
Post trojan hangover


This topic is locked. 21 replies to this topic.

#1 blueade7 (Members, 50 posts)

Posted 23 July 2012 - 11:06 AM

Hi,

I recently removed a trojan virus using combofix which I caught (very stupidly) from an email.
Since then my computer is a lot better, but I am still experiencing problems... my processing speed seems slow, my internet is running very slow and I am getting lots of SPAM pop up windows.

Any advice to help me clear these problems would be very much appreciated.

Thanks



#2 Broni (BC Advisor, Daly City, CA)

Posted 23 July 2012 - 12:20 PM

Since you ran Combofix...

Please follow the instructions in ==>This Guide<== starting at Step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.


#3 blueade7 (Topic Starter)

Posted 24 July 2012 - 05:24 AM

Hi, things have taken a turn for the worse. I was going to put some time aside this evening to follow your instructions, but I have had a screen pop up saying...

"Your Computer is locked" Your computer has been locked by the automated information control system (AICS). It says I need to make a £100 payment to UKASH to get it unlocked. Obviously this is a virus. I am unable to access my desktop, or ctrl-alt-delete, or do anything at all, except force-switch off the computer (I assume) - although I haven't tried this yet either as I wanted to make sure it was the best option before doing so. I have another laptop available to me.

Please let me know what to do!

Thanks very much for any help you can offer.

Edited by blueade7, 24 July 2012 - 05:28 AM.


#4 Broni (BC Advisor, Daly City, CA)

Posted 24 July 2012 - 10:34 AM

I'll report this topic to appropriate malware helpers.
Hold on there.


#5 blueade7 (Topic Starter)

Posted 25 July 2012 - 08:05 AM

Thanks

#6 Elise (Malware Study Hall Admin, Romania)

Posted 30 July 2012 - 04:34 AM

Hello, have you tried booting in Safe mode (try all 3 options) and logging in using the Administrator account?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


Malware analyst @ Emsisoft


#7 blueade7 (Topic Starter)

Posted 30 July 2012 - 05:01 AM

Hi Elise,

I am able to log into Safe Mode as admin. I have run Malwarebytes, which found a trojan, and deleted it. However, I'm pretty sure it will return (as it did previously).
What should I do now? I am still in safe mode.

Thanks, Andy

Edited by blueade7, 30 July 2012 - 05:05 AM.


#8 Elise (Malware Study Hall Admin, Romania)

Posted 30 July 2012 - 05:07 AM

Please do the following. Very important, make sure to click the All users check box!

OTL
-----
Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

regards, Elise




#9 blueade7 (Topic Starter)

Posted 30 July 2012 - 05:36 AM

OTL:

OTL logfile created on: 30/07/2012 11:15:51 - Run 1
OTL by OldTimer - Version 3.2.55.0 Folder = C:\Users\Andrew\Desktop
64bit- Enterprise Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

7.80 Gb Total Physical Memory | 5.71 Gb Available Physical Memory | 73.21% Memory free
15.60 Gb Paging File | 13.35 Gb Available in Paging File | 85.58% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 297.99 Gb Total Space | 84.15 Gb Free Space | 28.24% Space Free | Partition Type: NTFS

Computer Name: ENVCS-PC | User Name: Andrew | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/07/30 11:14:35 | 000,597,504 | ---- | M] (OldTimer Tools) -- C:\Users\Andrew\Desktop\OTL.exe
PRC - [2012/07/18 14:41:37 | 000,913,888 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe
PRC - [2012/07/08 07:19:02 | 000,976,728 | ---- | M] (Trusteer Ltd.) -- C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe
PRC - [2012/07/08 07:19:00 | 001,668,952 | ---- | M] (Trusteer Ltd.) -- C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe
PRC - [2012/05/08 12:44:26 | 000,348,624 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
PRC - [2012/05/08 12:44:26 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
PRC - [2012/05/08 12:44:26 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
PRC - [2012/01/03 14:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2008/03/14 05:00:00 | 000,136,512 | ---- | M] (McAfee, Inc.) -- C:\Program Files (x86)\McAfee\Common Framework\UdaterUI.exe


========== Modules (No Company Name) ==========

MOD - [2012/07/18 14:41:37 | 002,003,424 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\mozjs.dll
MOD - [2012/05/28 21:51:10 | 000,520,464 | ---- | M] () -- C:\ProgramData\Trusteer\Rapport\store\exts\RapportMS\39624\RapportMS.dll
MOD - [2012/02/01 14:43:10 | 000,557,056 | ---- | M] () -- C:\Program Files (x86)\Trusteer\Rapport\bin\js32.dll
MOD - [2011/12/22 16:02:13 | 008,527,008 | ---- | M] () -- C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
MOD - [2011/10/05 04:52:30 | 000,756,048 | ---- | M] () -- C:\Program Files (x86)\Common Files\microsoft shared\OFFICE12\MSPTLS.DLL
MOD - [2005/08/22 16:38:16 | 003,264,512 | ---- | M] () -- C:\Program Files (x86)\McAfee\Common Framework\cryptocme2.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2010/07/19 19:08:30 | 001,429,776 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe -- (EvtEng)
SRV:64bit: - [2010/07/19 18:46:54 | 000,838,928 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe -- (RegSrvc)
SRV:64bit: - [2009/07/14 02:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2009/07/14 02:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
SRV - [2012/07/18 14:41:37 | 000,113,120 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012/07/08 07:19:02 | 000,976,728 | ---- | M] (Trusteer Ltd.) [Auto | Running] -- C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe -- (RapportMgmtService)
SRV - [2012/05/08 12:44:26 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2012/05/08 12:44:26 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2012/05/03 08:31:10 | 000,158,856 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files (x86)\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2012/01/03 14:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2010/07/15 22:28:45 | 000,379,400 | ---- | M] (J. River, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\J River\Media Jukebox 14\JRService.exe -- (Media Jukebox 14 Service)
SRV - [2010/03/18 14:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2010/02/19 14:37:14 | 000,517,096 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe -- (SwitchBoard)
SRV - [2009/06/10 22:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2012/07/08 07:19:18 | 000,101,464 | ---- | M] (Trusteer Ltd.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\RapportKE64.sys -- (RapportKE64)
DRV:64bit: - [2012/05/08 12:44:27 | 000,132,832 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\avipbb.sys -- (avipbb)
DRV:64bit: - [2012/05/08 12:44:27 | 000,098,848 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\avgntflt.sys -- (avgntflt)
DRV:64bit: - [2012/03/01 07:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2011/10/21 18:30:04 | 012,310,112 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\igdkmd64.sys -- (igfx)
DRV:64bit: - [2011/09/16 00:55:03 | 000,027,760 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\avkmgr.sys -- (avkmgr)
DRV:64bit: - [2011/06/22 04:56:12 | 000,043,856 | ---- | M] (F5 Networks, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\covpnv64.sys -- (urvpndrv)
DRV:64bit: - [2011/06/22 04:56:06 | 000,018,512 | ---- | M] (F5 Networks, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\urfltv64.sys -- (f5ipfw)
DRV:64bit: - [2011/03/11 07:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011/03/11 07:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2010/11/20 14:33:35 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010/11/20 12:07:05 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010/11/20 12:03:42 | 000,020,992 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\rdpvideominiport.sys -- (RdpVideoMiniport)
DRV:64bit: - [2010/11/20 10:37:42 | 000,109,056 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\sdbus.sys -- (sdbus)
DRV:64bit: - [2010/07/29 00:25:10 | 000,029,720 | ---- | M] (Initio Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ivusb.sys -- (ivusb)
DRV:64bit: - [2010/07/14 05:42:58 | 007,821,312 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\NETwNs64.sys -- (NETwNs64)
DRV:64bit: - [2010/06/21 14:07:24 | 000,304,760 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Apfiltr.sys -- (ApfiltrService)
DRV:64bit: - [2009/09/17 20:54:54 | 000,056,344 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\HECIx64.sys -- (HECIx64)
DRV:64bit: - [2009/09/09 18:19:38 | 000,085,280 | ---- | M] (O2Micro) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\oz776x64.sys -- (guardian2)
DRV:64bit: - [2009/07/14 02:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/14 02:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/14 02:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/06/10 21:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 21:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 21:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 21:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV - [2012/07/08 07:19:20 | 000,055,096 | ---- | M] (Trusteer Ltd.) [Kernel | System | Running] -- C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportEI64.sys -- (RapportEI64)
DRV - [2012/07/08 07:19:18 | 000,297,048 | ---- | M] (Trusteer Ltd.) [Kernel | System | Running] -- C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportPG64.sys -- (RapportPG64)
DRV - [2012/06/10 20:00:54 | 000,397,520 | ---- | M] () [Kernel | System | Running] -- C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus64_34302.sys -- (RapportCerberus_34302)
DRV - [2009/07/14 02:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\URLSearchHook: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll (Conduit Ltd.)
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-612944760-984166335-3390874272-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-GB
IE - HKU\S-1-5-21-612944760-984166335-3390874272-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = A4 09 8A BD 1C 64 CD 01 [binary data]
IE - HKU\S-1-5-21-612944760-984166335-3390874272-1001\..\URLSearchHook: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll (Conduit Ltd.)
IE - HKU\S-1-5-21-612944760-984166335-3390874272-1001\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-612944760-984166335-3390874272-1001\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-612944760-984166335-3390874272-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.co.uk/"
FF - prefs.js..keyword.URL: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&q="
FF - user.js - File not found

FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_1_102.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012/07/18 14:41:37 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins

[2011/12/22 15:59:49 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Andrew\AppData\Roaming\Mozilla\Extensions
[2012/07/17 08:38:55 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\zp3qob01.default\extensions
[2012/02/26 22:47:36 | 000,000,000 | ---D | M] (Garmin Communicator) -- C:\Users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\zp3qob01.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}
[2012/07/17 08:38:55 | 000,000,000 | ---D | M] (uTorrentBar Community Toolbar) -- C:\Users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\zp3qob01.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}
[2012/01/25 12:48:41 | 000,000,000 | ---D | M] (F5 Networks Host Plugin) -- C:\Users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\zp3qob01.default\extensions\{DBBB3167-6E81-400f-BBFD-BD8921726F52}
[2012/05/03 10:18:00 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2012/07/18 14:41:37 | 000,136,672 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2012/05/03 10:17:55 | 000,001,525 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\amazon-en-GB.xml
[2012/02/15 14:49:24 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
[2012/05/03 10:17:55 | 000,000,935 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\chambers-en-GB.xml
[2012/05/03 10:17:55 | 000,001,166 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\eBay-en-GB.xml
[2012/05/03 10:17:56 | 000,002,040 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\twitter.xml
[2012/05/03 10:17:55 | 000,001,121 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\yahoo-en-GB.xml

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - homepage: http://www.google.com/
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Users\Andrew\AppData\Local\Google\Chrome\Application\16.0.912.75\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\Andrew\AppData\Local\Google\Chrome\Application\16.0.912.75\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\Andrew\AppData\Local\Google\Chrome\Application\16.0.912.75\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.300.12 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java™ Platform SE 6 U30 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Google Update (Enabled) = C:\Users\Andrew\AppData\Local\Google\Update\1.3.21.79\npGoogleUpdate3.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: uTorrentBar = C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\bejbohlohkkgompgecdcbbglkpjfjgdj\2.3.2.4_0\
CHR - Extension: F5 Networks Plugin Host = C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\bfjhelpopbdbnlfmjkbkfkbfmbneaeob\7000.2011.622.1023_0\
CHR - Extension: YouTube = C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2_0\
CHR - Extension: Google Search = C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.14_0\
CHR - Extension: Gmail = C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\6.1.3_0\

O1 HOSTS File: ([2012/07/17 18:49:12 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (uTorrentBar Toolbar) - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (uTorrentBar Toolbar) - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll (Conduit Ltd.)
O4:64bit: - HKLM..\Run: [AdobeAAMUpdater-1.0] C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe (Adobe Systems Incorporated)
O4:64bit: - HKLM..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [IgfxTray] C:\Windows\SysNative\igfxtray.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [AdobeCS5.5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin File not found
O4 - HKLM..\Run: [avgnt] C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKLM..\Run: [euszkmzyfdrkswk] C:\ProgramData\euszkmzy.exe File not found
O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files (x86)\McAfee\Common Framework\udaterui.exe (McAfee, Inc.)
O4 - HKLM..\Run: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe (Adobe Systems Incorporated)
O4 - HKU\S-1-5-21-612944760-984166335-3390874272-1001..\Run: [euszkmzyfdrkswk] C:\ProgramData\euszkmzy.exe File not found
O4 - HKU\S-1-5-21-612944760-984166335-3390874272-1001..\Run: [mnixl] C:\Users\Andrew\AppData\Local\Temp\mnixl.exe File not found
O4 - HKU\S-1-5-21-612944760-984166335-3390874272-1001..\RunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil11e_Plugin.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Doc1.docx ()
O4 - Startup: C:\Users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rems.docx ()
O4 - Startup: C:\Users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~$Doc1.docx ()
O4 - Startup: C:\Users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~$rems.docx ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-612944760-984166335-3390874272-1001\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-612944760-984166335-3390874272-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O15 - HKU\S-1-5-21-612944760-984166335-3390874272-1001\..Trusted Domains: uea.ac.uk ([vpn] https in Trusted sites)
O16 - DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} C:\Users\Andrew\AppData\Local\Temp\f5tmp\urxvpn.cab (F5 Networks VPN Manager)
O16 - DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} C:\Users\Andrew\AppData\Local\Temp\f5tmp\f5tunsrv.cab (F5 Networks Dynamic Application Tunnel Control)
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} C:\Users\Andrew\AppData\Local\Temp\IXP000.TMP\InstallerControl.cab#-1,-1,-1,-1 (F5 Networks Auto Update)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} C:\Users\Andrew\AppData\Local\Temp\f5tmp\urxshost.cab (F5 Networks SuperHost Class)
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} C:\Users\Andrew\AppData\Local\Temp\f5tmp\urxhost.cab (F5 Networks Host Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{32A6E8B0-AF05-4005-A616-1BEF83A9C7AC}: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{71599382-CA41-4E5B-BB5E-8FED0F960605}: DhcpNameServer = 192.168.0.1
O18:64bit: - Protocol\Handler\grooveLocalGWS - No CLSID value found
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2012/07/30 11:14:23 | 000,597,504 | ---- | C] (OldTimer Tools) -- C:\Users\Andrew\Desktop\OTL.exe
[2012/07/24 11:07:08 | 000,000,000 | ---D | C] -- C:\ProgramData\dhmdsdhgfykjzsj
[2012/07/18 13:23:48 | 000,000,000 | ---D | C] -- C:\Users\Andrew\Desktop\Recent
[2012/07/17 19:03:02 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2012/07/17 18:57:22 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2012/07/17 18:42:31 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2012/07/17 18:42:31 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2012/07/17 18:42:31 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2012/07/17 18:42:26 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/07/13 03:12:31 | 000,000,000 | ---D | C] -- C:\Users\Andrew\Desktop\m-files
[2012/07/11 09:31:36 | 000,096,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmled.dll
[2012/07/11 09:31:36 | 000,073,216 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmled.dll
[2012/07/11 09:31:35 | 000,237,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\url.dll
[2012/07/11 09:31:35 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\url.dll
[2012/07/11 09:31:34 | 000,248,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll
[2012/07/11 09:31:34 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll
[2012/07/11 09:31:34 | 000,173,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieUnatt.exe
[2012/07/11 09:31:34 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieUnatt.exe
[2012/07/11 09:31:33 | 001,494,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\inetcpl.cpl
[2012/07/11 09:31:33 | 001,427,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\inetcpl.cpl
[2012/07/11 09:31:32 | 002,311,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript9.dll
[2012/07/11 09:31:32 | 000,818,688 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript.dll
[2012/07/11 09:31:32 | 000,716,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\jscript.dll
[2012/07/10 22:04:12 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\msxml3r.dll
[2012/07/10 22:04:12 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msxml3r.dll
[2012/07/10 22:04:04 | 000,307,200 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ncrypt.dll
[2012/07/10 22:04:01 | 000,805,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\cdosys.dll
[2012/07/10 22:04:00 | 001,133,568 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\cdosys.dll
[2012/07/08 13:54:28 | 000,000,000 | ---D | C] -- C:\Users\Andrew\Desktop\New folder (3)
[2012/07/08 10:33:07 | 000,000,000 | ---D | C] -- C:\Users\Andrew\Desktop\040211_10_b_24hr_N
[2012/07/08 10:32:46 | 000,000,000 | ---D | C] -- C:\Users\Andrew\Desktop\040211_10_b_24hr
[2012/07/07 15:47:38 | 000,000,000 | ---D | C] -- C:\Users\Andrew\Desktop\Cleeve Hill
[2012/07/07 15:47:19 | 000,000,000 | ---D | C] -- C:\Users\Andrew\Desktop\lakes
[2012/07/05 23:18:14 | 000,000,000 | ---D | C] -- C:\Users\Andrew\Desktop\New folder (2)
[2012/07/04 21:17:12 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
[2012/07/04 13:42:56 | 000,000,000 | ---D | C] -- C:\Users\Andrew\AppData\Roaming\Malwarebytes
[2012/07/04 13:42:51 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/07/04 13:42:51 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012/07/04 13:42:50 | 000,024,904 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2012/07/04 13:42:50 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2012/07/04 13:42:29 | 010,063,024 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Andrew\Desktop\mbam-setup.exe
[2012/07/04 13:39:23 | 002,135,640 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Andrew\Desktop\123.com.exe
[2012/07/02 02:14:05 | 000,000,000 | R--D | C] -- C:\Users\Andrew\Dropbox
[2012/07/02 02:11:19 | 000,000,000 | ---D | C] -- C:\Users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
[2012/07/02 02:10:07 | 000,000,000 | ---D | C] -- C:\Users\Andrew\AppData\Roaming\Dropbox

========== Files - Modified Within 30 Days ==========

[2012/07/30 11:24:24 | 000,012,400 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/07/30 11:24:24 | 000,012,400 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/07/30 11:14:35 | 000,597,504 | ---- | M] (OldTimer Tools) -- C:\Users\Andrew\Desktop\OTL.exe
[2012/07/30 11:11:17 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/07/30 11:11:07 | 1988,505,599 | -HS- | M] () -- C:\hiberfil.sys
[2012/07/24 11:07:11 | 000,000,051 | ---- | M] () -- C:\ProgramData\gziyliflxptkytn
[2012/07/19 16:37:40 | 000,779,266 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2012/07/19 16:37:40 | 000,664,992 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2012/07/19 16:37:40 | 000,125,696 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2012/07/18 21:56:14 | 000,000,600 | ---- | M] () -- C:\Users\Andrew\AppData\Roaming\winscp.rnd
[2012/07/17 18:49:12 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
[2012/07/17 14:12:45 | 000,001,109 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/07/17 13:49:33 | 000,000,600 | ---- | M] () -- C:\Users\Andrew\AppData\Local\PUTTY.RND
[2012/07/11 15:24:28 | 004,981,920 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2012/07/10 19:33:20 | 002,252,702 | ---- | M] () -- C:\Users\Andrew\Desktop\poit.fig
[2012/07/09 14:26:20 | 003,484,800 | ---- | M] () -- C:\Users\Andrew\Desktop\ECMWF_EI_2010_20101109-20101119.grb
[2012/07/08 07:19:18 | 000,101,464 | ---- | M] (Trusteer Ltd.) -- C:\Windows\SysNative\drivers\RapportKE64.sys
[2012/07/04 13:41:48 | 010,063,024 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Andrew\Desktop\mbam-setup.exe
[2012/07/04 13:35:52 | 002,135,640 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Andrew\Desktop\123.com.exe
[2012/07/04 13:25:54 | 001,012,656 | ---- | M] () -- C:\Users\Andrew\Desktop\rkill.exe
[2012/07/03 21:17:18 | 000,035,061 | ---- | M] () -- C:\Users\Andrew\Desktop\NERC logo transparent bkg.png
[2012/07/03 21:17:18 | 000,000,132 | ---- | M] () -- C:\Users\Andrew\AppData\Roaming\Adobe PNG Format CS5 Prefs
[2012/07/03 21:11:50 | 001,192,340 | ---- | M] () -- C:\Users\Andrew\Desktop\NERC logo transparent bkg.tga
[2012/07/03 21:11:50 | 000,000,132 | ---- | M] () -- C:\Users\Andrew\AppData\Roaming\Adobe Targa Format CS5 Prefs
[2012/07/03 13:46:44 | 000,024,904 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2012/07/02 02:14:05 | 000,001,040 | ---- | M] () -- C:\Users\Andrew\Desktop\Dropbox.lnk

========== Files Created - No Company Name ==========

[2012/07/24 11:07:06 | 000,000,051 | ---- | C] () -- C:\ProgramData\gziyliflxptkytn
[2012/07/17 18:42:31 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012/07/17 18:42:31 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012/07/17 18:42:31 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012/07/17 18:42:31 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012/07/17 18:42:31 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2012/07/17 14:12:45 | 000,001,109 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/07/10 19:33:20 | 002,252,702 | ---- | C] () -- C:\Users\Andrew\Desktop\poit.fig
[2012/07/09 14:26:31 | 003,484,800 | ---- | C] () -- C:\Users\Andrew\Desktop\ECMWF_EI_2010_20101109-20101119.grb
[2012/07/04 14:55:18 | 000,002,515 | ---- | C] () -- C:\Users\Public\Desktop\Skype.lnk
[2012/07/04 14:55:18 | 000,002,453 | ---- | C] () -- C:\Users\Public\Desktop\SeaTools for Windows.lnk
[2012/07/04 14:55:18 | 000,002,081 | ---- | C] () -- C:\Users\Public\Desktop\Media Jukebox 14.lnk
[2012/07/04 14:55:18 | 000,002,066 | ---- | C] () -- C:\Users\Public\Desktop\Avira Control Center.lnk
[2012/07/04 14:55:18 | 000,002,019 | ---- | C] () -- C:\Users\Public\Desktop\Adobe Reader X.lnk
[2012/07/04 14:55:18 | 000,001,547 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
[2012/07/04 14:55:18 | 000,001,441 | ---- | C] () -- C:\Users\Public\Desktop\MATLAB R2010a Student.lnk
[2012/07/04 14:55:18 | 000,001,345 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Center.lnk
[2012/07/04 14:55:18 | 000,001,330 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sidebar.lnk
[2012/07/04 14:55:18 | 000,001,326 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows DVD Maker.lnk
[2012/07/04 14:55:18 | 000,001,246 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPS Viewer.lnk
[2012/07/04 14:55:18 | 000,001,210 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Fax and Scan.lnk
[2012/07/04 14:55:18 | 000,001,150 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
[2012/07/04 14:55:18 | 000,001,138 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2012/07/04 14:55:18 | 000,001,066 | ---- | C] () -- C:\Users\Public\Desktop\VLC media player.lnk
[2012/07/04 14:55:18 | 000,000,943 | ---- | C] () -- C:\Users\Public\Desktop\µTorrent.lnk
[2012/07/04 14:55:18 | 000,000,796 | ---- | C] () -- C:\Users\Public\Desktop\Speccy.lnk
[2012/07/04 14:55:17 | 000,002,441 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk
[2012/07/04 14:55:17 | 000,001,666 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Illustrator CS5.1.lnk
[2012/07/04 14:55:17 | 000,001,551 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe ExtendScript Toolkit CS5.5.lnk
[2012/07/04 14:55:17 | 000,001,379 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Extension Manager CS5.5.lnk
[2012/07/04 14:55:17 | 000,001,278 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Device Central CS5.5.lnk
[2012/07/04 14:55:17 | 000,001,223 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Photoshop CS5.1.lnk
[2012/07/04 14:55:17 | 000,001,185 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Bridge CS5.1.lnk
[2012/07/04 14:55:17 | 000,001,093 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Photoshop CS5.1 (64 Bit).lnk
[2012/07/04 14:55:17 | 000,000,997 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Help.lnk
[2012/07/04 14:55:17 | 000,000,993 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BBC iPlayer Desktop.lnk
[2012/07/04 13:33:17 | 001,012,656 | ---- | C] () -- C:\Users\Andrew\Desktop\rkill.exe
[2012/07/03 21:15:56 | 000,035,061 | ---- | C] () -- C:\Users\Andrew\Desktop\NERC logo transparent bkg.png
[2012/07/03 21:11:50 | 000,000,132 | ---- | C] () -- C:\Users\Andrew\AppData\Roaming\Adobe Targa Format CS5 Prefs
[2012/07/03 21:11:47 | 001,192,340 | ---- | C] () -- C:\Users\Andrew\Desktop\NERC logo transparent bkg.tga
[2012/07/02 02:14:05 | 000,001,040 | ---- | C] () -- C:\Users\Andrew\Desktop\Dropbox.lnk
[2012/04/18 17:17:41 | 000,000,132 | ---- | C] () -- C:\Users\Andrew\AppData\Roaming\Adobe PNG Format CS5 Prefs
[2012/03/16 11:49:31 | 000,764,810 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2012/02/16 18:07:05 | 000,000,600 | ---- | C] () -- C:\Users\Andrew\AppData\Roaming\winscp.rnd
[2012/01/06 16:09:36 | 000,000,600 | ---- | C] () -- C:\Users\Andrew\AppData\Local\PUTTY.RND
[2011/12/23 13:18:49 | 000,000,000 | ---- | C] () -- C:\Windows\f5unistall.INI
[2011/12/21 15:52:14 | 000,001,025 | ---- | C] () -- C:\Windows\SysWow64\sysprs7.dll
[2011/12/21 15:52:14 | 000,000,205 | ---- | C] () -- C:\Windows\SysWow64\lsprst7.dll
[2011/10/21 18:27:54 | 000,867,020 | ---- | C] () -- C:\Windows\SysWow64\igkrng575.bin
[2011/10/21 18:27:54 | 000,128,204 | ---- | C] () -- C:\Windows\SysWow64\igcompkrng575.bin
[2011/10/21 18:27:54 | 000,105,608 | ---- | C] () -- C:\Windows\SysWow64\igfcg575m.bin
[2011/10/21 18:03:04 | 013,903,872 | ---- | C] () -- C:\Windows\SysWow64\ig4icd32.dll

< End of report >


Extras:

OTL Extras logfile created on: 30/07/2012 11:15:51 - Run 1
OTL by OldTimer - Version 3.2.55.0 Folder = C:\Users\Andrew\Desktop
64bit- Enterprise Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

7.80 Gb Total Physical Memory | 5.71 Gb Available Physical Memory | 73.21% Memory free
15.60 Gb Paging File | 13.35 Gb Available in Paging File | 85.58% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 297.99 Gb Total Space | 84.15 Gb Free Space | 28.24% Space Free | Partition Type: NTFS

Computer Name: ENVCS-PC | User Name: Andrew | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-612944760-984166335-3390874272-1001\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [Bridge] -- C:\Program Files (x86)\Adobe\Adobe Bridge CS5.1\Bridge.exe "%L" (Adobe Systems, Inc.)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [Bridge] -- C:\Program Files (x86)\Adobe\Adobe Bridge CS5.1\Bridge.exe "%L" (Adobe Systems, Inc.)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0D3CCE1F-D627-49B4-9CC5-14D02D726A88}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{11CEADD3-8E87-45E0-AEB8-E6B34A8F7F17}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{2C549755-8017-4954-AA08-93683778ECF6}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{30197BB3-9FF3-4849-AF1E-6D4103BEC5E1}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{5407BE67-DCB0-4CC3-A262-C9659CC77558}" = rport=137 | protocol=17 | dir=out | app=system |
"{54B0EAD6-3527-4724-AF0B-E89BBA000A8B}" = rport=10243 | protocol=6 | dir=out | app=system |
"{5768EF59-CD82-46B6-8801-D86497593A0F}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{5DC349FE-F47A-4E89-8D51-44884F5A74B8}" = lport=6004 | protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office12\outlook.exe |
"{6B05946F-010D-45D6-9C40-ACC6D81D4288}" = lport=2869 | protocol=6 | dir=in | app=system |
"{87C0521E-A1F4-48E5-8567-AEFE628F6DF5}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{8DAFAC1E-CD4B-42D0-A2EF-23822F06A00D}" = lport=10243 | protocol=6 | dir=in | app=system |
"{A067F55B-B562-4A7A-A755-912652EAF60C}" = lport=137 | protocol=17 | dir=in | app=system |
"{A29038C7-2A5D-4773-991A-00E78D384E8A}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{A95FAFE8-1A58-4C58-840F-B40DFF22DD16}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{C9C2707C-7978-462F-8255-38595EDE4D19}" = rport=445 | protocol=6 | dir=out | app=system |
"{CCDE9C68-A3D2-4C5A-B39D-9E87EE0B3B9F}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{CEAF4A72-D59F-45D5-ADF6-9C61E07DE3CA}" = lport=139 | protocol=6 | dir=in | app=system |
"{D2FC047C-C320-4EC5-AA29-EAE694FB991A}" = rport=138 | protocol=17 | dir=out | app=system |
"{D5375EBA-0D68-4030-95E4-F747B36C1249}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{D68273C1-041D-4FCA-9BE6-95C9B0183C55}" = lport=138 | protocol=17 | dir=in | app=system |
"{D73E484D-B3E0-40AA-A0D6-E4230C402AA6}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{E9F08020-14C1-4351-99FD-0568C45C378D}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{F2A6D9B5-5040-4E8B-8E98-78FEA4C0D279}" = lport=445 | protocol=6 | dir=in | app=system |
"{F2C0F62D-7D31-4A30-BD9F-D4458FA70CAF}" = rport=139 | protocol=6 | dir=out | app=system |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{1C57DAC6-6B35-46A1-AFA0-5EEA5DB8EB32}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{1C9A3952-DE2B-416C-BFF9-ACFFC88AC63D}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{20CF9A89-CB47-4DF3-BA37-0CEF15FCA616}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{20F663B3-5135-4A15-B536-65A2BD7F460B}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{3A78D447-AE66-4C08-AF2A-0D1A770D3DB1}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{4B313303-BCC9-458F-B4CF-9EEC4001DAAB}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{4EEF1A30-1999-4EBF-A93B-A325CD372D70}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{57FC9849-8623-4CBC-BB52-961F46E6D81B}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{58EE7643-840D-4F73-84B6-978E763A5A7F}" = protocol=17 | dir=in | app=c:\users\andrew\appdata\roaming\dropbox\bin\dropbox.exe |
"{5B3D2324-305F-40D7-9283-847E3C90828A}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{5C66E2DA-17C9-4D95-97E2-BCB7261C393D}" = protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office12\groove.exe |
"{6589CAF1-060E-439B-A1EC-35DFB0F4C34C}" = protocol=6 | dir=in | app=c:\program files (x86)\mcafee\common framework\frameworkservice.exe |
"{6FC9788C-3811-4318-B09C-49B4465DF7F7}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{7109CD67-E595-481C-A453-EED07A4587BF}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{7DE3E01C-641C-449E-8C09-7D151679EE45}" = protocol=6 | dir=in | app=c:\users\andrew\appdata\roaming\dropbox\bin\dropbox.exe |
"{9B4FA3BD-2B78-4F95-80E5-AEE5408FED77}" = protocol=6 | dir=in | app=c:\program files (x86)\microsoft office\office12\onenote.exe |
"{A1E25035-BDD2-4318-ABDF-90FA328295F1}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{ABBAA937-0C3A-41FE-B80C-A2004E2798EF}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{AD1B2E8E-52C3-4BEA-A682-920BFA81A78D}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{B0726F72-1E36-449B-83D6-7C69E6E421D6}" = protocol=17 | dir=in | app=c:\program files (x86)\utorrent\utorrent.exe |
"{B4D923F1-52E7-4255-ABA8-EBBBBCDA0133}" = protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office12\onenote.exe |
"{C81A6E67-1005-4D6B-AB59-618FB8802B06}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{C8FE013E-036B-4497-AE9E-D4D2EC83B5E2}" = protocol=6 | dir=in | app=c:\program files (x86)\utorrent\utorrent.exe |
"{CBF5923D-FC20-4057-8EBA-5E587EE81FE2}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{CE36E2EC-B302-4E82-AB11-25E3694A0669}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{CF305A25-EBC9-40FE-B8CB-9E803FBC0902}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{D3BBF165-A74E-4867-AB4B-4C02EDDCD99F}" = protocol=6 | dir=in | app=c:\program files (x86)\microsoft office\office12\groove.exe |
"{D52DFEAC-2B89-4FD7-82EE-0A6802DBE13C}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{D8F5F54E-EED5-4061-A05D-71A01CB347F2}" = protocol=6 | dir=out | app=system |
"{F518F211-7EEB-4CDB-8669-012737FA6BB9}" = protocol=17 | dir=in | app=c:\program files (x86)\mcafee\common framework\frameworkservice.exe |
"TCP Query User{00BCF1C5-B607-4018-8F10-9081EE6535B5}C:\program files (x86)\xming\xming.exe" = protocol=6 | dir=in | app=c:\program files (x86)\xming\xming.exe |
"TCP Query User{356FFCFD-A7C5-4D25-800B-F6AF4CF3C379}C:\users\andrew\appdata\roaming\dropbox\bin\dropbox.exe" = protocol=6 | dir=in | app=c:\users\andrew\appdata\roaming\dropbox\bin\dropbox.exe |
"TCP Query User{48C9A2A1-1105-4288-B820-D995FD29A134}C:\users\andrew\downloads\utorrent.exe" = protocol=6 | dir=in | app=c:\users\andrew\downloads\utorrent.exe |
"TCP Query User{78FA6D0E-767E-4A39-A96A-6EF64C5012EC}C:\users\andrew\downloads\utorrent.exe" = protocol=6 | dir=in | app=c:\users\andrew\downloads\utorrent.exe |
"TCP Query User{9FBF6A82-F7F5-448F-9A00-52C9A942ABA7}D:\tl-wa830re\easysetupassistant.exe" = protocol=6 | dir=in | app=d:\tl-wa830re\easysetupassistant.exe |
"TCP Query User{B872FCEC-72DB-4635-8418-F8F1451C3336}D:\easysetupassistant\wr941n\easysetupassistant.exe" = protocol=6 | dir=in | app=d:\easysetupassistant\wr941n\easysetupassistant.exe |
"UDP Query User{0DC73A6F-7A57-4506-AD12-6BB7339800EB}C:\users\andrew\appdata\roaming\dropbox\bin\dropbox.exe" = protocol=17 | dir=in | app=c:\users\andrew\appdata\roaming\dropbox\bin\dropbox.exe |
"UDP Query User{1069B30B-20CF-4DFC-962A-E27B21F6C144}D:\easysetupassistant\wr941n\easysetupassistant.exe" = protocol=17 | dir=in | app=d:\easysetupassistant\wr941n\easysetupassistant.exe |
"UDP Query User{4198AC6C-A9FA-4340-922C-96FA52926F30}C:\users\andrew\downloads\utorrent.exe" = protocol=17 | dir=in | app=c:\users\andrew\downloads\utorrent.exe |
"UDP Query User{6373D26A-FE2D-441D-81A3-3297425DBCC3}D:\tl-wa830re\easysetupassistant.exe" = protocol=17 | dir=in | app=d:\tl-wa830re\easysetupassistant.exe |
"UDP Query User{7E76A9B0-235F-4C9D-9C94-EAB765D5CD51}C:\users\andrew\downloads\utorrent.exe" = protocol=17 | dir=in | app=c:\users\andrew\downloads\utorrent.exe |
"UDP Query User{F965AC02-DDD1-437C-AE9D-81880A67DA9B}C:\program files (x86)\xming\xming.exe" = protocol=17 | dir=in | app=c:\program files (x86)\xming\xming.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{071c9b48-7c32-4621-a0ac-3f809523288f}" = Microsoft Visual C++ 2005 Redistributable (x64)
"{1DD81E7D-0D28-4CEB-87B2-C041A4FCB215}" = Rapport
"{1E9FC118-651D-4934-97BE-E53CAE5C7D45}" = Microsoft_VC80_MFCLOC_x86_x64
"{4327107B-E95E-415C-9194-458FCED6BF12}" = Intel® PROSet/Wireless WiFi Software
"{4569AD91-47F4-4D9E-8FC9-717EC32D7AE1}" = Microsoft_VC80_CRT_x86_x64
"{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
"{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
"{6ce5bae9-d3ca-4b99-891a-1dc6c118a5fc}" = Microsoft Visual C++ 2005 Redistributable (x64)
"{8557397C-A42D-486F-97B3-A2CBC2372593}" = Microsoft_VC90_ATL_x86_x64
"{8E34682C-8118-31F1-BC4C-98CD9675E1C2}" = Microsoft .NET Framework 4 Extended
"{90120000-002A-0000-1000-0000000FF1CE}" = Microsoft Office Office 64-bit Components 2007
"{90120000-002A-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (English) 2007
"{90120000-0116-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007
"{90BF0360-A1DB-4599-A643-95AB90A52C1E}" = Microsoft_VC90_MFCLOC_x86_x64
"{925D058B-564A-443A-B4B2-7E90C6432E55}" = Microsoft_VC80_ATL_x86_x64
"{92A3CA0D-55CD-4C5D-BA95-5C2600C20F26}" = Microsoft_VC90_CRT_x86_x64
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = Dell Touchpad
"{A472B9E4-0AFF-4F7B-B25D-F64F8E928AAB}" = Microsoft_VC90_MFC_x86_x64
"{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}" = Microsoft Visual C++ 2005 Redistributable (x64)
"{C25215FC-5900-48B0-B93C-8D3379027312}" = PASW Statistics 18
"{C8C1BAD5-54E6-4146-AD07-3A8AD36569C3}" = Microsoft_VC80_MFC_x86_x64
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin 64-bit
"CPUID CPU-Z_is1" = CPUID CPU-Z 1.60
"MatlabR2011a" = MATLAB R2011a
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"MiKTeX 2.9" = MiKTeX 2.9
"ProInst" = Intel PROSet Wireless
"Speccy" = Speccy

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{033E378E-6AD3-4AD5-BDEB-CBD69B31046C}" = Microsoft_VC90_ATL_x86
"{08D2E121-7F6A-43EB-97FD-629B44903403}" = Microsoft_VC90_CRT_x86
"{0F3647F8-E51D-4FCC-8862-9A8D0C5ACF25}" = Microsoft_VC80_ATL_x86
"{1DD81E7D-0D28-4CEB-87B2-C041A4FCB215}" = Rapport
"{22613FA5-4D3B-4EE5-8E4A-39EBE649324E}" = Garmin BaseCamp
"{23767F5D-A80C-4264-B8EA-ED4085FC332A}" = Adobe Illustrator CS5.1
"{26A24AE4-039D-4CA4-87B4-2F83216031FF}" = Java™ 6 Update 31
"{32E05824-A0AC-4DFE-B965-5F52C28FBE9F}_is1" = EPS Viewer
"{3521BDBD-D453-5D9F-AA55-44B75D214629}" = Adobe Community Help
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{635FED5B-2C6D-49BE-87E6-7A6FCD22BC5A}" = Microsoft_VC90_MFC_x86
"{86B3F2D6-AC2B-0014-8AE1-F2F77F781B0C}" = EndNote X4
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{2314F9A1-126F-45CC-8A5E-DFAF866F3FBC}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-002A-0000-1000-0000000FF1CE}_ENTERPRISE_{664655D8-B9BB-455D-8A58-7EAF7B0B2862}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-002A-0409-1000-0000000FF1CE}_ENTERPRISE_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0116-0409-1000-0000000FF1CE}_ENTERPRISE_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{9158FF30-78D7-40EF-B83E-451AC5334640}" = Adobe Photoshop CS5.1
"{92D58719-BBC1-4CC3-A08B-56C9E884CC2C}" = Microsoft_VC80_CRT_x86
"{98613C99-1399-416C-A07C-1EE1C585D872}" = SeaTools for Windows
"{A638557B-1F13-40A0-9627-C892FBCA6960}" = McAfee Agent
"{A78FE97A-C0C8-49CE-89D0-EDD524A17392}" = PDF Settings CS5
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.2)
"{AC76BA86-7AD7-5760-0000-A00000000003}" = Japanese Fonts Support For Adobe Reader X
"{B6D38690-755E-4F40-A35A-23F8BC2B86AC}" = Microsoft_VC90_MFCLOC_x86
"{C7E636D6-835D-4EBA-87B5-412F857D7470}" = Creative Docs .NET
"{CC085605-79A6-3D50-6AE8-42D213ECBAFC}" = BBC iPlayer Desktop
"{D1A19B02-817E-4296-A45B-07853FD74D57}" = Microsoft_VC80_MFC_x86
"{D92BBB52-82FF-42ED-8A3C-4E062F944AB7}" = Microsoft_VC80_MFCLOC_x86
"{EE7257A2-39A2-4D2F-9DAC-F9F25B8AE1D8}" = Skype™ 5.9
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"{FE23D063-934D-4829-A0D8-00634CE79B4A}" = Adobe AIR
"7-Zip" = 7-Zip 9.22beta
"Adobe AIR" = Adobe AIR
"Avira AntiVir Desktop" = Avira Free Antivirus
"BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1" = BBC iPlayer Desktop
"chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Community Help
"ENTERPRISE" = Microsoft Office Enterprise 2007
"F5 Networks Client Components" = BIG-IP Edge Client Components (All Users)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.62.0.1300
"MatlabR2010a" = MATLAB Student R2010a
"Media Jukebox 14" = Media Jukebox 14
"Mozilla Firefox 14.0.1 (x86 en-GB)" = Mozilla Firefox 14.0.1 (x86 en-GB)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"Rapport_msi" = Rapport
"ResearchSoft Direct Export Helper" = ResearchSoft Direct Export Helper
"TeXnicCenter_is1" = TeXnicCenter Version 1.0 Stable RC1
"uTorrent" = µTorrent
"uTorrentBar Toolbar" = uTorrentBar Toolbar
"VLC media player" = VLC media player 1.1.11
"winscp3_is1" = WinSCP 4.3.6
"Xming_is1" = Xming 6.9.0.31

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-612944760-984166335-3390874272-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Dropbox" = Dropbox

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 06/07/2012 10:56:55 | Computer Name = envcs-PC | Source = Application Hang | ID = 1002
Description = The program MATLAB.exe version 1.0.0.1 stopped interacting with Windows
and was closed. To see if more information about the problem is available, check
the problem history in the Action Center control panel. Process ID: e70 Start Time:
01cd5b78180ee1dc Termination Time: 26 Application Path: C:\Program Files (x86)\MATLAB\R2010a
Student\bin\win32\MATLAB.exe Report Id:

Error - 09/07/2012 09:56:35 | Computer Name = envcs-PC | Source = Application Hang | ID = 1002
Description = The program MATLAB.exe version 1.0.0.1 stopped interacting with Windows
and was closed. To see if more information about the problem is available, check
the problem history in the Action Center control panel. Process ID: c24 Start Time:
01cd5d5e0340880d Termination Time: 15 Application Path: C:\Program Files (x86)\MATLAB\R2010a
Student\bin\win32\MATLAB.exe Report Id:

Error - 10/07/2012 19:00:30 | Computer Name = envcs-PC | Source = Application Hang | ID = 1002
Description = The program MATLAB.exe version 1.0.0.1 stopped interacting with Windows
and was closed. To see if more information about the problem is available, check
the problem history in the Action Center control panel. Process ID: a48 Start Time:
01cd5e23b646718e Termination Time: 108 Application Path: C:\Program Files (x86)\MATLAB\R2010a
Student\bin\win32\MATLAB.exe Report Id:

Error - 11/07/2012 04:31:03 | Computer Name = envcs-PC | Source = Windows Search Service | ID = 3007
Description =

Error - 17/07/2012 10:04:25 | Computer Name = envcs-PC | Source = Application Hang | ID = 1002
Description = The program MATLAB.exe version 1.0.0.1 stopped interacting with Windows
and was closed. To see if more information about the problem is available, check
the problem history in the Action Center control panel. Process ID: 1338 Start Time:
01cd6424b4249c1c Termination Time: 10 Application Path: C:\Program Files (x86)\MATLAB\R2010a
Student\bin\win32\MATLAB.exe Report Id: 4c01b138-d018-11e1-b30b-463500000031

Error - 17/07/2012 10:06:42 | Computer Name = envcs-PC | Source = Application Hang | ID = 1002
Description = The program MATLAB.exe version 1.0.0.1 stopped interacting with Windows
and was closed. To see if more information about the problem is available, check
the problem history in the Action Center control panel. Process ID: 590 Start Time:
01cd642514567fe1 Termination Time: 7 Application Path: C:\Program Files (x86)\MATLAB\R2010a
Student\bin\win32\MATLAB.exe Report Id: 9e096db5-d018-11e1-b30b-463500000031

Error - 17/07/2012 10:32:51 | Computer Name = envcs-PC | Source = Application Hang | ID = 1002
Description = The program MATLAB.exe version 1.0.0.1 stopped interacting with Windows
and was closed. To see if more information about the problem is available, check
the problem history in the Action Center control panel. Process ID: ca4 Start Time:
01cd6425664d733f Termination Time: 16 Application Path: C:\Program Files (x86)\MATLAB\R2010a
Student\bin\win32\MATLAB.exe Report Id: 3e856624-d01c-11e1-b30b-463500000031

Error - 19/07/2012 18:50:44 | Computer Name = envcs-PC | Source = Application Error | ID = 1000
Description = Faulting application name: Photoshop.exe, version: 12.1.0.0, time
stamp: 0x4d90d339 Faulting module name: Photoshop.exe, version: 12.1.0.0, time stamp:
0x4d90d339 Exception code: 0xc0000005 Fault offset: 0x000000000070875e Faulting process
id: 0x1360 Faulting application start time: 0x01cd65d3a076a493 Faulting application
path: C:\Program Files\Adobe\Adobe Photoshop CS5.1 (64 Bit)\Photoshop.exe Faulting
module path: C:\Program Files\Adobe\Adobe Photoshop CS5.1 (64 Bit)\Photoshop.exe
Report
Id: 2bfa5319-d1f4-11e1-9d91-463500000031

Error - 22/07/2012 15:18:58 | Computer Name = envcs-PC | Source = Application Hang | ID = 1002
Description = The program MATLAB.exe version 1.0.0.1 stopped interacting with Windows
and was closed. To see if more information about the problem is available, check
the problem history in the Action Center control panel. Process ID: 318 Start Time:
01cd671e474eaba9 Termination Time: 51 Application Path: C:\Program Files (x86)\MATLAB\R2010a
Student\bin\win32\MATLAB.exe Report Id:

Error - 30/07/2012 06:10:34 | Computer Name = envcs-PC | Source = Microsoft-Windows-CAPI2 | ID = 512
Description = The Cryptographic Services service failed to initialize the VSS backup
"System Writer" object. Details: Could not query the status of the EventSystem service.

System
Error: A system shutdown is in progress. .

[ OSession Events ]
Error - 07/01/2012 08:23:27 | Computer Name = envcs-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 1766
seconds with 120 seconds of active time. This session ended with a crash.

Error - 07/01/2012 08:23:36 | Computer Name = envcs-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 1
seconds with 0 seconds of active time. This session ended with a crash.

Error - 08/01/2012 05:26:55 | Computer Name = envcs-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 54469
seconds with 1140 seconds of active time. This session ended with a crash.

Error - 08/01/2012 05:27:08 | Computer Name = envcs-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 3
seconds with 0 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 30/07/2012 06:04:20 | Computer Name = envcs-PC | Source = Service Control Manager | ID = 7001
Description = The Network List Service service depends on the Network Location Awareness
service which failed to start because of the following error: %%1068

Error - 30/07/2012 06:04:20 | Computer Name = envcs-PC | Source = DCOM | ID = 10005
Description =

Error - 30/07/2012 06:04:20 | Computer Name = envcs-PC | Source = DCOM | ID = 10005
Description =

Error - 30/07/2012 06:04:20 | Computer Name = envcs-PC | Source = Service Control Manager | ID = 7001
Description = The Network List Service service depends on the Network Location Awareness
service which failed to start because of the following error: %%1068

Error - 30/07/2012 06:04:20 | Computer Name = envcs-PC | Source = Service Control Manager | ID = 7001
Description = The Network List Service service depends on the Network Location Awareness
service which failed to start because of the following error: %%1068

Error - 30/07/2012 06:04:20 | Computer Name = envcs-PC | Source = Service Control Manager | ID = 7001
Description = The Network List Service service depends on the Network Location Awareness
service which failed to start because of the following error: %%1068

Error - 30/07/2012 06:04:20 | Computer Name = envcs-PC | Source = Service Control Manager | ID = 7001
Description = The Network List Service service depends on the Network Location Awareness
service which failed to start because of the following error: %%1068

Error - 30/07/2012 06:04:20 | Computer Name = envcs-PC | Source = Service Control Manager | ID = 7001
Description = The Network List Service service depends on the Network Location Awareness
service which failed to start because of the following error: %%1068

Error - 30/07/2012 06:04:20 | Computer Name = envcs-PC | Source = Service Control Manager | ID = 7001
Description = The Network List Service service depends on the Network Location Awareness
service which failed to start because of the following error: %%1068

Error - 30/07/2012 06:04:20 | Computer Name = envcs-PC | Source = Service Control Manager | ID = 7001
Description = The Network List Service service depends on the Network Location Awareness
service which failed to start because of the following error: %%1068


< End of report >

Edited by blueade7, 30 July 2012 - 05:37 AM.


#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,980 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:06:54 AM

Posted 30 July 2012 - 05:41 AM

Hi again, I see some possible rootkit indicators as well, but let's make sure the screenlocker is gone first. After this fix please let me know if you can get in normal mode.

It looks like some documents are starting automatically when the computer is started; is this something you set yourself? I've included them for removal for now; that doesn't mean however they'll be deleted, so if necessary we can copy them back.

OTL FIX
------------
We need to run an OTL Fix
  • Please reopen Posted Image on your desktop.
  • Copy and Paste the following code into the Posted Image textbox.
    :otl
    O4 - HKLM..\Run: [euszkmzyfdrkswk] C:\ProgramData\euszkmzy.exe File not found
    O4 - HKU\S-1-5-21-612944760-984166335-3390874272-1001..\Run: [euszkmzyfdrkswk] C:\ProgramData\euszkmzy.exe File not found
    O4 - HKU\S-1-5-21-612944760-984166335-3390874272-1001..\Run: [mnixl] C:\Users\Andrew\AppData\Local\Temp\mnixl.exe File not found
    [2012/07/24 11:07:08 | 000,000,000 | ---D | C] -- C:\ProgramData\dhmdsdhgfykjzsj
    
    :commands
    [emptytemp]
  • Push Posted Image
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

Malware analyst @ Emsisoft
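As an added example (my own code, not from Elise's post and not part of OTL), here is a read-only PowerShell triage of the same autostart locations the fix above edits: it walks the Run keys in HKLM and in every loaded user hive, resolves the executable each value points to, and flags values whose file is missing (what OTL prints as "File not found") or that run from ProgramData or Temp, then lists the per-user Startup folder. The Get-CommandPath helper and the ProgramData/Temp heuristic are my own assumptions; nothing is deleted.

```powershell
# Added example, not part of Elise's post or of the OTL tool: a read-only
# triage of the autostart locations the OTL fix above edits. It lists every
# Run value in HKLM and in each loaded user hive (HKEY_USERS\<SID>), resolves
# the executable it points to and flags values whose file is missing, which
# is what OTL prints as "File not found", or that run from ProgramData/Temp.
# Nothing is deleted; run from an elevated PowerShell prompt.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
# One Run key per loaded user hive, e.g. HKEY_USERS\S-1-5-21-...-1001
$runKeys += Get-ChildItem -Path 'Registry::HKEY_USERS' |
    ForEach-Object { "Registry::$($_.Name)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" }

# Extract the executable path from a Run command line (constructed helper), e.g.
#   "C:\Program Files\App\app.exe" /silent   ->  C:\Program Files\App\app.exe
#   C:\ProgramData\euszkmzy.exe              ->  C:\ProgramData\euszkmzy.exe
function Get-CommandPath {
    param([string]$Command)
    $cmd = $Command.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($cmd, '^(.*?\.exe)', 'IgnoreCase')   # unquoted path
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($v in $values.PSObject.Properties) {
        if ($v.Name -like 'PS*') { continue }   # provider metadata, not a Run value
        $target = [Environment]::ExpandEnvironmentVariables((Get-CommandPath "$($v.Value)"))
        [pscustomobject]@{
            Key        = $key
            Name       = $v.Name
            Target     = $target
            # -and short-circuits, so an empty target never reaches Test-Path
            Exists     = ($target -ne '') -and (Test-Path -LiteralPath $target)
            # Writable locations droppers commonly use (assumed heuristic); review by hand
            Suspicious = ($target -match '\\ProgramData\\|\\Temp\\')
        }
    }
}

# The per-user Startup folder, where the two .docx files in this thread sit
$startup = [Environment]::GetFolderPath('Startup')
$startupItems = Get-ChildItem -LiteralPath $startup -Force -ErrorAction SilentlyContinue |
    Select-Object Name, Length, LastWriteTime

"Run values with a missing target or a suspicious location:"
$findings | Where-Object { -not $_.Exists -or $_.Suspicious } | Format-Table -AutoSize
"Startup folder: $startup"
$startupItems | Format-Table -AutoSize
```

An orphaned Run value (target missing) is usually leftover persistence from something already removed, which is why OTL deletes the value rather than a file; anything still present under ProgramData or Temp deserves a closer look before removal.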


#11 blueade7

blueade7
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  • Local time:03:54 AM

Posted 30 July 2012 - 05:52 AM

Yes, I put those 2 files in the startup folder. I'm not sure the fix worked, as they still opened up when Windows was restarted?

All processes killed
Error: Unable to interpret <O4 - HKLM..\Run: [euszkmzyfdrkswk] C:\ProgramData\euszkmzy.exe File not found> in the current context!
Error: Unable to interpret <O4 - HKU\S-1-5-21-612944760-984166335-3390874272-1001..\Run: [euszkmzyfdrkswk] C:\ProgramData\euszkmzy.exe File not found> in the current context!
Error: Unable to interpret <O4 - HKU\S-1-5-21-612944760-984166335-3390874272-1001..\Run: [mnixl] C:\Users\Andrew\AppData\Local\Temp\mnixl.exe File not found> in the current context!
Error: Unable to interpret <O4 - Startup: C:\Users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Doc1.docx ()> in the current context!
Error: Unable to interpret <O4 - Startup: C:\Users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rems.docx ()> in the current context!
Error: Unable to interpret <O4 - Startup: C:\Users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~$Doc1.docx ()> in the current context!
Error: Unable to interpret <O4 - Startup: C:\Users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~$rems.docx ()> in the current context!
Error: Unable to interpret <[2012/07/24 11:07:08 | 000,000,000 | ---D | C] -- C:\ProgramData\dhmdsdhgfykjzsj> in the current context!
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Andrew
->Temp folder emptied: 3438766 bytes
->Temporary Internet Files folder emptied: 12053060 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 96437320 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 8945 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: envcs
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 18224 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50400 bytes
RecycleBin emptied: 96232471 bytes

Total Files Cleaned = 199.00 mb


OTL by OldTimer - Version 3.2.55.0 log created on 07302012_114447

Files\Folders moved on Reboot...
C:\Users\Andrew\AppData\Local\Temp\EndNote\Templates.3868\EndNote Cwyw.dotm moved successfully.
C:\Users\Andrew\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
C:\Users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{4E9B8850-2183-4D54-8BB0-DC0532391EC4}.tmp moved successfully.
File\Folder C:\Users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{2D7955C0-B4E0-452F-867A-25BBD7A80F2B}.tmp not found!
File\Folder C:\Users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{99345507-3EB2-447E-BEEA-1D9C54D0360D}.tmp not found!
File\Folder C:\Users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{AD3EFAC3-E8A0-41E9-9A01-908D998359C6}.tmp not found!
File\Folder C:\Users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C87B095E-CAD1-47B8-8508-FFCCF18A7BC9}.tmp not found!

PendingFileRenameOperations files...
File C:\Users\Andrew\AppData\Local\Temp\EndNote\Templates.3868\EndNote Cwyw.dotm not found!
File C:\Users\Andrew\AppData\Local\Temp\FXSAPIDebugLogFile.txt not found!
File C:\Users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{4E9B8850-2183-4D54-8BB0-DC0532391EC4}.tmp not found!
File C:\Users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{2D7955C0-B4E0-452F-867A-25BBD7A80F2B}.tmp not found!
File C:\Users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{99345507-3EB2-447E-BEEA-1D9C54D0360D}.tmp not found!
File C:\Users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{AD3EFAC3-E8A0-41E9-9A01-908D998359C6}.tmp not found!
File C:\Users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C87B095E-CAD1-47B8-8508-FFCCF18A7BC9}.tmp not found!

Registry entries deleted on Reboot...

#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,980 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:06:54 AM

Posted 30 July 2012 - 05:59 AM

My apologies, I forgot to add something to the script. Could you please rerun it? I took out the two documents, so they should open now.

regards, Elise




#13 blueade7

blueade7
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  • Local time:03:54 AM

Posted 30 July 2012 - 06:06 AM

All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\euszkmzyfdrkswk deleted successfully.
Registry value HKEY_USERS\S-1-5-21-612944760-984166335-3390874272-1001\Software\Microsoft\Windows\CurrentVersion\Run\\euszkmzyfdrkswk deleted successfully.
Registry value HKEY_USERS\S-1-5-21-612944760-984166335-3390874272-1001\Software\Microsoft\Windows\CurrentVersion\Run\\mnixl deleted successfully.
C:\ProgramData\dhmdsdhgfykjzsj folder moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Andrew
->Temp folder emptied: 165487 bytes
->Temporary Internet Files folder emptied: 33300 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 22044345 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 456 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: envcs
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 608 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 3342848 bytes

Total Files Cleaned = 24.00 mb


OTL by OldTimer - Version 3.2.55.0 log created on 07302012_120119

Files\Folders moved on Reboot...
C:\Users\Andrew\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

PendingFileRenameOperations files...
File C:\Users\Andrew\AppData\Local\Temp\FXSAPIDebugLogFile.txt not found!

Registry entries deleted on Reboot...

#14 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,980 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:06:54 AM

Posted 30 July 2012 - 06:13 AM

How is normal mode behaving now?

regards, Elise




#15 blueade7

blueade7
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  • Local time:03:54 AM

Posted 30 July 2012 - 06:15 AM

It seems fine... but it's difficult to compare until I have been using it for a while. Hopefully it's a lot better though! Thanks very much. Is there anything else you would recommend?



