
Windows 7: STOP: C0000135 the program can't start because %hs is missing


This topic is locked
19 replies to this topic

#1 Keewee

Keewee

  • Members
  • 10 posts

Posted 03 April 2012 - 11:57 PM

Hello,

So I got the S.M.A.R.T. HDD trojan program. I tried recovering to restore point before. After that, windows wouldn't boot.

The blue screen I got said the STOP: C0000135 the program can't start because %h is missing message. So searching the forums. It took me a while to be able to run FRST64.exe since literally nothing would boot. If I tried to Start Windows normally, it would just restart (or give me that message). If I tried to use the Recovery Options, it would freeze at "Windows is loading files." So I was finally able to track down a Windows 7 x64 CD.

I have a Windows 7 x64 Home Premium. I have attached the FRST.txt file... any help would be amazingly and gratefully appreciated.

Once I am (hopefully) able to boot Windows, I'll go through the steps in the tutorial on the site to get rid of the S.M.A.R.T. HDD for good... Also - any tips to best avoid these? I have had Malware Bytes on my computer previously...

Attached Files

  • Attached File  FRST.txt   48.6KB   10 downloads

Edited by Keewee, 03 April 2012 - 11:59 PM.



#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 06 April 2012 - 07:47 PM

Hi

Please do the following:


Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
script removed
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options then select Command Prompt

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Now restart, let it boot normally and tell me how it went.


NEXT


Refer to the ComboFix User's Guide

  • Download ComboFix from one of these locations:

    Link 1
    Link 2

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Edited by CatByte, 03 July 2012 - 09:36 PM.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 Keewee

Keewee
  • Topic Starter

  • Members
  • 10 posts

Posted 07 April 2012 - 04:23 PM

Hello,

Thanks so much for your help! I have attached the Fixlog.txt and rebooted my computer. I was able to get Windows to start and login. I then disabled my antivirus stuff and ran Combofix.

For ComboFix, despite me disabling Microsoft Security Essentials, it still registered it as running even though I don't think it was... So ComboFix ran with that.

So I have also attached Combofix log.

Thanks again! Let me know what to do next. :)

Attached Files



#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 07 April 2012 - 04:32 PM

Hi,

Please do the following:

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish


NEXT


Please advise how the computer is running now and if there are any outstanding issues

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 Keewee

Keewee
  • Topic Starter

  • Members
  • 10 posts

Posted 08 April 2012 - 12:54 PM

I updated and ran Malwarebytes - the log is attached.

I also ran the ESET Online Scanner - the log is also attached.

ESET took a while so I let it run overnight. When I came back to the computer, it had a ton of pop-ups. I can re-enable Microsoft Security Essentials but not Malwarebytes Protection. I tried turning off MSE and then re-enabling Malwarebytes. No good.

"An error has occurred. Please report this issue to our support team (include the content of all error message(s) and code(s) in your submission).

PROGRAM_ERROR_PROTECTION_MODULE (1068, 0, ProtectionEnable)

The dependence service or group failed to start."


Thanks!

Attached Files



#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 08 April 2012 - 01:11 PM

Please do the following for the Malwarebytes program


  • Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.
  • Restart your computer (very important).
  • Download and run this utility.
  • It will ask to restart your computer (please allow it to).
  • After the computer restarts, install the latest version from here.

NEXT

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

File::
C:\Program Files (x86)\FoxTabFLVPlayer\FLVPlayer.exe
C:\Program Files (x86)\StartNow Toolbar\ReactivateIE.exe
C:\Program Files (x86)\StartNow Toolbar\Toolbar32.dll
C:\Program Files (x86)\StartNow Toolbar\ToolbarBroker.exe
C:\Program Files (x86)\StartNow Toolbar\ToolbarUpdaterService.exe
C:\Users\Kee\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\59a1bcca-46ca154d
C:\Users\Kee\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\14\cd5a54e-7449479e
C:\Windows\AutoKMS.exe
C:\Windows\KMSEmulator.exe

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT


I would like to see a list of installed programs, so please do this:
  • Press the Win key + R to open a run box, then copy/paste the following single-line command into the Run box and click OK:

    C:\Qoobox\Add-Remove Programs.txt

  • A text file should open.
  • Post the contents of that file in your next reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 Keewee

Keewee
  • Topic Starter

  • Members
  • 10 posts

Posted 08 April 2012 - 06:23 PM

Hello,

I had to re-do the Malwarebytes part twice but it finally worked.

I have attached and also copied and pasted the files.

ComboFix stuff:

ComboFix 12-04-07.02 - Kee 04/08/2012 16:35:18.2.8 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.6076.3824 [GMT -4:00]
Running from: c:\users\Kee\Desktop\ComboFix.exe
Command switches used :: c:\users\Kee\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\program files (x86)\FoxTabFLVPlayer\FLVPlayer.exe"
"c:\program files (x86)\StartNow Toolbar\ReactivateIE.exe"
"c:\program files (x86)\StartNow Toolbar\Toolbar32.dll"
"c:\program files (x86)\StartNow Toolbar\ToolbarBroker.exe"
"c:\program files (x86)\StartNow Toolbar\ToolbarUpdaterService.exe"
"c:\users\Kee\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\59a1bcca-46ca154d"
"c:\users\Kee\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\14\cd5a54e-7449479e"
"c:\windows\AutoKMS.exe"
"c:\windows\KMSEmulator.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\FoxTabFLVPlayer\FLVPlayer.exe
c:\program files (x86)\StartNow Toolbar\ReactivateIE.exe
c:\program files (x86)\StartNow Toolbar\Toolbar32.dll
c:\program files (x86)\StartNow Toolbar\ToolbarBroker.exe
c:\program files (x86)\StartNow Toolbar\ToolbarUpdaterService.exe
c:\windows\AutoKMS.exe
c:\windows\KMSEmulator.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-03-08 to 2012-04-08 )))))))))))))))))))))))))))))))
.
.
2012-04-08 21:05 . 2012-04-08 21:05 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-04-08 20:22 . 2012-04-08 20:22 -------- d-----w- c:\users\Kee\AppData\Roaming\Malwarebytes
2012-04-08 20:21 . 2012-04-08 20:21 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-04-08 20:21 . 2012-04-08 20:21 -------- d-----w- c:\programdata\Malwarebytes
2012-04-08 20:21 . 2011-12-10 19:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-08 17:55 . 2012-03-14 03:27 8669240 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B886D8F5-03CA-433E-8CD1-B4D2DE6F537A}\mpengine.dll
2012-04-07 22:31 . 2012-04-07 22:31 -------- d-----w- c:\program files (x86)\ESET
2012-04-04 08:44 . 2012-04-04 08:45 -------- d-----w- C:\FRST
2012-04-02 02:32 . 2012-04-02 02:32 -------- d-----w- c:\users\Kee\AppData\Roaming\FLEXnet
2012-04-02 02:32 . 2012-04-02 02:32 -------- d-----w- c:\users\Kee\AppData\Roaming\Nuance
2012-04-02 02:27 . 2012-04-02 02:27 -------- d-----w- c:\programdata\Nuance
2012-04-02 02:27 . 2012-04-02 02:27 -------- d-----w- c:\programdata\FLEXnet
2012-04-02 02:27 . 2012-04-02 02:27 -------- d-----w- c:\program files (x86)\Nuance
2012-03-25 19:24 . 2011-11-19 15:20 5559152 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-03-25 19:24 . 2011-11-19 14:50 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-03-25 19:24 . 2011-11-19 14:50 3913584 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-03-25 19:20 . 2012-02-03 04:34 3145728 ----a-w- c:\windows\system32\win32k.sys
2012-03-25 19:20 . 2012-01-25 06:38 77312 ----a-w- c:\windows\system32\rdpwsx.dll
2012-03-25 19:20 . 2012-01-25 06:38 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-03-25 19:20 . 2012-01-25 06:33 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-03-25 19:20 . 2012-02-10 06:36 1544192 ----a-w- c:\windows\system32\DWrite.dll
2012-03-25 19:20 . 2012-02-10 05:38 1077248 ----a-w- c:\windows\SysWow64\DWrite.dll
2012-03-25 19:19 . 2012-02-17 06:38 1031680 ----a-w- c:\windows\system32\rdpcore.dll
2012-03-25 19:19 . 2012-02-17 05:34 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
2012-03-25 19:19 . 2012-02-17 04:58 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-03-25 19:19 . 2012-02-17 04:57 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-03-19 21:58 . 2012-04-02 06:45 -------- d-----w- c:\program files (x86)\Striiv
2012-03-18 17:46 . 2012-03-18 17:46 592824 ----a-w- c:\program files (x86)\Mozilla Firefox\gkmedias.dll
2012-03-18 17:46 . 2012-03-18 17:46 44472 ----a-w- c:\program files (x86)\Mozilla Firefox\mozglue.dll
2012-03-11 14:46 . 2012-04-02 06:31 -------- d-----w- c:\program files\iPod
2012-03-11 14:46 . 2012-04-02 06:47 -------- d-----w- c:\program files\iTunes
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-14 03:27 . 2012-01-04 02:27 8669240 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-02-20 03:17 . 2011-05-16 03:54 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-02-11 03:02 . 2012-02-11 03:03 927800 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{97D50108-4104-4608-A5D4-08A192E893F4}\gapaengine.dll
2012-01-31 12:44 . 2011-04-22 21:47 279656 ------w- c:\windows\system32\MpSigStub.exe
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2011-03-04 00:52 762000 ----a-r- c:\program files (x86)\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2011-03-04 00:52 762000 ----a-r- c:\program files (x86)\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2011-03-04 00:52 762000 ----a-r- c:\program files (x86)\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MusicManager"="c:\users\Kee\AppData\Local\Programs\Google\MusicManager\MusicManager.exe" [2012-03-20 13324288]
"AttachmentWipermail.haygroup.com"="c:\users\Kee\Forefront UAG Remote Access Agent\mailhaygroupcom\exchange20071\AttachmentWiper.exeBatchRun\run.bat" [2011-08-16 510]
"Facebook Update"="c:\users\Kee\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-02-26 137536]
"OfficeSyncProcess"="c:\program files (x86)\Microsoft Office\Office14\MSOSYNC.EXE" [2010-01-16 717696]
"GameXN (update)"="c:\programdata\GameXN\GameXNGO.exe" [2012-01-03 347008]
"GameXN (news)"="c:\programdata\GameXN\GameXNGO.exe" [2012-01-03 347008]
"GameXN"="c:\programdata\GameXN\GameXNGO.exe" [2012-01-03 347008]
"Striiv Agent"="c:\program files (x86)\Striiv\Agent.exe" [2011-12-22 584928]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-03-04 284696]
"Carbonite Backup"="c:\program files (x86)\Carbonite\Carbonite Backup\CarboniteUI.exe" [2011-03-04 948880]
"googletalk"="c:\program files (x86)\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5.5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-01-21 91520]
"NUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-11-17 113288]
"Desktop Disc Tool"="c:\program files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [2009-12-16 498160]
"RemoteControl10"="c:\program files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe" [2010-02-03 87336]
"BDRegion"="c:\program files (x86)\Cyberlink\Shared files\brs.exe" [2010-06-28 75048]
"KeePass 2 PreLoad"="c:\program files (x86)\KeePass Password Safe 2\KeePass.exe" [2011-04-10 1733120]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"DELL Webcam Manager"="c:\program files (x86)\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-03-06 421736]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-31 460872]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-31 460872]
.
c:\users\Kee\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
EvernoteClipper.lnk - c:\program files (x86)\Evernote\Evernote\EvernoteClipper.exe [2011-6-28 974848]
Facebook Messenger.lnk - c:\users\Kee\AppData\Local\Facebook\Messenger\2.0.4478.0\FacebookMessenger.exe [2012-4-5 204288]
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office14\ONENOTEM.EXE [2010-1-21 226176]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2010-7-29 1132320]
Digital Line Detect.lnk - c:\program files (x86)\Digital Line Detect\DLG.exe [2011-6-23 50688]
Subsonic.lnk - c:\program files (x86)\Subsonic\subsonic-agent.exe [2011-8-11 172032]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
2;2 DMAgent;Intel® PROSet/Wireless WiMAX Red Bend Device Management Service;c:\program files\Intel\WiMAX\Bin\DMAgent.exe [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 uagqecsvc;Microsoft Forefront UAG Quarantine Enforcement Client;c:\users\Kee\Forefront UAG Remote Access Agent\mailhaygroupcom\exchange20071\uagqecsvc.exe [2011-08-16 149904]
R3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [x]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
R3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [x]
R3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [x]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2010-01-21 30963576]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]
R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [2010-03-05 340240]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 288272]
R3 qrkis;Tether Miniport;c:\windows\system32\DRIVERS\qrkis.sys [x]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TurboBoost;TurboBoost;c:\program files\Intel\TurboBoost\TurboBoost.exe [2009-11-02 126352]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S0 stdcfltn;Disk Class Filter Driver for Accelerometer;c:\windows\system32\DRIVERS\stdcfltn.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 {1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC};Power Control [2011/06/23 21:27];c:\program files (x86)\CyberLink\PowerDVD10\NavFilter\000.fcl [2010-06-29 02:50 146928]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-11-17 98208]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-03-04 13336]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-31 652360]
S2 NvtlService;NovaCore SDK Service;c:\program files (x86)\Novatel Wireless\Novacore\Server\NvtlSrvr.exe [2009-12-29 83456]
S2 QDLService2kDell;Qualcomm Gobi 2000 Download Service (Dell);c:\program files (x86)\QUALCOMM\QDLService2k\QDLService2kDell.exe [2010-01-14 330488]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-12-23 378984]
S2 Tether;Tether;c:\program files (x86)\Tether\TBService.exe [2010-11-18 52664]
S2 TurboB;Turbo Boost UI Monitor driver;c:\windows\system32\DRIVERS\TurboB.sys [x]
S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-07-01 2533400]
S2 WiMAXAppSrv;Intel® PROSet/Wireless WiMAX Service;c:\program files\Intel\WiMAX\Bin\AppSrv.exe [2010-06-07 911872]
S2 WMCoreService;Mobile Broadband Service;c:\program files (x86)\Dell\Dell WWAN\WMCore\mini_WMCore.exe servicemode [x]
S3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Accelern.sys [x]
S3 AVer7231_x64;AVerMedia 7231 capture service;c:\windows\system32\DRIVERS\AVer7231_x64.sys [x]
S3 bpenum;bpenum;c:\windows\system32\DRIVERS\bpenum.sys [x]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETw5s64.sys [x]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [x]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [x]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
S3 qicflt;upper Device Filter Driver;c:\windows\system32\DRIVERS\qicflt.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-08 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2691896802-1096055340-2538439355-1001Core.job
- c:\users\Kee\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-08-22 21:56]
.
2012-04-08 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2691896802-1096055340-2538439355-1001UA.job
- c:\users\Kee\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-08-22 21:56]
.
2012-04-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2691896802-1096055340-2538439355-1001Core.job
- c:\users\Kee\AppData\Local\Google\Update\GoogleUpdate.exe [2011-04-23 23:33]
.
2012-04-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2691896802-1096055340-2538439355-1001UA.job
- c:\users\Kee\AppData\Local\Google\Update\GoogleUpdate.exe [2011-04-23 23:33]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2011-03-04 00:36 1174672 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2011-03-04 00:36 1174672 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2011-03-04 00:36 1174672 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2010-03-05 1928976]
"FreeFallProtection"="c:\program files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe" [2010-09-24 727664]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-30 499608]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2010-12-24 312936]
"IntelWirelessWiMAX"="c:\program files\Intel\WiMAX\Bin\WiMAXCU.exe" [2010-06-08 1441792]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtkNGUI64.exe" [2011-02-18 6611048]
"RtHDVBg"="c:\program files\Realtek\Audio\HDA\RAVBg64.exe" [2011-01-18 2188904]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 1436736]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Add to Evernote 4.0 - c:\program files (x86)\Evernote\Evernote\EvernoteIE.dll/204
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~3\Office14\ONBttnIE.dll/105
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Trusted Zone: dell.com\smartsource
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{A6CFF1B1-DF9D-4DDE-9DFE-69516A0A5666}: NameServer = 208.67.222.222,208.67.220.220
FF - ProfilePath - c:\users\Kee\AppData\Roaming\Mozilla\Firefox\Profiles\1lruk8w2.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z128&form=ZGAADF&install_date=20111229&q=
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\{1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC}]
"ImagePath"="\??\c:\program files (x86)\CyberLink\PowerDVD10\NavFilter\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:3e,d2,8a,70,a6,78,a5,28,17,2f,5e,5d,31,0d,94,95,93,d5,cd,a6,bf,
a6,50,6e,fc,c4,c4,a9,0b,59,fd,9d,96,41,eb,30,0f,43,11,01,4f,60,93,4d,16,14,\
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10m.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10m.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10m.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10m.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:3e,d2,8a,70,a6,78,a5,28,17,2f,5e,5d,31,0d,94,95,93,d5,cd,a6,bf,
a6,50,6e,fc,c4,c4,a9,0b,59,fd,9d,96,41,eb,30,0f,43,11,01,4f,60,93,4d,16,14,\
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-04-08 17:28:55
ComboFix-quarantined-files.txt 2012-04-08 21:28
ComboFix2.txt 2012-04-07 21:16
.
Pre-Run: 91,302,645,760 bytes free
Post-Run: 91,498,168,320 bytes free
.
- - End Of File - - F3D992472D6EBBD8B435307DEA953B2D


Program List:

µTorrent
AC3Filter 1.63b
AccelerometerP11
Adobe AIR
Adobe Community Help
Adobe Creative Suite 5.5 Master Collection
Adobe Digital Editions
Adobe Flash Player 10 ActiveX
Adobe Reader X (10.1.2)
Adobe Widget Browser
Advanced Audio FX Engine
Advanced Video FX Engine
Advertising Center
Amazon Kindle
Apple Application Support
Apple Software Update
AVerMedia H339 Hybrid TV Tuner 2.2.64.64
AVGo Media Recorder 1.08
Blu-ray Disc Authoring Plug-in
Canon DIGITAL CAMERA Solution Disk Software Guide
CANON iMAGE GATEWAY MyCamera Download Plugin
CANON iMAGE GATEWAY Task for ZoomBrowser EX
Canon MOV Decoder
Canon MOV Encoder
Canon MovieEdit Task for ZoomBrowser EX
Canon PowerShot ELPH 300 HS_IXUS 220 HS Camera User Guide
Canon Utilities CameraWindow DC 8
Canon Utilities CameraWindow Launcher
Canon Utilities Movie Uploader for YouTube
Canon Utilities MyCamera
Canon Utilities PhotoStitch
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
Carbonite
Combined Community Codec Pack 2010-10-10
CoreAVC Professional Edition (remove only)
CyberLink PowerDVD 10
DAEMON Tools Lite
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
Dell Driver Download Manager
Dell Mobile Broadband Utility
Dell Webcam Center
Dell Webcam Manager
Dell Wireless HSPA Mini-Card Drivers
Digital Line Detect
DivX Web Player
DolbyFiles
Download Updater (AOL LLC)
DTS Plug-in
ESET Online Scanner v3
Evernote v. 4.4.2
Facebook Messenger 2.0.4478.0
Facebook Video Calling 1.2.0.159
Fate/stay night English v3.2
fbDownloader 1.0.2.0
Flixster Collections
GameXN GO
Google Chrome
Google Talk (remove only)
Google Talk Plugin
Gracenote Plug-in
Haali Media Splitter
ImagXpress
InstallVC90Support
Intel® Control Center
Intel® Management Engine Components
Intel® Rapid Storage Technology
Intel® Turbo Boost Technology Driver
Java Auto Updater
Java™ 6 Update 30
JDownloader 0.9
JMicron Flash Media Controller Driver
KeePass Password Safe 2.15
Last.fm 1.5.4.27091
Live! Cam Avatar Creator
Live! Cam Avatar v1.0
Malwarebytes Anti-Malware version 1.60.1.1000
Media Player Classic - Home Cinema v1.5.0.2827
Microsoft AppLocale
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Groove MUI (English) 2010
Microsoft Office InfoPath MUI (English) 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Professional Plus 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Word MUI (English) 2010
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
Microsoft WSE 3.0 Runtime
Microsoft_VC80_ATL_x86
Microsoft_VC80_CRT_x86
Microsoft_VC80_MFC_x86
Microsoft_VC80_MFCLOC_x86
Microsoft_VC90_ATL_x86
Microsoft_VC90_CRT_x86
Microsoft_VC90_MFC_x86
Microsoft_VC90_MFCLOC_x86
Mozilla Firefox 11.0 (x86 en-US)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Music Manager
Nero ControlCenter
Nero Installer
Nero MediaHome 4
Nero Move it
neroxml
Netwaiting
Notepad++
NVIDIA Stereoscopic 3D Driver
Orb Runtime libraries
PDF Settings CS5
PDFCreator
Qualcomm Gobi 2000 Package for Dell
QuickTime
Realtek Ethernet Controller Driver
Realtek High Definition Audio Driver
Renesas Electronics USB 3.0 Host Controller Driver
Roxio Burn
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Skype™ 5.5
Spotify
StartNow Toolbar
Steam
STEINS;GATE
StreamTransport version: 1.0.2.2171
Striiv version 1.0.0.164
Subsonic
System Requirements Lab CYRI
Tether 1.4.4.0
The Sims Medieval
The Sims™ 3
The Sims™ 3 Ambitions
The Sims™ 3 Fast Lane Stuff
The Sims™ 3 Generations
The Sims™ 3 High-End Loft Stuff
The Sims™ 3 Late Night
The Sims™ 3 Outdoor Living Stuff
The Sims™ 3 Town Life Stuff
The Sims™ 3 World Adventures
TweetDeck
Unity Web Player
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2600217)
Update for Microsoft Office 2010 (KB2494150)
Update for Microsoft Office 2010 (KB2553092)
VC80CRTRedist - 8.0.50727.762
VLC media player 1.1.9
World of Warcraft


#8 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:03:35 PM

Posted 08 April 2012 - 06:43 PM

Hi

Your Java is out of date.
Java™ 6 Update 30 can be updated from the Java control panel: Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now.
An update should begin; follow the prompts.


NEXT

P2P - I see you have P2P software utorrent installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It likely contributed to your current situation. This page will give you further information.
Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.
Please see this topic for more information:
Perils of P2P File Sharing.
I would strongly recommend that you uninstall this. You can do so via Control Panel >> Add or Remove Programs.


NEXT

Please advise how the computer is running now and if there are any outstanding issues.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 Keewee

Keewee
  • Topic Starter

  • Members
  • 10 posts
  • Local time:03:35 PM

Posted 08 April 2012 - 06:51 PM

I couldn't find the Update tab going through those steps for Java.

I then tried to Google it and the search re-directed.


For the uTorrent thing, my friend downloaded it on my computer. Should I just uninstall it?

#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:03:35 PM

Posted 08 April 2012 - 07:36 PM

Yes, I'd uninstall it. It can bring more problems than it's worth.

Please try the following:

Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • when the window opens, click on Change Parameters
  • under "Additional options", put a check mark in the box next to "Detect TDLFS File System"
  • click OK
  • Press Start Scan
    • If Malicious objects are found then ensure Cure is selected
    • If TDLFS File System is found then ensure Delete is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#11 Keewee

Keewee
  • Topic Starter

  • Members
  • 10 posts
  • Local time:03:35 PM

Posted 08 April 2012 - 08:21 PM

It won't run even if I rename it iexplore.com

:( What should I do?

#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:03:35 PM

Posted 08 April 2012 - 08:35 PM

Please try running it in safe mode.

To Enter Safemode
  • Go to Start> Shut off your Computer> Restart
  • As the computer starts to boot-up, Tap the F8 KEY repeatedly,
  • this will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to Safemode
  • Then press the Enter Key on your Keyboard
  • go into your usual account


If it still won't run in safe mode, then try the following:


Download FixTDSS and save it to your desktop.

  • Double click on the FixTDSS.exe icon to run it.
  • Click the "I Accept" button, then the "Proceed" button to begin
  • The tool will restart your computer automatically - click OK to allow it to do so
  • The tool will begin its scan on reboot > click "run" to begin
  • It will report if an infected MBR is found > click the "repair" button
  • a log is created in the same location as the tool and is called FixTDSS.log, please post the content in your next reply

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#13 Keewee

Keewee
  • Topic Starter

  • Members
  • 10 posts
  • Local time:03:35 PM

Posted 08 April 2012 - 09:00 PM

It didn't work in SafeMode, but FixTDSS did seem to work. It didn't create a log though?

I tried Google searches but no re-directs. My search engine in Firefox still isn't there, though.


Is there anything else I should do? What should I do to prevent this? Malwarebytes? Microsoft Security Essentials? Eset NOD32 or Smart Security?

:(

#14 Keewee

Keewee
  • Topic Starter

  • Members
  • 10 posts
  • Local time:03:35 PM

Posted 08 April 2012 - 09:34 PM

... Sorry for the double-post. Now any real-time protection gives a popup error for Malwarebytes, and sometimes Microsoft Security Essentials.

[OpenEvent] Failed to perform desired action. Error Code: 2

And the

PROOGRAM_ERROR_PROTECTION_MODULE (1068, 0, ProtectionEnabled)


:( Is there something that's making it error?

#15 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:03:35 PM

Posted 09 April 2012 - 07:41 AM

Malware may have corrupted those programs;

they need to be uninstalled, then re-installed.

Same for Firefox (what exactly do you mean when you say "I tried Google searches but no re-directs. My search engine in Firefox still isn't there, though."?)

Use this utility to clean up MBAM, then download and reinstall it

  • Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.
  • Restart your computer (very important).
  • Download and run this utility.
  • It will ask to restart your computer (please allow it to).
  • After the computer restarts, install the latest version from here.


MalwareBytes Security Essentials and ESET are comparable products, both are very good. I'm not familiar with Smart Security so can't comment on it. MalwareBytes will complement any AntiVirus, I'm not aware of it conflicting with anything,

but let's see if we can get you totally clean and functioning properly now.

Did you try TDSSKiller after you ran FixTDSS? Does it run now?

Edited by CatByte, 09 April 2012 - 07:41 AM.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
