"Windows has encountered a critical error will restart in one minute"

Solved
By Russ66
Aug 16, 2012
  1. Hi there!
    I found this site while researching a problem that has just occurred on my laptop and this seems to be the place to get results, so here I am!
    As you have probably already guessed, I fell for the fake Adobe update and downloaded myself a heap of trouble instead. I'm not sure what the correct name for the virus is, but the message in my post title comes up as soon as I log on and then everything shuts down before I can do anything. I think this is a common virus at the moment and hopefully the above is enough for you to identify it. I have Microsoft Security Essentials as my security and obviously it got around that as I ok'd the download. My laptop is running Windows Vista and is the 32-bit system. Please let me know if you need any further info. Many thanks!
    Russ
  2. Broni

    Broni Malware Annihilator Posts: 46,164   +251

    Welcome aboard

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ===================================

    For x32 (x86) bit systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
    For x64 bit systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:

      • Startup Repair
      • System Restore
      • Windows Complete PC Restore
      • Windows Memory Diagnostic Tool
      • Command Prompt
    • Select Command Prompt.
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter.
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

    Next...

    Re-run FRST again.
    Type the following in the edit box after "Search:".

    services.exe

    Click Search button and post the log (Search.txt) it makes in your reply.

    I'll expect two logs:
    - FRST.txt
    - Search.txt
  3. Russ66

    Russ66 Newcomer, in training Topic Starter Posts: 20

    Hi Broni! Many thanks for your swift reply. :)

    I have followed your instructions and have the two logs to attach below;

    (I will probably not be able to reply again tonight but will check back again tomorrow.)

    Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 14-08-2012
    Ran by SYSTEM at 14-08-2012 10:57:15
    Running from F:\
    Windows Vista (TM) Home Premium (X86) OS Language: English(US)
    The current controlset is ControlSet001

    ========================== Registry (Whitelisted) =============

    HKLM\...\Run: [RtHDVCpl] RtHDVCpl.exe [x]
    HKLM\...\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [815104 2006-11-15] (Synaptics, Inc.)
    HKLM\...\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [90112 2006-07-11] ()
    HKLM\...\Run: [toolbar_eula_launcher] C:\Program Files\Packard Bell\GOOGLE_EULA\EULALauncher.exe [18944 2007-01-10] ( )
    HKLM\...\Run: [VX1000] C:\Windows\vVX1000.exe [709992 2007-04-10] (Microsoft Corporation)
    HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [39792 2008-10-14] (Adobe Systems Incorporated)
    HKLM\...\Run: [Memeo Instant Backup] C:\Program Files\Memeo\AutoBackup\MemeoLauncher2.exe --silent --no_ui [136416 2011-05-04] (Memeo Inc.)
    HKLM\...\Run: [Seagate Dashboard] C:\Program Files\Seagate\Seagate Dashboard\MemeoLauncher.exe --silent --no_ui [79112 2011-06-01] ()
    HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
    HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
    HKU\Russell Weller\...\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [700416 2006-08-07] ()
    HKU\Russell Weller\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [125952 2008-01-18] (Microsoft Corporation)
    HKU\Russell Weller\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [8704 2006-11-02] (Microsoft Corporation)
    HKU\Russell Weller\...\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-18] (Microsoft Corporation)
    Tcpip\Parameters: [DhcpNameServer] 192.168.2.1 192.168.2.1

    ================================ Services (Whitelisted) ==================

    2 Creative Service for CDROM Access; C:\Windows\system32\CTsvcCDA.exe [44032 1999-12-12] (Creative Technology Ltd)
    2 Eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [21504 2008-01-18] (Microsoft Corporation)
    2 MemeoBackgroundService; C:\Program Files\Memeo\AutoBackup\MemeoBackgroundService.exe [25824 2011-05-04] (Memeo)
    2 SeagateDashboardService; C:\Program Files\Seagate\Seagate Dashboard\SeagateDashboardService.exe [14088 2011-06-01] (Memeo)
    2 MsMpSvc; "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [x]
    3 NisSrv; "c:\Program Files\Microsoft Security Client\NisSrv.exe" [x]

    ========================== Drivers (Whitelisted) =============

    4 adpu160m; C:\Windows\system32\drivers\adpu160m.sys [98408 2006-11-02] (Adaptec, Inc.)
    3 athrusb; C:\Windows\System32\DRIVERS\athrusb.sys [449536 2006-12-22] (Atheros Communications, Inc.)
    3 BLKWGU(Belkin); C:\Windows\System32\DRIVERS\BLKWGU.sys [402944 2005-11-10] (Belkin Corporation)
    1 eeCtrl; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [389432 2007-04-10] (Symantec Corporation)
    1 frmmottp; \??\C:\Windows\system32\drivers\frmmottp.sys [43480 2012-08-14] (Microsoft Corporation)
    0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
    3 MTDVC2; C:\Windows\System32\DRIVERS\mtdv2ku2.sys [12288 2003-10-15] (Matsushita Electric Industrial Co., Ltd.)
    3 MTDVC2_ENUM; C:\Windows\System32\DRIVERS\mtdv2ks2.sys [11648 2003-10-11] (Matsushita Electric Industrial Co., Ltd.)
    3 RTL8023xp; C:\Windows\System32\DRIVERS\Rtnicxp.sys [51200 2008-07-22] (Realtek Semiconductor Corporation )
    3 VX1000; C:\Windows\System32\DRIVERS\VX1000.sys [1966312 2007-04-10] (Microsoft Corporation)
    3 wanatw; C:\Windows\System32\DRIVERS\wanatw4.sys [33588 2006-11-01] (America Online, Inc.)
    3 ZDPSp50; C:\Windows\System32\Drivers\ZDPSp50.sys [17664 2004-10-25] (Printing Communications Assoc., Inc. (PCAUSA))
    4 blbdrive; C:\Windows\system32\drivers\blbdrive.sys [x]
    2 CLTNetCnService; [x]
    3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
    3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
    3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
    2 WZCSVC; [x]

    ========================== NetSvcs (Whitelisted) ===========


    ============ One Month Created Files and Folders ==============

    2012-08-14 05:28 - 2012-08-14 05:28 - 00043480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\frmmottp.sys
    2012-08-14 04:34 - 2012-08-14 04:35 - 00000000 ____D C:\Program Files\Microsoft Security Client
    2012-08-14 04:31 - 2012-08-14 04:32 - 10288512 ____A (Microsoft Corporation) C:\Users\Russell Weller\Downloads\mseinstall.exe
    2012-08-12 10:30 - 2012-08-12 10:30 - 00000000 __SHD C:\Windows\System32\%APPDATA%


    ============ 3 Months Modified Files ========================

    2012-08-14 10:17 - 2006-11-02 02:22 - 42467328 ____A C:\Windows\System32\config\software_previous
    2012-08-14 10:17 - 2006-11-02 02:22 - 41680896 ____A C:\Windows\System32\config\system_previous
    2012-08-14 10:15 - 2006-11-02 02:22 - 42991616 ____A C:\Windows\System32\config\components_previous
    2012-08-14 10:15 - 2006-11-02 02:22 - 00262144 ____A C:\Windows\System32\config\sam_previous
    2012-08-14 05:28 - 2012-08-14 05:28 - 00043480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\frmmottp.sys
    2012-08-14 05:28 - 2010-01-08 04:21 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2012-08-14 05:28 - 2009-10-20 07:41 - 00279552 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
    2012-08-14 05:27 - 2006-11-02 05:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-08-14 05:27 - 2006-11-02 04:47 - 00003168 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    2012-08-14 05:27 - 2006-11-02 04:47 - 00003168 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    2012-08-14 05:20 - 2010-01-08 04:21 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2012-08-14 05:10 - 2006-11-02 02:22 - 00262144 ____A C:\Windows\System32\config\security_previous
    2012-08-14 05:10 - 2006-11-02 02:22 - 00262144 ____A C:\Windows\System32\config\default_previous
    2012-08-14 04:56 - 2007-04-23 05:57 - 01228312 ____A C:\Windows\WindowsUpdate.log
    2012-08-14 04:35 - 2011-02-01 20:22 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-08-14 04:35 - 2006-11-02 02:33 - 00717516 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-08-14 04:32 - 2012-08-14 04:31 - 10288512 ____A (Microsoft Corporation) C:\Users\Russell Weller\Downloads\mseinstall.exe
    2012-08-14 04:30 - 2007-04-23 06:14 - 00000358 ____A C:\Windows\Tasks\Recovery DVD Creator.job
    2012-08-14 04:10 - 2006-11-02 05:01 - 00032552 ____A C:\Windows\Tasks\SCHEDLGU.TXT
    2012-08-12 10:26 - 2012-04-11 17:11 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
    2012-08-12 10:26 - 2011-07-11 09:47 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
    2012-08-12 08:09 - 2007-06-01 14:51 - 00179200 ____A C:\Users\Russell Weller\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2012-07-11 23:01 - 2006-11-02 04:47 - 00328808 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-07-11 22:59 - 2007-02-13 08:45 - 00407908 ____A C:\Windows\PFRO.log
    2012-07-11 22:35 - 2006-11-02 02:24 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
    2012-07-11 22:33 - 2006-11-02 02:23 - 00000240 ____A C:\Windows\win.ini
    2012-07-03 08:43 - 2012-07-03 08:41 - 22657136 ____A C:\Users\Russell Weller\Downloads\vlc-2.0.2-win32.exe
    2012-06-30 18:57 - 2012-06-30 18:57 - 00799416 ____A C:\Users\Russell Weller\Downloads\RegpairSetup(1).exe
    2012-06-16 10:32 - 2012-06-16 10:32 - 00476936 ____A (Sun Microsystems, Inc.) C:\Windows\System32\npdeployJava1.dll
    2012-06-16 10:32 - 2012-06-16 10:32 - 00157448 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaws.exe
    2012-06-16 10:32 - 2012-06-16 10:32 - 00149256 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaw.exe
    2012-06-16 10:32 - 2012-06-16 10:32 - 00149256 ____A (Sun Microsystems, Inc.) C:\Windows\System32\java.exe
    2012-06-16 10:32 - 2011-05-26 16:37 - 00472840 ____A (Sun Microsystems, Inc.) C:\Windows\System32\deployJava1.dll
    2012-06-13 05:40 - 2012-07-11 22:37 - 02047488 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-06-08 09:47 - 2012-07-11 17:10 - 11586048 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
    2012-06-05 08:47 - 2012-07-11 17:04 - 01401856 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
    2012-06-05 08:47 - 2012-07-11 17:04 - 01248768 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
    2012-06-04 07:26 - 2012-07-11 17:03 - 00440704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
    2012-06-02 14:19 - 2012-06-20 20:42 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-02 14:19 - 2012-06-20 20:42 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-02 14:19 - 2012-06-20 20:42 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-02 14:19 - 2012-06-20 20:41 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-02 14:19 - 2012-06-20 20:41 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-02 14:12 - 2012-06-20 20:42 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-02 14:12 - 2012-06-20 20:41 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-02 10:19 - 2012-06-20 20:41 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-02 10:12 - 2012-06-20 20:41 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-06-02 01:07 - 2012-07-11 22:34 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-06-02 00:43 - 2012-07-11 22:34 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-06-02 00:33 - 2012-07-11 22:34 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-06-02 00:26 - 2012-07-11 22:34 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-06-02 00:25 - 2012-07-11 22:34 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-06-02 00:25 - 2012-07-11 22:34 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-06-02 00:23 - 2012-07-11 22:34 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-06-02 00:21 - 2012-07-11 22:34 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-06-02 00:20 - 2012-07-11 22:34 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-06-02 00:19 - 2012-07-11 22:34 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-06-02 00:19 - 2012-07-11 22:34 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-06-02 00:17 - 2012-07-11 22:34 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-06-02 00:16 - 2012-07-11 22:34 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-06-02 00:14 - 2012-07-11 22:34 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-06-01 16:04 - 2012-07-11 17:03 - 00278528 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
    2012-06-01 16:03 - 2012-07-11 17:03 - 00204288 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll

    ZeroAccess:
    C:\Windows\Installer\{7b01d056-4baf-6e27-9fcd-2cbbc112acf0}
    C:\Windows\Installer\{7b01d056-4baf-6e27-9fcd-2cbbc112acf0}\@
    C:\Windows\Installer\{7b01d056-4baf-6e27-9fcd-2cbbc112acf0}\L
    C:\Windows\Installer\{7b01d056-4baf-6e27-9fcd-2cbbc112acf0}\n
    C:\Windows\Installer\{7b01d056-4baf-6e27-9fcd-2cbbc112acf0}\U
    C:\Windows\Installer\{7b01d056-4baf-6e27-9fcd-2cbbc112acf0}\L\00000004.@
    C:\Windows\Installer\{7b01d056-4baf-6e27-9fcd-2cbbc112acf0}\L\201d3dde
    C:\Windows\Installer\{7b01d056-4baf-6e27-9fcd-2cbbc112acf0}\U\00000004.@
    C:\Windows\Installer\{7b01d056-4baf-6e27-9fcd-2cbbc112acf0}\U\00000008.@
    C:\Windows\Installer\{7b01d056-4baf-6e27-9fcd-2cbbc112acf0}\U\000000cb.@

    ZeroAccess:
    C:\Users\Russell Weller\AppData\Local\{7b01d056-4baf-6e27-9fcd-2cbbc112acf0}
    C:\Users\Russell Weller\AppData\Local\{7b01d056-4baf-6e27-9fcd-2cbbc112acf0}\@
    C:\Users\Russell Weller\AppData\Local\{7b01d056-4baf-6e27-9fcd-2cbbc112acf0}\L
    C:\Users\Russell Weller\AppData\Local\{7b01d056-4baf-6e27-9fcd-2cbbc112acf0}\U

    ZeroAccess:
    C:\Windows\assembly\GAC\Desktop.ini

    ========================= Known DLLs (Whitelisted) ============


    ========================= Bamital & volsnap Check ============

    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe 8737764F4FD36D6808EE80578409C843 ZeroAccess <==== ATTENTION!.
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ========================= Memory info ======================

    Percentage of memory in use: 19%
    Total physical RAM: 1917.56 MB
    Available physical RAM: 1547.13 MB
    Total Pagefile: 1732.77 MB
    Available Pagefile: 1616.44 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1983.72 MB

    ======================= Partitions =========================

    1 Drive c: (HDD) (Fixed) (Total:47.88 GB) (Free:7.18 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
    3 Drive e: (_OEMBP) (Fixed) (Total:8.01 GB) (Free:4.16 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    4 Drive f: (FLASH DRIVE) (Removable) (Total:14.94 GB) (Free:6.06 GB) FAT32
    5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

    Disk ### Status Size Free Dyn Gpt
    -------- ---------- ------- ------- --- ---
    Disk 0 Online 56 GB 0 B
    Disk 1 Online 15 GB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 OEM 8 GB 32 KB
    Partition 2 Primary 48 GB 8 GB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : 27
    Hidden: Yes
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 E _OEMBP NTFS Partition 8 GB Healthy Hidden

    ==================================================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 C HDD NTFS Partition 48 GB Healthy

    ==================================================================================

    Partitions of Disk 1:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 15 GB 4032 KB

    ==================================================================================

    Disk: 1
    Partition 1
    Type : 0C
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 F FLASH DRIVE FAT32 Removable 15 GB Healthy

    ==================================================================================

    Last Boot: 2012-08-14 04:17

    ======================= End Of Log ==========================



    Farbar Recovery Scan Tool Version: 14-08-2012
    Ran by SYSTEM at 2012-08-16 21:30:27
    Running from F:\

    ================== Search: "services.exe" ===================

    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
    [2009-10-20 07:41] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
    [2008-05-28 12:04] - [2008-01-18 23:33] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6000.16386_none_cd28fe6bd05df036\services.exe
    [2006-11-02 00:35] - [2006-11-02 01:45] - 0279552 ____A (Microsoft Corporation) 329CF3C97CE4C19375C8ABCABAE258B0

    C:\Windows\System32\services.exe
    [2009-10-20 07:41] - [2012-08-14 06:06] - 0279552 ____A (Microsoft Corporation) 8737764F4FD36D6808EE80578409C843

    === End Of Search ===
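Broni's reading of Search.txt (and of the "Bamital & volsnap Check" in FRST.txt) is that the live services.exe carries an MD5 that none of the WinSxS copies have, while its size and company string look normal. As an added example, not code from this thread or from FRST, here is a Python script that automates that comparison over the Search.txt layout and picks the component-store copy to restore from; the sample input is constructed from the values posted above, and the `status`/`reference` field names are my own.

```python
"""Cross-check the live services.exe against the copies Windows keeps in the
WinSxS component store, working from FRST's Search.txt output format."""
import re

# Constructed input in the layout of FRST's Search.txt; the paths, sizes and
# MD5 values are the ones posted in this thread.
SEARCH_TXT = r"""
================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2009-10-20 07:41] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-05-28 12:04] - [2008-01-18 23:33] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6000.16386_none_cd28fe6bd05df036\services.exe
[2006-11-02 00:35] - [2006-11-02 01:45] - 0279552 ____A (Microsoft Corporation) 329CF3C97CE4C19375C8ABCABAE258B0

C:\Windows\System32\services.exe
[2009-10-20 07:41] - [2012-08-14 06:06] - 0279552 ____A (Microsoft Corporation) 8737764F4FD36D6808EE80578409C843

=== End Of Search ===
"""

# FRST prints one path line followed by one detail line:
# [created] - [modified] - size attributes (company) MD5
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)
# The WinSxS folder name carries the component version, e.g. _6.0.6002.18005_
VERSION_RE = re.compile(r"_(\d+(?:\.\d+){3})_")


def parse_search(text):
    """Return one dict per file found, pairing each path line with its detail line."""
    entries = []
    pending_path = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):
            continue  # blank lines and the Search / End Of Search banners
        m = DETAIL_RE.match(line)
        if m and pending_path:
            entry = m.groupdict()
            entry["path"] = pending_path
            entry["size"] = int(entry["size"])
            entry["md5"] = entry["md5"].upper()
            entries.append(entry)
            pending_path = None
        else:
            pending_path = line
    return entries


def component_version(path):
    """Version tuple taken from the WinSxS component folder name; (0,0,0,0) if absent."""
    m = VERSION_RE.search(path)
    return tuple(int(p) for p in m.group(1).split(".")) if m else (0, 0, 0, 0)


def assess(entries):
    """Flag the live System32 copy when its MD5 matches none of the WinSxS copies.

    An in-place patch of the kind seen in this thread keeps the file size and the
    company string but changes the hash and bumps the modification time, which is
    the pattern the MD5 comparison surfaces. The restore candidate is the newest
    component version whose size matches the live file.
    """
    store = [e for e in entries if "\\winsxs\\" in e["path"].lower()]
    live = [e for e in entries if "\\winsxs\\" not in e["path"].lower()]
    if len(live) != 1 or not store:
        return {"status": "undetermined",
                "reasons": ["need exactly one live copy and at least one WinSxS copy"]}
    live = live[0]
    reasons = []
    if live["md5"] in {e["md5"] for e in store}:
        status = "legit"
    else:
        status = "suspect"
        reasons.append("MD5 matches no WinSxS copy")
        if any(e["size"] == live["size"] for e in store):
            reasons.append("size unchanged, so the file was overwritten in place")
        if live["modified"] > live["created"]:  # ISO timestamps compare as strings
            reasons.append("modified %s after creation %s"
                           % (live["modified"], live["created"]))
    candidates = [e for e in store if e["size"] == live["size"]] or store
    reference = max(candidates, key=lambda e: component_version(e["path"]))
    return {"status": status, "live": live["path"],
            "reference": reference["path"], "reasons": reasons}


if __name__ == "__main__":
    result = assess(parse_search(SEARCH_TXT))
    print(result["status"], result["live"])
    for reason in result["reasons"]:
        print("  -", reason)
    print("restore from:", result["reference"])
```

On the sample above the script reports the System32 copy as suspect and names the 6.0.6002.18005 store copy as the one to copy back, which is what the Fixlog later in the thread shows FRST doing.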
  4. Broni

    Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    On Vista or Windows 7: Now please enter System Recovery Options.
    On Windows XP: Now please boot into the UBCD.
    Run FRST/FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

    Next...

    Restart normally.

    Please download ComboFix from Here, Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.

    • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    • NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try the following...

    Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Download Rkill (courtesy of BleepingComputer.com) to your desktop.
    There are 2 different versions. If one of them won't run then download and try to run the other one.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
    iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

    Restart the computer in safe mode.

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    When the scan is done Notepad will open with rKill.txt log.
    NOTE. rKill.txt log will also be present on your desktop.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    IF you had to run rKill post BOTH logs, rKill.txt and Combofix.txt.

  5. Russ66

    Still up, so here we go :)

    The only point I felt I should mention was that the flash drive, when in my wife's 'clean' laptop at the start of diagnosis, was named 'F', but I just realized that when I moved it to my contaminated laptop it was named 'E', and I must have mistakenly still had it as 'F' on the SRO. The tool did still place the file on the flash drive, however, so perhaps it detected it..?

    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 14-08-2012
    Ran by SYSTEM at 2012-08-16 22:17:49 Run:1
    Running from F:\

    ==============================================

    HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows No ZeroAccess entry found.
    C:\Windows\System32\consrv.dll not found.
    frmmottp service not found.
    C:\Windows\system32\drivers\frmmottp.sys not found.
    C:\Windows\Installer\{7b01d056-4baf-6e27-9fcd-2cbbc112acf0} moved successfully.
    C:\Users\Russell Weller\AppData\Local\{7b01d056-4baf-6e27-9fcd-2cbbc112acf0} moved successfully.
    C:\Windows\assembly\GAC\Desktop.ini moved successfully.
    C:\Windows\System32\services.exe moved successfully.
    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe copied successfully to C:\Windows\System32\services.exe

    ==== End of Fixlog ====


    ComboFix 12-08-16.01 - Russell Weller 16/08/2012 22:34:54.1.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.1917.1163 [GMT -3:00]
    Running from: c:\users\Russell Weller\Downloads\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\Russell Weller\AppData\Local\{C9176D81-ACE4-42E7-9A3D-D91B1798F50F}
    c:\users\Russell Weller\AppData\Local\{C9176D81-ACE4-42E7-9A3D-D91B1798F50F}\chrome.manifest
    c:\users\Russell Weller\AppData\Local\{C9176D81-ACE4-42E7-9A3D-D91B1798F50F}\chrome\content\overlay.xul
    c:\users\Russell Weller\AppData\Local\{C9176D81-ACE4-42E7-9A3D-D91B1798F50F}\install.rdf
    .
    Infected copy of c:\windows\system32\userinit.exe was found and disinfected
    Restored copy from - c:\combofix\HarddiskVolumeShadowCopy2_!Windows!System32!userinit.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-07-17 to 2012-08-17 )))))))))))))))))))))))))))))))
    .
    .
    2012-08-14 18:56 . 2012-08-14 18:56 -------- dc----w- C:\FRST
    2012-08-14 12:44 . 2012-07-16 05:41 6891424 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D1CA2785-17C3-42A8-8082-534BD582FCB2}\mpengine.dll
    2012-08-14 12:34 . 2012-08-14 12:35 -------- d-----w- c:\program files\Microsoft Security Client
    2012-08-12 18:30 . 2012-08-12 18:30 -------- d-sh--w- c:\windows\system32\%APPDATA%
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-08-12 18:26 . 2012-04-12 01:11 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-08-12 18:26 . 2011-07-11 17:47 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-06-16 18:32 . 2012-06-16 18:32 476936 ----a-w- c:\windows\system32\npdeployJava1.dll
    2012-06-16 18:32 . 2011-05-27 00:37 472840 ----a-w- c:\windows\system32\deployJava1.dll
    2012-06-13 13:40 . 2012-07-12 06:37 2047488 ----a-w- c:\windows\system32\win32k.sys
    2012-06-05 16:47 . 2012-07-12 01:04 1401856 ----a-w- c:\windows\system32\msxml6.dll
    2012-06-05 16:47 . 2012-07-12 01:04 1248768 ----a-w- c:\windows\system32\msxml3.dll
    2012-06-04 15:26 . 2012-07-12 01:03 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2012-06-02 22:19 . 2012-06-21 04:42 53784 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-02 22:19 . 2012-06-21 04:42 45080 ----a-w- c:\windows\system32\wups2.dll
    2012-06-02 22:19 . 2012-06-21 04:41 35864 ----a-w- c:\windows\system32\wups.dll
    2012-06-02 22:19 . 2012-06-21 04:41 577048 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-02 22:19 . 2012-06-21 04:42 1933848 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-02 22:12 . 2012-06-21 04:42 2422272 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-02 22:12 . 2012-06-21 04:41 88576 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-02 18:19 . 2012-06-21 04:41 171904 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-02 18:12 . 2012-06-21 04:41 33792 ----a-w- c:\windows\system32\wuapp.exe
    2012-06-02 08:33 . 2012-07-12 06:34 1800192 ----a-w- c:\windows\system32\jscript9.dll
    2012-06-02 08:25 . 2012-07-12 06:34 1129472 ----a-w- c:\windows\system32\wininet.dll
    2012-06-02 08:25 . 2012-07-12 06:34 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
    2012-06-02 08:20 . 2012-07-12 06:34 142848 ----a-w- c:\windows\system32\ieUnatt.exe
    2012-06-02 08:16 . 2012-07-12 06:34 2382848 ----a-w- c:\windows\system32\mshtml.tlb
    2012-06-02 00:04 . 2012-07-12 01:03 278528 ----a-w- c:\windows\system32\schannel.dll
    2012-06-02 00:03 . 2012-07-12 01:03 204288 ----a-w- c:\windows\system32\ncrypt.dll
    2012-08-08 03:07 . 2012-01-27 03:12 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
    "CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-08-07 700416]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="RtHDVCpl.exe" [2006-11-09 3784704]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-16 815104]
    "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-07-11 90112]
    "toolbar_eula_launcher"="c:\program files\Packard Bell\GOOGLE_EULA\EULALauncher.exe" [2007-01-10 18944]
    "VX1000"="c:\windows\vVX1000.exe" [2007-04-10 709992]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "Memeo Instant Backup"="c:\program files\Memeo\AutoBackup\MemeoLauncher2.exe" [2011-05-04 136416]
    "Seagate Dashboard"="c:\program files\Seagate\Seagate Dashboard\MemeoLauncher.exe" [2011-06-01 79112]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-10-21 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-16 01:09]
    .
    2012-08-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-08 12:21]
    .
    2012-08-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-08 12:21]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://uk.yahoo.com/
    uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: internet
    Trusted Zone: mcafee.com
    TCP: DhcpNameServer = 192.168.2.1 192.168.2.1
    FF - ProfilePath - c:\users\Russell Weller\AppData\Roaming\Mozilla\Firefox\Profiles\m9vxn08l.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://ca.yahoo.com/
    FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?fr=mcafee&p=
    FF - user.js: yahoo.homepage.dontask - true
    .
    .
    **************************************************************************
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files:
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Microsoft Security Client\MsMpEng.exe
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\CTsvcCDA.exe
    c:\program files\Memeo\AutoBackup\MemeoBackgroundService.exe
    c:\program files\Seagate\Seagate Dashboard\SeagateDashboardService.exe
    c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    c:\windows\system32\WUDFHost.exe
    c:\windows\RtHDVCpl.exe
    c:\program files\ATI Technologies\ATI.ACE\CLI.EXE
    c:\windows\ehome\ehmsas.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\program files\Seagate\Seagate Dashboard\MemeoDashboard.exe
    c:\program files\Memeo\AutoBackup\InstantBackup.exe
    c:\program files\Seagate\Seagate Dashboard\HipServAgent\HipServAgent.exe
    c:\program files\ATI Technologies\ATI.ACE\CLI.exe
    c:\program files\ATI Technologies\ATI.ACE\CLI.exe
    c:\windows\servicing\TrustedInstaller.exe
    .
    **************************************************************************
    .
    Completion time: 2012-08-16 23:02:15 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-08-17 01:59
    .
    Pre-Run: 7,956,627,456 bytes free
    Post-Run: 8,348,614,656 bytes free
    .
    - - End Of File - - 36CA6ABBDD6372C23A21B7FD28E118AD
  6. Broni


    Looks good :)

    Any current issues?

    ====================================

    Download Malwarebytes' Anti-Malware (MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.
    NOTE. If you already have MBAM installed, update it before running the scan.

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform quick scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    Be sure to restart the computer IF MBAM asks you to do so.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    ================================

    Download OTL to your Desktop.
    Alternate download: http://www.itxassociates.com/OT-Tools/OTL.exe

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
  7. Russ66


    Hi again.

    No issues - apart from Windows Calendar opening on start-up since the infection, which it never used to do. It is still doing it now. Obviously I can fix that, but I thought I'd mention it in case it is an indicator of a problem still existing.

    However, I am unable to get MBAM onto my computer as the download for the free version only gives me a PHP file which opens in Notepad and there is no EXE file. The OTL download worked fine but I haven't run it yet until the MBAM is sorted out. Any ideas?
    Thanks
  8. Broni


  9. Russ66


    Okay - got it this time.



    Malwarebytes Anti-Malware 1.62.0.1300
    www.malwarebytes.org

    Database version: v2012.08.17.08

    Windows Vista Service Pack 2 x86 NTFS
    Internet Explorer 9.0.8112.16421
    Russell Weller :: RUSSELL-LAPTOP [administrator]

    17/08/2012 21:47:52
    mbam-log-2012-08-17 (21-47-52).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 194068
    Time elapsed: 7 minute(s), 5 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
  10. Russ66


    OTL Text:

    OTL logfile created on: 17/08/2012 22:01:09 - Run 1
    OTL by OldTimer - Version 3.2.57.0 Folder = C:\Users\Russell Weller\Desktop
    Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

    1.87 Gb Total Physical Memory | 1.01 Gb Available Physical Memory | 53.96% Memory free
    3.99 Gb Paging File | 2.72 Gb Available in Paging File | 68.21% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 47.88 Gb Total Space | 8.26 Gb Free Space | 17.25% Space Free | Partition Type: NTFS

    Computer Name: RUSSELL-LAPTOP | User Name: Russell Weller | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2012/08/17 08:44:52 | 000,596,992 | ---- | M] (OldTimer Tools) -- C:\Users\Russell Weller\Desktop\OTL.exe
    PRC - [2012/08/08 00:07:14 | 000,913,888 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
    PRC - [2012/03/26 17:08:12 | 000,931,200 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
    PRC - [2012/03/26 17:03:40 | 000,011,552 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe
    PRC - [2011/06/01 13:42:28 | 000,071,432 | ---- | M] (Memeo) -- C:\Program Files\Seagate\Seagate Dashboard\MemeoDashboard.exe
    PRC - [2011/06/01 13:42:28 | 000,014,088 | ---- | M] (Memeo) -- C:\Program Files\Seagate\Seagate Dashboard\SeagateDashboardService.exe
    PRC - [2011/06/01 13:16:54 | 002,260,992 | ---- | M] (Axentra Corporation) -- C:\Program Files\Seagate\Seagate Dashboard\HipServAgent\HipServAgent.exe
    PRC - [2011/05/04 18:04:38 | 000,025,824 | ---- | M] (Memeo) -- C:\Program Files\Memeo\AutoBackup\MemeoBackgroundService.exe
    PRC - [2011/05/04 18:04:32 | 000,325,344 | ---- | M] () -- C:\Program Files\Memeo\AutoBackup\InstantBackup.exe
    PRC - [2009/04/11 03:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
    PRC - [2007/04/10 18:46:52 | 000,709,992 | ---- | M] (Microsoft Corporation) -- C:\Windows\vVX1000.exe
    PRC - [2006/11/08 23:57:00 | 003,784,704 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe
    PRC - [2006/08/07 06:06:38 | 000,700,416 | ---- | M] () -- C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
    PRC - [2006/04/28 06:14:44 | 000,045,056 | ---- | M] (ATI Technologies Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe


    ========== Modules (No Company Name) ==========

    MOD - [2012/08/08 00:07:12 | 002,003,424 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
    MOD - [2012/06/13 04:14:58 | 001,711,616 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\2467a133aee73396c830b9b0a9c7ec0d\Microsoft.VisualBasic.ni.dll
    MOD - [2012/06/13 04:13:29 | 000,212,992 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\8bbcd31ecc8edc7d1f9cdd83ef2bb2d3\System.ServiceProcess.ni.dll
    MOD - [2012/06/13 04:13:25 | 011,820,032 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\508b444db523c5cf20ff12c7f440837b\System.Web.ni.dll
    MOD - [2012/06/13 04:11:01 | 012,433,920 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\f2691cfa7671cdc58179e56ba9227591\System.Windows.Forms.ni.dll
    MOD - [2012/06/13 04:10:49 | 001,592,320 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\18f9789aa214c657113e676b3a9015aa\System.Drawing.ni.dll
    MOD - [2012/05/11 04:00:12 | 000,998,400 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\f3d4d5fe5ab848fbfcf91a49960dc8ae\System.Management.ni.dll
    MOD - [2012/05/11 03:57:40 | 000,771,584 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\846b9cf2756fdd15f704c9bab9c70b6f\System.Runtime.Remoting.ni.dll
    MOD - [2012/05/11 03:56:54 | 000,971,264 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\bd76aaaa03ddc15d1840207b5a480644\System.Configuration.ni.dll
    MOD - [2012/05/11 03:56:50 | 000,025,600 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\Accessibility\1b337cf9a031145849bc48c11b2cfe58\Accessibility.ni.dll
    MOD - [2012/05/11 03:55:14 | 005,450,752 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\d2630342a066a7cb9056d9eb6157687a\System.Xml.ni.dll
    MOD - [2012/05/11 03:54:17 | 006,621,696 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Data\bfdd10e0a0aacf46bac557ffc5d55ba5\System.Data.ni.dll
    MOD - [2012/05/11 03:53:10 | 007,953,408 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\28d633338fc8d29f8af31935ef7d001b\System.ni.dll
    MOD - [2012/05/11 03:52:59 | 011,492,352 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\af9c9e9d7e0523cd444f8b551baa9cbf\mscorlib.ni.dll
    MOD - [2012/05/06 12:33:55 | 008,797,856 | ---- | M] () -- C:\Windows\System32\Macromed\Flash\NPSWF32_11_2_202_235.dll
    MOD - [2011/06/01 13:46:02 | 000,030,984 | ---- | M] () -- C:\Program Files\Seagate\Seagate Dashboard\Plugins\Memeo.Dashboard.SeagateSharePlusPlugin.dll
    MOD - [2011/06/01 13:42:24 | 000,108,296 | ---- | M] () -- C:\Program Files\Seagate\Seagate Dashboard\Memeo.Progress.dll
    MOD - [2011/06/01 13:16:54 | 000,971,776 | ---- | M] () -- C:\Program Files\Seagate\Seagate Dashboard\HipServAgent\libxml2.dll
    MOD - [2011/06/01 13:16:54 | 000,241,664 | ---- | M] () -- C:\Program Files\Seagate\Seagate Dashboard\HipServAgent\libupnp.dll
    MOD - [2011/05/04 18:04:54 | 002,896,608 | ---- | M] () -- C:\Program Files\Memeo\AutoBackup\Memeo.Client.UI.dll
    MOD - [2011/05/04 18:04:50 | 000,027,360 | ---- | M] () -- C:\Program Files\Memeo\AutoBackup\Memeo.Client.DriveDetection.dll
    MOD - [2011/05/04 18:04:32 | 000,325,344 | ---- | M] () -- C:\Program Files\Memeo\AutoBackup\InstantBackup.exe
    MOD - [2010/03/22 19:59:46 | 000,504,293 | ---- | M] () -- C:\Program Files\Memeo\AutoBackup\sqlite3.dll
    MOD - [2009/12/12 16:12:03 | 000,141,824 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll
    MOD - [2009/04/11 03:28:21 | 000,368,640 | ---- | M] () -- C:\Windows\System32\msjetoledb40.dll
    MOD - [2009/03/30 01:42:17 | 002,933,760 | ---- | M] () -- C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
    MOD - [2006/11/24 10:37:38 | 000,159,744 | ---- | M] () -- C:\Windows\System32\atitmmxx.dll
    MOD - [2006/08/07 06:06:38 | 000,700,416 | ---- | M] () -- C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
    MOD - [2006/05/19 11:20:50 | 000,188,416 | ---- | M] () -- C:\Program Files\Creative\Sync Manager Unicode\CTSyncRs.crl


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [Auto | Stopped] -- -- (CLTNetCnService)
    SRV - [2012/08/08 00:07:13 | 000,113,120 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
    SRV - [2012/03/26 17:03:40 | 000,214,952 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Microsoft Security Client\NisSrv.exe -- (NisSrv)
    SRV - [2012/03/26 17:03:40 | 000,011,552 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
    SRV - [2011/06/01 13:42:28 | 000,014,088 | ---- | M] (Memeo) [Auto | Running] -- C:\Program Files\Seagate\Seagate Dashboard\SeagateDashboardService.exe -- (SeagateDashboardService)
    SRV - [2011/05/04 18:04:38 | 000,025,824 | ---- | M] (Memeo) [Auto | Running] -- C:\Program Files\Memeo\AutoBackup\MemeoBackgroundService.exe -- (MemeoBackgroundService)
    SRV - [2008/01/19 04:38:24 | 000,272,952 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ComboFix\catchme.sys -- (catchme)
    DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\blbdrive.sys -- (blbdrive)
    DRV - [2012/03/20 20:44:12 | 000,074,112 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv)
    DRV - [2011/08/17 10:56:32 | 000,008,192 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\usbser_lowerfltj.sys -- (UsbserFilt)
    DRV - [2011/08/17 10:56:30 | 000,008,192 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\usbser_lowerflt.sys -- (upperdev)
    DRV - [2011/08/17 10:56:26 | 000,023,168 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ccdcmbo.sys -- (nmwcdc)
    DRV - [2011/08/17 10:56:22 | 000,018,176 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ccdcmb.sys -- (nmwcd)
    DRV - [2008/07/22 07:42:58 | 000,051,200 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtnicxp.sys -- (RTL8023xp)
    DRV - [2007/04/10 18:46:53 | 001,966,312 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VX1000.sys -- (VX1000)
    DRV - [2007/04/10 05:00:00 | 000,389,432 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
    DRV - [2006/12/22 16:05:34 | 000,449,536 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\athrusb.sys -- (athrusb)
    DRV - [2006/12/12 03:38:12 | 000,286,208 | ---- | M] (Ralink Technology Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\netr61.sys -- (rt61x86)
    DRV - [2006/11/24 10:46:38 | 002,085,888 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (R300)
    DRV - [2006/11/01 17:18:15 | 000,033,588 | ---- | M] (America Online, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\wanatw4.sys -- (wanatw)
    DRV - [2005/11/10 15:54:56 | 000,402,944 | ---- | M] (Belkin Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\BLKWGU.sys -- (BLKWGU(Belkin)
    DRV - [2004/10/25 09:40:58 | 000,017,664 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ZDPSp50.sys -- (ZDPSp50)
    DRV - [2003/10/15 17:07:38 | 000,012,288 | ---- | M] (Matsushita Electric Industrial Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mtdv2ku2.sys -- (MTDVC2)
    DRV - [2003/10/11 08:39:52 | 000,011,648 | ---- | M] (Matsushita Electric Industrial Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mtdv2ks2.sys -- (MTDVC2_ENUM)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC


    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    IE - HKU\S-1-5-21-967825510-758857322-1603075346-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
    IE - HKU\S-1-5-21-967825510-758857322-1603075346-1000\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
    IE - HKU\S-1-5-21-967825510-758857322-1603075346-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
    IE - HKU\S-1-5-21-967825510-758857322-1603075346-1000\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={sea...putEncoding}&oe={outputEncoding}&sourceid=ie7
    IE - HKU\S-1-5-21-967825510-758857322-1603075346-1000\..\SearchScopes\{DECA3892-BA8F-44b8-A993-A466AD694AE4}: "URL" = http://uk.search.yahoo.com/search?fr=mcafee&p={searchTerms}
    IE - HKU\S-1-5-21-967825510-758857322-1603075346-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========

    FF - prefs.js..browser.search.defaultenginename: "Secure Search"
    FF - prefs.js..browser.search.selectedEngine: "Google"
    FF - prefs.js..browser.search.useDBForOrder: true
    FF - prefs.js..browser.startup.homepage: "http://ca.yahoo.com/"
    FF - prefs.js..extensions.enabledItems: en-GB@dictionaries.addons.mozilla.org:1.19.1
    FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.3.20100310105313
    FF - prefs.js..extensions.enabledItems: personas@christopher.beard:1.6.2
    FF - prefs.js..extensions.enabledItems: {C9176D81-ACE4-42E7-9A3D-D91B1798F50F}:1.9.1
    FF - prefs.js..keyword.URL: "http://uk.search.yahoo.com/search?fr=mcafee&p="


    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_2_202_235.dll ()
    FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=1.6.0_33: C:\Windows\system32\npdeployJava1.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.3: C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.5: C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@pack.google.com/Google Updater;version=13: C:\Program Files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll (Google)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.2: C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
    FF - HKCU\Software\MozillaPlugins\@adobe.com/FlashPlayer: File not found

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/08/08 00:07:15 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/06/16 15:32:51 | 000,000,000 | ---D | M]

    [2008/12/17 09:02:37 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Russell Weller\AppData\Roaming\Mozilla\Extensions
    [2012/08/13 23:50:03 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Russell Weller\AppData\Roaming\Mozilla\Firefox\Profiles\m9vxn08l.default\extensions
    [2012/08/13 23:50:03 | 000,000,000 | ---D | M] (Flagfox) -- C:\Users\Russell Weller\AppData\Roaming\Mozilla\Firefox\Profiles\m9vxn08l.default\extensions\{1018e4d6-728f-4b20-ad56-37578a4de76b}
    [2010/04/28 23:12:55 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Russell Weller\AppData\Roaming\Mozilla\Firefox\Profiles\m9vxn08l.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    [2007/10/19 07:48:16 | 000,000,000 | ---D | M] ("Cylence Theme 2: Black Diamond Edition RC1") -- C:\Users\Russell Weller\AppData\Roaming\Mozilla\Firefox\Profiles\m9vxn08l.default\extensions\{a83be38c-7731-4a6d-9059-4864a7fd55c8}
    [2010/12/15 21:35:50 | 000,000,000 | ---D | M] (British English Dictionary) -- C:\Users\Russell Weller\AppData\Roaming\Mozilla\Firefox\Profiles\m9vxn08l.default\extensions\en-GB@dictionaries.addons.mozilla.org
    [2011/03/12 12:26:28 | 000,000,000 | ---D | M] (Personas) -- C:\Users\Russell Weller\AppData\Roaming\Mozilla\Firefox\Profiles\m9vxn08l.default\extensions\personas@christopher.beard
    [2008/11/14 10:55:54 | 000,000,000 | ---D | M] (Yahoo! Canada Toolbar and Extras) -- C:\Users\Russell Weller\AppData\Roaming\Mozilla\Firefox\Profiles\m9vxn08l.default\extensions\toolbar_extras@ca.yahoo.com
    [2011/03/30 21:26:22 | 000,000,355 | ---- | M] () -- C:\Users\Russell Weller\AppData\Roaming\Mozilla\Firefox\Profiles\m9vxn08l.default\searchplugins\flickr.xml
    [2007/06/17 19:36:33 | 000,002,386 | ---- | M] () -- C:\Users\Russell Weller\AppData\Roaming\Mozilla\Firefox\Profiles\m9vxn08l.default\searchplugins\siteadvisor.xml
    [2008/06/18 14:45:38 | 000,001,108 | ---- | M] () -- C:\Users\Russell Weller\AppData\Roaming\Mozilla\Firefox\Profiles\m9vxn08l.default\searchplugins\wikipedia-en.xml
    [2012/06/16 15:32:54 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
    [2012/06/16 15:32:54 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}
    [2011/04/07 21:25:16 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\distribution\extensions
    [2011/04/07 21:25:16 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Program Files\Mozilla Firefox\distribution\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
    [2012/02/07 09:49:47 | 000,246,025 | ---- | M] () (No name found) -- C:\USERS\RUSSELL WELLER\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\M9VXN08L.DEFAULT\EXTENSIONS\AMZNUWL2@AMAZON.COM.XPI
    [2012/08/08 00:07:14 | 000,136,672 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
    [2008/06/30 17:03:12 | 001,818,624 | ---- | M] ( ) -- C:\Program Files\mozilla firefox\plugins\npsnapfish.dll
    [2012/05/12 14:01:51 | 000,001,525 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
    [2012/02/12 22:24:10 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
    [2012/05/12 14:01:51 | 000,000,935 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
    [2012/05/12 14:01:51 | 000,001,166 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
    [2010/06/09 07:54:18 | 000,002,027 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\McSiteAdvisor.xml
    [2012/05/12 14:01:57 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml
    [2012/05/12 14:01:51 | 000,001,121 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

    O1 HOSTS File: ([2012/08/16 22:48:41 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
    O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
    O3 - HKU\S-1-5-21-967825510-758857322-1603075346-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
    O4 - HKLM..\Run: [ATICCC] C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe ()
    O4 - HKLM..\Run: [Memeo Instant Backup] C:\Program Files\Memeo\AutoBackup\MemeoLauncher2.exe (Memeo Inc.)
    O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
    O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
    O4 - HKLM..\Run: [Seagate Dashboard] C:\Program Files\Seagate\Seagate Dashboard\MemeoLauncher.exe ()
    O4 - HKLM..\Run: [toolbar_eula_launcher] C:\Program Files\Packard Bell\GOOGLE_EULA\EULALauncher.exe ( )
    O4 - HKLM..\Run: [VX1000] C:\Windows\vVX1000.exe (Microsoft Corporation)
    O4 - HKU\S-1-5-21-967825510-758857322-1603075346-1000..\Run: [CTSyncU.exe] C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe ()
    O4 - HKLM..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-967825510-758857322-1603075346-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-967825510-758857322-1603075346-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-21-967825510-758857322-1603075346-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O15 - HKU\S-1-5-21-967825510-758857322-1603075346-1000\..Trusted Domains: internet ([]about in Trusted sites)
    O15 - HKU\S-1-5-21-967825510-758857322-1603075346-1000\..Trusted Domains: mcafee.com ([]http in Trusted sites)
    O15 - HKU\S-1-5-21-967825510-758857322-1603075346-1000\..Trusted Domains: mcafee.com ([]https in Trusted sites)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab (Java Plug-in 1.6.0_33)
    O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Java Plug-in 1.6.0_03)
    O16 - DPF: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab (Java Plug-in 1.6.0_33)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab (Java Plug-in 1.6.0_33)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1 192.168.2.1
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{92720274-C13D-40C8-A314-9A6F54FBD869}: DhcpNameServer = 192.168.2.1 192.168.2.1
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
    O24 - Desktop WallPaper: C:\Users\Russell Weller\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
    O24 - Desktop BackupWallPaper: C:\Users\Russell Weller\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2006/09/18 18:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O35 - HKU\S-1-5-21-967825510-758857322-1603075346-1000..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
    O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/08/17 21:46:22 | 000,000,000 | ---D | C] -- C:\Users\Russell Weller\AppData\Roaming\Malwarebytes
    [2012/08/17 21:45:51 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2012/08/17 21:45:51 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
    [2012/08/17 21:45:50 | 000,022,344 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
    [2012/08/17 21:45:50 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2012/08/17 08:44:51 | 000,596,992 | ---- | C] (OldTimer Tools) -- C:\Users\Russell Weller\Desktop\OTL.exe
    [2012/08/16 23:02:19 | 000,000,000 | ---D | C] -- C:\Windows\temp
    [2012/08/16 22:48:50 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
    [2012/08/16 22:31:23 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
    [2012/08/16 22:31:23 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
    [2012/08/16 22:31:23 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
    [2012/08/16 22:31:17 | 000,000,000 | ---D | C] -- C:\ComboFix
    [2012/08/16 22:31:13 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2012/08/16 22:30:37 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
    [2012/08/14 15:56:36 | 000,000,000 | ---D | C] -- C:\FRST
    [2012/08/14 09:34:51 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
    [2012/08/12 15:30:45 | 000,000,000 | -HSD | C] -- C:\Windows\System32\%APPDATA%

    ========== Files - Modified Within 30 Days ==========

    [2012/08/17 21:45:52 | 000,000,909 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/08/17 21:42:51 | 000,000,685 | ---- | M] () -- C:\Users\Russell Weller\Desktop\mbam-setup-1.62.0.1300 - Shortcut.lnk
    [2012/08/17 21:20:10 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
    [2012/08/17 21:12:40 | 000,003,168 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    [2012/08/17 21:12:40 | 000,003,168 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    [2012/08/17 09:20:00 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
    [2012/08/17 08:44:52 | 000,596,992 | ---- | M] (OldTimer Tools) -- C:\Users\Russell Weller\Desktop\OTL.exe
    [2012/08/17 08:28:34 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2012/08/16 22:48:41 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
    [2012/08/16 22:33:18 | 000,614,674 | ---- | M] () -- C:\Windows\System32\perfh009.dat
    [2012/08/16 22:33:17 | 000,110,990 | ---- | M] () -- C:\Windows\System32\perfc009.dat
    [2012/08/16 22:26:22 | 000,000,615 | ---- | M] () -- C:\Users\Russell Weller\Desktop\ComboFix - Shortcut.lnk
    [2012/08/14 09:35:29 | 000,001,945 | ---- | M] () -- C:\Windows\epplauncher.mif
    [2012/08/12 13:09:00 | 000,179,200 | ---- | M] () -- C:\Users\Russell Weller\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

    ========== Files Created - No Company Name ==========

    [2012/08/17 21:45:52 | 000,000,909 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/08/17 21:42:51 | 000,000,685 | ---- | C] () -- C:\Users\Russell Weller\Desktop\mbam-setup-1.62.0.1300 - Shortcut.lnk
    [2012/08/16 22:31:23 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
    [2012/08/16 22:31:23 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
    [2012/08/16 22:31:23 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
    [2012/08/16 22:31:23 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
    [2012/08/16 22:31:23 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
    [2012/08/16 22:26:22 | 000,000,615 | ---- | C] () -- C:\Users\Russell Weller\Desktop\ComboFix - Shortcut.lnk
    [2012/08/14 09:35:07 | 000,001,829 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
    [2011/06/11 21:45:59 | 000,012,826 | -HS- | C] () -- C:\Users\Russell Weller\AppData\Local\q2f17716jns3bn8e5584
    [2011/06/11 21:45:59 | 000,012,826 | -HS- | C] () -- C:\ProgramData\q2f17716jns3bn8e5584
    [2011/05/26 21:15:07 | 000,000,258 | RHS- | C] () -- C:\ProgramData\ntuser.pol
    [2011/05/26 20:38:12 | 000,009,164 | -HS- | C] () -- C:\Users\Russell Weller\AppData\Local\o46m08r2kous668313xtbml47c0l680o07f
    [2011/05/26 20:38:12 | 000,009,164 | -HS- | C] () -- C:\ProgramData\o46m08r2kous668313xtbml47c0l680o07f
    [2010/07/22 09:42:40 | 000,000,120 | ---- | C] () -- C:\Users\Russell Weller\AppData\Local\Hbipevoyoxajij.dat
    [2010/07/22 09:42:40 | 000,000,000 | ---- | C] () -- C:\Users\Russell Weller\AppData\Local\Smuhehihev.bin
    [2009/05/22 10:15:12 | 000,000,000 | ---- | C] () -- C:\ProgramData\StartupItems
    [2009/05/22 10:15:12 | 000,000,000 | ---- | C] () -- C:\ProgramData\Spacious
    [2009/05/06 19:16:42 | 000,000,000 | -H-- | C] () -- C:\ProgramData\PKP_DLdu.DAT
    [2009/05/06 19:16:42 | 000,000,000 | ---- | C] () -- C:\Users\Russell Weller\AppData\Roaming\Static Library
    [2009/03/18 14:50:59 | 000,027,503 | ---- | C] () -- C:\Users\Russell Weller\AppData\Roaming\UserTile.png
    [2007/06/01 19:51:32 | 000,179,200 | ---- | C] () -- C:\Users\Russell Weller\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

    ========== LOP Check ==========

    [2010/04/08 20:30:14 | 000,000,000 | ---D | M] -- C:\Users\Default\AppData\Roaming\Trusteer
    [2010/04/08 20:30:14 | 000,000,000 | ---D | M] -- C:\Users\Default User\AppData\Roaming\Trusteer
    [2010/04/05 12:03:59 | 000,000,000 | ---D | M] -- C:\Users\Russell Weller\AppData\Roaming\BSplayer
    [2010/04/05 11:56:56 | 000,000,000 | ---D | M] -- C:\Users\Russell Weller\AppData\Roaming\BSplayer Pro
    [2011/07/11 11:01:06 | 000,000,000 | ---D | M] -- C:\Users\Russell Weller\AppData\Roaming\Coby
    [2011/09/22 22:57:28 | 000,000,000 | ---D | M] -- C:\Users\Russell Weller\AppData\Roaming\Coby Media Manager
    [2012/01/22 19:05:37 | 000,000,000 | ---D | M] -- C:\Users\Russell Weller\AppData\Roaming\Leadertech
    [2012/01/22 19:28:52 | 000,000,000 | ---D | M] -- C:\Users\Russell Weller\AppData\Roaming\Memeo
    [2009/05/06 19:19:11 | 000,000,000 | ---D | M] -- C:\Users\Russell Weller\AppData\Roaming\Nikon
    [2007/04/23 11:20:16 | 000,000,000 | ---D | M] -- C:\Users\Russell Weller\AppData\Roaming\Packard Bell
    [2009/03/18 14:50:59 | 000,000,000 | ---D | M] -- C:\Users\Russell Weller\AppData\Roaming\PeerNetworking
    [2012/01/22 19:28:30 | 000,000,000 | ---D | M] -- C:\Users\Russell Weller\AppData\Roaming\Seagate
    [2007/06/09 20:49:36 | 000,000,000 | ---D | M] -- C:\Users\Russell Weller\AppData\Roaming\Template
    [2010/03/02 14:43:24 | 000,000,000 | ---D | M] -- C:\Users\Russell Weller\AppData\Roaming\Trusteer
    [2010/12/06 01:21:14 | 000,000,000 | ---D | M] -- C:\Users\Russell Weller\AppData\Roaming\Windows Live Writer
    [2012/08/17 08:22:17 | 000,032,552 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

    ========== Purity Check ==========



    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 118 bytes -> C:\ProgramData\TEMP:CF0907B4

    < End of report >
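Reading a log like the one above is mostly pattern-spotting, so here is an added example of that spotting done in code. It is written for this page, not code from OTL, from Broni or from Russ66. The script parses the file-entry format OTL writes (`[date time | size | attrs | C/M] (Company) -- path`), the `@Alternate Data Stream` line and the Security Center registry dump, and applies the heuristics a helper checks by eye: hidden+system files with random-looking names sitting in ProgramData or AppData (and the same file present in both), a directory literally named `%APPDATA%` under System32, alternate data streams, and `DisableMonitoring = 1` under Security Center\Monitoring. The sample lines are copied from the report above; the attribute column is assumed to read ReadOnly, Hidden, System, Directory in that order, which is consistent with the entries shown. Each flag is a lead to verify, not a verdict.

```python
"""OTL log triage (added example, not part of the thread or of OTL itself).

Parses the file-entry lines OTL writes,
    [YYYY/MM/DD HH:MM:SS | size | RHSD | C-or-M] (Company) -- path
plus '@Alternate Data Stream' lines and Security Center registry dumps,
and applies a few heuristics a malware-removal helper applies by eye.
Assumption: the four-character attribute column is ReadOnly, Hidden,
System, Directory in that order (consistent with the entries in the log).
"""
import re
from collections import defaultdict

ENTRY_RE = re.compile(
    r"^\[(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-RHSD]{4}) \| (?P<kind>[CM])\]"
    r"(?: \((?P<company>[^)]*)\))? -- (?P<path>.+?)\s*$"
)
ADS_RE = re.compile(r"^@Alternate Data Stream - (?P<bytes>\d+) bytes -> (?P<path>.+?)\s*$")
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)" = (?P<value>.+?)\s*$')
ENV_TOKEN_RE = re.compile(r"%[A-Za-z_]+%")          # literal, unexpanded %VAR% in a path
USER_DATA_DIRS = ("c:\\programdata\\", "\\appdata\\local\\", "\\appdata\\roaming\\")


def parse_entry(line):
    """Return the fields of one OTL file entry, or None for any other line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["size"] = int(e["size"].replace(",", ""))
    a = e["attrs"]
    e["readonly"], e["hidden"], e["system"], e["isdir"] = (
        a[0] == "R", a[1] == "H", a[2] == "S", a[3] == "D")
    e["name"] = e["path"].rsplit("\\", 1)[-1]
    return e


def looks_random(name):
    """Crude name check: long, no extension, mixes letters and digits."""
    return ("." not in name and len(name) >= 12
            and any(c.isalpha() for c in name) and any(c.isdigit() for c in name))


def triage(lines):
    """Return (rule, detail) findings for a list of OTL log lines."""
    findings = []
    hidden_sys = defaultdict(list)          # (name, size) -> paths where it was seen
    current_key = ""                        # registry key the following values belong to
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        km = KEY_RE.match(line)
        if km:
            current_key = km.group("key")
            continue
        vm = VALUE_RE.match(line)
        if vm:
            # Security Center\Monitoring\<product> DisableMonitoring=1 silences
            # the AV/firewall status checks for that product.
            if ("Security Center\\Monitoring" in current_key
                    and vm.group("name") == "DisableMonitoring" and vm.group("value") == "1"):
                findings.append(("security-center-monitoring-off", current_key))
            continue
        am = ADS_RE.match(line)
        if am:
            findings.append(("alternate-data-stream", am.group("path")))
            continue
        e = parse_entry(line)
        if e is None:
            continue
        if ENV_TOKEN_RE.search(e["path"]):
            findings.append(("unexpanded-env-var-in-path", e["path"]))
        low = e["path"].lower()
        if (e["hidden"] and e["system"] and not e["isdir"]
                and any(d in low for d in USER_DATA_DIRS) and looks_random(e["name"])):
            findings.append(("hidden-system-random-name", e["path"]))
            hidden_sys[(e["name"].lower(), e["size"])].append(e["path"])
    for (name, size), paths in hidden_sys.items():
        if len(paths) > 1:        # identical file dropped in more than one data directory
            findings.append(("same-file-in-multiple-locations",
                             f"{name} ({size} bytes): " + "; ".join(paths)))
    return findings


# Lines copied from the OTL report above (a subset, in the original format).
SAMPLE = r"""
[2012/08/12 15:30:45 | 000,000,000 | -HSD | C] -- C:\Windows\System32\%APPDATA%
[2012/08/16 22:31:23 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2011/06/11 21:45:59 | 000,012,826 | -HS- | C] () -- C:\Users\Russell Weller\AppData\Local\q2f17716jns3bn8e5584
[2011/06/11 21:45:59 | 000,012,826 | -HS- | C] () -- C:\ProgramData\q2f17716jns3bn8e5584
[2011/05/26 21:15:07 | 000,000,258 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2011/05/26 20:38:12 | 000,009,164 | -HS- | C] () -- C:\Users\Russell Weller\AppData\Local\o46m08r2kous668313xtbml47c0l680o07f
[2011/05/26 20:38:12 | 000,009,164 | -HS- | C] () -- C:\ProgramData\o46m08r2kous668313xtbml47c0l680o07f
@Alternate Data Stream - 118 bytes -> C:\ProgramData\TEMP:CF0907B4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1
""".strip().splitlines()

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE):
        print(f"{rule:34} {detail}")
```

Run it against a saved OTL.txt with `triage(open("OTL.txt", encoding="utf-8", errors="replace").read().splitlines())`. On the sample it reports the `%APPDATA%` folder, the two random-named hidden+system files (each seen in both AppData\Local and ProgramData with identical size), the ADS on C:\ProgramData\TEMP and the two Monitoring keys; `ntuser.pol` and the SteelWerX tool dropped by ComboFix are not flagged, since the name heuristic wants a long extensionless letter-and-digit mix and the company-name entries are normal.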
  11. Russ66

    Russ66 Newcomer, in training Topic Starter Posts: 20

    OTL Extras Txt:

    OTL Extras logfile created on: 17/08/2012 22:01:09 - Run 1
    OTL by OldTimer - Version 3.2.57.0 Folder = C:\Users\Russell Weller\Desktop
    Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

    1.87 Gb Total Physical Memory | 1.01 Gb Available Physical Memory | 53.96% Memory free
    3.99 Gb Paging File | 2.72 Gb Available in Paging File | 68.21% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 47.88 Gb Total Space | 8.26 Gb Free Space | 17.25% Space Free | Partition Type: NTFS

    Computer Name: RUSSELL-LAPTOP | User Name: Russell Weller | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    .hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

    [HKEY_USERS\S-1-5-21-967825510-758857322-1603075346-1000\SOFTWARE\Classes\<extension>]
    .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
    Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "cval" = 1
    "FirewallDisableNotify" = 0
    "AntiVirusDisableNotify" = 0
    "UpdatesDisableNotify" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
    "DisableMonitoring" = 1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiSpyware]
    "DisableMonitoring" = 1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring" = 1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
    "DisableMonitoring" = 1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
    "AntiVirusOverride" = 0
    "AntiSpywareOverride" = 0
    "FirewallOverride" = 0
    "VistaSp1" = Reg Error: Unknown registry data type -- File not found
    "VistaSp2" = Reg Error: Unknown registry data type -- File not found

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


    ========== Vista Active Open Ports Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "{0294BB2F-6178-459D-8C46-8D1C40D6AD6B}" = rport=445 | protocol=6 | dir=out | app=system |
    "{057550CC-1C7E-4C7B-A2F8-3A8DDC978C8C}" = lport=138 | protocol=17 | dir=in | app=system |
    "{08E024BB-596A-4DFF-A430-159062EB67CE}" = lport=10243 | protocol=6 | dir=in | app=system |
    "{19A5737B-0BEE-43C8-BCD3-3CC714AA4FD3}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
    "{25B9D31D-64EC-44F5-900B-17177C3E5D3C}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
    "{295EF879-34FC-4A05-A484-51AA1443280E}" = lport=445 | protocol=6 | dir=in | app=system |
    "{2FA65B31-3A9D-4C20-AFC6-469495F0EF44}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
    "{4084E937-EAAA-47EE-9520-7BE7CE434C09}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
    "{4BF5EB07-06A2-40E2-B5B6-244EF5C49A0F}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
    "{5456EA1E-AF45-48BD-9C96-AB99A6CCF1D9}" = lport=139 | protocol=6 | dir=in | app=system |
    "{6364B77A-8796-4078-B3CC-5963A3E70B4F}" = rport=139 | protocol=6 | dir=out | app=system |
    "{6EFD3216-D4DB-448C-81DA-E8838C66FFD2}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
    "{7C7BD74E-D59D-40F9-8481-A74C4729E9DD}" = rport=138 | protocol=17 | dir=out | app=system |
    "{86444BB3-291D-4D31-A046-BB4AA3243C28}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
    "{AF8150A9-8B4A-4262-900E-D368942052B3}" = lport=2869 | protocol=6 | dir=in | app=system |
    "{BE10AB93-C4A6-464B-BE93-069E778BFF99}" = rport=10243 | protocol=6 | dir=out | app=system |
    "{C232D951-55E7-4D04-9346-F88A07FC0B22}" = lport=137 | protocol=17 | dir=in | app=system |
    "{C428A183-FD79-40B5-990D-895328F43AC8}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
    "{CF0676E6-E2EC-438A-9741-7029DEBD00CE}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
    "{F534D21D-02A4-4E48-A237-A3745ED5E6D3}" = rport=137 | protocol=17 | dir=out | app=system |
    "{F9C1EEE5-72B7-40C6-BC7C-64E9DF7DEB39}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |

    ========== Vista Active Application Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "{003C7A18-60D9-4C89-94D8-DE42C1AA1D76}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
    "{02A4D600-582A-4C14-ADFE-C125CF0CB18F}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
    "{1473D86F-6F04-46A3-9153-CD04272511DC}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
    "{4849799C-D8E9-4360-8F9A-6B5F2BCC7EA4}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
    "{56E808A1-BFD0-4B79-B567-B9FA848D697F}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
    "{61FB8AD2-C831-45AB-9DFB-D685C3A8300D}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
    "{62F27534-2769-4D2F-B42F-E96E62F64F44}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
    "{65901CFC-D156-4C8F-90EA-C26D256CA195}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{68F6992D-6E9D-4F14-88EC-3E0B8BEC7EFF}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
    "{8642AF85-31DC-4BB3-8E9D-1E478C224084}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{A5589677-56C4-46C1-A86B-1F0B5425786F}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{AB3FBA72-52C3-4476-9A38-230DBE05659B}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe |
    "{BC7833D1-AE4B-4CAB-BDD5-6EA587E5C763}" = protocol=6 | dir=out | app=system |
    "{CE504808-152F-4073-8BB9-0F8E7C4D30C6}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
    "{D3648D1D-2BA3-4973-9B7E-EDC907B6E342}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{E8715BB0-E132-4617-B344-62E03BFE2C1C}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
    "{E926E57D-011D-4F63-BCC5-FFCFDC28D091}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
    "{EFA98652-B437-42AA-B7D3-EFFD71ED4ECD}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
    "{F7DCF881-DB9D-4779-8D1C-CCCBAC7C73FF}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
    "TCP Query User{2E1B64B7-A685-4BCF-BC33-997E51150B2B}C:\program files\seagate\seagate dashboard\hipservagent\hipservagent.exe" = protocol=6 | dir=in | app=c:\program files\seagate\seagate dashboard\hipservagent\hipservagent.exe |
    "TCP Query User{84F0F97C-02BE-4EA6-82B8-C5C56F905862}C:\program files\seagate\seagate dashboard\hipservagent\hipservagent.exe" = protocol=6 | dir=in | app=c:\program files\seagate\seagate dashboard\hipservagent\hipservagent.exe |
    "UDP Query User{5A3A5BDA-031C-4B12-8921-5AC485A69BF6}C:\program files\seagate\seagate dashboard\hipservagent\hipservagent.exe" = protocol=17 | dir=in | app=c:\program files\seagate\seagate dashboard\hipservagent\hipservagent.exe |
    "UDP Query User{C88AA6A9-6535-4198-82C7-5ECDCAE2843C}C:\program files\seagate\seagate dashboard\hipservagent\hipservagent.exe" = protocol=17 | dir=in | app=c:\program files\seagate\seagate dashboard\hipservagent\hipservagent.exe |

    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
    "{0F842B77-56EA-4AAF-8295-81A022350B5E}" = Microsoft Security Client
    "{17504ED4-DB08-40A8-81C2-27D8C01581DA}" = Windows Live Remote Service Resources
    "{19A4A990-5343-4FF7-B3B5-6F046C091EDF}" = Windows Live Remote Client
    "{19BA08F7-C728-469C-8A35-BFBD3633BE08}" = Windows Live Movie Maker
    "{1F6AB0E7-8CDD-4B93-8A23-AA9EB2FEFCE4}" = Junk Mail filter update
    "{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
    "{227E8782-B2F4-4E97-B0EE-49DE9CC1C0C0}" = Windows Live Remote Service
    "{260FCE8D-30DB-48D6-A39F-FFC720EC288B}" = Liong
    "{26A24AE4-039D-4CA4-87B4-2F83216033FF}" = Java(TM) 6 Update 33
    "{294BF709-D758-4363-8D75-01479AD20927}" = Windows Live Family Safety
    "{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java(TM) 6 Update 3
    "{3336F667-9049-4D46-98B6-4C743EEBC5B1}" = Windows Live Photo Gallery
    "{34F4D9A4-42C2-4348-BEF4-E553C84549E7}" = Windows Live Photo Gallery
    "{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
    "{4160DC5B-4C56-D0C3-C5FD-F5BDAD3C882B}" = ATI Catalyst Install Manager
    "{44CDBD1B-89FB-4E02-8319-2A4C550F664A}" = RTC Client API v1.2
    "{464B3406-A4D0-4914-910F-7CA4380DCC13}" = Windows Live Remote Client Resources
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{4CBABDFD-49F8-47FD-BE7D-ECDE7270525A}" = Windows Live PIMT Platform
    "{50816F92-1652-4A7C-B9BC-48F682742C4B}" = Messenger Companion
    "{5DD4FCBD-A3C1-4155-9E17-4161C70AAABA}" = Segoe UI
    "{61AD15B2-50DB-4686-A739-14FE180D4429}" = Windows Live ID Sign-in Assistant
    "{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
    "{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
    "{6A05FEDF-662E-46BF-8A25-010E3F1C9C69}" = Windows Live UX Platform Language Pack
    "{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
    "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
    "{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}" = Microsoft Works 7.0
    "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    "{78A96B4C-A643-4D0F-98C2-A8E16A6669F9}" = Windows Live Messenger Companion Core
    "{80956555-A512-4190-9CAD-B000C36D6B6B}" = Windows Live Messenger
    "{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
    "{8C6D6116-B724-4810-8F2D-D047E6B7D68E}" = Mesh Runtime
    "{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
    "{8E666407-AC41-46a2-9692-6C7BFCBFDD37}" = Memeo Instant Backup
    "{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
    "{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
    "{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
    "{92EA4134-10D1-418A-91E1-5A0453131A38}" = Windows Live Movie Maker
    "{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
    "{95140000-007A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook Connector
    "{9559F7CA-5E34-4237-A2D9-D856464AD727}" = Project64 1.6
    "{9862E0CB-4727-4FFC-963A-E22A9E9EC10C}" = Creative ZEN V Series (R2)
    "{9D56775A-93F3-44A3-8092-840E3826DE30}" = Windows Live Mail
    "{A0C91188-C88F-4E86-93E6-CD7C9A266649}" = Windows Live Mesh
    "{A6359CCF-215D-43D9-8366-479D231F2A72}" = Belkin Wireless USB Utility
    "{A726AE06-AAA3-43D1-87E3-70F510314F04}" = Windows Live Writer
    "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
    "{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
    "{AAAFC670-569B-4A2F-82B4-42945E0DE3EF}" = Windows Live Writer
    "{AAF454FC-82CA-4F29-AB31-6A109485E76E}" = Windows Live Writer
    "{AB7032FF-AFED-4C58-AA5C-8473B273793A}" = HDReg
    "{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.4
    "{AE46ABD3-D625-467F-B5A7-8D3FFF077F0D}" = Realtek 8139 and 8139C+ Ethernet Network Card Driver for Windows Vista
    "{AF844339-2F8A-4593-81B3-9F4C54038C4E}" = Windows Live MIME IFilter
    "{BC4AE628-81A4-4FC6-863A-7A9BA2E2531F}" = Nokia Connectivity Cable Driver
    "{BEEFC4F8-2909-48B3-AFAA-55D3533FDEDD}" = Creative MediaSource 5
    "{C3A11907-930D-41AC-A135-CC3B12F92011}" = Seagate Dashboard
    "{C66824E4-CBB3-4851-BB3F-E8CFD6350923}" = Windows Live Mail
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
    "{CFF8B8E8-E086-4DE0-935F-FE22CAB54F80}" = Microsoft Search Enhancement Pack
    "{D436F577-1695-4D2F-8B44-AC76C99E0002}" = Windows Live Photo Common
    "{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
    "{DDC8BDEE-DCAC-404D-8257-3E8D4B782467}" = Windows Live Writer Resources
    "{DECDCB7C-58CC-4865-91AF-627F9798FE48}" = Windows Live Mesh
    "{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
    "{EB4DF488-AAEF-406F-A341-CB2AAA315B90}" = Windows Live Messenger
    "{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
    "{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
    "{F40BBEC7-C2A4-4A00-9B24-7A055A2C5262}" = Microsoft Office Live Add-in 1.5
    "{F53D678E-238F-4A71-9742-08BB6774E9DC}" = Windows Live Family Safety
    "{FD16AF46-C8A6-4409-5F0A-66390ECB8ED7}" = ATI Catalyst Control Center Ex
    "{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}" = Windows Live Essentials
    "Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
    "Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
    "AdobeReader" = Adobe Reader 8
    "BitLord" = BitLord 1.1
    "BSPlayerf" = BS.Player FREE
    "Creative Removable Disk Manager" = Creative Removable Disk Manager
    "Flashplayer" = Flash Player plugins 9
    "Free Window Registry Repair" = Free Window Registry Repair
    "Google Updater" = Google Updater
    "InstallShield_{A6359CCF-215D-43D9-8366-479D231F2A72}" = Belkin Wireless USB Utility
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.62.0.1300
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
    "Microsoft Security Client" = Microsoft Security Essentials
    "Mozilla Firefox 14.0.1 (x86 en-GB)" = Mozilla Firefox 14.0.1 (x86 en-GB)
    "MozillaMaintenanceService" = Mozilla Maintenance Service
    "SynTPDeinstKey" = Synaptics Pointing Device Driver
    "SysInfo" = Creative System Information
    "VLC media player" = VLC media player 2.0.2
    "WinLiveSuite" = Windows Live Essentials
    "WinRAR archiver" = WinRAR archiver
    "ZENcast Organizer" = ZENcast Organizer

    ========== HKEY_USERS Uninstall List ==========

    [HKEY_USERS\S-1-5-21-967825510-758857322-1603075346-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "Octoshape add-in for Adobe Flash Player" = Octoshape add-in for Adobe Flash Player

    ========== Last 20 Event Log Errors ==========

    [ Application Events ]
    Error - 29/07/2012 22:07:32 | Computer Name = Russell-Laptop | Source = Application Error | ID = 1000
    Description = Faulting application bsplayer.exe, version 2.5.2.1031, time stamp
    0x2a425e19, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception
    code 0xc0000005, fault offset 0x0359515b, process id 0x17d4, application start time
    0x01cd6df2388d5862.

    Error - 08/08/2012 12:01:12 | Computer Name = Russell-Laptop | Source = Application Error | ID = 1000
    Description = Faulting application Explorer.EXE, version 6.0.6002.18005, time stamp
    0x49e01da5, faulting module ntdll.dll, version 6.0.6002.18541, time stamp 0x4ec3e3d5,
    exception code 0xc0000374, fault offset 0x000b06b7, process id 0x4d0, application
    start time 0x01cd7265b3de398d.

    Error - 14/08/2012 08:00:10 | Computer Name = Russell-Laptop | Source = Windows Search Service | ID = 3038
    Description =

    Error - 14/08/2012 08:00:13 | Computer Name = Russell-Laptop | Source = Windows Search Service | ID = 3028
    Description =

    Error - 14/08/2012 08:00:13 | Computer Name = Russell-Laptop | Source = Windows Search Service | ID = 3058
    Description =

    Error - 14/08/2012 08:07:19 | Computer Name = Russell-Laptop | Source = Application Error | ID = 1000
    Description = Faulting application svchost.exe, version 6.0.6001.18000, time stamp
    0x47918b89, faulting module mshtml.dll, version 9.0.8112.16447, time stamp 0x4fc9d776,
    exception code 0xc0000005, fault offset 0x002627c8, process id 0x110, application
    start time 0x01cd7a150d889080.

    Error - 14/08/2012 08:41:57 | Computer Name = Russell-Laptop | Source = Application Error | ID = 1000
    Description = Faulting application svchost.exe, version 6.0.6001.18000, time stamp
    0x47918b89, faulting module mshtml.dll, version 9.0.8112.16447, time stamp 0x4fc9d776,
    exception code 0xc0000005, fault offset 0x001d9aa6, process id 0x1408, application
    start time 0x01cd7a19a94de996.

    Error - 14/08/2012 08:45:56 | Computer Name = Russell-Laptop | Source = VSS | ID = 8194
    Description =

    Error - 14/08/2012 09:20:23 | Computer Name = Russell-Laptop | Source = VSS | ID = 8194
    Description =

    Error - 17/08/2012 07:22:02 | Computer Name = Russell-Laptop | Source = EventSystem | ID = 4621
    Description =

    [ Media Center Events ]
    Error - 05/09/2007 04:11:50 | Computer Name = Russell-Laptop | Source = Media Center Guide | ID = 0
    Description = Event Info: ERROR: SqmApiWrapper.SqmFlushSession failed; Win32 GetLastError
    returned 0D Process: DefaultDomain Object Name: Media Center Guide

    Error - 05/09/2007 04:16:50 | Computer Name = Russell-Laptop | Source = Media Center Guide | ID = 0
    Description = Event Info: ERROR: SqmApiWrapper.SqmFlushSession failed; Win32 GetLastError
    returned 0D Process: DefaultDomain Object Name: Media Center Guide

    Error - 05/09/2007 04:21:50 | Computer Name = Russell-Laptop | Source = Media Center Guide | ID = 0
    Description = Event Info: ERROR: SqmApiWrapper.SqmFlushSession failed; Win32 GetLastError
    returned 0D Process: DefaultDomain Object Name: Media Center Guide

    Error - 05/09/2007 04:26:50 | Computer Name = Russell-Laptop | Source = Media Center Guide | ID = 0
    Description = Event Info: ERROR: SqmApiWrapper.SqmFlushSession failed; Win32 GetLastError
    returned 0D Process: DefaultDomain Object Name: Media Center Guide

    Error - 05/09/2007 04:31:50 | Computer Name = Russell-Laptop | Source = Media Center Guide | ID = 0
    Description = Event Info: ERROR: SqmApiWrapper.SqmFlushSession failed; Win32 GetLastError
    returned 0D Process: DefaultDomain Object Name: Media Center Guide

    Error - 14/05/2008 06:03:51 | Computer Name = Russell-Laptop | Source = Media Center Guide | ID = 0
    Description = Event Info: ERROR: SqmApiWrapper.TimerRecord failed; Win32 GetLastError
    returned 10000105 Process: DefaultDomain Object Name: Media Center Guide

    [ System Events ]
    Error - 16/08/2012 21:47:59 | Computer Name = Russell-Laptop | Source = R300 | ID = 43015
    Description = I2c return failed

    Error - 16/08/2012 21:53:31 | Computer Name = Russell-Laptop | Source = Service Control Manager | ID = 7022
    Description =

    Error - 16/08/2012 22:06:31 | Computer Name = Russell-Laptop | Source = Microsoft Antimalware | ID = 2001
    Description = %%860 has encountered an error trying to update signatures. New Signature
    Version: Previous Signature Version: 1.131.2019.0 Update Source: %%859 Update Stage:
    %%853 Source Path: http://www.microsoft.com Signature Type: %%800 Update Type: %%803

    User:
    NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8601.0 Error
    code: 0x80240022 Error description: The program can't check for definition updates.


    Error - 16/08/2012 22:06:31 | Computer Name = Russell-Laptop | Source = Microsoft Antimalware | ID = 2001
    Description = %%860 has encountered an error trying to update signatures. New Signature
    Version: Previous Signature Version: 1.131.2019.0 Update Source: %%859 Update Stage:
    %%853 Source Path: http://www.microsoft.com Signature Type: %%800 Update Type: %%803

    User:
    NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8601.0 Error
    code: 0x80240022 Error description: The program can't check for definition updates.


    Error - 16/08/2012 23:47:51 | Computer Name = Russell-Laptop | Source = volsnap | ID = 393252
    Description = The shadow copies of volume C: were aborted because the shadow copy
    storage could not grow due to a user imposed limit.

    Error - 17/08/2012 07:22:00 | Computer Name = Russell-Laptop | Source = DCOM | ID = 10010
    Description =

    Error - 17/08/2012 07:28:31 | Computer Name = Russell-Laptop | Source = R300 | ID = 43015
    Description = I2c return failed

    Error - 17/08/2012 07:28:31 | Computer Name = Russell-Laptop | Source = R300 | ID = 43015
    Description = I2c return failed

    Error - 17/08/2012 07:41:28 | Computer Name = Russell-Laptop | Source = Microsoft Antimalware | ID = 2001
    Description = %%860 has encountered an error trying to update signatures. New Signature
    Version: Previous Signature Version: 1.131.2019.0 Update Source: %%859 Update Stage:
    %%853 Source Path: http://www.microsoft.com Signature Type: %%800 Update Type: %%803

    User:
    NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8601.0 Error
    code: 0x80240022 Error description: The program can't check for definition updates.


    Error - 17/08/2012 07:41:28 | Computer Name = Russell-Laptop | Source = Microsoft Antimalware | ID = 2001
    Description = %%860 has encountered an error trying to update signatures. New Signature
    Version: Previous Signature Version: 1.131.2019.0 Update Source: %%859 Update Stage:
    %%853 Source Path: http://www.microsoft.com Signature Type: %%800 Update Type: %%803

    User:
    NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8601.0 Error
    code: 0x80240022 Error description: The program can't check for definition updates.



    < End of report >
     
  12. Broni

    Broni Malware Annihilator Posts: 46,164   +251

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      SRV - File not found [Auto | Stopped] -- -- (CLTNetCnService)
      O3 - HKU\S-1-5-21-967825510-758857322-1603075346-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
      O15 - HKU\S-1-5-21-967825510-758857322-1603075346-1000\..Trusted Domains: internet ([]about in Trusted sites)
      O15 - HKU\S-1-5-21-967825510-758857322-1603075346-1000\..Trusted Domains: mcafee.com ([]http in Trusted sites)
      O15 - HKU\S-1-5-21-967825510-758857322-1603075346-1000\..Trusted Domains: mcafee.com ([]https in Trusted sites)
      [2012/08/14 15:56:36 | 000,000,000 | ---D | C] -- C:\FRST
      [2011/06/11 21:45:59 | 000,012,826 | -HS- | C] () -- C:\Users\Russell Weller\AppData\Local\q2f17716jns3bn8e5584
      [2011/06/11 21:45:59 | 000,012,826 | -HS- | C] () -- C:\ProgramData\q2f17716jns3bn8e5584
      [2011/05/26 20:38:12 | 000,009,164 | -HS- | C] () -- C:\Users\Russell Weller\AppData\Local\o46m08r2kous668313xtbml47c0l680o07f
      [2011/05/26 20:38:12 | 000,009,164 | -HS- | C] () -- C:\ProgramData\o46m08r2kous668313xtbml47c0l680o07f
      [2010/07/22 09:42:40 | 000,000,120 | ---- | C] () -- C:\Users\Russell Weller\AppData\Local\Hbipevoyoxajij.dat
      [2010/07/22 09:42:40 | 000,000,000 | ---- | C] () -- C:\Users\Russell Weller\AppData\Local\Smuhehihev.bin
      @Alternate Data Stream - 118 bytes -> C:\ProgramData\TEMP:CF0907B4
      
      :Commands
      [purity]
      [emptytemp]
      [emptyjava]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    NOTE. If for any reason OTL stalls (most likely at "killing processes..." step) run the fix from safe mode.

    ============================================

    Last scans...

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.

    2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
      • Windows Defender
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run from.
    • Please copy and paste the log to your reply.


    3. Download Temp File Cleaner (TFC)
    Alternate download: http://www.itxassociates.com/OT-Tools/TFC.exe
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart the computer.


    4. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, click on List of found threats
    • Click on Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE. If ESET doesn't find any threats, it won't produce a log.
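
To make a fix script like the ":OTL" block above reviewable before it is pasted into OTL, here is an added Python example (not OTL's code and not part of the thread) that parses the entry formats shown there and summarises what each line would remove. The R/H/S/D reading of the four-character attribute column and the random-name check are assumptions, and the sample script is constructed from the thread's entries with a placeholder SID and username.

```python
"""Review an OTL custom fix script before running it.

Added example, not OTL's own code: parses the ':OTL' / ':Commands' block
format and reports what each line would delete.  Assumptions: the attribute
column holds four flags in the order R H S D (read-only, hidden, system,
directory) and a long all-lowercase alphanumeric file name is 'random-looking'.
"""
import re
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class FixEntry:
    kind: str                  # service | toolbar | trusted_domain | file | directory | ads | command
    target: str                # the name, CLSID, domain or path the line acts on
    notes: list = field(default_factory=list)


# [date time | size | attrs | C/M] (company) -- path
FILE_RE = re.compile(
    r"^\[(?P<stamp>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \| (?P<size>[\d,]+) \| "
    r"(?P<attr>[-A-Z]{4}) \| (?P<cm>[CM])\](?: \((?P<company>[^)]*)\))? -- (?P<path>.+)$")
SRV_RE = re.compile(r"^SRV - (?P<status>.+?) \[(?P<start>[^\]]+)\].* \((?P<name>[^)]+)\)$")
O3_RE = re.compile(r"^O3 - (?P<key>.+?): (?P<label>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<rest>.+)$")
O15_RE = re.compile(r"^O15 - (?P<key>.+?)Trusted Domains: (?P<domain>\S+) \((?P<detail>[^)]*)\)$")
ADS_RE = re.compile(r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.+)$")
CMD_RE = re.compile(r"^\[(?P<cmd>[A-Za-z]+)\]$")
RANDOM_NAME_RE = re.compile(r"^[a-z0-9]{15,}$")   # assumed heuristic for generated names


def classify_otl_line(line: str) -> FixEntry:
    """Map one ':OTL' section line to the object OTL would remove."""
    if m := SRV_RE.match(line):
        entry = FixEntry("service", m.group("name"))
        if m.group("status").lower() == "file not found":
            entry.notes.append("orphaned: service binary missing")
        return entry
    if m := O3_RE.match(line):
        return FixEntry("toolbar", m.group("clsid"), [m.group("rest")])
    if m := O15_RE.match(line):
        return FixEntry("trusted_domain", m.group("domain"), [m.group("detail")])
    if m := ADS_RE.match(line):
        return FixEntry("ads", m.group("path"), [f"{m.group('size')} bytes"])
    if m := FILE_RE.match(line):
        attr = m.group("attr")                      # assumed order: R H S D
        entry = FixEntry("directory" if attr[3] == "D" else "file", m.group("path"))
        if attr[1] == "H" and attr[2] == "S":
            entry.notes.append("hidden+system")
        if RANDOM_NAME_RE.match(m.group("path").rsplit("\\", 1)[-1]):
            entry.notes.append("random-looking name")
        return entry
    return FixEntry("unknown", line)


def parse_fix_script(text: str) -> list:
    """Split the script into sections and classify every non-blank line."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):                    # ':OTL', ':Commands' headers
            section = line[1:].lower()
            continue
        if section == "commands":
            m = CMD_RE.match(line)
            entries.append(FixEntry("command", m.group("cmd").lower() if m else line))
        else:
            entries.append(classify_otl_line(line))
    return entries


def review(entries) -> dict:
    """Counts per kind plus the targets a reviewer should look at first."""
    flagged = [e.target for e in entries
               if e.kind == "ads"
               or any(n.startswith("orphaned") for n in e.notes)
               or {"hidden+system", "random-looking name"} <= set(e.notes)]
    return {"counts": dict(Counter(e.kind for e in entries)), "flagged": flagged}


# Constructed sample, modelled on the fix script in the thread (placeholder SID/user).
SAMPLE_FIX = r"""
:OTL
SRV - File not found [Auto | Stopped] -- -- (CLTNetCnService)
O3 - HKU\S-1-5-21-0000000000-0000000000-0000000000-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O15 - HKU\S-1-5-21-0000000000-0000000000-0000000000-1000\..Trusted Domains: internet ([]about in Trusted sites)
O15 - HKU\S-1-5-21-0000000000-0000000000-0000000000-1000\..Trusted Domains: mcafee.com ([]http in Trusted sites)
[2012/08/14 15:56:36 | 000,000,000 | ---D | C] -- C:\FRST
[2011/06/11 21:45:59 | 000,012,826 | -HS- | C] () -- C:\Users\Example\AppData\Local\q2f17716jns3bn8e5584
[2011/06/11 21:45:59 | 000,012,826 | -HS- | C] () -- C:\ProgramData\q2f17716jns3bn8e5584
[2010/07/22 09:42:40 | 000,000,120 | ---- | C] () -- C:\Users\Example\AppData\Local\Hbipevoyoxajij.dat
@Alternate Data Stream - 118 bytes -> C:\ProgramData\TEMP:CF0907B4

:Commands
[purity]
[emptytemp]
[Reboot]
"""

if __name__ == "__main__":
    parsed = parse_fix_script(SAMPLE_FIX)
    for entry in parsed:
        print(f"{entry.kind:15} {entry.target}  {'; '.join(entry.notes)}")
    print(review(parsed))
```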
  13. Russ66

    Russ66 Newcomer, in training Topic Starter Posts: 20

    Here's the copy of the OTL log. (I'm going to reboot, then do the final scans you gave me now.)

    Error: Unable to interpret <OTL Extras logfile created on: 17/08/2012 22:01:09 - Run 1> in the current context!
    Error: Unable to interpret <OTL by OldTimer - Version 3.2.57.0 Folder = C:\Users\Russell Weller\Desktop> in the current context!
    Error: Unable to interpret <Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation> in the current context!
    Error: Unable to interpret <Internet Explorer (Version = 9.0.8112.16421)> in the current context!
    Error: Unable to interpret <Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy> in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret <1.87 Gb Total Physical Memory | 1.01 Gb Available Physical Memory | 53.96% Memory free> in the current context!
    Error: Unable to interpret <3.99 Gb Paging File | 2.72 Gb Available in Paging File | 68.21% Paging File free> in the current context!
    Error: Unable to interpret <Paging file location(s): ?:\pagefile.sys [binary data]> in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret <%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files> in the current context!
    Error: Unable to interpret <Drive C: | 47.88 Gb Total Space | 8.26 Gb Free Space | 17.25% Space Free | Partition Type: NTFS> in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret <Computer Name: RUSSELL-LAPTOP | User Name: Russell Weller | Logged in as Administrator.> in the current context!
    Error: Unable to interpret <Boot Mode: Normal | Scan Mode: All users | Quick Scan> in the current context!
    Error: Unable to interpret <Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days> in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret <========== Extra Registry (SafeList) ==========> in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret <========== File Associations ==========> in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret <[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]> in the current context!
    Error: Unable to interpret <.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*> in the current context!
    Error: Unable to interpret <.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)> in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret <[HKEY_USERS\S-1-5-21-967825510-758857322-1603075346-1000\SOFTWARE\Classes\<extension>]> in the current context!
    Error: Unable to interpret <.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)> in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret <========== Shell Spawning ==========> in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret <[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]> in the current context!
    Error: Unable to interpret <batfile [open] -- "%1" %*> in the current context!
    Error: Unable to interpret <cmdfile [open] -- "%1" %*> in the current context!
    Error: Unable to interpret <comfile [open] -- "%1" %*> in the current context!
    Error: Unable to interpret <cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*> in the current context!
    Error: Unable to interpret <exefile [open] -- "%1" %*> in the current context!
    Error: Unable to interpret <helpfile [open] -- Reg Error: Key error.> in the current context!
    Error: Unable to interpret <hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)> in the current context!
    Error: Unable to interpret <piffile [open] -- "%1" %*> in the current context!
    Error: Unable to interpret <regfile [merge] -- Reg Error: Key error.> in the current context!
    Error: Unable to interpret <scrfile [config] -- "%1"> in the current context!
    Error: Unable to interpret <scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l> in the current context!
    Error: Unable to interpret <scrfile [open] -- "%1" /S> in the current context!
    Error: Unable to interpret <txtfile [edit] -- Reg Error: Key error.> in the current context!
    Error: Unable to interpret <Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1> in the current context!
    Error: Unable to interpret <Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()> in the current context!
    Error: Unable to interpret <Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)> in the current context!
    Error: Unable to interpret <Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)> in the current context!
    Error: Unable to interpret <Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()> in the current context!
    Error: Unable to interpret <Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)> in the current context!
    Error: Unable to interpret <Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)> in the current context!
    Error: Unable to interpret <Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)> in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret <========== Security Center Settings ==========> in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret <[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]> in the current context!
    Error: Unable to interpret <"cval" = 1> in the current context!
    Error: Unable to interpret <"FirewallDisableNotify" = 0> in the current context!
    Error: Unable to interpret <"AntiVirusDisableNotify" = 0> in the current context!
    Error: Unable to interpret <"UpdatesDisableNotify" = 0> in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret <[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]> in the current context!
    Error: Unable to interpret <"DisableMonitoring" = 1> in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret <[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiSpyware]> in the current context!
    Error: Unable to interpret <"DisableMonitoring" = 1> in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret <[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]> in the current context!
    Error: Unable to interpret <"DisableMonitoring" = 1> in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret <[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]> in the current context!
    Error: Unable to interpret <"DisableMonitoring" = 1> in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret <[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]> in the current context!
    Error: Unable to interpret <"AntiVirusOverride" = 0> in the current context!
    Error: Unable to interpret <"AntiSpywareOverride" = 0> in the current context!
    Error: Unable to interpret <"FirewallOverride" = 0> in the current context!
    Error: Unable to interpret <"VistaSp1" = Reg Error: Unknown registry data type -- File not found> in the current context!
    Error: Unable to interpret <"VistaSp2" = Reg Error: Unknown registry data type -- File not found> in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret <[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]> in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret <========== System Restore Settings ==========> in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret <[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]> in the current context!
    Error: Unable to interpret <"DisableSR" = 0> in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret <========== Firewall Settings ==========> in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret <[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]> in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret <[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]> in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret <[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]> in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret <[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]> in the current context!
    Error: Unable to interpret <"DisableNotifications" = 0> in the current context!
    Error: Unable to interpret <"EnableFirewall" = 1> in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret <[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]> in the current context!
    Error: Unable to interpret <"DisableNotifications" = 0> in the current context!
    Error: Unable to interpret <"EnableFirewall" = 1> in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret <[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]> in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret <[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]> in the current context!
    Error: Unable to interpret <"DisableNotifications" = 0> in the current context!
    Error: Unable to interpret <"EnableFirewall" = 1> in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret <========== Authorized Applications List ==========> in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret <[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]> in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret <[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]> in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret <========== Vista Active Open Ports Exception List ==========> in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret <[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]> in the current context!
    Error: Unable to interpret <"{0294BB2F-6178-459D-8C46-8D1C40D6AD6B}" = rport=445 | protocol=6 | dir=out | app=system | > in the current context!
    Error: Unable to interpret <"{057550CC-1C7E-4C7B-A2F8-3A8DDC978C8C}" = lport=138 | protocol=17 | dir=in | app=system | > in the current context!
    Error: Unable to interpret <"{08E024BB-596A-4DFF-A430-159062EB67CE}" = lport=10243 | protocol=6 | dir=in | app=system | > in the current context!
    Error: Unable to interpret <"{19A5737B-0BEE-43C8-BCD3-3CC714AA4FD3}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe | > in the current context!
    Error: Unable to interpret <"{25B9D31D-64EC-44F5-900B-17177C3E5D3C}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | > in the current context!
    Error: Unable to interpret <"{295EF879-34FC-4A05-A484-51AA1443280E}" = lport=445 | protocol=6 | dir=in | app=system | > in the current context!
    Error: Unable to interpret <"{2FA65B31-3A9D-4C20-AFC6-469495F0EF44}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe | > in the current context!
    Error: Unable to interpret <"{4084E937-EAAA-47EE-9520-7BE7CE434C09}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe | > in the current context!
    Error: Unable to interpret <"{4BF5EB07-06A2-40E2-B5B6-244EF5C49A0F}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 | > in the current context!
    Error: Unable to interpret <"{5456EA1E-AF45-48BD-9C96-AB99A6CCF1D9}" = lport=139 | protocol=6 | dir=in | app=system | > in the current context!
    Error: Unable to interpret <"{6364B77A-8796-4078-B3CC-5963A3E70B4F}" = rport=139 | protocol=6 | dir=out | app=system | > in the current context!
    Error: Unable to interpret <"{6EFD3216-D4DB-448C-81DA-E8838C66FFD2}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe | > in the current context!
    Error: Unable to interpret <"{7C7BD74E-D59D-40F9-8481-A74C4729E9DD}" = rport=138 | protocol=17 | dir=out | app=system | > in the current context!
    Error: Unable to interpret <"{86444BB3-291D-4D31-A046-BB4AA3243C28}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe | > in the current context!
    Error: Unable to interpret <"{AF8150A9-8B4A-4262-900E-D368942052B3}" = lport=2869 | protocol=6 | dir=in | app=system | > in the current context!
    Error: Unable to interpret <"{BE10AB93-C4A6-464B-BE93-069E778BFF99}" = rport=10243 | protocol=6 | dir=out | app=system | > in the current context!
    Error: Unable to interpret <"{C232D951-55E7-4D04-9346-F88A07FC0B22}" = lport=137 | protocol=17 | dir=in | app=system | > in the current context!
    Error: Unable to interpret <"{C428A183-FD79-40B5-990D-895328F43AC8}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | > in the current context!
    Error: Unable to interpret <"{CF0676E6-E2EC-438A-9741-7029DEBD00CE}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe | > in the current context!
    Error: Unable to interpret <"{F534D21D-02A4-4E48-A237-A3745ED5E6D3}" = rport=137 | protocol=17 | dir=out | app=system | > in the current context!
    Error: Unable to interpret <"{F9C1EEE5-72B7-40C6-BC7C-64E9DF7DEB39}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe | > in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret <========== Vista Active Application Exception List ==========> in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret <[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]> in the current context!
    Error: Unable to interpret <"{003C7A18-60D9-4C89-94D8-DE42C1AA1D76}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 | > in the current context!
    Error: Unable to interpret <"{02A4D600-582A-4C14-ADFE-C125CF0CB18F}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe | > in the current context!
    Error: Unable to interpret <"{1473D86F-6F04-46A3-9153-CD04272511DC}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe | > in the current context!
    Error: Unable to interpret <"{4849799C-D8E9-4360-8F9A-6B5F2BCC7EA4}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 | > in the current context!
    Error: Unable to interpret <"{56E808A1-BFD0-4B79-B567-B9FA848D697F}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 | > in the current context!
    Error: Unable to interpret <"{61FB8AD2-C831-45AB-9DFB-D685C3A8300D}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe | > in the current context!
    Error: Unable to interpret <"{62F27534-2769-4D2F-B42F-E96E62F64F44}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe | > in the current context!
    Error: Unable to interpret <"{65901CFC-D156-4C8F-90EA-C26D256CA195}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | > in the current context!
    Error: Unable to interpret <"{68F6992D-6E9D-4F14-88EC-3E0B8BEC7EFF}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe | > in the current context!
    Error: Unable to interpret <"{8642AF85-31DC-4BB3-8E9D-1E478C224084}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | > in the current context!
    Error: Unable to interpret <"{A5589677-56C4-46C1-A86B-1F0B5425786F}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | > in the current context!
    Error: Unable to interpret <"{AB3FBA72-52C3-4476-9A38-230DBE05659B}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe | > in the current context!
    Error: Unable to interpret <"{BC7833D1-AE4B-4CAB-BDD5-6EA587E5C763}" = protocol=6 | dir=out | app=system | > in the current context!
    Error: Unable to interpret <"{CE504808-152F-4073-8BB9-0F8E7C4D30C6}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe | > in the current context!
    Error: Unable to interpret <"{D3648D1D-2BA3-4973-9B7E-EDC907B6E342}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | > in the current context!
    Error: Unable to interpret <"{E8715BB0-E132-4617-B344-62E03BFE2C1C}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 | > in the current context!
    Error: Unable to interpret <"{E926E57D-011D-4F63-BCC5-FFCFDC28D091}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe | > in the current context!
    Error: Unable to interpret <"{EFA98652-B437-42AA-B7D3-EFFD71ED4ECD}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe | > in the current context!
    Error: Unable to interpret <"{F7DCF881-DB9D-4779-8D1C-CCCBAC7C73FF}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe | > in the current context!
    Error: Unable to interpret <"TCP Query User{2E1B64B7-A685-4BCF-BC33-997E51150B2B}C:\program files\seagate\seagate dashboard\hipservagent\hipservagent.exe" = protocol=6 | dir=in | app=c:\program files\seagate\seagate dashboard\hipservagent\hipservagent.exe | > in the current context!
    Error: Unable to interpret <"TCP Query User{84F0F97C-02BE-4EA6-82B8-C5C56F905862}C:\program files\seagate\seagate dashboard\hipservagent\hipservagent.exe" = protocol=6 | dir=in | app=c:\program files\seagate\seagate dashboard\hipservagent\hipservagent.exe | > in the current context!
    Error: Unable to interpret <"UDP Query User{5A3A5BDA-031C-4B12-8921-5AC485A69BF6}C:\program files\seagate\seagate dashboard\hipservagent\hipservagent.exe" = protocol=17 | dir=in | app=c:\program files\seagate\seagate dashboard\hipservagent\hipservagent.exe | > in the current context!
    Error: Unable to interpret <"UDP Query User{C88AA6A9-6535-4198-82C7-5ECDCAE2843C}C:\program files\seagate\seagate dashboard\hipservagent\hipservagent.exe" = protocol=17 | dir=in | app=c:\program files\seagate\seagate dashboard\hipservagent\hipservagent.exe | > in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret <========== HKEY_LOCAL_MACHINE Uninstall List ==========> in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret <[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]> in the current context!
    Error: Unable to interpret <"{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer> in the current context!
    Error: Unable to interpret <"{0F842B77-56EA-4AAF-8295-81A022350B5E}" = Microsoft Security Client> in the current context!
    Error: Unable to interpret <"{17504ED4-DB08-40A8-81C2-27D8C01581DA}" = Windows Live Remote Service Resources> in the current context!
    Error: Unable to interpret <"{19A4A990-5343-4FF7-B3B5-6F046C091EDF}" = Windows Live Remote Client> in the current context!
    Error: Unable to interpret <"{19BA08F7-C728-469C-8A35-BFBD3633BE08}" = Windows Live Movie Maker> in the current context!
    Error: Unable to interpret <"{1F6AB0E7-8CDD-4B93-8A23-AA9EB2FEFCE4}" = Junk Mail filter update> in the current context!
    Error: Unable to interpret <"{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions> in the current context!
    Error: Unable to interpret <"{227E8782-B2F4-4E97-B0EE-49DE9CC1C0C0}" = Windows Live Remote Service> in the current context!
    Error: Unable to interpret <"{260FCE8D-30DB-48D6-A39F-FFC720EC288B}" = Liong> in the current context!
    Error: Unable to interpret <"{26A24AE4-039D-4CA4-87B4-2F83216033FF}" = Java(TM) 6 Update 33> in the current context!
    Error: Unable to interpret <"{294BF709-D758-4363-8D75-01479AD20927}" = Windows Live Family Safety> in the current context!
    Error: Unable to interpret <"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java(TM) 6 Update 3> in the current context!
    Error: Unable to interpret <"{3336F667-9049-4D46-98B6-4C743EEBC5B1}" = Windows Live Photo Gallery> in the current context!
    Error: Unable to interpret <"{34F4D9A4-42C2-4348-BEF4-E553C84549E7}" = Windows Live Photo Gallery> in the current context!
    Error: Unable to interpret <"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile> in the current context!
    Error: Unable to interpret <"{4160DC5B-4C56-D0C3-C5FD-F5BDAD3C882B}" = ATI Catalyst Install Manager> in the current context!
    Error: Unable to interpret <"{44CDBD1B-89FB-4E02-8319-2A4C550F664A}" = RTC Client API v1.2> in the current context!
    Error: Unable to interpret <"{464B3406-A4D0-4914-910F-7CA4380DCC13}" = Windows Live Remote Client Resources> in the current context!
    Error: Unable to interpret <"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater> in the current context!
    Error: Unable to interpret <"{4CBABDFD-49F8-47FD-BE7D-ECDE7270525A}" = Windows Live PIMT Platform> in the current context!
    Error: Unable to interpret <"{50816F92-1652-4A7C-B9BC-48F682742C4B}" = Messenger Companion> in the current context!
    Error: Unable to interpret <"{5DD4FCBD-A3C1-4155-9E17-4161C70AAABA}" = Segoe UI> in the current context!
    Error: Unable to interpret <"{61AD15B2-50DB-4686-A739-14FE180D4429}" = Windows Live ID Sign-in Assistant> in the current context!
    Error: Unable to interpret <"{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE> in the current context!
    Error: Unable to interpret <"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin> in the current context!
    Error: Unable to interpret <"{6A05FEDF-662E-46BF-8A25-010E3F1C9C69}" = Windows Live UX Platform Language Pack> in the current context!
    Error: Unable to interpret <"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable> in the current context!
    Error: Unable to interpret <"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable> in the current context!
    Error: Unable to interpret <"{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}" = Microsoft Works 7.0> in the current context!
    Error: Unable to interpret <"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053> in the current context!
    Error: Unable to interpret <"{78A96B4C-A643-4D0F-98C2-A8E16A6669F9}" = Windows Live Messenger Companion Core> in the current context!
    Error: Unable to interpret <"{80956555-A512-4190-9CAD-B000C36D6B6B}" = Windows Live Messenger> in the current context!
    Error: Unable to interpret <"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync> in the current context!
    Error: Unable to interpret <"{8C6D6116-B724-4810-8F2D-D047E6B7D68E}" = Mesh Runtime> in the current context!
    Error: Unable to interpret <"{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT> in the current context!
    Error: Unable to interpret <"{8E666407-AC41-46a2-9692-6C7BFCBFDD37}" = Memeo Instant Backup> in the current context!
    Error: Unable to interpret <"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003> in the current context!
    Error: Unable to interpret <"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system> in the current context!
    Error: Unable to interpret <"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In> in the current context!
    Error: Unable to interpret <"{92EA4134-10D1-418A-91E1-5A0453131A38}" = Windows Live Movie Maker> in the current context!
    Error: Unable to interpret <"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting> in the current context!
    Error: Unable to interpret <"{95140000-007A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook Connector> in the current context!
    Error: Unable to interpret <"{9559F7CA-5E34-4237-A2D9-D856464AD727}" = Project64 1.6> in the current context!
    Error: Unable to interpret <"{9862E0CB-4727-4FFC-963A-E22A9E9EC10C}" = Creative ZEN V Series (R2)> in the current context!
    Error: Unable to interpret <"{9D56775A-93F3-44A3-8092-840E3826DE30}" = Windows Live Mail> in the current context!
    Error: Unable to interpret <"{A0C91188-C88F-4E86-93E6-CD7C9A266649}" = Windows Live Mesh> in the current context!
    Error: Unable to interpret <"{A6359CCF-215D-43D9-8366-479D231F2A72}" = Belkin Wireless USB Utility> in the current context!
    Error: Unable to interpret <"{A726AE06-AAA3-43D1-87E3-70F510314F04}" = Windows Live Writer> in the current context!
    Error: Unable to interpret <"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper> in the current context!
    Error: Unable to interpret <"{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common> in the current context!
    Error: Unable to interpret <"{AAAFC670-569B-4A2F-82B4-42945E0DE3EF}" = Windows Live Writer> in the current context!
    Error: Unable to interpret <"{AAF454FC-82CA-4F29-AB31-6A109485E76E}" = Windows Live Writer> in the current context!
    Error: Unable to interpret <"{AB7032FF-AFED-4C58-AA5C-8473B273793A}" = HDReg> in the current context!
    Error: Unable to interpret <"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.4> in the current context!
    Error: Unable to interpret <"{AE46ABD3-D625-467F-B5A7-8D3FFF077F0D}" = Realtek 8139 and 8139C+ Ethernet Network Card Driver for Windows Vista> in the current context!
    Error: Unable to interpret <"{AF844339-2F8A-4593-81B3-9F4C54038C4E}" = Windows Live MIME IFilter> in the current context!
    Error: Unable to interpret <"{BC4AE628-81A4-4FC6-863A-7A9BA2E2531F}" = Nokia Connectivity Cable Driver> in the current context!
    Error: Unable to interpret <"{BEEFC4F8-2909-48B3-AFAA-55D3533FDEDD}" = Creative MediaSource 5> in the current context!
    Error: Unable to interpret <"{C3A11907-930D-41AC-A135-CC3B12F92011}" = Seagate Dashboard> in the current context!
    Error: Unable to interpret <"{C66824E4-CBB3-4851-BB3F-E8CFD6350923}" = Windows Live Mail> in the current context!
    Error: Unable to interpret <"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1> in the current context!
    Error: Unable to interpret <"{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform> in the current context!
    Error: Unable to interpret <"{CFF8B8E8-E086-4DE0-935F-FE22CAB54F80}" = Microsoft Search Enhancement Pack> in the current context!
    Error: Unable to interpret <"{D436F577-1695-4D2F-8B44-AC76C99E0002}" = Windows Live Photo Common> in the current context!
    Error: Unable to interpret <"{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform> in the current context!
    Error: Unable to interpret <"{DDC8BDEE-DCAC-404D-8257-3E8D4B782467}" = Windows Live Writer Resources> in the current context!
    Error: Unable to interpret <"{DECDCB7C-58CC-4865-91AF-627F9798FE48}" = Windows Live Mesh> in the current context!
    Error: Unable to interpret <"{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10> in the current context!
    Error: Unable to interpret <"{EB4DF488-AAEF-406F-A341-CB2AAA315B90}" = Windows Live Messenger> in the current context!
    Error: Unable to interpret <"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]> in the current context!
    Error: Unable to interpret <"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver> in the current context!
    Error: Unable to interpret <"{F40BBEC7-C2A4-4A00-9B24-7A055A2C5262}" = Microsoft Office Live Add-in 1.5> in the current context!
    Error: Unable to interpret <"{F53D678E-238F-4A71-9742-08BB6774E9DC}" = Windows Live Family Safety> in the current context!
    Error: Unable to interpret <"{FD16AF46-C8A6-4409-5F0A-66390ECB8ED7}" = ATI Catalyst Control Center Ex> in the current context!
    Error: Unable to interpret <"{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}" = Windows Live Essentials> in the current context!
    Error: Unable to interpret <"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX> in the current context!
    Error: Unable to interpret <"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin> in the current context!
    Error: Unable to interpret <"AdobeReader" = Adobe Reader 8> in the current context!
    Error: Unable to interpret <"BitLord" = BitLord 1.1> in the current context!
    Error: Unable to interpret <"BSPlayerf" = BS.Player FREE> in the current context!
    Error: Unable to interpret <"Creative Removable Disk Manager" = Creative Removable Disk Manager> in the current context!
    Error: Unable to interpret <"Flashplayer" = Flash Player plugins 9> in the current context!
    Error: Unable to interpret <"Free Window Registry Repair" = Free Window Registry Repair> in the current context!
    Error: Unable to interpret <"Google Updater" = Google Updater> in the current context!
    Error: Unable to interpret <"InstallShield_{A6359CCF-215D-43D9-8366-479D231F2A72}" = Belkin Wireless USB Utility> in the current context!
    Error: Unable to interpret <"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.62.0.1300> in the current context!
    Error: Unable to interpret <"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1> in the current context!
    Error: Unable to interpret <"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile> in the current context!
    Error: Unable to interpret <"Microsoft Security Client" = Microsoft Security Essentials> in the current context!
    Error: Unable to interpret <"Mozilla Firefox 14.0.1 (x86 en-GB)" = Mozilla Firefox 14.0.1 (x86 en-GB)> in the current context!
    Error: Unable to interpret <"MozillaMaintenanceService" = Mozilla Maintenance Service> in the current context!
    Error: Unable to interpret <"SynTPDeinstKey" = Synaptics Pointing Device Driver> in the current context!
    Error: Unable to interpret <"SysInfo" = Creative System Information> in the current context!
    Error: Unable to interpret <"VLC media player" = VLC media player 2.0.2> in the current context!
    Error: Unable to interpret <"WinLiveSuite" = Windows Live Essentials> in the current context!
    Error: Unable to interpret <"WinRAR archiver" = WinRAR archiver> in the current context!
    Error: Unable to interpret <"ZENcast Organizer" = ZENcast Organizer> in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret <========== HKEY_USERS Uninstall List ==========> in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret <[HKEY_USERS\S-1-5-21-967825510-758857322-1603075346-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]> in the current context!
    Error: Unable to interpret <"Octoshape add-in for Adobe Flash Player" = Octoshape add-in for Adobe Flash Player> in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret <========== Last 20 Event Log Errors ==========> in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret <[ Application Events ]> in the current context!
    Error: Unable to interpret <Error - 29/07/2012 22:07:32 | Computer Name = Russell-Laptop | Source = Application Error | ID = 1000> in the current context!
    Error: Unable to interpret <Description = Faulting application bsplayer.exe, version 2.5.2.1031, time stamp > in the current context!
    Error: Unable to interpret <0x2a425e19, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception> in the current context!
    Error: Unable to interpret < code 0xc0000005, fault offset 0x0359515b, process id 0x17d4, application start time> in the current context!
    Error: Unable to interpret < 0x01cd6df2388d5862.> in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret <Error - 08/08/2012 12:01:12 | Computer Name = Russell-Laptop | Source = Application Error | ID = 1000> in the current context!
    Error: Unable to interpret <Description = Faulting application Explorer.EXE, version 6.0.6002.18005, time stamp> in the current context!
    Error: Unable to interpret < 0x49e01da5, faulting module ntdll.dll, version 6.0.6002.18541, time stamp 0x4ec3e3d5,> in the current context!
    Error: Unable to interpret < exception code 0xc0000374, fault offset 0x000b06b7, process id 0x4d0, application> in the current context!
    Error: Unable to interpret < start time 0x01cd7265b3de398d.> in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret <Error - 14/08/2012 08:00:10 | Computer Name = Russell-Laptop | Source = Windows Search Service | ID = 3038> in the current context!
    Error: Unable to interpret <Description = > in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret <Error - 14/08/2012 08:00:13 | Computer Name = Russell-Laptop | Source = Windows Search Service | ID = 3028> in the current context!
    Error: Unable to interpret <Description = > in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret <Error - 14/08/2012 08:00:13 | Computer Name = Russell-Laptop | Source = Windows Search Service | ID = 3058> in the current context!
    Error: Unable to interpret <Description = > in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret <Error - 14/08/2012 08:07:19 | Computer Name = Russell-Laptop | Source = Application Error | ID = 1000> in the current context!
    Error: Unable to interpret <Description = Faulting application svchost.exe, version 6.0.6001.18000, time stamp> in the current context!
    Error: Unable to interpret < 0x47918b89, faulting module mshtml.dll, version 9.0.8112.16447, time stamp 0x4fc9d776,> in the current context!
    Error: Unable to interpret < exception code 0xc0000005, fault offset 0x002627c8, process id 0x110, application> in the current context!
    Error: Unable to interpret < start time 0x01cd7a150d889080.> in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret <Error - 14/08/2012 08:41:57 | Computer Name = Russell-Laptop | Source = Application Error | ID = 1000> in the current context!
    Error: Unable to interpret <Description = Faulting application svchost.exe, version 6.0.6001.18000, time stamp> in the current context!
    Error: Unable to interpret < 0x47918b89, faulting module mshtml.dll, version 9.0.8112.16447, time stamp 0x4fc9d776,> in the current context!
    Error: Unable to interpret < exception code 0xc0000005, fault offset 0x001d9aa6, process id 0x1408, application> in the current context!
    Error: Unable to interpret < start time 0x01cd7a19a94de996.> in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret <Error - 14/08/2012 08:45:56 | Computer Name = Russell-Laptop | Source = VSS | ID = 8194> in the current context!
    Error: Unable to interpret <Description = > in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret <Error - 14/08/2012 09:20:23 | Computer Name = Russell-Laptop | Source = VSS | ID = 8194> in the current context!
    Error: Unable to interpret <Description = > in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret <Error - 17/08/2012 07:22:02 | Computer Name = Russell-Laptop | Source = EventSystem | ID = 4621> in the current context!
    Error: Unable to interpret <Description = > in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret <[ Media Center Events ]> in the current context!
    Error: Unable to interpret <Error - 05/09/2007 04:11:50 | Computer Name = Russell-Laptop | Source = Media Center Guide | ID = 0> in the current context!
    Error: Unable to interpret <Description = Event Info: ERROR: SqmApiWrapper.SqmFlushSession failed; Win32 GetLastError> in the current context!
    Error: Unable to interpret < returned 0D Process: DefaultDomain Object Name: Media Center Guide > in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret <Error - 05/09/2007 04:16:50 | Computer Name = Russell-Laptop | Source = Media Center Guide | ID = 0> in the current context!
    Error: Unable to interpret <Description = Event Info: ERROR: SqmApiWrapper.SqmFlushSession failed; Win32 GetLastError> in the current context!
    Error: Unable to interpret < returned 0D Process: DefaultDomain Object Name: Media Center Guide > in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret <Error - 05/09/2007 04:21:50 | Computer Name = Russell-Laptop | Source = Media Center Guide | ID = 0> in the current context!
    Error: Unable to interpret <Description = Event Info: ERROR: SqmApiWrapper.SqmFlushSession failed; Win32 GetLastError> in the current context!
    Error: Unable to interpret < returned 0D Process: DefaultDomain Object Name: Media Center Guide > in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret <Error - 05/09/2007 04:26:50 | Computer Name = Russell-Laptop | Source = Media Center Guide | ID = 0> in the current context!
    Error: Unable to interpret <Description = Event Info: ERROR: SqmApiWrapper.SqmFlushSession failed; Win32 GetLastError> in the current context!
    Error: Unable to interpret < returned 0D Process: DefaultDomain Object Name: Media Center Guide > in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret <Error - 05/09/2007 04:31:50 | Computer Name = Russell-Laptop | Source = Media Center Guide | ID = 0> in the current context!
    Error: Unable to interpret <Description = Event Info: ERROR: SqmApiWrapper.SqmFlushSession failed; Win32 GetLastError> in the current context!
    Error: Unable to interpret < returned 0D Process: DefaultDomain Object Name: Media Center Guide > in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret <Error - 14/05/2008 06:03:51 | Computer Name = Russell-Laptop | Source = Media Center Guide | ID = 0> in the current context!
    Error: Unable to interpret <Description = Event Info: ERROR: SqmApiWrapper.TimerRecord failed; Win32 GetLastError> in the current context!
    Error: Unable to interpret < returned 10000105 Process: DefaultDomain Object Name: Media Center Guide > in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret <[ System Events ]> in the current context!
    Error: Unable to interpret <Error - 16/08/2012 21:47:59 | Computer Name = Russell-Laptop | Source = R300 | ID = 43015> in the current context!
    Error: Unable to interpret <Description = I2c return failed> in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret <Error - 16/08/2012 21:53:31 | Computer Name = Russell-Laptop | Source = Service Control Manager | ID = 7022> in the current context!
    Error: Unable to interpret <Description = > in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret <Error - 16/08/2012 22:06:31 | Computer Name = Russell-Laptop | Source = Microsoft Antimalware | ID = 2001> in the current context!
    Error: Unable to interpret <Description = %%860 has encountered an error trying to update signatures. New Signature> in the current context!
    Error: Unable to interpret < Version: Previous Signature Version: 1.131.2019.0 Update Source: %%859 Update Stage:> in the current context!
    Error: Unable to interpret < %%853 Source Path: http://www.microsoft.com Signature Type: %%800 Update Type: %%803> in the current context!
    Error: Unable to interpret < User:> in the current context!
    Error: Unable to interpret < NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8601.0 Error> in the current context!
    Error: Unable to interpret < code: 0x80240022 Error description: The program can't check for definition updates.> in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret <Error - 16/08/2012 22:06:31 | Computer Name = Russell-Laptop | Source = Microsoft Antimalware | ID = 2001> in the current context!
    Error: Unable to interpret <Description = %%860 has encountered an error trying to update signatures. New Signature> in the current context!
    Error: Unable to interpret < Version: Previous Signature Version: 1.131.2019.0 Update Source: %%859 Update Stage:> in the current context!
    Error: Unable to interpret < %%853 Source Path: http://www.microsoft.com Signature Type: %%800 Update Type: %%803> in the current context!
    Error: Unable to interpret < User:> in the current context!
    Error: Unable to interpret < NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8601.0 Error> in the current context!
    Error: Unable to interpret < code: 0x80240022 Error description: The program can't check for definition updates.> in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret <Error - 16/08/2012 23:47:51 | Computer Name = Russell-Laptop | Source = volsnap | ID = 393252> in the current context!
    Error: Unable to interpret <Description = The shadow copies of volume C: were aborted because the shadow copy> in the current context!
    Error: Unable to interpret < storage could not grow due to a user imposed limit.> in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret <Error - 17/08/2012 07:22:00 | Computer Name = Russell-Laptop | Source = DCOM | ID = 10010> in the current context!
    Error: Unable to interpret <Description = > in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret <Error - 17/08/2012 07:28:31 | Computer Name = Russell-Laptop | Source = R300 | ID = 43015> in the current context!
    Error: Unable to interpret <Description = I2c return failed> in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret <Error - 17/08/2012 07:28:31 | Computer Name = Russell-Laptop | Source = R300 | ID = 43015> in the current context!
    Error: Unable to interpret <Description = I2c return failed> in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret <Error - 17/08/2012 07:41:28 | Computer Name = Russell-Laptop | Source = Microsoft Antimalware | ID = 2001> in the current context!
    Error: Unable to interpret <Description = %%860 has encountered an error trying to update signatures. New Signature> in the current context!
    Error: Unable to interpret < Version: Previous Signature Version: 1.131.2019.0 Update Source: %%859 Update Stage:> in the current context!
    Error: Unable to interpret < %%853 Source Path: http://www.microsoft.com Signature Type: %%800 Update Type: %%803> in the current context!
    Error: Unable to interpret < User:> in the current context!
    Error: Unable to interpret < NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8601.0 Error> in the current context!
    Error: Unable to interpret < code: 0x80240022 Error description: The program can't check for definition updates.> in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret <Error - 17/08/2012 07:41:28 | Computer Name = Russell-Laptop | Source = Microsoft Antimalware | ID = 2001> in the current context!
    Error: Unable to interpret <Description = %%860 has encountered an error trying to update signatures. New Signature> in the current context!
    Error: Unable to interpret < Version: Previous Signature Version: 1.131.2019.0 Update Source: %%859 Update Stage:> in the current context!
    Error: Unable to interpret < %%853 Source Path: http://www.microsoft.com Signature Type: %%800 Update Type: %%803> in the current context!
    Error: Unable to interpret < User:> in the current context!
    Error: Unable to interpret < NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8601.0 Error> in the current context!
    Error: Unable to interpret < code: 0x80240022 Error description: The program can't check for definition updates.> in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret << End of report >> in the current context!

    OTL by OldTimer - Version 3.2.57.0 log created on 08172012_230139
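Every line of the log above is wrapped in "Error: Unable to interpret <...> in the current context!", which is what OTL produces when a scan log is pasted into its Custom Scans/Fixes box and Run Fix is clicked: OTL treats each line as a fix directive it cannot execute and echoes it back. The original line survives inside the angle brackets, so the log can be recovered. The Python below is an added example, not part of this thread and not OTL's own code; it unwraps such a log, parses the uninstall-list sections into key/name pairs, and lists the versions installed for one product. The sample lines are copied from the post above; the helper names are this example's own.

```python
import re
from typing import Dict, List

# When a whole OTL log is pasted into the "Custom Scans/Fixes" box and
# "Run Fix" is clicked, OTL cannot execute any of it and echoes each line as:
#   Error: Unable to interpret <ORIGINAL LINE> in the current context!
# The original line is intact inside the angle brackets.
WRAPPED = re.compile(r"^\s*Error: Unable to interpret <(.*)> in the current context!\s*$")

# One uninstall-list entry as OTL prints it: "{GUID or key name}" = Display name
UNINSTALL_ENTRY = re.compile(r'^"(?P<key>[^"]+)" = (?P<name>.+)$')


def unwrap_otl_fix_log(lines: List[str]) -> List[str]:
    """Recover the original log lines from an OTL 'Unable to interpret' fix log.

    Lines that were not wrapped (blank lines, the 'OTL by OldTimer' footer)
    pass through with surrounding whitespace removed.
    """
    recovered = []
    for line in lines:
        m = WRAPPED.match(line)
        recovered.append(m.group(1).strip() if m else line.strip())
    return recovered


def parse_uninstall_list(lines: List[str], hive: str = "HKEY_LOCAL_MACHINE") -> Dict[str, str]:
    """Return {uninstall key: display name} for one '<hive> Uninstall List' section.

    The section starts at its '==========' banner and ends at the next banner.
    """
    banner = f"========== {hive} Uninstall List"
    entries: Dict[str, str] = {}
    in_section = False
    for line in lines:
        if line.startswith(banner):
            in_section = True
            continue
        if in_section and line.startswith("=========="):
            break
        if in_section:
            m = UNINSTALL_ENTRY.match(line)
            if m:
                entries[m.group("key")] = m.group("name")
    return entries


def installed_versions(entries: Dict[str, str], product_prefix: str) -> List[str]:
    """Display names starting with product_prefix, sorted.

    More than one hit for a product such as 'Java(TM) 6' means an older
    release is still installed beside the current one, which is what the
    Security Check tool reports as 'Java version out of Date!'.
    """
    return sorted(name for name in entries.values() if name.startswith(product_prefix))


# Constructed sample: a handful of lines copied from the log in this post.
SAMPLE_FIX_LOG = r"""
    Error: Unable to interpret <========== HKEY_LOCAL_MACHINE Uninstall List ==========> in the current context!
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret <[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]> in the current context!
    Error: Unable to interpret <"{26A24AE4-039D-4CA4-87B4-2F83216033FF}" = Java(TM) 6 Update 33> in the current context!
    Error: Unable to interpret <"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java(TM) 6 Update 3> in the current context!
    Error: Unable to interpret <"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.4> in the current context!
    Error: Unable to interpret <"AdobeReader" = Adobe Reader 8> in the current context!
    Error: Unable to interpret <========== HKEY_USERS Uninstall List ==========> in the current context!
    Error: Unable to interpret <"Octoshape add-in for Adobe Flash Player" = Octoshape add-in for Adobe Flash Player> in the current context!
    Error: Unable to interpret << End of report >> in the current context!

    OTL by OldTimer - Version 3.2.57.0 log created on 08172012_230139
""".strip("\n").splitlines()


if __name__ == "__main__":
    log = unwrap_otl_fix_log(SAMPLE_FIX_LOG)
    hklm = parse_uninstall_list(log)
    print(f"{len(hklm)} HKLM uninstall entries recovered")
    for name in installed_versions(hklm, "Java(TM) 6"):
        print("  ", name)
```

The greedy `(.*)` in the wrapper pattern matters for the last line of every OTL log, `<< End of report >>`, where the inner angle brackets are part of the original text.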
  14. Russ66

    Russ66 Newcomer, in training Topic Starter Posts: 20

    Checkup txt scan result;

    Results of screen317's Security Check version 0.99.44
    Windows Vista Service Pack 2 x86 (UAC is enabled)
    Internet Explorer 9
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Enabled!
    Microsoft Security Essentials
    (On Access scanning disabled!)
    Error obtaining update status for antivirus!
    `````````Anti-malware/Other Utilities Check:`````````
    Malwarebytes Anti-Malware version 1.62.0.1300
    Java(TM) 6 Update 33
    Java(TM) 6 Update 3
    Java version out of Date!
    Adobe Flash Player 11.2.202.235
    Adobe Reader 8 Adobe Reader out of Date!
    Mozilla Firefox (14.0.1)
    ````````Process Check: objlist.exe by Laurent````````
    Microsoft Security Essentials MSMpEng.exe
    Microsoft Security Essentials msseces.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: 0 %
    ````````````````````End of Log``````````````````````
  15. Russ66

    Russ66 Newcomer, in training Topic Starter Posts: 20

    FSS scan results;

    Farbar Service Scanner Version: 06-08-2012
    Ran by Russell Weller (administrator) on 17-08-2012 at 23:31:14
    Running from "C:\Users\Russell Weller\Downloads"
    Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Security Center:
    ============

    Windows Update:
    ============
    BITS Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to retrieve start type of BITS. The value does not exist.
    The ImagePath of BITS service is OK.
    The ServiceDll of BITS service is OK.


    Windows Autoupdate Disabled Policy:
    ============================


    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    The start type of WinDefend service is set to Demand. The default start type is Auto.
    The ImagePath of WinDefend service is OK.
    The ServiceDll of WinDefend service is OK.


    Windows Defender Disabled Policy:
    ==========================
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
    "DisableAntiSpyware"=DWORD:1


    Other Services:
    ==============


    File Check:
    ========
    C:\Windows\system32\nsisvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\afd.sys => MD5 is legit
    C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
    C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\system32\dnsrslvr.dll => MD5 is legit
    C:\Windows\system32\mpssvc.dll => MD5 is legit
    C:\Windows\system32\bfe.dll => MD5 is legit
    C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\system32\SDRSVC.dll => MD5 is legit
    C:\Windows\system32\vssvc.exe => MD5 is legit
    C:\Windows\system32\wscsvc.dll => MD5 is legit
    C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\system32\wuaueng.dll => MD5 is legit
    C:\Windows\system32\qmgr.dll => MD5 is legit
    C:\Windows\system32\es.dll => MD5 is legit
    C:\Windows\system32\cryptsvc.dll => MD5 is legit
    C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
    C:\Windows\system32\svchost.exe => MD5 is legit
    C:\Windows\system32\rpcss.dll => MD5 is legit


    **** End of log ****
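The FSS log above is read by comparing each service and policy with its expected state: BITS is not running and its Start value is missing, WinDefend is not running and has been switched from Auto to Demand, and the Windows Defender DisableAntiSpyware policy is set to 1. The Python below is an added example, not part of this thread and not Farbar's code; it parses an FSS log and returns those deviations so they are not lost in the "is OK" and "MD5 is legit" noise. The sample is constructed from the sections in this post. The exact wording FSS uses for a failed file check does not appear in this log, so the example surfaces any file verdict other than "MD5 is legit" for manual review rather than guessing the text.

```python
import re
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    section: str   # FSS section the line came from, e.g. "Windows Update"
    detail: str    # what deviates from the expected state


NOT_RUNNING = re.compile(r"^(?P<svc>\w+) Service is not running\.")
START_TYPE = re.compile(
    r"^The start type of (?P<svc>\w+) service is set to (?P<actual>\w+)\. "
    r"The default start type is (?P<default>\w+)\.")
ATTENTION = re.compile(r"ATTENTION!=+> (?P<msg>.+)$")
POLICY_VALUE = re.compile(r'^"(?P<name>[^"]+)"=DWORD:(?P<value>\d+)$')
FILE_CHECK = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) => (?P<verdict>.+)$")


def triage_fss(text: str) -> List[Finding]:
    """Walk an FSS log and return everything that is not in its expected state."""
    findings: List[Finding] = []
    lines = [l.strip() for l in text.splitlines()]
    section = ""
    hive_path = ""   # last "[HKEY_...]" key seen inside a policy section
    for i, line in enumerate(lines):
        if not line:
            continue
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        # A section header is "Name:" followed by a line made only of '='.
        if line.endswith(":") and nxt and set(nxt) == {"="}:
            section = line[:-1]
            hive_path = ""
            continue
        if set(line) == {"="}:
            continue
        if line.startswith("[") and line.endswith("]"):
            hive_path = line[1:-1]
            continue
        m = POLICY_VALUE.match(line)
        if m:
            # Any non-zero value under a "... Disabled Policy" header switches the feature off.
            if section.endswith("Disabled Policy") and m.group("value") != "0":
                findings.append(Finding(section, hive_path + "\\" + m.group("name") + " = " + m.group("value")))
            continue
        m = NOT_RUNNING.match(line)
        if m:
            findings.append(Finding(section, m.group("svc") + " service is not running"))
            continue
        m = ATTENTION.search(line)
        if m:
            # FSS reports a Start value it cannot read (deleted from the registry) this way.
            findings.append(Finding(section, m.group("msg")))
            continue
        m = START_TYPE.match(line)
        if m:
            if m.group("actual") != m.group("default"):
                findings.append(Finding(section, f"{m.group('svc')} start type is {m.group('actual')}, default is {m.group('default')}"))
            continue
        m = FILE_CHECK.match(line)
        if m and m.group("verdict") != "MD5 is legit":
            # The wording FSS uses for a failed check is not in this log, so anything
            # other than the pass verdict is surfaced for manual review.
            findings.append(Finding(section, m.group("path") + ": " + m.group("verdict")))
    return findings


# Constructed sample: the relevant sections copied from the FSS log in this post.
SAMPLE_FSS = r"""
Farbar Service Scanner Version: 06-08-2012
Boot Mode: Normal
****************************************************************

Windows Firewall:
=============

Firewall Disabled Policy:
==================

Windows Update:
============
BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of BITS. The value does not exist.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.

Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1

File Check:
========
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit

**** End of log ****
"""


if __name__ == "__main__":
    for f in triage_fss(SAMPLE_FSS):
        print(f"[{f.section}] {f.detail}")
```

Run on this post's log the five findings it prints are exactly the items a helper acts on before re-enabling Windows Update and Defender; the empty "Firewall Disabled Policy" section and the clean File Check produce nothing.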
  16. Broni

    Broni Malware Annihilator Posts: 46,164   +251

    OTL log is incorrect.
    Re-read my instruction.
    Redo.
    Pay attention.
  17. Russ66

    Russ66 Newcomer, in training Topic Starter Posts: 20

    ESET did take some time to scan, as you said. Had to leave it running overnight - here's the result;

    C:\FRST\Quarantine\services.exe Win32/Sirefef.FB.Gen trojan deleted - quarantined
    C:\FRST\Quarantine\{7b01d056-4baf-6e27-9fcd-2cbbc112acf0}\n Win32/Sirefef.EV trojan cleaned by deleting - quarantined
  18. Russ66

    Russ66 Newcomer, in training Topic Starter Posts: 20

    All processes killed
    ========== OTL ==========
    Service CLTNetCnService stopped successfully!
    Service CLTNetCnService deleted successfully!
    Registry value HKEY_USERS\S-1-5-21-967825510-758857322-1603075346-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{21FA44EF-376D-4D53-9B0F-8A89D3229068} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21FA44EF-376D-4D53-9B0F-8A89D3229068}\ not found.
    Registry key HKEY_USERS\S-1-5-21-967825510-758857322-1603075346-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\internet\ deleted successfully.
    Registry key HKEY_USERS\S-1-5-21-967825510-758857322-1603075346-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mcafee.com\ deleted successfully.
    Registry key HKEY_USERS\S-1-5-21-967825510-758857322-1603075346-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mcafee.com\ not found.
    C:\FRST\Quarantine\{7b01d056-4baf-6e27-9fcd-2cbbc112acf0}\{7b01d056-4baf-6e27-9fcd-2cbbc112acf0}\U folder moved successfully.
    C:\FRST\Quarantine\{7b01d056-4baf-6e27-9fcd-2cbbc112acf0}\{7b01d056-4baf-6e27-9fcd-2cbbc112acf0}\L folder moved successfully.
    C:\FRST\Quarantine\{7b01d056-4baf-6e27-9fcd-2cbbc112acf0}\{7b01d056-4baf-6e27-9fcd-2cbbc112acf0} folder moved successfully.
    C:\FRST\Quarantine\{7b01d056-4baf-6e27-9fcd-2cbbc112acf0}\U folder moved successfully.
    C:\FRST\Quarantine\{7b01d056-4baf-6e27-9fcd-2cbbc112acf0}\L folder moved successfully.
    C:\FRST\Quarantine\{7b01d056-4baf-6e27-9fcd-2cbbc112acf0} folder moved successfully.
    Folder move failed. C:\FRST\Quarantine scheduled to be moved on reboot.
    C:\FRST\Logs folder moved successfully.
    C:\FRST\Hives folder moved successfully.
    C:\FRST folder moved successfully.
    C:\Users\Russell Weller\AppData\Local\q2f17716jns3bn8e5584 moved successfully.
    C:\ProgramData\q2f17716jns3bn8e5584 moved successfully.
    C:\Users\Russell Weller\AppData\Local\o46m08r2kous668313xtbml47c0l680o07f moved successfully.
    C:\ProgramData\o46m08r2kous668313xtbml47c0l680o07f moved successfully.
    C:\Users\Russell Weller\AppData\Local\Hbipevoyoxajij.dat moved successfully.
    C:\Users\Russell Weller\AppData\Local\Smuhehihev.bin moved successfully.
    ADS C:\ProgramData\TEMP:CF0907B4 deleted successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: Russell Weller
    ->Temp folder emptied: 31832 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 41297862 bytes
    ->Flash cache emptied: 456 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 3238 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 39.00 mb


    [EMPTYJAVA]

    User: All Users

    User: Default

    User: Default User

    User: Public

    User: Russell Weller
    ->Java cache emptied: 0 bytes

    Total Java Files Cleaned = 0.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Default
    ->Flash cache emptied: 0 bytes

    "OTL log is incorrect.
    Re-read my instruction.
    Redo.
    Pay attention."

    Have done;

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: Public

    User: Russell Weller
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.57.0 log created on 08182012_091808

    Files\Folders moved on Reboot...
    File\Folder C:\FRST\Quarantine not found!

    PendingFileRenameOperations files...
    File C:\FRST\Quarantine not found!

    Registry entries deleted on Reboot...
     
  19. Broni

    Broni Malware Annihilator Posts: 46,164   +251

    Uninstall Java(TM) 6 Update 3.

    Update Adobe Reader

    You can download it from http://www.adobe.com/products/acrobat/readstep2.html
    After installing the latest Adobe Reader, uninstall all previous versions (if present).
    Note. If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

    Alternatively, you can uninstall Adobe Reader (33.5 MB), download and install Foxit PDF Reader(3.5MB) from HERE.
    It's a much smaller file to download and uses a lot less resources than Adobe Reader.
    Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or any other garbage.

    =========================================

    We have one corrupted registry key affecting Windows updates.

    The following steps involve registry editing. Please create a new restore point before proceeding!!!
    How to:
    XP - http://support.microsoft.com/kb/948247
    Vista and Seven - http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/


    Download Vista.zip file from here: http://www.smartestcomputing.us.com/files/download/9-registry-network-keys/
    Unzip the file.
    You'll find several files inside.
    Double click on bits.reg file and confirm the prompt.
    Restart computer.
    Post new FSS log.
  20. Russ66

    Russ66 Newcomer, in training Topic Starter Posts: 20

    When I try to uninstall Java (TM) 6 Update 3 I get a window pop up with the following:

    Java (TM) 6 Update 3

    Error 1719. The Windows Installer Service could not be accessed. This can occur if the Windows Installer is not correctly installed. Contact your support personnel for assistance.

    I have not moved on to the other steps yet in case it is necessary for the Java removal to take place first.
  21. Broni

    Broni Malware Annihilator Posts: 46,164   +251

    That's fine. Leave it alone.
  22. Russ66

    Russ66 Newcomer, in training Topic Starter Posts: 20

    Ok - I followed your instructions (apart from the Java removal as on previous post) and decided to dump all the Adobe Readers. I uninstalled them (I left Adobe Flashplayer installed) and downloaded Foxit Reader and installed it as you suggested.
    I downloaded the Vista zip and ran the bits reg and restarted but no FSS log appeared anywhere. Do I need to run something from FSS or did I make a mistake somewhere..?
  23. Broni

    Broni Malware Annihilator Posts: 46,164   +251

    Yes, re-run FSS.
  24. Russ66

    Russ66 Newcomer, in training Topic Starter Posts: 20

    Ok - I opened the FSS icon on my desktop and checked all the boxes for the scan as I wasn't sure which items you wanted. Result below:

    Farbar Service Scanner Version: 06-08-2012
    Ran by Russell Weller (administrator) on 18-08-2012 at 17:48:21
    Running from "C:\Users\Russell Weller\Downloads"
    Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Security Center:
    ============

    Windows Update:
    ============

    Windows Autoupdate Disabled Policy:
    ============================


    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    The start type of WinDefend service is set to Demand. The default start type is Auto.
    The ImagePath of WinDefend service is OK.
    The ServiceDll of WinDefend service is OK.


    Windows Defender Disabled Policy:
    ==========================
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
    "DisableAntiSpyware"=DWORD:1


    Other Services:
    ==============


    File Check:
    ========
    C:\Windows\system32\nsisvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\afd.sys => MD5 is legit
    C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
    C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\system32\dnsrslvr.dll => MD5 is legit
    C:\Windows\system32\mpssvc.dll => MD5 is legit
    C:\Windows\system32\bfe.dll => MD5 is legit
    C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\system32\SDRSVC.dll => MD5 is legit
    C:\Windows\system32\vssvc.exe => MD5 is legit
    C:\Windows\system32\wscsvc.dll => MD5 is legit
    C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\system32\wuaueng.dll => MD5 is legit
    C:\Windows\system32\qmgr.dll => MD5 is legit
    C:\Windows\system32\es.dll => MD5 is legit
    C:\Windows\system32\cryptsvc.dll => MD5 is legit
    C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
    C:\Windows\system32\ipnathlp.dll
    [2008-05-28 17:03] - [2008-01-19 04:34] - 0288256 ____A (Microsoft Corporation) E1499BD0FF76B1B2FBBF1AF339D91165

    C:\Windows\system32\svchost.exe => MD5 is legit
    C:\Windows\system32\rpcss.dll => MD5 is legit


    **** End of log ****
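A defender-side triage of FSS output like the log above, as an added example (not a tool from this thread or from Farbar): it walks the log lines and flags a stopped service, a start type that differs from the default, a non-zero Disable* policy such as DisableAntiSpyware, and any File Check entry that lacks an "MD5 is legit" verdict. The embedded excerpt is constructed from the values in the log above, not read from a live machine.

```python
import re

# Constructed excerpt in the format of the FSS log posted above (values copied from it, not from a live host).
FSS_LOG = r"""Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.

Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1

File Check:
========
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\ipnathlp.dll
[2008-05-28 17:03] - [2008-01-19 04:34] - 0288256 ____A (Microsoft Corporation) E1499BD0FF76B1B2FBBF1AF339D91165
C:\Windows\system32\svchost.exe => MD5 is legit
"""

NOT_RUNNING_RE = re.compile(r"^(\S+) Service is not running")
START_TYPE_RE = re.compile(r"start type of (\S+) service is set to (\w+)\. The default start type is (\w+)\.")
POLICY_RE = re.compile(r'^"(\w+)"=DWORD:(\d+)')
FILE_RE = re.compile(r"^(\S:\\.+?)(?: => (.+))?$")   # "path" or "path => verdict"
MD5_RE = re.compile(r"\b([0-9A-F]{32})\b")


def triage_fss(log):
    """Return (severity, message) findings from an FSS log that merit a human look."""
    findings = []
    lines = log.splitlines()
    for i, line in enumerate(lines):
        if m := NOT_RUNNING_RE.match(line):
            findings.append(("warn", f"{m.group(1)}: service not running"))
        elif m := START_TYPE_RE.search(line):
            if m.group(2) != m.group(3):
                findings.append(("warn", f"{m.group(1)}: start type {m.group(2)}, default {m.group(3)}"))
        elif m := POLICY_RE.match(line):
            # A non-zero Disable* policy value switches a protection off.
            if m.group(1).startswith("Disable") and m.group(2) != "0":
                findings.append(("high", f"policy {m.group(1)}={m.group(2)} disables a security feature"))
        elif (m := FILE_RE.match(line)) and not m.group(2):
            # No "MD5 is legit" verdict: FSS then prints attributes and MD5 on the next line
            # because the hash is not in its known-good list. Unverified, not proven bad.
            hm = MD5_RE.search(lines[i + 1] if i + 1 < len(lines) else "")
            md5 = hm.group(1) if hm else "unknown"
            findings.append(("info", f"{m.group(1)}: no MD5 verdict, verify hash {md5} manually"))
    return findings
```

Files that FSS marks "MD5 is legit" produce no finding; the unverified entry is reported with its hash so it can be checked against a trusted source rather than assumed malicious.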
  25. Broni

    Broni Malware Annihilator Posts: 46,164   +251

    Your computer is clean

    1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [emptyjava]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now, we'll remove all the tools we used during our cleaning process.

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure Windows Updates are current.

    4. If any trojans, rootkits or bootkits were listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run a Malwarebytes "Quick scan" once in a while to ensure the safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. (Windows XP only) Run defrag at your convenience.

    11. When installing/updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.

    12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    13. Please, let me know, how your computer is doing.

