1. #1
    niemiro's Avatar
    Join Date
    Mar 2012
    Location
    District 12
    Posts
    7,868

    Infected with Sirefef :(

    Hello all you security folks :)

    I am currently in need of assistance myself. I would greatly appreciate any and all help. I am currently on holiday, and this is my laptop rather than my normal computer. Can you please note that I do not have access to Windows disks or any blank media for the next two weeks (but I do have a memory stick). Sorry about that.

    I was browsing on three highly reputable forums, two of which display advertisements, and suddenly out of the blue a fake AV was screaming at me. Anyway, it was pretty standard fare, and I have managed to remove it using standard tools, but I would appreciate any help confirming that I am actually clean. My computer is operating perfectly fine at the moment. I will outline the steps I have taken below, and then post the DDS and Security Check logs in a separate post.

    First, I tried to see what was and wasn't blocked. All .exe files were broken, and there was a blacklist of bad file names. This was easily defeated by renaming to whatever.scr. My installed MBAM and MSE were crippled.

    The internet also had a blacklist, but a very poor one (e.g. geekstogo.com was blocked, but itxassociates.com wasn't, etc. etc.).

    The Desktop icon created showed that the malware originated from a ProgramData directory, and the %Temp% directory. Manually emptied all that I could from both of these.

    The malware was still killing based on window titles and the key component I won't mention publicly (I don't understand why anti-malware tool authors do that. It is utterly ridiculous. I hope that they realise that this allows me (and I am extremely unskilled) to bypass the Malwarebytes Chameleon and almost any other tool in 4 lines of code. And it is so easily preventable.)

    Anyway, the main process was still running, so I opened up a special programming/debugging tool, and started manipulating memory until the process crashed. At last it had gone! I seized my opportunity to delete the rest of the %Temp% and ProgramData malware.

    I still couldn't download MBAM from the official website, but I got it from the bleepingcomputer.com mirror (what a shoddy blacklist!). Gave it a whirl (quick scan), and it removed some remnants:

    Code:
    Malwarebytes Anti-Malware 1.62.0.1300
    www.malwarebytes.org
    Database version: v2012.07.29.02
    Windows Vista Service Pack 2 x64 NTFS
    Internet Explorer 9.0.8112.16421
    Richard :: RICHARD-LAPTOP [administrator]
    29/07/2012 07:52:43
    mbam-log-2012-07-29 (07-52-43).txt
    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 211741
    Time elapsed: 3 minute(s), 56 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 1
    HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Live Security Platinum (Rogue.LiveSecurityPlatinum) -> Quarantined and deleted successfully.
    Registry Values Detected: 1
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Viiwylka (Trojan.Agent) -> Data: C:\Users\Richard\AppData\Roaming\Qyeqt\seiq.exe -> Quarantined and deleted successfully.
    Registry Data Items Detected: 4
    HKCU\SOFTWARE\Policies\Microsoft\Windows\System|DisableCMD (PUM.Hijack.CMDPrompt) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
    HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
    HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
    HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
    Folders Detected: 1
    C:\Users\Richard\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Live Security Platinum (Rogue.LiveSecurityPlatinum) -> Quarantined and deleted successfully.
    Files Detected: 6
    C:\Users\Richard\AppData\Roaming\Qyeqt\seiq.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\$RECYCLE.BIN\S-1-5-21-2788916113-3204535740-887933417-1000\$R6UZIV0.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\$RECYCLE.BIN\S-1-5-21-2788916113-3204535740-887933417-1000\$R7XXO06.tmp (Trojan.Midhos) -> Quarantined and deleted successfully.
    C:\$RECYCLE.BIN\S-1-5-21-2788916113-3204535740-887933417-1000\$RNKTWOM.exe (Spyware.Zeus) -> Quarantined and deleted successfully.
    C:\WINDOWS\Installer\{63c3d2d2-1d22-1ae6-14dc-9744f38ab1dc}\n (Trojan.Sirefef) -> Quarantined and deleted successfully.
    C:\Users\Richard\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Live Security Platinum\Live Security Platinum.lnk (Rogue.LiveSecurityPlatinum) -> Quarantined and deleted successfully.
    (end)
    A second quick scan came up clean. Suddenly, the internet and everything else started working again. Excellent! Repaired a bunch of deleted services (MSE, Windows Update, BITS, Windows Modules Installer), and that fixed most other problems. Gave it a reboot just to make sure...not so.

    Now I started getting "Windows has encountered a critical problem and will restart automatically in one minute. Please save your work now." messages. MBAM quick scan still came up clean, so I gave my newly repaired MSE a go. It deleted some more remnants:

    C:\WINDOWS\Installer\{63c3d2d2-1d22-1ae6-14dc-9744f38ab1dc}\U\800000cb.@
    C:\WINDOWS\Installer\{63c3d2d2-1d22-1ae6-14dc-9744f38ab1dc}\U\80000000.@


    More worryingly, it detected an infected services.exe which it couldn't disinfect. So...I whipped out my Windows Update and SFC knowledge, and performed a manual replacement out of WinSxS. Pended all the replacement and hard link repairs over a reboot, restarted, and voila, a hole in one!

    Finally, MSE came back clean.

    Now, my computer is working perfectly. I have managed to delete and disinfect all that I have found (even if I did use some slightly unorthodox methods at times!), and have managed to repair all collateral damage. However, I wonder whether you think there might be more fragments I have yet to find? I would greatly appreciate all opinions on that. I will post my DDS and Security Check logs in a second post below.

    In conclusion, I used MBAM, MSE, some Windows Update tools, and a debugging tool, I tried but failed to use OTL, RKill, and Rogue Killer, and I didn't use anything but those.

    Thank you very much,

    Richard
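Added example, not code from the original post or from any of the tools it names. It is the post-cleanup sweep a responder would run against the artifacts the MBAM log above lists: Run values whose command line points into a user data directory (the log's `HKCU\...\Run|Viiwylka -> %APPDATA%\Qyeqt\seiq.exe`), the `DisableCMD` and Security Center `*DisableNotify` values (plus `EnableLUA`, which the DDS log in the next post shows as 0), the `%SystemRoot%\Installer\{GUID}\U\*.@` drop directory, and a SHA-256 comparison of the live `services.exe` against every copy in WinSxS. It is written against PowerShell 2.0 (no `Get-FileHash`, no `-File` switch) so it runs on Vista SP2; the registry paths and the drop-directory layout are taken from the logs, the 36-character GUID pattern and the choice of data directories are my assumptions. Save as a `.ps1` and run from an elevated prompt.

```powershell
# Added example (not from the original post). Post-cleanup sweep for the
# artifacts named in the MBAM/DDS logs. PowerShell 2.0 compatible; run elevated.

$findings = @()
function Add-Finding([string]$What, [string]$Detail) {
    $script:findings += New-Object PSObject -Property @{ What = $What; Detail = $Detail }
}

# 1. Run values whose command line points into a user-writable data directory
#    (the log shows HKCU\...\Run|Viiwylka -> %APPDATA%\Qyeqt\seiq.exe).
#    Directory choice is an assumption; review hits rather than deleting blindly.
$userDirs = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:ProgramData) | Where-Object { $_ }
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
$runKeys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run')
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($providerProps -contains $p.Name) { continue }   # skip provider metadata
        $cmd = [string]$p.Value
        foreach ($d in $userDirs) {
            if ($cmd.ToLower().Contains($d.ToLower())) {
                Add-Finding 'Run value in user data dir' "$key\$($p.Name) = $cmd"
                break
            }
        }
    }
}

# 2. Policy / Security Center values the rogue set (paths as in the MBAM log;
#    EnableLUA = 0 is from the DDS log). Absent is fine; a present value other
#    than Expected is flagged.
$tamper = @(
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Windows\System'; Name = 'DisableCMD'; Expected = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'AntiVirusDisableNotify'; Expected = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'FirewallDisableNotify'; Expected = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'UpdatesDisableNotify'; Expected = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'EnableLUA'; Expected = 1 }
)
foreach ($t in $tamper) {
    if (-not (Test-Path $t.Path)) { continue }
    $v = (Get-ItemProperty -Path $t.Path -ErrorAction SilentlyContinue).($t.Name)
    if ($v -ne $null -and $v -ne $t.Expected) {
        Add-Finding 'Tamper value' "$($t.Path)\$($t.Name) = $v (expected $($t.Expected))"
    }
}

# 3. Sirefef/ZeroAccess drop location from the log:
#    %SystemRoot%\Installer\{GUID}\U\*.@ plus a file named "n" beside it.
$installer = Join-Path $env:SystemRoot 'Installer'
foreach ($dir in @(Get-ChildItem -Path $installer -Force -ErrorAction SilentlyContinue |
                   Where-Object { $_.PSIsContainer -and $_.Name -match '^\{[0-9a-f-]{36}\}$' })) {
    $u = Join-Path $dir.FullName 'U'
    $n = Join-Path $dir.FullName 'n'
    $at = @(Get-ChildItem -Path $u -Force -ErrorAction SilentlyContinue | Where-Object { $_.Name -like '*.@' })
    if ($at.Count -gt 0) { Add-Finding 'Sirefef drop dir' "$u ($($at.Count) .@ files)" }
    if (Test-Path $n)    { Add-Finding 'Sirefef loader'   $n }
}

# 4. services.exe: hash the live binary and every copy in the component store.
function Get-Sha256([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { [System.BitConverter]::ToString($sha.ComputeHash($fs)).Replace('-', '') }
    finally { $fs.Close() }
}
$live = Join-Path $env:SystemRoot 'System32\services.exe'
$liveHash = Get-Sha256 $live
$storeHashes = @{}
Get-ChildItem -Path (Join-Path $env:SystemRoot 'winsxs') -Recurse -Filter 'services.exe' -Force -ErrorAction SilentlyContinue |
  Where-Object { -not $_.PSIsContainer } |
  ForEach-Object { $storeHashes[$_.FullName] = Get-Sha256 $_.FullName }
if ($storeHashes.Count -eq 0 -or -not ($storeHashes.Values -contains $liveHash)) {
    Add-Finding 'services.exe' "live SHA256 $liveHash matches no WinSxS copy; run: sfc /verifyfile=$live"
}
# Caveat: on Vista/7 System32\services.exe is normally a hard link to the newest
# WinSxS copy, so a patch written through that link changes both ends at once;
# a match here only rules out a swapped-in file. sfc /verifyfile checks the
# file against the signed catalog and is the authoritative test.

if ($findings.Count -eq 0) { 'No leftover indicators found.' }
else { $findings | Select-Object What, Detail | Format-Table -AutoSize -Wrap }
```

Two notes on the integrity check. First, `Get-AuthenticodeSignature` is not used because on PowerShell 2.0 it does not consult signing catalogs, so catalog-signed system files such as `services.exe` report `NotSigned` whether or not they are clean; `sfc /verifyfile=<path>` (available since Vista) does the catalog check. Second, section 4 deliberately prints a finding when it cannot read WinSxS at all, because an empty comparison set proves nothing.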



  2. #2
    niemiro

    Re: Infected with Sirefef :(

    .
    DDS (Ver_2011-08-26.01) - NTFSAMD64
    Internet Explorer: 9.0.8112.16421
    Run by Richard at 19:34:25 on 2012-07-29
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.4060.2099 [GMT 1:00]
    .
    AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    c:\Program Files\Microsoft Security Client\MsMpEng.exe
    C:\Windows\system32\Ati2evxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_15f4e438\STacSV64.exe
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\Ati2evxx.exe
    C:\Program Files\Dell\DellDock\DockLogin.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_15f4e438\AESTSr64.exe
    C:\Windows\system32\svchost.exe -k apphost
    C:\Windows\system32\CISVC.EXE
    C:\Windows\system32\inetsrv\inetinfo.exe
    C:\Windows\System32\svchost.exe -k ipripsvc
    C:\Windows\System32\svchost.exe -k LPDService
    C:\Windows\system32\mqsvc.exe
    c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
    C:\Windows\System32\tcpsvcs.exe
    C:\Windows\System32\snmp.exe
    c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\system32\svchost.exe -k iissvcs
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\mqtgsvc.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
    C:\Program Files (x86)\Vodafone\Vodafone Mobile Broadband\Bin\VmbService.exe
    c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\IDT\WDM\sttray64.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\Users\Richard\AppData\Local\Akamai\netsession_win.exe
    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
    C:\Program Files (x86)\Unlocker\UnlockerAssistant.exe
    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Users\Richard\AppData\Local\Akamai\netsession_win.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    C:\Windows\splwow64.exe
    C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cscript.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.co.uk/
    uInternet Settings,ProxyOverride = <local>
    mWinlogon: Userinit=userinit.exe,
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~2\Office14\GROOVEEX.DLL
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~2\Office14\URLREDIR.DLL
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    uRun: [Akamai NetSession Interface] "C:\Users\Richard\AppData\Local\Akamai\netsession_win.exe"
    uRun: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
    mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    mRun: [DellSupportCenter] "C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
    mRun: [VirtualCloneDrive] "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
    mRun: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
    mRun: [UnlockerAssistant] "C:\Program Files (x86)\Unlocker\UnlockerAssistant.exe"
    mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    uPolicies-explorer: HideSCAHealth = 1 (0x1)
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~2\Office14\ONBttnIE.dll/105
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
    IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    Trusted Zone: microsoft.com
    Trusted Zone: update.microsoft.com
    Trusted Zone: windowsupdate.microsoft.com
    Trusted Zone: windowsupdates.com
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    TCP: DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{03D847D1-E253-4CC6-96F0-14E7351F2DB5} : DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{62286AAD-A142-4926-922E-68F20E5D90EB} : DhcpNameServer = 88.82.13.12 88.82.13.12
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~2\Office14\GROOVEEX.DLL
    BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO-X64: AcroIEHelperStub - No File
    BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~2\Office14\GROOVEEX.DLL
    BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~2\Office14\URLREDIR.DLL
    BHO-X64: URLRedirectionBHO - No File
    BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    mRun-x64: [DellSupportCenter] "C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
    mRun-x64: [VirtualCloneDrive] "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
    mRun-x64: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
    mRun-x64: [UnlockerAssistant] "C:\Program Files (x86)\Unlocker\UnlockerAssistant.exe"
    mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~2\MICROS~2\Office14\GROOVEEX.DLL
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 DSFKSVCS;Kernel Services for DSF;C:\Windows\system32\DRIVERS\dsfksvcs.sys --> C:\Windows\system32\DRIVERS\dsfksvcs.sys [?]
    R0 dsfroot;root enumerated bus driver;C:\Windows\system32\DRIVERS\dsfroot.sys --> C:\Windows\system32\DRIVERS\dsfroot.sys [?]
    R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
    R1 VBoxDrv;VirtualBox Service;C:\Windows\system32\DRIVERS\VBoxDrv.sys --> C:\Windows\system32\DRIVERS\VBoxDrv.sys [?]
    R1 VBoxUSBMon;VirtualBox USB Monitor Driver;C:\Windows\system32\DRIVERS\VBoxUSBMon.sys --> C:\Windows\system32\DRIVERS\VBoxUSBMon.sys [?]
    R2 AESTFilters;Andrea ST Filters Service;C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_15f4e438\AESTSr64.exe --> C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_15f4e438\AESTSr64.exe [?]
    R2 DockLoginService;Dock Login Service;C:\Program Files\Dell\DellDock\DockLogin.exe [2008-12-18 155648]
    R2 FontCache;Windows Font Cache Service;C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
    R2 iprip;RIP Listener;C:\Windows\System32\svchost.exe -k ipripsvc [2008-1-21 21504]
    R2 VmbService;Vodafone Mobile Broadband Service;C:\Program Files (x86)\Vodafone\Vodafone Mobile Broadband\Bin\VmbService.exe [2010-12-31 9216]
    R3 CtClsFlt;Creative Camera Class Upper Filter Driver;C:\Windows\system32\DRIVERS\CtClsFlt.sys --> C:\Windows\system32\DRIVERS\CtClsFlt.sys [?]
    R3 huawei_enumerator;huawei_enumerator;C:\Windows\system32\DRIVERS\ew_jubusenum.sys --> C:\Windows\system32\DRIVERS\ew_jubusenum.sys [?]
    R3 k57nd60a;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\k57nd60a.sys --> C:\Windows\system32\DRIVERS\k57nd60a.sys [?]
    R3 NETw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\system32\DRIVERS\NETw5v64.sys --> C:\Windows\system32\DRIVERS\NETw5v64.sys [?]
    R3 OA008Ufd;Creative Camera OA008 Upper Filter Driver;C:\Windows\system32\DRIVERS\OA008Ufd.sys --> C:\Windows\system32\DRIVERS\OA008Ufd.sys [?]
    R3 OA008Vid;Creative Camera OA008 Function Driver;C:\Windows\system32\DRIVERS\OA008Vid.sys --> C:\Windows\system32\DRIVERS\OA008Vid.sys [?]
    R3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
    R3 VBoxNetFlt;VirtualBox Bridged Networking Service;C:\Windows\system32\DRIVERS\VBoxNetFlt.sys --> C:\Windows\system32\DRIVERS\VBoxNetFlt.sys [?]
    R3 vodafone_K3805-z_dc_enum;vodafone_K3805-z_dc_enum;C:\Windows\system32\DRIVERS\vodafone_K3805-z_dc_enum.sys --> C:\Windows\system32\DRIVERS\vodafone_K3805-z_dc_enum.sys [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-8-7 136176]
    S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-7-13 160944]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\WINDOWS\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-4-17 250056]
    S3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;C:\Windows\system32\DRIVERS\ew_hwusbdev.sys --> C:\Windows\system32\DRIVERS\ew_hwusbdev.sys [?]
    S3 ew_usbenumfilter;huawei_CompositeFilter;C:\Windows\system32\DRIVERS\ew_usbenumfilter.sys --> C:\Windows\system32\DRIVERS\ew_usbenumfilter.sys [?]
    S3 ewusbnet;HUAWEI USB-NDIS miniport;C:\Windows\system32\DRIVERS\ewusbnet.sys --> C:\Windows\system32\DRIVERS\ewusbnet.sys [?]
    S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-8-7 136176]
    S3 HRMCFGSPC;DSF General Configuration Space Redirection Module;C:\Windows\system32\DRIVERS\HRMCFGSPC.SYS --> C:\Windows\system32\DRIVERS\HRMCFGSPC.SYS [?]
    S3 HRMINTS;DSF Interrupt Redirection Module;C:\Windows\system32\DRIVERS\HRMINTS.SYS --> C:\Windows\system32\DRIVERS\HRMINTS.SYS [?]
    S3 HRMPORTS;DSF IO Port Redirection Module;C:\Windows\system32\DRIVERS\HRMPORTS.SYS --> C:\Windows\system32\DRIVERS\HRMPORTS.SYS [?]
    S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE [2011-6-12 31125880]
    S3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
    S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2012-3-26 291696]
    S3 PCDSRVC{1E208CE0-FB7451FF-06020101}_0;PCDSRVC{1E208CE0-FB7451FF-06020101}_0 - PCDR Kernel Mode Service Helper Driver;C:\Program Files\Dell Support Center\pcdsrvc_x64.pkms [2012-4-10 25072]
    S3 PerfHost;Performance Counter DLL Host;C:\WINDOWS\SysWOW64\perfhost.exe [2008-1-21 19968]
    S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;C:\Windows\system32\DRIVERS\VBoxNetAdp.sys --> C:\Windows\system32\DRIVERS\VBoxNetAdp.sys [?]
    S3 WMSvc;Web Management Service;C:\Windows\system32\inetsrv\wmsvc.exe --> C:\Windows\system32\inetsrv\wmsvc.exe [?]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
    S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\WINDOWS\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2011-4-5 89920]
    S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;C:\Program Files\Microsoft SQL Server\100\Shared\sqladhlp.exe [2009-7-22 61976]
    S4 RsFx0105;RsFx0105 Driver;C:\Windows\system32\DRIVERS\RsFx0105.sys --> C:\Windows\system32\DRIVERS\RsFx0105.sys [?]
    S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2011-9-22 431464]
    .
    =============== File Associations ===============
    .
    JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
    .
    =============== Created Last 30 ================
    .
    2012-07-29 17:13:09 384512 ----a-w- C:\Windows\System32\services.exe.F484E0945A62B69A
    2012-07-29 12:17:20 384512 ----a-w- C:\Windows\System32\services.exe.7129A6EF3E84AA18
    2012-07-29 11:53:05 69000 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{8E5D36A6-15D4-40A2-9192-D39FA4FF2F04}\offreg.dll
    2012-07-29 11:51:48 9133488 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{8E5D36A6-15D4-40A2-9192-D39FA4FF2F04}\mpengine.dll
    2012-07-29 11:15:46 927800 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{50D74B56-A9A9-4DD6-891C-D6F38F2FFD1A}\gapaengine.dll
    2012-07-29 10:33:20 927800 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
    2012-07-29 10:22:12 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client
    2012-07-29 10:22:06 -------- d-----w- C:\Program Files\Microsoft Security Client
    2012-07-29 06:49:44 -------- d-----w- C:\Users\Richard\AppData\Roaming\Malwarebytes
    2012-07-29 06:49:33 -------- d-----w- C:\ProgramData\Malwarebytes
    2012-07-29 06:49:32 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2012-07-29 06:49:32 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2012-07-28 19:56:01 -------- d-----w- C:\Users\Richard\AppData\Roaming\Xubepi
    2012-07-28 19:56:01 -------- d-----w- C:\Users\Richard\AppData\Roaming\Qyeqt
    2012-07-28 19:56:01 -------- d-----w- C:\Users\Richard\AppData\Roaming\Nuba
    2012-07-20 14:35:58 387584 ----a-w- C:\Program Files (x86)\Internet Explorer\jsdbgui.dll
    2012-07-20 14:35:57 887296 ----a-w- C:\Program Files\Internet Explorer\iedvtool.dll
    2012-07-20 14:35:57 678912 ----a-w- C:\Program Files (x86)\Internet Explorer\iedvtool.dll
    2012-07-20 14:35:57 499200 ----a-w- C:\Program Files\Internet Explorer\jsdbgui.dll
    2012-07-20 14:35:12 2769408 ----a-w- C:\Windows\System32\win32k.sys
    2012-07-20 14:20:33 974848 ----a-w- C:\Program Files\Common Files\System\ado\msado15.dll
    2012-07-20 14:20:31 708608 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msado15.dll
    2012-07-20 14:20:25 1797120 ----a-w- C:\Windows\System32\msxml6.dll
    2012-07-20 14:20:24 1869824 ----a-w- C:\Windows\System32\msxml3.dll
    2012-07-20 14:20:24 1401856 ----a-w- C:\Windows\SysWow64\msxml6.dll
    2012-07-20 14:20:23 1248768 ----a-w- C:\Windows\SysWow64\msxml3.dll
    2012-07-20 14:19:32 516480 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
    2012-07-20 14:19:32 347136 ----a-w- C:\Windows\System32\schannel.dll
    2012-07-20 14:19:32 254464 ----a-w- C:\Windows\System32\ncrypt.dll
    2012-07-20 14:19:31 77312 ----a-w- C:\Windows\SysWow64\secur32.dll
    2012-07-20 14:19:31 278528 ----a-w- C:\Windows\SysWow64\schannel.dll
    2012-07-20 14:19:31 204288 ----a-w- C:\Windows\SysWow64\ncrypt.dll
    2012-06-30 08:26:20 289656 ----a-w- C:\Users\Richard\AppData\Roaming\Microsoft\WebManagement\7.0.0.0\Modules\Microsoft.Web.Deployment.UI.Client_8.0.0.0_31bf3856ad364e35\x86\axNative.dll
    2012-06-30 08:26:19 359800 ----a-w- C:\Users\Richard\AppData\Roaming\Microsoft\WebManagement\7.0.0.0\Modules\Microsoft.Web.Deployment.UI.Client_8.0.0.0_31bf3856ad364e35\x64\axNative.dll
    2012-06-30 08:26:18 12616 ----a-w- C:\Users\Richard\AppData\Roaming\Microsoft\WebManagement\7.0.0.0\Modules\Microsoft.Web.Deployment.UI.Client_8.0.0.0_31bf3856ad364e35\en\Microsoft.Web.Delegation.resources.dll
    2012-06-30 08:26:17 91976 ----a-w- C:\Users\Richard\AppData\Roaming\Microsoft\WebManagement\7.0.0.0\Modules\Microsoft.Web.Deployment.UI.Client_8.0.0.0_31bf3856ad364e35\Microsoft.Web.Delegation.dll
    2012-06-30 08:26:15 116552 ----a-w- C:\Users\Richard\AppData\Roaming\Microsoft\WebManagement\7.0.0.0\Modules\Microsoft.Web.Deployment.UI.Client_8.0.0.0_31bf3856ad364e35\en\Microsoft.Web.Deployment.resources.dll
    2012-06-30 08:26:13 1218376 ----a-w- C:\Users\Richard\AppData\Roaming\Microsoft\WebManagement\7.0.0.0\Modules\Microsoft.Web.Deployment.UI.Client_8.0.0.0_31bf3856ad364e35\Microsoft.Web.Deployment.dll
    2012-06-30 08:25:17 143360 ----a-w- C:\Users\Richard\AppData\Roaming\Microsoft\WebManagement\7.0.0.0\Modules\Web.Management.PHP.Client_1.0.3.0_8175de49a9aec91d\Web.Management.PHP.Client.dll
    2012-06-30 08:25:16 603976 ----a-w- C:\Users\Richard\AppData\Roaming\Microsoft\WebManagement\7.0.0.0\Modules\Microsoft.Web.Deployment.UI.Client_8.0.0.0_31bf3856ad364e35\Microsoft.Web.Deployment.UI.Client.dll
    2012-06-30 08:25:15 300880 ----a-w- C:\Users\Richard\AppData\Roaming\Microsoft\WebManagement\7.0.0.0\Modules\Microsoft.Web.Management.DatabaseManager.Client_1.0.1.0_31bf3856ad364e35\Microsoft.Web.Management.DatabaseManager.Client.dll
    2012-06-30 08:25:13 547608 ----a-w- C:\Users\Richard\AppData\Roaming\Microsoft\WebManagement\7.0.0.0\Modules\Microsoft.Web.Management.Rewrite.Client_7.2.2.1_31bf3856ad364e35\Microsoft.Web.Management.Rewrite.Client.dll
    2012-06-30 08:25:12 512000 ----a-w- C:\Users\Richard\AppData\Roaming\Microsoft\WebManagement\7.0.0.0\Modules\Microsoft.Web.Management.AspnetClient_7.5.0.0_31bf3856ad364e35\Microsoft.Web.Management.AspnetClient.dll
    2012-06-30 08:25:10 1716224 ----a-w- C:\Users\Richard\AppData\Roaming\Microsoft\WebManagement\7.0.0.0\Modules\Microsoft.Web.Management.IisClient_7.5.0.0_31bf3856ad364e35\Microsoft.Web.Management.IisClient.dll
    2012-06-30 08:14:11 -------- d-----w- C:\Program Files\Microsoft
    2012-06-30 07:49:34 2622464 ----a-w- C:\Windows\System32\wucltux.dll
    2012-06-30 07:49:10 99840 ----a-w- C:\Windows\System32\wudriver.dll
    2012-06-30 07:49:10 88576 ----a-w- C:\Windows\SysWow64\wudriver.dll
    2012-06-30 07:48:56 36864 ----a-w- C:\Windows\System32\wuapp.exe
    2012-06-30 07:48:56 33792 ----a-w- C:\Windows\SysWow64\wuapp.exe
    2012-06-30 07:48:56 186752 ----a-w- C:\Windows\System32\wuwebv.dll
    2012-06-30 07:48:56 171904 ----a-w- C:\Windows\SysWow64\wuwebv.dll
    .
    ==================== Find3M ====================
    .
    2012-07-28 18:16:43 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-07-28 18:16:43 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
    2012-06-14 12:50:21 310728 ----a-w- C:\Windows\System32\drivers\atksgt.sys
    2012-06-14 12:50:20 42696 ----a-w- C:\Windows\System32\drivers\lirsgt.sys
    2012-06-02 12:12:17 2311680 ----a-w- C:\Windows\System32\jscript9.dll
    2012-06-02 12:05:28 1392128 ----a-w- C:\Windows\System32\wininet.dll
    2012-06-02 12:04:50 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
    2012-06-02 12:01:40 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
    2012-06-02 11:57:08 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
    2012-06-02 08:33:25 1800192 ----a-w- C:\Windows\SysWow64\jscript9.dll
    2012-06-02 08:25:08 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
    2012-06-02 08:25:03 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
    2012-06-02 08:20:33 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
    2012-06-02 08:16:52 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
    2012-05-31 11:25:12 279656 ------w- C:\Windows\System32\MpSigStub.exe
    2012-05-22 13:26:10 224088 ----a-w- C:\Windows\System32\drivers\VBoxDrv.sys
    2012-05-22 13:26:10 147288 ----a-w- C:\Windows\System32\drivers\VBoxNetAdp.sys
    2012-05-22 13:26:10 130904 ----a-w- C:\Windows\System32\drivers\VBoxUSBMon.sys
    2012-05-22 13:25:40 320856 ----a-w- C:\Windows\System32\VBoxNetFltNobj.dll
    2012-05-22 13:25:40 166232 ----a-w- C:\Windows\System32\drivers\VBoxNetFlt.sys
    2012-05-01 14:29:44 209920 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
    .
    ============= FINISH: 19:35:58.64 ===============
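Added example, not code from the original post or from DDS. The "Created Last 30" section above shows three `%APPDATA%` folders (`Xubepi`, `Qyeqt`, `Nuba`) created in the same second, 2012-07-28 19:56:01, of which only `Qyeqt` appears in the MBAM log, and two `services.exe.<hex>` files in `System32` dated the day of the cleanup. The function below pivots on a known-bad item's creation time and lists everything under the chosen roots created within a window of it, then lists the `services.exe.*` leftovers so they can be compared rather than guessed at. DDS prints timestamps in UTC (the header puts the machine at GMT+1), while the file system reports local time, so the anchor is converted. The 120-second window and the search roots are my assumptions; the function's name is mine.

```powershell
# Added example (not from the original post). Temporal pivot around a known-bad
# creation time, PowerShell 2.0 compatible. Run elevated so ProgramData and
# %SystemRoot%\Installer are readable.

function Find-CoCreated {
    param(
        [Parameter(Mandatory = $true)][datetime]$AnchorTime,   # local time
        [int]$WindowSeconds = 120,                             # assumed window
        [string[]]$Roots = @($env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData,
                             (Join-Path $env:SystemRoot 'Installer'))
    )
    $lo = $AnchorTime.AddSeconds(-$WindowSeconds)
    $hi = $AnchorTime.AddSeconds($WindowSeconds)
    foreach ($root in $Roots) {
        if (-not $root -or -not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
          Where-Object { $_.CreationTime -ge $lo -and $_.CreationTime -le $hi } |
          ForEach-Object {
              New-Object PSObject -Property @{
                  Created = $_.CreationTime
                  Written = $_.LastWriteTime
                  Size    = $(if ($_.PSIsContainer) { '<dir>' } else { $_.Length })
                  Path    = $_.FullName
              }
          }
    }
}

# Anchor: the DDS creation time of %APPDATA%\Qyeqt, 2012-07-28 19:56:01 UTC.
# Parse as UTC explicitly, then convert to the local time the file system uses.
$anchorUtc = [datetime]::Parse('2012-07-28T19:56:01Z',
                 [System.Globalization.CultureInfo]::InvariantCulture,
                 [System.Globalization.DateTimeStyles]::AdjustToUniversal)
$anchor = $anchorUtc.ToLocalTime()

Find-CoCreated -AnchorTime $anchor |
  Sort-Object Created |
  Select-Object Created, Written, Size, Path |
  Format-Table -AutoSize -Wrap

# services.exe.* copies beside the live binary (DDS lists two, 384512 bytes each).
# List size and timestamps for comparison instead of assuming what wrote them.
Get-ChildItem -Path (Join-Path $env:SystemRoot 'System32') -Filter 'services.exe*' -Force |
  Where-Object { -not $_.PSIsContainer } |
  Select-Object Name, Length, CreationTime, LastWriteTime |
  Format-Table -AutoSize
```

Creation time is the right field for this pivot because a dropper writing several files in one burst leaves them with near-identical `CreationTime` even when their `LastWriteTime` values later diverge; on a machine where the clock or time zone was changed between infection and triage, widen `-WindowSeconds` rather than trusting the conversion.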

  3. #3
    niemiro

    Re: Infected with Sirefef :(

    lol. You can see from this log how many programs I require just to perform the extremely simple programming for jcgriff2's BSOD app!

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume3
    Install Date: 27/07/2009 12:05:56
    System Uptime: 29/07/2012 18:14:29 (1 hours ago)
    .
    Motherboard: Dell Inc. | | 0C234M
    Processor: Pentium(R) Dual-Core CPU T4200 @ 2.00GHz | U2E1 | 1200/533mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 283 GiB total, 98.918 GiB free.
    D: is FIXED (NTFS) - 15 GiB total, 5.467 GiB free.
    E: is CDROM ()
    G: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: VirtualBox Host-Only Ethernet Adapter
    Device ID: ROOT\NET\0000
    Manufacturer: Oracle Corporation
    Name: VirtualBox Host-Only Ethernet Adapter
    PNP Device ID: ROOT\NET\0000
    Service: VBoxNetAdp
    .
    ==== System Restore Points ===================
    .
    .
    ==== Installed Programs ======================
    .
    Adobe AIR
    Adobe Flash Player 11 ActiveX
    Adobe Reader 9.5.1
    Advanced Audio FX Engine
    Akamai NetSession Interface
    Anno 1701
    ATI Catalyst Control Center
    audiosamples
    AVR Jungo USB
    AVR QTouch Studio
    AVR Studio 5.0
    avstreamsamples
    avstreamtools_ia64fre
    avstreamtools_x64fre
    avstreamtools_x86fre
    biometricsamples
    biometrictools_x64fre
    biometrictools_x86fre
    bluetoothsamples
    bluetoothtools_ia64fre
    bluetoothtools_x64fre
    bluetoothtools_x86fre
    buildsamples
    buildtools_ia64fre
    buildtools_x64fre
    buildtools_x86fre
    bussamples
    cancelsample
    Catalyst Control Center - Branding
    Catalyst Control Center Core Implementation
    Catalyst Control Center Graphics Full Existing
    Catalyst Control Center Graphics Full New
    Catalyst Control Center Graphics Light
    Catalyst Control Center Graphics Previews Common
    Catalyst Control Center Graphics Previews Vista
    Catalyst Control Center InstallProxy
    Catalyst Control Center Localization Chinese Standard
    Catalyst Control Center Localization Chinese Traditional
    Catalyst Control Center Localization Danish
    Catalyst Control Center Localization Dutch
    Catalyst Control Center Localization Finnish
    Catalyst Control Center Localization French
    Catalyst Control Center Localization German
    Catalyst Control Center Localization Italian
    Catalyst Control Center Localization Japanese
    Catalyst Control Center Localization Korean
    Catalyst Control Center Localization Norwegian
    Catalyst Control Center Localization Portuguese
    Catalyst Control Center Localization Russian
    Catalyst Control Center Localization Spanish
    Catalyst Control Center Localization Swedish
    ccc-core-static
    CCC Help Chinese Standard
    CCC Help Chinese Traditional
    CCC Help Danish
    CCC Help Dutch
    CCC Help English
    CCC Help Finnish
    CCC Help French
    CCC Help German
    CCC Help Italian
    CCC Help Japanese
    CCC Help Korean
    CCC Help Norwegian
    CCC Help Portuguese
    CCC Help Russian
    CCC Help Spanish
    CCC Help Swedish
    chkinftool_x86fre
    Choice Guard
    Command & Conquer The First Decade
    Crystal Reports for Visual Studio
    debugfiles_win7
    Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
    Dell Video Chat
    Dell Webcam Central
    dfx_ia64fre
    dfx_x64fre
    dfx_x86fre
    displaysamples
    Dotfuscator Software Services - Community Edition
    drvtools_ia64fre
    drvtools_x64fre
    drvtools_x86fre
    DSF-KitSetup
    dsfsamples
    Emperor: Rise of the Middle Kingdom
    eventsample
    evntdrvsample
    fireflysample
    generalsamples
    generaltools_ia64fre
    generaltools_x64fre
    generaltools_x86fre
    Google Earth
    Google Update Helper
    headers
    hid_inputsamples
    hidsampleinput
    hidsamples
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Microsoft Document Explorer 2008 (KB953196)
    Hotfix for Microsoft Visual Studio 2010 Professional - ENU (KB2522890)
    Hotfix for Microsoft Visual Studio 2010 Professional - ENU (KB2529927)
    Hotfix for Microsoft Visual Studio 2010 Professional - ENU (KB2542054)
    Hotfix for Microsoft Visual Studio 2010 Professional - ENU (KB2548139)
    Hotfix for Microsoft Visual Studio 2010 Professional - ENU (KB2549864)
    Hotfix for Microsoft Visual Studio 2010 Professional - ENU (KB2635973)
    Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2280741)
    Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2284668)
    Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2295689)
    Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2420513)
    Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2452649)
    Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2455033)
    Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2485545)
    Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB982517)
    Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB982721)
    Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB983233)
    IDA Pro Free v5.0
    ifssamples
    imagingtools_ia64fre
    imagingtools_x64fre
    imagingtools_x86fre
    infsample_ia64fre
    infsample_x64fre
    infsample_x86fre
    installhelp
    ioctlsample
    irsamples
    Java(TM) 6 Update 26
    Kodu Game Lab
    libs_ia64fre
    libs_x64fre
    libs_x86fre
    Malwarebytes Anti-Malware version 1.62.0.1300
    Microsoft .NET Framework 4 Multi-Targeting Pack
    Microsoft Application Error Reporting
    Microsoft ASP.NET MVC 2
    Microsoft ASP.NET MVC 2 - Visual Studio 2010 Tools
    Microsoft CCR and DSS Runtime 2008 R3
    Microsoft DirectX SDK (June 2010)
    Microsoft Document Explorer 2008
    Microsoft FxCop 1.36
    Microsoft FxCop 10.0
    Microsoft Games for Windows - LIVE Redistributable
    Microsoft Games for Windows Marketplace
    Microsoft Office 2010 Service Pack 1 (SP1)
    Microsoft Office Access MUI (English) 2010
    Microsoft Office Access Setup Metadata MUI (English) 2010
    Microsoft Office Excel MUI (English) 2010
    Microsoft Office Groove MUI (English) 2010
    Microsoft Office InfoPath MUI (English) 2010
    Microsoft Office OneNote MUI (English) 2010
    Microsoft Office Outlook MUI (English) 2010
    Microsoft Office PowerPoint MUI (English) 2010
    Microsoft Office Professional Plus 2010
    Microsoft Office Proof (English) 2010
    Microsoft Office Proof (French) 2010
    Microsoft Office Proof (Spanish) 2010
    Microsoft Office Proofing (English) 2010
    Microsoft Office Publisher MUI (English) 2010
    Microsoft Office Shared MUI (English) 2010
    Microsoft Office Shared Setup Metadata MUI (English) 2010
    Microsoft Office Word MUI (English) 2010
    Microsoft Robotics Developer Studio 2008 R3
    Microsoft Silverlight
    Microsoft Silverlight 3 SDK
    Microsoft Silverlight 4 SDK
    Microsoft Small Basic v0.9
    Microsoft SQL Server 2008 Browser
    Microsoft SQL Server 2008 R2 Data-Tier Application Framework
    Microsoft SQL Server 2008 R2 Data-Tier Application Project
    Microsoft SQL Server 2008 R2 Management Objects
    Microsoft SQL Server 2008 R2 Transact-SQL Language Service
    Microsoft SQL Server Compact 3.5 SP2 ENU
    Microsoft SQL Server Database Publishing Wizard 1.4
    Microsoft SQL Server System CLR Types
    Microsoft Sync Framework SDK v1.0 SP1
    Microsoft Visual C++ Compilers 2010 Standard - enu - x86
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4974
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
    Microsoft Visual C++ 2010 x86 Runtime - 10.0.40219
    Microsoft Visual F# 2.0 Runtime
    Microsoft Visual Studio 2010 ADO.NET Entity Framework Tools
    Microsoft Visual Studio 2010 Professional - ENU
    Microsoft Visual Studio 2010 Service Pack 1
    Microsoft Visual Studio 2010 SharePoint Developer Tools
    Microsoft Visual Studio 2010 Shell (Isolated) - ENU
    Microsoft Visual Studio Macro Tools
    Microsoft Windows Driver Kit 7.1.0.7600
    Microsoft Windows Driver Kit Documentation 7600.091201
    Microsoft XNA Framework Redistributable 2.0
    Microsoft XNA Framework Redistributable 3.1
    Microsoft XNA Framework Redistributable 4.0
    Microsoft XNA Game Studio 4.0
    Microsoft XNA Game Studio 4.0 (ARP entry)
    Microsoft XNA Game Studio 4.0 (Redists)
    Microsoft XNA Game Studio 4.0 (Shared Components)
    Microsoft XNA Game Studio 4.0 (Visual Studio)
    Microsoft XNA Game Studio 4.0 (XnaLiveProxy)
    Microsoft XNA Game Studio 4.0 Documentation
    Microsoft XNA Game Studio Platform Tools
    modemtools
    MsiVal2
    networklibraries_ia64fre
    networklibraries_x64fre
    networklibraries_x86fre
    networksamples
    NVIDIA GAME System Software 2.8.1
    oacr_x86fre
    offreg_ia64fre
    offreg_x64fre
    offreg_x86fre
    Orca
    pcidrvsample
    pfd_ia64fre
    pfd_x64fre
    pfd_x86fre
    pnpportssample
    pnptools_ia64fre
    pnptools_x64fre
    pnptools_x86fre
    portiosample
    powermanagement_ia64fre
    powermanagement_x64fre
    powermanagement_x86fre
    printsamples
    printtools_ia64fre
    printtools_x64fre
    printtools_x86fre
    readme
    sdv
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
    Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
    Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
    Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
    Security Update for Microsoft Excel 2010 (KB2597166) 32-Bit Edition
    Security Update for Microsoft InfoPath 2010 (KB2553322) 32-Bit Edition
    Security Update for Microsoft InfoPath 2010 (KB2553431) 32-Bit Edition
    Security Update for Microsoft Office 2010 (KB2553091)
    Security Update for Microsoft Office 2010 (KB2553096)
    Security Update for Microsoft Office 2010 (KB2553371) 32-Bit Edition
    Security Update for Microsoft Office 2010 (KB2553447) 32-Bit Edition
    Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition
    Security Update for Microsoft Office 2010 (KB2598039) 32-Bit Edition
    Security Update for Microsoft Office 2010 (KB2598243) 32-Bit Edition
    Security Update for Microsoft PowerPoint 2010 (KB2553185) 32-Bit Edition
    Security Update for Microsoft SharePoint Workspace 2010 (KB2566445)
    Security Update for Microsoft Visio Viewer 2010 (KB2597981) 32-Bit Edition
    Security Update for Microsoft Visual Studio 2010 Professional - ENU (KB2644980)
    Security Update for Microsoft Visual Studio 2010 Professional - ENU (KB2645410)
    Security Update for Microsoft Visual Studio Macro Tools (KB2669970)
    sensorsamples
    setupsamples
    setuptools_ia64fre
    setuptools_x64fre
    setuptools_x86fre
    sideshowsamples
    Skins
    Skype™ 5.10
    smartcardsamples
    Spelling Dictionaries Support For Adobe Reader 9
    Spotify
    storagesamples
    streammediasamples
    StyleCop 4.7.27.0
    swtuner
    toastermetadatapackagesample
    toastersample
    toolindex
    tools_ia64fre
    tools_x64fre
    tools_x86fre
    tracingtool_ia64fre
    tracingtool_x64fre
    tracingtool_x86fre
    umdfsamples
    Unlocker 1.9.1
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
    Update for Microsoft .NET Framework 4 Extended (KB2468871)
    Update for Microsoft .NET Framework 4 Extended (KB2533523)
    Update for Microsoft .NET Framework 4 Extended (KB2600217)
    Update for Microsoft Office 2010 (KB2494150)
    Update for Microsoft Office 2010 (KB2553065)
    Update for Microsoft Office 2010 (KB2553092)
    Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2553270) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2566458)
    Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2597091) 32-Bit Edition
    Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
    Update for Microsoft OneNote 2010 (KB2589345) 32-Bit Edition
    Update for Microsoft Outlook 2010 (KB2553248) 32-Bit Edition
    Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition
    usbsamples
    VirtualCloneDrive
    vistalibs_ia64fre
    vistalibs_x64fre
    vistalibs_x86fre
    Visual Studio 2010 Tools for SQL Server Compact 3.5 SP2 ENU
    VLC media player 1.1.11
    Vodafone Mobile Broadband
    WCF RIA Services V1.0 SP1
    wcoinstallers
    wdftools_ia64fre
    wdftools_x64fre
    wdftools_x86fre
    wdtfbinaries_ia64fre
    wdtfbinaries_x64fre
    wdtfbinaries_x86fre
    Windows Live Sync
    Windows Live Upload Tool
    Windows SDK IntellisenseNFX
    wmisamples
    wnetlibs_ia64fre
    wnetlibs_x64fre
    wnetlibs_x86fre
    wpdsamples
    wpdtools_ia64fre
    wpdtools_x64fre
    wpdtools_x86fre
    wsdtool_ia64fre
    wsdtool_x64fre
    wsdtool_x86fre
    wxplibs_x86fre
    .
    ==== Event Viewer Messages From Past Week ========
    .
    29/07/2012 18:16:37, Error: Service Control Manager [7023] - The Base Filtering Engine service terminated with the following error: Access is denied.
    29/07/2012 18:16:37, Error: Service Control Manager [7001] - The Windows Firewall service depends on the Base Filtering Engine service which failed to start because of the following error: Access is denied.
    29/07/2012 18:16:37, Error: Service Control Manager [7001] - The IPsec Policy Agent service depends on the Base Filtering Engine service which failed to start because of the following error: Access is denied.
    29/07/2012 18:16:37, Error: Service Control Manager [7001] - The IKE and AuthIP IPsec Keying Modules service depends on the Base Filtering Engine service which failed to start because of the following error: Access is denied.
    29/07/2012 18:14:58, Error: EventLog [6008] - The previous system shutdown at 18:12:15 on 29/07/2012 was unexpected.
    29/07/2012 18:13:09, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?link...tid=2147655285 Name: Trojan:Win64/Sirefef.Y ID: 2147655285 Severity: Severe Category: Trojan Path: containerfile:_C:\WINDOWS\System32\services.exe;file:_C:\WINDOWS\System32\services.exe->731;process:_pid:712 Detection Origin: Local machine Detection Type: Concrete Detection Source: System User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\system32\services.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x800704ec Error description: This program is blocked by group policy. For more information, contact your system administrator. Signature Version: AV: 1.131.925.0, AS: 1.131.925.0, NIS: 0.0.0.0 Engine Version: AM: 1.1.8601.0, NIS: 0.0.0.0
    29/07/2012 18:12:00, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: dsfroot ElbyCDIO MpFilter spldr VBoxDrv VBoxUSBMon Wanarpv6
    29/07/2012 18:12:00, Error: Service Control Manager [7001] - The TCP/IP Print Server service depends on the Print Spooler service which failed to start because of the following error: The dependency service or group failed to start.
    29/07/2012 18:12:00, Error: Service Control Manager [7001] - The Net.Msmq Listener Adapter service depends on the Message Queuing service which failed to start because of the following error: The dependency service or group failed to start.
    29/07/2012 18:12:00, Error: Service Control Manager [7001] - The Message Queuing Triggers service depends on the Message Queuing service which failed to start because of the following error: The dependency service or group failed to start.
    29/07/2012 18:12:00, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
    29/07/2012 18:11:35, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    29/07/2012 18:11:26, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    29/07/2012 18:11:18, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
    29/07/2012 18:11:17, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    29/07/2012 18:11:08, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    29/07/2012 18:10:41, Error: EventLog [6008] - The previous system shutdown at 18:07:56 on 29/07/2012 was unexpected.
    29/07/2012 18:08:06, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?link...tid=2147655285 Name: Trojan:Win64/Sirefef.Y ID: 2147655285 Severity: Severe Category: Trojan Path: containerfile:_C:\WINDOWS\System32\services.exe;file:_C:\WINDOWS\System32\services.exe->731;process:_pid:748 Detection Origin: Local machine Detection Type: Concrete Detection Source: System User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\system32\services.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x800704ec Error description: This program is blocked by group policy. For more information, contact your system administrator. Signature Version: AV: 1.131.925.0, AS: 1.131.925.0, NIS: 11.159.0.0 Engine Version: AM: 1.1.8601.0, NIS: 2.0.8001.0
    29/07/2012 18:05:03, Error: EventLog [6008] - The previous system shutdown at 13:48:55 on 29/07/2012 was unexpected.
    29/07/2012 13:49:53, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?link...tid=2147655285 Name: Trojan:Win64/Sirefef.Y ID: 2147655285 Severity: Severe Category: Trojan Path: containerfile:_C:\WINDOWS\System32\services.exe;file:_C:\WINDOWS\System32\services.exe->731;process:_pid:748 Detection Origin: Local machine Detection Type: Concrete Detection Source: System User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\system32\services.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x800704ec Error description: This program is blocked by group policy. For more information, contact your system administrator. Signature Version: AV: 1.131.925.0, AS: 1.131.925.0, NIS: 11.159.0.0 Engine Version: AM: 1.1.8601.0, NIS: 2.0.8001.0
    29/07/2012 13:49:53, Error: Microsoft-Windows-WMPNSS-Service [14346] - A new media server was not initialized because RegisterRunningDevice() encountered error '0x8007051b'. Restart your computer, and then restart the WMPNetworkSvc service.
    29/07/2012 13:46:05, Error: EventLog [6008] - The previous system shutdown at 13:43:39 on 29/07/2012 was unexpected.
    29/07/2012 13:44:15, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?link...tid=2147655285 Name: Trojan:Win64/Sirefef.Y ID: 2147655285 Severity: Severe Category: Trojan Path: containerfile:_C:\WINDOWS\System32\services.exe;file:_C:\WINDOWS\System32\services.exe->731;process:_pid:748 Detection Origin: Local machine Detection Type: Concrete Detection Source: System User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\system32\services.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x800704ec Error description: This program is blocked by group policy. For more information, contact your system administrator. Signature Version: AV: 1.131.925.0, AS: 1.131.925.0, NIS: 11.159.0.0 Engine Version: AM: 1.1.8601.0, NIS: 2.0.8001.0
    29/07/2012 13:42:46, Error: EventLog [6008] - The previous system shutdown at 13:40:17 on 29/07/2012 was unexpected.
    29/07/2012 13:40:58, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?link...tid=2147655285 Name: Trojan:Win64/Sirefef.Y ID: 2147655285 Severity: Severe Category: Trojan Path: containerfile:_C:\WINDOWS\System32\services.exe;file:_C:\WINDOWS\System32\services.exe->731;process:_pid:748 Detection Origin: Local machine Detection Type: Concrete Detection Source: System User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\system32\services.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x800704ec Error description: This program is blocked by group policy. For more information, contact your system administrator. Signature Version: AV: 1.131.925.0, AS: 1.131.925.0, NIS: 11.159.0.0 Engine Version: AM: 1.1.8601.0, NIS: 2.0.8001.0
    29/07/2012 13:39:24, Error: EventLog [6008] - The previous system shutdown at 13:36:52 on 29/07/2012 was unexpected.
    29/07/2012 13:37:31, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?link...tid=2147655285 Name: Trojan:Win64/Sirefef.Y ID: 2147655285 Severity: Severe Category: Trojan Path: containerfile:_C:\WINDOWS\System32\services.exe;file:_C:\WINDOWS\System32\services.exe->731;process:_pid:752 Detection Origin: Local machine Detection Type: Concrete Detection Source: System User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\system32\services.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x800704ec Error description: This program is blocked by group policy. For more information, contact your system administrator. Signature Version: AV: 1.131.925.0, AS: 1.131.925.0, NIS: 11.159.0.0 Engine Version: AM: 1.1.8601.0, NIS: 2.0.8001.0
    29/07/2012 13:35:59, Error: EventLog [6008] - The previous system shutdown at 13:33:29 on 29/07/2012 was unexpected.
    29/07/2012 13:34:08, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?link...tid=2147655285 Name: Trojan:Win64/Sirefef.Y ID: 2147655285 Severity: Severe Category: Trojan Path: containerfile:_C:\WINDOWS\System32\services.exe;file:_C:\WINDOWS\System32\services.exe->731;process:_pid:748 Detection Origin: Local machine Detection Type: Concrete Detection Source: System User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\system32\services.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x800704ec Error description: This program is blocked by group policy. For more information, contact your system administrator. Signature Version: AV: 1.131.925.0, AS: 1.131.925.0, NIS: 11.159.0.0 Engine Version: AM: 1.1.8601.0, NIS: 2.0.8001.0
    29/07/2012 13:32:36, Error: EventLog [6008] - The previous system shutdown at 13:30:11 on 29/07/2012 was unexpected.
    29/07/2012 13:30:48, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?link...tid=2147655285 Name: Trojan:Win64/Sirefef.Y ID: 2147655285 Severity: Severe Category: Trojan Path: containerfile:_C:\WINDOWS\System32\services.exe;file:_C:\WINDOWS\System32\services.exe->731;process:_pid:748 Detection Origin: Local machine Detection Type: Concrete Detection Source: System User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\system32\services.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x800704ec Error description: This program is blocked by group policy. For more information, contact your system administrator. Signature Version: AV: 1.131.925.0, AS: 1.131.925.0, NIS: 11.159.0.0 Engine Version: AM: 1.1.8601.0, NIS: 2.0.8001.0
    29/07/2012 13:29:18, Error: EventLog [6008] - The previous system shutdown at 13:26:45 on 29/07/2012 was unexpected.
    29/07/2012 13:27:30, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?link...tid=2147655285 Name: Trojan:Win64/Sirefef.Y ID: 2147655285 Severity: Severe Category: Trojan Path: containerfile:_C:\WINDOWS\System32\services.exe;file:_C:\WINDOWS\System32\services.exe->731;process:_pid:728 Detection Origin: Local machine Detection Type: Concrete Detection Source: System User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\system32\services.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x800704ec Error description: This program is blocked by group policy. For more information, contact your system administrator. Signature Version: AV: 1.131.925.0, AS: 1.131.925.0, NIS: 11.159.0.0 Engine Version: AM: 1.1.8601.0, NIS: 2.0.8001.0
    29/07/2012 13:25:52, Error: EventLog [6008] - The previous system shutdown at 13:23:25 on 29/07/2012 was unexpected.
    29/07/2012 13:24:05, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?link...tid=2147655285 Name: Trojan:Win64/Sirefef.Y ID: 2147655285 Severity: Severe Category: Trojan Path: containerfile:_C:\WINDOWS\System32\services.exe;file:_C:\WINDOWS\System32\services.exe->731;process:_pid:748 Detection Origin: Local machine Detection Type: Concrete Detection Source: System User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\system32\services.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x800704ec Error description: This program is blocked by group policy. For more information, contact your system administrator. Signature Version: AV: 1.131.925.0, AS: 1.131.925.0, NIS: 11.159.0.0 Engine Version: AM: 1.1.8601.0, NIS: 2.0.8001.0
    29/07/2012 13:22:34, Error: EventLog [6008] - The previous system shutdown at 13:20:05 on 29/07/2012 was unexpected.
    29/07/2012 13:20:43, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?link...tid=2147655285 Name: Trojan:Win64/Sirefef.Y ID: 2147655285 Severity: Severe Category: Trojan Path: containerfile:_C:\WINDOWS\System32\services.exe;file:_C:\WINDOWS\System32\services.exe->731;process:_pid:756 Detection Origin: Local machine Detection Type: Concrete Detection Source: System User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\system32\services.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x800704ec Error description: This program is blocked by group policy. For more information, contact your system administrator. Signature Version: AV: 1.131.925.0, AS: 1.131.925.0, NIS: 11.159.0.0 Engine Version: AM: 1.1.8601.0, NIS: 2.0.8001.0
    29/07/2012 13:19:12, Error: EventLog [6008] - The previous system shutdown at 13:16:40 on 29/07/2012 was unexpected.
    29/07/2012 13:17:20, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?link...tid=2147655285 Name: Trojan:Win64/Sirefef.Y ID: 2147655285 Severity: Severe Category: Trojan Path: containerfile:_C:\WINDOWS\System32\services.exe;file:_C:\WINDOWS\System32\services.exe->731;process:_pid:752 Detection Origin: Local machine Detection Type: Concrete Detection Source: System User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\system32\services.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x800704ec Error description: This program is blocked by group policy. For more information, contact your system administrator. Signature Version: AV: 1.131.925.0, AS: 1.131.925.0, NIS: 11.159.0.0 Engine Version: AM: 1.1.8601.0, NIS: 2.0.8001.0
    29/07/2012 13:15:48, Error: EventLog [6008] - The previous system shutdown at 13:13:17 on 29/07/2012 was unexpected.
    29/07/2012 13:14:00, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?link...tid=2147655285 Name: Trojan:Win64/Sirefef.Y ID: 2147655285 Severity: Severe Category: Trojan Path: containerfile:_C:\WINDOWS\System32\services.exe;file:_C:\WINDOWS\System32\services.exe->731;process:_pid:752 Detection Origin: Local machine Detection Type: Concrete Detection Source: System User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\system32\services.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x800704ec Error description: This program is blocked by group policy. For more information, contact your system administrator. Signature Version: AV: 1.131.925.0, AS: 1.131.925.0, NIS: 11.159.0.0 Engine Version: AM: 1.1.8601.0, NIS: 2.0.8001.0
    29/07/2012 13:12:24, Error: EventLog [6008] - The previous system shutdown at 13:10:28 on 29/07/2012 was unexpected.
    29/07/2012 13:10:35, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?link...tid=2147655285 Name: Trojan:Win64/Sirefef.Y ID: 2147655285 Severity: Severe Category: Trojan Path: containerfile:_C:\WINDOWS\System32\services.exe;file:_C:\WINDOWS\System32\services.exe->731;process:_pid:752 Detection Origin: Local machine Detection Type: Concrete Detection Source: System User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\system32\services.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x800704ec Error description: This program is blocked by group policy. For more information, contact your system administrator. Signature Version: AV: 1.131.925.0, AS: 1.131.925.0, NIS: 11.159.0.0 Engine Version: AM: 1.1.8601.0, NIS: 2.0.8001.0
    29/07/2012 13:08:36, Error: EventLog [6008] - The previous system shutdown at 13:06:15 on 29/07/2012 was unexpected.
    29/07/2012 13:06:46, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?link...tid=2147655285 Name: Trojan:Win64/Sirefef.Y ID: 2147655285 Severity: Severe Category: Trojan Path: containerfile:_C:\WINDOWS\System32\services.exe;file:_C:\WINDOWS\System32\services.exe->731;process:_pid:712 Detection Origin: Local machine Detection Type: Concrete Detection Source: System User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\system32\services.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x800704ec Error description: This program is blocked by group policy. For more information, contact your system administrator. Signature Version: AV: 1.131.925.0, AS: 1.131.925.0, NIS: 11.159.0.0 Engine Version: AM: 1.1.8601.0, NIS: 2.0.8001.0
    29/07/2012 13:04:05, Error: EventLog [6008] - The previous system shutdown at 13:01:57 on 29/07/2012 was unexpected.
    29/07/2012 13:02:07, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?link...tid=2147655285 Name: Trojan:Win64/Sirefef.Y ID: 2147655285 Severity: Severe Category: Trojan Path: containerfile:_C:\WINDOWS\System32\services.exe;file:_C:\WINDOWS\System32\services.exe->731;process:_pid:752 Detection Origin: Local machine Detection Type: Concrete Detection Source: System User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\system32\services.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x800704ec Error description: This program is blocked by group policy. For more information, contact your system administrator. Signature Version: AV: 1.131.925.0, AS: 1.131.925.0, NIS: 11.159.0.0 Engine Version: AM: 1.1.8601.0, NIS: 2.0.8001.0
    29/07/2012 13:00:12, Error: EventLog [6008] - The previous system shutdown at 12:58:04 on 29/07/2012 was unexpected.
    29/07/2012 12:58:13, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?link...tid=2147655285 Name: Trojan:Win64/Sirefef.Y ID: 2147655285 Severity: Severe Category: Trojan Path: containerfile:_C:\WINDOWS\System32\services.exe;file:_C:\WINDOWS\System32\services.exe->731;process:_pid:756 Detection Origin: Local machine Detection Type: Concrete Detection Source: System User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\system32\services.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x800704ec Error description: This program is blocked by group policy. For more information, contact your system administrator. Signature Version: AV: 1.131.925.0, AS: 1.131.925.0, NIS: 11.159.0.0 Engine Version: AM: 1.1.8601.0, NIS: 2.0.8001.0
    29/07/2012 12:56:13, Error: EventLog [6008] - The previous system shutdown at 12:53:50 on 29/07/2012 was unexpected.
    29/07/2012 12:56:03, Error: ACPI [13] - : The embedded controller (EC) did not respond within the specified timeout period. This may indicate that there is an error in the EC hardware or firmware or that the BIOS is accessing the EC incorrectly. You should check with your computer manufacturer for an upgraded BIOS. In some situations, this error may cause the computer to function incorrectly.
    29/07/2012 12:54:19, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?link...tid=2147655285 Name: Trojan:Win64/Sirefef.Y ID: 2147655285 Severity: Severe Category: Trojan Path: containerfile:_C:\WINDOWS\System32\services.exe;file:_C:\WINDOWS\System32\services.exe->731;process:_pid:748 Detection Origin: Local machine Detection Type: Concrete Detection Source: System User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\system32\services.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x800704ec Error description: This program is blocked by group policy. For more information, contact your system administrator. Signature Version: AV: 1.131.925.0, AS: 1.131.925.0, NIS: 11.159.0.0 Engine Version: AM: 1.1.8601.0, NIS: 2.0.8001.0
    29/07/2012 12:40:47, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 0.0.0.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 0.0.0.0 Error code: 0x80070424 Error description: The specified service does not exist as an installed service.
    29/07/2012 12:14:46, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 0.0.0.0 Update Source: Microsoft Malware Protection Center Update Stage: Download Source Path: http://go.microsoft.com/fwlink/?Link...D-99752CCA7094 Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 0.0.0.0 Error code: 0x80072ee2 Error description: The operation timed out
    29/07/2012 12:14:46, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 0.0.0.0 Update Source: Microsoft Malware Protection Center Update Stage: Download Source Path: http://go.microsoft.com/fwlink/?Link...D-99752CCA7094 Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 0.0.0.0 Error code: 0x80072ee2 Error description: The operation timed out
    29/07/2012 12:14:46, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 0.0.0.0 Update Source: Microsoft Malware Protection Center Update Stage: Download Source Path: http://go.microsoft.com/fwlink/?Link...D-99752CCA7094 Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 0.0.0.0 Error code: 0x80072ee2 Error description: The operation timed out
    29/07/2012 12:14:46, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 0.0.0.0 Update Source: Microsoft Malware Protection Center Update Stage: Download Source Path: http://go.microsoft.com/fwlink/?Link...D-99752CCA7094 Signature Type: AntiSpyware Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 0.0.0.0 Error code: 0x80072ee2 Error description: The operation timed out
    29/07/2012 12:14:46, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 0.0.0.0 Update Source: Microsoft Malware Protection Center Update Stage: Download Source Path: http://go.microsoft.com/fwlink/?Link...D-99752CCA7094 Signature Type: AntiSpyware Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 0.0.0.0 Error code: 0x80072ee2 Error description: The operation timed out
    29/07/2012 11:33:22, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 0.0.0.0 Update Source: Microsoft Malware Protection Center Update Stage: Install Source Path: http://go.microsoft.com/fwlink/?Link...D-99752CCA7094 Signature Type: AntiVirus Update Type: Full User: Richard-Laptop\Richard Current Engine Version: Previous Engine Version: 0.0.0.0 Error code: 0x80070714 Error description: The specified image file did not contain a resource section.
    29/07/2012 11:33:22, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 0.0.0.0 Update Source: Microsoft Malware Protection Center Update Stage: Install Source Path: http://go.microsoft.com/fwlink/?Link...D-99752CCA7094 Signature Type: AntiVirus Update Type: Full User: Richard-Laptop\Richard Current Engine Version: Previous Engine Version: 0.0.0.0 Error code: 0x80070714 Error description: The specified image file did not contain a resource section.
    29/07/2012 11:33:22, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 0.0.0.0 Update Source: Microsoft Malware Protection Center Update Stage: Install Source Path: http://go.microsoft.com/fwlink/?Link...D-99752CCA7094 Signature Type: AntiSpyware Update Type: Full User: Richard-Laptop\Richard Current Engine Version: Previous Engine Version: 0.0.0.0 Error code: 0x80070714 Error description: The specified image file did not contain a resource section.
    29/07/2012 11:33:22, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 0.0.0.0 Update Source: Microsoft Malware Protection Center Update Stage: Install Source Path: http://go.microsoft.com/fwlink/?Link...D-99752CCA7094 Signature Type: AntiSpyware Update Type: Full User: Richard-Laptop\Richard Current Engine Version: Previous Engine Version: 0.0.0.0 Error code: 0x80070714 Error description: The specified image file did not contain a resource section.
    29/07/2012 11:32:17, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 0.0.0.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 0.0.0.0 Error code: 0x80070424 Error description: The specified service does not exist as an installed service.
    29/07/2012 11:32:02, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 0.0.0.0 Update Source: Microsoft Malware Protection Center Update Stage: Download Source Path: http://go.microsoft.com/fwlink/?Link...D-99752CCA7094 Signature Type: AntiVirus Update Type: Full User: Richard-Laptop\Richard Current Engine Version: Previous Engine Version: 0.0.0.0 Error code: 0x80072ee2 Error description: The operation timed out
    29/07/2012 11:32:02, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 0.0.0.0 Update Source: Microsoft Malware Protection Center Update Stage: Download Source Path: http://go.microsoft.com/fwlink/?Link...D-99752CCA7094 Signature Type: AntiVirus Update Type: Full User: Richard-Laptop\Richard Current Engine Version: Previous Engine Version: 0.0.0.0 Error code: 0x80072ee2 Error description: The operation timed out
    29/07/2012 11:32:02, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 0.0.0.0 Update Source: Microsoft Malware Protection Center Update Stage: Download Source Path: http://go.microsoft.com/fwlink/?Link...D-99752CCA7094 Signature Type: AntiSpyware Update Type: Full User: Richard-Laptop\Richard Current Engine Version: Previous Engine Version: 0.0.0.0 Error code: 0x80072ee2 Error description: The operation timed out
    29/07/2012 11:32:02, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 0.0.0.0 Update Source: Microsoft Malware Protection Center Update Stage: Download Source Path: http://go.microsoft.com/fwlink/?Link...D-99752CCA7094 Signature Type: AntiSpyware Update Type: Full User: Richard-Laptop\Richard Current Engine Version: Previous Engine Version: 0.0.0.0 Error code: 0x80072ee2 Error description: The operation timed out
    29/07/2012 11:25:26, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 0.0.0.0 Update Source: Microsoft Malware Protection Center Update Stage: Download Source Path: http://go.microsoft.com/fwlink/?Link...D-99752CCA7094 Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 0.0.0.0 Error code: 0x80072ee2 Error description: The operation timed out
    29/07/2012 11:25:26, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 0.0.0.0 Update Source: Microsoft Malware Protection Center Update Stage: Download Source Path: http://go.microsoft.com/fwlink/?Link...D-99752CCA7094 Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 0.0.0.0 Error code: 0x80072ee2 Error description: The operation timed out
    29/07/2012 11:25:26, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 0.0.0.0 Update Source: Microsoft Malware Protection Center Update Stage: Download Source Path: http://go.microsoft.com/fwlink/?Link...D-99752CCA7094 Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 0.0.0.0 Error code: 0x80072ee2 Error description: The operation timed out
    29/07/2012 11:25:26, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 0.0.0.0 Update Source: Microsoft Malware Protection Center Update Stage: Download Source Path: http://go.microsoft.com/fwlink/?Link...D-99752CCA7094 Signature Type: AntiSpyware Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 0.0.0.0 Error code: 0x80072ee2 Error description: The operation timed out
    29/07/2012 11:25:26, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 0.0.0.0 Update Source: Microsoft Malware Protection Center Update Stage: Download Source Path: http://go.microsoft.com/fwlink/?Link...D-99752CCA7094 Signature Type: AntiSpyware Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 0.0.0.0 Error code: 0x80072ee2 Error description: The operation timed out
    29/07/2012 11:23:23, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 0.0.0.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 0.0.0.0 Error code: 0x80070424 Error description: The specified service does not exist as an installed service.
    29/07/2012 11:22:56, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 0.0.0.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 0.0.0.0 Error code: 0x80070424 Error description: The specified service does not exist as an installed service.
    29/07/2012 11:07:53, Error: Microsoft-Windows-WMPNSS-Service [14325] - Service 'WMPNetworkSvc' did not start correctly because QueryService encountered error '0x80070424'. In Windows Media Player, turn off media sharing, and then turn it back on.
    29/07/2012 11:07:01, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
    29/07/2012 11:07:01, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
    29/07/2012 11:07:01, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
    29/07/2012 07:37:34, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Media Player Network Sharing Service service to connect.
    29/07/2012 07:37:34, Error: Service Control Manager [7000] - The Windows Media Player Network Sharing Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    29/07/2012 07:37:27, Error: Service Control Manager [7034] - The SNMP Service service terminated unexpectedly. It has done this 3 time(s).
    29/07/2012 07:37:27, Error: Service Control Manager [7034] - The Message Queuing service terminated unexpectedly. It has done this 3 time(s).
    29/07/2012 07:37:27, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Vodafone Mobile Broadband Service service to connect.
    29/07/2012 07:37:27, Error: Service Control Manager [7001] - The Message Queuing Triggers service depends on the Message Queuing service which failed to start because of the following error: The operation completed successfully.
    29/07/2012 07:37:26, Error: Service Control Manager [7034] - The Message Queuing service terminated unexpectedly. It has done this 2 time(s).
    29/07/2012 07:37:26, Error: Service Control Manager [7001] - The Net.Msmq Listener Adapter service depends on the Message Queuing service which failed to start because of the following error: The operation completed successfully.
    29/07/2012 07:37:25, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Net.Tcp Port Sharing Service service to connect.
    29/07/2012 07:37:25, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Net.Pipe Listener Adapter service to connect.
    29/07/2012 07:37:25, Error: Service Control Manager [7001] - The Net.Tcp Listener Adapter service depends on the Net.Tcp Port Sharing Service service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
    29/07/2012 07:37:25, Error: Service Control Manager [7000] - The Net.Tcp Port Sharing Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    29/07/2012 07:37:25, Error: Service Control Manager [7000] - The Net.Pipe Listener Adapter service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    29/07/2012 07:37:24, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Google Update Service (gupdate) service to connect.
    29/07/2012 07:37:24, Error: Service Control Manager [7000] - The Google Update Service (gupdate) service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    29/07/2012 07:37:21, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Microsoft .NET Framework NGEN v4.0.30319_X86 service to connect.
    29/07/2012 07:37:21, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Microsoft .NET Framework NGEN v4.0.30319_X64 service to connect.
    29/07/2012 07:36:25, Error: Service Control Manager [7031] - The Vodafone Mobile Broadband Service service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    29/07/2012 07:36:25, Error: Service Control Manager [7031] - The SNMP Service service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    29/07/2012 07:35:39, Error: Service Control Manager [7034] - The SQL Server VSS Writer service terminated unexpectedly. It has done this 1 time(s).
    29/07/2012 07:35:39, Error: Service Control Manager [7034] - The SQL Server (SQLEXPRESS) service terminated unexpectedly. It has done this 1 time(s).
    29/07/2012 07:35:39, Error: Service Control Manager [7034] - The Skype Updater service terminated unexpectedly. It has done this 1 time(s).
    29/07/2012 07:35:39, Error: Service Control Manager [7034] - The Simple TCP/IP Services service terminated unexpectedly. It has done this 1 time(s).
    29/07/2012 07:35:39, Error: Service Control Manager [7034] - The Indexing Service service terminated unexpectedly. It has done this 1 time(s).
    29/07/2012 07:35:39, Error: Service Control Manager [7034] - The Dock Login Service service terminated unexpectedly. It has done this 1 time(s).
    29/07/2012 07:35:39, Error: Service Control Manager [7034] - The Audio Service service terminated unexpectedly. It has done this 1 time(s).
    29/07/2012 07:35:39, Error: Service Control Manager [7034] - The Ati External Event Utility service terminated unexpectedly. It has done this 1 time(s).
    29/07/2012 07:35:39, Error: Service Control Manager [7034] - The Andrea ST Filters Service service terminated unexpectedly. It has done this 1 time(s).
    29/07/2012 07:35:39, Error: Service Control Manager [7031] - The Windows Live ID Sign-in Assistant service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.
    29/07/2012 07:35:39, Error: Service Control Manager [7031] - The Vodafone Mobile Broadband Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    29/07/2012 07:35:39, Error: Service Control Manager [7031] - The SNMP Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    29/07/2012 07:35:39, Error: Service Control Manager [7031] - The Net.Tcp Port Sharing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    29/07/2012 07:35:39, Error: Service Control Manager [7031] - The Net.Tcp Listener Adapter service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    29/07/2012 07:35:39, Error: Service Control Manager [7031] - The Net.Pipe Listener Adapter service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    29/07/2012 07:35:39, Error: Service Control Manager [7031] - The Net.Msmq Listener Adapter service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    29/07/2012 07:35:39, Error: Service Control Manager [7031] - The Message Queuing Triggers service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    29/07/2012 07:35:39, Error: Service Control Manager [7031] - The Message Queuing service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    29/07/2012 07:35:39, Error: Service Control Manager [7031] - The IIS Admin Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Run the configured recovery program.
    29/07/2012 07:35:39, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Live ID Sign-in Assistant service to connect.
    29/07/2012 07:35:39, Error: Service Control Manager [7000] - The Windows Live ID Sign-in Assistant service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    29/07/2012 07:35:24, Error: Microsoft-Windows-WAS [5175] - The listener adapter serving the 'net.tcp' protocol disconnected unexpectedly.
    29/07/2012 07:35:24, Error: Microsoft-Windows-WAS [5175] - The listener adapter serving the 'net.pipe' protocol disconnected unexpectedly.
    29/07/2012 07:35:24, Error: Microsoft-Windows-WAS [5175] - The listener adapter serving the 'net.msmq' protocol disconnected unexpectedly.
    29/07/2012 07:35:24, Error: Microsoft-Windows-WAS [5175] - The listener adapter serving the 'msmq.formatname' protocol disconnected unexpectedly.
    29/07/2012 07:34:05, Error: EventLog [6008] - The previous system shutdown at 07:26:09 on 29/07/2012 was unexpected.
    29/07/2012 07:26:08, Error: Service Control Manager [7034] - The Net.Pipe Listener Adapter service terminated unexpectedly. It has done this 3 time(s).
    29/07/2012 07:21:08, Error: Service Control Manager [7031] - The Net.Tcp Port Sharing Service service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service.
    29/07/2012 07:21:08, Error: Service Control Manager [7031] - The Net.Pipe Listener Adapter service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service.
    29/07/2012 07:21:07, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Message Queuing service to connect.
    29/07/2012 07:21:07, Error: Service Control Manager [7001] - The Net.Msmq Listener Adapter service depends on the Message Queuing service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
    29/07/2012 07:21:07, Error: Service Control Manager [7000] - The Message Queuing service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    29/07/2012 07:20:04, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the SNMP Service service to connect.
    29/07/2012 07:20:04, Error: Service Control Manager [7000] - The SNMP Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    29/07/2012 07:18:17, Error: EventLog [6008] - The previous system shutdown at 07:15:25 on 29/07/2012 was unexpected.
    28/07/2012 21:00:20, Error: Service Control Manager [7001] - The Message Queuing Triggers service depends on the Message Queuing service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
    28/07/2012 20:58:19, Error: Service Control Manager [7031] - The Windows Presentation Foundation Font Cache 4.0.0.0 service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
    28/07/2012 20:58:19, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Presentation Foundation Font Cache 4.0.0.0 service to connect.
    28/07/2012 20:58:19, Error: Service Control Manager [7000] - The Windows Presentation Foundation Font Cache 4.0.0.0 service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    28/07/2012 20:58:18, Error: Service Control Manager [7034] - The Office Software Protection Platform service terminated unexpectedly. It has done this 1 time(s).
    28/07/2012 20:58:18, Error: Service Control Manager [7031] - The Windows Presentation Foundation Font Cache 4.0.0.0 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
    28/07/2012 20:58:18, Error: Service Control Manager [7031] - The Windows Presentation Foundation Font Cache 3.0.0.0 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
    28/07/2012 20:58:18, Error: Service Control Manager [7031] - The Windows Media Player Network Sharing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
    28/07/2012 20:58:18, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Presentation Foundation Font Cache 3.0.0.0 service to connect.
    28/07/2012 20:58:18, Error: Service Control Manager [7000] - The Windows Presentation Foundation Font Cache 3.0.0.0 service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    28/07/2012 20:56:18, Error: Service Control Manager [7031] - The Microsoft Antimalware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.
    28/07/2012 11:33:56, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 10.163.60.114 for the Network Card with network address 001E101F50A4 has been denied by the DHCP server 10.141.215.170 (The DHCP Server sent a DHCPNACK message).
    28/07/2012 11:28:47, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.131.337.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Link...D-99752CCA7094 Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.8601.0 Error code: 0x80072ee7 Error description: The server name or address could not be resolved
    28/07/2012 11:28:47, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.131.337.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Link...D-99752CCA7094 Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.8601.0 Error code: 0x80072ee7 Error description: The server name or address could not be resolved
    28/07/2012 11:28:47, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.131.337.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Link...D-99752CCA7094 Signature Type: AntiSpyware Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.8601.0 Error code: 0x80072ee7 Error description: The server name or address could not be resolved
    28/07/2012 11:28:47, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.131.337.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Link...D-99752CCA7094 Signature Type: AntiSpyware Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.8601.0 Error code: 0x80072ee7 Error description: The server name or address could not be resolved
    28/07/2012 11:28:46, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.131.337.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8601.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
    28/07/2012 11:28:46, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.131.337.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Link...D-99752CCA7094 Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.8601.0 Error code: 0x80072ee7 Error description: The server name or address could not be resolved
    28/07/2012 11:28:46, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.131.337.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Link...D-99752CCA7094 Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.8601.0 Error code: 0x80072ee7 Error description: The server name or address could not be resolved
    28/07/2012 11:28:46, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.131.337.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Link...D-99752CCA7094 Signature Type: AntiSpyware Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.8601.0 Error code: 0x80072ee7 Error description: The server name or address could not be resolved
    28/07/2012 11:28:46, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.131.337.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Link...D-99752CCA7094 Signature Type: AntiSpyware Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.8601.0 Error code: 0x80072ee7 Error description: The server name or address could not be resolved
    28/07/2012 11:25:57, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 10.180.37.238 for the Network Card with network address 001E101F50A4 has been denied by the DHCP server 10.163.60.113 (The DHCP Server sent a DHCPNACK message).
    .
    ==== End Of File ===========================

  4. #4
    niemiro's Avatar
    Join Date
    Mar 2012
    Location
    District 12
    Posts
    7,868

    Re: Infected with Sirefef :(

    I will try to get these sorted out. The problem arises because I only use this laptop occasionally, when I am away from home. I last turned it on with an internet connection to update about 4 months ago. This is probably the cause of my infection.

    Results of screen317's Security Check version 0.99.43
    Windows Vista Service Pack 2 x64 (UAC is disabled!)
    Internet Explorer 9
    ``````````````Antivirus/Firewall Check:``````````````
    Microsoft Security Essentials
    Antivirus up to date!
    `````````Anti-malware/Other Utilities Check:`````````
    Malwarebytes Anti-Malware version 1.62.0.1300
    Java(TM) 6 Update 26
    Java version out of Date!
    Adobe Reader 9 Adobe Reader out of Date!
    ````````Process Check: objlist.exe by Laurent````````
    Microsoft Security Essentials MSMpEng.exe
    Microsoft Security Essentials msseces.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: 4 % Defragment your hard drive soon!
    ````````````````````End of Log``````````````````````
    Last edited by niemiro; 07-29-2012 at 02:46 PM. Reason: Wrong log

  5. #5
    Corrine's Avatar
    Join Date
    Feb 2012
    Location
    Upstate, NY
    Posts
    8,888

    Re: Infected with Sirefef :(

    Hi, niemiro.

    Other than it was a System32 trojan dropper, I'm not sure where "Sirefef" came from. That said, Live Security Platinum is indeed a nasty rogue. I helped someone clean their system from that rogue this past week -- the steps were much easier than what you followed.

    I would like to see the attach.txt. In addition, particularly since you are away from home, let's go the full route to ensure everything has been removed.

    (Edit Note: I see you were busy posting the logs while I was reviewing your comments and the first log. :) )


    Please follow these instructions carefully.

    Download ComboFix from the following location: Link 1

    !!! IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your antivirus and anti-malware security applications. If not disabled, these programs will likely interfere with cleanup process. This can usually be accomplished by a right-click on the icon in the System Tray.

      Note: If you are unsure how to disable your security software, see the instructions in this topic at Tech Support Forum: How to disable your security applications.
    • If infections are found, ComboFix will automatically reboot the machine to complete the removal process. Please ensure all opened windows are closed before proceeding.
    • Double-click ComboFix.exe on your desktop and follow the prompts.
    • As part of the process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. The Recovery Console will allow you to start up the computer in a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Click "Yes" to continue scanning for malware.
    • When finished, a log will be produced. Please include the C:\ComboFix.txt in your next reply.
    Last edited by Corrine; 07-29-2012 at 03:44 PM.


    Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

    Remember - A day without laughter is a day wasted.
    May the wind sing to you and the sun rise in your heart.

  6. #6
    niemiro's Avatar
    Join Date
    Mar 2012
    Location
    District 12
    Posts
    7,868

    Re: Infected with Sirefef :(

    Thank you very much for your help, Corrine.

    MSE reported these two fragments:

    C:\WINDOWS\Installer\{63c3d2d2-1d22-1ae6-14dc-9744f38ab1dc}\U\800000cb.@
    C:\WINDOWS\Installer\{63c3d2d2-1d22-1ae6-14dc-9744f38ab1dc}\U\80000000.@


    as Sirefef.W and Sirefef.AB.

    We posted at the same time. Please find attach.txt and SecurityCheck logs above.

    ComboFix 12-07-29.02 - Richard 29/07/2012 20:32:18.1.2 - x64
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.4060.1852 [GMT 1:00]
    Running from: c:\users\Richard\Downloads\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\programdata\PCDr\5907\Downloads\246b20c1-8ea9-4148-a34e-d03c8a1d5a76.dll
    c:\programdata\PCDr\5907\Downloads\27e5bc9a-105f-4d7f-8352-e6ef1c8933dd.dll
    c:\programdata\PCDr\5907\Downloads\a2192d8a-3d73-4ff7-be9b-02134f41db63.dll
    c:\users\Public\Anno1701_Patch104_UK.exe
    c:\users\Richard\AppData\Roaming\Nuba
    c:\users\Richard\AppData\Roaming\Nuba\entoc.boe
    c:\users\Richard\AppData\Roaming\Xubepi
    c:\users\Richard\AppData\Roaming\Xubepi\obix.obt
    c:\windows\Installer\{63c3d2d2-1d22-1ae6-14dc-9744f38ab1dc}\@
    c:\windows\Installer\{63c3d2d2-1d22-1ae6-14dc-9744f38ab1dc}\U\00000001.@
    D:\AUTORUN.INF
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-06-28 to 2012-07-29 )))))))))))))))))))))))))))))))
    .
    .
    2012-07-29 19:42 . 2012-07-29 19:45 -------- d-----w- c:\users\Richard\AppData\Local\temp
    2012-07-29 19:42 . 2012-07-29 19:42 -------- d-----w- c:\users\Hugo\AppData\Local\temp
    2012-07-29 19:42 . 2012-07-29 19:42 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-07-29 17:13 . 2012-07-29 17:13 384512 ----a-w- c:\windows\system32\services.exe.F484E0945A62B69A
    2012-07-29 12:17 . 2012-07-29 12:17 384512 ----a-w- c:\windows\system32\services.exe.7129A6EF3E84AA18
    2012-07-29 11:51 . 2012-07-16 01:40 9133488 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8E5D36A6-15D4-40A2-9192-D39FA4FF2F04}\mpengine.dll
    2012-07-29 11:15 . 2012-02-09 13:17 927800 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{50D74B56-A9A9-4DD6-891C-D6F38F2FFD1A}\gapaengine.dll
    2012-07-29 10:33 . 2012-02-09 13:17 927800 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
    2012-07-29 10:22 . 2012-07-29 10:22 -------- d-----w- c:\program files (x86)\Microsoft Security Client
    2012-07-29 10:22 . 2012-07-29 10:22 -------- d-----w- c:\program files\Microsoft Security Client
    2012-07-29 06:49 . 2012-07-29 06:49 -------- d-----w- c:\users\Richard\AppData\Roaming\Malwarebytes
    2012-07-29 06:49 . 2012-07-29 06:49 -------- d-----w- c:\programdata\Malwarebytes
    2012-07-29 06:49 . 2012-07-29 06:49 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2012-07-29 06:49 . 2012-07-03 12:46 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-07-28 19:56 . 2012-07-29 06:58 -------- d-----w- c:\users\Richard\AppData\Roaming\Qyeqt
    2012-07-20 14:35 . 2012-06-02 12:00 818688 ----a-w- c:\windows\system32\jscript.dll
    2012-07-20 14:35 . 2012-06-02 08:26 387584 ----a-w- c:\program files (x86)\Internet Explorer\jsdbgui.dll
    2012-07-20 14:35 . 2012-06-02 12:07 887296 ----a-w- c:\program files\Internet Explorer\iedvtool.dll
    2012-07-20 14:35 . 2012-06-02 12:06 499200 ----a-w- c:\program files\Internet Explorer\jsdbgui.dll
    2012-07-20 14:35 . 2012-06-02 08:27 678912 ----a-w- c:\program files (x86)\Internet Explorer\iedvtool.dll
    2012-07-20 14:35 . 2012-06-02 12:49 17807360 ----a-w- c:\windows\system32\mshtml.dll
    2012-07-20 14:35 . 2012-06-02 12:17 10924032 ----a-w- c:\windows\system32\ieframe.dll
    2012-07-20 14:35 . 2012-06-13 13:58 2769408 ----a-w- c:\windows\system32\win32k.sys
    2012-07-20 14:20 . 2012-06-05 16:22 974848 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
    2012-07-20 14:20 . 2012-06-05 16:47 708608 ----a-w- c:\program files (x86)\Common Files\System\ado\msado15.dll
    2012-07-20 14:20 . 2012-06-05 16:22 1797120 ----a-w- c:\windows\system32\msxml6.dll
    2012-07-20 14:20 . 2012-06-05 16:47 1401856 ----a-w- c:\windows\SysWow64\msxml6.dll
    2012-07-20 14:20 . 2012-06-05 16:22 1869824 ----a-w- c:\windows\system32\msxml3.dll
    2012-07-20 14:20 . 2012-06-05 16:47 1248768 ----a-w- c:\windows\SysWow64\msxml3.dll
    2012-07-20 14:19 . 2012-06-04 15:29 516480 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2012-07-20 14:19 . 2012-06-02 00:22 347136 ----a-w- c:\windows\system32\schannel.dll
    2012-07-20 14:19 . 2012-06-02 00:22 254464 ----a-w- c:\windows\system32\ncrypt.dll
    2012-07-20 14:19 . 2012-06-02 00:05 77312 ----a-w- c:\windows\SysWow64\secur32.dll
    2012-07-20 14:19 . 2012-06-02 00:04 278528 ----a-w- c:\windows\SysWow64\schannel.dll
    2012-07-20 14:19 . 2012-06-02 00:03 204288 ----a-w- c:\windows\SysWow64\ncrypt.dll
    2012-07-20 14:19 . 2012-06-08 17:59 12899840 ----a-w- c:\windows\system32\shell32.dll
    2012-06-30 08:26 . 2012-06-30 08:26 289656 ----a-w- c:\users\Richard\AppData\Roaming\Microsoft\WebManagement\7.0.0.0\Modules\Microsoft.Web.Deployment.UI.Client_8.0.0.0_31bf3856ad364e35\x86\axNative.dll
    2012-06-30 08:26 . 2012-06-30 08:26 359800 ----a-w- c:\users\Richard\AppData\Roaming\Microsoft\WebManagement\7.0.0.0\Modules\Microsoft.Web.Deployment.UI.Client_8.0.0.0_31bf3856ad364e35\x64\axNative.dll
    2012-06-30 08:26 . 2012-06-30 08:25 12616 ----a-w- c:\users\Richard\AppData\Roaming\Microsoft\WebManagement\7.0.0.0\Modules\Microsoft.Web.Deployment.UI.Client_8.0.0.0_31bf3856ad364e35\en\Microsoft.Web.Delegation.resources.dll
    2012-06-30 08:26 . 2012-06-30 08:25 91976 ----a-w- c:\users\Richard\AppData\Roaming\Microsoft\WebManagement\7.0.0.0\Modules\Microsoft.Web.Deployment.UI.Client_8.0.0.0_31bf3856ad364e35\Microsoft.Web.Delegation.dll
    2012-06-30 08:26 . 2012-06-30 08:25 116552 ----a-w- c:\users\Richard\AppData\Roaming\Microsoft\WebManagement\7.0.0.0\Modules\Microsoft.Web.Deployment.UI.Client_8.0.0.0_31bf3856ad364e35\en\Microsoft.Web.Deployment.resources.dll
    2012-06-30 08:26 . 2012-06-30 08:25 1218376 ----a-w- c:\users\Richard\AppData\Roaming\Microsoft\WebManagement\7.0.0.0\Modules\Microsoft.Web.Deployment.UI.Client_8.0.0.0_31bf3856ad364e35\Microsoft.Web.Deployment.dll
    2012-06-30 08:25 . 2012-06-30 08:24 143360 ----a-w- c:\users\Richard\AppData\Roaming\Microsoft\WebManagement\7.0.0.0\Modules\Web.Management.PHP.Client_1.0.3.0_8175de49a9aec91d\Web.Management.PHP.Client.dll
    2012-06-30 08:25 . 2012-06-30 08:24 603976 ----a-w- c:\users\Richard\AppData\Roaming\Microsoft\WebManagement\7.0.0.0\Modules\Microsoft.Web.Deployment.UI.Client_8.0.0.0_31bf3856ad364e35\Microsoft.Web.Deployment.UI.Client.dll
    2012-06-30 08:25 . 2012-06-30 08:24 300880 ----a-w- c:\users\Richard\AppData\Roaming\Microsoft\WebManagement\7.0.0.0\Modules\Microsoft.Web.Management.DatabaseManager.Client_1.0.1.0_31bf3856ad364e35\Microsoft.Web.Management.DatabaseManager.Client.dll
    2012-06-30 08:25 . 2012-06-30 08:24 547608 ----a-w- c:\users\Richard\AppData\Roaming\Microsoft\WebManagement\7.0.0.0\Modules\Microsoft.Web.Management.Rewrite.Client_7.2.2.1_31bf3856ad364e35\Microsoft.Web.Management.Rewrite.Client.dll
    2012-06-30 08:25 . 2012-06-30 08:24 512000 ----a-w- c:\users\Richard\AppData\Roaming\Microsoft\WebManagement\7.0.0.0\Modules\Microsoft.Web.Management.AspnetClient_7.5.0.0_31bf3856ad364e35\Microsoft.Web.Management.AspnetClient.dll
    2012-06-30 08:25 . 2012-06-30 08:24 1716224 ----a-w- c:\users\Richard\AppData\Roaming\Microsoft\WebManagement\7.0.0.0\Modules\Microsoft.Web.Management.IisClient_7.5.0.0_31bf3856ad364e35\Microsoft.Web.Management.IisClient.dll
    2012-06-30 08:14 . 2012-06-30 08:14 -------- d-----w- c:\program files\Microsoft
    2012-06-30 07:49 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
    2012-06-30 07:49 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-30 07:49 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-30 07:49 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-30 07:49 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll
    2012-06-30 07:49 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-30 07:49 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-30 07:48 . 2012-06-02 14:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-30 07:48 . 2012-06-02 14:15 36864 ----a-w- c:\windows\system32\wuapp.exe
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-07-28 18:16 . 2012-04-17 17:25 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2012-07-28 18:16 . 2011-10-16 10:36 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-07-20 14:40 . 2006-11-02 12:35 59701280 ----a-w- c:\windows\system32\mrt.exe
    2012-06-14 12:50 . 2012-06-11 12:22 310728 ----a-w- c:\windows\system32\drivers\atksgt.sys
    2012-06-14 12:50 . 2012-06-11 12:21 42696 ----a-w- c:\windows\system32\drivers\lirsgt.sys
    2012-06-02 22:19 . 2012-06-30 07:49 35864 ----a-w- c:\windows\SysWow64\wups.dll
    2012-06-02 22:19 . 2012-06-30 07:49 577048 ----a-w- c:\windows\SysWow64\wuapi.dll
    2012-06-02 22:12 . 2012-06-30 07:49 88576 ----a-w- c:\windows\SysWow64\wudriver.dll
    2012-06-02 14:19 . 2012-06-30 07:48 171904 ----a-w- c:\windows\SysWow64\wuwebv.dll
    2012-06-02 14:12 . 2012-06-30 07:48 33792 ----a-w- c:\windows\SysWow64\wuapp.exe
    2012-06-02 07:23 . 2011-04-05 12:55 2382080 ----a-w- c:\programdata\Microsoft\VisualStudio\10.0\1033\ResourceCache.dll
    2012-06-01 09:04 . 2011-04-05 12:55 18368 ----a-w- c:\programdata\Microsoft\VSA\9.0\1033\ResourceCache.dll
    2012-05-31 11:25 . 2011-04-05 07:19 279656 ------w- c:\windows\system32\MpSigStub.exe
    2012-05-22 13:26 . 2012-06-03 14:51 224088 ----a-w- c:\windows\system32\drivers\VBoxDrv.sys
    2012-05-22 13:26 . 2012-06-03 14:50 130904 ----a-w- c:\windows\system32\drivers\VBoxUSBMon.sys
    2012-05-22 13:26 . 2012-05-22 13:26 147288 ----a-w- c:\windows\system32\drivers\VBoxNetAdp.sys
    2012-05-22 13:25 . 2012-05-22 13:25 320856 ----a-w- c:\windows\system32\VBoxNetFltNobj.dll
    2012-05-22 13:25 . 2012-05-22 13:25 166232 ----a-w- c:\windows\system32\drivers\VBoxNetFlt.sys
    2012-05-01 14:29 . 2012-06-14 08:35 209920 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Akamai NetSession Interface"="c:\users\Richard\AppData\Local\Akamai\netsession_win.exe" [2012-05-26 4327744]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
    "VirtualCloneDrive"="c:\program files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2011-03-07 89456]
    "BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
    "UnlockerAssistant"="c:\program files (x86)\Unlocker\UnlockerAssistant.exe" [2010-07-04 17408]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
    .
    c:\users\Hugo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-5-28 1320288]
    .
    c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-5-28 1320288]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001
    .
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-28 250056]
    S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_15f4e438\AESTSr64.exe [2009-03-19 89600]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
    iissvcs REG_MULTI_SZ w3svc was
    apphost REG_MULTI_SZ apphostsvc
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    Themes
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-07-29 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-17 18:16]
    .
    2012-07-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-08-07 06:41]
    .
    2012-07-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-08-07 06:41]
    .
    2012-07-29 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
    - c:\program files\Dell Support Center\uaclauncher.exe [2012-05-22 07:16]
    .
    2012-07-29 c:\windows\Tasks\SystemToolsDailyTest.job
    - c:\program files\Dell Support Center\uaclauncher.exe [2012-05-22 07:16]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-11-25 1657128]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 1271168]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x0
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.google.co.uk/
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = <local>
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~2\MICROS~2\Office14\ONBttnIE.dll/105
    Trusted Zone: microsoft.com
    Trusted Zone: update.microsoft.com
    Trusted Zone: windowsupdate.microsoft.com
    Trusted Zone: windowsupdates.com
    TCP: DhcpNameServer = 192.168.1.1
    CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Wow6432Node-HKCU-Run-WMPNSCFG - c:\program files (x86)\Windows Media Player\WMPNSCFG.exe
    Wow6432Node-HKLM-Run-DellSupportCenter - c:\program files (x86)\Dell Support Center\bin\sprtcmd.exe
    HKLM-Run-SysTrayApp - c:\program files (x86)\IDT\WDM\sttray64.exe
    .
    .
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DSFKSVCS\MofImagePath]
    .
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCDSRVC{1E208CE0-FB7451FF-06020101}_0]
    "ImagePath"="\??\c:\program files\dell support center\pcdsrvc_x64.pkms"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_268_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_268_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
    @="Shockwave Flash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
    @Denied: (A 2) (Everyone)
    @=""
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
    @="FlashBroker"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
    @Denied: (A) (Everyone)
    "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
    @Denied: (A) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
    "Key"="ActionsPane3"
    "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Dell\DellDock\DockLogin.exe
    c:\program files (x86)\Vodafone\Vodafone Mobile Broadband\Bin\VmbService.exe
    .
    **************************************************************************
    .
    Completion time: 2012-07-29 20:54:43 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-07-29 19:54
    .
    Pre-Run: 121,896,206,336 bytes free
    Post-Run: 122,573,959,168 bytes free
    .
    - - End Of File - - C955502C3127492FDE8FF3E192619CE9
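A small triage script, added here as an example and not part of the thread or of ComboFix: it parses the "Other Deletions" and "Files Created" sections of a ComboFix log laid out like the one above and flags the artifact patterns that log shows (the Installer\{GUID}\U\*.@ store MSE reported as Sirefef, the hex-suffixed services.exe copies in system32, and an AUTORUN.INF at a drive root). The rule names and SAMPLE_LOG are constructed for illustration; the paths in SAMPLE_LOG are copied from the log above.

```python
"""Triage of ComboFix 'Other Deletions' / 'Files Created' listings.

Added example, not part of the thread or of ComboFix. The rule names and
SAMPLE_LOG are constructed here; the paths in SAMPLE_LOG mirror entries
from the log in the thread.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# One "Files Created" line: <created> . <modified> <size|dashes> <attrs> <path>
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>-+|\d+) (?P<attrs>\S+) (?P<path>.+)$"
)

# Patterns taken from the artifacts visible in the thread's log (constructed rule names).
RULES = [
    # payload store under Installer\{GUID}\U\<8 hex>.@ (or the bare "@" file),
    # the paths MSE reported as Sirefef.W / Sirefef.AB
    ("installer-guid-U-store",
     re.compile(r"\\installer\\\{[0-9a-f-]{36}\}\\(u\\[0-9a-f]{8}\.@|@)$", re.I)),
    # extra copies of services.exe carrying a 16-hex-digit suffix in system32
    ("services.exe-hex-copy",
     re.compile(r"\\system32\\services\.exe\.[0-9a-f]{16}$", re.I)),
    # autorun.inf sitting at a drive root (removable media)
    ("drive-root-autorun",
     re.compile(r"^[a-z]:\\autorun\.inf$", re.I)),
]


@dataclass
class Entry:
    path: str
    size: Optional[int]   # None for directories and for "Other Deletions" lines
    is_dir: bool
    section: str          # "deleted" or "created"


@dataclass
class Finding:
    path: str
    rule: str


def parse_combofix(text: str) -> List[Entry]:
    """Collect entries from the 'Other Deletions' and 'Files Created' sections only."""
    entries: List[Entry] = []
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue                      # ComboFix pads sections with "." lines
        if line.startswith("((("):
            if "Other Deletions" in line:
                section = "deleted"
            elif "Files Created" in line:
                section = "created"
            else:
                section = None            # Find3M and later sections are skipped
            continue
        if line.startswith("---"):
            section = None
            continue
        if section == "deleted":
            entries.append(Entry(line, None, False, section))
        elif section == "created":
            m = FILE_LINE.match(line)
            if m:
                is_dir = m.group("attrs").startswith("d")
                size = None if is_dir or m.group("size").startswith("-") else int(m.group("size"))
                entries.append(Entry(m.group("path"), size, is_dir, section))
    return entries


def triage(entries: List[Entry]) -> List[Finding]:
    """Match every entry against RULES; an entry may hit more than one rule."""
    return [Finding(e.path, name) for e in entries for name, rx in RULES if rx.search(e.path)]


# Constructed excerpt in ComboFix's layout, with paths copied from the thread's log.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\users\Public\Anno1701_Patch104_UK.exe
c:\windows\Installer\{63c3d2d2-1d22-1ae6-14dc-9744f38ab1dc}\@
c:\windows\Installer\{63c3d2d2-1d22-1ae6-14dc-9744f38ab1dc}\U\00000001.@
D:\AUTORUN.INF
.
((((((((((((((((((((((((( Files Created from 2012-06-28 to 2012-07-29 )))))))))))))))))))))))))))))))
.
2012-07-29 19:42 . 2012-07-29 19:45 -------- d-----w- c:\users\Richard\AppData\Local\temp
2012-07-29 17:13 . 2012-07-29 17:13 384512 ----a-w- c:\windows\system32\services.exe.F484E0945A62B69A
2012-07-29 12:17 . 2012-07-29 12:17 384512 ----a-w- c:\windows\system32\services.exe.7129A6EF3E84AA18
2012-07-29 06:49 . 2012-07-03 12:46 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-20 14:40 . 2006-11-02 12:35 59701280 ----a-w- c:\windows\system32\mrt.exe
"""

if __name__ == "__main__":
    for f in triage(parse_combofix(SAMPLE_LOG)):
        print(f"{f.rule:24} {f.path}")
```

Run against a full ComboFix.txt the script lists only the three artifact classes above; anything else it sees (the Roaming directories with random names, for instance) still needs a human reading the log.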

  7. #7
    Corrine's Avatar
    Join Date
    Feb 2012
    Location
    Upstate, NY
    Posts
    8,888

    Re: Infected with Sirefef :(

    Hi, niemiro.

    Yup. I saw the other logs and edited my reply.

    Personally, I would not allow any programs in the Trusted Zone. When you add a Web site to the Trusted Sites zone, the security level is set to Low. After all, even well known sites, including Microsoft, can be the victim of an SQL injection, hidden scripts, and more.

    If you elect to remove the entries from the Trusted Zone, please do the following:
    • Launch Internet Explorer, click Internet Options on the Tools menu, and then click the Security tab.
    • Click Trusted Sites, and then click Sites.
    • Click the site you want to delete, and then click Remove.


    Trusted Zone: microsoft.com
    Trusted Zone: update.microsoft.com
    Trusted Zone: windowsupdate.microsoft.com
    Trusted Zone: windowsupdates.com


    Next, let's get Java and Adobe products updated. Then, any remnants can be cleaned up with ComboFix.

    Java:

    Please uninstall Java(TM) 6 Update 26. Also, delete the jinstall-1_6_0_26-windows-i586.cab files from your download folder. Then go to Java SE Downloads and install Java JRE 7u5. Be mindful of pre-checked options as they are not needed for Java to work.

    Adobe:
    The current version of Adobe Reader is 10.1.3. I recommend the FTP download site: ftp://ftp.adobe.com/pub/adobe/reader/win/10.x/10.1.3/ since there are no unnecessary add-ons included.

    After that has been completed, please do the following:

    Custom CFScript
    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

      Code:
      File::
      c:\windows\system32\services.exe.F484E0945A62B69A
      c:\windows\system32\services.exe.7129A6EF3E84AA18
      
      RegLock::
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
    • Save this as CFScript.txt and place it on your desktop.
    • Close any open browsers
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.


    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


    Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

    Remember - A day without laughter is a day wasted.
    May the wind sing to you and the sun rise in your heart.
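    As an added example (not code from this thread and not ComboFix's own code), the following Python script runs a small triage pass over ComboFix log lines and pulls out the items acted on in the post above: the Trusted Zone entries (which, as noted, put a site at the Low security level) and the two services.exe.<hex> sibling copies named in the File:: section, plus two weakened-defence settings that show up in the logs in this thread ("EnableLUA"=0, i.e. UAC switched off, and the Security Center AntiVirusOverride/FirewallOverride flags). The sample log text is constructed from the log excerpts quoted on this page; the names triage_combofix, summarize, Finding and WEAK_SETTINGS are mine, and the list of protected binaries watched for sibling copies is an assumption.

```python
"""Triage pass over ComboFix log lines (added example, not ComboFix code)."""
import re
from dataclasses import dataclass

# ComboFix prints registry sections in REGEDIT4 style:
#   [HKEY_...\key]
#   "Name"= 0 (0x0)        or        "Name"=dword:00000001
KEY_RE = re.compile(r'^\[(HK[^\]]+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*?)$')
TRUSTED_RE = re.compile(r'^Trusted Zone:\s*(\S+)', re.IGNORECASE)

# Leftover copies of a protected binary beside the real one, e.g.
# services.exe.F484E0945A62B69A. Which binaries to watch is an assumption.
SIBLING_RE = re.compile(
    r'(c:\\windows\\system32\\(?:services|lsass|winlogon|svchost)\.exe\.[0-9a-f]{8,})',
    re.IGNORECASE)

# (key suffix, value name, value that weakens the host, why it matters)
WEAK_SETTINGS = [
    ('policies\\system', 'EnableLUA', 0,
     'UAC disabled; admin processes start fully elevated'),
    ('security center', 'AntiVirusOverride', 1,
     'Security Center will not warn about missing or stale antivirus'),
    ('security center', 'FirewallOverride', 1,
     'Security Center will not warn about a disabled firewall'),
]


@dataclass(frozen=True)
class Finding:
    category: str
    detail: str


def parse_dword(raw):
    """Accept both '0 (0x0)' and 'dword:00000001'; None for anything else."""
    raw = raw.strip()
    m = re.match(r'dword:([0-9a-f]{8})$', raw, re.IGNORECASE)
    if m:
        return int(m.group(1), 16)
    m = re.match(r'(\d+)', raw)
    return int(m.group(1)) if m else None


def triage_combofix(log_text):
    """Return ordered, de-duplicated findings for one log."""
    findings, seen, current_key = [], set(), None

    def add(category, detail):
        f = Finding(category, detail)
        if f not in seen:
            seen.add(f)
            findings.append(f)

    for line in log_text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:                       # remember which key the next values belong to
            current_key = km.group(1)
            continue
        tm = TRUSTED_RE.match(line)
        if tm:
            add('trusted_zone', tm.group(1))
            continue
        for sm in SIBLING_RE.finditer(line):   # File:: lines and "Files Created" lines
            add('system_binary_copy', sm.group(1))
        vm = VALUE_RE.match(line)
        if vm and current_key:
            name, raw = vm.groups()
            val, key_lc = parse_dword(raw), current_key.lower()
            for suffix, vname, bad, why in WEAK_SETTINGS:
                if key_lc.endswith(suffix) and name == vname and val == bad:
                    add('weak_setting', f'{current_key}\\{name}={val}: {why}')
    return findings


def summarize(findings):
    """Group finding details by category, keeping log order."""
    out = {}
    for f in findings:
        out.setdefault(f.category, []).append(f.detail)
    return out


# Constructed from the log excerpts quoted in this thread.
SAMPLE_LOG = r"""
FILE ::
"c:\windows\system32\services.exe.7129A6EF3E84AA18"
"c:\windows\system32\services.exe.F484E0945A62B69A"
.
2012-07-29 17:13 . 2012-07-29 17:13 384512 ----a-w- c:\windows\system32\services.exe.F484E0945A62B69A
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
Trusted Zone: microsoft.com
Trusted Zone: update.microsoft.com
Trusted Zone: windowsupdate.microsoft.com
Trusted Zone: windowsupdates.com
"""

if __name__ == '__main__':
    for category, items in summarize(triage_combofix(SAMPLE_LOG)).items():
        print(category)
        for item in items:
            print('  ', item)
```

The script only reads the log; it deletes nothing, which is deliberate: what to do about a services.exe.<hex> copy or a Trusted Zone entry is the helper's call, as in the post above, and a ComboFix CFScript is written for one specific machine.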

  8. #8
    niemiro's Avatar
    Join Date
    Mar 2012
    Location
    District 12
    Posts
    7,868

    Re: Infected with Sirefef :(

    Hello Corrine :)

    Thank you very much for your continued assistance here.

    I have removed all from the Trusted Zone, although two were automatically re-added as soon as I attempted to run Windows Update.

    I have removed all old versions of Java, and have re-installed the latest. I have also updated Adobe Reader. I could not, however, find jinstall-1_6_0_26-windows-i586.cab anywhere. Is this step important?

    I also re-ran ComboFix as instructed. Thanks again for your help here.

    ComboFix 12-08-10.02 - Richard 12/08/2012 8:52.3.2 - x64
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.4060.2065 [GMT 1:00]
    Running from: c:\users\Richard\Desktop\Combo_Fix.exe
    Command switches used :: c:\users\Richard\Desktop\CFScript.txt
    AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    FILE ::
    "c:\windows\system32\services.exe.7129A6EF3E84AA18"
    "c:\windows\system32\services.exe.F484E0945A62B69A"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\programdata\PCDr\5907\Downloads\140239b3-d59a-46fa-b856-17682a46cb44.dll
    c:\programdata\PCDr\5907\Downloads\f0fc9c9c-10ba-435b-8365-dadb523644ff.dll
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-07-12 to 2012-08-12 )))))))))))))))))))))))))))))))
    .
    .
    2012-08-12 08:02 . 2012-08-12 08:02 -------- d-----w- c:\users\Richard\AppData\Local\temp
    2012-08-12 08:02 . 2012-08-12 08:02 -------- d-----w- c:\users\Hugo\AppData\Local\temp
    2012-08-12 08:02 . 2012-08-12 08:02 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-08-12 07:20 . 2012-08-12 07:20 69000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{22DD5B47-A857-4CA8-A08A-045D71DE8EE4}\offreg.dll
    2012-08-12 07:18 . 2012-08-12 07:18 -------- d-----w- c:\program files (x86)\Common Files\Adobe
    2012-08-12 07:11 . 2012-08-12 07:10 839152 ----a-w- c:\windows\system32\deployJava1.dll
    2012-08-12 07:11 . 2012-08-12 07:11 268784 ----a-w- c:\windows\system32\javaws.exe
    2012-08-12 07:11 . 2012-08-12 07:10 955888 ----a-w- c:\windows\system32\npDeployJava1.dll
    2012-08-12 07:11 . 2012-08-12 07:11 189424 ----a-w- c:\windows\system32\javaw.exe
    2012-08-12 07:11 . 2012-08-12 07:11 188912 ----a-w- c:\windows\system32\java.exe
    2012-08-12 07:10 . 2012-08-12 07:10 -------- d-----w- c:\program files\Java
    2012-08-12 07:06 . 2012-07-16 01:40 9133488 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{22DD5B47-A857-4CA8-A08A-045D71DE8EE4}\mpengine.dll
    2012-08-11 09:44 . 2012-07-16 01:40 9133488 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-08-09 18:40 . 2012-08-09 19:41 -------- d-----w- C:\symbols
    2012-08-09 18:36 . 2012-08-09 18:36 -------- d-----w- c:\users\Richard\SysnativeBSODApps
    2012-08-05 18:56 . 2012-08-05 18:56 -------- d-----w- c:\program files (x86)\XN Resource Editor
    2012-07-31 06:56 . 2012-07-31 06:56 -------- d-----w- c:\program files (x86)\boost - Copy
    2012-07-30 17:49 . 2012-07-30 17:49 -------- d-----w- c:\program files (x86)\boost
    2012-07-30 06:45 . 2012-07-30 06:45 -------- d-----w- c:\users\Richard\_jcgriff2_
    2012-07-29 17:13 . 2012-07-29 17:13 384512 ----a-w- c:\windows\system32\services.exe.F484E0945A62B69A
    2012-07-29 12:17 . 2012-07-29 12:17 384512 ----a-w- c:\windows\system32\services.exe.7129A6EF3E84AA18
    2012-07-29 11:15 . 2012-02-09 13:17 927800 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{50D74B56-A9A9-4DD6-891C-D6F38F2FFD1A}\gapaengine.dll
    2012-07-29 10:33 . 2012-02-09 13:17 927800 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
    2012-07-29 10:22 . 2012-07-29 10:22 -------- d-----w- c:\program files (x86)\Microsoft Security Client
    2012-07-29 10:22 . 2012-07-29 10:22 -------- d-----w- c:\program files\Microsoft Security Client
    2012-07-29 06:49 . 2012-07-29 06:49 -------- d-----w- c:\users\Richard\AppData\Roaming\Malwarebytes
    2012-07-29 06:49 . 2012-07-29 06:49 -------- d-----w- c:\programdata\Malwarebytes
    2012-07-29 06:49 . 2012-07-29 06:49 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2012-07-29 06:49 . 2012-07-03 12:46 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-07-28 19:56 . 2012-07-29 06:58 -------- d-----w- c:\users\Richard\AppData\Roaming\Qyeqt
    2012-07-20 14:35 . 2012-06-02 12:00 818688 ----a-w- c:\windows\system32\jscript.dll
    2012-07-20 14:35 . 2012-06-02 08:26 387584 ----a-w- c:\program files (x86)\Internet Explorer\jsdbgui.dll
    2012-07-20 14:35 . 2012-06-02 12:07 887296 ----a-w- c:\program files\Internet Explorer\iedvtool.dll
    2012-07-20 14:35 . 2012-06-02 12:06 499200 ----a-w- c:\program files\Internet Explorer\jsdbgui.dll
    2012-07-20 14:35 . 2012-06-02 08:27 678912 ----a-w- c:\program files (x86)\Internet Explorer\iedvtool.dll
    2012-07-20 14:35 . 2012-06-02 12:49 17807360 ----a-w- c:\windows\system32\mshtml.dll
    2012-07-20 14:35 . 2012-06-02 12:17 10924032 ----a-w- c:\windows\system32\ieframe.dll
    2012-07-20 14:35 . 2012-06-13 13:58 2769408 ----a-w- c:\windows\system32\win32k.sys
    2012-07-20 14:20 . 2012-06-05 16:22 974848 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
    2012-07-20 14:20 . 2012-06-05 16:47 708608 ----a-w- c:\program files (x86)\Common Files\System\ado\msado15.dll
    2012-07-20 14:20 . 2012-06-05 16:22 1797120 ----a-w- c:\windows\system32\msxml6.dll
    2012-07-20 14:20 . 2012-06-05 16:47 1401856 ----a-w- c:\windows\SysWow64\msxml6.dll
    2012-07-20 14:20 . 2012-06-05 16:22 1869824 ----a-w- c:\windows\system32\msxml3.dll
    2012-07-20 14:20 . 2012-06-05 16:47 1248768 ----a-w- c:\windows\SysWow64\msxml3.dll
    2012-07-20 14:19 . 2012-06-04 15:29 516480 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2012-07-20 14:19 . 2012-06-02 00:22 347136 ----a-w- c:\windows\system32\schannel.dll
    2012-07-20 14:19 . 2012-06-02 00:22 254464 ----a-w- c:\windows\system32\ncrypt.dll
    2012-07-20 14:19 . 2012-06-02 00:05 77312 ----a-w- c:\windows\SysWow64\secur32.dll
    2012-07-20 14:19 . 2012-06-02 00:04 278528 ----a-w- c:\windows\SysWow64\schannel.dll
    2012-07-20 14:19 . 2012-06-02 00:03 204288 ----a-w- c:\windows\SysWow64\ncrypt.dll
    2012-07-20 14:19 . 2012-06-08 17:59 12899840 ----a-w- c:\windows\system32\shell32.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-08-05 10:41 . 2009-08-18 10:24 19720 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
    2012-08-05 07:22 . 2012-04-17 17:25 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2012-08-05 07:22 . 2011-10-16 10:36 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-07-20 14:40 . 2006-11-02 12:35 59701280 ----a-w- c:\windows\system32\mrt.exe
    2012-06-30 08:26 . 2012-06-30 08:26 289656 ----a-w- c:\users\Richard\AppData\Roaming\Microsoft\WebManagement\7.0.0.0\Modules\Microsoft.Web.Deployment.UI.Client_8.0.0.0_31bf3856ad364e35\x86\axNative.dll
    2012-06-30 08:26 . 2012-06-30 08:26 359800 ----a-w- c:\users\Richard\AppData\Roaming\Microsoft\WebManagement\7.0.0.0\Modules\Microsoft.Web.Deployment.UI.Client_8.0.0.0_31bf3856ad364e35\x64\axNative.dll
    2012-06-30 08:25 . 2012-06-30 08:26 12616 ----a-w- c:\users\Richard\AppData\Roaming\Microsoft\WebManagement\7.0.0.0\Modules\Microsoft.Web.Deployment.UI.Client_8.0.0.0_31bf3856ad364e35\en\Microsoft.Web.Delegation.resources.dll
    2012-06-30 08:25 . 2012-06-30 08:26 91976 ----a-w- c:\users\Richard\AppData\Roaming\Microsoft\WebManagement\7.0.0.0\Modules\Microsoft.Web.Deployment.UI.Client_8.0.0.0_31bf3856ad364e35\Microsoft.Web.Delegation.dll
    2012-06-30 08:25 . 2012-06-30 08:26 116552 ----a-w- c:\users\Richard\AppData\Roaming\Microsoft\WebManagement\7.0.0.0\Modules\Microsoft.Web.Deployment.UI.Client_8.0.0.0_31bf3856ad364e35\en\Microsoft.Web.Deployment.resources.dll
    2012-06-30 08:25 . 2012-06-30 08:26 1218376 ----a-w- c:\users\Richard\AppData\Roaming\Microsoft\WebManagement\7.0.0.0\Modules\Microsoft.Web.Deployment.UI.Client_8.0.0.0_31bf3856ad364e35\Microsoft.Web.Deployment.dll
    2012-06-30 08:24 . 2012-06-30 08:25 143360 ----a-w- c:\users\Richard\AppData\Roaming\Microsoft\WebManagement\7.0.0.0\Modules\Web.Management.PHP.Client_1.0.3.0_8175de49a9aec91d\Web.Management.PHP.Client.dll
    2012-06-30 08:24 . 2012-06-30 08:25 603976 ----a-w- c:\users\Richard\AppData\Roaming\Microsoft\WebManagement\7.0.0.0\Modules\Microsoft.Web.Deployment.UI.Client_8.0.0.0_31bf3856ad364e35\Microsoft.Web.Deployment.UI.Client.dll
    2012-06-30 08:24 . 2012-06-30 08:25 300880 ----a-w- c:\users\Richard\AppData\Roaming\Microsoft\WebManagement\7.0.0.0\Modules\Microsoft.Web.Management.DatabaseManager.Client_1.0.1.0_31bf3856ad364e35\Microsoft.Web.Management.DatabaseManager.Client.dll
    2012-06-30 08:24 . 2012-06-30 08:25 547608 ----a-w- c:\users\Richard\AppData\Roaming\Microsoft\WebManagement\7.0.0.0\Modules\Microsoft.Web.Management.Rewrite.Client_7.2.2.1_31bf3856ad364e35\Microsoft.Web.Management.Rewrite.Client.dll
    2012-06-30 08:24 . 2012-06-30 08:25 512000 ----a-w- c:\users\Richard\AppData\Roaming\Microsoft\WebManagement\7.0.0.0\Modules\Microsoft.Web.Management.AspnetClient_7.5.0.0_31bf3856ad364e35\Microsoft.Web.Management.AspnetClient.dll
    2012-06-30 08:24 . 2012-06-30 08:25 1716224 ----a-w- c:\users\Richard\AppData\Roaming\Microsoft\WebManagement\7.0.0.0\Modules\Microsoft.Web.Management.IisClient_7.5.0.0_31bf3856ad364e35\Microsoft.Web.Management.IisClient.dll
    2012-06-14 12:50 . 2012-06-11 12:22 310728 ----a-w- c:\windows\system32\drivers\atksgt.sys
    2012-06-14 12:50 . 2012-06-11 12:21 42696 ----a-w- c:\windows\system32\drivers\lirsgt.sys
    2012-06-02 22:19 . 2012-06-30 07:49 38424 ----a-w- c:\windows\system32\wups.dll
    2012-06-02 22:19 . 2012-06-30 07:49 2428952 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-02 22:19 . 2012-06-30 07:49 44056 ----a-w- c:\windows\system32\wups2.dll
    2012-06-02 22:19 . 2012-06-30 07:49 57880 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-02 22:19 . 2012-06-30 07:49 35864 ----a-w- c:\windows\SysWow64\wups.dll
    2012-06-02 22:19 . 2012-06-30 07:49 701976 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-02 22:19 . 2012-06-30 07:49 577048 ----a-w- c:\windows\SysWow64\wuapi.dll
    2012-06-02 22:15 . 2012-06-30 07:49 2622464 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-02 22:15 . 2012-06-30 07:49 99840 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-02 22:12 . 2012-06-30 07:49 88576 ----a-w- c:\windows\SysWow64\wudriver.dll
    2012-06-02 14:19 . 2012-06-30 07:48 186752 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-02 14:19 . 2012-06-30 07:48 171904 ----a-w- c:\windows\SysWow64\wuwebv.dll
    2012-06-02 14:15 . 2012-06-30 07:48 36864 ----a-w- c:\windows\system32\wuapp.exe
    2012-06-02 14:12 . 2012-06-30 07:48 33792 ----a-w- c:\windows\SysWow64\wuapp.exe
    2012-06-02 07:23 . 2011-04-05 12:55 2382080 ----a-w- c:\programdata\Microsoft\VisualStudio\10.0\1033\ResourceCache.dll
    2012-06-01 09:04 . 2011-04-05 12:55 18368 ----a-w- c:\programdata\Microsoft\VSA\9.0\1033\ResourceCache.dll
    2012-05-31 11:25 . 2011-04-05 07:19 279656 ------w- c:\windows\system32\MpSigStub.exe
    2012-05-22 13:26 . 2012-06-03 14:51 224088 ----a-w- c:\windows\system32\drivers\VBoxDrv.sys
    2012-05-22 13:26 . 2012-06-03 14:50 130904 ----a-w- c:\windows\system32\drivers\VBoxUSBMon.sys
    2012-05-22 13:26 . 2012-05-22 13:26 147288 ----a-w- c:\windows\system32\drivers\VBoxNetAdp.sys
    2012-05-22 13:25 . 2012-05-22 13:25 320856 ----a-w- c:\windows\system32\VBoxNetFltNobj.dll
    2012-05-22 13:25 . 2012-05-22 13:25 166232 ----a-w- c:\windows\system32\drivers\VBoxNetFlt.sys
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-07-29_19.45.34 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-01-21 03:20 . 2012-08-05 07:21 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2008-01-21 03:20 . 2011-04-05 11:28 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2008-01-21 03:20 . 2012-08-05 07:21 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2008-01-21 03:20 . 2011-04-05 11:28 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2008-01-21 03:20 . 2012-08-05 07:21 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2008-01-21 03:20 . 2011-04-05 11:28 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2011-04-05 11:00 . 2009-10-01 00:51 75264 c:\windows\system32\WpdMtpUS.dll
    + 2011-04-05 11:00 . 2009-10-01 00:51 37376 c:\windows\system32\WpdConns.dll
    + 2008-01-21 02:23 . 2012-08-12 06:49 60642 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2006-11-02 15:45 . 2012-08-12 06:49 84814 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
    + 2011-04-04 17:52 . 2012-08-12 06:49 14124 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2788916113-3204535740-887933417-1000_UserData.bin
    + 2011-04-05 11:00 . 2009-10-01 00:51 46592 c:\windows\system32\drivers\WpdUsb.sys
    + 2011-04-04 18:56 . 2006-11-02 11:19 49664 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
    - 2011-04-04 18:56 . 2012-07-29 19:48 49664 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
    + 2011-06-06 11:55 . 2011-06-06 11:55 73624 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\wow_helper.exe
    + 2011-06-06 11:55 . 2011-06-06 11:55 17304 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\ViewerPS.dll
    + 2011-06-06 11:55 . 2011-06-06 11:55 35736 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\reader_sl.exe
    + 2011-06-06 11:55 . 2011-06-06 11:55 88992 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\PDFPrevHndlr.dll
    + 2011-06-06 11:55 . 2011-06-06 11:55 94608 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\eula.exe
    + 2011-06-06 11:55 . 2011-06-06 11:55 64952 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\armsvc.exe
    + 2011-06-06 11:55 . 2011-06-06 11:55 49064 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\acrotextextractor.exe
    + 2011-06-06 11:55 . 2011-06-06 11:55 17824 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroRd32Info.exe
    + 2011-06-06 11:55 . 2011-06-06 11:55 63912 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\acroiehelpershim.dll
    + 2011-06-06 11:55 . 2011-06-06 11:55 64928 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroIEHelper.dll
    + 2011-06-06 11:55 . 2011-06-06 11:55 63384 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\Acrofx32.dll
    + 2011-04-05 11:23 . 2012-07-30 17:24 3306 c:\windows\system32\WDI\ERCQueuedResolutions.dat
    - 2011-04-05 11:23 . 2012-06-30 13:56 3306 c:\windows\system32\WDI\ERCQueuedResolutions.dat
    + 2012-07-30 12:16 . 2012-07-30 12:16 9560 c:\windows\system32\networklist\icons\{B0F92B7D-D433-425C-AFFA-9679A36AA39D}_48.bin
    + 2012-07-30 12:16 . 2012-07-30 12:16 4280 c:\windows\system32\networklist\icons\{B0F92B7D-D433-425C-AFFA-9679A36AA39D}_32.bin
    + 2012-07-30 12:16 . 2012-07-30 12:16 2456 c:\windows\system32\networklist\icons\{B0F92B7D-D433-425C-AFFA-9679A36AA39D}_24.bin
    + 2012-08-07 11:30 . 2012-08-07 11:30 9560 c:\windows\system32\networklist\icons\{11C79D01-43AE-4D08-B29A-703F9A23C6D0}_48.bin
    + 2012-08-07 11:30 . 2012-08-07 11:30 4280 c:\windows\system32\networklist\icons\{11C79D01-43AE-4D08-B29A-703F9A23C6D0}_32.bin
    + 2012-08-07 11:30 . 2012-08-07 11:30 2456 c:\windows\system32\networklist\icons\{11C79D01-43AE-4D08-B29A-703F9A23C6D0}_24.bin
    - 2012-07-29 19:44 . 2012-07-29 19:44 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2012-08-12 06:42 . 2012-08-12 06:42 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2012-07-29 19:44 . 2012-07-29 19:44 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2012-08-12 06:42 . 2012-08-12 06:42 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2012-05-01 08:36 . 2012-05-01 08:36 140376 c:\windows\SysWOW64\MicrosoftUpdateCatalogWebControl.dll
    + 2012-08-05 07:22 . 2012-08-05 07:22 686792 c:\windows\SysWOW64\Macromed\Flash\FlashUtil32_11_3_300_270_ActiveX.exe
    + 2012-08-05 07:22 . 2012-08-05 07:22 466632 c:\windows\SysWOW64\Macromed\Flash\FlashUtil32_11_3_300_270_ActiveX.dll
    + 2012-04-17 17:25 . 2012-08-05 07:22 250056 c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
    - 2012-04-17 17:25 . 2012-07-28 18:16 250056 c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
    + 2011-04-05 11:00 . 2009-10-01 00:51 295936 c:\windows\system32\WpdMtp.dll
    + 2011-04-17 15:03 . 2012-08-11 09:33 245350 c:\windows\system32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
    + 2006-11-02 12:46 . 2012-08-05 19:18 787104 c:\windows\system32\perfh009.dat
    + 2006-11-02 12:46 . 2012-08-05 19:18 175470 c:\windows\system32\perfc009.dat
    + 2012-08-05 07:21 . 2012-08-05 07:21 417992 c:\windows\system32\Macromed\Flash\FlashUtil64_11_3_300_270_ActiveX.exe
    + 2012-08-05 07:21 . 2012-08-05 07:21 513224 c:\windows\system32\Macromed\Flash\FlashUtil64_11_3_300_270_ActiveX.dll
    - 2011-04-04 17:48 . 2012-07-29 18:59 131072 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2011-04-04 17:48 . 2012-08-12 06:44 131072 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2011-04-05 20:09 . 2012-05-31 13:33 411484 c:\windows\ServiceProfiles\LocalService\AppData\Local\WPFFontCache_v0400-System.dat
    + 2011-04-05 20:09 . 2012-08-09 20:15 411484 c:\windows\ServiceProfiles\LocalService\AppData\Local\WPFFontCache_v0400-System.dat
    + 2012-06-04 19:46 . 2012-08-10 08:15 435448 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
    - 2012-06-04 19:46 . 2012-07-29 08:04 435448 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
    + 2011-04-05 07:02 . 2012-08-11 20:46 397372 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    - 2011-04-05 07:02 . 2012-07-29 19:43 397372 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2012-08-12 07:10 . 2012-08-12 07:10 888832 c:\windows\Installer\11d6cc.msi
    + 2011-06-06 11:55 . 2011-06-06 11:55 249232 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\sqlite.dll
    + 2011-06-06 11:55 . 2011-06-06 11:55 394136 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\pdfshell.dll
    + 2011-06-06 11:55 . 2011-06-06 11:55 183696 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\nppdf32.dll
    + 2011-06-06 11:55 . 2011-06-06 11:55 104344 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AiodLite.dll
    + 2011-06-06 11:55 . 2011-06-06 11:55 937920 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\adobearm.exe
    + 2011-06-06 11:55 . 2011-06-06 11:55 102808 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroRdIF.dll
    + 2011-06-06 11:55 . 2011-06-06 11:55 755088 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroPDF.dll
    + 2011-06-06 11:55 . 2011-06-06 11:55 296344 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\acrobroker.exe
    + 2011-06-06 11:55 . 2011-06-06 11:55 205720 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\a3dutils.dll
    + 2012-08-05 16:39 . 2012-08-05 16:39 163328 c:\windows\erdnt\05-08-2012\ERDNT.EXE
    + 2012-08-05 16:39 . 2012-08-05 16:39 217088 c:\windows\erdnt\05-08-2012-2\Users\00000002\NTUSER.DAT
    + 2012-08-05 16:39 . 2012-08-05 16:39 356352 c:\windows\erdnt\05-08-2012-2\Users\00000001\NTUSER.DAT
    + 2012-08-05 16:39 . 2012-08-05 16:39 163328 c:\windows\erdnt\05-08-2012-2\ERDNT.EXE
    + 2011-04-05 11:00 . 2009-10-01 00:51 1195008 c:\windows\system32\drivers\UMDF\WpdMtpDr.dll
    + 2011-04-04 17:48 . 2012-08-12 06:44 2342912 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2011-04-04 17:48 . 2012-07-29 18:59 2342912 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2011-04-04 17:48 . 2012-07-29 18:59 1327104 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2011-04-04 17:48 . 2012-08-12 06:44 1327104 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2011-04-05 20:09 . 2012-08-09 20:15 3771584 c:\windows\ServiceProfiles\LocalService\AppData\Local\WPFFontCache_v0400-S-1-5-21-2788916113-3204535740-887933417-1000-12288.dat
    - 2011-04-05 20:09 . 2012-05-31 13:33 3771584 c:\windows\ServiceProfiles\LocalService\AppData\Local\WPFFontCache_v0400-S-1-5-21-2788916113-3204535740-887933417-1000-12288.dat
    + 2012-08-12 07:19 . 2012-08-12 07:19 2295808 c:\windows\Installer\11d8b2.msi
    + 2011-06-06 11:55 . 2011-06-06 11:55 2215312 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\rt3d.dll
    + 2011-06-06 11:55 . 2011-06-06 11:55 1189004 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\JSByteCodeWin.bin
    + 2011-06-06 11:55 . 2011-06-06 11:55 6543768 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\authplay.dll
    + 2011-06-06 11:55 . 2011-06-06 11:55 1240992 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AdobeCollabSync.exe
    + 2011-06-06 11:55 . 2011-06-06 11:55 1480600 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroRd32.exe
    + 2012-08-05 16:39 . 2012-08-05 16:39 4608000 c:\windows\erdnt\05-08-2012\Users\00000002\UsrClass.dat
    + 2012-08-05 16:39 . 2012-08-05 16:39 8732672 c:\windows\erdnt\05-08-2012\Users\00000001\NTUSER.DAT
    + 2012-08-05 16:39 . 2012-08-05 16:39 4608000 c:\windows\erdnt\05-08-2012-2\Users\00000004\UsrClass.dat
    + 2012-08-05 16:39 . 2012-08-05 16:39 8732672 c:\windows\erdnt\05-08-2012-2\Users\00000003\NTUSER.DAT
    + 2011-04-05 11:05 . 2012-08-11 20:46 27728480 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2788916113-3204535740-887933417-1000-12288.dat
    + 2012-04-04 11:17 . 2012-04-04 11:17 16613376 c:\windows\Installer\11d8b3.msp
    + 2011-06-06 11:55 . 2011-06-06 11:55 24731544 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroRd32.dll
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Akamai NetSession Interface"="c:\users\Richard\AppData\Local\Akamai\netsession_win.exe" [2012-05-26 4327744]
    "WMPNSCFG"="c:\program files (x86)\Windows Media Player\WMPNSCFG.exe" [BU]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
    "VirtualCloneDrive"="c:\program files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2011-03-07 89456]
    "BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
    "UnlockerAssistant"="c:\program files (x86)\Unlocker\UnlockerAssistant.exe" [2010-07-04 17408]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]
    .
    c:\users\Hugo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-5-28 1320288]
    .
    c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-5-28 1320288]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001
    .
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-05 250056]
    S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_15f4e438\AESTSr64.exe [2009-03-19 89600]
    .
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
    iissvcs REG_MULTI_SZ w3svc was
    apphost REG_MULTI_SZ apphostsvc
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    Themes
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-08-12 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-17 07:22]
    .
    2012-08-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-08-07 06:41]
    .
    2012-08-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-08-07 06:41]
    .
    2012-07-29 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
    - c:\program files\Dell Support Center\uaclauncher.exe [2012-05-22 07:16]
    .
    2012-08-12 c:\windows\Tasks\SystemToolsDailyTest.job
    - c:\program files\Dell Support Center\uaclauncher.exe [2012-05-22 07:16]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-11-25 1657128]
    "SysTrayApp"="c:\program files (x86)\IDT\WDM\sttray64.exe" [BU]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 1271168]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.google.co.uk/
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = <local>
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~2\MICROS~2\Office14\ONBttnIE.dll/105
    Trusted Zone: update.microsoft.com
    Trusted Zone: windowsupdate.microsoft.com
    TCP: DhcpNameServer = 192.168.0.1
    CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
    .
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DSFKSVCS\MofImagePath]
    .
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCDSRVC{1E208CE0-FB7451FF-06020101}_0]
    "ImagePath"="\??\c:\program files\dell support center\pcdsrvc_x64.pkms"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
    @Denied: (A) (Everyone)
    "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
    @Denied: (A) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
    "Key"="ActionsPane3"
    "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2012-08-12 09:07:55
    ComboFix-quarantined-files.txt 2012-08-12 08:07
    ComboFix2.txt 2012-07-29 19:54
    .
    Pre-Run: 101,803,151,360 bytes free
    Post-Run: 102,079,614,976 bytes free
    .
    - - End Of File - - 9AE86D2BAC189933C2E3A0BC875FCFCA
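
A note on the Security Center block in the log above: AntiVirusOverride and FirewallOverride are both dword:1. Those values were introduced with XP SP2 to tell Windows Security Center "stop monitoring this component", which silences the tray warning about missing or disabled antivirus or firewall protection. Some legitimate security products set them when they register with Security Center, but they are also an easy place for a rogue AV to keep a disabled antivirus from being noticed, so after a fake-AV cleanup they deserve a look rather than a shrug. The Python below is an added example, not part of this thread and not ComboFix's own code: it parses a ComboFix-style registry block (the sample text is constructed in the same layout, not a real machine's dump) and reports the override values and any Safe Boot service entries. The key paths it compares against and the severity labels are my own assumptions.

```python
"""Audit the Security Center override values and Safe Boot entries in a
ComboFix-style registry block.

Added example for this thread; not code from ComboFix or from the poster.
The sample text is constructed in the ComboFix layout (a [key] header, then
"name"=value lines, with "." separators), not copied from a real machine.
"""
import re
from collections import OrderedDict

# Constructed sample in the ComboFix layout.  The first two keys mirror the
# shape of the log above; the third holds a REG_MULTI_SZ row that the parser
# is expected to skip rather than choke on.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesOverride"=dword:00000000
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
iissvcs REG_MULTI_SZ w3svc was
.
"""

KEY_RE = re.compile(r'^\[(?P<key>.+)\]$')
VALUE_RE = re.compile(r'^(?P<lhs>@|"(?P<name>[^"]*)")=(?P<raw>.*)$')

# Key paths to look for (assumed names; compared lower-cased).
SECURITY_CENTER = 'hkey_local_machine\\software\\microsoft\\security center'
SAFEBOOT_MINIMAL = 'hkey_local_machine\\system\\currentcontrolset\\control\\safeboot\\minimal\\'
OVERRIDE_NAMES = ('AntiVirusOverride', 'FirewallOverride', 'UpdatesOverride')


def parse_reg_dump(text):
    """Return an ordered {key_path: {value_name: raw_value}} mapping.

    Lines that are neither a [key] header nor a "name"=value pair (the "."
    separators, REG_MULTI_SZ rows, hex continuation lines) are ignored.
    """
    keys = OrderedDict()
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == '.':
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group('key')
            keys[current] = OrderedDict()
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = '@' if m.group('lhs') == '@' else m.group('name')
            keys[current][name] = m.group('raw')
    return keys


def dword(raw):
    """Convert a 'dword:xxxxxxxx' value to an int; None for other types."""
    if raw.lower().startswith('dword:'):
        return int(raw[len('dword:'):], 16)
    return None


def audit(text):
    """Return (severity, message) findings for the dump.

    'review' = a Security Center override is set to 1, i.e. Security Center
    was told to stop monitoring that component; 'info' = a service is
    registered to start in Safe Mode (Minimal), which is what lets an
    antivirus such as MSE run there.
    """
    findings = []
    for key, values in parse_reg_dump(text).items():
        k = key.lower()
        if k == SECURITY_CENTER:
            for name in OVERRIDE_NAMES:
                if name in values and dword(values[name]) == 1:
                    findings.append(('review', f'{name}=1: Security Center '
                                     'monitoring for this component is switched off'))
        elif k.startswith(SAFEBOOT_MINIMAL):
            service = key.rsplit('\\', 1)[-1]
            kind = values.get('@', '?').strip('"')
            findings.append(('info', f'Safe Boot (Minimal) entry: {service} ({kind})'))
    return findings


if __name__ == '__main__':
    for severity, message in audit(SAMPLE):
        print(f'[{severity}] {message}')
```

Run it against a saved ComboFix.txt by reading the file into `audit()` instead of `SAMPLE`; anything tagged review should be traced back to a product that legitimately set it before the value is reset.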

#9 Corrine

    Re: Infected with Sirefef :(

Hi, niemiro.

    No, don't worry about the java .cab file. However, expect to update Adobe Reader again soon as Adobe will be releasing critical security updates for Adobe Reader and Acrobat on Patch Tuesday, August 14.

    I'd like you to do an online scan but please wait until you have returned home and have a normal connection again. Then, please go here to run an ESET on-line scan.

    Notes:

    ✱ It is easiest if you use Internet explorer for this scan.
    ✱ If you use an alternate browser, it will be necessary to download the ESET Smart Installer, esetsmartinstaller_enu.exe, when prompted, then double-click to install. Vista/Windows 7 users, select Run as Administrator.
✱ Temporarily disable your antivirus and anti-malware security applications during the scan. This can usually be accomplished by a right-click on the icon in the System Tray. If you are unsure how to disable your security software, see the instructions in this topic at Tech Support Forum: http://www.techsupportforum.com/forums/f50/how-to-disable-your-security-applications-490111.html

    • Select the option YES, I accept the Terms of Use then click:
    • When prompted allow the Add-On/Active X to install.
    • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
    • Now click on Advanced Settings and select the following:
      Scan for potentially unwanted applications
      Scan for potentially unsafe applications
      Enable Anti-Stealth Technology
    • Click the Start button:
• The virus signature database... will begin to download. Be patient. This may take some time depending on your Internet connection.
    • When the signatures have completed downloading, the Online Scan will begin automatically.
    • Do not touch either the mouse or keyboard during the scan. Otherwise it may stall.
    • When the scan is completed, make sure you copy the log file and, if you wish, select Uninstall application on close.
• Click the Finish button.
    • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
    • Copy and paste that log as a reply to this topic.


    Note: Do not forget to re-enable your antivirus and anti-malware software after the scan is complete!


    Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

    Remember - A day without laughter is a day wasted.
    May the wind sing to you and the sun rise in your heart.

#10 niemiro

    Re: Infected with Sirefef :(

    Thank you very much for your continued assistance.

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner64.ocx - registred OK
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
    # OnlineScanner.ocx=1.0.0.6583
    # api_version=3.0.2
    # EOSSerial=2a806ae48b7de84cb6b65090ff53abbf
    # end=finished
    # remove_checked=false
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=true
    # antistealth_checked=true
    # utc_time=2012-08-13 07:12:58
    # local_time=2012-08-13 08:12:58 (+0000, GMT Daylight Time)
    # country="United Kingdom"
    # lang=1033
    # osver=6.0.6002 NT Service Pack 2
    # compatibility_mode=5892 16776574 100 45 143975682 182380969 0 0
    # compatibility_mode=8192 67108863 100 0 385 385 0 0
    # scanned=294725
    # found=1
    # cleaned=0
    # scan_time=28115
    C:\Users\Richard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\20\f604794-2362fe81 a variant of Win32/Kryptik.AJHU trojan (unable to clean) 00000000000000000000000000000000 I
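
The ESET log above is regular enough to script: a block of "# key=value" header lines, then one line per detection carrying the path, the detection name, a 32-hex-digit value and a flag. The Python below is an added example, not ESET's code and not from this thread; it parses that layout into the summary a helper checks first: did the scan finish, was removal left off as requested, does the found count match the detection lines, and is every hit inside the Java deployment cache (which is what makes "clear the Java cache" the right answer rather than a removal script). The sample log is constructed in the same layout with made-up paths, names, hashes and counts. Real ESET logs separate the path and description with a tab, which forum pasting collapses to a space; the parser handles both, with the caveat noted in the comments.

```python
"""Parse an ESET Online Scanner log as pasted in this thread and summarise it.

Added example; not ESET's code and not from the thread.  SAMPLE_LOG is a
constructed log in the same layout with made-up paths, names, hashes and
counts.
"""
import json
import re

SAMPLE_LOG = r"""
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registered OK
# version=7
# end=finished
# remove_checked=false
# archives_checked=true
# scanned=1000
# found=2
# cleaned=0
# scan_time=60
C:\Users\demo\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\20\aaaa1111-bbbb2222 a variant of Win32/Example.A trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\demo\Downloads\setup.exe Win32/Example.B application (unable to clean) 11111111111111111111111111111111 I
"""

HEADER_RE = re.compile(r'^# (?P<key>[^=]+)=(?P<value>.*)$')
# A detection line ends with a 32-hex-digit value and a single-token flag.
DETECTION_RE = re.compile(r'^(?P<rest>.+) (?P<hash>[0-9a-fA-F]{32}) (?P<flag>\S+)$')
# Path fragment (assumed) that identifies the Java deployment cache.
JAVA_CACHE = '\\sun\\java\\deployment\\cache\\'


def parse_eset_log(text):
    """Split the log into (header dict, list of detection dicts)."""
    header, detections = {}, []
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            header[m.group('key')] = m.group('value')  # repeated keys: last one wins
            continue
        m = DETECTION_RE.match(line)
        if not m:
            continue  # installer banner lines and anything else unrecognised
        rest = m.group('rest')
        # ESET writes path<TAB>description; forum pasting collapses the tab
        # to a space.  Prefer the tab when present, otherwise the first space
        # (paths that themselves contain spaces need the original tab-separated log).
        sep = '\t' if '\t' in rest else ' '
        path, _, description = rest.partition(sep)
        detections.append({
            'path': path,
            'description': description,
            'hash': m.group('hash').lower(),
            'flag': m.group('flag'),
            'in_java_cache': JAVA_CACHE in path.lower(),
        })
    return header, detections


def summarise(text):
    """Reduce the log to the questions a helper asks first."""
    header, detections = parse_eset_log(text)
    found = int(header.get('found', 0))
    cleaned = int(header.get('cleaned', 0))
    return {
        'finished': header.get('end') == 'finished',
        'remove_enabled': header.get('remove_checked') == 'true',
        'found': found,
        'cleaned': cleaned,
        'unresolved': found - cleaned,
        'count_matches': found == len(detections),
        'java_cache_only': bool(detections) and all(d['in_java_cache'] for d in detections),
        'detections': detections,
    }


if __name__ == '__main__':
    print(json.dumps(summarise(SAMPLE_LOG), indent=2))
```

Point `summarise()` at the contents of C:\Program Files\ESET\EsetOnlineScanner\log.txt to get the same summary for a real scan; a detection outside the Java cache, as in the second sample line, is the case that still needs hands-on attention.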

#11 Corrine

    Re: Infected with Sirefef :(

    Java is such a pain. To clear the Java cache, please follow the instructions at How do I clear the Java cache?.

    Other than the many months ongoing BSOD issues, is your computer back to normal?



#12 niemiro

    Re: Infected with Sirefef :(

    I have cleared my Java cache :)

    Thank you so, so much for your help here, Corrine. My computer is back to normal now (this is my laptop, and it is in excellent condition - my desktop and its BSOD are another story!)

    Thanks again for your help.

#13 Corrine

    Re: Infected with Sirefef :(

    Excellent!

    Please do the following to implement cleanup procedures and also to reset System Restore points:

    Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

    ComboFix /Uninstall

Note: In the event you wish to contribute to the ongoing development of ComboFix, the developer is accepting donations via PayPal.

    Reminder: Today is "Patch Tuesday". Microsoft Security Updates have been sent to the release channel.

    Adobe has also released the update to Adobe Reader. I recommend using the FTP site as it doesn't include any unneeded extras: ftp://ftp.adobe.com/pub/adobe/reader/win/10.x/10.1.4/

    There was also an Adobe Flash Player update, originally posted as merely addressing crash issues and subsequently updated to include Critical updates:





#14 niemiro

    Re: Infected with Sirefef :(

    Combofix has been uninstalled, and I am currently ensuring everything is fully up to date.
