
Possible Trolltech Trojan, Trend Micro Clean Boot, Unexplained Pop Up



#1 mred27

Posted 31 May 2014 - 06:37 PM

Three issues that may be related to, and contributing to, ESET's scan and removal of cracked software showing a possible "Themida" trojan, explained in this other post. I was told to start a new topic here and paste and attach DDS logs.

http://www.bleepingcomputer.com/forums/t/535869/obsolete-software-key-trolltech-keeps-coming-back/

 

1. CCleaner Registry Cleaner keeps finding this key after reboot even though I have been deleting it. Possible Malware?

Obsolete software key    Trolltech    HKCU\Software\Trolltech

 

2. I can't seem to uninstall Trend Micro's Clean Boot. It is part of Trend Micro Titanium 2014. I uninstalled the program through Add/Remove Programs and then also used their uninstall tool, and I edited the registry, deleting all Trend references, but it still comes up as an option during boot. Also, it still runs. Any way to get rid of it please? Thx.

 

3. Lastly, I have had this popup for 6 months:

"The application was unable to complete an operation."
Details:
A duplicate value cannot be inserted into a unique index.
[Table name = Prperties Constraint name = PK_Properties]

-----------------------------------

DDS Log

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.17041  BrowserJavaVersion: 10.55.2
Run by MY at 18:44:43 on 2014-05-31
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.8140.5672 [GMT -4:00]
.
AV: avast! Antivirus *Disabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: avast! Antivirus *Disabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
FW: avast! Antivirus *Disabled* {2F96FC65-F07D-9D1E-5A6E-3DA5C487EAF0}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\WLANExt.exe
C:\Program Files (x86)\Avast Free 2014 Reinstall 2-22-14\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\System32\alg.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Program Files (x86)\Browny02\BrYNSvc.exe
C:\Windows\SysWow64\IntelCpHeciSvc.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
C:\Windows\System32\svchost.exe -k NetworkServiceAndNoImpersonation
C:\Program Files (x86)\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Windows\System32\msdtc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe
C:\Windows\SysWow64\perfhost.exe
c:\Program Files (x86)\Sony\PMB\PMBDeviceInfoProvider.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\PSEXESVC.EXE
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\System32\snmptrap.exe
C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SOHCImp.exe
C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SOHDs.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Easy Defrag Bits Du Jour 2-28-14\Live Defrag\supereasydefragservice.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\UI0Detect.exe
C:\Program Files (x86)\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files (x86)\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe
C:\Program Files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe
C:\Program Files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper64.exe
C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe
C:\Program Files\Sony\VAIO Care\VCService.exe
C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe
C:\Windows\System32\vds.exe
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Sony\VAIO Update\vuagent.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\SPF\SpfService64.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\CONEXANT\cAudioFilterAgent\cAudioFilterAgent64.exe
C:\Users\MY\AppData\Local\FluxSoftware\Flux\flux.exe
C:\Program Files (x86)\Roboform 8-5-13\robotaskbaricon.exe
C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Program Files (x86)\Avast Free 2014 Reinstall 2-22-14\AvastUI.exe
C:\Program Files (x86)\Sony\ISB Utility\ISBMgr.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\YCIII\YankClip.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Sony\VAIO Care\esrv\esrv_svc.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Sony\VAIO Smart Network\VSNService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Sony\VAIO Smart Network\VSNClient.exe
C:\Program Files\Sony\VAIO Update\VAIOUpdt.exe
C:\Program Files\Sony\VAIO Care\esrv\esrv_svc.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\DDNi\Oasis2Service\Oasis2Service.exe
C:\Program Files\Sony\VAIO Care\VCPerfService.exe
C:\Program Files\Sony\VAIO Care\listener.exe
C:\Program Files (x86)\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files\Sony\VAIO Care\VCSystemTray.exe
C:\Program Files\Sony\VAIO Care\VCAgent.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\SysWOW64\ctfmon.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxps://www.google.com/
uSearch Bar = hxxps://www.google.com/
mStart Page = hxxps://www.google.com/
mDefault_Search_URL = hxxps://www.google.com/
uSearchURL,(Default) = hxxps://www.google.com/
mSearchAssistant = hxxps://www.google.com/
mCustomizeSearch = hxxps://www.google.com/
BHO: Protect My Choices (Beta): {3DFCDCA1-AEAC-4302-A690-BFB683568BAA} - C:\Program Files (x86)\DigitalAdvertisingAlliance\Protect My Choices\pmc.dll
BHO: PlusIEEventHelper Class: {551A852F-39A6-44A7-9C13-AFBEC9185A9D} - C:\Program Files (x86)\Nuance\PDF Viewer Plus\bin\PlusIEContextMenu.dll
BHO: RoboForm Toolbar Helper: {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Roboform 8-5-13\roboform.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Logitech SetPoint: {AF949550-9094-4807-95EC-D1C317803333} - C:\Program Files\Logitech\SetPointP\32-bit\SetPointSmooth.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB: &RoboForm Toolbar: {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Program Files (x86)\Roboform 8-5-13\roboform.dll
TB: &RoboForm Toolbar: {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Roboform 8-5-13\roboform.dll
uRun: [f.lux] "C:\Users\MY\AppData\Local\FluxSoftware\Flux\flux.exe" /noshow
uRun: [RoboForm] "C:\Program Files (x86)\Roboform 8-5-13\RoboTaskBarIcon.exe"
uRun: [ISUSPM] C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe -scheduler
uRun: [GUDelayStartup] "C:\Program Files (x86)\Glary Utilities 5\StartupManager.exe" -delayrun
mRun: [AvastUI.exe] "C:\Program Files (x86)\Avast Free 2014 Reinstall 2-22-14\AvastUI.exe" /nogui
mRun: [ISBMgr.exe] "C:\Program Files (x86)\Sony\ISB Utility\ISBMgr.exe"
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
StartupFolder: C:\Users\MY\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\YANKEE~1.LNK - C:\Program Files (x86)\YCIII\YankClip.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MICROS~1.LNK - C:\Program Files (x86)\Microsoft Office\Office10\OSA.EXE
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
mPolicies-System: EnableSecureUIAPath = dword:1
IE: Customize Menu - C:/Program Files (x86)/Roboform 8-5-13/RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MIF5BA~1\Office10\EXCEL.EXE/3000
IE: Fill Forms - C:/Program Files (x86)/Roboform 8-5-13/RoboFormComFillForms.html
IE: Password Generator - C:/Program Files (x86)/Roboform 8-5-13/RoboFormComPasswordGenerator.html
IE: RoboForm Editor - C:/Program Files (x86)/Roboform 8-5-13/RoboFormComEditIdent.html
IE: Save Forms - C:/Program Files (x86)/Roboform 8-5-13/RoboFormComSavePass.html
IE: Show RoboForm Toolbar - C:/Program Files (x86)/Roboform 8-5-13/RoboFormComShowToolbar.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files (x86)\Roboform 8-5-13\roboform.dll
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files (x86)\Roboform 8-5-13\roboform.dll
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Roboform 8-5-13\roboform.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_45-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0045-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_45-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_45-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{B59C479D-3ED6-4C1B-8B7C-8DA86D5F3707} : DHCPNameServer = 75.75.75.75 75.75.76.76
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files (x86)\Belarc\BelarcAdvisor\System\BAVoilaX.dll
Handler: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - <orphaned>
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - <orphaned>
SSODL: WebCheck - <orphaned>
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\Windows\System32\wpdshserviceobj.dll
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\35.0.1916.114\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: RoboForm Toolbar Helper: {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Roboform 8-5-13\RoboForm-x64.dll
x64-BHO: Logitech SetPoint: {AF949550-9094-4807-95EC-D1C317803333} - C:\Program Files\Logitech\SetPointP\SetPointSmooth.dll
x64-TB: &RoboForm Toolbar: {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Roboform 8-5-13\RoboForm-x64.dll
x64-Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [Persistence] "C:\Windows\System32\igfxpers.exe"
x64-Run: [IgfxTray] "C:\Windows\System32\igfxtray.exe"
x64-Run: [HotKeysCmds] "C:\Windows\System32\hkcmd.exe"
x64-Run: [cAudioFilterAgent] C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe
x64-IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files (x86)\Roboform 8-5-13\RoboForm-x64.dll
x64-IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files (x86)\Roboform 8-5-13\RoboForm-x64.dll
x64-IE: {724d43aa-0d85-11d4-9908-00400523e39a} - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Roboform 8-5-13\RoboForm-x64.dll
x64-Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - <orphaned>
x64-Handler: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - <orphaned>
x64-Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\MY\AppData\Roaming\Mozilla\Firefox\Profiles\i18ib50v.default-1395996555282\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\5.1.30214.0\npctrlui.dll
FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw_1210150.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_13_0_0_206.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_13_0_0_214.dll
.
============= SERVICES / DRIVERS ===============
.
R0 aswRvrt;avast! Revert;C:\Windows\System32\drivers\aswRvrt.sys [2014-2-22 65776]
R0 aswVmm;avast! VM Monitor;C:\Windows\System32\drivers\aswVmm.sys [2014-2-22 208416]
R0 GUBootStartup;GUBootStartup;C:\Windows\System32\drivers\GUBootStartup.sys [2014-5-15 20672]
R1 aswSnx;aswSnx;C:\Windows\System32\drivers\aswsnx.sys [2014-2-22 1039096]
R1 aswSP;aswSP;C:\Windows\System32\drivers\aswsp.sys [2014-2-22 423240]
R1 mbamchameleon;mbamchameleon;C:\Windows\System32\drivers\mbamchameleon.sys [2014-3-30 91352]
R2 aswHwid;avast! HardwareID;C:\Windows\System32\drivers\aswHwid.sys [2014-4-26 29208]
R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2014-2-22 79184]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files (x86)\Avast Free 2014 Reinstall 2-22-14\AvastSvc.exe [2014-4-1 50344]
R2 BrYNSvc;BrYNSvc;C:\Program Files (x86)\Browny02\BrYNSvc.exe [2014-2-24 266240]
R2 ESRV_SVC;Energy Server Service;C:\Program Files\Sony\VAIO Care\esrv\esrv_svc.exe [2013-11-1 377768]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2013-12-9 13336]
R2 IconMan_R;IconMan_R;C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [2014-3-3 2429544]
R2 Oasis2Service;Oasis2Service;C:\Program Files (x86)\DDNi\Oasis2Service\Oasis2Service.exe [2013-7-3 61440]
R2 PDFProFiltSrvPP;PDFProFiltSrvPP;C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe [2011-8-2 145256]
R2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;C:\Program Files (x86)\Sony\PMB\PMBDeviceInfoProvider.exe [2010-11-27 398176]
R2 SampleCollector;Intel® System Behavior Tracker Collector Service;C:\Program Files\Sony\VAIO Care\VCPerfService.exe [2013-11-1 266168]
R2 SOHCImp;VAIO Content Importer;C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SOHCImp.exe [2011-11-3 138392]
R2 SOHDs;VAIO Device Searcher;C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SOHDs.exe [2011-11-3 74904]
R2 SpfService;VAIO Entertainment Common Service;C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\SPF\SpfService64.exe [2011-9-23 289952]
R2 SSPORT;SSPORT;C:\Windows\System32\drivers\SSPORT.sys [2013-4-10 11576]
R2 SuperEasy Software Defrag Service;SuperEasy Software Defrag Service;C:\Program Files (x86)\Easy Defrag Bits Du Jour 2-28-14\Live Defrag\supereasydefragservice.exe [2014-2-28 1429976]
R2 uCamMonitor;CamMonitor;C:\Program Files (x86)\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe [2013-12-9 105024]
R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2013-12-9 2656280]
R2 USER_ESRV_SVC;User Energy Server Service;C:\Program Files\Sony\VAIO Care\esrv\esrv_svc.exe [2013-11-1 377768]
R2 VCFw;VAIO Content Folder Watcher;C:\Program Files (x86)\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe [2011-10-24 958112]
R2 VcmXmlIfHelper;VAIO Content Metadata XML Interface;C:\Program Files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper64.exe [2011-8-26 101600]
R2 VCService;VCService;C:\Program Files\Sony\VAIO Care\VCService.exe [2014-2-20 60504]
R2 VSNService;VSNService;C:\Program Files\Sony\VAIO Smart Network\VSNService.exe [2013-12-9 852160]
R2 VUAgent;VUAgent;C:\Program Files\Sony\VAIO Update\VUAgent.exe [2014-5-22 1642544]
R3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;C:\Windows\System32\drivers\ArcSoftKsUFilter.sys [2013-12-9 19968]
R3 IntcDAud;Intel® Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2011-3-28 317440]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\Windows\System32\drivers\L1C62x64.sys [2011-2-16 76912]
R3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;C:\Windows\System32\drivers\LEqdUsb.sys [2013-5-23 77592]
R3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;C:\Windows\System32\drivers\LHidEqd.sys [2013-5-23 13080]
R3 RSPCIESTOR;Realtek PCIE CardReader Driver;C:\Windows\System32\drivers\RtsPStor.sys [2014-3-3 340072]
R3 semav6thermal64ro;semav6thermal64ro;C:\Windows\System32\drivers\semav6thermal64ro.sys [2012-11-15 13792]
R3 SFEP;Sony Firmware Extension Parser;C:\Windows\System32\drivers\SFEP.sys [2010-6-1 12032]
R3 SmbDrvI;SmbDrvI;C:\Windows\System32\drivers\Smb_driver_Intel.sys [2013-12-31 32496]
R3 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;C:\Program Files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe [2011-9-8 549408]
R3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\System32\drivers\wdcsam64.sys [2008-5-6 14464]
S2 aswStm;aswStm;C:\Windows\System32\drivers\aswstm.sys [2014-2-22 85328]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
S2 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2014-4-22 111616]
S2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\MalwareBytes Pro Reinstalll 2-22-14\Malwarebytes Anti-Malware\mbamscheduler.exe [2014-3-30 1809720]
S2 MBAMService;MBAMService;C:\Program Files (x86)\MalwareBytes Pro Reinstalll 2-22-14\Malwarebytes Anti-Malware\mbamservice.exe [2014-3-30 860472]
S2 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2013-12-10 1255736]
S3 ampa;ampa;C:\Windows\System32\ampa.sys [2014-3-7 17008]
S3 e1yexpress;Intel® Gigabit Network Connections Driver;C:\Windows\System32\drivers\e1y60x64.sys [2009-6-10 281088]
S3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2014-2-22 25816]
S3 MBAMWebAccessControl;MBAMWebAccessControl;C:\Windows\System32\drivers\mwac.sys [2014-3-30 63704]
S3 MDA_NTDRV;MDA_NTDRV;C:\Windows\System32\MDA_NTDRV.sys [2013-2-25 21208]
S3 pwdspio;pwdspio;C:\Windows\System32\pwdspio.sys [2013-12-20 12504]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2013-12-17 19456]
S3 taphss6;Anchorfree HSS VPN Adapter;C:\Windows\System32\drivers\taphss6.sys [2013-11-13 42184]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2014-2-21 56832]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2013-12-17 30208]
S3 UsbFltr;WayTech USB Filter Driver;C:\Windows\System32\drivers\UsbFltr.sys [2007-4-9 12288]
S3 VcmINSMgr;VAIO Content Metadata Intelligent Network Service Manager;C:\Program Files\Sony\VCM Intelligent Network Service Manager\VcmINSMgr.exe [2011-9-8 381488]
.
=============== Created Last 30 ================
.
2014-05-31 22:10:09    --------    d-----w-    C:\Program Files (x86)\DriveImage XML
2014-05-31 21:31:24    --------    d-----w-    C:\Windows\SysWow64\directx
2014-05-31 21:16:38    --------    d-----w-    C:\Users\MY\AppData\Roaming\iolo
2014-05-31 21:16:38    --------    d-----w-    C:\ProgramData\iolo
2014-05-31 20:37:47    --------    d-----w-    C:\Program Files (x86)\Video Watermark Maker 5-31-14 Bits Du Jour
2014-05-31 12:23:43    10702536    ----a-w-    C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{6D85A52E-E033-4943-8F01-E2950B6E815A}\mpengine.dll
2014-05-29 21:55:16    --------    d-----w-    C:\Program Files (x86)\Doppelganger Free Trial 5-29-14
2014-05-29 15:46:18    536576    ----a-w-    C:\Windows\SysWow64\sqlite3.dll
2014-05-28 20:18:01    --------    d-----w-    C:\Users\MY\AppData\Roaming\SpringPublisher
2014-05-28 20:14:23    --------    d-----w-    C:\Program Files (x86)\Slim Publisher 5-28-14
2014-05-26 21:57:26    --------    d-----w-    C:\Program Files (x86)\Fonts-Free 1000 5-26-14
2014-05-26 05:37:14    --------    d-sh--w-    C:\Users\MY\AppData\Roaming\Common
2014-05-26 05:37:08    --------    d-----w-    C:\Program Files (x86)\FileSeek
2014-05-26 05:28:44    --------    d-----w-    C:\Users\MY\AppData\Roaming\JAM Software
2014-05-26 05:28:40    --------    d-----w-    C:\Program Files\UltraSearch
2014-05-26 05:22:12    --------    d-----w-    C:\Program Files (x86)\Quick Search
2014-05-22 16:24:31    --------    d-----w-    C:\Program Files (x86)\Android Data Recovery 5-22-14
2014-05-21 22:21:37    --------    d-----w-    C:\Recovered
2014-05-21 22:17:42    --------    d-----w-    C:\Program Files (x86)\Picture Doctor 5-21-14
2014-05-20 13:14:00    --------    d-----w-    C:\Program Files (x86)\Smart Diary
2014-05-19 10:13:08    --------    d-----w-    C:\Program Files (x86)\Backup SF Basic 5-18-14
2014-05-18 23:45:58    --------    d-----w-    C:\Program Files (x86)\Watermark Picture Software 5-18-14
2014-05-15 10:05:14    20672    ----a-w-    C:\Windows\System32\drivers\GUBootStartup.sys
2014-05-15 10:05:03    --------    d-----w-    C:\Program Files (x86)\Glary Utilities 5
2014-05-14 04:53:01    2724864    ----a-w-    C:\Windows\SysWow64\mshtml.tlb
2014-05-14 04:53:01    2724864    ----a-w-    C:\Windows\System32\mshtml.tlb
2014-05-14 04:53:00    --------    d-----w-    C:\Program Files (x86)\HD Video Converter By Fox-Bits 5-14-14
2014-05-14 04:47:11    477184    ----a-w-    C:\Windows\System32\aepdu.dll
2014-05-14 04:47:10    424448    ----a-w-    C:\Windows\System32\aeinv.dll
2014-05-14 01:11:59    29184    ----a-w-    C:\Windows\System32\sspisrv.dll
2014-05-14 01:11:59    28160    ----a-w-    C:\Windows\System32\secur32.dll
2014-05-14 01:11:59    22016    ----a-w-    C:\Windows\System32\credssp.dll
2014-05-14 01:11:59    17408    ----a-w-    C:\Windows\SysWow64\credssp.dll
2014-05-14 01:11:58    96768    ----a-w-    C:\Windows\SysWow64\sspicli.dll
2014-05-14 01:11:58    22016    ----a-w-    C:\Windows\SysWow64\secur32.dll
2014-05-12 15:13:54    --------    d-----w-    C:\Users\MY\AppData\Local\TriSun_Software_Inc
2014-05-12 15:11:07    --------    d-----w-    C:\Program Files (x86)\Duplicate File Finder Bits Du Jour 5-12-14
2014-05-08 00:20:08    --------    d-----w-    C:\Program Files\Nuance
2014-05-08 00:19:25    --------    d-----w-    C:\ProgramData\zeon
2014-05-08 00:13:51    --------    d-----w-    C:\Program Files (x86)\Common Files\ScanSoft Shared
2014-05-08 00:13:47    --------    d-----w-    C:\Program Files (x86)\Nuance
2014-05-07 22:04:42    --------    d-----w-    C:\Program Files (x86)\Microsoft ActiveSync
2014-05-07 07:17:15    --------    d-----w-    C:\Program Files (x86)\Video Water Maker 5-6-14
2014-05-05 10:07:50    --------    d-----w-    C:\Users\MY\AppData\Roaming\Engelmann Media
2014-05-05 10:07:50    --------    d-----w-    C:\ProgramData\Engelmann Media
2014-05-05 10:07:43    --------    d-----w-    C:\Program Files (x86)\Common Files\OGG
2014-05-05 10:07:43    --------    d-----w-    C:\Program Files (x86)\Common Files\HDX4
2014-05-05 10:02:15    --------    d-----w-    C:\Program Files (x86)\i-Studio 6 Bits Du Jour 5-5-14
2014-05-04 07:34:44    --------    d-sh--w-    C:\ProgramData\System Restore
2014-05-04 00:12:06    --------    d-----w-    C:\Program Files (x86)\DVD Ripper Platinum Bits Du Jour 5-3-14
2014-05-02 10:15:53    --------    d-----w-    C:\Program Files (x86)\Android Data Recovery
2014-05-02 01:04:04    --------    d-s---w-    C:\Windows\System32\CompatTel
.
==================== Find3M  ====================
.
2014-05-31 21:54:26    122584    ----a-w-    C:\Windows\System32\drivers\MBAMSwissArmy.sys
2014-05-15 10:07:26    85328    ----a-w-    C:\Windows\System32\drivers\aswstm.sys
2014-05-15 10:07:26    1039096    ----a-w-    C:\Windows\System32\drivers\aswsnx.sys
2014-05-14 13:33:14    70832    ----a-w-    C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2014-05-14 13:33:14    692400    ----a-w-    C:\Windows\SysWow64\FlashPlayerApp.exe
2014-05-14 08:39:30    24352    ----a-w-    C:\Windows\System32\RegBootDefrag.exe
2014-05-12 11:26:10    63704    ----a-w-    C:\Windows\System32\drivers\mwac.sys
2014-05-12 11:26:00    91352    ----a-w-    C:\Windows\System32\drivers\mbamchameleon.sys
2014-05-12 11:25:56    25816    ----a-w-    C:\Windows\System32\drivers\mbam.sys
2014-04-26 07:16:45    93568    ----a-w-    C:\Windows\System32\drivers\aswRdr2.sys
2014-04-26 07:16:45    79184    ----a-w-    C:\Windows\System32\drivers\aswMonFlt.sys
2014-04-26 07:16:45    65776    ----a-w-    C:\Windows\System32\drivers\aswRvrt.sys
2014-04-26 07:16:45    29208    ----a-w-    C:\Windows\System32\drivers\aswHwid.sys
2014-04-26 07:16:45    208416    ----a-w-    C:\Windows\System32\drivers\aswVmm.sys
2014-04-26 07:16:43    43152    ----a-w-    C:\Windows\avastSS.scr
2014-04-15 00:13:43    96168    ----a-w-    C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2014-04-12 02:22:05    95680    ----a-w-    C:\Windows\System32\drivers\ksecdd.sys
2014-04-12 02:22:05    155072    ----a-w-    C:\Windows\System32\drivers\ksecpkg.sys
2014-04-12 02:19:38    136192    ----a-w-    C:\Windows\System32\sspicli.dll
2014-04-12 02:19:32    1460736    ----a-w-    C:\Windows\System32\lsasrv.dll
2014-04-12 02:19:05    31232    ----a-w-    C:\Windows\System32\lsass.exe
2014-04-08 09:24:17    13792    ----a-w-    C:\Windows\System32\drivers\semav6thermal64ro.sys
2014-03-31 13:35:08    270496    ------w-    C:\Windows\System32\MpSigStub.exe
2014-03-07 20:30:54    1024    ---h--w-    C:\AMTAG.BIN
2014-03-06 09:31:33    4096    ----a-w-    C:\Windows\System32\ieetwcollectorres.dll
2014-03-06 08:59:04    66048    ----a-w-    C:\Windows\System32\iesetup.dll
2014-03-06 08:57:34    548352    ----a-w-    C:\Windows\System32\vbscript.dll
2014-03-06 08:57:20    48640    ----a-w-    C:\Windows\System32\ieetwproxystub.dll
2014-03-06 08:29:40    139264    ----a-w-    C:\Windows\System32\ieUnatt.exe
2014-03-06 08:29:14    111616    ----a-w-    C:\Windows\System32\ieetwcollector.exe
2014-03-06 08:28:15    752640    ----a-w-    C:\Windows\System32\jscript9diag.dll
2014-03-06 08:15:54    940032    ----a-w-    C:\Windows\System32\MsSpellCheckingFacility.exe
2014-03-06 08:11:41    5784064    ----a-w-    C:\Windows\System32\jscript9.dll
2014-03-06 08:02:34    61952    ----a-w-    C:\Windows\SysWow64\iesetup.dll
2014-03-06 08:02:33    455168    ----a-w-    C:\Windows\SysWow64\vbscript.dll
2014-03-06 08:01:01    51200    ----a-w-    C:\Windows\SysWow64\ieetwproxystub.dll
2014-03-06 07:56:43    38400    ----a-w-    C:\Windows\System32\JavaScriptCollectionAgent.dll
2014-03-06 07:46:36    4254720    ----a-w-    C:\Windows\SysWow64\jscript9.dll
2014-03-06 07:38:13    112128    ----a-w-    C:\Windows\SysWow64\ieUnatt.exe
2014-03-06 07:36:40    592896    ----a-w-    C:\Windows\SysWow64\jscript9diag.dll
2014-03-06 07:13:43    32256    ----a-w-    C:\Windows\SysWow64\JavaScriptCollectionAgent.dll
2014-03-06 07:11:15    2043904    ----a-w-    C:\Windows\System32\inetcpl.cpl
2014-03-06 06:40:39    1967104    ----a-w-    C:\Windows\SysWow64\inetcpl.cpl
2014-03-06 06:22:40    2260480    ----a-w-    C:\Windows\System32\wininet.dll
2014-03-06 05:41:49    1789440    ----a-w-    C:\Windows\SysWow64\wininet.dll
2014-03-04 09:47:01    5550016    ----a-w-    C:\Windows\System32\ntoskrnl.exe
2014-03-04 09:44:21    362496    ----a-w-    C:\Windows\System32\wow64win.dll
2014-03-04 09:44:21    243712    ----a-w-    C:\Windows\System32\wow64.dll
2014-03-04 09:44:21    13312    ----a-w-    C:\Windows\System32\wow64cpu.dll
2014-03-04 09:44:20    39936    ----a-w-    C:\Windows\System32\wincredprovider.dll
2014-03-04 09:44:10    210944    ----a-w-    C:\Windows\System32\wdigest.dll
2014-03-04 09:44:08    86528    ----a-w-    C:\Windows\System32\TSpkg.dll
2014-03-04 09:44:06    340992    ----a-w-    C:\Windows\System32\schannel.dll
2014-03-04 09:44:03    722944    ----a-w-    C:\Windows\System32\objsel.dll
2014-03-04 09:44:03    314880    ----a-w-    C:\Windows\System32\msv1_0.dll
2014-03-04 09:44:03    16384    ----a-w-    C:\Windows\System32\ntvdm64.dll
2014-03-04 09:44:00    728064    ----a-w-    C:\Windows\System32\kerberos.dll
2014-03-04 09:44:00    424960    ----a-w-    C:\Windows\System32\KernelBase.dll
2014-03-04 09:43:56    57344    ----a-w-    C:\Windows\System32\cngprovider.dll
2014-03-04 09:43:56    52736    ----a-w-    C:\Windows\System32\dpapiprovider.dll
2014-03-04 09:43:56    44544    ----a-w-    C:\Windows\System32\dimsroam.dll
2014-03-04 09:43:55    56832    ----a-w-    C:\Windows\System32\adprovider.dll
2014-03-04 09:43:55    53760    ----a-w-    C:\Windows\System32\capiprovider.dll
2014-03-04 09:43:50    455168    ----a-w-    C:\Windows\System32\winlogon.exe
2014-03-04 09:20:11    3969984    ----a-w-    C:\Windows\SysWow64\ntkrnlpa.exe
2014-03-04 09:20:11    3914176    ----a-w-    C:\Windows\SysWow64\ntoskrnl.exe
2014-03-04 09:16:54    25600    ----a-w-    C:\Windows\SysWow64\setup16.exe
2014-03-04 09:16:18    5120    ----a-w-    C:\Windows\SysWow64\wow32.dll
2014-03-04 09:16:18    274944    ----a-w-    C:\Windows\SysWow64\KernelBase.dll
2014-03-04 08:09:30    7680    ----a-w-    C:\Windows\SysWow64\instnm.exe
2014-03-04 08:09:29    2048    ----a-w-    C:\Windows\SysWow64\user.exe
.
============= FINISH: 18:45:18.83 ===============

 

------------------------------

A WindowsForum.com explanation about the pop-up is at the bottom:

 

Windowsforum Popup Explanation: 3-4-14

 

It sounds like the message is generated by a program that is being loaded at startup (it is not a Windows error). It is most likely either a corrupted program, a program that is not being shut down "gracefully" or that is failing to clean up loose ends before closing, or the result of malware. Just to be safe, do a malware scan.

If the problem happens at boot time but not every time it means that whatever is failing is not starting in the same state or condition every time. That would point to some type of information or configuration file that is read when the program is loaded and that either is sometimes not being saved correctly, or is sometimes being saved with a value that gives the program indigestion. The latter case would point to a corrupted program or one with a software bug.

Failing to properly save the file could be several things. It can happen when the program does not close "gracefully", such as your shutting off the computer using the power button instead of closing Windows, or the computer losing power and it is not on a functioning UPS. Or, it can be a corrupted program or software bug.

If the problem is not malware or improper shutdown and it appears at random and not very often, it will be difficult to identify. The process will require time and patience. You can't use Safe mode for a problem like this because in Safe mode, you can't do most of the business for which you have the computer. You can follow a process of doing random stuff that is fast to do on the off chance that you will fix it. For example, reinstall any software that you loaded around the time the problem started (or uninstall it and wait and see if the problem goes away). Make educated guesses about likely and unlikely programs, disable the likely programs in the automated startup, and wait and see if the problem goes away.

It gets more tedious from there. You can try to identify "programs of interest" by searching for files created close to the time you last shut down, look at those that appear to be configuration files or internal-use data files, find what program they are associated with, and if that program is automatically loaded at startup, it is a candidate.

Attached File: Attach.txt (8.84KB)

If you need a way to rank the suspects to limit time wasted on the least likely, I would include in the least-likely list programs from Microsoft and applications that include the words Control Panel. I would also save for last programs with a long history of good behavior (e.g., stuff from manufacturers like Adobe Systems or Oracle Corporation). You can do a one-step group elimination by disabling any programs that are not critical to the operation of your computer, like download accelerators and helpful gadgets.

One more tool I can readily think of--some programs can be loaded manually by double clicking on the .exe file or a shortcut to it. When these programs are included in the automated startup, they are sometimes loaded with a configuration or data file specified in the command or "arguments" that control features or behavior. If the program can be run without these, it is a candidate to check. If it is not something important to load when the computer boots, like a virus checker or firewall, unselect it in the automated startup (run MSCONFIG.EXE from the Start window; in the General tab, choose Selective Startup; in the Startup tab, unselect the program; and click OK; the change will take effect the next time you bootup). Run the program after bootup or when you need it using a shortcut.

Disable all non-critical programs in the automated startup and all suspect programs and wait for the problem to recur. If it doesn't after a period longer than the previous error frequency, it is a sign (but not proof) that one of the disabled programs is the culprit. Then start re-enabling the programs one at a time or in groups and wait again. Repeat the process until you identify the problem program. Recognize that it is possible to waste a lot of time if you conclude that the problem program is in your list and it really isn't; it is another program that just hasn't messed up again, yet. The only way to really know is to load the program manually and immediately produce the error.





#2 Noviciate
  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 01 June 2014 - 02:01 PM

Good evening. :)

1) Did you by any chance have Kaspersky anti-virus installed?

 

2) Trend Micro looks to have added itself to the Master Boot Record, so you will need to reset that to remove it from the boot menu. If you have the Windows installation disk see here.

 

3) If you had asked six months ago I would have said run System Restore to see if that resolves the issue - that's now not an option, sadly. What are you trying to do/run that triggers the pop-up?


So long, and thanks for all the fish.

 

 


#3 mred27
  • Topic Starter
  • Members
  • 56 posts
  • Gender:Male

Posted 01 June 2014 - 07:17 PM

Responses in Bold Print. Thanks!

Good evening. :)

Good Evening! Thanks in advance for your assistance!

1) Did you by any chance have Kaspersky anti-virus installed?

Think my son did at one time but when I got this laptop from him, I did a fresh reinstall.

 

2) Trend Micro looks to have added itself to the Master Boot Record, so you will need to reset that to remove it from the boot menu. If you have the Windows installation disk see here.

This Sony didn't come with installation disks. The DVD-RW won't write or recognize disks so I can't make a recovery disk presently.

 

3) If you had asked six months ago I would have said run System Restore to see if that resolves the issue - that's now not an option, sadly. What are you trying to do/run that triggers the pop-up?

I ran SR several times back then. It pops up after booting (the most) like a program is trying to start but can't. It will pop up at other times on occasion also.

 

I was sent over here for a possible trojan under that Trolltech registry key.  Figured the other issues might be related which was why I thought to mention them.  ESET scan showed trojans in software cracks but most had been quarantined by AVAST free version since I had not cleared the Quarantine box. I ran a full AVAST scan and Malware Bytes Pro Friday night/Sat and nothing came up.

 

Here is the initial thread before I was sent here. Did some scans there. Thx.

http://www.bleepingcomputer.com/forums/t/535869/obsolete-software-key-trolltech-keeps-coming-back/



#4 Noviciate
  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 02 June 2014 - 12:31 PM

Good evening. :)

I'll sum up how I see things at the minute. The ESET scan highlighted certain files that could have installed a backdoor on your system, as boopme told you. If you ran any of the cracks my advice would be to wipe the PC as there is no way of knowing exactly what may have been done to the PC as whoever was on the other end of this software would be able to do whatever they liked - install more malicious software or make security setting changes leaving your PC open to further infection.

Although you were given the choice as to how to proceed, the simple fact is that there are limited guarantees with this sort of situation and nothing that can be done to ensure a clean PC at the end of it apart from wiping the hard drive and starting over.

 

It's a little bit like losing your house keys. As long as nobody finds them who knows which house they belong to, there is no risk, but maybe somebody will see you drop them, pick them up and follow you home. Whether you want to go to the expense of changing the locks or not, the risk remains the same. Not wanting to change the locks doesn't make it less likely that somebody will gain access to your house - the risk is what it is and the only way to negate that risk is to change the locks.

 

You may consider this defeatist, but it's just how it is. Not wanting to do something is different to it not being necessary or wise to do it.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

The fact that you are manually deleting the registry key and it is being recreated tells me that something is doing it - that should tell you that I'm good at this sort of thing! :hysterical: It doesn't tell me what is recreating it and whether or not it is malicious.

 

I figure we'll look at the key in more detail and see if we can see if there are more entries and if they match known legitimate ones. This sadly doesn't guarantee that the entries are legitimate as malicious software would seek to mimic legitimate entries to avoid detection, but if the entries don't match any known legitimate ones we have a good pointer to them being naughty.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

I am guessing that you ran the Sony Factory Restore option to reset your PC. That would not only reset Windows but also reinstall any bundled software that Sony chose to include with your PC. That may account for the registry key in question being present at this time. If it were present after reinstalling using a Windows disk and it wasn't a known Microsoft entry you could be sure that there was something more going on.

I'm not convinced that yettibe is right about the registry key being a sign of advanced malware, but s/he could be - new malware is being created all the time. If it has infected the BIOS then you are going to be stuck with it unless you can successfully flash the BIOS to remove the malicious code, and that may not be as easy as you would like.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

Download RegScanner by NirSoft from here and save it to your Desktop.
You'll need to extract the files to continue.

Double click RegScanner.exe to begin.

  • Enter the following text into the Find String textbox and then click OK to start the scan:

    trolltech
     
  • Once complete the second window will show the results.
  • I want you to hold SHIFT down and then left click the top and bottom results to select them all.
  • Right click and select Copy selected Items
  • Open Notepad and paste the results of the scan into it.
  • Once done, drop the Notepad file into a compressed folder and attach it in your next reply.

 

 



 

 


#5 mred27
  • Topic Starter
  • Members
  • 56 posts
  • Gender:Male

Posted 02 June 2014 - 04:33 PM

Response in Bold. Thx.

Good evening. :)

I'll sum up how I see things at the minute. The ESET scan highlighted certain files that could have installed a backdoor on your system, as boopme told you.

It's possible although those files were scanned before and after downloading and most were not used. Since ESET stated they were all a "variant of the Themida trojan", I emailed the company

FYI….

Response from Oreans Technologies, the registered trademark holder of “themida” which was deemed a Trojan variant by ESET.

 

See this from their website:

http://www.oreans.com/themida.php

 

My Email:

I was told by a security expert that "Themida" was a trojan yet you have the word registered as a trademark.

Can you comment on this Threat Expert Site post?
Thanks!
http://www.threatexpert.com/report.aspx?md5=ebfe28c965606d4cd6680d297dc31fa6

What's been found       Severity Level
Is protected with Themida in order to prevent the sample from being reverse-engineered. Themida protection can potentially be used by a threat to complicate the manual threat analysis (e.g. the sample would not run under the Virtual Machine).
Creates a startup registry entry.
Contains characteristics of an identified security risk.

 

Response from Oreans Technologies:

 

Some antiviruses (with a bad heuristic engine) report as false positives almost all files that are packed/compressed using any freeware or commercial software protection.

 

Fortunately, the IEEE, antivirus companies and software protector vendors have created a standard to avoid that scenario in applications protected by trusted customers. It's called the Taggant System:

 

http://en.wikipedia.org/wiki/Software_taggant

 

http://standards.ieee.org/news/2011/icsg_software.html

 

We hope that the Taggant System will be fully working (from antiviruses side and software protectors side) very soon, so that problem with false positives is solved for good.

 

Thanks,

Rafael

 

....so they may or may not be trojans it appears....they could be false positives but as you state there is no way of knowing.

 

If you ran any of the cracks my advice would be to wipe the PC as there is no way of knowing exactly what may have been done to the PC as whoever was on the other end of this software would be able to do whatever they liked - install more malicious software or make security setting changes leaving your PC open to further infection.

Although you were given the choice as to how to proceed, the simple fact is that there are limited guarantees with this sort of situation and nothing that can be done to ensure a clean PC at the end of it apart from wiping the hard drive and starting over.

 

My AV wouldn't start back in February so the guy at windowsbbs.com went through malware troubleshooting. Ran ESET back on 2-28-14 and it deleted those rogue files supposedly and haven't downloaded or used any since. The ones found last week were mostly in the AVAST quarantine but hadn't been deleted. He declared this machine as clean after troubleshooting. He didn't know about the trend micro boot issue. Here is the thread:

 

http://www.windowsbbs.com/malware-virus-removal/107145-resolved-anti-virus-wont-start.html

 

I understand your position of not wanting to bother with cleaning a PC when there is no guarantee it is clean.

 

It's a little bit like losing your house keys. As long as nobody finds them who knows which house they belong to, there is no risk, but maybe somebody will see you drop them, pick them up and follow you home. Whether you want to go to the expense of changing the locks or not, the risk remains the same. Not wanting to change the locks doesn't make it less likely that somebody will gain access to your house - the risk is what it is and the only way to negate that risk is to change the locks.

 

Good analogy!

 

You may consider this defeatist, but it's just how it is. Not wanting to do something is different to it not being necessary or wise to do it.

 

No don't think it's defeatist. Smart approach actually.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

The fact that you are manually deleting the registry key and it is being recreated tells me that something is doing it - that should tell you that I'm good at this sort of thing! :hysterical: It doesn't tell me what is recreating it and whether or not it is malicious.

 

Actually I manually deleted the reg key once through CCleaner but noticed how it kept coming back after boot.

 

I figure we'll look at the key in more detail and see if we can see if there are more entries and if they match known legitimate ones. This sadly doesn't guarantee that the entries are legitimate as malicious software would seek to mimic legitimate entries to avoid detection, but if the entries don't match any known legitimate ones we have a good pointer to them being naughty.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

I am guessing that you ran the Sony Factory Restore option to reset your PC. That would not only reset Windows but also reinstall any bundled software that Sony chose to include with your PC. That may account for the registry key in question being present at this time. If it were present after reinstalling using a Windows disk and it wasn't a known Microsoft entry you could be sure that there was something more going on.

I'm not convinced that yettibe is right about the registry key being a sign of advanced malware, but s/he could be - new malware is being created all the time. If it has infected the BIOS then you are going to be stuck with it unless you can successfully flash the BIOS to remove the malicious code, and that may not be as easy as you would like.

 

Probably 'cause some of my kids' malware files were still present from toolbars etc. It was loaded with viruses. Sony didn't give us the original install disks as the files are stored on a separate partition. I'll run the other items and be back. Thx.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

Download RegScanner by NirSoft from here and save it to your Desktop.
You'll need to extract the files to continue.

Double click RegScanner.exe to begin.

  • Enter the following text into the Find String textbox and then click OK to start the scan:

    trolltech
     
  • Once complete the second window will show the results.
  • I want you to hold SHIFT down and then left click the top and bottom results to select them all.
  • Right click and select Copy selected Items
  • Open Notepad and paste the results of the scan into it.
  • Once done, drop the Notepad file into a compressed folder and attach it in your next reply.

 

 



#6 mred27
  • Topic Starter
  • Members
  • 56 posts
  • Gender:Male

Posted 02 June 2014 - 04:43 PM

Regscanner attached. Thx.

Attached File: Reg Scanner.zip (11.19KB)



#7 Noviciate
  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 02 June 2014 - 06:24 PM

Manually removing something means deleting it yourself as opposed to running an application such as CCleaner which would remove it for you - automatically as it were. When you ran CCleaner and instructed it to remove the item in question, did you run it again before rebooting to see if it had actually been removed?



 

 


#8 mred27
  • Topic Starter
  • Members
  • 56 posts
  • Gender:Male

Posted 02 June 2014 - 07:22 PM

"Actually I manually deleted the reg key once through CCleaner but noticed how it kept coming back after boot."

 

To clarify this... CCleaner showed the key. I clicked "Find In Registry" or something like that and manually deleted it out of the registry after letting CCleaner delete it automatically.

 

Yes, I did check to see it was deleted then rebooted and checked to see it was back again and showing in CCleaner.



#9 Noviciate
  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 03 June 2014 - 11:14 AM

Good evening. :)

The key shows up as related to MalwareBytes Anti-Malware Pro, and as such I would say that it is legitimate. If you want to double-check, uninstall MBAM and then see if you can remove the key in question.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

Without a disk to enable you to fix the Trend Micro boot issue/recover from any failure to correctly fix it I'd say that you would be better off leaving that alone.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

As to the pop-up, that may be a difficult one to solve, as the forum quote you posted tells you. If you can identify any application that you are trying to run/activity you are involved in when it occurs that would be helpful - opening a file, surfing the net, watching a video, anything at all.



 

 


#10 Noviciate
  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 03 June 2014 - 02:46 PM

Press and hold the "Windows" key (near the bottom left of the keyboard) and tap the R key - a "run" box should appear in the bottom left hand of the screen.
Copy and paste the following into that and hit <ENTER>:
cmd
In the Command Window that should open, Copy and Paste the following:
bcdedit /v >> "%userprofile%\desktop\output1.txt"

Please let me have the contents of the text file output1.txt that you should find on your Desktop in your next reply.
 

I am interested in the Trend Micro issue and a little more information may be of use.


Edited by Noviciate, 03 June 2014 - 02:52 PM.

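The bcdedit dump requested in the post above is normally read by eye. As an added example, not code from this thread or from any tool it mentions, the Python script below parses text in the shape of `bcdedit /v` output and flags boot entries whose loader path is not one Windows installs itself, which is the kind of entry a third-party boot-time scanner leaves in the boot menu. The sample output, its identifiers, the third entry and its path `\Tools\cleanboot.bin` are constructed for the example, and the list of standard loader paths is an assumption of the script, not something the thread states.

```python
"""Parse text shaped like `bcdedit /v` output and flag boot entries whose loader
path is not a standard Windows one (added example, not from the thread)."""
import re
from typing import Dict, List

# Loader paths that Windows itself writes into the BCD. This set is an assumption
# of the example; any other `path` value is reported for a manual look.
STANDARD_LOADER_PATHS = {
    r"\windows\system32\winload.exe",
    r"\windows\system32\winload.efi",
    r"\windows\system32\winresume.exe",
    r"\windows\system32\winresume.efi",
    r"\boot\memtest.exe",
    r"\efi\microsoft\boot\memtest.efi",
    r"\efi\microsoft\boot\bootmgfw.efi",
}

# Constructed sample in the layout of `bcdedit /v`: the loader identifiers, the
# third entry and its path are made up and do not describe any real product.
SAMPLE_BCDEDIT_OUTPUT = r"""
Windows Boot Manager
--------------------
identifier              {9dea862c-5cdd-4e70-acc1-f32b344d4795}
device                  partition=\Device\HarddiskVolume1
description             Windows Boot Manager
locale                  en-US
default                 {11111111-2222-3333-4444-555555555555}
displayorder            {11111111-2222-3333-4444-555555555555}
                        {66666666-7777-8888-9999-aaaaaaaaaaaa}
timeout                 30

Windows Boot Loader
-------------------
identifier              {11111111-2222-3333-4444-555555555555}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 7
locale                  en-US
osdevice                partition=C:
systemroot              \Windows

Real-mode Boot Sector
---------------------
identifier              {66666666-7777-8888-9999-aaaaaaaaaaaa}
device                  partition=C:
path                    \Tools\cleanboot.bin
description             Vendor Clean Boot (constructed)
"""


def parse_bcdedit(text: str) -> List[Dict[str, object]]:
    """Split bcdedit output into one dict per entry.

    Each entry block is a title line, a dashed underline, then `key  value`
    lines. Indented lines (e.g. extra displayorder GUIDs) continue the
    previous key and are collected into a list.
    """
    entries: List[Dict[str, object]] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if len(lines) < 2 or not lines[1].startswith("-"):
            continue  # not an entry block (e.g. stray text)
        entry: Dict[str, object] = {"type": lines[0].strip()}
        last_key = None
        for line in lines[2:]:
            if line[:1].isspace():
                if last_key is not None:
                    prev = entry[last_key]
                    values = prev if isinstance(prev, list) else [prev]
                    entry[last_key] = values + [line.strip()]
                continue
            key, _, value = line.partition(" ")
            entry[key.strip()] = value.strip()
            last_key = key.strip()
        entries.append(entry)
    return entries


def find_nonstandard_entries(entries: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return entries whose `path` is set but is not a standard Windows loader."""
    flagged = []
    for entry in entries:
        path = str(entry.get("path", "")).lower()
        if path and path not in STANDARD_LOADER_PATHS:
            flagged.append(entry)
    return flagged


def summarize(entries: List[Dict[str, object]]) -> List[str]:
    """One human-readable line per entry: type, description and loader path."""
    return [
        f"{e['type']}: {e.get('description', '?')} -> {e.get('path', '(no path)')}"
        for e in entries
    ]


if __name__ == "__main__":
    # To check a real machine, pass the contents of output1.txt instead of the sample.
    parsed = parse_bcdedit(SAMPLE_BCDEDIT_OUTPUT)
    for line in summarize(parsed):
        print(line)
    for e in find_nonstandard_entries(parsed):
        print("non-standard loader path:", e["description"], e["path"])
```

On the sample the script lists three entries and flags only the constructed "Vendor Clean Boot" one; the Windows Boot Manager entry has no `path` on a BIOS system and is skipped, and the Windows Boot Loader entry matches `winload.exe`. Reading the real `output1.txt` the same way gives a quick list of which menu entries are Microsoft's and which were added by something else, without having to recognise GUIDs by eye.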

 

 


#11 mred27
  • Topic Starter
  • Members
  • 56 posts
  • Gender:Male

Posted 03 June 2014 - 06:09 PM

Comments in bold. Thanks.

Good evening. :)

The key shows up as related to MalwareBytes Anti-Malware Pro, and as such I would say that it is legitimate. If you want to double-check, uninstall MBAM and then see if you can remove the key in question.

Ran CCleaner and it deleted the trolltech key. Rebooted and key was back. Uninstalled MBAM Pro, rebooted and key was gone. Ran CCleaner again and key still gone.

Installed MBAM from older .exe I had on machine (6-13-13) and key was still gone.

Rebooted and ran CCleaner and no trolltech key. Then updated to latest version of MBAM Pro and before I rebooted, AVAST Free Version flagged MBAM as a rootkit to delete so I did and had a forced restart to clear the files. (See screenshots attached)

AVAST scanned at next reboot for about 45 minutes so I dumped it. Upon full boot, the trolltech key was back.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

Without a disk to enable you to fix the Trend Micro boot issue/recover from any failure to correctly fix it I'd say that you would be better off leaving that alone.

Okay

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Tried to upload the screenshots but it errored, showing the files were too big even in a compressed folder. Then I cropped the screenshots to 183kb and 333kb and tried to upload them again individually but it STILL says they are too large. What is the file size limitation for attachments on here please?

Now the bold function doesn't work here. Hmmm....

--------------------------------------------------------------------------------------------

As to the pop-up, that may be a difficult one to solve, as the forum quote you posted tells you. If you can identify any application that you are trying to run/activity you are involved in when it occurs that would be helpful - opening a file, surfing the net, watching a video, anything at all.

It popped up again after I copied and pasted your advice into a word doc if that helps.

 



#12 mred27
  • Topic Starter
  • Members
  • 56 posts
  • Gender:Male

Posted 03 June 2014 - 06:16 PM

Okay, here are those screenshots from post 11 as I see they can only be 80 kb so I uploaded the downsized one of 67 kb but couldn't add the next one. Will in next post. Thx.




#13 mred27
  • Topic Starter
  • Members
  • 56 posts
  • Gender:Male

Posted 03 June 2014 - 06:26 PM

Tried the second screenshot which was 58kb but says it is still too big. Tried it twice.

RE: your next post...

Press and hold the "Windows" key (near the bottom left of the keyboard) and tap the R key - a "run" box should appear in the bottom left hand of the screen.
Copy and paste the following into that and hit <ENTER>:
cmd
In the Command Window that should open, Copy and Paste the following:
bcdedit >> "%userprofile%\desktop\output1.txt"

Copied the key and nothing happened. See screenshot. Have a screenshot of that also.

Please let me have the contents of the text file output1.txt that you should find on your Desktop in your next reply.
I am interested in the Trend Micro issue and a little more information may be of use.

 

Tried to upload a screenshot of this one too but too large again at only 34 KB. This system seems screwy 'cause at the bottom where it says the other two attempts were too big then after this last attempt it says, "You can upload up to 13.24KB of files (Max. single file size: 13.24KB)"

 

Aggravating it is...

 

 

 



#14 Noviciate
  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 04 June 2014 - 09:53 AM

Good evening. :)

When you pasted the text into the Command Window did you hit <ENTER> afterwards? If you didn't, you need to.



 

 


#15 mred27
  • Topic Starter
  • Members
  • 56 posts
  • Gender:Male

Posted 05 June 2014 - 04:19 AM

Good evening. :)

When you pasted the text into the Command Window did you hit <ENTER> afterwards? If you didn't, you need to.

Yes, I did. Thx. Tried it again but no go.

 

'Twas thinking that, as you eloquently stated, I will need to wipe this drive and reinstall with the original disks; it is wasting your time and genius on kind of a "moot" point when your troubleshooting expertise can be better utilized elsewhere. The issues will hopefully be gone after the reinstall anyway. Feel free to close this thread. If the issues return after the reinstall, I can come back. BTW...ran full ESET and nothing came up but as you stated "There is no guarantee".

 

Really appreciate all your help though! Thanks a bunch. Cya!





