[Solved] Need help with 0Access removal


Codehead
Hello guys,

I noticed odd behavior on my machine yesterday: there suddenly were several unknown processes (looking like this: '~AB123xyz') in the Task Manager and there was a severe performance drop. I killed all processes I could not recognize and watched my system's network activity. explorer.exe had lots of connections that were rapidly changing. It looked very much the same as when you download something with a torrent client and watch its peer list. From what I have read so far, this was probably because it became a node in some botnet or downloaded more virus modules. So I unplugged my network cable and tried to run a quick scan, but MSE was not responding; some services might have been terminated by the dropper program. I killed the MSE process and started it up again. The quick scan results showed Sirefef.AB and another Sirefef variant that I don't recall. Some of the files were removed by MSE, but I checked the folder location of one of the newly detected trojans and it was still there. I could access it through Explorer's address bar, but when I tried to remove it, it was not visible and del on the Command Prompt failed. I realized that a rootkit was fooling me and that this rootkit must have already installed itself inside the OS. I got too pissed to deal with it yesterday, but now I have to.

After reading some related forum entries before posting this, I already took the following steps:
  • started in System Recovery Mode
  • ran Farbar Recovery Scan Tool (64-Bit)
I had a successful infection of my system two or three years ago, but it was not such a nasty bugger and, if I remember correctly, it came through a Java exploit as well. MSE blocks malware pretty well, but it seems to have some problems with Java-related things. The Java browser plug-in is the first thing that goes once I have got rid of this infection, but for now I am too scared to boot into the system; I don't want to do any more damage to it.

The affected machine is still running in System Recovery Mode, if someone could tell me what I have to do next, I would really appreciate it. Oh, and the log file is attached to this posting.

Thank you in advance,
Johannes
 

Attachments
  • FRST.txt (43.1 KB)
Hello, and welcome to TechSpot.

Please see here for the board rules and other FAQ.

Please feel free to introduce yourself, after you follow the steps below to get started.

Information
  • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
  • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
  • If you have already asked for help somewhere, please post the link to the topic you were helped.
  • We try our best to reply quickly, but if for any reason we do not reply within two days, please reply to this topic with the word BUMP!
  • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.
Please review the 5-Step removal instructions and post the logs back here for my review.
 
Hello DMJ and thank you for your quick reply. I read the instructions and they say that the computer is to be started in NORMAL mode. Let me just clarify this before I proceed, please. Can I reduce further damage to the system by starting it in SAFE mode, or would that be counterproductive?

Thanks again,
Johannes
 
No more replies so far, so I'll stick with NORMAL mode to get this done.

I booted up the system in normal mode and got a new fake AV scanner (Rogue:Win32/Winwebsec) popping up. MSE did not start up properly, and almost nothing else did either. I started MSE manually and, after it refused to start a few times, it finally did. I ran a quick scan and Sirefef.AB, Sirefef.P, Sirefef.W and what not were found, and probably were not removed correctly by MSE. So, here are the steps of the removal instructions:
  • ran Anti-Malware
  • started GMER and waited for its quick scan to finish
GMER did not find anything and produced an empty log file. I don't know if I have to click 'Scan' myself or not, but since the instructions do not say so, and since they also say to click 'NO' when asked to do a full system scan, I assume I do not have to click it. The instructions really could be a bit more specific at this point.
  • ran DDS
And here come all the logs:
 
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.20.08

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Codehead :: KANDALF [administrator]

7/20/2012 10:58:55 PM
mbam-log-2012-07-20 (22-58-55).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 190092
Time elapsed: 4 minute(s), 14 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Live Security Platinum (Trojan.LameShield) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|0C1CFAE7CF1EF58502A368B9F875EF60 (Trojan.LameShield) -> Data: C:\ProgramData\0C1CFAE7CF1EF58502A368B9F875EF60\0C1CFAE7CF1EF58502A368B9F875EF60.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 1
C:\Users\Codehead\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Live Security Platinum (Rogue.LiveSecurityPlatinum) -> Quarantined and deleted successfully.

Files Detected: 8
C:\ProgramData\0C1CFAE7CF1EF58502A368B9F875EF60\0C1CFAE7CF1EF58502A368B9F875EF60.exe (Trojan.LameShield) -> Quarantined and deleted successfully.
C:\Users\Codehead\AppData\Local\Temp\msimg32.dll (RootKit.0Access) -> Quarantined and deleted successfully.
C:\Users\Codehead\AppData\Local\Temp\~!#D71C.tmp (Spyware.Zbot.Gen) -> Quarantined and deleted successfully.
C:\Users\Codehead\AppData\Local\Temp\~!#DF99.tmp (RootKit.0Access) -> Quarantined and deleted successfully.
C:\Users\Codehead\AppData\Local\Temp\~!#E3A1.tmp (Trojan.LameShield) -> Quarantined and deleted successfully.
C:\Users\Codehead\AppData\Local\Temp\~!#E72D.tmp (Spyware.Zbot.CF) -> Quarantined and deleted successfully.
C:\Users\Codehead\Desktop\Live Security Platinum.lnk (Rogue.LiveSecurityPlatinum) -> Quarantined and deleted successfully.
C:\Users\Codehead\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Live Security Platinum\Live Security Platinum.lnk (Rogue.LiveSecurityPlatinum) -> Quarantined and deleted successfully.

(end)
 
As I said above, GMER produced an empty log, so here are the DDS logs.

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Codehead at 23:34:40 on 2012-07-20
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.49.1033.18.4094.2772 [GMT 2:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Microsoft Security Client\msseces.exe
D:\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\taskmgr.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:Tabs
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - D:\MICROS~1\Office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - D:\Java\jre6\bin\jp2ssv.dll
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
uRun: [Steam] "D:\Steam\steam.exe" -silent
uRun: [WLSync] "C:\Program Files (x86)\Windows Live\Mesh\WLSync.exe" /background
uRunOnce: [Uninstall C:\Users\Codehead\AppData\Local\Microsoft\SkyDrive\16.4.4111.0525\amd64] C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\Codehead\AppData\Local\Microsoft\SkyDrive\16.4.4111.0525\amd64"
uRunOnce: [Uninstall C:\Users\Codehead\AppData\Local\Microsoft\SkyDrive\16.4.6003.0710\amd64] C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\Codehead\AppData\Local\Microsoft\SkyDrive\16.4.6003.0710\amd64"
mRun: [Adobe Reader Speed Launcher] "D:\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [QuickTime Task] "D:\QuickTime\QTTask.exe" -atboottime
StartupFolder: C:\Users\Codehead\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - D:\Microsoft Office\Office12\ONENOTEM.EXE
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - D:\MICROS~1\Office12\EXCEL.EXE/3000
IE: Open with XmlPad - D:\XMLPad\WmhASPP.dll/101
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - D:\MICROS~1\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - D:\MICROS~1\Office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15116/CTPID.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{2A5A73CF-9DAA-450F-A6BF-E7FD1F4F0A48} : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{8F75C650-399E-4AF7-81D5-268447D7EFEB} : DhcpNameServer = 192.168.2.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
Handler: wmh - {A1428E78-2D00-4590-A071-0CC9700A7768} - D:\XMLPad\WmhASPP.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - D:\MICROS~1\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Java\jre6\bin\jp2ssv.dll
TB-X64: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
mRun-x64: [Adobe Reader Speed Launcher] "D:\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [QuickTime Task] "D:\QuickTime\QTTask.exe" -atboottime
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R1 SBRE;SBRE;\??\C:\Windows\system32\drivers\SBREdrv.sys --> C:\Windows\system32\drivers\SBREdrv.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R3 COMMONFX.SYS;COMMONFX.SYS;C:\Windows\system32\drivers\COMMONFX.SYS --> C:\Windows\system32\drivers\COMMONFX.SYS [?]
R3 copperhd;Razer Copperhead Driver;C:\Windows\system32\drivers\copperhd.sys --> C:\Windows\system32\drivers\copperhd.sys [?]
R3 CTAUDFX.SYS;CTAUDFX.SYS;C:\Windows\system32\drivers\CTAUDFX.SYS --> C:\Windows\system32\drivers\CTAUDFX.SYS [?]
R3 CTSBLFX.SYS;CTSBLFX.SYS;C:\Windows\system32\drivers\CTSBLFX.SYS --> C:\Windows\system32\drivers\CTSBLFX.SYS [?]
R3 LADF_DHP2;G35 DHP2 Filter Driver;C:\Windows\system32\DRIVERS\ladfDHP2amd64.sys --> C:\Windows\system32\DRIVERS\ladfDHP2amd64.sys [?]
R3 LADF_SBVM;G35 SBVM Filter Driver;C:\Windows\system32\DRIVERS\ladfSBVMamd64.sys --> C:\Windows\system32\DRIVERS\ladfSBVMamd64.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-4-4 250056]
S3 COMMONFX;COMMONFX;C:\Windows\system32\drivers\COMMONFX.SYS --> C:\Windows\system32\drivers\COMMONFX.SYS [?]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2011-5-25 79360]
S3 CTAUDFX;CTAUDFX;C:\Windows\system32\drivers\CTAUDFX.SYS --> C:\Windows\system32\drivers\CTAUDFX.SYS [?]
S3 CTERFXFX.SYS;CTERFXFX.SYS;C:\Windows\system32\drivers\CTERFXFX.SYS --> C:\Windows\system32\drivers\CTERFXFX.SYS [?]
S3 CTERFXFX;CTERFXFX;C:\Windows\system32\drivers\CTERFXFX.SYS --> C:\Windows\system32\drivers\CTERFXFX.SYS [?]
S3 CTSBLFX;CTSBLFX;C:\Windows\system32\drivers\CTSBLFX.SYS --> C:\Windows\system32\drivers\CTSBLFX.SYS [?]
S3 fssfltr;fssfltr;C:\Windows\system32\DRIVERS\fssfltr.sys --> C:\Windows\system32\DRIVERS\fssfltr.sys [?]
S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2012-3-8 1492840]
S3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2012-3-26 291696]
S3 npggsvc;nProtect GameGuard Service;C:\Windows\system32\GameMon.des -service --> C:\Windows\system32\GameMon.des -service [?]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys --> C:\Windows\system32\drivers\rdpvideominiport.sys [?]
S3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;C:\Windows\system32\DRIVERS\RTL8192su.sys --> C:\Windows\system32\DRIVERS\RTL8192su.sys [?]
S3 SwitchBoard;Adobe SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk62x64.sys --> C:\Windows\system32\DRIVERS\yk62x64.sys [?]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2012-07-21 02:15:45 -------- d-----w- C:\FRST
2012-07-20 21:28:25 69000 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{E144533F-83F7-4E89-8B05-14B689ADD92B}\offreg.dll
2012-07-20 21:27:08 9133488 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{E144533F-83F7-4E89-8B05-14B689ADD92B}\mpengine.dll
2012-07-20 21:09:03 -------- d-----w- C:\Users\Codehead\AppData\Local\{FAF0BA70-693C-455E-A3EE-02E19784E6CF}
2012-07-20 20:56:54 -------- d-----w- C:\Users\Codehead\AppData\Roaming\Malwarebytes
2012-07-20 20:56:29 -------- d-----w- C:\ProgramData\Malwarebytes
2012-07-20 20:56:28 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-07-20 05:40:05 -------- d-----w- C:\ProgramData\0C1CFAE7CF1EF58502A368B9F875EF60
2012-07-20 05:38:46 -------- d-----w- C:\Users\Codehead\AppData\Roaming\Eqli
2012-07-20 05:38:46 -------- d-----w- C:\Users\Codehead\AppData\Roaming\Ariti
2012-07-19 17:32:36 -------- d-----w- C:\Users\Codehead\AppData\Local\{D5116B74-5E43-4B46-9B0A-632678041BCD}
2012-07-19 17:32:26 -------- d-----w- C:\Users\Codehead\AppData\Local\{6F5085D2-C13E-44C2-90A9-75D0FC68F662}
2012-07-19 05:31:59 -------- d-----w- C:\Users\Codehead\AppData\Local\{3DDD92A5-822F-419C-8842-887435F4B3DE}
2012-07-19 05:31:49 -------- d-----w- C:\Users\Codehead\AppData\Local\{D36A4FE2-E8F3-4363-898B-8980695130D1}
2012-07-18 12:53:25 9133488 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-07-18 07:53:23 -------- d-----w- C:\Users\Codehead\AppData\Local\{04CDEA11-B2C5-43C7-8319-8FA3E60055C6}
2012-07-17 21:50:54 -------- d-----w- C:\Users\Codehead\AppData\Roaming\UDP Software
2012-07-17 19:52:59 -------- d-----w- C:\Users\Codehead\AppData\Local\{410F0DC3-52A1-42B8-A176-ABD5F6FF6A92}
2012-07-17 19:52:49 -------- d-----w- C:\Users\Codehead\AppData\Local\{AD056E2C-8CF7-497D-9BDD-1AE5013EF93F}
2012-07-17 07:52:23 -------- d-----w- C:\Users\Codehead\AppData\Local\{E71EC145-8A7F-4946-A059-61CEAE54DA64}
2012-07-17 07:52:14 -------- d-----w- C:\Users\Codehead\AppData\Local\{6E45F1AD-B2D9-4E96-9A5F-909BC85E90AD}
2012-07-17 07:52:04 -------- d-----w- C:\Users\Codehead\AppData\Local\{BF486747-1975-4843-B2E9-82F967CFC915}
2012-07-17 03:20:36 -------- d-----w- C:\Users\Codehead\AppData\Roaming\MiKTeX
2012-07-17 00:44:42 -------- d-----w- C:\Users\Codehead\AppData\Local\MiKTeX
2012-07-16 19:51:33 -------- d-----w- C:\Users\Codehead\AppData\Local\{0E028D8D-7D31-45A9-94D7-306DA679EA49}
2012-07-16 19:51:10 -------- d-----w- C:\Users\Codehead\AppData\Local\{AC5FD43B-1A95-40EC-AF4F-D5FB498D9299}
2012-07-16 03:48:54 -------- d-----w- C:\Users\Codehead\AppData\Local\{6DF1C452-58D6-4079-828C-86F2E2986510}
2012-07-16 03:48:31 -------- d-----w- C:\Users\Codehead\AppData\Local\{400656F7-AC7B-4361-A734-3527DC417723}
2012-07-15 21:38:03 -------- d-----w- C:\Program Files (x86)\Musicalis
2012-07-15 15:48:10 -------- d-----w- C:\Users\Codehead\AppData\Local\{188B93B8-8530-422A-930A-1B586537975A}
2012-07-15 15:47:48 -------- d-----w- C:\Users\Codehead\AppData\Local\{A98E7132-89F0-4DA4-A146-2C3E97F1F323}
2012-07-15 03:46:27 -------- d-----w- C:\Users\Codehead\AppData\Local\{7BAC06CD-43DC-4AA4-AB51-D95CB8515865}
2012-07-14 15:45:51 -------- d-----w- C:\Users\Codehead\AppData\Local\{690F24EF-B40A-4AED-8F8E-58EA9DBFB453}
2012-07-14 15:45:29 -------- d-----w- C:\Users\Codehead\AppData\Local\{3435F8F7-F4CB-41AC-A366-1FC8BDAB8752}
2012-07-14 03:45:01 -------- d-----w- C:\Users\Codehead\AppData\Local\{8F10B132-C3F7-4B25-9817-9175D5F096D2}
2012-07-13 15:44:22 -------- d-----w- C:\Users\Codehead\AppData\Local\{E8E28B65-9F71-4197-95BA-5B9F28C1F1B3}
2012-07-13 15:44:09 -------- d-----w- C:\Users\Codehead\AppData\Local\{057B5EA1-7DA2-4BE6-AFD6-FFEDC939764E}
2012-07-13 02:00:09 -------- d-----w- C:\Users\Codehead\AppData\Local\{1B081D7A-78CE-4D34-BD42-DAADC42E906D}
2012-07-13 01:59:52 -------- d-----w- C:\Users\Codehead\AppData\Local\{8717FF35-7478-402A-A04C-1FC125004760}
2012-07-12 13:59:34 -------- d-----w- C:\Users\Codehead\AppData\Local\{6DD08455-EBDB-4FE5-902E-08B49F283645}
2012-07-12 13:59:22 -------- d-----w- C:\Users\Codehead\AppData\Local\{5DF25705-BB5E-4CF9-A4C4-9A1622C1B3DF}
2012-07-11 15:07:27 -------- d-----w- C:\Users\Codehead\AppData\Local\{259E7503-73A6-49F6-BDD9-C98C67F15208}
2012-07-11 15:07:04 -------- d-----w- C:\Users\Codehead\AppData\Local\{91CF5F7B-20BC-450C-9047-2EAC20E06E3C}
2012-07-11 04:28:05 3148800 ----a-w- C:\Windows\System32\win32k.sys
2012-07-11 04:07:57 466944 ----a-w- C:\Program Files\Common Files\System\ado\msadomd.dll
2012-07-11 04:07:57 1499136 ----a-w- C:\Program Files\Common Files\System\ado\msado15.dll
2012-07-11 04:07:57 1019904 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msado15.dll
2012-07-11 04:07:56 805376 ----a-w- C:\Windows\SysWow64\cdosys.dll
2012-07-11 04:07:56 495616 ----a-w- C:\Program Files\Common Files\System\ado\msadox.dll
2012-07-11 04:07:56 352256 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msadomd.dll
2012-07-11 04:07:56 258048 ----a-w- C:\Program Files\Common Files\System\msadc\msadco.dll
2012-07-11 04:07:55 61440 ----a-w- C:\Program Files\Common Files\System\ado\msador15.dll
2012-07-11 04:07:55 57344 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msador15.dll
2012-07-11 04:07:55 372736 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msadox.dll
2012-07-11 04:07:55 212992 ----a-w- C:\Program Files (x86)\Common Files\System\msadc\msadco.dll
2012-07-11 04:07:55 143360 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msjro.dll
2012-07-11 04:07:55 1133568 ----a-w- C:\Windows\System32\cdosys.dll
2012-07-11 03:06:36 -------- d-----w- C:\Users\Codehead\AppData\Local\{A97D5DBF-96E3-42D7-BD01-00CBAAFE0599}
2012-07-10 15:05:59 -------- d-----w- C:\Users\Codehead\AppData\Local\{B5C06789-15C3-4201-B9A6-83711ADE0A4A}
2012-07-10 15:05:47 -------- d-----w- C:\Users\Codehead\AppData\Local\{2750B9C9-D2B2-46C1-89E9-7385B034DC18}
2012-07-10 06:47:01 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin7.dll
2012-07-10 06:47:01 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin6.dll
2012-07-10 06:47:01 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin5.dll
2012-07-10 06:47:01 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin4.dll
2012-07-10 06:47:01 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin3.dll
2012-07-10 06:47:01 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin2.dll
2012-07-10 06:47:01 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin.dll
2012-07-10 03:07:14 -------- d-----r- C:\Users\Codehead\SkyDrive
2012-07-10 03:06:43 -------- d-----w- C:\ProgramData\Microsoft SkyDrive
2012-07-10 03:05:30 -------- d-----w- C:\Users\Codehead\AppData\Local\{D99278B1-7947-494E-BA17-4885EB32E960}
2012-07-10 03:05:03 -------- d-----w- C:\Users\Codehead\AppData\Local\{9E38B2CE-0B30-4D87-8034-6D9DBD0609B7}
2012-07-09 21:48:35 224088 ----a-w- C:\Windows\System32\drivers\VBoxDrv.sys
2012-07-09 21:48:24 130904 ----a-w- C:\Windows\System32\drivers\VBoxUSBMon.sys
2012-07-09 21:42:08 -------- d-----w- C:\Program Files (x86)\Microsoft Analysis Services
2012-07-09 19:42:40 -------- d-----w- C:\Program Files\Microsoft Synchronization Services
2012-07-09 19:42:40 -------- d-----w- C:\Program Files\Microsoft SQL Server Compact Edition
2012-07-09 19:31:23 -------- d-----w- C:\Windows\SysWow64\1033
2012-07-09 19:21:46 -------- d-----w- C:\Users\Codehead\AppData\Roaming\texstudio
2012-07-09 18:47:10 -------- d-----w- C:\ProgramData\MiKTeX
2012-07-09 15:23:34 -------- d-----w- C:\Users\Codehead\AppData\Local\e-academy Inc
2012-07-09 15:04:31 -------- d-----w- C:\Users\Codehead\AppData\Local\{8B629822-07AE-4110-8D3B-D4BA15B299E1}
2012-07-09 15:04:05 -------- d-----w- C:\Users\Codehead\AppData\Local\{8D43132E-8A30-43DB-8AEA-433B9E16D65A}
2012-07-08 15:34:29 -------- d-----w- C:\Users\Codehead\AppData\Local\{3159E31F-AF82-4365-A1AB-6D74CAFF8888}
2012-07-08 15:34:14 -------- d-----w- C:\Users\Codehead\AppData\Local\{D03CA594-4F85-4CE4-A850-8C916864BA30}
2012-07-08 03:14:37 -------- d-----w- C:\Users\Codehead\AppData\Local\{8C6EE260-F7E7-456E-AED5-331493808901}
2012-07-08 03:14:23 -------- d-----w- C:\Users\Codehead\AppData\Local\{A42AEFB6-7B5B-49A6-A79F-5271D67C52DD}
2012-07-07 13:40:37 -------- d-----w- C:\Users\Codehead\AppData\Local\{36310D5F-190C-44E0-9239-0EC289E84DEB}
2012-07-07 13:40:24 -------- d-----w- C:\Users\Codehead\AppData\Local\{88792998-78D0-496A-A869-6010AAA26B66}
2012-07-07 02:22:35 -------- d-----w- C:\Users\Codehead\AppData\Roaming\Awesomium
2012-07-07 01:21:23 -------- d-----w- C:\Users\Codehead\AppData\Local\{847D90CD-8CAF-4286-9B70-2339ABCAD2D2}
2012-07-07 01:21:05 -------- d-----w- C:\Users\Codehead\AppData\Local\{B1B2684C-038F-4A8C-BF14-B715B4E4F857}
2012-07-06 13:08:05 -------- d-----w- C:\Users\Codehead\AppData\Local\{205D30BB-1B64-4A8B-A5FE-CFECB65413E1}
2012-07-06 13:07:52 -------- d-----w- C:\Users\Codehead\AppData\Local\{83F6202C-E3DC-4183-865B-598F21722BF2}
2012-07-06 00:25:27 -------- d-----w- C:\Users\Codehead\AppData\Local\{AC3DD3D9-55F4-458E-BBF5-9C336037785A}
2012-07-05 12:24:46 -------- d-----w- C:\Users\Codehead\AppData\Local\{396E829A-3BD6-4922-9EBC-0957E779179C}
2012-07-05 12:24:34 -------- d-----w- C:\Users\Codehead\AppData\Local\{C2603762-16A0-45A5-9168-D91AE76831C3}
2012-07-04 14:57:12 -------- d-----w- C:\Users\Codehead\AppData\Local\{C6639754-1F6C-4E22-8A58-521510FC8FC8}
2012-07-04 14:56:57 -------- d-----w- C:\Users\Codehead\AppData\Local\{A2A7977D-E86F-4C2F-8E15-5CD2E6003204}
2012-07-03 19:15:45 927800 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{E69E3F7C-C3E5-46F2-BF13-D23472C1D9D7}\gapaengine.dll
2012-07-03 13:14:21 -------- d-----w- C:\Users\Codehead\AppData\Local\{76A2A30C-1A1D-4A95-B65A-DF5D45DFA81D}
2012-07-03 13:14:09 -------- d-----w- C:\Users\Codehead\AppData\Local\{9B7C628A-0C83-4480-9407-95AFDD07E609}
2012-07-02 07:44:51 -------- d-----w- C:\Users\Codehead\AppData\Local\{0531586F-7D99-40C3-B9BE-E1A95A6D72BC}
2012-07-01 19:44:11 -------- d-----w- C:\Users\Codehead\AppData\Local\{F01B55DA-B785-431D-A873-9A4334FDF8A9}
2012-07-01 19:43:47 -------- d-----w- C:\Users\Codehead\AppData\Local\{383BFBD9-3FA0-43E4-95C0-A44694F0CD67}
2012-07-01 07:43:19 -------- d-----w- C:\Users\Codehead\AppData\Local\{B5B81772-F2CC-4B7E-BF91-083F28A646C4}
2012-07-01 07:43:08 -------- d-----w- C:\Users\Codehead\AppData\Local\{55808EDB-C7D3-4418-B834-558384321D44}
2012-06-30 18:43:31 -------- d-----w- C:\Users\Codehead\AppData\Roaming\Image-Line
2012-06-30 18:22:37 1554944 ----a-w- C:\Windows\SysWow64\vorbis.acm
2012-06-30 18:22:33 -------- d-----w- C:\Program Files (x86)\Outsim
2012-06-30 18:12:14 -------- d-----w- C:\Program Files (x86)\Image-Line
2012-06-30 16:27:46 -------- d-----w- C:\Program Files (x86)\NCH Software
2012-06-30 16:27:37 -------- d-----w- C:\Users\Codehead\AppData\Roaming\NCH Software
2012-06-30 16:20:49 -------- d-----w- C:\Users\Codehead\AppData\Local\{FE7ECA4F-E98A-429D-B12D-A36AE8C1B16A}
2012-06-30 16:20:34 -------- d-----w- C:\Users\Codehead\AppData\Local\{F5D1ED5F-BBED-4E90-95A6-52257620BEC6}
2012-06-29 18:22:34 -------- d-----w- C:\Users\Codehead\AppData\Local\{06F5FC3A-7379-4F06-84AD-37A25E013438}
2012-06-29 18:22:20 -------- d-----w- C:\Users\Codehead\AppData\Local\{AD679CA8-169A-4973-8C63-D9318A95F388}
2012-06-28 18:47:53 -------- d-----w- C:\Users\Codehead\AppData\Local\{4517A0DF-2F91-4A64-9354-15B526A4F07C}
2012-06-28 18:47:36 -------- d-----w- C:\Users\Codehead\AppData\Local\{76242114-3A1E-497E-B0A8-723DDE00C2F0}
2012-06-27 18:07:43 -------- d-----w- C:\Users\Codehead\AppData\Local\{1D4C960B-8608-4B6B-A1CB-F199261E69C5}
2012-06-27 18:07:31 -------- d-----w- C:\Users\Codehead\AppData\Local\{E1FE6FCD-8DD8-47CA-9DA7-8E2FFDAFA2D5}
2012-06-26 11:37:04 -------- d-----w- C:\Users\Codehead\AppData\Local\{EC408E80-75D6-4B55-8693-F251D14F94BA}
2012-06-26 11:36:52 -------- d-----w- C:\Users\Codehead\AppData\Local\{9765F3DF-AD33-4266-9D20-47E8FADC5602}
2012-06-25 15:41:49 -------- d-----w- C:\Users\Codehead\AppData\Local\{B8C8D4E5-DADE-4DC0-958D-D31476B1A948}
2012-06-25 15:41:36 -------- d-----w- C:\Users\Codehead\AppData\Local\{0DF4CB72-167E-4B96-BC72-C343D6438970}
2012-06-24 02:33:36 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2012-06-24 02:33:29 99840 ----a-w- C:\Windows\System32\wudriver.dll
2012-06-24 02:33:18 36864 ----a-w- C:\Windows\System32\wuapp.exe
2012-06-24 02:33:18 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2012-06-24 02:29:41 -------- d-----w- C:\Users\Codehead\AppData\Local\{602E6761-B84C-45A9-935E-17BC1165AA45}
2012-06-24 02:29:29 -------- d-----w- C:\Users\Codehead\AppData\Local\{3FA0F958-488F-4CF2-BE9D-2D277DF7939F}
2012-06-23 12:40:27 -------- d-----w- C:\Users\Codehead\AppData\Local\{80555213-D358-45AE-9A00-89DE17CCCF01}
2012-06-23 12:40:15 -------- d-----w- C:\Users\Codehead\AppData\Local\{16615612-35B4-4E4A-85FE-27418B5054E0}
2012-06-22 16:56:15 -------- d-----w- C:\Users\Codehead\AppData\Local\{5060DC4E-4BE0-4E65-A901-A6712CE95024}
2012-06-22 16:56:03 -------- d-----w- C:\Users\Codehead\AppData\Local\{8C70E6D6-6074-4F47-BB3F-EFA58053C048}
2012-06-21 22:43:53 -------- d-----w- C:\Users\Codehead\AppData\Local\{6869C1C1-CF8E-4A05-BB27-6CBCAF604292}
2012-06-21 22:43:40 -------- d-----w- C:\Users\Codehead\AppData\Local\{1BCF00E7-478D-407D-BDEE-54C96C74D972}
2012-06-20 23:13:43 -------- d-----w- C:\Users\Codehead\AppData\Local\{D6203A74-8E05-40E3-9D14-7E4A5DFE44F1}
2012-06-20 23:13:25 -------- d-----w- C:\Users\Codehead\AppData\Local\{009F30E0-255F-476C-9F9A-8A41E50E54DC}
.
==================== Find3M ====================
.
2012-07-12 02:02:57 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-07-12 02:02:56 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-05 01:02:29 189480 ----a-w- C:\Windows\SysWow64\PnkBstrB.xtr
2012-07-05 01:02:29 189480 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe
2012-06-30 07:23:22 298280 ----a-w- C:\Windows\SysWow64\PnkBstrB.ex0
2012-06-06 06:06:16 2004480 ----a-w- C:\Windows\System32\msxml6.dll
2012-06-06 06:06:16 1881600 ----a-w- C:\Windows\System32\msxml3.dll
2012-06-06 05:05:52 1390080 ----a-w- C:\Windows\SysWow64\msxml6.dll
2012-06-06 05:05:52 1236992 ----a-w- C:\Windows\SysWow64\msxml3.dll
2012-06-05 14:03:52 166232 ----a-w- C:\Windows\System32\drivers\VBoxNetFlt.sys
2012-06-05 14:03:52 147288 ----a-w- C:\Windows\System32\drivers\VBoxNetAdp.sys
2012-06-05 14:02:22 320856 ----a-w- C:\Windows\System32\VBoxNetFltNobj.dll
2012-06-02 12:12:17 2311680 ----a-w- C:\Windows\System32\jscript9.dll
2012-06-02 12:05:28 1392128 ----a-w- C:\Windows\System32\wininet.dll
2012-06-02 12:04:50 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-06-02 12:01:40 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2012-06-02 11:57:08 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-06-02 08:33:25 1800192 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-06-02 08:25:08 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-06-02 08:25:03 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-06-02 08:20:33 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2012-06-02 08:16:52 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-06-02 05:50:10 458704 ----a-w- C:\Windows\System32\drivers\cng.sys
2012-06-02 05:48:16 95600 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
2012-06-02 05:48:16 151920 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2012-06-02 05:45:31 340992 ----a-w- C:\Windows\System32\schannel.dll
2012-06-02 05:44:21 307200 ----a-w- C:\Windows\System32\ncrypt.dll
2012-06-02 04:40:42 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2012-06-02 04:40:39 225280 ----a-w- C:\Windows\SysWow64\schannel.dll
2012-06-02 04:39:10 219136 ----a-w- C:\Windows\SysWow64\ncrypt.dll
2012-06-02 04:34:09 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2012-05-04 11:06:22 5559664 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-05-04 10:03:53 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-05-04 10:03:50 3913072 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-04-28 19:14:56 2892 ----a-w- C:\Windows\SysWow64\audcon.sys
2012-04-28 05:32:05 1112064 ----a-w- C:\Windows\System32\rdpcorets.dll
2012-04-28 03:55:21 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
2012-04-26 05:41:56 77312 ----a-w- C:\Windows\System32\rdpwsx.dll
2012-04-26 05:41:55 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll
2012-04-26 05:34:27 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe
2012-04-24 05:37:37 184320 ----a-w- C:\Windows\System32\cryptsvc.dll
2012-04-24 05:37:37 140288 ----a-w- C:\Windows\System32\cryptnet.dll
2012-04-24 05:37:36 1462272 ----a-w- C:\Windows\System32\crypt32.dll
2012-04-24 04:36:42 140288 ----a-w- C:\Windows\SysWow64\cryptsvc.dll
2012-04-24 04:36:42 1158656 ----a-w- C:\Windows\SysWow64\crypt32.dll
2012-04-24 04:36:42 103936 ----a-w- C:\Windows\SysWow64\cryptnet.dll
.
============= FINISH: 23:35:43.23 ===============
 
And as requested the 2nd DDS log file.

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Ultimate
Boot Device: \Device\HarddiskVolume1
Install Date: 1/7/2010 1:20:27 AM
System Uptime: 7/20/2012 11:08:02 PM (0 hours ago)
.
Motherboard: Gigabyte Technology Co., Ltd. | | 965P-DQ6
Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz | Socket 775 | 2400/266mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 69 GiB total, 10.648 GiB free.
D: is FIXED (NTFS) - 279 GiB total, 36.328 GiB free.
G: is Removable
J: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e96c-e325-11ce-bfc1-08002be10318}
Description: Creative Game Port
Device ID: PCI\VEN_1102&DEV_7003&SUBSYS_00401102&REV_04\4&36D8C60D&0&01F0
Manufacturer: Creative
Name: Creative Game Port
PNP Device ID: PCI\VEN_1102&DEV_7003&SUBSYS_00401102&REV_04\4&36D8C60D&0&01F0
Service:
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: D-Link DWA-131 Wireless N Nano USB Adapter
Device ID: USB\VID_07D1&PID_3303\00E04C000001
Manufacturer: D-Link Corporation
Name: D-Link DWA-131 Wireless N Nano USB Adapter
PNP Device ID: USB\VID_07D1&PID_3303\00E04C000001
Service: RTL8192su
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: VirtualBox Host-Only Ethernet Adapter
Device ID: ROOT\NET\0000
Manufacturer: Oracle Corporation
Name: VirtualBox Host-Only Ethernet Adapter
PNP Device ID: ROOT\NET\0000
Service: VBoxNetAdp
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Marvell Yukon 88E8053 PCI-E Gigabit Ethernet Controller
Device ID: PCI\VEN_11AB&DEV_4362&SUBSYS_E0001458&REV_22\4&35EC29B0&0&00E4
Manufacturer: Marvell
Name: Marvell Yukon 88E8053 PCI-E Gigabit Ethernet Controller
PNP Device ID: PCI\VEN_11AB&DEV_4362&SUBSYS_E0001458&REV_22\4&35EC29B0&0&00E4
Service: yukonw7
.
==== System Restore Points ===================
.
RP805: 7/18/2012 2:51:16 PM - Windows Update
.
==== Installed Programs ======================
.
Update for Microsoft Office 2007 (KB2508958)
Adobe AIR
Adobe Community Help
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Media Player
Adobe Photoshop CS5.1
Adobe Premiere Pro CS5.5
Adobe Reader 9.5.1
Adobe Story
AfterWorld Alpha
Amazon Kindle
America's Army 3
APB Reloaded
Apple Application Support
Apple Software Update
ARMA 2
ARMA 2: Operation Arrowhead
ASIO4ALL
µTorrent
Auslogics Disk Defrag
AXE 3.4
Brytenwalda version 1.39
Camtasia Studio 7
Counter-Strike: Source
CPU Speed Pro version 3
Creation Kit
Creative Audio Console
Creative WaveStudio 7
Crysis
Crysis Warhead
Crysis Wars
D3DX10
Day of Defeat: Source
Dear Esther
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
DivX Setup
Dune Wars
DVD Flick 1.3.0.7
eLicenser Control
Entropia Universe
eyeQ
Fallen Earth
Fallout 3
Fallout 3 - The Garden of Eden Creation Kit
Fallout: New Vegas
FL Studio 10
Free 3GP Video Converter version 3.7.15
Golemlabs' GL Editor
Guitar Pro 5.0
Hardcopy (D:\Hardcopy)
Hotfix for Microsoft Visual Studio 2008 Professional Edition - ENU (KB2465361)
Hotfix for Microsoft Visual Studio 2008 Professional Edition - ENU (KB971091)
Hotfix for Microsoft Visual Studio 2008 Professional Edition - ENU (KB971092)
Hotfix for Microsoft Visual Studio 2008 Professional Edition - ENU (KB973674)
IL Download Manager
IL Shared Libraries
Imperialism II
Interaktiver Gitarren Kurs
J2SE Runtime Environment 5.0 Update 4
Japanese Fonts Support For Adobe Reader 9
jass-magic-1.1.4 (remove only)
Java Auto Updater
Java(TM) 6 Update 14
Java(TM) 6 Update 29
Junk Mail filter update
KeePass Password Safe 2.15
LizardTech DjVu Control
Local Port Scanner v1.2.2
MagicDisc 2.7.106
Malwarebytes Anti-Malware version 1.62.0.1300
Master of Mana 1.40
Melodyne 3.1
Mesh Runtime
Messenger Companion
Microsoft .NET Compact Framework 2.0 SP2
Microsoft .NET Compact Framework 3.5
Microsoft .NET Framework 1.1
Microsoft .NET Framework 4 Multi-Targeting Pack
Microsoft Application Error Reporting
Microsoft ASP.NET MVC 2
Microsoft ASP.NET MVC 2 - Visual Studio 2010 Tools
Microsoft ASP.NET Web Pages
Microsoft Document Explorer 2008
Microsoft Games for Windows - LIVE Redistributable
Microsoft Games for Windows Marketplace
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office 2010 Service Pack 1 (SP1)
Microsoft Office Access 2007
Microsoft Office Access MUI (English) 2007
Microsoft Office Access MUI (German) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Excel MUI (German) 2007
Microsoft Office File Validation Add-In
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office OneNote MUI (German) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint MUI (German) 2007
Microsoft Office Project MUI (English) 2010
Microsoft Office Project Professional 2010
Microsoft Office Proof (English) 2007
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2007
Microsoft Office Proof (French) 2010
Microsoft Office Proof (German) 2007
Microsoft Office Proof (Italian) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing (English) 2010
Microsoft Office Proofing (German) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared MUI (German) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Word MUI (English) 2007
Microsoft Office Word MUI (German) 2007
Microsoft Project 2010 Service Pack 1 (SP1)
Microsoft Project Professional 2010
Microsoft Research AutoCollage 2008 Academic Edition
Microsoft Silverlight 3 SDK
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft SQL Server 2008 R2 Data-Tier Application Framework
Microsoft SQL Server 2008 R2 Data-Tier Application Project
Microsoft SQL Server 2008 R2 Management Objects
Microsoft SQL Server 2008 R2 Transact-SQL Language Service
Microsoft SQL Server Compact 3.5 SP2 ENU
Microsoft SQL Server Database Publishing Wizard 1.4
Microsoft SQL Server System CLR Types
Microsoft Sync Framework SDK v1.0 SP1
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4974
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Microsoft Visual C++ 2010 x86 Runtime - 10.0.30319
Microsoft Visual F# 2.0 Runtime
Microsoft Visual Studio 2005 Tools for Office Runtime
Microsoft Visual Studio 2010 ADO.NET Entity Framework Tools
Microsoft Visual Studio Macro Tools
Microsoft_VC80_ATL_x86
Microsoft_VC80_CRT_x86
Microsoft_VC80_MFC_x86
Microsoft_VC80_MFCLOC_x86
Microsoft_VC90_ATL_x86
Microsoft_VC90_CRT_x86
Microsoft_VC90_MFC_x86
Microsoft_VC90_MFCLOC_x86
Mount & Blade
Mount and Blade: Warband
MSVCRT
MSVCRT_amd64
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NifSkope (remove only)
Notepad++
NVIDIA Photoshop Plug-ins
NVIDIA PhysX
NxS XFade control v0.7
Oblivion - Construction Set
OpenAL
Opera 12.00
Orbis
PDF Settings CS5
PDFCreator
Prism Video File Converter
PunkBuster Services
PxMergeModule
Python 2.6.6
QuickTime
Realtek High Definition Audio Driver
Samsung_MonSetup
SecondLifeViewer (remove only)
Secure Download Manager
Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596880) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597162) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2598041) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2553091)
Security Update for Microsoft Office 2010 (KB2553447) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2598039) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2598243) 32-Bit Edition
Security Update for Microsoft Office Excel 2007 (KB2597161) 32-Bit Edition
Security Update for Microsoft Office InfoPath 2007 (KB2596786) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Word 2007 (KB2596917) 32-Bit Edition
Security Update for Microsoft SharePoint Workspace 2010 (KB2566445)
Security Update for Microsoft Visual Studio Macro Tools (KB2669970)
Sibelius 6
Sibelius Scorch (Firefox, Opera, Netscape only)
Sid Meier's Civilization 4
Sid Meier's Civilization 4 - Beyond the Sword
Sid Meier's Civilization 4 - Warlords
Sid Meier's Civilization IV Colonization
Sid Meier's Civilization V
Sid Meier's Civilization V SDK
Sniper: Ghost Warrior - Dedicated Server
Songsmith (Academic Edition)
Star Trek
Star Trek Online
Star Wars: Knights of the Old Republic
Star Wars: The Force Unleashed
Steam
Steinberg Groove Agent ONE Content
Steinberg Groove Agent ONE Vintage Beatboxes
Steinberg HALion Sonic SE Content for Cubase LE AI Elements
Super Meat Boy
Super Meat Boy Editor
Switch Sound File Converter
Sword of Islam
TeXstudio 2.3
The Elder Scrolls IV: Oblivion
The Elder Scrolls V: Skyrim
The Guild II: Renaissance
The Klub 17 [v 6.10]
Tom Clancy's Splinter Cell
Tom Clancy's Splinter Cell: Chaos Theory
Total War: SHOGUN 2
Transcribe! 8.10
Tropico 4
TrueCrypt
UltraStar Deluxe
Uninstall 1.0.0.1
Update für Microsoft Office Excel 2007 Help (KB963678)
Update für Microsoft Office Powerpoint 2007 Help (KB963669)
Update für Microsoft Office Word 2007 Help (KB963665)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2600217)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553270) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
Update for Microsoft Office 2010 (KB2566458)
Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
Update for Microsoft Office 2010 (KB2597091) 32-Bit Edition
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Microsoft OneNote 2010 (KB2589345) 32-Bit Edition
VC Runtimes MSI
VC80CRTRedist - 8.0.50727.4053
Visual C++ 2008 IA64 Runtime - (v9.0.30729)
Visual C++ 2008 IA64 Runtime - v9.0.30729.01
Visual C++ 2008 x64 Runtime - (v9.0.30729)
Visual C++ 2008 x64 Runtime - (v9.0.30729.4148)
Visual C++ 2008 x64 Runtime - (v9.0.30729.6161)
Visual C++ 2008 x64 Runtime - KB2465361 - (v9.0.30729.5570)
Visual C++ 2008 x64 Runtime - v9.0.30729.01
Visual C++ 2008 x64 Runtime - v9.0.30729.4148
Visual C++ 2008 x64 Runtime - v9.0.30729.5570
Visual C++ 2008 x64 Runtime - v9.0.30729.6161
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - (v9.0.30729.4148)
Visual C++ 2008 x86 Runtime - (v9.0.30729.6161)
Visual C++ 2008 x86 Runtime - KB2465361 - (v9.0.30729.5570)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Visual C++ 2008 x86 Runtime - v9.0.30729.4148
Visual C++ 2008 x86 Runtime - v9.0.30729.5570
Visual C++ 2008 x86 Runtime - v9.0.30729.6161
Visual Studio 2005 Tools for Office Second Edition Runtime
Visual Studio 2010 Tools for SQL Server Compact 3.5 SP2 ENU
Visual Studio Tools for the Office system 3.0 Runtime
Visual Studio Tools for the Office system 3.0 Runtime Service Pack 1 (KB949258)
VLC media player 1.1.11
WavePad Sound Editor
Winamp
Windows Live Communications Platform
Windows Live Essentials
Windows Live Installer
Windows Live Mail
Windows Live Mesh
Windows Live Mesh ActiveX Control for Remote Connections
Windows Live Messenger
Windows Live Messenger Companion Core
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live Sync
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
Windows Media Encoder 9 Series
Windows Media Player Firefox Plugin
Windows Mobile 5.0 SDK R2 for Pocket PC
Windows Mobile 5.0 SDK R2 for Smartphone
WinImage
WMHelp XmlPad
X3: Albion Prelude
X3: Reunion
X3: Terran Conflict
.
==== Event Viewer Messages From Past Week ========
.
7/20/2012 7:49:23 AM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.131.241.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8601.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
7/20/2012 11:19:30 PM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.131.241.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8601.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
7/20/2012 10:50:26 PM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.131.241.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8601.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
7/20/2012 10:40:56 PM, Error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
7/20/2012 10:40:56 PM, Error: Service Control Manager [7024] - The Windows Search service terminated with service-specific error %%-1073473535.
7/16/2012 2:40:19 AM, Error: Ntfs [137] - The default transaction resource manager on volume P: encountered a non-retryable error and could not start. The data contains the error code.
7/16/2012 1:51:09 PM, Error: volsnap [36] - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.
7/15/2012 12:54:27 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the wlidsvc service.
7/13/2012 9:31:56 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk3\DR3.
7/13/2012 11:05:37 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk3\DR4.
.
==== End Of File ===========================
 
That's all there is.. my guess is that everything has been removed after running Anti-Malware. Could anyone please confirm this assumption?

Thanks again,
Johannes
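To answer the "is everything gone?" question from a log like the one above you have to triage it rather than eyeball 400 lines, so here is an added example of that triage. This script is not part of the thread and is not code from the DDS or ComboFix tools; it assumes the line layout seen above (DDS: `created size attrs path`; ComboFix: `created . modified size attrs path`, with `--------` as the size of a directory). The sample lines are copied from the log above, except the last one, which is constructed to exercise the executable-in-profile rule. The rules only surface items worth a look (executables under the user profile, GUID-named folders under AppData\Local, and GUID folders created in pairs within a minute of each other, as the log shows); they do not decide that anything is malicious.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# DDS "Created"/"Find3M" lines, and ComboFix lines with a second " . modified" stamp.
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})?)"
    r"(?: \. (?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}))?"
    r" (?P<size>\d+|-+) (?P<attrs>[-dahrsw]{8}) (?P<path>\S.*)$"
)
# A path whose last component is a bare {GUID}.
GUID_DIR_RE = re.compile(r"\\\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
EXEC_EXT = (".exe", ".dll", ".sys", ".cpl", ".scr", ".ocx", ".drv")

# Lines copied from the DDS/ComboFix logs above; the last line is constructed.
SAMPLE_LOG = r"""
==================== Find3M ====================
.
2012-06-29 18:22:34 -------- d-----w- C:\Users\Codehead\AppData\Local\{06F5FC3A-7379-4F06-84AD-37A25E013438}
2012-06-29 18:22:20 -------- d-----w- C:\Users\Codehead\AppData\Local\{AD679CA8-169A-4973-8C63-D9318A95F388}
2012-06-24 02:33:36 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2012-07-12 02:02:57 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-07-20 20:56 . 2012-07-03 11:46 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-20 05:38 . 2012-07-20 05:39 -------- d-----w- c:\users\Codehead\AppData\Roaming\Ariti
2012-01-01 12:00:00 15360 ----a-w- C:\Users\Codehead\AppData\Local\Temp\dropper_example.exe
"""


@dataclass
class Entry:
    created: datetime
    size: Optional[int]      # None for directories ("--------" in the log)
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")


def parse_timestamp(text: str) -> datetime:
    for fmt in ("%Y-%m-%d %H:%M:%S", "%Y-%m-%d %H:%M"):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {text!r}")


def parse_log(text: str) -> List[Entry]:
    """Keep only file/directory lines; headers, '.' spacers and prose are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(parse_timestamp(m["created"]), size, m["attrs"], m["path"]))
    return entries


def in_user_profile(path: str) -> bool:
    lowered = path.lower()
    return "\\users\\" in lowered or "\\appdata\\" in lowered


def triage(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Return (rule, path) pairs for entries a reviewer should look at."""
    findings = []
    for e in entries:
        lowered = e.path.lower()
        if not e.is_dir and lowered.endswith(EXEC_EXT) and in_user_profile(e.path):
            findings.append(("exec-in-profile", e.path))
        if e.is_dir and GUID_DIR_RE.search(e.path) and "\\appdata\\local\\" in lowered:
            findings.append(("guid-dir-in-local-appdata", e.path))
    return findings


def paired_guid_dirs(entries: List[Entry], window: timedelta = timedelta(seconds=60)) -> List[Tuple[str, str]]:
    """GUID-named directories created within `window` of each other, oldest first."""
    dirs = sorted((e for e in entries if e.is_dir and GUID_DIR_RE.search(e.path)),
                  key=lambda e: e.created)
    pairs, i = [], 0
    while i + 1 < len(dirs):
        first, second = dirs[i], dirs[i + 1]
        if second.created - first.created <= window:
            pairs.append((first.path, second.path))
            i += 2
        else:
            i += 1
    return pairs


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for rule, path in triage(parsed):
        print(f"{rule:28} {path}")
    for a, b in paired_guid_dirs(parsed):
        print(f"paired GUID dirs: {a}\n                  {b}")
```

Point the script at a saved DDS or ComboFix log (replace `SAMPLE_LOG` with the file's contents) and read the findings against what you know was installed on those dates; a Windows Update batch in System32 is expected, an unsigned executable under AppData\Local\Temp is not.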
 
I have restarted the computer and run Anti-Malware: 'No malicious items detected.'

Plugged the Internet back in, restarted, ran Anti-Malware again and watched the computer's behavior a bit; it seems to function properly again.

Gawd, I hate it when so much time and so many nerves get destroyed by this kind of "program".. but it could have taken much more time without your hint, DMJ, thanks aaaaannd

Peace!
 
Great...let's continue disinfection. Don't want your computer to reinfect itself.

ComboFix

Please download ComboFix
by sUBs
From BleepingComputer.com

Please save the file to your Desktop, but rename it first to svchost.exe

Important information about ComboFix

Before the download:
  • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
  • It is important to rename ComboFix before the download.
  • Please do not rename ComboFix to other names, but only the one indicated.
After the download:
  • Close any open browsers.
  • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
  • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
Running ComboFix:
  • Double click on svchost.exe & follow the prompts.
  • It will attempt to install the Recovery Console.
  • When ComboFix finishes, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" in your next reply.
Troubleshooting ComboFix

Safe Mode:

If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

(To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode.")

Re-downloading:

If this doesn't work either, try the same method (above method), but try to download it again, except name ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.
 
Hi and a big sorry, I didn't expect more to come.. I used the PC already.. but just to disable Opera's Java plugin and to play Dwarf Fortress for the rest of the night.. I hope that, and the fact that I restarted the machine several times, doesn't matter :confused: .. I also noticed that some Windows functions do not work as they should.. e.g. when I use a different view (List, Details, Tiles and so on..) Windows does not save it. It also messes up my Desktop's icons every time I restart.. anyway, here is the log that ComboFix a.k.a. svchost.exe produced:

ComboFix 12-07-21.01 - Codehead 07/21/2012 18:41:55.1.2 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.49.1033.18.4094.2572 [GMT 2:00]
Running from:: c:\users\Codehead\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Disk Defrag
c:\programdata\Microsoft\Windows\Start Menu\Programs\Disk Defrag\Auslogics Disk Defrag on the Web.url
c:\programdata\Microsoft\Windows\Start Menu\Programs\Disk Defrag\Auslogics Disk Defrag.lnk
c:\programdata\Microsoft\Windows\Start Menu\Programs\Disk Defrag\Uninstall Auslogics Disk Defrag.lnk
c:\users\Codehead\AppData\Local\assembly\tmp
c:\users\Codehead\AppData\Roaming\Microsoft\Windows\Recent\America's Army 3.url
c:\users\Codehead\AppData\Roaming\Microsoft\Windows\Recent\Melodyne.mar
c:\users\Codehead\AppData\Roaming\Microsoft\Windows\Recent\SunnyD and Rum.mar
c:\windows\IsUn0407.exe
c:\windows\SysWow64\html
c:\windows\SysWow64\images
.
.
((((((((((((((((((((((( Files Created from 2012-06-21 to 2012-07-21 ))))))))))))))))))))))))))))))
.
.
2012-07-21 02:32 . 2012-06-29 10:04 9133488 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{10B5716C-4369-4D1D-94E9-DFBD972056DA}\mpengine.dll
2012-07-20 21:27 . 2012-06-29 10:04 9133488 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-07-20 20:56 . 2012-07-20 20:56 -------- d-----w- c:\users\Codehead\AppData\Roaming\Malwarebytes
2012-07-20 20:56 . 2012-07-20 20:56 -------- d-----w- c:\programdata\Malwarebytes
2012-07-20 20:56 . 2012-07-03 11:46 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-20 05:38 . 2012-07-20 05:39 -------- d-----w- c:\users\Codehead\AppData\Roaming\Ariti
2012-07-20 05:38 . 2012-07-20 05:38 -------- d-----w- c:\users\Codehead\AppData\Roaming\Eqli
2012-07-17 21:50 . 2012-07-17 21:50 -------- d-----w- c:\users\Codehead\AppData\Roaming\UDP Software
2012-07-17 03:20 . 2012-07-17 03:20 -------- d-----w- c:\users\Codehead\AppData\Roaming\MiKTeX
2012-07-17 00:44 . 2012-07-17 00:44 -------- d-----w- c:\users\Codehead\AppData\Local\MiKTeX
2012-07-15 21:40 . 2012-07-15 21:40 -------- d-----w- c:\programdata\QuickTime
2012-07-15 21:38 . 2012-07-15 21:38 -------- d-----w- c:\program files (x86)\Musicalis
2012-07-11 04:28 . 2012-06-12 03:08 3148800 ----a-w- c:\windows\system32\win32k.sys
2012-07-11 04:09 . 2012-06-09 05:43 14172672 ----a-w- c:\windows\system32\shell32.dll
2012-07-11 04:07 . 2012-06-06 06:05 466944 ----a-w- c:\program files\Common Files\System\ado\msadomd.dll
2012-07-11 04:07 . 2012-06-06 06:05 1499136 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
2012-07-11 04:07 . 2012-06-06 05:05 1019904 ----a-w- c:\program files (x86)\Common Files\System\ado\msado15.dll
2012-07-11 04:07 . 2012-06-06 06:05 495616 ----a-w- c:\program files\Common Files\System\ado\msadox.dll
2012-07-11 04:07 . 2012-06-06 06:05 258048 ----a-w- c:\program files\Common Files\System\msadc\msadco.dll
2012-07-11 04:07 . 2012-06-06 05:05 352256 ----a-w- c:\program files (x86)\Common Files\System\ado\msadomd.dll
2012-07-11 04:07 . 2012-06-06 05:03 805376 ----a-w- c:\windows\SysWow64\cdosys.dll
2012-07-11 04:07 . 2012-06-06 06:05 61440 ----a-w- c:\program files\Common Files\System\ado\msador15.dll
2012-07-11 04:07 . 2012-06-06 06:02 1133568 ----a-w- c:\windows\system32\cdosys.dll
2012-07-11 04:07 . 2012-06-06 05:05 143360 ----a-w- c:\program files (x86)\Common Files\System\ado\msjro.dll
2012-07-11 04:07 . 2012-06-06 05:05 372736 ----a-w- c:\program files (x86)\Common Files\System\ado\msadox.dll
2012-07-11 04:07 . 2012-06-06 05:05 57344 ----a-w- c:\program files (x86)\Common Files\System\ado\msador15.dll
2012-07-11 04:07 . 2012-06-06 05:05 212992 ----a-w- c:\program files (x86)\Common Files\System\msadc\msadco.dll
2012-07-10 11:58 . 2012-07-10 11:58 -------- d-----w- c:\users\Codehead\AppData\Roaming\Apple Computer
2012-07-10 06:47 . 2012-07-10 06:47 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin7.dll
2012-07-10 06:47 . 2012-07-10 06:47 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin6.dll
2012-07-10 06:47 . 2012-07-10 06:47 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin5.dll
2012-07-10 06:47 . 2012-07-10 06:47 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin4.dll
2012-07-10 06:47 . 2012-07-10 06:47 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin3.dll
2012-07-10 06:47 . 2012-07-10 06:47 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin2.dll
2012-07-10 06:47 . 2012-07-10 06:47 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin.dll
2012-07-10 06:45 . 2012-07-10 06:45 -------- d-----w- c:\program files (x86)\Common Files\Apple
2012-07-10 06:45 . 2012-07-10 06:45 -------- d-----w- c:\program files (x86)\Apple Software Update
2012-07-10 03:06 . 2012-07-10 03:06 -------- d-----w- c:\programdata\Microsoft SkyDrive
2012-07-09 21:48 . 2012-06-05 14:03 224088 ----a-w- c:\windows\system32\drivers\VBoxDrv.sys
2012-07-09 21:48 . 2012-06-05 14:03 130904 ----a-w- c:\windows\system32\drivers\VBoxUSBMon.sys
2012-07-09 21:42 . 2012-07-09 21:42 -------- d-----w- c:\program files (x86)\Microsoft Analysis Services
2012-07-09 19:42 . 2012-07-09 19:42 -------- d-----w- c:\program files\Microsoft Synchronization Services
2012-07-09 19:42 . 2012-07-09 19:42 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2012-07-09 19:31 . 2012-07-15 00:33 -------- d-----w- c:\windows\SysWow64\1033
2012-07-09 19:26 . 2012-07-09 19:26 -------- d-----w- c:\program files (x86)\Microsoft Visual Studio 9.0
2012-07-09 19:21 . 2012-07-09 19:21 -------- d-----w- c:\users\Codehead\AppData\Roaming\texstudio
2012-07-09 18:47 . 2012-07-09 18:47 -------- d-----w- c:\programdata\MiKTeX
2012-07-09 15:23 . 2012-07-09 15:23 -------- d-----w- c:\users\Codehead\AppData\Local\e-academy Inc
2012-07-07 02:22 . 2012-07-07 02:22 -------- d-----w- c:\users\Codehead\AppData\Roaming\Awesomium
2012-07-03 19:15 . 2012-02-10 21:57 927800 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E69E3F7C-C3E5-46F2-BF13-D23472C1D9D7}\gapaengine.dll
2012-06-30 18:43 . 2012-06-30 18:43 -------- d-----w- c:\users\Codehead\AppData\Roaming\Image-Line
2012-06-30 18:22 . 2009-09-15 09:14 1554944 ----a-w- c:\windows\SysWow64\vorbis.acm
2012-06-30 18:22 . 2012-06-30 18:22 -------- d-----w- c:\program files (x86)\Outsim
2012-06-30 18:12 . 2012-06-30 18:22 -------- d-----w- c:\program files (x86)\Image-Line
2012-06-30 16:28 . 2012-07-16 02:37 -------- d-----w- c:\programdata\NCH Software
2012-06-30 16:27 . 2012-07-16 02:37 -------- d-----w- c:\program files (x86)\NCH Software
2012-06-30 16:27 . 2012-07-16 02:37 -------- d-----w- c:\users\Codehead\AppData\Roaming\NCH Software
2012-06-24 02:33 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-24 02:33 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-24 02:33 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-24 02:33 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-24 02:33 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-24 02:33 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-24 02:33 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-24 02:33 . 2012-06-02 13:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-24 02:33 . 2012-06-02 13:15 36864 ----a-w- c:\windows\system32\wuapp.exe
.
.
.
(((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-15 00:25 . 2011-03-22 10:01 2117120 ----a-w- c:\programdata\Microsoft\VisualStudio\10.0\1033\ResourceCache.dll
2012-07-12 02:02 . 2012-04-03 22:48 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-07-12 02:02 . 2011-08-25 22:00 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-11 04:14 . 2010-01-07 02:48 59701280 ----a-w- c:\windows\system32\MRT.exe
2012-07-05 01:02 . 2010-08-27 22:41 189480 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr
2012-07-05 01:02 . 2010-08-27 22:38 189480 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
2012-06-30 07:23 . 2010-08-27 22:38 298280 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0
2012-06-05 14:03 . 2012-06-05 14:03 166232 ----a-w- c:\windows\system32\drivers\VBoxNetFlt.sys
2012-06-05 14:03 . 2012-06-05 14:03 147288 ----a-w- c:\windows\system32\drivers\VBoxNetAdp.sys
2012-06-05 14:02 . 2012-06-05 14:02 320856 ----a-w- c:\windows\system32\VBoxNetFltNobj.dll
2012-05-18 18:59 . 2012-05-18 18:59 163048 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10141.bin
2012-05-04 11:06 . 2012-06-13 18:48 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 10:03 . 2012-06-13 18:48 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-05-04 10:03 . 2012-06-13 18:48 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-04-28 19:14 . 2012-04-28 19:14 2892 ----a-w- c:\windows\SysWow64\audcon.sys
2012-04-28 05:32 . 2012-06-13 18:48 1112064 ----a-w- c:\windows\system32\rdpcorets.dll
2012-04-28 03:55 . 2012-06-13 18:48 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-04-26 05:41 . 2012-06-13 18:48 77312 ----a-w- c:\windows\system32\rdpwsx.dll
2012-04-26 05:41 . 2012-06-13 18:48 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-04-26 05:34 . 2012-06-13 18:48 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
.
.
(((((((((((((((((((((((((((( Registry Autostart Points ))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="d:\steam\steam.exe" [2011-08-03 1242448]
"WLSync"="c:\program files (x86)\Windows Live\Mesh\WLSync.exe" [2012-03-08 1449824]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="d:\adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-20 59240]
"QuickTime Task"="d:\quicktime\QTTask.exe" [2012-04-18 421888]
.
c:\users\Codehead\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - d:\microsoft office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-12 250056]
R3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.SYS [2010-03-18 158808]
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2011-05-25 79360]
R3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.SYS [2010-03-18 706648]
R3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\System32\drivers\CTERFXFX.SYS [2010-03-18 141912]
R3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.SYS [2010-03-18 141912]
R3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.SYS [2010-03-18 681048]
R3 dump_wmimmc;dump_wmimmc;d:\netmarbleglobal\GV Online Eg\GameGuard\dump_wmimmc.sys [x]
R3 EagleX64;EagleX64;c:\windows\system32\drivers\EagleX64.sys [x]
R3 esgiguard;esgiguard;c:\program files (x86)\Enigma Software Group\SpyHunter\esgiguard.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-20 98688]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-26 291696]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4925184]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 20992]
R3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8192su.sys [2010-11-25 694888]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 sxuptp;SXUPTP Driver;c:\windows\system32\DRIVERS\sxuptp.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\DRIVERS\VBoxNetAdp.sys [2012-06-05 147288]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2011-03-04 55856]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [2011-07-01 55384]
S1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys [2012-06-05 224088]
S1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\DRIVERS\VBoxUSBMon.sys [2012-06-05 130904]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\System32\drivers\COMMONFX.SYS [2010-03-18 158808]
S3 copperhd;Razer Copperhead Driver;c:\windows\system32\drivers\copperhd.sys [2006-05-24 13824]
S3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\System32\drivers\CTAUDFX.SYS [2010-03-18 706648]
S3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\System32\drivers\CTSBLFX.SYS [2010-03-18 681048]
S3 LADF_DHP2;G35 DHP2 Filter Driver;c:\windows\system32\DRIVERS\ladfDHP2amd64.sys [2010-09-29 62168]
S3 LADF_SBVM;G35 SBVM Filter Driver;c:\windows\system32\DRIVERS\ladfSBVMamd64.sys [2010-09-29 377176]
S3 VBoxNetFlt;VirtualBox Bridged Networking Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys [2012-06-05 166232]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2009-09-28 395264]
.
.
Contents of the "Scheduled Tasks" folder
.
2012-07-21 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-03 02:02]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 1271168]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Additional Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = about:Tabs
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - d:\micros~1\Office12\EXCEL.EXE/3000
IE: Open with XmlPad - d:\xmlpad\WmhASPP.dll/101
TCP: DhcpNameServer = 192.168.2.1
Handler: wmh - {A1428E78-2D00-4590-A071-0CC9700A7768} - d:\xmlpad\WmhASPP.dll
.
- - - - Orphaned Registry Entries Removed - - - -
.
AddRemove-Imperialism II - c:\windows\IsUn0407.exe
AddRemove-WinImage - c:\users\Codehead\Desktop\Data Recovery\WinImage v8.50\winimage.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- Locked Registry Keys ---------------------
.
[HKEY_USERS\S-1-5-21-407477768-3834995353-2232539331-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*Ï3]
@Class="Shell"
.
[HKEY_USERS\S-1-5-21-407477768-3834995353-2232539331-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*Ï3\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-407477768-3834995353-2232539331-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{DD5A5B6D-6B0F-24B5-26F3-C267FC21DEC8}*]
@Allowed: (Read) (RestrictedCode)
"haggjbpdoeckljnp"=hex:67,61,68,61,6d,6f,62,6c,6f,64,6b,6b,64,6a,00,77
"iakdfjkglngjdjnjmn"=hex:63,61,6c,61,66,6f,00,01
.
[HKEY_USERS\S-1-5-21-407477768-3834995353-2232539331-1000\Software\SecuROM\License information*]
"datasecu"=hex:67,18,d4,09,58,c0,76,5c,2f,8c,1b,14,cf,ec,d7,a0,8e,a0,cd,e7,c0,
77,ce,5b,ca,fa,e6,23,c4,61,20,9d,27,07,47,e1,97,ad,b9,11,6a,e9,f7,11,18,88,\
"rkeysecu"=hex:7d,40,10,cb,c7,39,e0,67,0a,69,a8,47,07,da,5b,5c
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_265_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_265_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B9A09F18-45AB-4F09-A117-A4ADDA8FA8C8}]
@Denied: (A) (Everyone)
"Solution"="{36eb6792-3a29-43b3-8cd0-f67d266fb426}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane\0]
"Key"="ActionsPane"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\8.0\\ActionsPane.xsd"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:90,88,a6,da,dc,33,14,d4,f2,a7,e5,78,e8,dc,13,16,c3,93,db,0e,2e,
d3,00,57,cb,fa,d7,5c,bf,f4,fd,86,c3,fc,76,4b,e1,d9,1b,e2,df,92,19,4a,f4,8d,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Creative\Shared Files\CTAudSvc.exe
c:\windows\SysWOW64\PnkBstrA.exe
.
**************************************************************************
.
Completion time: 2012-07-21 19:03:30 - PC was restarted
ComboFix-quarantined-files.txt 2012-07-21 17:03
.
Before scan: 15,260,209,152 bytes free
After scan: 14,973,247,488 bytes free
.
- - End Of File - - 939071F3297514D1C71A90F499FCF282
 
Let's work with the following tool as well...

Please download the latest version of Kaspersky GetSystemInfo (GSI) from Kaspersky and save it to your Desktop.

Note: please close all other applications running on your system.

Double click GetSystemInfo.exe to open it. It will display an agreement. Click on I Agree to continue.

Click the Settings button.

Set the slider to Maximum.

driversports.png


IMPORTANT! Then click Customize, choose the Driver / Ports tab and uncheck Scan Ports.


On the General tab, make sure all of the boxes are checked.


On the Misc tab, make sure all the checkboxes are checked.

Then, click OK on the windows that you launched.


Click Create Report to run it.

It will begin scanning.

It will create a zip folder called GetSystemInfo_XXXXXXXXXXXXXX.zip on your Desktop.

It should automatically upload it to http://www.getsysteminfo.com. If it does not, then please submit it manually by going to the site and doing the upload process.

It will redirect to a page that provides a sharing URL for specialists. Copy and paste the URL of the GSI Parser report in your next reply.
 
Hello DMJ,

All errors and issues are listed in the report except for the Event Log, which I had to exclude because it contains too much information that I consider private and that I will not share.

From the results of the scans we ran so far and from watching the system for a few days, I'd say that the initial problem has been solved and there are no other threats on the machine. Thank you very much for your time and effort, I really appreciate it and I would not have been able to remove Sirefef without your help.

Thanks and peace!
 