View Full Version : coin-miner.exe
Help please. I appear to have the trojan coin-miner running on my computer. It appears in Task Manager with a description of Comodo Dragon. I cannot successfully end the process in Task Manager under normal conditions.
My computer is 64bit and running Windows 7.
I can get coin-miner to stop running by disconnecting my internet connection. I do this by unplugging my computer from my router. The computer then appears to run normally.
The effect on the computer is to slow it down and make the mouse operation rather jerky. When the computer is shut down there is a Application Error on Shutdown message specifying coin-miner.exe. I also deleted the folder and file users\Ian\appdata\roaming\oIvhz4z\qcih1Ij.exe (not sure of correct cases) which I think came up as an error message on startup.
I have backed up the registry using ERUNT. I have run awsMBR and will attempt to include the log file below. I cannot get DDS to run successfully, not even with the internet disconnected. I get a message saying that it is running in the background and will place the log files on the desktop. The message disappears after a few seconds but no log files are created. Can't find them even if I do a search.
Hope you are able to help.
Thanks, Ian McDonald
aswMBR.txt:
aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2013-04-29 11:51:04
-----------------------------
11:51:04.036 OS Version: Windows x64 6.1.7601 Service Pack 1
11:51:04.036 Number of processors: 4 586 0x1001
11:51:04.037 ComputerName: IAN-HP UserName: Ian
11:51:04.076 Initialze error 1
11:56:44.520 AVAST engine defs: 13042801
11:57:14.113 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000005b
11:57:14.115 Disk 0 Vendor: Hitachi_ JP4O Size: 953869MB BusType: 11
11:57:14.146 Disk 0 MBR read successfully
11:57:14.148 Disk 0 MBR scan
11:57:14.154 Disk 0 unknown MBR code
11:57:14.156 Disk 0 Partition 1 00 EE GPT 2097151 MB offset 1
11:57:14.163 Disk 0 scanning C:\windows\system32\drivers
11:57:14.166 Service scanning
11:57:14.703 Modules scanning
11:57:14.705 Disk 0 trace - called modules:
11:57:14.709 ntoskrnl.exe CLASSPNP.SYS disk.sys amd_xata.sys storport.sys hal.dll amd_sata.sys
11:57:14.713 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8008212060]
11:57:14.716 3 CLASSPNP.SYS[fffff880019b743f] -> nt!IofCallDriver -> [0xfffffa80073e3ac0]
11:57:14.721 5 amd_xata.sys[fffff88001140d00] -> nt!IofCallDriver -> \Device\0000005b[0xfffffa80073e0540]
11:57:14.802 AVAST engine scan C:\windows
11:57:14.806 AVAST engine scan C:\windows\system32
11:57:14.810 AVAST engine scan C:\windows\system32\drivers
11:57:15.148 AVAST engine scan C:\Users\Ian
11:57:15.152 AVAST engine scan C:\ProgramData
11:57:15.838 Scan finished successfully
11:57:45.040 Disk 0 MBR has been saved successfully to "C:\Users\Ian\Desktop\MBR.dat"
11:57:45.046 The log file has been saved successfully to "C:\Users\Ian\Desktop\aswMBR.txt"
I have been doing some digging while waiting for your reply. There seems to be some tie up between coin-miner.exe and mineamillion.exe.
Both files are in the same directory and both have a file date 3 days apart. Both files are shown as processes in Task Manager. I can remove coin-miner.exe from the process list by first ending mineamillion.exe and then ending coin-miner. I then reconnect my internet and the computer appears to run normally.
By using Sbybot to untick mineamillion.exe from the start up list I can get the computer to boot up with neither file appearing in the Task Manager and the computer appears to run normally after I reconnect the internet.
Thanks
shelf life
2013-05-05, 17:27
hi Ianola,
If you still need help simply reply back.
Yes please, still need help.
Further to my previous post re coin-miner.exe and mineamillion.exe which both appeared in a directory ...Roaming\mining\ I now have appearing in a ...Roaming\minings\ directory two other files mining.exe and SluiAgree.exe which exhibit the same characteristics as coin-miner.exe and mineamillion.exe.
Thanks.
shelf life
2013-05-08, 04:12
Ok to start get a copy of Malwarebytes and run it. If you already have it we will do something else:
Please download the free version of Malwarebytes (http://www.malwarebytes.org/products/) to your desktop.
Double-click mbam-setup.exe and follow the prompts to install the program.
Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click *Remove Selected.*
*A restart of your computer may be required to remove some items. If prompted please restart your computer to complete the fix.*
When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Post the log in your reply.
NOTE: The free version must be updated manually.
I cannot get Malwarebytes to install and run. During installation I get a message saying that /rules.ref is corrupted. If I ignore it the programme wont run from the desktop icon. The error message says create process failed code2 unable to access file ....mbam.exe If I locate the file using explorer and try to run it I get a similar message. I have tried uninstalling the programme and reinstalling it but get the same result.
What next?
shelf life
2013-05-09, 03:48
We will get another download to use. Its called Roguekiller;
Download:
http://www.sur-la-toile.com/RogueKiller/RogueKiller.exe
To your desktop. Double click to start
For Vista or W7, right-click and select run as Admin
A Prescan will start automatically. When its done click the scan button.
Once the scan is done a report.txt will be on your desktop.
Exit Rougekiller by going to File>Quit.
copy/paste the RKreport[1] saved to your DeskTop in your reply.
Got this one to work, log below.
Thanks
RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Ian [Admin rights]
Mode : Scan -- Date : 05/09/2013 12:07:54
| ARK || FAK || MBR |
¤¤¤ Bad processes : 0 ¤¤¤
¤¤¤ Registry Entries : 12 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : Olympus DSS (C:\ProgramData\AppleDev0\hemxccape.exe) [-] -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-2542283634-4230272488-366954266-1000[...]\Run : Olympus DSS (C:\ProgramData\AppleDev0\hemxccape.exe) [-] -> FOUND
[RUN][SUSP PATH] HKLM\[...]\Wow6432Node\Run : Olympus DSS (C:\ProgramData\AppleDev0\hemxccape.exe) [-] -> FOUND
[TASK][SUSP PATH] Windows Update Check - 0x0D1402B8 : C:\ProgramData\AppleDev0\hemxccape.exe /task [-] -> FOUND
[IFEO] HKLM\[...]\hijackthis.exe : Debugger (ztjte_.exe) -> FOUND
[IFEO] HKLM\[...]\housecalllauncher.exe : Debugger (snmsv_.exe) -> FOUND
[IFEO] HKLM\[...]\mbam.exe : Debugger (lbzn_.exe) -> FOUND
[IFEO] HKLM\[...]\mbamgui.exe : Debugger (zpye_.exe) -> FOUND
[IFEO] HKLM\[...]\rstrui.exe : Debugger (hwxte_.exe) -> FOUND
[IFEO] HKLM\[...]\spybotsd.exe : Debugger (sqznf_.exe) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver : [NOT LOADED] ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
--> C:\windows\system32\drivers\etc\hosts
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: Hitachi HDS721010CLA630 SATA Disk Device +++++
--- User ---
[MBR] 7ea6776ce30ed65c89245604c4cf65de
[BSP] 2ad7cfb62b21220d239f28779ec69b71 : Empty MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0xee) [VISIBLE] Offset (sectors): 1 | Size: 2097151 Mo
User = LL1 ... OK!
User = LL2 ... OK!
+++++ PhysicalDrive1: USB Disk +++++
Error reading User MBR!
User = LL1 ... OK!
Error reading LL2 MBR!
Finished : << RKreport[1]_S_05092013_02d1207.txt >>
RKreport[1]_S_05092013_02d1207.txt
shelf life
2013-05-09, 23:20
ok. Good. Now run Roguekiller again like you did before and after the prescan is finished this time click on the delete button to remove the items under the Registry tab that you posted below. Machine will reboot. After a restart try running Malwarebytes after checking for updates first.
Ran Rougekiller ok and got Malwarebytes to run and update ok. Had to do a scan after the prescan to populate the Registry tab and a manual restart.
Ran Malwarebytes as per your original post. Log below.
I am still starting/restarting computer with the internet disconnected at my router. I also have files ....Roaming\mining\mineamillion.exe and ....Roaming\Minings\Mining.exe unticked in autorun tab in Spybot tools.
Thanks
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
Database version: v2013.05.09.07
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16540
Ian :: IAN-HP [administrator]
10/05/2013 9:50:24 AM
mbam-log-2013-05-10 (09-50-24).txt
Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 397578
Time elapsed: 48 minute(s), 41 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 7
HKCU\Software\VB and VBA Program Settings\SrvID (Malware.Trace) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\housecalllauncher.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe (Security.Hijack) -> Quarantined and deleted successfully.
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 4
C:\$RECYCLE.BIN\S-1-5-21-2542283634-4230272488-366954266-1000\$RZDGN5I.exe (Trojan.Inject) -> Quarantined and deleted successfully.
C:\Users\Ian\AppData\Roaming\Mining\coin-miner.exe (Trojan.BitMiner) -> Quarantined and deleted successfully.
C:\Users\Ian\AppData\Roaming\Minings\SluiAgree.exe (Trojan.BCMiner) -> Quarantined and deleted successfully.
C:\Users\Ian\AppData\Roaming\local.exe (Trojan.Agent) -> Quarantined and deleted successfully.
(end)
shelf life
2013-05-11, 02:26
ok. Good. We will get one more download to use. Its called Combofix. There is a guide to read first which will explain how to download, save and start it. Read through the guide then apply the directions on your own machine. Post the Combofix log in your reply.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Big Big problem. Am sending this post from another computer.
Ran Combofix as per instructions. During process computer was rebooted and then log file created. Now no programmes will run. Get error message "Illegal operation attempted on a registary key that has been marked for deletion". Some system type programms will run including Control Panel. Checked for restore points and am informed that none exist. After computer rebooteded as previously mentioned a quick defrag programme ran which is normal for the computer. This programme runs before the log in is requested. I have obtained the Combofix log file via a network connection and have attached it below.
Help please. Thanks.
ComboFix 13-05-10.03 - Ian 11/05/2013 11:48:17.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.61.1033.18.8119.5668 [GMT 10:00]
Running from: c:\users\Ian\Desktop\ComboFix.exe
AV: Total Defense Anti-Virus *Enabled/Updated* {57B5C44D-AAB5-DBC9-741B-542BE5A132EA}
SP: Total Defense Anti-Virus *Enabled/Updated* {ECD425A9-8C8F-D447-4EAB-6F599E267857}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\AppleDev0\hemxccape.exe
c:\programdata\AppleDev0 . . . . Failed to delete
.
.
((((((((((((((((((((((((( Files Created from 2013-04-11 to 2013-05-11 )))))))))))))))))))))))))))))))
.
.
2013-05-11 02:01 . 2013-05-11 02:01 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-05-11 01:55 . 2013-05-11 02:04 -------- d-sh--w- c:\programdata\AppleDev0
2013-05-11 01:41 . 2013-05-11 01:41 16712 ----a-w- c:\windows\system32\drivers\PROCEXP113.SYS
2013-05-09 23:46 . 2013-05-09 23:46 -------- d-----w- c:\users\Ian\AppData\Roaming\Malwarebytes
2013-05-09 23:22 . 2013-05-09 23:22 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2013-05-09 23:22 . 2013-04-04 04:50 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-05-08 02:30 . 2013-05-08 02:30 -------- d-----w- c:\programdata\Malwarebytes
2013-04-29 01:32 . 2013-04-29 01:32 -------- d-----w- c:\program files (x86)\ERUNT
2013-04-27 12:13 . 2013-04-29 13:37 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2013-04-27 12:13 . 2009-01-25 02:14 17272 ----a-w- c:\windows\system32\sdnclean64.exe
2013-04-27 12:13 . 2013-04-27 12:13 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy 2
2013-04-27 12:11 . 2013-04-27 12:11 -------- d-----w- c:\users\Ian\AppData\Local\Programs
2013-04-27 08:33 . 2013-05-10 23:17 -------- d-----w- c:\users\Ian\AppData\Roaming\Mining
2013-04-25 12:33 . 2011-12-26 11:37 90608 ----a-w- c:\windows\system32\drivers\CLVirtualDrive.sys
2013-04-24 23:34 . 2013-04-24 23:34 -------- d-----w- c:\program files\WinRAR
2013-04-24 21:47 . 2013-04-27 08:45 -------- d-----w- c:\users\Ian\AppData\Roaming\.minecraft
2013-04-23 23:20 . 2013-04-12 14:45 1656680 ----a-w- c:\windows\system32\drivers\ntfs.sys
2013-04-23 13:05 . 2013-04-23 13:05 -------- d-----w- c:\program files (x86)\Common Files\Java
2013-04-23 13:05 . 2013-04-03 19:35 95648 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-04-23 13:03 . 2013-04-23 13:03 -------- d-----w- c:\programdata\McAfee
2013-04-13 07:18 . 2013-04-13 07:18 -------- d-----w- c:\program files (x86)\Common Files\Skype
2013-04-12 02:52 . 2013-04-12 02:52 -------- d-----w- c:\users\Ian\AppData\Local\Power2Go8
2013-04-12 01:52 . 2013-04-12 01:52 -------- d-----w- c:\program files (x86)\Common Files\CyberLink
2013-04-12 00:24 . 2013-04-12 00:24 26520 ----a-w- c:\program files (x86)\Mozilla Firefox\plugin-hang-ui.exe
2013-04-11 03:52 . 2013-01-24 06:01 223752 ----a-w- c:\windows\system32\drivers\fvevol.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-11 02:04 . 2011-03-29 01:36 22240 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2013-05-11 02:04 . 2013-01-14 12:15 15712 ----a-w- c:\windows\system32\drivers\SWDUMon.sys
2013-04-16 12:28 . 2012-06-19 03:42 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-04-16 12:28 . 2012-06-19 03:42 691592 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-04-11 03:54 . 2013-01-13 00:11 72702784 ----a-w- c:\windows\system32\MRT.exe
2013-03-31 08:32 . 2013-03-31 08:32 82600 ----a-w- c:\windows\system32\drivers\amd_sata.sys
2013-03-31 08:32 . 2013-03-31 08:32 42664 ----a-w- c:\windows\system32\drivers\amd_xata.sys
2013-03-23 01:18 . 2013-03-23 01:18 6202880 ----a-w- c:\windows\SysWow64\atiumdag.dll
2013-03-23 01:18 . 2013-03-23 01:18 5005824 ----a-w- c:\windows\SysWow64\atiumdva.dll
2013-03-23 01:18 . 2013-03-23 01:18 1960448 ----a-w- c:\windows\SysWow64\atiumdmv.dll
2013-03-23 01:18 . 2013-03-23 01:18 1053184 ----a-w- c:\windows\system32\atiumd6v.dll
2013-03-23 01:18 . 2012-04-25 16:31 41984 ----a-w- c:\windows\SysWow64\atiuxpag.dll
2013-03-23 01:18 . 2012-04-09 02:19 64000 ----a-w- c:\windows\system32\coinst.dll
2013-03-23 01:18 . 2012-04-09 01:56 4516352 ----a-w- c:\windows\system32\atiumd6a.dll
2013-03-23 01:18 . 2012-04-09 01:30 54784 ----a-w- c:\windows\system32\atiuxp64.dll
2013-03-23 01:18 . 2013-03-23 01:18 120320 ----a-w- c:\windows\system32\atitmm64.dll
2013-03-23 01:18 . 2012-04-25 16:31 32256 ----a-w- c:\windows\SysWow64\atiu9pag.dll
2013-03-23 01:18 . 2012-04-09 01:44 7431168 ----a-w- c:\windows\system32\atiumd64.dll
2013-03-23 01:18 . 2012-04-09 01:30 44544 ----a-w- c:\windows\system32\atiu9p64.dll
2013-03-23 01:18 . 2013-03-23 01:18 56832 ----a-w- c:\windows\SysWow64\atimpc32.dll
2013-03-23 01:18 . 2013-03-23 01:18 56832 ----a-w- c:\windows\SysWow64\amdpcom32.dll
2013-03-23 01:18 . 2013-03-23 01:18 56320 ----a-w- c:\windows\system32\atimpc64.dll
2013-03-23 01:18 . 2013-03-23 01:18 56320 ----a-w- c:\windows\system32\amdpcom64.dll
2013-03-23 01:18 . 2013-03-23 01:18 51200 ----a-w- c:\windows\system32\aticalrt64.dll
2013-03-23 01:18 . 2013-03-23 01:18 503296 ----a-w- c:\windows\system32\atieclxx.exe
2013-03-23 01:18 . 2013-03-23 01:18 46080 ----a-w- c:\windows\SysWow64\aticalrt.dll
2013-03-23 01:18 . 2013-03-23 01:18 44544 ----a-w- c:\windows\system32\aticalcl64.dll
2013-03-23 01:18 . 2013-03-23 01:18 442368 ----a-w- c:\windows\system32\ATIDEMGX.dll
2013-03-23 01:18 . 2013-03-23 01:18 44032 ----a-w- c:\windows\SysWow64\aticalcl.dll
2013-03-23 01:18 . 2013-03-23 01:18 41984 ----a-w- c:\windows\system32\atig6txx.dll
2013-03-23 01:18 . 2013-03-23 01:18 339456 ----a-w- c:\windows\system32\drivers\atikmpag.sys
2013-03-23 01:18 . 2013-03-23 01:18 33280 ----a-w- c:\windows\SysWow64\atigktxx.dll
2013-03-23 01:18 . 2013-03-23 01:18 26181632 ----a-w- c:\windows\system32\atio6axx.dll
2013-03-23 01:18 . 2013-03-23 01:18 236544 ----a-w- c:\windows\system32\atiesrxx.exe
2013-03-23 01:18 . 2013-03-23 01:18 21504 ----a-w- c:\windows\system32\atimuixx.dll
2013-03-23 01:18 . 2013-03-23 01:18 19753472 ----a-w- c:\windows\SysWow64\atioglxx.dll
2013-03-23 01:18 . 2013-03-23 01:18 17408 ----a-w- c:\windows\system32\atig6pxx.dll
2013-03-23 01:18 . 2013-03-23 01:18 16096768 ----a-w- c:\windows\system32\aticaldd64.dll
2013-03-23 01:18 . 2013-03-23 01:18 14848 ----a-w- c:\windows\SysWow64\atiglpxx.dll
2013-03-23 01:18 . 2013-03-23 01:18 14848 ----a-w- c:\windows\system32\atiglpxx.dll
2013-03-23 01:18 . 2013-03-23 01:18 13770752 ----a-w- c:\windows\SysWow64\aticaldd.dll
2013-03-23 01:18 . 2013-03-23 01:18 11172864 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2013-03-23 01:18 . 2013-03-23 01:18 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2013-03-23 01:18 . 2013-03-23 01:18 514560 ----a-w- c:\windows\system32\atiadlxx.dll
2013-03-23 01:18 . 2013-03-23 01:18 360448 ----a-w- c:\windows\SysWow64\atiadlxy.dll
2013-03-23 01:18 . 2013-03-23 01:18 159744 ----a-w- c:\windows\system32\atiapfxx.exe
2013-03-23 01:18 . 2012-04-25 17:56 909312 ----a-w- c:\windows\SysWow64\aticfx32.dll
2013-03-23 01:18 . 2012-04-25 17:47 6798848 ----a-w- c:\windows\SysWow64\atidxx32.dll
2013-03-23 01:18 . 2012-04-09 02:39 1067520 ----a-w- c:\windows\system32\aticfx64.dll
2013-03-23 01:18 . 2012-04-09 02:14 7476736 ----a-w- c:\windows\system32\atidxx64.dll
2013-03-19 06:04 . 2013-04-11 00:28 5550424 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-19 05:46 . 2013-04-11 00:28 43520 ----a-w- c:\windows\system32\csrsrv.dll
2013-03-19 05:04 . 2013-04-11 00:28 3968856 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2013-03-19 05:04 . 2013-04-11 00:28 3913560 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2013-03-19 04:47 . 2013-04-11 00:28 6656 ----a-w- c:\windows\SysWow64\apisetschema.dll
2013-03-19 03:06 . 2013-04-11 00:28 112640 ----a-w- c:\windows\system32\smss.exe
2013-03-12 22:53 . 2013-01-12 12:12 861088 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2013-03-12 22:53 . 2013-01-12 12:12 782240 ----a-w- c:\windows\SysWow64\deployJava1.dll
2013-03-01 03:36 . 2013-04-11 00:28 3153408 ----a-w- c:\windows\system32\win32k.sys
2013-02-12 05:45 . 2013-03-23 12:00 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll
2013-02-12 05:45 . 2013-03-23 12:00 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll
2013-02-12 05:45 . 2013-03-23 12:00 308736 ----a-w- c:\windows\apppatch\AppPatch64\AcGenral.dll
2013-02-12 05:45 . 2013-03-23 12:00 111104 ----a-w- c:\windows\apppatch\AppPatch64\acspecfc.dll
2013-02-12 04:48 . 2013-03-23 12:00 474112 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2013-02-12 04:48 . 2013-03-23 12:00 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll
2013-02-12 04:12 . 2013-03-20 22:43 19968 ----a-w- c:\windows\system32\drivers\usb8023.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress8"="c:\program files (x86)\CyberLink\Power2Go8\Power2GoExpress8.exe" [2013-03-05 1711168]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"CLVirtualDrive"="c:\program files (x86)\CyberLink\Power2Go8\VirtualDrive.exe" [2013-03-05 492096]
.
c:\users\Ian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files (x86)\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
OpenOffice.org 3.4.1.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2012-8-13 1199104]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\Hp\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoThumbnailCache"= 1 (0x1)
"TaskbarNoNotification"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2011-02-24 03:33 79368 ----a-w- c:\windows\System32\UmxWNP.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS\0\0sdnclean64.exe
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2012-09-27 86528]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2013-02-28 161384]
R3 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\7.1.362.0\SeaPort.exe [2012-02-14 240408]
R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 19456]
R3 SWDUMon;SWDUMon;c:\windows\system32\DRIVERS\SWDUMon.sys [2013-05-11 15712]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2012-08-23 57856]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2012-08-23 30208]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2013-01-13 1255736]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
S0 amd_sata;amd_sata;c:\windows\system32\drivers\amd_sata.sys [2013-03-31 82600]
S0 amd_xata;amd_xata;c:\windows\system32\drivers\amd_xata.sys [2013-03-31 42664]
S0 KmxAMRT;KmxAMRT;c:\windows\system32\DRIVERS\KmxAMRT.sys [2011-10-27 182352]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2008-06-15 55024]
S1 CLVirtualDrive;CLVirtualDrive;c:\windows\system32\DRIVERS\CLVirtualDrive.sys [2011-12-26 90608]
S1 KmxAgent;KmxAgent;c:\windows\system32\DRIVERS\kmxagent.sys [2011-10-26 113744]
S1 KmxCfg;KmxCfg;c:\windows\system32\DRIVERS\kmxcfg.sys [2011-09-06 365136]
S2 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files (x86)\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [2009-09-05 169312]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2013-03-23 236544]
S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2012-09-13 361984]
S2 AODDriver4.2.0;AODDriver4.2.0;c:\program files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [2012-04-08 57472]
S2 BBSvc;BingBar Service;c:\program files (x86)\Microsoft\BingBar\7.1.362.0\BBSvc.exe [2012-02-14 193816]
S2 CAAMSvc;CAAMSvc;c:\program files\Total Defense\Internet Security Suite\Anti-Virus\caamsvc.exe [2012-03-01 293704]
S2 CalendarSynchService;CalendarSynchService;c:\program files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\GCalService.exe [2011-08-16 16384]
S2 ccSchedulerSVC;CA Common Scheduler Service;c:\program files\Total Defense\Internet Security Suite\ccschedulersvc.exe [2012-08-18 288336]
S2 HPAuto;HP Auto;c:\program files\Hewlett-Packard\HP Auto\HPAuto.exe [2011-02-17 682040]
S2 NOBU;Norton Online Backup;c:\program files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe SERVICE [x]
S2 OODefragAgent;O&O Defrag;c:\program files\OO Software\Defrag\oodag.exe [2012-11-30 3293552]
S2 pdfcDispatcher;PDF Document Manager;c:\program files (x86)\PDF Complete\pdfsvc.exe [2012-04-04 1134584]
S2 RichVideo64;Cyberlink RichVideo64 Service(CRVS);c:\program files\CyberLink\Shared files\RichVideo64.exe [2012-12-21 390672]
S2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [2012-11-13 1103392]
S2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2012-11-13 1369624]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [2012-11-13 168384]
S2 UmxEngine;TM Engine;c:\program files\CA\SharedComponents\TMEngine\UmxEngine.exe [2011-04-04 920656]
S3 amdhub30;AMD USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\amdhub30.sys [2000-01-01 106664]
S3 amdxhc;AMD USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\amdxhc.sys [2000-01-01 226984]
S3 AmUStor;AM USB Stroage Driver;c:\windows\system32\drivers\AmUStor.SYS [2000-01-01 51712]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2000-01-01 96896]
S3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\DRIVERS\dc3d.sys [2000-01-01 75888]
S3 L1C;NDIS Miniport Driver for Atheros AR81xx PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys [2012-04-12 104048]
S3 Point64;Microsoft Mouse and Keyboard Center Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2000-01-01 50800]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [2000-01-01 57512]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2013-05-11 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-19 12:28]
.
2013-05-11 c:\windows\Tasks\DriverUpdate Startup.job
- c:\program files (x86)\DriverUpdate\DriverUpdate.exe [2012-12-03 02:57]
.
2013-05-11 c:\windows\Tasks\HP Photo Creations Communicator.job
- c:\programdata\HP Photo Creations\Communicator.exe [2011-11-18 10:11]
.
2013-05-11 c:\windows\Tasks\HPCeeScheduleForIan.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2011-07-15 11:43]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BeatsOSDApp"="c:\program files\IDT\WDM\beats64.exe" [2012-04-26 37888]
"HPSYSDRV"="c:\program files (x86)\Hewlett-Packard\HP Odometer\HPSYSDRV.EXE" [2008-11-20 62768]
"cctray"="c:\program files\Total Defense\Internet Security Suite\casc.exe" [2012-08-18 2711120]
"AmIcoSinglun64"="c:\program files (x86)\AmIcoSingLun\AmIcoSinglun64.exe" [2000-01-01 324096]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2012-04-24 1425408]
"OODefragTray"="c:\program files\OO Software\Defrag\oodtray.exe" [2012-11-30 4000112]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalService
FontCache
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Ian\AppData\Roaming\Mozilla\Firefox\Profiles\a7s0e0u1.default\
FF - ExtSQL: !HIDDEN! 2013-01-12 21:30; smartwebprinting@hp.com; c:\program files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-Olympus DSS - c:\programdata\AppleDev0\hemxccape.exe
Wow6432Node-HKLM-Run-NWEReboot - (no file)
Wow6432Node-HKLM-Run-Olympus DSS - c:\programdata\AppleDev0\hemxccape.exe
Notify-SDWinLogon - SDWinLogon.dll
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
HKLM_Wow6432Node-ActiveSetup-{438363A8-F486-4C37-834C-4955773CB3D3} - msiexec
AddRemove-{EE202411-2C26-49E8-9784-1BC1DBF7DE96} - c:\program files (x86)\InstallShield Installation Information\{EE202411-2C26-49E8-9784-1BC1DBF7DE96}\setup.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\pdfcDispatcher]
"ImagePath"="c:\program files (x86)\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2542283634-4230272488-366954266-1000_Classes\CLSID\{61B1A75C-BE76-5B4E-BBD7-B296509F128F}]
@Denied: (A 4) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG15.00.00.01PROFESSIONAL"="A7662F5BB48C24DCEE8CCACDC765F3AA482A0B8411667C9BF2059619FB183CC742327427C4A03AD53C409412A049D2E2CBA7781B75603048790E63CD9AE3392A3C5E9D38B77B235AD9AA486FA3CA0A81D3E43D6F6186992A655B00B820E7CA881195C8D3D6E4AC9FC4748C14E9BCBD33FEA6A6B15F58D77F16EE862FA6722C5582387797EF15C9F2BC796C8190E7BA36AEE7E9E9FDCAB01F3080F25E4EC3381C935A0D7251BA8E3049C9D409B906EF5F8AD49CEFCF4509EE98F924C2B912F1F80CC2D428D178B54B32AA19578BC56E94FBCFBCF2EB23EEECFCF860B01285FC1E79ED7B50C7E31EC70415EE672ECBEE52B0FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA9C6AECB7A5D1407FEBC9E127BECC74CA9C6AECB7A5D1407A9C6AECB7A5D140759CED4A8DF1FFD764BDB6C5C253B362EFEC26A1293609C80343EB5D457A593F36E87C6C1ED83D6421F6A73362EB6F28E12E4068027A5031EB8DCA5A9C75DBD283CDF0D49E3195FB7E1F7976E77E1CD16BF8B15954A33234BBED3F3AC5838FBACF4DBBA2F101792F8C5914FC5DC4C378955EE90820790089251A43EA2DCD68AE901E330E83357866FAEA9E1822B28B67455A847FDD6E94C3CADB3775020FD3B8DFAC627ED0456DE49B3186C6EA8CD69A4F4B85944AC8F20DA47C7E785DB967385B2B52B3CAD375877A216DFD689367D2B9D833E136975C8BEC40F288D442FAB082CC51CD4CCBFBEAEFC42808C7A01B55EECCEBEAC67B21E7F0098283FFDF5F10C1E702CBA74D9F5E8759E68E71AF1E959B448F9D871830C7908D9AAF09FC1E6CD7492E47629927262F51203BEFAED85F9797C60E0C749144B9F2A46FD390A41CD4E6E2396661C419C1A6712F2A4820863766138159F854857BC476547CA6DC850802992AA9ACD7E5DB2CCA9E1125C8378974D9AC61FE052C5895147AFC72CDADC114D3B47269FDDACC3D333F432CF21677E7A764D6329EF01E5CA7E9E1BA9E8BF3CC5F285DFB0235707736A9367539A9B028A8C02FC4BED39639E728021F0F90AF1E4658211C12C716886E12B0A813FC7AA7F73C5EEDDB3DF4818DDC3ABAD240FD4E1925D78BAE4CB084A7C2F649973E2364114F83117B8AD8FE7CE5D7E3117E63CD34E3BC823CF043BE2F394B6FD2DA6151BAD84B0D2871EE7A1A7C3537014EDB5B9414528AA83F289D4D3D3B1367911EEBC5051CC12C26EB3BE20F356846EC37EF266A82EA22BBD300C7F6CFDECF5E41CB8E24ED9F71DA30A1C436D2AA911CD0B478C946B8003C62056A95EB5705627AA089E6E9ECC6003B4F7EE3262C079B3835F58BE60DE5FB7FCE45CB0E8B462A2DA04122959FB66993278D5CB895038E04248425F847BA5FE1FD0F2EC1A50F36623EC1D77B816A235B4A480C41BFEF1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Nico Mak Computing\WinZip]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files (x86)\Cyberlink\MediaEspresso\DeviceDetector\DeviceDetector.exe
c:\program files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\HPTouchSmartSyncCalReminderApp.exe
.
**************************************************************************
.
Completion time: 2013-05-11 12:18:20 - machine was rebooted
ComboFix-quarantined-files.txt 2013-05-11 02:18
.
Pre-Run: 867,428,749,312 bytes free
Post-Run: 870,000,234,496 bytes free
.
- - End Of File - - C3886809C66FFAE866102E039B82D7D4
Big Big problem. Am sending this post from another computer.
Ran Combofix as per instructions. During process computer was rebooted and then log file created. Now no programmes will run. Get error message "Illegal operation attempted on a registary key that has been marked for deletion". Some system type programmes will run including Control Panel. Checked for restore points and am informed that none exist. After computer rebooteded as previously mentioned a quick defrag programme ran which is normal for the computer. This programme runs before the log in is requested. I have obtained the Combofix log file via a network connection and have attached it below.
Help please. Thanks.
ComboFix 13-05-10.03 - Ian 11/05/2013 11:48:17.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.61.1033.18.8119.5668 [GMT 10:00]
Running from: c:\users\Ian\Desktop\ComboFix.exe
AV: Total Defense Anti-Virus *Enabled/Updated* {57B5C44D-AAB5-DBC9-741B-542BE5A132EA}
SP: Total Defense Anti-Virus *Enabled/Updated* {ECD425A9-8C8F-D447-4EAB-6F599E267857}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\AppleDev0\hemxccape.exe
c:\programdata\AppleDev0 . . . . Failed to delete
.
.
((((((((((((((((((((((((( Files Created from 2013-04-11 to 2013-05-11 )))))))))))))))))))))))))))))))
.
.
2013-05-11 02:01 . 2013-05-11 02:01 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-05-11 01:55 . 2013-05-11 02:04 -------- d-sh--w- c:\programdata\AppleDev0
2013-05-11 01:41 . 2013-05-11 01:41 16712 ----a-w- c:\windows\system32\drivers\PROCEXP113.SYS
2013-05-09 23:46 . 2013-05-09 23:46 -------- d-----w- c:\users\Ian\AppData\Roaming\Malwarebytes
2013-05-09 23:22 . 2013-05-09 23:22 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2013-05-09 23:22 . 2013-04-04 04:50 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-05-08 02:30 . 2013-05-08 02:30 -------- d-----w- c:\programdata\Malwarebytes
2013-04-29 01:32 . 2013-04-29 01:32 -------- d-----w- c:\program files (x86)\ERUNT
2013-04-27 12:13 . 2013-04-29 13:37 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2013-04-27 12:13 . 2009-01-25 02:14 17272 ----a-w- c:\windows\system32\sdnclean64.exe
2013-04-27 12:13 . 2013-04-27 12:13 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy 2
2013-04-27 12:11 . 2013-04-27 12:11 -------- d-----w- c:\users\Ian\AppData\Local\Programs
2013-04-27 08:33 . 2013-05-10 23:17 -------- d-----w- c:\users\Ian\AppData\Roaming\Mining
2013-04-25 12:33 . 2011-12-26 11:37 90608 ----a-w- c:\windows\system32\drivers\CLVirtualDrive.sys
2013-04-24 23:34 . 2013-04-24 23:34 -------- d-----w- c:\program files\WinRAR
2013-04-24 21:47 . 2013-04-27 08:45 -------- d-----w- c:\users\Ian\AppData\Roaming\.minecraft
2013-04-23 23:20 . 2013-04-12 14:45 1656680 ----a-w- c:\windows\system32\drivers\ntfs.sys
2013-04-23 13:05 . 2013-04-23 13:05 -------- d-----w- c:\program files (x86)\Common Files\Java
2013-04-23 13:05 . 2013-04-03 19:35 95648 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-04-23 13:03 . 2013-04-23 13:03 -------- d-----w- c:\programdata\McAfee
2013-04-13 07:18 . 2013-04-13 07:18 -------- d-----w- c:\program files (x86)\Common Files\Skype
2013-04-12 02:52 . 2013-04-12 02:52 -------- d-----w- c:\users\Ian\AppData\Local\Power2Go8
2013-04-12 01:52 . 2013-04-12 01:52 -------- d-----w- c:\program files (x86)\Common Files\CyberLink
2013-04-12 00:24 . 2013-04-12 00:24 26520 ----a-w- c:\program files (x86)\Mozilla Firefox\plugin-hang-ui.exe
2013-04-11 03:52 . 2013-01-24 06:01 223752 ----a-w- c:\windows\system32\drivers\fvevol.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-11 02:04 . 2011-03-29 01:36 22240 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2013-05-11 02:04 . 2013-01-14 12:15 15712 ----a-w- c:\windows\system32\drivers\SWDUMon.sys
2013-04-16 12:28 . 2012-06-19 03:42 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-04-16 12:28 . 2012-06-19 03:42 691592 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-04-11 03:54 . 2013-01-13 00:11 72702784 ----a-w- c:\windows\system32\MRT.exe
2013-03-31 08:32 . 2013-03-31 08:32 82600 ----a-w- c:\windows\system32\drivers\amd_sata.sys
2013-03-31 08:32 . 2013-03-31 08:32 42664 ----a-w- c:\windows\system32\drivers\amd_xata.sys
2013-03-23 01:18 . 2013-03-23 01:18 6202880 ----a-w- c:\windows\SysWow64\atiumdag.dll
2013-03-23 01:18 . 2013-03-23 01:18 5005824 ----a-w- c:\windows\SysWow64\atiumdva.dll
2013-03-23 01:18 . 2013-03-23 01:18 1960448 ----a-w- c:\windows\SysWow64\atiumdmv.dll
2013-03-23 01:18 . 2013-03-23 01:18 1053184 ----a-w- c:\windows\system32\atiumd6v.dll
2013-03-23 01:18 . 2012-04-25 16:31 41984 ----a-w- c:\windows\SysWow64\atiuxpag.dll
2013-03-23 01:18 . 2012-04-09 02:19 64000 ----a-w- c:\windows\system32\coinst.dll
2013-03-23 01:18 . 2012-04-09 01:56 4516352 ----a-w- c:\windows\system32\atiumd6a.dll
2013-03-23 01:18 . 2012-04-09 01:30 54784 ----a-w- c:\windows\system32\atiuxp64.dll
2013-03-23 01:18 . 2013-03-23 01:18 120320 ----a-w- c:\windows\system32\atitmm64.dll
2013-03-23 01:18 . 2012-04-25 16:31 32256 ----a-w- c:\windows\SysWow64\atiu9pag.dll
2013-03-23 01:18 . 2012-04-09 01:44 7431168 ----a-w- c:\windows\system32\atiumd64.dll
2013-03-23 01:18 . 2012-04-09 01:30 44544 ----a-w- c:\windows\system32\atiu9p64.dll
2013-03-23 01:18 . 2013-03-23 01:18 56832 ----a-w- c:\windows\SysWow64\atimpc32.dll
2013-03-23 01:18 . 2013-03-23 01:18 56832 ----a-w- c:\windows\SysWow64\amdpcom32.dll
2013-03-23 01:18 . 2013-03-23 01:18 56320 ----a-w- c:\windows\system32\atimpc64.dll
2013-03-23 01:18 . 2013-03-23 01:18 56320 ----a-w- c:\windows\system32\amdpcom64.dll
2013-03-23 01:18 . 2013-03-23 01:18 51200 ----a-w- c:\windows\system32\aticalrt64.dll
2013-03-23 01:18 . 2013-03-23 01:18 503296 ----a-w- c:\windows\system32\atieclxx.exe
2013-03-23 01:18 . 2013-03-23 01:18 46080 ----a-w- c:\windows\SysWow64\aticalrt.dll
2013-03-23 01:18 . 2013-03-23 01:18 44544 ----a-w- c:\windows\system32\aticalcl64.dll
2013-03-23 01:18 . 2013-03-23 01:18 442368 ----a-w- c:\windows\system32\ATIDEMGX.dll
2013-03-23 01:18 . 2013-03-23 01:18 44032 ----a-w- c:\windows\SysWow64\aticalcl.dll
2013-03-23 01:18 . 2013-03-23 01:18 41984 ----a-w- c:\windows\system32\atig6txx.dll
2013-03-23 01:18 . 2013-03-23 01:18 339456 ----a-w- c:\windows\system32\drivers\atikmpag.sys
2013-03-23 01:18 . 2013-03-23 01:18 33280 ----a-w- c:\windows\SysWow64\atigktxx.dll
2013-03-23 01:18 . 2013-03-23 01:18 26181632 ----a-w- c:\windows\system32\atio6axx.dll
2013-03-23 01:18 . 2013-03-23 01:18 236544 ----a-w- c:\windows\system32\atiesrxx.exe
2013-03-23 01:18 . 2013-03-23 01:18 21504 ----a-w- c:\windows\system32\atimuixx.dll
2013-03-23 01:18 . 2013-03-23 01:18 19753472 ----a-w- c:\windows\SysWow64\atioglxx.dll
2013-03-23 01:18 . 2013-03-23 01:18 17408 ----a-w- c:\windows\system32\atig6pxx.dll
2013-03-23 01:18 . 2013-03-23 01:18 16096768 ----a-w- c:\windows\system32\aticaldd64.dll
2013-03-23 01:18 . 2013-03-23 01:18 14848 ----a-w- c:\windows\SysWow64\atiglpxx.dll
2013-03-23 01:18 . 2013-03-23 01:18 14848 ----a-w- c:\windows\system32\atiglpxx.dll
2013-03-23 01:18 . 2013-03-23 01:18 13770752 ----a-w- c:\windows\SysWow64\aticaldd.dll
2013-03-23 01:18 . 2013-03-23 01:18 11172864 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2013-03-23 01:18 . 2013-03-23 01:18 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2013-03-23 01:18 . 2013-03-23 01:18 514560 ----a-w- c:\windows\system32\atiadlxx.dll
2013-03-23 01:18 . 2013-03-23 01:18 360448 ----a-w- c:\windows\SysWow64\atiadlxy.dll
2013-03-23 01:18 . 2013-03-23 01:18 159744 ----a-w- c:\windows\system32\atiapfxx.exe
2013-03-23 01:18 . 2012-04-25 17:56 909312 ----a-w- c:\windows\SysWow64\aticfx32.dll
2013-03-23 01:18 . 2012-04-25 17:47 6798848 ----a-w- c:\windows\SysWow64\atidxx32.dll
2013-03-23 01:18 . 2012-04-09 02:39 1067520 ----a-w- c:\windows\system32\aticfx64.dll
2013-03-23 01:18 . 2012-04-09 02:14 7476736 ----a-w- c:\windows\system32\atidxx64.dll
2013-03-19 06:04 . 2013-04-11 00:28 5550424 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-19 05:46 . 2013-04-11 00:28 43520 ----a-w- c:\windows\system32\csrsrv.dll
2013-03-19 05:04 . 2013-04-11 00:28 3968856 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2013-03-19 05:04 . 2013-04-11 00:28 3913560 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2013-03-19 04:47 . 2013-04-11 00:28 6656 ----a-w- c:\windows\SysWow64\apisetschema.dll
2013-03-19 03:06 . 2013-04-11 00:28 112640 ----a-w- c:\windows\system32\smss.exe
2013-03-12 22:53 . 2013-01-12 12:12 861088 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2013-03-12 22:53 . 2013-01-12 12:12 782240 ----a-w- c:\windows\SysWow64\deployJava1.dll
2013-03-01 03:36 . 2013-04-11 00:28 3153408 ----a-w- c:\windows\system32\win32k.sys
2013-02-12 05:45 . 2013-03-23 12:00 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll
2013-02-12 05:45 . 2013-03-23 12:00 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll
2013-02-12 05:45 . 2013-03-23 12:00 308736 ----a-w- c:\windows\apppatch\AppPatch64\AcGenral.dll
2013-02-12 05:45 . 2013-03-23 12:00 111104 ----a-w- c:\windows\apppatch\AppPatch64\acspecfc.dll
2013-02-12 04:48 . 2013-03-23 12:00 474112 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2013-02-12 04:48 . 2013-03-23 12:00 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll
2013-02-12 04:12 . 2013-03-20 22:43 19968 ----a-w- c:\windows\system32\drivers\usb8023.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress8"="c:\program files (x86)\CyberLink\Power2Go8\Power2GoExpress8.exe" [2013-03-05 1711168]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"CLVirtualDrive"="c:\program files (x86)\CyberLink\Power2Go8\VirtualDrive.exe" [2013-03-05 492096]
.
c:\users\Ian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files (x86)\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
OpenOffice.org 3.4.1.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2012-8-13 1199104]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\Hp\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoThumbnailCache"= 1 (0x1)
"TaskbarNoNotification"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2011-02-24 03:33 79368 ----a-w- c:\windows\System32\UmxWNP.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS\0\0sdnclean64.exe
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2012-09-27 86528]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2013-02-28 161384]
R3 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\7.1.362.0\SeaPort.exe [2012-02-14 240408]
R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 19456]
R3 SWDUMon;SWDUMon;c:\windows\system32\DRIVERS\SWDUMon.sys [2013-05-11 15712]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2012-08-23 57856]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2012-08-23 30208]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2013-01-13 1255736]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
S0 amd_sata;amd_sata;c:\windows\system32\drivers\amd_sata.sys [2013-03-31 82600]
S0 amd_xata;amd_xata;c:\windows\system32\drivers\amd_xata.sys [2013-03-31 42664]
S0 KmxAMRT;KmxAMRT;c:\windows\system32\DRIVERS\KmxAMRT.sys [2011-10-27 182352]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2008-06-15 55024]
S1 CLVirtualDrive;CLVirtualDrive;c:\windows\system32\DRIVERS\CLVirtualDrive.sys [2011-12-26 90608]
S1 KmxAgent;KmxAgent;c:\windows\system32\DRIVERS\kmxagent.sys [2011-10-26 113744]
S1 KmxCfg;KmxCfg;c:\windows\system32\DRIVERS\kmxcfg.sys [2011-09-06 365136]
S2 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files (x86)\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [2009-09-05 169312]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2013-03-23 236544]
S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2012-09-13 361984]
S2 AODDriver4.2.0;AODDriver4.2.0;c:\program files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [2012-04-08 57472]
S2 BBSvc;BingBar Service;c:\program files (x86)\Microsoft\BingBar\7.1.362.0\BBSvc.exe [2012-02-14 193816]
S2 CAAMSvc;CAAMSvc;c:\program files\Total Defense\Internet Security Suite\Anti-Virus\caamsvc.exe [2012-03-01 293704]
S2 CalendarSynchService;CalendarSynchService;c:\program files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\GCalService.exe [2011-08-16 16384]
S2 ccSchedulerSVC;CA Common Scheduler Service;c:\program files\Total Defense\Internet Security Suite\ccschedulersvc.exe [2012-08-18 288336]
S2 HPAuto;HP Auto;c:\program files\Hewlett-Packard\HP Auto\HPAuto.exe [2011-02-17 682040]
S2 NOBU;Norton Online Backup;c:\program files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe SERVICE [x]
S2 OODefragAgent;O&O Defrag;c:\program files\OO Software\Defrag\oodag.exe [2012-11-30 3293552]
S2 pdfcDispatcher;PDF Document Manager;c:\program files (x86)\PDF Complete\pdfsvc.exe [2012-04-04 1134584]
S2 RichVideo64;Cyberlink RichVideo64 Service(CRVS);c:\program files\CyberLink\Shared files\RichVideo64.exe [2012-12-21 390672]
S2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [2012-11-13 1103392]
S2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2012-11-13 1369624]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [2012-11-13 168384]
S2 UmxEngine;TM Engine;c:\program files\CA\SharedComponents\TMEngine\UmxEngine.exe [2011-04-04 920656]
S3 amdhub30;AMD USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\amdhub30.sys [2000-01-01 106664]
S3 amdxhc;AMD USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\amdxhc.sys [2000-01-01 226984]
S3 AmUStor;AM USB Stroage Driver;c:\windows\system32\drivers\AmUStor.SYS [2000-01-01 51712]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2000-01-01 96896]
S3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\DRIVERS\dc3d.sys [2000-01-01 75888]
S3 L1C;NDIS Miniport Driver for Atheros AR81xx PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys [2012-04-12 104048]
S3 Point64;Microsoft Mouse and Keyboard Center Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2000-01-01 50800]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [2000-01-01 57512]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2013-05-11 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-19 12:28]
.
2013-05-11 c:\windows\Tasks\DriverUpdate Startup.job
- c:\program files (x86)\DriverUpdate\DriverUpdate.exe [2012-12-03 02:57]
.
2013-05-11 c:\windows\Tasks\HP Photo Creations Communicator.job
- c:\programdata\HP Photo Creations\Communicator.exe [2011-11-18 10:11]
.
2013-05-11 c:\windows\Tasks\HPCeeScheduleForIan.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2011-07-15 11:43]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BeatsOSDApp"="c:\program files\IDT\WDM\beats64.exe" [2012-04-26 37888]
"HPSYSDRV"="c:\program files (x86)\Hewlett-Packard\HP Odometer\HPSYSDRV.EXE" [2008-11-20 62768]
"cctray"="c:\program files\Total Defense\Internet Security Suite\casc.exe" [2012-08-18 2711120]
"AmIcoSinglun64"="c:\program files (x86)\AmIcoSingLun\AmIcoSinglun64.exe" [2000-01-01 324096]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2012-04-24 1425408]
"OODefragTray"="c:\program files\OO Software\Defrag\oodtray.exe" [2012-11-30 4000112]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalService
FontCache
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Ian\AppData\Roaming\Mozilla\Firefox\Profiles\a7s0e0u1.default\
FF - ExtSQL: !HIDDEN! 2013-01-12 21:30; smartwebprinting@hp.com; c:\program files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-Olympus DSS - c:\programdata\AppleDev0\hemxccape.exe
Wow6432Node-HKLM-Run-NWEReboot - (no file)
Wow6432Node-HKLM-Run-Olympus DSS - c:\programdata\AppleDev0\hemxccape.exe
Notify-SDWinLogon - SDWinLogon.dll
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
HKLM_Wow6432Node-ActiveSetup-{438363A8-F486-4C37-834C-4955773CB3D3} - msiexec
AddRemove-{EE202411-2C26-49E8-9784-1BC1DBF7DE96} - c:\program files (x86)\InstallShield Installation Information\{EE202411-2C26-49E8-9784-1BC1DBF7DE96}\setup.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\pdfcDispatcher]
"ImagePath"="c:\program files (x86)\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2542283634-4230272488-366954266-1000_Classes\CLSID\{61B1A75C-BE76-5B4E-BBD7-B296509F128F}]
@Denied: (A 4) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG15.00.00.01PROFESSIONAL"="A7662F5BB48C24DCEE8CCACDC765F3AA482A0B8411667C9BF2059619FB183CC742327427C4A03AD53C409412A049D2E2CBA7781B75603048790E63CD9AE3392A3C5E9D38B77B235AD9AA486FA3CA0A81D3E43D6F6186992A655B00B820E7CA881195C8D3D6E4AC9FC4748C14E9BCBD33FEA6A6B15F58D77F16EE862FA6722C5582387797EF15C9F2BC796C8190E7BA36AEE7E9E9FDCAB01F3080F25E4EC3381C935A0D7251BA8E3049C9D409B906EF5F8AD49CEFCF4509EE98F924C2B912F1F80CC2D428D178B54B32AA19578BC56E94FBCFBCF2EB23EEECFCF860B01285FC1E79ED7B50C7E31EC70415EE672ECBEE52B0FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA9C6AECB7A5D1407FEBC9E127BECC74CA9C6AECB7A5D1407A9C6AECB7A5D140759CED4A8DF1FFD764BDB6C5C253B362EFEC26A1293609C80343EB5D457A593F36E87C6C1ED83D6421F6A73362EB6F28E12E4068027A5031EB8DCA5A9C75DBD283CDF0D49E3195FB7E1F7976E77E1CD16BF8B15954A33234BBED3F3AC5838FBACF4DBBA2F101792F8C5914FC5DC4C378955EE90820790089251A43EA2DCD68AE901E330E83357866FAEA9E1822B28B67455A847FDD6E94C3CADB3775020FD3B8DFAC627ED0456DE49B3186C6EA8CD69A4F4B85944AC8F20DA47C7E785DB967385B2B52B3CAD375877A216DFD689367D2B9D833E136975C8BEC40F288D442FAB082CC51CD4CCBFBEAEFC42808C7A01B55EECCEBEAC67B21E7F0098283FFDF5F10C1E702CBA74D9F5E8759E68E71AF1E959B448F9D871830C7908D9AAF09FC1E6CD7492E47629927262F51203BEFAED85F9797C60E0C749144B9F2A46FD390A41CD4E6E2396661C419C1A6712F2A4820863766138159F854857BC476547CA6DC850802992AA9ACD7E5DB2CCA9E1125C8378974D9AC61FE052C5895147AFC72CDADC114D3B47269FDDACC3D333F432CF21677E7A764D6329EF01E5CA7E9E1BA9E8BF3CC5F285DFB0235707736A9367539A9B028A8C02FC4BED39639E728021F0F90AF1E4658211C12C716886E12B0A813FC7AA7F73C5EEDDB3DF4818DDC3ABAD240FD4E1925D78BAE4CB084A7C2F649973E2364114F83117B8AD8FE7CE5D7E3117E63CD34E3BC823CF043BE2F394B6FD2DA6151BAD84B0D2871EE7A1A7C3537014EDB5B9414528AA83F289D4D3D3B1367911EEBC5051CC12C26EB3BE20F356846EC37EF266A82EA22BBD300C7F6CFDECF5E41CB8E24ED9F71DA30A1C436D2AA911CD0B478C946B8003C62056A95EB5705627AA089E6E9ECC6003B4F7EE3262C079B3835F58BE60DE5FB7FCE45CB0E8B462A2DA04122959FB66993278D5CB895038E04248425F847BA5FE1FD0F2EC1A50F36623EC1D77B816A235B4A480C41BFEF1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Nico Mak Computing\WinZip]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files (x86)\Cyberlink\MediaEspresso\DeviceDetector\DeviceDetector.exe
c:\program files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\HPTouchSmartSyncCalReminderApp.exe
.
**************************************************************************
.
Completion time: 2013-05-11 12:18:20 - machine was rebooted
ComboFix-quarantined-files.txt 2013-05-11 02:18
.
Pre-Run: 867,428,749,312 bytes free
Post-Run: 870,000,234,496 bytes free
.
- - End Of File - - C3886809C66FFAE866102E039B82D7D4
Sorry, last post re combofix done twice. Did not realise that I should have gone to second page.
shelf life
2013-05-11, 15:18
Reboot your machine and see if the message ("Illegal operation attempted on a registry...) still appears afterwards.
Have rebooted machine and can now run programmes as normal. :bigthumb: Bit of a releaf, thought I was in for a reload windows job. Still starting with internet disconnected.
Thanks
shelf life
2013-05-12, 03:12
Go ahead and start it up like you normally would. So it will have connectivity. you should be good to go.
Started up ok with the internet connected. So far so good. Will try it out for a couple of days and then hopefully make a final post.
There are two auto run entries in the startup list in Spybot Tools. C:\Users\Ian\AppData\Roaming\Mining\mini.exe and ....Roaming\Minings\mineamillion.exe. As previously mentioned I unticked these two file to allow me to use the computer. Can I use the Delete button in the Auto Run tab to remove them?
Thanks.
shelf life
2013-05-12, 19:35
Good.
Can I use the Delete button in the Auto Run tab to remove them?
Iam not familiar with Spybot so guessing I would say go ahead and do it. Can't hurt. You can also, using explorer delete the two folders if present:
C:\Users\Ian\AppData\Roaming\Mining
C:\Users\Ian\AppData\Roaming\Minings
Computer now appears to be back to normal as I have had no indications of the original problem for several days now. The two Roaming files and the two entries in the start up list have been removed.
Shelf life, I don't know who you are or where you are from but its people like you, who give of your time and knowledge to help others, that make the internet and indeed the world a better place. Thank you very much for your time and effort. :thanks::thanks:
Ian
shelf life
2013-05-16, 01:08
ok Ianola, thanks. Glad to help. Few things you can do:
You can delete aswmbr.exe and Roguekiller icons from your desktop as well as there logs.
Combofix can be removed by clicking the start button and in the search field typing: combofix /uninstall
note the space after the x and before the /.
Theres also info on how to uninstall combofix with some pictures:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Remember the free version of Malwarebytes must be updated manually and a scan started manually.
And Last:
---------------------------------------------------------------------------------------------------------
No software can think for you. Help yourself. In no special order:
1) It is essential to keep your operating system (Windows) browser (IE, FireFox, Chrome, Opera) and other software up to date to "patch" vulnerabilities that could be exploited. Visit Windows Update (http://www.update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us) frequently or use the Windows auto-update feature.
Staying updated is also essential for other web based applications like Java, Adobe Flash/Reader, iTunes etc. More and more third party applications are being targeted. Use the auto-update features available in most software. Not sure if you are using the latest version of software? Check their version status and get the updates here. ( http://secunia.com/vulnerability_scanning/online/)
2) Know what you are installing to your computer. Alot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. More and more legitimate software are installing useless toolbars if not unchecked first. Do not install any files from ads, popups or random links. Do not fall for fake warnings about virus and trojans being found on your computer and you are then prompted to install software to remedy this.
3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. If either of these frequently find malware then its time to *review your computer habits*.
4) Refrain from clicking on links or attachments via E-Mail, IM, IRC, Chat Rooms, Blogs or Social Networking Sites, no matter how tempting or legitimate the message may seem. See also E-mail phishing tricks. (http://www.fraud.org/tips/internet/phishing.htm)
5) Do not click on ads/pop ups or offers from websites requesting that you need to install software to your computer--*for any reason*. Use the Alt+F4 keys to close the window.
6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website to install components?
7) Consider the use of limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts (http://www.microsoft.com/protect/computer/advanced/useraccount.mspx) can help prevent *malware from installing and lessen its potential impact.* This is exactly what user account control (UAC) in Windows Vista, Windows 7 and Windows 8 attempts to address.
8) Install and understand the *limitations* of a software firewall.
9) Your browser risks: The why and how (http://www.cert.org/tech_tips/securing_browser/) to secure your browser for safer surfing. Consider disabling Java (http://disablejava.com/) in your browser.
10) Warez, cracks, keygens etc are very popular for carrying malware payloads. If you look for these you will encounter malware. If you download/install files via p2p networks you will encounter malware. Do you really trust the source of the file?
More info/tips with pictures, link below
Happy Safe Surfing.