
"GFI Software Anti MalWare Service has stopped working"


Corrine:
Hi, Sojourner.

Regarding WinZip Registry Optimizer, Windows is a closed source system. Developers of registry cleaners do not have the core code of Windows and are not working on definitive information, but rather they are going on past knowledge and experience. Automatic cleaners will usually have to do some guesswork.

Modifying registry keys incorrectly can cause Windows instability, or make Windows unbootable. No registry cleaner is completely safe and the potential is ever present to cause more problems than they claim to fix.

Registry cleaners cannot distinguish between good and bad. If you run a registry cleaner, it will delete all those keys which are obsolete and sitting idle; but in reality, those keys may well be needed by some programs or Windows at a later time.

If you run a registry cleaner and do not know precisely what you are doing, you will have problems down the road. There are no gains to be had from using a registry cleaner and the risk is great.

From Microsoft at Increase PC speed: Optimize your computer, help your PC run faster:


--- Quote ---Note: This article does not address or recommend tinkering with the registry files. Such activities can be detrimental to your computer and should only be attempted by properly trained professionals.
--- End quote ---

Also see Are registry cleaners necessary?

Should you at any time tinker with the registry, first create a backup.  See Back up the registry


Is "Singing Bowls" part of the GK Chesterton collection?  I note what appears to be registry issues there, which we'll take a look at with the next ComboFix run.  We'll also take care of the left-over GFI software.

There was a previous log with deletions.  Please post a copy of C:\ComboFix-quarantined-files.txt  2012-06-15 22:29 so I can see what ComboFix removed.

Sojourner:
Singing bowls is either a directory of MP3s or a play list.  I have no idea why it would appear in the registry at all.

I'm not sure why you're telling me about registry cleaners - I've never voluntarily run a registry cleaner in my life.  I cancelled whatever the thing was that shouldn't have been on my system as soon as I saw it going.  (Started by an accidental double click when I noticed the extra icon on my desktop that didn't belong - what can I say, I have dexterity issues).


Here's the file requested

2012-06-15 21:41:04 . 2012-06-15 21:41:04               80 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-Skytel.reg.dat
2012-06-15 21:41:04 . 2012-06-15 21:41:04               80 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-Windows Defender.reg.dat
2012-06-15 21:40:55 . 2012-06-15 21:40:55              159 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-HKCU-Run-MUpdates.reg.dat
2012-06-15 21:29:36 . 2012-06-15 22:21:56            4,171 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2012-06-15 21:16:42 . 2012-06-15 22:14:11              102 ----a-w-  C:\Qoobox\Quarantine\catchme.log
2008-04-11 12:03:48 . 2008-04-11 12:03:48          562,688 ----a-w-  C:\Qoobox\Quarantine\C\Install.exe.vir


And here's a file called ComboFix2.txt that was apparently from the first iteration that crashed

ComboFix 12-06-15.06 - Sojourner 06/15/2012  17:21:36.1.8 - x64
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.6134.4867 [GMT -4:00]
Running from: c:\users\Sojourner\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Install.exe
.
.
(((((((((((((((((((((((((   Files Created from 2012-05-15 to 2012-06-15  )))))))))))))))))))))))))))))))
.
.
2012-06-15 21:33 . 2012-06-15 21:33   --------   d-----w-   c:\users\Sojourner\AppData\Local\temp
2012-06-15 21:33 . 2012-06-15 21:33   --------   d-----w-   c:\users\Default\AppData\Local\temp
2012-06-15 21:02 . 2012-06-15 21:02   --------   d-----w-   c:\users\Sojourner\.config
2012-06-15 20:47 . 2012-06-15 20:47   --------   d-----w-   c:\programdata\GFI Software
2012-06-14 16:31 . 2012-06-14 16:31   --------   d-----w-   c:\users\Sojourner\AppData\Roaming\Thunderbird
2012-06-14 16:31 . 2012-06-14 16:31   --------   d-----w-   c:\users\Sojourner\AppData\Local\Thunderbird
2012-06-14 05:23 . 2012-06-14 13:26   --------   d-----w-   c:\users\Sojourner\AppData\Roaming\Nico Mak Computing
2012-06-14 05:23 . 2011-11-10 14:33   18760   ----a-w-   c:\windows\system32\roboot64.exe
2012-06-14 05:23 . 2012-06-14 13:27   --------   d-----w-   c:\program files (x86)\WinZip Registry Optimizer
2012-06-14 05:20 . 2012-05-01 14:29   209920   ----a-w-   c:\windows\system32\drivers\rdpwd.sys
2012-06-14 05:20 . 2012-05-15 20:15   2767360   ----a-w-   c:\windows\system32\win32k.sys
2012-06-11 10:04 . 2012-06-11 10:04   --------   d-----w-   c:\program files (x86)\Dropbox
2012-06-09 16:21 . 2012-06-09 16:21   --------   d-----w-   c:\program files (x86)\MSXML 4.0
2012-06-08 07:40 . 2012-06-08 07:40   --------   d-----w-   c:\program files (x86)\Common Files\xing shared
2012-06-08 07:39 . 2012-06-08 07:39   129144   ----a-w-   c:\program files (x86)\Mozilla Firefox\plugins\nprpplugin.dll
2012-06-08 06:27 . 2012-06-08 06:30   --------   d-----w-   c:\users\Sojourner\AppData\Local\adawarebp
2012-06-06 08:56 . 2012-06-06 08:56   955848   ----a-w-   c:\windows\system32\npDeployJava1.dll
2012-06-06 08:56 . 2012-06-06 08:56   --------   d-----w-   c:\program files\Java
2012-06-03 07:07 . 2012-06-03 07:07   --------   d-----w-   c:\program files (x86)\Common Files\Java
2012-06-03 07:07 . 2012-06-03 07:06   772552   ----a-w-   c:\windows\SysWow64\npDeployJava1.dll
2012-05-31 09:39 . 2012-05-31 09:39   419488   ----a-w-   c:\windows\SysWow64\FlashPlayerApp.exe
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-08 07:39 . 2012-03-27 16:35   499712   ----a-w-   c:\windows\SysWow64\msvcp71.dll
2012-06-08 07:39 . 2012-03-27 16:35   348160   ----a-w-   c:\windows\SysWow64\msvcr71.dll
2012-06-06 08:56 . 2011-05-12 20:37   839112   ----a-w-   c:\windows\system32\deployJava1.dll
2012-06-03 07:06 . 2011-05-12 20:37   687560   ----a-w-   c:\windows\SysWow64\deployJava1.dll
2012-05-31 09:39 . 2011-05-13 18:41   70304   ----a-w-   c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-04-19 00:56 . 2012-04-19 00:56   94208   ----a-w-   c:\windows\SysWow64\QuickTimeVR.qtx
2012-04-19 00:56 . 2012-04-19 00:56   69632   ----a-w-   c:\windows\SysWow64\QuickTime.qts
2012-04-03 08:22 . 2012-05-10 01:35   4699520   ----a-w-   c:\windows\system32\ntoskrnl.exe
2012-03-30 12:45 . 2012-05-10 01:36   1423744   ----a-w-   c:\windows\system32\drivers\tcpip.sys
2012-03-20 23:34 . 2012-05-10 01:35   72576   ----a-w-   c:\windows\system32\drivers\partmgr.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{2adefb8e-b923-35e6-86e2-2b7841f5d6a4}]
2009-11-08 14:55   297808   ----a-w-   c:\windows\System32\mscoree.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32   94208   ----a-w-   c:\users\Sojourner\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32   94208   ----a-w-   c:\users\Sojourner\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32   94208   ----a-w-   c:\users\Sojourner\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32   94208   ----a-w-   c:\users\Sojourner\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1555968]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"Spotify Web Helper"="c:\users\Sojourner\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2012-05-14 932528]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="c:\program files (x86)\Winamp\winampa.exe" [2011-03-22 74752]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"QuickTime Task"="c:\program files (x86)\Media\Quicktime\QTTask.exe" [2012-04-19 421888]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
"TkBellExe"="c:\program files (x86)\Real\RealPlayer\update\realsched.exe" [2012-06-08 296056]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"adaware"="reg.exe delete HKCU\Software\AppDataLow\Software\adaware" [X]
"adaware_XP"="reg.exe delete HKCU\Software\adaware" [X]
.
c:\users\Sojourner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Sojourner\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-6-6 27502520]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
R4 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-02-24 88576]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-29 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2012-04-13 06:11]
.
2012-06-15 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\uaclauncher.exe [2012-04-13 06:11]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32   97792   ----a-w-   c:\users\Sojourner\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32   97792   ----a-w-   c:\users\Sojourner\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32   97792   ----a-w-   c:\users\Sojourner\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32   97792   ----a-w-   c:\users\Sojourner\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-02-24 6975520]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 2244680]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 2206280]
"CanonSolutionMenu"="c:\program files (x86)\Canon\SolutionMenu\CNSLMAIN.exe" [2009-09-04 767312]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dell.com
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\Sojourner\AppData\Roaming\Mozilla\Firefox\Profiles\6ae0q1en.default\
FF - prefs.js: browser.search.selectedEngine - DuckDuckGo
FF - prefs.js: browser.startup.homepage - hxxp://www.kingarthurflour.com/customerservice/promotions.html|http://www.jigidi.com/login.php|http://www.jigzone.com/|http://www.allexperts.com/expertx.cgi
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
------- File Associations -------
.
.reg=Regedit.Document
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-MUpdates - c:\users\Sojourner\AppData\Roaming\MCommon\MUpdates_new.exe
HKLM-Run-Windows Defender - c:\program files (x86)\Windows Defender\MSASCui.exe
HKLM-Run-Skytel - c:\program files\Realtek\Audio\HDA\Skytel.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCDSRVC{1E208CE0-FB7451FF-06020101}_0]
"ImagePath"="\??\c:\program files\dell support center\pcdsrvc_x64.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1474229224-1477735228-1670432976-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*w*a*9DÀ*<*ˆàRtÐ?Rt demux: access='file' demux='' path='c:\users\Sojourner\Desktop\My Files\Music\Singing Bowls\100 15 E Master.mp3'*þ„*DÀ**€Ü]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-1474229224-1477735228-1670432976-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*w*a*9DÀ*<*ˆàRtÐ?Rt demux: access='file' demux='' path='c:\users\Sojourner\Desktop\My Files\Music\Singing Bowls\100 15 E Master.mp3'*þ„*DÀ**€Ü\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-1474229224-1477735228-1670432976-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*w*a*·¬£^\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-1474229224-1477735228-1670432976-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.*w*a*9DÀ*<*ˆàRtÐ?Rt demux: access='file' demux='' path='c:\users\Sojourner\Desktop\My Files\Music\Singing Bowls\100 15 E Master.mp3'*þ„*DÀ**€Ü]
@Allowed: (Read) (RestrictedCode)
"0"=hex:43,3a,5c,55,73,65,72,73,5c,53,6f,6a,6f,75,72,6e,65,72,5c,44,65,73,6b,
   74,6f,70,5c,4d,79,20,46,69,6c,65,73,5c,4d,75,73,69,63,5c,53,69,6e,67,69,6e,\
"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10m.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10m.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10m.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10m.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2012-06-15  17:41:47 - machine was rebooted
ComboFix-quarantined-files.txt  2012-06-15 21:41
.
Pre-Run: 260,908,331,008 bytes free
Post-Run: 269,034,684,416 bytes free
.
- - End Of File - - C9E22B70B6833ABE7B93E91017F3CA3D
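The log above has a handful of regular line shapes: the `created . modified   size   attrs   path` rows in the "Files Created" and quarantine listings, `[HKEY_...]` section headers, and `"Name"="command" [date size]` autorun entries (with `[X]` when the target file is missing). As an added example, not part of this thread and not ComboFix's own code, the Python below parses those shapes from a constructed sample and applies the same reasoning Corrine uses later in the thread: find what was created at the same moment as the "WinZip Registry Optimizer" folder. The column layout is inferred from the log as posted, and the sample lines are constructed for this example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed sample in the shape of the ComboFix log posted above. It is not a
# real log file; the lines were picked to exercise each layout the parser knows.
SAMPLE_LOG = r"""
2012-06-14 05:23 . 2012-06-14 13:27   --------   d-----w-   c:\program files (x86)\WinZip Registry Optimizer
2012-06-14 05:23 . 2011-11-10 14:33   18760   ----a-w-   c:\windows\system32\roboot64.exe
2012-06-15 20:47 . 2012-06-15 20:47   --------   d-----w-   c:\programdata\GFI Software
2012-06-11 10:04 . 2012-06-11 10:04   --------   d-----w-   c:\program files (x86)\Dropbox
2008-04-11 12:03:48 . 2008-04-11 12:03:48          562,688 ----a-w-  C:\Qoobox\Quarantine\C\Install.exe.vir
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1555968]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"adaware"="reg.exe delete HKCU\Software\AppDataLow\Software\adaware" [X]
"""

# Timestamps appear as "YYYY-MM-DD HH:MM" in the scan sections and with seconds
# in the quarantine listing; sizes are "--------" for directories.
_TS = r"\d{4}-\d\d-\d\d \d\d:\d\d(?::\d\d)?"
FILE_RE = re.compile(rf"^({_TS}) \. ({_TS})\s+(-+|[\d,]+)\s+([d-][-a-z]{{7}})\s+(.+?)\s*$")
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
RUN_RE = re.compile(r'^"([^"]+)"="([^"]*)" \[(?:(\d{4}-\d{1,2}-\d{1,2}) (\d+)|X)\]$')


@dataclass
class FileEntry:
    created: datetime
    modified: datetime
    size: Optional[int]        # None for directories
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")


@dataclass
class RunEntry:
    key: str                   # registry key the entry was listed under
    name: str
    command: str
    file_date: Optional[str]   # None when ComboFix printed [X]: target file missing
    size: Optional[int]


def _parse_ts(s: str) -> datetime:
    fmt = "%Y-%m-%d %H:%M:%S" if s.count(":") == 2 else "%Y-%m-%d %H:%M"
    return datetime.strptime(s, fmt)


def parse_combofix(text: str) -> Tuple[List[FileEntry], List[RunEntry]]:
    """Extract file rows and autorun entries; every other line shape is skipped."""
    files: List[FileEntry] = []
    runs: List[RunEntry] = []
    current_key = ""
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line == ".":
            continue
        if m := KEY_RE.match(line):
            current_key = m.group(1)
        elif m := FILE_RE.match(line):
            created, modified, size, attrs, path = m.groups()
            size_val = None if size.startswith("-") else int(size.replace(",", ""))
            files.append(FileEntry(_parse_ts(created), _parse_ts(modified), size_val, attrs, path))
        elif m := RUN_RE.match(line):
            name, command, fdate, fsize = m.groups()
            runs.append(RunEntry(current_key, name, command, fdate, int(fsize) if fsize else None))
    return files, runs


def created_alongside(files: List[FileEntry], reference_path: str, window_minutes: int = 30) -> List[str]:
    """Paths created within +/- window of the reference entry's creation time.
    Whatever arrived at the same moment as an unwanted folder is a candidate
    for having come in with the same install."""
    ref = next((f for f in files if f.path.lower() == reference_path.lower()), None)
    if ref is None:
        raise KeyError(reference_path)
    window = timedelta(minutes=window_minutes)
    return sorted(f.path for f in files if f is not ref and abs(f.created - ref.created) <= window)


def copied_in_files(files: List[FileEntry]) -> List[FileEntry]:
    """Files whose modified time is more than a day older than their creation time.
    Windows keeps the modified time when a file is copied in, so a fresh creation
    time paired with an old modified time means the file was dropped from elsewhere
    rather than written here. Legitimate installers and updates do this too, so
    treat it as a triage hint, not proof."""
    return [f for f in files if not f.is_dir and f.created - f.modified > timedelta(days=1)]


def missing_run_targets(runs: List[RunEntry]) -> List[RunEntry]:
    """Autorun entries whose target ComboFix could not find ([X])."""
    return [r for r in runs if r.file_date is None]


if __name__ == "__main__":
    files, runs = parse_combofix(SAMPLE_LOG)
    ref = r"c:\program files (x86)\WinZip Registry Optimizer"
    print("created alongside", ref, "->", created_alongside(files, ref))
    print("copied-in files ->", [f.path for f in copied_in_files(files)])
    print("autoruns with missing target ->", [r.name for r in missing_run_targets(runs)])
```

Run against the sample, the 30-minute window around the WinZip Registry Optimizer folder returns only `roboot64.exe`, which also shows up in the copied-in list because its modified time predates its creation by seven months; the `adaware` RunOnce entry is reported as pointing at a missing target. Both heuristics are starting points for a human reading the log, not verdicts.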

Sojourner:
BTW, the "GK Chesterton collection" is a bunch of mobi files originally sourced from Project Gutenberg - etext of 100 year old books, basically.

Sojourner:
BTW it occurs to me to wonder - about that "Singing Bowls" file or directory or whatever - the MOG desktop application may be responsible for that.  It's flash, and it may be leveraging one of the browsers to run.  I'm trying to find out - have e-mailed MOG trying to find out just exactly what that thing is, since the only thing I can find is a 286 byte file called MOG with no extension.  At any rate, I have a playlist on MOG called "Singing Bowls" which I frequently access - perhaps whatever you are seeing is an artifact of MOG...

Corrine:
Hi, Sojourner. 

Since you don't use registry cleaners, it appears that "WinZip Registry Optimizer" was another uninvited install with something you did on June 14:  2012-06-14 05:23 . 2012-06-14 13:27   --------   d-----w-   c:\program files (x86)\WinZip Registry Optimizer.  We'll take care of that and the GFI left-overs.

As long as "Singing Bowls" is working correctly, I'm going to leave that entry alone.  As you indicated that it is related to MOG, the Unicode in the log may be due to that.

Custom CFScript

Note: The following instructions were created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


* Please open Notepad (Click Start -> Run -> type notepad in the Open field -> OK).  Copy/Paste all of the text present inside the code box below:
--- Code: ---
File::
C:\Windows\system32\DRIVERS\SBFWIM.sys
C:\Windows\system32\drivers\sbhips.sys
C:\Windows\system32\DRIVERS\sbwtis.sys

Driver::
SBFWIM.sys
sbhips.sys
sbwtis.sys

Folder::
c:\program files (x86)\WinZip Registry Optimizer
c:\programdata\GFI Software

--- End code ---

* Save this as CFScript.txt and place it on your desktop.
* Close any open browsers.
* Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

[screenshot omitted: CFScript.txt being dragged onto ComboFix.exe]

* Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
* ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
* When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
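The CFScript above uses three directives, `File::`, `Driver::` and `Folder::`, each followed by one target per line. As an added example (not part of this thread and not ComboFix's own code), the Python below parses a script in that shape, checks that every `Driver::` name has a matching `File::` path so the driver file and its service registration are removed together, and, after the run, reports any listed file or folder that still exists. The `exists` callback is injected so the check can be exercised on a constructed view of the filesystem instead of the live machine; the script text is copied from the post above as sample input.

```python
import ntpath
import os
from typing import Callable, Dict, List

# Sample input: the CFScript posted above, used here only as parser input.
CFSCRIPT = r"""File::
C:\Windows\system32\DRIVERS\SBFWIM.sys
C:\Windows\system32\drivers\sbhips.sys
C:\Windows\system32\DRIVERS\sbwtis.sys

Driver::
SBFWIM.sys
sbhips.sys
sbwtis.sys

Folder::
c:\program files (x86)\WinZip Registry Optimizer
c:\programdata\GFI Software
"""


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Map each 'Name::' directive to the non-blank lines that follow it."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
        else:
            raise ValueError(f"entry before any directive: {line!r}")
    return sections


def driver_file_mismatches(sections: Dict[str, List[str]]) -> List[str]:
    """Driver:: names with no File:: entry, and File:: basenames with no Driver::
    entry. A clean script lists both halves for every driver (case-insensitive,
    as the Windows filesystem is)."""
    file_names = {ntpath.basename(p).lower() for p in sections.get("File", [])}
    driver_names = {d.lower() for d in sections.get("Driver", [])}
    return sorted(driver_names ^ file_names)


def leftovers_after_run(sections: Dict[str, List[str]], exists: Callable[[str], bool]) -> List[str]:
    """File:: and Folder:: targets that still exist after ComboFix has run."""
    targets = sections.get("File", []) + sections.get("Folder", [])
    return [p for p in targets if exists(p)]


if __name__ == "__main__":
    script = parse_cfscript(CFSCRIPT)
    print("driver/file mismatches:", driver_file_mismatches(script))
    # On the machine that ran ComboFix, os.path.exists gives the real answer.
    print("still present:", leftovers_after_run(script, os.path.exists))
```

For the posted script the mismatch list is empty: all three `Driver::` names correspond to a `File::` path. If a target is still present afterwards, that is the thing to report back in the next reply rather than something to delete by hand.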
