
Avast blocked by group policy


This topic is locked
33 replies to this topic

#1 worden

worden

  • Members
  • 29 posts
  • OFFLINE
  • Local time:08:00 PM

Posted 06 February 2013 - 03:11 PM

Hi,

IE has taken to crashing randomly, and so I finally downloaded Google Chrome to use instead, only to find it would not open. Only then did I notice Avast had stopped appearing in my lower right tray, and I get the "This program is blocked by group policy" error.

I found this topic:

http://forums.malwarebytes.org/index.php?showtopic=118179

...and tried following it, but frankly got a bit lost as the OP seems to have a lot more computer knowledge than I....

I also tried the instructions here:

http://forums.majorgeeks.com/showthread.php?t=139681

...and most of the malware ass-kicking programs won't run at all.

For the few that did, I have the following logs to offer:

Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Database version: v2013.02.06.08

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Peter :: PETER-PC [administrator]

06/02/2013 18:56:45
mbam-log-2013-02-06 (18-56-45).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 231927
Time elapsed: 3 minute(s), 33 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

-------------------------------------------

HitmanPro 3.7.2.188
www.hitmanpro.com

   Computer name . . . . : PETER-PC
   Windows . . . . . . . : 6.0.2.6002.X86/4
   User name . . . . . . : Peter-PC\Peter
   UAC . . . . . . . . . : Disabled
   License . . . . . . . : Free

   Scan date . . . . . . : 2013-02-06 19:19:21
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 1m 55s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No

   Threats . . . . . . . : 0
   Traces  . . . . . . . : 1

   Objects scanned . . . : 1,690,793
   Files scanned . . . . : 40,635
   Remnants scanned  . . : 381,657 files / 1,268,501 keys

Suspicious files ____________________________________________________________

   C:\$RECYCLE.BIN\S-1-5-21-480916403-1561097500-3401745183-1000\$RJGS0ZY.exe
      Size . . . . . . . : 2,126,936 bytes
      Age  . . . . . . . : 0.0 days (2013-02-06 19:10:57)
      Entropy  . . . . . : 8.0
      SHA-256  . . . . . : D9F0780A369FB15C7BF60A9C7483A490D02D749B75C7F142F032D8B94414B45A
      Copyright  . . . . : © 1997-2012 xxxxxxxxx⸠xxx xxx.
      RSA Key Size . . . : 2048
      Authenticode . . . : Invalid
      Fuzzy  . . . . . . : 34.0
         Program is altered or corrupted since it was code signed by its author. This is typical for malware and pirated software.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Time indicates that the file appeared recently on this computer.
         Authors name is missing in version info. This is not common to most programs.




----------------------------------------------------

ComboFix 13-02-06.01 - Peter 06/02/2013 19:43:15.1.4 - x86
Running from: c:\users\Peter\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((( Files Created from 2013-01-06 to 2013-02-06 )))))))))))))))))))))))))))))))
.
.
2013-02-06 19:50 . 2013-02-06 19:50 -------- d-----w- c:\users\Peter\AppData\Local\temp
2013-02-06 19:50 . 2013-02-06 19:50 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2013-02-06 19:50 . 2013-02-06 19:50 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-02-06 19:23 . 2013-02-06 19:24 -------- d-----w- C:\MGtools
2013-02-06 19:17 . 2013-02-06 19:18 -------- d-----w- c:\programdata\HitmanPro
2013-02-06 18:56 . 2013-02-06 18:56 -------- d-----w- C:\Malwarebytes' Anti-Malware
2013-02-06 18:26 . 2013-02-06 18:26 -------- d-----w- c:\program files\CCleaner
2013-02-06 12:56 . 2013-02-06 12:56 102400 ----a-w- c:\windows\system32\pcalesvc.dll
2013-02-05 19:51 . 2013-01-08 04:57 6991832 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{33311AAE-3BE6-4A72-BB3F-11A0DEA22A71}\mpengine.dll
2013-01-29 23:59 . 2013-01-29 23:59 -------- d-----w- c:\programdata\WindowsSearch
2013-01-11 20:06 . 2013-01-11 20:06 -------- d-----w- c:\users\Peter\AppData\Roaming\Template
2013-01-09 13:05 . 2013-01-09 13:05 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
2013-01-09 12:34 . 2012-11-23 01:35 2048000 ----a-w- c:\windows\system32\win32k.sys
2013-01-09 12:32 . 2012-11-20 04:22 204288 ----a-w- c:\windows\system32\ncrypt.dll
2013-01-09 12:32 . 2012-11-02 10:19 1400832 ----a-w- c:\windows\system32\msxml6.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-02-06 19:24 . 2013-02-06 19:23 40466 ----a-w- C:\MGlogs.zip
2013-01-17 01:28 . 2012-04-26 12:32 232336 ------w- c:\windows\system32\MpSigStub.exe
2013-01-09 12:38 . 2012-04-27 15:54 697864 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-01-09 12:38 . 2012-04-27 15:54 74248 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-16 13:12 . 2012-12-23 00:05 34304 ----a-w- c:\windows\system32\atmlib.dll
2012-12-16 10:50 . 2012-12-23 00:05 293376 ----a-w- c:\windows\system32\atmfd.dll
2012-12-14 16:49 . 2012-10-27 14:05 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-11-14 02:09 . 2012-12-12 19:31 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-11-14 01:58 . 2012-12-12 19:31 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-11-14 01:57 . 2012-12-12 19:31 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-11-14 01:49 . 2012-12-12 19:31 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-11-14 01:48 . 2012-12-12 19:31 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-11-14 01:44 . 2012-12-12 19:31 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-11-13 01:29 . 2012-12-12 18:50 2048 ----a-w- c:\windows\system32\tzres.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-10-30 22:50 121528 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2012-12-17 19:50 556648 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2012-12-17 19:50 556648 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2012-12-17 19:50 556648 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2012-12-17 19:50 556648 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-10-30 4297136]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfPf]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfRd]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^TP-LINK Wireless Configuration Utility.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\TP-LINK Wireless Configuration Utility.lnk
backup=c:\windows\pss\TP-LINK Wireless Configuration Utility.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-03-08 11:38 40048 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-11-28 14:13 59280 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BkupTray]
2008-02-26 01:57 34040 ----a-w- c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GoogleDriveSync]
2012-12-17 19:50 16328976 ----a-w- c:\program files\Google\Drive\googledrivesync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H2O]
2005-10-31 23:00 307200 ----a-w- c:\program files\Syncrosoft\POS\H2O\cledx.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-11-29 00:49 151952 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\M-Audio Taskbar Icon]
2009-07-29 13:28 252424 ----a-w- c:\windows\System32\MAFWTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2008-05-20 10:06 6144000 ----a-w- c:\windows\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2012-07-13 12:33 17418928 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skytel]
2007-11-20 10:15 1826816 ----a-w- c:\windows\SkyTel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spotify]
2012-08-21 19:46 5576408 ----a-w- c:\users\Peter\AppData\Roaming\Spotify\spotify.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spotify Web Helper]
2012-08-21 19:46 1193176 ----a-w- c:\users\Peter\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-17 10:07 252296 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WarReg_PopUp]
2006-11-05 20:48 57344 ----a-w- c:\acer\WR_PopUp\WarReg_PopUp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:23 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-480916403-1561097500-3401745183-1000]
"EnableNotificationsRef"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-02-06 13:18 1607120 ----a-w- c:\program files\Google\Chrome\Application\24.0.1312.57\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-02-06 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-27 12:38]
.
2013-02-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-06-13 17:07]
.
2013-02-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-06-13 17:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://forums.majorgeeks.com/showthread.php?t=139681
mStart Page = hxxp://en.uk.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.0.1
DPF: {0972B098-DEE9-4279-AC7E-4BAAA029102D} - hxxp://assets.photobox.com/assets/aurigma/ImageUploader5.cab?20120502053704
DPF: {82E5DF24-51E8-47CD-864A-F4BD5005AA73} - hxxps://www.icloud.com/system/iCloud.cab
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-02-06 19:50
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CakewalkPlugIns\˜º:*]
"Description"="Cakewal"
"HelpFilePath"=""
"HelpFileTopic"=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2013-02-06 19:52:50
ComboFix-quarantined-files.txt 2013-02-06 19:52
.
Pre-Run: 91,082,887,168 bytes free
Post-Run: 90,500,169,728 bytes free
.
- - End Of File - - 04DAAAC206BB315D6ECF6A10326B9591

----------------------------------------------------------------------

Thanks in advance.........


Edit: Since there is a ComboFix log, I am moving this to the more appropriate forum from the Am I Infected forum.
Roger

Edited by rotor123, 06 February 2013 - 04:08 PM.




#2 The Dark Knight

The Dark Knight

    The Magician


  • Security Colleague
  • 661 posts
  • OFFLINE
  • Gender:Male
  • Location:Krypton
  • Local time:07:00 AM

Posted 09 February 2013 - 06:12 PM

Hello and welcome to BleepingComputer. I am The Dark Knight and will be assisting you. Please ask questions if anything is unclear. :welcome:

 

Please be aware that running ComboFix without the supervision of a helper can be dangerous, as ComboFix sports some very powerful functions.

 

Please download OTL.exe by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe.
  • In the "Custom Scans/Fixes" window (under the light green bar) paste the following in bold:

    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

  • Click Run Scan and let the program run uninterrupted.
  • When the scan completes, it will open two Notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL. Post both logs in this thread.
  • You may need to use two posts to get it all.


If you make yourself more than just a man, if you devote yourself to an ideal...you become something else entirely. A legend, Mr. Wayne, a legend!


If I have helped you please consider donating to the Neuroscience Research Institute.


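The "This program is blocked by group policy" message in the thread title is produced by Windows policy that restricts which executables may run, most often Software Restriction Policies; a helper reading the OTL output above wants to know which policy keys are doing the blocking before deciding what to clean. The read-only PowerShell audit below is an added example written for this page; it is not code from the thread, from OldTimer's OTL or from ComboFix. It assumes the Vista/Windows 7 registry layout for Software Restriction Policies (Safer\CodeIdentifiers), AppLocker (SrpV2, absent on Vista) and the Explorer DisallowRun policy, and the function name Get-ExecutionPolicyRestrictions is my own.

```powershell
# Added example (not from the thread, OTL or ComboFix): list every policy location that can
# make Windows refuse to start a program, together with the values found there.
# Read-only: nothing is modified. Assumed (Vista/Win7-era) registry layout:
#   Safer\CodeIdentifiers  - Software Restriction Policies; DefaultLevel 0 = Disallowed
#   SrpV2                  - AppLocker rule collections (Windows 7 and later)
#   Policies\Explorer\DisallowRun - "Don't run specified Windows applications" list
$policyLocations = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SrpV2',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun'
)

# Hypothetical helper name (my own). Emits one object per registry value found under
# any of the policy locations, with a note for the SRP DefaultLevel value.
function Get-ExecutionPolicyRestrictions {
    foreach ($path in $policyLocations) {
        if (-not (Test-Path -LiteralPath $path)) { continue }

        # The key itself plus every rule key beneath it (SRP rules sit under
        # <level>\Paths\{GUID} and <level>\Hashes\{GUID}; AppLocker rules under SrpV2\<Collection>\{GUID}).
        # Keys with a deny ACL (ComboFix lists such keys as "@Denied") are skipped rather than failing the scan.
        $keys = @(Get-Item -LiteralPath $path -ErrorAction SilentlyContinue) +
                @(Get-ChildItem -LiteralPath $path -Recurse -ErrorAction SilentlyContinue)

        foreach ($key in $keys) {
            if ($null -eq $key) { continue }
            foreach ($name in $key.GetValueNames()) {
                $value = $key.GetValue($name)
                $note  = ''
                if ($name -eq 'DefaultLevel') {
                    # SAFER_LEVELID_DISALLOWED = 0, SAFER_LEVELID_FULLYTRUSTED = 0x40000
                    if ($value -eq 0)            { $note = 'SRP default is Disallowed: only whitelisted programs run' }
                    elseif ($value -eq 0x40000)  { $note = 'SRP default is Unrestricted; check the rule keys below' }
                }
                New-Object PSObject -Property @{
                    Key   = $key.Name
                    Name  = $name
                    Value = $value
                    Note  = $note
                }
            }
        }
    }
}

# Usage: run from an elevated PowerShell prompt and read the table; a DefaultLevel of 0 or any
# Paths/Hashes rule naming an anti-malware or browser executable explains the error message.
Get-ExecutionPolicyRestrictions | Select-Object Key, Name, Value, Note | Format-Table -AutoSize -Wrap
```

The script only reports; removing a policy is a decision for the helper once the log shows which rule is responsible, and a missing key simply means that policy type is not in effect on the machine.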


#3 bgardner_31

bgardner_31

  • Members
  • 32 posts
  • OFFLINE
  • Local time:03:00 PM

Posted 09 February 2013 - 11:32 PM

I am having a similar issue. "This program is blocked by group policy. For more information, contact your system administrator" comes up. I was able to scan avast by creating a guest account and opening by the small icon on the bottom of the screen. I also was able to scan, I found the following:

-C:Users\...\BetterInstaller.exe (status)Win32-Ezula-AGE

-C:\...\websChamberSquishy.Class Java:Agent-CLW

When I tried to move them to chest in avast nothing happened, the result is an error.

 

Hope this may help.  With this thread.  I downloaded OldTimer also.

 

I am new to these forums, please advise.

 

Thanks



#4 The Dark Knight

The Dark Knight

    The Magician


  • Security Colleague
  • 661 posts
  • OFFLINE
  • Gender:Male
  • Location:Krypton
  • Local time:07:00 AM

Posted 10 February 2013 - 12:14 AM

@bgardner_31: Please start your own thread. :)




#5 worden

worden
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:08:00 PM

Posted 10 February 2013 - 09:04 PM

OTL logfile created on: 11/02/2013 01:52:45 - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\Peter\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy
 
3.25 Gb Total Physical Memory | 2.29 Gb Available Physical Memory | 70.58% Memory free
6.71 Gb Paging File | 5.89 Gb Available in Paging File | 87.74% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 232.59 Gb Total Space | 86.76 Gb Free Space | 37.30% Space Free | Partition Type: NTFS
Drive D: | 348.93 Gb Total Space | 275.47 Gb Free Space | 78.95% Space Free | Partition Type: NTFS
Drive H: | 3.68 Gb Total Space | 3.68 Gb Free Space | 100.00% Space Free | Partition Type: FAT32
 
Computer Name: PETER-PC | User Name: Peter | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2013/02/11 01:51:49 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Peter\Desktop\OTL.exe
PRC - [2012/10/30 22:50:59 | 000,044,808 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe
PRC - [2009/04/11 06:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
 
 
========== Modules (No Company Name) ==========
 
 
========== Services (SafeList) ==========
 
SRV - [2013/02/08 12:38:24 | 000,251,248 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/10/30 22:50:59 | 000,044,808 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV - [2012/10/10 21:15:04 | 001,258,856 | ---- | M] (NVIDIA Corporation) [Disabled | Stopped] -- C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe -- (nvUpdatusService)
SRV - [2012/10/02 13:15:38 | 000,382,824 | ---- | M] (NVIDIA Corporation) [Disabled | Stopped] -- C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service)
SRV - [2012/07/03 12:19:28 | 000,160,944 | R--- | M] (Skype Technologies) [Disabled | Stopped] -- C:\Program Files\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2012/04/27 22:29:23 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [Disabled | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2011/03/31 14:36:56 | 000,061,440 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\TP-LINK\TP-LINK Wireless Configuration Utility\WJATH\WpsSupplicant.exe -- (WpsSupplicant)
SRV - [2011/03/31 14:36:52 | 000,954,368 | ---- | M] (Wireless) [Disabled | Stopped] -- C:\Program Files\TP-LINK\TP-LINK Wireless Configuration Utility\WPS\jswpsapi.exe -- (jswpsapi)
SRV - [2008/01/21 02:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
 
 
========== Driver Services (SafeList) ==========
 
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\Peter\AppData\Local\Temp\catchme.sys -- (catchme)
DRV - [2012/10/30 22:51:58 | 000,738,504 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\Windows\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2012/10/30 22:51:58 | 000,361,032 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2012/10/30 22:51:58 | 000,054,232 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2012/10/30 22:51:58 | 000,035,928 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswRdr.sys -- (AswRdr)
DRV - [2012/10/30 22:51:57 | 000,058,680 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV - [2012/10/30 22:51:56 | 000,021,256 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2012/10/10 21:14:28 | 010,837,352 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2011/08/02 15:38:44 | 000,018,432 | ---- | M] (Apple Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\netaapl.sys -- (Netaapl)
DRV - [2011/04/20 02:17:02 | 001,445,888 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\athur.sys -- (athur)
DRV - [2011/03/31 14:36:50 | 000,020,384 | ---- | M] (Atheros Communications, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\jswpslwf.sys -- (jswpslwf)
DRV - [2009/07/29 13:28:18 | 000,192,392 | ---- | M] (Avid Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mafw.sys -- (MAFW)
DRV - [2009/04/30 21:55:58 | 002,687,512 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\LV302V32.SYS -- (PID_PEPI)
DRV - [2007/12/19 06:45:00 | 000,170,000 | ---- | M] (AMD Technologies Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\ahcix86s.sys -- (ahcix86s)
DRV - [2006/10/30 03:23:12 | 000,007,680 | ---- | M] (ATI Technologies Inc.) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\AtiPcie.sys -- (AtiPcie)
DRV - [2005/05/09 19:08:40 | 000,033,792 | ---- | M] (Team H2O) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\cledx.sys -- (CLEDX)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://en.uk.acer.yahoo.com
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bleepingcomputer.com/forums/topic484365.html
IE - HKCU\..\SearchScopes,DefaultScope = {DECA3892-BA8F-44b8-A993-A466AD694AE4}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{DECA3892-BA8F-44b8-A993-A466AD694AE4}: "URL" = http://uk.search.yahoo.com/search?p={searchTerms}&fr=chr-acer
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
 
 
========== FireFox ==========
 
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.5.1: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.5.1: C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVision: C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVisionStreaming: C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
 
 
 
========== Chrome  ==========
 
 
O1 HOSTS File: ([2006/09/18 21:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O1 - Hosts: ::1             localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (no name) - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - No CLSID value found.
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {5CBE3B7C-1E47-477E-A7DD-396DB0476E29} - No CLSID value found.
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {0972B098-DEE9-4279-AC7E-4BAAA029102D} http://assets.photobox.com/assets/aurigma/ImageUploader5.cab?20120502053704 (PhotoboxPhotowaysUploader5 Control)
O16 - DPF: {82E5DF24-51E8-47CD-864A-F4BD5005AA73} https://www.icloud.com/system/iCloud.cab (iCloud Web App Plugin)
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} http://www.sibelius.com/download/software/win/ActiveXPlugin.cab (ScorchPlugin Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{35F36AEF-1F3F-4F55-BCD6-3D7EBDEF5C87}: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{9FCA12F7-02F4-4C4E-881B-BE9A75E053E5}: DhcpNameServer = 109.249.185.224 109.249.188.32
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Peter\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\Peter\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 21:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
 
NetSvcs: FastUserSwitchingCompatibility -  File not found
NetSvcs: Ias - C:\Windows\System32\ias.dll (Microsoft Corporation)
NetSvcs: Nla -  File not found
NetSvcs: Ntmssvc -  File not found
NetSvcs: NWCWorkstation -  File not found
NetSvcs: Nwsapagent -  File not found
NetSvcs: SRService -  File not found
NetSvcs: WmdmPmSp -  File not found
NetSvcs: LogonHours -  File not found
NetSvcs: PCAudit -  File not found
NetSvcs: helpsvc -  File not found
NetSvcs: uploadmgr -  File not found
 
Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: MSVideo - C:\Windows\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: MSVideo8 - C:\Windows\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)
Drivers32: VIDC.I420 - C:\Windows\System32\lvcodec2.dll (Logitech Inc.)
 
 CREATERESTOREPOINT
System Restore Service not available.
 
========== Files/Folders - Created Within 30 Days ==========
 
[2013/02/11 01:51:48 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Peter\Desktop\OTL.exe
[2013/02/11 01:49:31 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Local\{87613218-9B3B-4E06-8883-81AC41130E2B}
[2013/02/09 15:16:29 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Local\{AB1866DA-FE0F-4889-972B-C46B81B1D581}
[2013/02/08 11:45:15 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Local\{B1434B4B-5B70-4C71-A044-80353BEB2F65}
[2013/02/07 11:12:15 | 000,000,000 | ---D | C] -- C:\Users\Peter\Desktop\bass
[2013/02/07 10:44:29 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Local\{DCF7424E-CC95-43C5-A36C-E74E0DC789CD}
[2013/02/06 19:52:52 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Local\temp
[2013/02/06 19:51:53 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2013/02/06 19:41:44 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2013/02/06 19:41:44 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2013/02/06 19:41:44 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2013/02/06 19:41:27 | 000,000,000 | ---D | C] -- C:\Qoobox
[2013/02/06 19:41:00 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
[2013/02/06 19:40:20 | 005,030,751 | R--- | C] (Swearware) -- C:\Users\Peter\Desktop\ComboFix.exe
[2013/02/06 19:23:07 | 000,000,000 | ---D | C] -- C:\MGtools
[2013/02/06 19:17:22 | 000,000,000 | ---D | C] -- C:\ProgramData\HitmanPro
[2013/02/06 18:56:02 | 000,000,000 | ---D | C] -- C:\Malwarebytes' Anti-Malware
[2013/02/06 18:39:08 | 008,984,048 | ---- | C] (SurfRight B.V.) -- C:\Users\Peter\Desktop\HitmanPro.exe
[2013/02/06 18:38:44 | 002,213,976 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Peter\Desktop\TDSSKiller.exe
[2013/02/06 18:37:42 | 010,156,344 | ---- | C] (Malwarebytes Corporation                                    ) -- C:\Users\Peter\Desktop\mb.exe
[2013/02/06 18:26:04 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
[2013/02/06 18:26:03 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2013/02/06 18:25:10 | 003,145,768 | ---- | C] (Piriform Ltd) -- C:\Users\Peter\Desktop\ccsetup327_slim.exe
[2013/02/06 18:04:51 | 000,000,000 | ---D | C] -- C:\Windows\pss
[2013/02/06 13:18:28 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
[2013/02/06 12:56:49 | 000,102,400 | ---- | C] (ORG-1.216.75.171.024) -- C:\Windows\System32\pcalesvc.dll
[2013/02/06 12:48:20 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Local\{8FF86120-B776-468A-A774-A2A1DE32975D}
[2013/02/05 20:37:40 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Local\{DD0853FE-8662-47E6-9D82-2A5B5C4635B2}
[2013/02/04 16:00:40 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Local\{36F5C082-785C-4AAD-9757-D55B9D593681}
[2013/02/02 18:08:45 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Local\{FEE64DD0-DE4D-4DB5-8E5F-EB9A256C1707}
[2013/02/01 17:47:49 | 000,000,000 | ---D | C] -- C:\Users\Peter\Documents\AdobeStockPhotos
[2013/02/01 12:27:45 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Local\{6268BC3C-A247-4D69-8FF0-9B3292946722}
[2013/01/31 17:13:00 | 000,000,000 | ---D | C] -- C:\Users\Peter\Desktop\My XS1100
[2013/01/31 12:17:08 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Local\{638FDB1A-3DFB-437E-8B61-8AC16C02A05A}
[2013/01/30 22:43:14 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Local\{72F00406-9C79-4051-B2D2-DA75B2AA73A4}
[2013/01/29 23:59:46 | 000,000,000 | ---D | C] -- C:\ProgramData\WindowsSearch
[2013/01/29 23:36:04 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Local\{29EE1C4B-86E2-46D2-AD64-406C6C93E1A8}
[2013/01/29 23:34:24 | 000,000,000 | ---D | C] -- C:\Users\Peter\Desktop\Hastings Jan 2013
[2013/01/28 23:01:32 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Local\{C5A15E71-AF31-4DFB-B3CD-B778364D9637}
[2013/01/27 13:25:35 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Local\{CB2A466E-BC57-4DD8-A773-38605B706006}
[2013/01/24 13:24:23 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Local\{61BC6B1E-F359-4292-86B9-7F3C06F96E58}
[2013/01/24 01:24:09 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Local\{66F75573-8F27-4C92-9B59-0BCDE812339A}
[2013/01/23 13:19:17 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Local\{EDB19FAD-1A1B-4C22-B0CE-2EB7C8218C71}
[2013/01/22 21:07:46 | 000,000,000 | ---D | C] -- C:\Users\Peter\Desktop\Garden Birdies
[2013/01/22 12:36:57 | 000,000,000 | ---D | C] -- C:\Users\Peter\Desktop\Yamaha XS
[2013/01/22 12:33:46 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Local\{522D8C67-0F5A-477C-BF93-510E66386670}
[2013/01/22 00:33:31 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Local\{019680CB-4D27-476D-8C0D-2EF78A1DA206}
[2013/01/21 12:33:17 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Local\{A98E1560-B097-4940-9D25-CAEB9481109E}
[2013/01/20 17:59:56 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Local\{254F47F6-BD46-4C1A-8DD8-CE451A634606}
[2013/01/19 12:58:03 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Local\{1FE9FD5E-29F6-4D75-961F-2A1DDA9455AF}
[2013/01/18 19:00:39 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Local\{97077D34-6716-4E39-8849-31E1E70F0FB3}
[2013/01/16 21:21:16 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Local\{D8A2BA66-2779-4D53-BE3A-91BEF78E0722}
[2013/01/14 16:54:08 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Local\{C6C381BE-BB78-4D95-B5AC-DA4488FB2BDA}
 
========== Files - Modified Within 30 Days ==========
 
[2013/02/11 01:51:49 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Peter\Desktop\OTL.exe
[2013/02/11 01:41:42 | 000,608,760 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2013/02/11 01:41:42 | 000,108,268 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2013/02/11 01:38:16 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013/02/11 01:37:22 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2013/02/11 01:37:22 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2013/02/11 01:37:21 | 000,000,880 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2013/02/11 01:37:18 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013/02/11 01:37:16 | 3488,800,768 | -HS- | M] () -- C:\hiberfil.sys
[2013/02/09 15:27:00 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2013/02/08 12:38:24 | 000,697,712 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerApp.exe
[2013/02/08 12:38:24 | 000,074,096 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2013/02/06 19:40:43 | 005,030,751 | R--- | M] (Swearware) -- C:\Users\Peter\Desktop\ComboFix.exe
[2013/02/06 19:24:10 | 000,040,466 | ---- | M] () -- C:\Users\Peter\Desktop\MGlogs.zip
[2013/02/06 19:24:10 | 000,040,466 | ---- | M] () -- C:\MGlogs.zip
[2013/02/06 19:23:15 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2013/02/06 19:23:15 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2013/02/06 18:56:05 | 000,000,664 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2013/02/06 18:47:00 | 002,672,265 | ---- | M] () -- C:\Users\Peter\Desktop\IMG_1165.JPG
[2013/02/06 18:44:57 | 002,551,232 | ---- | M] () -- C:\Users\Peter\Desktop\IMG_1164.JPG
[2013/02/06 18:40:01 | 001,897,963 | ---- | M] () -- C:\MGtools.exe
[2013/02/06 18:39:11 | 008,984,048 | ---- | M] (SurfRight B.V.) -- C:\Users\Peter\Desktop\HitmanPro.exe
[2013/02/06 18:38:32 | 010,156,344 | ---- | M] (Malwarebytes Corporation                                    ) -- C:\Users\Peter\Desktop\mb.exe
[2013/02/06 18:37:10 | 000,778,240 | ---- | M] () -- C:\Users\Peter\Desktop\RogueKiller.exe
[2013/02/06 18:26:04 | 000,000,808 | ---- | M] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2013/02/06 18:25:54 | 003,145,768 | ---- | M] (Piriform Ltd) -- C:\Users\Peter\Desktop\ccsetup327_slim.exe
[2013/02/06 18:23:20 | 000,000,000 | ---- | M] () -- C:\Users\Peter\defogger_reenable
[2013/02/06 18:22:55 | 000,050,477 | ---- | M] () -- C:\Users\Peter\Desktop\Defogger.exe
[2013/02/06 13:52:05 | 001,056,768 | ---- | M] () -- C:\Windows\System32\defltbase.sdb
[2013/02/06 13:21:06 | 000,001,999 | ---- | M] () -- C:\Users\Peter\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2013/02/06 13:18:48 | 000,001,668 | ---- | M] () -- C:\Users\Peter\Application Data\Microsoft\Internet Explorer\Quick Launch\iTunes.lnk
[2013/02/06 12:56:49 | 000,102,400 | ---- | M] (ORG-1.216.75.171.024) -- C:\Windows\System32\pcalesvc.dll
[2013/02/01 16:35:32 | 000,013,432 | ---- | M] () -- C:\Users\Peter\Desktop\Pete Debts.ods
[2013/02/01 14:15:47 | 000,014,816 | ---- | M] () -- C:\Users\Peter\Desktop\Pete Heat Stag.ods
[2013/01/24 01:49:34 | 000,026,113 | ---- | M] () -- C:\Users\Peter\Desktop\MARRIED MONEY.ods
[2013/01/21 21:42:44 | 000,100,792 | ---- | M] () -- C:\Users\Peter\Desktop\Pete Heat_Stag_Contact_List-1.numbers
[2013/01/19 13:23:58 | 000,011,877 | ---- | M] () -- C:\Users\Peter\Desktop\PC 12749 WARDEN PDR November 2012.pdf
[2013/01/17 01:28:58 | 000,232,336 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\MpSigStub.exe
[2013/01/14 18:02:03 | 000,248,547 | ---- | M] () -- C:\Users\Peter\Desktop\Tuscany-Unglazed.jpg
[2013/01/14 16:58:08 | 000,283,912 | ---- | M] () -- C:\Users\Peter\Desktop\Warden 2.pdf
[2013/01/14 16:57:29 | 000,348,426 | ---- | M] () -- C:\Users\Peter\Desktop\Warden 1.pdf
 
========== Files Created - No Company Name ==========
 
[2013/02/07 11:12:38 | 002,672,265 | ---- | C] () -- C:\Users\Peter\Desktop\IMG_1165.JPG
[2013/02/07 11:12:38 | 002,551,232 | ---- | C] () -- C:\Users\Peter\Desktop\IMG_1164.JPG
[2013/02/06 19:41:44 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2013/02/06 19:41:44 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2013/02/06 19:41:44 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2013/02/06 19:41:44 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2013/02/06 19:41:44 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2013/02/06 19:25:01 | 000,040,466 | ---- | C] () -- C:\Users\Peter\Desktop\MGlogs.zip
[2013/02/06 19:23:15 | 000,000,000 | RHS- | C] () -- C:\MSDOS.SYS
[2013/02/06 19:23:15 | 000,000,000 | RHS- | C] () -- C:\IO.SYS
[2013/02/06 19:23:12 | 000,040,466 | ---- | C] () -- C:\MGlogs.zip
[2013/02/06 18:56:04 | 000,000,664 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2013/02/06 18:40:01 | 001,897,963 | ---- | C] () -- C:\MGtools.exe
[2013/02/06 18:37:10 | 000,778,240 | ---- | C] () -- C:\Users\Peter\Desktop\RogueKiller.exe
[2013/02/06 18:26:04 | 000,000,808 | ---- | C] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2013/02/06 18:23:20 | 000,000,000 | ---- | C] () -- C:\Users\Peter\defogger_reenable
[2013/02/06 18:22:55 | 000,050,477 | ---- | C] () -- C:\Users\Peter\Desktop\Defogger.exe
[2013/02/06 13:52:04 | 001,056,768 | ---- | C] () -- C:\Windows\System32\defltbase.sdb
[2013/02/06 13:18:48 | 000,001,668 | ---- | C] () -- C:\Users\Peter\Application Data\Microsoft\Internet Explorer\Quick Launch\iTunes.lnk
[2013/02/06 13:18:28 | 000,001,999 | ---- | C] () -- C:\Users\Peter\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2013/01/27 14:18:07 | 000,014,816 | ---- | C] () -- C:\Users\Peter\Desktop\Pete Heat Stag.ods
[2013/01/21 21:42:44 | 000,100,792 | ---- | C] () -- C:\Users\Peter\Desktop\Pete Heat_Stag_Contact_List-1.numbers
[2013/01/19 13:23:58 | 000,011,877 | ---- | C] () -- C:\Users\Peter\Desktop\PC 12749 WARDEN PDR November 2012.pdf
[2013/01/14 18:02:22 | 000,248,547 | ---- | C] () -- C:\Users\Peter\Desktop\Tuscany-Unglazed.jpg
[2013/01/14 16:58:08 | 000,283,912 | ---- | C] () -- C:\Users\Peter\Desktop\Warden 2.pdf
[2013/01/14 16:57:29 | 000,348,426 | ---- | C] () -- C:\Users\Peter\Desktop\Warden 1.pdf
[2013/01/11 20:06:52 | 000,000,208 | ---- | C] () -- C:\Users\Peter\AppData\Roaming\wklnhst.dat
[2012/11/06 23:34:40 | 000,122,798 | ---- | C] () -- C:\Windows\hpoins14.dat
[2012/11/06 23:34:40 | 000,001,996 | ---- | C] () -- C:\Windows\hpomdl14.dat
[2012/06/14 15:31:12 | 000,163,840 | ---- | C] () -- C:\Windows\System32\ArtFfct.dll
[2012/05/01 15:39:21 | 000,023,552 | ---- | C] () -- C:\Users\Peter\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/04/27 23:12:20 | 000,118,784 | ---- | C] () -- C:\Windows\dsdxirmv.exe
[2012/04/26 12:51:52 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2012/04/26 12:51:52 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2012/04/26 01:24:51 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
 
========== ZeroAccess Check ==========
 
[2006/11/02 12:54:22 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/08 17:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/04/11 06:28:19 | 000,614,912 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009/04/11 06:28:25 | 000,347,648 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
========== Custom Scans ==========
 
<  %SYSTEMDRIVE%\*.* >
[2008/03/15 22:42:09 | 000,091,973 | ---- | M] () -- C:\-20080315.log
[2006/09/18 21:43:36 | 000,000,024 | ---- | M] () -- C:\autoexec.bat
[2009/04/11 06:36:36 | 000,333,257 | RHS- | M] () -- C:\bootmgr
[2008/03/15 07:19:11 | 000,008,192 | R-S- | M] () -- C:\BOOTSECT.BAK
[2012/04/26 12:34:44 | 000,000,090 | ---- | M] () -- C:\CLMS.log
[2013/02/06 19:52:50 | 000,012,253 | ---- | M] () -- C:\ComboFix.txt
[2006/09/18 21:43:37 | 000,000,010 | ---- | M] () -- C:\config.sys
[2012/04/26 12:35:57 | 000,000,090 | ---- | M] () -- C:\Creator.log
[2013/02/11 01:37:16 | 3488,800,768 | -HS- | M] () -- C:\hiberfil.sys
[2013/02/06 19:23:15 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2012/04/26 12:33:22 | 000,000,090 | ---- | M] () -- C:\MDisc.log
[2012/04/26 12:34:00 | 000,000,090 | ---- | M] () -- C:\MDR.log
[2013/02/06 19:24:10 | 000,040,466 | ---- | M] () -- C:\MGlogs.zip
[2013/02/06 18:40:01 | 001,897,963 | ---- | M] () -- C:\MGtools.exe
[2013/02/06 19:23:15 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2013/02/11 01:37:15 | 3802,411,008 | -HS- | M] () -- C:\pagefile.sys
[2012/04/26 12:35:17 | 000,000,090 | ---- | M] () -- C:\PnR.log
[2012/04/26 12:35:40 | 000,000,090 | ---- | M] () -- C:\PSD.log
[2012/04/25 23:24:11 | 000,000,477 | ---- | M] () -- C:\RHDSetup.log
[2012/10/27 13:49:23 | 000,000,370 | ---- | M] () -- C:\rkill.log
[2012/04/26 12:34:22 | 000,000,090 | ---- | M] () -- C:\SDMA.log
[2013/02/06 19:13:06 | 000,000,156 | ---- | M] () -- C:\TDSSKiller.2.7.37.0_06.02.2013_19.13.04_log.txt
[2013/02/06 19:13:18 | 000,000,156 | ---- | M] () -- C:\TDSSKiller.2.7.37.0_06.02.2013_19.13.16_log.txt
[2013/02/06 19:13:27 | 000,000,348 | ---- | M] () -- C:\TDSSKiller.2.7.37.0_06.02.2013_19.13.26_log.txt
[2013/02/06 19:14:10 | 000,000,348 | ---- | M] () -- C:\TDSSKiller.2.7.37.0_06.02.2013_19.14.08_log.txt
[2013/02/06 19:06:43 | 000,004,392 | ---- | M] () -- C:\TDSSKiller.2.8.15.0_06.02.2013_19.06.41_log.txt
[2013/02/06 19:07:43 | 000,029,620 | ---- | M] () -- C:\TDSSKiller.2.8.15.0_06.02.2013_19.07.38_log.txt
[2013/02/06 19:07:59 | 000,032,920 | ---- | M] () -- C:\TDSSKiller.2.8.15.0_06.02.2013_19.07.52_log.txt
[2013/02/06 19:08:11 | 000,029,392 | ---- | M] () -- C:\TDSSKiller.2.8.15.0_06.02.2013_19.08.06_log.txt
[2013/02/06 19:08:21 | 000,033,616 | ---- | M] () -- C:\TDSSKiller.2.8.15.0_06.02.2013_19.08.16_log.txt
[2013/02/06 19:08:33 | 000,033,902 | ---- | M] () -- C:\TDSSKiller.2.8.15.0_06.02.2013_19.08.27_log.txt
[2013/02/06 19:08:43 | 000,038,414 | ---- | M] () -- C:\TDSSKiller.2.8.15.0_06.02.2013_19.08.38_log.txt
[2013/02/06 19:14:19 | 000,004,392 | ---- | M] () -- C:\TDSSKiller.2.8.15.0_06.02.2013_19.14.18_log.txt
[2013/02/06 19:15:25 | 000,031,402 | ---- | M] () -- C:\TDSSKiller.2.8.15.0_06.02.2013_19.15.20_log.txt
 
<  %systemroot%\*. /mp /s >
 
<  HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >
 
<  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2013-02-08 11:53:09
 
<   >

< End of report >


OTL Extras logfile created on: 11/02/2013 01:52:45 - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\Peter\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

3.25 Gb Total Physical Memory | 2.29 Gb Available Physical Memory | 70.58% Memory free
6.71 Gb Paging File | 5.89 Gb Available in Paging File | 87.74% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 232.59 Gb Total Space | 86.76 Gb Free Space | 37.30% Space Free | Partition Type: NTFS
Drive D: | 348.93 Gb Total Space | 275.47 Gb Free Space | 78.95% Space Free | Partition Type: NTFS
Drive H: | 3.68 Gb Total Space | 3.68 Gb Free Space | 100.00% Space Free | Partition Type: FAT32

Computer Name: PETER-PC | User Name: Peter | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-480916403-1561097500-3401745183-1000]
"EnableNotifications" = 0
"EnableNotificationsRef" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{1B93D7A2-6B65-48DF-BF2F-E3A4D54CD418}" = lport=2869 | protocol=6 | dir=in | name=windows live communications platform (upnp) |
"{EBC61D0D-D10B-4534-9B9E-C416DE510AC8}" = lport=1900 | protocol=17 | dir=in | name=windows live communications platform (ssdp) |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{09085228-7305-4D87-B74A-49AB77D14C89}" = protocol=17 | dir=in | app=c:\users\peter\appdata\roaming\spotify\spotify.exe |
"{244081A4-F606-479A-8847-74FBD08B3D34}" = protocol=17 | dir=in | app=c:\users\peter\appdata\roaming\spotify\spotify.exe |
"{35335F4F-8F78-4115-8677-69DBA9E93A0D}" = dir=in | app=c:\program files\common files\apple\apple application support\webkit2webprocess.exe |
"{5250CFD2-3A1D-4EF0-9D60-E6A3416A6DA3}" = dir=in | app=c:\program files\windows live\contacts\wlcomm.exe |
"{5594115A-58CF-4B18-B6F7-BBCB4857430F}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{73F254DB-5526-425A-B267-FA69C6465AAA}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |
"{8E4E5F70-B657-480F-9A16-A6721F59FCAE}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{92827FDC-4F8D-4C47-8E96-311C796C7EC3}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{AE25F898-9B59-4D80-A624-170C1C921267}" = protocol=6 | dir=in | app=c:\program files\newtech infosystems\nti backup now 5\client\agentsvc.exe |
"{BCEC63C9-9970-41DB-B7A1-2368E097BF72}" = protocol=6 | dir=in | app=c:\users\peter\appdata\roaming\spotify\spotify.exe |
"{D60C65F9-B1FC-4A5F-93C7-3D650A77480D}" = protocol=17 | dir=in | app=c:\program files\newtech infosystems\nti backup now 5\backupsvc.exe |
"{DCE5BB6B-210E-4C26-8171-0E16DB113DE4}" = protocol=6 | dir=in | app=c:\program files\newtech infosystems\nti backup now 5\schedulersvc.exe |
"{E04AC6CD-DBF7-4A01-9D2E-863D3FE24767}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{E240B5E8-EC97-4926-9834-ED0E9894C852}" = protocol=17 | dir=in | app=c:\program files\newtech infosystems\nti backup now 5\client\agentsvc.exe |
"{E2C215F4-37AD-4ADD-9E07-996149881F5D}" = protocol=17 | dir=in | app=c:\program files\newtech infosystems\nti backup now 5\schedulersvc.exe |
"{E4C179BC-1E8C-4A78-A345-8048207A2FFA}" = protocol=6 | dir=in | app=c:\users\peter\appdata\roaming\spotify\spotify.exe |
"{EACF3A79-7442-45FF-A3A9-3655717E4976}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{F2F6D2C8-B5A1-448F-8E7D-1371FEB5A597}" = protocol=6 | dir=in | app=c:\program files\newtech infosystems\nti backup now 5\backupsvc.exe |
"{F4261412-8FFE-4A9F-9391-7F932CD6EDF5}" = dir=in | app=c:\program files\itunes\itunes.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0046FA01-C5B9-4985-BACB-398DC480FC05}" = Adobe Photoshop CS3
"{04AF207D-9A77-465A-8B76-991F6AB66245}" = Adobe Help Viewer CS3
"{08B32819-6EEF-4057-AEDA-5AB681A36A23}" = Adobe Bridge Start Meeting
"{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
"{1111706F-666A-4037-7777-211328764D10}" = JavaFX 2.1.1
"{12EFA1A4-AC3B-443C-8143-237EDE760403}" = NTI Backup Now Standard
"{166FCF01-AC98-4288-A01C-90BEB808C059}" = Sony RAW Driver
"{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}" = Adobe WinSoft Linguistics Plugin
"{1B6C0E95-182C-48E0-9C4B-4F916308249C}" = iTunes
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1F6AB0E7-8CDD-4B93-8A23-AA9EB2FEFCE4}" = Junk Mail filter update
"{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
"{2413930C-8309-47A6-BC61-5EF27A4222BC}" = NTI Media Maker 8
"{26A24AE4-039D-4CA4-87B4-2F83217005FF}" = Java™ 7 Update 5
"{29E5EA97-5F74-4A57-B8B2-D4F169117183}" = Adobe Stock Photos CS3
"{2A3FC24C-6EC0-4519-A52B-FDA4EA9B2D24}" = Windows Live Messenger
"{2F28B3C9-2C89-4206-8B33-8ADC9577C49B}" = Scan
"{319D91C6-3D44-436C-9F79-36C0D22372DC}" = TP-LINK Wireless Configuration Utility
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{459699C3-9430-4381-964B-4248D87B49F9}" = Apple Mobile Device Support
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4C4D25EB-6513-4702-8355-F4194DE2E1D9}" = Waves 4.0
"{4C7F547E-DDE3-51BF-1D2E-04816F30AD66}" = ATI Catalyst Install Manager
"{51071D66-D034-4239-94E0-723FCA10B6FE}" = OpenOffice.org 3.4
"{51846830-E7B2-4218-8968-B77F0FF475B8}" = Adobe Color EU Extra Settings
"{54793AA1-5001-42F4-ABB6-C364617C6078}" = Adobe Linguistics CS3
"{579684A4-DDD5-4CA3-9EA8-7BE7D9593DB4}" = Windows Live UX Platform Language Pack
"{5DA8F6CD-C70E-39D8-8430-3D9808D6BD17}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30411
"{5DD4FCBD-A3C1-4155-9E17-4161C70AAABA}" = Segoe UI
"{62FE0726-9652-4CD2-9F09-C769D8699C21}" = TL-WN822N/TL-WN821N Driver
"{64522D5F-4743-4939-8E22-B1878FB68772}" = M-Audio FireWire Driver 6.0.1 (x86)
"{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites
"{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
"{6ABE0BEE-D572-4FE8-B434-9E72A289431B}" = Adobe Fonts All
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}" = Adobe Asset Services CS3
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour
"{7A21C722-F259-4976-B7AA-6658E5FDEDAF}" = Google Drive
"{7D0E9A21-712B-41EC-B328-D344C8C6197F}" = Account Unity Profile Manager
"{802771A9-A856-4A41-ACF7-1450E523C923}" = Adobe XMP Panels CS3
"{812E40AB-3433-4BEF-BEA5-E37878DDC884}" = FINIS
"{83C292B7-38A5-440B-A731-07070E81A64F}" = Windows Live PIMT Platform
"{868291A4-229E-4795-B0B0-E60E87AF53CD}" = Sibelius Scorch (ActiveX Only)
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}" = Adobe Device Central CS3
"{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
"{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}" = Adobe Type Support
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{2314F9A1-126F-45CC-8A5E-DFAF866F3FBC}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{90176341-0A8B-4CCC-A78D-F862228A6B95}" = Adobe Anchor Service CS3
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{95655ED4-7CA5-46DF-907F-7144877A32E5}" = Adobe Color NA Recommended Settings
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9C9824D9-9000-4373-A6A5-D0E5D4831394}" = Adobe Bridge CS3
"{9D56775A-93F3-44A3-8092-840E3826DE30}" = Windows Live Mail
"{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}" = Adobe CMaps
"{A2D81E70-2A98-4A08-A628-94388B063C5E}" = Adobe Color - Photoshop Specific
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
"{AAAFC670-569B-4A2F-82B4-42945E0DE3EF}" = Windows Live Writer
"{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}" = PDF Settings
"{AC76BA86-7AD7-1033-7B44-A81000000003}" = Adobe Reader 8.1.0
"{AF7FC1CA-79DF-43c3-90A3-33EFEB9294CE}" = AIO_Scan
"{AF844339-2F8A-4593-81B3-9F4C54038C4E}" = Windows Live MIME IFilter
"{B2C61EBB-F47C-48ba-B375-27A40F8F48F7}" = HP Deskjet All-In-One Software 9.0
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision" = NVIDIA 3D Vision Driver 306.97
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.ControlPanel" = NVIDIA Control Panel 306.97
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver" = NVIDIA Graphics Driver 306.97
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update" = NVIDIA Update 1.10.8
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA Install Application
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_NVIDIA.Update" = NVIDIA Update Components
"{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}" = Adobe Camera Raw 4.0
"{B4F35A00-24FD-4fb3-BF5E-413D5423434D}" = DJ_AIO_Software_min
"{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}" = Adobe Default Language CS3
"{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}" = Adobe ExtendScript Toolkit 2
"{C49624DD-C504-4279-B9E0-65A2EB6E1619}" = PG583_32_inf
"{C6150D8A-86ED-41D3-87BB-F3BB51B0B77F}" = Windows Live ID Sign-in Assistant
"{C66824E4-CBB3-4851-BB3F-E8CFD6350923}" = Windows Live Mail
"{CCE825DB-347A-4004-A186-5F4A6FDD8547}" = Apple Application Support
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CE386A4E-D0DA-4208-8235-BCE43275C694}" = LightScribe  1.4.142.1
"{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
"{D0DFF92A-492E-4C40-B862-A74A173C25C5}" = Adobe Version Cue CS3 Client
"{D1BB4446-AE9C-4256-9A7F-4D46604D2462}" = Adobe Setup
"{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}" = Adobe PDF Library Files
"{D436F577-1695-4D2F-8B44-AC76C99E0002}" = Windows Live Photo Common
"{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
"{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}" = Adobe Color Common Settings
"{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}" = Adobe Color JA Extra Settings
"{DDC8BDEE-DCAC-404D-8257-3E8D4B782467}" = Windows Live Writer Resources
"{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
"{E5B21F11-6933-4E0B-A25C-7963E3C07D11}" = Windows Live Messenger
"{E69AE897-9E0B-485C-8552-7841F48D42D8}" = Adobe Update Manager CS3
"{E9C18EBD-85BE-47D0-AA73-3FEDCC976B04}" = Toolbox
"{EE7257A2-39A2-4D2F-9DAC-F9F25B8AE1D8}" = Skype™ 5.10
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}" = 32 Bit HP CIO Components Installer
"{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}" = Windows Live Essentials
"Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe_2ac78060bc5856b0c1cf873bb919b58" = Adobe Photoshop CS3
"Antares Auto-Tune v4.39" = Antares Auto-Tune v4.39
"Arturia Moog Modular V2 v1.0" = Arturia Moog Modular V2 v1.0
"avast" = avast! Free Antivirus
"CCleaner" = CCleaner
"D7EC1A6C98F357A7E4C53FF66325D99F66B1F590" = Windows Driver Package - YUAN High-Tech Development Co. Ltd. (OmniTV) Media  (12/14/2007 6.1.32.42)
"DreamStation DXi2" = DreamStation DXi2
"Edirol HQ Orchestral v1.01" = Edirol HQ Orchestral v1.01
"Free RAR Extract Frog" = Free RAR Extract Frog
"GForce.Software.Minimonsta.RTAS.VSTi.v1.02-DAC" = GForce.Software.Minimonsta.RTAS.VSTi.v1.02-DAC
"Google Chrome" = Google Chrome
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"InstallShield_{12EFA1A4-AC3B-443C-8143-237EDE760403}" = NTI Backup Now 5
"InstallShield_{2413930C-8309-47A6-BC61-5EF27A4222BC}" = NTI Media Maker 8
"Keyword Pad_is1" = Keyword Pad v1.0.112706
"KORG Legacy Collection - DIGITAL EDITION v1.0.0 " = KORG Legacy Collection - DIGITAL EDITION v1.0.0
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.70.0.1100
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Native Instruments Elektrik Piano" = Native Instruments Elektrik Piano
"Native Instruments Guitar Rig 3" = Native Instruments Guitar Rig 3
"NVIDIAStereo" = NVIDIA Stereoscopic 3D Driver
"Sonalksis Plugins Bundle VST DX RTAS v1.0" = Sonalksis Plugins Bundle VST DX RTAS v1.0
"SONAR8Producer_is1" = SONAR 8.0 Producer Edition
"Steinberg VoiceMachine v1.0" = Steinberg VoiceMachine v1.0
"SyncroSoft Emu" = SyncroSoft Emu (Remove only)
"Syncrosoft's License Control" = Syncrosoft's License Control
"TimewARP 2600 v1.10" = TimewARP 2600 v1.10
"UltraISO_is1" = UltraISO Premium V9.52
"Waves Diamond Bundle v5.0" = Waves Diamond Bundle v5.0
"Waves SSL Collection v1.2" = Waves SSL Collection v1.2
"Waves Znoise v1.0" = Waves Znoise v1.0
"WinLiveSuite" = Windows Live Essentials
"WinRAR archiver" = WinRAR 4.20 (32-bit)
"Wizoo WizooVerb W2  VST RTAS v1.0" = Wizoo WizooVerb W2  VST RTAS v1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Spotify" = Spotify

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 06/02/2013 13:49:10 | Computer Name = Peter-PC | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 9.0.8112.16457, time stamp
0x50a2f9e3, faulting module MSHTML.dll, version 9.0.8112.16457, time stamp 0x50a30507,
exception code 0xc0000005, fault offset 0x004252e3,  process id 0x62c, application
start time 0x01ce049235ed8b81.

Error - 06/02/2013 13:57:56 | Computer Name = Peter-PC | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 9.0.8112.16457, time stamp
0x50a2f9e3, faulting module ole32.dll, version 6.0.6002.18277, time stamp 0x4c28d53e,
exception code 0xc0000005, fault offset 0x0002f18e,  process id 0x6bc, application
start time 0x01ce049365395031.

Error - 06/02/2013 13:58:09 | Computer Name = Peter-PC | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 9.0.8112.16457, time stamp
0x50a2f9e3, faulting module ole32.dll, version 6.0.6002.18277, time stamp 0x4c28d53e,
exception code 0xc0000005, fault offset 0x0002f19f,  process id 0x12d4, application
start time 0x01ce049383f2e9f1.

Error - 06/02/2013 14:00:13 | Computer Name = Peter-PC | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 9.0.8112.16457, time stamp
0x50a2f9e3, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception
code 0xc0000005, fault offset 0x00000527,  process id 0xf34, application start time
0x01ce04938ca6f0f1.

Error - 06/02/2013 14:09:08 | Computer Name = Peter-PC | Source = WinMgmt | ID = 10
Description =

Error - 06/02/2013 14:24:44 | Computer Name = Peter-PC | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 9.0.8112.16457, time stamp
0x50a2f9e3, faulting module MSHTML.dll, version 9.0.8112.16457, time stamp 0x50a30507,
exception code 0xc0000005, fault offset 0x00117f5a,  process id 0xcb0, application
start time 0x01ce0495155c8a5b.

Error - 06/02/2013 14:44:42 | Computer Name = Peter-PC | Source = WinMgmt | ID = 10
Description =

Error - 06/02/2013 14:49:06 | Computer Name = Peter-PC | Source = Application Error | ID = 1000
Description = Faulting application RogueKiller.exe, version 8.4.4.0, time stamp
0x5110eb80, faulting module pcalesvc.dll, version 3.3.7.6, time stamp 0x510f9348,
exception code 0xc0000005, fault offset 0x00005722,  process id 0xb78, application
start time 0x01ce049aa0ecddbc.

Error - 06/02/2013 14:49:16 | Computer Name = Peter-PC | Source = Application Error | ID = 1000
Description = Faulting application RogueKiller.exe, version 8.4.4.0, time stamp
0x5110eb80, faulting module pcalesvc.dll, version 3.3.7.6, time stamp 0x510f9348,
exception code 0xc0000005, fault offset 0x00005722,  process id 0xcf4, application
start time 0x01ce049aa9fb977c.

Error - 06/02/2013 14:50:09 | Computer Name = Peter-PC | Source = Application Error | ID = 1000
Description = Faulting application RogueKiller.exe, version 8.4.4.0, time stamp
0x5110eb80, faulting module pcalesvc.dll, version 3.3.7.6, time stamp 0x510f9348,
exception code 0xc0000005, fault offset 0x00005722,  process id 0xcec, application
start time 0x01ce049ac974b0ac.

[ System Events ]
Error - 09/05/2012 20:07:47 | Computer Name = Peter-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 09/05/2012 20:11:26 | Computer Name = Peter-PC | Source = Service Control Manager | ID = 7009
Description =

Error - 09/05/2012 20:11:26 | Computer Name = Peter-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 09/05/2012 20:12:38 | Computer Name = Peter-PC | Source = Service Control Manager | ID = 7009
Description =

Error - 09/05/2012 20:12:38 | Computer Name = Peter-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 09/05/2012 20:17:33 | Computer Name = Peter-PC | Source = Service Control Manager | ID = 7009
Description =

Error - 09/05/2012 20:17:33 | Computer Name = Peter-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 09/05/2012 20:17:33 | Computer Name = Peter-PC | Source = Service Control Manager | ID = 7009
Description =

Error - 09/05/2012 20:17:33 | Computer Name = Peter-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 24/05/2012 16:29:35 | Computer Name = Peter-PC | Source = Service Control Manager | ID = 7023
Description =


< End of report >



#6 The Dark Knight (Security Colleague)

Posted 11 February 2013 - 12:23 AM

Good afternoon worden,

I would like to see the results of this scan please.

For 32-bit (x86) systems please download the Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
For 64-bit (x64) systems please download the Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using the Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

Then:
  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • Notepad opens. Under the File menu select Open.
  • Select Computer, find your flash drive letter and close Notepad.
  • In the command window type e:\frst.exe (for the 64-bit version type e:\frst64) and press Enter.
    Note: Replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it in your reply.

If you make yourself more than just a man, if you devote yourself to an ideal...you become something else entirely. A legend, Mr. Wayne, a legend!


If I have helped you please consider donating to the Neuroscience Research Institute.




#7 worden (Topic Starter)

Posted 12 February 2013 - 08:39 AM

Thanks for your help so far.


I've tried several times now but this isn't working.  After choosing 'repair your computer' it boots to a login screen, asking for a name and password I don't have.  I've never set one up since I restored the PC last.  I've tried it from a USB drive and from a flash card, both do the same.......



#8 The Dark Knight (Security Colleague)

Posted 13 February 2013 - 04:28 AM

Good evening worden,

Time to try something else.

Please download to the Desktop RogueKiller (by tigzy).
  • Please quit all programs.
  • Start RogueKiller.exe.
  • Wait until Prescan has finished.
  • Click on Scan.
  • Click on Report and copy/paste the contents of the report in your next reply.



#9 worden (Topic Starter)

Posted 13 February 2013 - 09:14 AM

It won't run.  As soon as I double click I get an error message "roguekiller.exe has stopped working."



#10 The Dark Knight (Security Colleague)

Posted 13 February 2013 - 03:34 PM

Hello worden,


Please download and run the following tool to help allow other programs to run (courtesy of BleepingComputer.com).

  • There are 3 different versions. If one of them won't run then download and try to run the other one.
  • Vista and Win7 users need to right click and choose Run as Admin.
  • You only need to get one of them to run, not all of them.

rkill.exe
rkill.com
rkill.scr

It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested on another computer and then transfer them to the Desktop of the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.

Before proceeding any further, the processes that belong to Windows Recovery need to be terminated so that they do not interfere with the cleaning procedure.

Double-click on the RKill.exe icon in order to automatically attempt to stop any processes associated with Windows Recovery and other Rogue programs.

Please do not reboot your computer.


Now try running RogueKiller.




#11 worden (Topic Starter)

Posted 13 February 2013 - 08:46 PM

Ok, success....


rkill.exe worked.  I've run roguekiller and have the following report......


RogueKiller V8.5.1 [Feb 12 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : Peter [Admin rights]
Mode : Scan -- Date : 02/14/2013 01:44:32
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 7 ¤¤¤
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKCU\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1       localhost
::1             localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD6400AAKS-22A7B0 ATA Device +++++
--- User ---
[MBR] 40a6aeb14a41546388aa5600d70c41dd
[BSP] 5b16f27ed4f219e9391068f799c19e79 : Acer tatooed MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 63 | Size: 15005 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 30734336 | Size: 238170 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 518506496 | Size: 357302 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive3: Generic- SD/MMC USB Device +++++
--- User ---
[MBR] e1081c0feb0c15b931ef016b4c9f1ce1
[BSP] df4f83c1f72e36823a12b0dfc7617313 : MBR Code unknown
Partition table:
0 - [XXXXXX] FAT32 (0x0b) [VISIBLE] Offset (sectors): 8192 | Size: 3776 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1]_S_02142013_02d0144.txt >>
RKreport[1]_S_02142013_02d0144.txt



#12 The Dark Knight (Security Colleague)

Posted 14 February 2013 - 03:30 AM

Hey worden,


Please re-run RKill.

  • Then, please re-run RogueKiller.
  • Click on the Delete button.
  • The report has been created on the Desktop. Please post it in your reply.


What issues remain?




#13 worden (Topic Starter)

Posted 16 February 2013 - 11:32 AM

Done.  Avast still won't open however.....


RogueKiller V8.5.1 [Feb 12 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : Peter [Admin rights]
Mode : Remove -- Date : 02/16/2013 16:26:42
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 7 ¤¤¤
[HJ] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
[HJ DESK] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKCU\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1       localhost
::1             localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD6400AAKS-22A7B0 ATA Device +++++
--- User ---
[MBR] 40a6aeb14a41546388aa5600d70c41dd
[BSP] 5b16f27ed4f219e9391068f799c19e79 : Acer tatooed MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 63 | Size: 15005 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 30734336 | Size: 238170 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 518506496 | Size: 357302 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive3: Generic- SD/MMC USB Device +++++
--- User ---
[MBR] e1081c0feb0c15b931ef016b4c9f1ce1
[BSP] df4f83c1f72e36823a12b0dfc7617313 : MBR Code unknown
Partition table:
0 - [XXXXXX] FAT32 (0x0b) [VISIBLE] Offset (sectors): 8192 | Size: 3776 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[3]_D_02162013_02d1626.txt >>
RKreport[1]_S_02142013_02d0144.txt ; RKreport[2]_S_02162013_02d1559.txt ; RKreport[3]_D_02162013_02d1626.txt



#14 The Dark Knight (Security Colleague)

Posted 16 February 2013 - 05:54 PM

Hey worden,


OK please uninstall avast! via your Control Panel.


Then download a new version from here:


avast!


Does avast! work now?




#15 worden (Topic Starter)

Posted 16 February 2013 - 09:15 PM

"You do not have sufficient access to uninstall avast! Free Antivirus.  Please contact your system administrator."


ARRRGGGHHH!!!
