ok first off im not very good with computer so please bare with me. my computer keeps telling me it has found harmful software callled Trojan:Win32/Sirefef.AN and it asks me to remove it. ive removed it atleast 10 time now and it keeps popping up again saying to remove it. i searched it on google and the only thing i can come up with is a guide to remove it. the only problem is that i cant fully understand how to do what the guide is telling me. its not very descriptive. if someone could help me out it would be very appreciated. ill post the guide to remove the trojan i found..also does anyone know what this is and how i got it?
virus help
- Thread starter X-Raided
- Start date
Step1: Open Task Manager and end all the malicious processes created by XY. ( Methods to open Task Manager: Press CTRL+ALT+DEL or CTRL+SHIFT+ESC or Press the Start button->click on the Run option->Type in taskmgr and press OK.)
Step 2: Go to Regitry Editor and delete malicious registry entries related to Trojan:Win32/Sirefef.AN:
%WINDOWS%\system32\[random_name].dll
%WINDOWS%\system32\o2flash.dll
%WINDOWS%\system32\p1131vid.dll
%WINDOWS%\system32\tb2launch.dll
%WINDOWS%\system32\wdica.dll
%WINDOWS%\ystem32\drivers\[random_characters].sys
%Temp%\[random]
Step 3: Search and Remove malicious files of Trojan:Win32/Sirefef.AN:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments “SaveZoneInformation” = ’1′
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer “NoDesktop” = ’1′
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableTaskMgr” = ’1′
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “[random].exe”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “DisableTaskMgr” = ’1′
Step 2: Go to Regitry Editor and delete malicious registry entries related to Trojan:Win32/Sirefef.AN:
%WINDOWS%\system32\[random_name].dll
%WINDOWS%\system32\o2flash.dll
%WINDOWS%\system32\p1131vid.dll
%WINDOWS%\system32\tb2launch.dll
%WINDOWS%\system32\wdica.dll
%WINDOWS%\ystem32\drivers\[random_characters].sys
%Temp%\[random]
Step 3: Search and Remove malicious files of Trojan:Win32/Sirefef.AN:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments “SaveZoneInformation” = ’1′
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer “NoDesktop” = ’1′
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableTaskMgr” = ’1′
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “[random].exe”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “DisableTaskMgr” = ’1′
What software is telling you that you are infected? Why are you doing it the hard way and depending on the site you are using, I wouldn't be trusting them.
Please download Malwarebytes' Anti-Malware from here or here and save it to your desktop.
If for some reason Malwarebytes will not install or run please download and run Rkill.scr, Rkill.exe, or Rkill.com. If you are still having issues running rkill then try downloading these renamed versions of the same program.
EXPLORER.EXE
IEXPLORE.EXE
USERINIT.EXE
WINLOGON.EXE
But DO NOT reboot the system and then try installing or running Malwarebytes. If Rkill (which is a black box) appears and then disappears right away or you get a message saying rkill is infected, keep trying to run rkill until it over powers the infection and temporarily kills it. Once a log appears on the screen, you can try running malwarebytes or downloading other programs.
Download the HijackThis installer from here.
Run the installer and choose Install, indicating that you accept the licence agreement. The installer will place a shortcut on your desktop and launch HijackThis.
Vista and Windows 7 users must right click on the hijackthis icon and click on run as. If the run as option doesn't appear then press and hold the shift key while right clicking on the icon to get it to appear.
Click Do a system scan and save a logfile
Most of what HijackThis lists will be harmless or even essential, don't fix anything yet.
When the hijackthis log appears in a notepad file, click on the edit menu, click select all, then click on the edit menu again and click on copy. Come back to your reply and right click on your mouse and click on paste.
Post the logfile that HijackThis produces along with the Malwarebytes Anti-Malware log
Please download Malwarebytes' Anti-Malware from here or here and save it to your desktop.
- Double-click mbam-setup.exe and follow the prompts to install the program.
- At the end, be sure a checkmark is placed next to
- Update Malwarebytes' Anti-Malware
- and Launch Malwarebytes' Anti-Malware
- then click Finish.
- If an update is found, it will download and install the latest version. Please keep updating until it says you have the latest version.
- Once the program has loaded, select Perform quick scan, then click Scan.
- When the scan is complete, click OK, then Show Results to view the results.
- Be sure that everything is checked, and click Remove Selected.
- A log will be saved automatically which you can access by clicking on the Logs tab within Malwarebytes' Anti-Malware
If for some reason Malwarebytes will not install or run please download and run Rkill.scr, Rkill.exe, or Rkill.com. If you are still having issues running rkill then try downloading these renamed versions of the same program.
EXPLORER.EXE
IEXPLORE.EXE
USERINIT.EXE
WINLOGON.EXE
But DO NOT reboot the system and then try installing or running Malwarebytes. If Rkill (which is a black box) appears and then disappears right away or you get a message saying rkill is infected, keep trying to run rkill until it over powers the infection and temporarily kills it. Once a log appears on the screen, you can try running malwarebytes or downloading other programs.
Download the HijackThis installer from here.
Run the installer and choose Install, indicating that you accept the licence agreement. The installer will place a shortcut on your desktop and launch HijackThis.
Vista and Windows 7 users must right click on the hijackthis icon and click on run as. If the run as option doesn't appear then press and hold the shift key while right clicking on the icon to get it to appear.
Click Do a system scan and save a logfile
Most of what HijackThis lists will be harmless or even essential, don't fix anything yet.
When the hijackthis log appears in a notepad file, click on the edit menu, click select all, then click on the edit menu again and click on copy. Come back to your reply and right click on your mouse and click on paste.
Post the logfile that HijackThis produces along with the Malwarebytes Anti-Malware log
okay, so i did the malware bytes scan and it detected 3 objects that i removed. as for the HiJack This program here is the log
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:39:41 PM, on 5/13/2013
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v9.00 (9.00.8112.16476)
Boot mode: Normal
Running processes:
C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe
C:\Users\ray\AppData\Roaming\BitTorrent\BitTorrent.exe
C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe
C:\Program Files (x86)\MagicDisc\MagicDisc.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe
C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe
C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\RealNetworks\RealDownloader\recordingmanager.exe
C:\Windows\SysWOW64\svchost.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: RealNetworks Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATKOSD2] C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe
O4 - HKLM\..\Run: [ATKMEDIA] C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe
O4 - HKLM\..\Run: [HControlUser] C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe
O4 - HKLM\..\Run: [DivXMediaServer] C:\Program Files (x86)\DivX\DivX Media Server\DivXMediaServer.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide
O4 - HKLM\..\Run: [TkBellExe] "c:\program files (x86)\real\realplayer\Update\realsched.exe" -osboot
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [BitTorrent] "C:\Users\ray\AppData\Roaming\BitTorrent\BitTorrent.exe" /MINIMIZED
O4 - HKCU\..\Run: [Logitech Vid] "C:\Program Files (x86)\Logitech\Logitech Vid\vid.exe" -bootmode
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files (x86)\DAEMON Tools Pro\DTAgent.exe" -autorun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Startup: MagicDisc.lnk = C:\Program Files (x86)\MagicDisc\MagicDisc.exe
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: ASLDR Service (ASLDRService) - ASUS - C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe
O23 - Service: ATKGFNEX Service (ATKGFNEXSrv) - ASUS - C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) Content Protection HECI Service (cphs) - Intel Corporation - C:\Windows\SysWow64\IntelCpHeciSvc.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Process Monitor (LVPrcS64) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: RealNetworks Downloader Resolver Service - Unknown owner - C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
--
End of file - 9386 bytes
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:39:41 PM, on 5/13/2013
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v9.00 (9.00.8112.16476)
Boot mode: Normal
Running processes:
C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe
C:\Users\ray\AppData\Roaming\BitTorrent\BitTorrent.exe
C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe
C:\Program Files (x86)\MagicDisc\MagicDisc.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe
C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe
C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\RealNetworks\RealDownloader\recordingmanager.exe
C:\Windows\SysWOW64\svchost.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: RealNetworks Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATKOSD2] C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe
O4 - HKLM\..\Run: [ATKMEDIA] C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe
O4 - HKLM\..\Run: [HControlUser] C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe
O4 - HKLM\..\Run: [DivXMediaServer] C:\Program Files (x86)\DivX\DivX Media Server\DivXMediaServer.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide
O4 - HKLM\..\Run: [TkBellExe] "c:\program files (x86)\real\realplayer\Update\realsched.exe" -osboot
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [BitTorrent] "C:\Users\ray\AppData\Roaming\BitTorrent\BitTorrent.exe" /MINIMIZED
O4 - HKCU\..\Run: [Logitech Vid] "C:\Program Files (x86)\Logitech\Logitech Vid\vid.exe" -bootmode
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files (x86)\DAEMON Tools Pro\DTAgent.exe" -autorun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Startup: MagicDisc.lnk = C:\Program Files (x86)\MagicDisc\MagicDisc.exe
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: ASLDR Service (ASLDRService) - ASUS - C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe
O23 - Service: ATKGFNEX Service (ATKGFNEXSrv) - ASUS - C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) Content Protection HECI Service (cphs) - Intel Corporation - C:\Windows\SysWow64\IntelCpHeciSvc.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Process Monitor (LVPrcS64) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: RealNetworks Downloader Resolver Service - Unknown owner - C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
--
End of file - 9386 bytes
Last edited by a moderator:
there it is
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
Database version: v2013.05.13.09
Windows 7 x64 NTFS
Internet Explorer 9.0.8112.16421
ray :: RAY-PC [administrator]
5/13/2013 4:34:10 PM
mbam-log-2013-05-13 (16-34-10).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 219408
Time elapsed: 7 minute(s), 6 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 3
C:\Users\ray\AppData\Local\Temp\bqpnedy (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Users\ray\AppData\Local\Temp\msimg32.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\$Recycle.Bin\S-1-5-21-2210142320-3163110101-2213217975-1000\$441a5886718862ea37ebd89b704084e9\n (Trojan.0Access) -> Delete on reboot.
(end)
Uh oh, Zero access can be difficult to remove. Lets do the following.
1.
Please download and run TDSSkiller
When the program opens, click on the start scan button.
TDSSKiller will now scan your computer for the TDSS infection. When the scan has finished it will display a result screen stating whether or not the infection was found on your computer. If it was found it will display a screen similar to the one below.
To remove the infections simply click on the Continue button and TDSSKiller will attempt to clean them or remove them.
After trying to clean them it will pop up with the results of the scan and its actions.
Please reboot the system if asked to do so.
After running there will be a log that will be located at the root of your c:\ drive labeled tdsskiller with a series of numbers after it example, C:\TDSSKiller.2.4.7_23.07.2010_15.31.43_log.txt
Please open the log and copy and paste it back here.
2.
Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.
In your next reply please post:
1.
Please download and run TDSSkiller
When the program opens, click on the start scan button.
TDSSKiller will now scan your computer for the TDSS infection. When the scan has finished it will display a result screen stating whether or not the infection was found on your computer. If it was found it will display a screen similar to the one below.
To remove the infections simply click on the Continue button and TDSSKiller will attempt to clean them or remove them.
After trying to clean them it will pop up with the results of the scan and its actions.
Please reboot the system if asked to do so.
After running there will be a log that will be located at the root of your c:\ drive labeled tdsskiller with a series of numbers after it example, C:\TDSSKiller.2.4.7_23.07.2010_15.31.43_log.txt
Please open the log and copy and paste it back here.
2.
Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.
- Download this file here :
Combofix
- When the page loads click on the blue combofix download link next to the BleepingComputer Mirror.
- Save the file to your windows desktop. The combofix icon will look like this when it has downloaded to your desktop.
- We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:
- Close all open Windows including this one.
- Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix. Instructions on disabling these type of programs can be found here.
Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.
- Please click on I agree on the disclaimer window.
- ComboFix will now install itself on to your computer. When it is done, a blue screen will appear as shown below.
- ComboFix is now preparing to run. When it has finished ComboFix will automatically attempt to create a System Restore point so that if any problems occur while using the program you can restore back to your previous configuration. When ComboFix has finished creating the restore point, it will then backup your Windows Registry as shown in the image below.
- Once the Windows Registry has finished being backed up, ComboFix will attempt to detect if you have the Windows Recovery Console installed. If you already have it installed, you can skip to this section and continue reading. Otherwise you will see the following message as shown below:
- At the above message box, please click on the Yes button in order for ComboFix to continue. Please follow the steps and instructions given by ComboFix in order to finish the installation of the Recovery Console.
- Please click on yes in the next window to continue scanning for malware.
- ComboFix will now disconnect your computer from the Internet, so do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet. When ComboFix has finished it will automatically restore your Internet connection.
- ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient.
- While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to their previous settings. You will also see the text in the ComboFix window being updated as it goes through the various stages of its scan. An example of this can be seen below.
- When ComboFix has finished running, you will see a screen stating that it is preparing the log report.
- This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt.
- When ComboFix has finished, it will automatically close the program and change your clock back to its original format. It will then display the log file automatically for you.
- Now you just click on the edit menu and click on select all, then click on the edit menu again and click on copy. Then come to the forum in your reply and right click on your mouse and click on paste.
In your next reply please post:
- The ComboFix log
- A fresh HiJackThis log
- An update on how your computer is running
alright here is the Combofix log file....
ComboFix 13-05-13.01 - ray 05/13/2013 17:49:44.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3873.2887 [GMT -7:00]
Running from: c:\users\ray\Downloads\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\$recycle.bin\S-1-5-21-2210142320-3163110101-2213217975-1000\$441a5886718862ea37ebd89b704084e9\@
c:\$recycle.bin\S-1-5-21-2210142320-3163110101-2213217975-1000\$441a5886718862ea37ebd89b704084e9\L\00000004.@
c:\$recycle.bin\S-1-5-21-2210142320-3163110101-2213217975-1000\$441a5886718862ea37ebd89b704084e9\U\00000004.@
c:\$recycle.bin\S-1-5-21-2210142320-3163110101-2213217975-1000\$441a5886718862ea37ebd89b704084e9\U\00000008.@
c:\$recycle.bin\S-1-5-21-2210142320-3163110101-2213217975-1000\$441a5886718862ea37ebd89b704084e9\U\000000cb.@
c:\$recycle.bin\S-1-5-21-2210142320-3163110101-2213217975-1000\$441a5886718862ea37ebd89b704084e9\U\80000000.@
c:\$recycle.bin\S-1-5-21-2210142320-3163110101-2213217975-1000\$441a5886718862ea37ebd89b704084e9\U\80000064.@
c:\windows\iun6002.exe
c:\windows\msvcr71.dll
c:\windows\SysWow64\tmp2131.tmp
c:\windows\SysWow64\tmp3330.tmp
c:\windows\SysWow64\tmpF523.tmp
.
.
((((((((((((((((((((((((( Files Created from 2013-04-14 to 2013-05-14 )))))))))))))))))))))))))))))))
.
.
2013-05-14 00:56 . 2013-05-14 00:56 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-05-14 00:55 . 2013-05-14 00:55 76232 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{6FF9BE5B-8C36-4F35-BBBD-972F715B98D0}\offreg.dll
2013-05-13 23:38 . 2013-05-13 23:38 388096 ----a-r- c:\users\ray\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2013-05-13 23:38 . 2013-05-13 23:38 -------- d-----w- c:\program files (x86)\Trend Micro
2013-05-13 23:33 . 2013-05-13 23:33 -------- d-----w- c:\users\ray\AppData\Roaming\Malwarebytes
2013-05-13 23:33 . 2013-05-13 23:33 -------- d-----w- c:\programdata\Malwarebytes
2013-05-13 23:33 . 2013-04-04 21:50 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-05-13 23:33 . 2013-05-13 23:33 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2013-05-13 23:32 . 2013-05-13 23:32 -------- d-----w- c:\users\ray\AppData\Local\Programs
2013-05-11 22:13 . 2013-04-10 03:46 9317456 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{6FF9BE5B-8C36-4F35-BBBD-972F715B98D0}\mpengine.dll
2013-05-08 01:40 . 2013-05-08 01:40 -------- d-----w- c:\users\ray\AppData\Local\Diagnostics
2013-05-03 15:14 . 2013-05-03 15:14 -------- d-----w- c:\windows\system32\EventProviders
2013-04-25 18:11 . 2013-04-25 18:11 -------- d-----w- c:\windows\SysWow64\xlive
2013-04-25 18:11 . 2013-04-25 18:11 -------- d-----w- c:\program files (x86)\Microsoft Games for Windows - LIVE
2013-04-25 15:06 . 2013-04-25 15:06 -------- d-----w- c:\users\ray\AppData\Roaming\RealNetworks
2013-04-25 15:05 . 2013-04-25 15:05 -------- d-----w- c:\program files (x86)\RealNetworks
2013-04-25 15:05 . 2013-04-25 15:05 -------- d-----w- c:\programdata\RealNetworks
2013-04-25 15:05 . 2013-04-25 15:05 -------- d-----w- c:\program files (x86)\Common Files\xing shared
2013-04-24 19:47 . 2013-04-24 19:47 -------- d-----w- c:\windows\en
2013-04-24 19:46 . 2013-04-24 19:46 -------- d-----w- c:\program files (x86)\Microsoft SQL Server Compact Edition
2013-04-24 19:45 . 2013-04-24 19:45 20808 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2013-04-24 19:45 . 2013-04-24 19:46 -------- d-----w- c:\program files (x86)\Windows Live
2013-04-24 19:45 . 2013-04-24 19:45 -------- d-----w- c:\windows\PCHEALTH
2013-04-24 19:40 . 2013-05-08 06:31 -------- d-----w- c:\users\ray\AppData\Local\Windows Live
2013-04-24 19:40 . 2013-04-24 19:40 -------- d-----w- c:\program files (x86)\Common Files\Windows Live
2013-04-24 19:30 . 2013-04-12 14:36 1653096 ----a-w- c:\windows\system32\drivers\ntfs.sys
2013-04-24 17:48 . 2008-10-15 13:22 519000 ----a-w- c:\windows\system32\d3dx10_40.dll
2013-04-24 17:48 . 2008-10-15 13:22 452440 ----a-w- c:\windows\SysWow64\d3dx10_40.dll
2013-04-24 17:48 . 2008-10-15 13:22 2605920 ----a-w- c:\windows\system32\D3DCompiler_40.dll
2013-04-24 17:48 . 2008-10-15 13:22 2036576 ----a-w- c:\windows\SysWow64\D3DCompiler_40.dll
2013-04-24 17:48 . 2008-10-15 13:22 5631312 ----a-w- c:\windows\system32\D3DX9_40.dll
2013-04-24 17:48 . 2008-10-15 13:22 4379984 ----a-w- c:\windows\SysWow64\D3DX9_40.dll
2013-04-24 17:28 . 2013-04-24 17:28 -------- d--h--w- c:\programdata\Common Files
2013-04-24 17:26 . 2013-04-24 17:26 -------- d-----w- c:\program files (x86)\Codemasters
2013-04-24 17:24 . 2013-04-24 17:24 283200 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2013-04-24 17:23 . 2013-04-24 17:24 -------- d-----w- c:\program files (x86)\DAEMON Tools Pro
2013-04-24 16:21 . 2013-04-24 16:22 -------- d-----w- c:\users\ray\AppData\Local\ArmA
2013-04-24 16:14 . 2013-04-24 16:14 108144 ----a-w- c:\windows\SysWow64\CmdLineExt.dll
2013-04-24 15:43 . 2013-04-25 05:39 -------- d-----w- c:\users\ray\AppData\Local\Pokki
2013-04-24 15:43 . 2013-04-24 15:46 -------- d-----w- c:\users\ray\AppData\Roaming\DAEMON Tools Pro
2013-04-24 15:43 . 2013-04-24 17:23 -------- d-----w- c:\users\ray\AppData\Roaming\OpenCandy
2013-04-24 15:42 . 2013-04-24 15:47 -------- d-----w- c:\programdata\DAEMON Tools Pro
2013-04-24 15:32 . 2013-04-24 15:37 -------- d-----w- c:\program files (x86)\Vietcong2
2013-04-24 15:13 . 2013-04-24 15:13 -------- d-----w- c:\program files (x86)\OpenAL
2013-04-24 01:56 . 2013-04-24 01:57 -------- d-----w- c:\users\ray\AppData\Local\ArmA 2
2013-04-23 00:12 . 2013-04-23 00:12 -------- d-----w- c:\program files (x86)\Microsoft CAPICOM 2.1.0.2
2013-04-18 21:02 . 2013-04-18 21:02 -------- d-----w- c:\users\ray\AppData\Local\arw
2013-04-18 21:02 . 2013-04-18 21:02 -------- d-----w- c:\program files (x86)\Audio Record Wizard
2013-04-18 20:46 . 2013-04-18 20:46 -------- d-----w- c:\program files (x86)\Replay Converter
2013-04-18 19:57 . 2013-04-18 19:57 -------- d-----w- c:\windows\Downloaded Installations
2013-04-18 19:56 . 2007-03-04 11:55 1936528 ----a-w- c:\windows\SysWow64\ltmm15.dll
2013-04-18 19:56 . 2007-03-04 11:55 135168 ----a-w- c:\windows\SysWow64\DSKernel2.dll
2013-04-18 19:56 . 2013-04-18 21:06 -------- d-----w- c:\program files\Replay AV 8
2013-04-18 19:55 . 2013-04-18 19:55 -------- d-----w- c:\program files (x86)\Replay AV 8
2013-04-18 18:43 . 2013-04-18 18:43 -------- d-----w- c:\program files (x86)\Portable
2013-04-18 17:29 . 2013-04-18 17:29 -------- d-----w- c:\users\ray\AppData\Local\LogiShrd
2013-04-18 17:29 . 2013-04-18 17:29 -------- d-----w- c:\program files (x86)\Logitech
2013-04-18 17:29 . 2013-04-18 17:29 -------- d-----w- c:\users\ray\AppData\Roaming\Leadertech
2013-04-18 17:28 . 2013-04-18 17:28 -------- d-----w- c:\program files (x86)\Common Files\LogiShrd
2013-04-18 17:28 . 2013-04-21 18:56 -------- d-----w- c:\programdata\LogiShrd
2013-04-18 17:28 . 2013-04-18 17:28 -------- d-----w- c:\program files\Logitech
2013-04-18 17:26 . 2013-04-18 17:28 -------- d-----w- c:\program files\Common Files\logishrd
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-02 09:06 . 2013-02-19 15:38 278800 ------w- c:\windows\system32\MpSigStub.exe
2013-04-25 15:04 . 2013-02-19 04:07 499712 ----a-w- c:\windows\SysWow64\msvcp71.dll
2013-04-25 15:04 . 2013-02-19 04:07 348160 ----a-w- c:\windows\SysWow64\msvcr71.dll
2013-04-12 16:08 . 2013-04-08 16:11 72702784 ----a-w- c:\windows\system32\MRT.exe
2013-03-22 00:16 . 2013-03-22 00:17 95648 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-03-22 00:16 . 2013-03-22 00:17 861088 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2013-03-22 00:16 . 2013-03-22 00:17 782240 ----a-w- c:\windows\SysWow64\deployJava1.dll
2013-03-19 06:19 . 2013-04-10 14:50 5497688 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-19 05:54 . 2013-04-10 14:50 43520 ----a-w- c:\windows\system32\csrsrv.dll
2013-03-19 05:06 . 2013-04-10 14:50 3958120 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2013-03-19 05:06 . 2013-04-10 14:50 3902312 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2013-03-19 04:53 . 2013-04-10 14:50 6656 ----a-w- c:\windows\SysWow64\apisetschema.dll
2013-03-19 03:19 . 2013-04-10 14:50 112640 ----a-w- c:\windows\system32\smss.exe
2013-03-13 15:22 . 2013-02-19 03:32 73432 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-03-13 15:22 . 2013-02-19 03:32 693976 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-03-01 03:32 . 2013-04-10 14:50 3150848 ----a-w- c:\windows\system32\win32k.sys
2013-02-22 15:16 . 2013-02-22 15:16 86528 ----a-w- c:\windows\SysWow64\iesysprep.dll
2013-02-22 15:16 . 2013-02-22 15:16 76800 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe
2013-02-22 15:16 . 2013-02-22 15:16 74752 ----a-w- c:\windows\SysWow64\RegisterIEPKEYs.exe
2013-02-22 15:16 . 2013-02-22 15:16 74752 ----a-w- c:\windows\SysWow64\iesetup.dll
2013-02-22 15:16 . 2013-02-22 15:16 63488 ----a-w- c:\windows\SysWow64\tdc.ocx
2013-02-22 15:16 . 2013-02-22 15:16 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll
2013-02-22 15:16 . 2013-02-22 15:16 367104 ----a-w- c:\windows\SysWow64\html.iec
2013-02-22 15:16 . 2013-02-22 15:16 35840 ----a-w- c:\windows\SysWow64\imgutil.dll
2013-02-22 15:16 . 2013-02-22 15:16 23552 ----a-w- c:\windows\SysWow64\licmgr10.dll
2013-02-22 15:16 . 2013-02-22 15:16 161792 ----a-w- c:\windows\SysWow64\msls31.dll
2013-02-22 15:16 . 2013-02-22 15:16 152064 ----a-w- c:\windows\SysWow64\wextract.exe
2013-02-22 15:16 . 2013-02-22 15:16 150528 ----a-w- c:\windows\SysWow64\iexpress.exe
2013-02-22 15:16 . 2013-02-22 15:16 11776 ----a-w- c:\windows\SysWow64\mshta.exe
2013-02-22 15:16 . 2013-02-22 15:16 110592 ----a-w- c:\windows\SysWow64\IEAdvpack.dll
2013-02-22 15:16 . 2013-02-22 15:16 101888 ----a-w- c:\windows\SysWow64\admparse.dll
2013-02-22 15:16 . 2013-02-22 15:16 91648 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2013-02-22 15:16 . 2013-02-22 15:16 89088 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2013-02-22 15:16 . 2013-02-22 15:16 89088 ----a-w- c:\windows\system32\ie4uinit.exe
2013-02-22 15:16 . 2013-02-22 15:16 85504 ----a-w- c:\windows\system32\iesetup.dll
2013-02-22 15:16 . 2013-02-22 15:16 82432 ----a-w- c:\windows\system32\icardie.dll
2013-02-22 15:16 . 2013-02-22 15:16 76800 ----a-w- c:\windows\system32\tdc.ocx
2013-02-22 15:16 . 2013-02-22 15:16 65024 ----a-w- c:\windows\system32\pngfilt.dll
2013-02-22 15:16 . 2013-02-22 15:16 55296 ----a-w- c:\windows\system32\msfeedsbs.dll
2013-02-22 15:16 . 2013-02-22 15:16 534528 ----a-w- c:\windows\system32\ieapfltr.dll
2013-02-22 15:16 . 2013-02-22 15:16 49664 ----a-w- c:\windows\system32\imgutil.dll
2013-02-22 15:16 . 2013-02-22 15:16 48640 ----a-w- c:\windows\system32\mshtmler.dll
2013-02-22 15:16 . 2013-02-22 15:16 452608 ----a-w- c:\windows\system32\dxtmsft.dll
2013-02-22 15:16 . 2013-02-22 15:16 448512 ----a-w- c:\windows\system32\html.iec
2013-02-22 15:16 . 2013-02-22 15:16 403248 ----a-w- c:\windows\system32\iedkcs32.dll
2013-02-22 15:16 . 2013-02-22 15:16 39936 ----a-w- c:\windows\system32\iernonce.dll
2013-02-22 15:16 . 2013-02-22 15:16 3695416 ----a-w- c:\windows\system32\ieapfltr.dat
2013-02-22 15:16 . 2013-02-22 15:16 30720 ----a-w- c:\windows\system32\licmgr10.dll
2013-02-22 15:16 . 2013-02-22 15:16 282112 ----a-w- c:\windows\system32\dxtrans.dll
2013-02-22 15:16 . 2013-02-22 15:16 267776 ----a-w- c:\windows\system32\ieaksie.dll
2013-02-22 15:16 . 2013-02-22 15:16 249344 ----a-w- c:\windows\system32\webcheck.dll
2013-02-22 15:16 . 2013-02-22 15:16 222208 ----a-w- c:\windows\system32\msls31.dll
2013-02-22 15:16 . 2013-02-22 15:16 197120 ----a-w- c:\windows\system32\msrating.dll
2013-02-22 15:16 . 2013-02-22 15:16 165888 ----a-w- c:\windows\system32\iexpress.exe
2013-02-22 15:16 . 2013-02-22 15:16 163840 ----a-w- c:\windows\system32\ieakui.dll
2013-02-22 15:16 . 2013-02-22 15:16 160256 ----a-w- c:\windows\system32\wextract.exe
2013-02-22 15:16 . 2013-02-22 15:16 160256 ----a-w- c:\windows\system32\ieakeng.dll
2013-02-22 15:16 . 2013-02-22 15:16 149504 ----a-w- c:\windows\system32\occache.dll
2013-02-22 15:16 . 2013-02-22 15:16 145920 ----a-w- c:\windows\system32\iepeers.dll
2013-02-22 15:16 . 2013-02-22 15:16 135168 ----a-w- c:\windows\system32\IEAdvpack.dll
2013-02-22 15:16 . 2013-02-22 15:16 12288 ----a-w- c:\windows\system32\mshta.exe
2013-02-22 15:16 . 2013-02-22 15:16 114176 ----a-w- c:\windows\system32\admparse.dll
2013-02-22 15:16 . 2013-02-22 15:16 111616 ----a-w- c:\windows\system32\iesysprep.dll
2013-02-22 15:16 . 2013-02-22 15:16 10752 ----a-w- c:\windows\system32\msfeedssync.exe
2013-02-22 15:16 . 2013-02-22 15:16 103936 ----a-w- c:\windows\system32\inseng.dll
2013-02-22 06:57 . 2013-04-12 16:07 17817088 ----a-w- c:\windows\system32\mshtml.dll
2013-02-22 06:29 . 2013-04-12 16:07 10925568 ----a-w- c:\windows\system32\ieframe.dll
2013-02-22 06:27 . 2013-04-12 16:07 2312704 ----a-w- c:\windows\system32\jscript9.dll
2013-02-22 06:21 . 2013-04-12 16:07 1346560 ----a-w- c:\windows\system32\urlmon.dll
2013-02-22 06:20 . 2013-04-12 16:07 1392128 ----a-w- c:\windows\system32\wininet.dll
2013-02-22 06:19 . 2013-04-12 16:07 1494528 ----a-w- c:\windows\system32\inetcpl.cpl
2013-02-22 06:18 . 2013-04-12 16:07 237056 ----a-w- c:\windows\system32\url.dll
2013-02-22 06:17 . 2013-04-12 16:07 85504 ----a-w- c:\windows\system32\jsproxy.dll
2013-02-22 06:15 . 2013-04-12 16:07 173056 ----a-w- c:\windows\system32\ieUnatt.exe
2013-02-22 06:15 . 2013-04-12 16:07 599040 ----a-w- c:\windows\system32\vbscript.dll
2013-02-22 06:15 . 2013-04-12 16:07 816640 ----a-w- c:\windows\system32\jscript.dll
2013-02-22 06:14 . 2013-04-12 16:07 729088 ----a-w- c:\windows\system32\msfeeds.dll
2013-02-22 06:13 . 2013-04-12 16:07 2147840 ----a-w- c:\windows\system32\iertutil.dll
2013-02-22 06:13 . 2013-04-12 16:07 96768 ----a-w- c:\windows\system32\mshtmled.dll
2013-02-22 06:12 . 2013-04-12 16:07 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2013-02-22 06:09 . 2013-04-12 16:07 248320 ----a-w- c:\windows\system32\ieui.dll
2013-02-22 03:46 . 2013-04-12 16:07 1800704 ----a-w- c:\windows\SysWow64\jscript9.dll
2013-02-22 03:38 . 2013-04-12 16:07 1129472 ----a-w- c:\windows\SysWow64\wininet.dll
2013-02-22 03:37 . 2013-04-12 16:07 1427968 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2013-02-22 03:34 . 2013-04-12 16:07 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2013-02-22 03:34 . 2013-04-12 16:07 420864 ----a-w- c:\windows\SysWow64\vbscript.dll
2013-02-22 03:31 . 2013-04-12 16:07 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2013-02-19 04:44 . 2013-02-19 04:44 45056 ----a-w- c:\windows\SysWow64\acovcnt.exe
2013-02-19 04:28 . 2013-02-19 04:29 53248 ----a-w- c:\windows\SysWow64\CSVer.dll
2013-02-19 01:54 . 2013-02-19 01:55 169584 ----a-w- c:\windows\system32\drivers\L1C62x64.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent"="c:\users\ray\AppData\Roaming\BitTorrent\BitTorrent.exe" [2013-04-24 882520]
"Logitech Vid"="c:\program files (x86)\Logitech\Logitech Vid\vid.exe" [2009-07-16 5458704]
"DAEMON Tools Pro Agent"="c:\program files (x86)\DAEMON Tools Pro\DTAgent.exe" [2012-10-23 3108480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-12-12 152544]
"ATKOSD2"="c:\program files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe" [2011-07-21 5716608]
"ATKMEDIA"="c:\program files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe" [2010-10-07 170624]
"HControlUser"="c:\program files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe" [2009-06-19 105016]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"TkBellExe"="c:\program files (x86)\real\realplayer\Update\realsched.exe" [2013-04-25 295512]
.
c:\users\ray\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files (x86)\MagicDisc\MagicDisc.exe [2013-2-18 576000]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 lvpopf64;Logitech POP Suppression Filter;c:\windows\system32\DRIVERS\lvpopf64.sys [2009-10-07 271640]
R3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys [2009-10-07 327704]
R3 LVUVC64;QuickCam for Notebooks Deluxe(UVC);c:\windows\system32\DRIVERS\lvuvc64.sys [2009-10-07 6379288]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-09-28 53760]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2013-02-20 1255736]
S1 ATKWMIACPIIO;ATKWMIACPI Driver;c:\program files (x86)\ASUS\ATK Package\ATK WMIACPI\atkwmiacpi64.sys [2011-09-07 17536]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2013-04-24 283200]
S2 ASMMAP64;ASMMAP64;c:\program files (x86)\ASUS\ATK Package\ATKGFNEX\ASMMAP64.sys [2009-07-03 15416]
S2 LVPrcS64;Process Monitor;c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe [2009-10-07 191000]
S2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [2013-03-06 39056]
S3 asmthub3;ASMedia USB3 Hub Service;c:\windows\system32\DRIVERS\asmthub3.sys [2011-06-02 128488]
S3 asmtxhci;ASMEDIA XHCI Service;c:\windows\system32\DRIVERS\asmtxhci.sys [2011-06-02 401896]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys [2013-02-19 169584]
S3 LVPr2M64;Logitech LVPr2M64 Driver;c:\windows\system32\DRIVERS\LVPr2M64.sys [2009-10-07 30232]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2013-05-14 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-02-19 15:22]
.
2013-05-14 c:\windows\Tasks\OpenCandyHelper63F6808535BD498190BF3C31AD8DE07D.job
- c:\users\ray\AppData\Roaming\OpenCandy\F5C27D725E32448AA77F71BB14947BCA\OCBrowserHelper_1.0.6.124.exe [2013-04-10 17:24]
.
2013-05-14 c:\windows\Tasks\OpenCandyHelperRun2CF5A7F65F0B42E7AF07860D775F5AE8.job
- c:\users\ray\AppData\Roaming\OpenCandy\F5C27D725E32448AA77F71BB14947BCA\OCBrowserHelper_1.0.6.124.exe [2013-04-10 17:24]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-12-14 172144]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-12-14 399984]
"Persistence"="c:\windows\system32\igfxpers.exe" [2012-12-14 441968]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\ray\AppData\Roaming\Mozilla\Firefox\Profiles\cqsh33ge.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3290520&CUI=UN28359892492779060&UM=2&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - msn.com
FF - ExtSQL: 2013-04-25 08:05; {DAC3F861-B30D-40dd-9166-F4E75327FAC7}; c:\programdata\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-DivXMediaServer - c:\program files (x86)\DivX\DivX Media Server\DivXMediaServer.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-05-13 17:59:28
ComboFix-quarantined-files.txt 2013-05-14 00:59
.
Pre-Run: 175,588,270,080 bytes free
Post-Run: 177,017,597,952 bytes free
.
- - End Of File - - DB1C7FA6F5A7810AE2CB50AB45E9F90D
and a fresh HiJack this log...
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:02:27 PM, on 5/13/2013
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v9.00 (9.00.8112.16476)
Boot mode: Normal
Running processes:
C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe
C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe
C:\Program Files (x86)\MagicDisc\MagicDisc.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe
C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe
C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe
C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\RealNetworks\RealDownloader\recordingmanager.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe
C:\Program Files (x86)\iTunes\iTunes.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: RealNetworks Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATKOSD2] C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe
O4 - HKLM\..\Run: [ATKMEDIA] C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe
O4 - HKLM\..\Run: [HControlUser] C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide
O4 - HKLM\..\Run: [TkBellExe] "c:\program files (x86)\real\realplayer\Update\realsched.exe" -osboot
O4 - HKCU\..\Run: [BitTorrent] "C:\Users\ray\AppData\Roaming\BitTorrent\BitTorrent.exe" /MINIMIZED
O4 - HKCU\..\Run: [Logitech Vid] "C:\Program Files (x86)\Logitech\Logitech Vid\vid.exe" -bootmode
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files (x86)\DAEMON Tools Pro\DTAgent.exe" -autorun
O4 - Startup: MagicDisc.lnk = C:\Program Files (x86)\MagicDisc\MagicDisc.exe
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: ASLDR Service (ASLDRService) - ASUS - C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe
O23 - Service: ATKGFNEX Service (ATKGFNEXSrv) - ASUS - C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) Content Protection HECI Service (cphs) - Intel Corporation - C:\Windows\SysWow64\IntelCpHeciSvc.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Process Monitor (LVPrcS64) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: RealNetworks Downloader Resolver Service - Unknown owner - C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
--
End of file - 8638 bytes
as for how its running, ever since this happened it hasnt really had a difference in how it runs. everything is pretty fast.
ComboFix 13-05-13.01 - ray 05/13/2013 17:49:44.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3873.2887 [GMT -7:00]
Running from: c:\users\ray\Downloads\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\$recycle.bin\S-1-5-21-2210142320-3163110101-2213217975-1000\$441a5886718862ea37ebd89b704084e9\@
c:\$recycle.bin\S-1-5-21-2210142320-3163110101-2213217975-1000\$441a5886718862ea37ebd89b704084e9\L\00000004.@
c:\$recycle.bin\S-1-5-21-2210142320-3163110101-2213217975-1000\$441a5886718862ea37ebd89b704084e9\U\00000004.@
c:\$recycle.bin\S-1-5-21-2210142320-3163110101-2213217975-1000\$441a5886718862ea37ebd89b704084e9\U\00000008.@
c:\$recycle.bin\S-1-5-21-2210142320-3163110101-2213217975-1000\$441a5886718862ea37ebd89b704084e9\U\000000cb.@
c:\$recycle.bin\S-1-5-21-2210142320-3163110101-2213217975-1000\$441a5886718862ea37ebd89b704084e9\U\80000000.@
c:\$recycle.bin\S-1-5-21-2210142320-3163110101-2213217975-1000\$441a5886718862ea37ebd89b704084e9\U\80000064.@
c:\windows\iun6002.exe
c:\windows\msvcr71.dll
c:\windows\SysWow64\tmp2131.tmp
c:\windows\SysWow64\tmp3330.tmp
c:\windows\SysWow64\tmpF523.tmp
.
.
((((((((((((((((((((((((( Files Created from 2013-04-14 to 2013-05-14 )))))))))))))))))))))))))))))))
.
.
2013-05-14 00:56 . 2013-05-14 00:56 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-05-14 00:55 . 2013-05-14 00:55 76232 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{6FF9BE5B-8C36-4F35-BBBD-972F715B98D0}\offreg.dll
2013-05-13 23:38 . 2013-05-13 23:38 388096 ----a-r- c:\users\ray\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2013-05-13 23:38 . 2013-05-13 23:38 -------- d-----w- c:\program files (x86)\Trend Micro
2013-05-13 23:33 . 2013-05-13 23:33 -------- d-----w- c:\users\ray\AppData\Roaming\Malwarebytes
2013-05-13 23:33 . 2013-05-13 23:33 -------- d-----w- c:\programdata\Malwarebytes
2013-05-13 23:33 . 2013-04-04 21:50 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-05-13 23:33 . 2013-05-13 23:33 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2013-05-13 23:32 . 2013-05-13 23:32 -------- d-----w- c:\users\ray\AppData\Local\Programs
2013-05-11 22:13 . 2013-04-10 03:46 9317456 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{6FF9BE5B-8C36-4F35-BBBD-972F715B98D0}\mpengine.dll
2013-05-08 01:40 . 2013-05-08 01:40 -------- d-----w- c:\users\ray\AppData\Local\Diagnostics
2013-05-03 15:14 . 2013-05-03 15:14 -------- d-----w- c:\windows\system32\EventProviders
2013-04-25 18:11 . 2013-04-25 18:11 -------- d-----w- c:\windows\SysWow64\xlive
2013-04-25 18:11 . 2013-04-25 18:11 -------- d-----w- c:\program files (x86)\Microsoft Games for Windows - LIVE
2013-04-25 15:06 . 2013-04-25 15:06 -------- d-----w- c:\users\ray\AppData\Roaming\RealNetworks
2013-04-25 15:05 . 2013-04-25 15:05 -------- d-----w- c:\program files (x86)\RealNetworks
2013-04-25 15:05 . 2013-04-25 15:05 -------- d-----w- c:\programdata\RealNetworks
2013-04-25 15:05 . 2013-04-25 15:05 -------- d-----w- c:\program files (x86)\Common Files\xing shared
2013-04-24 19:47 . 2013-04-24 19:47 -------- d-----w- c:\windows\en
2013-04-24 19:46 . 2013-04-24 19:46 -------- d-----w- c:\program files (x86)\Microsoft SQL Server Compact Edition
2013-04-24 19:45 . 2013-04-24 19:45 20808 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2013-04-24 19:45 . 2013-04-24 19:46 -------- d-----w- c:\program files (x86)\Windows Live
2013-04-24 19:45 . 2013-04-24 19:45 -------- d-----w- c:\windows\PCHEALTH
2013-04-24 19:40 . 2013-05-08 06:31 -------- d-----w- c:\users\ray\AppData\Local\Windows Live
2013-04-24 19:40 . 2013-04-24 19:40 -------- d-----w- c:\program files (x86)\Common Files\Windows Live
2013-04-24 19:30 . 2013-04-12 14:36 1653096 ----a-w- c:\windows\system32\drivers\ntfs.sys
2013-04-24 17:48 . 2008-10-15 13:22 519000 ----a-w- c:\windows\system32\d3dx10_40.dll
2013-04-24 17:48 . 2008-10-15 13:22 452440 ----a-w- c:\windows\SysWow64\d3dx10_40.dll
2013-04-24 17:48 . 2008-10-15 13:22 2605920 ----a-w- c:\windows\system32\D3DCompiler_40.dll
2013-04-24 17:48 . 2008-10-15 13:22 2036576 ----a-w- c:\windows\SysWow64\D3DCompiler_40.dll
2013-04-24 17:48 . 2008-10-15 13:22 5631312 ----a-w- c:\windows\system32\D3DX9_40.dll
2013-04-24 17:48 . 2008-10-15 13:22 4379984 ----a-w- c:\windows\SysWow64\D3DX9_40.dll
2013-04-24 17:28 . 2013-04-24 17:28 -------- d--h--w- c:\programdata\Common Files
2013-04-24 17:26 . 2013-04-24 17:26 -------- d-----w- c:\program files (x86)\Codemasters
2013-04-24 17:24 . 2013-04-24 17:24 283200 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2013-04-24 17:23 . 2013-04-24 17:24 -------- d-----w- c:\program files (x86)\DAEMON Tools Pro
2013-04-24 16:21 . 2013-04-24 16:22 -------- d-----w- c:\users\ray\AppData\Local\ArmA
2013-04-24 16:14 . 2013-04-24 16:14 108144 ----a-w- c:\windows\SysWow64\CmdLineExt.dll
2013-04-24 15:43 . 2013-04-25 05:39 -------- d-----w- c:\users\ray\AppData\Local\Pokki
2013-04-24 15:43 . 2013-04-24 15:46 -------- d-----w- c:\users\ray\AppData\Roaming\DAEMON Tools Pro
2013-04-24 15:43 . 2013-04-24 17:23 -------- d-----w- c:\users\ray\AppData\Roaming\OpenCandy
2013-04-24 15:42 . 2013-04-24 15:47 -------- d-----w- c:\programdata\DAEMON Tools Pro
2013-04-24 15:32 . 2013-04-24 15:37 -------- d-----w- c:\program files (x86)\Vietcong2
2013-04-24 15:13 . 2013-04-24 15:13 -------- d-----w- c:\program files (x86)\OpenAL
2013-04-24 01:56 . 2013-04-24 01:57 -------- d-----w- c:\users\ray\AppData\Local\ArmA 2
2013-04-23 00:12 . 2013-04-23 00:12 -------- d-----w- c:\program files (x86)\Microsoft CAPICOM 2.1.0.2
2013-04-18 21:02 . 2013-04-18 21:02 -------- d-----w- c:\users\ray\AppData\Local\arw
2013-04-18 21:02 . 2013-04-18 21:02 -------- d-----w- c:\program files (x86)\Audio Record Wizard
2013-04-18 20:46 . 2013-04-18 20:46 -------- d-----w- c:\program files (x86)\Replay Converter
2013-04-18 19:57 . 2013-04-18 19:57 -------- d-----w- c:\windows\Downloaded Installations
2013-04-18 19:56 . 2007-03-04 11:55 1936528 ----a-w- c:\windows\SysWow64\ltmm15.dll
2013-04-18 19:56 . 2007-03-04 11:55 135168 ----a-w- c:\windows\SysWow64\DSKernel2.dll
2013-04-18 19:56 . 2013-04-18 21:06 -------- d-----w- c:\program files\Replay AV 8
2013-04-18 19:55 . 2013-04-18 19:55 -------- d-----w- c:\program files (x86)\Replay AV 8
2013-04-18 18:43 . 2013-04-18 18:43 -------- d-----w- c:\program files (x86)\Portable
2013-04-18 17:29 . 2013-04-18 17:29 -------- d-----w- c:\users\ray\AppData\Local\LogiShrd
2013-04-18 17:29 . 2013-04-18 17:29 -------- d-----w- c:\program files (x86)\Logitech
2013-04-18 17:29 . 2013-04-18 17:29 -------- d-----w- c:\users\ray\AppData\Roaming\Leadertech
2013-04-18 17:28 . 2013-04-18 17:28 -------- d-----w- c:\program files (x86)\Common Files\LogiShrd
2013-04-18 17:28 . 2013-04-21 18:56 -------- d-----w- c:\programdata\LogiShrd
2013-04-18 17:28 . 2013-04-18 17:28 -------- d-----w- c:\program files\Logitech
2013-04-18 17:26 . 2013-04-18 17:28 -------- d-----w- c:\program files\Common Files\logishrd
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-02 09:06 . 2013-02-19 15:38 278800 ------w- c:\windows\system32\MpSigStub.exe
2013-04-25 15:04 . 2013-02-19 04:07 499712 ----a-w- c:\windows\SysWow64\msvcp71.dll
2013-04-25 15:04 . 2013-02-19 04:07 348160 ----a-w- c:\windows\SysWow64\msvcr71.dll
2013-04-12 16:08 . 2013-04-08 16:11 72702784 ----a-w- c:\windows\system32\MRT.exe
2013-03-22 00:16 . 2013-03-22 00:17 95648 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-03-22 00:16 . 2013-03-22 00:17 861088 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2013-03-22 00:16 . 2013-03-22 00:17 782240 ----a-w- c:\windows\SysWow64\deployJava1.dll
2013-03-19 06:19 . 2013-04-10 14:50 5497688 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-19 05:54 . 2013-04-10 14:50 43520 ----a-w- c:\windows\system32\csrsrv.dll
2013-03-19 05:06 . 2013-04-10 14:50 3958120 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2013-03-19 05:06 . 2013-04-10 14:50 3902312 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2013-03-19 04:53 . 2013-04-10 14:50 6656 ----a-w- c:\windows\SysWow64\apisetschema.dll
2013-03-19 03:19 . 2013-04-10 14:50 112640 ----a-w- c:\windows\system32\smss.exe
2013-03-13 15:22 . 2013-02-19 03:32 73432 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-03-13 15:22 . 2013-02-19 03:32 693976 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-03-01 03:32 . 2013-04-10 14:50 3150848 ----a-w- c:\windows\system32\win32k.sys
2013-02-22 15:16 . 2013-02-22 15:16 86528 ----a-w- c:\windows\SysWow64\iesysprep.dll
2013-02-22 15:16 . 2013-02-22 15:16 76800 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe
2013-02-22 15:16 . 2013-02-22 15:16 74752 ----a-w- c:\windows\SysWow64\RegisterIEPKEYs.exe
2013-02-22 15:16 . 2013-02-22 15:16 74752 ----a-w- c:\windows\SysWow64\iesetup.dll
2013-02-22 15:16 . 2013-02-22 15:16 63488 ----a-w- c:\windows\SysWow64\tdc.ocx
2013-02-22 15:16 . 2013-02-22 15:16 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll
2013-02-22 15:16 . 2013-02-22 15:16 367104 ----a-w- c:\windows\SysWow64\html.iec
2013-02-22 15:16 . 2013-02-22 15:16 35840 ----a-w- c:\windows\SysWow64\imgutil.dll
2013-02-22 15:16 . 2013-02-22 15:16 23552 ----a-w- c:\windows\SysWow64\licmgr10.dll
2013-02-22 15:16 . 2013-02-22 15:16 161792 ----a-w- c:\windows\SysWow64\msls31.dll
2013-02-22 15:16 . 2013-02-22 15:16 152064 ----a-w- c:\windows\SysWow64\wextract.exe
2013-02-22 15:16 . 2013-02-22 15:16 150528 ----a-w- c:\windows\SysWow64\iexpress.exe
2013-02-22 15:16 . 2013-02-22 15:16 11776 ----a-w- c:\windows\SysWow64\mshta.exe
2013-02-22 15:16 . 2013-02-22 15:16 110592 ----a-w- c:\windows\SysWow64\IEAdvpack.dll
2013-02-22 15:16 . 2013-02-22 15:16 101888 ----a-w- c:\windows\SysWow64\admparse.dll
2013-02-22 15:16 . 2013-02-22 15:16 91648 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2013-02-22 15:16 . 2013-02-22 15:16 89088 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2013-02-22 15:16 . 2013-02-22 15:16 89088 ----a-w- c:\windows\system32\ie4uinit.exe
2013-02-22 15:16 . 2013-02-22 15:16 85504 ----a-w- c:\windows\system32\iesetup.dll
2013-02-22 15:16 . 2013-02-22 15:16 82432 ----a-w- c:\windows\system32\icardie.dll
2013-02-22 15:16 . 2013-02-22 15:16 76800 ----a-w- c:\windows\system32\tdc.ocx
2013-02-22 15:16 . 2013-02-22 15:16 65024 ----a-w- c:\windows\system32\pngfilt.dll
2013-02-22 15:16 . 2013-02-22 15:16 55296 ----a-w- c:\windows\system32\msfeedsbs.dll
2013-02-22 15:16 . 2013-02-22 15:16 534528 ----a-w- c:\windows\system32\ieapfltr.dll
2013-02-22 15:16 . 2013-02-22 15:16 49664 ----a-w- c:\windows\system32\imgutil.dll
2013-02-22 15:16 . 2013-02-22 15:16 48640 ----a-w- c:\windows\system32\mshtmler.dll
2013-02-22 15:16 . 2013-02-22 15:16 452608 ----a-w- c:\windows\system32\dxtmsft.dll
2013-02-22 15:16 . 2013-02-22 15:16 448512 ----a-w- c:\windows\system32\html.iec
2013-02-22 15:16 . 2013-02-22 15:16 403248 ----a-w- c:\windows\system32\iedkcs32.dll
2013-02-22 15:16 . 2013-02-22 15:16 39936 ----a-w- c:\windows\system32\iernonce.dll
2013-02-22 15:16 . 2013-02-22 15:16 3695416 ----a-w- c:\windows\system32\ieapfltr.dat
2013-02-22 15:16 . 2013-02-22 15:16 30720 ----a-w- c:\windows\system32\licmgr10.dll
2013-02-22 15:16 . 2013-02-22 15:16 282112 ----a-w- c:\windows\system32\dxtrans.dll
2013-02-22 15:16 . 2013-02-22 15:16 267776 ----a-w- c:\windows\system32\ieaksie.dll
2013-02-22 15:16 . 2013-02-22 15:16 249344 ----a-w- c:\windows\system32\webcheck.dll
2013-02-22 15:16 . 2013-02-22 15:16 222208 ----a-w- c:\windows\system32\msls31.dll
2013-02-22 15:16 . 2013-02-22 15:16 197120 ----a-w- c:\windows\system32\msrating.dll
2013-02-22 15:16 . 2013-02-22 15:16 165888 ----a-w- c:\windows\system32\iexpress.exe
2013-02-22 15:16 . 2013-02-22 15:16 163840 ----a-w- c:\windows\system32\ieakui.dll
2013-02-22 15:16 . 2013-02-22 15:16 160256 ----a-w- c:\windows\system32\wextract.exe
2013-02-22 15:16 . 2013-02-22 15:16 160256 ----a-w- c:\windows\system32\ieakeng.dll
2013-02-22 15:16 . 2013-02-22 15:16 149504 ----a-w- c:\windows\system32\occache.dll
2013-02-22 15:16 . 2013-02-22 15:16 145920 ----a-w- c:\windows\system32\iepeers.dll
2013-02-22 15:16 . 2013-02-22 15:16 135168 ----a-w- c:\windows\system32\IEAdvpack.dll
2013-02-22 15:16 . 2013-02-22 15:16 12288 ----a-w- c:\windows\system32\mshta.exe
2013-02-22 15:16 . 2013-02-22 15:16 114176 ----a-w- c:\windows\system32\admparse.dll
2013-02-22 15:16 . 2013-02-22 15:16 111616 ----a-w- c:\windows\system32\iesysprep.dll
2013-02-22 15:16 . 2013-02-22 15:16 10752 ----a-w- c:\windows\system32\msfeedssync.exe
2013-02-22 15:16 . 2013-02-22 15:16 103936 ----a-w- c:\windows\system32\inseng.dll
2013-02-22 06:57 . 2013-04-12 16:07 17817088 ----a-w- c:\windows\system32\mshtml.dll
2013-02-22 06:29 . 2013-04-12 16:07 10925568 ----a-w- c:\windows\system32\ieframe.dll
2013-02-22 06:27 . 2013-04-12 16:07 2312704 ----a-w- c:\windows\system32\jscript9.dll
2013-02-22 06:21 . 2013-04-12 16:07 1346560 ----a-w- c:\windows\system32\urlmon.dll
2013-02-22 06:20 . 2013-04-12 16:07 1392128 ----a-w- c:\windows\system32\wininet.dll
2013-02-22 06:19 . 2013-04-12 16:07 1494528 ----a-w- c:\windows\system32\inetcpl.cpl
2013-02-22 06:18 . 2013-04-12 16:07 237056 ----a-w- c:\windows\system32\url.dll
2013-02-22 06:17 . 2013-04-12 16:07 85504 ----a-w- c:\windows\system32\jsproxy.dll
2013-02-22 06:15 . 2013-04-12 16:07 173056 ----a-w- c:\windows\system32\ieUnatt.exe
2013-02-22 06:15 . 2013-04-12 16:07 599040 ----a-w- c:\windows\system32\vbscript.dll
2013-02-22 06:15 . 2013-04-12 16:07 816640 ----a-w- c:\windows\system32\jscript.dll
2013-02-22 06:14 . 2013-04-12 16:07 729088 ----a-w- c:\windows\system32\msfeeds.dll
2013-02-22 06:13 . 2013-04-12 16:07 2147840 ----a-w- c:\windows\system32\iertutil.dll
2013-02-22 06:13 . 2013-04-12 16:07 96768 ----a-w- c:\windows\system32\mshtmled.dll
2013-02-22 06:12 . 2013-04-12 16:07 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2013-02-22 06:09 . 2013-04-12 16:07 248320 ----a-w- c:\windows\system32\ieui.dll
2013-02-22 03:46 . 2013-04-12 16:07 1800704 ----a-w- c:\windows\SysWow64\jscript9.dll
2013-02-22 03:38 . 2013-04-12 16:07 1129472 ----a-w- c:\windows\SysWow64\wininet.dll
2013-02-22 03:37 . 2013-04-12 16:07 1427968 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2013-02-22 03:34 . 2013-04-12 16:07 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2013-02-22 03:34 . 2013-04-12 16:07 420864 ----a-w- c:\windows\SysWow64\vbscript.dll
2013-02-22 03:31 . 2013-04-12 16:07 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2013-02-19 04:44 . 2013-02-19 04:44 45056 ----a-w- c:\windows\SysWow64\acovcnt.exe
2013-02-19 04:28 . 2013-02-19 04:29 53248 ----a-w- c:\windows\SysWow64\CSVer.dll
2013-02-19 01:54 . 2013-02-19 01:55 169584 ----a-w- c:\windows\system32\drivers\L1C62x64.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent"="c:\users\ray\AppData\Roaming\BitTorrent\BitTorrent.exe" [2013-04-24 882520]
"Logitech Vid"="c:\program files (x86)\Logitech\Logitech Vid\vid.exe" [2009-07-16 5458704]
"DAEMON Tools Pro Agent"="c:\program files (x86)\DAEMON Tools Pro\DTAgent.exe" [2012-10-23 3108480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-12-12 152544]
"ATKOSD2"="c:\program files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe" [2011-07-21 5716608]
"ATKMEDIA"="c:\program files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe" [2010-10-07 170624]
"HControlUser"="c:\program files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe" [2009-06-19 105016]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"TkBellExe"="c:\program files (x86)\real\realplayer\Update\realsched.exe" [2013-04-25 295512]
.
c:\users\ray\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files (x86)\MagicDisc\MagicDisc.exe [2013-2-18 576000]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 lvpopf64;Logitech POP Suppression Filter;c:\windows\system32\DRIVERS\lvpopf64.sys [2009-10-07 271640]
R3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys [2009-10-07 327704]
R3 LVUVC64;QuickCam for Notebooks Deluxe(UVC);c:\windows\system32\DRIVERS\lvuvc64.sys [2009-10-07 6379288]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-09-28 53760]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2013-02-20 1255736]
S1 ATKWMIACPIIO;ATKWMIACPI Driver;c:\program files (x86)\ASUS\ATK Package\ATK WMIACPI\atkwmiacpi64.sys [2011-09-07 17536]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2013-04-24 283200]
S2 ASMMAP64;ASMMAP64;c:\program files (x86)\ASUS\ATK Package\ATKGFNEX\ASMMAP64.sys [2009-07-03 15416]
S2 LVPrcS64;Process Monitor;c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe [2009-10-07 191000]
S2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [2013-03-06 39056]
S3 asmthub3;ASMedia USB3 Hub Service;c:\windows\system32\DRIVERS\asmthub3.sys [2011-06-02 128488]
S3 asmtxhci;ASMEDIA XHCI Service;c:\windows\system32\DRIVERS\asmtxhci.sys [2011-06-02 401896]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys [2013-02-19 169584]
S3 LVPr2M64;Logitech LVPr2M64 Driver;c:\windows\system32\DRIVERS\LVPr2M64.sys [2009-10-07 30232]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2013-05-14 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-02-19 15:22]
.
2013-05-14 c:\windows\Tasks\OpenCandyHelper63F6808535BD498190BF3C31AD8DE07D.job
- c:\users\ray\AppData\Roaming\OpenCandy\F5C27D725E32448AA77F71BB14947BCA\OCBrowserHelper_1.0.6.124.exe [2013-04-10 17:24]
.
2013-05-14 c:\windows\Tasks\OpenCandyHelperRun2CF5A7F65F0B42E7AF07860D775F5AE8.job
- c:\users\ray\AppData\Roaming\OpenCandy\F5C27D725E32448AA77F71BB14947BCA\OCBrowserHelper_1.0.6.124.exe [2013-04-10 17:24]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-12-14 172144]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-12-14 399984]
"Persistence"="c:\windows\system32\igfxpers.exe" [2012-12-14 441968]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\ray\AppData\Roaming\Mozilla\Firefox\Profiles\cqsh33ge.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3290520&CUI=UN28359892492779060&UM=2&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - msn.com
FF - ExtSQL: 2013-04-25 08:05; {DAC3F861-B30D-40dd-9166-F4E75327FAC7}; c:\programdata\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-DivXMediaServer - c:\program files (x86)\DivX\DivX Media Server\DivXMediaServer.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-05-13 17:59:28
ComboFix-quarantined-files.txt 2013-05-14 00:59
.
Pre-Run: 175,588,270,080 bytes free
Post-Run: 177,017,597,952 bytes free
.
- - End Of File - - DB1C7FA6F5A7810AE2CB50AB45E9F90D
and a fresh HiJack this log...
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:02:27 PM, on 5/13/2013
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v9.00 (9.00.8112.16476)
Boot mode: Normal
Running processes:
C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe
C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe
C:\Program Files (x86)\MagicDisc\MagicDisc.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe
C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe
C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe
C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\RealNetworks\RealDownloader\recordingmanager.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe
C:\Program Files (x86)\iTunes\iTunes.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: RealNetworks Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATKOSD2] C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe
O4 - HKLM\..\Run: [ATKMEDIA] C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe
O4 - HKLM\..\Run: [HControlUser] C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide
O4 - HKLM\..\Run: [TkBellExe] "c:\program files (x86)\real\realplayer\Update\realsched.exe" -osboot
O4 - HKCU\..\Run: [BitTorrent] "C:\Users\ray\AppData\Roaming\BitTorrent\BitTorrent.exe" /MINIMIZED
O4 - HKCU\..\Run: [Logitech Vid] "C:\Program Files (x86)\Logitech\Logitech Vid\vid.exe" -bootmode
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files (x86)\DAEMON Tools Pro\DTAgent.exe" -autorun
O4 - Startup: MagicDisc.lnk = C:\Program Files (x86)\MagicDisc\MagicDisc.exe
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: ASLDR Service (ASLDRService) - ASUS - C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe
O23 - Service: ATKGFNEX Service (ATKGFNEXSrv) - ASUS - C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) Content Protection HECI Service (cphs) - Intel Corporation - C:\Windows\SysWow64\IntelCpHeciSvc.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Process Monitor (LVPrcS64) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: RealNetworks Downloader Resolver Service - Unknown owner - C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
--
End of file - 8638 bytes
as for how its running, ever since this happened it hasnt really had a difference in how it runs. everything is pretty fast.
Ok, let me know if you are still getting popups.
I have a couple concerns I need to address now.
1. You have no valid antivirus software installed, windows defender is crap. You need to install Microsoft Security Essentials or Avast Free antivirus.
2. I noticed you have bit torrent installed. If you have any pirated software installed, I highly recommend you uninstall it and stop using bit torrent.
I have a couple concerns I need to address now.
1. You have no valid antivirus software installed, windows defender is crap. You need to install Microsoft Security Essentials or Avast Free antivirus.
2. I noticed you have bit torrent installed. If you have any pirated software installed, I highly recommend you uninstall it and stop using bit torrent.
no pop ups from windows defender yet.. ill keep an eye out for it though.
and yes i have no anti virus. i thought that they all cost money and i just dont have funds to put towards that right now.
also yes bit torrent is installed as well as quite a bit of pirated files.
honestly, ive used bit torrent for years and never had a problem with it even without an anti virus. couldnt i just install a free anti virus and be somewhat safe?
also its not pirated software thats installed, its more just music and couple movies and games. not sure if theres a different between all that and "software" but thats it.
and yes i have no anti virus. i thought that they all cost money and i just dont have funds to put towards that right now.
also yes bit torrent is installed as well as quite a bit of pirated files.
honestly, ive used bit torrent for years and never had a problem with it even without an anti virus. couldnt i just install a free anti virus and be somewhat safe?
also its not pirated software thats installed, its more just music and couple movies and games. not sure if theres a different between all that and "software" but thats it.
Yes, you need to install a free version of Avast or Microsoft Security Essentials. We can't discuss the use of pirated software here in the forum. You take a big chance on installing it. Just because your clean now, doesn't mean any pirated software isn't phoning home or downloading code.
Yes, you can uninstall them. Malwarebytes and Hijackthis will be in the add/remove programs list. But I highly suggest keeping Malwarebytes.
Combofix must be uninstalled like this.
start, search box, type combofix /uninstall hit enter. must be a space between the x and the /
Combofix must be uninstalled like this.
start, search box, type combofix /uninstall hit enter. must be a space between the x and the /
okay, all uninstalled except Malwarebytes, Avast installed and good to go.
still no windows defender pop up and computer running as good as ever.
once again, i thank you for your help John, i would have been totally lost without it. it is very much appreciated. if i have any more problems or questions i will post them. CHEERS MATE
still no windows defender pop up and computer running as good as ever.
once again, i thank you for your help John, i would have been totally lost without it. it is very much appreciated. if i have any more problems or questions i will post them. CHEERS MATE