
Services.exe pinning CPU once IE or Chrome is opened

Discussion in 'Virus & Other Malware Removal' started by Mblock, Nov 29, 2012.

  1. Mblock

    Mblock Thread Starter

    Joined:
    Nov 29, 2012
    Messages:
    11
    Hi everyone,

    This is my first post, and I have been doing a lot of searching to try to solve this issue myself, but so far no luck. I am pretty good with computers but not an uber tech guy, so hopefully I follow the rules and get this right.

    Issue:
    So I noticed recently that my Dell i5 2.4 Quad Core's fan was running really loud and fast even when just surfing the web. It didn't dawn on me that it probably meant the CPU was working hard when it shouldn't be. So I checked resource manager, and my Intel Turbo Boost was pinging a constant 108-110% with me doing literally nothing on the machine. When it first boots up it's running very quiet and cool and the processors are "parked". Service mgr doesn't detect anything running crazy. Within 2 minutes of opening IE or Chrome, services.exe goes nuts and pins my CPUs at max. I am thinking the box is infected with something, because every now and again when I am in Yahoo and search something, some redirect happens to a site I totally didn't request. Then I close it and it usually just goes away. But the processors continue to chug and get very hot, 70 C or higher. All 4 cores are working too, not just two.

    Anyway, I ran HijackThis and the log is pasted below. I think this is a 64-bit system, so I can't run that other program. I also ran SUPERAntiSpyware (or whatever it's called) and it found like 300 tracking cookies, which I removed, but no bad processes. Something has to be infecting this once it recognizes a browser. I haven't tried to do anything in safe mode, but I honestly just don't know what to do at this point. Any help would be so greatly appreciated! Thanks so much in advance.

    Matt

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 8:18:34 AM, on 11/29/2012
    Platform: Windows 7 SP1 (WinNT 6.00.3505)
    MSIE: Internet Explorer v9.00 (9.00.8112.16450)
    Boot mode: Normal
    Running processes:
    C:\Program Files (x86)\STMicroelectronics\Accelerometer\FF_Protection.exe
    C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe
    C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe
    C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
    C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
    C:\Program Files (x86)\Internet Explorer\IELowutil.exe
    C:\Users\Matt\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Matt\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Matt\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Matt\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Program Files (x86)\ArgusMonitor\ArgusMonitor.exe
    C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe
    C:\Windows\SysWOW64\notepad.exe
    C:\Windows\SysWOW64\DllHost.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USCON/1
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: vshare.tv Bar Toolbar - {7aeb3efd-e564-43f1-b658-5058a7c5743b} - C:\Program Files (x86)\vshare.tv_Bar\prxtbvsha.dll
    F2 - REG:system.ini: UserInit=userinit.exe,
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\prxConduitEngin.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
    O2 - BHO: vshare.tv Bar - {7aeb3efd-e564-43f1-b658-5058a7c5743b} - C:\Program Files (x86)\vshare.tv_Bar\prxtbvsha.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20111112232525.dll
    O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O2 - BHO: Bing Bar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll" (file missing)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
    O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O3 - Toolbar: Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll" (file missing)
    O3 - Toolbar: vshare.tv Bar Toolbar - {7aeb3efd-e564-43f1-b658-5058a7c5743b} - C:\Program Files (x86)\vshare.tv_Bar\prxtbvsha.dll
    O3 - Toolbar: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\prxConduitEngin.dll
    O4 - HKLM\..\Run: [StartCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKLM\..\Run: [Dell DataSafe Online] "C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe" /m
    O4 - HKLM\..\Run: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\RunOnce: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - .DEFAULT User Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User 'Default user')
    O4 - Startup: Dell Dock.lnk = C:\Program Files\Dell\DellDock\DellDock.exe
    O9 - Extra button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Add to Wish List - {76c5fb99-dd0a-4186-9e75-65d1bf3da283} - C:\Program Files (x86)\Amazon\Add to Wish List IE Extension\run.htm
    O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
    O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - c:\Program Files (x86)\Cozi Express\CoziProtocolHandler.dll
    O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
    O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
    O18 - Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~2\mcafee\msc\mcsniepl.dll
    O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
    O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
    O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_0057cbec48a2d7cf\AESTSr64.exe
    O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
    O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Dock Login Service (DockLoginService) - Stardock Corporation - C:\Program Files\Dell\DellDock\DockLogin.exe
    O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
    O23 - Service: FlipShare Service - Unknown owner - C:\Program Files (x86)\Flip Video\FlipShare\FlipShareService.exe
    O23 - Service: FlipShare Server (FlipShareServer) - Unknown owner - C:\Program Files (x86)\Flip Video\FlipShareServer\FlipShareServer.exe
    O23 - Service: GamesAppService - WildTangent, Inc. - C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe
    O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files (x86)\Citrix\GoToAssist\514\g2aservice.exe
    O23 - Service: FF Install Filter Service (InstallFilterService) - Unknown owner - C:\Program Files (x86)\STMicroelectronics\Accelerometer\InstallFilterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: Intel(R) Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    O23 - Service: McAfee Personal Firewall Service (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\mcafee\VirusScan\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
    O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
    O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
    O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
    O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: Cyberlink RichVideo64 Service(CRVS) (RichVideo64) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo64.exe
    O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: SoftThinks Agent Service (SftService) - SoftThinks SAS - C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
    O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files (x86)\Skype\Updater\Updater.exe
    O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
    O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
    O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_0057cbec48a2d7cf\STacSV64.exe
    O23 - Service: TurboBoost - Intel(R) Corporation - C:\Program Files\Intel\TurboBoost\TurboBoost.exe
    O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
    O23 - Service: Intel(R) Management & Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
    O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
    O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
    O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
    O23 - Service: DW WLAN Tray Service (wltrysvc) - Dell Inc. - C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE
    O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
    O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
     
  2. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,361
    First Name:
    Kevin
    Hiya Matt,

    Run the following and post the logs...

    1. Download Malwarebytes Anti-Rootkit from this link http://www.malwarebytes.org/products/mbar/
    2. Unzip the File to a convenient location. (Recommend the Desktop)
    3. Open the folder where the contents were unzipped to run mbar.exe

    4. Double-click on the mbar.exe file; you may receive a User Account Control prompt asking if you are sure you wish to allow the program to run. Please allow the program to run, and MBAR will now start to install any necessary drivers that are required for the program to operate correctly. If a rootkit is interfering with the installation of the drivers, you will see a message that states that the DDA driver was not installed and that you should reboot your computer to install it. You will see this image:

    5. If you receive this message, please click on the Yes button and Malwarebytes Anti-Rootkit will now restart your computer. Once the computer is rebooted and you log in, MBAR will automatically start and you will now be at the start screen. (If there is no rootkit warning, you will go from step 4 to step 6.)

    6. The following image opens, select Next.

    7. The following image opens, select Update.

    8. When the Update completes, select Next.

    9. In the following window, ensure "Targets" are ticked. Then select "Scan".

    10. If an infection is found, the "Cleanup" button to remove threats will be available. The infected files will be listed like the following example:

    11. Do not select the "Clean up" button; select the "Exit" button. There will be a warning as follows:

    12. Select "Yes" to close down the program. If NO infections were found you will see the following image:

    13. Select "Exit" to close down.
    14. Copy and paste the two following logs from the mbar folder:

    System - log
    Mbar - log (the date and time of the scan will also be shown)

    Post those two logs in your reply.

    Kevin
     
  3. Mblock

    Mblock Thread Starter

    Joined:
    Nov 29, 2012
    Messages:
    11
    Thanks for the super fast response. I will do all of this shortly and post the logs you asked for.
     
  4. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,361
    First Name:
    Kevin
    Ok....(y)
     
  5. Mblock

    Mblock Thread Starter

    Joined:
    Nov 29, 2012
    Messages:
    11
    Kevin,

    I did all the steps you provided above and here are the logs. As a note, I think I misinformed you in the original post that it happened when I opened a browser; that doesn't appear to be the case. The computer runs great for about 2 min after boot-up and the CPUs are cool and reserved, then after about 2 min of doing nothing at all the fan goes full blast and my Intel Turbo Boost gadget shows me the thing is overclocking like mad. And it's services.exe.

    Anyway, on to the logs. It found 10 malware infections lol (yikes!)

    Malwarebytes Anti-Rootkit 1.1.0.1009
    www.malwarebytes.org
    Database version: v2012.11.29.11
    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    Matt :: MATT-PC [administrator]
    11/29/2012 6:52:44 PM
    mbar-log-2012-11-29 (18-52-44).txt
    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
    Scan options disabled: PUP | PUM | P2P
    Objects scanned: 27756
    Time elapsed: 14 minute(s), 43 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 2
    C:\Windows\Installer\{e8d00e29-a836-1fd6-a83f-6dfad1f40a81}\L (Backdoor.0Access) -> Delete on reboot. [43684c70de7fe1558501758bc53b5fa1]
    C:\Windows\Installer\{e8d00e29-a836-1fd6-a83f-6dfad1f40a81}\U (Backdoor.0Access) -> Delete on reboot. [208b46764617b3834f38a957897712ee]
    Files Detected: 8
    C:\Windows\System32\services.exe (Unknown Rootkit Driver Infection) -> Delete on reboot. []
    C:\Windows\Installer\{e8d00e29-a836-1fd6-a83f-6dfad1f40a81}\@ (Backdoor.0Access) -> Delete on reboot. [2487fdbfef6e50e6bca05ba5817f5ba5]
    C:\Windows\Installer\{e8d00e29-a836-1fd6-a83f-6dfad1f40a81}\L\[email protected] (Backdoor.0Access) -> Delete on reboot. [6a419e1ebda016203e1cca362ed2f20e]
    C:\Windows\Installer\{e8d00e29-a836-1fd6-a83f-6dfad1f40a81}\U\[email protected] (Backdoor.0Access) -> Delete on reboot. [7c2f3d7fc39afb3bcf8ac33d70908b75]
    C:\Windows\Installer\{e8d00e29-a836-1fd6-a83f-6dfad1f40a81}\U\[email protected] (Backdoor.0Access) -> Delete on reboot. [3378ebd193ca59ddf4654cb46d933ec2]
    C:\Windows\assembly\GAC_32\Desktop.ini (Rootkit.0access) -> Delete on reboot. [8f1c8933bda0f83e8c9df8d17b852ed2]
    C:\Windows\assembly\GAC_64\Desktop.ini (Rootkit.0access) -> Delete on reboot. [55564775a1bc0c2a19106366728e2ed2]
    C:\Windows\Installer\{e8d00e29-a836-1fd6-a83f-6dfad1f40a81}\L\201d3dde (Backdoor.0Access) -> Delete on reboot. [43684c70de7fe1558501758bc53b5fa1]
    (end)


    and the second


    Malwarebytes Anti-Rootkit BETA 1.01.0.1009
    (c) Malwarebytes Corporation 2011-2012
    OS version: 6.1.7601 Windows 7 Service Pack 1 x64
    Account is Administrative
    Internet Explorer version: 9.0.8112.16421
    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED, Q:\ DRIVE_FIXED
    CPU speed: 2.394000 GHz
    Memory total: 6296199168, free: 4414578688
    ------------ Kernel report ------------
    11/29/2012 18:37:15
    ------------ Loaded modules -----------
    ----------- End -----------
    <<<1>>>
    Upper Device Name: \Device\Harddisk0\DR0
    Upper Device Object: 0xfffffa80064c8060
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-0\
    Lower Device Object: 0xfffffa800620d060
    Lower Device Driver Name: \Driver\atapi\
    Driver name found: atapi
    DriverEntry returned 0x0
    Function returned 0x0
    Downloaded database version: v2012.11.29.11
    Downloaded database version: v2012.11.28.01
    Initializing...
    Done!
    Scanning directory: C:\Windows\system32\drivers...
    <<<2>>>
    Device number: 0, partition: 3
    Physical Sector Size: 512
    Drive: 0, DevicePointer: 0xfffffa80064c8060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xfffffa80064c8b90, DeviceName: Unknown, DriverName: \Driver\partmgr\
    DevicePointer: 0xfffffa80064c8060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    DevicePointer: 0xfffffa8006383ce0, DeviceName: Unknown, DriverName: \Driver\stdflt\
    DevicePointer: 0xfffffa800620d060, DeviceName: \Device\Ide\IdeDeviceP0T0L0-0\, DriverName: \Driver\atapi\
    ------------ End ----------
    Upper DeviceData: 0xfffff8a00b27a800, 0xfffffa80064c8060, 0xfffffa8005e14790
    Lower DeviceData: 0xfffff8a00a80fca0, 0xfffffa800620d060, 0xfffffa8005429cf0
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Done!
    Drive 0
    Scanning MBR on drive 0...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: 14ADBB11
    Partition information:
    Partition 0 type is Other (0xde)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 63 Numsec = 80262
    Partition 1 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 80325 Numsec = 36864000
    Partition file system is NTFS
    Partition is bootable
    Partition 2 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 36944325 Numsec = 939826795
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0
    Disk Size: 500107862016 bytes
    Sector size: 512 bytes
    Scanning physical sectors of unpartitioned space on drive 0 (1-62-976753168-976773168)...
    Done!
    Performing system, memory and registry scan...
    Read File: File "C:\ProgramData\{D19C2D22-6043-47E7-B400-83A351841204}\delldock.dat" is compressed (flags = 1)
    Read File: File "C:\ProgramData\{D19C2D22-6043-47E7-B400-83A351841204}\instance.dat" is compressed (flags = 1)
    Backup file found for a file C:\Windows\System32\services.exe
    Infected: C:\Windows\Installer\{e8d00e29-a836-1fd6-a83f-6dfad1f40a81}\@ --> [Backdoor.0Access]
    Infected: C:\Windows\Installer\{e8d00e29-a836-1fd6-a83f-6dfad1f40a81}\L\[email protected] --> [Backdoor.0Access]
    Infected: C:\Windows\Installer\{e8d00e29-a836-1fd6-a83f-6dfad1f40a81}\U\[email protected] --> [Backdoor.0Access]
    Infected: C:\Windows\Installer\{e8d00e29-a836-1fd6-a83f-6dfad1f40a81}\U\[email protected] --> [Backdoor.0Access]
    Infected: C:\Windows\assembly\GAC_32\Desktop.ini --> [Rootkit.0access]
    Infected: C:\Windows\assembly\GAC_64\Desktop.ini --> [Rootkit.0access]
    Infected: C:\Windows\Installer\{e8d00e29-a836-1fd6-a83f-6dfad1f40a81}\L --> [Backdoor.0Access]
    Infected: C:\Windows\Installer\{e8d00e29-a836-1fd6-a83f-6dfad1f40a81}\L\201d3dde --> [Backdoor.0Access]
    Infected: C:\Windows\Installer\{e8d00e29-a836-1fd6-a83f-6dfad1f40a81}\U --> [Backdoor.0Access]
    Done!
    Scan finished
     
  6. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,361
    First Name:
    Kevin
    Yep, I fully expected this; it's a ZeroAccess Rootkit infection. You should be aware that this will probably have harvested any and all passwords etc.
    If you have used this system for anything with financial implications, such as banking or credit cards etc., it would be prudent to make those companies aware. All passwords will need to be replaced once we know this system is clean...

    OK, the next step is to run MBAR again; this time we go for the infection....

    1. Open the mbar folder and run mbar.exe as before....

    [​IMG]

    2. Double-click on the mbar.exe file, you may receive a User Account Control prompt asking if you are sure you wish to allow the program to run. Please allow the program to run and MBAR will now start to install any necessary drivers that are required for the program to operate correctly. If a rootkit is interfering with the installation of the drivers you will see a message that states that the DDA driver was not installed and that you should reboot your computer to install it. You will see this image:

    [​IMG]

    3. If you receive this message, please click on the Yes button and Malwarebytes Anti-Rootkit will now restart your computer. Once the computer is rebooted and you log in, MBAR will automatically start and you will now be at the start screen. (If there is no Rootkit warning, you will go from step 4 to 6.)

    4. The following image opens, select Next.

    [​IMG]

    5. The following image opens, select Update

    [​IMG]

    6. When the update completes select Next.

    [​IMG]

    7. In the following window ensure "Targets" are ticked. Then select "Scan".

    [​IMG]

    8. If an infection is found, ensure "Create Restore Point" is checked, then select the "Cleanup" button to remove threats. Or if you are sure any entries should not be kept, just untick them.

    [​IMG]

    9. The clean-up procedure will be scheduled for processing.

    [​IMG]

    10. When scheduling is complete, the following image will appear.

    [​IMG]

    11. Select the Yes tab; the system should reboot to complete the cleaning process.

    12. Let me know how your system now responds. Copy and paste the two following logs from the mbar folder:

    System - log
    Mbar - log (the date and time of the scan will also be shown; copy/paste the most recent by date/time)

    [​IMG]

    Thanks,

    Kevin
     
  7. Mblock

    Mblock Thread Starter

    Joined:
    Nov 29, 2012
    Messages:
    11
    OK, that is now all done. Here are the logs. The system so far is performing much better. CPU at about 57%, running on 2 cores; the other 2 show "parked", which I think is a Win7 thing. Argus Monitor is showing about 49 degrees C now (for some reason it is only showing 2 cores working, but that might be some other issue), but they are not being maxed out at all.

    Malwarebytes Anti-Rootkit 1.1.0.1009
    www.malwarebytes.org
    Database version: v2012.11.29.11
    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    Matt :: MATT-PC [administrator]
    11/29/2012 7:33:33 PM
    mbar-log-2012-11-29 (19-33-33).txt
    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
    Scan options disabled: PUP | PUM | P2P
    Objects scanned: 27752
    Time elapsed: 13 minute(s), 41 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 2
    C:\Windows\Installer\{e8d00e29-a836-1fd6-a83f-6dfad1f40a81}\L (Backdoor.0Access) -> Delete on reboot. [f4b72498d984d85e6125ef11db25f10f]
    C:\Windows\Installer\{e8d00e29-a836-1fd6-a83f-6dfad1f40a81}\U (Backdoor.0Access) -> Delete on reboot. [0d9efac2293413230d7acc34fc04c43c]
    Files Detected: 8
    C:\Windows\System32\services.exe (Unknown Rootkit Driver Infection) -> Delete on reboot. []
    C:\Windows\Installer\{e8d00e29-a836-1fd6-a83f-6dfad1f40a81}\@ (Backdoor.0Access) -> Delete on reboot. [64478b31b1ac9f978bd12dd3d32d649c]
    C:\Windows\Installer\{e8d00e29-a836-1fd6-a83f-6dfad1f40a81}\L\[email protected] (Backdoor.0Access) -> Delete on reboot. [f5b6a4186eef79bdd48622deb34ddc24]
    C:\Windows\Installer\{e8d00e29-a836-1fd6-a83f-6dfad1f40a81}\U\[email protected] (Backdoor.0Access) -> Delete on reboot. [d5d6229ad08ddc5acb8e9e620ff16799]
    C:\Windows\Installer\{e8d00e29-a836-1fd6-a83f-6dfad1f40a81}\U\[email protected] (Backdoor.0Access) -> Delete on reboot. [8625a9133825b581d5845ba516ea39c7]
    C:\Windows\assembly\GAC_32\Desktop.ini (Rootkit.0access) -> Delete on reboot. [0ba0deded4895ed861c86f5a50b016ea]
    C:\Windows\assembly\GAC_64\Desktop.ini (Rootkit.0access) -> Delete on reboot. [d1da2d8f8cd1c0768d9cd2f7d927cb35]
    C:\Windows\Installer\{e8d00e29-a836-1fd6-a83f-6dfad1f40a81}\L\201d3dde (Backdoor.0Access) -> Delete on reboot. [f4b72498d984d85e6125ef11db25f10f]
    (end)


    Malwarebytes Anti-Rootkit BETA 1.01.0.1009
    (c) Malwarebytes Corporation 2011-2012
    OS version: 6.1.7601 Windows 7 Service Pack 1 x64
    Account is Administrative
    Internet Explorer version: 9.0.8112.16421
    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED, Q:\ DRIVE_FIXED
    CPU speed: 2.394000 GHz
    Memory total: 6296199168, free: 4414578688
    ------------ Kernel report ------------
    11/29/2012 18:37:15
    ------------ Loaded modules -----------
    \SystemRoot\system32\ntoskrnl.exe
    \SystemRoot\system32\hal.dll
    \SystemRoot\system32\kdcom.dll
    \SystemRoot\system32\mcupdate_GenuineIntel.dll
    \SystemRoot\system32\PSHED.dll
    \SystemRoot\system32\CLFS.SYS
    \SystemRoot\system32\CI.dll
    \SystemRoot\system32\drivers\Wdf01000.sys
    \SystemRoot\system32\drivers\WDFLDR.SYS
    \SystemRoot\system32\drivers\ACPI.sys
    \SystemRoot\system32\drivers\WMILIB.SYS
    \SystemRoot\system32\drivers\msisadrv.sys
    \SystemRoot\system32\drivers\pci.sys
    \SystemRoot\system32\drivers\vdrvroot.sys
    \SystemRoot\System32\drivers\partmgr.sys
    \SystemRoot\system32\DRIVERS\compbatt.sys
    \SystemRoot\system32\DRIVERS\BATTC.SYS
    \SystemRoot\system32\drivers\volmgr.sys
    \SystemRoot\System32\drivers\volmgrx.sys
    \SystemRoot\System32\drivers\mountmgr.sys
    \SystemRoot\system32\drivers\atapi.sys
    \SystemRoot\system32\drivers\ataport.SYS
    \SystemRoot\system32\drivers\msahci.sys
    \SystemRoot\system32\drivers\PCIIDEX.SYS
    \SystemRoot\system32\drivers\amdxata.sys
    \SystemRoot\system32\drivers\fltmgr.sys
    \SystemRoot\system32\drivers\fileinfo.sys
    \SystemRoot\system32\drivers\mfehidk.sys
    \SystemRoot\System32\Drivers\PxHlpa64.sys
    \SystemRoot\System32\Drivers\Ntfs.sys
    \SystemRoot\System32\Drivers\msrpc.sys
    \SystemRoot\System32\Drivers\ksecdd.sys
    \SystemRoot\System32\Drivers\cng.sys
    \SystemRoot\System32\drivers\pcw.sys
    \SystemRoot\System32\Drivers\Fs_Rec.sys
    \SystemRoot\system32\drivers\ndis.sys
    \SystemRoot\system32\drivers\NETIO.SYS
    \SystemRoot\System32\Drivers\ksecpkg.sys
    \SystemRoot\System32\drivers\tcpip.sys
    \SystemRoot\System32\drivers\fwpkclnt.sys
    \SystemRoot\system32\drivers\mfewfpk.sys
    \SystemRoot\system32\drivers\volsnap.sys
    \SystemRoot\system32\DRIVERS\stdflt.sys
    \SystemRoot\System32\Drivers\spldr.sys
    \SystemRoot\System32\drivers\rdyboost.sys
    \SystemRoot\System32\Drivers\mup.sys
    \SystemRoot\System32\drivers\hwpolicy.sys
    \SystemRoot\System32\DRIVERS\fvevol.sys
    \SystemRoot\system32\DRIVERS\disk.sys
    \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
    \SystemRoot\system32\drivers\cdrom.sys
    \SystemRoot\System32\Drivers\Null.SYS
    \SystemRoot\System32\Drivers\Beep.SYS
    \SystemRoot\System32\drivers\vga.sys
    \SystemRoot\System32\drivers\VIDEOPRT.SYS
    \SystemRoot\System32\drivers\watchdog.sys
    \SystemRoot\System32\DRIVERS\RDPCDD.sys
    \SystemRoot\system32\drivers\rdpencdd.sys
    \SystemRoot\system32\drivers\rdprefmp.sys
    \SystemRoot\System32\Drivers\Msfs.SYS
    \SystemRoot\System32\Drivers\Npfs.SYS
    \SystemRoot\system32\DRIVERS\tdx.sys
    \SystemRoot\system32\DRIVERS\TDI.SYS
    \SystemRoot\System32\DRIVERS\netbt.sys
    \SystemRoot\system32\drivers\afd.sys
    \SystemRoot\system32\DRIVERS\wfplwf.sys
    \SystemRoot\system32\DRIVERS\pacer.sys
    \SystemRoot\system32\DRIVERS\vwififlt.sys
    \SystemRoot\system32\DRIVERS\mfenlfk.sys
    \SystemRoot\system32\DRIVERS\netbios.sys
    \SystemRoot\system32\DRIVERS\wanarp.sys
    \SystemRoot\system32\drivers\termdd.sys
    \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS
    \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS
    \SystemRoot\system32\DRIVERS\rdbss.sys
    \SystemRoot\system32\drivers\nsiproxy.sys
    \SystemRoot\system32\drivers\mssmbios.sys
    \SystemRoot\System32\drivers\discache.sys
    \SystemRoot\System32\Drivers\dfsc.sys
    \SystemRoot\system32\DRIVERS\blbdrive.sys
    \SystemRoot\system32\DRIVERS\tunnel.sys
    \SystemRoot\system32\DRIVERS\atikmdag.sys
    \SystemRoot\System32\drivers\dxgkrnl.sys
    \SystemRoot\System32\drivers\dxgmms1.sys
    \SystemRoot\system32\drivers\HDAudBus.sys
    \SystemRoot\system32\DRIVERS\HECIx64.sys
    \SystemRoot\system32\drivers\usbehci.sys
    \SystemRoot\system32\drivers\USBPORT.SYS
    \SystemRoot\system32\DRIVERS\bcmwl664.sys
    \SystemRoot\system32\DRIVERS\vwifibus.sys
    \SystemRoot\system32\DRIVERS\risdpe64.sys
    \SystemRoot\system32\DRIVERS\rimspe64.sys
    \SystemRoot\system32\DRIVERS\rixdpe64.sys
    \SystemRoot\system32\drivers\1394ohci.sys
    \SystemRoot\system32\DRIVERS\Rt64win7.sys
    \SystemRoot\system32\drivers\i8042prt.sys
    \SystemRoot\system32\drivers\kbdclass.sys
    \SystemRoot\system32\DRIVERS\SynTP.sys
    \SystemRoot\system32\DRIVERS\USBD.SYS
    \SystemRoot\system32\DRIVERS\mouclass.sys
    \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
    \SystemRoot\system32\DRIVERS\Impcd.sys
    \SystemRoot\system32\DRIVERS\Acceler.sys
    \SystemRoot\system32\DRIVERS\intelppm.sys
    \SystemRoot\system32\drivers\wmiacpi.sys
    \SystemRoot\system32\DRIVERS\CmBatt.sys
    \SystemRoot\system32\drivers\CompositeBus.sys
    \SystemRoot\system32\DRIVERS\CtClsFlt.sys
    \SystemRoot\system32\DRIVERS\ks.sys
    \SystemRoot\system32\drivers\ksthunk.sys
    \SystemRoot\system32\DRIVERS\AgileVpn.sys
    \SystemRoot\system32\DRIVERS\rasl2tp.sys
    \SystemRoot\system32\DRIVERS\ndistapi.sys
    \SystemRoot\system32\DRIVERS\ndiswan.sys
    \SystemRoot\system32\DRIVERS\raspppoe.sys
    \SystemRoot\system32\DRIVERS\raspptp.sys
    \SystemRoot\system32\DRIVERS\rassstp.sys
    \SystemRoot\system32\drivers\swenum.sys
    \SystemRoot\system32\drivers\umbus.sys
    \SystemRoot\system32\DRIVERS\usbhub.sys
    \SystemRoot\System32\Drivers\NDProxy.SYS
    \SystemRoot\system32\drivers\AtiHdmi.sys
    \SystemRoot\system32\drivers\portcls.sys
    \SystemRoot\system32\drivers\drmk.sys
    \SystemRoot\system32\DRIVERS\stwrt64.sys
    \SystemRoot\system32\drivers\mfeavfk.sys
    \SystemRoot\system32\drivers\mfefirek.sys
    \SystemRoot\System32\win32k.sys
    \SystemRoot\System32\drivers\Dxapi.sys
    \SystemRoot\System32\Drivers\crashdmp.sys
    \SystemRoot\System32\Drivers\dump_dumpata.sys
    \SystemRoot\System32\Drivers\dump_msahci.sys
    \SystemRoot\System32\Drivers\dump_dumpfve.sys
    \SystemRoot\system32\DRIVERS\usbccgp.sys
    \SystemRoot\System32\Drivers\usbvideo.sys
    \SystemRoot\system32\DRIVERS\dc3d.sys
    \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    \SystemRoot\system32\DRIVERS\hidusb.sys
    \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    \SystemRoot\system32\drivers\kbdhid.sys
    \SystemRoot\system32\DRIVERS\mouhid.sys
    \SystemRoot\system32\DRIVERS\point64.sys
    \SystemRoot\system32\DRIVERS\monitor.sys
    \SystemRoot\System32\TSDDD.dll
    \SystemRoot\System32\cdd.dll
    \SystemRoot\System32\ATMFD.DLL
    \SystemRoot\system32\drivers\luafv.sys
    \SystemRoot\system32\DRIVERS\Sftvollh.sys
    \SystemRoot\system32\drivers\WudfPf.sys
    \SystemRoot\system32\DRIVERS\lltdio.sys
    \SystemRoot\system32\DRIVERS\nwifi.sys
    \SystemRoot\system32\DRIVERS\ndisuio.sys
    \SystemRoot\system32\DRIVERS\rspndr.sys
    \SystemRoot\system32\DRIVERS\TurboB.sys
    \SystemRoot\system32\drivers\HTTP.sys
    \SystemRoot\System32\DRIVERS\srvnet.sys
    \SystemRoot\system32\DRIVERS\bowser.sys
    \SystemRoot\system32\DRIVERS\mrxsmb.sys
    \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    \SystemRoot\System32\DRIVERS\srv2.sys
    \SystemRoot\System32\DRIVERS\srv.sys
    \SystemRoot\system32\drivers\peauth.sys
    \SystemRoot\System32\Drivers\secdrv.SYS
    \SystemRoot\system32\DRIVERS\Sftfslh.sys
    \SystemRoot\system32\DRIVERS\Sftplaylh.sys
    \SystemRoot\System32\drivers\tcpipreg.sys
    \SystemRoot\system32\drivers\tdtcp.sys
    \SystemRoot\System32\DRIVERS\tssecsrv.sys
    \SystemRoot\System32\Drivers\RDPWD.SYS
    \SystemRoot\system32\drivers\mfeapfk.sys
    \SystemRoot\system32\DRIVERS\Sftredirlh.sys
    \SystemRoot\system32\drivers\BCM42RLY.sys
    \SystemRoot\system32\DRIVERS\serscan.sys
    \SystemRoot\System32\Drivers\fastfat.SYS
    \??\C:\Windows\system32\drivers\mbamchameleon.sys
    \??\C:\Windows\system32\drivers\mbamswissarmy.sys
    \Windows\System32\ntdll.dll
    \Windows\System32\smss.exe
    \Windows\System32\apisetschema.dll
    \Windows\System32\autochk.exe
    \Windows\System32\urlmon.dll
    \Windows\System32\nsi.dll
    \Windows\System32\shell32.dll
    \Windows\System32\user32.dll
    \Windows\System32\usp10.dll
    \Windows\System32\normaliz.dll
    \Windows\System32\setupapi.dll
    \Windows\System32\difxapi.dll
    \Windows\System32\comdlg32.dll
    \Windows\System32\ole32.dll
    \Windows\System32\sechost.dll
    \Windows\System32\kernel32.dll
    \Windows\System32\clbcatq.dll
    \Windows\System32\ws2_32.dll
    \Windows\System32\psapi.dll
    \Windows\System32\msvcrt.dll
    \Windows\System32\wininet.dll
    \Windows\System32\lpk.dll
    \Windows\System32\advapi32.dll
    \Windows\System32\imagehlp.dll
    \Windows\System32\iertutil.dll
    \Windows\System32\imm32.dll
    \Windows\System32\msctf.dll
    \Windows\System32\gdi32.dll
    \Windows\System32\rpcrt4.dll
    \Windows\System32\Wldap32.dll
    \Windows\System32\oleaut32.dll
    \Windows\System32\shlwapi.dll
    \Windows\System32\devobj.dll
    \Windows\System32\cfgmgr32.dll
    \Windows\System32\wintrust.dll
    \Windows\System32\comctl32.dll
    \Windows\System32\KernelBase.dll
    \Windows\System32\crypt32.dll
    \Windows\System32\msasn1.dll
    ----------- End -----------
    <<<1>>>
    Upper Device Name: \Device\Harddisk0\DR0
    Upper Device Object: 0xfffffa80064c8060
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-0\
    Lower Device Object: 0xfffffa800620d060
    Lower Device Driver Name: \Driver\atapi\
    Driver name found: atapi
    DriverEntry returned 0x0
    Function returned 0x0
    Downloaded database version: v2012.11.29.11
    Downloaded database version: v2012.11.28.01
    Initializing...
    Done!
    Scanning directory: C:\Windows\system32\drivers...
    <<<2>>>
    Device number: 0, partition: 3
    Physical Sector Size: 512
    Drive: 0, DevicePointer: 0xfffffa80064c8060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xfffffa80064c8b90, DeviceName: Unknown, DriverName: \Driver\partmgr\
    DevicePointer: 0xfffffa80064c8060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    DevicePointer: 0xfffffa8006383ce0, DeviceName: Unknown, DriverName: \Driver\stdflt\
    DevicePointer: 0xfffffa800620d060, DeviceName: \Device\Ide\IdeDeviceP0T0L0-0\, DriverName: \Driver\atapi\
    ------------ End ----------
    Upper DeviceData: 0xfffff8a00b27a800, 0xfffffa80064c8060, 0xfffffa8005e14790
    Lower DeviceData: 0xfffff8a00a80fca0, 0xfffffa800620d060, 0xfffffa8005429cf0
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Done!
    Drive 0
    Scanning MBR on drive 0...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: 14ADBB11
    Partition information:
    Partition 0 type is Other (0xde)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 63 Numsec = 80262
    Partition 1 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 80325 Numsec = 36864000
    Partition file system is NTFS
    Partition is bootable
    Partition 2 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 36944325 Numsec = 939826795
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0
    Disk Size: 500107862016 bytes
    Sector size: 512 bytes
    Scanning physical sectors of unpartitioned space on drive 0 (1-62-976753168-976773168)...
    Done!
    Performing system, memory and registry scan...
    Read File: File "C:\ProgramData\{D19C2D22-6043-47E7-B400-83A351841204}\delldock.dat" is compressed (flags = 1)
    Read File: File "C:\ProgramData\{D19C2D22-6043-47E7-B400-83A351841204}\instance.dat" is compressed (flags = 1)
    Backup file found for a file C:\Windows\System32\services.exe
    Infected: C:\Windows\Installer\{e8d00e29-a836-1fd6-a83f-6dfad1f40a81}\@ --> [Backdoor.0Access]
    Infected: C:\Windows\Installer\{e8d00e29-a836-1fd6-a83f-6dfad1f40a81}\L\[email protected] --> [Backdoor.0Access]
    Infected: C:\Windows\Installer\{e8d00e29-a836-1fd6-a83f-6dfad1f40a81}\U\[email protected] --> [Backdoor.0Access]
    Infected: C:\Windows\Installer\{e8d00e29-a836-1fd6-a83f-6dfad1f40a81}\U\[email protected] --> [Backdoor.0Access]
    Infected: C:\Windows\assembly\GAC_32\Desktop.ini --> [Rootkit.0access]
    Infected: C:\Windows\assembly\GAC_64\Desktop.ini --> [Rootkit.0access]
    Infected: C:\Windows\Installer\{e8d00e29-a836-1fd6-a83f-6dfad1f40a81}\L --> [Backdoor.0Access]
    Infected: C:\Windows\Installer\{e8d00e29-a836-1fd6-a83f-6dfad1f40a81}\L\201d3dde --> [Backdoor.0Access]
    Infected: C:\Windows\Installer\{e8d00e29-a836-1fd6-a83f-6dfad1f40a81}\U --> [Backdoor.0Access]
    Done!
    Scan finished
    =======================================

    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.01.0.1009
    (c) Malwarebytes Corporation 2011-2012
    OS version: 6.1.7601 Windows 7 Service Pack 1 x64
    Account is Administrative
    Internet Explorer version: 9.0.8112.16421
    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED, Q:\ DRIVE_FIXED
    CPU speed: 2.394000 GHz
    Memory total: 6296199168, free: 4260904960
    ------------ Kernel report ------------
    11/29/2012 19:19:17
    ------------ Loaded modules -----------
    \SystemRoot\system32\ntoskrnl.exe
    \SystemRoot\system32\hal.dll
    \SystemRoot\system32\kdcom.dll
    \SystemRoot\system32\mcupdate_GenuineIntel.dll
    \SystemRoot\system32\PSHED.dll
    \SystemRoot\system32\CLFS.SYS
    \SystemRoot\system32\CI.dll
    \SystemRoot\system32\drivers\Wdf01000.sys
    \SystemRoot\system32\drivers\WDFLDR.SYS
    \SystemRoot\system32\drivers\ACPI.sys
    \SystemRoot\system32\drivers\WMILIB.SYS
    \SystemRoot\system32\drivers\msisadrv.sys
    \SystemRoot\system32\drivers\pci.sys
    \SystemRoot\system32\drivers\vdrvroot.sys
    \SystemRoot\System32\drivers\partmgr.sys
    \SystemRoot\system32\DRIVERS\compbatt.sys
    \SystemRoot\system32\DRIVERS\BATTC.SYS
    \SystemRoot\system32\drivers\volmgr.sys
    \SystemRoot\System32\drivers\volmgrx.sys
    \SystemRoot\System32\drivers\mountmgr.sys
    \SystemRoot\system32\drivers\atapi.sys
    \SystemRoot\system32\drivers\ataport.SYS
    \SystemRoot\system32\drivers\msahci.sys
    \SystemRoot\system32\drivers\PCIIDEX.SYS
    \SystemRoot\system32\drivers\amdxata.sys
    \SystemRoot\system32\drivers\fltmgr.sys
    \SystemRoot\system32\drivers\fileinfo.sys
    \SystemRoot\system32\drivers\mfehidk.sys
    \SystemRoot\System32\Drivers\PxHlpa64.sys
    \SystemRoot\System32\Drivers\Ntfs.sys
    \SystemRoot\System32\Drivers\msrpc.sys
    \SystemRoot\System32\Drivers\ksecdd.sys
    \SystemRoot\System32\Drivers\cng.sys
    \SystemRoot\System32\drivers\pcw.sys
    \SystemRoot\System32\Drivers\Fs_Rec.sys
    \SystemRoot\system32\drivers\ndis.sys
    \SystemRoot\system32\drivers\NETIO.SYS
    \SystemRoot\System32\Drivers\ksecpkg.sys
    \SystemRoot\System32\drivers\tcpip.sys
    \SystemRoot\System32\drivers\fwpkclnt.sys
    \SystemRoot\system32\drivers\mfewfpk.sys
    \SystemRoot\system32\drivers\volsnap.sys
    \SystemRoot\system32\DRIVERS\stdflt.sys
    \SystemRoot\System32\Drivers\spldr.sys
    \SystemRoot\System32\drivers\rdyboost.sys
    \SystemRoot\System32\Drivers\mup.sys
    \SystemRoot\System32\drivers\hwpolicy.sys
    \SystemRoot\System32\DRIVERS\fvevol.sys
    \SystemRoot\system32\DRIVERS\disk.sys
    \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
    \SystemRoot\system32\drivers\cdrom.sys
    \SystemRoot\System32\Drivers\Null.SYS
    \SystemRoot\System32\Drivers\Beep.SYS
    \SystemRoot\System32\drivers\vga.sys
    \SystemRoot\System32\drivers\VIDEOPRT.SYS
    \SystemRoot\System32\drivers\watchdog.sys
    \SystemRoot\System32\DRIVERS\RDPCDD.sys
    \SystemRoot\system32\drivers\rdpencdd.sys
    \SystemRoot\system32\drivers\rdprefmp.sys
    \SystemRoot\System32\Drivers\Msfs.SYS
    \SystemRoot\System32\Drivers\Npfs.SYS
    \SystemRoot\system32\DRIVERS\tdx.sys
    \SystemRoot\system32\DRIVERS\TDI.SYS
    \SystemRoot\System32\DRIVERS\netbt.sys
    \SystemRoot\system32\drivers\afd.sys
    \SystemRoot\system32\DRIVERS\wfplwf.sys
    \SystemRoot\system32\DRIVERS\pacer.sys
    \SystemRoot\system32\DRIVERS\vwififlt.sys
    \SystemRoot\system32\DRIVERS\mfenlfk.sys
    \SystemRoot\system32\DRIVERS\netbios.sys
    \SystemRoot\system32\DRIVERS\wanarp.sys
    \SystemRoot\system32\drivers\termdd.sys
    \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS
    \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS
    \SystemRoot\system32\DRIVERS\rdbss.sys
    \SystemRoot\system32\drivers\nsiproxy.sys
    \SystemRoot\system32\drivers\mssmbios.sys
    \SystemRoot\System32\drivers\discache.sys
    \SystemRoot\System32\Drivers\dfsc.sys
    \SystemRoot\system32\DRIVERS\blbdrive.sys
    \SystemRoot\system32\DRIVERS\tunnel.sys
    \SystemRoot\system32\DRIVERS\atikmdag.sys
    \SystemRoot\System32\drivers\dxgkrnl.sys
    \SystemRoot\System32\drivers\dxgmms1.sys
    \SystemRoot\system32\drivers\HDAudBus.sys
    \SystemRoot\system32\DRIVERS\HECIx64.sys
    \SystemRoot\system32\drivers\usbehci.sys
    \SystemRoot\system32\drivers\USBPORT.SYS
    \SystemRoot\system32\DRIVERS\bcmwl664.sys
    \SystemRoot\system32\DRIVERS\vwifibus.sys
    \SystemRoot\system32\DRIVERS\risdpe64.sys
    \SystemRoot\system32\DRIVERS\rimspe64.sys
    \SystemRoot\system32\DRIVERS\rixdpe64.sys
    \SystemRoot\system32\drivers\1394ohci.sys
    \SystemRoot\system32\DRIVERS\Rt64win7.sys
    \SystemRoot\system32\drivers\i8042prt.sys
    \SystemRoot\system32\drivers\kbdclass.sys
    \SystemRoot\system32\DRIVERS\SynTP.sys
    \SystemRoot\system32\DRIVERS\USBD.SYS
    \SystemRoot\system32\DRIVERS\mouclass.sys
    \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
    \SystemRoot\system32\DRIVERS\Impcd.sys
    \SystemRoot\system32\DRIVERS\Acceler.sys
    \SystemRoot\system32\DRIVERS\intelppm.sys
    \SystemRoot\system32\drivers\wmiacpi.sys
    \SystemRoot\system32\DRIVERS\CmBatt.sys
    \SystemRoot\system32\drivers\CompositeBus.sys
    \SystemRoot\system32\DRIVERS\CtClsFlt.sys
    \SystemRoot\system32\DRIVERS\ks.sys
    \SystemRoot\system32\drivers\ksthunk.sys
    \SystemRoot\system32\DRIVERS\AgileVpn.sys
    \SystemRoot\system32\DRIVERS\rasl2tp.sys
    \SystemRoot\system32\DRIVERS\ndistapi.sys
    \SystemRoot\system32\DRIVERS\ndiswan.sys
    \SystemRoot\system32\DRIVERS\raspppoe.sys
    \SystemRoot\system32\DRIVERS\raspptp.sys
    \SystemRoot\system32\DRIVERS\rassstp.sys
    \SystemRoot\system32\drivers\swenum.sys
    \SystemRoot\system32\drivers\umbus.sys
    \SystemRoot\system32\DRIVERS\usbhub.sys
    \SystemRoot\System32\Drivers\NDProxy.SYS
    \SystemRoot\system32\drivers\AtiHdmi.sys
    \SystemRoot\system32\drivers\portcls.sys
    \SystemRoot\system32\drivers\drmk.sys
    \SystemRoot\system32\DRIVERS\stwrt64.sys
    \SystemRoot\system32\drivers\mfeavfk.sys
    \SystemRoot\system32\drivers\mfefirek.sys
    \SystemRoot\System32\win32k.sys
    \SystemRoot\System32\drivers\Dxapi.sys
    \SystemRoot\System32\Drivers\crashdmp.sys
    \SystemRoot\System32\Drivers\dump_dumpata.sys
    \SystemRoot\System32\Drivers\dump_msahci.sys
    \SystemRoot\System32\Drivers\dump_dumpfve.sys
    \SystemRoot\system32\DRIVERS\usbccgp.sys
    \SystemRoot\System32\Drivers\usbvideo.sys
    \SystemRoot\system32\DRIVERS\dc3d.sys
    \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    \SystemRoot\system32\DRIVERS\hidusb.sys
    \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    \SystemRoot\system32\drivers\kbdhid.sys
    \SystemRoot\system32\DRIVERS\mouhid.sys
    \SystemRoot\system32\DRIVERS\point64.sys
    \SystemRoot\system32\DRIVERS\monitor.sys
    \SystemRoot\System32\TSDDD.dll
    \SystemRoot\System32\cdd.dll
    \SystemRoot\System32\ATMFD.DLL
    \SystemRoot\system32\drivers\luafv.sys
    \SystemRoot\system32\DRIVERS\Sftvollh.sys
    \SystemRoot\system32\drivers\WudfPf.sys
    \SystemRoot\system32\DRIVERS\lltdio.sys
    \SystemRoot\system32\DRIVERS\nwifi.sys
    \SystemRoot\system32\DRIVERS\ndisuio.sys
    \SystemRoot\system32\DRIVERS\rspndr.sys
    \SystemRoot\system32\DRIVERS\TurboB.sys
    \SystemRoot\system32\drivers\HTTP.sys
    \SystemRoot\System32\DRIVERS\srvnet.sys
    \SystemRoot\system32\DRIVERS\bowser.sys
    \SystemRoot\system32\DRIVERS\mrxsmb.sys
    \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    \SystemRoot\System32\DRIVERS\srv2.sys
    \SystemRoot\System32\DRIVERS\srv.sys
    \SystemRoot\system32\drivers\peauth.sys
    \SystemRoot\System32\Drivers\secdrv.SYS
    \SystemRoot\system32\DRIVERS\Sftfslh.sys
    \SystemRoot\system32\DRIVERS\Sftplaylh.sys
    \SystemRoot\System32\drivers\tcpipreg.sys
    \SystemRoot\system32\drivers\tdtcp.sys
    \SystemRoot\System32\DRIVERS\tssecsrv.sys
    \SystemRoot\System32\Drivers\RDPWD.SYS
    \SystemRoot\system32\drivers\mfeapfk.sys
    \SystemRoot\system32\DRIVERS\Sftredirlh.sys
    \SystemRoot\system32\drivers\BCM42RLY.sys
    \SystemRoot\system32\DRIVERS\serscan.sys
    \SystemRoot\System32\Drivers\fastfat.SYS
    \??\c:\program files\dell support center\pcdsrvc_x64.pkms
    \??\C:\Windows\system32\drivers\mbamchameleon.sys
    \??\C:\Windows\system32\drivers\mbamswissarmy.sys
    \Windows\System32\ntdll.dll
    \Windows\System32\smss.exe
    \Windows\System32\apisetschema.dll
    \Windows\System32\autochk.exe
    \Windows\System32\urlmon.dll
    \Windows\System32\nsi.dll
    \Windows\System32\shell32.dll
    \Windows\System32\user32.dll
    \Windows\System32\usp10.dll
    \Windows\System32\normaliz.dll
    \Windows\System32\setupapi.dll
    \Windows\System32\difxapi.dll
    \Windows\System32\comdlg32.dll
    \Windows\System32\ole32.dll
    \Windows\System32\sechost.dll
    \Windows\System32\kernel32.dll
    \Windows\System32\clbcatq.dll
    \Windows\System32\ws2_32.dll
    \Windows\System32\psapi.dll
    \Windows\System32\msvcrt.dll
    \Windows\System32\wininet.dll
    \Windows\System32\lpk.dll
    \Windows\System32\advapi32.dll
    \Windows\System32\imagehlp.dll
    \Windows\System32\iertutil.dll
    \Windows\System32\imm32.dll
    \Windows\System32\msctf.dll
    \Windows\System32\gdi32.dll
    \Windows\System32\rpcrt4.dll
    \Windows\System32\Wldap32.dll
    \Windows\System32\oleaut32.dll
    \Windows\System32\shlwapi.dll
    \Windows\System32\devobj.dll
    \Windows\System32\cfgmgr32.dll
    \Windows\System32\wintrust.dll
    \Windows\System32\comctl32.dll
    \Windows\System32\KernelBase.dll
    \Windows\System32\crypt32.dll
    \Windows\System32\msasn1.dll
    ----------- End -----------
    <<<1>>>
    Upper Device Name: \Device\Harddisk0\DR0
    Upper Device Object: 0xfffffa80064c8060
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-0\
    Lower Device Object: 0xfffffa800620d060
    Lower Device Driver Name: \Driver\atapi\
    Device already Exists: 0xfffffa8005429cf0
    Initializing...
    Done!
    Scanning directory: C:\Windows\system32\drivers...
    <<<2>>>
    Device number: 0, partition: 3
    Physical Sector Size: 512
    Drive: 0, DevicePointer: 0xfffffa80064c8060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xfffffa80064c8b90, DeviceName: Unknown, DriverName: \Driver\partmgr\
    DevicePointer: 0xfffffa80064c8060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    DevicePointer: 0xfffffa8006383ce0, DeviceName: Unknown, DriverName: \Driver\stdflt\
    DevicePointer: 0xfffffa800620d060, DeviceName: \Device\Ide\IdeDeviceP0T0L0-0\, DriverName: \Driver\atapi\
    ------------ End ----------
    Upper DeviceData: 0xfffff8a00fbdf7f0, 0xfffffa80064c8060, 0xfffffa8005e14790
    Lower DeviceData: 0xfffff8a0156197f0, 0xfffffa800620d060, 0xfffffa8005429cf0
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Done!
    Drive 0
    Scanning MBR on drive 0...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: 14ADBB11
    Partition information:
    Partition 0 type is Other (0xde)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 63 Numsec = 80262
    Partition 1 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 80325 Numsec = 36864000
    Partition file system is NTFS
    Partition is bootable
    Partition 2 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 36944325 Numsec = 939826795
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0
    Disk Size: 500107862016 bytes
    Sector size: 512 bytes
    Scanning physical sectors of unpartitioned space on drive 0 (1-62-976753168-976773168)...
    Done!
    Performing system, memory and registry scan...
    Read File: File "C:\ProgramData\{D19C2D22-6043-47E7-B400-83A351841204}\delldock.dat" is compressed (flags = 1)
    Read File: File "C:\ProgramData\{D19C2D22-6043-47E7-B400-83A351841204}\instance.dat" is compressed (flags = 1)
    Backup file found for a file C:\Windows\System32\services.exe
    Infected: C:\Windows\Installer\{e8d00e29-a836-1fd6-a83f-6dfad1f40a81}\@ --> [Backdoor.0Access]
    Infected: C:\Windows\Installer\{e8d00e29-a836-1fd6-a83f-6dfad1f40a81}\L\[email protected] --> [Backdoor.0Access]
    Infected: C:\Windows\Installer\{e8d00e29-a836-1fd6-a83f-6dfad1f40a81}\U\80[email protected] --> [Backdoor.0Access]
    Infected: C:\Windows\Installer\{e8d00e29-a836-1fd6-a83f-6dfad1f40a81}\U\[email protected] --> [Backdoor.0Access]
    Infected: C:\Windows\assembly\GAC_32\Desktop.ini --> [Rootkit.0access]
    Infected: C:\Windows\assembly\GAC_64\Desktop.ini --> [Rootkit.0access]
    Infected: C:\Windows\Installer\{e8d00e29-a836-1fd6-a83f-6dfad1f40a81}\L --> [Backdoor.0Access]
    Infected: C:\Windows\Installer\{e8d00e29-a836-1fd6-a83f-6dfad1f40a81}\L\201d3dde --> [Backdoor.0Access]
    Infected: C:\Windows\Installer\{e8d00e29-a836-1fd6-a83f-6dfad1f40a81}\U --> [Backdoor.0Access]
    Done!
    Scan finished
    Creating System Restore point...
    Scheduling clean up...
    <<<2>>>
    Device number: 0, partition: 3
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Removal scheduling successful. System shutdown needed.
    System shutdown occured
    =======================================

    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.01.0.1009
    (c) Malwarebytes Corporation 2011-2012
    OS version: 6.1.7601 Windows 7 Service Pack 1 x64
    Account is Administrative
    Internet Explorer version: 9.0.8112.16421
    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED, Q:\ DRIVE_FIXED
    CPU speed: 2.394000 GHz
    Memory total: 6296199168, free: 5000282112
     
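The Anti-Rootkit log above lists the on-disk indicators of the Backdoor.0Access / Rootkit.0access family (ZeroAccess): a GUID-named folder under C:\Windows\Installer holding an "@" file plus "U" and "L" sub-folders, a Desktop.ini dropped into C:\Windows\assembly\GAC_32 and GAC_64, and a backup of the patched services.exe. The following Python script is an added triage helper written for this page; it is not part of the thread and not a Malwarebytes tool. It parses "Infected:" lines out of an mbar log and looks for that same layout under a Windows folder (C:\Windows on a live host, or the Windows folder of a mounted image). The sample log lines are copied from the post above; the temp-folder fixture and the benign "package.msi" name are constructed so the script runs offline.

```python
"""Triage helper for the ZeroAccess (0Access) indicators in the MBAR log above.

Added example for this thread, not code from Malwarebytes or from the posters.
Point find_zeroaccess_layout() at C:\\Windows on a live host, or at the Windows
folder of a mounted image; build_demo_tree() is only a constructed fixture.
"""
import os
import re
import tempfile
from collections import defaultdict

# "Infected: <path> --> [<family>]" exactly as mbar prints its detections.
INFECTED_RE = re.compile(r"^\s*Infected:\s+(?P<path>.+?)\s+-->\s+\[(?P<family>[^\]]+)\]\s*$")
# Windows Installer caches MSI/MSP packages in GUID-named folders; ZeroAccess
# hid its own GUID folder among them.
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)

# Constructed sample: a few lines copied from the log posted above.
SAMPLE_LOG = r"""
Backup file found for a file C:\Windows\System32\services.exe
Infected: C:\Windows\Installer\{e8d00e29-a836-1fd6-a83f-6dfad1f40a81}\@ --> [Backdoor.0Access]
Infected: C:\Windows\Installer\{e8d00e29-a836-1fd6-a83f-6dfad1f40a81}\U --> [Backdoor.0Access]
Infected: C:\Windows\assembly\GAC_32\Desktop.ini --> [Rootkit.0access]
Infected: C:\Windows\assembly\GAC_64\Desktop.ini --> [Rootkit.0access]
Done!
"""


def parse_mbar_log(text):
    """Group the Infected: lines of an mbar log by family (case-folded).

    Returns {family: sorted list of paths}; Backup/Done lines are ignored.
    """
    hits = defaultdict(set)
    for line in text.splitlines():
        m = INFECTED_RE.match(line)
        if m:
            hits[m.group("family").lower()].add(m.group("path"))
    return {fam: sorted(paths) for fam, paths in hits.items()}


def find_zeroaccess_layout(windows_dir):
    """Look for the on-disk layout the detections above describe.

    * Installer\\{GUID}\\ holding an '@' file plus 'U' and/or 'L' folders
      (a real MSI cache folder holds packages and icons, never an '@' file).
    * Desktop.ini inside assembly\\GAC_32 or GAC_64 (the Desktop.ini directly
      in assembly\\ is the normal shell-folder marker and is not flagged).
    Returns the list of suspicious paths found.
    """
    findings = []
    installer = os.path.join(windows_dir, "Installer")
    if os.path.isdir(installer):
        for name in sorted(os.listdir(installer)):
            folder = os.path.join(installer, name)
            if not (os.path.isdir(folder) and GUID_RE.match(name)):
                continue
            present = {e for e in ("@", "U", "L") if os.path.exists(os.path.join(folder, e))}
            if "@" in present and present & {"U", "L"}:
                findings.append(folder)
    for gac in ("GAC_32", "GAC_64"):
        ini = os.path.join(windows_dir, "assembly", gac, "Desktop.ini")
        if os.path.isfile(ini):
            findings.append(ini)
    return findings


def build_demo_tree():
    """Constructed fixture: recreate the infected layout from the log in a temp
    folder, next to a benign GUID folder that must not be flagged."""
    root = tempfile.mkdtemp(prefix="fake_windows_")
    bad = os.path.join(root, "Installer", "{e8d00e29-a836-1fd6-a83f-6dfad1f40a81}")
    os.makedirs(os.path.join(bad, "U"))
    os.makedirs(os.path.join(bad, "L"))
    open(os.path.join(bad, "@"), "wb").close()
    benign = os.path.join(root, "Installer", "{45A66726-69BC-466B-A7A4-12FCBA4883D7}")
    os.makedirs(benign)
    open(os.path.join(benign, "package.msi"), "wb").close()  # hypothetical file name
    os.makedirs(os.path.join(root, "assembly", "GAC_32"))
    open(os.path.join(root, "assembly", "GAC_32", "Desktop.ini"), "wb").close()
    return root


if __name__ == "__main__":
    for family, paths in parse_mbar_log(SAMPLE_LOG).items():
        print(f"{family}: {len(paths)} object(s)")
    for hit in find_zeroaccess_layout(build_demo_tree()):
        print("suspicious:", hit)
```

The file check is a layout check, not a signature match, so a hit still needs confirming with the scanner; the "Backup file found" line about services.exe is the other half of the picture, and on Windows 7 the patched binary can be checked against the component store with `sfc /verifyfile=C:\Windows\System32\services.exe` before trusting a cleaned machine.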
  8. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,361
    First Name:
    Kevin
    OK that looks good, only problem with ZA is that it may have introduced other types of infection, because of that possibility it is wise to run Combofix. It's almost 1 am local time for me, I'll have to come back later. OK run this:

    Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from the following link :-

    Combofix

    • Ensure that Combofix is saved directly to the Desktop <--- Very important
    • Disable all security programs as they will have a negative effect on Combofix, instructions available Here if required. Be aware the list may not have all programs listed, if you need more help please ask.
    • Close any open browsers and any other programs you might have running
    • Double click the ComboFix icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator")
    • Instructions for running Combofix available Here if required.
    • If you are using Windows XP it might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
    • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review

    ****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

    Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
    Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read Here why disabling autoruns is recommended.

    *EXTRA NOTES*
    • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
    • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot; this is normal
    • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)

    Post the log in next reply please...

    Kevin
     
  9. Mblock

    Mblock Thread Starter

    Joined:
    Nov 29, 2012
    Messages:
    11
    Ok I did all that. I actually needed to delete my free McAfee that was expired from the original purchase. Once I did that I ran it, it needed to reboot and I waited for the log to show up. Once it did I assumed it was done. I tried to click on literally anything and got an error message that I could not do so because the file was slotted to be deleted, then it would ask do I want to delete it? I said no of course. It didn't seem like anything was happening with Combofix so I just did another reboot and crossed my fingers. It appeared to work and all my icons were back and I could access the internet.

    Here is the log from ComboFix

    System is still running quiet and cool now!

    ComboFix 12-11-29.02 - Matt 11/29/2012 20:33:04.1.4 - x64
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.6005.4242 [GMT -5:00]
    Running from: c:\users\Matt\Desktop\ComboFix.exe
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\programdata\LoJackNotifier.txt
    c:\programdata\PCDr\6032\AddOnDownloaded\087abda5-3ca9-433a-8a4e-6b9fc9285607.dll
    c:\programdata\PCDr\6032\AddOnDownloaded\111e1115-314f-4404-be4a-ad58e8e2423d.dll
    c:\programdata\PCDr\6032\AddOnDownloaded\1b075935-6b9c-41c2-8914-643bfe886db8.dll
    c:\programdata\PCDr\6032\AddOnDownloaded\21eb1c2f-b0d8-40e6-96dd-163437759b68.dll
    c:\programdata\PCDr\6032\AddOnDownloaded\2f733848-355c-4a6f-89a5-08a4dcc89c5c.dll
    c:\programdata\PCDr\6032\AddOnDownloaded\35445406-e7ed-4a0e-9922-45505e71594b.dll
    c:\programdata\PCDr\6032\AddOnDownloaded\358ba71b-117f-40d5-95aa-57de622719b7.dll
    c:\programdata\PCDr\6032\AddOnDownloaded\3c49c05a-0eb3-4044-a0f8-d4ea2a439295.dll
    c:\programdata\PCDr\6032\AddOnDownloaded\3d656744-60b2-4576-8124-a39729f8b522.dll
    c:\programdata\PCDr\6032\AddOnDownloaded\406007ac-5ba8-43e6-97b6-0c6ed58bb6e8.dll
    c:\programdata\PCDr\6032\AddOnDownloaded\468d25c7-baa8-4db4-a17f-ceac895a9bc8.dll
    c:\programdata\PCDr\6032\AddOnDownloaded\4704833a-6508-40cc-b98b-5ebd235e52ca.dll
    c:\programdata\PCDr\6032\AddOnDownloaded\489f121a-4538-4839-9d1d-3c48e590be59.dll
    c:\programdata\PCDr\6032\AddOnDownloaded\4cfdf1e7-d0b2-449c-bd2d-084cd975e5d8.dll
    c:\programdata\PCDr\6032\AddOnDownloaded\4f1c58d6-ca02-4906-b156-709481baca61.dll
    c:\programdata\PCDr\6032\AddOnDownloaded\4f64943e-d62a-4f2e-a3cd-98fb91e30469.dll
    c:\programdata\PCDr\6032\AddOnDownloaded\59bb1a7b-2122-4c71-82b0-30bee96f063e.dll
    c:\programdata\PCDr\6032\AddOnDownloaded\5cd81d7c-326c-42d2-8929-1ee85c69dc1d.dll
    c:\programdata\PCDr\6032\AddOnDownloaded\5f169f6e-cfce-411e-b266-aa53ac35ce83.dll
    c:\programdata\PCDr\6032\AddOnDownloaded\7119bf4b-d404-4b31-8779-44fac71761fa.dll
    c:\programdata\PCDr\6032\AddOnDownloaded\72f0dc20-5af7-4221-9657-442597ce030b.dll
    c:\programdata\PCDr\6032\AddOnDownloaded\73a14ca6-4567-413f-a60f-d04159cb72eb.dll
    c:\programdata\PCDr\6032\AddOnDownloaded\75c8751b-fcad-4846-80ce-3a2efec60612.dll
    c:\programdata\PCDr\6032\AddOnDownloaded\7779c9df-2dc0-4fd5-92bb-c64027285f8b.dll
    c:\programdata\PCDr\6032\AddOnDownloaded\8a7e779d-1e14-4f91-a1b0-82dc746441b1.dll
    c:\programdata\PCDr\6032\AddOnDownloaded\9881c561-a45a-4c53-9d45-de93a99e2898.dll
    c:\programdata\PCDr\6032\AddOnDownloaded\b510dd11-341c-4dfa-9f1e-dd5ddcc444f4.dll
    c:\programdata\PCDr\6032\AddOnDownloaded\ba58cab8-833c-4868-95e2-cff538a852a7.dll
    c:\programdata\PCDr\6032\AddOnDownloaded\cb7af81b-44d9-4f99-b223-18a71e8c85b6.dll
    c:\programdata\PCDr\6032\AddOnDownloaded\cf9bce06-e765-4c6f-afa9-0d82a3adc417.dll
    c:\programdata\PCDr\6032\AddOnDownloaded\d220b53c-6a3c-4b5d-8797-965d39e82fff.dll
    c:\programdata\PCDr\6032\AddOnDownloaded\d3ef65ec-842a-4640-b428-aca2f4a966e6.dll
    c:\programdata\PCDr\6032\AddOnDownloaded\d78fa15b-2d61-4303-adaa-edec9ebbb2b3.dll
    c:\programdata\PCDr\6032\AddOnDownloaded\dbecb802-efe1-453f-828f-29af4ab73508.dll
    c:\programdata\PCDr\6032\AddOnDownloaded\e16f2788-babe-4a60-93d0-d507a5228753.dll
    c:\programdata\PCDr\6032\AddOnDownloaded\e1ce76af-328a-41dc-b2c4-0dd9771f6aa1.dll
    c:\programdata\PCDr\6032\AddOnDownloaded\e3e252fe-80ab-4f89-82a9-b607007220bd.dll
    c:\programdata\PCDr\6032\AddOnDownloaded\eb115e4d-8592-4082-bffa-e65ae6b21e95.dll
    c:\programdata\PCDr\6032\AddOnDownloaded\ed26c1b3-d9f9-42e8-80e0-cd62e65fd901.dll
    c:\programdata\PCDr\6032\AddOnDownloaded\f28ef68b-8cc4-4c00-891d-473fb67bd0b0.dll
    c:\programdata\PCDr\6032\AddOnDownloaded\ff24953d-0c6e-4af9-a727-84ce58c99035.dll
    c:\users\Matt\videos\mp4muxer.exe
    c:\users\Matt\videos\SUPERAntiSpyware.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-10-28 to 2012-11-30 )))))))))))))))))))))))))))))))
    .
    .
    2012-11-30 01:40 . 2012-11-30 01:40 -------- d-----w- c:\users\Mcx1-MATT-PC\AppData\Local\temp
    2012-11-30 01:40 . 2012-11-30 01:40 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-11-29 13:04 . 2012-11-29 13:04 -------- d-----w- c:\users\Matt\AppData\Roaming\SUPERAntiSpyware.com
    2012-11-29 13:04 . 2012-11-29 13:04 -------- d-----w- c:\program files\SUPERAntiSpyware
    2012-11-29 13:04 . 2012-11-29 13:04 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2012-11-29 12:53 . 2012-11-29 12:53 388096 ----a-r- c:\users\Matt\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2012-11-29 12:53 . 2012-11-29 12:53 -------- d-----w- c:\program files (x86)\Trend Micro
    2012-11-29 04:53 . 2012-11-29 04:54 -------- d-----w- c:\program files (x86)\ArgusMonitor
    2012-11-25 03:53 . 2012-11-25 03:53 -------- d-----w- c:\program files (x86)\Common Files\Java
    2012-11-25 03:53 . 2012-11-25 03:52 95208 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-11-29 02:08 . 2012-04-03 23:09 697272 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2012-11-29 02:08 . 2011-07-15 03:16 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-11-25 03:52 . 2012-06-29 00:10 821736 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
    2012-11-25 03:52 . 2010-08-23 13:43 746984 ----a-w- c:\windows\SysWow64\deployJava1.dll
    2012-10-11 07:02 . 2010-08-30 13:53 65309168 ----a-w- c:\windows\system32\MRT.exe
    2012-09-29 23:54 . 2012-09-23 16:19 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-09-14 19:19 . 2012-10-10 12:14 2048 ----a-w- c:\windows\system32\tzres.dll
    2012-09-14 18:28 . 2012-10-10 12:14 2048 ----a-w- c:\windows\SysWow64\tzres.dll
    2012-09-04 12:46 . 2012-09-04 12:46 68296 ----a-w- c:\windows\SysWow64\drivers\ArgusMonitor.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{7aeb3efd-e564-43f1-b658-5058a7c5743b}"= "c:\program files (x86)\vshare.tv_Bar\prxtbvsha.dll" [2011-03-28 176936]
    .
    [HKEY_CLASSES_ROOT\clsid\{7aeb3efd-e564-43f1-b658-5058a7c5743b}]
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
    2011-03-28 16:22 176936 ----a-w- c:\program files (x86)\ConduitEngine\prxConduitEngin.dll
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{7aeb3efd-e564-43f1-b658-5058a7c5743b}]
    2011-03-28 16:22 176936 ----a-w- c:\program files (x86)\vshare.tv_Bar\prxtbvsha.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
    "{7aeb3efd-e564-43f1-b658-5058a7c5743b}"= "c:\program files (x86)\vshare.tv_Bar\prxtbvsha.dll" [2011-03-28 176936]
    "{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files (x86)\ConduitEngine\prxConduitEngin.dll" [2011-03-28 176936]
    .
    [HKEY_CLASSES_ROOT\clsid\{7aeb3efd-e564-43f1-b658-5058a7c5743b}]
    .
    [HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-11-01 5629312]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-11-18 98304]
    "Dell DataSafe Online"="c:\program files (x86)\Dell DataSafe Online\DataSafeOnline.exe" [2010-02-09 1807680]
    "Dell Webcam Central"="c:\program files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2009-06-24 409744]
    "HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
    "c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"="c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe" [2011-10-14 559616]
    .
    c:\users\Matt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-12-15 1324384]
    .
    c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-12-15 1324384]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [x]
    R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-07-13 160944]
    R3 ArgusMonitor;ArgusMonitor kernel mode driver;SysWOW64\drivers\ArgusMonitor.sys [x]
    R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-02-28 183560]
    R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
    R3 PCDSRVC{1E208CE0-FB7451FF-06020200}_0;PCDSRVC{1E208CE0-FB7451FF-06020200}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\dell support center\pcdsrvc_x64.pkms [2012-08-17 25584]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-08-29 1255736]
    S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2009-07-09 55280]
    S0 stdflt;Disk Filter Driver for Accelerometer;c:\windows\system32\DRIVERS\stdflt.sys [2009-07-23 18792]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
    S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2012-07-11 140672]
    S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_0057cbec48a2d7cf\AESTSr64.exe [2009-03-02 89600]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-11-18 202752]
    S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]
    S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2009-06-09 155648]
    S2 FlipShareServer;FlipShare Server;c:\program files (x86)\Flip Video\FlipShareServer\FlipShareServer.exe [2011-05-06 1085440]
    S2 InstallFilterService;FF Install Filter Service;c:\program files (x86)\STMicroelectronics\Accelerometer\InstallFilterService.exe [2009-06-23 60928]
    S2 RichVideo64;Cyberlink RichVideo64 Service(CRVS);c:\program files\CyberLink\Shared files\RichVideo64.exe [2010-08-19 386344]
    S2 rimspci;rimspci;c:\windows\system32\DRIVERS\rimspe64.sys [2009-07-02 60416]
    S2 risdpcie;risdpcie;c:\windows\system32\DRIVERS\risdpe64.sys [2009-07-01 80896]
    S2 rixdpcie;rixdpcie;c:\windows\system32\DRIVERS\rixdpe64.sys [2009-07-04 55808]
    S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]
    S2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [2011-08-18 1692480]
    S2 TurboB;Turbo Boost UI Monitor driver;c:\windows\system32\DRIVERS\TurboB.sys [2009-11-02 13784]
    S2 TurboBoost;TurboBoost;c:\program files\Intel\TurboBoost\TurboBoost.exe [2009-11-02 126352]
    S2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2009-09-30 2320920]
    S3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Acceler.sys [2009-07-24 23912]
    S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [2009-06-15 172704]
    S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2010-07-07 51600]
    S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-09-17 56344]
    S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2009-10-12 151040]
    S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2010-07-21 45456]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2010-06-23 344680]
    S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2011-10-01 764264]
    S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2011-10-01 268648]
    S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2011-10-01 25960]
    S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2011-10-01 22376]
    S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]
    .
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-11-30 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-03 02:08]
    .
    2012-11-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1325184395-2148579531-2972560024-1001Core.job
    - c:\users\Matt\AppData\Local\Google\Update\GoogleUpdate.exe [2012-09-06 02:22]
    .
    2012-11-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1325184395-2148579531-2972560024-1001UA.job
    - c:\users\Matt\AppData\Local\Google\Update\GoogleUpdate.exe [2012-09-06 02:22]
    .
    2012-11-29 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task 78db802f-7a9a-471b-a510-d68b8aedbc1a.job
    - c:\program files\SUPERAntiSpyware\SASTask.exe [2011-05-04 17:52]
    .
    2012-11-29 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task 83132ff5-89b7-464c-a4bc-23dfd2ecadfa.job
    - c:\program files\SUPERAntiSpyware\SASTask.exe [2011-05-04 17:52]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2010-01-20 487424]
    "FreeFallProtection"="c:\program files (x86)\STMicroelectronics\Accelerometer\FF_Protection.exe" [2009-07-22 2384896]
    "Broadcom Wireless Manager UI"="c:\program files\Dell\DW WLAN Card\WLTRAY.exe" [2009-12-16 5470208]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2010-07-21 2327952]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://my.yahoo.com/
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    Wow6432Node-HKLM-Run-<NO NAME> - (no file)
    SafeBoot-rpcnet
    Toolbar-Locked - (no file)
    HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
    AddRemove-YAMB - c:\program files (x86)\YAMB\uninstall.exe
    AddRemove-{0B8565BA-BAD5-4732-B122-5FD78EFC50A9} - c:\programdata\{A6DB2A6F-FF9D-453F-99D6-C1AA54BC0C14}\Service Center Setup PC.exe
    AddRemove-{43E7798A-248E-4A3D-9969-FEA63543A462} - c:\programdata\{F531707E-A555-4890-97A1-9A651D437F0F}\Kontakt 4 Setup PC.exe
    AddRemove-{B0FC9E28-1CE6-4A40-BEF1-C6E6EDFCA070} - c:\programdata\{47960B9E-9E4E-438D-AA0C-2F495913AD7E}\Kontakt Factory Selection Setup PC.exe
    AddRemove-UnityWebPlayer - c:\users\Matt\AppData\Local\Unity\WebPlayer\Uninstall.exe
    .
    .
    "ImagePath"="\"c:\program files\CyberLink\Shared files\RichVideo64.exe\"\00Z
    [\]^_µ\00\00µ\00\00\00\00HIJKLMNO\00\00\00\00\00\00\00\00\03\00\00\00|}~µ\00\00µ\00\00\00\00u\00\00\00\00\00\00\00\00&#8216;&#8217;&#8220;"
    .
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\services\PCDSRVC{1E208CE0-FB7451FF-06020200}_0]
    "ImagePath"="\??\c:\program files\dell support center\pcdsrvc_x64.pkms"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-1325184395-2148579531-2972560024-1001\Software\CyberLink\common\claud\yberLink\PowerDirector\P* ***t**\PDR8]
    "AuDsInterface"=dword:00000008
    "AuHDMIMode"=dword:00000000
    "AuDsDnmx"=dword:00000008
    "AuDsDualMono"=dword:00000000
    "AuDsDHMode"=dword:00000002
    "AuDsDVSMode"=dword:00000005
    "AuDsCLHMode"=dword:00000002
    "AuDsCLVSMode"=dword:00000002
    "AuDsTSOn"=dword:00000001
    "AuDsFocusOn"=dword:00000001
    "AuDsTBOn"=dword:00000001
    "AuDsFocusLevel"=dword:00000005
    "AuDsTBLevel"=dword:00000008
    "AuDsSpkSize"=dword:00000001
    "AuDsDTSS2SpeakWidth"=dword:0000000a
    "AuDsDTSS2DialGain"=dword:00000000
    "AuDsDTSS2BassRGain"=dword:00000000
    "AuDsChanExpand"=dword:00000004
    "AuDsPL2Mode"=dword:00000003
    "AuDsPL2XPanorama"=dword:00000000
    "AuDsPL2XCntrWidth"=dword:00000003
    "AuDsMEIMode"=dword:00000014
    "AuDsMEIVolFront"=dword:0000001e
    "AuDsMEIVolRear"=dword:0000001e
    "AuDsMEIVolCenter"=dword:0000001e
    "AuDsMEIVolLFE"=dword:0000001e
    "AuDsNeo6Mode"=dword:00000000
    "AU_DRC_MODE"=dword:00000002
    "LFEON"=dword:00000001
    "AuDsCntrMix"=dword:00000000
    .
    [HKEY_USERS\S-1-5-21-1325184395-2148579531-2972560024-1001\Software\CyberLink\common\claud\yberLink\PowerDirector\P* *n**t**\PDR8]
    "AuDsInterface"=dword:00000008
    "AuHDMIMode"=dword:00000000
    "AuDsDnmx"=dword:00000008
    "AuDsDualMono"=dword:00000000
    "AuDsDHMode"=dword:00000002
    "AuDsDVSMode"=dword:00000005
    "AuDsCLHMode"=dword:00000002
    "AuDsCLVSMode"=dword:00000002
    "AuDsTSOn"=dword:00000001
    "AuDsFocusOn"=dword:00000001
    "AuDsTBOn"=dword:00000001
    "AuDsFocusLevel"=dword:00000005
    "AuDsTBLevel"=dword:00000008
    "AuDsSpkSize"=dword:00000001
    "AuDsDTSS2SpeakWidth"=dword:0000000a
    "AuDsDTSS2DialGain"=dword:00000000
    "AuDsDTSS2BassRGain"=dword:00000000
    "AuDsChanExpand"=dword:00000004
    "AuDsPL2Mode"=dword:00000003
    "AuDsPL2XPanorama"=dword:00000000
    "AuDsPL2XCntrWidth"=dword:00000003
    "AuDsMEIMode"=dword:00000014
    "AuDsMEIVolFront"=dword:0000001e
    "AuDsMEIVolRear"=dword:0000001e
    "AuDsMEIVolCenter"=dword:0000001e
    "AuDsMEIVolLFE"=dword:0000001e
    "AuDsNeo6Mode"=dword:00000000
    "AU_DRC_MODE"=dword:00000002
    "LFEON"=dword:00000001
    "AuDsCntrMix"=dword:00000000
    .
    [HKEY_USERS\S-1-5-21-1325184395-2148579531-2972560024-1001\Software\CyberLink\common\claud\yberLink\PowerDirector\P* *m**t**\PDR8]
    "AuDsInterface"=dword:00000008
    "AuHDMIMode"=dword:00000000
    "AuDsDnmx"=dword:00000008
    "AuDsDualMono"=dword:00000000
    "AuDsDHMode"=dword:00000002
    "AuDsDVSMode"=dword:00000005
    "AuDsCLHMode"=dword:00000002
    "AuDsCLVSMode"=dword:00000002
    "AuDsTSOn"=dword:00000001
    "AuDsFocusOn"=dword:00000001
    "AuDsTBOn"=dword:00000001
    "AuDsFocusLevel"=dword:00000005
    "AuDsTBLevel"=dword:00000008
    "AuDsSpkSize"=dword:00000001
    "AuDsDTSS2SpeakWidth"=dword:0000000a
    "AuDsDTSS2DialGain"=dword:00000000
    "AuDsDTSS2BassRGain"=dword:00000000
    "AuDsChanExpand"=dword:00000004
    "AuDsPL2Mode"=dword:00000003
    "AuDsPL2XPanorama"=dword:00000000
    "AuDsPL2XCntrWidth"=dword:00000003
    "AuDsMEIMode"=dword:00000014
    "AuDsMEIVolFront"=dword:0000001e
    "AuDsMEIVolRear"=dword:0000001e
    "AuDsMEIVolCenter"=dword:0000001e
    "AuDsMEIVolLFE"=dword:0000001e
    "AuDsNeo6Mode"=dword:00000000
    "AU_DRC_MODE"=dword:00000002
    "LFEON"=dword:00000001
    "AuDsCntrMix"=dword:00000000
    .
    [HKEY_USERS\S-1-5-21-1325184395-2148579531-2972560024-1001\Software\CyberLink\common\claud\yberLink\PowerDirector\P* *ú*\PDR8]
    "AuDsInterface"=dword:00000008
    "AuHDMIMode"=dword:00000000
    "AuDsDnmx"=dword:00000008
    "AuDsDualMono"=dword:00000000
    "AuDsDHMode"=dword:00000002
    "AuDsDVSMode"=dword:00000005
    "AuDsCLHMode"=dword:00000002
    "AuDsCLVSMode"=dword:00000002
    "AuDsTSOn"=dword:00000001
    "AuDsFocusOn"=dword:00000001
    "AuDsTBOn"=dword:00000001
    "AuDsFocusLevel"=dword:00000005
    "AuDsTBLevel"=dword:00000008
    "AuDsSpkSize"=dword:00000001
    "AuDsDTSS2SpeakWidth"=dword:0000000a
    "AuDsDTSS2DialGain"=dword:00000000
    "AuDsDTSS2BassRGain"=dword:00000000
    "AuDsChanExpand"=dword:00000004
    "AuDsPL2Mode"=dword:00000003
    "AuDsPL2XPanorama"=dword:00000000
    "AuDsPL2XCntrWidth"=dword:00000003
    "AuDsMEIMode"=dword:00000014
    "AuDsMEIVolFront"=dword:0000001e
    "AuDsMEIVolRear"=dword:0000001e
    "AuDsMEIVolCenter"=dword:0000001e
    "AuDsMEIVolLFE"=dword:0000001e
    "AuDsNeo6Mode"=dword:00000000
    "AU_DRC_MODE"=dword:00000002
    "LFEON"=dword:00000001
    "AuDsCntrMix"=dword:00000000
    .
    [HKEY_USERS\S-1-5-21-1325184395-2148579531-2972560024-1001\Software\CyberLink\common\claud\yberLink\PowerDirector\P* *m**t**\PDR8]
    "AuDsInterface"=dword:00000008
    "AuHDMIMode"=dword:00000000
    "AuDsDnmx"=dword:00000008
    "AuDsDualMono"=dword:00000000
    "AuDsDHMode"=dword:00000002
    "AuDsDVSMode"=dword:00000005
    "AuDsCLHMode"=dword:00000002
    "AuDsCLVSMode"=dword:00000002
    "AuDsTSOn"=dword:00000001
    "AuDsFocusOn"=dword:00000001
    "AuDsTBOn"=dword:00000001
    "AuDsFocusLevel"=dword:00000005
    "AuDsTBLevel"=dword:00000008
    "AuDsSpkSize"=dword:00000001
    "AuDsDTSS2SpeakWidth"=dword:0000000a
    "AuDsDTSS2DialGain"=dword:00000000
    "AuDsDTSS2BassRGain"=dword:00000000
    "AuDsChanExpand"=dword:00000004
    "AuDsPL2Mode"=dword:00000003
    "AuDsPL2XPanorama"=dword:00000000
    "AuDsPL2XCntrWidth"=dword:00000003
    "AuDsMEIMode"=dword:00000014
    "AuDsMEIVolFront"=dword:0000001e
    "AuDsMEIVolRear"=dword:0000001e
    "AuDsMEIVolCenter"=dword:0000001e
    "AuDsMEIVolLFE"=dword:0000001e
    "AuDsNeo6Mode"=dword:00000000
    "AU_DRC_MODE"=dword:00000002
    "LFEON"=dword:00000001
    "AuDsCntrMix"=dword:00000000
    .
    [HKEY_USERS\S-1-5-21-1325184395-2148579531-2972560024-1001\Software\CyberLink\common\claud\yberLink\PowerDirector\P* *m**t**\PDR8]
    "AuDsInterface"=dword:00000008
    "AuHDMIMode"=dword:00000000
    "AuDsDnmx"=dword:00000008
    "AuDsDualMono"=dword:00000000
    "AuDsDHMode"=dword:00000002
    "AuDsDVSMode"=dword:00000005
    "AuDsCLHMode"=dword:00000002
    "AuDsCLVSMode"=dword:00000002
    "AuDsTSOn"=dword:00000001
    "AuDsFocusOn"=dword:00000001
    "AuDsTBOn"=dword:00000001
    "AuDsFocusLevel"=dword:00000005
    "AuDsTBLevel"=dword:00000008
    "AuDsSpkSize"=dword:00000001
    "AuDsDTSS2SpeakWidth"=dword:0000000a
    "AuDsDTSS2DialGain"=dword:00000000
    "AuDsDTSS2BassRGain"=dword:00000000
    "AuDsChanExpand"=dword:00000004
    "AuDsPL2Mode"=dword:00000003
    "AuDsPL2XPanorama"=dword:00000000
    "AuDsPL2XCntrWidth"=dword:00000003
    "AuDsMEIMode"=dword:00000014
    "AuDsMEIVolFront"=dword:0000001e
    "AuDsMEIVolRear"=dword:0000001e
    "AuDsMEIVolCenter"=dword:0000001e
    "AuDsMEIVolLFE"=dword:0000001e
    "AuDsNeo6Mode"=dword:00000000
    "AU_DRC_MODE"=dword:00000002
    "LFEON"=dword:00000001
    "AuDsCntrMix"=dword:00000000
    .
    [HKEY_USERS\S-1-5-21-1325184395-2148579531-2972560024-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="WindowsLiveMail.Email.1"
    .
    [HKEY_USERS\S-1-5-21-1325184395-2148579531-2972560024-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="WindowsLiveMail.VCard.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_110_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_110_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_110_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_110_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_110.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_110.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_110.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_110.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files (x86)\Flip Video\FlipShare\FlipShareService.exe
    c:\program files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE
    c:\program files (x86)\Dell DataSafe Local Backup\TOASTER.EXE
    c:\program files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE
    c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
    .
    **************************************************************************
    .
    Completion time: 2012-11-29 20:48:11 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-11-30 01:48
    .
    Pre-Run: 250,599,124,992 bytes free
    Post-Run: 251,773,976,576 bytes free
    .
    - - End Of File - - 98DCE99F52339F52501535653FAAAEE1
     
  10. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,361
    First Name:
    Kevin
    Thanks for the log, ok do the following:

    Step 1

    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    3. Open notepad and copy/paste the text in the Codebox below into it:

    Code:
    ClearJavaCache::
    Killall::
    Folder::
    c:\program files (x86)\ConduitEngine
    c:\program files (x86)\vshare.tv_Bar
    c:\program files\Common Files\McAfee
    Driver::
    McMPFSvc
    ArgusMonitor
    Registry::
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{7aeb3efd-e564-43f1-b658-5058a7c5743b}"=-
    [-HKEY_CLASSES_ROOT\clsid\{7aeb3efd-e564-43f1-b658-5058a7c5743b}]
    [-HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
    "{7aeb3efd-e564-43f1-b658-5058a7c5743b}"=-
    "{30F9B915-B755-4826-820B-08FBA6BD249D}"=-
    [-HKEY_CLASSES_ROOT\clsid\{7aeb3efd-e564-43f1-b658-5058a7c5743b}]
    [-HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
    RegNull::
    [HKEY_USERS\S-1-5-21-1325184395-2148579531-2972560024-1001\Software\CyberLink\common\claud\yberLink\PowerDirector\P* ***t**\PDR8]
    [HKEY_USERS\S-1-5-21-1325184395-2148579531-2972560024-1001\Software\CyberLink\common\claud\yberLink\PowerDirector\P* *n**t*
    [HKEY_USERS\S-1-5-21-1325184395-2148579531-2972560024-1001\Software\CyberLink\common\claud\yberLink\PowerDirector\P* *m**t*
    [HKEY_USERS\S-1-5-21-1325184395-2148579531-2972560024-1001\Software\CyberLink\common\claud\yberLink\PowerDirector\P* *ú*\PDR8]
    [HKEY_USERS\S-1-5-21-1325184395-2148579531-2972560024-1001\Software\CyberLink\common\claud\yberLink\PowerDirector\P* *m**t*
    [HKEY_USERS\S-1-5-21-1325184395-2148579531-2972560024-1001\Software\CyberLink\common\claud\yberLink\PowerDirector\P* *m**t*
    
    Save this as CFScript.txt, and as Type: All Files (*.*) in the same location as ComboFix.exe


    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

    Step 2

    As McAfee has been UNinstalled and the licence was expired you will need an Anti-Virus program for security, I recommend Microsoft Security Essentials, I use that myself....

    To keep safe when online you need a good Antivirus/Antispyware/Antimalware/Anti-Rootkit combination application. Microsoft Security Essentials covers all of those bases, but better still it is free. Go Here and hit the "Download free" tab, follow the prompts. Once installed it will want to update and carry out a quick scan, allow that to happen. It will also want to turn on the windows firewall...

    Let me see the log from Combofix. If MSE was installed it will have run a quick scan, did it find anything. You can check under the History tab from the main interface..

    Kevin
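
    The CFScript in Step 1 removes two browser add-ons by CLSID (the vshare.tv_Bar URLSearchHook/toolbar {7aeb3efd-...} and the ConduitEngine BHO {30F9B915-...}). The script below is an added example, not something from this thread or from ComboFix, showing how to audit the same Internet Explorer extension points from an elevated PowerShell prompt so you can confirm the entries are gone after the fix runs. The two CLSIDs are taken from the CFScript above; the function names, the watch list and the report layout are my own assumptions. It lists every CLSID registered as a URLSearchHook, Browser Helper Object or toolbar in both the native and Wow6432Node views, resolves each to its InprocServer32 DLL, and flags entries that are on the watch list or whose DLL no longer exists on disk (an orphaned entry, as in the "ORPHANS REMOVED" section of a ComboFix log).

```powershell
# Added example (not from the thread): audit IE extension points that ComboFix's
# CFScript targets, and flag watch-listed or orphaned entries. Read-only: it removes nothing.

# CLSIDs taken from the CFScript in this thread.
$WatchList = @(
    '{7aeb3efd-e564-43f1-b658-5058a7c5743b}',   # vshare.tv_Bar URLSearchHook / toolbar
    '{30F9B915-B755-4826-820B-08FBA6BD249D}'    # ConduitEngine BHO
)

# Registry locations where IE loads third-party code. On 64-bit Windows the 32-bit
# browser reads the Wow6432Node views, so both views are included (assumption: x64 host).
$ExtensionKeys = @(
    'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar'
)

function Resolve-ClsidServer {
    param([string]$Clsid)
    # Look up the DLL registered for a CLSID in the native and the WOW64 class views.
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID') {
        $key = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path -LiteralPath $key) {
            $dll = (Get-ItemProperty -LiteralPath $key).'(default)'
            if ($dll) { return $dll.Trim('"') }
        }
    }
    return $null
}

function Get-IeExtensionReport {
    $report = @()
    foreach ($key in $ExtensionKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        # BHOs are subkeys named by CLSID; URLSearchHooks and Toolbar store CLSIDs as value names.
        $clsids = @($item.GetSubKeyNames()) + @($item.GetValueNames())
        foreach ($clsid in $clsids) {
            if ($clsid -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { continue }
            $dll = Resolve-ClsidServer -Clsid $clsid
            $onDisk = $false
            if ($dll) { $onDisk = Test-Path -LiteralPath ([Environment]::ExpandEnvironmentVariables($dll)) }
            $report += [pscustomobject]@{
                Location    = $key
                Clsid       = $clsid
                Dll         = $dll
                DllOnDisk   = $onDisk
                OnWatchList = ($WatchList -contains $clsid)   # -contains is case-insensitive
            }
        }
    }
    return $report
}

$results = Get-IeExtensionReport
$results | Format-Table -AutoSize

# Anything still on the watch list, or registered but pointing at a missing DLL, needs attention.
$suspect = $results | Where-Object { $_.OnWatchList -or -not $_.DllOnDisk }
if ($suspect) {
    Write-Warning 'Entries still present that match the watch list or point to a missing DLL:'
    $suspect | Format-Table Location, Clsid, Dll -AutoSize
} else {
    Write-Host 'No watch-listed CLSIDs and no orphaned IE extension entries found.'
}
```

    Run it once before applying the CFScript to see the two CLSIDs listed, and again after the reboot: a clean run prints no warning. A CLSID that is registered in a load point but has no InprocServer32 DLL on disk is exactly the kind of leftover ComboFix reports under ORPHANS REMOVED, so the DllOnDisk column is worth reading even for entries that are not on the watch list.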
     
  11. Mblock

    Mblock Thread Starter

    Joined:
    Nov 29, 2012
    Messages:
    11
    Ok I did as you said and here is the new log

    ComboFix 12-11-30.01 - Matt 11/30/2012 8:05.2.4 - x64
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.6005.4215 [GMT -5:00]
    Running from: c:\users\Matt\Desktop\ComboFix.exe
    Command switches used :: c:\users\Matt\Desktop\CFScript.txt
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files (x86)\ConduitEngine
    c:\program files (x86)\ConduitEngine\appContextMenu.xml
    c:\program files (x86)\ConduitEngine\ConduitEngin.dll
    c:\program files (x86)\ConduitEngine\ConduitEngineHelper.exe
    c:\program files (x86)\ConduitEngine\ConduitEngineUninstall.exe
    c:\program files (x86)\ConduitEngine\engineContextMenu.xml
    c:\program files (x86)\ConduitEngine\EngineSettings.json
    c:\program files (x86)\ConduitEngine\ldrConduitEngin.dll
    c:\program files (x86)\ConduitEngine\prxConduitEngin.dll
    c:\program files (x86)\ConduitEngine\toolbar.cfg
    c:\program files (x86)\vshare.tv_Bar
    c:\program files (x86)\vshare.tv_Bar\GottenAppsContextMenu.xml
    c:\program files (x86)\vshare.tv_Bar\ldrtbvsha.dll
    c:\program files (x86)\vshare.tv_Bar\OtherAppsContextMenu.xml
    c:\program files (x86)\vshare.tv_Bar\prxtbvsha.dll
    c:\program files (x86)\vshare.tv_Bar\SharedAppsContextMenu.xml
    c:\program files (x86)\vshare.tv_Bar\tbvsha.dll
    c:\program files (x86)\vshare.tv_Bar\toolbar.cfg
    c:\program files (x86)\vshare.tv_Bar\ToolbarContextMenu.xml
    c:\program files (x86)\vshare.tv_Bar\uninstall.exe
    c:\program files (x86)\vshare.tv_Bar\vshare.tv_BarToolbarHelper.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_ARGUSMONITOR
    -------\Service_McMPFSvc
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-10-28 to 2012-11-30 )))))))))))))))))))))))))))))))
    .
    .
    2012-11-30 13:09 . 2012-11-30 13:09 -------- d-----w- c:\users\Mcx1-MATT-PC\AppData\Local\temp
    2012-11-29 12:53 . 2012-11-29 12:53 388096 ----a-r- c:\users\Matt\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2012-11-29 12:53 . 2012-11-29 12:53 -------- d-----w- c:\program files (x86)\Trend Micro
    2012-11-25 03:53 . 2012-11-25 03:53 -------- d-----w- c:\program files (x86)\Common Files\Java
    2012-11-25 03:53 . 2012-11-25 03:52 95208 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-11-30 06:35 . 2010-09-07 23:21 2876528 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
    2012-11-30 06:35 . 2010-09-07 23:21 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
    2012-11-29 02:08 . 2012-04-03 23:09 697272 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2012-11-29 02:08 . 2011-07-15 03:16 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-11-25 03:52 . 2012-06-29 00:10 821736 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
    2012-11-25 03:52 . 2010-08-23 13:43 746984 ----a-w- c:\windows\SysWow64\deployJava1.dll
    2012-10-11 07:02 . 2010-08-30 13:53 65309168 ----a-w- c:\windows\system32\MRT.exe
    2012-09-29 23:54 . 2012-09-23 16:19 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-09-14 19:19 . 2012-10-10 12:14 2048 ----a-w- c:\windows\system32\tzres.dll
    2012-09-14 18:28 . 2012-10-10 12:14 2048 ----a-w- c:\windows\SysWow64\tzres.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-11-18 98304]
    "Dell DataSafe Online"="c:\program files (x86)\Dell DataSafe Online\DataSafeOnline.exe" [2010-02-09 1807680]
    "Dell Webcam Central"="c:\program files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2009-06-24 409744]
    "HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
    "c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"="c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe" [2011-10-14 559616]
    .
    c:\users\Matt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-12-15 1324384]
    .
    c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-12-15 1324384]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-07-13 160944]
    R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-02-28 183560]
    R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
    R3 PCDSRVC{1E208CE0-FB7451FF-06020200}_0;PCDSRVC{1E208CE0-FB7451FF-06020200}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\dell support center\pcdsrvc_x64.pkms [2012-08-17 25584]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-08-29 1255736]
    S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2009-07-09 55280]
    S0 stdflt;Disk Filter Driver for Accelerometer;c:\windows\system32\DRIVERS\stdflt.sys [2009-07-23 18792]
    S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_0057cbec48a2d7cf\AESTSr64.exe [2009-03-02 89600]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-11-18 202752]
    S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]
    S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2009-06-09 155648]
    S2 FlipShareServer;FlipShare Server;c:\program files (x86)\Flip Video\FlipShareServer\FlipShareServer.exe [2011-05-06 1085440]
    S2 InstallFilterService;FF Install Filter Service;c:\program files (x86)\STMicroelectronics\Accelerometer\InstallFilterService.exe [2009-06-23 60928]
    S2 RichVideo64;Cyberlink RichVideo64 Service(CRVS);c:\program files\CyberLink\Shared files\RichVideo64.exe [2010-08-19 386344]
    S2 rimspci;rimspci;c:\windows\system32\DRIVERS\rimspe64.sys [2009-07-02 60416]
    S2 risdpcie;risdpcie;c:\windows\system32\DRIVERS\risdpe64.sys [2009-07-01 80896]
    S2 rixdpcie;rixdpcie;c:\windows\system32\DRIVERS\rixdpe64.sys [2009-07-04 55808]
    S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]
    S2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [2011-08-18 1692480]
    S2 TurboB;Turbo Boost UI Monitor driver;c:\windows\system32\DRIVERS\TurboB.sys [2009-11-02 13784]
    S2 TurboBoost;TurboBoost;c:\program files\Intel\TurboBoost\TurboBoost.exe [2009-11-02 126352]
    S2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2009-09-30 2320920]
    S3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Acceler.sys [2009-07-24 23912]
    S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [2009-06-15 172704]
    S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2010-07-07 51600]
    S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-09-17 56344]
    S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2009-10-12 151040]
    S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2010-07-21 45456]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2010-06-23 344680]
    S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2011-10-01 764264]
    S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2011-10-01 268648]
    S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2011-10-01 25960]
    S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2011-10-01 22376]
    S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]
    .
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-11-30 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-03 02:08]
    .
    2012-11-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1325184395-2148579531-2972560024-1001Core.job
    - c:\users\Matt\AppData\Local\Google\Update\GoogleUpdate.exe [2012-09-06 02:22]
    .
    2012-11-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1325184395-2148579531-2972560024-1001UA.job
    - c:\users\Matt\AppData\Local\Google\Update\GoogleUpdate.exe [2012-09-06 02:22]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2010-01-20 487424]
    "FreeFallProtection"="c:\program files (x86)\STMicroelectronics\Accelerometer\FF_Protection.exe" [2009-07-22 2384896]
    "Broadcom Wireless Manager UI"="c:\program files\Dell\DW WLAN Card\WLTRAY.exe" [2009-12-16 5470208]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2010-07-21 2327952]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://my.yahoo.com/
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
    .
    - - - - ORPHANS REMOVED - - - -
    .
    BHO-{30F9B915-B755-4826-820B-08FBA6BD249D} - c:\program files (x86)\ConduitEngine\prxConduitEngin.dll
    BHO-{7aeb3efd-e564-43f1-b658-5058a7c5743b} - c:\program files (x86)\vshare.tv_Bar\prxtbvsha.dll
    Toolbar-Locked - (no file)
    Wow6432Node-HKLM-Run-<NO NAME> - (no file)
    AddRemove-conduitEngine - c:\program files (x86)\ConduitEngine\ConduitEngineUninstall.exe
    AddRemove-vshare.tv_Bar Toolbar - c:\program files (x86)\vshare.tv_Bar\uninstall.exe
    AddRemove-{0B8565BA-BAD5-4732-B122-5FD78EFC50A9} - c:\programdata\{A6DB2A6F-FF9D-453F-99D6-C1AA54BC0C14}\Service Center Setup PC.exe
    AddRemove-{43E7798A-248E-4A3D-9969-FEA63543A462} - c:\programdata\{F531707E-A555-4890-97A1-9A651D437F0F}\Kontakt 4 Setup PC.exe
    AddRemove-{B0FC9E28-1CE6-4A40-BEF1-C6E6EDFCA070} - c:\programdata\{47960B9E-9E4E-438D-AA0C-2F495913AD7E}\Kontakt Factory Selection Setup PC.exe
    .
    .
    "ImagePath"="\"c:\program files\CyberLink\Shared files\RichVideo64.exe\"\00Z
    [\]^_µ\00\00µ\00\00\00\00HIJKLMNO\00\00\00\00\00\00\00\00\03\00\00\00|}~µ\00\00µ\00\00\00\00u\00\00\00\00\00\00\00\00‘’“"
    .
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\services\PCDSRVC{1E208CE0-FB7451FF-06020200}_0]
    "ImagePath"="\??\c:\program files\dell support center\pcdsrvc_x64.pkms"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-1325184395-2148579531-2972560024-1001\Software\CyberLink\common\claud\yberLink\PowerDirector\P* ***t**\PDR8]
    "AuDsInterface"=dword:00000008
    "AuHDMIMode"=dword:00000000
    "AuDsDnmx"=dword:00000008
    "AuDsDualMono"=dword:00000000
    "AuDsDHMode"=dword:00000002
    "AuDsDVSMode"=dword:00000005
    "AuDsCLHMode"=dword:00000002
    "AuDsCLVSMode"=dword:00000002
    "AuDsTSOn"=dword:00000001
    "AuDsFocusOn"=dword:00000001
    "AuDsTBOn"=dword:00000001
    "AuDsFocusLevel"=dword:00000005
    "AuDsTBLevel"=dword:00000008
    "AuDsSpkSize"=dword:00000001
    "AuDsDTSS2SpeakWidth"=dword:0000000a
    "AuDsDTSS2DialGain"=dword:00000000
    "AuDsDTSS2BassRGain"=dword:00000000
    "AuDsChanExpand"=dword:00000004
    "AuDsPL2Mode"=dword:00000003
    "AuDsPL2XPanorama"=dword:00000000
    "AuDsPL2XCntrWidth"=dword:00000003
    "AuDsMEIMode"=dword:00000014
    "AuDsMEIVolFront"=dword:0000001e
    "AuDsMEIVolRear"=dword:0000001e
    "AuDsMEIVolCenter"=dword:0000001e
    "AuDsMEIVolLFE"=dword:0000001e
    "AuDsNeo6Mode"=dword:00000000
    "AU_DRC_MODE"=dword:00000002
    "LFEON"=dword:00000001
    "AuDsCntrMix"=dword:00000000
    .
    [HKEY_USERS\S-1-5-21-1325184395-2148579531-2972560024-1001\Software\CyberLink\common\claud\yberLink\PowerDirector\P* *n**t**\PDR8]
    "AuDsInterface"=dword:00000008
    "AuHDMIMode"=dword:00000000
    "AuDsDnmx"=dword:00000008
    "AuDsDualMono"=dword:00000000
    "AuDsDHMode"=dword:00000002
    "AuDsDVSMode"=dword:00000005
    "AuDsCLHMode"=dword:00000002
    "AuDsCLVSMode"=dword:00000002
    "AuDsTSOn"=dword:00000001
    "AuDsFocusOn"=dword:00000001
    "AuDsTBOn"=dword:00000001
    "AuDsFocusLevel"=dword:00000005
    "AuDsTBLevel"=dword:00000008
    "AuDsSpkSize"=dword:00000001
    "AuDsDTSS2SpeakWidth"=dword:0000000a
    "AuDsDTSS2DialGain"=dword:00000000
    "AuDsDTSS2BassRGain"=dword:00000000
    "AuDsChanExpand"=dword:00000004
    "AuDsPL2Mode"=dword:00000003
    "AuDsPL2XPanorama"=dword:00000000
    "AuDsPL2XCntrWidth"=dword:00000003
    "AuDsMEIMode"=dword:00000014
    "AuDsMEIVolFront"=dword:0000001e
    "AuDsMEIVolRear"=dword:0000001e
    "AuDsMEIVolCenter"=dword:0000001e
    "AuDsMEIVolLFE"=dword:0000001e
    "AuDsNeo6Mode"=dword:00000000
    "AU_DRC_MODE"=dword:00000002
    "LFEON"=dword:00000001
    "AuDsCntrMix"=dword:00000000
    .
    [HKEY_USERS\S-1-5-21-1325184395-2148579531-2972560024-1001\Software\CyberLink\common\claud\yberLink\PowerDirector\P* *m**t**\PDR8]
    "AuDsInterface"=dword:00000008
    "AuHDMIMode"=dword:00000000
    "AuDsDnmx"=dword:00000008
    "AuDsDualMono"=dword:00000000
    "AuDsDHMode"=dword:00000002
    "AuDsDVSMode"=dword:00000005
    "AuDsCLHMode"=dword:00000002
    "AuDsCLVSMode"=dword:00000002
    "AuDsTSOn"=dword:00000001
    "AuDsFocusOn"=dword:00000001
    "AuDsTBOn"=dword:00000001
    "AuDsFocusLevel"=dword:00000005
    "AuDsTBLevel"=dword:00000008
    "AuDsSpkSize"=dword:00000001
    "AuDsDTSS2SpeakWidth"=dword:0000000a
    "AuDsDTSS2DialGain"=dword:00000000
    "AuDsDTSS2BassRGain"=dword:00000000
    "AuDsChanExpand"=dword:00000004
    "AuDsPL2Mode"=dword:00000003
    "AuDsPL2XPanorama"=dword:00000000
    "AuDsPL2XCntrWidth"=dword:00000003
    "AuDsMEIMode"=dword:00000014
    "AuDsMEIVolFront"=dword:0000001e
    "AuDsMEIVolRear"=dword:0000001e
    "AuDsMEIVolCenter"=dword:0000001e
    "AuDsMEIVolLFE"=dword:0000001e
    "AuDsNeo6Mode"=dword:00000000
    "AU_DRC_MODE"=dword:00000002
    "LFEON"=dword:00000001
    "AuDsCntrMix"=dword:00000000
    .
    [HKEY_USERS\S-1-5-21-1325184395-2148579531-2972560024-1001\Software\CyberLink\common\claud\yberLink\PowerDirector\P* *ú*\PDR8]
    "AuDsInterface"=dword:00000008
    "AuHDMIMode"=dword:00000000
    "AuDsDnmx"=dword:00000008
    "AuDsDualMono"=dword:00000000
    "AuDsDHMode"=dword:00000002
    "AuDsDVSMode"=dword:00000005
    "AuDsCLHMode"=dword:00000002
    "AuDsCLVSMode"=dword:00000002
    "AuDsTSOn"=dword:00000001
    "AuDsFocusOn"=dword:00000001
    "AuDsTBOn"=dword:00000001
    "AuDsFocusLevel"=dword:00000005
    "AuDsTBLevel"=dword:00000008
    "AuDsSpkSize"=dword:00000001
    "AuDsDTSS2SpeakWidth"=dword:0000000a
    "AuDsDTSS2DialGain"=dword:00000000
    "AuDsDTSS2BassRGain"=dword:00000000
    "AuDsChanExpand"=dword:00000004
    "AuDsPL2Mode"=dword:00000003
    "AuDsPL2XPanorama"=dword:00000000
    "AuDsPL2XCntrWidth"=dword:00000003
    "AuDsMEIMode"=dword:00000014
    "AuDsMEIVolFront"=dword:0000001e
    "AuDsMEIVolRear"=dword:0000001e
    "AuDsMEIVolCenter"=dword:0000001e
    "AuDsMEIVolLFE"=dword:0000001e
    "AuDsNeo6Mode"=dword:00000000
    "AU_DRC_MODE"=dword:00000002
    "LFEON"=dword:00000001
    "AuDsCntrMix"=dword:00000000
    .
    [HKEY_USERS\S-1-5-21-1325184395-2148579531-2972560024-1001\Software\CyberLink\common\claud\yberLink\PowerDirector\P* *m**t**\PDR8]
    "AuDsInterface"=dword:00000008
    "AuHDMIMode"=dword:00000000
    "AuDsDnmx"=dword:00000008
    "AuDsDualMono"=dword:00000000
    "AuDsDHMode"=dword:00000002
    "AuDsDVSMode"=dword:00000005
    "AuDsCLHMode"=dword:00000002
    "AuDsCLVSMode"=dword:00000002
    "AuDsTSOn"=dword:00000001
    "AuDsFocusOn"=dword:00000001
    "AuDsTBOn"=dword:00000001
    "AuDsFocusLevel"=dword:00000005
    "AuDsTBLevel"=dword:00000008
    "AuDsSpkSize"=dword:00000001
    "AuDsDTSS2SpeakWidth"=dword:0000000a
    "AuDsDTSS2DialGain"=dword:00000000
    "AuDsDTSS2BassRGain"=dword:00000000
    "AuDsChanExpand"=dword:00000004
    "AuDsPL2Mode"=dword:00000003
    "AuDsPL2XPanorama"=dword:00000000
    "AuDsPL2XCntrWidth"=dword:00000003
    "AuDsMEIMode"=dword:00000014
    "AuDsMEIVolFront"=dword:0000001e
    "AuDsMEIVolRear"=dword:0000001e
    "AuDsMEIVolCenter"=dword:0000001e
    "AuDsMEIVolLFE"=dword:0000001e
    "AuDsNeo6Mode"=dword:00000000
    "AU_DRC_MODE"=dword:00000002
    "LFEON"=dword:00000001
    "AuDsCntrMix"=dword:00000000
    .
    [HKEY_USERS\S-1-5-21-1325184395-2148579531-2972560024-1001\Software\CyberLink\common\claud\yberLink\PowerDirector\P* *m**t**\PDR8]
    "AuDsInterface"=dword:00000008
    "AuHDMIMode"=dword:00000000
    "AuDsDnmx"=dword:00000008
    "AuDsDualMono"=dword:00000000
    "AuDsDHMode"=dword:00000002
    "AuDsDVSMode"=dword:00000005
    "AuDsCLHMode"=dword:00000002
    "AuDsCLVSMode"=dword:00000002
    "AuDsTSOn"=dword:00000001
    "AuDsFocusOn"=dword:00000001
    "AuDsTBOn"=dword:00000001
    "AuDsFocusLevel"=dword:00000005
    "AuDsTBLevel"=dword:00000008
    "AuDsSpkSize"=dword:00000001
    "AuDsDTSS2SpeakWidth"=dword:0000000a
    "AuDsDTSS2DialGain"=dword:00000000
    "AuDsDTSS2BassRGain"=dword:00000000
    "AuDsChanExpand"=dword:00000004
    "AuDsPL2Mode"=dword:00000003
    "AuDsPL2XPanorama"=dword:00000000
    "AuDsPL2XCntrWidth"=dword:00000003
    "AuDsMEIMode"=dword:00000014
    "AuDsMEIVolFront"=dword:0000001e
    "AuDsMEIVolRear"=dword:0000001e
    "AuDsMEIVolCenter"=dword:0000001e
    "AuDsMEIVolLFE"=dword:0000001e
    "AuDsNeo6Mode"=dword:00000000
    "AU_DRC_MODE"=dword:00000002
    "LFEON"=dword:00000001
    "AuDsCntrMix"=dword:00000000
    .
    [HKEY_USERS\S-1-5-21-1325184395-2148579531-2972560024-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="WindowsLiveMail.Email.1"
    .
    [HKEY_USERS\S-1-5-21-1325184395-2148579531-2972560024-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="WindowsLiveMail.VCard.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_110_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_110_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_110_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_110_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_110.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_110.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_110.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_110.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files (x86)\Flip Video\FlipShare\FlipShareService.exe
    c:\program files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE
    c:\program files (x86)\Dell DataSafe Local Backup\TOASTER.EXE
    c:\program files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE
    c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
    .
    **************************************************************************
    .
    Completion time: 2012-11-30 08:16:18 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-11-30 13:16
    ComboFix2.txt 2012-11-30 01:48
    .
    Pre-Run: 247,469,596,672 bytes free
    Post-Run: 247,232,303,104 bytes free
    .
    - - End Of File - - 499469DE9960EDA7BDB0B1A7E626DCCA
     
  12. Mblock

    Mblock Thread Starter

    Joined:
    Nov 29, 2012
    Messages:
    11
    I have just downloaded MSE and am in the process of running it. I need to head out to work in a few minutes, so I don't know if I will be able to wait for the results, but if so I will let you know.
     
  13. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,361
    First Name:
    Kevin
    OK, post the info anytime you're ready...
     
  14. Mblock

    Mblock Thread Starter

    Joined:
    Nov 29, 2012
    Messages:
    11
    OK, just asked my wife and she said that MSE found nothing. So the logs above that post are from the second run of ComboFix, where I made the file in Notepad and dragged it in.
     
  15. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,361
    First Name:
    Kevin
    OK, run DDS and post a fresh set of logs; let me see if anything shows in those logs. Here are instructions in case needed...

    Download and save DDS to your Desktop from either of the following links:

    http://download.bleepingcomputer.com/sUBs/dds.scr
    http://compendiate.net/sUBs/dds/dds.scr

    Double click DDS to run the scan; Vista or Windows 7 users accept the UAC alert.
    There will be an alert that two logs will be saved to the Desktop, DDS.txt and Attach.txt.
    Copy and paste those two logs into your reply when the scan is complete....

    Let me see those two logs, also let me know how your system responds and if any issues remain...

    Kevin
     
Short URL to this thread: https://techguy.org/1078776