Inactive Windows Vista 64-Bit sierfif.y and sirefif.b

S

Shadowhawk642

Posts: 10   +0
I have a couple instances of the sirefif virus showing up on my laptop running Windows Vista 64-bit. I have read through the forums and have run the Farbar tool. Logs posted below...

Scan result of Farbar Recovery Scan Tool Version: 15-08-2012
Ran by SYSTEM at 17-08-2012 21:19:22
Running from F:\
Windows Vista (TM) Home Premium Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe [237056 2007-12-15] (Alps Electric Co., Ltd.)
HKLM\...\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE [487264 2008-11-04] (TOSHIBA Corporation)
HKLM\...\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe [52560 2007-12-06] (TOSHIBA Corporation)
HKLM\...\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe [518008 2008-06-02] (TOSHIBA Corporation)
HKLM\...\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe [882488 2008-11-17] (TOSHIBA Corporation)
HKLM\...\Run: [RtHDVCpl] RAVCpl64.exe [x]
HKLM\...\Run: [Skytel] Skytel.exe [x]
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
HKLM-x32\...\Run: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START [x]
HKLM-x32\...\Run: [NDSTray.exe] NDSTray.exe [x]
HKLM-x32\...\Run: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe hwSetUP [422400 2007-04-16] (TOSHIBA Electronics, Inc.)
HKLM-x32\...\Run: [SVPWUTIL] "C:\Program Files (x86)\TOSHIBA\Utilities\SVPWUTIL.exe" SVPwUTIL [438272 2007-09-19] (TOSHIBA)
HKLM-x32\...\Run: [KeNotify] "C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe" [34352 2006-11-06] ()
HKLM-x32\...\Run: [PCMAgent] "C:\Program Files (x86)\CyberLink\PowerCinema for TOSHIBA\PCMAgent.exe" [143360 2007-12-13] (CyberLink Corp.)
HKLM-x32\...\Run: [CLMLServer] "C:\Program Files (x86)\CyberLink\PowerCinema for TOSHIBA\Kernel\CLML\CLMLSvc.exe" [188416 2008-07-10] (CyberLink)
HKLM-x32\...\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe" /start [417792 2008-04-29] (Chicony)
HKLM-x32\...\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript [1312080 2009-09-10] (Malwarebytes Corporation)
HKLM-x32\...\Run: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [49152 2006-12-10] (Hewlett-Packard Co.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2010-09-08] (Apple Inc.)
HKLM-x32\...\Run: [AmazonGSDownloaderTray] "C:\Program Files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [326144 2009-10-23] (Amazon.com)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2011-11-01] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2012-01-16] (Apple Inc.)
HKLM-x32\...\Run: [VirtualCloneDrive] "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s [89456 2011-03-07] (Elaborate Bytes AG)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [LogMeIn Hamachi Ui] "C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start [1996200 2012-06-27] (LogMeIn Inc.)
HKU\Default\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
HKU\Default\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [2438656 2009-04-10] (Microsoft Corporation)
HKU\Default\...\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe [432640 2008-04-24] (TOSHIBA)
HKU\Default User\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
HKU\Default User\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [2438656 2009-04-10] (Microsoft Corporation)
HKU\Default User\...\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe [432640 2008-04-24] (TOSHIBA)
HKU\Storm\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [138240 2008-01-20] (Microsoft Corporation)
HKU\Storm\...\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun [17418928 2012-07-13] (Skype Technologies S.A.)
HKU\UpdatusUser\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
HKU\UpdatusUser\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [2438656 2009-04-10] (Microsoft Corporation)
HKU\UpdatusUser\...\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe [432640 2008-04-24] (TOSHIBA)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)

==================== Services (Whitelisted) ======

2 Hamachi2Svc; "C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe" -s [2369960 2012-06-27] (LogMeIn Inc.)
2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)
3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation)
2 TNaviSrv; C:\Program Files (x86)\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe [83312 2008-11-14] (TOSHIBA Corporation)
2 WTouchService; C:\Program Files\WTouch\WTouchService.exe [127272 2009-07-15] (Wacom Technology, Corp.)
2 Norton Internet Security; "C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe" /s "Norton Internet Security" /m "C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\diMaster.dll" /prefetch:1 [x]

========================== Drivers (Whitelisted) =============

3 hamachi; C:\Windows\System32\Drivers\hamachi.sys [33856 2009-03-18] (LogMeIn, Inc.)
0 LPCFilter; C:\Windows\SysWow64\Drivers\LPCFilter.sys [32040 2008-05-07] (COMPAL ELECTRONIC INC.)
2 OpenLibSys; \??\C:\Program Files (x86)\NXP\FM Radio\OpenLibSysX64.sys [14544 2007-10-19] (OpenLibSys.org)
4 tosrfec; C:\Windows\System32\Drivers\tosrfec.sys [18944 2006-10-23] (TOSHIBA Corporation)
1 Beep; [x]
3 catchme; \??\C:\ComboFix\catchme.sys [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 lmimirr; C:\Windows\System32\DRIVERS\lmimirr.sys [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
3 Tosrfcom; [x]
3 TpChoice; C:\Windows\System32\DRIVERS\TpChoice.sys [x]
3 WinRing0_1_2_0; \??\C:\Users\Storm\Downloads\RealTemp_340\WinRing0x64.sys [x]
3 X6va009; \??\C:\Windows\SysWOW64\Drivers\X6va009 [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-08-17 21:18 - 2012-08-17 21:18 - 00000000 ____D C:\FRST
2012-08-17 20:06 - 2012-08-17 20:06 - 00000134 ____A C:\Users\Storm\Desktop\Programs and Features - Shortcut.lnk
2012-08-17 17:58 - 2012-08-17 17:59 - 00000000 ___SD C:\ComboFix
2012-08-17 17:54 - 2012-08-17 17:54 - 00384512 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.037662617EFA1186
2012-08-17 17:53 - 2012-08-17 18:02 - 00000000 ___SD C:\32788R22FWJFW
2012-08-17 09:21 - 2012-08-17 09:21 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2012-08-16 19:44 - 2012-08-16 20:16 - 00000000 ____D C:\Users\Storm\Desktop\StarStealingPrinceFullwRTPV2.1
2012-08-16 19:20 - 2012-08-16 19:36 - 228696649 ____A C:\Users\Storm\Downloads\StarStealingPrinceFullwRTPV2.1.rar
2012-08-16 12:41 - 2012-08-16 12:41 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-08-16 12:37 - 2012-08-16 12:37 - 00140827 ____A C:\Windows\SysWOW64\Drivers\str.sys
2012-08-15 21:28 - 2012-07-04 06:33 - 02769408 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-08-15 15:16 - 2012-06-28 03:37 - 01212416 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-08-15 15:16 - 2012-06-28 03:37 - 00916992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-08-15 15:16 - 2012-06-28 03:37 - 00105984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-08-15 15:16 - 2012-06-28 03:35 - 00206848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\occache.dll
2012-08-15 15:16 - 2012-06-28 03:33 - 00611840 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mstime.dll
2012-08-15 15:16 - 2012-06-28 03:32 - 06008320 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-08-15 15:16 - 2012-06-28 03:32 - 00629760 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2012-08-15 15:16 - 2012-06-28 03:32 - 00067072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-08-15 15:16 - 2012-06-28 03:32 - 00055296 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeedsbs.dll
2012-08-15 15:16 - 2012-06-28 03:32 - 00043520 ____A (Microsoft Corporation) C:\Windows\SysWOW64\licmgr10.dll
2012-08-15 15:16 - 2012-06-28 03:31 - 11111424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-08-15 15:16 - 2012-06-28 03:31 - 02000384 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-08-15 15:16 - 2012-06-28 03:31 - 01469440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-08-15 15:16 - 2012-06-28 03:31 - 00387584 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2012-08-15 15:16 - 2012-06-28 03:31 - 00184320 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iepeers.dll
2012-08-15 15:16 - 2012-06-28 03:31 - 00164352 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-08-15 15:16 - 2012-06-28 03:31 - 00109056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2012-08-15 15:16 - 2012-06-28 03:31 - 00071680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2012-08-15 15:16 - 2012-06-28 03:31 - 00055808 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2012-08-15 15:16 - 2012-06-28 03:31 - 00025600 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-08-15 15:16 - 2012-06-28 01:59 - 00385024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\html.iec
2012-08-15 15:16 - 2012-06-28 00:19 - 00174080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ie4uinit.exe
2012-08-15 15:16 - 2012-06-28 00:19 - 00133632 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-08-15 15:16 - 2012-06-28 00:18 - 00013312 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeedssync.exe
2012-08-15 15:16 - 2012-06-28 00:17 - 01638912 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-08-15 15:16 - 2012-06-27 22:53 - 01488384 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-08-15 15:16 - 2012-06-27 22:53 - 01147392 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-08-15 15:16 - 2012-06-27 22:53 - 00108032 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-08-15 15:16 - 2012-06-27 22:51 - 00243712 ____A (Microsoft Corporation) C:\Windows\System32\occache.dll
2012-08-15 15:16 - 2012-06-27 22:49 - 09328640 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-08-15 15:16 - 2012-06-27 22:49 - 01062912 ____A (Microsoft Corporation) C:\Windows\System32\mstime.dll
2012-08-15 15:16 - 2012-06-27 22:49 - 00742912 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-08-15 15:16 - 2012-06-27 22:49 - 00098304 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-08-15 15:16 - 2012-06-27 22:49 - 00071680 ____A (Microsoft Corporation) C:\Windows\System32\msfeedsbs.dll
2012-08-15 15:16 - 2012-06-27 22:48 - 01538560 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-08-15 15:16 - 2012-06-27 22:48 - 00056832 ____A (Microsoft Corporation) C:\Windows\System32\licmgr10.dll
2012-08-15 15:16 - 2012-06-27 22:48 - 00031744 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-08-15 15:16 - 2012-06-27 22:47 - 12508672 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-08-15 15:16 - 2012-06-27 22:47 - 02350592 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-08-15 15:16 - 2012-06-27 22:47 - 00459776 ____A (Microsoft Corporation) C:\Windows\System32\iedkcs32.dll
2012-08-15 15:16 - 2012-06-27 22:47 - 00252416 ____A (Microsoft Corporation) C:\Windows\System32\iepeers.dll
2012-08-15 15:16 - 2012-06-27 22:47 - 00219136 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-08-15 15:16 - 2012-06-27 22:47 - 00132096 ____A (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2012-08-15 15:16 - 2012-06-27 22:47 - 00077312 ____A (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2012-08-15 15:16 - 2012-06-27 22:47 - 00072192 ____A (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2012-08-15 15:16 - 2012-06-27 21:54 - 00479232 ____A (Microsoft Corporation) C:\Windows\System32\html.iec
2012-08-15 15:16 - 2012-06-27 21:11 - 00162816 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-08-15 15:16 - 2012-06-27 21:11 - 00070656 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2012-08-15 15:16 - 2012-06-27 21:10 - 01638912 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-08-15 15:16 - 2012-06-27 21:10 - 00012288 ____A (Microsoft Corporation) C:\Windows\System32\msfeedssync.exe
2012-08-15 15:16 - 2012-06-16 03:19 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2012-08-15 15:16 - 2012-06-16 03:14 - 00727040 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-08-15 15:16 - 2012-06-15 23:02 - 00610816 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2012-08-15 15:16 - 2012-06-15 22:58 - 00818176 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-08-15 15:16 - 2012-05-11 08:34 - 00788480 ____A (Microsoft Corporation) C:\Windows\System32\localspl.dll
2012-08-15 15:16 - 2012-05-11 07:57 - 00623616 ____A (Microsoft Corporation) C:\Windows\SysWOW64\localspl.dll
2012-08-15 15:15 - 2012-06-29 08:20 - 00648192 ____A (Microsoft Corporation) C:\Windows\System32\netapi32.dll
2012-08-15 15:15 - 2012-06-29 08:01 - 00467968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netapi32.dll
2012-08-15 15:11 - 2012-08-15 15:36 - 00000000 ____D C:\Users\Storm\AppData\Roaming\The Mirror Lied
2012-08-15 14:32 - 2011-09-10 00:40 - 00000000 ____D C:\Users\Storm\Desktop\The Mirror Lied
2012-08-15 14:02 - 2012-08-15 14:27 - 10185946 ____A C:\Users\Storm\Downloads\The_Mirror_Lied-v2.zip
2012-08-14 21:58 - 2012-08-14 22:13 - 136441593 ____A C:\Users\Storm\Downloads\P4U_Complete_Character_Sprites.7z
2012-08-14 21:32 - 2012-08-14 21:34 - 33493196 ____A C:\Users\Storm\Downloads\imageex.7z
2012-08-14 21:27 - 2012-08-14 22:20 - 00000000 ____D C:\Users\Storm\Desktop\P4U
2012-08-14 21:26 - 2012-08-14 21:30 - 47515654 ____A C:\Users\Storm\Downloads\avatar.7z
2012-08-06 18:44 - 2012-08-06 20:38 - 00000000 ____D C:\Users\Storm\Desktop\Bakemonogatari
2012-07-26 13:25 - 2012-07-26 13:26 - 00000000 ____D C:\Users\Storm\Desktop\Supernatural Anime

============ 3 Months Modified Files ========================

2012-08-17 20:15 - 2009-10-19 23:25 - 00384512 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
2012-08-17 20:14 - 2010-12-28 17:51 - 00000892 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-08-17 20:14 - 2006-11-02 07:42 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-08-17 20:14 - 2006-11-02 07:22 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-08-17 20:14 - 2006-11-02 07:22 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-08-17 20:08 - 2011-07-09 01:33 - 00000908 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-19539739-2347143033-1963601051-1000UA.job
2012-08-17 20:06 - 2012-08-17 20:06 - 00000134 ____A C:\Users\Storm\Desktop\Programs and Features - Shortcut.lnk
2012-08-17 18:04 - 2009-10-16 03:21 - 00007916 ____A C:\Users\Storm\AppData\Local\d3d9caps.dat
2012-08-17 18:01 - 2010-12-28 17:51 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-08-17 17:54 - 2012-08-17 17:54 - 00384512 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.037662617EFA1186
2012-08-17 17:54 - 2012-07-12 18:20 - 04733838 ____R (Swearware) C:\Users\Storm\Desktop\ComboFix.exe
2012-08-17 09:22 - 2011-11-03 09:47 - 00001945 ____A C:\Windows\epplauncher.mif
2012-08-17 09:22 - 2009-07-29 07:59 - 01108881 ____A C:\Windows\WindowsUpdate.log
2012-08-17 09:21 - 2011-11-03 09:47 - 00781174 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-08-17 09:14 - 2006-11-02 07:42 - 00032622 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-08-17 09:13 - 2012-04-18 10:18 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-08-17 09:13 - 2011-05-12 19:28 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-08-17 09:13 - 2009-10-14 14:39 - 00085888 ____A C:\Users\Storm\AppData\Local\GDIPFONTCACHEV1.DAT
2012-08-17 09:11 - 2006-11-02 07:21 - 00328848 ____A C:\Windows\System32\FNTCACHE.DAT
2012-08-16 19:36 - 2012-08-16 19:20 - 228696649 ____A C:\Users\Storm\Downloads\StarStealingPrinceFullwRTPV2.1.rar
2012-08-16 12:37 - 2012-08-16 12:37 - 00140827 ____A C:\Windows\SysWOW64\Drivers\str.sys
2012-08-16 11:08 - 2011-07-09 01:33 - 00000856 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-19539739-2347143033-1963601051-1000Core.job
2012-08-16 09:24 - 2006-11-02 04:46 - 00766008 ____A C:\Windows\System32\PerfStringBackup.INI
2012-08-15 21:24 - 2006-11-02 04:35 - 62134624 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2012-08-15 14:27 - 2012-08-15 14:02 - 10185946 ____A C:\Users\Storm\Downloads\The_Mirror_Lied-v2.zip
2012-08-14 22:13 - 2012-08-14 21:58 - 136441593 ____A C:\Users\Storm\Downloads\P4U_Complete_Character_Sprites.7z
2012-08-14 21:34 - 2012-08-14 21:32 - 33493196 ____A C:\Users\Storm\Downloads\imageex.7z
2012-08-14 21:30 - 2012-08-14 21:26 - 47515654 ____A C:\Users\Storm\Downloads\avatar.7z
2012-07-29 22:10 - 2009-10-30 11:47 - 00038912 ____A C:\Users\Storm\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-07-14 00:08 - 2012-07-13 21:05 - 158874719 ____A C:\Users\Storm\Downloads\bloodtracks_030712_10378-L4D2.zip
2012-07-13 21:35 - 2012-07-13 21:09 - 158874719 ____A C:\Users\Storm\Downloads\bloodtracks_030712_10378-L4D2 (1).zip
2012-07-12 19:01 - 2012-07-12 18:58 - 12621696 ____A (Microsoft Corporation) C:\Users\Storm\Downloads\mseinstall.exe
2012-07-12 18:56 - 2006-11-02 04:33 - 65536000 ____A C:\Windows\System32\config\software_previous
2012-07-12 18:56 - 2006-11-02 04:33 - 21233664 ____A C:\Windows\System32\config\system_previous
2012-07-12 18:52 - 2006-11-02 04:33 - 56623104 ____A C:\Windows\System32\config\components_previous
2012-07-12 18:52 - 2006-11-02 04:33 - 00262144 ____A C:\Windows\System32\config\sam_previous
2012-07-12 18:47 - 2008-01-20 19:26 - 00735534 ____A C:\Windows\PFRO.log
2012-07-12 18:47 - 2006-11-02 04:34 - 00000215 ____A C:\Windows\system.ini
2012-07-12 17:49 - 2006-11-02 04:33 - 00262144 ____A C:\Windows\System32\config\security_previous
2012-07-12 17:49 - 2006-11-02 04:33 - 00262144 ____A C:\Windows\System32\config\default_previous
2012-07-09 23:05 - 2012-07-09 23:02 - 09907915 ____A (Adobe Systems, Inc.) C:\Users\Storm\Desktop\katawa_crash_beta_8-36.exe
2012-07-07 20:29 - 2012-07-07 20:29 - 01391104 ____A C:\Users\Storm\Downloads\apploc.msi
2012-07-06 22:00 - 2012-07-06 21:01 - 161912074 ____A C:\Users\Storm\Downloads\[4ls]_katawa_shoujo_enigmatic_box_of_sound_[503ACD68] (1).zip
2012-07-06 20:49 - 2012-07-06 20:44 - 04957875 ____A C:\Users\Storm\Downloads\[4ls]_katawa_shoujo_enigmatic_box_of_sound_[503ACD68].zip
2012-07-06 20:16 - 2012-07-06 19:42 - 112861440 ____A C:\Users\Storm\Downloads\Supersekritfiles-s.part1.rar
2012-07-06 20:15 - 2012-07-06 19:42 - 154213571 ____A C:\Users\Storm\Downloads\Supersekritfiles-s.part2.rar
2012-07-05 15:25 - 2012-07-05 15:12 - 104921110 ____A C:\Users\Storm\Downloads\lbac_300612_17711-L4D2.zip
2012-07-05 15:15 - 2012-07-05 15:11 - 18411754 ____A C:\Users\Storm\Downloads\vanillaghosthouse_020511_9711-L4D2.zip
2012-07-04 17:59 - 2012-07-04 17:37 - 96140763 ____A C:\Users\Storm\Downloads\Ouran High School Host Club Soundtrack & Character Song 2.zip
2012-07-04 17:42 - 2012-07-04 17:37 - 95248672 ____A C:\Users\Storm\Downloads\Ouran.High.School.Host.Club [Soundtrack.&.Character.Song.1].rar
2012-07-04 17:36 - 2012-07-04 17:35 - 00281448 ____A (Premium) C:\Users\Storm\Downloads\Ouran High School Host Club Soundtrack amp Character Song 2.zip.exe
2012-07-04 06:33 - 2012-08-15 21:28 - 02769408 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-03 20:08 - 2012-07-03 19:02 - 281950221 ____A C:\Users\Storm\Downloads\ihatemountains_290111_5834.zip
2012-07-03 03:55 - 2012-07-03 03:54 - 07524202 ____A C:\Users\Storm\Downloads\mobstadium2012l4d2final_090910_4442-L4D2.zip
2012-07-03 03:53 - 2012-07-03 03:50 - 24160697 ____A C:\Users\Storm\Downloads\spacejockeys_020610_5280-L4D2.zip
2012-07-03 03:52 - 2012-07-03 03:52 - 16769075 ____A C:\Users\Storm\Downloads\wormwoodv2_121210_6925-L4D2.zip
2012-07-03 03:52 - 2012-07-03 03:52 - 12533770 ____A C:\Users\Storm\Downloads\thereturnofthejockeys_280411_10066-L4D2.zip
2012-07-01 13:24 - 2012-06-30 23:18 - 172610288 ____A C:\Users\Storm\Downloads\hauntedforest_v3_230411_6923-L4D2.zip
2012-06-30 23:42 - 2012-06-30 23:29 - 172610288 ____A C:\Users\Storm\Downloads\hauntedforest_v3_230411_6923-L4D2 (1).zip
2012-06-30 11:32 - 2012-06-30 11:32 - 00285920 ____A C:\Windows\Minidump\Mini063012-01.dmp
2012-06-30 11:32 - 2009-10-18 23:50 - 580171102 ____A C:\Windows\MEMORY.DMP
2012-06-29 17:22 - 2012-06-29 17:22 - 00001856 ____A C:\Users\Storm\Desktop\Forget Me Not Annie.lnk
2012-06-29 17:20 - 2009-07-29 08:30 - 00030274 ____A C:\Windows\DirectX.log
2012-06-29 08:20 - 2012-08-15 15:15 - 00648192 ____A (Microsoft Corporation) C:\Windows\System32\netapi32.dll
2012-06-29 08:01 - 2012-08-15 15:15 - 00467968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netapi32.dll
2012-06-28 03:37 - 2012-08-15 15:16 - 01212416 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-06-28 03:37 - 2012-08-15 15:16 - 00916992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-06-28 03:37 - 2012-08-15 15:16 - 00105984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-06-28 03:35 - 2012-08-15 15:16 - 00206848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\occache.dll
2012-06-28 03:33 - 2012-08-15 15:16 - 00611840 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mstime.dll
2012-06-28 03:32 - 2012-08-15 15:16 - 06008320 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-06-28 03:32 - 2012-08-15 15:16 - 00629760 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2012-06-28 03:32 - 2012-08-15 15:16 - 00067072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-06-28 03:32 - 2012-08-15 15:16 - 00055296 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeedsbs.dll
2012-06-28 03:32 - 2012-08-15 15:16 - 00043520 ____A (Microsoft Corporation) C:\Windows\SysWOW64\licmgr10.dll
2012-06-28 03:31 - 2012-08-15 15:16 - 11111424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-06-28 03:31 - 2012-08-15 15:16 - 02000384 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-06-28 03:31 - 2012-08-15 15:16 - 01469440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-06-28 03:31 - 2012-08-15 15:16 - 00387584 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2012-06-28 03:31 - 2012-08-15 15:16 - 00184320 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iepeers.dll
2012-06-28 03:31 - 2012-08-15 15:16 - 00164352 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-06-28 03:31 - 2012-08-15 15:16 - 00109056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2012-06-28 03:31 - 2012-08-15 15:16 - 00071680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2012-06-28 03:31 - 2012-08-15 15:16 - 00055808 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2012-06-28 03:31 - 2012-08-15 15:16 - 00025600 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-06-28 01:59 - 2012-08-15 15:16 - 00385024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\html.iec
2012-06-28 00:19 - 2012-08-15 15:16 - 00174080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ie4uinit.exe
2012-06-28 00:19 - 2012-08-15 15:16 - 00133632 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-06-28 00:18 - 2012-08-15 15:16 - 00013312 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeedssync.exe
2012-06-28 00:17 - 2012-08-15 15:16 - 01638912 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-06-27 22:53 - 2012-08-15 15:16 - 01488384 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-27 22:53 - 2012-08-15 15:16 - 01147392 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-27 22:53 - 2012-08-15 15:16 - 00108032 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-27 22:51 - 2012-08-15 15:16 - 00243712 ____A (Microsoft Corporation) C:\Windows\System32\occache.dll
2012-06-27 22:49 - 2012-08-15 15:16 - 09328640 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-27 22:49 - 2012-08-15 15:16 - 01062912 ____A (Microsoft Corporation) C:\Windows\System32\mstime.dll
2012-06-27 22:49 - 2012-08-15 15:16 - 00742912 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-06-27 22:49 - 2012-08-15 15:16 - 00098304 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-27 22:49 - 2012-08-15 15:16 - 00071680 ____A (Microsoft Corporation) C:\Windows\System32\msfeedsbs.dll
2012-06-27 22:48 - 2012-08-15 15:16 - 01538560 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-27 22:48 - 2012-08-15 15:16 - 00056832 ____A (Microsoft Corporation) C:\Windows\System32\licmgr10.dll
2012-06-27 22:48 - 2012-08-15 15:16 - 00031744 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-27 22:47 - 2012-08-15 15:16 - 12508672 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-27 22:47 - 2012-08-15 15:16 - 02350592 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-27 22:47 - 2012-08-15 15:16 - 00459776 ____A (Microsoft Corporation) C:\Windows\System32\iedkcs32.dll
2012-06-27 22:47 - 2012-08-15 15:16 - 00252416 ____A (Microsoft Corporation) C:\Windows\System32\iepeers.dll
2012-06-27 22:47 - 2012-08-15 15:16 - 00219136 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-27 22:47 - 2012-08-15 15:16 - 00132096 ____A (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2012-06-27 22:47 - 2012-08-15 15:16 - 00077312 ____A (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2012-06-27 22:47 - 2012-08-15 15:16 - 00072192 ____A (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2012-06-27 21:54 - 2012-08-15 15:16 - 00479232 ____A (Microsoft Corporation) C:\Windows\System32\html.iec
2012-06-27 21:11 - 2012-08-15 15:16 - 00162816 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-27 21:11 - 2012-08-15 15:16 - 00070656 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2012-06-27 21:10 - 2012-08-15 15:16 - 01638912 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-27 21:10 - 2012-08-15 15:16 - 00012288 ____A (Microsoft Corporation) C:\Windows\System32\msfeedssync.exe
2012-06-16 03:19 - 2012-08-15 15:16 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2012-06-16 03:14 - 2012-08-15 15:16 - 00727040 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-06-15 23:02 - 2012-08-15 15:16 - 00610816 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2012-06-15 22:58 - 2012-08-15 15:16 - 00818176 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-14 13:35 - 2012-06-14 13:22 - 109033102 ____A C:\Users\Storm\Downloads\Ib.rar
2012-06-09 11:50 - 2012-06-09 11:49 - 00464924 ____A C:\Windows\dd_vcredistMSI4394.txt
2012-06-09 11:50 - 2012-06-09 11:49 - 00011638 ____A C:\Windows\dd_vcredistUI4394.txt
2012-06-08 18:07 - 2012-06-08 16:10 - 209715200 ____A C:\Users\Storm\Downloads\dBsoundworks_-_Sup.e.rMe.atB.o.y_OST.2010.320.part1.rar
2012-06-08 14:55 - 2012-06-08 14:51 - 17792029 ____A C:\Users\Storm\Downloads\dBsoundworks_-_Sup.e.rMe.atB.o.y_OST.2010.320.part2.rar
2012-06-08 09:59 - 2012-07-10 15:05 - 12899840 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-08 09:47 - 2012-07-10 15:05 - 11586048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2012-06-07 21:04 - 2012-06-07 21:04 - 00466456 ____A (Creative Labs) C:\Windows\System32\wrap_oal.dll
2012-06-07 21:04 - 2012-06-07 21:04 - 00444952 ____A (Creative Labs) C:\Windows\SysWOW64\wrap_oal.dll
2012-06-07 21:04 - 2012-06-07 21:04 - 00122904 ____A (Portions (C) Creative Labs Inc. and NVIDIA Corp.) C:\Windows\System32\OpenAL32.dll
2012-06-07 21:04 - 2012-06-07 21:04 - 00109080 ____A (Portions (C) Creative Labs Inc. and NVIDIA Corp.) C:\Windows\SysWOW64\OpenAL32.dll
2012-06-07 21:03 - 2012-06-07 20:57 - 00414000 ____A C:\Users\Storm\Downloads\EAX 2.zip
2012-06-07 14:03 - 2012-06-07 14:02 - 00434748 ____A C:\Users\Storm\AppData\Local\dd_vcredistMSI0D63.txt
2012-06-07 14:03 - 2012-06-07 14:02 - 00011444 ____A C:\Users\Storm\AppData\Local\dd_vcredistUI0D63.txt
2012-06-07 14:02 - 2012-06-07 14:02 - 00010552 ____A C:\Users\Storm\AppData\Local\dd_vcredistUI0D64.txt
2012-06-05 08:47 - 2012-07-10 15:05 - 01401856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2012-06-05 08:47 - 2012-07-10 15:05 - 01248768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2012-06-05 08:22 - 2012-07-10 15:05 - 01869824 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-05 08:22 - 2012-07-10 15:05 - 01797120 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-04 07:29 - 2012-07-10 15:05 - 00516480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-04 01:25 - 2012-06-04 01:25 - 00467414 ____A C:\Windows\dd_vcredistMSI5F4C.txt
2012-06-04 01:25 - 2012-06-04 01:25 - 00011622 ____A C:\Windows\dd_vcredistUI5F4C.txt
2012-06-02 15:53 - 2012-06-02 15:51 - 00428770 ____A C:\Users\Storm\AppData\Local\dd_vcredistMSI5A7A.txt
2012-06-02 15:53 - 2012-06-02 15:51 - 00011462 ____A C:\Users\Storm\AppData\Local\dd_vcredistUI5A7A.txt
2012-06-02 14:19 - 2012-06-21 12:05 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-21 12:05 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-21 12:05 - 00577048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
2012-06-02 14:19 - 2012-06-21 12:05 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 14:19 - 2012-06-21 12:05 - 00171904 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
2012-06-02 14:19 - 2012-06-21 12:05 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-21 12:05 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-21 12:05 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:19 - 2012-06-21 12:05 - 00035864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
2012-06-02 14:15 - 2012-06-21 12:05 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:15 - 2012-06-21 12:05 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 14:15 - 2012-06-21 12:05 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-02 14:12 - 2012-06-21 12:05 - 00088576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
2012-06-02 14:12 - 2012-06-21 12:05 - 00033792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
2012-06-02 13:14 - 2012-06-02 13:14 - 00000220 ____A C:\Users\Storm\Desktop\Psychonauts.url
2012-06-01 16:22 - 2012-07-10 15:05 - 00347136 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-01 16:22 - 2012-07-10 15:05 - 00254464 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-06-01 16:05 - 2012-07-10 15:05 - 00077312 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2012-06-01 16:04 - 2012-07-10 15:05 - 00278528 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2012-06-01 16:03 - 2012-07-10 15:05 - 00204288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2012-05-31 22:17 - 2012-05-31 22:17 - 00872126 ____A C:\Users\Storm\Downloads\YUGIOH_5Ds_Characters_Gmod_PASADENAOPOSSUM.7z
2012-05-31 03:37 - 2009-07-29 08:14 - 00000012 ____A C:\Users\Public\fm_user.cfg
2012-05-31 03:37 - 2009-07-29 08:14 - 00000009 ____A C:\Users\Public\fm_favorite.cfg
2012-05-28 16:24 - 2012-05-28 16:24 - 00001856 ____A C:\Users\Storm\Desktop\PARANORMAL - BETA 4.lnk
2012-05-28 16:14 - 2012-05-28 15:58 - 381167200 ____A (Epic Games, Inc.) C:\Users\Storm\Downloads\UDKInstall-Para-BETA4.exe
2012-05-28 15:41 - 2012-05-28 15:39 - 31842315 ____A C:\Users\Storm\Downloads\Team Starkid w. Darren Criss.zip
2012-05-28 15:03 - 2012-05-28 14:55 - 72002374 ____A C:\Users\Storm\Downloads\Team Starkid SPACE Tour.zip

ZeroAccess:
C:\Windows\Installer\{b0d01356-c8bc-ebf0-84bf-6423a1f60e01}
C:\Windows\Installer\{b0d01356-c8bc-ebf0-84bf-6423a1f60e01}\@
C:\Windows\Installer\{b0d01356-c8bc-ebf0-84bf-6423a1f60e01}\L
C:\Windows\Installer\{b0d01356-c8bc-ebf0-84bf-6423a1f60e01}\n
C:\Windows\Installer\{b0d01356-c8bc-ebf0-84bf-6423a1f60e01}\U
C:\Windows\Installer\{b0d01356-c8bc-ebf0-84bf-6423a1f60e01}\U\00000001.@
C:\Windows\Installer\{b0d01356-c8bc-ebf0-84bf-6423a1f60e01}\U\80000000.@
C:\Windows\Installer\{b0d01356-c8bc-ebf0-84bf-6423a1f60e01}\U\800000cb.@

ZeroAccess:
C:\Users\Storm\AppData\Local\{b0d01356-c8bc-ebf0-84bf-6423a1f60e01}
C:\Users\Storm\AppData\Local\{b0d01356-c8bc-ebf0-84bf-6423a1f60e01}\@
C:\Users\Storm\AppData\Local\{b0d01356-c8bc-ebf0-84bf-6423a1f60e01}\L
C:\Users\Storm\AppData\Local\{b0d01356-c8bc-ebf0-84bf-6423a1f60e01}\U

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe BC81150939BD52DBC7A08C245F1FB229 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 13%
Total physical RAM: 4059.96 MB
Available physical RAM: 3508.97 MB
Total Pagefile: 3809.45 MB
Available Pagefile: 3483.23 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

======================= Partitions =========================

1 Drive c: (SQ004951V02) (Fixed) (Total:285.88 GB) (Free:87.52 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
3 Drive e: (TOSHIBA SYSTEM VOLUME) (Fixed) (Total:1.46 GB) (Free:1.3 GB) NTFS
4 Drive f: () (Removable) (Total:1.87 GB) (Free:1.87 GB) FAT
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 298 GB 0 B
Disk 1 Online 1913 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 1500 MB 1024 KB
Partition 2 Primary 286 GB 1501 MB
Partition 3 Primary 11 GB 287 GB

==================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E TOSHIBA SYS NTFS Partition 1500 MB Healthy Hidden

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C SQ004951V02 NTFS Partition 286 GB Healthy

==================================================================================

Disk: 0
Partition 3
Type : 17 (Suspicious Type)
Hidden: Yes
Active: No

There is no volume associated with this partition.

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1913 MB 16 KB

==================================================================================

Disk: 1
Partition 1
Type : 06
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 F FAT Removable 1913 MB Healthy

==================================================================================

Last Boot: 2012-08-17 09:22

======================= End Of Log ==========================
 
Results of running services.exe search...

Farbar Recovery Scan Tool Version: 15-08-2012
Ran by SYSTEM at 2012-08-17 21:27:31
Running from F:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2009-10-19 23:25] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-01-20 18:50] - [2008-01-20 18:50] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe
[2009-10-19 23:25] - [2009-04-10 23:10] - 0384512 ____A (Microsoft Corporation) 934E0B7D77FF78C18D9F8891221B6DE3

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe
[2008-01-20 18:49] - [2008-01-20 18:49] - 0384512 ____A (Microsoft Corporation) DFAC660F0F139276CC9299812DE42719

C:\Windows\SysWOW64\services.exe
[2009-10-19 23:25] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\System32\services.exe
[2009-10-19 23:25] - [2012-08-17 20:15] - 0384512 ____A (Microsoft Corporation) BC81150939BD52DBC7A08C245F1FB229

C:\Windows\erdnt\cache64\services.exe
[2012-07-12 18:52] - [2009-04-10 23:10] - 0384512 ____A (Microsoft Corporation) 934E0B7D77FF78C18D9F8891221B6DE3

====== End Of Search ======
 
Hello, and welcome to TechSpot.


rulesx.png
Please see here for the board rules and other FAQ.

Please feel free to introduce yourself, after you follow the steps below to get started.

Information
  • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
  • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
  • If you have already asked for help somewhere, please post the link to the topic you were helped.
  • We try our best to reply quickly, but for any reason we do not reply in two days, please reply to this topic with the word BUMP!
  • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

FRST64 Fixlist

Please run the following:

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
C:\Windows\Installer\{b0d01356-c8bc-ebf0-84bf-6423a1f60e01}
C:\Users\Storm\AppData\Local\{b0d01356-c8bc-ebf0-84bf-6423a1f60e01}
Replace: C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe C:\Windows\System32\services.exe
end
Click to expand...

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now, please enter System Recovery Options then select Command Prompt.

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Now restart, let it boot normally and tell me how it went.
 
Here are the results from the Fixlog.txt file.

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 15-08-2012
Ran by SYSTEM at 2012-08-18 09:29:24 Run:1
Running from F:\

==============================================

C:\Windows\Installer\{b0d01356-c8bc-ebf0-84bf-6423a1f60e01} moved successfully.
C:\Users\Storm\AppData\Local\{b0d01356-c8bc-ebf0-84bf-6423a1f60e01} moved successfully.
C:\Windows\System32\services.exe moved successfully.
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe copied successfully to C:\Windows\System32\services.exe

==== End of Fixlog ====

As of right now the laptop has been up for about 5 minutes without the return of the "reboot in 60 seconds" message.
 
ComboFix

Please download ComboFix
combofix.gif
by sUBs
From BleepingComputer.com

Please save the file to your Desktop, but rename it first to svchost.exe

Important information about ComboFix

Before the download:
  • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
  • It is important to rename ComboFix before the download.
  • Please do not rename ComboFix to other names, but only the one indicated.
After the download:
  • Close any open browsers.
  • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
  • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
Running ComboFix:
  • Double click on svchost.exe & follow the prompts.
  • It will attempt to install the Recovery Console:
  • When ComboFix finishes, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" in your next reply.
Troubleshooting ComboFix

Safe Mode:

If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

(To boot into Safe Mode, tap F8 after BIOS, and just before the Windows
logo appears. A list of options will appear, select "Safe Mode.")

Re-downloading:

If this doesn't work either, try the same method (above method), but try to download it again, except name
ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.
 
Here are the results of the ComboFix Log

ComboFix 12-08-18.03 - Storm 08/19/2012 10:19:25.2.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4060.1523 [GMT -7:00]
Running from: c:\users\Storm\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\SysWow64\drivers\str.sys
.
.
((((((((((((((((((((((((( Files Created from 2012-07-19 to 2012-08-19 )))))))))))))))))))))))))))))))
.
.
2012-08-19 17:32 . 2012-08-19 17:32 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-08-19 17:32 . 2012-08-19 17:32 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-08-19 17:32 . 2012-08-19 17:32 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-18 05:18 . 2012-08-18 05:18 -------- d-----w- C:\FRST
2012-08-18 01:54 . 2012-08-18 01:54 384512 ----a-w- c:\windows\system32\services.exe.037662617EFA1186
2012-08-16 20:41 . 2012-08-16 20:41 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-08-16 05:28 . 2012-07-04 14:33 2769408 ----a-w- c:\windows\system32\win32k.sys
2012-08-15 23:15 . 2012-06-29 16:20 648192 ----a-w- c:\windows\system32\netapi32.dll
2012-08-15 23:11 . 2012-08-15 23:36 -------- d-----w- c:\users\Storm\AppData\Roaming\The Mirror Lied
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-17 17:13 . 2012-04-18 18:18 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-08-17 17:13 . 2011-05-13 03:28 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-08-16 05:24 . 2006-11-02 12:35 62134624 ----a-w- c:\windows\system32\mrt.exe
2012-06-08 17:59 . 2012-07-10 23:05 12899840 ----a-w- c:\windows\system32\shell32.dll
2012-06-08 05:04 . 2012-06-08 05:04 466456 ----a-w- c:\windows\system32\wrap_oal.dll
2012-06-08 05:04 . 2012-06-08 05:04 444952 ----a-w- c:\windows\SysWow64\wrap_oal.dll
2012-06-08 05:04 . 2012-06-08 05:04 122904 ----a-w- c:\windows\system32\OpenAL32.dll
2012-06-08 05:04 . 2012-06-08 05:04 109080 ----a-w- c:\windows\SysWow64\OpenAL32.dll
2012-06-05 16:47 . 2012-07-10 23:05 1401856 ----a-w- c:\windows\SysWow64\msxml6.dll
2012-06-05 16:47 . 2012-07-10 23:05 1248768 ----a-w- c:\windows\SysWow64\msxml3.dll
2012-06-05 16:22 . 2012-07-10 23:05 1797120 ----a-w- c:\windows\system32\msxml6.dll
2012-06-05 16:22 . 2012-07-10 23:05 1869824 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 15:29 . 2012-07-10 23:05 516480 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-06-02 22:19 . 2012-06-21 20:05 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-21 20:05 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-21 20:05 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-21 20:05 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-21 20:05 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 22:19 . 2012-06-21 20:05 171904 ----a-w- c:\windows\SysWow64\wuwebv.dll
2012-06-02 22:19 . 2012-06-21 20:05 35864 ----a-w- c:\windows\SysWow64\wups.dll
2012-06-02 22:19 . 2012-06-21 20:05 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-21 20:05 577048 ----a-w- c:\windows\SysWow64\wuapi.dll
2012-06-02 22:15 . 2012-06-21 20:05 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-21 20:05 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 22:15 . 2012-06-21 20:05 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 22:12 . 2012-06-21 20:05 33792 ----a-w- c:\windows\SysWow64\wuapp.exe
2012-06-02 22:12 . 2012-06-21 20:05 88576 ----a-w- c:\windows\SysWow64\wudriver.dll
2012-06-02 00:22 . 2012-07-10 23:05 347136 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 00:22 . 2012-07-10 23:05 254464 ----a-w- c:\windows\system32\ncrypt.dll
2012-06-02 00:05 . 2012-07-10 23:05 77312 ----a-w- c:\windows\SysWow64\secur32.dll
2012-06-02 00:04 . 2012-07-10 23:05 278528 ----a-w- c:\windows\SysWow64\schannel.dll
2012-06-02 00:03 . 2012-07-10 23:05 204288 ----a-w- c:\windows\SysWow64\ncrypt.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-07-13_02.47.43 )))))))))))))))))))))))))))))))))))))))))
.
- 2012-06-13 08:17 . 2012-05-15 06:33 67072 c:\windows\SysWOW64\mshtmled.dll
+ 2012-08-15 23:16 . 2012-06-28 11:32 67072 c:\windows\SysWOW64\mshtmled.dll
+ 2012-08-15 23:16 . 2012-06-28 08:18 13312 c:\windows\SysWOW64\msfeedssync.exe
- 2012-06-13 08:17 . 2012-05-15 03:24 13312 c:\windows\SysWOW64\msfeedssync.exe
- 2012-06-13 08:17 . 2012-05-15 06:33 55296 c:\windows\SysWOW64\msfeedsbs.dll
+ 2012-08-15 23:16 . 2012-06-28 11:32 55296 c:\windows\SysWOW64\msfeedsbs.dll
- 2012-06-13 08:17 . 2012-05-15 06:37 64512 c:\windows\SysWOW64\migration\WininetPlugin.dll
+ 2012-08-15 23:16 . 2012-06-28 11:37 64512 c:\windows\SysWOW64\migration\WininetPlugin.dll
+ 2012-08-15 23:16 . 2012-06-28 11:32 43520 c:\windows\SysWOW64\licmgr10.dll
- 2012-06-13 08:17 . 2012-05-15 06:32 43520 c:\windows\SysWOW64\licmgr10.dll
+ 2012-08-15 23:16 . 2012-06-28 11:31 25600 c:\windows\SysWOW64\jsproxy.dll
- 2012-06-13 08:17 . 2012-05-15 06:32 25600 c:\windows\SysWOW64\jsproxy.dll
+ 2012-08-15 23:16 . 2012-06-28 11:31 71680 c:\windows\SysWOW64\iesetup.dll
- 2012-06-13 08:17 . 2012-05-15 06:31 71680 c:\windows\SysWOW64\iesetup.dll
+ 2012-08-15 23:16 . 2012-06-28 11:31 55808 c:\windows\SysWOW64\iernonce.dll
- 2012-06-13 08:17 . 2012-05-15 06:31 55808 c:\windows\SysWOW64\iernonce.dll
+ 2008-01-21 03:20 . 2012-08-17 17:15 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-01-21 03:20 . 2012-06-23 22:59 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-01-21 03:20 . 2012-08-17 17:15 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-21 03:20 . 2012-06-23 22:59 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-21 03:20 . 2012-08-17 17:15 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-01-21 03:20 . 2012-06-23 22:59 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-01-21 02:23 . 2012-08-19 17:35 94126 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 15:45 . 2012-08-19 17:35 95038 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-10-15 00:09 . 2012-08-19 17:35 32084 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-19539739-2347143033-1963601051-1000_UserData.bin
- 2012-06-13 08:17 . 2012-05-15 02:15 98304 c:\windows\system32\mshtmled.dll
+ 2012-08-15 23:16 . 2012-06-28 06:49 98304 c:\windows\system32\mshtmled.dll
+ 2012-08-15 23:16 . 2012-06-28 05:10 12288 c:\windows\system32\msfeedssync.exe
- 2012-06-13 08:17 . 2012-05-15 00:39 12288 c:\windows\system32\msfeedssync.exe
- 2012-06-13 08:17 . 2012-05-15 02:15 71680 c:\windows\system32\msfeedsbs.dll
+ 2012-08-15 23:16 . 2012-06-28 06:49 71680 c:\windows\system32\msfeedsbs.dll
+ 2012-08-15 23:16 . 2012-06-28 06:53 93184 c:\windows\system32\migration\WininetPlugin.dll
- 2012-06-13 08:17 . 2012-05-15 02:19 93184 c:\windows\system32\migration\WininetPlugin.dll
- 2012-06-13 08:17 . 2012-05-15 02:15 56832 c:\windows\system32\licmgr10.dll
+ 2012-08-15 23:16 . 2012-06-28 06:48 56832 c:\windows\system32\licmgr10.dll
+ 2012-08-15 23:16 . 2012-06-28 06:48 31744 c:\windows\system32\jsproxy.dll
- 2012-06-13 08:17 . 2012-05-15 02:15 31744 c:\windows\system32\jsproxy.dll
- 2012-06-13 08:17 . 2012-05-15 02:14 77312 c:\windows\system32\iesetup.dll
+ 2012-08-15 23:16 . 2012-06-28 06:47 77312 c:\windows\system32\iesetup.dll
+ 2012-08-15 23:16 . 2012-06-28 06:47 72192 c:\windows\system32\iernonce.dll
- 2012-06-13 08:17 . 2012-05-15 02:14 72192 c:\windows\system32\iernonce.dll
+ 2012-08-15 23:16 . 2012-06-28 05:11 70656 c:\windows\system32\ie4uinit.exe
- 2012-06-13 08:17 . 2012-05-15 00:40 70656 c:\windows\system32\ie4uinit.exe
+ 2012-08-16 21:00 . 2012-08-17 17:20 32768 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\index.dat
- 2012-07-13 00:28 . 2012-07-13 01:01 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat
+ 2012-07-13 00:28 . 2012-08-17 17:20 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat
+ 2009-10-14 22:35 . 2012-08-17 17:12 85888 c:\windows\system32\config\systemprofile\AppData\Local\GDIPFONTCACHEV1.DAT
+ 2012-08-16 20:41 . 2012-08-17 17:20 16384 c:\windows\system32\%APPDATA%\Microsoft\Windows\IETldCache\index.dat
- 2009-11-30 04:58 . 2012-07-07 21:24 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-11-30 04:58 . 2012-08-08 22:23 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-11-30 04:58 . 2012-08-08 22:23 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-11-30 04:58 . 2012-07-07 21:24 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2012-07-15 02:01 . 2012-07-15 02:01 22016 c:\windows\Installer\13de220.msi
+ 2009-10-18 20:51 . 2012-08-17 17:44 3540 c:\windows\system32\WDI\ERCQueuedResolutions.dat
+ 2012-08-19 17:33 . 2012-08-19 17:33 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-07-13 02:47 . 2012-07-13 02:47 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-07-13 02:47 . 2012-07-13 02:47 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-08-19 17:33 . 2012-08-19 17:33 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-06-13 08:17 . 2012-05-15 06:37 916992 c:\windows\SysWOW64\wininet.dll
+ 2012-08-15 23:16 . 2012-06-28 11:37 916992 c:\windows\SysWOW64\wininet.dll
- 2011-04-15 14:38 . 2011-02-17 06:23 420864 c:\windows\SysWOW64\vbscript.dll
+ 2012-08-15 23:16 . 2012-06-16 11:19 420864 c:\windows\SysWOW64\vbscript.dll
+ 2012-08-15 23:16 . 2012-06-28 11:37 105984 c:\windows\SysWOW64\url.dll
- 2012-06-13 08:17 . 2012-05-15 06:37 105984 c:\windows\SysWOW64\url.dll
+ 2012-08-15 23:16 . 2012-06-28 11:35 206848 c:\windows\SysWOW64\occache.dll
- 2012-06-13 08:17 . 2012-05-15 06:35 206848 c:\windows\SysWOW64\occache.dll
+ 2012-08-15 23:15 . 2012-06-29 16:01 467968 c:\windows\SysWOW64\netapi32.dll
+ 2012-08-15 23:16 . 2012-06-28 11:33 611840 c:\windows\SysWOW64\mstime.dll
- 2012-06-13 08:17 . 2012-05-15 06:33 611840 c:\windows\SysWOW64\mstime.dll
- 2012-06-13 08:17 . 2012-05-15 06:33 629760 c:\windows\SysWOW64\msfeeds.dll
+ 2012-08-15 23:16 . 2012-06-28 11:32 629760 c:\windows\SysWOW64\msfeeds.dll
+ 2012-08-17 17:13 . 2012-08-17 17:13 686792 c:\windows\SysWOW64\Macromed\Flash\FlashUtil32_11_3_300_271_Plugin.exe
- 2012-04-18 18:18 . 2012-07-12 06:37 250056 c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
+ 2012-04-18 18:18 . 2012-08-17 17:13 250056 c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
- 2009-10-15 01:10 . 2009-04-23 12:14 623616 c:\windows\SysWOW64\localspl.dll
+ 2012-08-15 23:16 . 2012-05-11 15:57 623616 c:\windows\SysWOW64\localspl.dll
+ 2012-08-15 23:16 . 2012-06-16 11:14 727040 c:\windows\SysWOW64\jscript.dll
+ 2012-08-15 23:16 . 2012-06-28 08:19 133632 c:\windows\SysWOW64\ieUnatt.exe
- 2012-06-13 08:17 . 2012-05-15 03:26 133632 c:\windows\SysWOW64\ieUnatt.exe
- 2012-06-13 08:17 . 2012-05-15 06:31 164352 c:\windows\SysWOW64\ieui.dll
+ 2012-08-15 23:16 . 2012-06-28 11:31 164352 c:\windows\SysWOW64\ieui.dll
+ 2012-08-15 23:16 . 2012-06-28 11:31 109056 c:\windows\SysWOW64\iesysprep.dll
- 2012-06-13 08:17 . 2012-05-15 06:31 109056 c:\windows\SysWOW64\iesysprep.dll
+ 2012-08-15 23:16 . 2012-06-28 11:31 184320 c:\windows\SysWOW64\iepeers.dll
- 2012-06-13 08:17 . 2012-05-15 06:31 184320 c:\windows\SysWOW64\iepeers.dll
+ 2012-08-15 23:16 . 2012-06-28 11:31 387584 c:\windows\SysWOW64\iedkcs32.dll
- 2012-06-13 08:17 . 2012-05-15 06:31 387584 c:\windows\SysWOW64\iedkcs32.dll
- 2012-06-13 08:17 . 2012-05-15 03:25 174080 c:\windows\SysWOW64\ie4uinit.exe
+ 2012-08-15 23:16 . 2012-06-28 08:19 174080 c:\windows\SysWOW64\ie4uinit.exe
+ 2009-11-02 16:32 . 2012-08-17 06:52 298874 c:\windows\system32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2012-08-15 23:16 . 2012-06-16 07:02 610816 c:\windows\system32\vbscript.dll
- 2012-06-13 08:17 . 2012-05-15 02:19 108032 c:\windows\system32\url.dll
+ 2012-08-15 23:16 . 2012-06-28 06:53 108032 c:\windows\system32\url.dll
- 2009-10-20 07:25 . 2009-04-11 07:10 384512 c:\windows\system32\services.exe
+ 2009-10-20 07:25 . 2008-01-21 02:49 384512 c:\windows\system32\services.exe
+ 2006-11-02 12:46 . 2012-08-19 17:10 645028 c:\windows\system32\perfh009.dat
+ 2006-11-02 12:46 . 2012-08-19 17:10 121050 c:\windows\system32\perfc009.dat
+ 2012-08-15 23:16 . 2012-06-28 06:51 243712 c:\windows\system32\occache.dll
- 2012-06-13 08:17 . 2012-05-15 02:18 243712 c:\windows\system32\occache.dll
- 2012-06-13 08:17 . 2012-05-15 02:15 742912 c:\windows\system32\msfeeds.dll
+ 2012-08-15 23:16 . 2012-06-28 06:49 742912 c:\windows\system32\msfeeds.dll
- 2009-10-15 01:46 . 2012-01-31 12:44 279656 c:\windows\system32\MpSigStub.exe
+ 2009-10-15 01:46 . 2012-01-31 12:59 279656 c:\windows\system32\MpSigStub.exe
+ 2012-08-17 17:13 . 2012-08-17 17:13 417992 c:\windows\system32\Macromed\Flash\FlashUtil64_11_3_300_271_Plugin.exe
+ 2012-08-15 23:16 . 2012-05-11 16:34 788480 c:\windows\system32\localspl.dll
+ 2012-08-15 23:16 . 2012-06-16 06:58 818176 c:\windows\system32\jscript.dll
+ 2012-08-15 23:16 . 2012-06-28 05:11 162816 c:\windows\system32\ieUnatt.exe
- 2012-06-13 08:17 . 2012-05-15 00:40 162816 c:\windows\system32\ieUnatt.exe
- 2012-06-13 08:17 . 2012-05-15 02:14 219136 c:\windows\system32\ieui.dll
+ 2012-08-15 23:16 . 2012-06-28 06:47 219136 c:\windows\system32\ieui.dll
- 2012-06-13 08:17 . 2012-05-15 02:14 132096 c:\windows\system32\iesysprep.dll
+ 2012-08-15 23:16 . 2012-06-28 06:47 132096 c:\windows\system32\iesysprep.dll
- 2012-06-13 08:17 . 2012-05-15 02:14 252416 c:\windows\system32\iepeers.dll
+ 2012-08-15 23:16 . 2012-06-28 06:47 252416 c:\windows\system32\iepeers.dll
+ 2012-08-15 23:16 . 2012-06-28 06:47 459776 c:\windows\system32\iedkcs32.dll
- 2012-06-13 08:17 . 2012-05-15 02:14 459776 c:\windows\system32\iedkcs32.dll
+ 2006-11-02 15:21 . 2012-08-17 17:11 328848 c:\windows\system32\FNTCACHE.DAT
+ 2009-10-14 22:32 . 2012-08-19 17:12 229376 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-10-14 22:32 . 2012-08-19 17:12 409600 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-11-19 09:29 . 2012-08-19 17:32 307800 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2012-08-12 01:40 . 2012-08-12 01:40 371272 c:\windows\Installer\{EE7257A2-39A2-4D2F-9DAC-F9F25B8AE1D8}\SkypeIcon.exe
- 2012-06-08 04:44 . 2012-06-08 04:44 371272 c:\windows\Installer\{EE7257A2-39A2-4D2F-9DAC-F9F25B8AE1D8}\SkypeIcon.exe
- 2012-05-01 03:13 . 2012-05-01 03:13 109563 c:\windows\Installer\{9D046B26-7978-47CD-91E6-AC3C1DFBC3D0}\SCEP.exe
+ 2012-05-01 03:13 . 2012-08-17 17:21 109563 c:\windows\Installer\{9D046B26-7978-47CD-91E6-AC3C1DFBC3D0}\SCEP.exe
+ 2012-05-01 03:13 . 2012-08-17 17:21 109563 c:\windows\Installer\{9D046B26-7978-47CD-91E6-AC3C1DFBC3D0}\INTUNE.exe
- 2012-05-01 03:13 . 2012-05-01 03:13 109563 c:\windows\Installer\{9D046B26-7978-47CD-91E6-AC3C1DFBC3D0}\INTUNE.exe
+ 2012-05-01 03:13 . 2012-08-17 17:21 109563 c:\windows\Installer\{9D046B26-7978-47CD-91E6-AC3C1DFBC3D0}\FEP.exe
- 2012-05-01 03:13 . 2012-05-01 03:13 109563 c:\windows\Installer\{9D046B26-7978-47CD-91E6-AC3C1DFBC3D0}\FEP.exe
+ 2012-05-01 03:13 . 2012-08-17 17:21 109563 c:\windows\Installer\{9D046B26-7978-47CD-91E6-AC3C1DFBC3D0}\EPP.exe
- 2012-05-01 03:13 . 2012-05-01 03:13 109563 c:\windows\Installer\{9D046B26-7978-47CD-91E6-AC3C1DFBC3D0}\EPP.exe
- 2012-06-13 08:17 . 2012-05-15 06:37 1212416 c:\windows\SysWOW64\urlmon.dll
+ 2012-08-15 23:16 . 2012-06-28 11:37 1212416 c:\windows\SysWOW64\urlmon.dll
+ 2012-08-15 23:16 . 2012-06-28 11:32 6008320 c:\windows\SysWOW64\mshtml.dll
+ 2012-08-17 17:13 . 2012-08-17 17:13 9465032 c:\windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_271.dll
+ 2012-08-17 17:13 . 2012-08-17 17:13 1536712 c:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe
- 2012-06-13 08:17 . 2012-05-15 06:31 2000384 c:\windows\SysWOW64\iertutil.dll
+ 2012-08-15 23:16 . 2012-06-28 11:31 2000384 c:\windows\SysWOW64\iertutil.dll
- 2012-06-13 08:17 . 2012-05-15 02:19 1147392 c:\windows\system32\wininet.dll
+ 2012-08-15 23:16 . 2012-06-28 06:53 1147392 c:\windows\system32\wininet.dll
+ 2012-08-15 23:16 . 2012-06-28 06:53 1488384 c:\windows\system32\urlmon.dll
- 2012-06-13 08:17 . 2012-05-15 02:19 1488384 c:\windows\system32\urlmon.dll
+ 2012-08-15 23:16 . 2012-06-28 06:49 1062912 c:\windows\system32\mstime.dll
- 2012-06-13 08:17 . 2012-05-15 02:16 1062912 c:\windows\system32\mstime.dll
+ 2012-08-15 23:16 . 2012-06-28 06:49 9328640 c:\windows\system32\mshtml.dll
- 2012-06-13 08:17 . 2012-05-15 02:15 9328640 c:\windows\system32\mshtml.dll
- 2012-06-13 08:17 . 2012-05-15 02:14 2350592 c:\windows\system32\iertutil.dll
+ 2012-08-15 23:16 . 2012-06-28 06:47 2350592 c:\windows\system32\iertutil.dll
+ 2009-10-14 22:32 . 2012-08-19 17:12 2572288 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-02-17 04:45 . 2012-08-19 17:32 1445176 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2012-07-24 05:03 . 2012-07-24 05:03 1259008 c:\windows\Installer\1ef7a.msi
+ 2012-08-12 01:40 . 2012-08-12 01:40 1648640 c:\windows\Installer\14b19.msi
- 2012-06-13 08:17 . 2012-05-15 06:31 11111424 c:\windows\SysWOW64\ieframe.dll
+ 2012-08-15 23:16 . 2012-06-28 11:31 11111424 c:\windows\SysWOW64\ieframe.dll
- 2006-11-02 12:33 . 2012-07-10 23:56 11010048 c:\windows\system32\SMI\Store\Machine\schema.dat
+ 2006-11-02 12:33 . 2012-08-16 17:15 11010048 c:\windows\system32\SMI\Store\Machine\schema.dat
+ 2012-08-17 17:13 . 2012-08-17 17:13 12315336 c:\windows\system32\Macromed\Flash\NPSWF64_11_3_300_271.dll
- 2012-06-13 08:17 . 2012-05-15 02:14 12508672 c:\windows\system32\ieframe.dll
+ 2012-08-15 23:16 . 2012-06-28 06:47 12508672 c:\windows\system32\ieframe.dll
+ 2011-08-27 16:44 . 2012-08-19 17:32 29307360 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-19539739-2347143033-1963601051-1000-12288.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2012-07-13 17418928]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"ITSecMng"="c:\program files (x86)\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-29 75136]
"NDSTray.exe"="NDSTray.exe" [BU]
"HWSetup"="c:\program files\TOSHIBA\Utilities\HWSetup.exe" [2007-04-17 422400]
"SVPWUTIL"="c:\program files (x86)\TOSHIBA\Utilities\SVPWUTIL.exe" [2007-09-19 438272]
"KeNotify"="c:\program files (x86)\TOSHIBA\Utilities\KeNotify.exe" [2006-11-07 34352]
"PCMAgent"="c:\program files (x86)\CyberLink\PowerCinema for TOSHIBA\PCMAgent.exe" [2007-12-14 143360]
"CLMLServer"="c:\program files (x86)\CyberLink\PowerCinema for TOSHIBA\Kernel\CLML\CLMLSvc.exe" [2008-07-11 188416]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2008-04-29 417792]
"Malwarebytes Anti-Malware (reboot)"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-09-08 421888]
"AmazonGSDownloaderTray"="c:\program files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [2009-10-23 326144]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-01-17 421736]
"VirtualCloneDrive"="c:\program files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2011-03-07 89456]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"LogMeIn Hamachi Ui"="c:\program files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" [2012-06-27 1996200]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Themes
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-12-29 01:51]
.
2012-08-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-12-29 01:51]
.
2012-08-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-19539739-2347143033-1963601051-1000Core.job
- c:\users\Storm\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-09 09:33]
.
2012-08-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-19539739-2347143033-1963601051-1000UA.job
- c:\users\Storm\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-09 09:33]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-12-15 237056]
"TPwrMain"="c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE" [BU]
"HSON"="c:\program files (x86)\TOSHIBA\TBS\HSON.exe" [BU]
"SmoothView"="c:\program files (x86)\Toshiba\SmoothView\SmoothView.exe" [BU]
"00TCrdMain"="c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe" [BU]
"RtHDVCpl"="RAVCpl64.exe" [2008-05-29 6297088]
"Skytel"="Skytel.exe" [2007-11-21 1826816]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\Storm\AppData\Roaming\Mozilla\Firefox\Profiles\x8y70e69.default\
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\X6va009]
"ImagePath"="\??\c:\windows\SysWOW64\Drivers\X6va009"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-19539739-2347143033-1963601051-1000\Software\SecuROM\License information*]
"datasecu"=hex:4f,58,76,5f,50,c2,c3,af,5e,56,22,fe,66,93,7f,c5,91,da,8a,70,6c,
76,b0,87,ae,3a,85,ab,7e,42,41,e5,a6,aa,48,7f,ae,bf,8e,94,3c,61,a4,02,d1,7d,\
"rkeysecu"=hex:3e,80,9e,c4,40,b4,90,83,87,8e,33,49,64,ac,f8,d9
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
c:\program files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe
c:\program files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe
c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe
c:\program files (x86)\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\program files (x86)\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe
c:\program files (x86)\Toshiba\ConfigFree\NDSTray.exe
c:\program files (x86)\Toshiba\ConfigFree\CFSwMgr.exe
c:\program files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
.
**************************************************************************
.
Completion time: 2012-08-19 10:41:10 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-19 17:41
ComboFix2.txt 2012-07-13 02:53
.
Pre-Run: 93,852,745,728 bytes free
Post-Run: 93,933,015,040 bytes free
.
- - End Of File - - 5FD0C2E6A4878DDED6A0F49ADD0718CF
 
ESET Online Scan

Please run a free online scan with the ESET Online Scanner
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install, or it will ask to download an installer. Please do so an install it.
  • Click Start or wait for the scanner to load.
  • Make sure that the options Remove found threats and the option Scan unwanted applications are checked.
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, there are a couple of things to keep in mind:
  • 1. If NO threats were found, allow the scanner to Uninstall on close and then close the Window.
  • 2. If threats WERE detected, click on List of Threats Found, Export to Text File...save it as ESET-Scan-Log.txt. Click the back button/link, put a checkmark to Uninstall Application on Close and then close the window.
  • Open the logfile from wherever you saved it
  • Copy and paste the contents in your next reply.
 
Results of the ESET-Scan-Log.txt file.

C:\FRST\Quarantine\services.exe Win64/Patched.B trojan deleted - quarantined
C:\FRST\Quarantine\{b0d01356-c8bc-ebf0-84bf-6423a1f60e01}\n Win64/Sirefef.W trojan cleaned by deleting - quarantined
C:\FRST\Quarantine\{b0d01356-c8bc-ebf0-84bf-6423a1f60e01}\U\80000000.@ Win64/Sirefef.AL trojan cleaned by deleting - quarantined
C:\FRST\Quarantine\{b0d01356-c8bc-ebf0-84bf-6423a1f60e01}\U\800000cb.@ Win64/Sirefef.AH trojan cleaned by deleting - quarantined
C:\Users\Storm\Downloads\Ouran High School Host Club Soundtrack amp Character Song 2.zip.exe Win32/InstallMate.A application cleaned by deleting - quarantined
 
Any more issues?

We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

Many of the things to note for us would be:

  • Slow computer
  • Error messages
  • Fake antivirus alerts or the icon in the system tray
  • svchost.exe running at 100%
  • System crashes or blue screen of death
 
As of right now I am not seeing any symptoms, but I have also not been using the system as we work through the fixes. I will start using the system and report any issues seen. Otherwise I will report a clean bill of health.

Initially there were possibly some fake anti-virus alerts (although they were detecting sirefef), but MSE was removed and reinstalled and things appear to be operating normally again.
 
Okay. Almost done. Let's cleanup the tools and System Restore, so you don't get infected again.

Clean up System Restore

Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

To manually create a new Restore Point
  • Go to Control Panel and select System and Maintenance
  • Select System
  • On the left select Advance System Settings and accept the warning if you get one
  • Select System Protection Tab
  • Select Create at the bottom
  • Type in a name I.e. Clean
  • Select Create
Now we can purge the infected ones
  • Go back to the System and Maintenance page
  • Select Performance Information and Tools
  • On the left select Open Disk Cleanup
  • Select Files from all users and accept the warning if you get one
  • In the drop down box select your main drive I.e. C
  • For a few moments the system will make some calculations:
    diskcleanup1.png
  • Select the More Options tab
    moreoptions.png
  • In the System Restore and Shadow Backups select Clean up
    moreoptions2.png
  • Select Delete on the pop up
  • Select OK
  • Select Delete

Run OTC to remove our tools

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer:
  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Purge old temporary files

Download CCleaner Slim and save it to your Desktop - Alternate download link

When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
Follow the prompts to install the program.

* Double-click the CCleaner shortcut on the desktop to start the program.
* Click on the Options block on the left, then choose Cookies.
* Under Cookies to Delete, highlight any cookies you would like to retain permanently
* Click the right arrow > to move them to the Cookies to Keep window.
* Go into Options > Advanced & uncheck Only delete files in Windows Temp folders older than 48 hours
* Click Cleaner on the left then Run Cleaner on the right to run the program.
* Important: Make sure that ALL browser windows are closed before selecting Run Cleaner

Caution: Only use the Registry feature if you are very familiar with the registry.
Always back up your registry before making any changes. Exit CCleaner after it has completed it's process.

Security Check

Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Tell me in your next reply, if you have completed these tasks:
  • Cleaned System Restore
  • Ran OTC
  • Ran CCleaner
  • Ran Security Check
Also, let me know how your computer is running, and don't forget to post the contents of the Security Check log.
 
The day after my last post the backlight went out on the laptop. It is currently off at the vendor for repair. Once we get it back I will follow up on this post.
 
You must log in or register to reply here.

Similar threads

wshknwntlprtmn
  • Locked
Inactive Not sure what's going on here....
Replies
12
Views
2K
Broni
Broni
E
Solved Svchost.exe launching multiple iexplore.exe - unknown cause
Replies
23
Views
3K
Broni
Broni
Nicki
Solved Must have picked up something... some COVID computer variant???
Replies
9
Views
3K
Broni
Broni

Latest posts

Back