semloh
2012-09-12, 07:47
I recently picked up something while downloading a free video recording program. I ran Spybot several times and in safe mode but it only finds Mediaplex. Spybot always finds Mediaplex and has been for a long time and it fixes it but it always comes back so I know it is not the problem.
I downloaded another program, Spyware 4 (something like that); it found a bunch of stuff, the worst of it was Whatzit, but I didn't pay to have Spyware 4 fix it all.
So here is my DDS, and I backed up with ERUNT.
Thanks in advance
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by Dad at 22:46:06 on 2012-09-11
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2047.638 [GMT -5:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\bgsvcgen.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Panasonic\VideoCam Suite 2\VideoCamSuiteAutoStart.exe
C:\Users\Dad\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\wermgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil32_11_4_402_265_ActiveX.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Windows\System32\svchost.exe" -k LocalServiceDns
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page =
uStart Page = hxxp://yahoo.com/
uDefault_Page_URL = hxxp://www.lenovo.com
uSearch Bar =
mStart Page = hxxp://start.funmoods.com/?f=1&a=axl&chnl=axl&cd=2XzuyEtN2Y1L1QzutDtDtC0EzytDzy0CtDyDyEtCtB0AtAzytN0D0Tzu0CtBtByCtN1L2XzutBtFtCtFtCtFtAtCtB&cr=1239308023
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Funmoods Helper Object: {75ebb0aa-4214-4cb4-90ec-e3e07ecd04f7} - c:\progra~1\funmoods\1.5.23.22\bh\escort.dll
BHO: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll
TB: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll
TB: Funmoods Toolbar: {a4c272ec-ed9e-4ace-a6f2-9558c7f29ef3} - c:\progra~1\funmoods\1.5.23.22\escorTlbr.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\users\dad\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\dad\appdata\roaming\dropbox\bin\Dropbox.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\videoc~1.lnk - c:\program files\panasonic\videocam suite 2\VideoCamSuiteAutoStart.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\pokerstars.net\PokerStarsUpdate.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0\bin\npjpi150.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
LSP: mswsock.dll
Trusted Zone: www.dsvanywhere.com
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {413D6754-BFD4-47FE-9346-319559290BFA} - hxxps://www.webpcfos.com/webpcfos/websabre/HTEweb_v.cab
DPF: {82836898-30F4-4813-9A2F-120C012E44E7} - hxxp://www.dsvanywhere.com/appeon/weblibrary_ax/ceondownloadcenter.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {C1417ACD-9FFB-4B26-8060-ED6B55F04CCE} - (local)
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-31-0.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.11.1
TCP: Interfaces\{41CA0DD7-703F-448D-9A5D-4BDE77152612} : DhcpNameServer = 192.168.11.1
.
============= SERVICES / DRIVERS ===============
.
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2009-6-6 21504]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-2-22 136176]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-10-5 1153368]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-6-10 250568]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-2-22 136176]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-25 35088]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-09-04 22:37:35 -------- d-----w- c:\program files\Enigma Software Group
2012-09-04 22:36:58 -------- d-----w- c:\windows\ADAFC0B4FC1545D9BAB3BC7A8829D0C4.TMP
2012-09-02 15:04:11 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-09-02 04:50:39 -------- d-----w- c:\program files\ieSpell
2012-09-02 00:29:56 49664 ----a-w- c:\windows\system32\CamCodec.dll
2012-09-02 00:29:56 -------- d-----w- c:\program files\CamStudio 2.6b
2012-08-31 07:39:08 7022536 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{125e9b9e-9bf8-458f-9795-d3bbfcd90f10}\mpengine.dll
2012-08-15 08:00:48 2047488 ----a-w- c:\windows\system32\win32k.sys
2012-08-15 06:17:42 623616 ----a-w- c:\windows\system32\localspl.dll
2012-08-14 05:52:48 -------- d-----w- c:\program files\WinPcap
2012-08-14 05:37:17 -------- d-----w- c:\program files\Applian Technologies
2012-08-14 05:36:50 33958 ----a-w- c:\programdata\uninstaller.exe
2012-08-14 05:36:48 -------- d-----w- c:\programdata\WeCareReminder
2012-08-14 05:36:28 -------- d-----w- c:\programdata\Tarma Installer
.
==================== Find3M ====================
.
2012-09-02 14:59:01 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-02 14:59:01 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-12 14:29:52 4534272 ----a-w- c:\programdata\ReadOnlyInstaller.msi
2012-06-29 00:16:58 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-06-29 00:09:01 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-06-29 00:08:59 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-29 00:04:43 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-29 00:00:45 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2010-01-22 02:57:58 58540784 ----a-w- c:\program files\Garmin_HomePort_203.exe
.
============= FINISH: 22:47:36.93 ===============
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-09-11 22:52:52
-----------------------------
22:52:52.726 OS Version: Windows 6.0.6002 Service Pack 2
22:52:52.726 Number of processors: 2 586 0xF0D
22:52:52.726 ComputerName: DAD-PC UserName: Dad
22:52:54.910 Initialize success
22:54:20.001 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-3
22:54:20.012 Disk 0 Vendor: WDC_WD3200AAJS-08B4A0 01.03A01 Size: 305245MB BusType: 3
22:54:20.080 Disk 0 MBR read successfully
22:54:20.089 Disk 0 MBR scan
22:54:20.096 Disk 0 Windows VISTA default MBR code
22:54:20.137 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 286752 MB offset 2048
22:54:20.189 Disk 0 Partition 2 00 12 Compaq diag MSWIN4.1 18488 MB offset 587272140
22:54:20.201 Disk 0 scanning sectors +625137345
22:54:20.377 Disk 0 scanning C:\Windows\system32\drivers
22:54:28.379 Service scanning
22:55:08.420 Modules scanning
22:55:14.000 Disk 0 trace - called modules:
22:55:14.050 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS intelide.sys PCIIDEX.SYS atapi.sys
22:55:14.060 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x849f1528]
22:55:14.075 3 CLASSPNP.SYS[87d9d8b3] -> nt!IofCallDriver -> [0x84825538]
22:55:14.090 5 acpi.sys[8069b6bc] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-3[0x84825030]
22:55:14.105 Scan finished successfully
22:55:37.095 Disk 0 MBR has been saved successfully to "C:\Users\Dad\Documents\MBR.dat"
22:55:37.109 The log file has been saved successfully to "C:\Users\Dad\Documents\aswMBR.txt"
Spybot log (top only)
--- Search result list ---
MediaPlex: Tracking cookie (Internet Explorer: Dad) (Cookie, nothing done)
Log: Activity: ntbtlog.txt (Backup file, nothing done)
C:\Windows\ntbtlog.txt
Log: Install: setupact.log (Backup file, nothing done)
C:\Windows\setupact.log
Log: Install: setupapi.log (Backup file, nothing done)
C:\Windows\setupapi.log
Log: Install: DtcInstall.log (Backup file, nothing done)
C:\Windows\DtcInstall.log
Log: Shutdown: System32\wbem\logs\wmiprov.log (Backup file, nothing done)
C:\Windows\System32\wbem\logs\wmiprov.log
Internet Explorer: [SBI $FF589D0C] Download directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-4234410714-4276595648-1207258791-1000\Software\Microsoft\Internet Explorer\Download Directory
Internet Explorer: [SBI $0BC7B918] User agent (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
Internet Explorer: [SBI $0BC7B918] User agent (Registry change, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
Internet Explorer: [SBI $0BC7B918] User agent (Registry change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
Internet Explorer: [SBI $0BC7B918] User agent (Registry change, nothing done)
HKEY_USERS\S-1-5-21-4234410714-4276595648-1207258791-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
Internet Explorer: [SBI $0BC7B918] User agent (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
Isobuster: [SBI $FFCD5808] Last save folder (Registry value, nothing done)
HKEY_USERS\S-1-5-21-4234410714-4276595648-1207258791-1000\Software\Smart Projects\IsoBuster\LastSavedPath
MS Management Console: [SBI $ECD50EAD] Recent command list (1 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-4234410714-4276595648-1207258791-1000\Software\Microsoft\Microsoft Management Console\Recent File List
MS Media Player: [SBI $E48560B4] Recent file list (9 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-4234410714-4276595648-1207258791-1000\Software\Microsoft\MediaPlayer\Player\RecentFileList
MS Direct3D: [SBI $7FB7B83F] Most recent application (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name
MS Direct3D: [SBI $C2A44980] Most recent application (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication\Name
MS Direct3D: [SBI $C2A44980] Most recent application (Registry change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Direct3D\MostRecentApplication\Name
MS Direct3D: [SBI $C2A44980] Most recent application (Registry change, nothing done)
HKEY_USERS\S-1-5-21-4234410714-4276595648-1207258791-1000\Software\Microsoft\Direct3D\MostRecentApplication\Name
MS Direct3D: [SBI $C2A44980] Most recent application (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Direct3D\MostRecentApplication\Name
MS DirectDraw: [SBI $EB49D5AF] Most recent application (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\Name
MS DirectInput: [SBI $9A063C91] Most recent application (Registry change, nothing done)
HKEY_USERS\S-1-5-21-4234410714-4276595648-1207258791-1000\Software\Microsoft\DirectInput\MostRecentApplication\Name
MS DirectInput: [SBI $7B184199] Most recent application ID (Registry change, nothing done)
HKEY_USERS\S-1-5-21-4234410714-4276595648-1207258791-1000\Software\Microsoft\DirectInput\MostRecentApplication\Id
MS Office 10.0: [SBI $98B69A5E] Used cliparts (6 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-4234410714-4276595648-1207258791-1000\Software\Microsoft\Office\10.0\Clip Organizer\Search\Last Query
MS Office 10.0: [SBI $65F660A1] Internet history (Registry value, nothing done)
HKEY_USERS\S-1-5-21-4234410714-4276595648-1207258791-1000\Software\Microsoft\Office\10.0\Common\Internet\UseRWHlinkNavigation
MS Office 10.0 (Word): [SBI $51FE086C] Recently used documents list (Registry value, nothing done)
HKEY_USERS\S-1-5-21-4234410714-4276595648-1207258791-1000\Software\Microsoft\Office\10.0\Word\Data\Settings
MS Office 10.0 (Word): [SBI $B928A857] Templates history (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-4234410714-4276595648-1207258791-1000\Software\Microsoft\Office\10.0\Word\Recent Templates
MS Office 10.0 (Word): [SBI $E97870AB] Disabled items history (Registry key, nothing done)
HKEY_USERS\S-1-5-21-4234410714-4276595648-1207258791-1000\Software\Microsoft\Office\10.0\Word\Resiliency\DisabledItems
MS Office 10.0 (Excel): [SBI $16D8675C] Recent file list (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-4234410714-4276595648-1207258791-1000\Software\Microsoft\Office\10.0\Excel\Recent Files
MS Office 10.0 (PowerPoint): [SBI $5DEA78E3] recent file list (9 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-4234410714-4276595648-1207258791-1000\Software\Microsoft\Office\10.0\PowerPoint\Recent File List
MS Office 10.0 (PowerPoint): [SBI $69597F08] Used templates history (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-4234410714-4276595648-1207258791-1000\Software\Microsoft\Office\10.0\PowerPoint\Recent Templates
MS Office 10.0 (PowerPoint): [SBI $1FFA979A] Recently used templates (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-4234410714-4276595648-1207258791-1000\Software\Microsoft\Office\10.0\PowerPoint\RecentTemplateList
MS Paint: [SBI $07867C39] Recent file list (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-4234410714-4276595648-1207258791-1000\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List
Windows.OpenWith: [SBI $CDE7D0A6] Open with list - .ASX extension (3 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-4234410714-4276595648-1207258791-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ASX\OpenWithList
Windows.OpenWith: [SBI $F7204896] Open with list - .AVI extension (11 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-4234410714-4276595648-1207258791-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AVI\OpenWithList
Windows.OpenWith: [SBI $A1C94E79] Open with list - .BMP extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-4234410714-4276595648-1207258791-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BMP\OpenWithList
Windows.OpenWith: [SBI $63036C95] Open with list - .CAB extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-4234410714-4276595648-1207258791-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CAB\OpenWithList
Windows Explorer: [SBI $A2C7B3CD] Recent wallpaper list (314 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-4234410714-4276595648-1207258791-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper\MRU
Windows Explorer: [SBI $2026AFB6] User Assistant history IE (1 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-4234410714-4276595648-1207258791-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count
Windows Explorer: [SBI $6107D172] User Assistant history files (190 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-4234410714-4276595648-1207258791-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
Windows Explorer: [SBI $D20DA0AD] Recent file global history (Registry key, nothing done)
HKEY_USERS\S-1-5-21-4234410714-4276595648-1207258791-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Windows Media SDK: [SBI $37AAEDE6] Computer name (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows Media\WMSDK\General\ComputerName
Windows Media SDK: [SBI $37AAEDE6] Computer name (Registry change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows Media\WMSDK\General\ComputerName
Windows Media SDK: [SBI $37AAEDE6] Computer name (Registry change, nothing done)
HKEY_USERS\S-1-5-21-4234410714-4276595648-1207258791-1000\Software\Microsoft\Windows Media\WMSDK\General\ComputerName
Windows Media SDK: [SBI $37AAEDE6] Computer name (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows Media\WMSDK\General\ComputerName
Windows Media SDK: [SBI $CAA58B6E] Unique ID (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows Media\WMSDK\General\UniqueID
Windows Media SDK: [SBI $CAA58B6E] Unique ID (Registry change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows Media\WMSDK\General\UniqueID
Windows Media SDK: [SBI $CAA58B6E] Unique ID (Registry change, nothing done)
HKEY_USERS\S-1-5-21-4234410714-4276595648-1207258791-1000\Software\Microsoft\Windows Media\WMSDK\General\UniqueID
Windows Media SDK: [SBI $CAA58B6E] Unique ID (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows Media\WMSDK\General\UniqueID
Windows Media SDK: [SBI $BACCD0DA] Volume serial number (Registry value, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber
Windows Media SDK: [SBI $BACCD0DA] Volume serial number (Registry value, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber
Windows Media SDK: [SBI $BACCD0DA] Volume serial number (Registry value, nothing done)
HKEY_USERS\S-1-5-21-4234410714-4276595648-1207258791-1000\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber
Windows Media SDK: [SBI $BACCD0DA] Volume serial number (Registry value, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber
WinRAR: [SBI $0B56E92B] Recent file list (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-4234410714-4276595648-1207258791-1000\Software\WinRAR\ArcHistory
WinRAR: [SBI $A59A1C0A] Recent exe file list (16 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-4234410714-4276595648-1207258791-1000\Software\WinRAR\DialogEditHistory\ArcName
WinRAR: [SBI $B84F9965] Last used directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-4234410714-4276595648-1207258791-1000\Software\WinRAR\General\LastFolder
WinRAR: [SBI $B510882E] Extraction directory history (16 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-4234410714-4276595648-1207258791-1000\Software\WinRAR\DialogEditHistory\ExtrPath
Cookie: [SBI $49804B54] Cookie (142) (Cookie, nothing done)
Cache: [SBI $49804B54] Cache (2304) (Cache, nothing done)
History: [SBI $49804B54] History (12) (History, nothing done)
I downloaded another program Spyware 4 ( something like that) it found a bunch of stuff the worst of it was Whatzit but I didnt pay to have Spyware 4 fix it all.
So here is my DDS and I backed up with erunt
Thanks in advance
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by Dad at 22:46:06 on 2012-09-11
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2047.638 [GMT -5:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\bgsvcgen.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Panasonic\VideoCam Suite 2\VideoCamSuiteAutoStart.exe
C:\Users\Dad\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\wermgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil32_11_4_402_265_ActiveX.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Windows\System32\svchost.exe" -k LocalServiceDns
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page =
uStart Page = hxxp://yahoo.com/
uDefault_Page_URL = hxxp://www.lenovo.com
uSearch Bar =
mStart Page = hxxp://start.funmoods.com/?f=1&a=axl&chnl=axl&cd=2XzuyEtN2Y1L1QzutDtDtC0EzytDzy0CtDyDyEtCtB0AtAzytN0D0Tzu0CtBtByCtN1L2XzutBtFtCtFtCtFtAtCtB&cr=1239308023
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Funmoods Helper Object: {75ebb0aa-4214-4cb4-90ec-e3e07ecd04f7} - c:\progra~1\funmoods\1.5.23.22\bh\escort.dll
BHO: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll
TB: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll
TB: Funmoods Toolbar: {a4c272ec-ed9e-4ace-a6f2-9558c7f29ef3} - c:\progra~1\funmoods\1.5.23.22\escorTlbr.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\users\dad\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\dad\appdata\roaming\dropbox\bin\Dropbox.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\videoc~1.lnk - c:\program files\panasonic\videocam suite 2\VideoCamSuiteAutoStart.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\pokerstars.net\PokerStarsUpdate.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0\bin\npjpi150.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
LSP: mswsock.dll
Trusted Zone: www.dsvanywhere.com
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {413D6754-BFD4-47FE-9346-319559290BFA} - hxxps://www.webpcfos.com/webpcfos/websabre/HTEweb_v.cab
DPF: {82836898-30F4-4813-9A2F-120C012E44E7} - hxxp://www.dsvanywhere.com/appeon/weblibrary_ax/ceondownloadcenter.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {C1417ACD-9FFB-4B26-8060-ED6B55F04CCE} - (local)
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-31-0.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.11.1
TCP: Interfaces\{41CA0DD7-703F-448D-9A5D-4BDE77152612} : DhcpNameServer = 192.168.11.1
.
============= SERVICES / DRIVERS ===============
.
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2009-6-6 21504]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-2-22 136176]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-10-5 1153368]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-6-10 250568]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-2-22 136176]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-25 35088]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-09-04 22:37:35 -------- d-----w- c:\program files\Enigma Software Group
2012-09-04 22:36:58 -------- d-----w- c:\windows\ADAFC0B4FC1545D9BAB3BC7A8829D0C4.TMP
2012-09-02 15:04:11 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-09-02 04:50:39 -------- d-----w- c:\program files\ieSpell
2012-09-02 00:29:56 49664 ----a-w- c:\windows\system32\CamCodec.dll
2012-09-02 00:29:56 -------- d-----w- c:\program files\CamStudio 2.6b
2012-08-31 07:39:08 7022536 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{125e9b9e-9bf8-458f-9795-d3bbfcd90f10}\mpengine.dll
2012-08-15 08:00:48 2047488 ----a-w- c:\windows\system32\win32k.sys
2012-08-15 06:17:42 623616 ----a-w- c:\windows\system32\localspl.dll
2012-08-14 05:52:48 -------- d-----w- c:\program files\WinPcap
2012-08-14 05:37:17 -------- d-----w- c:\program files\Applian Technologies
2012-08-14 05:36:50 33958 ----a-w- c:\programdata\uninstaller.exe
2012-08-14 05:36:48 -------- d-----w- c:\programdata\WeCareReminder
2012-08-14 05:36:28 -------- d-----w- c:\programdata\Tarma Installer
.
==================== Find3M ====================
.
2012-09-02 14:59:01 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-02 14:59:01 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-12 14:29:52 4534272 ----a-w- c:\programdata\ReadOnlyInstaller.msi
2012-06-29 00:16:58 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-06-29 00:09:01 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-06-29 00:08:59 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-29 00:04:43 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-29 00:00:45 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2010-01-22 02:57:58 58540784 ----a-w- c:\program files\Garmin_HomePort_203.exe
.
============= FINISH: 22:47:36.93 ===============

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-09-11 22:52:52
-----------------------------
22:52:52.726 OS Version: Windows 6.0.6002 Service Pack 2
22:52:52.726 Number of processors: 2 586 0xF0D
22:52:52.726 ComputerName: DAD-PC UserName: Dad
22:52:54.910 Initialize success
22:54:20.001 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-3
22:54:20.012 Disk 0 Vendor: WDC_WD3200AAJS-08B4A0 01.03A01 Size: 305245MB BusType: 3
22:54:20.080 Disk 0 MBR read successfully
22:54:20.089 Disk 0 MBR scan
22:54:20.096 Disk 0 Windows VISTA default MBR code
22:54:20.137 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 286752 MB offset 2048
22:54:20.189 Disk 0 Partition 2 00 12 Compaq diag MSWIN4.1 18488 MB offset 587272140
22:54:20.201 Disk 0 scanning sectors +625137345
22:54:20.377 Disk 0 scanning C:\Windows\system32\drivers
22:54:28.379 Service scanning
22:55:08.420 Modules scanning
22:55:14.000 Disk 0 trace - called modules:
22:55:14.050 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS intelide.sys PCIIDEX.SYS atapi.sys
22:55:14.060 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x849f1528]
22:55:14.075 3 CLASSPNP.SYS[87d9d8b3] -> nt!IofCallDriver -> [0x84825538]
22:55:14.090 5 acpi.sys[8069b6bc] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-3[0x84825030]
22:55:14.105 Scan finished successfully
22:55:37.095 Disk 0 MBR has been saved successfully to "C:\Users\Dad\Documents\MBR.dat"
22:55:37.109 The log file has been saved successfully to "C:\Users\Dad\Documents\aswMBR.txt"

Spybot log (top only)
--- Search result list ---
MediaPlex: Tracking cookie (Internet Explorer: Dad) (Cookie, nothing done)
Log: Activity: ntbtlog.txt (Backup file, nothing done)
C:\Windows\ntbtlog.txt
Log: Install: setupact.log (Backup file, nothing done)
C:\Windows\setupact.log
Log: Install: setupapi.log (Backup file, nothing done)
C:\Windows\setupapi.log
Log: Install: DtcInstall.log (Backup file, nothing done)
C:\Windows\DtcInstall.log
Log: Shutdown: System32\wbem\logs\wmiprov.log (Backup file, nothing done)
C:\Windows\System32\wbem\logs\wmiprov.log
Internet Explorer: [SBI $FF589D0C] Download directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-4234410714-4276595648-1207258791-1000\Software\Microsoft\Internet Explorer\Download Directory
Internet Explorer: [SBI $0BC7B918] User agent (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
Internet Explorer: [SBI $0BC7B918] User agent (Registry change, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
Internet Explorer: [SBI $0BC7B918] User agent (Registry change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
Internet Explorer: [SBI $0BC7B918] User agent (Registry change, nothing done)
HKEY_USERS\S-1-5-21-4234410714-4276595648-1207258791-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
Internet Explorer: [SBI $0BC7B918] User agent (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
Isobuster: [SBI $FFCD5808] Last save folder (Registry value, nothing done)
HKEY_USERS\S-1-5-21-4234410714-4276595648-1207258791-1000\Software\Smart Projects\IsoBuster\LastSavedPath
MS Management Console: [SBI $ECD50EAD] Recent command list (1 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-4234410714-4276595648-1207258791-1000\Software\Microsoft\Microsoft Management Console\Recent File List
MS Media Player: [SBI $E48560B4] Recent file list (9 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-4234410714-4276595648-1207258791-1000\Software\Microsoft\MediaPlayer\Player\RecentFileList
MS Direct3D: [SBI $7FB7B83F] Most recent application (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name
MS Direct3D: [SBI $C2A44980] Most recent application (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication\Name
MS Direct3D: [SBI $C2A44980] Most recent application (Registry change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Direct3D\MostRecentApplication\Name
MS Direct3D: [SBI $C2A44980] Most recent application (Registry change, nothing done)
HKEY_USERS\S-1-5-21-4234410714-4276595648-1207258791-1000\Software\Microsoft\Direct3D\MostRecentApplication\Name
MS Direct3D: [SBI $C2A44980] Most recent application (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Direct3D\MostRecentApplication\Name
MS DirectDraw: [SBI $EB49D5AF] Most recent application (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\Name
MS DirectInput: [SBI $9A063C91] Most recent application (Registry change, nothing done)
HKEY_USERS\S-1-5-21-4234410714-4276595648-1207258791-1000\Software\Microsoft\DirectInput\MostRecentApplication\Name
MS DirectInput: [SBI $7B184199] Most recent application ID (Registry change, nothing done)
HKEY_USERS\S-1-5-21-4234410714-4276595648-1207258791-1000\Software\Microsoft\DirectInput\MostRecentApplication\Id
MS Office 10.0: [SBI $98B69A5E] Used cliparts (6 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-4234410714-4276595648-1207258791-1000\Software\Microsoft\Office\10.0\Clip Organizer\Search\Last Query
MS Office 10.0: [SBI $65F660A1] Internet history (Registry value, nothing done)
HKEY_USERS\S-1-5-21-4234410714-4276595648-1207258791-1000\Software\Microsoft\Office\10.0\Common\Internet\UseRWHlinkNavigation
MS Office 10.0 (Word): [SBI $51FE086C] Recently used documents list (Registry value, nothing done)
HKEY_USERS\S-1-5-21-4234410714-4276595648-1207258791-1000\Software\Microsoft\Office\10.0\Word\Data\Settings
MS Office 10.0 (Word): [SBI $B928A857] Templates history (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-4234410714-4276595648-1207258791-1000\Software\Microsoft\Office\10.0\Word\Recent Templates
MS Office 10.0 (Word): [SBI $E97870AB] Disabled items history (Registry key, nothing done)
HKEY_USERS\S-1-5-21-4234410714-4276595648-1207258791-1000\Software\Microsoft\Office\10.0\Word\Resiliency\DisabledItems
MS Office 10.0 (Excel): [SBI $16D8675C] Recent file list (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-4234410714-4276595648-1207258791-1000\Software\Microsoft\Office\10.0\Excel\Recent Files
MS Office 10.0 (PowerPoint): [SBI $5DEA78E3] recent file list (9 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-4234410714-4276595648-1207258791-1000\Software\Microsoft\Office\10.0\PowerPoint\Recent File List
MS Office 10.0 (PowerPoint): [SBI $69597F08] Used templates history (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-4234410714-4276595648-1207258791-1000\Software\Microsoft\Office\10.0\PowerPoint\Recent Templates
MS Office 10.0 (PowerPoint): [SBI $1FFA979A] Recently used templates (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-4234410714-4276595648-1207258791-1000\Software\Microsoft\Office\10.0\PowerPoint\RecentTemplateList
MS Paint: [SBI $07867C39] Recent file list (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-4234410714-4276595648-1207258791-1000\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List
Windows.OpenWith: [SBI $CDE7D0A6] Open with list - .ASX extension (3 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-4234410714-4276595648-1207258791-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ASX\OpenWithList
Windows.OpenWith: [SBI $F7204896] Open with list - .AVI extension (11 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-4234410714-4276595648-1207258791-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AVI\OpenWithList
Windows.OpenWith: [SBI $A1C94E79] Open with list - .BMP extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-4234410714-4276595648-1207258791-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BMP\OpenWithList
Windows.OpenWith: [SBI $63036C95] Open with list - .CAB extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-4234410714-4276595648-1207258791-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CAB\OpenWithList
Windows Explorer: [SBI $A2C7B3CD] Recent wallpaper list (314 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-4234410714-4276595648-1207258791-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper\MRU
Windows Explorer: [SBI $2026AFB6] User Assistant history IE (1 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-4234410714-4276595648-1207258791-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count
Windows Explorer: [SBI $6107D172] User Assistant history files (190 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-4234410714-4276595648-1207258791-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
Windows Explorer: [SBI $D20DA0AD] Recent file global history (Registry key, nothing done)
HKEY_USERS\S-1-5-21-4234410714-4276595648-1207258791-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Windows Media SDK: [SBI $37AAEDE6] Computer name (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows Media\WMSDK\General\ComputerName
Windows Media SDK: [SBI $37AAEDE6] Computer name (Registry change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows Media\WMSDK\General\ComputerName
Windows Media SDK: [SBI $37AAEDE6] Computer name (Registry change, nothing done)
HKEY_USERS\S-1-5-21-4234410714-4276595648-1207258791-1000\Software\Microsoft\Windows Media\WMSDK\General\ComputerName
Windows Media SDK: [SBI $37AAEDE6] Computer name (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows Media\WMSDK\General\ComputerName
Windows Media SDK: [SBI $CAA58B6E] Unique ID (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows Media\WMSDK\General\UniqueID
Windows Media SDK: [SBI $CAA58B6E] Unique ID (Registry change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows Media\WMSDK\General\UniqueID
Windows Media SDK: [SBI $CAA58B6E] Unique ID (Registry change, nothing done)
HKEY_USERS\S-1-5-21-4234410714-4276595648-1207258791-1000\Software\Microsoft\Windows Media\WMSDK\General\UniqueID
Windows Media SDK: [SBI $CAA58B6E] Unique ID (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows Media\WMSDK\General\UniqueID
Windows Media SDK: [SBI $BACCD0DA] Volume serial number (Registry value, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber
Windows Media SDK: [SBI $BACCD0DA] Volume serial number (Registry value, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber
Windows Media SDK: [SBI $BACCD0DA] Volume serial number (Registry value, nothing done)
HKEY_USERS\S-1-5-21-4234410714-4276595648-1207258791-1000\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber
Windows Media SDK: [SBI $BACCD0DA] Volume serial number (Registry value, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber
WinRAR: [SBI $0B56E92B] Recent file list (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-4234410714-4276595648-1207258791-1000\Software\WinRAR\ArcHistory
WinRAR: [SBI $A59A1C0A] Recent exe file list (16 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-4234410714-4276595648-1207258791-1000\Software\WinRAR\DialogEditHistory\ArcName
WinRAR: [SBI $B84F9965] Last used directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-4234410714-4276595648-1207258791-1000\Software\WinRAR\General\LastFolder
WinRAR: [SBI $B510882E] Extraction directory history (16 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-4234410714-4276595648-1207258791-1000\Software\WinRAR\DialogEditHistory\ExtrPath
Cookie: [SBI $49804B54] Cookie (142) (Cookie, nothing done)
Cache: [SBI $49804B54] Cache (2304) (Cache, nothing done)
History: [SBI $49804B54] History (12) (History, nothing done)