flashplayer update => securityshield & sirefef


  • This topic is locked
26 replies to this topic

#1 taxidiotes

  • Members
  • 15 posts

Posted 04 June 2012 - 04:52 PM

This is a follow-on from this topic in the subforum "Am I infected? What do I do?".

Here is a brief history of what occurred (copied from the link above for convenience):

  • 2 days ago while I was browsing (no suspicious sites), an Adobe Flash player updater window appeared. This was already installed so I allowed it to proceed. Next thing I know a 'SecurityShield' application installed itself (I may have unwittingly allowed it to, I honestly don't remember). Before this, MSE was running; it was now gone. The task manager could not be launched, the firewall was also gone (I use the standard Windows version). I was also warned about viruses etc. and was prompted to purchase the pro version of securityshield.
  • I ended up uninstalling securityshield (from the Control Panel if I remember correctly), then reinstalled MSE and did a full system scan. The Sirefef trojan was detected but could not be removed. The system then rebooted within about a minute after the virus was detected (a prompt indicated this would occur).
  • Every startup after that MSE would detect Sirefef, attempt to remove it and the system would reboot again (after it prompted that it would). At this stage, task manager could be launched.
    Quarantined items:
    - Trojan:Win64/Sirefef.W (6 instances, dates are 3/6 and 4/6/2012)
    - VirTool:Win32/Evidpatch.A (17/4/2012)
    Threat detected:
    - Trojan:Win64/Sirefef.Y => reboot
  • I uninstalled MSE via the control panel. To avoid another reboot before this could be completed, I killed the MSE client process before it could try removing the virus. The continuous reboots then stopped.
  • I tried removing it with a number of tools. Here is a list:
    - Microsoft security essentials (first & last attempted, behaviour always as described above).
    - Microsoft Malware removal tool (nothing found)
    - Malwarebytes anti-malware tool (1 virus removed - I don't have a record of which, nothing found after that)
    - Super antispyware (nothing found)
    - Kaspersky virus removal tool (nothing found)
    - Kaspersky TDSS rootkit removal tool (suspicious objects: one locked file [sptd service], 6 unsigned files, medium risk, skip preselected for all)
    - Microsoft fixit (tried to fix the firewall, no joy)
    - Combofix (installation aborts)


I have not archived the reports. All AV tools are now uninstalled.
Edit: It may or may not be important, but the OS appearance has changed from aero to classic windows.
My OS is Win7 64-bit Home Premium; the AV software was Microsoft Security Essentials (now uninstalled).
I am writing this from a second, clean system (both are laptops) with Windows XP professional SP3.

As requested, I have executed Defogger & DDS on the infected system. This is the DDS log:

-----------------------------------------------------------------------------------------

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_31
Run by Dimitris at 0:11:33 on 2012-06-05
Microsoft Windows 7 Home Premium 6.1.7601.1.1253.30.1032.18.8046.6225 [GMT 3:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\Program Files (x86)\Prey\platform\windows\cronsvc.exe
C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50STB.EXE
C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50RPB.EXE
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\SysWOW64\SAgent4.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe
C:\Program Files (x86)\SONY\VAIO Event Service\VESMgr.exe
C:\Program Files (x86)\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe
C:\Program Files\Sony\VAIO Smart Network\VSNService.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Windows\SysWOW64\DllHost.exe
C:\Program Files (x86)\SONY\VAIO Event Service\VESMgrSub.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\SPF\SpfService64.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Sony\VAIO Smart Network\VSNClient.exe
C:\Program Files\Sony\VAIO Gate\VAIO Gate.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\VAIO Power Management\SPMService.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\System32\spool\drivers\x64\3\E_IATIGXE.EXE
C:\Windows\System32\spool\drivers\x64\3\E_IATIGXE.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files (x86)\MagicDisc\MagicDisc.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
C:\Program Files (x86)\SONY\ISB Utility\ISBMgr.exe
C:\Program Files (x86)\SONY\PMB\PMBVolumeWatcher.exe
C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe
C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SHTtray.exe
C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Mattel\Barbie Video Girl\Barbie Video Girl Autolauncher.exe
C:\Program Files (x86)\Samsung\AllShare\AllShareAgent.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files (x86)\Nero\Update\NASvc.exe
C:\Program Files (x86)\Samsung\AllShare\AllShareDMS\AllShareDMS.exe
C:\Windows\system32\sppsvc.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Sony\VAIO Update 5\VAIOUpdt.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Sony\VAIO Update Common\VUAgent.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=SVEC&bmod=EU01
uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=SVEC&bmod=EU01
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
uRun: [Epson Stylus Photo PX820FWD(Network)] C:\Windows\system32\spool\DRIVERS\x64\3\E_IATIGXE.EXE /FU "C:\Users\Dimitris\AppData\Local\Temp\E_S45C6.tmp" /EF "HKCU"
uRun: [EPSON PX820FWD Series] C:\Windows\system32\spool\DRIVERS\x64\3\E_IATIGXE.EXE /FU "C:\Windows\TEMP\E_S1869.tmp" /EF "HKCU"
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [FUFAXSTM] "C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe"
mRun: [ISBMgr.exe] "C:\Program Files (x86)\Sony\ISB Utility\ISBMgr.exe"
mRun: [PMBVolumeWatcher] C:\Program Files (x86)\Sony\PMB\PMBVolumeWatcher.exe
mRun: [EEventManager] "C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe"
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [SHTtray.exe] C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SHTtray.exe
mRun: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
mRun: [NBAgent] "C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe" /WinStart
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [BarbieVideoGirlAutoLauncher] "C:\Program Files (x86)\Mattel\Barbie Video Girl\Barbie Video Girl Autolauncher.exe"
mRun: [AllShareAgent] C:\Program Files (x86)\Samsung\AllShare\AllShareAgent.exe
StartupFolder: C:\Users\Dimitris\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\MAGICD~1.LNK - C:\Program Files (x86)\MagicDisc\MagicDisc.exe
StartupFolder: C:\Users\Dimitris\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\OPENOF~1.LNK - C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\BLUETO~1.LNK - C:\Program Files (x86)\WIDCOMM\Bluetooth Software\BTTray.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: EnableLinkedConnections = 1 (0x1)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: Αποστολή εικόνας στη συσκευή &Bluetooth... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Αποστολή σελίδας στη συσκευή &Bluetooth... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {E0B8C461-F8FB-49b4-8373-FE32E92528A6} - {BC0E0A5D-AB5A-4fa4-A5FA-280E1D58EEEE} - C:\Program Files (x86)\Evernote\Evernote3.5\enbar.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{33E16AA4-7666-4C96-A7FD-CC130D4C0D78} : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{33E16AA4-7666-4C96-A7FD-CC130D4C0D78}\07C616E656870373531333135633 : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{33E16AA4-7666-4C96-A7FD-CC130D4C0D78}\07C616E656871323363613364373 : DhcpNameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{33E16AA4-7666-4C96-A7FD-CC130D4C0D78}\7596E646027596649602846335539507 : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{CA34CC92-2599-464B-B82F-FB9082705712} : DhcpNameServer = 192.168.1.254
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
Notify: VESWinlogon - VESWinlogon.dll
{18DF081C-E8AD-4283-A596-FA578C2EBDC3}
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
{DBC80044-A445-435b-BC74-9C25C1C588A9}
mRun-x64: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun-x64: [FUFAXSTM] "C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe"
mRun-x64: [ISBMgr.exe] "C:\Program Files (x86)\Sony\ISB Utility\ISBMgr.exe"
mRun-x64: [PMBVolumeWatcher] C:\Program Files (x86)\Sony\PMB\PMBVolumeWatcher.exe
mRun-x64: [EEventManager] "C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe"
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [SHTtray.exe] C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SHTtray.exe
mRun-x64: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
mRun-x64: [NBAgent] "C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe" /WinStart
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [BarbieVideoGirlAutoLauncher] "C:\Program Files (x86)\Mattel\Barbie Video Girl\Barbie Video Girl Autolauncher.exe"
mRun-x64: [AllShareAgent] C:\Program Files (x86)\Samsung\AllShare\AllShareAgent.exe
IE-X64: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Dimitris\AppData\Roaming\Mozilla\Firefox\Profiles\sohcih90.default\
FF - prefs.js: browser.search.selectedEngine - Google.com (in English)
FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com
FF - prefs.js: keyword.URL - hxxp://search.skipity.com/?source=ab&q=
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\PROGRA~2\COMMON~1\Nero\BROWSE~1\npBrowserPlugin.dll
FF - plugin: C:\Program Files (x86)\Canon\MyCamera Download Plugin\NPCIG.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\OpenOffice.org 3\program\npsoplugin.dll
FF - plugin: C:\Users\Dimitris\AppData\Roaming\Mozilla\Firefox\Profiles\sohcih90.default\extensions\{1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}\plugins\npietab2.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_2_202_235.dll
.
============= SERVICES / DRIVERS ===============
.
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 CronService;Cron Service for Prey;C:\Program Files (x86)\Prey\platform\windows\cronsvc.exe [2010-9-30 19968]
R2 EPSON_EB_RPCV4_04;EPSON V5 Service4(04);C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50STB.EXE [2010-12-31 166400]
R2 EPSON_PM_RPCV4_04;EPSON V3 Service4(04);C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50RPB.EXE [2010-12-31 128512]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-2-4 13336]
R2 NAUpdate;Nero Update;C:\Program Files (x86)\Nero\Update\NASvc.exe [2011-11-25 687400]
R2 rimspci;rimspci;C:\Windows\system32\drivers\rimssne64.sys --> C:\Windows\system32\drivers\rimssne64.sys [?]
R2 risdsnpe;risdsnpe;C:\Windows\system32\drivers\risdsne64.sys --> C:\Windows\system32\drivers\risdsne64.sys [?]
R2 SamsungAllShareV2.0;Samsung AllShare PC;C:\Program Files (x86)\Samsung\AllShare\AllShareDMS\AllShareDMS.exe [2012-3-2 25504]
R2 uCamMonitor;CamMonitor;C:\Program Files (x86)\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe [2010-2-26 104960]
R2 UNS;Intel® Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-9-2 2320920]
R2 VCFw;VAIO Content Folder Watcher;C:\Program Files (x86)\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe [2011-1-20 887000]
R2 VSNService;VSNService;C:\Program Files\Sony\VAIO Smart Network\VSNService.exe [2010-10-4 845312]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;C:\Windows\system32\DRIVERS\ArcSoftKsUFilter.sys --> C:\Windows\system32\DRIVERS\ArcSoftKsUFilter.sys [?]
R3 HECIx64;Intel® Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
R3 Impcd;Impcd;C:\Windows\system32\DRIVERS\Impcd.sys --> C:\Windows\system32\DRIVERS\Impcd.sys [?]
R3 SFEP;Sony Firmware Extension Parser;C:\Windows\system32\drivers\SFEP.sys --> C:\Windows\system32\drivers\SFEP.sys [?]
R3 SpfService;VAIO Entertainment Common Service;C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\SPF\SpfService64.exe [2011-1-20 286936]
R3 VAIO Power Management;VAIO Power Management;C:\Program Files\Sony\VAIO Power Management\SPMService.exe [2010-2-26 571248]
R3 VUAgent;VUAgent;C:\Program Files\Sony\VAIO Update Common\VUAgent.exe [2012-1-13 1256040]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk62x64.sys --> C:\Windows\system32\DRIVERS\yk62x64.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-2-26 133104]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;C:\Program Files (x86)\Roxio\Digital Home 10\RoxioUpnpService10.exe [2009-8-31 362992]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-2-15 158856]
S2 SOHCImp;VAIO Media plus Content Importer;C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SOHCImp.exe [2010-9-10 108400]
S2 SOHDms;VAIO Media plus Digital Media Server;C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SOHDms.exe [2010-10-12 423280]
S2 SOHDs;VAIO Media plus Device Searcher;C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SOHDs.exe [2010-9-10 67952]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-3-30 257696]
S3 androidusb;ADB Interface Driver;C:\Windows\system32\Drivers\androidusb.sys --> C:\Windows\system32\Drivers\androidusb.sys [?]
S3 btusbflt;Bluetooth USB Filter;C:\Windows\system32\drivers\btusbflt.sys --> C:\Windows\system32\drivers\btusbflt.sys [?]
S3 btwl2cap;Bluetooth L2CAP Service;C:\Windows\system32\DRIVERS\btwl2cap.sys --> C:\Windows\system32\DRIVERS\btwl2cap.sys [?]
S3 gupdatem;Υπηρεσία Google Update (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-2-26 133104]
S3 IntcDAud;Intel® Display Audio;C:\Windows\system32\DRIVERS\IntcDAud.sys --> C:\Windows\system32\DRIVERS\IntcDAud.sys [?]
S3 massfilter_hs;ZTE HandSet Mass Storage Filter Driver;C:\Windows\system32\drivers\massfilter_hs.sys --> C:\Windows\system32\drivers\massfilter_hs.sys [?]
S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-5-12 129976]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\Windows\system32\DRIVERS\nusb3hub.sys --> C:\Windows\system32\DRIVERS\nusb3hub.sys [?]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\Windows\system32\DRIVERS\nusb3xhc.sys --> C:\Windows\system32\DRIVERS\nusb3xhc.sys [?]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;C:\Program Files (x86)\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [2009-8-31 313840]
S3 s1018bus;Sony Ericsson Device 1018 driver (WDM);C:\Windows\system32\DRIVERS\s1018bus.sys --> C:\Windows\system32\DRIVERS\s1018bus.sys [?]
S3 s1018mdfl;Sony Ericsson Device 1018 USB WMC Modem Filter;C:\Windows\system32\DRIVERS\s1018mdfl.sys --> C:\Windows\system32\DRIVERS\s1018mdfl.sys [?]
S3 s1018mdm;Sony Ericsson Device 1018 USB WMC Modem Driver;C:\Windows\system32\DRIVERS\s1018mdm.sys --> C:\Windows\system32\DRIVERS\s1018mdm.sys [?]
S3 s1018mgmt;Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM);C:\Windows\system32\DRIVERS\s1018mgmt.sys --> C:\Windows\system32\DRIVERS\s1018mgmt.sys [?]
S3 s1018nd5;Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS);C:\Windows\system32\DRIVERS\s1018nd5.sys --> C:\Windows\system32\DRIVERS\s1018nd5.sys [?]
S3 s1018obex;Sony Ericsson Device 1018 USB WMC OBEX Interface;C:\Windows\system32\DRIVERS\s1018obex.sys --> C:\Windows\system32\DRIVERS\s1018obex.sys [?]
S3 s1018unic;Sony Ericsson Device 1018 USB Ethernet Emulation (WDM);C:\Windows\system32\DRIVERS\s1018unic.sys --> C:\Windows\system32\DRIVERS\s1018unic.sys [?]
S3 SimpleSlideShowServer;SimpleSlideShowServer;C:\Program Files (x86)\Samsung\AllShare\AllShareSlideShowService.exe [2012-3-2 27584]
S3 SQTECH900A;Barbie Video Girl-Video(PID_909B_00);C:\Windows\system32\Drivers\CaptFXV2.sys --> C:\Windows\system32\Drivers\CaptFXV2.sys [?]
S3 SQUSBDng;Service for Audio Driver;C:\Windows\system32\drivers\FXV2AUD.sys --> C:\Windows\system32\drivers\FXV2AUD.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 TVICHW64;TVICHW64;\??\C:\Windows\system32\DRIVERS\TVICHW64.SYS --> C:\Windows\system32\DRIVERS\TVICHW64.SYS [?]
S3 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;C:\Program Files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe [2011-5-19 549616]
S3 VcmINSMgr;VAIO Content Metadata Intelligent Network Service Manager;C:\Program Files\Sony\VCM Intelligent Network Service Manager\VcmINSMgr.exe [2010-10-25 387896]
S3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;C:\Program Files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper64.exe [2011-2-18 99104]
S3 WatAdminSvc;Υπηρεσία Τεχνολογιών ενεργοποίησης των Windows;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S3 zghsdiag;ZTE General Handset Diagnostic Port;C:\Windows\system32\DRIVERS\zghsdiag.sys --> C:\Windows\system32\DRIVERS\zghsdiag.sys [?]
S3 zghsmdm;ZTE General Handset USB Modem Proprietary;C:\Windows\system32\DRIVERS\zghsmdm.sys --> C:\Windows\system32\DRIVERS\zghsmdm.sys [?]
S3 zghsnmea;ZTE General Handset NMEA Port;C:\Windows\system32\DRIVERS\zghsnmea.sys --> C:\Windows\system32\DRIVERS\zghsnmea.sys [?]
.
=============== Created Last 30 ================
.
2012-06-04 20:24:06 -------- d-sh--w- C:\Windows\System32\%APPDATA%
2012-06-04 15:08:32 -------- d-----w- C:\ProgramData\Kaspersky Lab
2012-06-03 16:07:59 -------- d-----w- C:\Users\Dimitris\AppData\Roaming\Malwarebytes
2012-06-03 16:07:55 -------- d-----w- C:\ProgramData\Malwarebytes
2012-06-03 13:57:16 -------- d-----w- C:\d3ba6247f4e4ce22c61141dd
2012-06-03 13:52:56 -------- d-----w- C:\31f238157ae057e64cd6
2012-06-03 13:50:37 -------- d-----w- C:\eb59cf17b5cd0784c890d5d9
2012-05-12 08:39:52 -------- d-----w- C:\Program Files (x86)\Mozilla Maintenance Service
2012-05-12 08:39:49 157352 ----a-w- C:\Program Files (x86)\Mozilla Firefox\maintenanceservice_installer.exe
2012-05-12 08:39:49 129976 ----a-w- C:\Program Files (x86)\Mozilla Firefox\maintenanceservice.exe
2012-05-11 17:51:07 1544704 ----a-w- C:\Windows\System32\DWrite.dll
2012-05-11 17:51:06 1077248 ----a-w- C:\Windows\SysWow64\DWrite.dll
2012-05-11 17:51:05 5559664 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-05-11 17:51:04 3146240 ----a-w- C:\Windows\System32\win32k.sys
2012-05-11 17:51:03 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-05-11 17:51:03 3913072 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-05-11 17:50:31 75120 ----a-w- C:\Windows\System32\drivers\partmgr.sys
2012-05-11 17:50:22 1918320 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2012-05-11 17:50:20 936960 ----a-w- C:\Program Files (x86)\Common Files\Microsoft Shared\ink\journal.dll
2012-05-11 17:50:20 1732096 ----a-w- C:\Program Files\Windows Journal\NBDoc.DLL
2012-05-11 17:50:20 1402880 ----a-w- C:\Program Files\Windows Journal\JNWDRV.dll
2012-05-11 17:50:20 1393664 ----a-w- C:\Program Files\Windows Journal\JNTFiltr.dll
2012-05-11 17:50:20 1367552 ----a-w- C:\Program Files\Common Files\Microsoft Shared\ink\journal.dll
.
==================== Find3M ====================
.
2012-06-04 21:08:11 29 ----a-w- C:\Windows\SysWow64\TempWmicBatchFile.bat
2012-06-03 11:40:01 70304 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-06-03 11:40:01 419488 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-05-05 19:15:49 8744608 ----a-w- C:\Windows\SysWow64\FlashPlayerInstaller.exe
2012-03-30 15:24:38 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
.
============= FINISH: 0:12:41,17 ===============

-----------------------------------------------------------------------------------------

I did not execute GMER since the infected system is 64-bit.
Finally, I have also attached the second file generated by DDS as suggested.

Edited by taxidiotes, 04 June 2012 - 05:00 PM.



#2 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 08 June 2012 - 08:57 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.
  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  • Please reply to this post so I know you are there.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 taxidiotes

  • Topic Starter
  • Members
  • 15 posts

Posted 14 June 2012 - 09:07 AM

I apologise for the delay, I was absent for the past 5 days with no internet access. I will be able to reply immediately from now on.
I eagerly await your instructions.

#4 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 14 June 2012 - 01:36 PM

Okay, let's start with aswMBR, which looks for rootkits and related malware.

Please download aswMBR (511KB) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.


#5 taxidiotes

  • Topic Starter
  • Members
  • 15 posts

Posted 15 June 2012 - 02:41 PM

Did as instructed.
The application prompted me to download the latest virus definitions which I did.
I then selected 'Scan'. After about 5' a blue screen appeared. All I had time to read was "A problem has been detected and windows will shut down to protect your computer".
I saw no red lines of text in the aswMBR window before the blue screen appeared.

A few seconds later a reboot occurred. After startup the following message appeared:

"Windows has recovered from an unexpected shutdown"
---
Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.1.7601.2.0.0.768.3
Locale ID: 1032

Additional information about the problem:
BCCode: 109
BCP1: A3A039D89E38A5DA
BCP2: B3B7465EF0B6E298
BCP3: FFFFF8800316F5C0
BCP4: 0000000000000002
OS Version: 6_1_7601
Service Pack: 1_0
Product: 768_1

Files that help describe the problem:
C:\Windows\Minidump\061512-24273-01.dmp
C:\Users\Dimitris\AppData\Local\Temp\WER-720194-0.sysdata.xml

Read our privacy statement online:
http://go.microsoft.com/fwlink/?linkid=104288&clcid=0x0408

If the online privacy statement is not available, please read our privacy statement offline:
C:\Windows\system32\el-GR\erofflps.txt
---

Shall I repeat the scan, upload the dump file or do something else?
Thanks for your help BTW.

Edited by taxidiotes, 15 June 2012 - 02:50 PM.


#6 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 15 June 2012 - 07:28 PM

Can you boot into Safe Mode and try aswMBR again, please?

#7 taxidiotes

  • Topic Starter
  • Members
  • 15 posts

Posted 16 June 2012 - 01:21 AM

It worked in safe mode!
Here is the log:

---
aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-06-16 08:50:50
-----------------------------
08:50:50.162 OS Version: Windows x64 6.1.7601 Service Pack 1
08:50:50.162 Number of processors: 4 586 0x2505
08:50:50.162 ComputerName: ALWAYSJOYFUL UserName: Dimitris
08:50:51.472 Initialize success
08:50:58.352 AVAST engine defs: 12061500
08:51:07.384 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
08:51:07.384 Disk 0 Vendor: ST950032 0006 Size: 476940MB BusType: 3
08:51:07.384 Disk 1 \Device\Harddisk1\DR1 -> \Device\0000006b
08:51:07.400 Disk 1 Vendor: RICOH 02 Size: 476940MB BusType: 0
08:51:07.400 Disk 2 \Device\Harddisk2\DR2 -> \Device\0000006c
08:51:07.400 Disk 2 Vendor: RICOH 02 Size: 476940MB BusType: 0
08:51:07.415 Disk 0 MBR read successfully
08:51:07.431 Disk 0 MBR scan
08:51:07.431 Disk 0 Windows 7 default MBR code
08:51:07.431 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 14587 MB offset 2048
08:51:07.462 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 29876224
08:51:07.462 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 462251 MB offset 30081024
08:51:07.478 Disk 0 scanning C:\Windows\system32\drivers
08:51:19.552 Service scanning
08:51:40.753 Modules scanning
08:51:40.753 Disk 0 trace - called modules:
08:51:40.768 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys iaStor.sys hal.dll
08:51:40.768 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800847c060]
08:51:40.768 3 CLASSPNP.SYS[fffff88001b5d43f] -> nt!IofCallDriver -> [0xfffffa80073f1a40]
08:51:40.784 5 ACPI.sys[fffff88000f237a1] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa80073f4050]
08:51:42.671 AVAST engine scan C:\Windows
08:51:46.774 AVAST engine scan C:\Windows\system32
08:55:25.767 AVAST engine scan C:\Windows\system32\drivers
08:55:55.080 AVAST engine scan C:\Users\Dimitris
09:05:35.448 File: C:\Users\Dimitris\AppData\Local\{8b0090f7-39a4-c523-6961-bf0ffc13ddfb}\n **INFECTED** Win64:Sirefef-F [Rtk]
09:05:35.479 File: C:\Users\Dimitris\AppData\Local\{8b0090f7-39a4-c523-6961-bf0ffc13ddfb}\U\00000001.@ **INFECTED** Win32:Malware-gen
09:10:33.502 AVAST engine scan C:\ProgramData
09:12:38.411 Scan finished successfully
09:13:24.790 Disk 0 MBR has been saved successfully to "C:\Users\Dimitris\Desktop\MBR.dat"
09:13:24.790 The log file has been saved successfully to "C:\Users\Dimitris\Desktop\aswMBR.txt"
---
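The two aswMBR hits above share a file layout that also shows up in the ComboFix "Other Deletions" list later in this thread: a folder named after a GUID, holding files called `n`, `@` and `U\<8 hex digits>.@`. As an added example (it is not part of this thread and not code from the aswMBR or ComboFix authors), here is a small Python parser that pulls the `**INFECTED**` entries out of an aswMBR log and flags paths in that layout. The sample lines are copied from the logs posted in this thread; the layout regex is a heuristic written for this example, not a vendor signature.

```python
import re
from dataclasses import dataclass

# Sample lines copied from the aswMBR log posted above (two clean lines, two detections).
SAMPLE_ASWMBR = r"""
08:51:07.431 Disk 0 Windows 7 default MBR code
08:55:55.080 AVAST engine scan C:\Users\Dimitris
09:05:35.448 File: C:\Users\Dimitris\AppData\Local\{8b0090f7-39a4-c523-6961-bf0ffc13ddfb}\n **INFECTED** Win64:Sirefef-F [Rtk]
09:05:35.479 File: C:\Users\Dimitris\AppData\Local\{8b0090f7-39a4-c523-6961-bf0ffc13ddfb}\U\00000001.@ **INFECTED** Win32:Malware-gen
09:12:38.411 Scan finished successfully
"""

# Sample lines copied from the "Other Deletions" section of the ComboFix log later in the thread.
SAMPLE_COMBOFIX = r"""
C:\install.exe
c:\users\Dimitris\AppData\Local\{8b0090f7-39a4-c523-6961-bf0ffc13ddfb}\U\00000001.@
c:\windows\Installer\{8b0090f7-39a4-c523-6961-bf0ffc13ddfb}\n
c:\windows\Installer\{8b0090f7-39a4-c523-6961-bf0ffc13ddfb}\U\800000cb.@
Infected copy of c:\windows\system32\services.exe was found and disinfected
"""

# aswMBR reports a detection as:  <hh:mm:ss.mmm> File: <path> **INFECTED** <detection name>
INFECTED_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3}) File: (?P<path>.+?) \*\*INFECTED\*\* (?P<name>.+)$"
)

GUID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.IGNORECASE)

# Heuristic for the layout seen in the logs: "<GUID folder>\n", "<GUID folder>\@" or
# "<GUID folder>\U\<8 hex digits>.@". Written for this example; not a vendor signature.
ZA_LAYOUT_RE = re.compile(
    r"\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\\(?:n|@|U\\[0-9a-f]{8}\.@)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    timestamp: str
    path: str
    detection: str
    rootkit_layout: bool  # True when the path matches the GUID-folder layout


def is_zeroaccess_layout(path: str) -> bool:
    """Return True if the path ends in the GUID-folder payload layout described above."""
    return ZA_LAYOUT_RE.search(path) is not None


def parse_aswmbr(text: str) -> list:
    """Extract every **INFECTED** entry from aswMBR output as a Finding."""
    findings = []
    for line in text.splitlines():
        m = INFECTED_RE.match(line.strip())
        if m:
            path = m.group("path")
            findings.append(Finding(m.group("ts"), path, m.group("name"), is_zeroaccess_layout(path)))
    return findings


def summarize(findings) -> dict:
    """Count detections and list the GUID folders implicated by layout matches."""
    folders = {GUID_RE.search(f.path).group(0).lower() for f in findings if f.rootkit_layout}
    return {
        "detections": len(findings),
        "rootkit_layout": sum(f.rootkit_layout for f in findings),
        "guid_folders": sorted(folders),
    }


def _candidate_paths(line: str):
    """Yield the path carried by a log line: an aswMBR detection, or a bare ComboFix path line."""
    line = line.strip()
    m = INFECTED_RE.match(line)
    if m:
        yield m.group("path")
    elif re.match(r"^[a-zA-Z]:\\", line):  # ComboFix lists one full path per line
        yield line


def find_rootkit_layout_paths(text: str) -> list:
    """Scan aswMBR or ComboFix output for paths in the GUID-folder layout, in order, without duplicates."""
    hits = []
    for line in text.splitlines():
        for path in _candidate_paths(line):
            if is_zeroaccess_layout(path) and path not in hits:
                hits.append(path)
    return hits


if __name__ == "__main__":
    found = parse_aswmbr(SAMPLE_ASWMBR)
    for f in found:
        print(f"{f.timestamp} {f.detection:24} layout={f.rootkit_layout} {f.path}")
    print(summarize(found))
    print(find_rootkit_layout_paths(SAMPLE_COMBOFIX))
```

Running it on the sample lines reports both aswMBR detections as layout matches under the same GUID folder, and picks the three GUID-folder entries out of the ComboFix deletion list while ignoring `C:\install.exe` and the `services.exe` message, which is a different kind of indicator. The layout check is deliberately strict about the file names so that an ordinary `{GUID}` folder under `Windows\Installer` is not flagged on its own.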

#8 m0le
    Can U Dig It?
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:05:12 AM

Posted 16 June 2012 - 05:47 AM

Let's try and remove this threat in safe mode with ComboFix.

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#9 taxidiotes
  • Topic Starter
  • Members
  • 15 posts
  • Local time:07:12 AM

Posted 16 June 2012 - 12:45 PM

I renamed it to comfix.exe as instructed and executed it in safe mode. Stupidly, I neglected to connect to my LAN. Anyway:

The first attempt seems to have failed: Execution was simply aborted without warning.

The second attempt progressed a bit further, resulting in a reboot (this is when I noticed there was no network connection) but the displayed information in the console window was laconic. There was no prompt to install Windows Recovery Console. I connected to the network after the reboot. A log report was prepared (see below):

---
ComboFix 12-06-15.06 - Dimitris 16/06/2012 14:40:39.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1253.30.1032.18.8046.6739 [GMT 3:00]
Running from: c:\users\Dimitris\Desktop\ComFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\users\Dimitris\AppData\Local\{8b0090f7-39a4-c523-6961-bf0ffc13ddfb}
c:\users\Dimitris\AppData\Local\{8b0090f7-39a4-c523-6961-bf0ffc13ddfb}\@
c:\users\Dimitris\AppData\Local\{8b0090f7-39a4-c523-6961-bf0ffc13ddfb}\n
c:\users\Dimitris\AppData\Local\{8b0090f7-39a4-c523-6961-bf0ffc13ddfb}\U\00000001.@
c:\users\Dimitris\AppData\Local\{8b0090f7-39a4-c523-6961-bf0ffc13ddfb}\U\800000cb.@
c:\windows\Installer\{8b0090f7-39a4-c523-6961-bf0ffc13ddfb}
c:\windows\Installer\{8b0090f7-39a4-c523-6961-bf0ffc13ddfb}\@
c:\windows\Installer\{8b0090f7-39a4-c523-6961-bf0ffc13ddfb}\n
c:\windows\Installer\{8b0090f7-39a4-c523-6961-bf0ffc13ddfb}\U\00000001.@
c:\windows\Installer\{8b0090f7-39a4-c523-6961-bf0ffc13ddfb}\U\80000000.@
c:\windows\Installer\{8b0090f7-39a4-c523-6961-bf0ffc13ddfb}\U\800000cb.@
.
Infected copy of c:\windows\system32\services.exe was found and disinfected
Restored copy from - c:\32788r22fwjfw\HarddiskVolumeShadowCopy9_!Windows!System32!services.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-05-16 to 2012-06-16 )))))))))))))))))))))))))))))))
.
.
2012-06-16 11:46 . 2012-06-16 11:46 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-06-16 11:37 . 2012-05-14 22:41 8955792 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E3D6655A-7995-4C87-97DE-613D1DC77E79}\mpengine.dll
2012-06-04 20:24 . 2012-06-04 20:24 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-06-04 15:08 . 2012-06-04 15:08 -------- d-----w- c:\programdata\Kaspersky Lab
2012-06-03 16:07 . 2012-06-03 16:07 -------- d-----w- c:\users\Dimitris\AppData\Roaming\Malwarebytes
2012-06-03 16:07 . 2012-06-03 16:07 -------- d-----w- c:\programdata\Malwarebytes
2012-06-03 13:57 . 2012-06-03 13:57 -------- d-----w- C:\d3ba6247f4e4ce22c61141dd
2012-06-03 13:52 . 2012-06-03 13:52 -------- d-----w- C:\31f238157ae057e64cd6
2012-06-03 13:50 . 2012-06-03 13:50 -------- d-----w- C:\eb59cf17b5cd0784c890d5d9
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-16 17:07 . 2010-10-02 16:46 29 ----a-w- c:\windows\SysWow64\TempWmicBatchFile.bat
2012-06-03 11:40 . 2012-03-30 15:16 419488 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-06-03 11:40 . 2011-04-27 19:12 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-05-05 19:15 . 2012-03-30 16:15 8744608 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
2012-03-31 06:05 . 2012-05-11 17:51 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-03-31 04:39 . 2012-05-11 17:51 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-03-31 04:39 . 2012-05-11 17:51 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-03-31 03:10 . 2012-05-11 17:51 3146240 ----a-w- c:\windows\system32\win32k.sys
2012-03-30 15:24 . 2010-09-04 07:24 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-03-30 11:35 . 2012-05-11 17:50 1918320 ----a-w- c:\windows\system32\drivers\tcpip.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2009-11-20 284696]
"FUFAXSTM"="c:\program files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe" [2009-12-02 847872]
"ISBMgr.exe"="c:\program files (x86)\Sony\ISB Utility\ISBMgr.exe" [2009-08-26 320880]
"PMBVolumeWatcher"="c:\program files (x86)\Sony\PMB\PMBVolumeWatcher.exe" [2011-03-15 650080]
"EEventManager"="c:\program files (x86)\Epson Software\Event Manager\EEventManager.exe" [2009-12-03 976320]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-09-20 102400]
"SHTtray.exe"="c:\program files (x86)\Common Files\Sony Shared\SOHLib\SHTtray.exe" [2010-09-10 99696]
"NUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-04-27 113288]
"NBAgent"="c:\program files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe" [2011-04-28 1406248]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"BarbieVideoGirlAutoLauncher"="c:\program files (x86)\Mattel\Barbie Video Girl\Barbie Video Girl Autolauncher.exe" [2010-09-21 385536]
"AllShareAgent"="c:\program files (x86)\Samsung\AllShare\AllShareAgent.exe" [2012-03-01 285072]
.
c:\users\Dimitris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files (x86)\MagicDisc\MagicDisc.exe [2010-12-31 576000]
OpenOffice.org 3.3.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-9-4 1081632]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2009-12-01 22:03 98304 ----a-w- c:\windows\System32\VESWinlogon.dll
.
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 CronService;Cron Service for Prey;c:\program files (x86)\Prey\platform\windows\cronsvc.exe [2011-11-24 19968]
R2 EPSON_EB_RPCV4_04;EPSON V5 Service4(04);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50STB.EXE [2009-09-14 166400]
R2 EPSON_PM_RPCV4_04;EPSON V3 Service4(04);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50RPB.EXE [2009-09-14 128512]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-26 133104]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2009-11-20 13336]
R2 NAUpdate;Nero Update;c:\program files (x86)\Nero\Update\NASvc.exe [2011-11-25 687400]
R2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files (x86)\Roxio\Digital Home 10\RoxioUpnpService10.exe [2009-08-31 362992]
R2 SamsungAllShareV2.0;Samsung AllShare PC;c:\program files (x86)\Samsung\AllShare\AllShareDMS\AllShareDMS.exe [2012-03-02 25504]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-02-15 158856]
R2 SOHCImp;VAIO Media plus Content Importer;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHCImp.exe [2010-09-10 108400]
R2 SOHDms;VAIO Media plus Digital Media Server;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHDms.exe [2010-10-12 423280]
R2 SOHDs;VAIO Media plus Device Searcher;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHDs.exe [2010-09-10 67952]
R2 uCamMonitor;CamMonitor;c:\program files (x86)\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe [2008-09-18 104960]
R2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2009-12-14 2320920]
R2 VCFw;VAIO Content Folder Watcher;c:\program files (x86)\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe [2011-01-20 887000]
R2 VSNService;VSNService;c:\program files\Sony\VAIO Smart Network\VSNService.exe [2010-08-11 845312]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-03 257696]
R3 ALSysIO;ALSysIO;c:\users\Dimitris\AppData\Local\Temp\ALSysIO64.sys [x]
R3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
R3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
R3 androidusb;ADB Interface Driver;c:\windows\system32\Drivers\androidusb.sys [x]
R3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;c:\windows\system32\DRIVERS\ArcSoftKsUFilter.sys [x]
R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [x]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
R3 gupdatem;Υπηρεσία Google Update (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-26 133104]
R3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [x]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [x]
R3 massfilter_hs;ZTE HandSet Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter_hs.sys [x]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-05-12 129976]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [x]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [x]
R3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files (x86)\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [2009-08-31 313840]
R3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\DRIVERS\s1018bus.sys [x]
R3 s1018mdfl;Sony Ericsson Device 1018 USB WMC Modem Filter;c:\windows\system32\DRIVERS\s1018mdfl.sys [x]
R3 s1018mdm;Sony Ericsson Device 1018 USB WMC Modem Driver;c:\windows\system32\DRIVERS\s1018mdm.sys [x]
R3 s1018mgmt;Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\s1018mgmt.sys [x]
R3 s1018nd5;Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS);c:\windows\system32\DRIVERS\s1018nd5.sys [x]
R3 s1018obex;Sony Ericsson Device 1018 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\s1018obex.sys [x]
R3 s1018unic;Sony Ericsson Device 1018 USB Ethernet Emulation (WDM);c:\windows\system32\DRIVERS\s1018unic.sys [x]
R3 SimpleSlideShowServer;SimpleSlideShowServer;c:\program files (x86)\Samsung\AllShare\AllShareSlideShowService.exe [2012-03-02 27584]
R3 SpfService;VAIO Entertainment Common Service;c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\SPF\SpfService64.exe [2011-01-20 286936]
R3 SQTECH900A;Barbie Video Girl-Video(PID_909B_00);c:\windows\system32\Drivers\CaptFXV2.sys [x]
R3 SQUSBDng;Service for Audio Driver;c:\windows\system32\drivers\FXV2AUD.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TVICHW64;TVICHW64;c:\windows\system32\DRIVERS\TVICHW64.SYS [x]
R3 VAIO Power Management;VAIO Power Management;c:\program files\Sony\VAIO Power Management\SPMService.exe [2009-11-30 571248]
R3 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;c:\program files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe [2011-05-19 549616]
R3 VcmINSMgr;VAIO Content Metadata Intelligent Network Service Manager;c:\program files\Sony\VCM Intelligent Network Service Manager\VcmINSMgr.exe [2010-10-25 387896]
R3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;c:\program files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper64.exe [2011-02-18 99104]
R3 VUAgent;VUAgent;c:\program files\Sony\VAIO Update Common\VUAgent.exe [2012-01-13 1256040]
R3 WatAdminSvc;Υπηρεσία Τεχνολογιών ενεργοποίησης των Windows;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 zghsdiag;ZTE General Handset Diagnostic Port;c:\windows\system32\DRIVERS\zghsdiag.sys [x]
R3 zghsmdm;ZTE General Handset USB Modem Proprietary;c:\windows\system32\DRIVERS\zghsmdm.sys [x]
R3 zghsnmea;ZTE General Handset NMEA Port;c:\windows\system32\DRIVERS\zghsnmea.sys [x]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 rimspci;rimspci;c:\windows\system32\drivers\rimssne64.sys [x]
S2 risdsnpe;risdsnpe;c:\windows\system32\drivers\risdsne64.sys [x]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
S3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\drivers\SFEP.sys [x]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-16 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 11:40]
.
2012-06-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-26 04:24]
.
2012-06-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-26 04:24]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-12-16 9636896]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-02-26 171520]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=SVEC&bmod=EU01
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: Αποστολή εικόνας στη συσκευή &Bluetooth... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Αποστολή σελίδας στη συσκευή &Bluetooth... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\Dimitris\AppData\Roaming\Mozilla\Firefox\Profiles\sohcih90.default\
FF - prefs.js: browser.search.selectedEngine - Google.com (in English)
FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com
FF - prefs.js: keyword.URL - hxxp://search.skipity.com/?source=ab&q=
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-mcmscsvc
SafeBoot-MCODS
SafeBoot-SolutoService
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
AddRemove-EPSON Scanner - c:\program files (x86)\epson\escndv\setup\setup.exe
AddRemove-InstallShield_{B25563A0-41F4-4A81-A6C1-6DBC0911B1F3}_Temp2 - c:\program files (x86)\InstallShield Installation Information\{B25563A0-41F4-4A81-A6C1-6DBC0911B1F3}\setup.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0008\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0009\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-06-16 20:22:53 - machine was rebooted
ComboFix-quarantined-files.txt 2012-06-16 17:22
.
Pre-Run: 19 Κατάλογοι 339.659.296.768 διαθέσιμα byte
Post-Run: 25 Κατάλογοι 344.825.741.312 διαθέσιμα byte
.
- - End Of File - - 009C6B1B2134D6C6648A00AEFCF76660
---

I repeated the process with the network connection this time. The installation process took a bit longer (e.g. I saw 2/10 stages the previous time, 10/10 this time). The scanning process was also more verbose (20-odd stages vs. none before). A reboot occurred again and another log report was created (see below):

---
ComboFix 12-06-15.06 - Dimitris 16/06/2012 20:27:28.2.4 - x64 NETWORK
Microsoft Windows 7 Home Premium 6.1.7601.1.1253.30.1032.18.8046.7018 [GMT 3:00]
Running from: c:\users\Dimitris\Desktop\ComFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2012-05-16 to 2012-06-16 )))))))))))))))))))))))))))))))
.
.
2012-06-16 17:31 . 2012-06-16 17:31 -------- d-----w- c:\users\Lisaki\AppData\Local\temp
2012-06-16 17:31 . 2012-06-16 17:31 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-06-16 11:37 . 2012-05-14 22:41 8955792 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E3D6655A-7995-4C87-97DE-613D1DC77E79}\mpengine.dll
2012-06-04 20:24 . 2012-06-04 20:24 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-06-04 15:08 . 2012-06-04 15:08 -------- d-----w- c:\programdata\Kaspersky Lab
2012-06-03 16:07 . 2012-06-03 16:07 -------- d-----w- c:\users\Dimitris\AppData\Roaming\Malwarebytes
2012-06-03 16:07 . 2012-06-03 16:07 -------- d-----w- c:\programdata\Malwarebytes
2012-06-03 13:57 . 2012-06-03 13:57 -------- d-----w- C:\d3ba6247f4e4ce22c61141dd
2012-06-03 13:52 . 2012-06-03 13:52 -------- d-----w- C:\31f238157ae057e64cd6
2012-06-03 13:50 . 2012-06-03 13:50 -------- d-----w- C:\eb59cf17b5cd0784c890d5d9
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-16 17:32 . 2010-10-02 16:46 29 ----a-w- c:\windows\SysWow64\TempWmicBatchFile.bat
2012-06-03 11:40 . 2012-03-30 15:16 419488 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-06-03 11:40 . 2011-04-27 19:12 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-05-05 19:15 . 2012-03-30 16:15 8744608 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
2012-03-31 06:05 . 2012-05-11 17:51 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-03-31 04:39 . 2012-05-11 17:51 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-03-31 04:39 . 2012-05-11 17:51 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-03-31 03:10 . 2012-05-11 17:51 3146240 ----a-w- c:\windows\system32\win32k.sys
2012-03-30 15:24 . 2010-09-04 07:24 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-03-30 11:35 . 2012-05-11 17:50 1918320 ----a-w- c:\windows\system32\drivers\tcpip.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2012-06-16_17.18.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-03 22:23 . 2012-06-16 17:34 85180 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
- 2010-02-03 22:23 . 2012-06-16 11:39 85180 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-06-16 17:34 45414 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-09-04 05:04 . 2012-06-16 17:34 26004 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-4262959588-1175740641-1975643379-1000_UserData.bin
- 2012-06-16 17:18 . 2012-06-16 17:18 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-06-16 17:32 . 2012-06-16 17:32 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-06-16 17:32 . 2012-06-16 17:32 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-06-16 17:18 . 2012-06-16 17:18 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2009-11-20 284696]
"FUFAXSTM"="c:\program files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe" [2009-12-02 847872]
"ISBMgr.exe"="c:\program files (x86)\Sony\ISB Utility\ISBMgr.exe" [2009-08-26 320880]
"PMBVolumeWatcher"="c:\program files (x86)\Sony\PMB\PMBVolumeWatcher.exe" [2011-03-15 650080]
"EEventManager"="c:\program files (x86)\Epson Software\Event Manager\EEventManager.exe" [2009-12-03 976320]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-09-20 102400]
"SHTtray.exe"="c:\program files (x86)\Common Files\Sony Shared\SOHLib\SHTtray.exe" [2010-09-10 99696]
"NUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-04-27 113288]
"NBAgent"="c:\program files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe" [2011-04-28 1406248]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"BarbieVideoGirlAutoLauncher"="c:\program files (x86)\Mattel\Barbie Video Girl\Barbie Video Girl Autolauncher.exe" [2010-09-21 385536]
"AllShareAgent"="c:\program files (x86)\Samsung\AllShare\AllShareAgent.exe" [2012-03-01 285072]
.
c:\users\Dimitris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files (x86)\MagicDisc\MagicDisc.exe [2010-12-31 576000]
OpenOffice.org 3.3.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-9-4 1081632]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2009-12-01 22:03 98304 ----a-w- c:\windows\System32\VESWinlogon.dll
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-26 133104]
R2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files (x86)\Roxio\Digital Home 10\RoxioUpnpService10.exe [2009-08-31 362992]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-02-15 158856]
R2 SOHCImp;VAIO Media plus Content Importer;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHCImp.exe [2010-09-10 108400]
R2 SOHDms;VAIO Media plus Digital Media Server;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHDms.exe [2010-10-12 423280]
R2 SOHDs;VAIO Media plus Device Searcher;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHDs.exe [2010-09-10 67952]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-03 257696]
R3 ALSysIO;ALSysIO;c:\users\Dimitris\AppData\Local\Temp\ALSysIO64.sys [x]
R3 androidusb;ADB Interface Driver;c:\windows\system32\Drivers\androidusb.sys [x]
R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [x]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
R3 gupdatem;Υπηρεσία Google Update (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-26 133104]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [x]
R3 massfilter_hs;ZTE HandSet Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter_hs.sys [x]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-05-12 129976]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [x]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [x]
R3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files (x86)\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [2009-08-31 313840]
R3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\DRIVERS\s1018bus.sys [x]
R3 s1018mdfl;Sony Ericsson Device 1018 USB WMC Modem Filter;c:\windows\system32\DRIVERS\s1018mdfl.sys [x]
R3 s1018mdm;Sony Ericsson Device 1018 USB WMC Modem Driver;c:\windows\system32\DRIVERS\s1018mdm.sys [x]
R3 s1018mgmt;Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\s1018mgmt.sys [x]
R3 s1018nd5;Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS);c:\windows\system32\DRIVERS\s1018nd5.sys [x]
R3 s1018obex;Sony Ericsson Device 1018 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\s1018obex.sys [x]
R3 s1018unic;Sony Ericsson Device 1018 USB Ethernet Emulation (WDM);c:\windows\system32\DRIVERS\s1018unic.sys [x]
R3 SimpleSlideShowServer;SimpleSlideShowServer;c:\program files (x86)\Samsung\AllShare\AllShareSlideShowService.exe [2012-03-02 27584]
R3 SQTECH900A;Barbie Video Girl-Video(PID_909B_00);c:\windows\system32\Drivers\CaptFXV2.sys [x]
R3 SQUSBDng;Service for Audio Driver;c:\windows\system32\drivers\FXV2AUD.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TVICHW64;TVICHW64;c:\windows\system32\DRIVERS\TVICHW64.SYS [x]
R3 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;c:\program files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe [2011-05-19 549616]
R3 VcmINSMgr;VAIO Content Metadata Intelligent Network Service Manager;c:\program files\Sony\VCM Intelligent Network Service Manager\VcmINSMgr.exe [2010-10-25 387896]
R3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;c:\program files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper64.exe [2011-02-18 99104]
R3 WatAdminSvc;Υπηρεσία Τεχνολογιών ενεργοποίησης των Windows;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 zghsdiag;ZTE General Handset Diagnostic Port;c:\windows\system32\DRIVERS\zghsdiag.sys [x]
R3 zghsmdm;ZTE General Handset USB Modem Proprietary;c:\windows\system32\DRIVERS\zghsmdm.sys [x]
R3 zghsnmea;ZTE General Handset NMEA Port;c:\windows\system32\DRIVERS\zghsnmea.sys [x]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 CronService;Cron Service for Prey;c:\program files (x86)\Prey\platform\windows\cronsvc.exe [2011-11-24 19968]
S2 EPSON_EB_RPCV4_04;EPSON V5 Service4(04);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50STB.EXE [2009-09-14 166400]
S2 EPSON_PM_RPCV4_04;EPSON V3 Service4(04);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50RPB.EXE [2009-09-14 128512]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2009-11-20 13336]
S2 NAUpdate;Nero Update;c:\program files (x86)\Nero\Update\NASvc.exe [2011-11-25 687400]
S2 rimspci;rimspci;c:\windows\system32\drivers\rimssne64.sys [x]
S2 risdsnpe;risdsnpe;c:\windows\system32\drivers\risdsne64.sys [x]
S2 SamsungAllShareV2.0;Samsung AllShare PC;c:\program files (x86)\Samsung\AllShare\AllShareDMS\AllShareDMS.exe [2012-03-02 25504]
S2 uCamMonitor;CamMonitor;c:\program files (x86)\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe [2008-09-18 104960]
S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2009-12-14 2320920]
S2 VCFw;VAIO Content Folder Watcher;c:\program files (x86)\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe [2011-01-20 887000]
S2 VSNService;VSNService;c:\program files\Sony\VAIO Smart Network\VSNService.exe [2010-08-11 845312]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;c:\windows\system32\DRIVERS\ArcSoftKsUFilter.sys [x]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [x]
S3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\drivers\SFEP.sys [x]
S3 SpfService;VAIO Entertainment Common Service;c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\SPF\SpfService64.exe [2011-01-20 286936]
S3 VAIO Power Management;VAIO Power Management;c:\program files\Sony\VAIO Power Management\SPMService.exe [2009-11-30 571248]
S3 VUAgent;VUAgent;c:\program files\Sony\VAIO Update Common\VUAgent.exe [2012-01-13 1256040]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-16 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 11:40]
.
2012-06-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-26 04:24]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-12-16 9636896]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-02-26 171520]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=SVEC&bmod=EU01
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: Αποστολή εικόνας στη συσκευή &Bluetooth... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Αποστολή σελίδας στη συσκευή &Bluetooth... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\Dimitris\AppData\Roaming\Mozilla\Firefox\Profiles\sohcih90.default\
FF - prefs.js: browser.search.selectedEngine - Google.com (in English)
FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com
FF - prefs.js: keyword.URL - hxxp://search.skipity.com/?source=ab&q=
FF - prefs.js: network.proxy.type - 0
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0008\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0009\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\EPSON\EBAPI\eEBSVC.exe
c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
c:\windows\SysWOW64\SAgent4.exe
c:\program files (x86)\SONY\VAIO Event Service\VESMgr.exe
c:\windows\SysWOW64\DllHost.exe
c:\program files (x86)\SONY\VAIO Event Service\VESMgrSub.exe
.
**************************************************************************
.
Completion time: 2012-06-16 20:37:17 - machine was rebooted
ComboFix-quarantined-files.txt 2012-06-16 17:37
ComboFix2.txt 2012-06-16 17:22
.
Pre-Run: 24 Κατάλογοι 344.729.047.040 διαθέσιμα byte
Post-Run: 25 Κατάλογοι 344.692.609.024 διαθέσιμα byte
.
- - End Of File - - F94BFA274FF0BB358024B6EAE3574CA2
---

I hope the last attempt did not disrupt your efforts...
Please advise how I should proceed.

PS: Thanks for continuing to look at this on a weekend

Edited by taxidiotes, 16 June 2012 - 12:54 PM.


#10 m0le
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 17 June 2012 - 06:25 PM

The first attempt certainly didn't fail. That removed the ZeroAccess files, which should mean that you would lose your connection, but now you are reconnected. Can you now boot into normal mode?
m0le is a proud member of UNITE

#11 taxidiotes
  • Topic Starter
  • Members
  • 15 posts

Posted 18 June 2012 - 02:02 AM

Yes, I can boot into normal mode (but then I always could). I did notice that the Windows firewall was enabled, so that seems to have been fixed.

I disabled the firewall & reran aswMBR in normal mode which resulted in a BSOD.

I rebooted into safe mode and the scan completed successfully. This is the resulting log:

---
aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-06-18 09:27:17
-----------------------------
09:27:17.475 OS Version: Windows x64 6.1.7601 Service Pack 1
09:27:17.475 Number of processors: 4 586 0x2505
09:27:17.490 ComputerName: ALWAYSJOYFUL UserName: Dimitris
09:27:18.847 Initialize success
09:27:22.014 AVAST engine defs: 12061700
09:27:29.721 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
09:27:29.721 Disk 0 Vendor: ST950032 0006 Size: 476940MB BusType: 3
09:27:29.721 Disk 1 \Device\Harddisk1\DR1 -> \Device\0000006a
09:27:29.721 Disk 1 Vendor: RICOH 02 Size: 476940MB BusType: 0
09:27:29.721 Disk 2 \Device\Harddisk2\DR2 -> \Device\0000006b
09:27:29.736 Disk 2 Vendor: RICOH 02 Size: 476940MB BusType: 0
09:27:29.752 Disk 0 MBR read successfully
09:27:29.752 Disk 0 MBR scan
09:27:29.767 Disk 0 Windows 7 default MBR code
09:27:29.767 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 14587 MB offset 2048
09:27:29.783 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 29876224
09:27:29.799 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 462251 MB offset 30081024
09:27:29.830 Disk 0 scanning C:\Windows\system32\drivers
09:27:42.185 Service scanning
09:28:02.247 Modules scanning
09:28:02.247 Disk 0 trace - called modules:
09:28:02.309 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys iaStor.sys hal.dll
09:28:02.325 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800847a060]
09:28:02.325 3 CLASSPNP.SYS[fffff8800180143f] -> nt!IofCallDriver -> [0xfffffa80066a7e40]
09:28:02.325 5 ACPI.sys[fffff88000eed7a1] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa80073d7050]
09:28:03.869 AVAST engine scan C:\Windows
09:28:06.833 AVAST engine scan C:\Windows\system32
09:31:36.357 AVAST engine scan C:\Windows\system32\drivers
09:31:54.219 AVAST engine scan C:\Users\Dimitris
09:45:10.460 AVAST engine scan C:\ProgramData
09:47:15.479 Scan finished successfully
09:53:03.780 Disk 0 MBR has been saved successfully to "C:\Users\Dimitris\Desktop\MBR.dat"
09:53:03.796 The log file has been saved successfully to "C:\Users\Dimitris\Desktop\aswMBR(2).txt"
---

Please advise on how to proceed from here.

#12 m0le
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 18 June 2012 - 06:17 PM

Can you run FSS for me? I think the malware has gone, but I need to do some checks for remnants.

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

m0le is a proud member of UNITE

#13 taxidiotes
  • Topic Starter
  • Members
  • 15 posts

Posted 19 June 2012 - 02:06 AM

BTW, I managed to read the message in the BSOD when running aswMBR in normal mode.
It is "DRIVER_IRQL_NOT_LESS_OR_EQUAL".

Here is the FSS log:
---

Farbar Service Scanner Version: 19-06-2012
Ran by Dimitris (administrator) on 19-06-2012 at 10:04:16
Running from "C:\Users\Dimitris\Desktop"
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.


Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****

Edited by taxidiotes, 19 June 2012 - 02:35 AM.
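As an added example, not part of this thread and not FSS's own code: a PowerShell check that reads the same firewall policy values and service states that the FSS log above reports, so lines such as `"EnableFirewall"=DWORD:0` and `wscsvc Service is not running` can be re-verified by hand after cleanup. The registry paths and the service names wscsvc and wuauserv are the ones in the FSS log; DomainProfile, MpsSvc and BFE are standard Windows names added here for completeness. It assumes an elevated PowerShell prompt on Windows 7 (PowerShell 2.0 cmdlets only).

```powershell
# Added example: re-check the firewall policy keys and the services that FSS reports.
# Not part of the thread or of FSS itself. Run from an elevated PowerShell prompt.

$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
# StandardProfile and PublicProfile appear in the FSS log; DomainProfile is the third standard profile.
$profiles = @('DomainProfile', 'StandardProfile', 'PublicProfile')

Write-Host 'Firewall policy (EnableFirewall per profile):'
foreach ($p in $profiles) {
    $key = Join-Path $base $p
    if (-not (Test-Path $key)) { continue }
    # A missing value means no policy override; Windows defaults to the firewall being on.
    $val = (Get-ItemProperty -Path $key -Name 'EnableFirewall' -ErrorAction SilentlyContinue).EnableFirewall
    if ($null -eq $val)   { $state = 'not set (default: enabled)' }
    elseif ($val -eq 0)   { $state = 'DISABLED' }
    else                  { $state = 'enabled' }
    Write-Host ('  {0,-16} {1}' -f $p, $state)
}

# wscsvc (Security Center) and wuauserv (Windows Update) were "not running" in the FSS log;
# MpsSvc (Windows Firewall) and BFE (Base Filtering Engine) are the firewall's own services.
Write-Host "`nService state and configuration:"
foreach ($name in 'wscsvc', 'wuauserv', 'MpsSvc', 'BFE') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) { Write-Host ('  {0,-10} MISSING' -f $name); continue }
    # Win32_Service exposes the start type and the ImagePath that FSS checks.
    $cfg = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    Write-Host ('  {0,-10} {1,-8} start={2,-6} path={3}' -f $name, $svc.Status, $cfg.StartMode, $cfg.PathName)
}
```

A `DISABLED` profile with the services `Running` and `Auto` matches the situation in this thread, where the poster had turned the firewall off by hand before scanning; a `DISABLED` profile together with a `MISSING` or `Disabled` MpsSvc/BFE is the pattern worth escalating. The script does not reproduce FSS's MD5 file check, which needs a hash tool not present in PowerShell 2.0.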


#14 m0le
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 19 June 2012 - 06:38 PM

The DRIVER_IRQL_NOT_LESS_OR_EQUAL is often indicative of a remnant of a rootkit, so let's search with FRST.

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool (scan your computer's memory for errors)
  • Command Prompt

Then:
  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it in your next reply.
m0le is a proud member of UNITE

#15 taxidiotes
  • Topic Starter
  • Members
  • 15 posts

Posted 20 June 2012 - 02:02 PM

"FRST.txt", as requested.

---
Scan result of Farbar Recovery Scan Tool Version: 20-06-2012 04
Ran by SYSTEM at 20-06-2012 21:59:12
Running from G:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [9636896 2009-12-16] (Realtek Semiconductor)
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [1861416 2009-12-16] (Synaptics Incorporated)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" [171520 2010-02-26] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2009-11-20] (Intel Corporation)
HKLM-x32\...\Run: [FUFAXSTM] "C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe" [847872 2009-12-02] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [ISBMgr.exe] "C:\Program Files (x86)\Sony\ISB Utility\ISBMgr.exe" [320880 2009-08-26] (Sony Corporation)
HKLM-x32\...\Run: [PMBVolumeWatcher] C:\Program Files (x86)\Sony\PMB\PMBVolumeWatcher.exe [650080 2011-03-15] (Sony Corporation)
HKLM-x32\...\Run: [EEventManager] "C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe" [976320 2009-12-03] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [102400 2010-09-20] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [SHTtray.exe] C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SHTtray.exe [99696 2010-09-10] (Sony Corporation)
HKLM-x32\...\Run: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [113288 2010-04-27] (Renesas Electronics Corporation)
HKLM-x32\...\Run: [NBAgent] "C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe" /WinStart [1406248 2011-04-28] (Nero AG)
HKLM-x32\...\Run: [BarbieVideoGirlAutoLauncher] "C:\Program Files (x86)\Mattel\Barbie Video Girl\Barbie Video Girl Autolauncher.exe" [385536 2010-09-21] ()
HKLM-x32\...\Run: [AllShareAgent] C:\Program Files (x86)\Samsung\AllShare\AllShareAgent.exe [285072 2012-03-01] (Samsung Electronics Co., Ltd.)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35760 2009-12-22] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [948672 2009-12-11] (Adobe Systems Incorporated)
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
Startup: C:\Users\Dimitris\Start Menu\Programs\Startup\MagicDisc.lnk
ShortcutTarget: MagicDisc.lnk -> C:\Program Files (x86)\MagicDisc\MagicDisc.exe (MagicISO, Inc.)
Startup: C:\Users\Dimitris\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
ShortcutTarget: OpenOffice.org 3.3.lnk -> C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe ()

==================== Services (Whitelisted) ======

3 ACDaemon; C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)
2 CronService; "C:\Program Files (x86)\Prey\platform\windows\cronsvc.exe" [19968 2011-11-24] (Fork Ltd.)
3 Roxio UPnP Renderer 10; "C:\Program Files (x86)\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe" [313840 2009-08-31] (Sonic Solutions)
2 Roxio Upnp Server 10; "C:\Program Files (x86)\Roxio\Digital Home 10\RoxioUpnpService10.exe" [362992 2009-08-31] (Sonic Solutions)
2 SOHDms; "C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SOHDms.exe" [423280 2010-10-12] (Sony Corporation)
2 StatusAgent4; C:\Windows\SysWOW64\SAgent4.exe [131072 2006-12-20] (SEIKO EPSON CORPORATION)
2 uCamMonitor; C:\Program Files (x86)\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe [104960 2008-09-18] (ArcSoft, Inc.)
2 UNS; "C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe" [2320920 2009-12-14] (Intel Corporation)
2 VAIO Event Service; "C:\Program Files (x86)\SONY\VAIO Event Service\VESMgr.exe" [205168 2010-05-28] (Sony Corporation)
3 VAIO Power Management; "C:\Program Files\Sony\VAIO Power Management\SPMService.exe" [571248 2009-11-30] (Sony Corporation)
2 VCFw; "C:\Program Files (x86)\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe" [887000 2011-01-20] (Sony Corporation)
3 VcmIAlzMgr; "C:\Program Files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe" [549616 2011-05-19] (Sony Corporation)
3 VcmINSMgr; "C:\Program Files\Sony\VCM Intelligent Network Service Manager\VcmINSMgr.exe" [387896 2010-10-25] (Sony Corporation)
3 VcmXmlIfHelper; "C:\Program Files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper64.exe" [99104 2011-02-18] (Sony Corporation)
2 VSNService; "C:\Program Files\Sony\VAIO Smart Network\VSNService.exe" [845312 2010-08-11] (Sony Corporation)
3 VUAgent; "C:\Program Files\Sony\VAIO Update Common\VUAgent.exe" [1256040 2012-01-13] (Sony Corporation)

========================== Drivers (Whitelisted) =============

3 androidusb; C:\Windows\System32\Drivers\androidusb.sys [38424 2010-10-18] (Google Inc)
3 ArcSoftKsUFilter; C:\Windows\System32\Drivers\ArcSoftKsUFilter.sys [19968 2009-05-26] (ArcSoft, Inc.)
3 massfilter_hs; C:\Windows\System32\Drivers\massfilter_hs.sys [11776 2010-10-20] (HandSet Incorporated)
2 rimspci; C:\Windows\system32\drivers\rimssne64.sys [93696 2009-11-06] (REDC)
2 risdsnpe; C:\Windows\system32\drivers\risdsne64.sys [75776 2009-09-15] (REDC)
3 s1018bus; C:\Windows\System32\Drivers\s1018bus.sys [113704 2009-03-25] (MCCI Corporation)
3 s1018mdfl; C:\Windows\System32\Drivers\s1018mdfl.sys [19496 2009-03-25] (MCCI Corporation)
3 s1018mdm; C:\Windows\System32\Drivers\s1018mdm.sys [153128 2009-03-25] (MCCI Corporation)
3 s1018mgmt; C:\Windows\System32\Drivers\s1018mgmt.sys [133160 2009-03-25] (MCCI Corporation)
3 s1018nd5; C:\Windows\System32\Drivers\s1018nd5.sys [34856 2009-03-25] (MCCI Corporation)
3 s1018obex; C:\Windows\System32\Drivers\s1018obex.sys [128552 2009-03-25] (MCCI Corporation)
3 s1018unic; C:\Windows\System32\Drivers\s1018unic.sys [146472 2009-03-25] (MCCI Corporation)
4 sptd; C:\Windows\System32\Drivers\sptd.sys [834544 2010-09-18] (Duplex Secure Ltd.)
3 SQTECH900A; C:\Windows\System32\Drivers\CaptFXV2.sys [143040 2010-01-28] (Service & Quality Technology.)
3 SQUSBDng; C:\Windows\System32\drivers\FXV2AUD.sys [46400 2010-03-05] (Service & Quality Technology.)
3 TVICHW64; C:\Windows\System32\Drivers\TVICHW64.sys [21200 2010-10-04] (EnTech Taiwan)
3 yukonw7; C:\Windows\System32\DRIVERS\yk62x64.sys [395264 2009-11-12] ()
3 zghsdiag; C:\Windows\System32\Drivers\zghsdiag.sys [129304 2010-10-18] (ZTE Incorporated)
3 zghsmdm; C:\Windows\System32\Drivers\zghsmdm.sys [127056 2010-10-18] (ZTE Incorporated)
3 zghsnmea; C:\Windows\System32\Drivers\zghsnmea.sys [129304 2010-10-18] (ZTE Incorporated)
3 ALSysIO; \??\C:\Users\Dimitris\AppData\Local\Temp\ALSysIO64.sys [x]
3 catchme; \??\C:\ComFix\catchme.sys [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-06-20 21:44 - 2012-06-20 21:59 - 00000000 ____D C:\FRST
2012-06-19 17:08 - 2012-06-19 17:08 - 00000000 ___DC C:\Users\Dimitris\AppData\Local\MigWiz
2012-06-19 16:30 - 2009-07-14 01:41 - 00332288 ____A (Microsoft Corporation) C:\Windows\System32\uxtheme.dll.backup
2012-06-19 16:29 - 2010-11-20 13:27 - 02851840 ____A (Microsoft Corporation) C:\Windows\System32\themeui.dll.backup
2012-06-19 16:29 - 2009-07-14 01:41 - 00044544 ____A (Microsoft Corporation) C:\Windows\System32\themeservice.dll.backup
2012-06-19 15:36 - 2012-06-19 15:36 - 00000000 ____D C:\Program Files (x86)\NirSoft
2012-06-19 15:28 - 2012-06-19 15:28 - 00000000 ____D C:\AMD
2012-06-19 15:16 - 2012-06-19 15:16 - 00273912 ____A C:\Windows\Minidump\061912-20342-01.dmp
2012-06-19 15:13 - 2012-06-19 15:13 - 00000000 ____D C:\Users\Dimitris\Catalyst_Mobility_64-Bit_Util
2012-06-19 14:35 - 2012-06-19 14:35 - 00273912 ____A C:\Windows\Minidump\061912-27206-01.dmp
2012-06-19 14:01 - 2012-06-19 14:01 - 00476936 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\npdeployJava1.dll
2012-06-19 13:52 - 2012-06-19 13:52 - 00003288 ____N C:\bootsqm.dat
2012-06-19 07:33 - 2012-06-19 07:33 - 00273912 ____A C:\Windows\Minidump\061912-31559-01.dmp
2012-06-18 06:53 - 2012-06-18 06:53 - 00002295 ____A C:\Users\Dimitris\Desktop\aswMBR(2).txt
2012-06-18 06:25 - 2012-06-18 06:25 - 00273912 ____A C:\Windows\Minidump\061812-23337-01.dmp
2012-06-17 00:00 - 2012-05-18 02:47 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-17 00:00 - 2012-05-18 02:16 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-17 00:00 - 2012-05-18 02:06 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-17 00:00 - 2012-05-18 01:59 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-17 00:00 - 2012-05-18 01:59 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-17 00:00 - 2012-05-18 01:58 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-17 00:00 - 2012-05-18 01:58 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-17 00:00 - 2012-05-18 01:56 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-17 00:00 - 2012-05-18 01:55 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-17 00:00 - 2012-05-18 01:55 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-17 00:00 - 2012-05-18 01:54 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-17 00:00 - 2012-05-18 01:51 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-17 00:00 - 2012-05-18 01:51 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-17 00:00 - 2012-05-18 01:47 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-17 00:00 - 2012-05-17 23:11 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-06-17 00:00 - 2012-05-17 22:48 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-06-17 00:00 - 2012-05-17 22:45 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-06-17 00:00 - 2012-05-17 22:36 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-06-17 00:00 - 2012-05-17 22:35 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-06-17 00:00 - 2012-05-17 22:35 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-06-17 00:00 - 2012-05-17 22:33 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-06-17 00:00 - 2012-05-17 22:31 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-06-17 00:00 - 2012-05-17 22:29 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-06-17 00:00 - 2012-05-17 22:29 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-06-17 00:00 - 2012-05-17 22:27 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-06-17 00:00 - 2012-05-17 22:25 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-06-17 00:00 - 2012-05-17 22:24 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-06-17 00:00 - 2012-05-17 22:20 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-06-16 17:37 - 2012-06-16 17:37 - 00021773 ____A C:\ComboFix.txt
2012-06-16 11:39 - 2011-06-26 06:45 - 00256000 ____A C:\Windows\PEV.exe
2012-06-16 11:39 - 2010-11-07 17:20 - 00208896 ____A C:\Windows\MBR.exe
2012-06-16 11:39 - 2009-04-20 04:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-06-16 11:39 - 2000-08-31 00:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-06-16 11:39 - 2000-08-31 00:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-06-16 11:39 - 2000-08-31 00:00 - 00098816 ____A C:\Windows\sed.exe
2012-06-16 11:39 - 2000-08-31 00:00 - 00080412 ____A C:\Windows\grep.exe
2012-06-16 11:39 - 2000-08-31 00:00 - 00068096 ____A C:\Windows\zip.exe
2012-06-16 11:29 - 2012-06-16 17:37 - 00000000 ____D C:\Qoobox
2012-06-16 11:29 - 2012-06-16 17:21 - 00000000 ____D C:\Windows\erdnt
2012-06-15 18:53 - 2012-06-15 18:53 - 00273912 ____A C:\Windows\Minidump\061512-24273-01.dmp
2012-06-15 18:49 - 2012-05-15 01:32 - 03146752 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-15 18:49 - 2012-05-04 11:06 - 05559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-06-15 18:49 - 2012-05-04 10:03 - 03968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-06-15 18:49 - 2012-05-04 10:03 - 03913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-06-15 18:49 - 2012-04-28 03:55 - 00210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-06-15 18:49 - 2012-04-26 05:41 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-06-15 18:49 - 2012-04-26 05:41 - 00077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-06-15 18:49 - 2012-04-26 05:34 - 00009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
2012-06-04 21:06 - 2012-06-04 21:06 - 00000020 ____A C:\Users\Dimitris\defogger_reenable
2012-06-04 20:24 - 2012-06-04 20:24 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-06-04 15:08 - 2012-06-04 15:08 - 00000000 ____D C:\Users\All Users\Kaspersky Lab
2012-06-03 16:07 - 2012-06-03 16:07 - 00000000 ____D C:\Users\Dimitris\AppData\Roaming\Malwarebytes
2012-06-03 16:07 - 2012-06-03 16:07 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-06-03 13:57 - 2012-06-03 13:57 - 00000000 ____D C:\d3ba6247f4e4ce22c61141dd
2012-06-03 13:52 - 2012-06-03 13:52 - 00000000 ____D C:\31f238157ae057e64cd6
2012-06-03 13:50 - 2012-06-03 13:50 - 00000000 ____D C:\eb59cf17b5cd0784c890d5d9
2012-06-03 12:08 - 2012-06-03 12:08 - 12621696 ____A (Microsoft Corporation) C:\Users\Dimitris\Desktop\mseinstall.exe

============ 3 Months Modified Files and Folders =============

2012-06-20 21:59 - 2012-06-20 21:44 - 00000000 ____D C:\FRST
2012-06-20 18:57 - 2010-09-02 18:48 - 01521491 ____A C:\Windows\WindowsUpdate.log
2012-06-20 18:54 - 2009-07-14 04:45 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-06-20 18:54 - 2009-07-14 04:45 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-06-20 18:51 - 2011-02-03 21:31 - 00001945 ____A C:\Windows\epplauncher.mif
2012-06-20 18:50 - 2010-02-03 22:55 - 00560194 ____A C:\Windows\System32\perfh008.dat
2012-06-20 18:50 - 2010-02-03 22:55 - 00089820 ____A C:\Windows\System32\perfc008.dat
2012-06-20 18:46 - 2011-05-24 18:06 - 00039020 ____A C:\Windows\setupact.log
2012-06-20 18:46 - 2010-10-02 16:46 - 00000029 ____A C:\Windows\SysWOW64\TempWmicBatchFile.bat
2012-06-20 18:46 - 2009-07-14 05:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-06-20 18:32 - 2010-02-26 04:24 - 00000912 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-06-20 18:27 - 2012-05-12 08:39 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2012-06-19 19:15 - 2012-03-30 15:16 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-06-19 17:59 - 2011-02-03 21:23 - 01391090 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-06-19 17:54 - 2010-02-26 04:52 - 00000000 ____D C:\Program Files\Sony
2012-06-19 17:42 - 2010-09-13 20:03 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2012-06-19 17:08 - 2012-06-19 17:08 - 00000000 ___DC C:\Users\Dimitris\AppData\Local\MigWiz
2012-06-19 16:30 - 2010-11-02 17:54 - 00104654 ____A C:\Windows\PFRO.log
2012-06-19 16:30 - 2009-07-13 23:55 - 00332288 ____A (Microsoft Corporation) C:\Windows\System32\uxtheme.dll
2012-06-19 16:29 - 2011-05-29 07:46 - 02851840 ____A (Microsoft Corporation) C:\Windows\System32\themeui.dll
2012-06-19 16:29 - 2009-07-13 23:54 - 00044544 ____A (Microsoft Corporation) C:\Windows\System32\themeservice.dll
2012-06-19 15:36 - 2012-06-19 15:36 - 00000000 ____D C:\Program Files (x86)\NirSoft
2012-06-19 15:34 - 2009-07-14 05:13 - 01364376 ____A C:\Windows\System32\PerfStringBackup.INI
2012-06-19 15:28 - 2012-06-19 15:28 - 00000000 ____D C:\AMD
2012-06-19 15:16 - 2012-06-19 15:16 - 00273912 ____A C:\Windows\Minidump\061912-20342-01.dmp
2012-06-19 15:16 - 2011-08-09 13:21 - 923715317 ____A C:\Windows\MEMORY.DMP
2012-06-19 15:16 - 2011-01-09 07:58 - 00000000 ____D C:\Windows\Minidump
2012-06-19 15:13 - 2012-06-19 15:13 - 00000000 ____D C:\Users\Dimitris\Catalyst_Mobility_64-Bit_Util
2012-06-19 15:13 - 2010-09-02 18:47 - 00000000 ____D C:\users\Dimitris
2012-06-19 14:35 - 2012-06-19 14:35 - 00273912 ____A C:\Windows\Minidump\061912-27206-01.dmp
2012-06-19 14:01 - 2012-06-19 14:01 - 00476936 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\npdeployJava1.dll
2012-06-19 14:01 - 2011-11-05 10:39 - 00157448 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaws.exe
2012-06-19 14:01 - 2011-11-05 10:39 - 00149256 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaw.exe
2012-06-19 14:01 - 2011-11-05 10:39 - 00149256 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\java.exe
2012-06-19 14:01 - 2010-09-04 07:24 - 00472840 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\deployJava1.dll
2012-06-19 14:01 - 2010-02-26 04:51 - 00000000 ____D C:\Program Files (x86)\Java
2012-06-19 13:52 - 2012-06-19 13:52 - 00003288 ____N C:\bootsqm.dat
2012-06-19 07:33 - 2012-06-19 07:33 - 00273912 ____A C:\Windows\Minidump\061912-31559-01.dmp
2012-06-18 06:53 - 2012-06-18 06:53 - 00002295 ____A C:\Users\Dimitris\Desktop\aswMBR(2).txt
2012-06-18 06:25 - 2012-06-18 06:25 - 00273912 ____A C:\Windows\Minidump\061812-23337-01.dmp
2012-06-17 00:25 - 2009-07-14 04:45 - 00395304 ____A C:\Windows\System32\FNTCACHE.DAT
2012-06-17 00:05 - 2010-09-05 19:12 - 58957832 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-06-16 17:37 - 2012-06-16 17:37 - 00021773 ____A C:\ComboFix.txt
2012-06-16 17:37 - 2012-06-16 11:29 - 00000000 ____D C:\Qoobox
2012-06-16 17:33 - 2009-07-14 02:34 - 00000215 ____A C:\Windows\system.ini
2012-06-16 17:22 - 2009-07-14 03:20 - 00000000 __RHD C:\users\Default
2012-06-16 17:21 - 2012-06-16 11:29 - 00000000 ____D C:\Windows\erdnt
2012-06-15 18:53 - 2012-06-15 18:53 - 00273912 ____A C:\Windows\Minidump\061512-24273-01.dmp
2012-06-04 21:06 - 2012-06-04 21:06 - 00000020 ____A C:\Users\Dimitris\defogger_reenable
2012-06-04 20:24 - 2012-06-04 20:24 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-06-04 19:08 - 2011-05-29 21:28 - 00000000 ____D C:\Users\Dimitris\AppData\Local\CrashDumps
2012-06-04 17:12 - 2009-07-14 05:08 - 00032594 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-06-04 15:08 - 2012-06-04 15:08 - 00000000 ____D C:\Users\All Users\Kaspersky Lab
2012-06-03 16:07 - 2012-06-03 16:07 - 00000000 ____D C:\Users\Dimitris\AppData\Roaming\Malwarebytes
2012-06-03 16:07 - 2012-06-03 16:07 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-06-03 13:57 - 2012-06-03 13:57 - 00000000 ____D C:\d3ba6247f4e4ce22c61141dd
2012-06-03 13:52 - 2012-06-03 13:52 - 00000000 ____D C:\31f238157ae057e64cd6
2012-06-03 13:50 - 2012-06-03 13:50 - 00000000 ____D C:\eb59cf17b5cd0784c890d5d9
2012-06-03 12:08 - 2012-06-03 12:08 - 12621696 ____A (Microsoft Corporation) C:\Users\Dimitris\Desktop\mseinstall.exe
2012-06-03 11:40 - 2012-03-30 15:16 - 00419488 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-06-03 11:40 - 2011-04-27 19:12 - 00070304 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-05-27 09:06 - 2010-09-19 17:53 - 00000000 ____D C:\Users\Dimitris\AppData\Local\Nero
2012-05-19 18:54 - 2011-04-02 17:33 - 00000000 ____D C:\Users\Dimitris\AppData\Roaming\Skype
2012-05-18 19:01 - 2010-09-14 20:04 - 00000000 ____D C:\Program Files (x86)\Mozilla Thunderbird
2012-05-18 02:47 - 2012-06-17 00:00 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-05-18 02:16 - 2012-06-17 00:00 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-05-18 02:06 - 2012-06-17 00:00 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-05-18 01:59 - 2012-06-17 00:00 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-05-18 01:59 - 2012-06-17 00:00 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-05-18 01:58 - 2012-06-17 00:00 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-05-18 01:58 - 2012-06-17 00:00 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-05-18 01:56 - 2012-06-17 00:00 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-05-18 01:55 - 2012-06-17 00:00 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-05-18 01:55 - 2012-06-17 00:00 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-05-18 01:54 - 2012-06-17 00:00 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-05-18 01:51 - 2012-06-17 00:00 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-05-18 01:51 - 2012-06-17 00:00 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-05-18 01:47 - 2012-06-17 00:00 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-05-17 23:11 - 2012-06-17 00:00 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-05-17 22:48 - 2012-06-17 00:00 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-05-17 22:45 - 2012-06-17 00:00 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-05-17 22:36 - 2012-06-17 00:00 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-05-17 22:35 - 2012-06-17 00:00 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-05-17 22:35 - 2012-06-17 00:00 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-05-17 22:33 - 2012-06-17 00:00 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-05-17 22:31 - 2012-06-17 00:00 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-05-17 22:29 - 2012-06-17 00:00 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-05-17 22:29 - 2012-06-17 00:00 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-05-17 22:27 - 2012-06-17 00:00 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-05-17 22:25 - 2012-06-17 00:00 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-05-17 22:24 - 2012-06-17 00:00 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-05-17 22:20 - 2012-06-17 00:00 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-05-15 01:32 - 2012-06-15 18:49 - 03146752 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-05-12 08:39 - 2012-05-12 08:39 - 00000000 ____D C:\Users\All Users\Mozilla
2012-05-12 00:27 - 2011-03-28 18:15 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2012-05-12 00:00 - 2009-07-14 07:45 - 00000000 ____D C:\Program Files\Windows Journal
2012-05-08 11:32 - 2012-05-08 11:32 - 00792912 ____A C:\Windows\Minidump\050812-21169-01.dmp
2012-05-05 19:15 - 2012-03-30 16:15 - 08744608 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2012-05-05 18:56 - 2012-05-05 18:39 - 00000000 ____D C:\Users\Dimitris\AppData\Roaming\Subtitle Edit
2012-05-05 18:44 - 2012-05-05 18:39 - 00000000 ____D C:\Program Files (x86)\Subtitle Edit
2012-05-04 18:13 - 2012-05-04 18:13 - 00000000 ____D C:\Program Files (x86)\DirectVobSub
2012-05-04 11:06 - 2012-06-15 18:49 - 05559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-05-04 10:03 - 2012-06-15 18:49 - 03968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-05-04 10:03 - 2012-06-15 18:49 - 03913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-04-30 10:13 - 2012-04-30 10:13 - 00000000 ____D C:\Download
2012-04-30 09:58 - 2012-04-30 09:58 - 00000000 ____D C:\Users\Dimitris\AppData\Roaming\Samsung
2012-04-30 09:58 - 2012-04-30 09:58 - 00000000 ____D C:\Program Files (x86)\Samsung
2012-04-30 09:58 - 2012-04-30 09:58 - 00000000 ____D C:\AllShare
2012-04-30 09:58 - 2010-02-04 00:14 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2012-04-30 09:53 - 2012-04-07 17:11 - 00000000 ____D C:\Users\Dimitris\AppData\Local\Downloaded Installations
2012-04-28 03:55 - 2012-06-15 18:49 - 00210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-04-26 05:41 - 2012-06-15 18:49 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-04-26 05:41 - 2012-06-15 18:49 - 00077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-04-26 05:34 - 2012-06-15 18:49 - 00009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
2012-04-22 09:10 - 2012-02-05 17:04 - 00001394 ____A C:\Windows\SysWOW64\bash.exe.stackdump
2012-04-20 13:33 - 2012-04-20 13:33 - 00015639 ____A C:\Users\Dimitris\Desktop\bachata2watch.htm
2012-04-20 13:32 - 2012-04-20 13:32 - 00011728 ____A C:\Users\Dimitris\Desktop\bachata1.htm
2012-04-16 21:27 - 2010-10-03 08:19 - 00000000 ____D C:\Users\Dimitris\AppData\Local\Paint.NET
2012-04-15 07:35 - 2010-09-02 18:47 - 00093424 ____A C:\Users\Dimitris\AppData\Local\GDIPFONTCACHEV1.DAT
2012-04-15 07:14 - 2010-09-14 20:02 - 00000000 ____D C:\Program Files (x86)\OpenOffice.org 3
2012-04-13 05:50 - 2010-09-04 07:26 - 00000000 ____D C:\Update
2012-04-12 07:17 - 2012-03-31 14:10 - 00000000 ____D C:\Users\Dimitris\AppData\Roaming\DVD Flick
2012-04-11 21:27 - 2011-01-02 15:03 - 00000000 ___RD C:\Users\Dimitris\Documents\??????
2012-04-09 18:47 - 2012-04-09 18:47 - 00000719 ____A C:\Users\Dimitris\Desktop\??ί??????e? - S??t?e?s?.lnk
2012-04-09 18:46 - 2010-12-23 22:06 - 00000000 ____D C:\Users\Dimitris\AppData\Roaming\MyPhoneExplorer
2012-04-09 18:33 - 2011-03-20 09:31 - 00018323 ____A C:\Users\Dimitris\Desktop\????e?t?te?!.ods
2012-04-07 17:21 - 2011-05-20 10:01 - 00141312 ____A C:\Users\Dimitris\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-04-07 17:19 - 2012-04-07 17:19 - 00002791 ____A C:\Users\Public\Desktop\Launch Barbie Video Girl.lnk
2012-04-07 17:19 - 2012-04-07 17:19 - 00000000 ____D C:\Users\Dimitris\Documents\Video Girl Clips
2012-04-07 17:19 - 2012-04-07 17:19 - 00000000 ____D C:\Users\Dimitris\AppData\Roaming\Mattel
2012-04-07 17:19 - 2012-04-07 17:19 - 00000000 ____D C:\Program Files (x86)\Mattel
2012-04-07 17:07 - 2009-07-14 02:34 - 00000493 ____A C:\Windows\win.ini
2012-04-04 19:21 - 2012-04-04 19:21 - 00138459 ____A C:\Users\Dimitris\Desktop\transactions 2012-03-19.xps
2012-04-01 15:43 - 2012-03-31 16:20 - 00000000 ____D C:\Users\Dimitris\Desktop\Vera Cruz
2012-04-01 14:36 - 2012-04-01 14:36 - 00000000 ____D C:\Users\Dimitris\Documents\Freemake
2012-04-01 14:36 - 2012-04-01 14:36 - 00000000 ____D C:\Users\All Users\Freemake
2012-04-01 14:36 - 2012-04-01 14:36 - 00000000 ____D C:\Program Files (x86)\Freemake
2012-04-01 14:08 - 2012-04-01 09:22 - 00000000 ____D C:\Program Files (x86)\Free MKV Video2Dvd
2012-04-01 09:35 - 2012-04-01 09:22 - 00000000 ____D C:\v2d
2012-04-01 09:08 - 2012-03-31 09:31 - 00000000 ____D C:\Program Files (x86)\AviSynth 2.5
2012-04-01 09:07 - 2012-04-01 09:04 - 00000000 ____D C:\Program Files (x86)\The FilmMachine
2012-04-01 09:03 - 2012-03-30 15:40 - 00000000 ____D C:\Users\Dimitris\Desktop\The Magnificent Seven
2012-04-01 08:11 - 2012-03-31 21:12 - 00000000 ____D C:\Users\Dimitris\Desktop\7 Days - Norway
2012-04-01 08:05 - 2012-03-31 21:11 - 00000000 ____D C:\Users\Dimitris\Desktop\Compulsive Traveller - Alaska
2012-03-31 14:09 - 2012-03-31 14:09 - 00000000 ____D C:\Program Files (x86)\DVD Flick
2012-03-31 14:03 - 2012-03-31 09:23 - 00000000 ____D C:\Program Files (x86)\Avi2Dvd
2012-03-31 09:38 - 2012-03-31 09:38 - 00000000 ____D C:\Users\Dimitris\avi2dvd
2012-03-30 19:07 - 2010-09-02 18:47 - 00000000 ____D C:\Users\Dimitris\AppData\Local\VirtualStore
2012-03-30 17:07 - 2011-01-08 12:07 - 00007623 ____A C:\Users\Dimitris\AppData\Local\resmon.resmoncfg
2012-03-30 11:35 - 2012-05-11 17:50 - 01918320 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 9%
Total physical RAM: 8046.07 MB
Available physical RAM: 7243.28 MB
Total Pagefile: 8044.21 MB
Available Pagefile: 7226.11 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

======================= Partitions =========================

1 Drive c: (Sylvia) (Fixed) (Total:451.42 GB) (Free:322.22 GB) NTFS
2 Drive e: (Recovery) (Fixed) (Total:14.25 GB) (Free:0.78 GB) NTFS
4 Drive g: () (Removable) (Total:7.46 GB) (Free:7.46 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
6 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ###  Status         Size     Free     Dyn  Gpt
--------  -------------  -------  -------  ---  ---
Disk 0    Online         465 GB   0 B
Disk 1    Online         7660 MB  0 B

Partitions of Disk 0:
===============

Partition ###  Type              Size     Offset
-------------  ----------------  -------  -------
Partition 1    Recovery          14 GB    1024 KB
Partition 2    Primary           100 MB   14 GB
Partition 3    Primary           451 GB   14 GB

======================================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3    E    Recovery     NTFS   Partition   14 GB    Healthy    Hidden

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1    Y    System Rese  NTFS   Partition   100 MB   Healthy

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2    C    Sylvia       NTFS   Partition   451 GB   Healthy

======================================================================================================

Partitions of Disk 1:
===============

Partition ###  Type              Size     Offset
-------------  ----------------  -------  -------
Partition 1    Primary           7656 MB  4096 KB

======================================================================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 4    G                 FAT32  Removable   7656 MB  Healthy

======================================================================================================

==========================================================

Last Boot: 2012-06-17 21:07

======================= End Of Log ==========================
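Reading an FRST log of this length by eye is slow, and the two line formats it uses (the Drivers entries near the top and the Created/Modified Files entries) are regular enough to parse. The Python below is an added example for this thread, not the poster's code and not part of FRST or any BleepingComputer tool: it parses both formats, applies a few triage heuristics a responder might start from (a driver image living under a user profile or Temp directory, an auto-start driver whose image is missing, a path containing a literal unexpanded %NAME% token, a hidden+system directory created under C:\Windows), and includes the hash comparison that sits behind FRST's "MD5 is legit" lines. The sample lines are copied from the log above; the heuristics and their wording are this example's own assumptions, and a hit is a lead to verify by hand, not a verdict on the file.

```python
"""Triage helpers for lines from a Farbar Recovery Scan Tool (FRST) log.

Added example for this thread; not the poster's code and not part of FRST.
The sample lines are copied from the log above; the heuristics are this
example's own assumptions, and a hit is a lead to verify, not a verdict.
"""
import hashlib
import re
from dataclasses import dataclass

# "One Month Created Files" / "3 Months Modified Files" line layout:
#   <created> - <modified> - <size> <attrs> [(Company)] <path>
FILE_LINE = re.compile(
    r"^(?P<t1>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<t2>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?(?P<path>.+)$"
)

# "Drivers" line layout; a missing image file is printed as "[x]" with no company:
#   <start type> <service name>; <image path> [<size> <date>] (<company>)
DRIVER_LINE = re.compile(
    r"^(?P<start>\d) (?P<name>[^;]+); (?P<path>.+?) "
    r"(?:\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\]|\[x\])"
    r"(?: \((?P<company>[^)]*)\))?$"
)

ENV_TOKEN = re.compile(r"%[A-Za-z_]+%")   # a literal, never-expanded %NAME%


@dataclass
class Finding:
    line: str
    reason: str


def parse_file_line(line):
    """Return the fields of a Created/Modified Files line, or None."""
    m = FILE_LINE.match(line)
    return m.groupdict() if m else None


def parse_driver_line(line):
    """Return the fields of a Drivers line, or None ("size" is None for [x])."""
    m = DRIVER_LINE.match(line)
    return m.groupdict() if m else None


def flag_file(line):
    rec = parse_file_line(line)
    if rec is None:
        return None
    path, attrs = rec["path"], rec["attrs"]
    if ENV_TOKEN.search(path):
        # A directory literally named %APPDATA% means something wrote the
        # variable name without expanding it; normal installers do not.
        return Finding(line, "path contains a literal, unexpanded %NAME% token")
    if {"S", "H", "D"} <= set(attrs) and path.lower().startswith("c:\\windows\\"):
        return Finding(line, "hidden+system directory created under C:\\Windows")
    return None


def flag_driver(line):
    rec = parse_driver_line(line)
    if rec is None:
        return None
    image = rec["path"].lower().replace("\\??\\", "")   # strip the NT object-path prefix
    if "\\temp\\" in image or "\\users\\" in image:
        return Finding(line, "kernel driver image under a user profile or Temp directory")
    if rec["size"] is None and rec["start"] in ("0", "1", "2"):
        return Finding(line, "boot/system/auto-start driver whose image file is missing")
    return None


def triage(file_lines, driver_lines):
    """Run every heuristic and return the findings in log order (files first)."""
    findings = []
    for l in file_lines:
        f = flag_file(l)
        if f:
            findings.append(f)
    for l in driver_lines:
        f = flag_driver(l)
        if f:
            findings.append(f)
    return findings


def md5_matches(data, expected_hex):
    """The check behind FRST's 'MD5 is legit' lines: hash the image bytes and
    compare against a known-good digest for that exact OS build and patch level."""
    return hashlib.md5(data).hexdigest() == expected_hex.lower()


# Sample input, copied from the log above (constructed list, not a live read).
SAMPLE_FILES = [
    "2012-06-20 21:44 - 2012-06-20 21:59 - 00000000 ____D C:\\FRST",
    "2012-06-19 16:30 - 2009-07-14 01:41 - 00332288 ____A (Microsoft Corporation) C:\\Windows\\System32\\uxtheme.dll.backup",
    "2012-06-04 20:24 - 2012-06-04 20:24 - 00000000 __SHD C:\\Windows\\System32\\%APPDATA%",
]
SAMPLE_DRIVERS = [
    "4 sptd; C:\\Windows\\System32\\Drivers\\sptd.sys [834544 2010-09-18] (Duplex Secure Ltd.)",
    "3 ALSysIO; \\??\\C:\\Users\\Dimitris\\AppData\\Local\\Temp\\ALSysIO64.sys [x]",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_FILES, SAMPLE_DRIVERS):
        print(f"{f.reason}\n    {f.line}")
```

Run as a script it reports two hits from the sample: the `__SHD` directory named `%APPDATA%` under System32 and the driver registered from a user's Temp folder. Both still need the object itself examined before drawing a conclusion; the `[x]` on the second line records only that the image file was not present when FRST ran. The hash helper is deliberately a plain comparison: its value comes entirely from where the known-good digests come from, which must be the same Windows build and update level as the machine under review, or every patched binary will show as a mismatch.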



