TechSpot

Some help with my computer?

Solved
By Allst-half
Oct 23, 2012
  1. Allst-half

    Allst-half TS Rookie Topic Starter Posts: 37

    I tried to start windows in normal mode, and the issue with the script error report seems to have disappeared.
    When connected to internet, the pages take between 4 and 5 minutes to download. I only use the startup site and this site, and I never open emails (except related to Techspot) with this infected PC.
     
  2. Broni

    Broni Malware Annihilator Posts: 47,022   +255

    Go ahead with my previous reply.
     
  3. Allst-half

    Allst-half TS Rookie Topic Starter Posts: 37

    Report 5:

    RogueKiller V8.2.0 [10/22/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website: http://tigzy.geekstogo.com/roguekiller.php
    Blog: http://tigzyrk.blogspot.com
    Operating System: Windows 7 (6.1.7601 Service Pack 1) 32 bits version
    Started in : Normal mode
    User : Allan [Admin rights]
    Mode : Scan -- Date : 10/25/2012 05:21:57
    ¤¤¤ Bad processes : 0 ¤¤¤
    ¤¤¤ Registry Entries : 0 ¤¤¤
    ¤¤¤ Particular Files / Folders: ¤¤¤
    ¤¤¤ Driver : [LOADED] ¤¤¤
    IRP[IRP_MJ_CREATE] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
    IRP[IRP_MJ_CLOSE] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
    IRP[IRP_MJ_DEVICE_CONTROL] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
    IRP[IRP_MJ_INTERNAL_DEVICE_CONTROL] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
    IRP[IRP_MJ_POWER] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
    IRP[IRP_MJ_SYSTEM_CONTROL] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
    IRP[IRP_MJ_PNP] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
    ¤¤¤ Extern Hives: ¤¤¤
    -> D:\windows\system32\config\SOFTWARE
    -> D:\Users\AS\NTUSER.DAT
    -> D:\Users\Default\NTUSER.DAT
    -> D:\Users\Default User\NTUSER.DAT
    -> D:\Documents and Settings\Default\NTUSER.DAT
    -> D:\Documents and Settings\Default User\NTUSER.DAT
    -> D:\Documents and Settings\JEJ\NTUSER.DAT
    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\Windows\system32\drivers\etc\hosts

    ¤¤¤ MBR Check: ¤¤¤
    +++++ PhysicalDrive0: WDC WD6401AALS-00L3B2 ATA Device +++++
    --- User ---
    [MBR] 3abadc3e0a09666d883124ca372a879d
    [BSP] 27436fbfff8fd41db5b6f7a2b92e7b24 : Windows 7 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 149900 Mo
    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 307202048 | Size: 120000 Mo
    3 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 552962048 | Size: 340478 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!
    +++++ PhysicalDrive1: USB Flash Memory USB Device +++++
    --- User ---
    [MBR] 08d4a4ff7771df7294cef168b07ba0fe
    [BSP] 0b303904ef3a366223eac251a6bd315d : MBR Code unknown
    Partition table:
    0 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 8064 | Size: 7682 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!
    Finished : << RKreport[5].txt >>
    RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt ; RKreport[5].txt
     
  4. Allst-half

    Allst-half TS Rookie Topic Starter Posts: 37

    Report 6 after deleting files:

    RogueKiller V8.2.0 [10/22/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website: http://tigzy.geekstogo.com/roguekiller.php
    Blog: http://tigzyrk.blogspot.com
    Operating System: Windows 7 (6.1.7601 Service Pack 1) 32 bits version
    Started in : Normal mode
    User : Allan [Admin rights]
    Mode : Remove -- Date : 10/25/2012 05:24:13
    ¤¤¤ Bad processes : 0 ¤¤¤
    ¤¤¤ Registry Entries : 0 ¤¤¤
    ¤¤¤ Particular Files / Folders: ¤¤¤
    ¤¤¤ Driver : [LOADED] ¤¤¤
    IRP[IRP_MJ_CREATE] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
    IRP[IRP_MJ_CLOSE] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
    IRP[IRP_MJ_DEVICE_CONTROL] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
    IRP[IRP_MJ_INTERNAL_DEVICE_CONTROL] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
    IRP[IRP_MJ_POWER] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
    IRP[IRP_MJ_SYSTEM_CONTROL] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
    IRP[IRP_MJ_PNP] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x86CE91E8)
    ¤¤¤ Extern Hives: ¤¤¤
    -> D:\windows\system32\config\SOFTWARE
    -> D:\Users\AS\NTUSER.DAT
    -> D:\Users\Default\NTUSER.DAT
    -> D:\Users\Default User\NTUSER.DAT
    -> D:\Documents and Settings\Default\NTUSER.DAT
    -> D:\Documents and Settings\Default User\NTUSER.DAT
    -> D:\Documents and Settings\JEJ\NTUSER.DAT
    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\Windows\system32\drivers\etc\hosts

    ¤¤¤ MBR Check: ¤¤¤
    +++++ PhysicalDrive0: WDC WD6401AALS-00L3B2 ATA Device +++++
    --- User ---
    [MBR] 3abadc3e0a09666d883124ca372a879d
    [BSP] 27436fbfff8fd41db5b6f7a2b92e7b24 : Windows 7 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 149900 Mo
    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 307202048 | Size: 120000 Mo
    3 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 552962048 | Size: 340478 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!
    +++++ PhysicalDrive1: USB Flash Memory USB Device +++++
    --- User ---
    [MBR] 08d4a4ff7771df7294cef168b07ba0fe
    [BSP] 0b303904ef3a366223eac251a6bd315d : MBR Code unknown
    Partition table:
    0 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 8064 | Size: 7682 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!
    Finished : << RKreport[6].txt >>
    RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt ; RKreport[5].txt ;
    RKreport[6].txt
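    The two RogueKiller reports above show the same pattern: every IRP dispatch entry of mountmgr.sys redirected to one address that the tool cannot attribute to a module, plus an MBR check per physical drive. The following is an added triage helper, not RogueKiller's own code and not from the poster; it assumes only the line shapes visible in the reports (the `IRP[...] : <driver> -> HOOKED ([MAJOR] <owner> @ <addr>)` lines and the `+++++ PhysicalDriveN: ... +++++` / `[BSP] <md5> : <description>` lines). The sample report, its hook address, hashes and the `example.sys` owner are constructed for the example. It groups hooks by driver and target address, rates a group "high" when the owner is Unknown (several dispatch entries pointing at one unattributed address is the usual signature of a kernel-mode hook), and marks drives whose boot sector code is not recognised for review rather than as malicious, since removable media often carry vendor boot code.

```python
"""Triage helper for RogueKiller-style scan reports (added example, not the tool's code)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in the same shape as the posted reports; the hook target
# address, the MD5 values and "example.sys" are made up for this example.
SAMPLE_REPORT = r"""
RogueKiller V8.2.0 [10/22/2012] by Tigzy
Mode : Scan -- Date : 10/25/2012 05:21:57
IRP[IRP_MJ_CREATE] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x11223344)
IRP[IRP_MJ_DEVICE_CONTROL] : \SystemRoot\System32\drivers\mountmgr.sys -> HOOKED ([MAJOR] Unknown @ 0x11223344)
IRP[IRP_MJ_READ] : \SystemRoot\System32\drivers\disk.sys -> HOOKED ([MAJOR] example.sys @ 0x55667788)
+++++ PhysicalDrive0: EXAMPLE DISK +++++
[MBR] 00000000000000000000000000000001
[BSP] 00000000000000000000000000000002 : Windows 7 MBR Code
+++++ PhysicalDrive1: EXAMPLE USB +++++
[MBR] 00000000000000000000000000000003
[BSP] 00000000000000000000000000000004 : MBR Code unknown
"""

# Line shapes taken from the posted reports (assumed stable for this example).
IRP_RE = re.compile(
    r"^IRP\[(?P<major>IRP_MJ_[A-Z_]+)\] : (?P<driver>\S+) -> HOOKED "
    r"\(\[MAJOR\] (?P<owner>.+?) @ (?P<addr>0x[0-9A-Fa-f]+)\)$"
)
DRIVE_RE = re.compile(r"^\+{5} (?P<drive>PhysicalDrive\d+): (?P<desc>.+?) \+{5}$")
BSP_RE = re.compile(r"^\[BSP\] (?P<md5>[0-9a-fA-F]{32}) : (?P<code>.+)$")


@dataclass(frozen=True)
class IrpHook:
    major: str   # dispatch entry, e.g. IRP_MJ_CREATE
    driver: str  # driver whose dispatch table is hooked
    owner: str   # module the tool attributes the hook to ("Unknown" if none)
    addr: int    # address the entry now points at


@dataclass(frozen=True)
class DriveCheck:
    drive: str
    desc: str
    bsp_md5: str  # hash of the boot sector code, as reported
    code: str     # tool's description of that code


def parse_report(text):
    """Extract hooked IRP entries and per-drive MBR checks from a report."""
    hooks, drives = [], []
    current = None  # drive header seen most recently
    for raw in text.splitlines():
        line = raw.strip()
        if m := IRP_RE.match(line):
            hooks.append(IrpHook(m["major"], m["driver"], m["owner"], int(m["addr"], 16)))
        elif m := DRIVE_RE.match(line):
            current = (m["drive"], m["desc"])
        elif (m := BSP_RE.match(line)) and current:
            drives.append(DriveCheck(current[0], current[1], m["md5"].lower(), m["code"]))
    return hooks, drives


def triage(hooks, drives):
    """Return (severity, message) pairs for an analyst to review."""
    findings = []
    by_target = defaultdict(list)
    for h in hooks:
        by_target[(h.driver, h.addr)].append(h)
    for (driver, addr), group in by_target.items():
        owners = sorted({h.owner for h in group})
        # Several dispatch entries sent to one unattributed address is the
        # classic shape of a kernel hook; an attributed owner is just "info".
        sev = "high" if "Unknown" in owners else "info"
        findings.append((sev, f"{driver}: {len(group)} IRP entries redirected to "
                              f"{addr:#x} (owner: {', '.join(owners)})"))
    for d in drives:
        if "unknown" in d.code.lower():
            findings.append(("review", f"{d.drive} ({d.desc}): boot code not recognised, "
                                       f"BSP md5 {d.bsp_md5}"))
        else:
            findings.append(("info", f"{d.drive} ({d.desc}): {d.code}"))
    return findings


if __name__ == "__main__":
    h, d = parse_report(SAMPLE_REPORT)
    for sev, msg in triage(h, d):
        print(f"[{sev}] {msg}")
```

    Run against a real report the "high" line is the one to chase first; the unattributed address is what a kernel debugger or a memory image would need to be inspected at, while the "review" entries are resolved by comparing the reported BSP hash against a known-good image of the same media.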
     
  5. Allst-half

    Allst-half TS Rookie Topic Starter Posts: 37

    I'm not so sure this would be a good time to make a restore point in the system. The reason is that the old restore point would be deleted, where connection to internet is perhaps possible without safety mode. What do you think?
    Is it absolutely necessary?
     
  6. Broni

    Broni Malware Annihilator Posts: 47,022   +255

    A new restore point (if the limit is reached) will erase only the oldest restore point.
    Go ahead and do it.
     
  7. Allst-half

    Allst-half TS Rookie Topic Starter Posts: 37

    It's done!
    I must also inform you that last session in safety mode with network crashed. So it's gonna be a close shave if we get this machine operational again :)
     
  8. Broni

    Broni Malware Annihilator Posts: 47,022   +255

    I still need Combofix log.
     
  9. Allst-half

    Allst-half TS Rookie Topic Starter Posts: 37

    Yes, I have just run combofix as prescribed. One major fix is that now it's possible to turn the firewall on :) It's been done! But the problem with internet connections is still there. Perhaps I need to re-install explorer or delete the cookies and such? I still have to use the safety mode to post these messages and logs.

    Thank you so much this far, there have been a lot of improvements I think!

    Here's the combo log:

    ComboFix 12-10-24.02 - Allan 25.10.2012 6:20.1.4 - x86
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.47.1044.18.3579.2600 [GMT 2:00]
    Kjører fra: c:\users\Allan\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Andre slettinger )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\ErrLog.txt
    C:\prefs.js
    c:\program files\facemoods.com
    c:\program files\facemoods.com\facemoods\1.4.17.11\bh\facemoods.dll
    c:\program files\facemoods.com\facemoods\1.4.17.11\facemoods.crx
    c:\program files\facemoods.com\facemoods\1.4.17.11\facemoods.png
    c:\program files\facemoods.com\facemoods\1.4.17.11\facemoodsApp.dll
    c:\program files\facemoods.com\facemoods\1.4.17.11\facemoodsEng.dll
    c:\program files\facemoods.com\facemoods\1.4.17.11\facemoodssrv.exe
    c:\program files\facemoods.com\facemoods\1.4.17.11\facemoodsTlbr.dll
    c:\program files\facemoods.com\facemoods\1.4.17.11\uninstall.exe
    c:\program files\INSTALL.LOG
    c:\users\Allan\AppData\Local\.#
    c:\windows\IsUn0414.exe
    c:\windows\system32\drivers\hwinterface.sys
    c:\windows\system32\roboot.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivere/Tjenester )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Service_nvsvc
    -------\Legacy_hwinterface
    -------\Service_hwinterface
    .
    .
    ((((((((((((((((((((((((((( Filer Opprettet Fra 2012-09-25 til 2012-10-25 )))))))))))))))))))))))))))))))))
    .
    .
    2012-10-25 04:26 . 2012-10-25 04:29 -------- d-----w- c:\users\Allan\AppData\Local\temp
    2012-10-25 04:26 . 2012-10-25 04:26 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
    2012-10-25 02:40 . 2012-10-17 00:32 6918632 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{163AEA63-3079-48E4-92BF-BB4C8B34EA63}\mpengine.dll
    2012-10-24 23:33 . 2012-10-24 23:33 -------- d-----w- C:\FRST
    2012-10-23 21:46 . 2012-10-17 00:32 6918632 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-10-23 01:58 . 2012-08-23 09:31 32120 ----a-w- c:\windows\system32\TURegOpt.exe
    2012-10-23 01:58 . 2012-08-23 09:31 21880 ----a-w- c:\windows\system32\authuitu.dll
    2012-10-23 01:57 . 2012-10-23 01:57 -------- d-----w- c:\users\Allan\AppData\Roaming\AVG
    2012-10-23 01:57 . 2012-10-23 01:58 -------- d-----w- c:\programdata\AVG
    2012-10-23 01:56 . 2012-10-23 01:56 -------- d-sh--w- c:\programdata\{D1D4879F-2279-49C9-AEBF-3B95C84EAA8F}
    2012-10-23 00:44 . 2012-10-23 00:44 -------- d-----w- c:\users\Allan\AppData\Roaming\Malwarebytes
    2012-10-23 00:44 . 2012-10-23 00:44 -------- d-----w- c:\programdata\Malwarebytes
    2012-10-23 00:43 . 2012-10-23 00:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-10-23 00:43 . 2012-09-29 17:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-10-20 18:21 . 2012-10-20 18:21 -------- d-----w- c:\program files\Common Files\Java
    2012-10-20 18:21 . 2012-10-20 18:21 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
    2012-10-20 18:21 . 2012-10-20 18:21 -------- d-----w- c:\program files\Java
    2012-10-20 18:20 . 2012-10-20 18:20 -------- d-----w- c:\programdata\McAfee
    2012-10-20 15:18 . 2012-10-20 15:18 19076 ----a-w- C:\FixitRegBackup.reg
    2012-10-20 13:52 . 2012-10-20 13:52 -------- d-----w- c:\users\Allan\AppData\Local\AVG Secure Search
    2012-10-20 13:52 . 2012-10-20 13:52 -------- d-----w- c:\users\Allan\AppData\Roaming\TuneUp Software
    2012-10-20 13:52 . 2012-10-24 17:08 -------- d-----w- c:\programdata\AVG Secure Search
    2012-10-20 13:52 . 2012-10-20 13:52 26984 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
    2012-10-20 13:52 . 2012-10-20 13:52 -------- d-----w- c:\program files\Common Files\AVG Secure Search
    2012-10-20 13:51 . 2012-10-20 13:51 -------- d-----w- C:\$AVG
    2012-10-20 13:51 . 2012-10-24 17:11 -------- d-----w- c:\program files\AVG
    2012-10-20 13:49 . 2012-10-20 13:49 -------- d--h--w- c:\programdata\Common Files
    2012-10-16 23:42 . 2012-10-16 23:42 -------- d-sh--w- c:\windows\system32\%APPDATA%
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-10-20 18:21 . 2011-12-24 12:46 473072 ----a-w- c:\windows\system32\deployJava1.dll
    2012-10-08 22:01 . 2012-05-05 11:25 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-10-08 22:01 . 2011-06-08 09:41 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-08-30 20:03 . 2012-08-30 20:03 193552 ----a-w- c:\windows\system32\drivers\MpFilter.sys
    2012-08-30 20:03 . 2010-10-24 20:25 99272 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
    2012-08-07 14:18 . 2010-03-07 00:47 237072 ------w- c:\windows\system32\MpSigStub.exe
    .
    .
    (((((((((((((((((((((((((((((((( Oppstartspunkter I Registeret )))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Merk* tomme oppføringer & gyldige standardoppføringer vises ikke
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    2012-01-03 15:31 1514152 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2012-01-03 1514152]
    .
    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2012-01-03 1514152]
    .
    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2012-02-28 321328]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-06-25 7547424]
    "TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2008-04-09 2595792]
    "AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2008-04-09 909208]
    "Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2008-04-09 136472]
    "vmware-tray"="c:\program files\VMware\VMware Workstation\vmware-tray.exe" [2010-01-22 129584]
    "ProfilerU"="c:\program files\Saitek\SD6\Software\ProfilerU.exe" [2009-06-03 237568]
    "SaiMfd"="c:\program files\Saitek\SD6\Software\SaiMfd.exe" [2009-06-03 131072]
    "ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2012-01-03 1391272]
    "NBAgent"="c:\program files\Nero\Nero 11\Nero BackItUp\NBAgent.exe" [2011-09-20 1493288]
    "PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2011-11-15 312376]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    "EnableLinkedConnections"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
    .
    R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdriverx.sys [x]
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
    R3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\DRIVERS\dc3d.sys [x]
    R3 hidmini;Filter Driver Service for HID-KMDF Interface layer;c:\windows\system32\DRIVERS\hidmini.sys [x]
    R3 hidtopgun;HID Minidriver for EMS TopGun;c:\windows\system32\DRIVERS\hidtopgun.sys [x]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [x]
    R3 SaiH075C;SaiH075C;c:\windows\system32\DRIVERS\SaiH075C.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    S0 NBVol;Nero Backup Volume Filter Driver;c:\windows\system32\DRIVERS\NBVol.sys [x]
    S0 NBVolUp;Nero Backup Volume Upper Filter Driver;c:\windows\system32\DRIVERS\NBVolUp.sys [x]
    S0 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
    S1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [x]
    S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [x]
    S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]
    S2 NAUpdate;Nero Update;c:\program files\Nero\Update\NASvc.exe [x]
    S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [x]
    S2 TuneUp.UtilitiesSvc;AVG PC TuneUp Service;c:\program files\AVG\AVG PC TuneUp\TuneUpUtilitiesService32.exe [x]
    S2 vmci;VMware vmci;c:\windows\system32\Drivers\vmci.sys [x]
    S2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [x]
    S2 vToolbarUpdater13.2.0;vToolbarUpdater13.2.0;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\13.2.0\ToolbarUpdater.exe [x]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]
    S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\AVG\AVG PC TuneUp\TuneUpUtilitiesDriver32.sys [x]
    .
    .
    Innholdet I mappen 'Scheduled Tasks' (planlagte oppgaver)
    .
    2012-10-24 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-05 22:01]
    .
    .
    ------- Tilleggsskanning -------
    .
    uStart Page = hxxp://www.online.no/
    mStart Page = hxxp://no.woofi.info/
    uInternet Settings,ProxyOverride = *.local
    LSP: c:\program files\VMware\VMware Workstation\vsocklib.dll
    Trusted Zone: cnet.com\download
    Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\13.2.0\ViProtocol.dll
    .
    - - - - TOMME PEKERE FJERNET - - - -
    .
    URLSearchHooks-{687578b9-7132-4a7a-80e4-30ee31099e03} - (no file)
    WebBrowser-{687578B9-7132-4A7A-80E4-30EE31099E03} - (no file)
    WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
    HKCU-Run-DAEMON Tools Lite - g:\utilities\Daemon Tools Lite\DTLite.exe
    HKLM-Run-facemoods - c:\program files\facemoods.com\facemoods\1.4.17.11\facemoodssrv.exe
    HKLM-Run-vProt - c:\program files\AVG Secure Search\vprot.exe
    HKLM-Run-ROC_roc_ssl_v12 - c:\program files\AVG Secure Search\ROC_roc_ssl_v12.exe
    AddRemove-12noon Display Changer - g:\utilities\Display Changer\12noon Display Changer\Uninstall.exe
    AddRemove-Atari800Win PLus - g:\systems\ATARI 800\EMULATORS\Atari 800Win Plus 4.0 beta 7\Atari800WinPLus\Uninstall.exe
    AddRemove-BeebEm_is1 - g:\systems\BBC MICRO\EMULATORS\BeebEm\BeebEm\unins000.exe
    AddRemove-DAEMON Tools Lite - g:\utilities\Daemon Tools Lite\uninst.exe
    AddRemove-DemonStar Full v3.25 - g:\systems\PC SYSTEM\INSTALLS\DEMONSTAR\Uninstal.exe
    AddRemove-facemoods - c:\program files\facemoods.com\facemoods\1.4.17.11\uninstall.exe
    AddRemove-Free Audio Converter_is1 - g:\utilities\Audio Converter\Free Audio Converter\unins000.exe
    AddRemove-Free Screen To Video_is1 - h:\video programmer\Free Screen To Video\unins000.exe
    AddRemove-Gamebase 264_is1 - g:\frontends\GAMEBASE\C264\unins000.exe
    AddRemove-GameBase_is1 - g:\frontends\GAMEBASE\unins000.exe
    AddRemove-Half-Life Source - g:\systems\PC SYSTEM\INSTALLS\Half Life Source Super\Game\uninstall.exe
    AddRemove-Hurrican_is1 - g:\systems\PC SYSTEM\INSTALLS\Hurrican (from POKE 53280)\Hurrican\unins000.exe
    AddRemove-JoyIDs - g:\utilities\JoyIDs\uninstall.exe
    AddRemove-kat5200_is1 - g:\systems\ATARI 5200\EMULATORS\KAT 5200 0.62\kat5200\unins000.exe
    AddRemove-Khameleon_is1 - g:\frontends\Khameleon\unins000.exe
    AddRemove-ModPlug Player v1.46_is1 - g:\frontends\GAMEBASE\GameBase Amiga\modplugplayer\unins000.exe
    AddRemove-pcsx2-r4600 - g:\systems\PLAYSTATION 2\EMULATORS\PCSX2 0.98\PCSX2 0.9.8\Uninst-pcsx2-r4600.exe
    AddRemove-S4Uninst - c:\windows\IsUn0414.exe
    AddRemove-The GameBase64 Collection_is1 - g:\frontends\GAMEBASE\GBC_v07\unins000.exe
    AddRemove-Vcc - g:\systems\TRS-80\EMULATORS\VCC 1.42\Vcc\uninstall.exe
    AddRemove-WinUAE - g:\frontends\GAMEBASE\GameBase Amiga\Emulators\uninstall_winuae.exe
    AddRemove-ZD Soft Game Recorder - h:\zd soft game recorder\Game Recorder\Uninstall.exe
    AddRemove-{BFC63ABB-E036-4B84-9796-051C06C0A82E}_is1 - g:\systems\PC SYSTEM\INSTALLS\Defenstar\Defenstar 1.1 version\Defenstar\unins000.exe
    AddRemove-{EA426461-31AA-4AB3-B15D-EDD748F08394}_is1 - h:\video programmer\YouTube FLW\YouTube FLV Downloader\unins000.exe
    AddRemove-Defenstar - g:\systems\PC SYSTEM\INSTALLS\Defenstar\The Game\Uninstal.exe
    .
    .
    .
    --------------------- LÅSTE REGISTERNØKLER ---------------------
    .
    [HKEY_USERS\S-1-5-21-2559753181-3935304610-3998308970-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    "??"=hex:eb,ee,d5,b7,79,44,c1,fc,89,b0,c0,26,26,ec,3a,a4,1a,dd,0f,82,26,c7,25,
    75,07,83,29,f2,ce,ec,1d,49,71,92,34,a6,c8,ac,68,c6,c6,6d,16,e5,16,bf,30,0e,\
    "??"=hex:3e,64,52,59,fb,62,fa,b9,18,98,f0,4e,32,ff,d8,81
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    --------------------- DLL'er Lastet Av Kjørende Prosesser ---------------------
    .
    - - - - - - - > 'lsass.exe'(864)
    c:\windows\system32\relog_ap.DLL
    .
    ------------------------ Andre Kjørende Prosesser ------------------------
    .
    c:\program files\Microsoft Security Client\MsMpEng.exe
    c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
    c:\windows\system32\vmnat.exe
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    c:\program files\VMware\VMware Workstation\vmware-authd.exe
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    c:\windows\system32\vmnetdhcp.exe
    c:\windows\system32\WUDFHost.exe
    c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
    c:\windows\system32\taskhost.exe
    c:\windows\system32\conhost.exe
    c:\program files\AVG\AVG PC TuneUp\TuneUpUtilitiesApp32.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\windows\system32\DllHost.exe
    c:\windows\system32\sppsvc.exe
    .
    **************************************************************************
    .
    Tidspunkt ferdig: 2012-10-25 06:32:05 - maskinen ble startet på nytt
    ComboFix-quarantined-files.txt 2012-10-25 04:32
    .
    Pre-Run: 43 395 043 328 byte ledig
    Post-Run: 43 460 362 240 byte ledig
    .
    - - End Of File - - A0027D4105AE71C136141550A07CE608
     
  10. Allst-half

    Allst-half TS Rookie Topic Starter Posts: 37

    I'll have to take a break now for some hours sleep, so we'll continue the process later. A million thanks this far!
     
  11. Broni

    Broni Malware Annihilator Posts: 47,022   +255

    :)

    Uninstall:
    Ask Toolbar
    Ask Toolbar Updater
    ...typical foistware.

    Combofix log looks good.

    I need to know what exact problems you're experiencing in normal mode.
     
     
  12. Allst-half

    Allst-half TS Rookie Topic Starter Posts: 37

    I'm writing this response in normal Windows mode, but it takes a lot of time between each step. It's like this:
    Opening explorer and the screen is white for about 1 minute.
    Then the startup site with email login appears, but I can't click on username and password for another 2-4 minutes.
    After this the email posts enter the screen relatively quickly, within 5-10 seconds.
    Then I select the latest email from the Techspot and it shows the content within 5 seconds.
    When I'm clicking the link inside the email to return to the forum, I'll have to wait 3-4 minutes again.
    Entering the forum, but can't respond immediately as the marker for text is not visible. Have to wait another 2-3 minutes.
    And so it continues. I wonder what could be the reason for the delays?
    Anyway, this must be some minor fault. All in all it works, just taking a bit of extra time :)

    I'm gonna remove the ASK addons in the Explorer menu-bar, if I'm able to. Perhaps that could resolve some of the delays.

    Great help you've provided, Broni. Where would I be without you? Thank you so much!

    Today I received the DVD with Windows 7 Home Premium 32-bit English, and without your help the formatting process would've taken place this evening.
     
  13. Broni

    Broni Malware Annihilator Posts: 47,022   +255

    :)

    Open IE, go to Tools > Internet options > Advanced tab and click on the "Reset" button.
    Restart IE.
    Better?

    Download OTL to your Desktop.
    Alternate download: http://www.itxassociates.com/OT-Tools/OTL.exe

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  14. Allst-half

    Allst-half TS Rookie Topic Starter Posts: 37

    I'm so sorry for the long delay in responding. It's not me you know. I did what you said, removed the ASK bar and then I reset the computer, then I had to wait at least 10 minutes to get to the advanced settings in IE, since the options in the IE menu were ghosted at start. Reset the computer again. The passwords to my email accounts had to be written this time, so I guess all passwords and logins have been removed now.

    The problem is still there, even seems worse than earlier. I'm using the laptop to write this response.
    Tried from safety mode with net connection, but even there the same thing happened.

    A requester came up while I was connected on the other machine, wishing me to upgrade to IE 9. I refused. I think the viruses got to my machine last through some JAVA updates. Don't trust these anymore.
    I have turned off the JAVA updates on this laptop, but still they appear every time, like hoping I'm gonna push a wrong button.

    I was able to download OTL to the desktop before I shut down. But it complicates the process of responding and leaving posts of course. I will try to respond within 2 hours from now. Dinner you see! :)
     
  15. Allst-half

    Allst-half TS Rookie Topic Starter Posts: 37

    OTL logfile created on: 25.10.2012 22:51:00 - Run 1
    OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Allan\Desktop
    Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000414 | Country: Norge | Language: NOR | Date Format: dd.MM.yyyy

    3,50 Gb Total Physical Memory | 2,55 Gb Available Physical Memory | 73,01% Memory free
    6,99 Gb Paging File | 6,04 Gb Available in Paging File | 86,39% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 146,39 Gb Total Space | 40,59 Gb Free Space | 27,73% Space Free | Partition Type: NTFS
    Drive D: | 117,19 Gb Total Space | 100,74 Gb Free Space | 85,97% Space Free | Partition Type: NTFS
    Drive E: | 332,50 Gb Total Space | 51,96 Gb Free Space | 15,63% Space Free | Partition Type: NTFS

    Computer Name: UD6 | User Name: Allan | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2012.10.25 20:35:32 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Allan\Desktop\OTL.exe
    PRC - [2012.10.20 15:52:01 | 000,711,112 | ---- | M] () -- C:\Programfiler\Common Files\AVG Secure Search\vToolbarUpdater\13.2.0\ToolbarUpdater.exe
    PRC - [2012.09.29 19:54:26 | 000,766,536 | ---- | M] (Malwarebytes Corporation) -- C:\Programfiler\Malwarebytes' Anti-Malware\mbamgui.exe
    PRC - [2012.09.29 19:54:26 | 000,676,936 | ---- | M] (Malwarebytes Corporation) -- C:\Programfiler\Malwarebytes' Anti-Malware\mbamservice.exe
    PRC - [2012.09.29 19:54:26 | 000,399,432 | ---- | M] (Malwarebytes Corporation) -- C:\Programfiler\Malwarebytes' Anti-Malware\mbamscheduler.exe
    PRC - [2012.09.12 17:25:22 | 000,020,472 | ---- | M] (Microsoft Corporation) -- C:\Programfiler\Microsoft Security Client\MsMpEng.exe
    PRC - [2012.09.12 17:19:44 | 000,947,176 | ---- | M] (Microsoft Corporation) -- C:\Programfiler\Microsoft Security Client\msseces.exe
    PRC - [2012.08.23 11:31:24 | 001,532,280 | ---- | M] (AVG) -- C:\Programfiler\AVG\AVG PC TuneUp\TuneUpUtilitiesService32.exe
    PRC - [2012.08.23 11:31:24 | 001,222,008 | ---- | M] (AVG) -- C:\Programfiler\AVG\AVG PC TuneUp\TuneUpUtilitiesApp32.exe
    PRC - [2012.02.28 04:34:31 | 000,321,328 | ---- | M] (BitTorrent, Inc.) -- C:\Programfiler\uTorrent\uTorrent.exe
    PRC - [2011.11.15 05:50:22 | 000,312,376 | ---- | M] (Power Software Ltd) -- C:\Programfiler\PowerISO\PWRISOVM.EXE
    PRC - [2011.09.23 19:37:42 | 000,641,832 | ---- | M] (Nero AG) -- C:\Programfiler\Nero\Update\NASvc.exe
    PRC - [2011.05.21 07:01:00 | 002,214,504 | ---- | M] (NVIDIA Corporation) -- C:\Programfiler\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
    PRC - [2011.02.25 07:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
    PRC - [2010.11.20 14:17:56 | 001,121,792 | ---- | M] (Microsoft Corporation) -- C:\Programfiler\Windows Media Player\wmpnetwk.exe
    PRC - [2010.11.20 14:17:47 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
    PRC - [2010.09.21 14:03:14 | 001,710,464 | ---- | M] (Microsoft Corp.) -- C:\Programfiler\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
    PRC - [2010.09.21 14:03:14 | 000,193,408 | ---- | M] (Microsoft Corp.) -- C:\Programfiler\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
    PRC - [2010.01.22 23:13:24 | 000,395,824 | ---- | M] (VMware, Inc.) -- C:\Windows\System32\vmnat.exe
    PRC - [2010.01.22 23:13:08 | 000,129,584 | ---- | M] (VMware, Inc.) -- C:\Programfiler\VMware\VMware Workstation\vmware-tray.exe
    PRC - [2010.01.22 23:13:02 | 000,334,384 | ---- | M] (VMware, Inc.) -- C:\Windows\System32\vmnetdhcp.exe
    PRC - [2010.01.22 23:12:46 | 000,113,200 | ---- | M] (VMware, Inc.) -- C:\Programfiler\VMware\VMware Workstation\vmware-authd.exe
    PRC - [2010.01.22 22:00:48 | 000,563,760 | ---- | M] (VMware, Inc.) -- C:\Programfiler\Common Files\VMware\USB\vmware-usbarbitrator.exe
    PRC - [2009.06.03 11:49:18 | 000,131,072 | ---- | M] (Saitek) -- C:\Programfiler\Saitek\SD6\Software\SaiMfd.exe
    PRC - [2009.06.03 11:49:00 | 000,237,568 | ---- | M] (Saitek) -- C:\Programfiler\Saitek\SD6\Software\ProfilerU.exe
    PRC - [2008.04.09 22:42:00 | 000,492,896 | ---- | M] () -- C:\Programfiler\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
    PRC - [2008.04.09 21:23:22 | 000,909,208 | ---- | M] (Acronis) -- C:\Programfiler\Acronis\TrueImageHome\TimounterMonitor.exe
    PRC - [2008.04.09 21:14:28 | 000,136,472 | ---- | M] (Acronis) -- C:\Programfiler\Common Files\Acronis\Schedule2\schedhlp.exe
    PRC - [2008.04.09 21:14:18 | 000,431,384 | ---- | M] (Acronis) -- C:\Programfiler\Common Files\Acronis\Schedule2\schedul2.exe
    PRC - [2008.04.09 21:11:24 | 002,595,792 | ---- | M] (Acronis) -- C:\Programfiler\Acronis\TrueImageHome\TrueImageMonitor.exe


    ========== Modules (No Company Name) ==========

    MOD - [2012.01.08 15:41:12 | 000,093,696 | ---- | M] () -- C:\Programfiler\FileZilla FTP Client\fzshellext.dll
    MOD - [2008.04.09 19:46:56 | 001,328,408 | ---- | M] () -- C:\Programfiler\Acronis\TrueImageHome\fox.dll


    ========== Services (SafeList) ==========

    SRV - [2012.10.20 15:52:01 | 000,711,112 | ---- | M] () [Auto | Running] -- C:\Programfiler\Common Files\AVG Secure Search\vToolbarUpdater\13.2.0\ToolbarUpdater.exe -- (vToolbarUpdater13.2.0)
    SRV - [2012.10.09 00:01:16 | 000,250,808 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
    SRV - [2012.09.29 19:54:26 | 000,676,936 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Programfiler\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
    SRV - [2012.09.29 19:54:26 | 000,399,432 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Programfiler\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler)
    SRV - [2012.09.12 17:25:24 | 000,287,824 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programfiler\Microsoft Security Client\NisSrv.exe -- (NisSrv)
    SRV - [2012.09.12 17:25:22 | 000,020,472 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Programfiler\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
    SRV - [2012.08.23 11:31:24 | 001,532,280 | ---- | M] (AVG) [Auto | Running] -- C:\Programfiler\AVG\AVG PC TuneUp\TuneUpUtilitiesService32.exe -- (TuneUp.UtilitiesSvc)
    SRV - [2011.09.23 19:37:42 | 000,641,832 | ---- | M] (Nero AG) [Auto | Running] -- C:\Programfiler\Nero\Update\NASvc.exe -- (NAUpdate)
    SRV - [2011.05.21 07:01:00 | 002,214,504 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Programfiler\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe -- (nvUpdatusService)
    SRV - [2010.11.20 14:17:56 | 001,121,792 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Programfiler\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc)
    SRV - [2010.10.26 12:17:20 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Programfiler\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
    SRV - [2010.09.21 14:03:14 | 001,710,464 | ---- | M] (Microsoft Corp.) [Auto | Running] -- C:\Programfiler\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE -- (wlidsvc)
    SRV - [2010.08.22 03:00:41 | 001,343,400 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
    SRV - [2010.01.22 23:13:24 | 000,395,824 | ---- | M] (VMware, Inc.) [Auto | Running] -- C:\Windows\System32\vmnat.exe -- (VMware NAT Service)
    SRV - [2010.01.22 23:13:02 | 000,334,384 | ---- | M] (VMware, Inc.) [Auto | Running] -- C:\Windows\System32\vmnetdhcp.exe -- (VMnetDHCP)
    SRV - [2010.01.22 23:12:46 | 000,113,200 | ---- | M] (VMware, Inc.) [Auto | Running] -- C:\Programfiler\VMware\VMware Workstation\vmware-authd.exe -- (VMAuthdService)
    SRV - [2010.01.22 22:00:48 | 000,563,760 | ---- | M] (VMware, Inc.) [Auto | Running] -- C:\Programfiler\Common Files\VMware\USB\vmware-usbarbitrator.exe -- (VMUSBArbService)
    SRV - [2009.10.12 15:32:24 | 000,191,024 | ---- | M] (VMware, Inc.) [On_Demand | Stopped] -- C:\Programfiler\VMware\VMware Workstation\vmware-ufad.exe -- (ufad-ws60)
    SRV - [2009.07.14 03:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
    SRV - [2009.07.14 03:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programfiler\Windows Defender\MpSvc.dll -- (WinDefend)
    SRV - [2008.04.09 22:42:00 | 000,492,896 | ---- | M] () [Auto | Running] -- C:\Programfiler\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe -- (TryAndDecideService)
    SRV - [2008.04.09 21:14:18 | 000,431,384 | ---- | M] (Acronis) [Auto | Running] -- C:\Programfiler\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\gdrv.sys -- (gdrv)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\Allan\AppData\Local\Temp\catchme.sys -- (catchme)
    DRV - File not found [Kernel | System | Stopped] -- system32\DRIVERS\avgidsdriverx.sys -- (AVGIDSDriver)
    DRV - File not found [Kernel | On_Demand | Unknown] -- -- (a73sollc)
    DRV - [2012.10.20 15:52:01 | 000,026,984 | ---- | M] (AVG Technologies) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgtpx86.sys -- (avgtp)
    DRV - [2012.09.29 19:54:26 | 000,022,856 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)
    DRV - [2012.08.30 22:03:50 | 000,099,272 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv)
    DRV - [2012.07.04 15:26:12 | 000,010,088 | ---- | M] (TuneUp Software) [Kernel | On_Demand | Running] -- C:\Programfiler\AVG\AVG PC TuneUp\TuneUpUtilitiesDriver32.sys -- (TuneUpUtilitiesDrv)
    DRV - [2011.11.15 05:50:16 | 000,112,096 | ---- | M] (Power Software Ltd) [Kernel | System | Running] -- C:\Windows\System32\drivers\scdemu.sys -- (SCDEmu)
    DRV - [2011.07.13 14:39:10 | 000,056,496 | ---- | M] (Nero AG) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\NBVol.sys -- (NBVol)
    DRV - [2011.07.13 14:39:10 | 000,012,464 | ---- | M] (Nero AG) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\NBVolUp.sys -- (NBVolUp)
    DRV - [2011.05.21 07:01:00 | 010,589,800 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
    DRV - [2011.03.19 11:54:49 | 000,431,672 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\System32\drivers\sptd.sys -- (sptd)
    DRV - [2010.11.20 12:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
    DRV - [2010.03.08 00:37:29 | 000,441,760 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\timntr.sys -- (timounter)
    DRV - [2010.03.08 00:37:29 | 000,044,384 | ---- | M] (Acronis) [File_System | Auto | Running] -- C:\Windows\System32\drivers\tifsfilt.sys -- (tifsfilter)
    DRV - [2010.03.08 00:37:28 | 000,132,224 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\snapman.sys -- (snapman)
    DRV - [2010.03.08 00:37:27 | 000,368,480 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\tdrpman.sys -- (tdrpman)
    DRV - [2010.01.22 23:14:16 | 000,026,288 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\vmnetuserif.sys -- (VMnetuserif)
    DRV - [2010.01.22 23:14:14 | 000,023,216 | ---- | M] (VMware, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\VMkbd.sys -- (vmkbd)
    DRV - [2010.01.22 23:14:12 | 000,854,192 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\vmx86.sys -- (vmx86)
    DRV - [2010.01.22 23:14:12 | 000,070,704 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\vmci.sys -- (vmci)
    DRV - [2010.01.22 22:00:42 | 000,032,304 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\hcmon.sys -- (hcmon)
    DRV - [2010.01.22 18:13:00 | 000,036,400 | R--- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\vmnetbridge.sys -- (VMnetBridge)
    DRV - [2010.01.22 18:13:00 | 000,031,280 | ---- | M] (VMware, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vmusb.sys -- (vmusb)
    DRV - [2010.01.22 18:13:00 | 000,016,560 | ---- | M] (VMware, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\vmnetadapter.sys -- (VMnetAdapter)
    DRV - [2009.10.12 15:31:52 | 000,022,448 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\Programfiler\VMware\VMware Workstation\vstor2-ws60.sys -- (vstor2-ws60)
    DRV - [2009.07.17 17:31:58 | 000,093,024 | ---- | M] (JMicron Technology Corp.) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\jraid.sys -- (JRAID)
    DRV - [2009.06.10 12:23:04 | 000,036,992 | ---- | M] (Saitek) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SaiBus.sys -- (SaiNtBus)
    DRV - [2009.06.10 12:23:04 | 000,014,080 | ---- | M] (Saitek) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SaiMini.sys -- (SaiMini)
    DRV - [2009.03.23 09:58:36 | 000,016,384 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\dc3d.sys -- (dc3d)
    DRV - [2008.04.21 21:03:34 | 000,025,728 | ---- | M] (Windows (R) Codename Longhorn DDK provider) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\hidtopgun.sys -- (hidtopgun)
    DRV - [2008.04.21 21:03:34 | 000,003,712 | ---- | M] (Windows (R) Codename Longhorn DDK provider) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\hidmini.sys -- (hidmini)
    DRV - [2006.07.27 13:49:27 | 000,176,640 | ---- | M] (Saitek) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\SaiH075C.sys -- (SaiH075C)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://no.woofi.info/
    IE - HKLM\..\SearchScopes,DefaultScope = {9AEAC2DB-005F-4F8D-A78E-E818111F94BC}
    IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
    IE - HKLM\..\SearchScopes\{9AEAC2DB-005F-4F8D-A78E-E818111F94BC}: "URL" = http://no.woofi.info/


    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    IE - HKU\S-1-5-21-2559753181-3935304610-3998308970-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = Preserve
    IE - HKU\S-1-5-21-2559753181-3935304610-3998308970-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.online.no/
    IE - HKU\S-1-5-21-2559753181-3935304610-3998308970-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = no
    IE - HKU\S-1-5-21-2559753181-3935304610-3998308970-1005\..\SearchScopes,DefaultScope = {FF7457AD-B091-461A-B6A2-F4AB81B7DB7B}
    IE - HKU\S-1-5-21-2559753181-3935304610-3998308970-1005\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
    IE - HKU\S-1-5-21-2559753181-3935304610-3998308970-1005\..\SearchScopes\{0D7562AE-8EF6-416d-A838-AB665251703A}: "URL" = http://start.facemoods.com/?a=ddrnw&s={searchTerms}&f=4
    IE - HKU\S-1-5-21-2559753181-3935304610-3998308970-1005\..\SearchScopes\{955F7BB0-830C-45DE-BC46-20C667E58E4E}: "URL" = http://www.amazon.co.uk/gp/search/r...=search-alias=aps&field-keywords={searchTerms}
    IE - HKU\S-1-5-21-2559753181-3935304610-3998308970-1005\..\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}: "URL" = https://isearch.avg.com/search?cid=...5a1c4320f76&lang=en&ds=AVG&pr=fr&d=2012-10-20 15:52:12&v=13.2.0.3&sap=dsp&q={searchTerms}
    IE - HKU\S-1-5-21-2559753181-3935304610-3998308970-1005\..\SearchScopes\{9AEAC2DB-005F-4F8D-A78E-E818111F94BC}: "URL" = http://no.woofi.info/
    IE - HKU\S-1-5-21-2559753181-3935304610-3998308970-1005\..\SearchScopes\{A6558B6F-C1FA-47F4-B4E9-F96C0CDEDF42}: "URL" = http://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
    IE - HKU\S-1-5-21-2559753181-3935304610-3998308970-1005\..\SearchScopes\{F969501E-1485-43C4-ABED-3428C8022C12}: "URL" = http://rover.ebay.com/rover/1/710-61977-23097-0/4?satitle={searchTerms}
    IE - HKU\S-1-5-21-2559753181-3935304610-3998308970-1005\..\SearchScopes\{FF7457AD-B091-461A-B6A2-F4AB81B7DB7B}: "URL" = http://www.google.co.uk/search?hl=en&q={searchTerms}&meta=
    IE - HKU\S-1-5-21-2559753181-3935304610-3998308970-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\S-1-5-21-2559753181-3935304610-3998308970-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local



    ========== FireFox ==========

    FF - HKLM\Software\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin: C:\Program Files\Common Files\AVG Secure Search\SiteSafetyInstaller\13.2.0\\npsitesafety.dll ()
    FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=1.6.0_37: C:\Windows\system32\npdeployJava1.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@Nero.com/KM: C:\PROGRA~1\COMMON~1\Nero\BROWSE~1\NPBROW~1.DLL (Nero AG)
    FF - HKLM\Software\MozillaPlugins\@xmlauthor.com/downloads: C:\Windows\system32\npmirage.dll (XMLAuthor Inc.)


    [2012.02.09 05:34:17 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Allan\AppData\Roaming\mozilla\Firefox\extensions
    [2012.02.09 05:34:18 | 000,000,000 | ---D | M] (uTorrentControl2 Community Toolbar) -- C:\Users\Allan\AppData\Roaming\mozilla\Firefox\extensions\{687578b9-7132-4a7a-80e4-30ee31099e03}
    [2011.09.27 14:16:37 | 000,002,048 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\fcmdSrch.xml

    O1 HOSTS File: ([2012.10.25 06:28:53 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
    O2 - BHO: (Windows Live ID Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
    O2 - BHO: (CatcherBHO Class) - {9B4DF450-DCC7-4B07-935D-0CD757A64583} - H:\Video programmer\YouTube FLW\YouTube FLV Downloader\MoyeaCatcher.dll File not found
    O3 - HKU\S-1-5-21-2559753181-3935304610-3998308970-1005\..\Toolbar\WebBrowser: (no name) - {00000000-0000-0000-0000-000000000000} - No CLSID value found.
    O3 - HKU\S-1-5-21-2559753181-3935304610-3998308970-1005\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
    O4 - HKLM..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis)
    O4 - HKLM..\Run: [AcronisTimounterMonitor] C:\Programfiler\Acronis\TrueImageHome\TimounterMonitor.exe (Acronis)
    O4 - HKLM..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe ()
    O4 - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
    O4 - HKLM..\Run: [NBAgent] C:\Program Files\Nero\Nero 11\Nero BackItUp\NBAgent.exe (Nero AG)
    O4 - HKLM..\Run: [ProfilerU] C:\Programfiler\Saitek\SD6\Software\ProfilerU.exe (Saitek)
    O4 - HKLM..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE (Power Software Ltd)
    O4 - HKLM..\Run: [SaiMfd] C:\Programfiler\Saitek\SD6\Software\SaiMfd.exe (Saitek)
    O4 - HKLM..\Run: [TrueImageMonitor.exe] C:\Programfiler\Acronis\TrueImageHome\TrueImageMonitor.exe (Acronis)
    O4 - HKLM..\Run: [vmware-tray] C:\Program Files\VMware\VMware Workstation\vmware-tray.exe (VMware, Inc.)
    O4 - HKU\S-1-5-21-2559753181-3935304610-3998308970-1005..\Run: [uTorrent] C:\Program Files\uTorrent\uTorrent.exe (BitTorrent, Inc.)
    O4 - HKU\S-1-5-21-2559753181-3935304610-3998308970-1006..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLinkedConnections = 1
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-2559753181-3935304610-3998308970-1005\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-2559753181-3935304610-3998308970-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-21-2559753181-3935304610-3998308970-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKU\S-1-5-21-2559753181-3935304610-3998308970-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonHoursAction = 2
    O7 - HKU\S-1-5-21-2559753181-3935304610-3998308970-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DontDisplayLogonHoursWarnings = 1
    O7 - HKU\S-1-5-21-2559753181-3935304610-3998308970-1006\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Programfiler\Bonjour\mdnsNSP.dll (Apple Computer, Inc.)
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000006 [] - C:\Programfiler\Common Files\microsoft shared\Windows Live\WLIDNSP.DLL (Microsoft Corp.)
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Programfiler\Common Files\microsoft shared\Windows Live\WLIDNSP.DLL (Microsoft Corp.)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Program Files\VMware\VMware Workstation\vsocklib.dll (VMware, Inc.)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\Program Files\VMware\VMware Workstation\vsocklib.dll (VMware, Inc.)
    O15 - HKU\S-1-5-21-2559753181-3935304610-3998308970-1005\..Trusted Domains: cnet.com ([download] http in Klarerte områder [Trusted sites])
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab (Java Plug-in 1.6.0_37)
    O16 - DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab (Java Plug-in 1.6.0_37)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab (Java Plug-in 1.6.0_37)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 193.213.112.4 130.67.15.198
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{48598603-491D-4990-AD40-82492B2B11EA}: DhcpNameServer = 193.213.112.4 130.67.15.198
    O18 - Protocol\Handler\viprotocol {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Programfiler\Common Files\AVG Secure Search\ViProtocolInstaller\13.2.0\ViProtocol.dll ()
    O18 - Protocol\Handler\wlpg {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Programfiler\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll (Microsoft Corporation)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
    O30 - LSA: Authentication Packages - (relog_ap) - C:\Windows\System32\relog_ap.dll (Acronis)
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2009.06.10 23:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
    O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
    O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

    ========== Files/Folders - Created Within 30 Days ==========

    [2012.10.25 20:35:32 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Allan\Desktop\OTL.exe
    [2012.10.25 06:28:56 | 000,000,000 | ---D | C] -- C:\$RECYCLE.BIN
    [2012.10.25 06:26:01 | 000,000,000 | ---D | C] -- C:\Users\Allan\AppData\Local\temp
    [2012.10.25 06:17:47 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
    [2012.10.25 06:17:47 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
    [2012.10.25 06:17:47 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
    [2012.10.25 06:17:42 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2012.10.25 06:17:30 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
    [2012.10.25 06:01:49 | 004,989,133 | R--- | C] (Swearware) -- C:\Users\Allan\Desktop\ComboFix.exe
    [2012.10.25 01:33:50 | 000,000,000 | ---D | C] -- C:\FRST
    [2012.10.24 19:27:09 | 004,731,392 | ---- | C] (AVAST Software) -- C:\Users\Allan\Desktop\aswMBR.exe
    [2012.10.24 19:19:18 | 000,000,000 | ---D | C] -- C:\Users\Allan\Desktop\RK_Quarantine
    [2012.10.24 19:05:35 | 002,586,752 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Users\Allan\Desktop\avg_remover_stf_x86_2013_2706.exe
    [2012.10.24 06:12:29 | 000,687,724 | R--- | C] (Swearware) -- C:\Users\Allan\Desktop\dds.com
    [2012.10.23 03:58:05 | 000,032,120 | ---- | C] (AVG) -- C:\Windows\System32\TURegOpt.exe
    [2012.10.23 03:58:03 | 000,021,880 | ---- | C] (AVG) -- C:\Windows\System32\authuitu.dll
    [2012.10.23 03:57:41 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG PC TuneUp
    [2012.10.23 03:57:34 | 000,000,000 | ---D | C] -- C:\Users\Allan\AppData\Roaming\AVG
    [2012.10.23 03:57:01 | 000,000,000 | ---D | C] -- C:\ProgramData\AVG
    [2012.10.23 03:56:32 | 000,000,000 | -HSD | C] -- C:\ProgramData\{D1D4879F-2279-49C9-AEBF-3B95C84EAA8F}
    [2012.10.23 02:44:17 | 000,000,000 | ---D | C] -- C:\Users\Allan\AppData\Roaming\Malwarebytes
    [2012.10.23 02:44:04 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2012.10.23 02:44:00 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
    [2012.10.23 02:43:59 | 000,022,856 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
    [2012.10.23 02:43:59 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2012.10.20 20:21:35 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
    [2012.10.20 20:21:08 | 000,000,000 | ---D | C] -- C:\Program Files\Java
    [2012.10.20 20:20:09 | 000,000,000 | ---D | C] -- C:\ProgramData\McAfee
    [2012.10.20 15:52:29 | 000,000,000 | ---D | C] -- C:\Users\Allan\AppData\Local\AVG Secure Search
    [2012.10.20 15:52:21 | 000,000,000 | ---D | C] -- C:\Users\Allan\AppData\Roaming\TuneUp Software
    [2012.10.20 15:52:19 | 000,000,000 | ---D | C] -- C:\ProgramData\AVG Secure Search
    [2012.10.20 15:52:10 | 000,026,984 | ---- | C] (AVG Technologies) -- C:\Windows\System32\drivers\avgtpx86.sys
    [2012.10.20 15:52:09 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\AVG Secure Search
    [2012.10.20 15:51:34 | 000,000,000 | ---D | C] -- C:\$AVG
    [2012.10.20 15:51:28 | 000,000,000 | ---D | C] -- C:\Program Files\AVG
    [2012.10.20 15:49:20 | 000,000,000 | -H-D | C] -- C:\ProgramData\Common Files
    [2012.10.20 06:41:51 | 000,000,000 | ---D | C] -- C:\Users\Allan\Documents\TEMP DOCS
    [2012.10.17 01:42:11 | 000,000,000 | -HSD | C] -- C:\Windows\System32\%APPDATA%
    [2012.10.15 03:14:41 | 000,000,000 | ---D | C] -- C:\Users\Allan\Documents\Utskrifter fra bank

    ========== Files - Modified Within 30 Days ==========

    [2012.10.25 22:47:10 | 000,065,536 | ---- | M] () -- C:\Windows\System32\Ikeext.etl
    [2012.10.25 22:47:07 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2012.10.25 22:47:01 | 2814,873,600 | -HS- | M] () -- C:\hiberfil.sys
    [2012.10.25 20:35:32 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Allan\Desktop\OTL.exe
    [2012.10.25 20:29:32 | 000,014,832 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    [2012.10.25 20:29:32 | 000,014,832 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    [2012.10.25 20:01:00 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
    [2012.10.25 06:28:53 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
    [2012.10.25 06:02:23 | 004,989,133 | R--- | M] (Swearware) -- C:\Users\Allan\Desktop\ComboFix.exe
    [2012.10.24 19:39:45 | 000,000,512 | ---- | M] () -- C:\Users\Allan\Desktop\MBR.dat
    [2012.10.24 19:27:14 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Users\Allan\Desktop\aswMBR.exe
    [2012.10.24 19:17:14 | 001,580,544 | ---- | M] () -- C:\Users\Allan\Desktop\RogueKiller.exe
    [2012.10.24 19:05:35 | 002,586,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Users\Allan\Desktop\avg_remover_stf_x86_2013_2706.exe
    [2012.10.24 06:12:29 | 000,687,724 | R--- | M] (Swearware) -- C:\Users\Allan\Desktop\dds.com
    [2012.10.24 05:31:06 | 000,302,592 | ---- | M] () -- C:\Users\Allan\Desktop\ww4t5lph.exe
    [2012.10.23 05:02:31 | 000,000,632 | RHS- | M] () -- C:\Users\Allan\ntuser.pol
    [2012.10.23 03:57:52 | 000,002,177 | ---- | M] () -- C:\Users\Public\Desktop\AVG 1-Click Maintenance.lnk
    [2012.10.23 03:57:52 | 000,002,129 | ---- | M] () -- C:\Users\Public\Desktop\AVG PC TuneUp.lnk
    [2012.10.23 02:44:04 | 000,001,073 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    [2012.10.20 17:53:23 | 000,001,912 | ---- | M] () -- C:\Windows\epplauncher.mif
    [2012.10.20 17:48:28 | 000,654,622 | ---- | M] () -- C:\Windows\System32\perfh009.dat
    [2012.10.20 17:48:28 | 000,494,966 | ---- | M] () -- C:\Windows\System32\perfh014.dat
    [2012.10.20 17:48:28 | 000,122,080 | ---- | M] () -- C:\Windows\System32\perfc009.dat
    [2012.10.20 17:48:28 | 000,095,282 | ---- | M] () -- C:\Windows\System32\perfc014.dat
    [2012.10.20 17:18:06 | 000,019,076 | ---- | M] () -- C:\FixitRegBackup.reg
    [2012.10.20 15:52:01 | 000,026,984 | ---- | M] (AVG Technologies) -- C:\Windows\System32\drivers\avgtpx86.sys
    [2012.10.19 01:17:53 | 000,001,119 | ---- | M] () -- C:\Windows\Sidplay2w.ini
    [2012.10.17 01:28:17 | 000,090,176 | ---- | M] () -- C:\Users\Allan\AppData\Roaming\gmzdanb.dat
    [2012.10.17 01:28:16 | 000,086,080 | ---- | M] () -- C:\Users\Allan\AppData\Roaming\asfebji.dat
    [2012.10.17 01:28:14 | 000,060,992 | ---- | M] () -- C:\Users\Allan\AppData\Roaming\ekseldi.dat
    [2012.10.06 22:14:27 | 000,000,128 | ---- | M] () -- C:\ProgramData\Tempest 2000.eeprom
    [2012.09.29 19:54:26 | 000,022,856 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys

    ========== Files Created - No Company Name ==========

    [2012.10.25 06:27:59 | 000,065,536 | ---- | C] () -- C:\Windows\System32\Ikeext.etl
    [2012.10.25 06:17:47 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
    [2012.10.25 06:17:47 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
    [2012.10.25 06:17:47 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
    [2012.10.25 06:17:47 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
    [2012.10.25 06:17:47 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
    [2012.10.24 19:39:45 | 000,000,512 | ---- | C] () -- C:\Users\Allan\Desktop\MBR.dat
    [2012.10.24 19:17:14 | 001,580,544 | ---- | C] () -- C:\Users\Allan\Desktop\RogueKiller.exe
    [2012.10.24 05:31:06 | 000,302,592 | ---- | C] () -- C:\Users\Allan\Desktop\ww4t5lph.exe
    [2012.10.23 05:02:31 | 000,000,632 | RHS- | C] () -- C:\Users\Allan\ntuser.pol
    [2012.10.23 03:57:52 | 000,002,177 | ---- | C] () -- C:\Users\Public\Desktop\AVG 1-Click Maintenance.lnk
    [2012.10.23 03:57:52 | 000,002,129 | ---- | C] () -- C:\Users\Public\Desktop\AVG PC TuneUp.lnk
    [2012.10.23 03:57:41 | 000,002,141 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG PC TuneUp.lnk
    [2012.10.23 02:44:04 | 000,001,073 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    [2012.10.20 17:18:05 | 000,019,076 | ---- | C] () -- C:\FixitRegBackup.reg
    [2012.10.17 01:28:17 | 000,090,176 | ---- | C] () -- C:\Users\Allan\AppData\Roaming\gmzdanb.dat
    [2012.10.17 01:28:16 | 000,086,080 | ---- | C] () -- C:\Users\Allan\AppData\Roaming\asfebji.dat
    [2012.10.17 01:28:14 | 000,060,992 | ---- | C] () -- C:\Users\Allan\AppData\Roaming\ekseldi.dat
    [2011.12.17 04:43:44 | 000,000,600 | ---- | C] () -- C:\Users\Allan\PUTTY.RND
    [2011.12.11 18:31:19 | 000,000,310 | ---- | C] () -- C:\Windows\apf_emuw.ini
    [2011.10.19 11:45:42 | 000,007,606 | ---- | C] () -- C:\Users\Allan\AppData\Local\Resmon.ResmonCfg
    [2011.10.11 16:17:35 | 000,000,600 | ---- | C] () -- C:\Users\Allan\AppData\Roaming\PUTTY.RND
    [2011.10.08 00:42:42 | 000,000,600 | ---- | C] () -- C:\Users\Allan\AppData\Local\PUTTY.RND
    [2011.09.19 19:39:25 | 000,098,344 | ---- | C] () -- C:\Windows\unTMV.exe
    [2011.09.19 14:38:06 | 000,000,128 | ---- | C] () -- C:\ProgramData\Tempest 2000.eeprom
    [2011.09.19 13:44:10 | 000,000,128 | ---- | C] () -- C:\ProgramData\ALIEN VS PREDATOR.eeprom
    [2011.09.19 13:42:21 | 000,000,128 | ---- | C] () -- C:\ProgramData\DEFENDER 2000.eeprom
    [2011.09.11 22:22:41 | 000,002,021 | ---- | C] () -- C:\Windows\APL24WIN.INI
    [2011.09.11 22:22:41 | 000,000,886 | ---- | C] () -- C:\Windows\ADMANAGR.INI
    [2010.11.10 21:45:52 | 000,155,648 | ---- | C] () -- C:\Windows\System32\nY.exe
    [2010.11.10 01:21:47 | 000,017,769 | ---- | C] () -- C:\Windows\scunin.dat
    [2010.05.05 03:40:58 | 000,003,584 | ---- | C] () -- C:\Users\Allan\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

    ========== ZeroAccess Check ==========

    [2009.07.14 06:42:31 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

    [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

    [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
    "" = %SystemRoot%\system32\shell32.dll -- [2012.06.09 06:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Apartment

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
    "" = %systemroot%\system32\wbem\fastprox.dll -- [2010.11.20 14:19:02 | 000,606,208 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Free

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
    "" = %systemroot%\system32\wbem\wbemess.dll -- [2009.07.14 03:16:17 | 000,342,528 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Both

    ========== LOP Check ==========

    [2011.05.01 08:58:00 | 000,000,000 | ---D | M] -- C:\Users\Allan\AppData\Roaming\AnvSoft
    [2012.10.23 03:57:34 | 000,000,000 | ---D | M] -- C:\Users\Allan\AppData\Roaming\AVG
    [2012.03.11 09:12:03 | 000,000,000 | ---D | M] -- C:\Users\Allan\AppData\Roaming\bsnes
    [2012.01.12 11:29:46 | 000,000,000 | ---D | M] -- C:\Users\Allan\AppData\Roaming\calibre
    [2010.05.07 04:46:15 | 000,000,000 | ---D | M] -- C:\Users\Allan\AppData\Roaming\CCS64
    [2011.03.14 20:17:18 | 000,000,000 | ---D | M] -- C:\Users\Allan\AppData\Roaming\DAEMON Tools Lite
    [2012.03.18 11:04:06 | 000,000,000 | ---D | M] -- C:\Users\Allan\AppData\Roaming\FileZilla
    [2010.03.27 05:11:08 | 000,000,000 | ---D | M] -- C:\Users\Allan\AppData\Roaming\Free Audio Converter
    [2011.05.21 14:17:38 | 000,000,000 | ---D | M] -- C:\Users\Allan\AppData\Roaming\FreeScreenToVideo
    [2012.01.12 10:17:06 | 000,000,000 | ---D | M] -- C:\Users\Allan\AppData\Roaming\jomic
    [2011.05.21 14:51:01 | 000,000,000 | ---D | M] -- C:\Users\Allan\AppData\Roaming\Moyea
    [2011.05.24 22:30:02 | 000,000,000 | ---D | M] -- C:\Users\Allan\AppData\Roaming\Namco
    [2011.09.19 19:40:30 | 000,000,000 | ---D | M] -- C:\Users\Allan\AppData\Roaming\SoftMaker
    [2011.07.10 14:26:11 | 000,000,000 | ---D | M] -- C:\Users\Allan\AppData\Roaming\Spectaculator
    [2010.03.25 19:51:33 | 000,000,000 | ---D | M] -- C:\Users\Allan\AppData\Roaming\Stella
    [2012.03.15 19:46:36 | 000,000,000 | ---D | M] -- C:\Users\Allan\AppData\Roaming\Systweak
    [2012.10.20 15:52:21 | 000,000,000 | ---D | M] -- C:\Users\Allan\AppData\Roaming\TuneUp Software
    [2012.10.25 22:47:22 | 000,000,000 | ---D | M] -- C:\Users\Allan\AppData\Roaming\uTorrent
    [2010.03.07 16:22:25 | 000,000,000 | ---D | M] -- C:\Users\JEJ\AppData\Roaming\HD Tune Pro

    ========== Purity Check ==========



    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 181 bytes -> C:\ProgramData\TEMP:CD30FA91
    < End of report >
     
  16. Allst-half

    Allst-half TS Rookie Topic Starter Posts: 37

    OTL Extras logfile created on: 25.10.2012 22:51:00 - Run 1
    OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Allan\Desktop
    Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000414 | Country: Norge | Language: NOR | Date Format: dd.MM.yyyy

    3,50 Gb Total Physical Memory | 2,55 Gb Available Physical Memory | 73,01% Memory free
    6,99 Gb Paging File | 6,04 Gb Available in Paging File | 86,39% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 146,39 Gb Total Space | 40,59 Gb Free Space | 27,73% Space Free | Partition Type: NTFS
    Drive D: | 117,19 Gb Total Space | 100,74 Gb Free Space | 85,97% Space Free | Partition Type: NTFS
    Drive E: | 332,50 Gb Total Space | 51,96 Gb Free Space | 15,63% Space Free | Partition Type: NTFS

    Computer Name: UD6 | User Name: Allan | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
    .hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
    Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [explore] -- Reg Error: Value error.
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "cval" = 1
    "FirewallDisableNotify" = 0
    "AntiVirusDisableNotify" = 0
    "UpdatesDisableNotify" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
    "VistaSp1" = Reg Error: Unknown registry data type -- File not found
    "AntiVirusOverride" = 0
    "AntiSpywareOverride" = 0
    "FirewallOverride" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


    ========== Vista Active Open Ports Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "{0294BB2F-6178-459D-8C46-8D1C40D6AD6B}" = rport=445 | protocol=6 | dir=out | app=system |
    "{057550CC-1C7E-4C7B-A2F8-3A8DDC978C8C}" = lport=138 | protocol=17 | dir=in | app=system |
    "{08E024BB-596A-4DFF-A430-159062EB67CE}" = lport=10243 | protocol=6 | dir=in | app=system |
    "{19A5737B-0BEE-43C8-BCD3-3CC714AA4FD3}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
    "{25B9D31D-64EC-44F5-900B-17177C3E5D3C}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
    "{295EF879-34FC-4A05-A484-51AA1443280E}" = lport=445 | protocol=6 | dir=in | app=system |
    "{2FA65B31-3A9D-4C20-AFC6-469495F0EF44}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
    "{4084E937-EAAA-47EE-9520-7BE7CE434C09}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
    "{4BF5EB07-06A2-40E2-B5B6-244EF5C49A0F}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
    "{5456EA1E-AF45-48BD-9C96-AB99A6CCF1D9}" = lport=139 | protocol=6 | dir=in | app=system |
    "{6364B77A-8796-4078-B3CC-5963A3E70B4F}" = rport=139 | protocol=6 | dir=out | app=system |
    "{6EFD3216-D4DB-448C-81DA-E8838C66FFD2}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
    "{7C7BD74E-D59D-40F9-8481-A74C4729E9DD}" = rport=138 | protocol=17 | dir=out | app=system |
    "{86444BB3-291D-4D31-A046-BB4AA3243C28}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
    "{AF8150A9-8B4A-4262-900E-D368942052B3}" = lport=2869 | protocol=6 | dir=in | app=system |
    "{BE10AB93-C4A6-464B-BE93-069E778BFF99}" = rport=10243 | protocol=6 | dir=out | app=system |
    "{C232D951-55E7-4D04-9346-F88A07FC0B22}" = lport=137 | protocol=17 | dir=in | app=system |
    "{C428A183-FD79-40B5-990D-895328F43AC8}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
    "{CF0676E6-E2EC-438A-9741-7029DEBD00CE}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
    "{F534D21D-02A4-4E48-A237-A3745ED5E6D3}" = rport=137 | protocol=17 | dir=out | app=system |
    "{F9C1EEE5-72B7-40C6-BC7C-64E9DF7DEB39}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |

    ========== Vista Active Application Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "{003C7A18-60D9-4C89-94D8-DE42C1AA1D76}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
    "{02A4D600-582A-4C14-ADFE-C125CF0CB18F}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
    "{1473D86F-6F04-46A3-9153-CD04272511DC}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
    "{4849799C-D8E9-4360-8F9A-6B5F2BCC7EA4}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
    "{56E808A1-BFD0-4B79-B567-B9FA848D697F}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
    "{61FB8AD2-C831-45AB-9DFB-D685C3A8300D}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
    "{62F27534-2769-4D2F-B42F-E96E62F64F44}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
    "{65901CFC-D156-4C8F-90EA-C26D256CA195}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{68F6992D-6E9D-4F14-88EC-3E0B8BEC7EFF}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
    "{8642AF85-31DC-4BB3-8E9D-1E478C224084}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{A5589677-56C4-46C1-A86B-1F0B5425786F}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{AB3FBA72-52C3-4476-9A38-230DBE05659B}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe |
    "{BC7833D1-AE4B-4CAB-BDD5-6EA587E5C763}" = protocol=6 | dir=out | app=system |
    "{CE504808-152F-4073-8BB9-0F8E7C4D30C6}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
    "{D3648D1D-2BA3-4973-9B7E-EDC907B6E342}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{E8715BB0-E132-4617-B344-62E03BFE2C1C}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
    "{E926E57D-011D-4F63-BCC5-FFCFDC28D091}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
    "{EFA98652-B437-42AA-B7D3-EFFD71ED4ECD}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
    "{F7DCF881-DB9D-4779-8D1C-CCCBAC7C73FF}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
    "TCP Query User{1324EBB8-F67F-4FB0-952C-905DE9E0E883}C:\program files\utorrent\utorrent.exe" = protocol=6 | dir=in | app=c:\program files\utorrent\utorrent.exe |
    "UDP Query User{C1542F06-B72C-4615-BC79-3932CE93A212}C:\program files\utorrent\utorrent.exe" = protocol=17 | dir=in | app=c:\program files\utorrent\utorrent.exe |

    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    "{003BFBBD-6C67-419E-A24D-0DCAFC3A5249}" = tools-freebsd
    "{0046FA01-C5B9-4985-BACB-398DC480FC05}" = Adobe Photoshop CS3
    "{01501EBA-EC35-4F9F-8889-3BE346E5DA13}" = MSXML4 Parser
    "{01E9B2FF-DAF4-4529-9CC9-2101625517C7}" = nero.prerequisites.msi
    "{034DCAF9-96E7-4936-9A07-712F80B5181E}" = Nero RescueAgent 11
    "{04AF207D-9A77-465A-8B76-991F6AB66245}" = Adobe Help Viewer CS3
    "{0713D1F9-DD77-42C1-8C7D-54D479E2E743}" = Nero SoundTrax 11
    "{08B32819-6EEF-4057-AEDA-5AB681A36A23}" = Adobe Bridge Start Meeting
    "{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
    "{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
    "{0D7A4289-99CF-4B8D-B812-86BE50A54552}" = Nero Video 11
    "{0FAF6738-12D4-3D63-A15D-341D012FB84F}" = Microsoft .NET Framework 4 Extended NOR Language Pack
    "{11D3EF85-63E1-4AE4-A7C1-9241BDB16B51}" = Nero ControlCenter 11
    "{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}" = Adobe WinSoft Linguistics Plugin
    "{197597A7-AD33-4898-9D8E-73066818B464}" = tools-netware
    "{1C71DC57-1388-4C1C-AB2F-2B9C0EF83409}" = Windows Live UX Platform Language Pack
    "{1EA6244A-C8E4-4C10-AA1D-037C0C12D4F5}" = calibre
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
    "{24D7346D-D4B4-45E8-98EA-75EC14B42DD8}" = Adobe ExtendScript Toolkit 2
    "{26A24AE4-039D-4CA4-87B4-2F83216037FF}" = Java(TM) 6 Update 37
    "{29E5EA97-5F74-4A57-B8B2-D4F169117183}" = Adobe Stock Photos CS3
    "{2CA7225D-CB12-462A-9DD1-50319E158BA5}" = Nero 11 PiP Effects Basic
    "{3336F667-9049-4D46-98B6-4C743EEBC5B1}" = Windows Live Photo Gallery
    "{390757AA-8830-43DC-AEE0-4E5B6F8439EB}" = Nero SoundTrax 11 Help (CHM)
    "{3A1B5D40-41E9-43FA-8C7B-A8667F5586EF}" = Gigabyte Raid Configurer
    "{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
    "{3D3E663D-4E7E-4577-A560-7ECDDD45548A}" = PVSonyDll
    "{49480197-4A67-4EAB-AD44-001862FCEEB7}" = Saitek SD6 Programming Software 6.6.6.9
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{4CBABDFD-49F8-47FD-BE7D-ECDE7270525A}" = Windows Live PIMT Platform
    "{51846830-E7B2-4218-8968-B77F0FF475B8}" = Adobe Color EU Extra Settings
    "{53F7746A-96AA-49A5-86B8-59989680DAC5}" = Nero Burning ROM 11 Help (CHM)
    "{54793AA1-5001-42F4-ABB6-C364617C6078}" = Adobe Linguistics CS3
    "{55C2143E-FBA5-442F-9AFA-726FF068F39D}" = Nero CoverDesigner 11 Help (CHM)
    "{57F80ECF-E27C-4EEE-AB58-E971BACE2639}" = Nero Recode 11 Help (CHM)
    "{5A212B2D-140D-46F4-B625-2D1CA5A00594}" = Nero 11 Kwik Themes Basic
    "{5C2F5C1B-9732-4F81-8FBF-6711627DC508}" = Windows Live Fotogalleri
    "{61AD15B2-50DB-4686-A739-14FE180D4429}" = Windows Live ID Sign-in Assistant
    "{633A06C3-B709-479A-AAB3-5EE94AD9EE4B}" = Acronis True Image Home
    "{64C1FA9A-FA94-4B6E-B3E4-8573738E4AD1}" = Adobe Setup
    "{65BB0407-4CC8-4DC7-952E-3EEFDF05602A}" = Nero Update
    "{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
    "{6AB2427E-A18F-4809-9A12-29F5EBABBB3A}" = Nero BackItUp 11 Help (CHM)
    "{6ABE0BEE-D572-4FE8-B434-9E72A289431B}" = Adobe Fonts All
    "{6D4AC5A4-4CF9-4F90-8111-B9B53CE257BF}" = Adobe Color Common Settings
    "{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}" = Adobe Asset Services CS3
    "{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
    "{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
    "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    "{7A65E382-1843-4B46-861B-1BECB8354911}" = Falcon 4.0: Allied Force
    "{7ADFA72D-2A9F-4DEC-80A5-2FAA27E23F0F}" = Windows Live Photo Common
    "{7B73DFF7-995D-46DF-81A0-2E3AFA88B8C6}" = Hoxs64
    "{8014FACB-1D1D-48C2-94AA-E29EE2E6B9CE}" = Nero WaveEditor 11
    "{802771A9-A856-4A41-ACF7-1450E523C923}" = Adobe XMP Panels CS3
    "{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
    "{85BF0E64-6ABB-4EA1-A026-A3DEA6554A60}" = Do It Again
    "{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
    "{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}" = Adobe Device Central CS3
    "{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
    "{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}" = Adobe Type Support
    "{8EA79DBF-D637-448A-89D6-410A087A4493}" = Samsung_MonSetup
    "{90176341-0A8B-4CCC-A78D-F862228A6B95}" = Adobe Anchor Service CS3
    "{9193490D-5229-4FC4-9BB9-A6D63C09574A}" = High-Definition Video Playback
    "{92EA4134-10D1-418A-91E1-5A0453131A38}" = Windows Live Movie Maker
    "{95120000-003F-0409-0000-0000000FF1CE}" = Microsoft Office Excel Viewer
    "{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
    "{9527A496-5DF9-412A-ADC7-168BA5379CA6}" = Microsoft Flight Simulator X
    "{9559F7CA-5E34-4237-A2D9-D856464AD727}" = Project64 1.6
    "{95655ED4-7CA5-46DF-907F-7144877A32E5}" = Adobe Color NA Recommended Settings
    "{97BBECCF-B1FD-4010-8D4B-EFC9E3CCEECF}" = Driver Whiz
    "{98EABC7F-B1A1-43A5-B505-5B4EC3908DCD}" = Microsoft Security Client
    "{98FDEE80-04DE-4C27-83C4-E3E59D4AC097}" = Spectaculator 7.0.1
    "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    "{9A44DC95-026F-4A07-98A0-EBDB9ED2DE19}" = Windows Live Sync
    "{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    "{9C9824D9-9000-4373-A6A5-D0E5D4831394}" = Adobe Bridge CS3
    "{A1981877-5B9F-4001-A070-A05DD352EA23}" = Secret Weapons Over Normandy
    "{A1A30F3A-642A-46ae-B325-163B92FAC037}_is1" = «Achtung Panzer - Kharkov 1943»
    "{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}" = Adobe CMaps
    "{A2D81E70-2A98-4A08-A628-94388B063C5E}" = Adobe Color - Photoshop Specific
    "{A3499A41-41EA-3567-977C-29E9E226A360}" = Microsoft .NET Framework 4 Client Profile NOR Language Pack
    "{A3FF5CB2-FB35-4658-8751-9EDE1D65B3AA}" = VMware Workstation
    "{A7A0BF2E-31CC-49E3-9913-52C503EB969D}" = Nero Audio Pack 1
    "{A9729B90-D37B-4A69-B66A-7436AC1F7274}" = Microsoft Flight Simulator X: Acceleration
    "{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
    "{AB1C87CB-1807-4CF0-B4C2-CEE14C18CDB4}" = tools-solaris
    "{AB2BBC64-8AC8-4E66-BBF3-E22D5EACEECA}" = Nero BackItUp 11
    "{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}" = PDF Settings
    "{AC76BA86-7AD7-1033-7B44-A82000000003}" = Adobe Reader 8.2.5
    "{AE0F62A7-A1A2-407F-9F4C-48939BD9AD8D}" = tools-winPre2k
    "{B1846721-A8E6-46C7-83B6-0DCF7ADB4267}" = Nero Burning ROM 11
    "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.ControlPanel" = NVIDIA kontrollpanel 275.33
    "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver" = NVIDIA Grafikkdriver 275.33
    "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update" = NVIDIA oppdateringer 1.3.5
    "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA Install Application
    "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_NVIDIA.Update" = NVIDIA Update Components
    "{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}" = Adobe Camera Raw 4.0
    "{B3C02EC1-A7B0-4987-9A43-8789426AAA7D}" = Adobe Setup
    "{B7B5A370-3DFF-4F0E-AE11-FD267C4938AA}" = CCS64 V3.8
    "{B7E01095-8BAA-456E-8AED-504C3CCADBA0}" = Nero 11
    "{B81C7FF5-C67B-459F-91D6-557E91DFAAEA}" = EMU7800 v0.95
    "{B9B1BA7F-7E07-49DD-A713-5B397A5BB66B}" = Nero Kwik Media Help (CHM)
    "{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}" = Adobe Default Language CS3
    "{BE814218-3919-4EA3-868A-2F60BC135CB4}" = Nero Kwik Media
    "{BEBEE34D-84A2-4EDD-8BEA-96CC54371263}" = Nero Core Components 11
    "{CCE210DF-7EEF-4A76-A63C-3EB091FDB992}" = welcome
    "{CD442136-9115-4236-9C14-278F6A9DCB3F}" = Windows Live Movie Maker
    "{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
    "{D01CE99A-8802-483C-A79F-298B691EB432}" = Nero RescueAgent 11 Help (CHM)
    "{D0DFF92A-492E-4C40-B862-A74A173C25C5}" = Adobe Version Cue CS3 Client
    "{D102611A-6466-4101-A51D-51069303AC65}" = tools-linux
    "{D1BB4446-AE9C-4256-9A7F-4D46604D2462}" = Adobe Setup
    "{D1D4879F-2279-49C9-AEBF-3B95C84EAA8F}" = AVG PC TuneUp
    "{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}" = Adobe PDF Library Files
    "{D2CBEFA4-F2D3-4E97-A171-8BFD6A31A5EC}" = Nero Express 11 Help (CHM)
    "{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
    "{D4D66270-9147-4BDF-9946-FCA2B303AA8F}" = Nero ControlCenter 11 Help (CHM)
    "{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}" = Adobe Color JA Extra Settings
    "{DEA314C4-0929-4250-BC92-98E4C105F28D}" = NVIDIA PhysX
    "{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
    "{E10AAE4A-98B8-420A-BD93-E0520C23D624}" = Nero Express 11
    "{E51BC4B0-EA5E-49CC-AF3B-93B5C627EC22}" = Nero 11 Effects Basic
    "{E69AE897-9E0B-485C-8552-7841F48D42D8}" = Adobe Update Manager CS3
    "{EB8DED20-A887-4A9C-BB5A-F3E7523DFB44}" = Nero WaveEditor 11 Help (CHM)
    "{EFBFA09B-2E6F-4056-9D90-DDA539DDC5C7}_is1" = CBR to PDF converter version 2.5
    "{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
    "{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
    "{F0F9505B-3ACF-4158-9311-D0285136AA00}" = Windows Live Essentials
    "{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
    "{F3743A2C-5D5F-4456-8F98-5DF36A954C50}" = Nero 11 Image Samples
    "{F49EF443-B2BD-4F10-8A46-87AFCDB90EDD}" = Nero 11 Disc Menus Basic
    "{F69FB940-5031-4FE8-AFAD-085802D0BF63}" = Nero Recode 11
    "{F8EF9B71-53E7-41F5-8E54-47B4C979CB38}" = Nero Backup Drivers
    "{FAC3C37E-EDAB-4F3A-A173-A7C70CC88F09}" = Nero Video 11 Help (CHM)
    "{FB03A941-815E-42F2-B604-FCE5636DB90B}" = AVG PC TuneUp Language Pack (en-US)
    "{FBEF468D-8887-4DEC-93E6-37792EF0840A}" = RPCEmu
    "{FF44BCE5-5A18-4051-85F0-BC172D7B4695}" = Nero CoverDesigner 11
    "{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    "{FFD9383C-01D5-4897-A954-43AF599AED30}" = tools-windows
    "3D Rad_is1" = 3D Rad v7.12
    "5513-1208-7298-9440" = JDownloader 0.9
    "7-Zip" = 7-Zip 4.65
    "A2 Oasis" = A2 Oasis
    "Adobe Acrobat Reader 3.02" = Adobe Acrobat Reader 3.02
    "Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
    "Adobe_2ac78060bc5856b0c1cf873bb919b58" = Adobe Photoshop CS3
    "Adobe_3e054d2218e7aa282c2369d939e58ff" = Adobe ExtendScript Toolkit 2
    "Adobe_6c8e2cb4fd241c55406016127a6ab2e" = Adobe Color Common Settings
    "Age of Empires" = Microsoft Age of Empires
    "Age of Empires 2.0" = Microsoft Age of Empires II
    "Age of Mythology 1.0" = Age of Mythology
    "Age of Mythology Expansion Pack 1.0" = Age of Mythology - The Titans Expansion
    "Any Video Converter Professional_is1" = Any Video Converter Professional 3.1.1
    "Any Video Converter_is1" = Any Video Converter 3.2.2
    "AnyToISO_is1" = AnyToISO
    "AVG PC TuneUp" = AVG PC TuneUp
    "Blockbuster Entertainment ® Guide To Movies & Videos v2.1" = Blockbuster Ent., 2nd Ed.
    "CDisplay_is1" = CDisplay 1.8
    "CinemaForge" = CinemaForge
    "CopyFilenames_is1" = CopyFilenames 3.1
    "DebugMode Wax 2.0" = DebugMode Wax 2.0
    "D-Fend Reloaded" = D-Fend Reloaded 1.1.0 (deinstall)
    "DVD Decrypter" = DVD Decrypter (Remove Only)
    "DVD Shrink_is1" = DVD Shrink 3.2
    "Eye Candy 4000" = Eye Candy 4000
    "FileZilla Client" = FileZilla Client 3.5.3
    "FlightSim_{A9729B90-D37B-4A69-B66A-7436AC1F7274}" = Microsoft Flight Simulator X: Acceleration
    "Fraps" = Fraps (remove only)
    "GameBase Amiga_is1" = GameBase Amiga v1.6
    "HD Tune Pro_is1" = HD Tune Pro 4.01
    "InstallShield_{9527A496-5DF9-412A-ADC7-168BA5379CA6}" = Microsoft Flight Simulator X
    "Magic ISO Maker v5.5 (build 0281)" = Magic ISO Maker v5.5 (build 0281)
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware versjon 1.65.1.1000
    "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
    "Microsoft .NET Framework 4 Client Profile NOR Language Pack" = Microsoft .NET Framework 4 Client Profile NOR Language Pack
    "Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
    "Microsoft .NET Framework 4 Extended NOR Language Pack" = Microsoft .NET Framework 4 Extended NOR Language Pack
    "Microsoft Security Client" = Microsoft Security Essentials
    "NVIDIA Display Control Panel" = NVIDIA Display Control Panel
    "PDF Reader 3" = PDF Reader 3
    "PowerISO" = PowerISO
    "Red Alert" = Red Alert Windows 95
    "Red Alert Themes" = Red Alert Themes
    "RTMshadow_{A9729B90-D37B-4A69-B66A-7436AC1F7274}" = Flight Simulator X
    "SolveigMM AVI Trimmer" = SolveigMM AVI Trimmer
    "SP1shadow_{A9729B90-D37B-4A69-B66A-7436AC1F7274}" = Flight Simulator X Service Pack 1
    "ST6UNST #1" = VB64
    "Starcraft" = Starcraft
    "TED Notepad" = TED Notepad
    "TextMaker Viewer" = TextMaker Viewer
    "The KMPlayer" = The KMPlayer (remove only)
    "Total Annihilation" = Total Annihilation
    "uTorrent" = µTorrent
    "VLC media player" = VLC media player 1.1.7
    "VMware_Workstation" = VMware Workstation
    "WinLiveSuite" = Windows Live Essentials
    "WinRAR archiver" = WinRAR archiver
    "Xvid_is1" = Xvid 1.1.3 final uninstall
    "ZMBV" = Zip Motion Block Video codec (Remove Only)

    ========== Last 20 Event Log Errors ==========

    [ Application Events ]
    Error - 22.10.2012 22:39:53 | Computer Name = UD6 | Source = Application Hang | ID = 1002
    Description = Programmet iexplore.exe versjon 9.0.8112.16448 sluttet å samhandle
    med Windows og ble lukket. Hvis du vil se om det finnes mer informasjon tilgjengelig
    om problemet, ser du I problemloggen I kontrollpanelet for Handlingssenter. Prosess-ID:
    1110 Start Time: 01cdb0c78b0dadf3 Termination Time: 205 Application Path: C:\Program
    Files\Internet Explorer\iexplore.exe Report Id:

    Error - 22.10.2012 22:57:56 | Computer Name = UD6 | Source = Application Hang | ID = 1002
    Description = The program iexplore.exe version 9.0.8112.16448 stopped interacting
    with Windows and was closed. To see if more information about the problem is available,
    check the problem history in the Action Center control panel. Process ID:
    af4 Start Time: 01cdb0c86c8abbfc Termination Time: 172 Application Path: C:\Program
    Files\Internet Explorer\iexplore.exe Report Id:

    Error - 22.10.2012 22:58:16 | Computer Name = UD6 | Source = Application Hang | ID = 1002
    Description = The program iexplore.exe version 9.0.8112.16448 stopped interacting
    with Windows and was closed. To see if more information about the problem is available,
    check the problem history in the Action Center control panel. Process ID:
    c50 Start Time: 01cdb0ca34052722 Termination Time: 28 Application Path: C:\Program
    Files\Internet Explorer\iexplore.exe Report Id:

    Error - 23.10.2012 22:04:01 | Computer Name = UD6 | Source = SideBySide | ID = 16842785
    Description = Activation context generation failed for c:\program files\VMware\vmware
    workstation\vssSnapVista64.exe. Dependent assembly Microsoft.VC80.CRT,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.762"
    could not be found. Please use sxstrace.exe for detailed diagnosis.

    Error - 23.10.2012 22:04:01 | Computer Name = UD6 | Source = SideBySide | ID = 16842787
    Description = Activation context generation failed for c:\program files\VMware\vmware
    workstation\resources\imgCustPrep64.exe. Error in manifest or policy file c:\program
    files\VMware\vmware workstation\resources\Microsoft.VC80.CRT.MANIFEST on line 4.
    The component identity found in the manifest does not match the identity of the
    component requested. Reference is
    Microsoft.VC80.CRT,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.762".
    Definition is
    Microsoft.VC80.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.762".
    Please use sxstrace.exe for detailed diagnosis.

    Error - 23.10.2012 22:04:39 | Computer Name = UD6 | Source = SideBySide | ID = 16842785
    Description = Activation context generation failed for c:\program files\Nero\Nero
    11\nero backitup\NBVSSTool_x64.exe. Dependent assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"
    could not be found. Please use sxstrace.exe for detailed diagnosis.

    Error - 23.10.2012 23:41:05 | Computer Name = UD6 | Source = PerfNet | ID = 2004
    Description =

    Error - 23.10.2012 23:41:05 | Computer Name = UD6 | Source = PerfNet | ID = 2002
    Description =

    Error - 24.10.2012 23:20:39 | Computer Name = UD6 | Source = Application Hang | ID = 1002
    Description = The program iexplore.exe version 9.0.8112.16448 stopped interacting
    with Windows and was closed. To see if more information about the problem is available,
    check the problem history in the Action Center control panel. Process ID:
    6a4 Start Time: 01cdb25dcb880ca2 Termination Time: 0 Application Path: C:\Program
    Files\Internet Explorer\iexplore.exe Report Id:

    Error - 25.10.2012 01:20:33 | Computer Name = UD6 | Source = Application Hang | ID = 1002
    Description = The program iexplore.exe version 9.0.8112.16448 stopped interacting
    with Windows and was closed. To see if more information about the problem is available,
    check the problem history in the Action Center control panel. Process ID:
    e38 Start Time: 01cdb2704ed992ea Termination Time: 94 Application Path: C:\Program
    Files\Internet Explorer\iexplore.exe Report Id:

    [ Media Center Events ]
    Error - 27.05.2010 03:38:36 | Computer Name = UD6 | Source = MCUpdate | ID = 0
    Description = 09:38:33 - Error connecting to the Internet. 09:38:33 - Unable to
    contact the server.

    Error - 28.05.2010 05:20:02 | Computer Name = UD6 | Source = MCUpdate | ID = 0
    Description = 11:20:02 - Error connecting to the Internet. 11:20:02 - Unable to
    contact the server.

    Error - 28.05.2010 05:20:11 | Computer Name = UD6 | Source = MCUpdate | ID = 0
    Description = 11:20:07 - Error connecting to the Internet. 11:20:07 - Unable to
    contact the server.

    Error - 29.05.2010 04:54:03 | Computer Name = UD6 | Source = MCUpdate | ID = 0
    Description = 10:54:03 - Error connecting to the Internet. 10:54:03 - Unable to
    contact the server.

    Error - 29.05.2010 04:54:11 | Computer Name = UD6 | Source = MCUpdate | ID = 0
    Description = 10:54:08 - Error connecting to the Internet. 10:54:08 - Unable to
    contact the server.

    Error - 29.05.2010 20:00:03 | Computer Name = UD6 | Source = MCUpdate | ID = 0
    Description = 02:00:03 - Error connecting to the Internet. 02:00:03 - Unable to
    contact the server.

    Error - 29.05.2010 20:00:11 | Computer Name = UD6 | Source = MCUpdate | ID = 0
    Description = 02:00:08 - Error connecting to the Internet. 02:00:08 - Unable to
    contact the server.

    Error - 30.05.2010 19:40:32 | Computer Name = UD6 | Source = MCUpdate | ID = 0
    Description = 01:40:32 - Error connecting to the Internet. 01:40:32 - Unable to
    contact the server.

    Error - 30.05.2010 19:40:40 | Computer Name = UD6 | Source = MCUpdate | ID = 0
    Description = 01:40:38 - Error connecting to the Internet. 01:40:38 - Unable to
    contact the server.

    Error - 31.05.2010 19:52:12 | Computer Name = UD6 | Source = MCUpdate | ID = 0
    Description = 01:52:09 - Error connecting to the Internet. 01:52:09 - Unable to
    contact the server.

    [ System Events ]
    Error - 25.10.2012 14:41:26 | Computer Name = UD6 | Source = Service Control Manager | ID = 7001
    Description = The Computer Browser service depends on the Server service which failed
    to start because of the following error: %%1068

    Error - 25.10.2012 14:41:26 | Computer Name = UD6 | Source = Service Control Manager | ID = 7001
    Description = The Computer Browser service depends on the Server service which failed
    to start because of the following error: %%1068

    Error - 25.10.2012 14:41:26 | Computer Name = UD6 | Source = Service Control Manager | ID = 7001
    Description = The Computer Browser service depends on the Server service which failed
    to start because of the following error: %%1068

    Error - 25.10.2012 14:41:26 | Computer Name = UD6 | Source = Service Control Manager | ID = 7001
    Description = The Computer Browser service depends on the Server service which failed
    to start because of the following error: %%1068

    Error - 25.10.2012 14:41:26 | Computer Name = UD6 | Source = Service Control Manager | ID = 7001
    Description = The Computer Browser service depends on the Server service which failed
    to start because of the following error: %%1068

    Error - 25.10.2012 14:41:40 | Computer Name = UD6 | Source = Service Control Manager | ID = 7001
    Description = The Computer Browser service depends on the Server service which failed
    to start because of the following error: %%1068

    Error - 25.10.2012 14:41:40 | Computer Name = UD6 | Source = Service Control Manager | ID = 7001
    Description = The Computer Browser service depends on the Server service which failed
    to start because of the following error: %%1068

    Error - 25.10.2012 14:41:40 | Computer Name = UD6 | Source = Service Control Manager | ID = 7001
    Description = The Computer Browser service depends on the Server service which failed
    to start because of the following error: %%1068

    Error - 25.10.2012 16:47:14 | Computer Name = UD6 | Source = Service Control Manager | ID = 7026
    Description = The following boot-start or system-start driver(s) failed to load:
    AVGIDSDriver

    Error - 25.10.2012 16:48:24 | Computer Name = UD6 | Source = DCOM | ID = 10010
    Description =


    < End of report >
     
  17. Broni

    Broni Malware Annihilator Posts: 47,022   +255

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      DRV - File not found [Kernel | On_Demand | Unknown] -- -- (a73sollc)
      IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://no.woofi.info/
      IE - HKLM\..\SearchScopes,DefaultScope = {9AEAC2DB-005F-4F8D-A78E-E818111F94BC}
      IE - HKLM\..\SearchScopes\{9AEAC2DB-005F-4F8D-A78E-E818111F94BC}: "URL" = http://no.woofi.info/
      IE - HKU\S-1-5-21-2559753181-3935304610-3998308970-1005\..\SearchScopes\{9AEAC2DB-005F-4F8D-A78E-E818111F94BC}: "URL" = http://no.woofi.info/
      O2 - BHO: (CatcherBHO Class) - {9B4DF450-DCC7-4B07-935D-0CD757A64583} - H:\Video programmer\YouTube FLW\YouTube FLV Downloader\MoyeaCatcher.dll File not found
      O3 - HKU\S-1-5-21-2559753181-3935304610-3998308970-1005\..\Toolbar\WebBrowser: (no name) - {00000000-0000-0000-0000-000000000000} - No CLSID value found.
      O3 - HKU\S-1-5-21-2559753181-3935304610-3998308970-1005\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
      O15 - HKU\S-1-5-21-2559753181-3935304610-3998308970-1005\..Trusted Domains: cnet.com ([download] http in Klarerte områder)
      [2012.10.25 01:33:50 | 000,000,000 | ---D | C] -- C:\FRST
      @Alternate Data Stream - 181 bytes -> C:\ProgramData\TEMP:CD30FA91
      
      :Commands
      [purity]
      [emptytemp]
      [emptyjava]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    NOTE. If for any reason OTL stalls (most likely at the "killing processes..." step), run the fix from safe mode.

    ===================================

    Last scans...

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.

    2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
      • Windows Defender
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.

    3. Please download AdwCleaner by Xplode onto your desktop.
    • Close all open programs and internet browsers.
    • Double click on adwcleaner.exe to run the tool.
    • Click on Delete.
    • Confirm each time with Ok.
    • Your computer will be rebooted automatically. A text file will open after the restart.
    • Please post the contents of that logfile with your next reply.
    • You can find the logfile at C:\AdwCleaner[S1].txt as well.

    Next...

    • Double click on adwcleaner.exe to run the tool.
    • Click on Uninstall.
    • Confirm with yes.

    4. Download Temp File Cleaner (TFC)
    Alternate download: http://www.itxassociates.com/OT-Tools/TFC.exe
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.

    5. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, click on List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE. If ESET doesn't find any threats, it won't produce a log.
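    Once the fix above has run, the two registry locations it rewrites (the IE Start Page and the SearchScopes entries, which in this thread both pointed at http://no.woofi.info/ in HKLM and in the S-1-5-21-...-1005 user hive) can be re-read directly instead of waiting for the next OTL scan. The PowerShell below is an added example; it is not part of this reply and not something OTL does. It assumes PowerShell 3.0 or later, and the allowlist of hosts a start page or search scope may point at is an assumption to adjust for the machine being cleaned.

```powershell
# Added example, not from the thread or from OTL. Assumes PowerShell 3.0+ (for
# [pscustomobject]); the allowlist below is an assumption to adjust per machine.

# Hosts a start page or search scope is allowed to point at. go.microsoft.com is
# the IE default start page redirector; the rest are common search providers.
$Allowed = @('go.microsoft.com', 'www.google.com', 'google.com', 'www.bing.com', 'bing.com')

function Test-UrlAllowed([string]$Url) {
    # An absent value or an about: page is not a hijack.
    if ([string]::IsNullOrWhiteSpace($Url) -or $Url -like 'about:*') { return $true }
    # Anything that does not even parse as an absolute URL is reported, not ignored.
    try { $HostName = ([System.Uri]$Url).Host.ToLowerInvariant() } catch { return $false }
    return $Allowed -contains $HostName
}

# PowerShell maps only HKLM: and HKCU: by default; map HKEY_USERS so that every
# loaded user hive is inspected, not just the current user's.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# Machine hive plus each loaded user hive. S-1-5-21-* SIDs are real accounts;
# the *_Classes aliases and the service SIDs (S-1-5-18/19/20) are skipped.
$Roots = @('HKLM:\SOFTWARE') + @(Get-ChildItem -Path HKU:\ |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
    ForEach-Object { "HKU:\$($_.PSChildName)\Software" })

function Get-IeHijackFindings {
    foreach ($Root in $Roots) {
        $Main  = Join-Path $Root 'Microsoft\Internet Explorer\Main'
        $Start = (Get-ItemProperty -Path $Main -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
        if (-not (Test-UrlAllowed $Start)) {
            [pscustomobject]@{ Hive = $Root; Item = 'Start Page'; Value = $Start }
        }

        $Scopes  = Join-Path $Root 'Microsoft\Internet Explorer\SearchScopes'
        $Default = (Get-ItemProperty -Path $Scopes -Name DefaultScope -ErrorAction SilentlyContinue).DefaultScope
        foreach ($Scope in @(Get-ChildItem -Path $Scopes -ErrorAction SilentlyContinue)) {
            $Url = (Get-ItemProperty -Path $Scope.PSPath -Name URL -ErrorAction SilentlyContinue).URL
            if (-not (Test-UrlAllowed $Url)) {
                # The default scope is the one the address bar actually searches with.
                $Tag = if ($Scope.PSChildName -eq $Default) { 'SearchScope (default)' } else { 'SearchScope' }
                [pscustomobject]@{ Hive = $Root; Item = "$Tag $($Scope.PSChildName)"; Value = $Url }
            }
        }
    }
}

$Findings = @(Get-IeHijackFindings)
if ($Findings.Count -gt 0) { $Findings | Format-Table -AutoSize -Wrap }
else { 'No start page or search scope outside the allowlist.' }
```

    Reading these keys needs no elevation. Only hives of logged-in users are loaded under HKEY_USERS, so an account that is logged out (JEJ in this thread, for instance) has to be checked after logging in, or by loading its NTUSER.DAT with reg load first. A scope whose URL is outside the allowlist but which is not the DefaultScope is still worth removing, since a later hijacker only has to flip DefaultScope back to it.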
     
  18. Allst-half

    Allst-half TS Rookie Topic Starter Posts: 37

    The troubles with explorer are still there after running the fix, sorry about that!
    Here's the OTL log:

    All processes killed
    ========== OTL ==========
    Error: No service named a73sollc was found to stop!
    Service\Driver key a73sollc not found.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page| /E : value set successfully!
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9AEAC2DB-005F-4F8D-A78E-E818111F94BC}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9AEAC2DB-005F-4F8D-A78E-E818111F94BC}\ not found.
    Registry key HKEY_USERS\S-1-5-21-2559753181-3935304610-3998308970-1005\Software\Microsoft\Internet Explorer\SearchScopes\{9AEAC2DB-005F-4F8D-A78E-E818111F94BC}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9AEAC2DB-005F-4F8D-A78E-E818111F94BC}\ not found.
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9B4DF450-DCC7-4B07-935D-0CD757A64583}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9B4DF450-DCC7-4B07-935D-0CD757A64583}\ deleted successfully.
    Registry value HKEY_USERS\S-1-5-21-2559753181-3935304610-3998308970-1005\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{00000000-0000-0000-0000-000000000000} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\ not found.
    Registry value HKEY_USERS\S-1-5-21-2559753181-3935304610-3998308970-1005\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D4027C7F-154A-4066-A1AD-4243D8127440} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
    Registry key HKEY_USERS\S-1-5-21-2559753181-3935304610-3998308970-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\cnet.com\download\ deleted successfully.
    C:\FRST\Quarantine folder moved successfully.
    C:\FRST\Logs folder moved successfully.
    C:\FRST\Hives folder moved successfully.
    C:\FRST folder moved successfully.
    ADS C:\ProgramData\TEMP:CD30FA91 deleted successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Allan
    ->Temp folder emptied: 44064064 bytes
    ->Temporary Internet Files folder emptied: 28472392 bytes
    ->Java cache emptied: 48986 bytes
    ->Flash cache emptied: 869 bytes

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: JEJ
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 26570126 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 635 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: UpdatusUser
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 85566 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 95,00 mb


    [EMPTYJAVA]

    User: All Users

    User: Allan
    ->Java cache emptied: 0 bytes

    User: Default

    User: Default User

    User: JEJ
    ->Java cache emptied: 0 bytes

    User: Public

    User: UpdatusUser

    Total Java Files Cleaned = 0,00 mb


    [EMPTYFLASH]

    User: All Users

    User: Allan
    ->Flash cache emptied: 0 bytes

    User: Default

    User: Default User

    User: JEJ
    ->Flash cache emptied: 0 bytes

    User: Public

    User: UpdatusUser

    Total Flash Files Cleaned = 0,00 mb


    OTL by OldTimer - Version 3.2.69.0 log created on 10252012_234731
    Files\Folders moved on Reboot...
    C:\Windows\temp\vmware-SYSTEM\vmware-usbarb-SYSTEM-2152.log moved successfully.
    PendingFileRenameOperations files...
    Registry entries deleted on Reboot...
     
  19. Allst-half

    Allst-half TS Rookie Topic Starter Posts: 37

    Results of screen317's Security Check version 0.99.53
    Windows 7 Service Pack 1 x86 (UAC is enabled)
    Internet Explorer 9
    ``````````````Antivirus/Firewall Check:``````````````
    Microsoft Security Essentials
    Antivirus up to date!
    `````````Anti-malware/Other Utilities Check:`````````
    Malwarebytes Anti-Malware versjon 1.65.1.1000
    Java(TM) 6 Update 37
    Java version out of Date!
    Adobe Reader 8 Adobe Reader out of Date!
    ````````Process Check: objlist.exe by Laurent````````
    Microsoft Security Essentials MSMpEng.exe
    Microsoft Security Essentials msseces.exe
    Malwarebytes Anti-Malware mbamservice.exe
    Malwarebytes Anti-Malware mbamgui.exe
    Malwarebytes' Anti-Malware mbamscheduler.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C:
    ````````````````````End of Log``````````````````````
     
  20. Allst-half

    Allst-half TS Rookie Topic Starter Posts: 37

    Farbar Service Scanner Version: 19-10-2012
    Ran by Allan (administrator) on 26-10-2012 at 00:09:21
    Running from "C:\Users\Allan\Desktop"
    Microsoft Windows 7 Home Premium Service Pack 1 (X86)
    Boot Mode: Normal
    ****************************************************************
    Internet Services:
    ============
    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.

    Windows Firewall:
    =============
    Firewall Disabled Policy:
    ==================

    System Restore:
    ============
    System Restore Disabled Policy:
    ========================

    Action Center:
    ============
    Windows Update:
    ============
    Windows Autoupdate Disabled Policy:
    ============================

    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    The start type of WinDefend service is set to Demand. The default start type is Auto.
    The ImagePath of WinDefend service is OK.
    The ServiceDll of WinDefend service is OK.

    Windows Defender Disabled Policy:
    ==========================
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
    "DisableAntiSpyware"=DWORD:1

    Other Services:
    ==============

    File Check:
    ========
    C:\Windows\system32\nsisvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\system32\dhcpcore.dll => MD5 is legit
    C:\Windows\system32\Drivers\afd.sys => MD5 is legit
    C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
    C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\system32\dnsrslvr.dll => MD5 is legit
    C:\Windows\system32\mpssvc.dll => MD5 is legit
    C:\Windows\system32\bfe.dll => MD5 is legit
    C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\system32\SDRSVC.dll => MD5 is legit
    C:\Windows\system32\vssvc.exe => MD5 is legit
    C:\Windows\system32\wscsvc.dll => MD5 is legit
    C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\system32\wuaueng.dll => MD5 is legit
    C:\Windows\system32\qmgr.dll => MD5 is legit
    C:\Windows\system32\es.dll => MD5 is legit
    C:\Windows\system32\cryptsvc.dll => MD5 is legit
    C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
    C:\Windows\system32\svchost.exe => MD5 is legit
    C:\Windows\system32\rpcss.dll => MD5 is legit

    **** End of log ****
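    The two findings in this FSS log worth re-checking later are WinDefend being set to Demand instead of Auto, and DisableAntiSpyware=1 under HKLM\SOFTWARE\Microsoft\Windows Defender. On Windows 7 that is also the state Microsoft Security Essentials leaves behind when it is installed, because MSE switches the built-in Windows Defender off, so on a machine running MSE (as the Security Check log above shows) this finding is not by itself evidence of tampering. The PowerShell below is an added example, not FSS and not from the thread: it compares each security service's start type with an expected default and reads the values that disable Defender, the firewall, System Restore and Windows Update. The expected start types are assumptions (WinDefend = Auto is the one the FSS log states), the Policies\ paths are the Group Policy locations for those switches and are listed here as assumptions, and it assumes PowerShell 3.0 or later.

```powershell
# Added example, not FSS and not from the thread. Assumes PowerShell 3.0+.
# Expected start types: WinDefend = Auto is what the FSS log states as the default;
# the others are assumed Windows 7 defaults (StartMode as reported by Win32_Service,
# where "Auto" also covers Automatic (Delayed Start)).
$Expected = @{
    WinDefend = 'Auto'     # Windows Defender
    MpsSvc    = 'Auto'     # Windows Firewall
    BFE       = 'Auto'     # Base Filtering Engine, the firewall depends on it
    wscsvc    = 'Auto'     # Security Center
    wuauserv  = 'Auto'     # Windows Update
    BITS      = 'Manual'   # Background Intelligent Transfer Service
    VSS       = 'Manual'   # Volume Shadow Copy (System Restore)
}

# Values that switch a protection off. The first entry is the one FSS reported on
# this machine; the Policies\ paths are the Group Policy locations (assumed here).
$PolicyChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows Defender';                         Name = 'DisableAntiSpyware'; Bad = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';                Name = 'DisableAntiSpyware'; Bad = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile'; Name = 'EnableFirewall';     Bad = 0 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile';   Name = 'EnableFirewall';     Bad = 0 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore';        Name = 'DisableSR';          Bad = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU';        Name = 'NoAutoUpdate';       Bad = 1 }
)

function Get-ServiceFindings {
    foreach ($Name in $Expected.Keys) {
        $Svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
        if (-not $Svc) {
            [pscustomobject]@{ Check = "service $Name"; Status = 'MISSING'; Detail = 'not registered' }
            continue
        }
        # A changed start type is what FSS flagged for WinDefend (Demand instead of Auto).
        $Status = if ($Svc.StartMode -eq $Expected[$Name]) { 'ok' } else { 'START TYPE CHANGED' }
        [pscustomobject]@{
            Check  = "service $Name"
            Status = $Status
            Detail = "start=$($Svc.StartMode) expected=$($Expected[$Name]) state=$($Svc.State) path=$($Svc.PathName)"
        }
    }
}

function Get-PolicyFindings {
    foreach ($c in $PolicyChecks) {
        $Value = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        if ($null -eq $Value) { continue }    # value absent: nothing is set, nothing to report
        $Status = if ($Value -eq $c.Bad) { 'DISABLED BY POLICY' } else { 'ok' }
        [pscustomobject]@{ Check = "$($c.Path)\$($c.Name)"; Status = $Status; Detail = "value=$Value" }
    }
}

@(Get-ServiceFindings) + @(Get-PolicyFindings) | Format-Table -AutoSize -Wrap
```

    Reading service configuration and these HKLM values needs no elevation. The path column matters as much as the start type: the FSS log confirms the ImagePath and ServiceDll of WinDefend, and a service whose start type is right but whose binary lives outside C:\Windows\system32 is the case this script cannot judge for you.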
     
  21. Allst-half

    Allst-half TS Rookie Topic Starter Posts: 37

    The delays for each posting are enormous because I'll have to wait on IE updating pages, which takes up to 10 minutes each time. Sometimes it just crashes and I'll have to start all over again. It makes the posting of reports a very difficult task. Moving up or down an already loaded page can result in hangs. I'll try to continue with step 3 now and AdwCleaner, but expect long waits.
     
  22. Broni

    Broni Malware Annihilator Posts: 47,022   +255

    I suggest you switch to Firefox for the time being.
     
  23. Allst-half

    Allst-half TS Rookie Topic Starter Posts: 37

    # AdwCleaner v2.005 - Logfile created 10/26/2012 at 00:42:38
    # Updated 14/10/2012 by Xplode
    # Operating system : Windows 7 Home Premium Service Pack 1 (32 bits)
    # User : Allan - UD6
    # Boot Mode : Normal
    # Running from : C:\Users\Allan\Desktop\adwcleaner.exe
    # Option [Delete]

    ***** [Services] *****

    ***** [Files / Folders] *****
    Deleted on reboot : C:\Program Files\Common Files\AVG Secure Search
    File Deleted : C:\Program Files\Mozilla Firefox\searchplugins\fcmdSrch.xml
    Folder Deleted : C:\Program Files\Conduit
    Folder Deleted : C:\ProgramData\AVG Secure Search
    Folder Deleted : C:\Users\Allan\AppData\Local\AVG Secure Search
    Folder Deleted : C:\Users\Allan\AppData\Local\Conduit
    Folder Deleted : C:\Users\Allan\AppData\LocalLow\Conduit
    Folder Deleted : C:\Users\Allan\AppData\LocalLow\facemoods.com
    ***** [Registry] *****
    Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
    Key Deleted : HKCU\Software\facemoods.com
    Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0D7562AE-8EF6-416D-A838-AB665251703A}
    Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40B7-AC73-056A5EBA4A7E}
    Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{1FDFF5A2-7BB1-48E1-8081-7236812B12B2}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{5B1881D1-D9C7-46DF-B041-1E593282C7D0}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{AD25754E-D76C-42B3-A335-2F81478B722F}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\esrv.EXE
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\ScriptHelper.EXE
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\ViProtocol.DLL
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A5B99E41-E157-4209-8AAC-DB003A816079}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AD20D01C-C939-4DD2-8C55-56935A48987E}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B658800C-F66E-4EF3-AB85-6C0C227862A9}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DDE2C74F-58CC-4D71-8CE1-09DEBB8CFB78}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E95EAD3F-18C6-4304-9DC6-BD6FD8E11D37}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F25AF245-4A81-40DC-92F9-E9021F207706}
    Key Deleted : HKLM\SOFTWARE\Classes\escort.escortIEPane
    Key Deleted : HKLM\SOFTWARE\Classes\escort.escortIEPane.1
    Key Deleted : HKLM\SOFTWARE\Classes\escort.escrtBtn.1
    Key Deleted : HKLM\SOFTWARE\Classes\esrv.escrtSrvc
    Key Deleted : HKLM\SOFTWARE\Classes\esrv.escrtSrvc.1
    Key Deleted : HKLM\SOFTWARE\Classes\facemoods.xtrnl
    Key Deleted : HKLM\SOFTWARE\Classes\facemoods.xtrnl.1
    Key Deleted : HKLM\SOFTWARE\Classes\facemoodsApp.appCore
    Key Deleted : HKLM\SOFTWARE\Classes\facemoodsApp.appCore.1
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{542FA950-C57A-4E17-B3E1-D935DFE15DEE}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{5B035F86-41B5-40F1-AAAD-3D219F30244E}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6365AC7B-9920-4D8B-AF5D-3BDFEAC340A8}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6A934270-717F-4BC3-BA59-BC9BED47A8D2}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{74C012C4-00FB-4F04-9AFB-4AD5449D2018}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{78888F8B-D5E4-43CE-89F5-C8C18223AF64}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{79B13431-CCAC-4097-8889-D0289E5E924F}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{8B8558F6-DC26-4F39-8417-34B8934AA459}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{8C8D5C57-3CAD-4CF9-BCAD-F873678DA883}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{981334CB-7B8B-431F-B86D-67B7426B125B}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E393F82-2644-4AB6-B994-1AD39D6C59EE}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A3A2A5C0-1306-4D1A-A093-9CECA4230002}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A9379648-F6EB-4F65-A624-1C10411A15D0}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C1C2FC43-F042-4F17-AEDB-C5ABF3B42E4B}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C8D424EF-CB21-49A0-8659-476FBAB0F8E8}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{F16AB1DB-15C0-4456-A29E-4DF24FB9E3D2}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{F7EC6286-297C-4981-9DCC-FD7F57BC24C9}
    Key Deleted : HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\viprotocol
    Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi
    Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi.1
    Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3072253
    Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{12A5F606-B1EC-474C-83ED-95E99FD8058E}
    Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{74FB6AFD-DD77-4CEB-83BD-AB2B63E63C93}
    Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
    Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{AD25754E-D76C-42B3-A335-2F81478B722F}
    Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{B12E99ED-69BD-437C-86BE-C862B9E5444D}
    Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C2AC8A0E-E48E-484B-A71C-C7A937FAAB94}
    Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
    Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE
    Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE.1
    Key Deleted : HKLM\Software\Conduit
    Key Deleted : HKLM\Software\facemoods.com
    Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\ihflimipbcaljfnojhhknppphnnciiif
    Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F25AF245-4A81-40DC-92F9-E9021F207706}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FFDF9EF3-3C3A-4F05-9A6E-5D3B778EC567}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F25AF245-4A81-40DC-92F9-E9021F207706}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF
    Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin
    ***** [Internet Browsers] *****
    -\\ Internet Explorer v9.0.8112.16421
    Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURls - Tabs] = hxxp://start.facemoods.com/?a=ddrnw&f=2 --> hxxp://www.google.com
    *************************
    AdwCleaner[S1].txt - [6946 octets] - [26/10/2012 00:42:38]
    ########## EOF - C:\AdwCleaner[S1].txt - [7006 octets] ##########
     
  24. Allst-half

    Allst-half TS Rookie Topic Starter Posts: 37

    Thanks for the advice about Firefox, but I'm only used to IE and I don't want to download any more programs to the PC while it's being cleaned. My desktop has never been filled with so many cleaners before, it almost looks "dirty". :D

    The ESET online scanner is working now, so this will take some time.

    When the cleaning is finished, I'll have to mount the 2 other HDDs. Please advise me on the procedure to be safe from getting infected again.
     
  25. Allst-half

    Allst-half TS Rookie Topic Starter Posts: 37

    E:\gamebase downloads\NINTENDO 64\Nintendo 64\Emulator\Project64\Project64.bak probably a variant of Win32/Agent.YHVXLK trojan cleaned by deleting - quarantined
    E:\Underground-Gamer DL\PC DOS COLLECTION\DOSCollection-N.to.Z\Thunder Blade (1988)(Us Gold).zip probably unknown CRYPT.TSR.COM.EXE virus deleted - quarantined
     

