
Trojan/Agent.gzjh detected on malwarebytes.exe by Jiangmin on a VirusTotal scan + Win32:PUP-gen found on a hex editing program


  • This topic is locked
32 replies to this topic

#1 Xzinn (Members, 17 posts)

Posted 24 August 2012 - 09:15 AM

Hi,

I recently randomly selected some executables and uploaded them to Virus Total, which resulted in me discovering the PUP and Trojan I mentioned in the thread title. I regularly run Malwarebytes and update it daily, and always upload any executables/zip files I download from third-party servers (especially freeware) to Virus Total for a scan, as well as being careful as to what freeware I download. As far as I know I use a secure network at home, do not have autorun enabled (nor do I use flash drives on this computer in the first place). I also do not browse any dodgy sites and occasionally run a script disabler on any websites that have lots of ads on them. In spite of all of this, I haven't really noticed any issues I've seen with viruses in the past, and Malwarebytes doesn't pick anything up (not that that means anything anymore). Thanks in advance.

Edit: Something I forgot to mention: I don't get audio on Flash videos such as from YouTube.

DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.5.1
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.8169.6353 [GMT 1:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Program Files (x86)\Hotkey\PowerBiosServer.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe
C:\Program Files (x86)\Steam\Steam.exe
C:\Program Files (x86)\Hotkey\Hotkey.exe
C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Users\Robbie\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Common Files\Steam\SteamService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Users\Robbie\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Robbie\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Robbie\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Robbie\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Users\Robbie\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Robbie\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Robbie\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit=userinit.exe
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
uRun: [Google Update] "C:\Users\Robbie\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent
mRun: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\Hotkey.lnk - C:\Program Files (x86)\Hotkey\Hotkey.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
TCP: DhcpNameServer = 208.67.222.222 208.67.220.220
TCP: Interfaces\{6B135F99-66D6-47D3-9F7A-CF9BF7FE6028} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{D4727A8F-9A00-4290-A187-0CD477D1DC64} : DhcpNameServer = 208.67.222.222 208.67.220.220
BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
mRun-x64: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
mRun-x64: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
.
============= SERVICES / DRIVERS ===============
.
P2 HiPatchService;Hi-Rez Studios Authenticate and Update Service;C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe [2012-7-4 8704]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2012-6-23 13592]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-6-23 655944]
R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-7-9 1262400]
R2 PowerBiosServer;PowerBiosServer;C:\Program Files (x86)\Hotkey\PowerBiosServer.exe [2011-2-15 33792]
R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2012-6-23 2656280]
R3 itecir;ITECIR Infrared Receiver;C:\Windows\system32\DRIVERS\itecir.sys --> C:\Windows\system32\DRIVERS\itecir.sys [?]
R3 JMCR;JMCR;C:\Windows\system32\DRIVERS\jmcr.sys --> C:\Windows\system32\DRIVERS\jmcr.sys [?]
R3 JME;JMicron Ethernet Adapter NDIS6.20 Driver (Amd64 Bits);C:\Windows\system32\DRIVERS\JME.sys --> C:\Windows\system32\DRIVERS\JME.sys [?]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
R3 MEIx64;Intel® Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
R3 NETwNs64;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\system32\DRIVERS\NETwNs64.sys --> C:\Windows\system32\DRIVERS\NETwNs64.sys [?]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\Windows\system32\DRIVERS\nusb3hub.sys --> C:\Windows\system32\DRIVERS\nusb3hub.sys [?]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\Windows\system32\DRIVERS\nusb3xhc.sys --> C:\Windows\system32\DRIVERS\nusb3xhc.sys [?]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\system32\drivers\nvhda64v.sys --> C:\Windows\system32\drivers\nvhda64v.sys [?]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-7-20 250056]
S3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [2010-10-19 340240]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2012-08-21 22:35:04 294912 ----a-w- C:\Windows\System32\browserchoice.exe
2012-08-21 22:34:34 -------- d-----w- C:\Windows\SysWow64\Wat
2012-08-21 22:34:34 -------- d-----w- C:\Windows\System32\Wat
2012-08-21 17:39:50 9309624 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{B1FD8987-5421-49F8-8845-B9A99405D515}\mpengine.dll
2012-08-19 17:52:35 -------- d-----w- C:\Users\Robbie\AppData\Roaming\.techniclauncher
2012-08-18 18:51:28 -------- d-----w- C:\Program Files\CPUID
2012-08-15 13:36:25 503808 ----a-w- C:\Windows\System32\srcore.dll
2012-08-15 13:36:25 43008 ----a-w- C:\Windows\SysWow64\srclient.dll
2012-08-15 13:35:33 751104 ----a-w- C:\Windows\System32\win32spl.dll
2012-08-15 13:35:33 67072 ----a-w- C:\Windows\splwow64.exe
2012-08-15 13:35:33 559104 ----a-w- C:\Windows\System32\spoolsv.exe
2012-08-15 13:35:33 492032 ----a-w- C:\Windows\SysWow64\win32spl.dll
2012-08-15 13:30:05 59392 ----a-w- C:\Windows\System32\browcli.dll
2012-08-15 13:30:05 41984 ----a-w- C:\Windows\SysWow64\browcli.dll
2012-08-15 13:30:05 136704 ----a-w- C:\Windows\System32\browser.dll
2012-08-15 13:29:57 3148800 ----a-w- C:\Windows\System32\win32k.sys
2012-08-15 13:29:14 956928 ----a-w- C:\Windows\System32\localspl.dll
2012-07-27 19:06:27 -------- d-----w- C:\Users\Robbie\AppData\Roaming\.minecraft
2012-07-26 18:41:28 -------- d-----w- C:\Users\Robbie\AppData\Roaming\My Games
2012-07-26 18:11:55 -------- d-----w- C:\Program Files (x86)\Firaxis Games
2012-07-26 18:11:39 63488 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\ISBEW64.exe
2012-07-26 18:11:38 753664 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iKernel.dll
2012-07-26 18:11:38 69714 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\ctor.dll
2012-07-26 18:11:38 5632 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\DotNetInstaller.exe
2012-07-26 18:11:38 274432 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iscript.dll
2012-07-26 18:11:38 184320 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iuser.dll
2012-07-26 18:11:36 331908 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\setup.dll
2012-07-26 18:11:36 200836 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iGdi.dll
.
==================== Find3M ====================
.
2012-08-14 18:39:30 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-08-14 18:39:30 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-07-19 10:46:22 189248 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe
2012-07-19 10:46:20 75136 ----a-w- C:\Windows\SysWow64\PnkBstrA.exe
2012-07-09 13:50:22 955840 ----a-w- C:\Windows\System32\npDeployJava1.dll
2012-07-09 13:50:22 839096 ----a-w- C:\Windows\System32\deployJava1.dll
2012-07-03 12:46:44 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-06-29 03:56:34 2312704 ----a-w- C:\Windows\System32\jscript9.dll
2012-06-29 03:49:11 1392128 ----a-w- C:\Windows\System32\wininet.dll
2012-06-29 03:48:07 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-06-29 03:43:49 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2012-06-29 03:39:48 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-06-29 00:16:58 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-06-29 00:09:01 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-06-29 00:08:59 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-06-29 00:04:43 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2012-06-29 00:00:45 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-06-06 06:06:16 2004480 ----a-w- C:\Windows\System32\msxml6.dll
2012-06-06 06:06:16 1881600 ----a-w- C:\Windows\System32\msxml3.dll
2012-06-06 06:02:54 1133568 ----a-w- C:\Windows\System32\cdosys.dll
2012-06-06 05:05:52 1390080 ----a-w- C:\Windows\SysWow64\msxml6.dll
2012-06-06 05:05:52 1236992 ----a-w- C:\Windows\SysWow64\msxml3.dll
2012-06-06 05:03:06 805376 ----a-w- C:\Windows\SysWow64\cdosys.dll
2012-06-02 22:15:31 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2012-06-02 22:15:08 99840 ----a-w- C:\Windows\System32\wudriver.dll
2012-06-02 14:19:42 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2012-06-02 14:15:12 36864 ----a-w- C:\Windows\System32\wuapp.exe
2012-06-02 05:50:10 458704 ----a-w- C:\Windows\System32\drivers\cng.sys
2012-06-02 05:48:16 95600 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
2012-06-02 05:48:16 151920 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2012-06-02 05:45:31 340992 ----a-w- C:\Windows\System32\schannel.dll
2012-06-02 05:44:21 307200 ----a-w- C:\Windows\System32\ncrypt.dll
2012-06-02 04:40:42 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2012-06-02 04:40:39 225280 ----a-w- C:\Windows\SysWow64\schannel.dll
2012-06-02 04:39:10 219136 ----a-w- C:\Windows\SysWow64\ncrypt.dll
2012-06-02 04:34:09 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2012-05-31 11:25:12 279656 ------w- C:\Windows\System32\MpSigStub.exe
.
============= FINISH: 14:20:36.74 ===============

Edited by Xzinn, 24 August 2012 - 10:12 AM.
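The DDS log above is long enough that reading it by eye misses things, and the ComboFix log posted later in the thread uses the same line shapes for files and services. The following is an added example, not a tool from this thread or from the DDS/ComboFix authors: it parses the three entry formats that appear in the log (file entries from "Created Last 30"/"Find3M", service/driver lines, and the uRun/mRun autorun lines of the Pseudo HJT report) into records and groups the ones an analyst normally reviews first. The "user-writable location" markers and the allow-list for Windows Defender definition updates are this example's own assumptions; the sample lines are copied from the logs in this thread.

```python
"""Parse DDS / ComboFix log entries into records and group the ones an
analyst normally reads first.

Added example, not a tool from the thread or from the DDS/ComboFix authors.
The line shapes are taken from the log posted above; the "user-writable
location" heuristic and the Defender-definitions allow-list are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Optional

# DDS file line:      2012-08-21 22:35:04 294912 ----a-w- C:\Windows\System32\browserchoice.exe
# ComboFix file line: 2012-08-28 18:02 . 2012-08-28 18:02 -------- d-----w- c:\users\Default\AppData\Local\temp
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})?)"
    r"(?: \. (?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}))?"
    r" (?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
# Service/driver line: R3 MBAMProtector;MBAMProtector;\??\C:\...\mbam.sys --> C:\...\mbam.sys [?]
SERVICE_RE = re.compile(
    r"^(?P<state>[RSP]\d) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)(?: --> (?P<resolved>.+?))? \[(?P<info>[^\]]*)\]$"
)
# Autorun line (Pseudo HJT report): uRun: [Google Update] "C:\...\GoogleUpdate.exe" /c
AUTORUN_RE = re.compile(r"^(?P<key>\w*Run\w*(?:-x64)?): \[(?P<name>[^\]]+)\] (?P<command>.+)$")

# Assumption: paths containing these markers are writable without elevation and
# so get reviewed first. Defender definition updates live under ProgramData and
# are expected noise, so they are allow-listed.
USER_WRITABLE_MARKERS = ("\\users\\", "\\programdata\\", "\\appdata\\", "\\temp\\")
EXPECTED_NOISE = ("\\programdata\\microsoft\\windows defender\\",)


@dataclass
class Entry:
    kind: str    # "file", "service" or "autorun"
    name: str
    path: str
    detail: str


def image_path(command: str) -> str:
    """Return the executable referenced by an autorun command line."""
    m = re.match(r'^"([^"]+)"', command)                  # quoted path, arguments may follow
    if m:
        return m.group(1)
    m = re.match(r"^(.+?\.exe)", command, re.IGNORECASE)  # unquoted path ending in .exe
    return m.group(1) if m else command


def parse_line(line: str) -> Optional[Entry]:
    """Turn one log line into an Entry, or None for headers and separators."""
    line = line.strip()
    m = FILE_RE.match(line)
    if m:
        path = m.group("path")
        what = "directory" if m.group("attrs").startswith("d") else f"{int(m.group('size'))} bytes"
        return Entry("file", path.rsplit("\\", 1)[-1], path, f"created {m.group('created')}, {what}")
    m = SERVICE_RE.match(line)
    if m:
        detail = "size/date not readable by the scanner" if m.group("info") == "?" else m.group("info")
        return Entry("service", m.group("name"), m.group("resolved") or m.group("path"), detail)
    m = AUTORUN_RE.match(line)
    if m:
        return Entry("autorun", m.group("name"), image_path(m.group("command")), m.group("key"))
    return None


def in_user_writable_location(path: str) -> bool:
    """Heuristic: is this path somewhere a non-elevated user could have written?"""
    p = path.lower()
    if any(noise in p for noise in EXPECTED_NOISE):
        return False
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def triage(log_text: str) -> dict:
    """Parse a whole log and group the entries worth a first look."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e is not None]
    return {
        "parsed": len(entries),
        "user_writable": [e for e in entries if in_user_writable_location(e.path)],
        "unverified_services": [e for e in entries
                                if e.kind == "service" and e.detail.startswith("size/date")],
    }


# Constructed sample: a handful of lines copied from the DDS and ComboFix logs in this thread.
SAMPLE_LOG = r"""
uRun: [Google Update] "C:\Users\Robbie\AppData\Local\Google\Update\GoogleUpdate.exe" /c
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-6-23 655944]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
2012-08-21 22:35:04 294912 ----a-w- C:\Windows\System32\browserchoice.exe
2012-08-19 17:52:35 -------- d-----w- C:\Users\Robbie\AppData\Roaming\.techniclauncher
2012-08-21 17:39:50 9309624 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{B1FD8987-5421-49F8-8845-B9A99405D515}\mpengine.dll
2012-08-28 18:02 . 2012-08-28 18:02 -------- d-----w- c:\users\Default\AppData\Local\temp
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"parsed {result['parsed']} entries")
    for label in ("user_writable", "unverified_services"):
        print(f"\n{label}:")
        for e in result[label]:
            print(f"  [{e.kind}] {e.name}: {e.path} ({e.detail})")
```

On the sample above the grouping lists the Google Update autorun, the `.techniclauncher` folder and the ComboFix `temp` directory under "user_writable" (all ordinary for this machine, but they are where an analyst looks first), and MBAMProtector under "unverified_services" because DDS printed `[?]` instead of a size and date. Being listed is a prompt to verify the file by hand, not a verdict; the Defender definition update under ProgramData is deliberately excluded as expected noise.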



#2 nasdaq (Malware Response Team, 40,159 posts, Montreal, QC, Canada)

Posted 28 August 2012 - 09:28 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this is fixed.


How to: Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note:
Do not mouse click ComboFix's window while it's running. That may cause it to stall.


Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html


Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Third-party programs, if not up to date, can be the cause of infiltration of an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A logfile will automatically open after the scan has finished.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.

Please post the logs for my review.

Please let me know what problem persists.

#3 Xzinn (Topic Starter, Members, 17 posts)

Posted 28 August 2012 - 01:16 PM

Combofix:

ComboFix 12-08-28.02 - Robbie 28/08/2012 19:00:47.1.8 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.8169.6598 [GMT 1:00]
Running from: c:\users\Robbie\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-07-28 to 2012-08-28 )))))))))))))))))))))))))))))))
.
.
2012-08-28 18:02 . 2012-08-28 18:02 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-08-28 18:02 . 2012-08-28 18:02 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-28 11:54 . 2012-08-01 22:58 9309624 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{6CFC1885-62AB-45C6-9D6E-7CBE7E99E444}\mpengine.dll
2012-08-26 17:06 . 2012-08-26 17:06 -------- d-----w- c:\program files (x86)\ESET
2012-08-26 11:13 . 2012-08-28 18:03 -------- d-----w- c:\users\Robbie\AppData\Local\LogMeIn Hamachi
2012-08-26 11:13 . 2012-08-26 11:13 -------- d-----w- c:\program files (x86)\LogMeIn Hamachi
2012-08-25 13:47 . 2012-08-26 22:17 -------- d-----w- c:\users\Robbie\AppData\Roaming\Skype
2012-08-25 13:47 . 2012-08-25 13:47 -------- d-----w- c:\program files (x86)\Common Files\Skype
2012-08-25 13:47 . 2012-08-25 13:47 -------- d-----r- c:\program files (x86)\Skype
2012-08-25 13:47 . 2012-08-25 13:47 -------- d-----w- c:\programdata\Skype
2012-08-25 12:29 . 2012-08-25 12:32 -------- d-----w- c:\users\Robbie\AppData\Roaming\Notepad++
2012-08-25 12:29 . 2012-08-25 12:29 -------- d-----w- c:\program files (x86)\Notepad++
2012-08-24 15:11 . 2012-08-24 15:11 -------- d-----w- c:\users\Robbie\AppData\Local\ElevatedDiagnostics
2012-08-21 22:35 . 2010-02-23 08:16 294912 ----a-w- c:\windows\system32\browserchoice.exe
2012-08-21 22:34 . 2012-08-21 22:34 -------- d-----w- c:\windows\SysWow64\Wat
2012-08-21 22:34 . 2012-08-21 22:34 -------- d-----w- c:\windows\system32\Wat
2012-08-21 15:23 . 2012-08-21 15:23 -------- d-----w- c:\program files (x86)\Microsoft.NET
2012-08-19 17:52 . 2012-08-28 12:21 -------- d-----w- c:\users\Robbie\AppData\Roaming\.techniclauncher
2012-08-18 18:51 . 2012-08-18 18:51 -------- d-----w- c:\program files\CPUID
2012-08-15 13:36 . 2012-05-05 08:36 503808 ----a-w- c:\windows\system32\srcore.dll
2012-08-15 13:36 . 2012-05-05 07:46 43008 ----a-w- c:\windows\SysWow64\srclient.dll
2012-08-15 13:35 . 2012-02-11 06:43 751104 ----a-w- c:\windows\system32\win32spl.dll
2012-08-15 13:35 . 2012-02-11 06:36 559104 ----a-w- c:\windows\system32\spoolsv.exe
2012-08-15 13:35 . 2012-02-11 06:36 67072 ----a-w- c:\windows\splwow64.exe
2012-08-15 13:35 . 2012-02-11 05:43 492032 ----a-w- c:\windows\SysWow64\win32spl.dll
2012-08-15 13:30 . 2012-07-04 22:16 73216 ----a-w- c:\windows\system32\netapi32.dll
2012-08-15 13:30 . 2012-07-04 22:13 59392 ----a-w- c:\windows\system32\browcli.dll
2012-08-15 13:30 . 2012-07-04 22:13 136704 ----a-w- c:\windows\system32\browser.dll
2012-08-15 13:30 . 2012-07-04 21:14 41984 ----a-w- c:\windows\SysWow64\browcli.dll
2012-08-15 13:29 . 2012-07-18 18:15 3148800 ----a-w- c:\windows\system32\win32k.sys
2012-08-15 13:29 . 2012-05-14 05:26 956928 ----a-w- c:\windows\system32\localspl.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-15 16:09 . 2012-06-24 19:29 62134624 ----a-w- c:\windows\system32\MRT.exe
2012-08-14 18:39 . 2012-07-20 09:09 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-08-14 18:39 . 2012-07-04 12:45 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-19 10:46 . 2012-07-19 10:46 189248 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
2012-07-19 10:46 . 2012-07-19 10:46 75136 ----a-w- c:\windows\SysWow64\PnkBstrA.exe
2012-07-09 13:50 . 2012-07-09 13:50 955840 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-07-09 13:50 . 2012-07-09 13:50 839096 ----a-w- c:\windows\system32\deployJava1.dll
2012-07-09 13:50 . 2012-07-09 13:50 268720 ----a-w- c:\windows\system32\javaws.exe
2012-07-09 13:50 . 2012-07-09 13:50 189360 ----a-w- c:\windows\system32\javaw.exe
2012-07-09 13:50 . 2012-07-09 13:50 188840 ----a-w- c:\windows\system32\java.exe
2012-06-24 19:27 . 2012-06-24 19:27 91648 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2012-06-24 19:27 . 2012-06-24 19:27 89088 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2012-06-24 19:27 . 2012-06-24 19:27 89088 ----a-w- c:\windows\system32\ie4uinit.exe
2012-06-24 19:27 . 2012-06-24 19:27 86528 ----a-w- c:\windows\SysWow64\iesysprep.dll
2012-06-24 19:27 . 2012-06-24 19:27 85504 ----a-w- c:\windows\system32\iesetup.dll
2012-06-24 19:27 . 2012-06-24 19:27 82432 ----a-w- c:\windows\system32\icardie.dll
2012-06-24 19:27 . 2012-06-24 19:27 76800 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe
2012-06-24 19:27 . 2012-06-24 19:27 76800 ----a-w- c:\windows\system32\tdc.ocx
2012-06-24 19:27 . 2012-06-24 19:27 74752 ----a-w- c:\windows\SysWow64\RegisterIEPKEYs.exe
2012-06-24 19:27 . 2012-06-24 19:27 74752 ----a-w- c:\windows\SysWow64\iesetup.dll
2012-06-24 19:27 . 2012-06-24 19:27 697344 ----a-w- c:\windows\system32\msfeeds.dll
2012-06-24 19:27 . 2012-06-24 19:27 65024 ----a-w- c:\windows\system32\pngfilt.dll
2012-06-24 19:27 . 2012-06-24 19:27 63488 ----a-w- c:\windows\SysWow64\tdc.ocx
2012-06-24 19:27 . 2012-06-24 19:27 603648 ----a-w- c:\windows\system32\vbscript.dll
2012-06-24 19:27 . 2012-06-24 19:27 55296 ----a-w- c:\windows\system32\msfeedsbs.dll
2012-06-24 19:27 . 2012-06-24 19:27 534528 ----a-w- c:\windows\system32\ieapfltr.dll
2012-06-24 19:27 . 2012-06-24 19:27 49664 ----a-w- c:\windows\system32\imgutil.dll
2012-06-24 19:27 . 2012-06-24 19:27 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll
2012-06-24 19:27 . 2012-06-24 19:27 48640 ----a-w- c:\windows\system32\mshtmler.dll
2012-06-24 19:27 . 2012-06-24 19:27 452608 ----a-w- c:\windows\system32\dxtmsft.dll
2012-06-24 19:27 . 2012-06-24 19:27 448512 ----a-w- c:\windows\system32\html.iec
2012-06-24 19:27 . 2012-06-24 19:27 420864 ----a-w- c:\windows\SysWow64\vbscript.dll
2012-06-24 19:27 . 2012-06-24 19:27 403248 ----a-w- c:\windows\system32\iedkcs32.dll
2012-06-24 19:27 . 2012-06-24 19:27 39936 ----a-w- c:\windows\system32\iernonce.dll
2012-06-24 19:27 . 2012-06-24 19:27 3695416 ----a-w- c:\windows\system32\ieapfltr.dat
2012-06-24 19:27 . 2012-06-24 19:27 367104 ----a-w- c:\windows\SysWow64\html.iec
2012-06-24 19:27 . 2012-06-24 19:27 35840 ----a-w- c:\windows\SysWow64\imgutil.dll
2012-06-24 19:27 . 2012-06-24 19:27 30720 ----a-w- c:\windows\system32\licmgr10.dll
2012-06-24 19:27 . 2012-06-24 19:27 282112 ----a-w- c:\windows\system32\dxtrans.dll
2012-06-24 19:27 . 2012-06-24 19:27 267776 ----a-w- c:\windows\system32\ieaksie.dll
2012-06-24 19:27 . 2012-06-24 19:27 249344 ----a-w- c:\windows\system32\webcheck.dll
2012-06-24 19:27 . 2012-06-24 19:27 23552 ----a-w- c:\windows\SysWow64\licmgr10.dll
2012-06-24 19:27 . 2012-06-24 19:27 222208 ----a-w- c:\windows\system32\msls31.dll
2012-06-24 19:27 . 2012-06-24 19:27 197120 ----a-w- c:\windows\system32\msrating.dll
2012-06-24 19:27 . 2012-06-24 19:27 165888 ----a-w- c:\windows\system32\iexpress.exe
2012-06-24 19:27 . 2012-06-24 19:27 163840 ----a-w- c:\windows\system32\ieakui.dll
2012-06-24 19:27 . 2012-06-24 19:27 161792 ----a-w- c:\windows\SysWow64\msls31.dll
2012-06-24 19:27 . 2012-06-24 19:27 160256 ----a-w- c:\windows\system32\wextract.exe
2012-06-24 19:27 . 2012-06-24 19:27 160256 ----a-w- c:\windows\system32\ieakeng.dll
2012-06-24 19:27 . 2012-06-24 19:27 152064 ----a-w- c:\windows\SysWow64\wextract.exe
2012-06-24 19:27 . 2012-06-24 19:27 150528 ----a-w- c:\windows\SysWow64\iexpress.exe
2012-06-24 19:27 . 2012-06-24 19:27 149504 ----a-w- c:\windows\system32\occache.dll
2012-06-24 19:27 . 2012-06-24 19:27 145920 ----a-w- c:\windows\system32\iepeers.dll
2012-06-24 19:27 . 2012-06-24 19:27 135168 ----a-w- c:\windows\system32\IEAdvpack.dll
2012-06-24 19:27 . 2012-06-24 19:27 12288 ----a-w- c:\windows\system32\mshta.exe
2012-06-24 19:27 . 2012-06-24 19:27 11776 ----a-w- c:\windows\SysWow64\mshta.exe
2012-06-24 19:27 . 2012-06-24 19:27 114176 ----a-w- c:\windows\system32\admparse.dll
2012-06-24 19:27 . 2012-06-24 19:27 111616 ----a-w- c:\windows\system32\iesysprep.dll
2012-06-24 19:27 . 2012-06-24 19:27 110592 ----a-w- c:\windows\SysWow64\IEAdvpack.dll
2012-06-24 19:27 . 2012-06-24 19:27 10752 ----a-w- c:\windows\system32\msfeedssync.exe
2012-06-24 19:27 . 2012-06-24 19:27 103936 ----a-w- c:\windows\system32\inseng.dll
2012-06-24 19:27 . 2012-06-24 19:27 101888 ----a-w- c:\windows\SysWow64\admparse.dll
2012-06-09 05:43 . 2012-07-11 14:55 14172672 ----a-w- c:\windows\system32\shell32.dll
2012-06-06 06:06 . 2012-07-11 14:55 2004480 ----a-w- c:\windows\system32\msxml6.dll
2012-06-06 06:06 . 2012-07-11 14:55 1881600 ----a-w- c:\windows\system32\msxml3.dll
2012-06-06 06:02 . 2012-07-11 14:55 1133568 ----a-w- c:\windows\system32\cdosys.dll
2012-06-06 05:05 . 2012-07-11 14:55 1390080 ----a-w- c:\windows\SysWow64\msxml6.dll
2012-06-06 05:05 . 2012-07-11 14:55 1236992 ----a-w- c:\windows\SysWow64\msxml3.dll
2012-06-06 05:03 . 2012-07-11 14:55 805376 ----a-w- c:\windows\SysWow64\cdosys.dll
2012-06-02 22:19 . 2012-06-23 14:41 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-23 14:41 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-23 14:41 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-23 14:41 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-23 14:41 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:15 . 2012-06-23 14:41 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-23 14:41 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 14:19 . 2012-06-23 14:41 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 14:15 . 2012-06-23 14:41 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 05:50 . 2012-07-11 14:55 458704 ----a-w- c:\windows\system32\drivers\cng.sys
2012-06-02 05:48 . 2012-07-11 14:55 95600 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-06-02 05:48 . 2012-07-11 14:55 151920 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-06-02 05:45 . 2012-07-11 14:55 340992 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 05:44 . 2012-07-11 14:55 307200 ----a-w- c:\windows\system32\ncrypt.dll
2012-06-02 04:40 . 2012-07-11 14:55 22016 ----a-w- c:\windows\SysWow64\secur32.dll
2012-06-02 04:40 . 2012-07-11 14:55 225280 ----a-w- c:\windows\SysWow64\schannel.dll
2012-06-02 04:39 . 2012-07-11 14:55 219136 ----a-w- c:\windows\SysWow64\ncrypt.dll
2012-06-02 04:34 . 2012-07-11 14:55 96768 ----a-w- c:\windows\SysWow64\sspicli.dll
2012-05-31 11:25 . 2010-11-21 03:27 279656 ------w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files (x86)\Steam\steam.exe" [2012-08-14 1353080]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"NUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-11-17 113288]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2011-04-29 284440]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
"LogMeIn Hamachi Ui"="c:\program files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" [2012-02-07 1987976]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Hotkey.lnk - c:\program files (x86)\Hotkey\Hotkey.exe [2011-2-16 3077120]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-04-29 13592]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-05-15 1262400]
R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-02-01 2656280]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-14 250056]
R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [2010-10-19 340240]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-08-21 1255736]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files (x86)\LogMeIn Hamachi\hamachi-2.exe [2012-02-07 2343816]
S2 PowerBiosServer;PowerBiosServer;c:\program files (x86)\Hotkey\PowerBiosServer.exe [2011-02-15 33792]
S2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-07-13 160944]
S3 itecir;ITECIR Infrared Receiver;c:\windows\system32\DRIVERS\itecir.sys [2010-07-13 69736]
S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [2011-06-22 174680]
S3 JME;JMicron Ethernet Adapter NDIS6.20 Driver (Amd64 Bits);c:\windows\system32\DRIVERS\JME.sys [2011-01-14 132624]
S3 MEIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2010-10-19 56344]
S3 NETwNs64;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETwNs64.sys [2010-10-18 8153088]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [2010-11-19 80384]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [2010-11-19 181248]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [2012-04-18 188736]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-14 17920]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-28 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-20 18:39]
.
2012-08-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1747116624-2150148926-3377438100-1000Core.job
- c:\users\Robbie\AppData\Local\Google\Update\GoogleUpdate.exe [2012-06-23 14:43]
.
2012-08-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1747116624-2150148926-3377438100-1000UA.job
- c:\users\Robbie\AppData\Local\Google\Update\GoogleUpdate.exe [2012-06-23 14:43]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-02-11 11776104]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2010-10-19 1931024]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2009-10-01 825184]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
AddRemove-BattlEye A2 Free - c:\program files (x86)\steam\steamapps\common\arma 2 freeBattlEye\UnInstallBE.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash9e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.9"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash9e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash9e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash9e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil9e.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\LocalServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil9e.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}]
@Denied: (A 2) (Everyone)
@="IFlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SysWOW64\PnkBstrA.exe
.
**************************************************************************
.
Completion time: 2012-08-28 19:05:11 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-28 18:05
.
Pre-Run: 319,566,671,872 bytes free
Post-Run: 319,627,403,264 bytes free
.
- - End Of File - - 88EE5BA9F4645E57EF91D69D3309A3C0

checkup.txt :


Results of screen317's Security Check version 0.99.48
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
JavaFX 2.1.1
Java™ 7 Update 5
Java version out of Date!
Adobe Flash Player 11.3.300.271 Flash Player out of Date!
Google Chrome 21.0.1180.79
Google Chrome 21.0.1180.83
````````Process Check: objlist.exe by Laurent````````
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 23% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````

Adwcleaner :


# AdwCleaner v1.801 - Logfile created 08/28/2012 at 19:10:42
# Updated 14/08/2012 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : Robbie - ROBBIE-PC
# Boot Mode : Normal
# Running from : C:\Users\Robbie\Desktop\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****


***** [Registre - GUID] *****


***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

-\\ Google Chrome v21.0.1180.83

File : C:\Users\Robbie\AppData\Local\Google\Chrome\User Data\Default\Preferences

Found : "description": "The fastest way to search the web.",

*************************

AdwCleaner[R1].txt - [751 octets] - [28/08/2012 19:10:42]

########## EOF - C:\AdwCleaner[R1].txt - [878 octets] ##########

#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,159 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:30 AM

Posted 29 August 2012 - 06:57 AM

Nothing suspicious was found.

Secure your system by updating 3rd party programs.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

Check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

If present, remove the old version(s) of Java using the Add/Remove Programs applet.


Java™ 7 Update 5


===

Critical vulnerabilities have been identified in Adobe Flash Player v11.3.300.264 and earlier versions... being exploited in the wild in active targeted attacks...

Get the latest Flash Player

On the top of the page you will be given an opportunity to download the version for your operating system.
Make sure you select appropriate version.

You will also have an option to install the Free! McAfee Security Scan Plus. Un-check the box if you are NOT using McAfee's virus protection software.

For the users of Internet Explorer download version 11.
Flash Player 11 (64 bit)
Flash Player 11 (32 bit)
===

Please let me know what problem persists.

#5 Xzinn

Xzinn
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:04:30 AM

Posted 29 August 2012 - 03:29 PM

The website you recommended actually says that I have the most recent version of Java, and I do not use any browsers other than Chrome (which has "built in" Flash Player, which I don't have the ability to update as far as I know).

I have since deleted the version of Malwarebytes that supposedly had the virus on it, as well as Cheat Engine, which I no longer need. I will try re-downloading Malwarebytes and will see if it is clean. Thank you for your help. Are there any specific utilities you would recommend I use to reduce the risk of an infection? I was wondering, for example, if it would be worth getting some third party firewall software capable of blocking outbound processes (which I'm told the default Windows firewall does not do), for when I am using routers without a firewall. Also, am I good to uninstall the utilities you instructed me to use?

#6 nasdaq

nasdaq

  • Malware Response Team
  • 40,159 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:30 AM

Posted 30 August 2012 - 10:18 AM

I do not use any browsers other than chrome (which has "built in" Flash player, which I don't have the ability to update as far as I know).

Correct.

===

If all is well:

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall
===

Please double click on adwcleaner.exe to run the tool.
Click on Uninstall.
Confirm with Yes.

Delete the other tools we used.

I was wondering for example if it would be worth getting some third party firewall software capable of blocking outbound processes


I do not see any virus protection on your logs. Follow some of the recommendations on the Prevention site.
I tend to go with one manufacturer for the virus and firewall products. If something goes wrong, then you only have one company to blame.


Surf Safely, and Think Prevention!

#7 Xzinn

Xzinn
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:04:30 AM

Posted 01 September 2012 - 05:22 AM

I have re-installed Malwarebytes and the exe file is still detected as a Trojan by Jiangmin on Virus Total. I downloaded it from the Malwarebytes site, so is it just a false positive? Or is it possible that there is something that keeps infecting it whenever I download it?

#8 nasdaq

nasdaq

  • Malware Response Team
  • 40,159 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:30 AM

Posted 01 September 2012 - 07:13 AM

I have re-installed Malwarebytes and the exe file is still detected as a Trojan by Jiangmin on Virus Total. I downloaded it from the Malwarebytes site


Can you post the results from Virus Total?

#9 Xzinn

Xzinn
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:04:30 AM

Posted 01 September 2012 - 11:54 AM

I don't know if I can post anything more helpful than the list of software that scanned it, but I can tell you that Jiangmin was the only one that detected it. The virus name is in the title.

#10 Xzinn

Xzinn
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:04:30 AM

Posted 01 September 2012 - 12:04 PM

Copy+Pasted results:

Engine                 Result              Updated
AhnLab-V3              -                   20120831
AntiVir                -                   20120901
Antiy-AVL              -                   20120831
Avast                  -                   20120901
AVG                    -                   20120901
BitDefender            -                   20120901
ByteHero               -                   20120830
CAT-QuickHeal          -                   20120901
ClamAV                 -                   20120828
Commtouch              -                   20120901
Comodo                 -                   20120901
DrWeb                  -                   20120901
Emsisoft               -                   20120901
eSafe                  -                   20120830
ESET-NOD32             -                   20120831
F-Prot                 -                   20120831
F-Secure               -                   20120901
Fortinet               -                   20120830
GData                  -                   20120901
Ikarus                 -                   20120901
Jiangmin               Trojan/Agent.gzjh   20120901
K7AntiVirus            -                   20120831
Kaspersky              -                   20120901
McAfee                 -                   20120901
McAfee-GW-Edition      -                   20120901
Microsoft              -                   20120901
Norman                 -                   20120831
nProtect               -                   20120901
Panda                  -                   20120901
PCTools                -                   20120901
Rising                 -                   20120831
Sophos                 -                   20120901
SUPERAntiSpyware       -                   20120901
Symantec               -                   20120901
TheHacker              -                   20120830
TotalDefense           -                   20120831
TrendMicro             -                   20120901
TrendMicro-HouseCall   -                   20120901
VBA32                  -                   20120901
VIPRE                  -                   20120901
ViRobot                -                   20120901
VirusBuster            -                   20120831
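The pasted results above are a flattened engine/result/date list in which exactly one engine out of 42 flags the file, with a generic-looking name. The following Python is an added example (not code from the thread, from VirusTotal or from Malwarebytes) that parses a paste in that shape, counts the detecting engines and applies a simple triage heuristic: a single detection with a generic family name (Agent, Gen, Heur and similar) is treated as a probable false positive that should be confirmed by hashing the file, rather than as an infection. The `SAMPLE_PASTE` fixture is constructed here in the same layout; only the Jiangmin entry is taken from the thread. The marker list and the `threshold` of three engines are my own assumptions, not VirusTotal policy.

```python
"""Summarise a copy-pasted VirusTotal engine list (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the same shape as the paste in the thread: engine name,
# result ("-" means no detection) and signature date, one per line, separated by
# blank lines. Only the Jiangmin entry is copied from the thread.
SAMPLE_PASTE = """
AhnLab-V3

-

20120831



Jiangmin

Trojan/Agent.gzjh

20120901



Kaspersky

-

20120901
"""

DATE_RE = re.compile(r"^\d{8}$")

# Fragments that usually mark a generic or heuristic detection name rather than a
# signature for a specific family (assumption: a reasonable but incomplete list).
GENERIC_MARKERS = ("agent", "gen", "heur", "suspicious", "unsafe")


@dataclass
class EngineResult:
    engine: str
    result: Optional[str]  # None when the engine reported "-"
    updated: str           # signature date, YYYYMMDD


def parse_results(text: str) -> List[EngineResult]:
    """Turn the flattened paste back into (engine, result, date) records."""
    tokens = [line.strip() for line in text.splitlines() if line.strip()]
    if len(tokens) % 3:
        raise ValueError("paste is not a whole number of engine/result/date triples")
    records = []
    for i in range(0, len(tokens), 3):
        engine, result, updated = tokens[i:i + 3]
        if not DATE_RE.match(updated):
            raise ValueError(f"expected a YYYYMMDD date after {engine!r}, got {updated!r}")
        records.append(EngineResult(engine, None if result == "-" else result, updated))
    return records


def triage(results: List[EngineResult], threshold: int = 3) -> Dict[str, object]:
    """Heuristic verdict: how many engines flag the file, and do the names look generic?"""
    hits = [r for r in results if r.result]
    generic_only = bool(hits) and all(
        any(m in r.result.lower() for m in GENERIC_MARKERS) for r in hits
    )
    if not hits:
        verdict = "clean"
    elif len(hits) < threshold and generic_only:
        verdict = "probable false positive"
    elif len(hits) < threshold:
        verdict = "low confidence"
    else:
        verdict = "likely malicious"
    return {
        "engines": len(results),
        "detections": len(hits),
        "detecting": {r.engine: r.result for r in hits},
        "verdict": verdict,
    }


if __name__ == "__main__":
    summary = triage(parse_results(SAMPLE_PASTE))
    print(f"{summary['detections']}/{summary['engines']} engines flagged the file: "
          f"{summary['detecting']} -> {summary['verdict']}")
```

The verdict is only a prioritisation aid: it tells you whether a detection is worth escalating, not whether the file is safe. The decisive check for "the vendor's download keeps getting infected" is comparing the SHA-256 of the local file with the hash VirusTotal reports for the upload.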

#11 nasdaq

nasdaq

  • Malware Response Team
  • 40,159 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:30 AM

Posted 02 September 2012 - 08:14 AM

Nothing there.

Can you give me the link to the Virus Total scan?

#12 Xzinn

Xzinn
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:04:30 AM

Posted 02 September 2012 - 03:47 PM

Here is the link:

https://www.virustotal.com/file/f24885b8fa4a29f06332ad38e93a431ad0231551140991a1af64a7334f00cb3b/analysis/1346618779/

And amongst the posted text, on one of the lines a virus is pointed out (the one in the title). It's under the 6th hit if you search for Jiangmin on this page.

Edited by Xzinn, 02 September 2012 - 03:49 PM.


#13 nasdaq

nasdaq

  • Malware Response Team
  • 40,159 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:30 AM

Posted 03 September 2012 - 08:09 AM

Let's have a look.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


#14 Xzinn

Xzinn
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:04:30 AM

Posted 03 September 2012 - 10:54 AM

It has not found anything. Have you got Malwarebytes installed, and if so have you tried it on Virus Total?

#15 nasdaq

nasdaq

  • Malware Response Team
  • 40,159 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:30 AM

Posted 03 September 2012 - 01:04 PM

Let's check your version of the Malwarebytes.exe file.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


If your operating system is 64 bit download this tool:
SystemLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:


    :filefind
    Malwarebytes.exe

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
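SystemLook's `:filefind` lists every file on disk with the given name. The check that settles the poster's question is one step further: hash each copy and compare it with the SHA-256 that appears in the VirusTotal link posted earlier in the thread, because a local copy with that hash is byte for byte the file VirusTotal scanned, so the detection concerns the vendor's own build rather than something altered on this machine. The Python below is an added example (not SystemLook, not code from the thread) that walks the given roots, matches the file name case-insensitively and reports each copy's SHA-256 against the expected value. `VT_SHA256` is copied from the thread's link; the Windows root directories in the `__main__` block and the `demo_on_constructed_tree` fixture (a temporary directory with two constructed files) are assumptions of this example.

```python
"""Find every copy of a named file under given roots and compare its SHA-256
(added example, not part of the thread or of SystemLook)."""
import hashlib
import os
import tempfile
from typing import List, Tuple

# SHA-256 from the VirusTotal link posted earlier in the thread: a local copy that
# hashes to this value is byte for byte the file VirusTotal analysed.
VT_SHA256 = "f24885b8fa4a29f06332ad38e93a431ad0231551140991a1af64a7334f00cb3b"


def sha256_of(path: str) -> str:
    """Stream the file in 1 MiB chunks so large installers need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def find_copies(roots: List[str], name: str) -> List[str]:
    """Case-insensitive filename match, like SystemLook's :filefind, under each root.
    os.walk ignores unreadable directories by default (onerror=None), so a
    permission error on one folder does not abort the whole search."""
    wanted = name.lower()
    found = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            found.extend(os.path.join(dirpath, fn) for fn in files if fn.lower() == wanted)
    return sorted(found)


def check_copies(roots: List[str], name: str, expected: str) -> List[Tuple[str, str, bool]]:
    """(path, sha256, matches_expected) for every copy found; unreadable files are skipped."""
    rows = []
    for path in find_copies(roots, name):
        try:
            digest = sha256_of(path)
        except OSError:
            continue
        rows.append((path, digest, digest == expected.lower()))
    return rows


def demo_on_constructed_tree() -> List[Tuple[str, str, bool]]:
    """Constructed fixture: a throwaway directory holding two copies of the name,
    one whose bytes hash to the expected value and one that differs."""
    expected = hashlib.sha256(b"abc").hexdigest()
    with tempfile.TemporaryDirectory() as base:
        os.makedirs(os.path.join(base, "nested"))
        with open(os.path.join(base, "Malwarebytes.exe"), "wb") as f:
            f.write(b"abc")
        with open(os.path.join(base, "nested", "MALWAREBYTES.EXE"), "wb") as f:
            f.write(b"not the same bytes")
        rows = check_copies([base], "Malwarebytes.exe", expected)
    return [(os.path.relpath(p, base), d, ok) for p, d, ok in rows]


if __name__ == "__main__":
    # Assumed search roots for a real Windows run; the demo uses a temp tree instead.
    roots = ([r"C:\Program Files", r"C:\Program Files (x86)", os.path.expanduser("~")]
             if os.name == "nt" else [os.path.expanduser("~")])
    for path, digest, same in check_copies(roots, "Malwarebytes.exe", VT_SHA256):
        print(f"{'MATCH  ' if same else 'DIFFERS'} {digest} {path}")
```

A row marked MATCH means the local file is the exact upload behind the VirusTotal link, so the single-engine result should be raised with the vendor as a false positive; a DIFFERS row for a file the user believes came from the vendor's site is the case worth investigating further.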



