TechSpot

Need help with 0Access removal

By Codehead
Jul 20, 2012
  1. Hello guys,

    I noticed an odd behavior of my machine yesterday: there suddenly were several unknown processes (looking like this: '~AB123xyz') in the task manager and there was a severe performance drop. I killed all processes I could not recognize and watched my system's network activity. explorer.exe had lots of connections that were rapidly changing. It looked very much the same as when you download something with a Torrent client and watch its peer list. From what I have read so far, this was probably because it became a node in some botnet or downloaded more virus modules. So, I unplugged my network cable and tried to make a quick scan, but MSE was not responding; some services might have been terminated by the dropper program. I killed the MSE process and started it up again. Quick scan results showed Sirefef.AB and another Sirefef variant that I don't recall. Some of the files were removed by MSE, but I checked the folder location of one of the newly detected trojans and it was still there. I could access it with the Explorer's address bar, but when I tried to remove it, it was not visible and del on the Command Prompt failed. I realized that a rootkit was fooling me and that this rootkit must have already installed itself inside the OS. I got too pissed to deal with it yesterday, but now I have to.

    After reading some related forum entries before posting this, I already took the following steps:
    • started in System Recovery Mode
    • ran Farbar Recovery Scan Tool (64-Bit)
    I had a successful infection of my system two or three years ago, but it was not such a nasty bugger and, if I remember correctly, it came through a Java exploit as well. MSE blocks malware pretty well, but it seems to have some problems with Java related things. The Java browser plug-in is the first thing that goes off once I have gotten rid of this infection, but for now I am too scared to start into the system; I don't want to do any more damage to it.

    The affected machine is still running in System Recovery Mode. If someone could tell me what I have to do next, I would really appreciate it. Oh, and the log file is attached to this posting.

    Thank you in advance,
    Johannes
     


  2. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Hello, and welcome to TechSpot.

    Please see here for the board rules and other FAQ.

    Please feel free to introduce yourself, after you follow the steps below to get started.

    Information
    • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
    • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
    • If you have already asked for help somewhere, please post the link to the topic you were helped.
    • We try our best to reply quickly, but if for any reason we do not reply in two days, please reply to this topic with the word BUMP!
    • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.
    Please review the 5-Step removal instructions and post the logs back here for my review.
     
  3. Codehead

    Codehead TS Rookie Topic Starter

    Hello DMJ and thank you for your quick reply. I read the instructions and they say that the computer is to be started in NORMAL mode. Let me just clarify this before I proceed, please. Can I reduce further damage to the system by starting it in SAFE mode, or would that be counterproductive?

    Thanks again,
    Johannes
     
  4. Codehead

    Codehead TS Rookie Topic Starter

    No more replies so far, so I'll stick with the NORMAL mode to get this done.

    I booted up the system in normal mode and got a new Fake AV scanner (Rogue:Win32/Winwebsec) popping up. Neither MSE nor almost anything else started up properly. I started MSE manually and after refusing to start a few times it finally did. I ran a quick scan and Sirefef.AB, Sirefef.P, Sirefef.W and what not were found, and probably were not removed correctly by MSE. So, here are the steps of the removal instructions:
    • ran Anti-Malware
    • started GMER and waited for its quick scan to finish
    GMER did not find anything and produced an empty log file. I don't know if I have to click 'Scan' myself or not, but since the instructions do not say so, and since they also say to click 'NO' when asked to do a full system scan, I assume I do not have to click it. The instructions really could be a bit more specific at this point.
    • ran DDS
    And here come all the logs:
     
  5. Codehead

    Codehead TS Rookie Topic Starter

    Malwarebytes Anti-Malware 1.62.0.1300
    www.malwarebytes.org

    Database version: v2012.07.20.08

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    Codehead :: KANDALF [administrator]

    7/20/2012 10:58:55 PM
    mbam-log-2012-07-20 (22-58-55).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 190092
    Time elapsed: 4 minute(s), 14 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 1
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Live Security Platinum (Trojan.LameShield) -> Quarantined and deleted successfully.

    Registry Values Detected: 1
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|0C1CFAE7CF1EF58502A368B9F875EF60 (Trojan.LameShield) -> Data: C:\ProgramData\0C1CFAE7CF1EF58502A368B9F875EF60\0C1CFAE7CF1EF58502A368B9F875EF60.exe -> Quarantined and deleted successfully.

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 1
    C:\Users\Codehead\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Live Security Platinum (Rogue.LiveSecurityPlatinum) -> Quarantined and deleted successfully.

    Files Detected: 8
    C:\ProgramData\0C1CFAE7CF1EF58502A368B9F875EF60\0C1CFAE7CF1EF58502A368B9F875EF60.exe (Trojan.LameShield) -> Quarantined and deleted successfully.
    C:\Users\Codehead\AppData\Local\Temp\msimg32.dll (RootKit.0Access) -> Quarantined and deleted successfully.
    C:\Users\Codehead\AppData\Local\Temp\~!#D71C.tmp (Spyware.Zbot.Gen) -> Quarantined and deleted successfully.
    C:\Users\Codehead\AppData\Local\Temp\~!#DF99.tmp (RootKit.0Access) -> Quarantined and deleted successfully.
    C:\Users\Codehead\AppData\Local\Temp\~!#E3A1.tmp (Trojan.LameShield) -> Quarantined and deleted successfully.
    C:\Users\Codehead\AppData\Local\Temp\~!#E72D.tmp (Spyware.Zbot.CF) -> Quarantined and deleted successfully.
    C:\Users\Codehead\Desktop\Live Security Platinum.lnk (Rogue.LiveSecurityPlatinum) -> Quarantined and deleted successfully.
    C:\Users\Codehead\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Live Security Platinum\Live Security Platinum.lnk (Rogue.LiveSecurityPlatinum) -> Quarantined and deleted successfully.

    (end)
     
  6. Codehead

    Codehead TS Rookie Topic Starter

    As I said above, GMER produced an empty log, so here are the DDS logs.

    .
    DDS (Ver_2011-08-26.01) - NTFSAMD64
    Internet Explorer: 9.0.8112.16421
    Run by Codehead at 23:34:40 on 2012-07-20
    Microsoft Windows 7 Ultimate 6.1.7601.1.1252.49.1033.18.4094.2772 [GMT 2:00]
    .
    AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Program Files\Microsoft Security Client\MsMpEng.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\SysWOW64\PnkBstrA.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    D:\Microsoft Office\Office12\ONENOTEM.EXE
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\taskmgr.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\SysWOW64\cscript.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = about:Tabs
    uInternet Settings,ProxyOverride = *.local
    uURLSearchHooks: H - No File
    mWinlogon: Userinit=userinit.exe,
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
    BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - D:\MICROS~1\Office14\URLREDIR.DLL
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - D:\Java\jre6\bin\jp2ssv.dll
    TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
    uRun: [Steam] "D:\Steam\steam.exe" -silent
    uRun: [WLSync] "C:\Program Files (x86)\Windows Live\Mesh\WLSync.exe" /background
    uRunOnce: [Uninstall C:\Users\Codehead\AppData\Local\Microsoft\SkyDrive\16.4.4111.0525\amd64] C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\Codehead\AppData\Local\Microsoft\SkyDrive\16.4.4111.0525\amd64"
    uRunOnce: [Uninstall C:\Users\Codehead\AppData\Local\Microsoft\SkyDrive\16.4.6003.0710\amd64] C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\Codehead\AppData\Local\Microsoft\SkyDrive\16.4.6003.0710\amd64"
    mRun: [Adobe Reader Speed Launcher] "D:\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    mRun: [QuickTime Task] "D:\QuickTime\QTTask.exe" -atboottime
    StartupFolder: C:\Users\Codehead\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - D:\Microsoft Office\Office12\ONENOTEM.EXE
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - D:\MICROS~1\Office12\EXCEL.EXE/3000
    IE: Open with XmlPad - D:\XMLPad\WmhASPP.dll/101
    IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - D:\MICROS~1\Office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - D:\MICROS~1\Office12\REFIEBAR.DLL
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15116/CTPID.cab
    TCP: DhcpNameServer = 192.168.2.1
    TCP: Interfaces\{2A5A73CF-9DAA-450F-A6BF-E7FD1F4F0A48} : DhcpNameServer = 192.168.2.1
    TCP: Interfaces\{8F75C650-399E-4AF7-81D5-268447D7EFEB} : DhcpNameServer = 192.168.2.1
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
    Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
    Handler: wmh - {A1428E78-2D00-4590-A071-0CC9700A7768} - D:\XMLPad\WmhASPP.dll
    BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO-X64: AcroIEHelperStub - No File
    BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO-X64: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
    BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - D:\MICROS~1\Office14\URLREDIR.DLL
    BHO-X64: URLRedirectionBHO - No File
    BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Java\jre6\bin\jp2ssv.dll
    TB-X64: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
    mRun-x64: [Adobe Reader Speed Launcher] "D:\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    mRun-x64: [QuickTime Task] "D:\QuickTime\QTTask.exe" -atboottime
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
    R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
    R1 SBRE;SBRE;\??\C:\Windows\system32\drivers\SBREdrv.sys --> C:\Windows\system32\drivers\SBREdrv.sys [?]
    R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
    R3 COMMONFX.SYS;COMMONFX.SYS;C:\Windows\system32\drivers\COMMONFX.SYS --> C:\Windows\system32\drivers\COMMONFX.SYS [?]
    R3 copperhd;Razer Copperhead Driver;C:\Windows\system32\drivers\copperhd.sys --> C:\Windows\system32\drivers\copperhd.sys [?]
    R3 CTAUDFX.SYS;CTAUDFX.SYS;C:\Windows\system32\drivers\CTAUDFX.SYS --> C:\Windows\system32\drivers\CTAUDFX.SYS [?]
    R3 CTSBLFX.SYS;CTSBLFX.SYS;C:\Windows\system32\drivers\CTSBLFX.SYS --> C:\Windows\system32\drivers\CTSBLFX.SYS [?]
    R3 LADF_DHP2;G35 DHP2 Filter Driver;C:\Windows\system32\DRIVERS\ladfDHP2amd64.sys --> C:\Windows\system32\DRIVERS\ladfDHP2amd64.sys [?]
    R3 LADF_SBVM;G35 SBVM Filter Driver;C:\Windows\system32\DRIVERS\ladfSBVMamd64.sys --> C:\Windows\system32\DRIVERS\ladfSBVMamd64.sys [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-4-4 250056]
    S3 COMMONFX;COMMONFX;C:\Windows\system32\drivers\COMMONFX.SYS --> C:\Windows\system32\drivers\COMMONFX.SYS [?]
    S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2011-5-25 79360]
    S3 CTAUDFX;CTAUDFX;C:\Windows\system32\drivers\CTAUDFX.SYS --> C:\Windows\system32\drivers\CTAUDFX.SYS [?]
    S3 CTERFXFX.SYS;CTERFXFX.SYS;C:\Windows\system32\drivers\CTERFXFX.SYS --> C:\Windows\system32\drivers\CTERFXFX.SYS [?]
    S3 CTERFXFX;CTERFXFX;C:\Windows\system32\drivers\CTERFXFX.SYS --> C:\Windows\system32\drivers\CTERFXFX.SYS [?]
    S3 CTSBLFX;CTSBLFX;C:\Windows\system32\drivers\CTSBLFX.SYS --> C:\Windows\system32\drivers\CTSBLFX.SYS [?]
    S3 fssfltr;fssfltr;C:\Windows\system32\DRIVERS\fssfltr.sys --> C:\Windows\system32\DRIVERS\fssfltr.sys [?]
    S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2012-3-8 1492840]
    S3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
    S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2012-3-26 291696]
    S3 npggsvc;nProtect GameGuard Service;C:\Windows\system32\GameMon.des -service --> C:\Windows\system32\GameMon.des -service [?]
    S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
    S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys --> C:\Windows\system32\drivers\rdpvideominiport.sys [?]
    S3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;C:\Windows\system32\DRIVERS\RTL8192su.sys --> C:\Windows\system32\DRIVERS\RTL8192su.sys [?]
    S3 SwitchBoard;Adobe SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
    S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
    S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk62x64.sys --> C:\Windows\system32\DRIVERS\yk62x64.sys [?]
    S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
    .
    =============== Created Last 30 ================
    .
    2012-07-21 02:15:45 -------- d-----w- C:\FRST
    2012-07-20 21:28:25 69000 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{E144533F-83F7-4E89-8B05-14B689ADD92B}\offreg.dll
    2012-07-20 21:27:08 9133488 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{E144533F-83F7-4E89-8B05-14B689ADD92B}\mpengine.dll
    2012-07-20 21:09:03 -------- d-----w- C:\Users\Codehead\AppData\Local\{FAF0BA70-693C-455E-A3EE-02E19784E6CF}
    2012-07-20 20:56:54 -------- d-----w- C:\Users\Codehead\AppData\Roaming\Malwarebytes
    2012-07-20 20:56:29 -------- d-----w- C:\ProgramData\Malwarebytes
    2012-07-20 20:56:28 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2012-07-20 05:40:05 -------- d-----w- C:\ProgramData\0C1CFAE7CF1EF58502A368B9F875EF60
    2012-07-20 05:38:46 -------- d-----w- C:\Users\Codehead\AppData\Roaming\Eqli
    2012-07-20 05:38:46 -------- d-----w- C:\Users\Codehead\AppData\Roaming\Ariti
    2012-07-19 17:32:36 -------- d-----w- C:\Users\Codehead\AppData\Local\{D5116B74-5E43-4B46-9B0A-632678041BCD}
    2012-07-19 17:32:26 -------- d-----w- C:\Users\Codehead\AppData\Local\{6F5085D2-C13E-44C2-90A9-75D0FC68F662}
    2012-07-19 05:31:59 -------- d-----w- C:\Users\Codehead\AppData\Local\{3DDD92A5-822F-419C-8842-887435F4B3DE}
    2012-07-19 05:31:49 -------- d-----w- C:\Users\Codehead\AppData\Local\{D36A4FE2-E8F3-4363-898B-8980695130D1}
    2012-07-18 12:53:25 9133488 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-07-18 07:53:23 -------- d-----w- C:\Users\Codehead\AppData\Local\{04CDEA11-B2C5-43C7-8319-8FA3E60055C6}
    2012-07-17 21:50:54 -------- d-----w- C:\Users\Codehead\AppData\Roaming\UDP Software
    2012-07-17 19:52:59 -------- d-----w- C:\Users\Codehead\AppData\Local\{410F0DC3-52A1-42B8-A176-ABD5F6FF6A92}
    2012-07-17 19:52:49 -------- d-----w- C:\Users\Codehead\AppData\Local\{AD056E2C-8CF7-497D-9BDD-1AE5013EF93F}
    2012-07-17 07:52:23 -------- d-----w- C:\Users\Codehead\AppData\Local\{E71EC145-8A7F-4946-A059-61CEAE54DA64}
    2012-07-17 07:52:14 -------- d-----w- C:\Users\Codehead\AppData\Local\{6E45F1AD-B2D9-4E96-9A5F-909BC85E90AD}
    2012-07-17 07:52:04 -------- d-----w- C:\Users\Codehead\AppData\Local\{BF486747-1975-4843-B2E9-82F967CFC915}
    2012-07-17 03:20:36 -------- d-----w- C:\Users\Codehead\AppData\Roaming\MiKTeX
    2012-07-17 00:44:42 -------- d-----w- C:\Users\Codehead\AppData\Local\MiKTeX
    2012-07-16 19:51:33 -------- d-----w- C:\Users\Codehead\AppData\Local\{0E028D8D-7D31-45A9-94D7-306DA679EA49}
    2012-07-16 19:51:10 -------- d-----w- C:\Users\Codehead\AppData\Local\{AC5FD43B-1A95-40EC-AF4F-D5FB498D9299}
    2012-07-16 03:48:54 -------- d-----w- C:\Users\Codehead\AppData\Local\{6DF1C452-58D6-4079-828C-86F2E2986510}
    2012-07-16 03:48:31 -------- d-----w- C:\Users\Codehead\AppData\Local\{400656F7-AC7B-4361-A734-3527DC417723}
    2012-07-15 21:38:03 -------- d-----w- C:\Program Files (x86)\Musicalis
    2012-07-15 15:48:10 -------- d-----w- C:\Users\Codehead\AppData\Local\{188B93B8-8530-422A-930A-1B586537975A}
    2012-07-15 15:47:48 -------- d-----w- C:\Users\Codehead\AppData\Local\{A98E7132-89F0-4DA4-A146-2C3E97F1F323}
    2012-07-15 03:46:27 -------- d-----w- C:\Users\Codehead\AppData\Local\{7BAC06CD-43DC-4AA4-AB51-D95CB8515865}
    2012-07-14 15:45:51 -------- d-----w- C:\Users\Codehead\AppData\Local\{690F24EF-B40A-4AED-8F8E-58EA9DBFB453}
    2012-07-14 15:45:29 -------- d-----w- C:\Users\Codehead\AppData\Local\{3435F8F7-F4CB-41AC-A366-1FC8BDAB8752}
    2012-07-14 03:45:01 -------- d-----w- C:\Users\Codehead\AppData\Local\{8F10B132-C3F7-4B25-9817-9175D5F096D2}
    2012-07-13 15:44:22 -------- d-----w- C:\Users\Codehead\AppData\Local\{E8E28B65-9F71-4197-95BA-5B9F28C1F1B3}
    2012-07-13 15:44:09 -------- d-----w- C:\Users\Codehead\AppData\Local\{057B5EA1-7DA2-4BE6-AFD6-FFEDC939764E}
    2012-07-13 02:00:09 -------- d-----w- C:\Users\Codehead\AppData\Local\{1B081D7A-78CE-4D34-BD42-DAADC42E906D}
    2012-07-13 01:59:52 -------- d-----w- C:\Users\Codehead\AppData\Local\{8717FF35-7478-402A-A04C-1FC125004760}
    2012-07-12 13:59:34 -------- d-----w- C:\Users\Codehead\AppData\Local\{6DD08455-EBDB-4FE5-902E-08B49F283645}
    2012-07-12 13:59:22 -------- d-----w- C:\Users\Codehead\AppData\Local\{5DF25705-BB5E-4CF9-A4C4-9A1622C1B3DF}
    2012-07-11 15:07:27 -------- d-----w- C:\Users\Codehead\AppData\Local\{259E7503-73A6-49F6-BDD9-C98C67F15208}
    2012-07-11 15:07:04 -------- d-----w- C:\Users\Codehead\AppData\Local\{91CF5F7B-20BC-450C-9047-2EAC20E06E3C}
    2012-07-11 04:28:05 3148800 ----a-w- C:\Windows\System32\win32k.sys
    2012-07-11 04:07:57 466944 ----a-w- C:\Program Files\Common Files\System\ado\msadomd.dll
    2012-07-11 04:07:57 1499136 ----a-w- C:\Program Files\Common Files\System\ado\msado15.dll
    2012-07-11 04:07:57 1019904 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msado15.dll
    2012-07-11 04:07:56 805376 ----a-w- C:\Windows\SysWow64\cdosys.dll
    2012-07-11 04:07:56 495616 ----a-w- C:\Program Files\Common Files\System\ado\msadox.dll
    2012-07-11 04:07:56 352256 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msadomd.dll
    2012-07-11 04:07:56 258048 ----a-w- C:\Program Files\Common Files\System\msadc\msadco.dll
    2012-07-11 04:07:55 61440 ----a-w- C:\Program Files\Common Files\System\ado\msador15.dll
    2012-07-11 04:07:55 57344 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msador15.dll
    2012-07-11 04:07:55 372736 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msadox.dll
    2012-07-11 04:07:55 212992 ----a-w- C:\Program Files (x86)\Common Files\System\msadc\msadco.dll
    2012-07-11 04:07:55 143360 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msjro.dll
    2012-07-11 04:07:55 1133568 ----a-w- C:\Windows\System32\cdosys.dll
    2012-07-11 03:06:36 -------- d-----w- C:\Users\Codehead\AppData\Local\{A97D5DBF-96E3-42D7-BD01-00CBAAFE0599}
    2012-07-10 15:05:59 -------- d-----w- C:\Users\Codehead\AppData\Local\{B5C06789-15C3-4201-B9A6-83711ADE0A4A}
    2012-07-10 15:05:47 -------- d-----w- C:\Users\Codehead\AppData\Local\{2750B9C9-D2B2-46C1-89E9-7385B034DC18}
    2012-07-10 06:47:01 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin7.dll
    2012-07-10 06:47:01 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin6.dll
    2012-07-10 06:47:01 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin5.dll
    2012-07-10 06:47:01 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin4.dll
    2012-07-10 06:47:01 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin3.dll
    2012-07-10 06:47:01 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin2.dll
    2012-07-10 06:47:01 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin.dll
    2012-07-10 03:07:14 -------- d-----r- C:\Users\Codehead\SkyDrive
    2012-07-10 03:06:43 -------- d-----w- C:\ProgramData\Microsoft SkyDrive
    2012-07-10 03:05:30 -------- d-----w- C:\Users\Codehead\AppData\Local\{D99278B1-7947-494E-BA17-4885EB32E960}
    2012-07-10 03:05:03 -------- d-----w- C:\Users\Codehead\AppData\Local\{9E38B2CE-0B30-4D87-8034-6D9DBD0609B7}
    2012-07-09 21:48:35 224088 ----a-w- C:\Windows\System32\drivers\VBoxDrv.sys
    2012-07-09 21:48:24 130904 ----a-w- C:\Windows\System32\drivers\VBoxUSBMon.sys
    2012-07-09 21:42:08 -------- d-----w- C:\Program Files (x86)\Microsoft Analysis Services
    2012-07-09 19:42:40 -------- d-----w- C:\Program Files\Microsoft Synchronization Services
    2012-07-09 19:42:40 -------- d-----w- C:\Program Files\Microsoft SQL Server Compact Edition
    2012-07-09 19:31:23 -------- d-----w- C:\Windows\SysWow64\1033
    2012-07-09 19:21:46 -------- d-----w- C:\Users\Codehead\AppData\Roaming\texstudio
    2012-07-09 18:47:10 -------- d-----w- C:\ProgramData\MiKTeX
    2012-07-09 15:23:34 -------- d-----w- C:\Users\Codehead\AppData\Local\e-academy Inc
    2012-07-09 15:04:31 -------- d-----w- C:\Users\Codehead\AppData\Local\{8B629822-07AE-4110-8D3B-D4BA15B299E1}
    2012-07-09 15:04:05 -------- d-----w- C:\Users\Codehead\AppData\Local\{8D43132E-8A30-43DB-8AEA-433B9E16D65A}
    2012-07-08 15:34:29 -------- d-----w- C:\Users\Codehead\AppData\Local\{3159E31F-AF82-4365-A1AB-6D74CAFF8888}
    2012-07-08 15:34:14 -------- d-----w- C:\Users\Codehead\AppData\Local\{D03CA594-4F85-4CE4-A850-8C916864BA30}
    2012-07-08 03:14:37 -------- d-----w- C:\Users\Codehead\AppData\Local\{8C6EE260-F7E7-456E-AED5-331493808901}
    2012-07-08 03:14:23 -------- d-----w- C:\Users\Codehead\AppData\Local\{A42AEFB6-7B5B-49A6-A79F-5271D67C52DD}
    2012-07-07 13:40:37 -------- d-----w- C:\Users\Codehead\AppData\Local\{36310D5F-190C-44E0-9239-0EC289E84DEB}
    2012-07-07 13:40:24 -------- d-----w- C:\Users\Codehead\AppData\Local\{88792998-78D0-496A-A869-6010AAA26B66}
    2012-07-07 02:22:35 -------- d-----w- C:\Users\Codehead\AppData\Roaming\Awesomium
    2012-07-07 01:21:23 -------- d-----w- C:\Users\Codehead\AppData\Local\{847D90CD-8CAF-4286-9B70-2339ABCAD2D2}
    2012-07-07 01:21:05 -------- d-----w- C:\Users\Codehead\AppData\Local\{B1B2684C-038F-4A8C-BF14-B715B4E4F857}
    2012-07-06 13:08:05 -------- d-----w- C:\Users\Codehead\AppData\Local\{205D30BB-1B64-4A8B-A5FE-CFECB65413E1}
    2012-07-06 13:07:52 -------- d-----w- C:\Users\Codehead\AppData\Local\{83F6202C-E3DC-4183-865B-598F21722BF2}
    2012-07-06 00:25:27 -------- d-----w- C:\Users\Codehead\AppData\Local\{AC3DD3D9-55F4-458E-BBF5-9C336037785A}
    2012-07-05 12:24:46 -------- d-----w- C:\Users\Codehead\AppData\Local\{396E829A-3BD6-4922-9EBC-0957E779179C}
    2012-07-05 12:24:34 -------- d-----w- C:\Users\Codehead\AppData\Local\{C2603762-16A0-45A5-9168-D91AE76831C3}
    2012-07-04 14:57:12 -------- d-----w- C:\Users\Codehead\AppData\Local\{C6639754-1F6C-4E22-8A58-521510FC8FC8}
    2012-07-04 14:56:57 -------- d-----w- C:\Users\Codehead\AppData\Local\{A2A7977D-E86F-4C2F-8E15-5CD2E6003204}
    2012-07-03 19:15:45 927800 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{E69E3F7C-C3E5-46F2-BF13-D23472C1D9D7}\gapaengine.dll
    2012-07-03 13:14:21 -------- d-----w- C:\Users\Codehead\AppData\Local\{76A2A30C-1A1D-4A95-B65A-DF5D45DFA81D}
    2012-07-03 13:14:09 -------- d-----w- C:\Users\Codehead\AppData\Local\{9B7C628A-0C83-4480-9407-95AFDD07E609}
    2012-07-02 07:44:51 -------- d-----w- C:\Users\Codehead\AppData\Local\{0531586F-7D99-40C3-B9BE-E1A95A6D72BC}
    2012-07-01 19:44:11 -------- d-----w- C:\Users\Codehead\AppData\Local\{F01B55DA-B785-431D-A873-9A4334FDF8A9}
    2012-07-01 19:43:47 -------- d-----w- C:\Users\Codehead\AppData\Local\{383BFBD9-3FA0-43E4-95C0-A44694F0CD67}
    2012-07-01 07:43:19 -------- d-----w- C:\Users\Codehead\AppData\Local\{B5B81772-F2CC-4B7E-BF91-083F28A646C4}
    2012-07-01 07:43:08 -------- d-----w- C:\Users\Codehead\AppData\Local\{55808EDB-C7D3-4418-B834-558384321D44}
    2012-06-30 18:43:31 -------- d-----w- C:\Users\Codehead\AppData\Roaming\Image-Line
    2012-06-30 18:22:37 1554944 ----a-w- C:\Windows\SysWow64\vorbis.acm
    2012-06-30 18:22:33 -------- d-----w- C:\Program Files (x86)\Outsim
    2012-06-30 18:12:14 -------- d-----w- C:\Program Files (x86)\Image-Line
    2012-06-30 16:27:46 -------- d-----w- C:\Program Files (x86)\NCH Software
    2012-06-30 16:27:37 -------- d-----w- C:\Users\Codehead\AppData\Roaming\NCH Software
    2012-06-30 16:20:49 -------- d-----w- C:\Users\Codehead\AppData\Local\{FE7ECA4F-E98A-429D-B12D-A36AE8C1B16A}
    2012-06-30 16:20:34 -------- d-----w- C:\Users\Codehead\AppData\Local\{F5D1ED5F-BBED-4E90-95A6-52257620BEC6}
    2012-06-29 18:22:34 -------- d-----w- C:\Users\Codehead\AppData\Local\{06F5FC3A-7379-4F06-84AD-37A25E013438}
    2012-06-29 18:22:20 -------- d-----w- C:\Users\Codehead\AppData\Local\{AD679CA8-169A-4973-8C63-D9318A95F388}
    2012-06-28 18:47:53 -------- d-----w- C:\Users\Codehead\AppData\Local\{4517A0DF-2F91-4A64-9354-15B526A4F07C}
    2012-06-28 18:47:36 -------- d-----w- C:\Users\Codehead\AppData\Local\{76242114-3A1E-497E-B0A8-723DDE00C2F0}
    2012-06-27 18:07:43 -------- d-----w- C:\Users\Codehead\AppData\Local\{1D4C960B-8608-4B6B-A1CB-F199261E69C5}
    2012-06-27 18:07:31 -------- d-----w- C:\Users\Codehead\AppData\Local\{E1FE6FCD-8DD8-47CA-9DA7-8E2FFDAFA2D5}
    2012-06-26 11:37:04 -------- d-----w- C:\Users\Codehead\AppData\Local\{EC408E80-75D6-4B55-8693-F251D14F94BA}
    2012-06-26 11:36:52 -------- d-----w- C:\Users\Codehead\AppData\Local\{9765F3DF-AD33-4266-9D20-47E8FADC5602}
    2012-06-25 15:41:49 -------- d-----w- C:\Users\Codehead\AppData\Local\{B8C8D4E5-DADE-4DC0-958D-D31476B1A948}
    2012-06-25 15:41:36 -------- d-----w- C:\Users\Codehead\AppData\Local\{0DF4CB72-167E-4B96-BC72-C343D6438970}
    2012-06-24 02:33:36 2622464 ----a-w- C:\Windows\System32\wucltux.dll
    2012-06-24 02:33:29 99840 ----a-w- C:\Windows\System32\wudriver.dll
    2012-06-24 02:33:18 36864 ----a-w- C:\Windows\System32\wuapp.exe
    2012-06-24 02:33:18 186752 ----a-w- C:\Windows\System32\wuwebv.dll
    2012-06-24 02:29:41 -------- d-----w- C:\Users\Codehead\AppData\Local\{602E6761-B84C-45A9-935E-17BC1165AA45}
    2012-06-24 02:29:29 -------- d-----w- C:\Users\Codehead\AppData\Local\{3FA0F958-488F-4CF2-BE9D-2D277DF7939F}
    2012-06-23 12:40:27 -------- d-----w- C:\Users\Codehead\AppData\Local\{80555213-D358-45AE-9A00-89DE17CCCF01}
    2012-06-23 12:40:15 -------- d-----w- C:\Users\Codehead\AppData\Local\{16615612-35B4-4E4A-85FE-27418B5054E0}
    2012-06-22 16:56:15 -------- d-----w- C:\Users\Codehead\AppData\Local\{5060DC4E-4BE0-4E65-A901-A6712CE95024}
    2012-06-22 16:56:03 -------- d-----w- C:\Users\Codehead\AppData\Local\{8C70E6D6-6074-4F47-BB3F-EFA58053C048}
    2012-06-21 22:43:53 -------- d-----w- C:\Users\Codehead\AppData\Local\{6869C1C1-CF8E-4A05-BB27-6CBCAF604292}
    2012-06-21 22:43:40 -------- d-----w- C:\Users\Codehead\AppData\Local\{1BCF00E7-478D-407D-BDEE-54C96C74D972}
    2012-06-20 23:13:43 -------- d-----w- C:\Users\Codehead\AppData\Local\{D6203A74-8E05-40E3-9D14-7E4A5DFE44F1}
    2012-06-20 23:13:25 -------- d-----w- C:\Users\Codehead\AppData\Local\{009F30E0-255F-476C-9F9A-8A41E50E54DC}
    .
    ==================== Find3M ====================
    .
    2012-07-12 02:02:57 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
    2012-07-12 02:02:56 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-07-05 01:02:29 189480 ----a-w- C:\Windows\SysWow64\PnkBstrB.xtr
    2012-07-05 01:02:29 189480 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe
    2012-06-30 07:23:22 298280 ----a-w- C:\Windows\SysWow64\PnkBstrB.ex0
    2012-06-06 06:06:16 2004480 ----a-w- C:\Windows\System32\msxml6.dll
    2012-06-06 06:06:16 1881600 ----a-w- C:\Windows\System32\msxml3.dll
    2012-06-06 05:05:52 1390080 ----a-w- C:\Windows\SysWow64\msxml6.dll
    2012-06-06 05:05:52 1236992 ----a-w- C:\Windows\SysWow64\msxml3.dll
    2012-06-05 14:03:52 166232 ----a-w- C:\Windows\System32\drivers\VBoxNetFlt.sys
    2012-06-05 14:03:52 147288 ----a-w- C:\Windows\System32\drivers\VBoxNetAdp.sys
    2012-06-05 14:02:22 320856 ----a-w- C:\Windows\System32\VBoxNetFltNobj.dll
    2012-06-02 12:12:17 2311680 ----a-w- C:\Windows\System32\jscript9.dll
    2012-06-02 12:05:28 1392128 ----a-w- C:\Windows\System32\wininet.dll
    2012-06-02 12:04:50 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
    2012-06-02 12:01:40 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
    2012-06-02 11:57:08 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
    2012-06-02 08:33:25 1800192 ----a-w- C:\Windows\SysWow64\jscript9.dll
    2012-06-02 08:25:08 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
    2012-06-02 08:25:03 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
    2012-06-02 08:20:33 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
    2012-06-02 08:16:52 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
    2012-06-02 05:50:10 458704 ----a-w- C:\Windows\System32\drivers\cng.sys
    2012-06-02 05:48:16 95600 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
    2012-06-02 05:48:16 151920 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
    2012-06-02 05:45:31 340992 ----a-w- C:\Windows\System32\schannel.dll
    2012-06-02 05:44:21 307200 ----a-w- C:\Windows\System32\ncrypt.dll
    2012-06-02 04:40:42 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
    2012-06-02 04:40:39 225280 ----a-w- C:\Windows\SysWow64\schannel.dll
    2012-06-02 04:39:10 219136 ----a-w- C:\Windows\SysWow64\ncrypt.dll
    2012-06-02 04:34:09 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
    2012-05-04 11:06:22 5559664 ----a-w- C:\Windows\System32\ntoskrnl.exe
    2012-05-04 10:03:53 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
    2012-05-04 10:03:50 3913072 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
    2012-04-28 19:14:56 2892 ----a-w- C:\Windows\SysWow64\audcon.sys
    2012-04-28 05:32:05 1112064 ----a-w- C:\Windows\System32\rdpcorets.dll
    2012-04-28 03:55:21 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
    2012-04-26 05:41:56 77312 ----a-w- C:\Windows\System32\rdpwsx.dll
    2012-04-26 05:41:55 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll
    2012-04-26 05:34:27 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe
    2012-04-24 05:37:37 184320 ----a-w- C:\Windows\System32\cryptsvc.dll
    2012-04-24 05:37:37 140288 ----a-w- C:\Windows\System32\cryptnet.dll
    2012-04-24 05:37:36 1462272 ----a-w- C:\Windows\System32\crypt32.dll
    2012-04-24 04:36:42 140288 ----a-w- C:\Windows\SysWow64\cryptsvc.dll
    2012-04-24 04:36:42 1158656 ----a-w- C:\Windows\SysWow64\crypt32.dll
    2012-04-24 04:36:42 103936 ----a-w- C:\Windows\SysWow64\cryptnet.dll
    .
    ============= FINISH: 23:35:43.23 ===============
     
  7. Codehead

    Codehead TS Rookie Topic Starter

    And, as requested, the 2nd DDS log file.

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows 7 Ultimate
    Boot Device: \Device\HarddiskVolume1
    Install Date: 1/7/2010 1:20:27 AM
    System Uptime: 7/20/2012 11:08:02 PM (0 hours ago)
    .
    Motherboard: Gigabyte Technology Co., Ltd. | | 965P-DQ6
    Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz | Socket 775 | 2400/266mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 69 GiB total, 10.648 GiB free.
    D: is FIXED (NTFS) - 279 GiB total, 36.328 GiB free.
    G: is Removable
    J: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4d36e96c-e325-11ce-bfc1-08002be10318}
    Description: Creative Game Port
    Device ID: PCI\VEN_1102&DEV_7003&SUBSYS_00401102&REV_04\4&36D8C60D&0&01F0
    Manufacturer: Creative
    Name: Creative Game Port
    PNP Device ID: PCI\VEN_1102&DEV_7003&SUBSYS_00401102&REV_04\4&36D8C60D&0&01F0
    Service:
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: D-Link DWA-131 Wireless N Nano USB Adapter
    Device ID: USB\VID_07D1&PID_3303\00E04C000001
    Manufacturer: D-Link Corporation
    Name: D-Link DWA-131 Wireless N Nano USB Adapter
    PNP Device ID: USB\VID_07D1&PID_3303\00E04C000001
    Service: RTL8192su
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: VirtualBox Host-Only Ethernet Adapter
    Device ID: ROOT\NET\0000
    Manufacturer: Oracle Corporation
    Name: VirtualBox Host-Only Ethernet Adapter
    PNP Device ID: ROOT\NET\0000
    Service: VBoxNetAdp
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Marvell Yukon 88E8053 PCI-E Gigabit Ethernet Controller
    Device ID: PCI\VEN_11AB&DEV_4362&SUBSYS_E0001458&REV_22\4&35EC29B0&0&00E4
    Manufacturer: Marvell
    Name: Marvell Yukon 88E8053 PCI-E Gigabit Ethernet Controller
    PNP Device ID: PCI\VEN_11AB&DEV_4362&SUBSYS_E0001458&REV_22\4&35EC29B0&0&00E4
    Service: yukonw7
    .
    ==== System Restore Points ===================
    .
    RP805: 7/18/2012 2:51:16 PM - Windows Update
    .
    ==== Installed Programs ======================
    .
    Update for Microsoft Office 2007 (KB2508958)
    Adobe AIR
    Adobe Community Help
    Adobe Flash Player 11 ActiveX
    Adobe Flash Player 11 Plugin
    Adobe Media Player
    Adobe Photoshop CS5.1
    Adobe Premiere Pro CS5.5
    Adobe Reader 9.5.1
    Adobe Story
    AfterWorld Alpha
    Amazon Kindle
    America's Army 3
    APB Reloaded
    Apple Application Support
    Apple Software Update
    ARMA 2
    ARMA 2: Operation Arrowhead
    ASIO4ALL
    µTorrent
    Auslogics Disk Defrag
    AXE 3.4
    Brytenwalda version 1.39
    Camtasia Studio 7
    Counter-Strike: Source
    CPU Speed Pro version 3
    Creation Kit
    Creative Audio Console
    Creative WaveStudio 7
    Crysis
    Crysis Warhead
    Crysis Wars
    D3DX10
    Day of Defeat: Source
    Dear Esther
    Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
    DivX Setup
    Dune Wars
    DVD Flick 1.3.0.7
    eLicenser Control
    Entropia Universe
    eyeQ
    Fallen Earth
    Fallout 3
    Fallout 3 - The Garden of Eden Creation Kit
    Fallout: New Vegas
    FL Studio 10
    Free 3GP Video Converter version 3.7.15
    Golemlabs' GL Editor
    Guitar Pro 5.0
    Hardcopy (D:\Hardcopy)
    Hotfix for Microsoft Visual Studio 2008 Professional Edition - ENU (KB2465361)
    Hotfix for Microsoft Visual Studio 2008 Professional Edition - ENU (KB971091)
    Hotfix for Microsoft Visual Studio 2008 Professional Edition - ENU (KB971092)
    Hotfix for Microsoft Visual Studio 2008 Professional Edition - ENU (KB973674)
    IL Download Manager
    IL Shared Libraries
    Imperialism II
    Interaktiver Gitarren Kurs
    J2SE Runtime Environment 5.0 Update 4
    Japanese Fonts Support For Adobe Reader 9
    jass-magic-1.1.4 (remove only)
    Java Auto Updater
    Java(TM) 6 Update 14
    Java(TM) 6 Update 29
    Junk Mail filter update
    KeePass Password Safe 2.15
    LizardTech DjVu Control
    Local Port Scanner v1.2.2
    MagicDisc 2.7.106
    Malwarebytes Anti-Malware version 1.62.0.1300
    Master of Mana 1.40
    Melodyne 3.1
    Mesh Runtime
    Messenger Companion
    Microsoft .NET Compact Framework 2.0 SP2
    Microsoft .NET Compact Framework 3.5
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 4 Multi-Targeting Pack
    Microsoft Application Error Reporting
    Microsoft ASP.NET MVC 2
    Microsoft ASP.NET MVC 2 - Visual Studio 2010 Tools
    Microsoft ASP.NET Web Pages
    Microsoft Document Explorer 2008
    Microsoft Games for Windows - LIVE Redistributable
    Microsoft Games for Windows Marketplace
    Microsoft Office 2007 Service Pack 3 (SP3)
    Microsoft Office 2010 Service Pack 1 (SP1)
    Microsoft Office Access 2007
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access MUI (German) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Excel MUI (German) 2007
    Microsoft Office File Validation Add-In
    Microsoft Office Home and Student 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office OneNote MUI (German) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office PowerPoint MUI (German) 2007
    Microsoft Office Project MUI (English) 2010
    Microsoft Office Project Professional 2010
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (English) 2010
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (French) 2010
    Microsoft Office Proof (German) 2007
    Microsoft Office Proof (Italian) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proof (Spanish) 2010
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing (English) 2010
    Microsoft Office Proofing (German) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared MUI (English) 2010
    Microsoft Office Shared MUI (German) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2010
    Microsoft Office Word MUI (English) 2007
    Microsoft Office Word MUI (German) 2007
    Microsoft Project 2010 Service Pack 1 (SP1)
    Microsoft Project Professional 2010
    Microsoft Research AutoCollage 2008 Academic Edition
    Microsoft Silverlight 3 SDK
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft SQL Server 2008 R2 Data-Tier Application Framework
    Microsoft SQL Server 2008 R2 Data-Tier Application Project
    Microsoft SQL Server 2008 R2 Management Objects
    Microsoft SQL Server 2008 R2 Transact-SQL Language Service
    Microsoft SQL Server Compact 3.5 SP2 ENU
    Microsoft SQL Server Database Publishing Wizard 1.4
    Microsoft SQL Server System CLR Types
    Microsoft Sync Framework SDK v1.0 SP1
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4974
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
    Microsoft Visual C++ 2010 x86 Runtime - 10.0.30319
    Microsoft Visual F# 2.0 Runtime
    Microsoft Visual Studio 2005 Tools for Office Runtime
    Microsoft Visual Studio 2010 ADO.NET Entity Framework Tools
    Microsoft Visual Studio Macro Tools
    Microsoft_VC80_ATL_x86
    Microsoft_VC80_CRT_x86
    Microsoft_VC80_MFC_x86
    Microsoft_VC80_MFCLOC_x86
    Microsoft_VC90_ATL_x86
    Microsoft_VC90_CRT_x86
    Microsoft_VC90_MFC_x86
    Microsoft_VC90_MFCLOC_x86
    Mount & Blade
    Mount and Blade: Warband
    MSVCRT
    MSVCRT_amd64
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    NifSkope (remove only)
    Notepad++
    NVIDIA Photoshop Plug-ins
    NVIDIA PhysX
    NxS XFade control v0.7
    Oblivion - Construction Set
    OpenAL
    Opera 12.00
    Orbis
    PDF Settings CS5
    PDFCreator
    Prism Video File Converter
    PunkBuster Services
    PxMergeModule
    Python 2.6.6
    QuickTime
    Realtek High Definition Audio Driver
    Samsung_MonSetup
    SecondLifeViewer (remove only)
    Secure Download Manager
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
    Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
    Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
    Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
    Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596880) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2597162) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2598041) 32-Bit Edition
    Security Update for Microsoft Office 2010 (KB2553091)
    Security Update for Microsoft Office 2010 (KB2553447) 32-Bit Edition
    Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition
    Security Update for Microsoft Office 2010 (KB2598039) 32-Bit Edition
    Security Update for Microsoft Office 2010 (KB2598243) 32-Bit Edition
    Security Update for Microsoft Office Excel 2007 (KB2597161) 32-Bit Edition
    Security Update for Microsoft Office InfoPath 2007 (KB2596786) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
    Security Update for Microsoft Office Word 2007 (KB2596917) 32-Bit Edition
    Security Update for Microsoft SharePoint Workspace 2010 (KB2566445)
    Security Update for Microsoft Visual Studio Macro Tools (KB2669970)
    Sibelius 6
    Sibelius Scorch (Firefox, Opera, Netscape only)
    Sid Meier's Civilization 4
    Sid Meier's Civilization 4 - Beyond the Sword
    Sid Meier's Civilization 4 - Warlords
    Sid Meier's Civilization IV Colonization
    Sid Meier's Civilization V
    Sid Meier's Civilization V SDK
    Sniper: Ghost Warrior - Dedicated Server
    Songsmith (Academic Edition)
    Star Trek
    Star Trek Online
    Star Wars: Knights of the Old Republic
    Star Wars: The Force Unleashed
    Steam
    Steinberg Groove Agent ONE Content
    Steinberg Groove Agent ONE Vintage Beatboxes
    Steinberg HALion Sonic SE Content for Cubase LE AI Elements
    Super Meat Boy
    Super Meat Boy Editor
    Switch Sound File Converter
    Sword of Islam
    TeXstudio 2.3
    The Elder Scrolls IV: Oblivion
    The Elder Scrolls V: Skyrim
    The Guild II: Renaissance
    The Klub 17 [v 6.10]
    Tom Clancy's Splinter Cell
    Tom Clancy's Splinter Cell: Chaos Theory
    Total War: SHOGUN 2
    Transcribe! 8.10
    Tropico 4
    TrueCrypt
    UltraStar Deluxe
    Uninstall 1.0.0.1
    Update für Microsoft Office Excel 2007 Help (KB963678)
    Update für Microsoft Office Powerpoint 2007 Help (KB963669)
    Update für Microsoft Office Word 2007 Help (KB963665)
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
    Update for Microsoft .NET Framework 4 Extended (KB2468871)
    Update for Microsoft .NET Framework 4 Extended (KB2533523)
    Update for Microsoft .NET Framework 4 Extended (KB2600217)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2553270) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2566458)
    Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2597091) 32-Bit Edition
    Update for Microsoft Office Access 2007 Help (KB963663)
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office OneNote 2007 Help (KB963670)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    Update for Microsoft OneNote 2010 (KB2589345) 32-Bit Edition
    VC Runtimes MSI
    VC80CRTRedist - 8.0.50727.4053
    Visual C++ 2008 IA64 Runtime - (v9.0.30729)
    Visual C++ 2008 IA64 Runtime - v9.0.30729.01
    Visual C++ 2008 x64 Runtime - (v9.0.30729)
    Visual C++ 2008 x64 Runtime - (v9.0.30729.4148)
    Visual C++ 2008 x64 Runtime - (v9.0.30729.6161)
    Visual C++ 2008 x64 Runtime - KB2465361 - (v9.0.30729.5570)
    Visual C++ 2008 x64 Runtime - v9.0.30729.01
    Visual C++ 2008 x64 Runtime - v9.0.30729.4148
    Visual C++ 2008 x64 Runtime - v9.0.30729.5570
    Visual C++ 2008 x64 Runtime - v9.0.30729.6161
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - (v9.0.30729.4148)
    Visual C++ 2008 x86 Runtime - (v9.0.30729.6161)
    Visual C++ 2008 x86 Runtime - KB2465361 - (v9.0.30729.5570)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    Visual C++ 2008 x86 Runtime - v9.0.30729.4148
    Visual C++ 2008 x86 Runtime - v9.0.30729.5570
    Visual C++ 2008 x86 Runtime - v9.0.30729.6161
    Visual Studio 2005 Tools for Office Second Edition Runtime
    Visual Studio 2010 Tools for SQL Server Compact 3.5 SP2 ENU
    Visual Studio Tools for the Office system 3.0 Runtime
    Visual Studio Tools for the Office system 3.0 Runtime Service Pack 1 (KB949258)
    VLC media player 1.1.11
    WavePad Sound Editor
    Winamp
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Installer
    Windows Live Mail
    Windows Live Mesh
    Windows Live Mesh ActiveX Control for Remote Connections
    Windows Live Messenger
    Windows Live Messenger Companion Core
    Windows Live Movie Maker
    Windows Live Photo Common
    Windows Live Photo Gallery
    Windows Live PIMT Platform
    Windows Live SOXE
    Windows Live SOXE Definitions
    Windows Live Sync
    Windows Live UX Platform
    Windows Live UX Platform Language Pack
    Windows Live Writer
    Windows Live Writer Resources
    Windows Media Encoder 9 Series
    Windows Media Player Firefox Plugin
    Windows Mobile 5.0 SDK R2 for Pocket PC
    Windows Mobile 5.0 SDK R2 for Smartphone
    WinImage
    WMHelp XmlPad
    X3: Albion Prelude
    X3: Reunion
    X3: Terran Conflict
    .
    ==== Event Viewer Messages From Past Week ========
    .
    7/20/2012 7:49:23 AM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.131.241.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8601.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
    7/20/2012 11:19:30 PM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.131.241.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8601.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
    7/20/2012 10:50:26 PM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.131.241.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8601.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
    7/20/2012 10:40:56 PM, Error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
    7/20/2012 10:40:56 PM, Error: Service Control Manager [7024] - The Windows Search service terminated with service-specific error %%-1073473535.
    7/16/2012 2:40:19 AM, Error: Ntfs [137] - The default transaction resource manager on volume P: encountered a non-retryable error and could not start. The data contains the error code.
    7/16/2012 1:51:09 PM, Error: volsnap [36] - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.
    7/15/2012 12:54:27 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the wlidsvc service.
    7/13/2012 9:31:56 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk3\DR3.
    7/13/2012 11:05:37 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk3\DR4.
    .
    ==== End Of File ===========================
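    The event section of that log is the part a responder reads first, because it shows whether the security tooling was still working: three Microsoft Antimalware 2001 signature-update failures with error 0x8024402c, and the Windows Search service terminating (7031/7024). The following is an added example, not part of the thread or of DDS: a small Python parser for lines in the DDS event format, with a triage summary of antimalware failures and terminated services. The sample lines are an abridged, constructed copy of the events above (descriptions shortened, same line layout); the event ids and their meanings are taken from the log messages themselves, not from an external table, and the script assumes DDS keeps this `date, Level: Source [id] - message` layout.

```python
"""Triage the "Event Viewer Messages" section of a DDS log.

Added example for this thread; not part of DDS or any tool the posters used.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample: an abridged copy of the event lines from the DDS log
# above, with the long descriptions cut down. Same line format as DDS emits.
SAMPLE_EVENTS = """\
7/20/2012 7:49:23 AM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. Error code: 0x8024402c
7/20/2012 11:19:30 PM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. Error code: 0x8024402c
7/20/2012 10:50:26 PM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. Error code: 0x8024402c
7/20/2012 10:40:56 PM, Error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s).
7/20/2012 10:40:56 PM, Error: Service Control Manager [7024] - The Windows Search service terminated with service-specific error %%-1073473535.
7/16/2012 1:51:09 PM, Error: volsnap [36] - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.
"""

# "7/20/2012 7:49:23 AM, Error: Microsoft Antimalware [2001] - message"
EVENT_RE = re.compile(
    r"^(?P<time>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<event_id>\d+)\] - (?P<message>.*)$"
)
ERROR_CODE_RE = re.compile(r"Error code: (0x[0-9A-Fa-f]+)")
SERVICE_RE = re.compile(r"The (.+?) service terminated")


def parse_dds_events(text):
    """Turn each DDS event line into a dict; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        code = ERROR_CODE_RE.search(m["message"])
        events.append({
            "time": datetime.strptime(m["time"], "%m/%d/%Y %I:%M:%S %p"),
            "level": m["level"],
            "source": m["source"],
            "event_id": int(m["event_id"]),
            "message": m["message"],
            "error_code": code.group(1) if code else None,
        })
    return events


def triage(events):
    """Summarise what a responder checks first: is the antimalware engine still
    updating, and which services are dying. The ids are the ones in the log:
    Microsoft Antimalware 2001 (signature update failed) and Service Control
    Manager 7031/7024 (service terminated)."""
    by_source = Counter((e["source"], e["event_id"]) for e in events)
    av_failures = [e for e in events
                   if e["source"] == "Microsoft Antimalware" and e["event_id"] == 2001]
    terminated = set()
    for e in events:
        if e["source"] == "Service Control Manager" and e["event_id"] in (7031, 7024):
            m = SERVICE_RE.search(e["message"])
            if m:
                terminated.add(m.group(1))
    # DDS does not list events chronologically, so sort before taking the span.
    ordered = sorted(events, key=lambda e: e["time"])
    return {
        "by_source": by_source,
        "antimalware_update_failures": len(av_failures),
        "antimalware_error_codes": sorted({e["error_code"] for e in av_failures
                                          if e["error_code"]}),
        "service_terminations": sorted(terminated),
        "first_event": ordered[0]["time"] if ordered else None,
        "last_event": ordered[-1]["time"] if ordered else None,
    }


if __name__ == "__main__":
    report = triage(parse_dds_events(SAMPLE_EVENTS))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against the whole "Event Viewer Messages" section of a DDS log (paste the lines into `SAMPLE_EVENTS` or read them from a file) and the summary tells you at a glance whether the antimalware engine was failing to update during the incident window, which is the first thing the thread's own triage turned on.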
     
  8. Codehead

    Codehead TS Rookie Topic Starter

    That's all there is.. my guess is that everything has been removed after running Anti-Malware. Could anyone please confirm this assumption?

    Thanks again,
    Johannes
     
  9. Codehead

    Codehead TS Rookie Topic Starter

    I have restarted the computer and run Anti-Malware: 'No malicious items detected.'

    Plugged in the Internet, restarted, ran Anti-Malware again and watched the computer's behavior a bit, and it seems to function properly again.

    Gawd, I hate it when so much time and nerves get destroyed by this kind of "programs".. but it could have been much more time without your hint DMJ, thanks aaaaannd

    Peace!
     
  10. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Great...let's continue disinfection. Don't want your computer to reinfect itself.

    ComboFix

    Please download ComboFix by sUBs
    From BleepingComputer.com

    Please save the file to your Desktop, but rename it first to svchost.exe

    Important information about ComboFix

    Before the download:
    • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
    • It is important to rename ComboFix before the download.
    • Please do not rename ComboFix to other names, but only the one indicated.
    After the download:
    • Close any open browsers.
    • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
    Running ComboFix:
    • Double click on svchost.exe & follow the prompts.
    • It will attempt to install the Recovery Console.
    • When ComboFix finishes, it will produce a report for you.
    • Please post the "C:\Combo-Fix.txt" in your next reply.
    Troubleshooting ComboFix

    Safe Mode:

    If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

    (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear; select "Safe Mode.")

    Re-downloading:

    If this doesn't work either, try the same method (above method), but try to download it again, except rename ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

    Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.
     
  11. Codehead

    Codehead TS Rookie Topic Starter

    Hi and a big sorry, I didn't expect more to come.. I used the PC already.. but just to disable Opera's Java plugin and to play Dwarf Fortress for the rest of the night.. I hope that, and the fact that I restarted the machine several times, doesn't matter.. I also noticed that some Windows functions do not work as they should.. e.g. when I use a different view (List, Details, Tiles and so on..) Windows does not save it. It also messes up my Desktop's icons every time I restart.. anyway, here is the log that ComboFix a.k.a. svchost.exe produced:

    ComboFix 12-07-21.01 - Codehead 07/21/2012 18:41:55.1.2 - x64
    Microsoft Windows 7 Ultimate 6.1.7601.1.1252.49.1033.18.4094.2572 [GMT 2:00]
    ausgeführt von:: c:\users\Codehead\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    (((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Disk Defrag
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Disk Defrag\Auslogics Disk Defrag on the Web.url
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Disk Defrag\Auslogics Disk Defrag.lnk
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Disk Defrag\Uninstall Auslogics Disk Defrag.lnk
    c:\users\Codehead\AppData\Local\assembly\tmp
    c:\users\Codehead\AppData\Roaming\Microsoft\Windows\Recent\America's Army 3.url
    c:\users\Codehead\AppData\Roaming\Microsoft\Windows\Recent\Melodyne.mar
    c:\users\Codehead\AppData\Roaming\Microsoft\Windows\Recent\SunnyD and Rum.mar
    c:\windows\IsUn0407.exe
    c:\windows\SysWow64\html
    c:\windows\SysWow64\images
    .
    .
    ((((((((((((((((((((((( Dateien erstellt von 2012-06-21 bis 2012-07-21 ))))))))))))))))))))))))))))))
    .
    .
    2012-07-21 02:32 . 2012-06-29 10:04 9133488 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{10B5716C-4369-4D1D-94E9-DFBD972056DA}\mpengine.dll
    2012-07-20 21:27 . 2012-06-29 10:04 9133488 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-07-20 20:56 . 2012-07-20 20:56 -------- d-----w- c:\users\Codehead\AppData\Roaming\Malwarebytes
    2012-07-20 20:56 . 2012-07-20 20:56 -------- d-----w- c:\programdata\Malwarebytes
    2012-07-20 20:56 . 2012-07-03 11:46 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-07-20 05:38 . 2012-07-20 05:39 -------- d-----w- c:\users\Codehead\AppData\Roaming\Ariti
    2012-07-20 05:38 . 2012-07-20 05:38 -------- d-----w- c:\users\Codehead\AppData\Roaming\Eqli
    2012-07-17 21:50 . 2012-07-17 21:50 -------- d-----w- c:\users\Codehead\AppData\Roaming\UDP Software
    2012-07-17 03:20 . 2012-07-17 03:20 -------- d-----w- c:\users\Codehead\AppData\Roaming\MiKTeX
    2012-07-17 00:44 . 2012-07-17 00:44 -------- d-----w- c:\users\Codehead\AppData\Local\MiKTeX
    2012-07-15 21:40 . 2012-07-15 21:40 -------- d-----w- c:\programdata\QuickTime
    2012-07-15 21:38 . 2012-07-15 21:38 -------- d-----w- c:\program files (x86)\Musicalis
    2012-07-11 04:28 . 2012-06-12 03:08 3148800 ----a-w- c:\windows\system32\win32k.sys
    2012-07-11 04:09 . 2012-06-09 05:43 14172672 ----a-w- c:\windows\system32\shell32.dll
    2012-07-11 04:07 . 2012-06-06 06:05 466944 ----a-w- c:\program files\Common Files\System\ado\msadomd.dll
    2012-07-11 04:07 . 2012-06-06 06:05 1499136 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
    2012-07-11 04:07 . 2012-06-06 05:05 1019904 ----a-w- c:\program files (x86)\Common Files\System\ado\msado15.dll
    2012-07-11 04:07 . 2012-06-06 06:05 495616 ----a-w- c:\program files\Common Files\System\ado\msadox.dll
    2012-07-11 04:07 . 2012-06-06 06:05 258048 ----a-w- c:\program files\Common Files\System\msadc\msadco.dll
    2012-07-11 04:07 . 2012-06-06 05:05 352256 ----a-w- c:\program files (x86)\Common Files\System\ado\msadomd.dll
    2012-07-11 04:07 . 2012-06-06 05:03 805376 ----a-w- c:\windows\SysWow64\cdosys.dll
    2012-07-11 04:07 . 2012-06-06 06:05 61440 ----a-w- c:\program files\Common Files\System\ado\msador15.dll
    2012-07-11 04:07 . 2012-06-06 06:02 1133568 ----a-w- c:\windows\system32\cdosys.dll
    2012-07-11 04:07 . 2012-06-06 05:05 143360 ----a-w- c:\program files (x86)\Common Files\System\ado\msjro.dll
    2012-07-11 04:07 . 2012-06-06 05:05 372736 ----a-w- c:\program files (x86)\Common Files\System\ado\msadox.dll
    2012-07-11 04:07 . 2012-06-06 05:05 57344 ----a-w- c:\program files (x86)\Common Files\System\ado\msador15.dll
    2012-07-11 04:07 . 2012-06-06 05:05 212992 ----a-w- c:\program files (x86)\Common Files\System\msadc\msadco.dll
    2012-07-10 11:58 . 2012-07-10 11:58 -------- d-----w- c:\users\Codehead\AppData\Roaming\Apple Computer
    2012-07-10 06:47 . 2012-07-10 06:47 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin7.dll
    2012-07-10 06:47 . 2012-07-10 06:47 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin6.dll
    2012-07-10 06:47 . 2012-07-10 06:47 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin5.dll
    2012-07-10 06:47 . 2012-07-10 06:47 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin4.dll
    2012-07-10 06:47 . 2012-07-10 06:47 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin3.dll
    2012-07-10 06:47 . 2012-07-10 06:47 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin2.dll
    2012-07-10 06:47 . 2012-07-10 06:47 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin.dll
    2012-07-10 06:45 . 2012-07-10 06:45 -------- d-----w- c:\program files (x86)\Common Files\Apple
    2012-07-10 06:45 . 2012-07-10 06:45 -------- d-----w- c:\program files (x86)\Apple Software Update
    2012-07-10 03:06 . 2012-07-10 03:06 -------- d-----w- c:\programdata\Microsoft SkyDrive
    2012-07-09 21:48 . 2012-06-05 14:03 224088 ----a-w- c:\windows\system32\drivers\VBoxDrv.sys
    2012-07-09 21:48 . 2012-06-05 14:03 130904 ----a-w- c:\windows\system32\drivers\VBoxUSBMon.sys
    2012-07-09 21:42 . 2012-07-09 21:42 -------- d-----w- c:\program files (x86)\Microsoft Analysis Services
    2012-07-09 19:42 . 2012-07-09 19:42 -------- d-----w- c:\program files\Microsoft Synchronization Services
    2012-07-09 19:42 . 2012-07-09 19:42 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
    2012-07-09 19:31 . 2012-07-15 00:33 -------- d-----w- c:\windows\SysWow64\1033
    2012-07-09 19:26 . 2012-07-09 19:26 -------- d-----w- c:\program files (x86)\Microsoft Visual Studio 9.0
    2012-07-09 19:21 . 2012-07-09 19:21 -------- d-----w- c:\users\Codehead\AppData\Roaming\texstudio
    2012-07-09 18:47 . 2012-07-09 18:47 -------- d-----w- c:\programdata\MiKTeX
    2012-07-09 15:23 . 2012-07-09 15:23 -------- d-----w- c:\users\Codehead\AppData\Local\e-academy Inc
    2012-07-07 02:22 . 2012-07-07 02:22 -------- d-----w- c:\users\Codehead\AppData\Roaming\Awesomium
    2012-07-03 19:15 . 2012-02-10 21:57 927800 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E69E3F7C-C3E5-46F2-BF13-D23472C1D9D7}\gapaengine.dll
    2012-06-30 18:43 . 2012-06-30 18:43 -------- d-----w- c:\users\Codehead\AppData\Roaming\Image-Line
    2012-06-30 18:22 . 2009-09-15 09:14 1554944 ----a-w- c:\windows\SysWow64\vorbis.acm
    2012-06-30 18:22 . 2012-06-30 18:22 -------- d-----w- c:\program files (x86)\Outsim
    2012-06-30 18:12 . 2012-06-30 18:22 -------- d-----w- c:\program files (x86)\Image-Line
    2012-06-30 16:28 . 2012-07-16 02:37 -------- d-----w- c:\programdata\NCH Software
    2012-06-30 16:27 . 2012-07-16 02:37 -------- d-----w- c:\program files (x86)\NCH Software
    2012-06-30 16:27 . 2012-07-16 02:37 -------- d-----w- c:\users\Codehead\AppData\Roaming\NCH Software
    2012-06-24 02:33 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-24 02:33 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-24 02:33 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
    2012-06-24 02:33 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-24 02:33 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll
    2012-06-24 02:33 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-24 02:33 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-24 02:33 . 2012-06-02 13:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-24 02:33 . 2012-06-02 13:15 36864 ----a-w- c:\windows\system32\wuapp.exe
    .
    .
    .
    (((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-07-15 00:25 . 2011-03-22 10:01 2117120 ----a-w- c:\programdata\Microsoft\VisualStudio\10.0\1033\ResourceCache.dll
    2012-07-12 02:02 . 2012-04-03 22:48 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2012-07-12 02:02 . 2011-08-25 22:00 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-07-11 04:14 . 2010-01-07 02:48 59701280 ----a-w- c:\windows\system32\MRT.exe
    2012-07-05 01:02 . 2010-08-27 22:41 189480 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr
    2012-07-05 01:02 . 2010-08-27 22:38 189480 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
    2012-06-30 07:23 . 2010-08-27 22:38 298280 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0
    2012-06-05 14:03 . 2012-06-05 14:03 166232 ----a-w- c:\windows\system32\drivers\VBoxNetFlt.sys
    2012-06-05 14:03 . 2012-06-05 14:03 147288 ----a-w- c:\windows\system32\drivers\VBoxNetAdp.sys
    2012-06-05 14:02 . 2012-06-05 14:02 320856 ----a-w- c:\windows\system32\VBoxNetFltNobj.dll
    2012-05-18 18:59 . 2012-05-18 18:59 163048 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10141.bin
    2012-05-04 11:06 . 2012-06-13 18:48 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe
    2012-05-04 10:03 . 2012-06-13 18:48 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
    2012-05-04 10:03 . 2012-06-13 18:48 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
    2012-04-28 19:14 . 2012-04-28 19:14 2892 ----a-w- c:\windows\SysWow64\audcon.sys
    2012-04-28 05:32 . 2012-06-13 18:48 1112064 ----a-w- c:\windows\system32\rdpcorets.dll
    2012-04-28 03:55 . 2012-06-13 18:48 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-04-26 05:41 . 2012-06-13 18:48 77312 ----a-w- c:\windows\system32\rdpwsx.dll
    2012-04-26 05:41 . 2012-06-13 18:48 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
    2012-04-26 05:34 . 2012-06-13 18:48 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
    .
    .
    (((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Steam"="d:\steam\steam.exe" [2011-08-03 1242448]
    "WLSync"="c:\program files (x86)\Windows Live\Mesh\WLSync.exe" [2012-03-08 1449824]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "Adobe Reader Speed Launcher"="d:\adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
    "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-20 59240]
    "QuickTime Task"="d:\quicktime\QTTask.exe" [2012-04-18 421888]
    .
    c:\users\Codehead\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - d:\microsoft office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-12 250056]
    R3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.SYS [2010-03-18 158808]
    R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2011-05-25 79360]
    R3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.SYS [2010-03-18 706648]
    R3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\System32\drivers\CTERFXFX.SYS [2010-03-18 141912]
    R3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.SYS [2010-03-18 141912]
    R3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.SYS [2010-03-18 681048]
    R3 dump_wmimmc;dump_wmimmc;d:\netmarbleglobal\GV Online Eg\GameGuard\dump_wmimmc.sys [x]
    R3 EagleX64;EagleX64;c:\windows\system32\drivers\EagleX64.sys [x]
    R3 esgiguard;esgiguard;c:\program files (x86)\Enigma Software Group\SpyHunter\esgiguard.sys [x]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-20 98688]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-26 291696]
    R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [x]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4925184]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 20992]
    R3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8192su.sys [2010-11-25 694888]
    R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
    R3 sxuptp;SXUPTP Driver;c:\windows\system32\DRIVERS\sxuptp.sys [x]
    R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
    R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
    R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\DRIVERS\VBoxNetAdp.sys [2012-06-05 147288]
    R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
    R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
    S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2011-03-04 55856]
    S1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [2011-07-01 55384]
    S1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys [2012-06-05 224088]
    S1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\DRIVERS\VBoxUSBMon.sys [2012-06-05 130904]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
    S3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\System32\drivers\COMMONFX.SYS [2010-03-18 158808]
    S3 copperhd;Razer Copperhead Driver;c:\windows\system32\drivers\copperhd.sys [2006-05-24 13824]
    S3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\System32\drivers\CTAUDFX.SYS [2010-03-18 706648]
    S3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\System32\drivers\CTSBLFX.SYS [2010-03-18 681048]
    S3 LADF_DHP2;G35 DHP2 Filter Driver;c:\windows\system32\DRIVERS\ladfDHP2amd64.sys [2010-09-29 62168]
    S3 LADF_SBVM;G35 SBVM Filter Driver;c:\windows\system32\DRIVERS\ladfSBVMamd64.sys [2010-09-29 377176]
    S3 VBoxNetFlt;VirtualBox Bridged Networking Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys [2012-06-05 166232]
    S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2009-09-28 395264]
    .
    .
    Inhalt des "geplante Tasks" Ordners
    .
    2012-07-21 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-03 02:02]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 1271168]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x0
    .
    ------- Zusätzlicher Suchlauf -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = about:Tabs
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - d:\micros~1\Office12\EXCEL.EXE/3000
    IE: Open with XmlPad - d:\xmlpad\WmhASPP.dll/101
    TCP: DhcpNameServer = 192.168.2.1
    Handler: wmh - {A1428E78-2D00-4590-A071-0CC9700A7768} - d:\xmlpad\WmhASPP.dll
    .
    - - - - Entfernte verwaiste Registrierungseinträge - - - -
    .
    AddRemove-Imperialism II - c:\windows\IsUn0407.exe
    AddRemove-WinImage - c:\users\Codehead\Desktop\Data Recovery\WinImage v8.50\winimage.exe
    .
    .
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\npggsvc]
    "ImagePath"="c:\windows\system32\GameMon.des -service"
    .
    --------------------- Gesperrte Registrierungsschluessel ---------------------
    .
    [HKEY_USERS\S-1-5-21-407477768-3834995353-2232539331-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*Ï3]
    @Class="Shell"
    .
    [HKEY_USERS\S-1-5-21-407477768-3834995353-2232539331-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*Ï3\OpenWithList]
    @Class="Shell"
    "a"="vlc.exe"
    "MRUList"="a"
    .
    [HKEY_USERS\S-1-5-21-407477768-3834995353-2232539331-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{DD5A5B6D-6B0F-24B5-26F3-C267FC21DEC8}*]
    @Allowed: (Read) (RestrictedCode)
    "haggjbpdoeckljnp"=hex:67,61,68,61,6d,6f,62,6c,6f,64,6b,6b,64,6a,00,77
    "iakdfjkglngjdjnjmn"=hex:63,61,6c,61,66,6f,00,01
    .
    [HKEY_USERS\S-1-5-21-407477768-3834995353-2232539331-1000\Software\SecuROM\License information*]
    "datasecu"=hex:67,18,d4,09,58,c0,76,5c,2f,8c,1b,14,cf,ec,d7,a0,8e,a0,cd,e7,c0,
    77,ce,5b,ca,fa,e6,23,c4,61,20,9d,27,07,47,e1,97,ad,b9,11,6a,e9,f7,11,18,88,\
    "rkeysecu"=hex:7d,40,10,cb,c7,39,e0,67,0a,69,a8,47,07,da,5b,5c
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_265_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_265_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
    @Denied: (A) (Everyone)
    "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B9A09F18-45AB-4F09-A117-A4ADDA8FA8C8}]
    @Denied: (A) (Everyone)
    "Solution"="{36eb6792-3a29-43b3-8cd0-f67d266fb426}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane]
    @Denied: (A) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane\0]
    "Key"="ActionsPane"
    "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\8.0\\ActionsPane.xsd"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
    @Denied: (A) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
    "Key"="ActionsPane3"
    "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
    "Version"=hex:90,88,a6,da,dc,33,14,d4,f2,a7,e5,78,e8,dc,13,16,c3,93,db,0e,2e,
    d3,00,57,cb,fa,d7,5c,bf,f4,fd,86,c3,fc,76,4b,e1,d9,1b,e2,df,92,19,4a,f4,8d,\
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Weitere laufende Prozesse ------------------------
    .
    c:\program files (x86)\Creative\Shared Files\CTAudSvc.exe
    c:\windows\SysWOW64\PnkBstrA.exe
    .
    **************************************************************************
    .
    Zeit der Fertigstellung: 2012-07-21 19:03:30 - PC wurde neu gestartet
    ComboFix-quarantined-files.txt 2012-07-21 17:03
    .
    Vor Suchlauf: 15,260,209,152 bytes free
    Nach Suchlauf: 14,973,247,488 bytes free
    .
    - - End Of File - - 939071F3297514D1C71A90F499FCF282
     
  12. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Let's work with the following tool as well...

    Please download the latest version of Kaspersky GetSystemInfo (GSI) from Kaspersky and save it to your Desktop.

    Note: please close all other applications running on your system.

    Double click GetSystemInfo.exe to open it. It will display an agreement. Click on I Agree to continue.

    Click the Settings button.

    Set the slider to Maximum.

    IMPORTANT! Then, click Customize - choose Driver / Ports tab and uncheck Scan Ports.


    On the General tab, make sure all of the boxes are checked.


    On the Misc tab, make sure all the checkboxes are checked.

    Then, click OK on the windows that you launched.

    Click Create Report to run it.

    It will begin scanning.

    It will create a zip folder called GetSystemInfo_XXXXXXXXXXXXXX.zip on your Desktop.

    It should automatically upload it to http://www.getsysteminfo.com. If it does not, then please submit it manually by going to the site and doing the upload process.

    It will redirect to a page, where it will provide a sharing URL for specialists. Copy and paste the URL of the GSI Parser report in your next reply.
     
  13. Codehead

    Codehead TS Rookie Topic Starter

  14. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Please list all errors or issues...
     
  15. Codehead

    Codehead TS Rookie Topic Starter

    Hello DMJ,

    All errors and issues are listed in the report, besides the Event Log, which I had to exclude because it contains too much information that I consider private and that I will not share.

    From the results of the scans we ran so far and from watching the system for a few days, I'd say that the initial problem has been solved and there are no other threats on the machine. Thank you very much for your time and effort, I really appreciate it and I would not have been able to remove Sirefef without your help.

    Thanks and peace!
     
  16. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Very well. Topic solved.
     