possible fake av stopping install of MBAM service


  • This topic is locked
11 replies to this topic

#1 villandra

villandra

  • Members
  • 19 posts
  • OFFLINE
  • Local time:07:00 PM

Posted 08 January 2012 - 05:04 PM

Problem is that I had, and may still have, an infection with fake antivirus malware. It had changed some of my file associations but this is fixed. I am able to install Malwarebytes Anti-Malware but the service MBAMService does not appear in services.msc or the services list in msconfig. Tried all fixes suggested on the Malwarebytes web site and it didn't work. Searched the registry but see nothing obviously blocking it. Three other antivirus programs and their services installed and ran normally, so nothing is blocking installs in general. I want to know if there is something blocking the MBAM service from installing. Thanks!

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:35:04 AM, on 1/8/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

****RKILL STOPPED WINDOWS\EXPLORER.EXE*****

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\AGI\core\4.2.0.10754\AGCoreService.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\Java\jre6\bin\jqs.exe
E:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\HPZipm12.exe
E:\Program Files\GFI Software\VIPRE\SBPIMSvc.exe
E:\Program Files\GIGABYTE\Smart6\Timelock\TimeMgmtDaemon.exe
E:\WINDOWS\System32\snmp.exe **********WHAT IS?******************
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe
E:\WINDOWS\RTHDCPL.EXE
E:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
E:\WINDOWS\system32\Rundll32.exe ******* WHY ARE THERE TWO RUNDLL32.EXE RUNNING?*******
E:\WINDOWS\system32\RunDLL32.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
E:\PROGRA~1\Webshots\315~1.761\webshots.scr
E:\Program Files\GIGABYTE\Smart6\Timelock\AlarmClock.exe
E:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe ****************
E:\Program Files\GFI Software\VIPRE\sbamui.exe ************ THESE ARE VIPRE*******
E:\Program Files\GFI Software\VIPRE\SBAMSvc.exe
E:\Program Files\GFI Software\VIPRE\SBAMTray.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\WINDOWS\explorer.exe ***** RKILL SAID IT STOPPED THIS - GUESS IT'S STILL RUNNING.*****
E:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
E:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: agihelper.AGUtils - {0BC6E3FA-78EF-4886-842C-5A1258C4455A} - mscoree.dll (file missing)
R3 - URLSearchHook: (no name) - {f78bf7a8-cf12-4de7-a6da-c463d1b539a7} - (no file)
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: agihelper.AGUtils - {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll (file missing) *************??????*******
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - E:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - E:\Program Files\Google\GoogleToolbarNotifier\5.7.7018.1622\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {ccb24e92-62c4-4c53-95d2-65f9eed476bc} - (no file) ***********???????????*****************
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - E:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [CTSysVol] E:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper *********?????????*************
O4 - HKLM\..\Run: [UpdReg] E:\WINDOWS\UpdReg.EXE **********????????????***********
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login **********?????????????NORMAL?**********************
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] E:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
O4 - HKLM\..\Run: [ArcSoft Connection Service] E:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [MSConfig] E:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Intuit SyncManager] e:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup
O4 - HKLM\..\Run: [APSDaemon] "E:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [SBAMTray] "E:\Program Files\GFI Software\VIPRE\SBAMTray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pcsafedoctor.exe] E:\Program Files\PCSafeDoctor\pcsafedoctor.exe
O4 - HKLM\..\Run: [MSC] "E:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "E:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - S-1-5-21-484763869-1844823847-839522115-1004 Startup: Webshots.lnk = E:\Program Files\Webshots\3.1.5.7619\Launcher.exe (User 'UpdatusUser')
O4 - Startup: Webshots.lnk = E:\Program Files\Webshots\3.1.5.7619\Launcher.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: intu-help-qb3 - {C5E479EA-0A65-4B05-8C6C-2FC8CC682EB4} - F:\Program Files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing) *******????????************
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - E:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - E:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: AG Core Services (AGCoreService) - AG Interactive - E:\Program Files\AGI\core\4.2.0.10754\AGCoreService.exe
O23 - Service: Bonjour Service - Apple Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - E:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - E:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - E:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - E:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel® Management and Security Application Local Management Service (LMS) - Intel Corporation - E:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - E:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\system32\HPZipm12.exe
O23 - Service: VIPRE Antivirus (SBAMSvc) - GFI Software - E:\Program Files\GFI Software\VIPRE\SBAMSvc.exe
O23 - Service: SB Recovery Service (SBPIMSvc) - GFI Software - E:\Program Files\GFI Software\VIPRE\SBPIMSvc.exe
O23 - Service: Smart TimeLock Service (Smart TimeLock) - Gigabyte Technology CO., LTD. - E:\Program Files\GIGABYTE\Smart6\Timelock\TimeMgmtDaemon.exe
O23 - Service: Intel® Management and Security Application User Notification Service (UNS) - Intel Corporation - E:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe
O23 - Service: WPEServ - Unknown owner - E:\Program Files\Common Files\WPE\wpeserv.exe

--
End of file - 8631 bytes
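The annotated log above is the kind of thing a helper sorts by hand: which entries are leftovers, which deserve a closer look, and which are noise. The following is an added example, not part of villandra's post and not part of HijackThis itself: a small Python triage pass over HijackThis-style entries that flags orphaned CLSIDs, services with no publisher string, and Run entries launched from a temp folder or by bare filename. The sample lines are copied from the log above; the rule names, severities and the "Temp folder" rule are the example's own assumptions, not verdicts on this machine.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: a handful of lines copied from the HijackThis log posted
# above. It is a sample for the rules below, not a complete log.
SAMPLE_LOG = r"""
R3 - URLSearchHook: agihelper.AGUtils - {0BC6E3FA-78EF-4886-842C-5A1258C4455A} - mscoree.dll (file missing)
R3 - URLSearchHook: (no name) - {f78bf7a8-cf12-4de7-a6da-c463d1b539a7} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - E:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: (no name) - {ccb24e92-62c4-4c53-95d2-65f9eed476bc} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] E:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [MSC] "E:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O23 - Service: Bonjour Service - Apple Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: WPEServ - Unknown owner - E:\Program Files\Common Files\WPE\wpeserv.exe
"""


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O23"
    severity: str  # "info", "low" or "medium": how much follow-up it deserves
    reason: str    # short label for the rule that fired (names are this example's own)
    line: str      # the original log line


# "R3 - ..." / "O23 - ..." prefix used by every HijackThis entry.
_TAG = re.compile(r"^(R[0-3]|O\d+) - (.*)$")
# Body of an O4 Run entry: HKLM\..\Run: [name] command
_RUN = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[[^\]]+\] (.+)$")
# Command that starts with a drive letter (optionally quoted).
_ABS_PATH = re.compile(r'^"?[A-Za-z]:\\')


def parse_line(line: str):
    """Split one HijackThis entry into (section tag, body); None for other text."""
    m = _TAG.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def check_line(line: str) -> Optional[Finding]:
    """Apply the triage rules to one entry and return a Finding or None."""
    parsed = parse_line(line)
    if parsed is None:
        return None
    tag, body = parsed

    if "(file missing)" in body or "(no file)" in body:
        # HijackThis prints .NET-registered COM objects as "mscoree.dll (file
        # missing)" because it does not resolve the framework path: usually noise.
        if "mscoree.dll" in body:
            return Finding(tag, "info", "dotnet-com-component", line)
        # A CLSID with no backing file is a leftover from an uninstalled or
        # removed component: harmless by itself, but worth cleaning up.
        return Finding(tag, "low", "orphaned-clsid", line)

    if tag == "O23" and " - Unknown owner - " in body:
        # Service binary without a publisher string: needs a manual look.
        return Finding(tag, "medium", "service-without-publisher", line)

    if tag == "O4":
        m = _RUN.match(body)
        if m:
            cmd = m.group(1)
            if re.search(r"\\Local Settings\\Temp\\", cmd, re.IGNORECASE):
                # Autorun from a temp folder: a common fake-AV pattern (assumed rule).
                return Finding(tag, "medium", "autorun-from-temp", line)
            if not _ABS_PATH.match(cmd):
                # Bare filename resolved via the search path. Hardware vendors do
                # this too (RTHDCPL, NVIDIA), so it is only a low-priority flag.
                return Finding(tag, "low", "autorun-relative-path", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run check_line over every line of a HijackThis log."""
    return [f for f in (check_line(ln) for ln in log_text.splitlines()) if f]


def summarize(findings: List[Finding]) -> dict:
    """Count findings per severity, e.g. {'info': 2, 'low': 4, 'medium': 1}."""
    counts: dict = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.section:>3} {f.reason:26} {f.line}")
    print(summarize(results))
```

On the sample above the pass reports seven findings: the two mscoree.dll entries as informational, the two "(no file)" CLSIDs and the two bare-filename Run entries as low, and the WPEServ service with no publisher as medium. Nothing here decides whether a flagged entry is malicious; it only orders the manual review, which is what a helper does with these logs.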


#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:03:00 AM

Posted 13 January 2012 - 03:06 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.
If you are unable to create a log because your computer cannot start up successfully, please provide detailed information about the Windows version you are using: what we in particular need to know is the version, the edition and whether it is a 32-bit or a 64-bit system.
If you are unsure about any of these characteristics, just let us know and we'll help you figure it out. Please also tell us if you have your Windows CD/DVD handy.


Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • In the custom scan box paste the following:
    msconfig
    safebootminimal
    activex
    drivers32
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    wininit.exe
    hlp.dat
    /md5stop
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt<--Will be minimized

In the upper right hand corner of the topic you will see a button called Watch Topic. I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic, which facilitates the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti


#3 villandra

villandra
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:07:00 PM

Posted 14 January 2012 - 12:46 PM

I am running Windows XP Pro, 32 whatevers.

I looked through the Extras log, and see some registry entries that I wonder if they should be changed or removed.

Microsoft Security Essentials WAS a communication error, and has been uninstalled. It couldn't even communicate with my system.

In addition to the reports you asked for, I have these registry entries that I want to know whether I should or can remove, especially as at the moment Malwarebytes Anti-Malware is uninstalled and their clean program has been run.

The specific problem that I am having is that I can't install Malwarebytes Anti-Malware. The files appear to install in the folder that is created for them, and the program often tries to open and disappears or else asks if I want to update my definitions and then disappears. The MBAMService service does not appear in my services.msc list or my msconfig services list after installing the program and rebooting. The service not only does not run, it does not install.

A week ago I suffered a fake antivirus infection. No exe file would run, I couldn't connect to the Internet, and shortcuts didn't work. All of this has been repaired for the most part. I manually removed most of the infected files. Vipre, the antivirus program that I was running at the time - and have pretty well given up on because it's clearly worthless - found just one of a scadzillion files associated with this virus and one registry entry - and deleted one of its own drivers, causing system errors on startup. Vipre support suggested reinstalling it and that fixed that.

I have been able to install and run three other antivirus programs with no trouble - complete with their services.

I want to know if any of these registry entries are specifically blocking the MBAMService service from installing or running.

Just so you know, I will NOT be running ComboFix under any circumstances, but can make registry edits with guidance.
HKEY_LOCAL_MACHINE
System
Control Set 002 (after folder for Control Set 001 w/ + in front of it)
Enum
Root

LEGACY_MBAMCHAMELEON Default REG_SZ (value not set)
NextInstance REG_DWORD 0x00000001 (1)

0000 (Default) REG_SZ (value not set)
Class " LegacyDriver
ClassGUID " {BECCO55D-047F-11D1-AS37-0000F8753ED1}
ConfigFlags REG_DWORD 0x00000000 (0)
Device Desc REG_SZ mbamchameleon
Legacy REG_DWORD 0x00000001 (1)
Service REG_SZ mbamchameleon


LEGACY_MBAMPROTECTOR {Default} REG_SZ (value not set)
NextInstance REG_DWORD 0x00000001(1)

0000 - values the same as above except MBAMProtector instead of mbamchamelon

LEGACY_MBAMSERVICE same values as above.

0000 same values as above except MBAMService

LEGACY_MBAMSWISSARMY same values as above. 0x00000001 (1)





ControlSet003 - the same entries.

CurrentControlSet the same entries.



HKEY_USERS
5-1-5-21-4 long series numbers and dashes
Software
Microsoft
Windows
Current Version
Applets
Regedit
{Default} REG_SZ (value not set)
FindFlags REG_DWORD 0x0000000e (14)
LastKey REG_SZ My computer]HKEY_LOCALMACHINE]SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\MBAMShExt
View REG_BINARY 2c long strings of numbers. /f, ae, et.

HKEY_CURRENT_USER
everything above except the line 5-1-5-21 etc.

----------------------------------------

There was also this value, which I removed; it refers to a file that is no longer in E:\Program Files.

HKEY_CURRENT_USER
Software
Microsoft
Windows
ShellNoRoam/ MUI Cache
E:\Program Files\ REG_SZ Malwarebytes Anti-Malware

-------------------------------------------------------------------------------------------------------------
***************************************************************************************************************

OTL logfile created on: 1/14/2012 11:23:59 AM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = H:\Fix programs
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.98 Gb Total Physical Memory | 1.03 Gb Available Physical Memory | 51.84% Memory free
3.83 Gb Paging File | 3.14 Gb Available in Paging File | 81.80% Paging File free
Paging file location(s): E:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = E: | %SystemRoot% = E:\WINDOWS | %ProgramFiles% = E:\Program Files
Drive E: | 39.06 Gb Total Space | 18.17 Gb Free Space | 46.51% Space Free | Partition Type: NTFS
Drive F: | 259.02 Gb Total Space | 225.41 Gb Free Space | 87.02% Space Free | Partition Type: NTFS
Drive H: | 74.53 Gb Total Space | 18.88 Gb Free Space | 25.33% Space Free | Partition Type: NTFS

Computer Name: DORA | User Name: Dora Smith | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/01/14 11:21:44 | 000,584,192 | ---- | M] (OldTimer Tools) -- H:\Fix programs\OTL.exe
PRC - [2011/11/28 12:01:24 | 003,744,552 | ---- | M] (AVAST Software) -- E:\Program Files\AVAST Software\Avast\AvastUI.exe
PRC - [2011/11/28 12:01:23 | 000,044,768 | ---- | M] (AVAST Software) -- E:\Program Files\AVAST Software\Avast\AvastSvc.exe
PRC - [2011/11/01 00:41:00 | 000,173,424 | ---- | M] (GFI Software) -- E:\Program Files\GFI Software\VIPRE\SBPIMSvc.exe
PRC - [2011/08/10 14:52:54 | 000,138,760 | R--- | M] (Symantec Corporation) -- E:\Program Files\Norton Safe Web Lite\Engine\2.0.0.16\ccSvcHst.exe
PRC - [2011/08/03 05:49:00 | 002,255,464 | ---- | M] (NVIDIA Corporation) -- E:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
PRC - [2010/10/05 20:04:12 | 002,655,768 | ---- | M] (Intel Corporation) -- E:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe
PRC - [2010/10/05 20:04:08 | 000,325,656 | ---- | M] (Intel Corporation) -- E:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
PRC - [2010/08/22 13:49:10 | 012,317,016 | ---- | M] (Microsoft Corporation) -- F:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
PRC - [2010/07/26 23:01:58 | 003,474,848 | ---- | M] (Webshots.com) -- E:\Program Files\Webshots\3.1.5.7619\Webshots.scr
PRC - [2010/06/29 07:04:18 | 000,020,480 | ---- | M] (AG Interactive) -- E:\Program Files\AGI\core\4.2.0.10754\AGCoreService.exe
PRC - [2010/06/23 16:17:12 | 000,196,440 | ---- | M] (Microsoft Corporation) -- F:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
PRC - [2010/04/22 14:05:26 | 001,011,712 | ---- | M] (Gigabyte Technology CO., LTD.) -- E:\Program Files\Gigabyte\SMART6\timelock\AlarmClock.exe
PRC - [2009/10/13 15:39:46 | 000,114,688 | ---- | M] (Gigabyte Technology CO., LTD.) -- E:\Program Files\Gigabyte\SMART6\timelock\TimeMgmtDaemon.exe
PRC - [2008/04/14 04:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- E:\WINDOWS\explorer.exe
PRC - [2005/12/16 16:10:08 | 000,577,536 | ---- | M] () -- E:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe
PRC - [2005/12/16 16:09:58 | 000,194,048 | ---- | M] () -- E:\Program Files\iolo\System Mechanic 6\IoloSGCtrl.exe
PRC - [2005/12/16 16:09:56 | 000,241,152 | ---- | M] () -- E:\Program Files\iolo\System Mechanic 6\SystemGuardAlerter.exe
PRC - [2005/09/09 02:24:30 | 000,102,400 | ---- | M] () -- F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
PRC - [2005/02/15 15:10:16 | 000,057,344 | ---- | M] (Creative Technology Ltd) -- E:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
PRC - [2004/09/29 11:14:36 | 000,069,632 | ---- | M] (HP) -- E:\WINDOWS\system32\HPZipm12.exe


========== Modules (No Company Name) ==========

MOD - [2012/01/14 09:46:22 | 001,678,336 | ---- | M] () -- E:\Program Files\AVAST Software\Avast\defs\12011401\algo.dll
MOD - [2011/11/28 08:00:24 | 001,619,456 | ---- | M] () -- E:\Program Files\AVAST Software\Avast\defs\11112801\algo.dll
MOD - [2011/11/28 05:19:40 | 000,241,528 | ---- | M] () -- E:\Program Files\AVAST Software\Avast\defs\11112801\aswRep.dll
MOD - [2011/09/09 17:05:37 | 000,212,992 | ---- | M] () -- E:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\70a1400affdc775d7c7398e036359286\System.ServiceProcess.ni.dll
MOD - [2011/09/09 17:05:33 | 000,141,312 | ---- | M] () -- E:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuratio#\585e68739b2a8aff61ee6b2786513245\System.Configuration.Install.ni.dll
MOD - [2011/09/09 17:05:32 | 000,627,712 | ---- | M] () -- E:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\75f452279422a7898e840ee5768c9d2e\System.EnterpriseServices.ni.dll
MOD - [2011/09/09 17:04:59 | 000,971,264 | ---- | M] () -- E:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\77df2cd21a5b85a1605b335aa9ad9d44\System.Configuration.ni.dll
MOD - [2011/09/09 15:24:37 | 005,450,752 | ---- | M] () -- E:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\10154dcad2d62f226af2fd4211460a4b\System.Xml.ni.dll
MOD - [2011/09/09 15:23:54 | 007,950,848 | ---- | M] () -- E:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\e6c79e1d71b0c9000afd7e5e439b5c54\System.ni.dll
MOD - [2011/09/09 15:23:49 | 011,490,816 | ---- | M] () -- E:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\0309936a8e1672d39b9cf14463ce69f9\mscorlib.ni.dll
MOD - [2011/02/28 16:37:32 | 000,180,624 | ---- | M] () -- E:\WINDOWS\system32\Primomonnt.dll
MOD - [2009/08/05 09:45:04 | 000,106,312 | ---- | M] () -- F:\Program Files\Microsoft Office\OFFICE11\OUTLCTL.DLL
MOD - [2007/08/21 12:32:44 | 000,098,304 | ---- | M] () -- E:\WINDOWS\system32\redmonnt.dll
MOD - [2005/12/22 17:28:40 | 000,160,768 | ---- | M] () -- E:\Program Files\GFI Software\VIPRE\unrar.dll
MOD - [2005/12/16 16:10:08 | 000,577,536 | ---- | M] () -- E:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe
MOD - [2005/12/16 16:09:58 | 000,194,048 | ---- | M] () -- E:\Program Files\iolo\System Mechanic 6\IoloSGCtrl.exe
MOD - [2005/12/16 16:09:56 | 000,241,152 | ---- | M] () -- E:\Program Files\iolo\System Mechanic 6\SystemGuardAlerter.exe
MOD - [2005/09/09 02:24:30 | 000,102,400 | ---- | M] () -- F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
MOD - [2005/05/02 21:38:42 | 000,064,512 | R--- | M] () -- E:\WINDOWS\system32\P17.dll
MOD - [2003/07/03 11:08:18 | 000,045,056 | ---- | M] () -- E:\WINDOWS\system32\spool\prtprocs\w32x86\wpeproc.dll


========== Win32 Services (SafeList) ==========

SRV - [2011/11/28 12:01:23 | 000,044,768 | ---- | M] (AVAST Software) [Auto | Running] -- E:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV - [2011/11/01 00:41:20 | 003,287,472 | ---- | M] (GFI Software) [Auto | Stopped] -- E:\Program Files\GFI Software\VIPRE\SBAMSvc.exe -- (SBAMSvc)
SRV - [2011/11/01 00:41:00 | 000,173,424 | ---- | M] (GFI Software) [Auto | Running] -- E:\Program Files\GFI Software\VIPRE\SBPIMSvc.exe -- (SBPIMSvc)
SRV - [2011/08/10 14:52:54 | 000,138,760 | R--- | M] (Symantec Corporation) [Unknown | Running] -- E:\Program Files\Norton Safe Web Lite\Engine\2.0.0.16\ccSvcHst.exe -- (NSL)
SRV - [2011/08/03 05:49:00 | 002,255,464 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- E:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe -- (nvUpdatusService)
SRV - [2010/10/05 20:04:12 | 002,655,768 | ---- | M] (Intel Corporation) [Auto | Running] -- E:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe -- (UNS) Intel®
SRV - [2010/10/05 20:04:08 | 000,325,656 | ---- | M] (Intel Corporation) [Auto | Running] -- E:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe -- (LMS) Intel®
SRV - [2010/06/29 07:04:18 | 000,020,480 | ---- | M] (AG Interactive) [Auto | Running] -- E:\Program Files\AGI\core\4.2.0.10754\AGCoreService.exe -- (AGCoreService)
SRV - [2010/04/06 15:30:38 | 000,031,272 | ---- | M] () [Disabled | Stopped] -- E:\WINDOWS\system32\AppleChargerSrv.exe -- (AppleChargerSrv)
SRV - [2010/03/18 10:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) [Disabled | Stopped] -- E:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
SRV - [2009/10/13 15:39:46 | 000,114,688 | ---- | M] (Gigabyte Technology CO., LTD.) [Auto | Running] -- E:\Program Files\Gigabyte\SMART6\timelock\TimeMgmtDaemon.exe -- (Smart TimeLock)
SRV - [2009/09/03 00:09:42 | 000,024,576 | ---- | M] (Intuit) [Disabled | Stopped] -- e:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
SRV - [2009/07/23 20:10:38 | 000,061,440 | ---- | M] (Intuit Inc.) [Disabled | Stopped] -- e:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)
SRV - [2005/12/16 16:09:58 | 000,194,048 | ---- | M] () [Auto | Running] -- E:\Program Files\iolo\System Mechanic 6\IoloSGCtrl.exe -- (IOLO_SRV)
SRV - [2005/09/09 02:24:30 | 000,102,400 | ---- | M] () [Auto | Running] -- F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor4.0)
SRV - [2004/09/29 11:14:36 | 000,069,632 | ---- | M] (HP) [Auto | Running] -- E:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)
SRV - [2004/02/11 15:33:58 | 000,065,536 | ---- | M] () [On_Demand | Stopped] -- E:\Program Files\Common Files\WPE\wpeserv.exe -- (WPEServ)


========== Driver Services (SafeList) ==========

DRV - [2011/11/28 11:53:53 | 000,435,032 | ---- | M] (AVAST Software) [File_System | System | Stopped] -- E:\WINDOWS\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2011/11/28 11:53:35 | 000,314,456 | ---- | M] (AVAST Software) [Kernel | System | Running] -- E:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2011/11/28 11:52:19 | 000,034,392 | ---- | M] (AVAST Software) [Kernel | System | Running] -- E:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2011/11/28 11:52:16 | 000,052,952 | ---- | M] (AVAST Software) [Kernel | System | Running] -- E:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2011/11/28 11:52:02 | 000,111,320 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- E:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2011/11/28 11:51:50 | 000,020,568 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- E:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2011/11/28 11:48:49 | 000,030,808 | ---- | M] (AVAST Software) [Kernel | System | Running] -- E:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2011/11/01 00:08:12 | 000,217,976 | ---- | M] (GFI Software) [Kernel | System | Running] -- E:\WINDOWS\system32\drivers\sbtis.sys -- (sbtis)
DRV - [2011/10/26 15:40:02 | 000,101,112 | ---- | M] (GFI Software) [Kernel | System | Stopped] -- E:\WINDOWS\system32\drivers\SBREDrv.sys -- (SBRE)
DRV - [2011/09/09 10:10:40 | 000,077,816 | ---- | M] (GFI Software) [File_System | Auto | Running] -- E:\WINDOWS\system32\drivers\sbapifs.sys -- (sbapifs)
DRV - [2011/09/09 10:10:40 | 000,021,240 | ---- | M] (GFI Software) [Kernel | System | Running] -- E:\WINDOWS\system32\drivers\sbaphd.sys -- (sbaphd)
DRV - [2011/09/08 20:18:53 | 000,024,944 | ---- | M] () [Kernel | On_Demand | Stopped] -- E:\WINDOWS\system32\drivers\GVTDrv.sys -- (GVTDrv)
DRV - [2011/09/08 20:18:47 | 000,017,488 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | On_Demand | Stopped] -- E:\WINDOWS\gdrv.sys -- (gdrv)
DRV - [2011/08/09 16:33:58 | 000,003,840 | ---- | M] () [Kernel | System | Running] -- E:\WINDOWS\System32\Drivers\BANTExt.sys -- (BANTExt)
DRV - [2011/08/08 17:38:11 | 000,132,744 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- E:\WINDOWS\system32\drivers\NST\0200000.010\ccSetx86.sys -- (ccSet_NST)
DRV - [2011/07/22 10:27:02 | 000,012,880 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- E:\Documents and Settings\Dora Smith\Local Settings\Temp\SAS_SelfExtract\sasdifsv.sys -- (SASDIFSV)
DRV - [2011/07/12 15:55:22 | 000,067,664 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- E:\Documents and Settings\Dora Smith\Local Settings\Temp\SAS_SelfExtract\saskutil.sys -- (SASKUTIL)
DRV - [2011/01/14 01:06:40 | 000,277,352 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- E:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2011/01/10 17:16:16 | 000,018,544 | ---- | M] () [Kernel | System | Running] -- E:\WINDOWS\system32\drivers\AppleCharger.sys -- (AppleCharger)
DRV - [2011/01/04 05:51:14 | 006,295,656 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- E:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2010/12/30 10:54:06 | 000,034,736 | ---- | M] () [Kernel | On_Demand | Stopped] -- E:\WINDOWS\system32\drivers\RKHit.sys -- (RkHit)
DRV - [2010/12/13 21:54:12 | 000,036,384 | R--- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- E:\WINDOWS\system32\drivers\RTLTEAMING.SYS -- (RTLTEAMING)
DRV - [2010/12/13 21:54:12 | 000,022,016 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | Auto | Running] -- E:\WINDOWS\system32\drivers\RtNdPt5x.sys -- (RtNdPt5x)
DRV - [2010/12/13 21:54:12 | 000,017,536 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Stopped] -- E:\WINDOWS\system32\drivers\RTLVLAN.SYS -- (RTLVLAN)
DRV - [2010/09/21 08:59:02 | 000,041,088 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- E:\WINDOWS\system32\drivers\HECI.sys -- (MEI) Intel®
DRV - [2009/11/17 17:17:00 | 001,395,800 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- E:\WINDOWS\system32\drivers\Monfilt.sys -- (Monfilt)
DRV - [2009/11/17 17:16:00 | 001,691,480 | ---- | M] (Creative) [Kernel | On_Demand | Stopped] -- E:\WINDOWS\system32\drivers\Ambfilt.sys -- (Ambfilt)
DRV - [2005/07/06 18:14:30 | 001,389,056 | R--- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- E:\WINDOWS\system32\drivers\P17.sys -- (P17)
DRV - [2005/01/09 20:15:30 | 000,106,496 | R--- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- E:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv)
DRV - [2005/01/09 20:15:24 | 000,138,752 | R--- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- E:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-484763869-1844823847-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [Binary data over 100 bytes]
IE - HKU\S-1-5-21-484763869-1844823847-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-484763869-1844823847-839522115-1003\..\URLSearchHook: - No CLSID value found
IE - HKU\S-1-5-21-484763869-1844823847-839522115-1003\..\URLSearchHook: {f78bf7a8-cf12-4de7-a6da-c463d1b539a7} - No CLSID value found
IE - HKU\S-1-5-21-484763869-1844823847-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-484763869-1844823847-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local


========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com/ig"


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: E:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: E:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf: F:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: E:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: E:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: E:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: E:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: E:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: E:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: E:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@nsroblox.roblox.com/launcher: E:\Documents and Settings\Dora Smith\Local Settings\Application Data\RobloxVersions\version-09a201d8e5f247c7\\NPRobloxProxy.dll ()

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{203FB6B2-2E1E-4474-863B-4C483ECCE78E}: E:\Documents and Settings\All Users\Application Data\Norton\{92622AAD-05E8-4459-B256-765CE1E929FB}\NST_2.0.0.16\coFFNST\ [2012/01/14 08:37:27 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0\extensions\\Components: E:\Program Files\Mozilla Firefox\components [2011/11/10 22:05:35 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0\extensions\\Plugins: E:\Program Files\Mozilla Firefox\plugins [2012/01/07 17:17:37 | 000,000,000 | ---D | M]

[2011/09/23 17:37:14 | 000,000,000 | ---D | M] (No name found) -- E:\Documents and Settings\Dora Smith\Application Data\Mozilla\Extensions
[2011/09/26 09:09:58 | 000,000,000 | ---D | M] (No name found) -- E:\Documents and Settings\Dora Smith\Application Data\Mozilla\Firefox\Profiles\8d477zmb.default\extensions
[2011/09/11 19:42:54 | 000,000,000 | ---D | M] (No name found) -- E:\Program Files\Mozilla Firefox\extensions
[2011/09/11 19:42:54 | 000,000,000 | ---D | M] (Java Console) -- E:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}
() (No name found) -- E:\DOCUMENTS AND SETTINGS\DORA SMITH\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\8D477ZMB.DEFAULT\EXTENSIONS\{C07D1A49-9894-49FF-A594-38960EDE8FB9}.XPI
[2011/09/11 19:42:49 | 000,000,000 | ---D | M] (Java Quick Starter) -- E:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/09/08 15:21:56 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- E:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION
[2011/11/10 22:05:34 | 000,134,104 | ---- | M] (Mozilla Foundation) -- E:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/03/18 12:32:12 | 000,091,552 | ---- | M] (Coupons, Inc.) -- E:\Program Files\mozilla firefox\plugins\npCouponPrinter.dll
[2011/09/11 19:42:49 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- E:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2011/03/18 12:32:14 | 000,091,552 | ---- | M] (Coupons, Inc.) -- E:\Program Files\mozilla firefox\plugins\npMozCouponPrinter.dll
[2010/05/25 10:09:48 | 000,063,488 | ---- | M] (Nullsoft, Inc.) -- E:\Program Files\mozilla firefox\plugins\npwachk.dll
[2011/10/01 07:19:09 | 000,002,252 | ---- | M] () -- E:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011/01/20 15:10:26 | 000,002,242 | ---- | M] () -- E:\Program Files\mozilla firefox\searchplugins\mystarttb.xml
[2011/11/10 22:05:34 | 000,002,040 | ---- | M] () -- E:\Program Files\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Shockwave Flash (Enabled) = E:\Program Files\Google\Chrome\Application\15.0.874.121\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = E:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: QuickTime Plug-in 7.7 (Enabled) = E:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.7 (Enabled) = E:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.7 (Enabled) = E:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.7 (Enabled) = E:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.7 (Enabled) = E:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.7 (Enabled) = E:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.7 (Enabled) = E:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
CHR - plugin: Silverlight Plug-In (Enabled) = E:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll
CHR - plugin: Microsoft\u00AE Windows Media Player Firefox Plugin (Enabled) = E:\Documents and Settings\Dora Smith\Application Data\Mozilla\plugins\np-mswmp.dll
CHR - plugin: Microsoft Office 2003 (Enabled) = E:\Program Files\Mozilla Firefox\plugins\NPOFFICE.DLL
CHR - plugin: Chrome NaCl (Enabled) = E:\Program Files\Google\Chrome\Application\15.0.874.121\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = E:\Program Files\Google\Chrome\Application\15.0.874.121\pdf.dll
CHR - plugin: Winamp Application Detector (Enabled) = E:\Program Files\Mozilla Firefox\plugins\npwachk.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = E:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = E:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Google Update (Enabled) = E:\Program Files\Google\Update\1.3.21.65\npGoogleUpdate3.dll
CHR - plugin: iTunes Application Detector (Enabled) = E:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = E:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - plugin: Foxit Reader Plugin for Mozilla (Enabled) = F:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: Angry Birds = E:\Documents and Settings\Dora Smith\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aknpkdffaafgjchaibgeefbgmgeghloj\1.1.2.1_0\
CHR - Extension: Angry Birds = E:\Documents and Settings\Dora Smith\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aknpkdffaafgjchaibgeefbgmgeghloj\1.1.2_0\
CHR - Extension: Cloud Reader = E:\Documents and Settings\Dora Smith\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\icdipabjmbhpdkjaihfjoikhjjeneebd\1.0.0.0_0\

Hosts file not found
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - E:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - E:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll (Google Inc.)
O2 - BHO: (Norton Safe Web Lite BHO) - {F0DA78E9-6B60-42fb-BC26-EF2CFB8C8FF3} - E:\Program Files\Norton Safe Web Lite\Engine\2.0.0.16\CoIEPlg.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (Norton Safe Web Lite) - {30CEEEA2-3742-40e4-85DD-812BF1CBB83D} - E:\Program Files\Norton Safe Web Lite\Engine\2.0.0.16\CoIEPlg.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - E:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (no name) - {ccb24e92-62c4-4c53-95d2-65f9eed476bc} - No CLSID value found.
O3 - HKU\S-1-5-21-484763869-1844823847-839522115-1003\..\Toolbar\WebBrowser: (Norton Safe Web Lite) - {30CEEEA2-3742-40E4-85DD-812BF1CBB83D} - E:\Program Files\Norton Safe Web Lite\Engine\2.0.0.16\CoIEPlg.dll (Symantec Corporation)
O4 - HKLM..\Run: [APSDaemon] E:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [ArcSoft Connection Service] E:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)
O4 - HKLM..\Run: [avast] E:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [CTSysVol] E:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [Intuit SyncManager] e:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe (Intuit Inc. All rights reserved.)
O4 - HKLM..\Run: [NvCplDaemon] E:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] E:\WINDOWS\System32\nvmctray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] E:\Program Files\NVIDIA Corporation\nView\nwiz.exe ()
O4 - HKLM..\Run: [P17Helper] E:\WINDOWS\System32\P17.dll ()
O4 - HKLM..\Run: [RegistryMechanic] File not found
O4 - HKLM..\Run: [SBAMTray] E:\Program Files\GFI Software\VIPRE\SBAMTray.exe (GFI Software)
O4 - HKLM..\Run: [SystemGuardAlerter] E:\Program Files\iolo\System Mechanic 6\SystemGuardAlerter.exe ()
O4 - HKLM..\Run: [UpdReg] E:\WINDOWS\Updreg.EXE (Creative Technology Ltd.)
O4 - HKU\S-1-5-21-484763869-1844823847-839522115-1003..\Run: [SMSystemAnalyzer] E:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe ()
O4 - Startup: E:\Documents and Settings\Dora Smith\Start Menu\Programs\Startup\Webshots.lnk = E:\Program Files\Webshots\3.1.5.7619\Launcher.exe (Webshots.com)
O4 - Startup: E:\Documents and Settings\UpdatusUser\Start Menu\Programs\Startup\Webshots.lnk = E:\Program Files\Webshots\3.1.5.7619\Launcher.exe (Webshots.com)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-484763869-1844823847-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-484763869-1844823847-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - F:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - E:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - E:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - E:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - E:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - E:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - E:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - E:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - E:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - E:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - E:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - E:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - E:\Program Files\Bonjour\mdnsNSP.dll File not found
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab (Java Plug-in 1.6.0_27)
O16 - DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab (Java Plug-in 1.6.0_27)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab (Java Plug-in 1.6.0_27)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.15.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{3343C4E3-AED4-43A9-BE86-1294DCA09555}: DhcpNameServer = 192.168.15.1
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - E:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O18 - Protocol\Handler\intu-help-qb3 {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - F:\Program Files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -E:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (E:\WINDOWS\system32\userinit.exe) -E:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: E:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: E:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{542d72e9-fb1f-11e0-96be-1c6f65de68a3}\Shell - "" = AutoRun
O33 - MountPoints2\{542d72e9-fb1f-11e0-96be-1c6f65de68a3}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{542d72e9-fb1f-11e0-96be-1c6f65de68a3}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -a
O33 - MountPoints2\G\Shell - "" = AutoRun
O33 - MountPoints2\G\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\G\Shell\AutoRun\command - "" = G:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (aswBoot.exe /A:"*" /L:"1033" /heur:80 /RA:ask /pup /archives /IA:0 /KBD:2 /dir:"E:\Program Files\AVAST Software\Avast")
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

MsConfig - Services: "QBFCService"
MsConfig - Services: "QBCFMonitorService"
MsConfig - Services: "mnmsrvc"
MsConfig - Services: "iPod Service"
MsConfig - Services: "Fax"
MsConfig - Services: "Apple Mobile Device"
MsConfig - Services: "ACDaemon"
MsConfig - StartUpFolder: E:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk - E:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe - (Intuit Inc.)
MsConfig - StartUpReg: Adobe Photo Downloader - hkey= - key= - F:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe (Adobe Systems Incorporated)
MsConfig - StartUpReg: Aim - hkey= - key= - E:\Program Files\AIM\aim.exe (AOL Inc.)
MsConfig - StartUpReg: Anti-phishing Domain Advisor - hkey= - key= - File not found
MsConfig - StartUpReg: DW6 - hkey= - key= - E:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe (The Weather Channel Interactive, Inc.)
MsConfig - StartUpReg: HP Software Update - hkey= - key= - F:\Program Files\HP\HP Software Update\HPWuSchd2.exe (Hewlett-Packard Company)
MsConfig - StartUpReg: iTunesHelper - hkey= - key= - E:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
MsConfig - StartUpReg: Messenger (Yahoo!) - hkey= - key= - F:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
MsConfig - StartUpReg: MSMSGS - hkey= - key= - E:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
MsConfig - StartUpReg: pcsafedoctor.exe - hkey= - key= - E:\Program Files\PCSafeDoctor\pcsafedoctor.exe ()
MsConfig - StartUpReg: QuickTime Task - hkey= - key= - E:\Program Files\QuickTime\qttask.exe (Apple Inc.)
MsConfig - StartUpReg: RemoteControl - hkey= - key= - F:\Program Files\CyberLink\PowerDVD\PDVDServ.exe (Cyberlink Corp.)
MsConfig - StartUpReg: SunJavaUpdateSched - hkey= - key= - E:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
MsConfig - StartUpReg: swg - hkey= - key= - E:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "services" - 2
MsConfig - State: "startup" - 2

SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SBAMSvc - E:\Program Files\GFI Software\VIPRE\SBAMSvc.exe (GFI Software)
SafeBootMin: SBPIMSvc - E:\Program Files\GFI Software\VIPRE\SBPIMSvc.exe (GFI Software)
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vds - Service
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {2F6EFCE6-10DF-49F9-9E64-9AE3775B2588} - Microsoft .NET Framework 1.1 Security Update (KB2416447)
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection E:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA851-CC51-11CF-AAFA-00AA00B6015C} - rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\wpie4x86.inf,PerUserStub
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015C} - Microsoft DirectX
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.8
ActiveX: {5056b317-8d4c-43ee-8543-b9d1e234b8f4} - Security Update for Windows XP (KB923789)
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection E:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - E:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - E:\WINDOWS\system32\Rundll32.exe E:\WINDOWS\system32\mscories.dll,Install
ActiveX: {8b15971b-5355-4c82-8c07-7e181ea07608} - rundll32.exe advpack.dll,LaunchINFSection E:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {94de52c8-2d59-4f1b-883e-79663d2d9a8c} - Fax Provider
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Macromedia Shockwave Flash
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - Reg Error: Value error.
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - E:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - E:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - E:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "E:\WINDOWS\system32\rundll32.exe" "E:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Drivers32: msacm.iac2 - E:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - E:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - E:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - E:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: msacm.vorbis - E:\WINDOWS\System32\vorbis.acm (HMS http://hp.vector.co.jp/authors/VA012897/)
Drivers32: vidc.cvid - E:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - E:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - E:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - E:\WINDOWS\System32\ir41_32.ax ()
Drivers32: vidc.iv50 - E:\WINDOWS\System32\ir50_32.dll ()
Drivers32: vidc.LEAD - LCODCCMP.DLL File not found
Drivers32: vidc.XVID - E:\WINDOWS\System32\xvidvfw.dll ()

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

========== Files/Folders - Created Within 30 Days ==========

[2012/01/14 09:18:42 | 000,000,000 | ---D | C] -- E:\Documents and Settings\All Users\Start Menu\Programs\avast! Pro Antivirus
[2012/01/14 09:18:41 | 000,314,456 | ---- | C] (AVAST Software) -- E:\WINDOWS\System32\drivers\aswSP.sys
[2012/01/14 09:18:41 | 000,020,568 | ---- | C] (AVAST Software) -- E:\WINDOWS\System32\drivers\aswFsBlk.sys
[2012/01/14 09:18:40 | 000,052,952 | ---- | C] (AVAST Software) -- E:\WINDOWS\System32\drivers\aswTdi.sys
[2012/01/14 09:18:40 | 000,034,392 | ---- | C] (AVAST Software) -- E:\WINDOWS\System32\drivers\aswRdr.sys
[2012/01/14 09:18:39 | 000,435,032 | ---- | C] (AVAST Software) -- E:\WINDOWS\System32\drivers\aswSnx.sys
[2012/01/14 09:18:39 | 000,111,320 | ---- | C] (AVAST Software) -- E:\WINDOWS\System32\drivers\aswmon2.sys
[2012/01/14 09:18:39 | 000,105,176 | ---- | C] (AVAST Software) -- E:\WINDOWS\System32\drivers\aswmon.sys
[2012/01/14 09:18:38 | 000,030,808 | ---- | C] (AVAST Software) -- E:\WINDOWS\System32\drivers\aavmker4.sys
[2012/01/14 09:18:22 | 000,199,816 | ---- | C] (AVAST Software) -- E:\WINDOWS\System32\aswBoot.exe
[2012/01/14 09:18:22 | 000,041,184 | ---- | C] (AVAST Software) -- E:\WINDOWS\avastSS.scr
[2012/01/14 09:18:13 | 000,000,000 | ---D | C] -- E:\Program Files\AVAST Software
[2012/01/14 09:18:13 | 000,000,000 | ---D | C] -- E:\Documents and Settings\All Users\Application Data\AVAST Software
[2012/01/14 08:13:42 | 000,000,000 | RHSD | C] -- E:\cmdcons
[2012/01/14 08:13:41 | 000,000,000 | ---D | C] -- E:\WINDOWS\setup.pss
[2012/01/14 08:13:30 | 000,000,000 | ---D | C] -- E:\WINDOWS\setupupd
[2012/01/14 08:09:55 | 000,000,000 | ---D | C] -- E:\REGBACK
[2012/01/14 08:04:10 | 000,000,000 | ---D | C] -- E:\Documents and Settings\All Users\Start Menu\Programs\System Mechanic 6
[2012/01/14 08:03:27 | 000,000,000 | ---D | C] -- E:\Program Files\iolo
[2012/01/14 07:58:52 | 000,024,576 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\STKIT432.DLL
[2012/01/14 07:58:51 | 000,000,000 | ---D | C] -- E:\Documents and Settings\All Users\Start Menu\Programs\Registry Mechanic
[2012/01/14 07:58:49 | 000,000,000 | ---D | C] -- E:\Program Files\Registry Mechanic
[2012/01/14 07:52:39 | 000,000,000 | -H-D | C] -- E:\WINDOWS\System32\GroupPolicy
[2012/01/12 20:56:41 | 000,077,816 | ---- | C] (GFI Software) -- E:\WINDOWS\System32\drivers\sbapifs.sys
[2012/01/12 20:56:41 | 000,021,240 | ---- | C] (GFI Software) -- E:\WINDOWS\System32\drivers\sbaphd.sys
[2012/01/12 20:56:39 | 000,000,000 | ---D | C] -- E:\Documents and Settings\All Users\Application Data\GFI Software
[2012/01/12 20:56:32 | 000,000,000 | ---D | C] -- E:\Documents and Settings\All Users\Start Menu\Programs\GFI Software
[2012/01/12 20:56:31 | 000,217,976 | ---- | C] (GFI Software) -- E:\WINDOWS\System32\drivers\sbtis.sys
[2012/01/12 20:56:27 | 000,000,000 | ---D | C] -- E:\WINDOWS\System32\drivers\VDD
[2012/01/12 20:55:21 | 000,000,000 | ---D | C] -- E:\Documents and Settings\Dora Smith\Application Data\GFI Software
[2012/01/12 20:33:11 | 000,000,000 | RH-D | C] -- E:\Documents and Settings\Dora Smith\Recent
[2012/01/10 20:55:13 | 010,847,608 | ---- | C] (Malwarebytes Corporation ) -- E:\Documents and Settings\Dora Smith\Desktop\mbam-setup-1.60.0.1800.exe
[2012/01/10 18:50:30 | 000,000,000 | ---D | C] -- F:\My Documents\Malabytes problem
[2012/01/08 19:10:54 | 000,132,744 | R--- | C] (Symantec Corporation) -- E:\WINDOWS\System32\drivers\NST\0200000.010\ccSetx86.sys
[2012/01/08 19:10:51 | 000,000,000 | ---D | C] -- E:\WINDOWS\System32\drivers\NST
[2012/01/08 19:10:51 | 000,000,000 | ---D | C] -- E:\WINDOWS\System32\drivers\NST\0200000.010
[2012/01/08 19:10:50 | 000,000,000 | ---D | C] -- E:\Program Files\Norton Safe Web Lite
[2012/01/08 19:00:18 | 000,000,000 | ---D | C] -- E:\Program Files\Common Files\Symantec Shared
[2012/01/08 19:00:15 | 000,000,000 | ---D | C] -- E:\WINDOWS\System32\drivers\NSS
[2012/01/08 19:00:15 | 000,000,000 | ---D | C] -- E:\Program Files\Norton Security Scan
[2012/01/08 19:00:15 | 000,000,000 | ---D | C] -- E:\Documents and Settings\All Users\Start Menu\Programs\Norton Security Scan
[2012/01/08 19:00:15 | 000,000,000 | ---D | C] -- E:\WINDOWS\System32\drivers\NSS\0306010.00B
[2012/01/08 19:00:14 | 000,000,000 | ---D | C] -- E:\Documents and Settings\All Users\Application Data\Norton
[2012/01/08 19:00:12 | 000,000,000 | ---D | C] -- E:\Program Files\NortonInstaller
[2012/01/08 19:00:12 | 000,000,000 | ---D | C] -- E:\Documents and Settings\All Users\Application Data\NortonInstaller
[2012/01/08 14:54:13 | 000,000,000 | -H-D | C] -- E:\WINDOWS\PIF
[2012/01/08 10:56:42 | 000,000,000 | ---D | C] -- E:\Documents and Settings\Dora Smith\Application Data\SUPERAntiSpyware.com
[2012/01/08 10:56:42 | 000,000,000 | ---D | C] -- E:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2012/01/08 07:57:25 | 000,000,000 | ---D | C] -- F:\My Documents\Visual Studio 2005
[2012/01/08 07:57:17 | 000,000,000 | ---D | C] -- E:\Documents and Settings\All Users\Start Menu\Programs\Microsoft .NET Framework SDK v2.0
[2012/01/08 07:57:15 | 000,000,000 | ---D | C] -- E:\Documents and Settings\Dora Smith\Local Settings\Application Data\Microsoft Help
[2012/01/08 07:53:10 | 000,000,000 | ---D | C] -- E:\Program Files\Microsoft Visual Studio 8
[2012/01/08 07:53:09 | 000,000,000 | ---D | C] -- E:\Documents and Settings\All Users\Application Data\Microsoft Help
[2012/01/07 22:52:02 | 000,222,080 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\MpSigStub.exe
[2012/01/07 22:39:29 | 000,000,000 | ---D | C] -- E:\Documents and Settings\All Users\Start Menu\Programs\PCSafeDoctor
[2012/01/07 22:39:24 | 000,000,000 | ---D | C] -- E:\Program Files\PCSafeDoctor
[2012/01/07 08:25:31 | 000,000,000 | -HSD | C] -- E:\WINDOWS\CSC
[2011/12/23 19:38:15 | 000,000,000 | ---D | C] -- E:\Documents and Settings\Dora Smith\Start Menu\Programs\Roblox
[2011/12/23 19:38:02 | 000,000,000 | ---D | C] -- E:\Documents and Settings\Dora Smith\Local Settings\Application Data\RobloxVersions
[2011/12/23 19:38:02 | 000,000,000 | ---D | C] -- E:\Documents and Settings\Dora Smith\Local Settings\Application Data\RobloxDownloads
[2011/12/23 19:38:01 | 000,000,000 | ---D | C] -- E:\Documents and Settings\Dora Smith\Local Settings\Application Data\Roblox
[2002/04/10 03:41:06 | 000,065,536 | R--- | C] ( ) -- E:\WINDOWS\System32\A3d.dll
[5 E:\WINDOWS\*.tmp files -> E:\WINDOWS\*.tmp -> ]
[12 F:\My Documents\*.tmp files -> F:\My Documents\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/01/14 10:55:00 | 000,000,894 | ---- | M] () -- E:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/01/14 10:16:25 | 000,000,456 | -H-- | M] () -- E:\WINDOWS\tasks\Norton Security Scan for Administrator.job
[2012/01/14 09:18:42 | 000,001,689 | ---- | M] () -- E:\Documents and Settings\All Users\Desktop\avast! Pro Antivirus.lnk
[2012/01/14 09:18:39 | 000,002,625 | ---- | M] () -- E:\WINDOWS\System32\CONFIG.NT
[2012/01/14 08:53:49 | 000,001,901 | ---- | M] () -- F:\My Documents\AVAST License key.htm
[2012/01/14 08:38:59 | 000,002,422 | ---- | M] () -- E:\WINDOWS\System32\wpa.dbl
[2012/01/14 08:38:58 | 000,000,890 | ---- | M] () -- E:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/01/14 08:37:24 | 000,002,048 | --S- | M] () -- E:\WINDOWS\bootstat.dat
[2012/01/14 08:31:22 | 000,000,450 | -H-- | M] () -- E:\WINDOWS\tasks\Norton Security Scan for Dora Smith.job
[2012/01/14 08:14:00 | 000,000,281 | RHS- | M] () -- E:\boot.ini
[2012/01/14 08:04:31 | 000,000,822 | ---- | M] () -- E:\Documents and Settings\Dora Smith\Desktop\System Mechanic 6.lnk
[2012/01/14 07:58:51 | 000,000,738 | ---- | M] () -- E:\Documents and Settings\All Users\Desktop\Registry Mechanic.lnk
[2012/01/14 07:53:03 | 000,001,945 | ---- | M] () -- E:\WINDOWS\epplauncher.mif
[2012/01/12 20:56:32 | 000,001,752 | ---- | M] () -- E:\Documents and Settings\All Users\Desktop\VIPRE.lnk
[2012/01/10 21:07:35 | 000,174,462 | ---- | M] () -- E:\Processes.pdf
[2012/01/10 21:02:48 | 000,215,882 | ---- | M] () -- E:\Services.pdf
[2012/01/10 20:55:33 | 010,847,608 | ---- | M] (Malwarebytes Corporation ) -- E:\Documents and Settings\Dora Smith\Desktop\mbam-setup-1.60.0.1800.exe
[2012/01/09 19:42:01 | 000,000,284 | ---- | M] () -- E:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2012/01/08 19:00:17 | 000,000,979 | ---- | M] () -- E:\Documents and Settings\All Users\Desktop\Norton Security Scan.lnk
[2012/01/08 18:05:29 | 000,001,840 | ---- | M] () -- F:\My Documents\Registry entries MBAM.bak
[2012/01/08 16:05:56 | 000,000,290 | ---- | M] () -- E:\Documents and Settings\Dora Smith\Desktop\possible fake av stopping install of MBAM service.url
[2012/01/08 15:47:09 | 000,000,243 | ---- | M] () -- E:\Documents and Settings\Dora Smith\Desktop\HijackThis Logs (analyze).url
[2012/01/08 10:50:08 | 000,000,350 | ---- | M] () -- E:\Documents and Settings\Dora Smith\Desktop\malwarebytes and hijackthis log interpretation - CNET Spyware, viruses, & security Forums.url
[2012/01/08 10:48:48 | 000,001,014 | ---- | M] () -- E:\Documents and Settings\Dora Smith\Desktop\Solved PC Antivirus 2010 Hijack this-malwarebytes will not run - Tech Support Guy Forums.url
[2012/01/08 10:24:03 | 000,002,925 | ---- | M] () -- F:\My Documents\MBAM post.bak
[2012/01/07 22:39:46 | 000,000,020 | ---- | M] () -- E:\WINDOWS\tpcsd
[2012/01/07 22:18:35 | 000,000,146 | ---- | M] () -- E:\Documents and Settings\Dora Smith\Desktop\MBAM reinstall.url
[2012/01/07 20:53:35 | 000,002,457 | ---- | M] () -- E:\Documents and Settings\Dora Smith\Desktop\HiJackThis.lnk
[2012/01/07 19:25:25 | 082,959,168 | ---- | M] () -- E:\RegBack.reg
[2012/01/07 08:15:40 | 000,013,520 | -HS- | M] () -- E:\Documents and Settings\All Users\Application Data\01w18tx807njcym21n2ma4y8nio6g0jckwtt8f1i0l341
[2012/01/07 07:08:13 | 000,013,630 | -HS- | M] () -- E:\Documents and Settings\Dora Smith\Local Settings\Application Data\01w18tx807njcym21n2ma4y8nio6g0jckwtt8f1i0l341
[2012/01/04 22:57:34 | 000,000,267 | ---- | M] () -- E:\Documents and Settings\Dora Smith\Desktop\The Hobbit An Unexpected Journey - Movie Trailers - iTunes.url
[2012/01/04 22:29:01 | 000,280,276 | ---- | M] () -- E:\WINDOWS\System32\nvdrsdb1.bin
[2012/01/04 22:29:01 | 000,000,001 | ---- | M] () -- E:\WINDOWS\System32\nvdrssel.bin
[2012/01/01 21:42:40 | 000,000,715 | ---- | M] () -- E:\Documents and Settings\Dora Smith\Desktop\Free Topo Maps - MyTopo-Maptech MapServer.url
[2011/12/31 17:57:03 | 000,000,354 | ---- | M] () -- E:\Documents and Settings\Dora Smith\Desktop\McKinstry Web Site.url
[2011/12/30 20:41:14 | 000,000,446 | ---- | M] () -- E:\WINDOWS\tasks\EasyShare Registration Task.job
[2011/12/29 21:58:47 | 000,010,003 | ---- | M] () -- F:\My Documents\SOPA2.bak
[2011/12/26 23:37:27 | 000,010,631 | ---- | M] () -- F:\My Documents\SOPA.bak
[2011/12/24 13:12:54 | 000,000,848 | -HS- | M] () -- E:\WINDOWS\System32\KGyGaAvL.sys
[2011/12/24 11:55:41 | 000,000,664 | ---- | M] () -- E:\WINDOWS\System32\d3d9caps.dat
[2011/12/23 19:38:15 | 000,001,139 | ---- | M] () -- E:\Documents and Settings\Dora Smith\Desktop\Play Roblox.lnk
[2011/12/18 21:40:11 | 000,000,481 | ---- | M] () -- E:\Documents and Settings\Dora Smith\Desktop\Directory listing for http--freepages.genealogy.rootsweb.com-~villandra-.url
[5 E:\WINDOWS\*.tmp files -> E:\WINDOWS\*.tmp -> ]
[12 F:\My Documents\*.tmp files -> F:\My Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/01/14 09:18:42 | 000,001,689 | ---- | C] () -- E:\Documents and Settings\All Users\Desktop\avast! Pro Antivirus.lnk
[2012/01/14 08:53:49 | 000,001,901 | ---- | C] () -- F:\My Documents\AVAST License key.htm
[2012/01/14 08:14:00 | 000,000,210 | -HS- | C] () -- E:\BOOT.BAK
[2012/01/14 08:13:57 | 000,260,272 | RHS- | C] () -- E:\cmldr
[2012/01/14 08:04:31 | 000,000,822 | ---- | C] () -- E:\Documents and Settings\Dora Smith\Desktop\System Mechanic 6.lnk
[2012/01/14 08:03:36 | 000,025,264 | ---- | C] () -- E:\WINDOWS\System32\smrgdf.exe
[2012/01/14 08:03:35 | 000,041,472 | ---- | C] () -- E:\WINDOWS\System32\iolobtdfg.exe
[2012/01/14 08:03:34 | 001,212,416 | ---- | C] () -- E:\WINDOWS\System32\Incinerator.dll
[2012/01/14 07:58:51 | 000,000,738 | ---- | C] () -- E:\Documents and Settings\All Users\Desktop\Registry Mechanic.lnk
[2012/01/13 19:14:05 | 000,000,456 | -H-- | C] () -- E:\WINDOWS\tasks\Norton Security Scan for Administrator.job
[2012/01/12 20:56:32 | 000,001,752 | ---- | C] () -- E:\Documents and Settings\All Users\Desktop\VIPRE.lnk
[2012/01/10 21:07:35 | 000,174,462 | ---- | C] () -- E:\Processes.pdf
[2012/01/10 21:02:48 | 000,215,882 | ---- | C] () -- E:\Services.pdf
[2012/01/08 19:10:51 | 000,007,510 | R--- | C] () -- E:\WINDOWS\System32\drivers\NST\0200000.010\ccSetx86.cat
[2012/01/08 19:10:51 | 000,000,828 | R--- | C] () -- E:\WINDOWS\System32\drivers\NST\0200000.010\ccSetx86.inf
[2012/01/08 19:10:51 | 000,000,172 | ---- | C] () -- E:\WINDOWS\System32\drivers\NST\0200000.010\isolate.ini
[2012/01/08 19:00:18 | 000,000,450 | -H-- | C] () -- E:\WINDOWS\tasks\Norton Security Scan for Dora Smith.job
[2012/01/08 19:00:17 | 000,000,979 | ---- | C] () -- E:\Documents and Settings\All Users\Desktop\Norton Security Scan.lnk
[2012/01/08 19:00:15 | 000,000,172 | ---- | C] () -- E:\WINDOWS\System32\drivers\NSS\0306010.00B\isolate.ini
[2012/01/08 17:03:48 | 000,001,840 | ---- | C] () -- F:\My Documents\Registry entries MBAM.bak
[2012/01/08 16:05:56 | 000,000,290 | ---- | C] () -- E:\Documents and Settings\Dora Smith\Desktop\possible fake av stopping install of MBAM service.url
[2012/01/08 15:47:09 | 000,000,243 | ---- | C] () -- E:\Documents and Settings\Dora Smith\Desktop\HijackThis Logs (analyze).url
[2012/01/08 10:50:08 | 000,000,350 | ---- | C] () -- E:\Documents and Settings\Dora Smith\Desktop\malwarebytes and hijackthis log interpretation - CNET Spyware, viruses, & security Forums.url
[2012/01/08 10:48:48 | 000,001,014 | ---- | C] () -- E:\Documents and Settings\Dora Smith\Desktop\Solved PC Antivirus 2010 Hijack this-malwarebytes will not run - Tech Support Guy Forums.url
[2012/01/08 10:24:03 | 000,002,925 | ---- | C] () -- F:\My Documents\MBAM post.bak
[2012/01/07 22:50:23 | 000,001,945 | ---- | C] () -- E:\WINDOWS\epplauncher.mif
[2012/01/07 22:39:46 | 000,000,020 | ---- | C] () -- E:\WINDOWS\tpcsd
[2012/01/07 22:39:24 | 000,034,736 | ---- | C] () -- E:\WINDOWS\System32\drivers\RKHit.sys
[2012/01/07 22:18:03 | 000,000,146 | ---- | C] () -- E:\Documents and Settings\Dora Smith\Desktop\MBAM reinstall.url
[2012/01/07 19:24:59 | 082,959,168 | ---- | C] () -- E:\RegBack.reg
[2012/01/06 21:50:42 | 000,013,630 | -HS- | C] () -- E:\Documents and Settings\Dora Smith\Local Settings\Application Data\01w18tx807njcym21n2ma4y8nio6g0jckwtt8f1i0l341
[2012/01/06 21:50:42 | 000,013,520 | -HS- | C] () -- E:\Documents and Settings\All Users\Application Data\01w18tx807njcym21n2ma4y8nio6g0jckwtt8f1i0l341
[2012/01/03 20:44:44 | 000,000,267 | ---- | C] () -- E:\Documents and Settings\Dora Smith\Desktop\The Hobbit An Unexpected Journey - Movie Trailers - iTunes.url
[2012/01/01 21:42:40 | 000,000,715 | ---- | C] () -- E:\Documents and Settings\Dora Smith\Desktop\Free Topo Maps - MyTopo-Maptech MapServer.url
[2011/12/29 21:02:03 | 000,010,003 | ---- | C] () -- F:\My Documents\SOPA2.bak
[2011/12/26 21:37:41 | 000,010,631 | ---- | C] () -- F:\My Documents\SOPA.bak
[2011/12/23 19:38:15 | 000,001,139 | ---- | C] () -- E:\Documents and Settings\Dora Smith\Desktop\Play Roblox.lnk
[2011/12/18 21:40:11 | 000,000,481 | ---- | C] () -- E:\Documents and Settings\Dora Smith\Desktop\Directory listing for http--freepages.genealogy.rootsweb.com-~villandra-.url
[2011/11/15 21:34:30 | 000,053,960 | -H-- | C] () -- E:\WINDOWS\System32\mlfcache.dat
[2011/10/30 13:54:43 | 000,650,752 | ---- | C] () -- E:\WINDOWS\System32\xvidcore.dll
[2011/10/30 13:54:43 | 000,240,640 | ---- | C] () -- E:\WINDOWS\System32\xvidvfw.dll
[2011/10/30 13:54:02 | 000,192,512 | ---- | C] () -- E:\Documents and Settings\Dora Smith\Local Settings\Application Data\store-ds.db
[2011/10/10 20:46:59 | 000,000,095 | ---- | C] () -- E:\WINDOWS\QBChanUtil_Trigger.ini
[2011/10/01 12:22:05 | 000,000,664 | ---- | C] () -- E:\WINDOWS\System32\d3d9caps.dat
[2011/10/01 11:19:34 | 000,013,824 | ---- | C] () -- E:\Documents and Settings\Dora Smith\Application Data\Settings.cfg
[2011/09/24 22:26:32 | 000,098,304 | ---- | C] () -- E:\WINDOWS\System32\redmonnt.dll
[2011/09/14 15:38:21 | 000,001,793 | ---- | C] () -- E:\WINDOWS\System32\fxsperf.ini
[2011/09/13 08:56:54 | 000,000,100 | -H-- | C] () -- E:\Documents and Settings\Dora Smith\Local Settings\Application Data\syskbs4.dat
[2011/09/13 08:54:34 | 000,000,003 | ---- | C] () -- E:\WINDOWS\kbs2_1.ini
[2011/09/12 19:31:05 | 000,003,840 | ---- | C] () -- E:\WINDOWS\System32\drivers\BANTExt.sys
[2011/09/09 22:43:09 | 000,001,384 | ---- | C] () -- E:\WINDOWS\backg.ini
[2011/09/09 22:33:38 | 000,000,585 | ---- | C] () -- E:\WINDOWS\cpd.ini
[2011/09/09 22:33:29 | 000,051,776 | ---- | C] () -- E:\WINDOWS\System32\Gbtse2.Dll
[2011/09/09 22:16:29 | 000,455,168 | ---- | C] () -- E:\WINDOWS\System32\redllw32.dll
[2011/09/09 22:16:29 | 000,240,128 | ---- | C] () -- E:\WINDOWS\System32\PDDLLW32.DLL
[2011/09/09 21:32:24 | 000,192,512 | ---- | C] () -- E:\WINDOWS\System32\srkey.exe
[2011/09/09 21:22:25 | 000,000,254 | ---- | C] () -- E:\WINDOWS\PowerReg.dat
[2011/09/09 21:22:23 | 000,010,240 | ---- | C] () -- E:\WINDOWS\System32\vidx16.dll
[2011/09/09 21:16:10 | 000,001,224 | ---- | C] () -- E:\WINDOWS\Solitaire.ini
[2011/09/09 21:13:58 | 000,000,000 | ---- | C] () -- E:\WINDOWS\popcinfo.dat
[2011/09/09 20:11:18 | 000,000,016 | ---- | C] () -- E:\WINDOWS\System32\syspvm-14.dll
[2011/09/09 19:08:03 | 000,180,624 | ---- | C] () -- E:\WINDOWS\System32\Primomonnt.dll
[2011/09/09 18:28:30 | 000,000,058 | ---- | C] () -- E:\WINDOWS\System32\DonationCoder_ScreenshotCaptor_InstallInfo.dat
[2011/09/09 18:28:30 | 000,000,058 | ---- | C] () -- E:\Documents and Settings\Dora Smith\Local Settings\Application Data\DonationCoder_ScreenshotCaptor_InstallInfo.dat
[2011/09/09 18:21:44 | 000,000,042 | ---- | C] () -- E:\WINDOWS\PCSPATS.DAT
[2011/09/09 18:21:30 | 000,343,040 | ---- | C] () -- E:\WINDOWS\System32\lffpx7.dll
[2011/09/09 18:21:30 | 000,116,736 | ---- | C] () -- E:\WINDOWS\System32\lfkodak.dll
[2011/09/09 17:54:15 | 000,000,176 | ---- | C] () -- E:\WINDOWS\typeinst.ini
[2011/09/09 17:54:12 | 000,000,583 | ---- | C] () -- E:\WINDOWS\xtreme.ini
[2011/09/09 17:38:37 | 000,000,053 | ---- | C] () -- E:\WINDOWS\WININIT.INI
[2011/09/09 17:38:31 | 000,000,000 | ---- | C] () -- E:\WINDOWS\SETUP32.INI
[2011/09/09 16:43:37 | 000,000,319 | ---- | C] () -- E:\WINDOWS\ULEAD32.INI
[2011/09/09 16:05:28 | 000,000,848 | -HS- | C] () -- E:\WINDOWS\System32\KGyGaAvL.sys
[2011/09/09 15:57:40 | 000,354,816 | ---- | C] () -- E:\WINDOWS\System32\psisdecd.dll
[2011/09/09 15:32:13 | 000,021,504 | ---- | C] () -- E:\WINDOWS\System32\WBCustomizer.dll
[2011/09/09 15:11:32 | 000,000,376 | ---- | C] () -- E:\WINDOWS\ODBC.INI
[2011/09/09 15:06:25 | 000,016,384 | ---- | C] () -- E:\WINDOWS\System32\FileOps.exe
[2011/09/08 21:20:30 | 000,000,133 | ---- | C] () -- E:\Documents and Settings\Dora Smith\Local Settings\Application Data\fusioncache.dat
[2011/09/08 21:01:02 | 000,068,965 | ---- | C] () -- E:\WINDOWS\hpoins05.dat
[2011/09/08 21:01:02 | 000,019,696 | ---- | C] () -- E:\WINDOWS\hpomdl05.dat
[2011/09/08 20:38:01 | 000,280,276 | ---- | C] () -- E:\WINDOWS\System32\nvdrsdb1.bin
[2011/09/08 20:38:01 | 000,280,276 | ---- | C] () -- E:\WINDOWS\System32\nvdrsdb0.bin
[2011/09/08 20:38:01 | 000,000,001 | ---- | C] () -- E:\WINDOWS\System32\nvdrssel.bin
[2011/09/08 20:37:45 | 002,128,778 | ---- | C] () -- E:\WINDOWS\System32\nvdata.data
[2011/09/08 20:11:48 | 000,005,627 | R--- | C] () -- E:\WINDOWS\System32\Ludap17.ini
[2011/09/08 20:11:48 | 000,000,039 | R--- | C] () -- E:\WINDOWS\System32\ctzapxx.ini
[2011/09/08 14:25:07 | 000,016,896 | ---- | C] () -- E:\Documents and Settings\Dora Smith\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/09/08 13:08:55 | 000,081,936 | R--- | C] () -- E:\WINDOWS\System32\RtNicProp32.dll
[2011/09/08 12:46:06 | 000,024,944 | ---- | C] () -- E:\WINDOWS\System32\drivers\GVTDrv.sys
[2011/09/08 12:19:36 | 000,031,272 | ---- | C] () -- E:\WINDOWS\System32\AppleChargerSrv.exe
[2011/09/08 12:19:36 | 000,018,544 | ---- | C] () -- E:\WINDOWS\System32\drivers\AppleCharger.sys
[2011/09/08 12:19:23 | 000,008,192 | ---- | C] () -- E:\WINDOWS\System32\drivers\IntelMEFWVer.dll
[2011/09/08 11:54:50 | 000,207,400 | R--- | C] () -- E:\WINDOWS\GSetup.exe
[2011/09/08 11:54:50 | 000,000,010 | ---- | C] () -- E:\WINDOWS\GSetup.ini
[2011/09/08 10:21:50 | 000,002,048 | --S- | C] () -- E:\WINDOWS\bootstat.dat
[2011/09/08 10:18:10 | 000,021,640 | ---- | C] () -- E:\WINDOWS\System32\emptyregdb.dat
[2011/09/07 18:06:10 | 000,004,161 | ---- | C] () -- E:\WINDOWS\ODBCINST.INI
[2011/09/07 18:05:06 | 000,259,840 | ---- | C] () -- E:\WINDOWS\System32\FNTCACHE.DAT
[2011/02/09 22:03:48 | 000,000,314 | ---- | C] () -- E:\WINDOWS\primopdf.ini
[2008/05/16 10:25:50 | 000,286,720 | ---- | C] () -- E:\WINDOWS\System32\nvnt4cpl.dll
[2005/05/02 21:38:42 | 000,064,512 | R--- | C] () -- E:\WINDOWS\System32\P17.dll
[2004/12/01 23:00:00 | 000,921,600 | ---- | C] () -- E:\WINDOWS\System32\vorbisenc.dll
[2004/12/01 23:00:00 | 000,237,568 | ---- | C] () -- E:\WINDOWS\System32\OggDS.dll
[2004/12/01 23:00:00 | 000,188,416 | ---- | C] () -- E:\WINDOWS\System32\vorbis.dll
[2004/12/01 23:00:00 | 000,045,056 | ---- | C] () -- E:\WINDOWS\System32\ogg.dll
[2004/08/04 06:00:00 | 013,107,200 | ---- | C] () -- E:\WINDOWS\System32\oembios.bin
[2004/08/04 06:00:00 | 000,755,200 | ---- | C] () -- E:\WINDOWS\System32\ir50_32.dll
[2004/08/04 06:00:00 | 000,673,088 | ---- | C] () -- E:\WINDOWS\System32\mlang.dat
[2004/08/04 06:00:00 | 000,445,260 | ---- | C] () -- E:\WINDOWS\System32\perfh009.dat
[2004/08/04 06:00:00 | 000,338,432 | ---- | C] () -- E:\WINDOWS\System32\ir41_qcx.dll
[2004/08/04 06:00:00 | 000,272,128 | ---- | C] () -- E:\WINDOWS\System32\perfi009.dat
[2004/08/04 06:00:00 | 000,218,003 | ---- | C] () -- E:\WINDOWS\System32\dssec.dat
[2004/08/04 06:00:00 | 000,200,192 | ---- | C] () -- E:\WINDOWS\System32\ir50_qc.dll
[2004/08/04 06:00:00 | 000,183,808 | ---- | C] () -- E:\WINDOWS\System32\ir50_qcx.dll
[2004/08/04 06:00:00 | 000,120,320 | ---- | C] () -- E:\WINDOWS\System32\ir41_qc.dll
[2004/08/04 06:00:00 | 000,072,722 | ---- | C] () -- E:\WINDOWS\System32\perfc009.dat
[2004/08/04 06:00:00 | 000,046,258 | ---- | C] () -- E:\WINDOWS\System32\mib.bin
[2004/08/04 06:00:00 | 000,028,626 | ---- | C] () -- E:\WINDOWS\System32\perfd009.dat
[2004/08/04 06:00:00 | 000,004,569 | ---- | C] () -- E:\WINDOWS\System32\secupd.dat
[2004/08/04 06:00:00 | 000,004,461 | ---- | C] () -- E:\WINDOWS\System32\oembios.dat
[2004/08/04 06:00:00 | 000,001,804 | ---- | C] () -- E:\WINDOWS\System32\dcache.bin
[2004/08/04 06:00:00 | 000,000,741 | ---- | C] () -- E:\WINDOWS\System32\noise.dat
[2003/10/01 20:48:18 | 000,053,248 | R--- | C] () -- E:\WINDOWS\System32\P17CPI.dll
[2003/01/07 14:05:08 | 000,002,695 | ---- | C] () -- E:\WINDOWS\System32\OUTLPERF.INI

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: EXPLORER.EXE >
[2008/04/14 04:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- E:\WINDOWS\explorer.exe
[2008/04/14 04:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- E:\WINDOWS\ServicePackFiles\i386\explorer.exe
[2008/04/13 18:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- E:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe
[2004/08/04 06:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- E:\WINDOWS\$NtServicePackUninstall$\explorer.exe

< MD5 for: WINLOGON.EXE >
[2004/08/04 06:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- E:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
[2008/04/14 04:42:40 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- E:\WINDOWS\ServicePackFiles\i386\winlogon.exe
[2008/04/13 18:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- E:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\winlogon.exe
[2008/04/14 04:42:40 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- E:\WINDOWS\system32\winlogon.exe

< >

< End of report >



------------------------------------------------------------------------------------------------------------------
******************************************************************************************************************

OTL Extras logfile created on: 1/14/2012 11:23:59 AM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = H:\Fix programs
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.98 Gb Total Physical Memory | 1.03 Gb Available Physical Memory | 51.84% Memory free
3.83 Gb Paging File | 3.14 Gb Available in Paging File | 81.80% Paging File free
Paging file location(s): E:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = E: | %SystemRoot% = E:\WINDOWS | %ProgramFiles% = E:\Program Files
Drive E: | 39.06 Gb Total Space | 18.17 Gb Free Space | 46.51% Space Free | Partition Type: NTFS
Drive F: | 259.02 Gb Total Space | 225.41 Gb Free Space | 87.02% Space Free | Partition Type: NTFS
Drive H: | 74.53 Gb Total Space | 18.88 Gb Free Space | 25.33% Space Free | Partition Type: NTFS

Computer Name: DORA | User Name: Dora Smith | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_USERS\S-1-5-21-484763869-1844823847-839522115-1003\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- "F:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "F:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 1
"FirewallOverride" = 1
"ANTIVIRUSDISABLENOTIFY" = 0
"FIREWALLDISABLENOTIFY" = 0
"UPDATESDISABLENOTIFY" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"E:\WINDOWS\system32\usmt\migwiz.exe" = E:\WINDOWS\system32\usmt\migwiz.exe:*:Enabled:Files and Settings Transfer Wizard -- (Microsoft Corporation)
"E:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe" = E:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe:*:Enabled:Daemonu.exe -- (NVIDIA Corporation)
"F:\Program Files\Kodak EasyShare software\bin\EasyShare.exe" = F:\Program Files\Kodak EasyShare software\bin\EasyShare.exe:*:Enabled:EasyShare -- (Eastman Kodak Company)
"E:\Program Files\mystarttb\dtUser.exe" = E:\Program Files\mystarttb\dtUser.exe:*:Enabled:MyStart Toolbar DTX Broker
"E:\Program Files\Google\Google Earth\client\googleearth.exe" = E:\Program Files\Google\Google Earth\client\googleearth.exe:*:Enabled:Google Earth -- (Google)
"E:\Program Files\Dogpile Bundle Toolbar\TroubleShooter.exe" = E:\Program Files\Dogpile Bundle Toolbar\TroubleShooter.exe:*:Enabled:Dogpile Bundle Toolbar (Helper)
"E:\Program Files\Dogpile Bundle Toolbar\ToolbarUpdate.exe" = E:\Program Files\Dogpile Bundle Toolbar\ToolbarUpdate.exe:*:Enabled:Dogpile Bundle Toolbar (Update)
"F:\Program Files\Namo\WebEditor 2006\bin\WebEditor.exe" = F:\Program Files\Namo\WebEditor 2006\bin\WebEditor.exe:*:Enabled:Namo WebEditor 2006 -- (Sejoong Namo Interactive, Inc.)
"F:\Program Files\Intuit\QuickBooks 2010\QBDBMgrN.exe" = F:\Program Files\Intuit\QuickBooks 2010\QBDBMgrN.exe:*:Enabled:QuickBooks 2010 Data Manager -- (Intuit, Inc.)
"E:\Program Files\AIM\aim.exe" = E:\Program Files\AIM\aim.exe:*:Enabled:AIM -- (AOL Inc.)
"F:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = F:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"E:\Documents and Settings\Dora Smith\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe" = E:\Documents and Settings\Dora Smith\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe:*:Enabled:Octoshape add-in for Adobe Flash Player
"E:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe" = E:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe:*:Enabled:WebKit -- (Apple Inc.)
"E:\WINDOWS\system32\mmc.exe" = E:\WINDOWS\system32\mmc.exe:*:Enabled:Microsoft Management Console -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{007B37D9-0C45-4202-834B-DD5FAAE99D63}" = ArcSoft Print Creations - Slimline Card
"{06A9E630-DBA6-4D92-9DE7-A235AA6496C7}" = QuickBooks
"{0700E22B-A419-40A5-BD20-04BF618CA0F9}" = QuickBooks Simple Start 2010 Free Edition
"{086D343F-8E78-4AFC-81AC-D6D414AFD8AC}_is1" = Core Temp 1.0 RC2
"{0B721EA9-076B-466C-B09E-5A8FC59A6105}" = Hoyle Word Games 3
"{0DC86BEC-5CE3-413A-BB61-C40A3D186B24}" = Scan
"{0FF18B53-CA57-40BB-B562-21A27B662005}" = 1600
"{11E9DB47-6A91-43ED-8B8D-C3260456C3BB}" = Ancestry World Archives Project - Keying Tool
"{14BEB6DF-A499-4A38-8E06-E173BCD5C087}" = ScannerCopy
"{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}" = ESSPCD
"{17293791-C82E-476C-9997-9A0FF234A19B}" = HP Product Assistant
"{181821B7-82AA-44DA-9DAF-EF254CCB670A}" = Fax
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1A15507A-8551-4626-915D-3D5FA095CC1B}" = Corel Paint Shop Pro X
"{1AD5F465-8282-4DAD-B957-E09C0B783D18}" = InstantShare
"{1B18B5A4-13EC-4D7D-AB48-4BC1CA3D6A0D}" = Ka Kuro Classic
"{1B1DDAD2-C704-49F8-8FC2-18DAAD9A87C5}" = Sound Blaster Audigy
"{1B680FBA-E317-4E93-AF43-3B59798A4BE0}" = Copy
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{20FBC0A0-3160-4F14-83ED-3A74BB6B8C31}" = TrayApp
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216027FF}" = Java™ 6 Update 27
"{272EC8BA-5A08-4ea1-A189-684466A06B02}" = cp_dwShrek2Albums1
"{2857dbef-0b50-361c-8690-7d505747009f}" = Webshots Desktop
"{2B2F9A84-7E8C-4BD6-991C-CD41DBA4289C}" = PDF QuickConverter Pro
"{2C0A655C-61E7-428A-8ED2-23A3D20E7DD2}" = Data Lifeguard Tools
"{2D03B6F8-DF36-4980-B7B6-5B93D5BA3A8F}" = essvatgt
"{2D8D1F61-B119-4434-9CC2-A70C2C6F8CF3}" = Internet Radio Recorder
"{2E8428AD-6CD2-4031-916A-3CF9BBF2DEC9}" = Unload
"{2F7D5734-056F-4A0A-A1C7-CA1AAE5BB1EB}" = Angry Birds
"{3127F76D-5335-4AC7-BD1E-2F5247A23C24}" = iTunes
"{342C7C88-D335-4bc2-8CF1-281857629CE2}" = HP PSC & OfficeJet 4.7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3762DB2D-71BD-421F-9E55-C74DA7DF4D07}" = CueTour
"{388E4B09-3E71-4649-8921-F44A3A2954A7}" = Microsoft Visual Studio 2005 Tools for Office Runtime
"{391E18CE-7D3B-45E9-A8F0-34E77F14F47A}" = ProductContext
"{3AA7FDD6-E358-453D-BC77-22E3CF81DA83}" = Super Glinx!
"{3B35725F-C623-4A1E-B5CC-99C0868679E3}" = Smart 6 B10.1221.1
"{3DECD372-76A1-4483-BF10-B547790A3261}" = ON_OFF Charge B11.0110.1
"{3FC62993-E139-460A-94E2-4C791794A745}" = ZipMagic Personal Edition
"{40B739E1-40CC-4F0D-9BA1-B75492FFA732}" = Super Nisqually!
"{42938595-0D83-404D-9F73-F8177FDD531A}" = ESScore
"{442BE28B-782B-4DC0-B490-E70A403B1C69}" = Readme
"{4537EA4B-F603-4181-89FB-2953FC695AB1}" = netbrdg
"{457D7505-D665-4F95-91C3-ECB8C56E9ACA}" = Easy Tune 6 B10.1216.1
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{519C4DB6-B53B-4F5C-8297-89B2BE949FA5}_is1" = Data Lifeguard Diagnostic for Windows 1.24
"{5316DFC9-CE99-4458-9AB3-E8726EDE0210}" = skin0001
"{56589DFE-0C29-4DFE-8E42-887B771ECD23}" = ArcSoft Print Creations - Photo Book
"{5A3C1721-F8ED-11E0-8AFB-B8AC6F97B88E}" = Google Earth
"{5BE5E212-4E14-406C-9CD2-DD42064E1EE7}" = FlowCharts&More Express
"{5E8D588F-307C-4250-B622-26969027319A}" = PanoStandAlone
"{605A4E39-613C-4A12-B56F-DEFBE6757237}" = SHASTA
"{639159C2-B27B-4208-8965-D8A0AEDBDED2}" = Microsoft .NET Framework 2.0 SDK - ENU
"{643EAE81-920C-4931-9F0B-4B343B225CA6}" = ESSBrwr
"{644D04A2-C682-4FD5-977D-03B804C4B9C5}" = CreativeProjects
"{646A65DD-23FC-418E-B9F0-E0500FB42CB1}" = PhotoGallery
"{64FC0C98-B035-4530-B15D-3D30610B6DF1}" = HP Software Update
"{65153EA5-8B6E-43B6-857B-C6E4FC25798A}" = Intel® Management Engine Components
"{655CB07D-C944-40BE-B93F-55957CAC7625}" = AiO_Scan
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{68963635-14A4-48D9-B431-DF3A74D1AAE1}" = Destinations
"{700A6597-3CE6-49C1-AA75-846B24CDA66D}" = BufferChm
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{724517BD-1DE1-4986-BFCA-C1DFD379E3BC}" = cp_dwShrek2Cards1
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour
"{7AD25C9F-9957-4D1C-95EF-9BCD09F6D31B}" = HPSystemDiagnostics
"{7BE15435-2D3E-4B58-867F-9C75BED0208C}" = QuickTime
"{7E36A3A4-9652-4200-AF89-C839CE4F1F2A}" = VIPRE Antivirus
"{8153ED9A-C94A-426E-9880-5E6775C08B62}" = Apple Mobile Device Support
"{84CDF5A8-1D57-4B69-BAB6-1F11D8923375}" = SkinsHP1
"{85CFD253-38AE-4DB1-ACB7-F0F4C791990D}" = AiOSoftware
"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder
"{8943CE61-53BD-475E-90E1-A580869E98A2}" = staticcr
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A502E38-29C9-49FA-BCFA-D727CA062589}" = ESSTOOLS
"{8BC3B99B-A6BE-4A0B-8535-B1B94BA4B1B1}" = DocProc
"{8E92D746-CD9F-4B90-9668-42B74C14F765}" = ESSini
"{8FFC924C-ED06-44CB-8867-3CA778ECE903}" = Adobe Help Center 2.0
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{91130409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Basic Edition 2003
"{91490409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office 2003 Primary Interop Assemblies
"{91517631-A9F3-4B7C-B482-43E0068FD55A}" = ESSgui
"{91AFACB3-CA46-4C1E-AF2D-F72EE0B112E4}" = Personal Ancestral File Companion 5.5
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9591C049-5CAE-4E89-A8D9-191F1899628B}" = ArcSoft Print Creations - Funhouse
"{980A3C34-1652-472D-84AC-2A4D3D4955BF}" = Namo WebEditor 2006
"{999D43F4-9709-4887-9B1A-83EBB15A8370}" = VPRINTOL
"{A0C0A1C7-4C08-4AB4-B35B-B1850782F7AF}" = Super WHATword
"{a0fe116e-9a8a-466f-aee0-625cb7c207e3}" = Microsoft Visual C++ 2005 Redistributable - KB2467175
"{A301896D-9F55-4492-B518-30EAC4C723E1}" = Super Collapse!
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A5B9D22C-755A-4AC6-9904-875E80838BB6}" = CP_AtenaShokunin1Config
"{A7B5CF5F-6BB3-4616-950E-0CF3C9A023AD}" = Namo WebUtilities 2006
"{A83279FD-CA4B-4206-9535-90974DE76654}" = Apple Application Support
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A9DE7D74-A4D9-465A-9EE1-49D1577983AA}" = Namo WebCanvas 2006
"{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}" = ESSCDBK
"{B0D83FCD-9D42-43ED-8315-250326AADA02}" = ArcSoft Print Creations - Scrapbook
"{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}" = OfotoXMI
"{B2DC3F08-2EB2-49A5-AA24-15DFC8B1CB83}" = @BIOS
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.ControlPanel" = NVIDIA Control Panel 280.26
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver" = NVIDIA Graphics Driver 280.26
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NView" = NVIDIA nView 135.94
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update" = NVIDIA Update 1.4.28
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA Install Application
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_NVIDIA.Update" = NVIDIA Update Components
"{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}" = CCScore
"{B642EC22-0915-11D5-B3F1-00485486D0B6}" = Rings of the Magi
"{B911B811-BA3E-46D4-90F8-6F3338359651}" = Director
"{BD29EBAC-AD7D-4b27-B727-4CC6AC52D36B}" = MarketResearch
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C1D1FC57-3EB9-4B21-BCA3-F1C927508200}" = VIPRE Antivirus
"{C75FAD21-EC08-42F3-92D6-C9C0AB355345}" = AutoGreen B10.1021.1
"{CA9ED5E4-1548-485B-A293-417840060158}" = ArcSoft Print Creations - Photo Calendar
"{CAE8A0F1-B498-4C23-95FA-55047E730C8F}" = ArcSoft Print Creations
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CB449D5A-7710-47aa-B9F5-352B877C90E6}" = 1600_Help
"{CDFCF124-115F-4976-8BF4-08C89187A146}" = WebReg
"{CE0C8CC5-E396-442B-A50E-D1D374A9E820}" = DocumentViewer
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D2023740-9AAC-11D4-B54D-006008571948}" = Pac-Man Adventures in Time
"{D32470A1-B10C-4059-BA53-CF0486F68EBC}" = Kodak EasyShare software
"{D94A8E22-DF2B-4107-9E51-608A60A7671D}" = Personal Ancestral File 5
"{DADC7AB0-E554-4705-9F6A-83EA82ED708E}" = Realtek Ethernet Diagnostic Utility
"{DB02F716-6275-42E9-B8D2-83BA2BF5100B}" = SFR
"{DEE9F5CD-831C-474D-B4E0-550640518350}" = Ka Kuro Classic
"{E3E71D07-CD27-46CB-8448-16D4FB29AA13}" = Microsoft WSE 3.0 Runtime
"{E6B4117F-AC59-4B13-9274-EB136E8897EE}" = ArcSoft Print Creations - Album Page
"{EA2BD6CF-2EB7-4BE4-9CAC-471F351BF24D}" = Hoyle Board Games 2007
"{EBB7C1C1-D439-4D9B-9FDC-954C10F266B0}" = Adobe Photoshop Elements 4.0
"{F04F9557-81A9-4293-BC49-2C216FA325A7}" = ArcSoft Print Creations - Greeting Card
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F2A69CA0-8BBF-4404-BA68-DB79A3548E34}" = PCStitch 7
"{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}" = SKINXSDK
"{F4C6CC40-1142-49be-A28C-7BBD36F0B41A}" = 1600Trb
"{F9593CFB-D836-49BC-BFF1-0E669A411D9F}" = WIRELESS
"{FABC59F1-0694-4C73-B603-EA1388E8EEB8}" = Super TextTwist
"{FC22D020-3005-4715-8DF9-F3EDE81DEB3D}" = CreativeProjectsTemplates
"{FCDB1C92-03C6-4C76-8625-371224256091}" = ESSPDock
"AceFTP 3 Freeware" = AceFTP 3 Freeware
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop Elements 4" = Adobe Photoshop Elements 4.0
"Adobe SVG Viewer" = Adobe SVG Viewer 3.0
"AIM_7" = AIM 7
"avast" = avast! Pro Antivirus
"Belarc Advisor" = Belarc Advisor 8.2
"Bogglev1" = Boggle
"Britannica Puzzle Potpourri" = Britannica Puzzle Potpourri
"Captain Keyboard" = Captain Keyboard
"CCleaner" = CCleaner
"Classic Entertainment Online" = Classic Entertainment Online
"CoreFTP" = Core FTP LE
"Coupon Printer for Windows5.0.0.1" = Coupon Printer for Windows
"Defraggler" = Defraggler
"EGREEN" = ASUS E-Green Uninstall
"Enable S3 for USB Device" = Enable S3 for USB Device
"Foxit Reader_is1" = Foxit Reader 5.1
"Hardwood Backgammon_is1" = Hardwood Backgammon
"HP Photo & Imaging" = HP Image Zone 4.7
"HPExtendedCapabilities" = HP Extended Capabilities 4.7
"ie8" = Windows Internet Explorer 8
"InstallShield_{3FC62993-E139-460A-94E2-4C791794A745}" = ZipMagic Personal Edition
"InstallShield_{457D7505-D665-4F95-91C3-ECB8C56E9ACA}" = Easy Tune 6 B10.1216.1
"InstallShield_{C75FAD21-EC08-42F3-92D6-C9C0AB355345}" = AutoGreen B10.1021.1
"Jigsaw Landscapes" = Jigsaw Landscapes (remove only)
"Keyboarding Skills Test 2011_is1" = Keyboarding Skills Test 2011 Version 3.0.1
"Kid CAD" = Kid CAD
"Legacy 6.0" = Legacy 6.0
"Mavis Beacon Teaches Typing Deluxe 17" = Mavis Beacon Teaches Typing Deluxe 17
"Mediaplayer Lite_is1" = Mediaplayer Lite v1.0
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 2.0 SDK - ENU" = Microsoft .NET Framework 2.0 SDK - ENU
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Visual Studio 2005 Tools for Office Runtime" = Microsoft Visual Studio 2005 Tools for Office Runtime
"Moraff's Maximum MahJongg" = Moraff's Maximum MahJongg
"Mozilla Firefox 8.0 (x86 en-US)" = Mozilla Firefox 8.0 (x86 en-US)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MVP Backgammon Professional" = MVP Backgammon Professional Trial
"MVP Mancala Deluxe" = MVP Mancala Deluxe
"Non Driver CIO Components" = Non Driver CIO Components
"NoteTab Light 6_is1" = NoteTab Light 6 (Remove only)
"NSS" = Norton Security Scan
"NST" = Norton Safe Web Lite
"NVIDIA nView Desktop Manager" = NVIDIA nView Desktop Manager
"PCSafeDoctor_is1" = PCSafeDoctor
"Personal Historian_is1" = Personal Historian 1.1.7.10
"Phlinx To Go" = Phlinx To Go
"Poppit To Go" = Poppit To Go
"PrimoPDF" = PrimoPDF -- brought to you by Nitro PDF Software
"Professor Teaches Accounting Fundamentals" = Professor Teaches Accounting Fundamentals
"Professor Teaches Business Planning" = Professor Teaches Business Planning
"Professor Teaches Outlook 2003" = Professor Teaches Outlook 2003
"Professor Teaches Outlook 2003 Advanced" = Professor Teaches Outlook 2003 Advanced
"Professor Teaches QuickBooks 2008" = Professor Teaches QuickBooks 2008
"Puzzle Master 2" = Puzzle Master 2
"R for Windows 2.14.0_is1" = R for Windows 2.14.0
"Registry Mechanic_is1" = Registry Mechanic 6.0
"RootsMagic_is1" = RootsMagic 3.0
"Scrabble" = Scrabble
"ScreenshotCaptor_is1" = Screenshot Captor 2.99.02
"Solitaire Plus!_is1" = Solitaire Plus!
"Speccy" = Speccy
"SysInfo" = Creative System Information
"System Mechanic 6_is1" = iolo technologies' System Mechanic 6
"Ten Pro Board Games" = Ten Pro Board Games
"The Weather Channel Desktop 6" = The Weather Channel Desktop 6
"TwInbox" = TwInbox (remove only)
"Typing Instructor" = Typing Instructor
"Typing Tutor For Dummies" = Typing Tutor For Dummies
"Ulead Photo Express JR 3.0" = Ulead Photo Express 3.0
"WebPost" = Microsoft Web Publishing Wizard 1.52
"WIC" = Windows Imaging Component
"Winamp" = Winamp
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"Winstep Organizer_is1" = Winstep Start Menu Organizer 1.5
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XCrossDeinstKey" = Crosswords and More
"Xvid Video Codec 1.3.1" = Xvid Video Codec
"Yahoo! Messenger" = Yahoo! Messenger
"Zuma Deluxe 1.0" = Zuma Deluxe 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-484763869-1844823847-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{373B1718-8CC5-4567-8EE2-9033AD08A680}" = Roblox for Dora Smith
"FoxTab PDF Converter" = FoxTab PDF Converter
"Octoshape add-in for Adobe Flash Player" = Octoshape add-in for Adobe Flash Player
"Puzzle Master 3" = Puzzle Master 3
"Puzzle Master 4" = Puzzle Master 4
"Puzzle Master 5" = Puzzle Master 5
"Puzzle Master Amusement Park" = Puzzle Master Amusement Park
"Puzzle Master Autumn " = Puzzle Master Autumn
"Puzzle Master Spring Fling" = Puzzle Master Spring Fling
"Puzzle Master Variety Pack" = Puzzle Master Variety Pack
"Winamp Detect" = Winamp Detector Plug-in

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/12/2012 10:09:10 PM | Computer Name = DORA | Source = MsiInstaller | ID = 1013
Description = Product: VIPRE Antivirus -- You are trying to install a product in
the VIPRE family that is older than your currently installed version. To downgrade
you will need to manually uninstall your current VIPRE product using Add/Remove
Programs.

Error - 1/12/2012 10:37:59 PM | Computer Name = DORA | Source = MPSampleSubmission | ID = 5000
Description =

Error - 1/12/2012 11:10:01 PM | Computer Name = DORA | Source = MPSampleSubmission | ID = 5000
Description =

Error - 1/13/2012 5:46:30 AM | Computer Name = DORA | Source = MPSampleSubmission | ID = 5000
Description =

Error - 1/13/2012 9:22:57 PM | Computer Name = DORA | Source = MPSampleSubmission | ID = 5000
Description =

Error - 1/13/2012 9:24:11 PM | Computer Name = DORA | Source = MPSampleSubmission | ID = 5000
Description =

Error - 1/13/2012 9:24:14 PM | Computer Name = DORA | Source = Microsoft Security Client | ID = 5000
Description =

Error - 1/13/2012 9:25:41 PM | Computer Name = DORA | Source = Microsoft Security Client | ID = 5000
Description =

Error - 1/14/2012 6:28:53 AM | Computer Name = DORA | Source = MPSampleSubmission | ID = 5000
Description =

Error - 1/14/2012 8:55:23 AM | Computer Name = DORA | Source = MPSampleSubmission | ID = 5000
Description =

[ System Events ]
Error - 1/13/2012 9:22:57 PM | Computer Name = DORA | Source = Microsoft Antimalware | ID = 2001
Description =

Error - 1/13/2012 9:24:11 PM | Computer Name = DORA | Source = Microsoft Antimalware | ID = 2001
Description =

Error - 1/13/2012 9:44:57 PM | Computer Name = DORA | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service MSIServer with
arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}

Error - 1/13/2012 9:44:57 PM | Computer Name = DORA | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service MSIServer with
arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}

Error - 1/13/2012 9:57:55 PM | Computer Name = DORA | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 1/13/2012 10:16:58 PM | Computer Name = DORA | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 1/13/2012 10:17:20 PM | Computer Name = DORA | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 1/14/2012 6:28:53 AM | Computer Name = DORA | Source = Microsoft Antimalware | ID = 2001
Description =

Error - 1/14/2012 8:44:31 AM | Computer Name = DORA | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 1/14/2012 8:55:23 AM | Computer Name = DORA | Source = Microsoft Antimalware | ID = 2001
Description =


< End of report >

---------------------------------------------------------------------------------------------------------------

#4 villandra

villandra
  • Topic Starter

  • Members
  • 19 posts

Posted 14 January 2012 - 01:24 PM

It's a 32 bit machine. I have my Windows cd handy, but I'm highly unlikely to do anything that would be likely to lead to requiring using it. If I wanted to reinstall my system, I'd just use ComboFix.

Just tell me how to restore my windows registry should I need to (I've uncovered how to back it up), and what registry entries to change or delete.

Dora

#5 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • Gender:Female
  • Location:At home

Posted 14 January 2012 - 01:49 PM

Hi,

I'm not quite sure what you want to do now: Do you want to remove all trace of MBAM from your PC or do you want to install MBAM onto your PC?

When you try to install MBAM do you get any kind of error message?

There are many different things you can do with your Windows CD besides reformatting, which is why it is always useful to know if it is at hand or not. Whether we'll need it or not will depend on how the whole thing evolves.

Can I ask why you won't run ComboFix? Have you had bad experiences in the past?

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

Regarding your questions for the Hijackthis log:
  • E:\WINDOWS\System32\snmp.exe **********WHAT IS?******************
    This is Simple Network Management Protocol, part of Windows
  • E:\WINDOWS\system32\Rundll32.exe ******* WHY ARE THERE TWO RUNDLL32.EXE RUNNING?*******
    There will be a rundll32 showing for each dll that is executed through it. It's normal to have several running, just as you would normally have several svchost.exe running.
  • E:\WINDOWS\explorer.exe ***** RKILL SAID IT STOPPED THIS - GUESS IT'S STILL RUNNING.*****
    Explorer runs everything from your file browser to your icons and taskbars. If it's stopped you're unable to do anything.
  • O2 - BHO: agihelper.AGUtils - {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll (file missing) *************??????*******
    Part of a toolbar: http://www.systemlookup.com/CLSID/42938-agcutils_pyd_agcutils_dll_mscoree_dll_MS_file.html
  • O3 - Toolbar: (no name) - {ccb24e92-62c4-4c53-95d2-65f9eed476bc} - (no file) ***********???????????*****************
    Leftover from a different toolbar: http://www.systemlookup.com/CLSID/42938-agcutils_pyd_agcutils_dll_mscoree_dll_MS_file.html
  • O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper *********?????????*************
    Part of soundblaster: http://www.systemlookup.com/Startup/9171-Rundll32_P17_dll_P17Helper.html
  • O4 - HKLM\..\Run: [UpdReg] E:\WINDOWS\UpdReg.EXE **********????????????***********
    part of creative labs soundblaster: http://www.systemlookup.com/Startup/13586-Updreg_exe.html
  • O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login **********?????????????NORMAL?**********************
    Yes, but unneeded: http://www.systemlookup.com/Startup/8915-RunDLL32_exe_NvMCTray_dll_NvTaskbarInit.html
    (Note how this entry and the P17Helper entry both use rundll32.exe to launch their dlls; this is why you see the process running twice.)
  • O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing) *******????????************
    This is part of Quickbooks: http://www.systemlookup.com/O18/79-SYSDIR_mscoree_dll.html It looks however as if someone deleted a system file.

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

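The two Run entries above (P17Helper and NvMCTray, both launched through rundll32.exe) are a good place to see what the reply means by "a rundll for each dll". The PowerShell below is added here as a worked example; it is not code from the thread, from HijackThis or from GMER. It parses a rundll32 command line into the DLL it loads and the entry point it calls, resolves a bare DLL name roughly the way the loader would (System32, then the Windows directory, then PATH), and lists the running rundll32.exe processes with that information so each instance can be matched to the DLL it hosts. The function names (Get-RundllTarget, Resolve-RundllDll, Get-RundllHost) are my own; the two sample command lines are constructed from the Run entries quoted in the post. Get-WmiObject is used so it runs on PowerShell 2.0 on Windows XP SP3.

```powershell
# Added example (not from the thread): match each running rundll32.exe to the
# DLL it is hosting. Function names here are the example's own.

function Get-RundllTarget {
    # Parse a rundll32 command line, "rundll32.exe <dll>,<EntryPoint> [args]",
    # into DLL, entry point and trailing arguments. Returns $null when the line
    # carries no "dll,entry" pair.
    param([Parameter(Mandatory = $true)][string]$CommandLine)

    $line = $CommandLine.Trim()

    # Drop the executable token; it may be quoted ("E:\WINDOWS\system32\rundll32.exe").
    if ($line.StartsWith('"')) {
        $close = $line.IndexOf('"', 1)
        if ($close -lt 0) { return $null }
        $line = $line.Substring($close + 1).TrimStart()
    } else {
        $space = $line.IndexOf(' ')
        if ($space -lt 0) { return $null }
        $line = $line.Substring($space + 1).TrimStart()
    }

    # The DLL is either a quoted path or everything up to the first comma.
    if ($line.StartsWith('"')) {
        $close = $line.IndexOf('"', 1)
        if ($close -lt 0) { return $null }
        $dll  = $line.Substring(1, $close - 1)
        $rest = $line.Substring($close + 1)
    } else {
        $comma = $line.IndexOf(',')
        if ($comma -lt 0) { return $null }
        $dll  = $line.Substring(0, $comma)
        $rest = $line.Substring($comma)
    }

    # $rest is ",EntryPoint [arguments]"; the entry point ends at the first space.
    $parts = $rest.TrimStart(',').Trim() -split '\s+', 2
    $extra = if ($parts.Count -gt 1) { $parts[1] } else { '' }

    New-Object PSObject -Property @{ Dll = $dll; EntryPoint = $parts[0]; Arguments = $extra } |
        Select-Object Dll, EntryPoint, Arguments
}

function Resolve-RundllDll {
    # Approximate the loader's search for a DLL given without a path: System32,
    # the Windows directory, then each directory on PATH. Returns the first
    # existing file, or $null when none is found.
    param([Parameter(Mandatory = $true)][string]$Dll)

    if ($Dll -match '[\\/]') {
        if (Test-Path -LiteralPath $Dll) { return (Resolve-Path -LiteralPath $Dll).Path }
        return $null
    }
    $dirs = @("$env:windir\System32", $env:windir) + ($env:Path -split ';' | Where-Object { $_ })
    foreach ($d in $dirs) {
        $candidate = Join-Path $d $Dll
        if (Test-Path -LiteralPath $candidate) { return $candidate }
    }
    return $null
}

function Get-RundllHost {
    # Enumerate the rundll32.exe processes running right now and report, for
    # each one, the DLL it hosts and where that DLL was found on disk.
    Get-WmiObject -Class Win32_Process -Filter "Name = 'rundll32.exe'" | ForEach-Object {
        $target = $null
        if ($_.CommandLine) { $target = Get-RundllTarget -CommandLine $_.CommandLine }
        $path = $null
        if ($target) { $path = Resolve-RundllDll -Dll $target.Dll }
        $info = @{
            ProcessId    = $_.ProcessId
            Dll          = $(if ($target) { $target.Dll } else { '(no dll,entry pair)' })
            EntryPoint   = $(if ($target) { $target.EntryPoint } else { '' })
            ResolvedPath = $path
            Found        = [bool]$path
            UnderWindows = [bool]($path -and $path -like "$env:windir\*")
        }
        New-Object PSObject -Property $info |
            Select-Object ProcessId, Dll, EntryPoint, ResolvedPath, Found, UnderWindows
    }
}

# Parse the two Run entries quoted from the HijackThis log (strings constructed
# for this example, not captured live):
$samples = 'Rundll32 P17.dll,P17Helper',
           'RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login'
$samples | ForEach-Object { Get-RundllTarget -CommandLine $_ } | Format-Table -AutoSize

# Then list what is actually running on this machine:
Get-RundllHost | Format-Table -AutoSize
```

Read the output the way the reply does: rundll32.exe itself is only the host, so the column to look up (on systemlookup.com or the vendor's site) is the DLL, and an entry whose DLL cannot be found or sits outside the Windows directory is the one that deserves a closer look before anything is removed.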


#6 villandra

villandra
  • Topic Starter

  • Members
  • 19 posts

Posted 14 January 2012 - 07:19 PM

Are these files and registry entries that I need to delete? Except for the Avast entries, of course.

You didn't tell me if I should delete those mbam registry entries. I thought I clearly explained that I suspect they are preventing Malwarebytes Anti-Malware from installing properly - the service won't install. You did not tell me if they are blocking the service from installing. I explained that I have anti-malware uninstalled at the moment and question if any registry entries that refer to it need to be there.

Also, I thought that the point of running the last two logs I ran for you was so you could see what the virus had changed in my registry. I notice that there are a bunch of security center settings set to 1. From my reading this looks like something a virus might have done. Should I delete these entries or change the settings to 0?

Are there other registry changes I should fix?

I am wondering if this seeming ComboFix tech support lemming syndrome is caused by inability to read and edit a registry file. If you can't read a registry file you aren't going to be able to tell me how to fix it, so if that's why you would want me to run ComboFix, can you direct me to a forum where there are people who can, and do, read registry files?

What did you have me generate that big file full of possibly messed up registry entries for, if you aren't specifically prepared to tell me what to fix and how to fix it?

ComboFix has a 50% permanently mess up your system rate. It even says something to that effect on its web site. You need specific advanced skills to even mess with it. This program is way too aggressive and doesn't let you choose what it fixes. At the very least people end up with their drivers destroyed and permanently unable to connect to the Internet. Many have their systems permanently destroyed.

Now. My computer is not some kind of geeky toy. And it definitely is not YOUR geeky toy. It is what I live on. Even though my files are backed up, it would take me days to reinstall everything. Which I don't have. And which it would be ridiculous to want to do. I'm not running ComboFix. Period.

It is far safer to make a few select changes in the registry. Just tell me what changes I need to make.

Dora



GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-14 18:04:09
Windows 5.1.2600 Service Pack 3
Running: snpxsmiu.exe; Driver: E:\DOCUME~1\DORASM~1\LOCALS~1\Temp\pxtdapoc.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0xB0651510]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwClose [0xB0659452]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateKey [0xB065930A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDeleteKey [0xB0659916]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDeleteValueKey [0xB065982C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDuplicateObject [0xB0658EDC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0xB06515C0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenKey [0xB06593E6]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenProcess [0xB0658E14]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenThread [0xB0658E7C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0xB0651658]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwQueryValueKey [0xB065952E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xB06599E6]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRestoreKey [0xB06594EA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwSetValueKey [0xB0659672]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xB06657A2]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0xB06655CC]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwLoadDriver [0xB0665700]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2F14 805047B0 4 Bytes JMP D8B06594
PAGE ntkrnlpa.exe!ZwLoadDriver 80584160 7 Bytes JMP B0665704 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!NtCreateSection 805AB3C8 7 Bytes JMP B06655D0 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805BC556 5 Bytes JMP B066269C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObInsertObject 805C2FDA 5 Bytes JMP B066415C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D117A 7 Bytes JMP B06657A6 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
.text E:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB6E1F3A0, 0x8A1A15, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text E:\Program Files\Internet Explorer\iexplore.exe[2964] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 E:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[2964] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB3C E:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[2964] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5337 E:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[2964] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5269 E:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[2964] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E52D4 E:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[2964] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E513A E:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[2964] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E519C E:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[2964] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E539A E:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[2964] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E51FE E:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[3064] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 E:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[3064] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AC9 E:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[3064] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD12D E:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[3064] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB3C E:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[3064] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E2546A6 E:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[3064] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5337 E:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[3064] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5269 E:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[3064] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E52D4 E:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[3064] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E513A E:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[3064] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E519C E:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[3064] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E539A E:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[3064] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E51FE E:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[3064] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDB98 E:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[3064] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E569F E:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text E:\Program Files\AVAST Software\Avast\AvastUI.exe[3328] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text E:\Program Files\AVAST Software\Avast\AvastUI.exe[3328] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text E:\Program Files\AVAST Software\Avast\AvastSvc.exe[3964] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text E:\Program Files\AVAST Software\Avast\AvastSvc.exe[3964] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text E:\Program Files\AVAST Software\Avast\AvastSvc.exe[3964] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text E:\Program Files\Internet Explorer\iexplore.exe[4308] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001501F8
.text E:\Program Files\Internet Explorer\iexplore.exe[4308] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text E:\Program Files\Internet Explorer\iexplore.exe[4308] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001503FC
.text E:\Program Files\Internet Explorer\iexplore.exe[4308] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text E:\Program Files\Internet Explorer\iexplore.exe[4308] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003E1014
.text E:\Program Files\Internet Explorer\iexplore.exe[4308] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003E0804
.text E:\Program Files\Internet Explorer\iexplore.exe[4308] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003E0A08
.text E:\Program Files\Internet Explorer\iexplore.exe[4308] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003E0C0C
.text E:\Program Files\Internet Explorer\iexplore.exe[4308] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003E0E10
.text E:\Program Files\Internet Explorer\iexplore.exe[4308] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003E01F8
.text E:\Program Files\Internet Explorer\iexplore.exe[4308] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003E03FC
.text E:\Program Files\Internet Explorer\iexplore.exe[4308] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003E0600
.text E:\Program Files\Internet Explorer\iexplore.exe[4308] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 E:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[4308] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AC9 E:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[4308] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD12D E:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[4308] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB3C E:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[4308] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E2546A6 E:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[4308] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003F0600
.text E:\Program Files\Internet Explorer\iexplore.exe[4308] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003F01F8
.text E:\Program Files\Internet Explorer\iexplore.exe[4308] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003F03FC
.text E:\Program Files\Internet Explorer\iexplore.exe[4308] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5337 E:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[4308] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5269 E:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[4308] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E52D4 E:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[4308] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E513A E:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[4308] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E519C E:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[4308] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E539A E:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[4308] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E51FE E:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[4308] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDB98 E:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[4308] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E569F E:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text H:\Fix programs\snpxsmiu.exe[5992] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001601F8
.text H:\Fix programs\snpxsmiu.exe[5992] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text H:\Fix programs\snpxsmiu.exe[5992] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001603FC
.text H:\Fix programs\snpxsmiu.exe[5992] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text H:\Fix programs\snpxsmiu.exe[5992] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003F0804
.text H:\Fix programs\snpxsmiu.exe[5992] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003F0A08
.text H:\Fix programs\snpxsmiu.exe[5992] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003F0600
.text H:\Fix programs\snpxsmiu.exe[5992] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003F01F8
.text H:\Fix programs\snpxsmiu.exe[5992] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003F03FC
.text H:\Fix programs\snpxsmiu.exe[5992] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 004C1014
.text H:\Fix programs\snpxsmiu.exe[5992] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 004C0804
.text H:\Fix programs\snpxsmiu.exe[5992] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 004C0A08
.text H:\Fix programs\snpxsmiu.exe[5992] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 004C0C0C
.text H:\Fix programs\snpxsmiu.exe[5992] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 004C0E10
.text H:\Fix programs\snpxsmiu.exe[5992] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 004C01F8
.text H:\Fix programs\snpxsmiu.exe[5992] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 004C03FC
.text H:\Fix programs\snpxsmiu.exe[5992] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 004C0600

---- User IAT/EAT - GMER 1.0.15 ----

IAT E:\WINDOWS\system32\services.exe[780] @ E:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00CE0002
IAT E:\WINDOWS\system32\services.exe[780] @ E:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00CE0000
IAT E:\Program Files\Internet Explorer\iexplore.exe[3064] @ E:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] E:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
IAT E:\Program Files\Internet Explorer\iexplore.exe[4308] @ E:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] E:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \Driver\Tcpip \Device\Ip sbtis.sys (GFI Firewall SDK Transport Inspection System Driver/GFI Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Tcp sbtis.sys (GFI Firewall SDK Transport Inspection System Driver/GFI Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Udp sbtis.sys (GFI Firewall SDK Transport Inspection System Driver/GFI Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp sbtis.sys (GFI Firewall SDK Transport Inspection System Driver/GFI Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- Registry - GMER 1.0.15 ----

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{76D50904-6780-4c8b-8986-1A7EE0B1716D}\iexplore@Flags 4
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{76D50904-6780-4c8b-8986-1A7EE0B1716D}\iexplore\AllowedDomains
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{76D50904-6780-4c8b-8986-1A7EE0B1716D}\iexplore\AllowedDomains\roblox.com

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk2\DR5 sector 00: rootkit-like behavior

---- Files - GMER 1.0.15 ----

File E:\WINDOWS\$NtUninstallKB43398$\109817613 0 bytes
File E:\WINDOWS\$NtUninstallKB43398$\109817613\@ 2048 bytes
File E:\WINDOWS\$NtUninstallKB43398$\109817613\bckfg.tmp 870 bytes
File E:\WINDOWS\$NtUninstallKB43398$\109817613\cfg.ini 198 bytes
File E:\WINDOWS\$NtUninstallKB43398$\109817613\Desktop.ini 4608 bytes
File E:\WINDOWS\$NtUninstallKB43398$\109817613\keywords 0 bytes
File E:\WINDOWS\$NtUninstallKB43398$\109817613\L 0 bytes
File E:\WINDOWS\$NtUninstallKB43398$\109817613\L\uptssctp 217976 bytes
File E:\WINDOWS\$NtUninstallKB43398$\109817613\lsflt7.ver 5176 bytes
File E:\WINDOWS\$NtUninstallKB43398$\109817613\U 0 bytes
File E:\WINDOWS\$NtUninstallKB43398$\109817613\U\00000001.@ 2048 bytes
File E:\WINDOWS\$NtUninstallKB43398$\109817613\U\00000002.$ 0 bytes
File E:\WINDOWS\$NtUninstallKB43398$\109817613\U\00000004.@ 1024 bytes
File E:\WINDOWS\$NtUninstallKB43398$\109817613\U\80000000.@ 11264 bytes
File E:\WINDOWS\$NtUninstallKB43398$\109817613\U\80000004.@ 12800 bytes
File E:\WINDOWS\$NtUninstallKB43398$\109817613\U\80000032.@ 77312 bytes
File E:\WINDOWS\$NtUninstallKB43398$\3615730991 0 bytes

---- EOF - GMER 1.0.15 ----

#7 villandra

villandra
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:07:00 PM

Posted 15 January 2012 - 09:49 AM

I tried to delete the mbam entries from the registry, but it would not let me delete the ControlSet_/LEGACY entries.

Do these need to be deleted? Would they interfere with installing the mbam service?

I did not try to delete the Regedit/Last Key entry. Does this merely say that I was last looking at a key that had to do with mbam? However, there doesn't appear to be any key ContextMenuHandlers\MBAMShExt View. What's up with that?

Dora

#8 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:03:00 AM

Posted 15 January 2012 - 11:01 AM

I seriously do not appreciate your tone, you are getting help for free from someone who is doing this as a volunteer. That means you do not get to insult me as you please. If you need to talk down to someone while they're fixing what you borked, then I would recommend a repair shop. I will not take it.

First I never asked you to run ComboFix, I asked why you wouldn't run ComboFix. Completely different things.

Let me assure you, I do understand the logs, I even went out of my way to explain to you the lines you said you did not understand, instead of referring you to google, where anybody would have found the answers themselves. I also do know how to edit the registry and I can tell you right here and now, you won't fix this by editing a registry file.


For what it's worth you have caught yourself a rootkit, namely ZeroAccess:

File E:\WINDOWS\$NtUninstallKB43398$\109817613 0 bytes
File E:\WINDOWS\$NtUninstallKB43398$\109817613\@ 2048 bytes
File E:\WINDOWS\$NtUninstallKB43398$\109817613\bckfg.tmp 870 bytes
File E:\WINDOWS\$NtUninstallKB43398$\109817613\cfg.ini 198 bytes
File E:\WINDOWS\$NtUninstallKB43398$\109817613\Desktop.ini 4608 bytes
File E:\WINDOWS\$NtUninstallKB43398$\109817613\keywords 0 bytes
File E:\WINDOWS\$NtUninstallKB43398$\109817613\L 0 bytes
File E:\WINDOWS\$NtUninstallKB43398$\109817613\L\uptssctp 217976 bytes
File E:\WINDOWS\$NtUninstallKB43398$\109817613\lsflt7.ver 5176 bytes
File E:\WINDOWS\$NtUninstallKB43398$\109817613\U 0 bytes
File E:\WINDOWS\$NtUninstallKB43398$\109817613\U\00000001.@ 2048 bytes
File E:\WINDOWS\$NtUninstallKB43398$\109817613\U\00000002.$ 0 bytes
File E:\WINDOWS\$NtUninstallKB43398$\109817613\U\00000004.@ 1024 bytes
File E:\WINDOWS\$NtUninstallKB43398$\109817613\U\80000000.@ 11264 bytes
File E:\WINDOWS\$NtUninstallKB43398$\109817613\U\80000004.@ 12800 bytes
File E:\WINDOWS\$NtUninstallKB43398$\109817613\U\80000032.@ 77312 bytes
File E:\WINDOWS\$NtUninstallKB43398$\3615730991 0 bytes


Since you won't do a reformat, my recommendation would be to run ComboFix. Since you won't do that, I'd recommend that you no longer do online banking or enter passwords into the site.

I would counsel you to disconnect this PC from the Internet. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

I'll ask if someone else wants to help you with your problem, but I wouldn't hold my breath. I'm certainly done helping you.

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!
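One way to do mechanically the triage myrti did by eye on the GMER log (the user-mode hook lines in the ".text" section and the "File" listing under the fake $NtUninstallKB...$ folder). This is an added example for this thread, not code from BleepingComputer or from the GMER project: the regular expressions, the directory-layout heuristic and the function names are this example's own assumptions, and the sample lines are excerpted from the log posted above.

```python
"""Read GMER 1.0.15 log lines and flag two things a responder looks for:

1. "File" entries under a fake hotfix-uninstall folder whose numeric
   subfolder holds '@', 'U' and 'L' (the ZeroAccess layout myrti points at).
2. Inline JMP hooks whose target carries no module attribution, i.e. the
   hook lands in unnamed memory rather than in a named DLL such as IEFRAME.dll.
   Security products install such hooks too, so these are "attribute by hand"
   items, not verdicts.

Added example; regexes and heuristics are this example's own assumptions.
"""
import re
from collections import defaultdict

# GMER "File" line:   File <path> <size> bytes
FILE_LINE_RE = re.compile(r"^File (?P<path>.+?) (?P<size>\d+) bytes$")

# GMER user-mode hook line:
#   .text <process>[pid] <module>!<export>[ + off] <addr> <n> Byte(s) <patch>
HOOK_LINE_RE = re.compile(
    r"^\.text (?P<proc>.+?\[\d+\]) (?P<export>\S+!\S+(?: \+ \d+)?) "
    r"(?P<addr>[0-9A-F]{8}) (?P<n>\d+) Bytes? (?P<patch>.+)$"
)

# Fake hotfix folder with a numeric subfolder, e.g.
#   E:\WINDOWS\$NtUninstallKB43398$\109817613   (assumed pattern)
ZA_DIR_RE = re.compile(
    r"^(?P<root>[A-Z]:\\WINDOWS\\\$NtUninstallKB\d+\$\\\d+)(?:\\|$)", re.I
)

# Sample lines excerpted from the log posted in this thread.
SAMPLE_LOG = [
    r".text E:\Program Files\Internet Explorer\iexplore.exe[4308] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001501F8",
    r".text E:\Program Files\Internet Explorer\iexplore.exe[4308] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]",
    r".text E:\Program Files\Internet Explorer\iexplore.exe[4308] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003E03FC",
    r".text E:\Program Files\Internet Explorer\iexplore.exe[4308] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 E:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)",
    r"File E:\WINDOWS\$NtUninstallKB43398$\109817613 0 bytes",
    r"File E:\WINDOWS\$NtUninstallKB43398$\109817613\@ 2048 bytes",
    r"File E:\WINDOWS\$NtUninstallKB43398$\109817613\L 0 bytes",
    r"File E:\WINDOWS\$NtUninstallKB43398$\109817613\L\uptssctp 217976 bytes",
    r"File E:\WINDOWS\$NtUninstallKB43398$\109817613\U 0 bytes",
    r"File E:\WINDOWS\$NtUninstallKB43398$\109817613\U\80000032.@ 77312 bytes",
    r"File E:\WINDOWS\$NtUninstallKB43398$\3615730991 0 bytes",
    r"Disk \Device\Harddisk2\DR5 sector 00: rootkit-like behavior",
]


def parse_files(lines):
    """Group File entries by fake-hotfix root: {root: [(relative_path, size), ...]}."""
    groups = defaultdict(list)
    for line in lines:
        m = FILE_LINE_RE.match(line.strip())
        if not m:
            continue
        d = ZA_DIR_RE.match(m["path"])
        if d:
            rel = m["path"][len(d["root"]):].lstrip("\\") or "."
            groups[d["root"]].append((rel, int(m["size"])))
    return dict(groups)


def looks_like_zeroaccess(entries):
    """Heuristic: the numeric folder holds '@' plus 'U' and 'L' subtrees."""
    top_level = {rel.split("\\")[0] for rel, _ in entries}
    return {"@", "U", "L"} <= top_level


def unattributed_hooks(lines):
    """Return (process, export, target) for JMP hooks with no module name after the target."""
    found = []
    for line in lines:
        m = HOOK_LINE_RE.match(line.strip())
        if not m:
            continue
        jm = re.match(r"^JMP (?P<target>[0-9A-F]{8})(?P<rest>.*)$", m["patch"])
        if jm and not jm["rest"].strip():
            found.append((m["proc"], m["export"], jm["target"]))
    return found


def summarize(lines):
    """Combine both checks into one triage dict."""
    groups = parse_files(lines)
    return {
        "zeroaccess_dirs": sorted(d for d, e in groups.items() if looks_like_zeroaccess(e)),
        "unattributed_hooks": unattributed_hooks(lines),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key)
        for item in value:
            print("   ", item)
```

Run against a full GMER log, `summarize()` lists the fake-hotfix folders that match the three-subtree layout and the hooks that point into unnamed memory; both lists are starting points for attribution, not a clean/infected verdict on their own.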

 



#9 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,313 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:04:00 AM

Posted 15 January 2012 - 11:26 AM

Hello villandra,

As it appears you had some concerns, I'll address these for you:

I am wondering if this seeming CombFix tech support lemming syndrome is caused by inability to read and edit a registry file. If you can't read a registry file you aren't going to be able to tell me how to fix it, so if that's why you would want me to run ComboFix, can you direct me to a forum where there are people who can, and do, read registry files?

What you call a "combFix tech support lemming syndrome" is simply a helpers' decision to use the tool best fit to combat this infection (as already pointed out, the ZeroAccess rootkit).

If you cannot accept this or do not trust the advice you receive here at BC, then I suggest you go looking elsewhere for help. I can assure you that your helper is quite competent, but you can only take my word for that.

As you chose to come with your problem to a free help forum, the least I can ask from you is to show some consideration towards our helpers, as they offer their own free time to help perfect strangers like you.
If you wish to continue to clean your computer of malware, please be polite towards your helper at the very least. Any other rude behavior will not be tolerated and will lead to this topic being closed without further warning.

Please let me know how you wish to continue. I can however tell you beforehand that continuing the clean-up will involve running Combofix as it makes no sense at all to go through the trouble of cleaning this infection manually when there is a tool that does a good job on it; that would be a waste of both my time and yours.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#10 villandra

villandra
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:07:00 PM

Posted 15 January 2012 - 04:55 PM

I call that laziness, Elyse.

Now, I posted a whole bunch of stuff that was specifically asked for, and no one has even looked at the results.

Dora

#11 villandra

villandra
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:07:00 PM

Posted 15 January 2012 - 06:23 PM

I'm particularly concerned about this entry.


---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk2\DR5 sector 00: rootkit-like behavior

Did GMER delete it? It is not clear if GMER fixes what it finds.

Otherwise, what do I specifically do to get rid of it?

Yours,
Dora Smith

#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,313 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:04:00 AM

Posted 16 January 2012 - 01:41 AM

I call that laziness, Elyse.

I don't see why I or anyone else should help a person who in thanks calls us lazy. I asked you to be polite, you chose not to, there really isn't anything to discuss about it anymore.

If you need your computer, which is obviously infected, fixed, I suggest you take it to a repair shop or something similar and pay for it to get it cleaned.

This topic is now closed.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft




