M] -- C:\Users\Mary\AppData\Roaming\Lexmark Productivity Studio
[2009/01/04 14:18:30 | 000,000,000 | ---D | M] -- C:\Users\Mary\AppData\Roaming\Libronix DLS
[2009/01/16 00:35:24 | 000,000,000 | ---D | M] -- C:\Users\Mary\AppData\Roaming\PeerNetworking
[2009/03/19 13:19:32 | 000,000,000 | ---D | M] -- C:\Users\Mary\AppData\Roaming\Pogo Games
[2009/12/20 10:46:28 | 000,000,000 | ---D | M] -- C:\Users\Mary\AppData\Roaming\Skinux
[2009/08/28 19:21:03 | 000,000,000 | ---D | M] -- C:\Users\Mary\AppData\Roaming\Template
[2009/01/23 14:04:38 | 000,000,000 | ---D | M] -- C:\Users\Mary\AppData\Roaming\Toshiba
[2009/05/08 20:01:07 | 000,000,000 | ---D | M] -- C:\Users\Mary\AppData\Roaming\VersionTracker Pro
[2010/04/30 08:15:46 | 000,000,000 | ---D | M] -- C:\Users\Mary\AppData\Roaming\Wal-Mart
[2009/01/12 11:55:20 | 000,000,000 | ---D | M] -- C:\Users\Mary\AppData\Roaming\WeatherBug
[2009/03/18 16:57:14 | 000,000,000 | ---D | M] -- C:\Users\Mary\AppData\Roaming\WinBatch
[2010/08/15 09:38:03 | 000,000,398 | ---- | M] () -- C:\Windows\Tasks\EasyShare Registration Task.job
[2010/09/03 06:23:08 | 000,000,416 | ---- | M] () -- C:\Windows\Tasks\PCConfidential.job
[2010/09/03 06:23:08 | 000,000,352 | ---- | M] () -- C:\Windows\Tasks\RegTool Startup.job
[2010/09/02 19:14:07 | 000,032,542 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2010/08/26 20:33:17 | 000,000,420 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{7740C5BF-A858-4EC9-B4C4-CBDAE476D2DB}.job

========== Purity Check ==========



========== Custom Scans ==========


< netsvc >

< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2008/01/20 22:32:22 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\drivers\AGP440.sys
[2008/01/20 22:32:22 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_51b95d75\AGP440.sys
[2008/01/20 22:32:22 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_f750e484\AGP440.sys
[2008/01/20 22:32:22 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6001.18000_none_ba12ed3bbeb0d97a\AGP440.sys
[2008/01/20 22:32:22 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6002.18005_none_bbfe6647bbd2a4c6\AGP440.sys
[2008/03/24 23:22:22 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=2D77788D0B7FE269044F58C86AE099CE -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_3e1ecd89\AGP440.sys
[2008/03/24 23:22:22 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=2D77788D0B7FE269044F58C86AE099CE -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6001.22142_none_ba734aead7ed1bb6\AGP440.sys
[2008/03/25 23:38:23 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=ED91751834103DB2A74470CD763A49FE -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_e4087235\AGP440.sys
[2008/03/25 23:38:23 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=ED91751834103DB2A74470CD763A49FE -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6000.20800_none_b8b64d46daa7e57a\AGP440.sys
[2006/11/02 05:49:52 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_920a2c1f\AGP440.sys

< MD5 for: ATAPI.SYS >
[2008/03/12 02:38:18 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=0D83C87A801A3DFCD1BF73893FE7518C -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_4c9c5a00\atapi.sys
[2008/03/12 02:38:18 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=0D83C87A801A3DFCD1BF73893FE7518C -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18034_none_dd1bb97e219e87cb\atapi.sys
[2009/04/11 02:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\System32\drivers\atapi.sys
[2009/04/11 02:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys
[2009/04/11 02:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys
[2008/01/20 22:32:21 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys
[2008/01/20 22:32:21 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys
[2006/11/02 05:49:36 | 000,019,048 | ---- | M] (Microsoft Corporation) MD5=4F4FCB8B6EA06784FB6D475B7EC7300F -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys
[2008/03/12 02:24:20 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=96DC4E1A9F90CCD489950A8935425C59 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.22134_none_dda556493abc2795\atapi.sys

< MD5 for: CNGAUDIT.DLL >
[2006/11/02 05:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\System32\cngaudit.dll
[2006/11/02 05:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll

< MD5 for: IASTOR.SYS >
[2008/04/15 21:54:16 | 000,388,120 | ---- | M] (Intel Corporation) MD5=8D58627FEF3F8767665D9F4DC91CBD97 -- C:\Program Files\Intel\Intel Matrix Storage Manager\driver64\IaStor.sys
[2008/04/15 21:53:44 | 000,312,344 | ---- | M] (Intel Corporation) MD5=DB0CC620B27A928D968C1A1E9CD9CB87 -- C:\Program Files\Intel\Intel Matrix Storage Manager\driver\IaStor.sys
[2008/04/15 21:53:44 | 000,312,344 | ---- | M] (Intel Corporation) MD5=DB0CC620B27A928D968C1A1E9CD9CB87 -- C:\Windows\System32\drivers\iaStor.sys
[2008/04/15 21:53:44 | 000,312,344 | ---- | M] (Intel Corporation) MD5=DB0CC620B27A928D968C1A1E9CD9CB87 -- C:\Windows\System32\DriverStore\FileRepository\iaahci.inf_77c04a30\iaStor.sys

< MD5 for: IASTORV.SYS >
[2008/01/20 22:32:49 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\System32\drivers\iaStorV.sys
[2008/01/20 22:32:49 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_c9df7691\iaStorV.sys
[2008/01/20 22:32:49 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.0.6001.18000_none_af11527887c7fa8f\iaStorV.sys
[2006/11/02 05:51:25 | 000,232,040 | ---- | M] (Intel Corporation) MD5=C957BF4B5D80B46C5017BF0101E6C906 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_37cdafa4\iaStorV.sys

< MD5 for: KR10N.SYS >
[2006/11/09 02:31:00 | 000,211,072 | ---- | M] (TOSHIBA CORPORATION) MD5=6A4ADB9186DD0E114E623DAF57E42B31 -- C:\Windows\System32\drivers\KR10N.sys
[2006/11/09 02:31:00 | 000,211,072 | ---- | M] (TOSHIBA CORPORATION) MD5=6A4ADB9186DD0E114E623DAF57E42B31 -- C:\Windows\System32\DriverStore\FileRepository\kr10.inf_c681c175\KR10N.sys
[2005/09/27 04:57:00 | 000,207,104 | ---- | M] (TOSHIBA CORPORATION) MD5=A1963360E74931222A67356C8AD48378 -- C:\Windows\System32\DriverStore\FileRepository\kr10n.inf_f8c77270\KR10N.sys

< MD5 for: NETLOGON.DLL >
[2009/04/11 02:28:23 | 000,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\System32\netlogon.dll
[2009/04/11 02:28:23 | 000,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6002.18005_none_ffa3304f351bb3a3\netlogon.dll
[2008/01/20 22:33:41 | 000,592,384 | ---- | M] (Microsoft Corporation) MD5=A8EFC0B6E75B789F7FD3BA5025D4E37F -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857\netlogon.dll

< MD5 for: NVSTOR.SYS >
[2006/11/02 05:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_733654ff\nvstor.sys
[2008/01/20 22:32:47 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\System32\drivers\nvstor.sys
[2008/01/20 22:32:47 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_31c3d71d\nvstor.sys
[2008/01/20 22:32:47 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.0.6001.18000_none_39dac327befea467\nvstor.sys

< MD5 for: SCECLI.DLL >
[2008/01/20 22:34:39 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=28B84EB538F7E8A0FE8B9299D591E0B9 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12\scecli.dll
[2009/04/11 02:28:24 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\System32\scecli.dll
[2009/04/11 02:28:24 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2009/04/11 02:28:18 | 001,209,856 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\comsvcs.dll
[2009/03/08 07:31:42 | 000,348,160 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\dxtmsft.dll
[2009/03/08 07:31:37 | 000,216,064 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\dxtrans.dll
[2009/04/11 02:27:47 | 000,241,128 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\rsaenh.dll
[2009/04/11 02:28:23 | 000,228,352 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\SLC.dll
[2010/03/05 10:01:02 | 000,420,352 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\vbscript.dll
[3 C:\Windows\system32\*.tmp files -> C:\Windows\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2008/09/30 14:36:49 | 011,894,784 | ---- | M] () -- C:\Windows\System32\config\COMPONENTS.SAV
[2008/09/30 14:36:45 | 000,102,400 | ---- | M] () -- C:\Windows\System32\config\DEFAULT.SAV
[2008/09/30 14:36:49 | 000,020,480 | ---- | M] () -- C:\Windows\System32\config\SECURITY.SAV
[2008/09/30 14:36:55 | 016,179,200 | ---- | M] () -- C:\Windows\System32\config\SOFTWARE.SAV
[2008/09/30 14:36:56 | 006,574,080 | ---- | M] () -- C:\Windows\System32\config\SYSTEM.SAV

========== Alternate Data Streams ==========

@Alternate Data Stream - 152 bytes -> C:\ProgramData\TEMP:C46995DA
@Alternate Data Stream - 151 bytes -> C:\ProgramData\TEMP:DE73B0FE
@Alternate Data Stream - 151 bytes -> C:\ProgramData\TEMP:07348C09
@Alternate Data Stream - 138 bytes -> C:\ProgramData\TEMP:2D0C22DC
@Alternate Data Stream - 124 bytes -> C:\ProgramData\TEMP:1299CD38
@Alternate Data Stream - 116 bytes -> C:\ProgramData\TEMP:D1B5B4F1
@Alternate Data Stream - 112 bytes -> C:\ProgramData\TEMP:DFC5A2B2
< End of report >

***************************************************

OTL Extras logfile created on: 9/3/2010 5:50:16 AM - Run 1
OTL by OldTimer - Version 3.2.11.0 Folder = C:\Users\Mary\Desktop
Windows Vista Home Basic Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18943)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 53.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 69.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 140.37 Gb Total Space | 89.22 Gb Free Space | 63.56% Space Free | Partition Type: NTFS
Drive D: | 10.28 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MARY-PC
Current User Name: Mary
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-3023599555-3989719847-863854613-1000\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htafile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~3\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3023599555-3989719847-863854613-1000]
"EnableNotificationsRef" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0C4A8158-0866-4910-9E2D-48F14CCCD643}" = rport=3702 | protocol=17 | dir=out | app=%systemroot%\system32\p2phost.exe |
"{14368C64-4F78-4EDC-A0D8-FF5C9C7F9EB8}" = lport=138 | protocol=17 | dir=in | app=system |
"{1ECBCCFD-E97C-4435-ADD3-394A7E9710DA}" = rport=445 | protocol=6 | dir=out | app=system |
"{2868247E-6B4D-40CB-AFAB-1B4238EC7052}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{2E444732-A06E-4E3A-BCCD-8477660D9F63}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{2FA52115-9FF2-4EA3-A861-84AD51D540E9}" = rport=138 | protocol=17 | dir=out | app=system |
"{3A4EA785-9349-4D8C-8D50-8EDEC343BF9D}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{45C69E15-AA7B-4BF7-A76B-10E7FB1AB95C}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=c:\windows\system32\svchost.exe |
"{4D0D83F4-A35E-4423-A320-B3B822340CBB}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{4E867632-5366-4DAA-B72A-F09585318F3B}" = lport=3702 | protocol=17 | dir=in | app=%systemroot%\system32\p2phost.exe |
"{5542C915-D016-4AE9-835F-C7FB2C5DB2A5}" = rport=139 | protocol=6 | dir=out | app=system |
"{5BED486E-BBFB-43BE-B3C8-1A6039316A0E}" = lport=139 | protocol=6 | dir=in | app=system |
"{6BC19D42-09B5-4C2D-8949-41D8A9B24177}" = lport=3702 | protocol=17 | dir=in | app=%systemroot%\system32\p2phost.exe |
"{7AD669ED-DF48-4A09-BB3E-7BF83B8DA043}" = lport=137 | protocol=17 | dir=in | app=system |
"{AAC7FEE0-8CB4-41C2-AC6A-99A1CCE0AB2F}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{B4724D5D-F81E-4E88-B7FF-30C77B28E9C3}" = lport=3540 | protocol=17 | dir=in | svc=pnrpsvc | app=%systemroot%\system32\svchost.exe |
"{BF80FCA2-2A5E-4B5A-AA3D-1E8C63D6D768}" = lport=445 | protocol=6 | dir=in | app=system |
"{C1F1C4C8-FCD0-4991-8066-E6C2B980140F}" = lport=3540 | protocol=17 | dir=in | svc=pnrpsvc | app=%systemroot%\system32\svchost.exe |
"{DE26D1FA-6624-46F2-9B6F-7FB13863F51D}" = rport=3702 | protocol=17 | dir=out | app=%systemroot%\system32\p2phost.exe |
"{E173C5ED-B56D-48B1-95D8-C6556F0F160F}" = rport=137 | protocol=17 | dir=out | app=system |
"{EDFCB7C1-E8D1-4487-A5D2-3C0DDC0DCC69}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{F69B54FB-04D9-43D6-9953-0BF7357FFE73}" = rport=3540 | protocol=17 | dir=out | svc=pnrpsvc | app=%systemroot%\system32\svchost.exe |
"{FECF86B2-B608-4C95-83A8-D4ADCCEDA618}" = rport=3540 | protocol=17 | dir=out | svc=pnrpsvc | app=%systemroot%\system32\svchost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{038DDB65-01FC-416E-B6B1-09FC8385DAB8}" = protocol=17 | dir=in | app=c:\program files\lexmark 5600-6600 series\lxdufax.exe |
"{04FE85FE-693E-476B-B26C-960C2577F1A7}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{051779D6-D437-4831-8737-06E8F84C06C4}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{05345546-571F-477C-A475-FCE75E24F2D9}" = protocol=6 | dir=out | app=%systemroot%\system32\p2phost.exe |
"{08108BAD-46A4-4A28-9D55-059564D4D2A3}" = protocol=17 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |
"{15F50D75-BCCE-4650-9B25-1AB947CB5551}" = protocol=6 | dir=in | app=c:\windows\system32\lxducoms.exe |
"{16829F84-A53A-41B8-82CF-92CAC0B5ED3B}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{1AA63575-B37B-4ACA-9662-BA97AB46A42F}" = protocol=17 | dir=in | app=c:\program files\aol 9.1\waol.exe |
"{20A1FDD1-13B4-4786-8F84-F0CC86DD011F}" = protocol=17 | dir=in | app=c:\program files\common files\aol\1234042782\ee\aolsoftware.exe |
"{21F9CF88-A7A4-45C5-92B6-F60DA992C5B4}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{2886C9D7-BD50-4D2D-A48F-ABAB6272FF83}" = protocol=6 | dir=in | app=c:\program files\common files\aol\acs\aoldial.exe |
"{39B1B313-A138-4509-A295-F414F488ED0C}" = protocol=17 | dir=in | app=c:\program files\common files\aol\loader\aolload.exe |
"{3CEE5186-9180-4217-AAF2-98CB1CD0F1BC}" = protocol=6 | dir=in | app=c:\program files\common files\aol\system information\sinf.exe |
"{44B6AE1E-99A9-4261-98C8-35703B61B971}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{45B6ADC2-8FD7-481B-A623-E27BB3B97BD5}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{47EBFEAA-0B9A-4063-A0A9-43B443F3AE54}" = protocol=6 | dir=in | app=c:\program files\lexmark 5600-6600 series\lxdufax.exe |
"{47F3BA84-CB4B-4F53-9986-C457765C1A92}" = protocol=6 | dir=in | app=c:\program files\common files\aol\topspeed\3.0\aoltpsd3.exe |
"{5502B3D1-21BC-4CC6-BFE4-C904C5CC5D36}" = protocol=17 | dir=in | app=c:\program files\lexmark 5600-6600 series\lxduamon.exe |
"{579120B8-C3E5-49E9-B987-AAEB8CCDDA21}" = protocol=17 | dir=in | app=c:\program files\common files\aol\topspeed\3.0\aoltpsd3.exe |
"{6075BAAE-BE39-4887-957A-776EF911F2AD}" = protocol=6 | dir=out | app=%systemroot%\system32\p2phost.exe |
"{6142C6DC-ED09-452B-ADF2-6CAB84333FC2}" = protocol=6 | dir=in | app=%systemroot%\system32\p2phost.exe |
"{656396AB-3116-49B0-BBD3-63DC212239D7}" = protocol=17 | dir=in | app=c:\program files\common files\aol\acs\aoldial.exe |
"{75A9EF69-033C-4606-8874-C304FAF6BA8F}" = protocol=6 | dir=in | app=c:\program files\common files\aol\acs\aolacsd.exe |
"{7CA9846D-4FA6-467C-AF9E-FBFA5C463FDF}" = protocol=6 | dir=in | app=c:\program files\common files\aol\1234042782\ee\aolsoftware.exe |
"{80A077F0-D392-465E-B3D7-399AD22E7951}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{81B5E260-CF81-4B50-8062-D474050E23E1}" = protocol=17 | dir=in | app=c:\windows\system32\lxducoms.exe |
"{86D87A0E-D713-4C3E-AD93-9CAB4C36C991}" = protocol=6 | dir=in | app=c:\program files\aol 9.1\waol.exe |
"{89703AF6-A147-4F5B-B541-DFD95211340F}" = protocol=6 | dir=in | app=c:\program files\lexmark 5600-6600 series\lxduamon.exe |
"{96277DB9-79D6-444B-B7D1-37A732C418DF}" = protocol=6 | dir=in | app=c:\program files\abbyy finereader 6.0 sprint\scan\scanman6.exe |
"{9684AA99-51D5-4675-968D-7E0AE75EC7F0}" = protocol=17 | dir=in | app=c:\program files\common files\aol\system information\sinf.exe |
"{9EA63397-60A1-472A-9CED-80D344703556}" = protocol=17 | dir=in | app=c:\program files\common files\aol\acs\aolacsd.exe |
"{A1D0B9F8-20CE-4686-9A38-6FDAD8B70C8A}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{AC2D62BD-DF80-4656-A5B7-6BCB379989F1}" = protocol=6 | dir=in | app=c:\windows\system32\lxducoms.exe |
"{BC93473D-CA16-4E42-A7EB-0F355E48A2E6}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{C722D50F-3EF2-4F37-BF42-6F26E74B6A53}" = protocol=6 | dir=in | app=c:\program files\lexmark 5600-6600 series\frun.exe |
"{CA7EA9ED-5602-4A99-BCF0-1EC12437C73E}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{CF105387-23A9-401B-A374-0F3030B8683F}" = protocol=17 | dir=in | app=c:\program files\abbyy finereader 6.0 sprint\scan\scanman6.exe |
"{DAC00B2B-97CF-47BB-9CDD-3FFE1345AB87}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{DC386EFC-6F4E-4B4C-8DAE-6C59AA6E08D7}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{DD3018BF-4F63-42DA-B1C8-15869644CF71}" = protocol=6 | dir=in | app=c:\program files\common files\aol\loader\aolload.exe |
"{EB729E98-4723-4E52-84D7-F16AA40AC33C}" = protocol=6 | dir=in | app=%systemroot%\system32\p2phost.exe |
"{ECCAF9DB-58CB-471E-998A-75ECABB48AF9}" = protocol=17 | dir=in | app=c:\program files\lexmark 5600-6600 series\frun.exe |
"{EFE1DB28-9274-416C-9365-4BB24EACE3CE}" = protocol=17 | dir=in | app=c:\windows\system32\lxducoms.exe |
"{F3D865F0-1CD6-4052-A64D-02E02E416753}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{F52A1979-B4AE-45EF-AC15-405F305BFC57}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{FD4986AE-B689-4389-973E-511571011CF1}" = protocol=6 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |
"{FD4ADD30-AA71-4C2A-99B8-93BEC5340F2D}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"TCP Query User{08138EB3-C22A-4441-8AE3-EBD52A064CFF}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"TCP Query User{BE0F5B2F-29C6-4638-88C2-3810B56395E8}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"UDP Query User{6DBC1D4E-565E-4EB0-9B67-7D247E8B5071}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"UDP Query User{9CEFE32F-5A5C-4CA0-8215-15C96FFBDD42}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{007B37D9-0C45-4202-834B-DD5FAAE99D63}" = ArcSoft Print Creations - Slimline Card
"{008D69EB-70FF-46AB-9C75-924620DF191A}" = TOSHIBA Speech System SR Engine(U.S.) Version1.0
"{0840B4D6-7DD1-4187-8523-E6FC0007EFB7}" = Windows Live ID Sign-in Assistant
"{0CB9668D-F979-4F31-B8B8-67FE90F929F8}" = Bonjour
"{0D5D0BEE-FBA9-4928-A50D-6CDFAB827755}" = TOSHIBA ConfigFree
"{1017A80C-6F09-4548-A84D-EDD6AC9525F0}" = Lexmark Toolbar
"{10812DE7-2E57-4740-B226-6B3BE34AF9D7}" = Lexmark Tools for Office
"{12B3A009-A080-4619-9A2A-C6DB151D8D67}" = TOSHIBA Assist
"{13F2D4A5-E141-4BBF-898F-E36293348540}" = PC SpeedScan Pro
"{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}" = ESSPCD
"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
"{19991EAD-C273-47EB-87E8-0D274925230B}" = OEB Resource Driver
"{224821ED-CADA-4A8A-AC8D-3734CC0F0931}" = Amazon Links
"{24D753CA-6AE9-4E30-8F5F-EFC93E08BF3D}" = Skype™ 4.0
"{2883F6F5-0509-43F3-868C-D50330DD9DD3}" = TOSHIBA Hardware Setup
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{2D03B6F8-DF36-4980-B7B6-5B93D5BA3A8F}" = essvatgt
"{3FBF6F99-8EC6-41B4-8527-0A32241B5496}" = TOSHIBA Speech System TTS Engine(U.S.) Version1.0
"{415B2719-AD3A-4944-B404-C472DB6085B3}" = Cisco EAP-FAST Module
"{42938595-0D83-404D-9F73-F8177FDD531A}" = ESScore
"{44CDBD1B-89FB-4E02-8319-2A4C550F664A}" = RTC Client API v1.2
"{4537EA4B-F603-4181-89FB-2953FC695AB1}" = netbrdg
"{4571CC76-42C4-7D67-E024-0AEB166E1C6F}" = Acrobat.com
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4B1E87C3-00DE-4898-8E39-E390AAEF2391}" = TOSHIBA Supervisor Password
"{5316DFC9-CE99-4458-9AB3-E8726EDE0210}" = skin0001
"{56589DFE-0C29-4DFE-8E42-887B771ECD23}" = ArcSoft Print Creations - Photo Book
"{5DA0E02F-970B-424B-BF41-513A5018E4C0}" = TOSHIBA Disc Creator
"{5F81DD84-6A2F-11D4-903E-00E0293397B7}" = Bible Data Type System Files
"{5F81DD89-6A2F-11D4-903E-00E0293397B7}" = Common System Files
"{5F81DD92-6A2F-11D4-903E-00E0293397B7}" = Libronix Digital Library System
"{5F81DD97-6A2F-11D4-903E-00E0293397B7}" = Libronix DLS Application
"{5F81DD9B-6A2F-11D4-903E-00E0293397B7}" = LibronixUpdate
"{5F81DD9F-6A2F-11D4-903E-00E0293397B7}" = LLS Resource Driver
"{5F81DDA3-6A2F-11D4-903E-00E0293397B7}" = PDF Resource Driver
"{605A4E39-613C-4A12-B56F-DEFBE6757237}" = SHASTA
"{608D2A3C-6889-4C11-9B54-A42F45ACBFDB}" = fflink
"{612AD33D-9824-4E87-8396-92374E91C4BB}_is1" = Inbox Toolbar
"{617C36FD-0CBE-4600-84B2-441CEB12FADF}" = TOSHIBA Extended Tiles for Windows Mobility Center
"{643EAE81-920C-4931-9F0B-4B343B225CA6}" = ESSBrwr
"{669C7BD8-DAA2-49B6-966C-F1E2AAE6B17E}" = Cisco PEAP Module
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6C5F3BDC-0A1B-4436-A696-5939629D5C31}" = TOSHIBA DVD PLAYER
"{6C6F0968-2B86-42B4-AF34-46A5F06E8FA4}" = MySoftware Fonts
"{72CB5335-6D2A-4207-B811-6CB6C6925039}" = Batch Update
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7E265513-8CDA-4631-B696-F40D983F3B07}_is1" = CDBurnerXP
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-110542703}" = Word Whomp To Go
"{83770D14-21B9-44B3-8689-F7B523F94560}" = Cisco LEAP Module
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{85991ED2-010C-4930-96FA-52F43C2CE98A}" = Apple Mobile Device Support
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek 8169 8168 8101E 8102E Ethernet Driver
"{890EF3F8-742F-46BD-9E8E-084B3A1F4364}" = QuickBooks Financial Center
"{8943CE61-53BD-475E-90E1-A580869E98A2}" = staticcr
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A502E38-29C9-49FA-BCFA-D727CA062589}" = ESSTOOLS
"{8C3F7B7D-21A0-4C8E-A055-8B814CAF8482}" = Design & Print, Business Edition
"{8E92D746-CD9F-4B90-9668-42B74C14F765}" = ESSini
"{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}" = Choice Guard
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{91517631-A9F3-4B7C-B482-43E0068FD55A}" = ESSgui
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9591C049-5CAE-4E89-A8D9-191F1899628B}" = ArcSoft Print Creations - Funhouse
"{999D43F4-9709-4887-9B1A-83EBB15A8370}" = VPRINTOL
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9D44A1FA-ED59-47D4-B1C2-4E561D8BFEEB}" = Wal-Mart Digital Photo Manager
"{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}" = CD/DVD Drive Acoustic Silencer
"{A0EFB06D-0C7C-4A85-B1D3-65AF82536A7B}" = Sentence Diagramming
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A732B597-83FF-4E5B-BF49-B388653E822E}" = Spyware Striker
"{AC6569FA-6919-442A-8552-073BE69E247A}" = TOSHIBA Service Station
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1.3
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}" = ABBYY FineReader 6.0 Sprint
"{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}" = ESSCDBK
"{B0BCDCBD-863D-4CAB-BF68-8D1F6B1BDC13}" = Atheros Wi-Fi Protected Setup Library
"{B0D83FCD-9D42-43ED-8315-250326AADA02}" = ArcSoft Print Creations - Scrapbook
"{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}" = OfotoXMI
"{B1CF6225-211E-4B4C-B466-5F224E348FF3}_is1" = Inbox.com Weather
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B2D328BE-45AD-4D92-96F9-2151490A203E}" = Apple Application Support
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}" = CCScore
"{B5FDA445-CAC4-4BA6-A8FB-A7212BD439DE}" = Microsoft XML Parser
"{B65BBB06-1F8E-48F5-8A54-B024A9E15FDF}" = TOSHIBA Recovery Disc Creator
"{C1E11C46-E6EB-4BD2-9ADF-2A98ACBEB216}" = iTunes
"{C3A32068-8AB1-4327-BB16-BED9C6219DC7}" = Atheros Driver Installation Program
"{C53D16CC-E56F-47B8-906E-70AAF8EABB4F}" = Toshiba Registration
"{CA0AF735-4583-413E-897F-E91A237EE2E1}" = Libronix DLS Shortcuts
"{CA9ED5E4-1548-485B-A293-417840060158}" = ArcSoft Print Creations - Photo Calendar
"{CAE8A0F1-B498-4C23-95FA-55047E730C8F}" = ArcSoft Print Creations
"{CC351B44-5610-43C5-81E6-A2C760CB0A20}" = Graphical Query Editor
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CED3DF1E-01D1-45AD-BF33-64AE5E8843B8}" = SpyHunter
"{D2C5E510-BE6D-42CC-9F61-E4F939078474}" = Lexmark Printable Web
"{D32470A1-B10C-4059-BA53-CF0486F68EBC}" = Kodak EasyShare software
"{DB02F716-6275-42E9-B8D2-83BA2BF5100B}" = SFR
"{DC24971E-1946-445D-8A82-CE685433FA7D}" = Realtek USB 2.0 Card Reader
"{E1E56B8A-1AAF-422A-91DB-625059FB9863}" = TOSHIBA Desktop Links
"{E2883E8F-472F-4fb0-9522-AC9BF37916A7}" = Adobe Download Manager
"{E33E9496-820B-4BAF-86B2-8E6E484F7675}" = Cribbage 2D
"{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}" = Windows Media Encoder 9 Series
"{E50AE784-FABE-46DA-A1F8-7B6B56DCB22E}" = Microsoft Office Suite Activation Assistant
"{E62A1F01-07B7-4541-A835-EE5B0BF064C2}" = Microsoft Antimalware
"{E6B4117F-AC59-4B13-9274-EB136E8897EE}" = ArcSoft Print Creations - Album Page
"{EE033C1F-443E-41EC-A0E2-559B539A4E4D}" = TOSHIBA Speech System Applications
"{EF98A02A-1748-4762-9B7D-5ED1600520D5}" = Microsoft Security Essentials
"{F04F9557-81A9-4293-BC49-2C216FA325A7}" = ArcSoft Print Creations - Greeting Card
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F40BBEC7-C2A4-4A00-9B24-7A055A2C5262}" = Microsoft Office Live Add-in 1.5
"{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}" = SKINXSDK
"{F5346614-B7C4-4E94-826A-E2363155233D}" = EasyCleaner
"{F9593CFB-D836-49BC-BFF1-0E669A411D9F}" = WIRELESS
"{FA54AFB1-5745-4389-B8C1-9F7509672ED1}" = iPhone Configuration Utility
"{FCDB1C92-03C6-4C76-8625-371224256091}" = ESSPDock
"{FE0646A7-19D0-41B4-A2BB-2C35D644270D}" = Windows Live OneCare safety scanner
"{FEDD27A0-B306-45EF-BF58-B527406B42C8}" = TOSHIBA Value Added Package
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Arora" = Arora 0.10.0
"Bejeweled Blitz" = Bejeweled Blitz
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"CToolbar_UNINSTALL" = Inbox.com Toolbar
"EASEUS Todo Backup 1.1_is1" = EASEUS Todo Backup 1.1
"HDMI" = Intel® Graphics Media Accelerator Driver
"HijackThis" = HijackThis 2.0.2
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"InstallShield_{617C36FD-0CBE-4600-84B2-441CEB12FADF}" = TOSHIBA Extended Tiles for Windows Mobility Center
"InstallShield_{FEDD27A0-B306-45EF-BF58-B527406B42C8}" = TOSHIBA Value Added Package
"Lexmark 5600-6600 Series" = Lexmark 5600-6600 Series
"Libronix DLS" = Libronix Digital Library System
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft Security Essentials" = Microsoft Security Essentials
"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"The Weather Channel Desktop 6" = The Weather Channel Desktop 6
"TOSHIBA Software Modem" = TOSHIBA Software Modem
"Trivia Machine" = Trivia Machine (remove only)
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"Windows Media Encoder 9" = Windows Media Encoder 9 Series

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-3023599555-3989719847-863854613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Yahoo! BrowserPlus" = Yahoo! BrowserPlus 2.9.8

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 9/2/2010 7:12:42 PM | Computer Name = Mary-PC | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 6.0.6001.18000, time stamp
0x47918b89, faulting module ntdll.dll, version 6.0.6002.18005, time stamp 0x49e03821,
exception code 0xc000071b, fault offset 0x000888f5, process id 0x7b4, application
start time 0x01cb4ae0c19859e0.

Error - 9/2/2010 7:14:32 PM | Computer Name = Mary-PC | Source = WinMgmt | ID = 10
Description =

Error - 9/2/2010 7:50:35 PM | Computer Name = Mary-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 9/2/2010 7:50:35 PM | Computer Name = Mary-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 9/2/2010 7:50:37 PM | Computer Name = Mary-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 9/3/2010 5:50:57 AM | Computer Name = Mary-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 9/3/2010 5:50:57 AM | Computer Name = Mary-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 9/3/2010 5:50:57 AM | Computer Name = Mary-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 9/3/2010 5:51:04 AM | Computer Name = Mary-PC | Source = SPP | ID = 16387
Description =

Error - 9/3/2010 5:51:04 AM | Computer Name = Mary-PC | Source = System Restore | ID = 8193
Description =

[ DFS Replication Events ]
Error - 6/16/2010 4:01:24 AM | Computer Name = Mary-PC | Source = DFSR | ID = 6104
Description = The DFS Replication service failed to register the WMI providers.
Replication is disabled until the problem is resolved. Additional Information: Error:
2147943453 (The service did not respond to the start or control request in a timely
fashion.)

Error - 6/17/2010 10:27:59 PM | Computer Name = Mary-PC | Source = DFSR | ID = 6104
Description = The DFS Replication service failed to register the WMI providers.
Replication is disabled until the problem is resolved. Additional Information: Error:
2147943453 (The service did not respond to the start or control request in a timely
fashion.)

Error - 6/18/2010 12:59:36 AM | Computer Name = Mary-PC | Source = DFSR | ID = 6104
Description = The DFS Replication service failed to register the WMI providers.
Replication is disabled until the problem is resolved. Additional Information: Error:
2147943453 (The service did not respond to the start or control request in a timely
fashion.)

Error - 6/18/2010 4:56:38 AM | Computer Name = Mary-PC | Source = DFSR | ID = 6104
Description = The DFS Replication service failed to register the WMI providers.
Replication is disabled until the problem is resolved. Additional Information: Error:
2147943453 (The service did not respond to the start or control request in a timely
fashion.)

[ System Events ]
Error - 9/2/2010 4:07:33 PM | Computer Name = Mary-PC | Source = Print | ID = 19
Description = The print spooler failed to share printer Send To OneNote 2007 with
shared resource name Send To OneNote 2007. Error 2114. The printer cannot be used
by others on the network.

Error - 9/2/2010 4:07:34 PM | Computer Name = Mary-PC | Source = Print | ID = 19
Description = The print spooler failed to share printer Organizer PDF Creator with
shared resource name Organizer PDF Creator. Error 2114. The printer cannot be used
by others on the network.

Error - 9/2/2010 4:07:34 PM | Computer Name = Mary-PC | Source = Print | ID = 19
Description = The print spooler failed to share printer Lexmark 5600-6600 Series
(USB) with shared resource name Lexmark 5600-6600 Series (USB). Error 2114. The
printer cannot be used by others on the network.

Error - 9/2/2010 4:07:34 PM | Computer Name = Mary-PC | Source = Print | ID = 19
Description = The print spooler failed to share printer Fax Lexmark 5600-6600 Series
with shared resource name Fax Lexmark 5600-6600 Series. Error 2114. The printer
cannot be used by others on the network.

Error - 9/2/2010 4:31:51 PM | Computer Name = Mary-PC | Source = Service Control Manager | ID = 7032
Description =

Error - 9/2/2010 4:31:52 PM | Computer Name = Mary-PC | Source = Service Control Manager | ID = 7032
Description =

Error - 9/2/2010 4:53:39 PM | Computer Name = Mary-PC | Source = Service Control Manager | ID = 7032
Description =

Error - 9/2/2010 4:56:39 PM | Computer Name = Mary-PC | Source = Service Control Manager | ID = 7032
Description =

Error - 9/2/2010 7:06:15 PM | Computer Name = Mary-PC | Source = DCOM | ID = 10010
Description =

Error - 9/2/2010 7:16:09 PM | Computer Name = Mary-PC | Source = Service Control Manager | ID = 7032
Description =


< End of report >

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-3023599555-3989719847-863854613-1000\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htafile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~3\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3023599555-3989719847-863854613-1000]
"EnableNotificationsRef" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0C4A8158-0866-4910-9E2D-48F14CCCD643}" = rport=3702 | protocol=17 | dir=out | app=%systemroot%\system32\p2phost.exe |
"{14368C64-4F78-4EDC-A0D8-FF5C9C7F9EB8}" = lport=138 | protocol=17 | dir=in | app=system |
"{1ECBCCFD-E97C-4435-ADD3-394A7E9710DA}" = rport=445 | protocol=6 | dir=out | app=system |
"{2868247E-6B4D-40CB-AFAB-1B4238EC7052}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{2E444732-A06E-4E3A-BCCD-8477660D9F63}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{2FA52115-9FF2-4EA3-A861-84AD51D540E9}" = rport=138 | protocol=17 | dir=out | app=system |
"{3A4EA785-9349-4D8C-8D50-8EDEC343BF9D}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{45C69E15-AA7B-4BF7-A76B-10E7FB1AB95C}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=c:\windows\system32\svchost.exe |
"{4D0D83F4-A35E-4423-A320-B3B822340CBB}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{4E867632-5366-4DAA-B72A-F09585318F3B}" = lport=3702 | protocol=17 | dir=in | app=%systemroot%\system32\p2phost.exe |
"{5542C915-D016-4AE9-835F-C7FB2C5DB2A5}" = rport=139 | protocol=6 | dir=out | app=system |
"{5BED486E-BBFB-43BE-B3C8-1A6039316A0E}" = lport=139 | protocol=6 | dir=in | app=system |
"{6BC19D42-09B5-4C2D-8949-41D8A9B24177}" = lport=3702 | protocol=17 | dir=in | app=%systemroot%\system32\p2phost.exe |
"{7AD669ED-DF48-4A09-BB3E-7BF83B8DA043}" = lport=137 | protocol=17 | dir=in | app=system |
"{AAC7FEE0-8CB4-41C2-AC6A-99A1CCE0AB2F}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{B4724D5D-F81E-4E88-B7FF-30C77B28E9C3}" = lport=3540 | protocol=17 | dir=in | svc=pnrpsvc | app=%systemroot%\system32\svchost.exe |
"{BF80FCA2-2A5E-4B5A-AA3D-1E8C63D6D768}" = lport=445 | protocol=6 | dir=in | app=system |
"{C1F1C4C8-FCD0-4991-8066-E6C2B980140F}" = lport=3540 | protocol=17 | dir=in | svc=pnrpsvc | app=%systemroot%\system32\svchost.exe |
"{DE26D1FA-6624-46F2-9B6F-7FB13863F51D}" = rport=3702 | protocol=17 | dir=out | app=%systemroot%\system32\p2phost.exe |
"{E173C5ED-B56D-48B1-95D8-C6556F0F160F}" = rport=137 | protocol=17 | dir=out | app=system |
"{EDFCB7C1-E8D1-4487-A5D2-3C0DDC0DCC69}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{F69B54FB-04D9-43D6-9953-0BF7357FFE73}" = rport=3540 | protocol=17 | dir=out | svc=pnrpsvc | app=%systemroot%\system32\svchost.exe |
"{FECF86B2-B608-4C95-83A8-D4ADCCEDA618}" = rport=3540 | protocol=17 | dir=out | svc=pnrpsvc | app=%systemroot%\system32\svchost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{038DDB65-01FC-416E-B6B1-09FC8385DAB8}" = protocol=17 | dir=in | app=c:\program files\lexmark 5600-6600 series\lxdufax.exe |
"{04FE85FE-693E-476B-B26C-960C2577F1A7}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{051779D6-D437-4831-8737-06E8F84C06C4}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{05345546-571F-477C-A475-FCE75E24F2D9}" = protocol=6 | dir=out | app=%systemroot%\system32\p2phost.exe |
"{08108BAD-46A4-4A28-9D55-059564D4D2A3}" = protocol=17 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |
"{15F50D75-BCCE-4650-9B25-1AB947CB5551}" = protocol=6 | dir=in | app=c:\windows\system32\lxducoms.exe |
"{16829F84-A53A-41B8-82CF-92CAC0B5ED3B}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{1AA63575-B37B-4ACA-9662-BA97AB46A42F}" = protocol=17 | dir=in | app=c:\program files\aol 9.1\waol.exe |
"{20A1FDD1-13B4-4786-8F84-F0CC86DD011F}" = protocol=17 | dir=in | app=c:\program files\common files\aol\1234042782\ee\aolsoftware.exe |
"{21F9CF88-A7A4-45C5-92B6-F60DA992C5B4}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{2886C9D7-BD50-4D2D-A48F-ABAB6272FF83}" = protocol=6 | dir=in | app=c:\program files\common files\aol\acs\aoldial.exe |
"{39B1B313-A138-4509-A295-F414F488ED0C}" = protocol=17 | dir=in | app=c:\program files\common files\aol\loader\aolload.exe |
"{3CEE5186-9180-4217-AAF2-98CB1CD0F1BC}" = protocol=6 | dir=in | app=c:\program files\common files\aol\system information\sinf.exe |
"{44B6AE1E-99A9-4261-98C8-35703B61B971}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{45B6ADC2-8FD7-481B-A623-E27BB3B97BD5}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{47EBFEAA-0B9A-4063-A0A9-43B443F3AE54}" = protocol=6 | dir=in | app=c:\program files\lexmark 5600-6600 series\lxdufax.exe |
"{47F3BA84-CB4B-4F53-9986-C457765C1A92}" = protocol=6 | dir=in | app=c:\program files\common files\aol\topspeed\3.0\aoltpsd3.exe |
"{5502B3D1-21BC-4CC6-BFE4-C904C5CC5D36}" = protocol=17 | dir=in | app=c:\program files\lexmark 5600-6600 series\lxduamon.exe |
"{579120B8-C3E5-49E9-B987-AAEB8CCDDA21}" = protocol=17 | dir=in | app=c:\program files\common files\aol\topspeed\3.0\aoltpsd3.exe |
"{6075BAAE-BE39-4887-957A-776EF911F2AD}" = protocol=6 | dir=out | app=%systemroot%\system32\p2phost.exe |
"{6142C6DC-ED09-452B-ADF2-6CAB84333FC2}" = protocol=6 | dir=in | app=%systemroot%\system32\p2phost.exe |
"{656396AB-3116-49B0-BBD3-63DC212239D7}" = protocol=17 | dir=in | app=c:\program files\common files\aol\acs\aoldial.exe |
"{75A9EF69-033C-4606-8874-C304FAF6BA8F}" = protocol=6 | dir=in | app=c:\program files\common files\aol\acs\aolacsd.exe |
"{7CA9846D-4FA6-467C-AF9E-FBFA5C463FDF}" = protocol=6 | dir=in | app=c:\program files\common files\aol\1234042782\ee\aolsoftware.exe |
"{80A077F0-D392-465E-B3D7-399AD22E7951}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{81B5E260-CF81-4B50-8062-D474050E23E1}" = protocol=17 | dir=in | app=c:\windows\system32\lxducoms.exe |
"{86D87A0E-D713-4C3E-AD93-9CAB4C36C991}" = protocol=6 | dir=in | app=c:\program files\aol 9.1\waol.exe |
"{89703AF6-A147-4F5B-B541-DFD95211340F}" = protocol=6 | dir=in | app=c:\program files\lexmark 5600-6600 series\lxduamon.exe |
"{96277DB9-79D6-444B-B7D1-37A732C418DF}" = protocol=6 | dir=in | app=c:\program files\abbyy finereader 6.0 sprint\scan\scanman6.exe |
"{9684AA99-51D5-4675-968D-7E0AE75EC7F0}" = protocol=17 | dir=in | app=c:\program files\common files\aol\system information\sinf.exe |
"{9EA63397-60A1-472A-9CED-80D344703556}" = protocol=17 | dir=in | app=c:\program files\common files\aol\acs\aolacsd.exe |
"{A1D0B9F8-20CE-4686-9A38-6FDAD8B70C8A}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{AC2D62BD-DF80-4656-A5B7-6BCB379989F1}" = protocol=6 | dir=in | app=c:\windows\system32\lxducoms.exe |
"{BC93473D-CA16-4E42-A7EB-0F355E48A2E6}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{C722D50F-3EF2-4F37-BF42-6F26E74B6A53}" = protocol=6 | dir=in | app=c:\program files\lexmark 5600-6600 series\frun.exe |
"{CA7EA9ED-5602-4A99-BCF0-1EC12437C73E}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{CF105387-23A9-401B-A374-0F3030B8683F}" = protocol=17 | dir=in | app=c:\program files\abbyy finereader 6.0 sprint\scan\scanman6.exe |
"{DAC00B2B-97CF-47BB-9CDD-3FFE1345AB87}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{DC386EFC-6F4E-4B4C-8DAE-6C59AA6E08D7}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{DD3018BF-4F63-42DA-B1C8-15869644CF71}" = protocol=6 | dir=in | app=c:\program files\common files\aol\loader\aolload.exe |
"{EB729E98-4723-4E52-84D7-F16AA40AC33C}" = protocol=6 | dir=in | app=%systemroot%\system32\p2phost.exe |
"{ECCAF9DB-58CB-471E-998A-75ECABB48AF9}" = protocol=17 | dir=in | app=c:\program files\lexmark 5600-6600 series\frun.exe |
"{EFE1DB28-9274-416C-9365-4BB24EACE3CE}" = protocol=17 | dir=in | app=c:\windows\system32\lxducoms.exe |
"{F3D865F0-1CD6-4052-A64D-02E02E416753}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{F52A1979-B4AE-45EF-AC15-405F305BFC57}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{FD4986AE-B689-4389-973E-511571011CF1}" = protocol=6 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |
"{FD4ADD30-AA71-4C2A-99B8-93BEC5340F2D}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"TCP Query User{08138EB3-C22A-4441-8AE3-EBD52A064CFF}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"TCP Query User{BE0F5B2F-29C6-4638-88C2-3810B56395E8}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"UDP Query User{6DBC1D4E-565E-4EB0-9B67-7D247E8B5071}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"UDP Query User{9CEFE32F-5A5C-4CA0-8215-15C96FFBDD42}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{007B37D9-0C45-4202-834B-DD5FAAE99D63}" = ArcSoft Print Creations - Slimline Card
"{008D69EB-70FF-46AB-9C75-924620DF191A}" = TOSHIBA Speech System SR Engine(U.S.) Version1.0
"{0840B4D6-7DD1-4187-8523-E6FC0007EFB7}" = Windows Live ID Sign-in Assistant
"{0CB9668D-F979-4F31-B8B8-67FE90F929F8}" = Bonjour
"{0D5D0BEE-FBA9-4928-A50D-6CDFAB827755}" = TOSHIBA ConfigFree
"{1017A80C-6F09-4548-A84D-EDD6AC9525F0}" = Lexmark Toolbar
"{10812DE7-2E57-4740-B226-6B3BE34AF9D7}" = Lexmark Tools for Office
"{12B3A009-A080-4619-9A2A-C6DB151D8D67}" = TOSHIBA Assist
"{13F2D4A5-E141-4BBF-898F-E36293348540}" = PC SpeedScan Pro
"{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}" = ESSPCD
"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
"{19991EAD-C273-47EB-87E8-0D274925230B}" = OEB Resource Driver
"{224821ED-CADA-4A8A-AC8D-3734CC0F0931}" = Amazon Links
"{24D753CA-6AE9-4E30-8F5F-EFC93E08BF3D}" = Skype™ 4.0
"{2883F6F5-0509-43F3-868C-D50330DD9DD3}" = TOSHIBA Hardware Setup
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{2D03B6F8-DF36-4980-B7B6-5B93D5BA3A8F}" = essvatgt
"{3FBF6F99-8EC6-41B4-8527-0A32241B5496}" = TOSHIBA Speech System TTS Engine(U.S.) Version1.0
"{415B2719-AD3A-4944-B404-C472DB6085B3}" = Cisco EAP-FAST Module
"{42938595-0D83-404D-9F73-F8177FDD531A}" = ESScore
"{44CDBD1B-89FB-4E02-8319-2A4C550F664A}" = RTC Client API v1.2
"{4537EA4B-F603-4181-89FB-2953FC695AB1}" = netbrdg
"{4571CC76-42C4-7D67-E024-0AEB166E1C6F}" = Acrobat.com
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4B1E87C3-00DE-4898-8E39-E390AAEF2391}" = TOSHIBA Supervisor Password
"{5316DFC9-CE99-4458-9AB3-E8726EDE0210}" = skin0001
"{56589DFE-0C29-4DFE-8E42-887B771ECD23}" = ArcSoft Print Creations - Photo Book
"{5DA0E02F-970B-424B-BF41-513A5018E4C0}" = TOSHIBA Disc Creator
"{5F81DD84-6A2F-11D4-903E-00E0293397B7}" = Bible Data Type System Files
"{5F81DD89-6A2F-11D4-903E-00E0293397B7}" = Common System Files
"{5F81DD92-6A2F-11D4-903E-00E0293397B7}" = Libronix Digital Library System
"{5F81DD97-6A2F-11D4-903E-00E0293397B7}" = Libronix DLS Application
"{5F81DD9B-6A2F-11D4-903E-00E0293397B7}" = LibronixUpdate
"{5F81DD9F-6A2F-11D4-903E-00E0293397B7}" = LLS Resource Driver
"{5F81DDA3-6A2F-11D4-903E-00E0293397B7}" = PDF Resource Driver
"{605A4E39-613C-4A12-B56F-DEFBE6757237}" = SHASTA
"{608D2A3C-6889-4C11-9B54-A42F45ACBFDB}" = fflink
"{612AD33D-9824-4E87-8396-92374E91C4BB}_is1" = Inbox Toolbar
"{617C36FD-0CBE-4600-84B2-441CEB12FADF}" = TOSHIBA Extended Tiles for Windows Mobility Center
"{643EAE81-920C-4931-9F0B-4B343B225CA6}" = ESSBrwr
"{669C7BD8-DAA2-49B6-966C-F1E2AAE6B17E}" = Cisco PEAP Module
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6C5F3BDC-0A1B-4436-A696-5939629D5C31}" = TOSHIBA DVD PLAYER
"{6C6F0968-2B86-42B4-AF34-46A5F06E8FA4}" = MySoftware Fonts
"{72CB5335-6D2A-4207-B811-6CB6C6925039}" = Batch Update
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7E265513-8CDA-4631-B696-F40D983F3B07}_is1" = CDBurnerXP
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-110542703}" = Word Whomp To Go
"{83770D14-21B9-44B3-8689-F7B523F94560}" = Cisco LEAP Module
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{85991ED2-010C-4930-96FA-52F43C2CE98A}" = Apple Mobile Device Support
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek 8169 8168 8101E 8102E Ethernet Driver
"{890EF3F8-742F-46BD-9E8E-084B3A1F4364}" = QuickBooks Financial Center
"{8943CE61-53BD-475E-90E1-A580869E98A2}" = staticcr
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A502E38-29C9-49FA-BCFA-D727CA062589}" = ESSTOOLS
"{8C3F7B7D-21A0-4C8E-A055-8B814CAF8482}" = Design & Print, Business Edition
"{8E92D746-CD9F-4B90-9668-42B74C14F765}" = ESSini
"{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}" = Choice Guard
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{91517631-A9F3-4B7C-B482-43E0068FD55A}" = ESSgui
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9591C049-5CAE-4E89-A8D9-191F1899628B}" = ArcSoft Print Creations - Funhouse
"{999D43F4-9709-4887-9B1A-83EBB15A8370}" = VPRINTOL
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9D44A1FA-ED59-47D4-B1C2-4E561D8BFEEB}" = Wal-Mart Digital Photo Manager
"{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}" = CD/DVD Drive Acoustic Silencer
"{A0EFB06D-0C7C-4A85-B1D3-65AF82536A7B}" = Sentence Diagramming
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A732B597-83FF-4E5B-BF49-B388653E822E}" = Spyware Striker
"{AC6569FA-6919-442A-8552-073BE69E247A}" = TOSHIBA Service Station
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1.3
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}" = ABBYY FineReader 6.0 Sprint
"{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}" = ESSCDBK
"{B0BCDCBD-863D-4CAB-BF68-8D1F6B1BDC13}" = Atheros Wi-Fi Protected Setup Library
"{B0D83FCD-9D42-43ED-8315-250326AADA02}" = ArcSoft Print Creations - Scrapbook
"{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}" = OfotoXMI
"{B1CF6225-211E-4B4C-B466-5F224E348FF3}_is1" = Inbox.com Weather
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B2D328BE-45AD-4D92-96F9-2151490A203E}" = Apple Application Support
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}" = CCScore
"{B5FDA445-CAC4-4BA6-A8FB-A7212BD439DE}" = Microsoft XML Parser
"{B65BBB06-1F8E-48F5-8A54-B024A9E15FDF}" = TOSHIBA Recovery Disc Creator
"{C1E11C46-E6EB-4BD2-9ADF-2A98ACBEB216}" = iTunes
"{C3A32068-8AB1-4327-BB16-BED9C6219DC7}" = Atheros Driver Installation Program
"{C53D16CC-E56F-47B8-906E-70AAF8EABB4F}" = Toshiba Registration
"{CA0AF735-4583-413E-897F-E91A237EE2E1}" = Libronix DLS Shortcuts
"{CA9ED5E4-1548-485B-A293-417840060158}" = ArcSoft Print Creations - Photo Calendar
"{CAE8A0F1-B498-4C23-95FA-55047E730C8F}" = ArcSoft Print Creations
"{CC351B44-5610-43C5-81E6-A2C760CB0A20}" = Graphical Query Editor
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CED3DF1E-01D1-45AD-BF33-64AE5E8843B8}" = SpyHunter
"{D2C5E510-BE6D-42CC-9F61-E4F939078474}" = Lexmark Printable Web
"{D32470A1-B10C-4059-BA53-CF0486F68EBC}" = Kodak EasyShare software
"{DB02F716-6275-42E9-B8D2-83BA2BF5100B}" = SFR
"{DC24971E-1946-445D-8A82-CE685433FA7D}" = Realtek USB 2.0 Card Reader
"{E1E56B8A-1AAF-422A-91DB-625059FB9863}" = TOSHIBA Desktop Links
"{E2883E8F-472F-4fb0-9522-AC9BF37916A7}" = Adobe Download Manager
"{E33E9496-820B-4BAF-86B2-8E6E484F7675}" = Cribbage 2D
"{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}" = Windows Media Encoder 9 Series
"{E50AE784-FABE-46DA-A1F8-7B6B56DCB22E}" = Microsoft Office Suite Activation Assistant
"{E62A1F01-07B7-4541-A835-EE5B0BF064C2}" = Microsoft Antimalware
"{E6B4117F-AC59-4B13-9274-EB136E8897EE}" = ArcSoft Print Creations - Album Page
"{EE033C1F-443E-41EC-A0E2-559B539A4E4D}" = TOSHIBA Speech System Applications
"{EF98A02A-1748-4762-9B7D-5ED1600520D5}" = Microsoft Security Essentials
"{F04F9557-81A9-4293-BC49-2C216FA325A7}" = ArcSoft Print Creations - Greeting Card
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F40BBEC7-C2A4-4A00-9B24-7A055A2C5262}" = Microsoft Office Live Add-in 1.5
"{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}" = SKINXSDK
"{F5346614-B7C4-4E94-826A-E2363155233D}" = EasyCleaner
"{F9593CFB-D836-49BC-BFF1-0E669A411D9F}" = WIRELESS
"{FA54AFB1-5745-4389-B8C1-9F7509672ED1}" = iPhone Configuration Utility
"{FCDB1C92-03C6-4C76-8625-371224256091}" = ESSPDock
"{FE0646A7-19D0-41B4-A2BB-2C35D644270D}" = Windows Live OneCare safety scanner
"{FEDD27A0-B306-45EF-BF58-B527406B42C8}" = TOSHIBA Value Added Package
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Arora" = Arora 0.10.0
"Bejeweled Blitz" = Bejeweled Blitz
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"CToolbar_UNINSTALL" = Inbox.com Toolbar
"EASEUS Todo Backup 1.1_is1" = EASEUS Todo Backup 1.1
"HDMI" = Intel® Graphics Media Accelerator Driver
"HijackThis" = HijackThis 2.0.2
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"InstallShield_{617C36FD-0CBE-4600-84B2-441CEB12FADF}" = TOSHIBA Extended Tiles for Windows Mobility Center
"InstallShield_{FEDD27A0-B306-45EF-BF58-B527406B42C8}" = TOSHIBA Value Added Package
"Lexmark 5600-6600 Series" = Lexmark 5600-6600 Series
"Libronix DLS" = Libronix Digital Library System
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft Security Essentials" = Microsoft Security Essentials
"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"The Weather Channel Desktop 6" = The Weather Channel Desktop 6
"TOSHIBA Software Modem" = TOSHIBA Software Modem
"Trivia Machine" = Trivia Machine (remove only)
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"Windows Media Encoder 9" = Windows Media Encoder 9 Series

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-3023599555-3989719847-863854613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Yahoo! BrowserPlus" = Yahoo! BrowserPlus 2.9.8

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 9/2/2010 7:12:42 PM | Computer Name = Mary-PC | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 6.0.6001.18000, time stamp
0x47918b89, faulting module ntdll.dll, version 6.0.6002.18005, time stamp 0x49e03821,
exception code 0xc000071b, fault offset 0x000888f5, process id 0x7b4, application
start time 0x01cb4ae0c19859e0.

Error - 9/2/2010 7:14:32 PM | Computer Name = Mary-PC | Source = WinMgmt | ID = 10
Description =

Error - 9/2/2010 7:50:35 PM | Computer Name = Mary-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 9/2/2010 7:50:35 PM | Computer Name = Mary-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 9/2/2010 7:50:37 PM | Computer Name = Mary-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 9/3/2010 5:50:57 AM | Computer Name = Mary-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 9/3/2010 5:50:57 AM | Computer Name = Mary-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 9/3/2010 5:50:57 AM | Computer Name = Mary-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 9/3/2010 5:51:04 AM | Computer Name = Mary-PC | Source = SPP | ID = 16387
Description =

Error - 9/3/2010 5:51:04 AM | Computer Name = Mary-PC | Source = System Restore | ID = 8193
Description =

[ DFS Replication Events ]
Error - 6/16/2010 4:01:24 AM | Computer Name = Mary-PC | Source = DFSR | ID = 6104
Description = The DFS Replication service failed to register the WMI providers.
Replication is disabled until the problem is resolved. Additional Information: Error:
2147943453 (The service did not respond to the start or control request in a timely
fashion.)

Error - 6/17/2010 10:27:59 PM | Computer Name = Mary-PC | Source = DFSR | ID = 6104
Description = The DFS Replication service failed to register the WMI providers.
Replication is disabled until the problem is resolved. Additional Information: Error:
2147943453 (The service did not respond to the start or control request in a timely
fashion.)

Error - 6/18/2010 12:59:36 AM | Computer Name = Mary-PC | Source = DFSR | ID = 6104
Description = The DFS Replication service failed to register the WMI providers.
Replication is disabled until the problem is resolved. Additional Information: Error:
2147943453 (The service did not respond to the start or control request in a timely
fashion.)

Error - 6/18/2010 4:56:38 AM | Computer Name = Mary-PC | Source = DFSR | ID = 6104
Description = The DFS Replication service failed to register the WMI providers.
Replication is disabled until the problem is resolved. Additional Information: Error:
2147943453 (The service did not respond to the start or control request in a timely
fashion.)

[ System Events ]
Error - 9/2/2010 4:07:33 PM | Computer Name = Mary-PC | Source = Print | ID = 19
Description = The print spooler failed to share printer Send To OneNote 2007 with
shared resource name Send To OneNote 2007. Error 2114. The printer cannot be used
by others on the network.

Error - 9/2/2010 4:07:34 PM | Computer Name = Mary-PC | Source = Print | ID = 19
Description = The print spooler failed to share printer Organizer PDF Creator with
shared resource name Organizer PDF Creator. Error 2114. The printer cannot be used
by others on the network.

Error - 9/2/2010 4:07:34 PM | Computer Name = Mary-PC | Source = Print | ID = 19
Description = The print spooler failed to share printer Lexmark 5600-6600 Series
(USB) with shared resource name Lexmark 5600-6600 Series (USB). Error 2114. The
printer cannot be used by others on the network.

Error - 9/2/2010 4:07:34 PM | Computer Name = Mary-PC | Source = Print | ID = 19
Description = The print spooler failed to share printer Fax Lexmark 5600-6600 Series
with shared resource name Fax Lexmark 5600-6600 Series. Error 2114. The printer
cannot be used by others on the network.

Error - 9/2/2010 4:31:51 PM | Computer Name = Mary-PC | Source = Service Control Manager | ID = 7032
Description =

Error - 9/2/2010 4:31:52 PM | Computer Name = Mary-PC | Source = Service Control Manager | ID = 7032
Description =

Error - 9/2/2010 4:53:39 PM | Computer Name = Mary-PC | Source = Service Control Manager | ID = 7032
Description =

Error - 9/2/2010 4:56:39 PM | Computer Name = Mary-PC | Source = Service Control Manager | ID = 7032
Description =

Error - 9/2/2010 7:06:15 PM | Computer Name = Mary-PC | Source = DCOM | ID = 10010
Description =

Error - 9/2/2010 7:16:09 PM | Computer Name = Mary-PC | Source = Service Control Manager | ID = 7032
Description =


< End of report >

Edited by Blade Zephon, 04 September 2010 - 10:21 PM.
Posted log in reply to facilitate analysis. Please do not attach logs unless the board software will not let you post them directly. Thanks!


#4 Blade

  • Site Admin
  • 12,704 posts
  • Location:US

Posted 04 September 2010 - 10:22 PM

Hello.

Download Combofix from any of the links below but rename it to renamed.exe before saving it to your desktop.


Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.
  • Double click on renamed.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


~Blade


In your next reply, please include the following:
ComboFix log

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM


#5 joecool111

  • Topic Starter
  • Members
  • 19 posts

Posted 05 September 2010 - 03:17 AM

ComboFix 10-09-04.05 - Mary 09/05/2010 3:17.1.1 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1915.1149 [GMT -4:00]
Running from: c:\users\Mary\Desktop\renemed.exe
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Dealio Toolbar
c:\program files\Dealio Toolbar\Res\amazon.gif
c:\program files\Dealio Toolbar\Res\apple.gif
c:\program files\Dealio Toolbar\Res\barnes.gif
c:\program files\Dealio Toolbar\Res\bestbuy.gif
c:\program files\Dealio Toolbar\Res\dealio_logo.gif
c:\program files\Dealio Toolbar\Res\dealio_logo_hover.gif
c:\program files\Dealio Toolbar\Res\ebay.gif
c:\program files\Dealio Toolbar\Res\icon_settings.gif
c:\program files\Dealio Toolbar\Res\macys.gif
c:\program files\Dealio Toolbar\Res\newegg.gif
c:\program files\Dealio Toolbar\Res\overstock.gif
c:\program files\Dealio Toolbar\Res\search-button-hover.gif
c:\program files\Dealio Toolbar\Res\search-button.gif
c:\program files\Dealio Toolbar\Res\search-chevron-hover.gif
c:\program files\Dealio Toolbar\Res\search-chevron.gif
c:\program files\Dealio Toolbar\Res\search_amazon.gif
c:\program files\Dealio Toolbar\Res\search_dealio.gif
c:\program files\Dealio Toolbar\Res\search_ebay.gif
c:\program files\Dealio Toolbar\Res\search_yahoo.gif
c:\program files\Dealio Toolbar\Res\separator.gif
c:\program files\Dealio Toolbar\Res\target.gif
c:\program files\Dealio Toolbar\Res\walmart.gif
c:\program files\Dealio Toolbar\Res\widgets.xml
c:\program files\webserver
c:\programdata\.wtav
c:\windows\system32\%appdata%

.
((((((((((((((((((((((((( Files Created from 2010-08-05 to 2010-09-05 )))))))))))))))))))))))))))))))
.

2010-09-05 07:26 . 2010-09-05 07:48 -------- d-----w- c:\users\Mary\AppData\Local\temp
2010-09-05 07:26 . 2010-09-05 07:26 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-09-02 19:57 . 2009-12-02 16:21 21896 ----a-w- c:\windows\system32\drivers\eufs.sys
2010-09-02 19:57 . 2009-12-02 16:20 15240 ----a-w- c:\windows\system32\drivers\eudskacs.sys
2010-09-02 19:57 . 2009-12-02 16:20 27016 ----a-w- c:\windows\system32\drivers\eubakup.sys
2010-09-02 19:57 . 2009-12-02 16:20 123784 ----a-w- c:\windows\system32\drivers\EuDisk.sys
2010-09-02 19:57 . 2010-09-02 19:57 -------- d-----w- c:\program files\EASEUS
2010-08-27 01:22 . 2010-09-03 13:07 -------- d-----w- c:\users\Mary\AppData\Local\Arora
2010-08-27 01:22 . 2010-08-27 01:22 -------- d-----w- c:\program files\Arora
2010-08-27 01:17 . 2010-08-27 01:17 -------- d-----w- c:\users\Mary\AppData\Roaming\Canneverbe Limited
2010-08-27 01:17 . 2010-08-27 01:17 -------- d-----w- c:\programdata\Canneverbe Limited
2010-08-27 01:17 . 2009-11-12 18:48 7168 ----a-w- c:\windows\system32\drivers\StarOpen.sys
2010-08-27 01:17 . 2010-08-27 01:17 -------- d-----w- c:\program files\CDBurnerXP
2010-08-27 01:13 . 2010-08-27 01:13 -------- d-----w- c:\users\Mary\AppData\Local\Yahoo!
2010-08-27 00:38 . 2010-08-27 00:38 -------- d-----w- c:\program files\Trend Micro
2010-08-25 00:41 . 2010-08-25 00:41 110080 ----a-r- c:\users\Mary\AppData\Roaming\Microsoft\Installer\{CED3DF1E-01D1-45AD-BF33-64AE5E8843B8}\IconF7A21AF7.exe
2010-08-25 00:41 . 2010-08-25 00:41 110080 ----a-r- c:\users\Mary\AppData\Roaming\Microsoft\Installer\{CED3DF1E-01D1-45AD-BF33-64AE5E8843B8}\IconD7F16134.exe
2010-08-25 00:41 . 2010-08-25 00:41 -------- d-----w- C:\sh4ldr
2010-08-25 00:41 . 2010-08-25 00:41 -------- d-----w- c:\program files\Enigma Software Group
2010-08-25 00:40 . 2010-08-25 00:41 -------- d-----w- c:\windows\CED3DF1E01D145ADBF3364AE5E8843B8.TMP
2010-08-25 00:40 . 2010-08-25 00:40 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-08-24 20:53 . 2010-08-24 20:55 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-08-24 06:49 . 2010-08-24 06:49 -------- d-----w- c:\windows\Sun
2010-08-21 13:57 . 2010-08-21 13:57 1930752 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{1D18778D-8543-86F4-6CF5-9C9BD52AE138}-antivirusGT.exe
2010-08-16 12:28 . 2010-07-23 21:22 1496064 ----a-w- c:\users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\nrftk4gi.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-08-16 12:28 . 2010-07-23 21:22 43008 ----a-w- c:\users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\nrftk4gi.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-08-16 12:28 . 2010-07-23 21:22 338944 ----a-w- c:\users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\nrftk4gi.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-08-16 12:28 . 2010-07-23 21:22 346112 ----a-w- c:\users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\nrftk4gi.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-08-16 12:26 . 2010-04-20 14:22 161104 ----a-w- c:\users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\nrftk4gi.default\extensions\{7affbfae-c4e2-4915-8c0f-00fa3ec610a1}\components\MailUtil.dll
2010-08-16 12:20 . 2010-09-02 20:25 -------- d-----w- c:\program files\Google
2010-08-12 10:44 . 2010-06-11 16:15 1248768 ----a-w- c:\windows\system32\msxml3.dll
2010-08-12 10:44 . 2010-06-18 15:04 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-12 10:44 . 2010-06-18 15:04 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-08-12 10:44 . 2010-06-16 16:04 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-05 06:14 . 2009-03-01 13:04 -------- d-----w- c:\users\Mary\AppData\Roaming\Skype
2010-09-05 06:14 . 2009-03-01 13:11 -------- d-----w- c:\users\Mary\AppData\Roaming\skypePM
2010-09-05 06:12 . 2009-12-20 14:45 720 ----a-w- c:\programdata\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2010-09-02 20:06 . 2009-05-28 08:46 -------- d-----w- c:\program files\Inbox
2010-08-27 06:57 . 2009-02-10 01:35 1356 ----a-w- c:\users\Mary\AppData\Local\d3d9caps.dat
2010-08-24 21:00 . 2009-05-21 15:29 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-08-24 16:59 . 2009-05-21 04:56 -------- d-----w- c:\program files\Windows Live Safety Center
2010-08-21 15:54 . 2008-11-26 01:48 -------- d-----w- c:\programdata\Microsoft Help
2010-08-12 13:03 . 2008-11-26 01:46 -------- d-----w- c:\program files\Microsoft Works
2010-08-12 12:59 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-07-22 15:34 . 2010-07-22 15:33 -------- d-----w- c:\program files\iTunes
2010-07-22 15:33 . 2010-07-22 15:33 -------- d-----w- c:\program files\iPod
2010-07-22 15:33 . 2009-09-11 15:50 -------- d-----w- c:\program files\Common Files\Apple
2010-07-22 15:33 . 2009-03-17 02:09 -------- d-----w- c:\programdata\Apple Computer
2010-07-22 15:28 . 2010-07-22 15:28 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.2.1.4\SetupAdmin.exe
2010-07-14 16:38 . 2010-07-14 16:37 -------- d-----w- c:\programdata\PopCap Games
2010-07-14 16:37 . 2010-07-14 16:37 -------- d-----w- c:\program files\PopCap Games
2010-06-26 06:05 . 2010-08-12 10:45 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-26 06:02 . 2010-08-12 10:45 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-06-26 06:02 . 2010-08-12 10:45 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-06-26 04:25 . 2010-08-12 10:45 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-06-21 13:37 . 2010-08-12 10:45 2037760 ----a-w- c:\windows\system32\win32k.sys
2010-06-18 23:10 . 2010-06-18 22:56 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-18 22:56 . 2010-06-18 22:56 0 ----a-w- c:\windows\system32\REN52B9.tmp
2010-06-18 22:56 . 2010-06-18 22:56 0 ----a-w- c:\windows\system32\REN52B8.tmp
2010-06-18 22:56 . 2010-06-18 22:56 0 ----a-w- c:\windows\system32\REN52A7.tmp
2010-06-18 17:31 . 2010-08-12 10:45 36864 ----a-w- c:\windows\system32\rtutils.dll
2010-06-11 16:16 . 2010-08-12 10:45 274944 ----a-w- c:\windows\system32\schannel.dll
2010-06-08 17:35 . 2010-08-12 10:45 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-06-08 17:35 . 2010-08-12 10:45 3600768 ----a-w- c:\windows\system32\ntkrnlpa.exe
2008-12-28 19:51 . 2008-12-28 19:51 13 --sh--r- c:\windows\System32\drivers\fbd.sys
2008-12-28 19:51 . 2008-12-28 19:51 4 --sh--r- c:\windows\System32\drivers\taishop.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150596.exe" [2009-04-29 468408]

c:\users\Mary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote Table Of Contents.onetoc2 [2009-6-17 3656]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Newsflash.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Newsflash.lnk
backup=c:\windows\pss\Newsflash.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Mary^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^AVG Free Tray Icon.lnk]
path=c:\users\Mary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AVG Free Tray Icon.lnk
backup=c:\windows\pss\AVG Free Tray Icon.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Mary^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\Mary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanzarP2006
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Search Protection
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiteRanker
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpywareTerminator
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 21:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
2010-03-18 15:19 207360 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CrawlerMail]
2009-06-08 18:43 1395200 ----a-w- c:\progra~1\Inbox\CMail.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW6]
2010-04-16 15:25 818288 ----a-w- c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-07-16 11:41 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 5600-6600 Series Fax Server]
2008-09-10 11:10 311976 ----a-w- c:\program files\Lexmark 5600-6600 Series\fm3032.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-04-29 19:39 1090952 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSSE]
2010-06-01 18:53 1093208 ----a-w- c:\program files\Microsoft Security Essentials\msseces.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Performance Center]
2009-01-23 14:44 3231744 ----a-w- c:\program files\Ascentive\Performance Center\ApcMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RunWeather]
2009-06-25 13:36 814592 ----a-w- c:\progra~1\Inbox\Weather\CWeather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-04-16 17:36 24264488 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skytel]
2007-11-21 02:15 1826816 ----a-w- c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-21 02:35 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):83,09,87,74,83,58,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3023599555-3989719847-863854613-1000]
"EnableNotificationsRef"=dword:00000001

R3 EUDSKACS;EUDSKACS;c:\windows\system32\drivers\eudskacs.sys [2009-12-02 15240]
R3 IO_Memory;IO_Memory;c:\windows\SYSTEM32\SYSPREP\Drivers\ioport.sys [2006-06-11 4170]
R3 iscFlash;iscFlash;c:\users\Mary\AppData\Local\Temp\7zSB6EF.tmp\iscflash.sys [x]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-03-26 42368]
R3 SVRPEDRV;SVRPEDRV;c:\windows\System32\sysprep\PEDrv.sys [2008-01-18 9216]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2008-04-17 40960]
R4 lxdu_device;lxdu_device;c:\windows\system32\lxducoms.exe [2009-10-16 589824]
R4 lxduCATSCustConnectService;lxduCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxduserv.exe [2009-10-16 94208]
R4 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
R4 TMachInfo;TMachInfo;c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2008-08-04 46392]
R4 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2007-12-04 126976]
S0 EUBAKUP;EUBAKUP;c:\windows\system32\drivers\eubakup.sys [2009-12-02 27016]
S0 EUFS;EUFS;c:\windows\system32\drivers\eufs.sys [2009-12-02 21896]
S1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\dddsk.sys [2009-02-12 22312]
S1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\DRIVERS\jswpslwf.sys [2008-04-29 20384]
S2 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\Jumpstart\jswpsapi.exe [2008-04-16 954368]
S3 EuDisk;EASEUS Disk Enumerator;c:\windows\system32\DRIVERS\EuDisk.sys [2009-12-02 123784]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-08-27 c:\windows\Tasks\User_Feed_Synchronization-{7740C5BF-A858-4EC9-B4C4-CBDAE476D2DB}.job
- c:\windows\system32\msfeedssync.exe [2010-08-12 04:24]
.
.
------- Supplementary Scan -------
.
IE: {{B1CF6225-211E-4B4C-B466-5F224E348FF3} - c:\program files\Inbox\Weather\CWeather.exe
FF - ProfilePath - c:\users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\nrftk4gi.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tb50-ff-green-chromesbox-en-us&query=
FF - prefs.js: browser.search.selectedEngine - MyWebSearch
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZZ&fl=0&ptb=XRw1DJpIxGWswU6NgKSEOw&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor=
FF - component: c:\users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\nrftk4gi.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: protocol-handler.warn-external.dnUpdate - false.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
WebBrowser-{F6B40D73-1671-4A2F-BD6F-B1DD69E0F9A0} - (no file)
WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - (no file)
MSConfigStartUp-PC SpeedScan Pro - c:\program files\Ascentive\PC SpeedScan Pro\PCSpeedScan.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-05 03:48
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86681ACE]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x87911d24
\Driver\ACPI -> acpi.sys @ 0x8069fd68
\Driver\atapi -> ataport.SYS @ 0x824dea2c
\Driver\iaStor -> iaStor.sys @ 0x8243f78c
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3023599555-3989719847-863854613-1000\¬ î**]
@Allowed: (Read) (RestrictedCode)
"MachineID"=hex:8e,95,36,69,b4,ac,09,00
DUMPHIVE0.003 (REGF)

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\windows\system32\WLANExt.exe
c:\windows\system32\dllhost.exe
c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
c:\windows\System32\msdtc.exe
c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
c:\windows\system32\locator.exe
c:\windows\System32\snmptrap.exe
c:\windows\system32\UI0Detect.exe
c:\windows\System32\vds.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\wbem\WmiApSrv.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\iashost.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
.
**************************************************************************
.
Completion time: 2010-09-05 03:54:33 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-05 07:54

Pre-Run: 95,601,750,016 bytes free
Post-Run: 95,669,379,072 bytes free

- - End Of File - - 75B47FDD0C73919B35687ED56514C89A


Dealeo toolbar, huh? And some unknown one? Anyway, I had to burn this ComboFix log to a CD and take it to another computer to be able to send it. When I tried to start any of the many browsers on Mary's system it said 'Illegal operation on a registry entry marked for deletion', or something very very close to that. Be assured that I am going to tell her about those internet games. And for my own sanity, when we get this one clean I am making myself a backup. Soooo, how does someone learn to do what you'se guys do?

#6 joecool111 (Topic Starter)

Posted 05 September 2010 - 03:19 AM

Oh, BTW ComboFix didn't give me any of those windows, it just started running immediately as soon as I clicked it...

#7 Blade (Site Admin)

Posted 07 September 2010 - 09:04 AM

Hello.

QUOTE
When I tried to start any of the many browsers on Mary's system it said 'Illegal operation on a registry entry marked for deletion', or something very very close to that.

Rebooting the computer again should resolve that issue.

***************************************************

QUOTE
Soooo, how does someone learn to do what you'se guys do?

Remind me to come back to this when we're finished. I'd love to give you some more info on this but want to focus on cleaning the machine up first :)

***************************************************

1. Open notepad and copy/paste the text in the codebox below into it:

CODE
Firefox::
FF - ProfilePath - c:\users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\nrftk4gi.default\
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: keyword.URL -


Save this as CFScript.txt, in the same location as renamed.exe

2. Close any open browsers.

3. VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

~Blade

In your next reply, please include the following:
ComboFix Log
How is the computer running now?

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
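As an added check alongside the CFScript step above (this is not part of the thread, of ComboFix, or of Blade's instructions): a small Python script that reads a Firefox prefs.js, flags the search and start-page prefs that point somewhere the user did not choose, and prints them in the same Firefox:: layout the script above uses. The sample prefs.js is constructed from the entries shown in the log; the allow-lists of expected hosts and search engines are assumptions to adapt to the machine being cleaned, and a pref outside them is a review item, not a verdict.

```python
"""Flag hijacked Firefox search/start-page prefs in a prefs.js file.

Added example, not code from the BleepingComputer thread or from ComboFix.
The sample prefs.js below is constructed to mirror the entries in the log
(MyWebSearch search engine, keyword.URL redirector, AOL defaulturl, Yahoo
homepage). ALLOWED_HOSTS and KNOWN_ENGINES are assumptions for illustration.
"""
import re
from urllib.parse import urlparse

# prefs.js entries look like:  user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+)\);\s*$')

# URL-valued prefs that browser hijackers rewrite (names as seen in the log).
WATCHED_URL_PREFS = ("browser.search.defaulturl",
                     "browser.startup.homepage",
                     "keyword.URL")
ENGINE_PREF = "browser.search.selectedEngine"

# Assumed: hosts/engines the user could plausibly have picked on purpose.
ALLOWED_HOSTS = {"www.google.com", "www.bing.com",
                 "www.yahoo.com", "search.yahoo.com", "search.aol.com"}
KNOWN_ENGINES = {"Google", "Yahoo", "Bing"}


def parse_prefs(text):
    """Return {pref_name: value} with string values unquoted, others raw."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1]
        prefs[name] = raw
    return prefs


def find_hijacked(prefs):
    """Return {pref_name: reason} for watched prefs that look hijacked."""
    flagged = {}
    for name in WATCHED_URL_PREFS:
        value = prefs.get(name)
        if value is None:
            continue
        host = (urlparse(value).hostname or "").lower()
        if host not in ALLOWED_HOSTS:
            flagged[name] = f"points at {host or value!r}"
    engine = prefs.get(ENGINE_PREF)
    if engine is not None and engine not in KNOWN_ENGINES:
        flagged[ENGINE_PREF] = f"selected engine {engine!r} is not a known one"
    return flagged


def cfscript(profile_path, pref_names):
    """Emit the prefs in the Firefox:: layout used in the CFScript above."""
    lines = ["Firefox::", f"FF - ProfilePath - {profile_path}"]
    lines += [f"FF - prefs.js: {name} - " for name in sorted(pref_names)]
    return "\n".join(lines) + "\n"


# Constructed sample, built from the pref values that appear in the log.
SAMPLE_PREFS_JS = '''user_pref("browser.search.defaulturl", "http://search.aol.com/aolcom/search?invocationType=tb50-ff-green-chromesbox-en-us&query=");
user_pref("browser.search.selectedEngine", "MyWebSearch");
user_pref("browser.startup.homepage", "http://www.yahoo.com/");
user_pref("keyword.URL", "http://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZZ&fl=0&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor=");
user_pref("browser.search.update", false);
'''
SAMPLE_PROFILE = "c:\\users\\Mary\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\nrftk4gi.default\\"

if __name__ == "__main__":
    hits = find_hijacked(parse_prefs(SAMPLE_PREFS_JS))
    for name, why in hits.items():
        print(f"{name}: {why}")
    print(cfscript(SAMPLE_PROFILE, hits))
```

Run it with Firefox closed: Firefox rewrites prefs.js from memory on exit, so a pref you read (or clear) while the browser is open can be put straight back, which is also why the instructions above say to close all browsers first. On the constructed sample the two prefs it flags are keyword.URL and browser.search.selectedEngine, the same two the CFScript above clears.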


#8 joecool111 (Topic Starter)

Posted 08 September 2010 - 11:25 AM

ComboFix 10-09-04.05 - Mary 09/08/2010 11:59:47.3.1 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1915.1108 [GMT -4:00]
Running from: c:\users\Mary\Desktop\renemed.exe
Command switches used :: c:\users\Mary\Desktop\CFScript.txt
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-08-08 to 2010-09-08 )))))))))))))))))))))))))))))))
.

2010-09-08 16:08 . 2010-09-08 16:08 -------- d-----w- c:\users\Mary\AppData\Local\temp
2010-09-08 16:08 . 2010-09-08 16:08 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-09-08 16:08 . 2010-09-08 16:08 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-09-02 19:57 . 2009-12-02 16:21 21896 ----a-w- c:\windows\system32\drivers\eufs.sys
2010-09-02 19:57 . 2009-12-02 16:20 15240 ----a-w- c:\windows\system32\drivers\eudskacs.sys
2010-09-02 19:57 . 2009-12-02 16:20 27016 ----a-w- c:\windows\system32\drivers\eubakup.sys
2010-09-02 19:57 . 2009-12-02 16:20 123784 ----a-w- c:\windows\system32\drivers\EuDisk.sys
2010-09-02 19:57 . 2010-09-02 19:57 -------- d-----w- c:\program files\EASEUS
2010-08-27 01:22 . 2010-09-08 13:21 -------- d-----w- c:\users\Mary\AppData\Local\Arora
2010-08-27 01:22 . 2010-08-27 01:22 -------- d-----w- c:\program files\Arora
2010-08-27 01:17 . 2010-08-27 01:17 -------- d-----w- c:\users\Mary\AppData\Roaming\Canneverbe Limited
2010-08-27 01:17 . 2010-08-27 01:17 -------- d-----w- c:\programdata\Canneverbe Limited
2010-08-27 01:17 . 2009-11-12 18:48 7168 ----a-w- c:\windows\system32\drivers\StarOpen.sys
2010-08-27 01:17 . 2010-08-27 01:17 -------- d-----w- c:\program files\CDBurnerXP
2010-08-27 01:13 . 2010-08-27 01:13 -------- d-----w- c:\users\Mary\AppData\Local\Yahoo!
2010-08-27 00:38 . 2010-08-27 00:38 -------- d-----w- c:\program files\Trend Micro
2010-08-25 00:41 . 2010-08-25 00:41 110080 ----a-r- c:\users\Mary\AppData\Roaming\Microsoft\Installer\{CED3DF1E-01D1-45AD-BF33-64AE5E8843B8}\IconF7A21AF7.exe
2010-08-25 00:41 . 2010-08-25 00:41 110080 ----a-r- c:\users\Mary\AppData\Roaming\Microsoft\Installer\{CED3DF1E-01D1-45AD-BF33-64AE5E8843B8}\IconD7F16134.exe
2010-08-25 00:41 . 2010-08-25 00:41 -------- d-----w- C:\sh4ldr
2010-08-25 00:41 . 2010-08-25 00:41 -------- d-----w- c:\program files\Enigma Software Group
2010-08-25 00:40 . 2010-08-25 00:41 -------- d-----w- c:\windows\CED3DF1E01D145ADBF3364AE5E8843B8.TMP
2010-08-25 00:40 . 2010-08-25 00:40 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-08-24 20:53 . 2010-08-24 20:55 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-08-24 06:49 . 2010-08-24 06:49 -------- d-----w- c:\windows\Sun
2010-08-21 13:57 . 2010-08-21 13:57 1930752 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{1D18778D-8543-86F4-6CF5-9C9BD52AE138}-antivirusGT.exe
2010-08-16 12:28 . 2010-07-23 21:22 1496064 ----a-w- c:\users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\nrftk4gi.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-08-16 12:28 . 2010-07-23 21:22 43008 ----a-w- c:\users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\nrftk4gi.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-08-16 12:28 . 2010-07-23 21:22 338944 ----a-w- c:\users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\nrftk4gi.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-08-16 12:28 . 2010-07-23 21:22 346112 ----a-w- c:\users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\nrftk4gi.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-08-16 12:26 . 2010-04-20 14:22 161104 ----a-w- c:\users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\nrftk4gi.default\extensions\{7affbfae-c4e2-4915-8c0f-00fa3ec610a1}\components\MailUtil.dll
2010-08-16 12:20 . 2010-09-02 20:25 -------- d-----w- c:\program files\Google
2010-08-12 10:44 . 2010-06-11 16:15 1248768 ----a-w- c:\windows\system32\msxml3.dll
2010-08-12 10:44 . 2010-06-18 15:04 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-12 10:44 . 2010-06-18 15:04 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-08-12 10:44 . 2010-06-16 16:04 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-05 06:14 . 2009-03-01 13:04 -------- d-----w- c:\users\Mary\AppData\Roaming\Skype
2010-09-05 06:14 . 2009-03-01 13:11 -------- d-----w- c:\users\Mary\AppData\Roaming\skypePM
2010-09-05 06:12 . 2009-12-20 14:45 720 ----a-w- c:\programdata\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2010-09-02 20:06 . 2009-05-28 08:46 -------- d-----w- c:\program files\Inbox
2010-08-27 06:57 . 2009-02-10 01:35 1356 ----a-w- c:\users\Mary\AppData\Local\d3d9caps.dat
2010-08-24 21:00 . 2009-05-21 15:29 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-08-24 16:59 . 2009-05-21 04:56 -------- d-----w- c:\program files\Windows Live Safety Center
2010-08-21 15:54 . 2008-11-26 01:48 -------- d-----w- c:\programdata\Microsoft Help
2010-08-12 13:03 . 2008-11-26 01:46 -------- d-----w- c:\program files\Microsoft Works
2010-08-12 12:59 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-07-22 15:34 . 2010-07-22 15:33 -------- d-----w- c:\program files\iTunes
2010-07-22 15:33 . 2010-07-22 15:33 -------- d-----w- c:\program files\iPod
2010-07-22 15:33 . 2009-09-11 15:50 -------- d-----w- c:\program files\Common Files\Apple
2010-07-22 15:33 . 2009-03-17 02:09 -------- d-----w- c:\programdata\Apple Computer
2010-07-22 15:28 . 2010-07-22 15:28 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.2.1.4\SetupAdmin.exe
2010-07-14 16:38 . 2010-07-14 16:37 -------- d-----w- c:\programdata\PopCap Games
2010-07-14 16:37 . 2010-07-14 16:37 -------- d-----w- c:\program files\PopCap Games
2010-06-26 06:05 . 2010-08-12 10:45 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-26 06:02 . 2010-08-12 10:45 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-06-26 06:02 . 2010-08-12 10:45 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-06-26 04:25 . 2010-08-12 10:45 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-06-21 13:37 . 2010-08-12 10:45 2037760 ----a-w- c:\windows\system32\win32k.sys
2010-06-18 23:10 . 2010-06-18 22:56 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-18 22:56 . 2010-06-18 22:56 0 ----a-w- c:\windows\system32\REN52B9.tmp
2010-06-18 22:56 . 2010-06-18 22:56 0 ----a-w- c:\windows\system32\REN52B8.tmp
2010-06-18 22:56 . 2010-06-18 22:56 0 ----a-w- c:\windows\system32\REN52A7.tmp
2010-06-18 17:31 . 2010-08-12 10:45 36864 ----a-w- c:\windows\system32\rtutils.dll
2010-06-11 16:16 . 2010-08-12 10:45 274944 ----a-w- c:\windows\system32\schannel.dll
2008-12-28 19:51 . 2008-12-28 19:51 13 --sh--r- c:\windows\System32\drivers\fbd.sys
2008-12-28 19:51 . 2008-12-28 19:51 4 --sh--r- c:\windows\System32\drivers\taishop.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150596.exe" [2009-04-29 468408]

c:\users\Mary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote Table Of Contents.onetoc2 [2009-6-17 3656]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Newsflash.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Newsflash.lnk
backup=c:\windows\pss\Newsflash.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Mary^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^AVG Free Tray Icon.lnk]
path=c:\users\Mary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AVG Free Tray Icon.lnk
backup=c:\windows\pss\AVG Free Tray Icon.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Mary^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\Mary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 21:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
2010-03-18 15:19 207360 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CrawlerMail]
2009-06-08 18:43 1395200 ----a-w- c:\progra~1\Inbox\CMail.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW6]
2010-04-16 15:25 818288 ----a-w- c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-07-16 11:41 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 5600-6600 Series Fax Server]
2008-09-10 11:10 311976 ----a-w- c:\program files\Lexmark 5600-6600 Series\fm3032.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-04-29 19:39 1090952 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSSE]
2010-06-01 18:53 1093208 ----a-w- c:\program files\Microsoft Security Essentials\msseces.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Performance Center]
2009-01-23 14:44 3231744 ----a-w- c:\program files\Ascentive\Performance Center\ApcMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RunWeather]
2009-06-25 13:36 814592 ----a-w- c:\progra~1\Inbox\Weather\CWeather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-04-16 17:36 24264488 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skytel]
2007-11-21 02:15 1826816 ----a-w- c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-21 02:35 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):83,09,87,74,83,58,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3023599555-3989719847-863854613-1000]
"EnableNotificationsRef"=dword:00000001

R3 EUDSKACS;EUDSKACS;c:\windows\system32\drivers\eudskacs.sys [2009-12-02 15240]
R3 IO_Memory;IO_Memory;c:\windows\SYSTEM32\SYSPREP\Drivers\ioport.sys [2006-06-11 4170]
R3 iscFlash;iscFlash;c:\users\Mary\AppData\Local\Temp\7zSB6EF.tmp\iscflash.sys [x]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-03-26 42368]
R3 SVRPEDRV;SVRPEDRV;c:\windows\System32\sysprep\PEDrv.sys [2008-01-18 9216]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2008-04-17 40960]
R4 lxdu_device;lxdu_device;c:\windows\system32\lxducoms.exe [2009-10-16 589824]
R4 lxduCATSCustConnectService;lxduCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxduserv.exe [2009-10-16 94208]
R4 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
R4 TMachInfo;TMachInfo;c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2008-08-04 46392]
R4 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2007-12-04 126976]
S0 EUBAKUP;EUBAKUP;c:\windows\system32\drivers\eubakup.sys [2009-12-02 27016]
S0 EUFS;EUFS;c:\windows\system32\drivers\eufs.sys [2009-12-02 21896]
S1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\dddsk.sys [2009-02-12 22312]
S1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\DRIVERS\jswpslwf.sys [2008-04-29 20384]
S2 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\Jumpstart\jswpsapi.exe [2008-04-16 954368]
S3 EuDisk;EASEUS Disk Enumerator;c:\windows\system32\DRIVERS\EuDisk.sys [2009-12-02 123784]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-08-27 c:\windows\Tasks\User_Feed_Synchronization-{7740C5BF-A858-4EC9-B4C4-CBDAE476D2DB}.job
- c:\windows\system32\msfeedssync.exe [2010-08-12 04:24]
.
.
------- Supplementary Scan -------
.
IE: {{B1CF6225-211E-4B4C-B466-5F224E348FF3} - c:\program files\Inbox\Weather\CWeather.exe
FF - ProfilePath - c:\users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\nrftk4gi.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tb50-ff-green-chromesbox-en-us&query=
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\nrftk4gi.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: protocol-handler.warn-external.dnUpdate - false.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-08 12:08
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\users\Mary\AppData\Local\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86723ACE]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x87910d24
\Driver\ACPI -> acpi.sys @ 0x80692d68
\Driver\atapi -> ataport.SYS @ 0x824e5a2c
\Driver\iaStor -> iaStor.sys @ 0x8244678c
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3023599555-3989719847-863854613-1000\¬ î**]
@Allowed: (Read) (RestrictedCode)
"MachineID"=hex:8e,95,36,69,b4,ac,09,00
DUMPHIVE0.003 (REGF)

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-09-08 12:13:25
ComboFix-quarantined-files.txt 2010-09-08 16:13
ComboFix2.txt 2010-09-05 07:54

Pre-Run: 95,514,243,072 bytes free
Post-Run: 95,454,199,808 bytes free

- - End Of File - - C38E1C2186E4FD4C9F6A1FA6E33A7E45


The browser (ie is all I checked) still goes bananas when I try to get spybot from cnet (my little test)...

Thanks!

#9 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:08:06 PM

Posted 09 September 2010 - 09:12 AM

QUOTE
The browser (ie is all I checked) still goes bananas when I try to get spybot from cnet (my little test)...


What do you mean by "goes bananas"? Could you be more specific please?

~Blade

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#10 joecool111

joecool111
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:08:06 PM

Posted 10 September 2010 - 11:05 AM

Yeah, "go bananas" is not such a technical term, sorry. I type in a search argument "spybot S&D download cnet". It brings up a list of sites I can download Spybot from. I click on the link for CNET. The URL in the address entry field cycles through several different website addresses before landing at places anywhere from Walmart.com to some very iffy-looking places that look like phishing sites. Sometimes it pops up the "xxx.stopmalware...." web page, sometimes that page shows up in an advertisement pane. Net result is that I can't download Spybot using IE8 or Firefox. Arora, a little-known browser I installed during antimalware/virus/spyware scanning, is not afflicted by this mess...

Thx, Ernie

#11 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:08:06 PM

Posted 13 September 2010 - 02:14 AM

Hi joecool111

Please download MBRCheck to your desktop
  • Double click MBRCheck.exe to run (With Vista and Win 7 right click and select Run as Administrator)
  • It will show a Black screen with some data on it
  • A log named MBRcheck will be on your desktop
  • Copy and paste that log in your next reply

~Blade


In your next reply, please include the following:
MBRCheck Log


#12 joecool111

joecool111
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:08:06 PM

Posted 13 September 2010 - 04:28 PM

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows Vista Home Basic Edition
Windows Information: Service Pack 2 (build 6002), 32-bit
Base Board Manufacturer: TOSHIBA
BIOS Manufacturer: INSYDE
System Manufacturer: TOSHIBA
System Product Name: Satellite L305
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 143):
0x81E52000 \SystemRoot\system32\ntkrnlpa.exe
0x81E1F000 \SystemRoot\system32\hal.dll
0x866A5000 \SystemRoot\system32\kdcom.dll
0x80411000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x80481000 \SystemRoot\system32\PSHED.dll
0x80492000 \SystemRoot\system32\BOOTVID.dll
0x8049A000 \SystemRoot\system32\CLFS.SYS
0x804DB000 \SystemRoot\system32\CI.dll
0x8060E000 \SystemRoot\system32\drivers\Wdf01000.sys
0x8068A000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x80697000 \SystemRoot\system32\drivers\acpi.sys
0x806DD000 \SystemRoot\system32\drivers\WMILIB.SYS
0x806E6000 \SystemRoot\system32\drivers\msisadrv.sys
0x806EE000 \SystemRoot\system32\drivers\pci.sys
0x80715000 \SystemRoot\System32\drivers\partmgr.sys
0x80724000 \SystemRoot\system32\DRIVERS\compbatt.sys
0x80727000 \SystemRoot\system32\DRIVERS\BATTC.SYS
0x80731000 \SystemRoot\system32\drivers\volmgr.sys
0x80740000 \SystemRoot\System32\drivers\volmgrx.sys
0x8078A000 \SystemRoot\System32\drivers\mountmgr.sys
0x8079A000 \SystemRoot\system32\DRIVERS\pciide.sys
0x807A1000 \SystemRoot\system32\DRIVERS\PCIIDEX.SYS
0x8240C000 \SystemRoot\system32\DRIVERS\iaStor.sys
0x824DA000 \SystemRoot\system32\drivers\atapi.sys
0x824E2000 \SystemRoot\system32\drivers\ataport.SYS
0x82500000 \SystemRoot\system32\drivers\msahci.sys
0x8250A000 \SystemRoot\system32\drivers\fltmgr.sys
0x8253C000 \SystemRoot\system32\drivers\fileinfo.sys
0x8254C000 \SystemRoot\System32\Drivers\ksecdd.sys
0x825BD000 \SystemRoot\system32\drivers\eufs.sys
0x82607000 \SystemRoot\system32\drivers\ndis.sys
0x82712000 \SystemRoot\system32\drivers\msrpc.sys
0x8273D000 \SystemRoot\system32\drivers\NETIO.SYS
0x8780D000 \SystemRoot\System32\drivers\tcpip.sys
0x878F7000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x87A0F000 \SystemRoot\System32\Drivers\Ntfs.sys
0x87B1F000 \SystemRoot\system32\drivers\volsnap.sys
0x87B58000 \SystemRoot\system32\DRIVERS\TVALZ_O.SYS
0x87B5D000 \SystemRoot\system32\DRIVERS\tos_sps32.sys
0x87BA0000 \SystemRoot\System32\Drivers\spldr.sys
0x87BA8000 \SystemRoot\System32\Drivers\mup.sys
0x87BB7000 \SystemRoot\system32\drivers\eubakup.sys
0x87BC1000 \SystemRoot\System32\drivers\ecache.sys
0x87BE8000 \SystemRoot\system32\drivers\disk.sys
0x87912000 \SystemRoot\system32\drivers\CLASSPNP.SYS
0x87A00000 \SystemRoot\system32\drivers\crcdisk.sys
0x8B4CF000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x8B4DA000 \SystemRoot\system32\DRIVERS\tunmp.sys
0x8B4E3000 \SystemRoot\system32\DRIVERS\FwLnk.sys
0x8B4EB000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x8B4FA000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0x8BA0F000 \SystemRoot\system32\DRIVERS\igdkmd32.sys
0x8C0F3000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x8C194000 \SystemRoot\System32\drivers\watchdog.sys
0x8C1A0000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0x8C1AB000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x8C1E9000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x8B4FE000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x8B58B000 \SystemRoot\system32\DRIVERS\Rtlh86.sys
0x8C40D000 \SystemRoot\system32\DRIVERS\athr.sys
0x8C4F4000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0x8C507000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x8C512000 \SystemRoot\system32\DRIVERS\SynTP.sys
0x8C542000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x8C544000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x8C54F000 \SystemRoot\system32\DRIVERS\tdcmdpst.sys
0x8C559000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x8C571000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0x8C577000 \SystemRoot\system32\DRIVERS\msiscsi.sys
0x8C5A6000 \SystemRoot\system32\DRIVERS\storport.sys
0x8C5E7000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x8B5C3000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x8C5F2000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x8B5DA000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x8BA00000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x87940000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x87954000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x87969000 \SystemRoot\system32\DRIVERS\termdd.sys
0x8C5FD000 \SystemRoot\system32\DRIVERS\swenum.sys
0x87979000 \SystemRoot\system32\DRIVERS\ks.sys
0x879A3000 \SystemRoot\system32\DRIVERS\EuDisk.sys
0x8C400000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x879C4000 \SystemRoot\system32\DRIVERS\umbus.sys
0x82778000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x879D1000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x8C600000 \SystemRoot\system32\drivers\RTKVHDA.sys
0x827AD000 \SystemRoot\system32\drivers\portcls.sys
0x827DA000 \SystemRoot\system32\drivers\drmk.sys
0x8CA05000 \SystemRoot\system32\DRIVERS\AGRSM.sys
0x8CB21000 \SystemRoot\system32\drivers\modem.sys
0x8CB2E000 \SystemRoot\system32\DRIVERS\MpFilter.sys
0x8CB51000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0x8CB5A000 \SystemRoot\System32\Drivers\Null.SYS
0x8CB61000 \SystemRoot\System32\Drivers\Beep.SYS
0x8CB68000 \SystemRoot\System32\drivers\vga.sys
0x8CB74000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x8CB95000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x8CB9D000 \SystemRoot\system32\drivers\rdpencdd.sys
0x8CBA5000 \SystemRoot\System32\Drivers\Msfs.SYS
0x8CBB0000 \SystemRoot\System32\Drivers\Npfs.SYS
0x8CBBE000 \SystemRoot\System32\DRIVERS\rasacd.sys
0x8CBC7000 \SystemRoot\system32\DRIVERS\tdx.sys
0x825C6000 \SystemRoot\System32\DRIVERS\netbt.sys
0x8CBDD000 \SystemRoot\system32\DRIVERS\smb.sys
0x807AF000 \SystemRoot\system32\drivers\afd.sys
0x879E2000 \SystemRoot\system32\DRIVERS\pacer.sys
0x8CBF1000 \SystemRoot\system32\DRIVERS\jswpslwf.sys
0x80600000 \SystemRoot\system32\DRIVERS\netbios.sys
0x805BB000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x8C80A000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x8C846000 \SystemRoot\system32\drivers\nsiproxy.sys
0x8C850000 \??\C:\Windows\system32\drivers\dddsk.sys
0x8C854000 \SystemRoot\System32\Drivers\dfsc.sys
0x8C86B000 \SystemRoot\System32\Drivers\crashdmp.sys
0x8C878000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0x8C946000 \SystemRoot\system32\drivers\RTSTOR.SYS
0x942A0000 \SystemRoot\System32\win32k.sys
0x8C95A000 \SystemRoot\System32\drivers\Dxapi.sys
0x8C964000 \SystemRoot\system32\DRIVERS\monitor.sys
0x944C0000 \SystemRoot\System32\TSDDD.dll
0x944E0000 \SystemRoot\System32\cdd.dll
0x8C973000 \SystemRoot\system32\drivers\luafv.sys
0x8B400000 \SystemRoot\system32\drivers\spsys.sys
0x8C98E000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x8C99E000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x8C9C8000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x8C9D2000 \SystemRoot\system32\DRIVERS\rspndr.sys
0xAA00B000 \SystemRoot\system32\drivers\HTTP.sys
0xAA078000 \SystemRoot\system32\DRIVERS\bowser.sys
0xAA091000 \SystemRoot\System32\drivers\mpsdrv.sys
0xAA0A6000 \SystemRoot\system32\drivers\mrxdav.sys
0xAA0C7000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xAA0E6000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0xAA11F000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0xAB801000 \SystemRoot\system32\drivers\peauth.sys
0xAB8DF000 \SystemRoot\system32\drivers\qwavedrv.sys
0xAB8EB000 \SystemRoot\System32\Drivers\secdrv.SYS
0xAB8F5000 \SystemRoot\System32\DRIVERS\srvnet.sys
0xAB912000 \SystemRoot\System32\drivers\tcpipreg.sys
0xAB91E000 \SystemRoot\System32\DRIVERS\srv2.sys
0xAB945000 \SystemRoot\System32\DRIVERS\srv.sys
0xAB993000 \SystemRoot\system32\DRIVERS\cdfs.sys
0x77B90000 \Windows\System32\ntdll.dll

Processes (total 64):
0 System Idle Process
4 System
468 C:\Windows\System32\smss.exe
536 csrss.exe
588 C:\Windows\System32\wininit.exe
596 csrss.exe
628 C:\Windows\System32\winlogon.exe
664 C:\Windows\System32\services.exe
676 C:\Windows\System32\lsass.exe
684 C:\Windows\System32\lsm.exe
852 C:\Windows\System32\svchost.exe
900 C:\Windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
940 C:\Windows\System32\svchost.exe
1108 C:\Windows\System32\svchost.exe
1144 C:\Windows\System32\svchost.exe
1176 C:\Windows\System32\svchost.exe
1240 C:\Windows\System32\audiodg.exe
1272 C:\Windows\System32\svchost.exe
1308 C:\Windows\System32\SLsvc.exe
1356 C:\Windows\System32\svchost.exe
1500 C:\Windows\System32\svchost.exe
1680 C:\Windows\System32\wlanext.exe
1792 C:\Windows\System32\spoolsv.exe
1820 C:\Windows\System32\svchost.exe
1912 C:\Windows\System32\alg.exe
1960 C:\Windows\System32\dllhost.exe
1992 C:\Windows\System32\dfsr.exe
304 C:\Windows\System32\svchost.exe
860 C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
1464 C:\Program Files\Jumpstart\jswpsapi.exe
1532 C:\Windows\System32\msdtc.exe
660 C:\Windows\System32\msiexec.exe
1908 C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
2120 C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
2164 C:\Windows\System32\svchost.exe
2196 C:\Windows\System32\svchost.exe
2220 C:\Windows\System32\Locator.exe
2240 C:\Windows\System32\svchost.exe
2272 C:\Windows\System32\snmptrap.exe
2324 C:\Windows\System32\svchost.exe
2376 C:\Windows\System32\svchost.exe
2432 C:\Windows\System32\UI0Detect.exe
2540 C:\Windows\System32\vds.exe
2568 C:\Windows\System32\svchost.exe
2632 C:\Windows\System32\svchost.exe
2660 C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
2672 C:\Windows\System32\wbem\WmiApSrv.exe
2700 C:\Program Files\Windows Media Player\wmpnetwk.exe
2764 C:\Windows\System32\SearchIndexer.exe
2832 C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
3052 WmiPrvSE.exe
3216 iashost.exe
3260 C:\Windows\System32\taskeng.exe
3320 C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
3864 C:\Windows\System32\taskeng.exe
3984 C:\Windows\System32\dwm.exe
4064 C:\Windows\explorer.exe
2496 C:\Program Files\Windows Media Player\wmpnscfg.exe
3452 C:\Program Files\Arora\arora.exe
2100 C:\Windows\System32\SearchProtocolHost.exe
1284 C:\Windows\System32\SearchFilterHost.exe
2844 dllhost.exe
3872 dllhost.exe
2304 C:\Users\Mary\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`5dd00000 (NTFS)

PhysicalDrive0 Model Number: WDCWD1600BEVS-26VAT0, Rev: 11.01A11

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 MBR Code Faked!
SHA1: CCF356FEC6D9BBB29EF3EF1E4270A2B799955EA4


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice: Enter the physical disk number to dump (0-99, -1 to exit): 0
Dumping \\.\PhysicalDisk0...
Enter filename to dump to: mbrcheck.log
Dumped successfully!

Enter the physical disk number to dump (0-99, -1 to exit):


I think this is what we're looking for. Thanks again for your help. -JoeC
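Added example, not code from this thread, MBRCheck or ComboFix: a small Python script that reads a raw 512-byte MBR dump such as the file MBRCheck writes with option [1] above, and runs the checks a responder would want before choosing option [2]: the 0x55AA boot signature, partition-table sanity (one active entry, no overlaps), that the C: volume offset MBRCheck reported (byte offset 0x5dd00000, i.e. LBA 0x2ee800) really begins at a partition entry, the SHA1 of the sector as MBRCheck prints it, and whether the 440-byte bootstrap region matches a reference sector taken from a known-clean machine. Everything except that volume offset is an assumption: the sample sectors and the "clean" and "faked" boot code are constructed placeholders, not real boot code, and `mbrcheck.log`/`clean_reference.bin` are hypothetical file names.

```python
"""
Checks on a raw 512-byte MBR dump, e.g. the file MBRCheck writes with
option [1].  Added example, not MBRCheck's or ComboFix's own code.
Everything here except the C: volume offset 0x5dd00000 (taken from the
MBRCheck log in the thread) is an assumption or constructed sample data.
"""
import hashlib
import struct
import sys

SECTOR = 512
BOOTSTRAP_LEN = 440          # bytes 0..439 hold the boot code
PT_OFFSET = 446              # 4 x 16-byte partition entries at 446..509
BOOT_SIG = b"\x55\xaa"       # bytes 510..511


def parse_partitions(mbr):
    """Return the four partition-table entries as dicts (empty entries included)."""
    entries = []
    for i in range(4):
        raw = mbr[PT_OFFSET + 16 * i:PT_OFFSET + 16 * (i + 1)]
        # status, CHS start (3 bytes, ignored), type, CHS end (3 bytes, ignored),
        # LBA of first sector, sector count; all little-endian
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", raw)
        entries.append({"index": i, "active": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def analyse(mbr, reference=None, volume_offsets=()):
    """
    Return {"sha1", "partitions", "findings"} for one sector.
    reference      : a known-clean MBR (at least its first 440 bytes), or None
    volume_offsets : byte offsets of volumes as the OS reports them
                     (MBRCheck prints "\\.\C: --> \\.\PhysicalDrive0 at offset ...")
    """
    if len(mbr) != SECTOR:
        raise ValueError("expected %d bytes, got %d" % (SECTOR, len(mbr)))
    findings = []
    if mbr[510:512] != BOOT_SIG:
        findings.append("missing 0x55AA boot signature")

    parts = parse_partitions(mbr)
    used = [p for p in parts if p["type"] != 0]
    active = [p for p in used if p["active"]]
    if len(active) != 1:
        findings.append("%d active partitions, expected 1" % len(active))
    for p in used:
        if p["lba_start"] == 0 or p["sectors"] == 0:
            findings.append("partition %d has a zero start or length" % p["index"])
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in used)
    for (_, end1), (start2, _) in zip(spans, spans[1:]):
        if start2 < end1:
            findings.append("partition entries overlap at LBA %d" % start2)

    # every volume the OS sees must start exactly where some entry says it does
    for off in volume_offsets:
        lba, rem = divmod(off, SECTOR)
        if rem or not any(p["lba_start"] == lba for p in used):
            findings.append("no partition entry starts at offset 0x%x" % off)

    # the region a bootkit rewrites: compare boot code only, since the
    # partition table and disk signature legitimately differ between machines
    if reference is not None and mbr[:BOOTSTRAP_LEN] != reference[:BOOTSTRAP_LEN]:
        findings.append("bootstrap code differs from reference")

    return {"sha1": hashlib.sha1(mbr).hexdigest().upper(),
            "partitions": parts, "findings": findings}


# ---- constructed sample data (placeholders, not real boot code) ----
CLEAN_BOOTSTRAP = (b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 100).ljust(BOOTSTRAP_LEN, b"\x00")
FAKED_BOOTSTRAP = (b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\xeb\x42").ljust(BOOTSTRAP_LEN, b"\x00")
C_VOLUME_OFFSET = 0x5DD00000          # from the MBRCheck log: \\.\C: at this offset


def build_sample_mbr(bootstrap, c_offset=C_VOLUME_OFFSET):
    """Assemble a sector: boot code, disk signature, one active NTFS entry, 0x55AA."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff",
                        c_offset // SECTOR, 0x129DE000)   # ~149 GB, constructed
    empty = b"\x00" * 16
    return (bootstrap[:BOOTSTRAP_LEN] + b"\xb8\x3d\x2a\x1c" + b"\x00\x00"
            + entry + empty * 3 + BOOT_SIG)


if __name__ == "__main__":
    # usage: python mbr_check.py mbrcheck.log [clean_reference.bin]
    with open(sys.argv[1], "rb") as f:
        dump = f.read(SECTOR)
    ref = None
    if len(sys.argv) > 2:
        with open(sys.argv[2], "rb") as f:
            ref = f.read(SECTOR)
    result = analyse(dump, ref, volume_offsets=[C_VOLUME_OFFSET])
    print("SHA1:", result["sha1"])
    for p in result["partitions"]:
        if p["type"]:
            print("  entry %d: type 0x%02x active=%s LBA %d (+%d sectors)"
                  % (p["index"], p["type"], p["active"], p["lba_start"], p["sectors"]))
    print("findings:", result["findings"] or "none")
```

The partition-table checks are kept separate from the boot-code comparison on purpose: a bootkit of the Mebroot/Sinowal kind that GMER's detector above is named after replaces the boot code but leaves the partition table alone so Windows still boots, so a faked MBR passes every table check and is caught only by comparing bytes 0..439 against a clean reference (or, as MBRCheck does, against known standard boot code). Note also that the kernel addresses in the GMER hook lines and the driver base addresses in the MBRCheck list come from different boots (CLASSPNP.SYS sits at a different address in each log), so they cannot be cross-referenced to resolve the UNKNOWN hook address.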


#13 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:08:06 PM

Posted 16 September 2010 - 03:19 AM

hi joecool111

Sorry for the delay.

Please re-run MBR check. This time when it gives you the options, select [2], then select the operating system of your machine. This will repair the MBR.

After doing so, please run ComboFix again, just as you did the first time, and post the log for me.

~Blade


#14 joecool111

joecool111
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:08:06 PM

Posted 16 September 2010 - 09:22 PM

No prob. Ran MBRCheck, option 2, then 3, rebooted, started ComboFix, let it update, ran it, rebooted, finished, here's the log...

ComboFix 10-09-16.04 - Mary 09/16/2010 22:03:11.4.1 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1915.1082 [GMT -4:00]
Running from: c:\users\Mary\Desktop\renemed.exe
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-08-17 to 2010-09-17 )))))))))))))))))))))))))))))))
.

2010-09-17 02:09 . 2010-09-17 02:09 -------- d-----w- c:\users\Mary\AppData\Local\temp
2010-09-17 02:09 . 2010-09-17 02:09 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-09-17 02:09 . 2010-09-17 02:09 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-09-02 19:57 . 2009-12-02 16:21 21896 ----a-w- c:\windows\system32\drivers\eufs.sys
2010-09-02 19:57 . 2009-12-02 16:20 15240 ----a-w- c:\windows\system32\drivers\eudskacs.sys
2010-09-02 19:57 . 2009-12-02 16:20 27016 ----a-w- c:\windows\system32\drivers\eubakup.sys
2010-09-02 19:57 . 2009-12-02 16:20 123784 ----a-w- c:\windows\system32\drivers\EuDisk.sys
2010-09-02 19:57 . 2010-09-02 19:57 -------- d-----w- c:\program files\EASEUS
2010-08-27 01:22 . 2010-09-08 13:21 -------- d-----w- c:\users\Mary\AppData\Local\Arora
2010-08-27 01:22 . 2010-08-27 01:22 -------- d-----w- c:\program files\Arora
2010-08-27 01:17 . 2010-08-27 01:17 -------- d-----w- c:\users\Mary\AppData\Roaming\Canneverbe Limited
2010-08-27 01:17 . 2010-08-27 01:17 -------- d-----w- c:\programdata\Canneverbe Limited
2010-08-27 01:17 . 2009-11-12 18:48 7168 ----a-w- c:\windows\system32\drivers\StarOpen.sys
2010-08-27 01:17 . 2010-08-27 01:17 -------- d-----w- c:\program files\CDBurnerXP
2010-08-27 01:13 . 2010-08-27 01:13 -------- d-----w- c:\users\Mary\AppData\Local\Yahoo!
2010-08-27 00:38 . 2010-08-27 00:38 -------- d-----w- c:\program files\Trend Micro
2010-08-25 00:41 . 2010-08-25 00:41 110080 ----a-r- c:\users\Mary\AppData\Roaming\Microsoft\Installer\{CED3DF1E-01D1-45AD-BF33-64AE5E8843B8}\IconF7A21AF7.exe
2010-08-25 00:41 . 2010-08-25 00:41 110080 ----a-r- c:\users\Mary\AppData\Roaming\Microsoft\Installer\{CED3DF1E-01D1-45AD-BF33-64AE5E8843B8}\IconD7F16134.exe
2010-08-25 00:41 . 2010-08-25 00:41 -------- d-----w- C:\sh4ldr
2010-08-25 00:41 . 2010-08-25 00:41 -------- d-----w- c:\program files\Enigma Software Group
2010-08-25 00:40 . 2010-08-25 00:41 -------- d-----w- c:\windows\CED3DF1E01D145ADBF3364AE5E8843B8.TMP
2010-08-25 00:40 . 2010-08-25 00:40 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-08-24 20:53 . 2010-08-24 20:55 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-08-24 06:49 . 2010-08-24 06:49 -------- d-----w- c:\windows\Sun
2010-08-21 13:57 . 2010-08-21 13:57 1930752 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{1D18778D-8543-86F4-6CF5-9C9BD52AE138}-antivirusGT.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-05 06:14 . 2009-03-01 13:04 -------- d-----w- c:\users\Mary\AppData\Roaming\Skype
2010-09-05 06:14 . 2009-03-01 13:11 -------- d-----w- c:\users\Mary\AppData\Roaming\skypePM
2010-09-05 06:12 . 2009-12-20 14:45 720 ----a-w- c:\programdata\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2010-09-02 20:25 . 2010-08-16 12:20 -------- d-----w- c:\program files\Google
2010-09-02 20:06 . 2009-05-28 08:46 -------- d-----w- c:\program files\Inbox
2010-08-27 06:57 . 2009-02-10 01:35 1356 ----a-w- c:\users\Mary\AppData\Local\d3d9caps.dat
2010-08-24 21:00 . 2009-05-21 15:29 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-08-24 16:59 . 2009-05-21 04:56 -------- d-----w- c:\program files\Windows Live Safety Center
2010-08-21 15:54 . 2008-11-26 01:48 -------- d-----w- c:\programdata\Microsoft Help
2010-08-12 13:03 . 2008-11-26 01:46 -------- d-----w- c:\program files\Microsoft Works
2010-08-12 12:59 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-07-23 21:22 . 2010-08-16 12:28 1496064 ----a-w- c:\users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\nrftk4gi.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-07-23 21:22 . 2010-08-16 12:28 43008 ----a-w- c:\users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\nrftk4gi.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-07-23 21:22 . 2010-08-16 12:28 338944 ----a-w- c:\users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\nrftk4gi.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-07-23 21:22 . 2010-08-16 12:28 346112 ----a-w- c:\users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\nrftk4gi.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-07-22 15:34 . 2010-07-22 15:33 -------- d-----w- c:\program files\iTunes
2010-07-22 15:33 . 2010-07-22 15:33 -------- d-----w- c:\program files\iPod
2010-07-22 15:33 . 2009-09-11 15:50 -------- d-----w- c:\program files\Common Files\Apple
2010-07-22 15:33 . 2009-03-17 02:09 -------- d-----w- c:\programdata\Apple Computer
2010-07-22 15:28 . 2010-07-22 15:28 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.2.1.4\SetupAdmin.exe
2010-06-26 06:05 . 2010-08-12 10:45 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-26 06:02 . 2010-08-12 10:45 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-06-26 06:02 . 2010-08-12 10:45 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-06-26 04:25 . 2010-08-12 10:45 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-06-21 13:37 . 2010-08-12 10:45 2037760 ----a-w- c:\windows\system32\win32k.sys
2008-12-28 19:51 . 2008-12-28 19:51 13 --sh--r- c:\windows\System32\drivers\fbd.sys
2008-12-28 19:51 . 2008-12-28 19:51 4 --sh--r- c:\windows\System32\drivers\taishop.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-09-08_16.08.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-21 01:58 . 2010-09-17 00:41 84932 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:02 . 2010-09-17 00:42 83902 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-12-28 19:53 . 2010-09-17 00:42 17152 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3023599555-3989719847-863854613-1000_UserData.bin
+ 2008-12-28 19:49 . 2010-09-17 01:18 81920 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-12-28 19:49 . 2010-09-08 15:52 81920 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-12-28 19:49 . 2010-09-08 15:52 81920 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-12-28 19:49 . 2010-09-17 01:18 81920 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-01-22 12:56 . 2010-09-08 16:26 2366 c:\windows\System32\WDI\ERCQueuedResolutions.dat
- 2010-09-08 15:52 . 2010-09-08 15:52 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-09-17 01:18 . 2010-09-17 01:18 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2010-09-08 15:52 . 2010-09-08 15:52 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-09-17 01:18 . 2010-09-17 01:18 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-12-28 22:20 . 2010-09-17 00:34 232790 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2006-11-02 10:33 . 2010-09-17 01:22 599826 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2010-09-08 15:56 599826 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2010-09-08 15:56 103294 c:\windows\System32\perfc009.dat
+ 2006-11-02 10:33 . 2010-09-17 01:22 103294 c:\windows\System32\perfc009.dat
+ 2009-04-29 15:06 . 2010-09-17 01:41 262144 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2009-04-29 15:06 . 2010-09-08 15:52 262144 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2010-06-18 04:34 . 2010-09-17 01:17 623148 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2010-06-18 04:34 . 2010-09-08 15:51 623148 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2008-12-28 19:49 . 2010-09-17 01:18 1376256 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-12-28 19:49 . 2010-09-08 15:52 1376256 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-04-20 18:07 . 2010-09-17 01:17 3115360 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2009-04-20 18:07 . 2010-09-08 15:51 3115360 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150596.exe" [2009-04-29 468408]

c:\users\Mary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote Table Of Contents.onetoc2 [2009-6-17 3656]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Newsflash.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Newsflash.lnk
backup=c:\windows\pss\Newsflash.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Mary^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^AVG Free Tray Icon.lnk]
path=c:\users\Mary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AVG Free Tray Icon.lnk
backup=c:\windows\pss\AVG Free Tray Icon.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Mary^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\Mary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 21:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
2010-03-18 15:19 207360 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CrawlerMail]
2009-06-08 18:43 1395200 ----a-w- c:\progra~1\Inbox\CMail.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW6]
2010-04-16 15:25 818288 ----a-w- c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-07-16 11:41 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 5600-6600 Series Fax Server]
2008-09-10 11:10 311976 ----a-w- c:\program files\Lexmark 5600-6600 Series\fm3032.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-04-29 19:39 1090952 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSSE]
2010-06-01 18:53 1093208 ----a-w- c:\program files\Microsoft Security Essentials\msseces.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Performance Center]
2009-01-23 14:44 3231744 ----a-w- c:\program files\Ascentive\Performance Center\ApcMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RunWeather]
2009-06-25 13:36 814592 ----a-w- c:\progra~1\Inbox\Weather\CWeather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-04-16 17:36 24264488 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skytel]
2007-11-21 02:15 1826816 ----a-w- c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-21 02:35 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3023599555-3989719847-863854613-1000]
"EnableNotificationsRef"=dword:00000001

R3 EUDSKACS;EUDSKACS;c:\windows\system32\drivers\eudskacs.sys [2009-12-02 15240]
R3 IO_Memory;IO_Memory;c:\windows\SYSTEM32\SYSPREP\Drivers\ioport.sys [2006-06-11 4170]
R3 iscFlash;iscFlash;c:\users\Mary\AppData\Local\Temp\7zSB6EF.tmp\iscflash.sys [x]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-03-26 42368]
R3 SVRPEDRV;SVRPEDRV;c:\windows\System32\sysprep\PEDrv.sys [2008-01-18 9216]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2008-04-17 40960]
R4 lxdu_device;lxdu_device;c:\windows\system32\lxducoms.exe [2009-10-16 589824]
R4 lxduCATSCustConnectService;lxduCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxduserv.exe [2009-10-16 94208]
R4 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
R4 TMachInfo;TMachInfo;c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2008-08-04 46392]
R4 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2007-12-04 126976]
S0 EUBAKUP;EUBAKUP;c:\windows\system32\drivers\eubakup.sys [2009-12-02 27016]
S0 EUFS;EUFS;c:\windows\system32\drivers\eufs.sys [2009-12-02 21896]
S1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\dddsk.sys [2009-02-12 22312]
S1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\DRIVERS\jswpslwf.sys [2008-04-29 20384]
S2 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\Jumpstart\jswpsapi.exe [2008-04-16 954368]
S3 EuDisk;EASEUS Disk Enumerator;c:\windows\system32\DRIVERS\EuDisk.sys [2009-12-02 123784]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-08-27 c:\windows\Tasks\User_Feed_Synchronization-{7740C5BF-A858-4EC9-B4C4-CBDAE476D2DB}.job
- c:\windows\system32\msfeedssync.exe [2010-08-12 04:24]
.
.
------- Supplementary Scan -------
.
IE: {{B1CF6225-211E-4B4C-B466-5F224E348FF3} - c:\program files\Inbox\Weather\CWeather.exe
FF - ProfilePath - c:\users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\nrftk4gi.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tb50-ff-green-chromesbox-en-us&query=
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\nrftk4gi.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: protocol-handler.warn-external.dnUpdate - false.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-16 22:09
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86503ACE]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x8790dd24
\Driver\ACPI -> acpi.sys @ 0x80694d68
\Driver\atapi -> ataport.SYS @ 0x824e9a2c
\Driver\iaStor -> iaStor.sys @ 0x8244a78c
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3023599555-3989719847-863854613-1000\¬ î**]
@Allowed: (Read) (RestrictedCode)
"MachineID"=hex:8e,95,36,69,b4,ac,09,00
DUMPHIVE0.003 (REGF)

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-09-16 22:13:27
ComboFix-quarantined-files.txt 2010-09-17 02:13
ComboFix2.txt 2010-09-08 16:13
ComboFix3.txt 2010-09-05 07:54

Pre-Run: 95,174,082,560 bytes free
Post-Run: 95,140,737,024 bytes free

- - End Of File - - 88AC8E8BA1CA67E91918B83238D9DCB7
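A triage pass a responder can run over the two blocks of a ComboFix log that matter most here: the service/driver table (the `R3 ... [x]` rows above) and the Gmer MBR-detector block. This is an added example, not ComboFix's own code and not part of the thread. The sample rows are copied from the log above; the rule set (flag `[x]` entries whose binary is gone, drivers loading from a user-profile or temp path, boot- or system-start drivers, and a `>>UNKNOWN<<` address in the disk call chain) is the editor's assumption about what deserves a second look, not a verdict. The `iscFlash` row, for instance, reads as an installer that extracted a driver to a temp folder and has since been cleaned up, and the `>>UNKNOWN<<` entry can come from a legitimate disk-filter driver (backup or encryption software) as well as from a stealth rootkit, so identify the owner before acting on it.

```python
"""Triage a ComboFix service table and Gmer MBR block (added example)."""
import re
from dataclasses import dataclass, field

# ComboFix service rows look like "<R|S><n> name;display;path [date size]"
# or "... [x]" when the binary is missing.  R = running, S = stopped; the
# digit is the Windows start type (0 boot, 1 system, 2 auto, 3 manual, 4 disabled).
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]*);(?P<display>[^;]*);"
    r"(?P<path>.*?)\s+\[(?P<tag>[^\]]*)\]\s*$"
)
# Assumed baseline: where a service binary is expected to live, and path
# fragments that a kernel driver should essentially never load from.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")
VOLATILE_MARKERS = ("\\temp\\", "\\appdata\\", "\\users\\")
# Gmer marks a call-chain address it cannot map to a loaded module this way.
UNKNOWN_MODULE_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")

# Sample rows copied from the log above.
SAMPLE_SERVICES = r"""
R3 iscFlash;iscFlash;c:\users\Mary\AppData\Local\Temp\7zSB6EF.tmp\iscflash.sys [x]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-03-26 42368]
R4 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S0 EUBAKUP;EUBAKUP;c:\windows\system32\drivers\eubakup.sys [2009-12-02 27016]
S1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\dddsk.sys [2009-02-12 22312]
""".strip().splitlines()

SAMPLE_MBR = r"""
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86503ACE]<<
kernel: MBR read successfully
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK
"""


@dataclass
class Finding:
    name: str
    path: str
    reasons: list = field(default_factory=list)


def triage_service_line(line):
    """Parse one service row; return a Finding (possibly with no reasons) or None."""
    m = SERVICE_RE.match(line.strip())
    if m is None:
        return None
    path = m["path"].lower()
    reasons = []
    if m["tag"] == "x":
        reasons.append("binary missing on disk ([x]) but still registered")
    if any(marker in path for marker in VOLATILE_MARKERS):
        reasons.append("loads from a user profile or temp directory")
    elif not path.startswith(TRUSTED_PREFIXES):
        reasons.append("outside Windows and Program Files")
    if m["start"] in ("0", "1"):
        # Boot/system-start drivers are up before any user-mode scanner.
        reasons.append("boot/system-start kernel driver; verify the vendor")
    return Finding(m["name"], m["path"], reasons)


def triage_services(lines):
    """Map service name -> list of reasons, for rows that raised at least one."""
    findings = {}
    for line in lines:
        f = triage_service_line(line)
        if f is not None and f.reasons:
            findings[f.name] = f.reasons
    return findings


def triage_mbr_block(text):
    """Notes on the Gmer MBR block: unattributed call-chain code and MBR agreement."""
    notes = []
    m = UNKNOWN_MODULE_RE.search(text)
    if m:
        notes.append(
            f"unattributed code at {m.group(1)} in the disk I/O call chain; "
            "identify the owning driver before trusting the 'MBR OK' verdict"
        )
    if "user & kernel MBR OK" in text:
        notes.append("user-mode and kernel-mode MBR reads agree")
    return notes


if __name__ == "__main__":
    for name, reasons in triage_services(SAMPLE_SERVICES).items():
        print(name, "->", "; ".join(reasons))
    for note in triage_mbr_block(SAMPLE_MBR):
        print("MBR:", note)
```

On the sample rows this flags `iscFlash` (missing binary, temp path), `EUBAKUP` and `ElRawDisk` (boot/system-start third-party drivers) and leaves `MpNWMon` and the Spybot service alone; the MBR block yields one note for the `0x86503ACE` address and one confirming the two MBR reads agree.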


#15 Blade

    Strong in the Bleepforce

  • Site Admin
  • 12,704 posts
  • OFFLINE
  • Gender:Male
  • Location:US
  • Local time:08:06 PM
Posted 19 September 2010 - 07:12 PM

Hi joecool111.

How is the computer running?

~Blade

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
