TechSpot

Sirefef.y infection

By Edaume
Jun 14, 2012
  1. Similar to many others on this forum, my laptop's been infected with Sirefef.y. The laptop's HP with a Windows 7 operating system.

    A few hours ago, I noticed that my Firewall and Microsoft Security Essentials (MSE) weren't working. I uninstalled MSE and reinstalled it. After running a scan, the scan detected "Trojan:Win64/Sirefef.y" and when I tried to remove it, I got a message saying that due to some error, Windows would be shutting down in 1 minute. Tried running some Panda Security software but because my system shuts down after 1 minute after every start up, I couldn't do anything.

    I tried to get into safe mode but regardless of being in safe mode, my laptop still shut itself down after 1 minute. While trying to figure out the problem, I tried to get into safe mode again but I found that I'm also not able to get into safe mode, despite having pressed F8 numerous times.

    I know this problem is very repetitive on this forum but I hope that I will be able to find a right solution that would fit my laptop and its settings. Thank you very much and your help is much appreciated!!

     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Yes, this malware has hit very hard! Give the following a try, then see if the system will stay up long enough to run the scans:

    Start> Run> type cmd> enter> at the C prompt type ipconfig /flushdns (note space before the /)
    -----------------------------
    Please follow these steps: Preliminary Virus and Malware Removal.

    NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

    When you have finished, leave the logs for review in your next reply .
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.
    ======================================
    Note: If you can't download the scans directly to the infected computer, download them from a clean computer to a flash drive. Then connect to the infected system to run the programs.
    =====================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • File sharing programs should be uninstalled or disabled during the cleaning process..
    • Observe these:
      [o] Don't follow directions given to someone else
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    Threads are closed after 5 days if there is no reply.
     
  3. Edaume

    Edaume TS Rookie Topic Starter

    Thank you so much for your response!
    Just a side note, before I received your reply, I went into System Restore and once it was completed, I was able to work with the computer for more than 1 minute (no more MSE warning signs either). I am still unable to use MSE or my firewall, though. The GMER log came out blank. Here are my other logs from the 5 step process:

    MBAM LOG
    --
    Malwarebytes Anti-Malware (Trial) 1.61.0.1400
    www.malwarebytes.org

    Database version: v2012.04.04.08

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    Hyunsoo :: HYUNSOO-PC [administrator]

    Protection: Enabled

    14/06/2012 10:03:27 PM
    mbam-log-2012-06-14 (22-03-27).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 213142
    Time elapsed: 6 minute(s), 51 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 8
    HKCR\AppID\{D2083641-E57F-4eab-BB85-0582424F4A29} (Adware.HotBar.CP) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A078F691-9C07-4AF2-BF43-35E79EECF8B7} (Adware.Softomate) -> Quarantined and deleted successfully.
    HKCR\ClickPotatoLiteAX.UserProfiles (Adware.ClickPotato) -> Quarantined and deleted successfully.
    HKCR\ClickPotatoLiteAX.UserProfiles.1 (Adware.ClickPotato) -> Quarantined and deleted successfully.
    HKCR\MenuButtonIE.ButtonIE (Adware.ClickPotato) -> Quarantined and deleted successfully.
    HKCR\MenuButtonIE.ButtonIE.1 (Adware.ClickPotato) -> Quarantined and deleted successfully.
    HKCR\AppID\MenuButtonIE.DLL (Adware.ClickPotato) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\QuestBrowse (Adware.QuestBrowse) -> Quarantined and deleted successfully.

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 4
    C:\Program Files (x86)\Mozilla Firefox\extensions\{D9ADB0A8-7BFB-498D-9880-EE78A81CCFA0} (Adware.QuestBrowse) -> Quarantined and deleted successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{D9ADB0A8-7BFB-498D-9880-EE78A81CCFA0}\chrome (Adware.QuestBrowse) -> Quarantined and deleted successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{D9ADB0A8-7BFB-498D-9880-EE78A81CCFA0}\defaults (Adware.QuestBrowse) -> Quarantined and deleted successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{D9ADB0A8-7BFB-498D-9880-EE78A81CCFA0}\defaults\preferences (Adware.QuestBrowse) -> Quarantined and deleted successfully.

    Files Detected: 4
    C:\Program Files (x86)\Mozilla Firefox\extensions\{D9ADB0A8-7BFB-498D-9880-EE78A81CCFA0}\chrome.manifest (Adware.QuestBrowse) -> Quarantined and deleted successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{D9ADB0A8-7BFB-498D-9880-EE78A81CCFA0}\install.rdf (Adware.QuestBrowse) -> Quarantined and deleted successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{D9ADB0A8-7BFB-498D-9880-EE78A81CCFA0}\chrome\questbrowse.jar (Adware.QuestBrowse) -> Quarantined and deleted successfully.
    C:\Program Files (x86)\Mozilla Firefox\extensions\{D9ADB0A8-7BFB-498D-9880-EE78A81CCFA0}\defaults\preferences\prefs.js (Adware.QuestBrowse) -> Quarantined and deleted successfully.

    (end)
    --
    DDS LOG
    --
    .
    DDS (Ver_2011-08-26.01) - NTFSAMD64
    Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_31
    Run by Hyunsoo at 22:47:45 on 2012-06-14
    Microsoft Windows 7 Home Premium 6.1.7601.1.949.82.1033.18.3894.2195 [GMT -4:00]
    .
    AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Program Files\IDT\WDM\STacSV64.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\Hpservice.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\SYSTEM32\WISPTIS.EXE
    C:\Windows\system32\WLANExt.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\System32\spoolsv.exe
    C:\Program Files (x86)\Common Files\EPSON\EBAPI\eEBSVC.exe
    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    C:\Program Files\IDT\WDM\AESTSr64.exe
    C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\ProgramData\Clickfree\HDDV2USB3\UACProxy.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
    C:\SwSetup\QuickWeb\QW.SYS\config\DVMExportService.exe
    C:\Program Files\EPSON\EpsonCustomerParticipation\EPCP.exe
    C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
    C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\system32\Tablet.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\Dwm.exe
    C:\Windows\SYSTEM32\WISPTIS.EXE
    C:\Windows\system32\WTablet\TabUserW.exe
    C:\Windows\system32\Tablet.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
    C:\Program Files\Hewlett-Packard\HPToneControl\HPToneCtl.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\IDT\WDM\sttray64.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files (x86)\Olympus\ib\olycamdetect.exe
    C:\Program Files (x86)\CrossriderWebApps\Crossrider.exe
    C:\ProgramData\Clickfree\HDDV2USB3\reminder\SacReminder.exe
    C:\Program Files (x86)\NetMeter\NetMeter.exe
    C:\Windows\System32\spool\drivers\x64\3\E_IATIHRA.EXE
    C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe
    C:\Program Files (x86)\Winamp\winampa.exe
    C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
    C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe
    C:\Program Files (x86)\iTunes\iTunesHelper.exe
    C:\Program Files (x86)\Freecorder\FLVSrvc.exe
    C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe
    C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
    C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe
    C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
    C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe
    C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe
    C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
    C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe
    C:\Program Files (x86)\Hewlett-Packard\Shared\hpCaslNotification.exe
    C:\program files (x86)\google\gmail notifier\gnotify.exe
    C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    C:\Program Files\AVAST Software\Avast\AvastUI.exe
    C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Windows\system32\spool\DRIVERS\x64\3\EBAPIx32.EXE
    C:\Windows\SysWOW64\ctfmon.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\SysWOW64\cscript.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://search.conduit.com/?SearchSource=10&ctid=CT1060933
    uInternet Settings,ProxyOverride = *.local
    uURLSearchHooks: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files (x86)\Freecorder\prxtbFree.dll
    mURLSearchHooks: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files (x86)\Freecorder\prxtbFree.dll
    mWinlogon: Userinit=userinit.exe,
    BHO: Complitly: {0fb6a909-6086-458f-bd92-1f8ee10042a0} - C:\Users\Hyunsoo\AppData\Roaming\Complitly\Complitly.dll
    BHO: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files (x86)\Freecorder\prxtbFree.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
    BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO: DealPly: {a6174f27-1fff-e1d6-a93f-ba48ad5dd448} - C:\Program Files (x86)\DealPly\DealPlyIE.dll
    BHO: CrossRider: {a876e312-7d08-401a-b7a6-fafc5dc2f292} - C:\Program Files (x86)\CrossriderWebApps\Crossrider.dll
    BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    TB: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files (x86)\Freecorder\prxtbFree.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    uRun: [HPAdvisorDock] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe
    uRun: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
    uRun: [Google Update] "C:\Users\Hyunsoo\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    uRun: [Olympus ib] "C:\Program Files (x86)\Olympus\ib\olycamdetect.exe" /Startup
    uRun: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent
    uRun: [CrossRiderPlugin] C:\Program Files (x86)\CrossriderWebApps\Crossrider.exe
    uRun: [SacReminderHDDV2] C:\ProgramData\Clickfree\HDDV2USB3\reminder\SacReminder.exe
    uRun: [C:\Program Files (x86)\NetMeter\NetMeter.exe] C:\Program Files (x86)\NetMeter\NetMeter.exe
    uRun: [EPSON WorkForce 435 Series] C:\Windows\system32\spool\DRIVERS\x64\3\E_IATIHRA.EXE /FU "C:\Users\Hyunsoo\AppData\Local\Temp\E_SCE76.tmp" /EF "HKCU"
    mRun: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
    mRun: [<NO NAME>]
    mRun: [MDS_Menu] "C:\Program Files (x86)\Olympus\ib\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Olympus\ib" UpdateWithCreateOnce "Software\OLYMPUS\ib\1.0"
    mRun: [WinampAgent] "C:\Program Files (x86)\Winamp\winampa.exe"
    mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun: [AdobeCS5.5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin
    mRun: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
    mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files (x86)\Google\Gmail Notifier\gnotify.exe
    mRun: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
    mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    mRun: [Freecorder FLV Service] "C:\Program Files (x86)\Freecorder\FLVSrvc.exe" /run
    mRun: [EEventManager] "C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe"
    mRun: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe"
    mRun: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe"
    mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
    mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    mRunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    StartupFolder: C:\Users\Hyunsoo\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\Hyunsoo\AppData\Roaming\Dropbox\bin\Dropbox.exe
    StartupFolder: C:\Users\Hyunsoo\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
    StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\ADOBEG~1.LNK - C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: Add to Google Photos Screensa&ver - C:\Windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
    DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} - hxxp://h20364.www2.hp.com/CSMWeb/Customer/cabs/HPISDataManager.CAB
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {C345E174-3E87-4F41-A01C-B066A90A49B4} - hxxp://trial.trymicrosoftoffice.com/trialoaa/buymsoffice_assets/framework/microsoft/wrc32.ocx
    DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    DPF: {E734BF43-7194-4E3A-832F-307606DDF665} - hxxps://www.conferenceservers.com/components/WDPLUGIN.CAB
    DPF: {FE342FC7-4374-4EBE-86DB-D73AE861F779} - hxxp://item2.naver.com/music/cab/NaverAXGuide.cab
    TCP: Interfaces\{BF3DCDD6-8CF5-49E1-885F-607FF79B1896}\2456C6B696E6F5E4F575962756C6563737F5431483835413 : DhcpNameServer = 192.168.2.1
    TCP: Interfaces\{BF3DCDD6-8CF5-49E1-885F-607FF79B1896}\2756075616475627 : DhcpNameServer = 64.71.255.198
    TCP: Interfaces\{BF3DCDD6-8CF5-49E1-885F-607FF79B1896}\3556E656E45445 : DhcpNameServer = 142.204.1.2 142.204.10.100
    TCP: Interfaces\{BF3DCDD6-8CF5-49E1-885F-607FF79B1896}\461647166716C65647 : DhcpNameServer = 205.151.222.250 4.2.2.1
    TCP: Interfaces\{BF3DCDD6-8CF5-49E1-885F-607FF79B1896}\75C414E4 : DhcpNameServer = 192.168.0.1
    TCP: Interfaces\{BF3DCDD6-8CF5-49E1-885F-607FF79B1896}\E4544575F425B4D2C45454 : DhcpNameServer = 192.168.0.1
    SSODL: IconPackager Repair - {1799460C-0BC8-4865-B9DF-4A36CD703FF0} - C:\Program Files (x86)\Stardock\Object Desktop\IconPackager\iprepair.dll
    mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
    BHO-X64: Complitly: {0FB6A909-6086-458F-BD92-1F8EE10042A0} - C:\Users\Hyunsoo\AppData\Roaming\Complitly\Complitly.dll
    BHO-X64: Complitly - No File
    BHO-X64: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files (x86)\Freecorder\prxtbFree.dll
    BHO-X64: Freecorder - No File
    BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO-X64: AcroIEHelperStub - No File
    BHO-X64: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
    BHO-X64: Increase performance and video formats for your HTML5 <video> - No File
    BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO-X64: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
    BHO-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    BHO-X64: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO-X64: DealPly: {A6174F27-1FFF-E1D6-A93F-BA48AD5DD448} - C:\Program Files (x86)\DealPly\DealPlyIE.dll
    BHO-X64: CrossRider: {A876E312-7D08-401a-B7A6-FAFC5DC2F292} - C:\Program Files (x86)\CrossriderWebApps\Crossrider.dll
    BHO-X64: CrossRider - No File
    BHO-X64: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    BHO-X64: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    BHO-X64: SmartSelect - No File
    TB-X64: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files (x86)\Freecorder\prxtbFree.dll
    TB-X64: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    TB-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    mRun-x64: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
    mRun-x64: [(Default)]
    mRun-x64: [MDS_Menu] "C:\Program Files (x86)\Olympus\ib\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Olympus\ib" UpdateWithCreateOnce "Software\OLYMPUS\ib\1.0"
    mRun-x64: [WinampAgent] "C:\Program Files (x86)\Winamp\winampa.exe"
    mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun-x64: [AdobeCS5.5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin
    mRun-x64: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
    mRun-x64: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files (x86)\Google\Gmail Notifier\gnotify.exe
    mRun-x64: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
    mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    mRun-x64: [Freecorder FLV Service] "C:\Program Files (x86)\Freecorder\FLVSrvc.exe" /run
    mRun-x64: [EEventManager] "C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe"
    mRun-x64: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe"
    mRun-x64: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe"
    mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun-x64: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
    mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    mRunOnce-x64: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    SSODL-X64: IconPackager Repair - {1799460C-0BC8-4865-B9DF-4A36CD703FF0} - C:\Program Files (x86)\Stardock\Object Desktop\IconPackager\iprepair.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\Hyunsoo\AppData\Roaming\Mozilla\Firefox\Profiles\jw0h7oh2.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1060933&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - Freecorder Customized Web Search
    FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT1060933&SearchSource=13
    FF - plugin: C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Air\nppdf32.dll
    FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
    FF - plugin: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll
    FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
    FF - plugin: C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll
    FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npdeployJava1.dll
    FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll
    FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrlui.dll
    FF - plugin: C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll
    FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npCouponPrinter.dll
    FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npMozCouponPrinter.dll
    FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npwachk.dll
    FF - plugin: C:\Program Files (x86)\Research In Motion Limited\BlackBerry App World Browser Plugin\npappworld.dll
    FF - plugin: C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\1\NP_wtapp.dll
    FF - plugin: C:\Users\Hyunsoo\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll
    FF - plugin: C:\Users\Hyunsoo\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
    FF - plugin: C:\Users\Hyunsoo\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
    FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_2_202_235.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
    R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
    R1 aswSP;aswSP;C:\Windows\system32\drivers\aswSP.sys --> C:\Windows\system32\drivers\aswSP.sys [?]
    R1 DVMIO;DeviceVM IO Service;C:\Windows\system32\DRIVERS\dvmio.sys --> C:\Windows\system32\DRIVERS\dvmio.sys [?]
    R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
    R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-1-3 63928]
    R2 AESTFilters;Andrea ST Filters Service;C:\Program Files\IDT\WDM\AESTSr64.exe [2010-9-16 89600]
    R2 aswFsBlk;aswFsBlk;C:\Windows\system32\drivers\aswFsBlk.sys --> C:\Windows\system32\drivers\aswFsBlk.sys [?]
    R2 aswMonFlt;aswMonFlt;\??\C:\Windows\system32\drivers\aswMonFlt.sys --> C:\Windows\system32\drivers\aswMonFlt.sys [?]
    R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2012-6-14 44768]
    R2 CFUACProxy_hddv2usb3;CFUACProxy_hddv2usb3;C:\ProgramData\Clickfree\HDDV2USB3\UACProxy.exe [2012-1-9 83792]
    R2 DvmMDES;DeviceVM Meta Data Export Service;C:\SwSetup\QuickWeb\QW.SYS\config\DVMExportService.exe [2010-2-8 338168]
    R2 EpsonCustomerParticipation;EpsonCustomerParticipation;C:\Program Files\EPSON\EpsonCustomerParticipation\EPCP.exe [2011-3-17 552832]
    R2 HP Support Assistant Service;HP Support Assistant Service;C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe [2011-9-9 86072]
    R2 HP Wireless Assistant Service;HP Wireless Assistant Service;C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2009-12-16 102968]
    R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-3-28 94264]
    R2 hpsrv;HP Service;C:\Windows\system32\Hpservice.exe --> C:\Windows\system32\Hpservice.exe [?]
    R2 HPWMISVC;HPWMISVC;C:\Program Files\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2010-1-18 20480]
    R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-6-14 654408]
    R2 UNS;Intel(R) Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.EXE [2010-6-8 2320920]
    R3 HECIx64;Intel(R) Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
    R3 Impcd;Impcd;C:\Windows\system32\DRIVERS\Impcd.sys --> C:\Windows\system32\DRIVERS\Impcd.sys [?]
    R3 IntcDAud;Intel(R) Display Audio;C:\Windows\system32\DRIVERS\IntcDAud.sys --> C:\Windows\system32\DRIVERS\IntcDAud.sys [?]
    R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
    R3 rcmirror;rcmirror;C:\Windows\system32\DRIVERS\rcmirror.sys --> C:\Windows\system32\DRIVERS\rcmirror.sys [?]
    R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
    S1 aswSnx;aswSnx;C:\Windows\system32\drivers\aswSnx.sys --> C:\Windows\system32\drivers\aswSnx.sys [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-4-25 257224]
    S3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
    S3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\system32\DRIVERS\netw5v64.sys --> C:\Windows\system32\DRIVERS\netw5v64.sys [?]
    S3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
    S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2012-3-26 291696]
    S3 NMgamingmsFltr;USB Optical Mouse;C:\Windows\system32\drivers\NMgamingms.sys --> C:\Windows\system32\drivers\NMgamingms.sys [?]
    S3 OlyCamComm;OLYMPUS USB Communication Device;C:\Windows\system32\DRIVERS\OlyCamComm.sys --> C:\Windows\system32\DRIVERS\OlyCamComm.sys [?]
    S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\system32\Drivers\RtsUStor.sys --> C:\Windows\system32\Drivers\RtsUStor.sys [?]
    S3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
    S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\system32\DRIVERS\VSTAZL6.SYS --> C:\Windows\system32\DRIVERS\VSTAZL6.SYS [?]
    S3 SrvHsfV92;SrvHsfV92;C:\Windows\system32\DRIVERS\VSTDPV6.SYS --> C:\Windows\system32\DRIVERS\VSTDPV6.SYS [?]
    S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\system32\DRIVERS\VSTCNXT6.SYS --> C:\Windows\system32\DRIVERS\VSTCNXT6.SYS [?]
    S3 SwitchBoard;Adobe SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
    S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
    S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
    S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk62x64.sys --> C:\Windows\system32\DRIVERS\yk62x64.sys [?]
    .
    =============== Created Last 30 ================
    .
    2012-06-15 02:01:35--------d-----w-C:\Users\Hyunsoo\AppData\Roaming\Malwarebytes
    2012-06-15 02:01:26--------d-----w-C:\ProgramData\Malwarebytes
    2012-06-15 02:01:2524904----a-w-C:\Windows\System32\drivers\mbam.sys
    2012-06-15 02:01:25--------d-----w-C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2012-06-15 01:58:2453080----a-w-C:\Windows\System32\drivers\aswRdr2.sys
    2012-06-15 01:58:23819032----a-w-C:\Windows\System32\drivers\aswSnx.sys
    2012-06-15 01:58:2369976----a-w-C:\Windows\System32\drivers\aswMonFlt.sys
    2012-06-15 01:57:5041184----a-w-C:\Windows\avastSS.scr
    2012-06-15 01:57:37--------d-----w-C:\ProgramData\AVAST Software
    2012-06-15 01:57:37--------d-----w-C:\Program Files\AVAST Software
    2012-06-13 00:32:24--------d-sh--w-C:\Windows\System32\%APPDATA%
    2012-06-12 23:35:55927800----a-w-C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{A2ADA8D7-A7F6-443C-9F0F-D4982A48DC86}\gapaengine.dll
    2012-06-12 23:35:408955792----a-w-C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{76F7DF36-B090-4F0C-98B9-9C6CEBB317BC}\mpengine.dll
    2012-06-11 23:27:128955792----a-w-C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-05-23 03:09:04--------d-----w-C:\Users\Hyunsoo\AppData\Roaming\NetMeter
    2012-05-23 03:08:58--------d-----w-C:\Program Files (x86)\NetMeter
    2012-05-17 09:08:54--------d-----w-C:\Program Files (x86)\JPEG to PDF
    2012-05-17 08:44:17--------d-----w-C:\ProgramData\A-PDF
    2012-05-17 08:43:49--------d-----w-C:\Program Files (x86)\A-PDF Image to PDF
    .
    ==================== Find3M ====================
    .
    2012-06-13 00:28:5370344----a-w-C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-06-13 00:28:53426184----a-w-C:\Windows\SysWow64\FlashPlayerApp.exe
    2012-05-05 03:02:128744608----a-w-C:\Windows\SysWow64\FlashPlayerInstaller.exe
    2012-04-20 05:30:27472808----a-w-C:\Windows\SysWow64\deployJava1.dll
    2012-03-31 06:05:575559664----a-w-C:\Windows\System32\ntoskrnl.exe
    2012-03-31 04:39:373968368----a-w-C:\Windows\SysWow64\ntkrnlpa.exe
    2012-03-31 04:39:373913072----a-w-C:\Windows\SysWow64\ntoskrnl.exe
    2012-03-31 03:10:033146240----a-w-C:\Windows\System32\win32k.sys
    2012-03-30 11:35:471918320----a-w-C:\Windows\System32\drivers\tcpip.sys
    2012-03-22 19:12:124435968----a-w-C:\Windows\SysWow64\GPhotos.scr
    2012-03-21 00:44:1298688----a-w-C:\Windows\System32\drivers\NisDrvWFP.sys
    2012-03-21 00:44:12203888----a-w-C:\Windows\System32\drivers\MpFilter.sys
    2012-03-17 07:58:5775120----a-w-C:\Windows\System32\drivers\partmgr.sys
    .
    ============= FINISH: 22:51:47.20 ===============
    --
     
  4. Edaume

    Edaume TS Rookie Topic Starter

    I also had another concern: I have two other computers in my home that share the same internet password and router. I was wonder if there was somewhat the hacker (for Sirefef.Y) could gain access to these computers through the internet connection and cause damage. My internet connection for my infected computer was acting very strangely before the problems occurred which is why I'm worried. Thanks again and here is my attach log:
    ATTACH LOG
    --
    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows 7 Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 29/08/2010 3:20:03 PM
    System Uptime: 14/06/2012 6:16:43 PM (4 hours ago)
    .
    Motherboard: Hewlett-Packard | | 144C
    Processor: Intel(R) Core(TM) i3 CPU M 350 @ 2.27GHz | CPU | 929/1066mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 444 GiB total, 203.297 GiB free.
    D: is FIXED (NTFS) - 22 GiB total, 3.162 GiB free.
    E: is FIXED (FAT32) - 0 GiB total, 0.083 GiB free.
    F: is CDROM ()
    G: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP573: 18/05/2012 4:24:23 PM - Windows Update
    RP574: 21/05/2012 11:44:38 PM - Windows Update
    RP575: 06/06/2012 10:41:48 PM - Windows Update
    RP576: 07/06/2012 12:13:32 AM - Windows Update
    RP577: 11/06/2012 7:26:42 PM - Windows Update
    RP578: 13/06/2012 8:42:03 PM - Windows Update
    RP580: 14/06/2012 9:57:15 PM - avast! Free Antivirus Setup
    .
    ==== Installed Programs ======================
    .
    Update for Microsoft Office 2007 (KB2508958)
    ??? ActiveX ???
    A-PDF Image Converter Pro
    Acrobat.com
    Adobe Acrobat X Pro - English, Fran?is, Deutsch
    Adobe After Effects CS5.5
    Adobe AIR
    Adobe Community Help
    Adobe Digital Editions
    Adobe Download Assistant
    Adobe Flash Player 11 ActiveX
    Adobe Flash Professional CS5.5
    Adobe Illustrator CS5.1
    Adobe Photoshop 7.0
    Adobe Photoshop CS
    Adobe Premiere Pro CS5.5
    Adobe Reader X (10.1.3)
    Adobe Shockwave Player
    Adobe Shockwave Player 11.6
    Adobe Story
    Agatha Christie - Death on the Nile
    Amazon Kindle For PC v1.1
    Apple Application Support
    Apple Software Update
    Applian Director
    Astrobatics
    Audacity 1.2.6
    avast! Free Antivirus
    Bejeweled 2 Deluxe
    BlackBerry App World Browser Plugin
    Blackhawk Striker 2
    Blasterball 3
    Bus Driver
    calibre
    Chuzzle Deluxe
    Compatibility Pack for the 2007 Office system
    Complitly
    Coupon Printer for Windows
    Crossrider Web Apps
    CyberLink DVD Suite
    DealPly
    DivX Setup
    Dora's Carnival Adventure
    Dropbox
    DVD Menu Pack for HP MediaSmart Video
    DyKnow x64
    Epson Connect
    Epson Event Manager
    EPSON Scan
    EpsonNet Print
    Escape Rosecliff Island
    ESU for Microsoft Windows 7
    Faerie Solitaire
    FATE
    FileZilla Client 3.5.3
    Free Audio Editor
    Free WMA to MP3 Converter 1.16
    Freecorder 5
    Freecorder Toolbar
    Frontline Excel Solvers V11.5
    Google Chrome
    Google Gmail Notifier
    Google Talk Plugin
    Hewlett-Packard ACLM.NET v1.1.2.0
    HP Advisor
    HP Color LaserJet CP3525 Screen Fonts
    HP Color LaserJet CP3525 User Guide
    HP Customer Experience Enhancements
    HP DVB-T TV Tuner 8.0.64.43
    HP Games
    HP MediaSmart DVD
    HP MediaSmart Internet TV
    HP MediaSmart Music
    HP MediaSmart Photo
    HP MediaSmart Video
    HP MediaSmart Webcam
    HP QuickWeb Installer
    HP RC Mirror Driver
    HP Setup
    HP Software Framework
    HP Support Assistant
    HP Update
    HP User Guides 0176
    IconPackager
    IDT Audio
    Intel(R) Control Center
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) Management Engine Components
    Intel(R) Rapid Storage Technology
    IrfanView (remove only)
    Java Auto Updater
    Java(TM) 6 Update 31
    Jewel Quest 3
    JPEG to PDF 1.0
    Korean Fonts Support For Adobe Reader X
    LabelPrint
    Left 4 Dead 2
    LightScribe System Software
    Malwarebytes Anti-Malware version 1.61.0.1400
    Messenger Plus! 5
    Microsoft Choice Guard
    Microsoft Office 2007 Service Pack 3 (SP3)
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Excel MUI (French) 2007
    Microsoft Office File Validation Add-In
    Microsoft Office Home and Student 2007
    Microsoft Office Live Add-in 1.5
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office OneNote MUI (French) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office PowerPoint MUI (French) 2007
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft Office Proof (Arabic) 2007
    Microsoft Office Proof (Dutch) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (German) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing (French) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    Microsoft Office Publisher 2007
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared MUI (French) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Suite Activation Assistant
    Microsoft Office Word MUI (English) 2007
    Microsoft Office Word MUI (French) 2007
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Works
    Microsoft_VC80_ATL_x86
    Microsoft_VC80_CRT_x86
    Microsoft_VC80_MFC_x86
    Microsoft_VC80_MFCLOC_x86
    Microsoft_VC90_ATL_x86
    Microsoft_VC90_CRT_x86
    Microsoft_VC90_MFC_x86
    Microsoft_VC90_MFCLOC_x86
    Mise a jour Microsoft Office Excel 2007 Help (KB963678)
    Mise a jour Microsoft Office Powerpoint 2007 Help (KB963669)
    Mise a jour Microsoft Office Word 2007 Help (KB963665)
    MixPad Audio Mixer
    Movie Theme Pack for HP MediaSmart Video
    Mozilla Firefox 11.0 (x86 en-US)
    MSVCRT
    MSVCRT Redists
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    NetMeter 1.1.4 BETA
    OhCASTra
    OLYMPUS ib
    PDF Password Cracker v3.1
    PDF Password Remover
    PDF Settings CS5
    Penguins!
    PhotoNow!
    Picasa 3
    Plants vs. Zombies
    Poker Superstars III
    Polar Bowler
    Polar Golfer
    Power2Go
    PowerDirector
    PxMergeModule
    QuickTime
    Realtek Ethernet Controller Driver For Windows 7
    Realtek USB 2.0 Card Reader
    Recovery Manager
    Replay Video Capture 5
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
    Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596880) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2597162) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2598041) 32-Bit Edition
    Security Update for Microsoft Office Excel 2007 (KB2597161) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
    Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
    Security Update for Microsoft Office Word 2007 (KB2596917) 32-Bit Edition
    Skype¢â 4.1
    SmartFTP Client Setup Files 4.0 (x64) (remove only)
    Sony Noise Reduction Plug-In 2.0h
    Steam
    swMSM
    Tablet
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office OneNote 2007 Help (KB963670)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Publisher 2007 Help (KB963667)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    Update Installer for WildTangent Games App
    VC80CRTRedist - 8.0.50727.6195
    Vegas Pro 10.0
    Virtual Families
    Virtual Villagers - The Secret City
    Visual Studio Tools for the Office system 3.0 Runtime
    WavePad Sound Editor
    WildTangent Games App
    WildTangent Games App (HP Games)
    Winamp
    Winamp Detector Plug-in
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Live Sync
    Windows Live Upload Tool
    Windows Media Player Firefox Plugin
    XAMPP 1.7.4
    Xilisoft MOV Converter 6
    YouTube Downloader 2.7.4
    Zuma's Revenge
    ³ª´®±Û²Ã
    .
    ==== Event Viewer Messages From Past Week ========
    .
    14/06/2012 12:34:25 AM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win64/Sirefef.Y&threatid=2147655285 Name: Trojan:Win64/Sirefef.Y ID: 2147655285 Severity: Severe Category: Trojan Path: containerfile:_C:\Windows\system32\services.exe;file:_C:\Windows\system32\services.exe->731;process:_pid:648 Detection Origin: Local machine Detection Type: Concrete Detection Source: System User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\system32\services.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x800704ec Error description: This program is blocked by group policy. For more information, contact your system administrator. Signature Version: AV: 1.127.1941.0, AS: 1.127.1941.0, NIS: 11.137.0.0 Engine Version: AM: 1.1.8403.0, NIS: 2.0.8001.0
    14/06/2012 12:33:09 AM, Error: Service Control Manager [7024] - The Windows Firewall service terminated with service-specific error Access is denied..
    14/06/2012 12:30:57 AM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win64/Sirefef.Y&threatid=2147655285 Name: Trojan:Win64/Sirefef.Y ID: 2147655285 Severity: Severe Category: Trojan Path: containerfile:_C:\Windows\system32\services.exe;file:_C:\Windows\system32\services.exe->731;process:_pid:660 Detection Origin: Local machine Detection Type: Concrete Detection Source: System User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\system32\services.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x800704ec Error description: This program is blocked by group policy. For more information, contact your system administrator. Signature Version: AV: 1.127.1941.0, AS: 1.127.1941.0, NIS: 11.137.0.0 Engine Version: AM: 1.1.8403.0, NIS: 2.0.8001.0
    14/06/2012 12:27:38 AM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win64/Sirefef.Y&threatid=2147655285 Name: Trojan:Win64/Sirefef.Y ID: 2147655285 Severity: Severe Category: Trojan Path: containerfile:_C:\Windows\system32\services.exe;file:_C:\Windows\system32\services.exe->731;process:_pid:516 Detection Origin: Local machine Detection Type: Concrete Detection Source: System User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\system32\services.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x800704ec Error description: This program is blocked by group policy. For more information, contact your system administrator. Signature Version: AV: 1.127.1941.0, AS: 1.127.1941.0, NIS: 0.0.0.0 Engine Version: AM: 1.1.8403.0, NIS: 0.0.0.0
    14/06/2012 12:27:05 AM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
    14/06/2012 12:27:05 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    14/06/2012 12:27:04 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    14/06/2012 12:27:04 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
    14/06/2012 12:27:04 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
    14/06/2012 12:27:03 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    14/06/2012 12:27:01 AM, Error: Service Control Manager [7001] - The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error: The dependency service or group failed to start.
    14/06/2012 12:26:57 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    14/06/2012 12:26:31 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD DfsC discache DVMIO MpFilter NetBIOS NetBT nsiproxy Psched rdbss spldr tdx vwififlt Wanarpv6 WfpLwf
    14/06/2012 12:26:30 AM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    14/06/2012 12:26:30 AM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    14/06/2012 12:26:30 AM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
    14/06/2012 12:26:30 AM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    14/06/2012 12:26:30 AM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    14/06/2012 12:26:30 AM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.
    14/06/2012 12:26:30 AM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    14/06/2012 12:26:30 AM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    14/06/2012 12:26:30 AM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    13/06/2012 9:58:18 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win64/Sirefef.Y&threatid=2147655285 Name: Trojan:Win64/Sirefef.Y ID: 2147655285 Severity: Severe Category: Trojan Path: containerfile:_C:\Windows\System32\services.exe;file:_C:\Windows\System32\services.exe->731;process:_pid:672 Detection Origin: Local machine Detection Type: Concrete Detection Source: System User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\system32\services.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x800704ec Error description: This program is blocked by group policy. For more information, contact your system administrator. Signature Version: AV: 1.127.1941.0, AS: 1.127.1941.0, NIS: 11.137.0.0 Engine Version: AM: 1.1.8403.0, NIS: 2.0.8001.0
    13/06/2012 6:11:58 PM, Error: Service Control Manager [7023] - The Function Discovery Resource Publication service terminated with the following error: %%-2147024891
    13/06/2012 6:11:58 PM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error: %%-2147024891
    13/06/2012 10:29:59 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win64/Sirefef.Y&threatid=2147655285 Name: Trojan:Win64/Sirefef.Y ID: 2147655285 Severity: Severe Category: Trojan Path: containerfile:_C:\Windows\system32\services.exe;file:_C:\Windows\system32\services.exe->731;process:_pid:676 Detection Origin: Local machine Detection Type: Concrete Detection Source: System User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\system32\services.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x800704ec Error description: This program is blocked by group policy. For more information, contact your system administrator. Signature Version: AV: 1.127.1941.0, AS: 1.127.1941.0, NIS: 11.137.0.0 Engine Version: AM: 1.1.8403.0, NIS: 2.0.8001.0
    13/06/2012 10:26:50 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win64/Sirefef.Y&threatid=2147655285 Name: Trojan:Win64/Sirefef.Y ID: 2147655285 Severity: Severe Category: Trojan Path: containerfile:_C:\Windows\system32\services.exe;file:_C:\Windows\system32\services.exe->731;process:_pid:676 Detection Origin: Local machine Detection Type: Concrete Detection Source: System User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\system32\services.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x800704ec Error description: This program is blocked by group policy. For more information, contact your system administrator. Signature Version: AV: 1.127.1941.0, AS: 1.127.1941.0, NIS: 11.137.0.0 Engine Version: AM: 1.1.8403.0, NIS: 2.0.8001.0
    13/06/2012 10:23:45 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win64/Sirefef.Y&threatid=2147655285 Name: Trojan:Win64/Sirefef.Y ID: 2147655285 Severity: Severe Category: Trojan Path: containerfile:_C:\Windows\system32\services.exe;file:_C:\Windows\system32\services.exe->731;process:_pid:636 Detection Origin: Local machine Detection Type: Concrete Detection Source: System User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\system32\services.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x800704ec Error description: This program is blocked by group policy. For more information, contact your system administrator. Signature Version: AV: 1.127.1941.0, AS: 1.127.1941.0, NIS: 11.137.0.0 Engine Version: AM: 1.1.8403.0, NIS: 2.0.8001.0
    13/06/2012 10:18:21 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win64/Sirefef.Y&threatid=2147655285 Name: Trojan:Win64/Sirefef.Y ID: 2147655285 Severity: Severe Category: Trojan Path: containerfile:_C:\Windows\system32\services.exe;file:_C:\Users\Hyunsoo\AppData\Local\{476a158c-e88e-bc9f-2115-6146218442f3}\n;file:_C:\Windows\system32\services.exe->731;process:_pid:672 Detection Origin: Local machine Detection Type: Concrete Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\system32\services.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x800704ec Error description: This program is blocked by group policy. For more information, contact your system administrator. Signature Version: AV: 1.127.1941.0, AS: 1.127.1941.0, NIS: 11.137.0.0 Engine Version: AM: 1.1.8403.0, NIS: 2.0.8001.0
    13/06/2012 10:15:25 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win64/Sirefef.Y&threatid=2147655285 Name: Trojan:Win64/Sirefef.Y ID: 2147655285 Severity: Severe Category: Trojan Path: containerfile:_C:\Windows\system32\services.exe;file:_C:\Users\Hyunsoo\AppData\Local\{476a158c-e88e-bc9f-2115-6146218442f3}\n;file:_C:\Windows\system32\services.exe->731;process:_pid:684 Detection Origin: Local machine Detection Type: Concrete Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\system32\services.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x800704ec Error description: This program is blocked by group policy. For more information, contact your system administrator. Signature Version: AV: 1.127.1941.0, AS: 1.127.1941.0, NIS: 11.137.0.0 Engine Version: AM: 1.1.8403.0, NIS: 2.0.8001.0
    13/06/2012 10:07:33 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win64/Sirefef.Y&threatid=2147655285 Name: Trojan:Win64/Sirefef.Y ID: 2147655285 Severity: Severe Category: Trojan Path: containerfile:_C:\Windows\System32\services.exe;file:_C:\Users\Hyunsoo\AppData\Local\{476a158c-e88e-bc9f-2115-6146218442f3}\n;file:_C:\Windows\System32\services.exe->731;process:_pid:688 Detection Origin: Local machine Detection Type: Concrete Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\system32\services.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x800704ec Error description: This program is blocked by group policy. For more information, contact your system administrator. Signature Version: AV: 1.127.1941.0, AS: 1.127.1941.0, NIS: 11.137.0.0 Engine Version: AM: 1.1.8403.0, NIS: 2.0.8001.0
    13/06/2012 10:04:26 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win64/Sirefef.Y&threatid=2147655285 Name: Trojan:Win64/Sirefef.Y ID: 2147655285 Severity: Severe Category: Trojan Path: containerfile:_C:\Windows\System32\services.exe;file:_C:\Users\Hyunsoo\AppData\Local\{476a158c-e88e-bc9f-2115-6146218442f3}\n;file:_C:\Windows\System32\services.exe->731;process:_pid:676 Detection Origin: Local machine Detection Type: Concrete Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\system32\services.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x800704ec Error description: This program is blocked by group policy. For more information, contact your system administrator. Signature Version: AV: 1.127.1941.0, AS: 1.127.1941.0, NIS: 11.137.0.0 Engine Version: AM: 1.1.8403.0, NIS: 2.0.8001.0
    13/06/2012 10:01:30 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win64/Sirefef.Y&threatid=2147655285 Name: Trojan:Win64/Sirefef.Y ID: 2147655285 Severity: Severe Category: Trojan Path: containerfile:_C:\Windows\System32\services.exe;file:_C:\Users\Hyunsoo\AppData\Local\{476a158c-e88e-bc9f-2115-6146218442f3}\n;file:_C:\Windows\System32\services.exe->731;process:_pid:652 Detection Origin: Local machine Detection Type: Concrete Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\system32\services.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x800704ec Error description: This program is blocked by group policy. For more information, contact your system administrator. Signature Version: AV: 1.127.1941.0, AS: 1.127.1941.0, NIS: 11.137.0.0 Engine Version: AM: 1.1.8403.0, NIS: 2.0.8001.0
    .
    ==== End Of File ===========================
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You might want to stay off the home network until we get the system cleaned up. Most of what I see is associated with adware and we will be removing those plugins, toolbars and browser helper objects. Don't share any files at this time.

    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------

    • Download Combofix from HERE or HEREand save to the desktop
      • Double click combofix.exe [​IMG]& follow the prompts.
      • If prompted for Recovery Console, please allow.
      • Once installed, you should see a blue screen prompt that says:
      • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.[/b]
      • Note: No query will be made if the Recovery Console is already on the system.
    • Close any open browsers.
    • Before you run the Combofix scan, please disable any security software you have running.
      (If you need help with this, please see HERE)
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • When the scan completes , a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in next reply..
    Re-enable your Antivirus software.
    Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2:If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
    Note 3:CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficultyand terminates prematurely, the connection can be manually restored by restarting your machine.
    =======================================================
    To run the Eset Online Virus Scan:
    If you use Internet Explorer:
    1. Open the ESETOnlineScan
    2. Skip to #4 to "Continue with the directions"

      If you are using a browser other than Internet Explorer
    3. Open Eset Smart Installer
      [o] Click on the esetsmartinstaller_enu.exelink and save to the desktop.
      [o] Double click on the desktop icon to run.
      [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
    4. Continue with the directions.
    5. Check 'Yes I accept terms of use.'
    6. Click Start button
    7. Accept any security warnings from your browser.
      [​IMG]
    8. Uncheck 'Remove found threats'
    9. Check 'Scan archives/
    10. Leave remaining settings as is.
    11. Press the Start button.
    12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    13. When the scan completes, press List of found threats
    14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    15. Push the Back button, then Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    =======================================================

    Combofix will remove some of the malware. I will write script to remove additional entries after you run Combofix. I will also set up removal for anything found in the Eset scan. Please leave those 2 logs in your next reply.
     
  6. Edaume

    Edaume TS Rookie Topic Starter

    I tried running ComboFix and this is what happened:
    - Left my computer disconnected from the internet
    - Ran ComboFix after pasting it onto my infected computer's desktop, wasn't given a prompt that said "The Recovery Console was successfully installed"
    - It continued to run anyways and it completed stage 50
    - After a few minutes, it rebooted my system
    - After the reboot, I got the ComboFix window that said "Preparing Log Report. Do not run any programs until ComboFix has finished. pevFind, by Billy O'Neal III, version 1.5.6 ComboFix Edition. Syntax Error. Pass LEGAL for license information. Built Sat Jun 25 23:20:28 2011"

    I'm planning to leave it on overnight because I've been waiting for about 45 minutes to an hour for the log to pop up and for ComboFix to finish and am wondering if it's stuck.
     
  7. Edaume

    Edaume TS Rookie Topic Starter

    I apologize about the post before! Here is the ComboFix log:

    ComboFix 12-06-15.06 - Hyunsoo 15/06/2012 20:20:11.4.4 - x64
    Microsoft Windows 7 Home Premium 6.1.7601.1.949.82.1033.18.3894.2151 [GMT -4:00]
    Running from: c:\users\Hyunsoo\Desktop\ComboFix.exe
    AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-05-16 to 2012-06-16 )))))))))))))))))))))))))))))))
    .
    .
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-06-13 00:28 . 2012-04-26 02:12426184----a-w-c:\windows\SysWow64\FlashPlayerApp.exe
    2012-06-13 00:28 . 2011-06-17 11:4870344----a-w-c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-05-08 17:02 . 2012-06-12 23:358955792----a-w-c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{76F7DF36-B090-4F0C-98B9-9C6CEBB317BC}\mpengine.dll
    2012-05-08 17:02 . 2012-06-11 23:278955792----a-w-c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-05-05 03:02 . 2012-04-26 03:028744608----a-w-c:\windows\SysWow64\FlashPlayerInstaller.exe
    2012-04-20 05:30 . 2010-09-15 01:55472808----a-w-c:\windows\SysWow64\deployJava1.dll
    2012-03-31 06:05 . 2012-05-10 18:545559664----a-w-c:\windows\system32\ntoskrnl.exe
    2012-03-31 04:39 . 2012-05-10 18:543968368----a-w-c:\windows\SysWow64\ntkrnlpa.exe
    2012-03-31 04:39 . 2012-05-10 18:543913072----a-w-c:\windows\SysWow64\ntoskrnl.exe
    2012-03-31 03:10 . 2012-05-10 18:543146240----a-w-c:\windows\system32\win32k.sys
    2012-03-30 11:35 . 2012-05-10 18:381918320----a-w-c:\windows\system32\drivers\tcpip.sys
    2012-03-22 19:12 . 2012-03-22 19:124435968----a-w-c:\windows\SysWow64\GPhotos.scr
    2012-03-21 00:44 . 2010-10-25 05:2598688----a-w-c:\windows\system32\drivers\NisDrvWFP.sys
    2012-03-21 00:44 . 2010-03-26 04:30203888----a-w-c:\windows\system32\drivers\MpFilter.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files (x86)\Freecorder\prxtbFree.dll" [2011-05-09 176936]
    .
    [HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
    2011-05-09 09:49176936----a-w-c:\program files (x86)\Freecorder\prxtbFree.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
    "{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files (x86)\Freecorder\prxtbFree.dll" [2011-05-09 176936]
    .
    [HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:1294208----a-w-c:\users\Hyunsoo\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:1294208----a-w-c:\users\Hyunsoo\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:1294208----a-w-c:\users\Hyunsoo\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HPAdvisorDock"="c:\program files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe" [2010-01-28 1712184]
    "LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2010-06-16 2736128]
    "Olympus ib"="c:\program files (x86)\Olympus\ib\olycamdetect.exe" [2009-12-11 93376]
    "Steam"="c:\program files (x86)\Steam\steam.exe" [2011-08-02 1242448]
    "CrossRiderPlugin"="c:\program files (x86)\CrossriderWebApps\Crossrider.exe" [2011-05-15 478720]
    "SacReminderHDDV2"="c:\programdata\Clickfree\HDDV2USB3\reminder\SacReminder.exe" [2010-12-16 444240]
    "c:\program files (x86)\NetMeter\NetMeter.exe"="c:\program files (x86)\NetMeter\NetMeter.exe" [2009-08-09 293888]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "HP Software Update"="c:\program files (x86)\Hp\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
    "MDS_Menu"="c:\program files (x86)\Olympus\ib\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
    "WinampAgent"="c:\program files (x86)\Winamp\winampa.exe" [2010-12-09 74752]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "AdobeCS5.5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]
    "SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
    "{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files (x86)\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
    "DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
    "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-10-09 421736]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
    "Freecorder FLV Service"="c:\program files (x86)\Freecorder\FLVSrvc.exe" [2011-03-24 167936]
    "EEventManager"="c:\program files (x86)\Epson Software\Event Manager\EEventManager.exe" [2010-10-12 979328]
    "Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2012-04-04 36760]
    "Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2012-04-04 815512]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-06 4241512]
    "Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
    .
    c:\users\Hyunsoo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dropbox.lnk - c:\users\Hyunsoo\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-6-6 27502520]
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - c:\program files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-10-6 113664]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux1"=wdmaud.drv
    .
    R1 mqkhfqjp;mqkhfqjp;c:\windows\system32\drivers\mqkhfqjp.sys [x]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2011-09-09 86072]
    R2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2009-12-16 102968]
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-13 257224]
    R3 cpuz134;cpuz134;c:\users\Hyunsoo\AppData\Local\Temp\cpuz134\cpuz134_x64.sys [x]
    R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
    R3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [x]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-26 291696]
    R3 NMgamingmsFltr;USB Optical Mouse;c:\windows\system32\drivers\NMgamingms.sys [x]
    R3 OlyCamComm;OLYMPUS USB Communication Device;c:\windows\system32\DRIVERS\OlyCamComm.sys [x]
    R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
    R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
    R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [x]
    R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [x]
    R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [x]
    R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
    R3 Tsucessfwpn;Tsucessfwpn; [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
    S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
    S1 aswSnx;aswSnx; [x]
    S1 aswSP;aswSP; [x]
    S1 DVMIO;DeviceVM IO Service;c:\windows\system32\DRIVERS\dvmio.sys [x]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
    S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe [2010-09-16 89600]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
    S2 CFUACProxy_hddv2usb3;CFUACProxy_hddv2usb3;c:\programdata\Clickfree\HDDV2USB3\UACProxy.exe [2010-12-16 83792]
    S2 DvmMDES;DeviceVM Meta Data Export Service;c:\swsetup\QuickWeb\QW.SYS\config\DVMExportService.exe [2010-02-08 338168]
    S2 EpsonCustomerParticipation;EpsonCustomerParticipation;c:\program files\EPSON\EpsonCustomerParticipation\EPCP.exe [2011-03-17 552832]
    S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-03-28 94264]
    S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [x]
    S2 HPWMISVC;HPWMISVC;c:\program files\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2010-01-18 20480]
    S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-04-04 654408]
    S2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2010-03-18 2320920]
    S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
    S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [x]
    S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [x]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
    S3 rcmirror;rcmirror;c:\windows\system32\DRIVERS\rcmirror.sys [x]
    S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
    .
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2010-06-16 20:38451872----a-w-c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-06-16 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-26 00:28]
    .
    2012-06-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-366287834-1261937978-3892601416-1000Core.job
    - c:\users\Hyunsoo\AppData\Local\Google\Update\GoogleUpdate.exe [2010-09-15 03:51]
    .
    2012-06-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-366287834-1261937978-3892601416-1000UA.job
    - c:\users\Hyunsoo\AppData\Local\Google\Update\GoogleUpdate.exe [2010-09-15 03:51]
    .
    2012-06-11 c:\windows\Tasks\HPCeeScheduleForHyunsoo.job
    - c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 03:15]
    .
    2012-06-15 c:\windows\Tasks\ParetoLogic Registration.job
    - c:\windows\system32\rundll32.exe [2009-07-13 01:14]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2012-03-06 23:15135408----a-w-c:\program files\AVAST Software\Avast\ashShA64.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:1297792----a-w-c:\users\Hyunsoo\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:1297792----a-w-c:\users\Hyunsoo\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:1297792----a-w-c:\users\Hyunsoo\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
    @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:1297792----a-w-c:\users\Hyunsoo\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HP Quick Launch"="c:\program files\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2010-01-18 451072]
    "SmartMenu"="c:\program files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [2010-01-20 611896]
    "HPToneControl"="c:\program files\Hewlett-Packard\HPToneControl\HPTonectl.exe" [2009-08-20 107832]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-03-02 172032]
    "HPWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe" [2009-12-16 8192]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2010-09-16 487424]
    "AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-15 499608]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-07-29 161304]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-07-29 386584]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2010-07-29 415256]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 1271168]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x0
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://search.conduit.com/?SearchSource=10&ctid=CT1060933
    uLocal Page = c:\windows\system32\blank.htm
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
    DPF: {E734BF43-7194-4E3A-832F-307606DDF665} - hxxps://www.conferenceservers.com/components/WDPLUGIN.CAB
    DPF: {FE342FC7-4374-4EBE-86DB-D73AE861F779} - hxxp://item2.naver.com/music/cab/NaverAXGuide.cab
    FF - ProfilePath - c:\users\Hyunsoo\AppData\Roaming\Mozilla\Firefox\Profiles\jw0h7oh2.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1060933&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - Freecorder Customized Web Search
    FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT1060933&SearchSource=13
    .
    - - - - ORPHANS REMOVED - - - -
    .
    SafeBoot-MsMpSvc
    WebBrowser-{1392B8D2-5C05-419F-A8F6-B9F15A596612} - (no file)
    HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
    AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
    AddRemove-NanumFont - c:\program files (x86)\Naver\NanumFont\uninst.exe
    AddRemove-{4FFBB818-B13C-11E0-931D-B2664824019B}_is1 - c:\program files (x86)\Complitly\unins000.exe
    AddRemove-{6F44AF95-3CDE-4513-AD3F-6D45F17BF324} - c:\program files (x86)\InstallShield Installation Information\{6F44AF95-3CDE-4513-AD3F-6D45F17BF324}\setup.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
    @Denied: (A) (Everyone)
    "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
    @Denied: (A) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
    "Key"="ActionsPane3"
    "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2012-06-15 21:44:22 - machine was rebooted
    .
    Pre-Run: 221,036,064,768 bytes free
    Post-Run: 220,739,735,552 bytes free
    .
     
  8. Edaume

    Edaume TS Rookie Topic Starter

    ESET Scan log:

    C:\Users\Hyunsoo\Downloads\PROGRAMS\installer_adobe_acrobat_professional.exeWin32/Toggle application
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Why did you add Avast? You already had MSE running:
    Remove one of the AV programs please. Reboot the computer when finished.
    ================================================
    Please read my instructions carefully. I think you may have found this:
    But you missed this:
    So you had 2 antivirus programs running when you did the Combofix scan.
    ==================================================
    Please handle the antivirus problem now.
    ================================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap> and copy/paste the text in the code below into it:
    Code:
    File::
    Folder::
    C:\Windows\System32\%APPDATA%
    DDS::
    uStart Page = hxxp://search.conduit.com/?SearchSource=10&ctid=CT1060933
    uURLSearchHooks: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files (x86)\Freecorder\prxtbFree.dll
    mURLSearchHooks: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files (x86)\Freecorder\prxtbFree.dll
    BHO: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files (x86)\Freecorder\prxtbFree.dll
    BHO: DealPly: {a6174f27-1fff-e1d6-a93f-ba48ad5dd448} - C:\Program Files (x86)\DealPly\DealPlyIE.dll
    BHO: CrossRider: {a876e312-7d08-401a-b7a6-fafc5dc2f292} - C:\Program Files (x86)\CrossriderWebApps\Crossrider.dll
    TB: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files (x86)\Freecorder\prxtbFree.dll
    uRun: [CrossRiderPlugin] C:\Program Files (x86)\CrossriderWebApps\Crossrider.exe
    DPF: {C345E174-3E87-4F41-A01C-B066A90A49B4} - hxxp://trial.trymicrosoftoffice.com/trialoaa/buymsoffice_assets/framework/microsoft/wrc32.ocx
    BHO-X64: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files (x86)\Freecorder\prxtbFree.dll
    BHO-X64: DealPly: {A6174F27-1FFF-E1D6-A93F-BA48AD5DD448} - C:\Program Files (x86)\DealPly\DealPlyIE.dll
    BHO-X64: CrossRider: {A876E312-7D08-401a-B7A6-FAFC5DC2F292} - C:\Program Files (x86)\CrossriderWebApps\Crossrider.dll
    TB-X64: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files (x86)\Freecorder\prxtbFree.dll
    Registry::
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{1392b8d2-5c05-419f-a8f6-b9f15a596612}"=-
    [HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
    "{1392b8d2-5c05-419f-a8f6-b9f15a596612}"=-
    [HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CrossRiderPlugin"=-
     
    Clearjavacache::
     
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste into to your next reply.
    ====================
    Please leave the new Combofix log after you run the script.
    ==============================================
    Stop this Scheduler Task:
    Sch. Tsk> 2012-06-15 c:\windows\Tasks\ParetoLogic Registration.job
    - c:\windows\system32\rundll32.exe [2009-07-13 01:14]

    Access Scheduled Tasks with Click on Start> All Programs> Accessories> System Tools> Scheduled Tasks.
    [o] Look for ParetoLogic Registration> right-click the task> click Delete.
    ======================================
    The following programs should be uninstalled:
    1. CrossRider
    2. DealPly
    3. Freecorder Toolbar (OK to keep the program but remove the toolbr)

    After they are uninstalled: use Windows Explorer to access Computer> Local Drive> Programs> Find the program folder for each and do a Right click> Delete.
    ====================================
    Let me know the status of the internet and if the system is rebooting on it's own when you finish.
     
  10. Edaume

    Edaume TS Rookie Topic Starter

    I apologize for any trouble I might have caused you! I thought I disabled everything, especially since the orange AVAST logo had an "x" on top of it. After running ComboFix again as you instructed (using the script you gave me), I successfully uninstalled the three programs and I have no trouble getting onto an internet network. The computer also doesn't reboot on its own while the Firewall seems to be back on. For the log I'm pasting here, I made sure to disable my AV. I also uninstalled MSE before running ComboFix again.

    ComboFix 12-06-15.06 - Hyunsoo 16/06/2012 22:43:43.5.4 - x64
    Microsoft Windows 7 Home Premium 6.1.7601.1.949.82.1033.18.3894.2258 [GMT -4:00]
    Running from: c:\users\Hyunsoo\Desktop\ComboFix.exe
    Command switches used :: c:\users\Hyunsoo\Desktop\CFScript.txt
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files (x86)\CrossriderWebApps\Crossrider.dll
    c:\program files (x86)\CrossriderWebApps\Crossrider.exe
    c:\program files (x86)\DealPly\DealPlyIE.dll
    c:\program files (x86)\Freecorder\prxtbFree.dll
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-05-17 to 2012-06-17 )))))))))))))))))))))))))))))))
    .
    .
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-06-13 00:28 . 2012-04-26 02:12426184----a-w-c:\windows\SysWow64\FlashPlayerApp.exe
    2012-06-13 00:28 . 2011-06-17 11:4870344----a-w-c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-05-17 22:35 . 2012-06-15 22:041129472----a-w-c:\windows\SysWow64\wininet.dll
    2012-05-05 03:02 . 2012-04-26 03:028744608----a-w-c:\windows\SysWow64\FlashPlayerInstaller.exe
    2012-04-20 05:30 . 2010-09-15 01:55472808----a-w-c:\windows\SysWow64\deployJava1.dll
    2012-03-30 11:35 . 2012-05-10 18:381918320----a-w-c:\windows\system32\drivers\tcpip.sys
    2012-03-22 19:12 . 2012-03-22 19:124435968----a-w-c:\windows\SysWow64\GPhotos.scr
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@ )))))))))))))))))))))))))))))))))))))))))
    .
    + 2012-06-15 23:23 . 2012-04-24 05:37184320 c:\windows\system32\cryptsvc.dll
    + 2012-06-15 23:23 . 2012-04-24 05:37140288 c:\windows\system32\cryptnet.dll
    + 2012-06-15 23:22 . 2012-04-07 12:313216384 c:\windows\system32\msi.dll
    + 2009-07-14 04:45 . 2012-06-17 02:285170480 c:\windows\system32\FNTCACHE.DAT
    - 2009-07-14 04:45 . 2012-05-15 18:505170480 c:\windows\system32\FNTCACHE.DAT
    + 2012-06-15 23:23 . 2012-04-24 05:371462272 c:\windows\system32\crypt32.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:1294208----a-w-c:\users\Hyunsoo\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:1294208----a-w-c:\users\Hyunsoo\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:1294208----a-w-c:\users\Hyunsoo\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HPAdvisorDock"="c:\program files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe" [2010-01-28 1712184]
    "LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2010-06-16 2736128]
    "Olympus ib"="c:\program files (x86)\Olympus\ib\olycamdetect.exe" [2009-12-11 93376]
    "Steam"="c:\program files (x86)\Steam\steam.exe" [2011-08-02 1242448]
    "SacReminderHDDV2"="c:\programdata\Clickfree\HDDV2USB3\reminder\SacReminder.exe" [2010-12-16 444240]
    "c:\program files (x86)\NetMeter\NetMeter.exe"="c:\program files (x86)\NetMeter\NetMeter.exe" [2009-08-09 293888]
    "EPSON WorkForce 435 Series"="c:\windows\system32\spool\DRIVERS\x64\3\E_IATIHRA.EXE" [2011-01-21 232448]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "HP Software Update"="c:\program files (x86)\Hp\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
    "MDS_Menu"="c:\program files (x86)\Olympus\ib\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
    "WinampAgent"="c:\program files (x86)\Winamp\winampa.exe" [2010-12-09 74752]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "AdobeCS5.5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]
    "SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
    "{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files (x86)\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
    "DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
    "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-10-09 421736]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
    "Freecorder FLV Service"="c:\program files (x86)\Freecorder\FLVSrvc.exe" [2011-03-24 167936]
    "EEventManager"="c:\program files (x86)\Epson Software\Event Manager\EEventManager.exe" [2010-10-12 979328]
    "Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2012-04-04 36760]
    "Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2012-04-04 815512]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-06 4241512]
    "Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
    .
    c:\users\Hyunsoo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dropbox.lnk - c:\users\Hyunsoo\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-6-6 27502520]
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - c:\program files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-10-6 113664]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux1"=wdmaud.drv
    .
    R1 mqkhfqjp;mqkhfqjp;c:\windows\system32\drivers\mqkhfqjp.sys [x]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2011-09-09 86072]
    R2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2009-12-16 102968]
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-13 257224]
    R3 cpuz134;cpuz134;c:\users\Hyunsoo\AppData\Local\Temp\cpuz134\cpuz134_x64.sys [x]
    R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
    R3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [x]
    R3 NMgamingmsFltr;USB Optical Mouse;c:\windows\system32\drivers\NMgamingms.sys [x]
    R3 OlyCamComm;OLYMPUS USB Communication Device;c:\windows\system32\DRIVERS\OlyCamComm.sys [x]
    R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
    R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
    R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [x]
    R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [x]
    R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [x]
    R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
    R3 Tsucessfwpn;Tsucessfwpn; [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
    S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
    S1 aswSnx;aswSnx; [x]
    S1 aswSP;aswSP; [x]
    S1 DVMIO;DeviceVM IO Service;c:\windows\system32\DRIVERS\dvmio.sys [x]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
    S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe [2010-09-16 89600]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
    S2 CFUACProxy_hddv2usb3;CFUACProxy_hddv2usb3;c:\programdata\Clickfree\HDDV2USB3\UACProxy.exe [2010-12-16 83792]
    S2 DvmMDES;DeviceVM Meta Data Export Service;c:\swsetup\QuickWeb\QW.SYS\config\DVMExportService.exe [2010-02-08 338168]
    S2 EpsonCustomerParticipation;EpsonCustomerParticipation;c:\program files\EPSON\EpsonCustomerParticipation\EPCP.exe [2011-03-17 552832]
    S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-03-28 94264]
    S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [x]
    S2 HPWMISVC;HPWMISVC;c:\program files\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2010-01-18 20480]
    S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-04-04 654408]
    S2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2010-03-18 2320920]
    S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
    S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [x]
    S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [x]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
    S3 rcmirror;rcmirror;c:\windows\system32\DRIVERS\rcmirror.sys [x]
    S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
    .
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2010-06-16 20:38451872----a-w-c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-06-17 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-26 00:28]
    .
    2012-06-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-366287834-1261937978-3892601416-1000Core.job
    - c:\users\Hyunsoo\AppData\Local\Google\Update\GoogleUpdate.exe [2010-09-15 03:51]
    .
    2012-06-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-366287834-1261937978-3892601416-1000UA.job
    - c:\users\Hyunsoo\AppData\Local\Google\Update\GoogleUpdate.exe [2010-09-15 03:51]
    .
    2012-06-11 c:\windows\Tasks\HPCeeScheduleForHyunsoo.job
    - c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 03:15]
    .
    2012-06-15 c:\windows\Tasks\ParetoLogic Registration.job
    - c:\windows\system32\rundll32.exe [2009-07-13 01:14]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2012-03-06 23:15135408----a-w-c:\program files\AVAST Software\Avast\ashShA64.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:1297792----a-w-c:\users\Hyunsoo\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:1297792----a-w-c:\users\Hyunsoo\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:1297792----a-w-c:\users\Hyunsoo\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
    @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:1297792----a-w-c:\users\Hyunsoo\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
    "HP Quick Launch"="c:\program files\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2010-01-18 451072]
    "SmartMenu"="c:\program files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [2010-01-20 611896]
    "HPToneControl"="c:\program files\Hewlett-Packard\HPToneControl\HPTonectl.exe" [2009-08-20 107832]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-03-02 172032]
    "HPWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe" [2009-12-16 8192]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2010-09-16 487424]
    "AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-15 499608]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-07-29 161304]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-07-29 386584]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2010-07-29 415256]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
    DPF: {E734BF43-7194-4E3A-832F-307606DDF665} - hxxps://www.conferenceservers.com/components/WDPLUGIN.CAB
    DPF: {FE342FC7-4374-4EBE-86DB-D73AE861F779} - hxxp://item2.naver.com/music/cab/NaverAXGuide.cab
    FF - ProfilePath - c:\users\Hyunsoo\AppData\Roaming\Mozilla\Firefox\Profiles\jw0h7oh2.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1060933&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - Freecorder Customized Web Search
    FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT1060933&SearchSource=13
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
    @Denied: (A) (Everyone)
    "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
    @Denied: (A) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
    "Key"="ActionsPane3"
    "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2012-06-17 00:12:23 - machine was rebooted
    .
    Pre-Run: 220,200,206,336 bytes free
    Post-Run: 219,809,042,432 bytes free
    .
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    The system is looking better. Unfortunately, it is the scan that you do which can be affected by the security running.

    Regrding ParetoLogic> Strongly recommend removing:

    (It should also be noted that none of the ParetoLogic web sites or pages are rated safe by Site Advisors.

    Part 1.
    1. Click on Start> navigate to your "Programs" icon via Windows Vista and the "Add/Remove Icon" when using Windows XP.
    2. Find the ParetoLogic application> Click to Highligjt> choose the "Remove" option
    3. Restart your computer, and the first part of the removal process is complete.
    Part 2.
    1. Click on Start> navigate to the "Accessories" tab> System Tools> Scheduled Tasks.
    2. Click on this option to bring up the "Tasks" menu.
    3. Find "Paretologic Registration"
    4. Left-click on the application, and then in the window on the left side click the "Delete" link to remove the scheduled task.
    ==============================================
    Use of programs like this is questionable at best. You almost certainly will get malware by using- advise remove::
    PDF Password Cracker v3.1
    PDF Password Remover
    ==============================================
    Reset in Firefox:
    Reset Browser search selectedEngine:

    • [1]. Open FireFox and instead of a url, type about:config in the Address Bar.
      [2]. Firefox will give you a warning, but go in anyway.
      [3]. Locate the browser. search. selectedEngine line
      [4]. Do the right click and choose Reset if available. If not, type in Google
    ----------------------
    Firefox Keyword Reset:

    • [1]. Open FireFox and instead of a url, type about:config in the Address Bar.
      [2]. Firefox will give you a warning, but go in anyway.
      [3]. Locate the keyword.url line. It should look like the image below.
      [​IMG]
      [4]. Right click on keyword.url, then select Reset
    ================================================
    Update and rescan with Malwarebytes: Note: On the Scanner tab, make sure the the Perform Full Scan option is selected and then click on the Scan button.
    When scan has finished, you will see this image:
    [​IMG]
    • Click on OK to close box and continue.
    • Click on the Show Results button.
    • Click on the Remove Selected button to remove all the listed malware.
    • At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format> Uncheck Word Wrap before copying the log to paste in your next reply.
    Logs in next reply please.
     
  12. Edaume

    Edaume TS Rookie Topic Starter

    I deleted ParetoLogic, deleted the two files that you recommended I delete, and also ran the Firefox procedures as you instructed. Thank you for your clear and concise instructions!! I'll paste the log here:
    --
    Malwarebytes Anti-Malware (Trial) 1.61.0.1400
    www.malwarebytes.org

    Database version: v2012.06.17.07

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    Hyunsoo :: HYUNSOO-PC [administrator]

    Protection: Enabled

    17/06/2012 3:34:55 PM
    mbam-log-2012-06-17 (15-34-55).txt

    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 615344
    Time elapsed: 2 hour(s), 16 minute(s), 3 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 2
    C:\Program Files (x86)\Adobe PhotoShop CS3\Msvcrt.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Users\Hyunsoo\Downloads\PROGRAMS\installer_adobe_acrobat_professional.exe (PUP.Adbundler) -> Quarantined and deleted successfully.

    (end)
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're welcome. But I think I've found the source of the malware.

    Download CKScanner and save to your desktop.
    • Doubleclick CKScanner.exe and click Search For Files.
    • When the cursor hourglass disappears, click Save List To File.
    • A message box will verify that the file is saved.
    • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.
     
  14. Edaume

    Edaume TS Rookie Topic Starter

    Thank you so much for your consistent replies! The log is pasted below. And I apologize if I sound like I'm repeating myself but because my infected laptop was connected to our home network internet while the virus was activated/became active, I'm concerned that the other computers may also be damaged/affected. Is there a possibility?
    --
    CKScanner - Additional Security Risks - These are not necessarily bad
    c:\program files\adobe\adobe premiere pro cs5.5\plug-ins\en_us\vstplugins\decrackler1.dll
    c:\program files\adobe\adobe premiere pro cs5.5\plug-ins\en_us\vstplugins\decrackler2.dll
    c:\program files\adobe\adobe premiere pro cs5.5\plug-ins\en_us\vstplugins\decrackler6.dll
    c:\program files (x86)\hp games\blasterball 3\data\art\bitmaps\enemies\boss2_crack.jpg.wkz
    c:\users\hyunsoo\downloads\adobe.acrobat.pro.x.10.crack\file_id.diz
    c:\users\hyunsoo\downloads\adobe.acrobat.pro.x.10.crack\orion.nfo
    c:\windows\crackpdf.ini
    scanner sequence 3.GL.11.XEAPOA
    ----- EOF -----
     
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You or someone who you authorized to use your computer is downloading thru the torrents or from Cracked sites. Piracy is illegal and brings malware with the downloaded files. I do not support piracy and to continue support, all pirated downloads must be removed.

    I saw the entries in Mbam and I confirmed it with the CK Scanner. If you've used the pirated program on the other computer, you probably have the malware on them also
     
  16. Edaume

    Edaume TS Rookie Topic Starter

    Thank you so much for letting me know. I deleted these files; I had no idea as I do share my laptop frequently with others.
     
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    This is something you should reconsider. As you have seen, others don't necessarily respect your property and you may want to consider being less generous..You also need to tighten up the security on the system:

    You may find the following helpful: (Links are Bold Blue)
    Tips for added security and safer browsing:
    1. Browser Security
      [o]Make Internet Explorer safer
      [o] Use WOT Site Advisor..
      Have layered Security:
    2. Add a Firewall (only one)
      [o] Zone Alarm Free
      [o]Comodo Firewall Free
    3. Antispyware/Security: I recommend all of the following:
      [o]Spywareblaster:Protects against bad ActiveX.
      [o]IE/Spyad Restricts bad domains.
      [o]MVPS Hosts files Directs HOSTS file to 127.0.0.1 which is your local computer.
    4. Stay current on updates:
      [o] Windows Updates. You should get All updates marked Critical and the current SP updates.
      [o] Adobe Reade. Uninstall old.
      [o] Java Uninstall old.
    5. Reset Cookies to prevent Tracking Cookies:
      [o]For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
      [o]For Firefox: Tools> Options> Privacy> Cookies> check ‘accept Cookies from Sites’> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
      I suggest using an AdBlock compatible with the version of the browser you have.
      [o]For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
      (First-party and third-party cookies can be set by the website you're visiting and websites that have items embedded in the website you're visiting. But when you next visit the website, only first-party cookie information is sent to the website. Third-party cookie information isn't sent back to the websites that originally set the third-party cookies.)
    6. Do regular Maintenance
      [o]To include Disc Cleanup, Defrag, Error Check/
    7. Remove Temporary Internet Files regularly:
      [o]TFC
    8. System Restore Guide: Understand Restore Points> why you need to clean and set restore points and what information is in them.
    9. Practice Safe Email Handling
      [o] Don't open email from anyone you don't know.
      [o] Don't open Attachments in the email. Save to your desktop and scan for viruses using a right click
      [o] Don't leave your personal email address on the internet/ Have a separate email account on free web-based mail.
    Please let me know if you find any bad links.

    About toolbars(TB) and browser helper objects(BHO) and other 'bundled' objects:
    Many download scrren have pre-checked boxes for TB and BHO. Frequently they have nothing to do with the programs you're downloading. ALL should be unchecked BEFORE you download the program.

    After you download, when you are ready to install(run) the program, if you are offered Custom install or Standard install, choose [b[Custom.[/b] That will give you some control over leaving out some of the 'bundle.'
    ==================================================
    How is the system doing now? Are you still connecting okay? Are you having any sudden or random reboots?
     
  18. Edaume

    Edaume TS Rookie Topic Starter

    Thank you so much for all of your help, advice, and the links you provided for me! I will begin tightening the security on my laptop right now. I will also definitely re-consider letting other people use my computer frequently as I wasn't aware of many of the files being downloaded and searches that were being done on the computer. The system is doing really well: I am able to connect well, the firewall is back up, and there aren't any sudden or random reboots. Do you think it's okay for me to connect permanently onto my home network now?
     
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're very welcome! You got off easy this time with the Sirefef malware! As you have probably noticed, many with this malware found themselves in a endless reboot cycle that had to be dealt with before any scans could be done.

    If you used flash drive between the computers while this system was infected, It would be best to start a new thread for each computer and go through the scanning process. If any of the same processes I had you uninstall on this system are also on the other systems, they should be remove from there also- I am referring to the processes like DealPly, CrossRider, Freecorder Toolbar, etc.

    Remove all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
      [o] Click START> then RUN
      [o] Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
      [o] Double click OTCleanIt.exe.
      [o] Click the CleanUp! button.
      [o] If you are prompted to Reboot during the cleanup, select Yes.
      [o]The tool will delete itself once it finishes.
      Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
      Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
    • Set a new, clean Restore Point
      [o] Click on Start> right click on Computer> Properties
      [o] Select System Protection
      [o] Click on the Create button (near bottom)
      [o] Type a name for the Restore Point
      [o] Click on Create again to save the restore point.
    • Deleting all but the most recent System Protection point in Windows 7
      [o] Click Start> Computer> right click the C Drive and choose Properties> enter.
      [o] Click Disk Cleanup from there.
      [​IMG]
      [o] Click Clean up system files
      This restarts Disk Cleanup to run in elevated mode.
      [o] Click the More Options tab
      [​IMG]
      [o] Click the Clean up under System Restore and Shadow Copies.
      [o] Click OK.
      [o] You will get a confirmation screen> Just click Delete.
      [o] Click OK on the Disk Cleanup Screen.
      [o] Click Delete Files on the Confirmation screen.
    [​IMG]
    This runs the Disk Cleanup utility along with other selections if you have chosen any. (if you had a lot System Restore points, you will see a significant change in the free space in C drive)
    Images courtesy lytebyte.

    Empty the Recycle Bin
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...