Need help to remove trojan:win64/sirefef.P [Solved]

#16 NealH (Topic Starter, Member, 19 posts)

OK, some progress to report:

I identified what was causing the infected PC to reboot 60 seconds or so after startup:

1. I booted Windows 7 in Safe Mode With Networking
2. I started Task Manager
3. I went to the Processes tab, and clicked on Show Processes for All Users; then I sorted the processes by name
4. One of the processes was MSMPENG.EXE - It had a description something like "Microsoft AntiMalware ... "
5. I right-clicked on MSMPENG.EXE and did an End Process Tree on it.
6. After doing #5, it re-appeared again. So for a second time I did an End Process Tree and killed it.
7. Next, I went to Control Panel, Programs, and uninstalled Microsoft Security Essentials.
8. I rebooted

That seemed to stop the automatic rebooting. That problem is solved now.

Next I went back and followed your instructions again, running FRST and then secondly running ComboFix. This time, both ran 100% to completion and created their respective log files. I will post them for you now.

#17 NealH (Topic Starter, Member, 19 posts)

This is the FRST log:

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 15-07-2012
Ran by SYSTEM at 2012-07-28 21:57:28 Run:2
Running from K:\

==============================================

C:\Windows\Installer\{daa67205-89ac-97bf-4211-027d13a226e7} not found.
C:\Windows\Installer\{daa67205-89ac-97bf-4211-027d13a226e7}\@ not found.
C:\Windows\Installer\{daa67205-89ac-97bf-4211-027d13a226e7}\L not found.
C:\Windows\Installer\{daa67205-89ac-97bf-4211-027d13a226e7}\n not found.
C:\Windows\Installer\{daa67205-89ac-97bf-4211-027d13a226e7}\U not found.
C:\Windows\Installer\{daa67205-89ac-97bf-4211-027d13a226e7}\L\00000004.@ not found.
C:\Windows\Installer\{daa67205-89ac-97bf-4211-027d13a226e7}\L\1afb2d56 not found.
C:\Windows\Installer\{daa67205-89ac-97bf-4211-027d13a226e7}\L\201d3dde not found.
C:\Windows\Installer\{daa67205-89ac-97bf-4211-027d13a226e7}\U\00000004.@ not found.
C:\Windows\Installer\{daa67205-89ac-97bf-4211-027d13a226e7}\U\00000008.@ not found.
C:\Windows\Installer\{daa67205-89ac-97bf-4211-027d13a226e7}\U\000000cb.@ not found.
C:\Windows\Installer\{daa67205-89ac-97bf-4211-027d13a226e7}\U\80000000.@ not found.
C:\Windows\Installer\{daa67205-89ac-97bf-4211-027d13a226e7}\U\80000032.@ not found.
C:\Windows\Installer\{daa67205-89ac-97bf-4211-027d13a226e7}\U\80000064.@ not found.
C:\Users\Neal\AppData\Local\{daa67205-89ac-97bf-4211-027d13a226e7} not found.
C:\Users\Neal\AppData\Local\{daa67205-89ac-97bf-4211-027d13a226e7}\@ not found.
C:\Users\Neal\AppData\Local\{daa67205-89ac-97bf-4211-027d13a226e7}\L not found.
C:\Users\Neal\AppData\Local\{daa67205-89ac-97bf-4211-027d13a226e7}\U not found.
C:\Users\Neal\AppData\Local\{daa67205-89ac-97bf-4211-027d13a226e7}\U\00000008.@ not found.
C:\Windows\assembly\GAC_32\Desktop.ini moved successfully.
C:\Windows\assembly\GAC_64\Desktop.ini moved successfully.

==== End of Fixlog ====

#18 NealH (Topic Starter, Member, 19 posts)

Here is the ComboFix log:

ComboFix 12-07-27.03 - Neal 07/28/2012 22:08:41.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.6142.4356 [GMT -7:00]
Running from: c:\users\Neal\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Install.exe
c:\users\Neal\AppData\Roaming\inst.exe
c:\windows\assembly\GAC_32\Desktop.ini
c:\windows\assembly\GAC_64\Desktop.ini
c:\windows\SysWow64\Packet.dll
c:\windows\SysWow64\pthreadVC.dll
c:\windows\SysWow64\wpcap.dll
.
Infected copy of c:\windows\system32\Services.exe was found and disinfected
Restored copy from - c:\windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
-------\Service_npf
.
.
((((((((((((((((((((((((( Files Created from 2012-06-28 to 2012-07-29 )))))))))))))))))))))))))))))))
.
.
2012-07-29 05:23 . 2012-07-29 05:23 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-29 04:38 . 2012-07-16 09:40 9133488 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{3E9A3D2B-9DA0-4F94-A6A2-2305898A0A01}\mpengine.dll
2012-07-29 04:30 . 2012-07-29 04:30 328704 ----a-w- c:\windows\system32\services.exe.92F7B00A0FDBDCA0
2012-07-29 04:27 . 2012-07-29 04:27 328704 ----a-w- c:\windows\system32\services.exe.EF4994AB275A8090
2012-07-29 04:07 . 2012-07-29 04:07 -------- d-----w- C:\[bleep]me
2012-07-29 04:03 . 2012-07-29 04:03 328704 ----a-w- c:\windows\system32\services.exe.0DF93F3102A38F99
2012-07-29 03:59 . 2012-07-29 03:59 328704 ----a-w- c:\windows\system32\services.exe.81CEF827C7412E27
2012-07-29 03:56 . 2012-07-29 03:56 328704 ----a-w- c:\windows\system32\services.exe.0C2E6816EAC446C6
2012-07-29 03:42 . 2012-07-29 03:42 328704 ----a-w- c:\windows\system32\services.exe.45317752639DD8BE
2012-07-29 03:37 . 2012-07-29 03:37 328704 ----a-w- c:\windows\system32\services.exe.31AB7610EB1F10D0
2012-07-29 03:34 . 2012-07-29 03:34 328704 ----a-w- c:\windows\system32\services.exe.45F263F16A8681AE
2012-07-29 03:31 . 2012-07-29 03:31 328704 ----a-w- c:\windows\system32\services.exe.772B31A5A06FBC36
2012-07-29 03:27 . 2012-07-29 03:27 328704 ----a-w- c:\windows\system32\services.exe.8C1CD61FB2C4B2DD
2012-07-29 03:22 . 2012-07-29 03:22 328704 ----a-w- c:\windows\system32\services.exe.4876484873A3FCAA
2012-07-29 03:19 . 2012-07-29 03:19 328704 ----a-w- c:\windows\system32\services.exe.7214291F5F0C70A2
2012-07-29 03:10 . 2012-07-29 03:10 328704 ----a-w- c:\windows\system32\services.exe.2D5F67DB0F965A77
2012-07-29 03:10 . 2012-07-29 03:10 -------- d-----w- c:\windows\SysWow64\GPBAK
2012-07-29 03:10 . 2008-04-14 09:11 295936 ----a-w- c:\windows\SysWow64\appmgr.dll
2012-07-29 03:10 . 2012-07-29 03:10 707354 ----a-w- c:\windows\unins000.exe
2012-07-29 02:48 . 2012-07-29 02:48 328704 ----a-w- c:\windows\system32\services.exe.DEDA589FC22A19FD
2012-07-29 02:44 . 2012-07-29 02:44 328704 ----a-w- c:\windows\system32\services.exe.1218D859A111D148
2012-07-29 02:39 . 2012-07-29 02:39 328704 ----a-w- c:\windows\system32\services.exe.7A0EB484A6F87537
2012-07-29 02:35 . 2012-07-29 02:35 328704 ----a-w- c:\windows\system32\services.exe.5DD24C8AC07F12A1
2012-07-29 02:32 . 2012-07-29 02:32 328704 ----a-w- c:\windows\system32\services.exe.168564939233843C
2012-07-29 02:26 . 2012-07-29 02:26 328704 ----a-w- c:\windows\system32\services.exe.5F2DE3F969A9BC88
2012-07-29 00:56 . 2012-07-29 00:56 328704 ----a-w- c:\windows\system32\services.exe.183BDF6B8A3C66A4
2012-07-29 00:50 . 2012-07-29 00:50 328704 ----a-w- c:\windows\system32\services.exe.5788971235ACE4C9
2012-07-29 00:40 . 2012-07-29 00:40 328704 ----a-w- c:\windows\system32\services.exe.2AF9CD4323D38643
2012-07-19 07:06 . 2012-07-19 07:06 328704 ----a-w- c:\windows\system32\services.exe.5F375166737A0C13
2012-07-19 07:00 . 2012-07-19 07:00 328704 ----a-w- c:\windows\system32\services.exe.E9672C37BAA41107
2012-07-19 06:54 . 2012-07-19 06:54 328704 ----a-w- c:\windows\system32\services.exe.ACAD82678B7CE644
2012-07-19 06:48 . 2012-07-19 06:48 328704 ----a-w- c:\windows\system32\services.exe.3C95EA2CA24B195D
2012-07-19 06:42 . 2012-07-19 06:42 328704 ----a-w- c:\windows\system32\services.exe.D0127216BC0A355B
2012-07-19 06:36 . 2012-07-19 06:36 328704 ----a-w- c:\windows\system32\services.exe.EFEC7BF7882A1194
2012-07-19 04:09 . 2012-07-19 04:09 328704 ----a-w- c:\windows\system32\services.exe.4C2AFC7991E535D0
2012-07-19 04:03 . 2012-07-19 04:03 328704 ----a-w- c:\windows\system32\services.exe.982FC02174D27FBA
2012-07-19 03:57 . 2012-07-19 03:57 328704 ----a-w- c:\windows\system32\services.exe.00DE24430870BBF5
2012-07-19 03:51 . 2012-07-19 03:51 328704 ----a-w- c:\windows\system32\services.exe.3A6A98893EB85C56
2012-07-19 03:45 . 2012-07-19 03:45 328704 ----a-w- c:\windows\system32\services.exe.C476B0875850B691
2012-07-19 03:42 . 2012-07-19 03:42 328704 ----a-w- c:\windows\system32\services.exe.D3DD3C44D4B62205
2012-07-19 03:39 . 2012-07-19 03:39 328704 ----a-w- c:\windows\system32\services.exe.DCA8A8FFBE916730
2012-07-17 13:28 . 2012-07-17 13:28 328704 ----a-w- c:\windows\system32\services.exe.4F245EC1DA348086
2012-07-17 13:19 . 2012-07-17 13:19 328704 ----a-w- c:\windows\system32\services.exe.AEADBE7E10C878D6
2012-07-17 05:12 . 2012-07-17 05:12 328704 ----a-w- c:\windows\system32\services.exe.40EAD0FF2AC439A7
2012-07-17 05:09 . 2012-07-17 05:09 328704 ----a-w- c:\windows\system32\services.exe.0361F1DAA0C5E50B
2012-07-17 04:49 . 2012-07-17 04:49 328704 ----a-w- c:\windows\system32\services.exe.AA0406FAC85374EA
2012-07-16 19:21 . 2012-07-16 19:21 328704 ----a-w- c:\windows\system32\services.exe.963D58B52C692B2D
2012-07-16 19:18 . 2012-07-16 19:18 328704 ----a-w- c:\windows\system32\services.exe.00306FB1F7A2AEE9
2012-07-16 19:14 . 2012-07-16 19:14 328704 ----a-w- c:\windows\system32\services.exe.D622B9D60B60108E
2012-07-16 19:10 . 2012-07-16 19:10 328704 ----a-w- c:\windows\system32\services.exe.11CF1CAEC7CB8348
2012-07-16 19:05 . 2012-07-16 19:05 328704 ----a-w- c:\windows\system32\services.exe.9124237C3E8CAC51
2012-07-16 19:00 . 2012-07-16 19:00 328704 ----a-w- c:\windows\system32\services.exe.9F532628F06C06DF
2012-07-16 02:02 . 2012-07-29 00:49 -------- d-----w- C:\FRST
2012-07-15 23:42 . 2012-07-15 23:42 328704 ----a-w- c:\windows\system32\services.exe.7A5340B1824F7CE1
2012-07-15 23:36 . 2012-07-15 23:36 328704 ----a-w- c:\windows\system32\services.exe.AF673C861190C696
2012-07-15 23:36 . 2012-07-15 23:36 -------- d-----w- c:\users\Neal\AppData\Roaming\SpeedyPC Software
2012-07-15 23:36 . 2012-07-15 23:36 -------- d-----w- c:\users\Neal\AppData\Roaming\DriverCure
2012-07-15 23:35 . 2012-07-15 23:35 -------- d-----w- c:\program files (x86)\Common Files\SpeedyPC Software
2012-07-15 23:35 . 2012-07-15 23:35 -------- d-----w- c:\programdata\SpeedyPC Software
2012-07-15 23:35 . 2012-07-15 23:35 -------- d-----w- c:\program files (x86)\SpeedyPC Software
2012-07-15 23:30 . 2012-07-15 23:30 328704 ----a-w- c:\windows\system32\services.exe.38BFFFC0BCEDC331
2012-07-15 23:25 . 2012-07-15 23:25 328704 ----a-w- c:\windows\system32\services.exe.54EE71CA04AD65A1
2012-07-15 23:18 . 2012-07-15 23:18 328704 ----a-w- c:\windows\system32\services.exe.AEB7AFFE9B5FD888
2012-07-15 23:15 . 2012-07-15 23:15 328704 ----a-w- c:\windows\system32\services.exe.6A64CCC8883B93E6
2012-07-15 23:11 . 2012-07-15 23:11 328704 ----a-w- c:\windows\system32\services.exe.79E74FC0E7DFBB51
2012-07-15 17:33 . 2012-07-15 17:33 328704 ----a-w- c:\windows\system32\services.exe.826A3A05B56CF260
2012-07-15 17:29 . 2012-07-15 17:29 328704 ----a-w- c:\windows\system32\services.exe.1F7399B676C5103F
2012-07-15 17:24 . 2012-07-15 17:24 328704 ----a-w- c:\windows\system32\services.exe.F1D495A44199A424
2012-07-15 17:20 . 2012-07-15 17:20 328704 ----a-w- c:\windows\system32\services.exe.B31265504A5BE47C
2012-07-15 17:16 . 2012-07-15 17:16 328704 ----a-w- c:\windows\system32\services.exe.6D14923BAC9F521D
2012-07-15 17:09 . 2012-07-15 17:09 328704 ----a-w- c:\windows\system32\services.exe.556BF8903A92A254
2012-07-15 16:56 . 2012-07-15 16:56 328704 ----a-w- c:\windows\system32\services.exe.21E06C543B382DFD
2012-07-15 16:44 . 2012-07-15 16:44 328704 ----a-w- c:\windows\system32\services.exe.2C1B5F9F162C46B9
2012-07-15 16:33 . 2012-07-15 16:33 328704 ----a-w- c:\windows\system32\services.exe.0722D142FCD988F9
2012-07-15 16:22 . 2012-07-15 16:22 328704 ----a-w- c:\windows\system32\services.exe.4862A5F8FB8197EF
2012-07-15 16:11 . 2012-07-15 16:11 328704 ----a-w- c:\windows\system32\services.exe.3DDF2C169912E93B
2012-07-15 16:00 . 2012-07-15 16:00 328704 ----a-w- c:\windows\system32\services.exe.2019AEC5BBAFF68E
2012-07-15 15:56 . 2012-07-15 15:56 328704 ----a-w- c:\windows\system32\services.exe.15B44FB771BB6599
2012-07-15 15:50 . 2012-07-15 15:50 328704 ----a-w- c:\windows\system32\services.exe.9B6215968D9D3DD1
2012-07-15 15:45 . 2012-07-15 15:45 328704 ----a-w- c:\windows\system32\services.exe.958CDDB8BDE010F4
2012-07-15 15:40 . 2012-07-15 15:40 328704 ----a-w- c:\windows\system32\services.exe.6A38B77904C78A8C
2012-07-15 15:34 . 2012-07-15 15:34 328704 ----a-w- c:\windows\system32\services.exe.A85ADFDCC2836698
2012-07-15 15:29 . 2012-07-15 15:29 328704 ----a-w- c:\windows\system32\services.exe.0A02FABEF629D73C
2012-07-15 15:23 . 2012-07-15 15:23 328704 ----a-w- c:\windows\system32\services.exe.B1B05458CDA4613F
2012-07-15 15:17 . 2012-07-15 15:17 328704 ----a-w- c:\windows\system32\services.exe.BAC46E5654D2C761
2012-07-15 15:10 . 2012-07-15 15:10 328704 ----a-w- c:\windows\system32\services.exe.1B8F03A105865642
2012-07-15 15:04 . 2012-07-15 15:04 328704 ----a-w- c:\windows\system32\services.exe.A017C0CC54E03A1D
2012-07-15 14:57 . 2012-07-15 14:57 328704 ----a-w- c:\windows\system32\services.exe.CA286445AB93E695
2012-07-15 14:49 . 2012-07-15 14:49 328704 ----a-w- c:\windows\system32\services.exe.1E9606DD3D4BDC5C
2012-07-15 14:42 . 2012-07-15 14:42 328704 ----a-w- c:\windows\system32\services.exe.2D14CE18C3E5311C
2012-07-15 14:31 . 2012-07-15 14:31 328704 ----a-w- c:\windows\system32\services.exe.1FE2E71C0CE1923C
2012-07-15 14:22 . 2012-07-15 14:22 328704 ----a-w- c:\windows\system32\services.exe.A6858AB4272DFBC1
2012-07-15 14:12 . 2012-07-15 14:12 328704 ----a-w- c:\windows\system32\services.exe.7850963A39296D9C
2012-07-15 14:00 . 2012-07-15 14:00 328704 ----a-w- c:\windows\system32\services.exe.7FE8001B1E329378
2012-07-15 13:55 . 2012-07-15 13:55 328704 ----a-w- c:\windows\system32\services.exe.6C3D881E1B1EE50B
2012-07-15 13:50 . 2012-07-15 13:50 328704 ----a-w- c:\windows\system32\services.exe.C73B371C0A4AA98C
2012-07-15 13:45 . 2012-07-15 13:45 328704 ----a-w- c:\windows\system32\services.exe.A7CF69A66B47AFDB
2012-07-15 13:40 . 2012-07-15 13:40 328704 ----a-w- c:\windows\system32\services.exe.67FA7983069B75F8
2012-07-15 13:34 . 2012-07-15 13:34 328704 ----a-w- c:\windows\system32\services.exe.787497BA45A473CC
2012-07-15 13:29 . 2012-07-15 13:29 328704 ----a-w- c:\windows\system32\services.exe.917E6999DCE00F2B
2012-07-15 13:23 . 2012-07-15 13:23 328704 ----a-w- c:\windows\system32\services.exe.6219007C9ADCFD9E
2012-07-15 13:17 . 2012-07-15 13:17 328704 ----a-w- c:\windows\system32\services.exe.354D0DA9188564FC
2012-07-15 13:10 . 2012-07-15 13:10 328704 ----a-w- c:\windows\system32\services.exe.9336293F50DAE854
2012-07-15 13:03 . 2012-07-15 13:03 328704 ----a-w- c:\windows\system32\services.exe.9397F4BC6D26910D
2012-07-15 12:56 . 2012-07-15 12:56 328704 ----a-w- c:\windows\system32\services.exe.33C4DACBD2280A0D
2012-07-15 12:49 . 2012-07-15 12:49 328704 ----a-w- c:\windows\system32\services.exe.A9CA3E3EF6629BB4
2012-07-15 12:42 . 2012-07-15 12:42 328704 ----a-w- c:\windows\system32\services.exe.0DBE2DB311C88C79
2012-07-15 12:31 . 2012-07-15 12:31 328704 ----a-w- c:\windows\system32\services.exe.BE0F736D211E114A
2012-07-15 12:22 . 2012-07-15 12:22 328704 ----a-w- c:\windows\system32\services.exe.7438B5BA3FBA0604
2012-07-15 12:09 . 2012-07-15 12:09 328704 ----a-w- c:\windows\system32\services.exe.743130E4E47E941C
2012-07-15 11:58 . 2012-07-15 11:58 328704 ----a-w- c:\windows\system32\services.exe.F4C55D51E542FEE3
2012-07-15 11:53 . 2012-07-15 11:53 328704 ----a-w- c:\windows\system32\services.exe.6C6C50148F5B7BB0
2012-07-15 11:48 . 2012-07-15 11:48 328704 ----a-w- c:\windows\system32\services.exe.2ECC57E14C1C5D5D
2012-07-15 11:43 . 2012-07-15 11:43 328704 ----a-w- c:\windows\system32\services.exe.A5CC41158A919263
2012-07-15 11:38 . 2012-07-15 11:38 328704 ----a-w- c:\windows\system32\services.exe.BAD51EAB65F091C8
2012-07-15 11:33 . 2012-07-15 11:33 328704 ----a-w- c:\windows\system32\services.exe.E0F442A01D7B205B
2012-07-15 11:27 . 2012-07-15 11:27 328704 ----a-w- c:\windows\system32\services.exe.850E99B128A8B046
2012-07-15 11:21 . 2012-07-15 11:21 328704 ----a-w- c:\windows\system32\services.exe.7CA9BB76A47C29F2
2012-07-15 11:15 . 2012-07-15 11:15 328704 ----a-w- c:\windows\system32\services.exe.D9BF5B4F8BFE09F3
2012-07-15 11:09 . 2012-07-15 11:09 328704 ----a-w- c:\windows\system32\services.exe.7FC80BC548A3A090
2012-07-15 11:02 . 2012-07-15 11:02 328704 ----a-w- c:\windows\system32\services.exe.D71DF12C9EE6026B
2012-07-15 10:55 . 2012-07-15 10:55 328704 ----a-w- c:\windows\system32\services.exe.605CCE83E8BF2CFE
2012-07-15 10:47 . 2012-07-15 10:47 328704 ----a-w- c:\windows\system32\services.exe.3E9431791A9A8EAB
2012-07-15 10:39 . 2012-07-15 10:39 328704 ----a-w- c:\windows\system32\services.exe.B6AECEBC1FACE957
2012-07-15 08:29 . 2012-07-15 08:29 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-15 08:16 . 2012-05-05 14:20 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-07-15 08:16 . 2011-06-07 00:10 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-12 10:03 . 2010-11-06 03:04 59701280 ----a-w- c:\windows\system32\MRT.exe
2012-06-11 20:50 . 2012-06-11 20:50 187392 ----a-w- c:\windows\system32\clinfo.exe
2012-06-11 20:50 . 2012-06-11 20:50 75264 ----a-w- c:\windows\system32\OpenVideo64.dll
2012-06-11 20:50 . 2012-06-11 20:50 65024 ----a-w- c:\windows\SysWow64\OpenVideo.dll
2012-06-11 20:50 . 2012-06-11 20:50 63488 ----a-w- c:\windows\system32\OVDecode64.dll
2012-06-11 20:50 . 2012-06-11 20:50 56320 ----a-w- c:\windows\SysWow64\OVDecode.dll
2012-06-11 20:50 . 2012-06-11 20:50 16457728 ----a-w- c:\windows\system32\amdocl64.dll
2012-06-11 20:49 . 2012-06-11 20:49 13008896 ----a-w- c:\windows\SysWow64\amdocl.dll
2012-06-11 18:59 . 2012-06-11 18:59 10248192 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2012-06-11 18:35 . 2012-06-11 18:35 70144 ----a-w- c:\windows\system32\coinst_8.98.dll
2012-06-11 18:29 . 2012-06-11 18:29 24826368 ----a-w- c:\windows\system32\atio6axx.dll
2012-06-11 18:00 . 2012-06-11 18:00 20467712 ----a-w- c:\windows\SysWow64\atioglxx.dll
2012-06-11 17:25 . 2012-06-11 17:25 163840 ----a-w- c:\windows\system32\atiapfxx.exe
2012-06-11 17:24 . 2012-04-06 02:21 924160 ----a-w- c:\windows\SysWow64\aticfx32.dll
2012-06-11 17:23 . 2010-10-27 10:54 1090560 ----a-w- c:\windows\system32\aticfx64.dll
2012-06-11 17:20 . 2012-06-11 17:20 442368 ----a-w- c:\windows\system32\ATIDEMGX.dll
2012-06-11 17:19 . 2012-06-11 17:19 532992 ----a-w- c:\windows\system32\atieclxx.exe
2012-06-11 17:19 . 2012-06-11 17:19 239616 ----a-w- c:\windows\system32\atiesrxx.exe
2012-06-11 17:17 . 2012-06-11 17:17 120320 ----a-w- c:\windows\system32\atitmm64.dll
2012-06-11 17:17 . 2012-06-11 17:17 21504 ----a-w- c:\windows\system32\atimuixx.dll
2012-06-11 17:17 . 2012-06-11 17:17 59392 ----a-w- c:\windows\system32\atiedu64.dll
2012-06-11 17:17 . 2012-06-11 17:17 43520 ----a-w- c:\windows\SysWow64\ati2edxx.dll
2012-06-11 17:16 . 2012-06-11 17:16 6301696 ----a-w- c:\windows\SysWow64\atidxx32.dll
2012-06-11 17:01 . 2010-10-27 10:38 6914560 ----a-w- c:\windows\system32\atidxx64.dll
2012-06-11 16:51 . 2012-06-11 16:51 4246528 ----a-w- c:\windows\system32\atiumd6a.dll
2012-06-11 16:45 . 2012-06-11 16:45 51200 ----a-w- c:\windows\system32\aticalrt64.dll
2012-06-11 16:45 . 2012-06-11 16:45 46080 ----a-w- c:\windows\SysWow64\aticalrt.dll
2012-06-11 16:45 . 2012-04-06 01:34 5480448 ----a-w- c:\windows\SysWow64\atiumdag.dll
2012-06-11 16:45 . 2012-06-11 16:45 44544 ----a-w- c:\windows\system32\aticalcl64.dll
2012-06-11 16:45 . 2012-06-11 16:45 44032 ----a-w- c:\windows\SysWow64\aticalcl.dll
2012-06-11 16:45 . 2012-06-11 16:45 15703040 ----a-w- c:\windows\system32\aticaldd64.dll
2012-06-11 16:43 . 2012-04-06 01:22 4729344 ----a-w- c:\windows\SysWow64\atiumdva.dll
2012-06-11 16:40 . 2012-06-11 16:40 13277696 ----a-w- c:\windows\SysWow64\aticaldd.dll
2012-06-11 16:36 . 2012-06-11 16:36 6605824 ----a-w- c:\windows\system32\atiumd64.dll
2012-06-11 16:27 . 2012-06-11 16:27 539136 ----a-w- c:\windows\system32\atiadlxx.dll
2012-06-11 16:26 . 2012-06-11 16:26 368640 ----a-w- c:\windows\SysWow64\atiadlxy.dll
2012-06-11 16:26 . 2012-06-11 16:26 17920 ----a-w- c:\windows\system32\atig6pxx.dll
2012-06-11 16:26 . 2012-06-11 16:26 14848 ----a-w- c:\windows\SysWow64\atiglpxx.dll
2012-06-11 16:26 . 2012-06-11 16:26 14848 ----a-w- c:\windows\system32\atiglpxx.dll
2012-06-11 16:26 . 2012-06-11 16:26 41984 ----a-w- c:\windows\system32\atig6txx.dll
2012-06-11 16:26 . 2012-06-11 16:26 33280 ----a-w- c:\windows\SysWow64\atigktxx.dll
2012-06-11 16:26 . 2012-06-11 16:26 367616 ----a-w- c:\windows\system32\drivers\atikmpag.sys
2012-06-11 16:25 . 2010-10-27 10:13 54784 ----a-w- c:\windows\system32\atiuxp64.dll
2012-06-11 16:25 . 2012-06-11 16:25 42496 ----a-w- c:\windows\SysWow64\atiuxpag.dll
2012-06-11 16:25 . 2012-04-06 01:09 45056 ----a-w- c:\windows\system32\atiu9p64.dll
2012-06-11 16:24 . 2012-04-06 01:09 32768 ----a-w- c:\windows\SysWow64\atiu9pag.dll
2012-06-11 16:24 . 2012-06-11 16:24 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2012-06-11 16:23 . 2012-06-11 16:23 56320 ----a-w- c:\windows\system32\atimpc64.dll
2012-06-11 16:23 . 2012-06-11 16:23 56320 ----a-w- c:\windows\system32\amdpcom64.dll
2012-06-11 16:23 . 2012-06-11 16:23 56832 ----a-w- c:\windows\SysWow64\atimpc32.dll
2012-06-11 16:23 . 2012-06-11 16:23 56832 ----a-w- c:\windows\SysWow64\amdpcom32.dll
2012-06-10 13:57 . 2012-06-10 13:57 19736 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2012-06-02 22:19 . 2012-06-22 00:06 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-22 00:06 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-22 00:06 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-22 00:06 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-22 00:06 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 22:19 . 2012-06-22 00:06 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:15 . 2012-06-22 00:06 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-22 00:06 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 22:15 . 2012-06-22 00:06 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-05-31 19:25 . 2010-11-06 03:06 279656 ------w- c:\windows\system32\MpSigStub.exe
2012-05-04 11:06 . 2012-06-13 01:39 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 10:03 . 2012-06-13 01:39 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-05-04 10:03 . 2012-06-13 01:39 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-05-01 05:40 . 2012-06-13 01:39 209920 ----a-w- c:\windows\system32\profsvc.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\Neal\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\Neal\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\Neal\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SugarSync"="c:\program files (x86)\SugarSync\SugarSyncManager.exe" [2012-06-12 9786488]
"Speech Recognition"="c:\windows\Speech\Common\sapisvr.exe" [2009-07-14 44544]
"OfficeSyncProcess"="c:\program files (x86)\Microsoft Office\Office14\MSOSYNC.EXE" [2011-07-22 718720]
"MusicManager"="c:\users\Neal\AppData\Local\Programs\Google\MusicManager\MusicManager.exe" [2012-06-01 13806592]
"LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2011-06-20 2736128]
"googletalk"="c:\users\Neal\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"AMD AVT"="start AMD Accelerated Video Transcoding device initialization" [X]
"UpdatePSTShortCut"="c:\program files (x86)\CyberLink\Blu-ray Disc Suite\MUITransfer\MUIStartMenu.exe" [2010-05-06 222504]
"UpdatePPShortCut"="c:\program files (x86)\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-06-11 641704]
"RemoteControl8"="c:\program files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe" [2009-07-17 91432]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-04-19 421888]
"PDVD8LanguageShortcut"="c:\program files (x86)\CyberLink\PowerDVD8\Language\Language.exe" [2009-04-16 50472]
"NUSB3MON"="c:\program files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2009-11-21 106496]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-06-08 421776]
"InstantBurn"="c:\progra~2\CYBERL~1\INSTAN~1\Win2K\IBurn.exe" [2010-04-21 697640]
"EEventManager"="c:\progra~2\EPSONS~1\EVENTM~1\EEventManager.exe" [2009-04-07 673616]
"CLMLServer"="c:\program files (x86)\CyberLink\Power2Go\CLMLSvc.exe" [2009-11-02 103720]
"BrStsWnd"="c:\program files (x86)\Brownie\BrstsW64.exe" [2009-08-19 3695928]
"BDRegion"="c:\program files (x86)\Cyberlink\Shared Files\brs.exe" [2010-01-12 75048]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
.
c:\users\Neal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Neal\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office14\ONENOTEM.EXE [2010-12-21 227712]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Amazon Unbox.lnk - c:\program files (x86)\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe [2010-9-13 97384]
TotalMedia Server.lnk - c:\program files (x86)\ArcSoft\TotalMedia Theatre 5\TotalMedia Server\TM Server.exe [2010-12-20 519744]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R1 jnzocrrm;jnzocrrm;c:\windows\system32\drivers\jnzocrrm.sys [x]
R1 qxoqzskp;qxoqzskp;c:\windows\system32\drivers\qxoqzskp.sys [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-01-17 136176]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-07-03 160944]
R3 appliand;Applian Network Service;c:\windows\system32\DRIVERS\appliand.sys [2010-06-24 33888]
R3 CDVDService;CDVDService;c:\program files (x86)\1Step DVD Copy\CDVDService.exe [2010-10-22 360448]
R3 GSService;GSService;c:\windows\SysWOW64\GSService.exe [2012-04-25 250880]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-01-17 136176]
R3 hcwhdpvr;Hauppauge HD PVR Capture Device;c:\windows\system32\DRIVERS\hcwhdpvr.sys [2011-10-21 183424]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [2010-11-07 82816]
R3 RGService;RGService;c:\program files (x86)\GetRadio\RGService.exe [2010-10-22 360448]
R3 SMServer;SMServer;c:\windows\SysWOW64\snmvtsvc.exe [2012-01-23 244224]
R3 SrvHsfPCI;SrvHsfPCI;c:\windows\system32\DRIVERS\VSTBS26.SYS [2009-06-10 411136]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 740864]
R3 STSService;STSService;c:\program files (x86)\SoundTaxi Media Suite\STSService.exe [2010-09-10 348160]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-02-15 52736]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-11-06 1255736]
R3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [2011-08-05 306400]
R3 zsi_fmw;Stiletto Firmware Recovery;c:\windows\system32\Drivers\zsi_fmw.sys [2007-08-02 46376]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2009-05-20 55280]
S1 ArcSec;ArcSec;c:\windows\system32\drivers\ArcSec.sys [2011-11-10 311872]
S1 CLBStor;InstantBurn Storage Helper Driver;c:\windows\system32\DRIVERS\CLBStor.sys [2010-04-20 24560]
S2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};Power Control [2010/11/08 20:38];c:\program files (x86)\CyberLink\PowerDVD8\000.fcl [2010-01-13 07:08 146928]
S2 ADExchange;ArcSoft Exchange Service;c:\program files (x86)\Common Files\ArcSoft\esinter\Bin\eservutil.exe [2011-09-17 39528]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2012-06-11 239616]
S2 CLBUDF;CyberLink InstantBurn UDF Filesystem; [x]
S2 McciCMService64;McciCMService64;c:\program files\Common Files\Motive\McciCMService.exe [2011-06-30 517632]
S2 McciServiceHost;McciServiceHost;c:\program files (x86)\Common Files\Motive\McciServiceHost.exe [2010-07-27 315392]
S2 NAUpdate;Nero Update;c:\program files (x86)\Nero\Update\NASvc.exe [2011-11-25 687400]
S2 RichVideo64;Cyberlink RichVideo64 Service(CRVS);c:\program files\CyberLink\Shared files\RichVideo64.exe [2012-04-25 390632]
S2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2012-06-20 3048136]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2012-06-11 10248192]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2012-06-11 367616]
S3 appliandMP;appliandMP;c:\windows\system32\DRIVERS\appliand.sys [2010-06-24 33888]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2012-02-23 95760]
S3 CAXHWBS2;CAXHWBS2;c:\windows\system32\DRIVERS\CAXHWBS2.sys [2007-06-20 409600]
S3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [2009-11-21 75776]
S3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [2009-11-21 177152]
S3 SndTAudio;SndTAudio;c:\windows\system32\drivers\SndTAudio.sys [2012-01-24 34040]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2011-06-20 22:05 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-01-17 02:46]
.
2012-07-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-01-17 02:46]
.
2012-07-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2157790343-3823761573-337949205-1001Core.job
- c:\users\Neal\AppData\Local\Google\Update\GoogleUpdate.exe [2011-11-17 06:11]
.
2012-07-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2157790343-3823761573-337949205-1001UA.job
- c:\users\Neal\AppData\Local\Google\Update\GoogleUpdate.exe [2011-11-17 06:11]
.
2012-07-15 c:\windows\Tasks\SpeedyPC Pro.job
- c:\program files (x86)\SpeedyPC Software\SpeedyPC\SpeedyPC.exe [2012-01-30 22:17]
.
2012-07-15 c:\windows\Tasks\SpeedyPC Registration3.job
- c:\windows\system32\rundll32.exe [2009-07-13 01:14]
.
2012-07-15 c:\windows\Tasks\SpeedyPC Update Version3.job
- c:\program files (x86)\Common Files\SpeedyPC Software\UUS3\SpeedyPC_Update3.exe [2012-01-30 22:17]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 97792 ----a-w- c:\users\Neal\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 97792 ----a-w- c:\users\Neal\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 97792 ----a-w- c:\users\Neal\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 97792 ----a-w- c:\users\Neal\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncBackedUp]
@="{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}"
[HKEY_CLASSES_ROOT\CLSID\{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}]
2012-06-12 00:15 463992 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncPending]
@="{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}"
[HKEY_CLASSES_ROOT\CLSID\{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}]
2012-06-12 00:15 463992 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncRoot]
@="{A759AFF6-5851-457D-A540-F4ECED148351}"
[HKEY_CLASSES_ROOT\CLSID\{A759AFF6-5851-457D-A540-F4ECED148351}]
2012-06-12 00:15 463992 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncShared]
@="{1574C9EF-7D58-488F-B358-8B78C1538F51}"
[HKEY_CLASSES_ROOT\CLSID\{1574C9EF-7D58-488F-B358-8B78C1538F51}]
2012-06-12 00:15 463992 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2011-08-05 163552]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 660360]
"ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2010-07-27 3453440]
"combofix"="c:\combofix\CF25319.3XE" [2010-11-20 345088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/ig?hl=en&source=iglk
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
Trusted Zone: $talisma_url$
TCP: DhcpNameServer = 192.168.1.254
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
DPF: {16F67783-7E72-4C39-99C4-4780A8335484} - hxxp://www.syncmyride.com/Own/Modules/UpdateCenter/applets/sync.cab
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-WinCast - e:\cdsetup\setup.exe
Wow6432Node-HKLM-Run-ArcSoft Connection Service - c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
HKLM-Run-MSC - c:\program files\Microsoft Security Client\msseces.exe
.
.
"ImagePath"="\"c:\program files\CyberLink\Shared files\RichVideo64.exe\"\00Z
[\]^_¯\00\00¯\00\00\00\00HIJKLMNO\00\00\00\00\00\00\00\00\03\00\00\00|}~¯\00\00¯\00\00\00\00v\00\00\00\00\00\00\00\00‘’“"
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\c:\program files (x86)\CyberLink\PowerDVD8\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows CE Services]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Nico Mak Computing\WinZip]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\EPSON\EBAPI\eEBSVC.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\program files (x86)\Common Files\Motive\McciCMService.exe
c:\program files (x86)\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
.
**************************************************************************
.
Completion time: 2012-07-28 22:35:50 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-29 05:35
.
Pre-Run: 64,524,800,000 bytes free
Post-Run: 67,920,232,448 bytes free
.
- - End Of File - - 967EFAE081FB03EF5DB070F6DF43CCE6
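Most of what a helper does with a ComboFix log like the one above is read the autostart sections (services and drivers, Run keys, scheduled tasks) for entries that do not look like they belong. The following is an added example, written for this thread and not ComboFix's own code: it parses a handful of lines copied from the log above and attaches the flags a responder checks before concluding anything. The three line shapes, the "expected" directories, the extension list and the host-binary list are assumptions of the example. Everything it flags here is known software (CyberLink's PowerDVD "Power Control" service, Skype's click-to-call service, Google's per-user updater, ComboFix's own launcher, a SpeedyPC task that runs through rundll32.exe), which is the point: a flag says where to look, not what to conclude.

```python
"""Triage the autostart entries in a ComboFix log.

Added example for this thread; it is not ComboFix's code. It reads the
three line shapes ComboFix uses for services/drivers, Run keys and
scheduled tasks, and attaches the flags a responder looks for before
deciding anything: the file is gone ('[x]'), the image lives outside the
Windows or Program Files trees, the extension is not one an executable
normally has, or the entry launches a host binary whose arguments the log
does not show. The 'expected' roots, extensions and host list below are
this example's assumptions; a flag is a prompt to look, not a verdict.
"""
import re

# Constructed input: lines copied from the ComboFix log posted above.
COMBOFIX_LOG = r"""
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
S2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};Power Control [2010/11/08 20:38];c:\program files (x86)\CyberLink\PowerDVD8\000.fcl [2010-01-13 07:08 146928]
S2 CLBUDF;CyberLink InstantBurn UDF Filesystem; [x]
S2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2012-06-20 3048136]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2011-08-05 163552]
"combofix"="c:\combofix\CF25319.3XE" [2010-11-20 345088]
2012-07-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2157790343-3823761573-337949205-1001Core.job
- c:\users\Neal\AppData\Local\Google\Update\GoogleUpdate.exe [2011-11-17 06:11]
2012-07-15 c:\windows\Tasks\SpeedyPC Registration3.job
- c:\windows\system32\rundll32.exe [2009-07-13 01:14]
"""

SERVICE_RE = re.compile(r"^[RS]\d (?P<name>[^;]+);(?P<desc>[^;]*);(?P<rest>.*)$")
IMAGE_RE = re.compile(r"^(?P<path>.+?) \[(?P<meta>[^\]]*)\]$")   # 'path [date size]'
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)" \[(?P<meta>[^\]]*)\]$')
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (?P<job>.+\.job)$")    # next line: '- image [meta]'

# Assumptions about where autostart images normally live and how they are named.
EXPECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
EXPECTED_EXTENSIONS = (".exe", ".sys", ".dll")
HOST_BINARIES = {"rundll32.exe", "regsvr32.exe", "cmd.exe", "wscript.exe",
                 "cscript.exe", "mshta.exe", "powershell.exe"}


def flags_for(path, missing):
    """Return the list of things worth a second look for one entry."""
    if missing:
        return ["file missing"]
    p = path.lower()
    flags = []
    if not p.startswith(EXPECTED_ROOTS):
        flags.append("outside windows/program files")
    if not p.endswith(EXPECTED_EXTENSIONS):
        flags.append("unusual extension")
    if p.rsplit("\\", 1)[-1] in HOST_BINARIES:
        flags.append("host binary: check its arguments")
    return flags


def _entry(source, name, path, missing=False):
    return {"source": source, "name": name, "path": path,
            "missing": missing, "flags": flags_for(path, missing)}


def _image_path(text):
    """Strip the trailing '[date size]' ComboFix appends to an image path."""
    m = IMAGE_RE.match(text)
    return m["path"] if m else text


def triage(log_text):
    """Parse service, Run-key and scheduled-task lines into flagged entries."""
    entries, pending_job = [], None
    for raw in log_text.strip().splitlines():
        line = raw.strip()
        if pending_job is not None and line.startswith("- "):
            # second line of a scheduled-task entry: '- image [date time]'
            entries.append(_entry("task", pending_job, _image_path(line[2:])))
            pending_job = None
            continue
        pending_job = None
        svc, run, task = SERVICE_RE.match(line), RUN_RE.match(line), TASK_RE.match(line)
        if svc:
            rest = svc["rest"].strip()
            if rest == "[x]":
                entries.append(_entry("service", svc["name"], None, missing=True))
            else:
                entries.append(_entry("service", svc["name"], _image_path(rest)))
        elif run:
            entries.append(_entry("run", run["name"], run["path"]))
        elif task:
            pending_job = task["job"].rsplit("\\", 1)[-1]   # keep only the .job file name
    return entries


if __name__ == "__main__":
    for e in triage(COMBOFIX_LOG):
        mark = "  <-- " + "; ".join(e["flags"]) if e["flags"] else ""
        print(f"{e['source']:8} {e['name']:45} {e['path'] or '-'}{mark}")
```

Run as a script it prints one line per entry with the flags at the end; `triage()` returns the same entries as dicts so the rules can be tightened or loosened for a different machine.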

#19
NealH

    Member

  • Topic Starter
  • Member
  • 19 posts
What do you recommend I do now? Should I re-install some anti-virus software and run a full scan, or ...?

#20
maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
ComboFix did a great job. We will do an antivirus scan with Kaspersky VRT. Also, how is your system now?

Download Virus Removal Tool from Here to your desktop.

Run the programme you have just downloaded to your desktop (it will be randomly named).

First we will run a virus scan.

Click the cog in the upper right.

Select down to and including your main drive; once done, select the Automatic scan tab and press Start Scan.

Allow Virus Removal Tool to delete all infections found.
Once it has finished, select the report tab (last tab).
Select the Detected threats report from the left and press the Save button.
Save it to your desktop and attach it to your next post.

#21
NealH

    Member

  • Topic Starter
  • Member
  • 19 posts
OK, thanks. The scan is running -- it says it will take 20 hours to complete the scan, so I will report the outcome tomorrow night when it finishes. It's 3% complete with nothing found so far.

#22
NealH

    Member

  • Topic Starter
  • Member
  • 19 posts
The scan is still running after 2 days, 3+ hours. I'm at 86% now. I will report back when it completes, which will probably be sometime tomorrow now.

#23
maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
That is way too long! I would like to see the scan results, but this is the longest scan I have ever seen here at G2G. If you can, please let it finish...

#24
NealH

    Member

  • Topic Starter
  • Member
  • 19 posts
OK, the scan finished. I too was quite surprised at how long it took. There were a number of threats found -- around 12 or 15. I double-checked in the configuration that the Scan Scope was exactly as you requested -- I didn't have anything included in the scan scope parameters beyond what you listed for me. The Kaspersky Automatic Scan Report is a 628 MB text file, which vastly exceeds the upload limit on this site. I zipped it up with WinZip, but it's still 37 MB after zipping, still larger than what this site allows me to upload. It's so large, it basically hangs Notepad for a long time (like about 10 minutes) before it opens. You can see from the stats below it scanned quite a few (almost 4 million) objects and it took well over 2 days (about 49+ hours) to complete the scan.

The scan had these interesting statistics: (events: 3781630, objects: 3724828, time: 2 days 05:20:46).

This is the disinfection report - what Kaspersky found and deleted or disinfected:

Status: Deleted (events: 9)
7/30/2012 5:38:28 AM Deleted Trojan program Backdoor.Win64.ZAccess.bs C:\FRST\Quarantine\Desktop.ini High
7/30/2012 5:38:38 AM Deleted Trojan program Backdoor.Win64.ZAccess.br C:\FRST\Quarantine\{daa67205-89ac-97bf-4211-027d13a226e7}\n High
7/30/2012 5:38:41 AM Deleted Trojan program Trojan.Win32.Miner.dw C:\FRST\Quarantine\{daa67205-89ac-97bf-4211-027d13a226e7}\U\00000008.@ High
7/30/2012 5:38:41 AM Deleted Trojan program Trojan.Win32.Miner.dw C:\FRST\Quarantine\{daa67205-89ac-97bf-4211-027d13a226e7}\U\00000008.@//data0000.res High
7/30/2012 5:38:55 AM Deleted Trojan program Trojan.Win32.Miner.dw C:\FRST\Quarantine\{daa67205-89ac-97bf-4211-027d13a226e7}\{daa67205-89ac-97bf-4211-027d13a226e7}\U\00000008.@ High
7/30/2012 5:38:55 AM Deleted Trojan program Trojan.Win32.Miner.dw C:\FRST\Quarantine\{daa67205-89ac-97bf-4211-027d13a226e7}\{daa67205-89ac-97bf-4211-027d13a226e7}\U\00000008.@//data0000.res High
7/30/2012 5:07:49 PM Deleted Trojan program Backdoor.Win32.ZAccess.oun C:\Qoobox\Quarantine\C\Windows\assembly\GAC_32\Desktop.ini.vir High
7/30/2012 5:08:14 PM Deleted Trojan program Backdoor.Win64.ZAccess.bs C:\Qoobox\Quarantine\C\Windows\assembly\GAC_64\Desktop.ini.vir High
7/30/2012 5:08:06 PM Deleted virus Virus.Win64.ZAccess.b C:\Qoobox\Quarantine\C\Windows\System32\Services.exe.vir High
Status: Disinfected (events: 3)
7/31/2012 5:45:40 AM Disinfected Trojan program Trojan-Downloader.Win32.Murlo.ldr Outlook\Archives\Top of Outlook data file\Inbox\[From:Post Express Office][Subject:Post Express Office. You need to get a parcel NR4601908][Time:2011/03/07 16:19:52]/Post_Express_Label_SinID77685.zip/Post Express Label.exe//UPX High
7/31/2012 5:45:40 AM Disinfected Trojan program Trojan-Downloader.Win32.Murlo.ldr Outlook\Archives\Top of Outlook data file\Inbox\[From:Post Express Office][Subject:Post Express Office. You need to get a parcel NR4601908][Time:2011/03/07 16:19:52]/Post_Express_Label_SinID77685.zip/Post Express Label.exe High
7/31/2012 5:45:41 AM Disinfected Trojan program Trojan-Downloader.Win32.Murlo.ldr Outlook\Archives\Top of Outlook data file\Inbox\[From:Post Express Office][Subject:Post Express Office. You need to get a parcel NR4601908][Time:2011/03/07 16:19:52]/Post_Express_Label_SinID77685.zip High
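Twelve events in the report above sounds like a lot, but the paths tell a quieter story: nine are inside C:\FRST\Quarantine and C:\Qoobox\Quarantine, the folders FRST and ComboFix created for what they had already removed, and the other three are one malicious attachment sitting in an Outlook archive. The following is an added example, written for this thread and not Kaspersky's code: it parses those report lines, sorts each hit into quarantine, mail or live, collapses hits inside the same file (the "//data0000.res" and ".zip/..." suffixes are nested containers), and cross-checks the per-status counts against the "events:" headers so a truncated report would show up. The quarantine roots, the mail-store rule and the Behaviour.Platform.Family.Variant naming convention used to pull out the family name are assumptions of the example.

```python
"""Sort a Kaspersky Virus Removal Tool detection report into live hits,
quarantine hits and mail-archive hits.

Added example for this thread; it is not Kaspersky's code. The report lines
are the ones posted above. The quarantine roots (where FRST and ComboFix
park what they removed), the mail-store rule and the naming convention
Behaviour.Platform.Family.Variant used to extract the family are this
example's assumptions.
"""
import re
from collections import Counter

# Constructed input: the 'Detected threats' report lines posted above.
REPORT = r"""
Status: Deleted (events: 9)
7/30/2012 5:38:28 AM Deleted Trojan program Backdoor.Win64.ZAccess.bs C:\FRST\Quarantine\Desktop.ini High
7/30/2012 5:38:38 AM Deleted Trojan program Backdoor.Win64.ZAccess.br C:\FRST\Quarantine\{daa67205-89ac-97bf-4211-027d13a226e7}\n High
7/30/2012 5:38:41 AM Deleted Trojan program Trojan.Win32.Miner.dw C:\FRST\Quarantine\{daa67205-89ac-97bf-4211-027d13a226e7}\U\00000008.@ High
7/30/2012 5:38:41 AM Deleted Trojan program Trojan.Win32.Miner.dw C:\FRST\Quarantine\{daa67205-89ac-97bf-4211-027d13a226e7}\U\00000008.@//data0000.res High
7/30/2012 5:38:55 AM Deleted Trojan program Trojan.Win32.Miner.dw C:\FRST\Quarantine\{daa67205-89ac-97bf-4211-027d13a226e7}\{daa67205-89ac-97bf-4211-027d13a226e7}\U\00000008.@ High
7/30/2012 5:38:55 AM Deleted Trojan program Trojan.Win32.Miner.dw C:\FRST\Quarantine\{daa67205-89ac-97bf-4211-027d13a226e7}\{daa67205-89ac-97bf-4211-027d13a226e7}\U\00000008.@//data0000.res High
7/30/2012 5:07:49 PM Deleted Trojan program Backdoor.Win32.ZAccess.oun C:\Qoobox\Quarantine\C\Windows\assembly\GAC_32\Desktop.ini.vir High
7/30/2012 5:08:14 PM Deleted Trojan program Backdoor.Win64.ZAccess.bs C:\Qoobox\Quarantine\C\Windows\assembly\GAC_64\Desktop.ini.vir High
7/30/2012 5:08:06 PM Deleted virus Virus.Win64.ZAccess.b C:\Qoobox\Quarantine\C\Windows\System32\Services.exe.vir High
Status: Disinfected (events: 3)
7/31/2012 5:45:40 AM Disinfected Trojan program Trojan-Downloader.Win32.Murlo.ldr Outlook\Archives\Top of Outlook data file\Inbox\[From:Post Express Office][Subject:Post Express Office. You need to get a parcel NR4601908][Time:2011/03/07 16:19:52]/Post_Express_Label_SinID77685.zip/Post Express Label.exe//UPX High
7/31/2012 5:45:40 AM Disinfected Trojan program Trojan-Downloader.Win32.Murlo.ldr Outlook\Archives\Top of Outlook data file\Inbox\[From:Post Express Office][Subject:Post Express Office. You need to get a parcel NR4601908][Time:2011/03/07 16:19:52]/Post_Express_Label_SinID77685.zip/Post Express Label.exe High
7/31/2012 5:45:41 AM Disinfected Trojan program Trojan-Downloader.Win32.Murlo.ldr Outlook\Archives\Top of Outlook data file\Inbox\[From:Post Express Office][Subject:Post Express Office. You need to get a parcel NR4601908][Time:2011/03/07 16:19:52]/Post_Express_Label_SinID77685.zip High
"""

HEADER_RE = re.compile(r"^Status: (?P<action>\w+) \(events: (?P<n>\d+)\)$")
LINE_RE = re.compile(
    r"^(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<action>\w+) "
    r"(?P<kind>.+?) "                        # 'Trojan program', 'virus', ...
    r"(?P<name>[\w\-]+(?:\.[\w\-]+){2,}) "   # e.g. Backdoor.Win64.ZAccess.bs
    r"(?P<path>.+) "                         # may contain spaces and nested containers
    r"(?P<severity>High|Medium|Low)$"
)
# Nested containers (archives, packers, mail items) are separated with '/', but '/'
# also appears inside dates such as 2011/03/07; split only where no digit sits on
# both sides of the slash.
CONTAINER_SPLIT = re.compile(r"(?<!\d)/(?!\d)")

# Assumption: folders where the earlier tools in this cleanup stored what they removed.
QUARANTINE_ROOTS = ("c:\\frst\\quarantine\\", "c:\\qoobox\\quarantine\\")


def family_of(name):
    """'Trojan-Downloader.Win32.Murlo.ldr' -> 'Murlo' (third dotted component)."""
    parts = name.split(".")
    return parts[2] if len(parts) >= 3 else name


def on_disk_object(path):
    """Drop the nested-container suffix so several hits inside one file count once."""
    return CONTAINER_SPLIT.split(path, maxsplit=1)[0]


def classify(path):
    p = path.lower()
    if p.startswith(QUARANTINE_ROOTS):
        return "quarantine"       # already neutralised by FRST/ComboFix
    if p.startswith("outlook\\") or "[from:" in p:
        return "mail"             # assumption: mail-store objects are logged this way
    return "live"


def parse_report(text):
    """Return (records, counts declared by the 'Status:' headers, lines that did not parse)."""
    records, declared, unparsed = [], Counter(), []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER_RE.match(line)
        if header:
            declared[header["action"]] += int(header["n"])
            continue
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        rec = m.groupdict()
        rec["family"] = family_of(rec["name"])
        rec["object"] = on_disk_object(rec["path"])
        rec["location"] = classify(rec["path"])
        records.append(rec)
    return records, declared, unparsed


def summarize(records):
    return {
        "total": len(records),
        "by_action": Counter(r["action"] for r in records),
        "by_location": Counter(r["location"] for r in records),
        "families": sorted({r["family"] for r in records}),
        "objects": sorted({r["object"] for r in records}),
        "live": [r for r in records if r["location"] == "live"],
    }


if __name__ == "__main__":
    recs, declared, bad = parse_report(REPORT)
    s = summarize(recs)
    print(f"{s['total']} events (headers declare {dict(declared)}, {len(bad)} unparsed)")
    print("by location:", dict(s["by_location"]))
    print("families:", ", ".join(s["families"]))
    print("distinct on-disk objects:", len(s["objects"]))
    for r in s["live"]:
        print("LIVE:", r["name"], r["object"])
    if not s["live"]:
        print("no detections outside the quarantine folders or the mail archive")
```

On this report the "live" list comes back empty: twelve events, eight distinct files, three malware families (ZAccess, Miner, Murlo), and nothing outside the tool quarantines or the mail archive, which is what makes "how is your system now?" the right next question rather than another removal pass.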

#25
maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Good. How is your system now? Any problems?
#26
NealH

    Member

  • Topic Starter
  • Member
  • 19 posts
My computer seems to be running OK. I'm not seeing any problems. Looks like we can consider this case closed. Thank you very much for your help.

#27
maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Your logs and system are clean now. I'm glad we fixed up your computer.

Step 1

Please close all running programs and Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL

    :Commands
    [purity]
    [emptytemp]
    [resethosts]
    [clearallrestorepoints]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
Step 2

We need to clean up your PC from programs we used.

Please start OTL one more time and click CleanUp button. OTL will restart your system at the end.

In case that any of the software we used in this fix still remains on your system please delete it manually (Right click on it and select Delete).

General recommendations

Here are some recommendations you should follow to minimize infection risk in the future:

1. Something to read

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?

2. Make Backups of Important Files

Please read this article Home Computer Data Backup.

3. Regularly update your software

To eliminate design flaws and security vulnerabilities, all software needs to be updated to the latest version or the vendor’s patch installed.

You should download Update Checker from here. The program will automatically check for newer versions of the software installed on your system.

#28
NealH

    Member

  • Topic Starter
  • Member
  • 19 posts
OK, I completed all the steps. Thanks for the information as well.

#29
maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.