Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with Smart Fortress 2012


  • Please log in to reply
18 replies to this topic

#1 doughersh

doughersh

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:57 AM

Posted 02 May 2012 - 06:44 PM

Hello, my computer recently became infected with Smart Fortress 2012, and I immediately tried the guide given on this website. The FitExec file seemed to work in allowing me to download and run MbAM twice. The first time, it detected a few files,which I deleted, whereas the secod time, it detected no files. Parts of SM2012 still lingered, so I deleted the first registry entry in the self-help guide, but did no other deleting of files. My computer is usable, and the SM2012 shortcuts are deleted, but I still can't delete the actual program. Here is my DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64 NETWORK
Internet Explorer: 9.0.8112.16421
Run by Doug at 19:16:59 on 2012-05-02
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3885.2989 [GMT -4:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Doug\Desktop\Defogger.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://seedbed.com/
uDefault_Page_URL = hxxp://asus.msn.com
uInternet Settings,ProxyServer = proxy33.asbury.edu:8080
uInternet Settings,ProxyOverride = *.local;<local>
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: PodcastBHO Class: {65134fdf-f8a5-4b3d-91d9-cdf273cfd578} - C:\Program Files (x86)\Common Files\doubleTwist\IEPodcastPlugin.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - C:\Program Files (x86)\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [HLBackupScheduler] C:\Program Files\Verizon V CAST Media Manager\V CAST Backup Scheduler.exe
uRun: [uptfo] rundll32.exe "C:\Users\Doug\AppData\Local\Temp\uptfo.dll",CreateFontW
uRun: [Yqxoygqy] C:\Users\Doug\AppData\Roaming\Eradga\deafs.exe
uRun: [Sasueqy] C:\Users\Doug\AppData\Roaming\Guobha\beab.exe
mRun: [UpdateLBPShortCut] "C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"
mRun: [UpdateP2GoShortCut] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
mRun: [Boingo Wi-Fi] "C:\Program Files (x86)\Boingo\Boingo Wi-Fi\Boingo.lnk"
mRun: [ATKOSD2] C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe
mRun: [ATKMEDIA] C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe
mRun: [HControlUser] C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe
mRun: [Wireless Console 3] C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe
mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun: [x3watch] "C:\Program Files (x86)\X3watch\x3watch.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [VMM Mode Selection] C:\Program Files\HTC\ModeSelection\VMMModeSelection.exe
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
StartupFolder: C:\Users\Doug\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\Doug\AppData\Roaming\Dropbox\bin\Dropbox.exe
StartupFolder: C:\Users\Doug\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\EVERNO~1.LNK - C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\FANCYS~1.LNK - C:\Windows\Installer\{2B81872B-A054-48DA-BE3B-FA5C164C303A}\_C4A2FC3E3722966204FDD8.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SRSPRE~1.LNK - C:\Windows\Installer\{E5CF6B9C-3ABE-43C9-9413-AD5FFC98F049}\NewShortcut5_21C7B668029A47458B27645FE6E4A715.exe
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Evernote 4.0 - C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
Trusted Zone: tellmemorecampus.com\start
Trusted Zone: tellmemorecampus.com\start
DPF: {57055870-7F19-46ED-B1DD-56004FBFCB9D} - hxxp://www.hipmediastore.com/HipDigitalDownloadManager.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - hxxp://www.photodex.com/pxplay.cab
TCP: DhcpNameServer = 172.20.2.15 172.20.2.9 172.20.2.18 172.20.2.16
TCP: Interfaces\{33634265-16F0-4EE3-A57F-7C6978D68ECF} : DhcpNameServer = 172.20.2.15 172.20.2.9 172.20.2.18 172.20.2.16
TCP: Interfaces\{B206EE20-1974-451E-A632-099AC2B7E49B} : DhcpNameServer = 172.20.2.15 172.20.2.9 172.20.2.18 172.20.2.16
TCP: Interfaces\{B206EE20-1974-451E-A632-099AC2B7E49B}\1437265727970275962756C6563737 : DhcpNameServer = 172.20.2.15 172.20.2.9 172.20.2.18 172.20.2.16
TCP: Interfaces\{B206EE20-1974-451E-A632-099AC2B7E49B}\16474777966696 : DhcpNameServer = 10.128.58.129 64.134.255.2 64.134.255.10
TCP: Interfaces\{B206EE20-1974-451E-A632-099AC2B7E49B}\2457E67616C6F677130313 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{B206EE20-1974-451E-A632-099AC2B7E49B}\7574D4F57457563747 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{B206EE20-1974-451E-A632-099AC2B7E49B}\7594E4F5731323 : DhcpNameServer = 192.168.254.254
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO-X64: PodcastBHO Class: {65134FDF-F8A5-4B3D-91D9-CDF273CFD578} - C:\Program Files (x86)\Common Files\doubleTwist\IEPodcastPlugin.dll
BHO-X64: dTPodcastBHO - No File
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO-X64: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
BHO-X64: Google Dictionary Compression sdch: {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files (x86)\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
BHO-X64: Google Dictionary Compression sdch - No File
BHO-X64: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB-X64: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
mRun-x64: [UpdateLBPShortCut] "C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"
mRun-x64: [UpdateP2GoShortCut] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
mRun-x64: [Boingo Wi-Fi] "C:\Program Files (x86)\Boingo\Boingo Wi-Fi\Boingo.lnk"
mRun-x64: [ATKOSD2] C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe
mRun-x64: [ATKMEDIA] C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe
mRun-x64: [HControlUser] C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe
mRun-x64: [Wireless Console 3] C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe
mRun-x64: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun-x64: [x3watch] "C:\Program Files (x86)\X3watch\x3watch.exe"
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [VMM Mode Selection] C:\Program Files\HTC\ModeSelection\VMMModeSelection.exe
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
IE-X64: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
.
============= SERVICES / DRIVERS ===============
.
R0 lullaby;lullaby;C:\Windows\system32\DRIVERS\lullaby.sys --> C:\Windows\system32\DRIVERS\lullaby.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R3 ETD;ELAN PS/2 Port Input Device;C:\Windows\system32\DRIVERS\ETD.sys --> C:\Windows\system32\DRIVERS\ETD.sys [?]
R3 HECIx64;Intel® Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
R3 JME;JMicron Ethernet Adapter NDIS6.20 Driver (Amd64 Bits);C:\Windows\system32\DRIVERS\JME.sys --> C:\Windows\system32\DRIVERS\JME.sys [?]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
S0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
S2 AFBAgent;AFBAgent;"C:\Windows\system32\FBAgent.exe" --> C:\Windows\system32\FBAgent.exe [?]
S2 ASMMAP64;ASMMAP64;C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\ASMMAP64.sys [2009-7-2 15416]
S2 BBSvc;Bing Bar Update Service;C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-10-21 196176]
S2 BBUpdate;BBUpdate;C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE [2011-10-13 249648]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-7-13 135664]
S2 iPodDrv;iPodDrv;\??\C:\Windows\system32\drivers\iPodDrv.sys --> C:\Windows\system32\drivers\iPodDrv.sys [?]
S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-5-2 654408]
S2 UNS;Intel® Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-7-13 2314240]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-4-17 253088]
S3 fssfltr;fssfltr;C:\Windows\system32\DRIVERS\fssfltr.sys --> C:\Windows\system32\DRIVERS\fssfltr.sys [?]
S3 fsssvc;Windows Live Family Safety;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2008-12-8 533344]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-7-13 135664]
S3 Impcd;Impcd;C:\Windows\system32\DRIVERS\Impcd.sys --> C:\Windows\system32\DRIVERS\Impcd.sys [?]
S3 IntcDAud;Intel® Display Audio;C:\Windows\system32\DRIVERS\IntcDAud.sys --> C:\Windows\system32\DRIVERS\IntcDAud.sys [?]
S3 JMCR;JMCR;C:\Windows\system32\DRIVERS\jmcr.sys --> C:\Windows\system32\DRIVERS\jmcr.sys [?]
S3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
S3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2012-3-26 291696]
S3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;C:\Windows\system32\DRIVERS\SiSG664.sys --> C:\Windows\system32\DRIVERS\SiSG664.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2012-05-02 20:56:25 457632 ----a-w- C:\FixExec64.com
2012-05-02 20:52:35 883616 ----a-w- C:\FixExec.com
2012-05-02 19:54:43 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-05-02 19:54:43 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-05-02 19:38:59 -------- d-----w- C:\Users\Doug\AppData\Roaming\Malwarebytes
2012-05-02 19:38:56 -------- d-----w- C:\ProgramData\Malwarebytes
2012-05-02 17:55:45 -------- d-----w- C:\ProgramData\B7E8586B000073A100039561B4EB2367
2012-05-02 17:46:36 -------- d-----w- C:\Users\Doug\AppData\Roaming\Ittui
2012-05-02 17:46:36 -------- d-----w- C:\Users\Doug\AppData\Roaming\Guobha
2012-05-02 17:46:36 -------- d-----w- C:\Users\Doug\AppData\Roaming\Adqeg
2012-05-02 17:46:33 -------- d-----w- C:\Users\Doug\AppData\Local\WAV
2012-05-02 17:46:26 -------- d-----w- C:\Users\Doug\AppData\Roaming\Soim
2012-05-02 17:46:26 -------- d-----w- C:\Users\Doug\AppData\Roaming\Eradga
2012-05-02 17:46:26 -------- d-----w- C:\Users\Doug\AppData\Roaming\Doapyf
2012-04-30 23:20:17 8917360 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{BBDA3015-B7E9-4927-BF59-63E2F7EB2F97}\mpengine.dll
2012-04-29 11:29:29 8917360 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-04-29 11:29:17 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client
2012-04-23 12:06:50 5559152 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-04-23 12:06:49 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-04-23 12:06:49 3913072 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-04-23 12:02:45 23408 ----a-w- C:\Windows\System32\drivers\fs_rec.sys
2012-04-23 12:02:44 81408 ----a-w- C:\Windows\System32\imagehlp.dll
2012-04-23 12:02:44 159232 ----a-w- C:\Windows\SysWow64\imagehlp.dll
2012-04-23 12:02:42 5120 ----a-w- C:\Windows\SysWow64\wmi.dll
2012-04-23 12:02:42 5120 ----a-w- C:\Windows\System32\wmi.dll
2012-04-23 12:02:42 220672 ----a-w- C:\Windows\System32\wintrust.dll
2012-04-23 12:02:42 172544 ----a-w- C:\Windows\SysWow64\wintrust.dll
2012-04-17 22:51:20 418464 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
.
==================== Find3M ====================
.
2012-05-02 17:49:44 70304 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-03-21 00:44:12 98688 ----a-w- C:\Windows\System32\drivers\NisDrvWFP.sys
2012-03-21 00:44:12 203888 ----a-w- C:\Windows\System32\drivers\MpFilter.sys
2012-02-28 06:56:48 2311168 ----a-w- C:\Windows\System32\jscript9.dll
2012-02-28 06:49:56 1390080 ----a-w- C:\Windows\System32\wininet.dll
2012-02-28 06:48:57 1493504 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-02-28 06:42:55 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-02-28 01:18:55 1799168 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-02-28 01:11:21 1427456 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-02-28 01:11:07 1127424 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-02-28 01:03:16 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-02-17 06:38:26 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
2012-02-17 05:34:22 826880 ----a-w- C:\Windows\SysWow64\rdpcore.dll
2012-02-17 04:58:24 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
2012-02-17 04:57:32 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
2012-02-15 16:01:50 52736 ----a-w- C:\Windows\System32\drivers\usbaapl64.sys
2012-02-15 16:01:50 4547944 ----a-w- C:\Windows\System32\usbaaplrc.dll
2012-02-10 06:36:07 1544192 ----a-w- C:\Windows\System32\DWrite.dll
2012-02-10 05:38:43 1077248 ----a-w- C:\Windows\SysWow64\DWrite.dll
2012-02-07 15:02:40 1070352 ----a-w- C:\Windows\SysWow64\MSCOMCTL.OCX
2012-02-03 04:34:34 3145728 ----a-w- C:\Windows\System32\win32k.sys
2009-04-08 17:31:56 106496 ----a-w- C:\Program Files (x86)\Common Files\CPInstallAction.dll
2008-08-12 04:45:20 155648 ----a-w- C:\Program Files (x86)\Common Files\MSIactionall.dll
.
============= FINISH: 19:18:48.70 ===============





Attached is my Attach log
I have no GMER log because I'm using 64-bit windows

Attached Files



BC AdBot (Login to Remove)

 


#2 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:09:57 AM

Posted 02 May 2012 - 11:21 PM

Welcome to BleepingComputer, doughersh!

Please download RogueKiller

•When you get to the website, go to where it says:
(Download link) Lien de téléchargement: Posted Image
•Click the dark-blue button to download.
•Save to the Desktop

•Close all windows and browsers
•Windows Seven: Right-click and select 'Run as Administrator'
•Press: SCAN
•A report opens on the Desktop: RKreport.txt

Please copy/paste the RKreport.txt , and provide it in your reply.


Note:
If RogueKiller is blocked by the malware, try running it again.
If it still fails to run, right-click on the downloaded icon and select: Rename
Then, rename it to winlogon.exe and try again.

Old duck...


#3 doughersh

doughersh
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:57 AM

Posted 03 May 2012 - 07:53 AM

RogueKiller V7.4.2 [05/03/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User: Doug [Admin rights]
Mode: Scan -- Date: 05/03/2012 08:50:45

¤¤¤ Bad processes: 2 ¤¤¤
[SUSP PATH] beab.exe -- C:\Users\Doug\AppData\Roaming\Guobha\beab.exe -> KILLED [TermProc]
[SUSP PATH] deafs.exe -- C:\Users\Doug\AppData\Roaming\Eradga\deafs.exe -> KILLED [TermProc]

¤¤¤ Registry Entries: 11 ¤¤¤
[BLACKLIST DLL] HKCU\[...]\Run : uptfo (rundll32.exe "C:\Users\Doug\AppData\Local\Temp\uptfo.dll",CreateFontW) -> FOUND
[SUSP PATH] HKCU\[...]\Run : Yqxoygqy (C:\Users\Doug\AppData\Roaming\Eradga\deafs.exe) -> FOUND
[SUSP PATH] HKCU\[...]\Run : Sasueqy (C:\Users\Doug\AppData\Roaming\Guobha\beab.exe) -> FOUND
[BLACKLIST DLL] HKUS\S-1-5-21-628865786-584876710-3318370673-1000[...]\Run : uptfo (rundll32.exe "C:\Users\Doug\AppData\Local\Temp\uptfo.dll",CreateFontW) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-628865786-584876710-3318370673-1000[...]\Run : Yqxoygqy (C:\Users\Doug\AppData\Roaming\Eradga\deafs.exe) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-628865786-584876710-3318370673-1000[...]\Run : Sasueqy (C:\Users\Doug\AppData\Roaming\Guobha\beab.exe) -> FOUND
[PROXY IE] HKCU\[...]\Internet Settings : ProxyEnable (1) -> FOUND
[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (proxy33.asbury.edu:8080) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HTS545032B9A300 +++++
--- User ---
[MBR] 9c74ec6845edc4dedb4f6b88d7719492
[BSP] b8e681ec20f3f51e484d81d4ade624cc : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0x1c) [HIDDEN!] Offset (sectors): 63 | Size: 20002 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 40965750 | Size: 76308 Mo
2 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 197246976 | Size: 208932 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1].txt >>
RKreport[1].txt

#4 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:09:57 AM

Posted 03 May 2012 - 02:11 PM

Let's press on with RogueKiller...

•Please quit all programs
•Double-click the RogueKiller file to run the program
•Wait until the Prescan finishes

•On the RogueKiller console, click the Registry tab.
•Make sure the entries there are checked.
•Then, press the [Delete] button.
An RKreport (Mode: Delete) is created on the Desktop.
(The RKreport also opens using the Report button on the console.)

•Once again, at the RogueKiller console, press: SCAN
•A report opens on the Desktop: RKreport.txt (Mode: Scan)

In your reply, please provide the RKreport (Mode: Delete) created on the Desktop, as well as the RKreport.txt Mode: Scan.


There is a Proxy setting identified on the report. Is this from an educational institution you recognize:
[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (proxy33.asbury.edu:8080) -> FOUND

Old duck...


#5 doughersh

doughersh
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:57 AM

Posted 03 May 2012 - 04:52 PM

After the prescan there were no registry entries either when I ran as administrator or normally, so I'm providing no Mode:Delete scan

RogueKiller V7.4.2 [05/03/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User: Doug [Admin rights]
Mode: Scan -- Date: 05/03/2012 17:48:47

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 11 ¤¤¤
[BLACKLIST DLL] HKCU\[...]\Run : uptfo (rundll32.exe "C:\Users\Doug\AppData\Local\Temp\uptfo.dll",CreateFontW) -> FOUND
[SUSP PATH] HKCU\[...]\Run : Yqxoygqy (C:\Users\Doug\AppData\Roaming\Eradga\deafs.exe) -> FOUND
[SUSP PATH] HKCU\[...]\Run : Sasueqy (C:\Users\Doug\AppData\Roaming\Guobha\beab.exe) -> FOUND
[BLACKLIST DLL] HKUS\S-1-5-21-628865786-584876710-3318370673-1000[...]\Run : uptfo (rundll32.exe "C:\Users\Doug\AppData\Local\Temp\uptfo.dll",CreateFontW) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-628865786-584876710-3318370673-1000[...]\Run : Yqxoygqy (C:\Users\Doug\AppData\Roaming\Eradga\deafs.exe) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-628865786-584876710-3318370673-1000[...]\Run : Sasueqy (C:\Users\Doug\AppData\Roaming\Guobha\beab.exe) -> FOUND
[PROXY IE] HKCU\[...]\Internet Settings : ProxyEnable (1) -> FOUND
[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (proxy33.asbury.edu:8080) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HTS545032B9A300 +++++
--- User ---
[MBR] 9c74ec6845edc4dedb4f6b88d7719492
[BSP] b8e681ec20f3f51e484d81d4ade624cc : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0x1c) [HIDDEN!] Offset (sectors): 63 | Size: 20002 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 40965750 | Size: 76308 Mo
2 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 197246976 | Size: 208932 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt



Yes, the proxy is valid as an institutional proxy

#6 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:09:57 AM

Posted 03 May 2012 - 05:00 PM

Let's try it this way:

After you close all windows and browsers
Right-click RogueKiller and select 'Run as Administrator'

Press: Scan, and let it run
Look in the Registry tab, and make sure the entries there are checked.
Press: Delete

See if you get an RKreport (Mode: Delete) now.

Please post the report.

Old duck...


#7 doughersh

doughersh
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:57 AM

Posted 04 May 2012 - 10:21 AM

RogueKiller V7.4.3 [05/04/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User: Doug [Admin rights]
Mode: Remove -- Date: 05/04/2012 11:20:30

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 8 ¤¤¤
[BLACKLIST DLL] HKCU\[...]\Run : uptfo (rundll32.exe "C:\Users\Doug\AppData\Local\Temp\uptfo.dll",CreateFontW) -> DELETED
[SUSP PATH] HKCU\[...]\Run : Yqxoygqy (C:\Users\Doug\AppData\Roaming\Eradga\deafs.exe) -> DELETED
[SUSP PATH] HKCU\[...]\Run : Sasueqy (C:\Users\Doug\AppData\Roaming\Guobha\beab.exe) -> DELETED
[PROXY IE] HKCU\[...]\Internet Settings : ProxyEnable (1) -> NOT REMOVED, USE PROXYFIX
[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (proxy33.asbury.edu:8080) -> NOT REMOVED, USE PROXYFIX
[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> REPLACED (1)
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HTS545032B9A300 +++++
--- User ---
[MBR] 9c74ec6845edc4dedb4f6b88d7719492
[BSP] b8e681ec20f3f51e484d81d4ade624cc : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0x1c) [HIDDEN!] Offset (sectors): 63 | Size: 20002 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 40965750 | Size: 76308 Mo
2 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 197246976 | Size: 208932 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[5].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt ; RKreport[5].txt

#8 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:09:57 AM

Posted 04 May 2012 - 02:23 PM

Please download an updated version of ComboFix

Save ComboFix.exe to the Desktop!!

Make sure you temporarily disable your AntiVirus, Firewall, and any other AntiSpyware applications. They may interfere with the running of CF.

Note: For information on how to disable protective programs, refer to this link

Windows Seven: Right-click on ComboFix.exe and select 'Run as Administrator'

Click on Yes, to continue scanning for malware.

When finished, CF produces a report.

Please provide a copy of the C:\ComboFix.txt in your reply.


Notes:

1. Please do not mouse-click the ComboFix window while it is running. This action may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
3. CF disconnects your machine from the Internet. However, the connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
4. If ComboFix detects any Rootkit/Bootkit activity it gives a warning and prompts for a reboot. Please allow it to do so.
5. If ComboFix reboots due to a rootkit, the screen may stay black for several minutes on reboot. This is normal.
6. If after running ComboFix you receive any type of warning about Registry keys listed for deletion
when trying to open certain items, reboot the system and this will fix the issue. Those items will not be deleted.

Old duck...


#9 doughersh

doughersh
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:57 AM

Posted 04 May 2012 - 04:12 PM

ComboFix 12-05-04.03 - Doug 05/04/2012 16:45:21.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3885.2695 [GMT -4:00]
Running from: c:\users\Doug\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\esupport\eDriver\Software\ASUS\MultiFrame\XP32_Vista32_Vista64_Win7_32_Win7_64_1.0.0021\Desktop_.ini
c:\program files (x86)\Common Files\ASPG_icon.ico
c:\programdata\FullRemove.exe
c:\users\Doug\AppData\Local\Temp\uptfo.dll
c:\users\Doug\AppData\Roaming\Eradga
c:\users\Doug\AppData\Roaming\Eradga\deafs.exe
c:\users\Doug\AppData\Roaming\Guobha
c:\users\Doug\AppData\Roaming\Guobha\beab.exe
c:\windows\assembly\temp\@
c:\windows\assembly\temp\cfg.ini
D:\install.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-04-04 to 2012-05-04 )))))))))))))))))))))))))))))))
.
.
2012-05-02 20:56 . 2012-05-02 20:56 457632 ----a-w- C:\FixExec64.com
2012-05-02 20:52 . 2012-05-02 20:52 883616 ----a-w- C:\FixExec.com
2012-05-02 19:54 . 2012-05-02 19:54 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-05-02 19:54 . 2012-04-04 19:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-02 19:38 . 2012-05-02 19:38 -------- d-----w- c:\users\Doug\AppData\Roaming\Malwarebytes
2012-05-02 19:38 . 2012-05-02 19:38 -------- d-----w- c:\programdata\Malwarebytes
2012-05-02 17:55 . 2012-05-02 17:55 -------- d-----w- c:\programdata\B7E8586B000073A100039561B4EB2367
2012-05-02 17:46 . 2012-05-03 12:48 -------- d-----w- c:\users\Doug\AppData\Roaming\Adqeg
2012-05-02 17:46 . 2012-05-02 17:46 -------- d-----w- c:\users\Doug\AppData\Roaming\Ittui
2012-05-02 17:46 . 2012-05-02 20:42 -------- d-----w- c:\users\Doug\AppData\Local\WAV
2012-05-02 17:46 . 2012-05-03 12:40 -------- d-----w- c:\users\Doug\AppData\Roaming\Doapyf
2012-05-02 17:46 . 2012-05-02 17:46 -------- d-----w- c:\users\Doug\AppData\Roaming\Soim
2012-04-23 12:06 . 2012-03-06 06:53 5559152 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-23 12:06 . 2012-03-06 05:59 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-04-23 12:06 . 2012-03-06 05:59 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-04-23 12:02 . 2012-03-01 06:46 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-04-23 12:02 . 2012-03-01 06:33 81408 ----a-w- c:\windows\system32\imagehlp.dll
2012-04-23 12:02 . 2012-03-01 05:33 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll
2012-04-23 12:02 . 2012-03-01 06:38 220672 ----a-w- c:\windows\system32\wintrust.dll
2012-04-23 12:02 . 2012-03-01 06:28 5120 ----a-w- c:\windows\system32\wmi.dll
2012-04-23 12:02 . 2012-03-01 05:37 172544 ----a-w- c:\windows\SysWow64\wintrust.dll
2012-04-23 12:02 . 2012-03-01 05:29 5120 ----a-w- c:\windows\SysWow64\wmi.dll
2012-04-17 22:51 . 2012-05-02 17:49 418464 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-04-17 22:51 . 2012-04-17 22:51 -------- d-----w- c:\windows\system32\Macromed
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-02 17:49 . 2011-06-19 13:46 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-02-17 06:38 . 2012-03-14 00:50 1031680 ----a-w- c:\windows\system32\rdpcore.dll
2012-02-17 05:34 . 2012-03-14 00:50 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
2012-02-17 04:58 . 2012-03-14 00:50 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-02-17 04:57 . 2012-03-14 00:50 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-02-15 16:01 . 2012-02-15 16:01 52736 ----a-w- c:\windows\system32\drivers\usbaapl64.sys
2012-02-15 16:01 . 2012-02-15 16:01 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll
2012-02-10 06:36 . 2012-03-14 00:51 1544192 ----a-w- c:\windows\system32\DWrite.dll
2012-02-10 05:38 . 2012-03-14 00:51 1077248 ----a-w- c:\windows\SysWow64\DWrite.dll
2012-02-07 15:02 . 2012-02-07 15:02 1070352 ----a-w- c:\windows\SysWow64\MSCOMCTL.OCX
2009-04-08 17:31 . 2009-04-08 17:31 106496 ----a-w- c:\program files (x86)\Common Files\CPInstallAction.dll
2008-08-12 04:45 . 2008-08-12 04:45 155648 ----a-w- c:\program files (x86)\Common Files\MSIactionall.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-10-31 21:02 94208 ----a-w- c:\users\Doug\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-10-31 21:02 94208 ----a-w- c:\users\Doug\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-10-31 21:02 94208 ----a-w- c:\users\Doug\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"UpdateLBPShortCut"="c:\program files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"UpdateP2GoShortCut"="c:\program files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"Boingo Wi-Fi"="c:\program files (x86)\Boingo\Boingo Wi-Fi\Boingo.lnk" [2010-07-13 2429]
"ATKOSD2"="c:\program files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe" [2010-02-04 7350912]
"ATKMEDIA"="c:\program files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe" [2010-05-03 170624]
"HControlUser"="c:\program files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe" [2009-06-19 105016]
"Wireless Console 3"="c:\program files (x86)\ASUS\Wireless Console 3\wcourier.exe" [2010-04-26 1597440]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"x3watch"="c:\program files (x86)\X3watch\x3watch.exe" [2011-02-14 303104]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"VMM Mode Selection"="c:\program files\HTC\ModeSelection\VMMModeSelection.exe" [2011-02-14 43520]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
.
c:\users\Doug\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Doug\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-2-14 24246216]
EvernoteClipper.lnk - c:\program files (x86)\Evernote\Evernote\EvernoteClipper.exe [2012-3-22 1014112]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
FancyStart daemon.lnk - c:\windows\Installer\{2B81872B-A054-48DA-BE3B-FA5C164C303A}\_C4A2FC3E3722966204FDD8.exe [2010-7-13 12862]
SRS Premium Sound.lnk - c:\windows\Installer\{E5CF6B9C-3ABE-43C9-9413-AD5FFC98F049}\NewShortcut5_21C7B668029A47458B27645FE6E4A715.exe [2010-7-13 156952]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-13 135664]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-02 253088]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-13 135664]
R3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;c:\windows\system32\DRIVERS\SiSG664.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 lullaby;lullaby;c:\windows\system32\DRIVERS\lullaby.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AFBAgent;AFBAgent;c:\windows\system32\FBAgent.exe [x]
S2 ASMMAP64;ASMMAP64;c:\program files (x86)\ASUS\ATK Package\ATKGFNEX\ASMMAP64.sys [2009-07-03 15416]
S2 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-10-21 196176]
S2 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE [2011-10-13 249648]
S2 iPodDrv;iPodDrv;c:\windows\system32\drivers\iPodDrv.sys [x]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-04-04 654408]
S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2009-10-01 2314240]
S3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys [x]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [x]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [x]
S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [x]
S3 JME;JMicron Ethernet Adapter NDIS6.20 Driver (Amd64 Bits);c:\windows\system32\DRIVERS\JME.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-04 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-17 17:49]
.
2012-05-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-13 10:31]
.
2012-05-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-13 10:31]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AsusWSShellExt_B]
@="{6D4133E5-0742-4ADC-8A8C-9303440F7190}"
[HKEY_CLASSES_ROOT\CLSID\{6D4133E5-0742-4ADC-8A8C-9303440F7190}]
2009-11-26 05:49 70656 ----a-w- c:\program files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSShellExt64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AsusWSShellExt_O]
@="{64174815-8D98-4CE6-8646-4C039977D808}"
[HKEY_CLASSES_ROOT\CLSID\{64174815-8D98-4CE6-8646-4C039977D808}]
2009-11-26 05:49 70656 ----a-w- c:\program files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSShellExt64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-10-31 21:02 97792 ----a-w- c:\users\Doug\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-10-31 21:02 97792 ----a-w- c:\users\Doug\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-10-31 21:02 97792 ----a-w- c:\users\Doug\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-10-31 21:02 97792 ----a-w- c:\users\Doug\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ASUS WebStorage"="c:\program files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe" [2010-03-16 1754448]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2009-11-19 307768]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-11 162328]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-11 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-11 417304]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uStart Page = hxxp://seedbed.com/
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyServer = proxy33.asbury.edu:8080
uInternet Settings,ProxyOverride = *.local;<local>
IE: Add to Evernote 4.0 - c:\program files (x86)\Evernote\Evernote\EvernoteIE.dll/204
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
Trusted Zone: tellmemorecampus.com\start
Trusted Zone: tellmemorecampus.com\start
TCP: DhcpNameServer = 172.20.2.15 172.20.2.9 172.20.2.18 172.20.2.16
DPF: {57055870-7F19-46ED-B1DD-56004FBFCB9D} - hxxp://www.hipmediastore.com/HipDigitalDownloadManager.cab
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKCU-Run-HLBackupScheduler - c:\program files\Verizon V CAST Media Manager\V CAST Backup Scheduler.exe
Toolbar-Locked - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-ETDWare - c:\program files (x86)\Elantech\ETDCtrl.exe
HKLM-Run-Setwallpaper - c:\programdata\SetWallpaper.cmd
AddRemove-AuralogComponentsUninstall9.exe - c:\windows\system32\\Auralog\tmm\Uninstall\AuralogComponentsUninstall9.exe
AddRemove-K_Series_ScreenSaver_EN - c:\windows\system32\K_Series_ScreenSaver_EN.scr
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-628865786-584876710-3318370673-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{AA0189F8-D941-0974-F137-2103BA7BCACE}*]
"hagncgmbkonggfmg"=hex:6a,61,61,67,68,6a,6f,64,64,61,68,6a,6f,6b,6f,63,61,63,
61,64,00,d4
"iammmbikppkmmncdcf"=hex:6a,61,61,67,68,6a,6f,64,64,61,68,6a,6f,6b,6f,63,61,63,
61,64,00,63
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_233_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_233_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe
c:\program files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
c:\program files (x86)\ASUS\ControlDeck\ControlDeck.exe
c:\program files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe
.
**************************************************************************
.
Completion time: 2012-05-04 17:02:34 - machine was rebooted
ComboFix-quarantined-files.txt 2012-05-04 21:02
.
Pre-Run: 34,916,139,008 bytes free
Post-Run: 35,299,016,704 bytes free
.
- - End Of File - - 1A7710B944AF30B91C955DC2D2D13B25

#10 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:09:57 AM

Posted 04 May 2012 - 09:37 PM

Please do the following:

Continue to disable (temporarily) all AntiVirus and AntiMalware programs so they do not interfere with the running of ComboFix.

1. Open Notepad ('Start' > 'R', type: notepad Click: OK)
2. Copy/paste the text inside the code box below to Notepad:

KILLALL::

Folder::
c:\programdata\B7E8586B000073A100039561B4EB2367
c:\users\Doug\AppData\Roaming\Adqeg
c:\users\Doug\AppData\Roaming\Ittui
c:\users\Doug\AppData\Roaming\Doapyf
c:\users\Doug\AppData\Roaming\Soim

ClearJavaCache::


3. In Notepad:
Click File > Save as..., and save to the Desktop
In the File Name box, type: CFScript.txt
Click: Save

4. Close all open windows so that you are at the Desktop.

5. Referring to the picture below, using your mouse (left button), ...drag... CFScript.txt and drop over ComboFix.exe

Posted Image

6. Do not mouse-click the ComboFix window while it is running. It may cause CF to stall.

7. When finished, the log produced is located at C:\ComboFix.txt

Please post the new ComboFix.txt in your reply.

Old duck...


#11 doughersh

doughersh
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:57 AM

Posted 04 May 2012 - 10:30 PM

ComboFix 12-05-04.03 - Doug 05/04/2012 22:59:05.2.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3885.2552 [GMT -4:00]
Running from: c:\users\Doug\Desktop\ComboFix.exe
Command switches used :: c:\users\Doug\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\B7E8586B000073A100039561B4EB2367
c:\programdata\B7E8586B000073A100039561B4EB2367\B7E8586B000073A100039561B4EB2367
c:\programdata\B7E8586B000073A100039561B4EB2367\B7E8586B000073A100039561B4EB2367.exe
c:\users\Doug\AppData\Roaming\Adqeg
c:\users\Doug\AppData\Roaming\Adqeg\axfi.kun
c:\users\Doug\AppData\Roaming\Doapyf
c:\users\Doug\AppData\Roaming\Doapyf\woid.uct
c:\users\Doug\AppData\Roaming\Ittui
c:\users\Doug\AppData\Roaming\Ittui\cyqa.oqx
c:\users\Doug\AppData\Roaming\Soim
c:\users\Doug\AppData\Roaming\Soim\luud.uqb
.
.
((((((((((((((((((((((((( Files Created from 2012-04-05 to 2012-05-05 )))))))))))))))))))))))))))))))
.
.
2012-05-05 03:11 . 2012-05-05 03:11 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-05-02 20:56 . 2012-05-02 20:56 457632 ----a-w- C:\FixExec64.com
2012-05-02 20:52 . 2012-05-02 20:52 883616 ----a-w- C:\FixExec.com
2012-05-02 19:54 . 2012-05-02 19:54 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-05-02 19:54 . 2012-04-04 19:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-02 19:38 . 2012-05-02 19:38 -------- d-----w- c:\users\Doug\AppData\Roaming\Malwarebytes
2012-05-02 19:38 . 2012-05-02 19:38 -------- d-----w- c:\programdata\Malwarebytes
2012-05-02 17:46 . 2012-05-02 20:42 -------- d-----w- c:\users\Doug\AppData\Local\WAV
2012-04-23 12:06 . 2012-03-06 06:53 5559152 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-23 12:06 . 2012-03-06 05:59 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-04-23 12:06 . 2012-03-06 05:59 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-04-23 12:02 . 2012-03-01 06:46 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-04-23 12:02 . 2012-03-01 06:33 81408 ----a-w- c:\windows\system32\imagehlp.dll
2012-04-23 12:02 . 2012-03-01 05:33 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll
2012-04-23 12:02 . 2012-03-01 06:38 220672 ----a-w- c:\windows\system32\wintrust.dll
2012-04-23 12:02 . 2012-03-01 06:28 5120 ----a-w- c:\windows\system32\wmi.dll
2012-04-23 12:02 . 2012-03-01 05:37 172544 ----a-w- c:\windows\SysWow64\wintrust.dll
2012-04-23 12:02 . 2012-03-01 05:29 5120 ----a-w- c:\windows\SysWow64\wmi.dll
2012-04-17 22:51 . 2012-05-02 17:49 418464 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-04-17 22:51 . 2012-04-17 22:51 -------- d-----w- c:\windows\system32\Macromed
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-02 17:49 . 2011-06-19 13:46 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-02-17 06:38 . 2012-03-14 00:50 1031680 ----a-w- c:\windows\system32\rdpcore.dll
2012-02-17 05:34 . 2012-03-14 00:50 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
2012-02-17 04:58 . 2012-03-14 00:50 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-02-17 04:57 . 2012-03-14 00:50 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-02-15 16:01 . 2012-02-15 16:01 52736 ----a-w- c:\windows\system32\drivers\usbaapl64.sys
2012-02-15 16:01 . 2012-02-15 16:01 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll
2012-02-10 06:36 . 2012-03-14 00:51 1544192 ----a-w- c:\windows\system32\DWrite.dll
2012-02-10 05:38 . 2012-03-14 00:51 1077248 ----a-w- c:\windows\SysWow64\DWrite.dll
2012-02-07 15:02 . 2012-02-07 15:02 1070352 ----a-w- c:\windows\SysWow64\MSCOMCTL.OCX
2009-04-08 17:31 . 2009-04-08 17:31 106496 ----a-w- c:\program files (x86)\Common Files\CPInstallAction.dll
2008-08-12 04:45 . 2008-08-12 04:45 155648 ----a-w- c:\program files (x86)\Common Files\MSIactionall.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-05-04_20.55.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-13 10:50 . 2012-05-04 21:10 37142 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-05-05 02:56 33394 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
- 2010-10-07 07:02 . 2012-05-03 19:27 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-10-07 07:02 . 2012-05-05 02:59 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-10-07 07:02 . 2012-05-03 19:27 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-10-07 07:02 . 2012-05-05 02:59 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-05-03 19:27 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-05-05 02:59 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:46 . 2012-05-04 21:06 91120 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
+ 2010-10-18 14:55 . 2012-05-05 02:56 9858 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-628865786-584876710-3318370673-1000_UserData.bin
- 2012-05-04 20:54 . 2012-05-04 20:54 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-05-05 03:12 . 2012-05-05 03:12 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-05-04 20:54 . 2012-05-04 20:54 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-05-05 03:12 . 2012-05-05 03:12 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-10-06 17:57 . 2012-05-05 02:41 247788 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S4.bin
- 2009-07-14 05:01 . 2012-05-04 20:54 389632 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-05-05 03:11 389632 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2012-05-02 22:35 . 2012-05-04 21:08 802220 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-628865786-584876710-3318370673-1000-12288.dat
+ 2010-07-13 10:55 . 2012-05-05 03:11 2102040 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2010-07-13 10:55 . 2012-05-04 20:54 2102040 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2011-08-26 18:57 . 2012-05-05 02:54 2092328 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-628865786-584876710-3318370673-1000-8192.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-10-31 21:02 94208 ----a-w- c:\users\Doug\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-10-31 21:02 94208 ----a-w- c:\users\Doug\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-10-31 21:02 94208 ----a-w- c:\users\Doug\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"UpdateLBPShortCut"="c:\program files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"UpdateP2GoShortCut"="c:\program files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"Boingo Wi-Fi"="c:\program files (x86)\Boingo\Boingo Wi-Fi\Boingo.lnk" [2010-07-13 2429]
"ATKOSD2"="c:\program files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe" [2010-02-04 7350912]
"ATKMEDIA"="c:\program files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe" [2010-05-03 170624]
"HControlUser"="c:\program files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe" [2009-06-19 105016]
"Wireless Console 3"="c:\program files (x86)\ASUS\Wireless Console 3\wcourier.exe" [2010-04-26 1597440]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"x3watch"="c:\program files (x86)\X3watch\x3watch.exe" [2011-02-14 303104]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"VMM Mode Selection"="c:\program files\HTC\ModeSelection\VMMModeSelection.exe" [2011-02-14 43520]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
.
c:\users\Doug\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Doug\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-2-14 24246216]
EvernoteClipper.lnk - c:\program files (x86)\Evernote\Evernote\EvernoteClipper.exe [2012-3-22 1014112]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
FancyStart daemon.lnk - c:\windows\Installer\{2B81872B-A054-48DA-BE3B-FA5C164C303A}\_C4A2FC3E3722966204FDD8.exe [2010-7-13 12862]
SRS Premium Sound.lnk - c:\windows\Installer\{E5CF6B9C-3ABE-43C9-9413-AD5FFC98F049}\NewShortcut5_21C7B668029A47458B27645FE6E4A715.exe [2010-7-13 156952]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-13 135664]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-02 253088]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-13 135664]
R3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;c:\windows\system32\DRIVERS\SiSG664.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 lullaby;lullaby;c:\windows\system32\DRIVERS\lullaby.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AFBAgent;AFBAgent;c:\windows\system32\FBAgent.exe [x]
S2 ASMMAP64;ASMMAP64;c:\program files (x86)\ASUS\ATK Package\ATKGFNEX\ASMMAP64.sys [2009-07-03 15416]
S2 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-10-21 196176]
S2 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE [2011-10-13 249648]
S2 iPodDrv;iPodDrv;c:\windows\system32\drivers\iPodDrv.sys [x]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-04-04 654408]
S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2009-10-01 2314240]
S3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys [x]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [x]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [x]
S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [x]
S3 JME;JMicron Ethernet Adapter NDIS6.20 Driver (Amd64 Bits);c:\windows\system32\DRIVERS\JME.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-05 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-17 17:49]
.
2012-05-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-13 10:31]
.
2012-05-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-13 10:31]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AsusWSShellExt_B]
@="{6D4133E5-0742-4ADC-8A8C-9303440F7190}"
[HKEY_CLASSES_ROOT\CLSID\{6D4133E5-0742-4ADC-8A8C-9303440F7190}]
2009-11-26 05:49 70656 ----a-w- c:\program files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSShellExt64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AsusWSShellExt_O]
@="{64174815-8D98-4CE6-8646-4C039977D808}"
[HKEY_CLASSES_ROOT\CLSID\{64174815-8D98-4CE6-8646-4C039977D808}]
2009-11-26 05:49 70656 ----a-w- c:\program files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSShellExt64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-10-31 21:02 97792 ----a-w- c:\users\Doug\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-10-31 21:02 97792 ----a-w- c:\users\Doug\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-10-31 21:02 97792 ----a-w- c:\users\Doug\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-10-31 21:02 97792 ----a-w- c:\users\Doug\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ETDWare"="c:\program files (x86)\Elantech\ETDCtrl.exe" [BU]
"ASUS WebStorage"="c:\program files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe" [2010-03-16 1754448]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2009-11-19 307768]
"Setwallpaper"="c:\programdata\SetWallpaper.cmd" [BU]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-11 162328]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-11 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-11 417304]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://seedbed.com/
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyServer = proxy33.asbury.edu:8080
uInternet Settings,ProxyOverride = *.local;<local>
IE: Add to Evernote 4.0 - c:\program files (x86)\Evernote\Evernote\EvernoteIE.dll/204
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
Trusted Zone: tellmemorecampus.com\start
Trusted Zone: tellmemorecampus.com\start
DPF: {57055870-7F19-46ED-B1DD-56004FBFCB9D} - hxxp://www.hipmediastore.com/HipDigitalDownloadManager.cab
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
AddRemove-Smart Fortress 2012 - c:\programdata\B7E8586B000073A100039561B4EB2367\B7E8586B000073A100039561B4EB2367.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-628865786-584876710-3318370673-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{AA0189F8-D941-0974-F137-2103BA7BCACE}*]
"hagncgmbkonggfmg"=hex:6a,61,61,67,68,6a,6f,64,64,61,68,6a,6f,6b,6f,63,61,63,
61,64,00,d4
"iammmbikppkmmncdcf"=hex:6a,61,61,67,68,6a,6f,64,64,61,68,6a,6f,6b,6f,63,61,63,
61,64,00,63
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_233_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_233_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe
c:\program files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
c:\program files (x86)\ASUS\ControlDeck\ControlDeck.exe
c:\program files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe
.
**************************************************************************
.
Completion time: 2012-05-04 23:26:19 - machine was rebooted
ComboFix-quarantined-files.txt 2012-05-05 03:26
ComboFix2.txt 2012-05-04 21:02
.
Pre-Run: 35,042,308,096 bytes free
Post-Run: 35,029,651,456 bytes free
.
- - End Of File - - E83C0DC7399C02389C3D7C18D59AA92D

#12 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:09:57 AM

Posted 06 May 2012 - 09:43 PM

Are you still having malware problems?

Also, please run RogueKiller once again, and just do a Scan.

Then post the RKreport.txt Mode: Scan in your reply.

Old duck...


#13 doughersh

doughersh
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:57 AM

Posted 07 May 2012 - 06:31 PM

I don't see any evidence of an infection anymore, so I guess its eliminated. Thanks, I greatly appreciate the help!

RogueKiller V7.4.3 [05/04/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User: Doug [Admin rights]
Mode: Scan -- Date: 05/07/2012 19:25:12

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 1 ¤¤¤
[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (proxy33.asbury.edu:8080) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HTS545032B9A300 +++++
--- User ---
[MBR] 9c74ec6845edc4dedb4f6b88d7719492
[BSP] b8e681ec20f3f51e484d81d4ade624cc : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0x1c) [HIDDEN!] Offset (sectors): 63 | Size: 20002 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 40965750 | Size: 76308 Mo
2 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 197246976 | Size: 208932 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[6].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt ; RKreport[5].txt ;
RKreport[6].txt

#14 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:09:57 AM

Posted 08 May 2012 - 05:36 PM

:thumbup2:

Try using the computer for a couple of days, and see how it goes.

Will get back to you on Thursday 11 May, or Friday 12 May. However, if you experience any malware problems, post back right away!

Old duck...


#15 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:09:57 AM

Posted 15 May 2012 - 07:54 PM

My apology for the delay!

If you are no longer having malware problems, let's do this final check:

Please download Security Check

Save it to the Desktop.
Double-click SecurityCheck.exe and follow the onscreen instructions (on the black screen)
When done, a Notepad document opens automatically: checkup.txt

Please post the contents of checkup.txt in your reply.

Old duck...





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users