Trojan.Ransom


  • This topic is locked
10 replies to this topic

#1 bberger2

bberger2

  • Members
  • 9 posts

Posted 19 November 2012 - 08:44 AM

Hello,

I am running Windows 7 on an HP computer. Friday, I had an issue where I clicked a website and control of my computer was lost to an FBI hijack virus that showed the entire screen as a message and demanded a $200 ransom. I was able to start the computer in safe mode and get Malwarebytes installed, run a scan, and regain access to my computer via normal startup (log below). After reading this post, http://www.computerhope.com/forum/index.php?topic=133003.0, I ran ComboFix (log below). Now IE8 and most programs have to be run as administrator and I am getting the error "C:\program files\internet explorer\iexplorer.exe Illegal operation attempted on a registry key that has been marked for deletion." every time I try to open something. I'm not sure what the issue is, but I know the original Malwarebytes scan found an issue with HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WindowsLoad, so I'm guessing it's related. Please let me know how to proceed so that the problem is permanently fixed.


Thanks,
Brandon


------------------MALWAREBYTES--------------------
Malwarebytes Anti-Malware (Trial) 1.65.1.1000
www.malwarebytes.org

Database version: v2012.11.16.09

Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)
Internet Explorer 9.0.8112.16421
Brandon Berger :: ABR6 [administrator]

Protection: Disabled

11/16/2012 2:42:44 PM
mbam-log-2012-11-16 (14-42-44).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 309252
Time elapsed: 15 minute(s), 49 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 4
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|SonyAgent (Trojan.Lameshield) -> Data: C:\Windows\Temp\temp59.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Micrcsoft Updater (Trojan.Ransom) -> Data: "c:\users\brandon berger\appdata\local\temp\tmp7b6e30cc\setex.exe" -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (PUM.UserWLoad) -> Data: C:\Users\BRANDO~1\LOCALS~1\Temp\msbfuwyv.scr -> Delete on reboot.
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (Trojan.Ransom) -> Data: C:\Users\BRANDO~1\LOCALS~1\Temp\msbfuwyv.scr -> Delete on reboot.

Registry Data Items Detected: 1
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (Trojan.Ransom) -> Bad: (C:\Users\BRANDO~1\LOCALS~1\Temp\msbfuwyv.scr) Good: () -> Delete on reboot.

Folders Detected: 0
(No malicious items detected)

Files Detected: 16
C:\Windows\Temp\temp59.exe (Trojan.Lameshield) -> Quarantined and deleted successfully.
C:\Users\Brandon Berger\AppData\Local\Temp\tmp7b6e30cc\setex.exe (Trojan.Ransom) -> Quarantined and deleted successfully.
C:\Users\Brandon Berger\Local Settings\Temp\msbfuwyv.scr (Trojan.Ransom) -> Quarantined and deleted successfully.
C:\$RECYCLE.BIN\S-1-5-21-1899921444-1046565913-4080722315-1001\$34a487373f866d82b8646ff531a9996d\n (Trojan.0Access) -> Delete on reboot.
C:\$RECYCLE.BIN\S-1-5-21-1899921444-1046565913-4080722315-1001\$34a487373f866d82b8646ff531a9996d\U\00000001.@ (Trojan.0Access) -> Quarantined and deleted successfully.
C:\$RECYCLE.BIN\S-1-5-21-1899921444-1046565913-4080722315-1001\$34a487373f866d82b8646ff531a9996d\U\80000000.@ (Trojan.0Access) -> Quarantined and deleted successfully.
C:\$RECYCLE.BIN\S-1-5-21-1899921444-1046565913-4080722315-1001\$34a487373f866d82b8646ff531a9996d\U\800000cb.@ (Trojan.0Access) -> Quarantined and deleted successfully.
C:\Program Files (x86)\Derivix\KeyGen.exe (Hacktool.Gen) -> Quarantined and deleted successfully.
C:\Users\Brandon Berger\AppData\Local\Temp\0000f047.exe (Trojan.Ransom) -> Quarantined and deleted successfully.
C:\Users\Brandon Berger\AppData\Local\Temp\04d132db.exe (Trojan.0Access) -> Quarantined and deleted successfully.
C:\Users\Brandon Berger\AppData\Local\Temp\04d1a81a.exe (Trojan.Ransom) -> Quarantined and deleted successfully.
C:\Users\Brandon Berger\AppData\Local\Temp\D264.tmp (Trojan.Ransom) -> Quarantined and deleted successfully.
C:\Users\Brandon Berger\AppData\Local\Temp\msbfuwyv.scr (Trojan.Ransom) -> Quarantined and deleted successfully.
C:\Users\Brandon Berger\AppData\Local\Temp\msimg32.dll (Trojan.0Access) -> Quarantined and deleted successfully.
C:\Users\Brandon Berger\AppData\Local\Temp\msvyosq.com (Trojan.Ransom) -> Quarantined and deleted successfully.
C:\Users\Brandon Berger\AppData\Roaming\C2D8A5\C2D8A5.exe (Trojan.Ransom) -> Quarantined and deleted successfully.

(end)
--------------------------------------

Malwarebytes Anti-Malware (Trial) 1.65.1.1000
www.malwarebytes.org

Database version: v2012.11.17.03

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Brandon Berger :: ABR6 [administrator]

Protection: Enabled

11/19/2012 7:28:59 AM
mbam-log-2012-11-19 (07-28-59).txt

Scan type: Flash scan
Scan options enabled: Memory | Startup | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: Registry | File System | P2P
Objects scanned: 167149
Time elapsed: 12 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (PUM.UserWLoad) -> Data: C:\Users\BRANDO~1\LOCALS~1\Temp\msbfuwyv.scr -> Delete on reboot.
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (Trojan.Ransom) -> Data: C:\Users\BRANDO~1\LOCALS~1\Temp\msbfuwyv.scr -> Delete on reboot.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
-----------------------------------

2012/11/16 15:00:21 -0500 ABR6 (null) MESSAGE Executing scheduled update: Daily
2012/11/16 15:00:21 -0500 ABR6 (null) ERROR Scheduled update failed: Host not found failed with error code 0
2012/11/16 15:00:34 -0500 ABR6 Brandon Berger MESSAGE Starting protection
2012/11/16 15:00:34 -0500 ABR6 Brandon Berger MESSAGE Protection started successfully
2012/11/16 15:00:34 -0500 ABR6 Brandon Berger MESSAGE Starting IP protection
2012/11/16 15:00:35 -0500 ABR6 Brandon Berger MESSAGE IP Protection started successfully
2012/11/16 15:00:51 -0500 ABR6 Brandon Berger DETECTION C:\Users\Brandon Berger\AppData\Local\Temp\tmp45672668\setex.exe Trojan.Ransom QUARANTINE
----------------------------
2012/11/17 11:17:42 -0500 ABR6 Brandon Berger MESSAGE Executing scheduled update: Daily
2012/11/17 11:17:47 -0500 ABR6 Brandon Berger MESSAGE Scheduled update executed successfully: database updated from version v2012.11.16.09 to version v2012.11.17.03
2012/11/17 11:17:47 -0500 ABR6 Brandon Berger MESSAGE Starting database refresh
2012/11/17 11:17:47 -0500 ABR6 Brandon Berger MESSAGE Stopping IP protection
2012/11/17 11:17:47 -0500 ABR6 Brandon Berger MESSAGE IP Protection stopped successfully
2012/11/17 11:17:48 -0500 ABR6 Brandon Berger MESSAGE Database refreshed successfully
2012/11/17 11:17:48 -0500 ABR6 Brandon Berger MESSAGE Starting IP protection
2012/11/17 11:17:48 -0500 ABR6 Brandon Berger MESSAGE IP Protection started successfully
------------------------------------
2012/11/19 07:27:56 -0500 ABR6 Brandon Berger DETECTION C:\Users\Brandon Berger\AppData\Local\Temp\tmp4a347af7\setex.exe Trojan.Ransom QUARANTINE
2012/11/19 07:28:03 -0500 ABR6 Brandon Berger IP-BLOCK 87.255.51.229 (Type: outgoing, Port: 57892, Process: ygdui.exe)
2012/11/19 07:28:11 -0500 ABR6 Brandon Berger IP-BLOCK 87.255.51.229 (Type: outgoing, Port: 57894, Process: ygdui.exe)
2012/11/19 07:28:19 -0500 ABR6 Brandon Berger IP-BLOCK 87.255.51.229 (Type: outgoing, Port: 57897, Process: ygdui.exe)
2012/11/19 07:28:19 -0500 ABR6 Brandon Berger IP-BLOCK 87.255.51.229 (Type: outgoing, Port: 57899, Process: ygdui.exe)
2012/11/19 07:28:27 -0500 ABR6 Brandon Berger IP-BLOCK 87.255.51.229 (Type: outgoing, Port: 57901, Process: ygdui.exe)
2012/11/19 07:28:35 -0500 ABR6 Brandon Berger IP-BLOCK 87.255.51.229 (Type: outgoing, Port: 57903, Process: ygdui.exe)
2012/11/19 07:28:35 -0500 ABR6 Brandon Berger IP-BLOCK 87.255.51.229 (Type: outgoing, Port: 57905, Process: ygdui.exe)
2012/11/19 07:31:47 -0500 ABR6 Brandon Berger IP-BLOCK 87.255.51.229 (Type: outgoing, Port: 57991, Process: ygdui.exe)
2012/11/19 07:31:55 -0500 ABR6 Brandon Berger IP-BLOCK 87.255.51.229 (Type: outgoing, Port: 57999, Process: ygdui.exe)
2012/11/19 07:31:55 -0500 ABR6 Brandon Berger IP-BLOCK 87.255.51.229 (Type: outgoing, Port: 58001, Process: ygdui.exe)
2012/11/19 07:32:03 -0500 ABR6 Brandon Berger IP-BLOCK 87.255.51.229 (Type: outgoing, Port: 58002, Process: ygdui.exe)
2012/11/19 07:32:03 -0500 ABR6 Brandon Berger IP-BLOCK 87.255.51.229 (Type: outgoing, Port: 58003, Process: ygdui.exe)
2012/11/19 07:36:36 -0500 ABR6 Brandon Berger IP-BLOCK 87.255.51.229 (Type: outgoing, Port: 58301, Process: ygdui.exe)
2012/11/19 07:36:44 -0500 ABR6 Brandon Berger IP-BLOCK 87.255.51.229 (Type: outgoing, Port: 58303, Process: ygdui.exe)
2012/11/19 07:36:52 -0500 ABR6 Brandon Berger IP-BLOCK 87.255.51.229 (Type: outgoing, Port: 58305, Process: ygdui.exe)
2012/11/19 07:36:52 -0500 ABR6 Brandon Berger IP-BLOCK 87.255.51.229 (Type: outgoing, Port: 58307, Process: ygdui.exe)
2012/11/19 07:37:00 -0500 ABR6 Brandon Berger IP-BLOCK 87.255.51.229 (Type: outgoing, Port: 58309, Process: ygdui.exe)
2012/11/19 07:38:04 -0500 ABR6 Brandon Berger IP-BLOCK 87.255.51.229 (Type: outgoing, Port: 58352, Process: ygdui.exe)
2012/11/19 07:38:12 -0500 ABR6 Brandon Berger IP-BLOCK 87.255.51.229 (Type: outgoing, Port: 58353, Process: ygdui.exe)
2012/11/19 07:38:20 -0500 ABR6 Brandon Berger IP-BLOCK 87.255.51.229 (Type: outgoing, Port: 58356, Process: ygdui.exe)
2012/11/19 07:38:20 -0500 ABR6 Brandon Berger IP-BLOCK 87.255.51.229 (Type: outgoing, Port: 58358, Process: ygdui.exe)
2012/11/19 07:38:28 -0500 ABR6 Brandon Berger IP-BLOCK 87.255.51.229 (Type: outgoing, Port: 58359, Process: ygdui.exe)
2012/11/19 07:44:29 -0500 ABR6 Brandon Berger IP-BLOCK 87.255.51.229 (Type: outgoing, Port: 58404, Process: ygdui.exe)
2012/11/19 07:44:29 -0500 ABR6 Brandon Berger IP-BLOCK 87.255.51.229 (Type: outgoing, Port: 58405, Process: ygdui.exe)
2012/11/19 07:44:37 -0500 ABR6 Brandon Berger IP-BLOCK 87.255.51.229 (Type: outgoing, Port: 58406, Process: ygdui.exe)
2012/11/19 07:44:45 -0500 ABR6 Brandon Berger IP-BLOCK 87.255.51.229 (Type: outgoing, Port: 58407, Process: ygdui.exe)
2012/11/19 07:44:45 -0500 ABR6 Brandon Berger IP-BLOCK 87.255.51.229 (Type: outgoing, Port: 58408, Process: ygdui.exe)
2012/11/19 07:45:01 -0500 ABR6 Brandon Berger IP-BLOCK 87.255.51.229 (Type: outgoing, Port: 58410, Process: ygdui.exe)
2012/11/19 07:45:01 -0500 ABR6 Brandon Berger IP-BLOCK 87.255.51.229 (Type: outgoing, Port: 58412, Process: ygdui.exe)
2012/11/19 07:45:09 -0500 ABR6 Brandon Berger IP-BLOCK 87.255.51.229 (Type: outgoing, Port: 58414, Process: ygdui.exe)
2012/11/19 07:45:18 -0500 ABR6 Brandon Berger IP-BLOCK 87.255.51.229 (Type: outgoing, Port: 58416, Process: ygdui.exe)
2012/11/19 07:45:18 -0500 ABR6 Brandon Berger IP-BLOCK 87.255.51.229 (Type: outgoing, Port: 58418, Process: ygdui.exe)
2012/11/19 07:51:01 -0500 ABR6 Brandon Berger MESSAGE Stopping protection
2012/11/19 07:51:01 -0500 ABR6 Brandon Berger MESSAGE Protection stopped successfully
2012/11/19 07:51:01 -0500 ABR6 Brandon Berger MESSAGE Stopping IP protection
2012/11/19 07:51:01 -0500 ABR6 Brandon Berger MESSAGE IP Protection stopped successfully
2012/11/19 08:02:37 -0500 ABR6 Brandon Berger MESSAGE Starting IP protection
2012/11/19 08:02:38 -0500 ABR6 Brandon Berger MESSAGE IP Protection started successfully
2012/11/19 08:02:38 -0500 ABR6 Brandon Berger MESSAGE Starting protection
2012/11/19 08:02:38 -0500 ABR6 Brandon Berger MESSAGE Protection started successfully

-------------END--------------------------------------


----COMBOFIX----------------
ComboFix 12-11-16.02 - Brandon Berger 11/19/2012 7:51.1.8 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.12246.9749 [GMT -5:00]
Running from: c:\users\Brandon Berger\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Thumbs.db
c:\users\Brandon Berger\AppData\Local\Microsoft\Windows\Temporary Internet Files\{084D85CB-B75C-473F-A068-64CED5971E7F}.xps
c:\users\Brandon Berger\AppData\Roaming\Awfe
c:\users\Brandon Berger\AppData\Roaming\Awfe\ygdui.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-10-19 to 2012-11-19 )))))))))))))))))))))))))))))))
.
.
2012-11-19 12:53 . 2012-11-19 12:53 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-11-19 12:46 . 2012-11-19 12:46 -------- d-----w- c:\users\Brandon Berger\AppData\Local\WinZip
2012-11-19 12:42 . 2012-09-25 04:16 95208 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2012-11-16 19:42 . 2012-11-16 19:42 -------- d-----w- c:\users\Brandon Berger\AppData\Roaming\Malwarebytes
2012-11-16 19:42 . 2012-11-16 19:42 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-11-16 19:42 . 2012-11-16 19:42 -------- d-----w- c:\programdata\Malwarebytes
2012-11-16 19:42 . 2012-09-30 00:54 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-11-16 19:07 . 2012-11-19 12:31 -------- d-----w- c:\users\Brandon Berger\AppData\Roaming\Raukqu
2012-11-16 19:07 . 2012-11-16 19:07 -------- d-----w- c:\users\Brandon Berger\AppData\Roaming\Opveby
2012-11-16 12:58 . 2012-11-16 12:59 -------- d-----w- c:\users\Brandon Berger\AppData\Roaming\Bloomberg
2012-11-16 07:41 . 2012-10-12 07:19 9291768 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{2BCFA0AF-29AC-492D-A8AF-3BE0A51E4B67}\mpengine.dll
2012-11-16 03:44 . 2012-11-16 20:17 -------- d-----w- c:\users\Brandon Berger\AppData\Local\Bloomberg
2012-11-15 21:52 . 2012-11-15 21:52 -------- d-----w- c:\program files\Microsoft Mouse and Keyboard Center
2012-11-15 20:04 . 2010-06-03 15:18 75776 ----a-w- c:\windows\system32\drivers\ATTchWDF.sys
2012-11-15 20:04 . 2009-06-12 19:11 1331200 ----a-w- c:\windows\SysWow64\ATCPanel.cpl
2012-11-15 20:04 . 2008-10-10 18:47 164864 ----a-w- c:\windows\SysWow64\drivers\UNWISE.EXE
2012-11-15 20:03 . 2012-11-15 20:08 -------- d-----w- C:\blp
2012-11-14 08:04 . 2012-07-26 04:55 785512 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
2012-11-14 08:04 . 2012-07-26 04:55 54376 ----a-w- c:\windows\system32\drivers\WdfLdr.sys
2012-11-14 08:04 . 2012-07-26 04:47 2560 ----a-w- c:\windows\system32\drivers\en-US\wdf01000.sys.mui
2012-11-14 08:04 . 2012-07-26 02:36 9728 ----a-w- c:\windows\system32\Wdfres.dll
2012-11-14 08:00 . 2012-07-26 03:08 84992 ----a-w- c:\windows\system32\WUDFSvc.dll
2012-11-14 08:00 . 2012-07-26 03:08 194048 ----a-w- c:\windows\system32\WUDFPlatform.dll
2012-11-14 08:00 . 2012-07-26 02:26 87040 ----a-w- c:\windows\system32\drivers\WUDFPf.sys
2012-11-14 08:00 . 2012-07-26 02:26 198656 ----a-w- c:\windows\system32\drivers\WUDFRd.sys
2012-11-14 08:00 . 2012-07-26 03:08 229888 ----a-w- c:\windows\system32\WUDFHost.exe
2012-11-14 08:00 . 2012-07-26 03:08 744448 ----a-w- c:\windows\system32\WUDFx.dll
2012-11-14 08:00 . 2012-07-26 03:08 45056 ----a-w- c:\windows\system32\WUDFCoinstaller.dll
2012-11-13 15:13 . 2012-11-13 15:13 -------- d-----w- c:\program files (x86)\MimGateway
2012-11-13 15:13 . 2012-11-13 15:13 -------- d-----w- c:\program files (x86)\Pivot Solutions
2012-11-13 14:53 . 2012-11-15 20:54 -------- d-----w- c:\users\Brandon Berger\AppData\Roaming\MimGateway
2012-11-13 14:53 . 2012-11-13 14:53 -------- d-----w- c:\users\Brandon Berger\AppData\Roaming\Pivot Solutions
2012-11-13 13:13 . 2012-11-13 15:12 -------- d-----w- c:\windows\system32\appmgmt
2012-11-12 14:30 . 2012-11-14 08:01 66395536 ----a-w- c:\windows\system32\MRT.exe
2012-11-06 13:05 . 2012-11-06 13:05 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-11-06 13:05 . 2012-11-06 13:05 696760 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-11-06 13:05 . 2012-11-06 13:05 -------- d-----w- c:\windows\system32\Macromed
2012-11-05 16:00 . 2012-11-05 16:00 -------- d-----w- c:\users\Brandon Berger\AppData\Roaming\webex
2012-11-05 15:35 . 2012-11-05 15:35 -------- d-----w- c:\users\Brandon Berger\AppData\Local\ElevatedDiagnostics
2012-11-05 13:35 . 2012-11-05 13:35 -------- d-----w- c:\users\Brandon Berger\AppData\Local\Diagnostics
2012-11-02 20:38 . 2012-11-02 20:38 862664 ----a-w- c:\windows\SysWow64\msvcr110.dll
2012-11-02 20:38 . 2012-11-02 20:38 828872 ----a-w- c:\windows\system32\msvcr110.dll
2012-11-02 20:38 . 2012-11-02 20:38 661448 ----a-w- c:\windows\system32\msvcp110.dll
2012-11-02 20:38 . 2012-11-02 20:38 534480 ----a-w- c:\windows\SysWow64\msvcp110.dll
2012-11-02 20:38 . 2012-11-02 20:38 50856 ----a-w- c:\windows\system32\drivers\point64.sys
2012-11-02 20:38 . 2012-11-02 20:38 354264 ----a-w- c:\windows\system32\vccorlib110.dll
2012-11-02 20:38 . 2012-11-02 20:38 251864 ----a-w- c:\windows\SysWow64\vccorlib110.dll
2012-11-02 02:52 . 2012-11-02 02:52 75928 ----a-w- c:\windows\system32\drivers\dc3d.sys
2012-11-02 02:52 . 2012-11-02 02:52 1795952 ----a-w- c:\windows\system32\WdfCoInstaller01011.dll
2012-10-24 16:48 . 2012-10-24 16:49 -------- d-----w- C:\Derivix installers
2012-10-24 16:41 . 2012-10-24 16:41 -------- d-----w- c:\users\Brandon Berger\AppData\Roaming\Derivix Corp
2012-10-24 16:41 . 2012-10-24 16:41 -------- d-----w- c:\users\Brandon Berger\AppData\Local\Derivix_Corp
2012-10-24 16:33 . 2012-11-16 19:58 -------- d-----w- c:\program files (x86)\Derivix
2012-10-24 16:26 . 2012-11-05 12:47 -------- d-----w- c:\users\Brandon Berger\AppData\Local\LogMeIn Rescue Applet
2012-10-23 13:36 . 2012-10-23 13:36 -------- d-----w- c:\program files (x86)\WEX
2012-10-22 17:12 . 2012-10-29 09:06 -------- d-----w- c:\users\Brandon Berger\AppData\Roaming\DDS
2012-10-22 17:12 . 2012-10-22 17:12 -------- d-----w- c:\program files (x86)\Egar
2012-10-22 17:12 . 2008-06-11 20:02 658432 ----a-w- c:\windows\SysWow64\mscomct2.ocx
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-17 07:14 . 2012-10-17 07:14 91648 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2012-10-17 07:14 . 2012-10-17 07:14 89088 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2012-10-17 07:14 . 2012-10-17 07:14 89088 ----a-w- c:\windows\system32\ie4uinit.exe
2012-10-17 07:14 . 2012-10-17 07:14 86528 ----a-w- c:\windows\SysWow64\iesysprep.dll
2012-10-17 07:14 . 2012-10-17 07:14 85504 ----a-w- c:\windows\system32\iesetup.dll
2012-10-17 07:14 . 2012-10-17 07:14 82432 ----a-w- c:\windows\system32\icardie.dll
2012-10-17 07:14 . 2012-10-17 07:14 76800 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe
2012-10-17 07:14 . 2012-10-17 07:14 76800 ----a-w- c:\windows\system32\tdc.ocx
2012-10-17 07:14 . 2012-10-17 07:14 74752 ----a-w- c:\windows\SysWow64\RegisterIEPKEYs.exe
2012-10-17 07:14 . 2012-10-17 07:14 74752 ----a-w- c:\windows\SysWow64\iesetup.dll
2012-10-17 07:14 . 2012-10-17 07:14 65024 ----a-w- c:\windows\system32\pngfilt.dll
2012-10-17 07:14 . 2012-10-17 07:14 63488 ----a-w- c:\windows\SysWow64\tdc.ocx
2012-10-17 07:14 . 2012-10-17 07:14 55296 ----a-w- c:\windows\system32\msfeedsbs.dll
2012-10-17 07:14 . 2012-10-17 07:14 534528 ----a-w- c:\windows\system32\ieapfltr.dll
2012-10-17 07:14 . 2012-10-17 07:14 49664 ----a-w- c:\windows\system32\imgutil.dll
2012-10-17 07:14 . 2012-10-17 07:14 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll
2012-10-17 07:14 . 2012-10-17 07:14 48640 ----a-w- c:\windows\system32\mshtmler.dll
2012-10-17 07:14 . 2012-10-17 07:14 452608 ----a-w- c:\windows\system32\dxtmsft.dll
2012-10-17 07:14 . 2012-10-17 07:14 448512 ----a-w- c:\windows\system32\html.iec
2012-10-17 07:14 . 2012-10-17 07:14 403248 ----a-w- c:\windows\system32\iedkcs32.dll
2012-10-17 07:14 . 2012-10-17 07:14 39936 ----a-w- c:\windows\system32\iernonce.dll
2012-10-17 07:14 . 2012-10-17 07:14 3695416 ----a-w- c:\windows\system32\ieapfltr.dat
2012-10-17 07:14 . 2012-10-17 07:14 367104 ----a-w- c:\windows\SysWow64\html.iec
2012-10-17 07:14 . 2012-10-17 07:14 35840 ----a-w- c:\windows\SysWow64\imgutil.dll
2012-10-17 07:14 . 2012-10-17 07:14 30720 ----a-w- c:\windows\system32\licmgr10.dll
2012-10-17 07:14 . 2012-10-17 07:14 282112 ----a-w- c:\windows\system32\dxtrans.dll
2012-10-17 07:14 . 2012-10-17 07:14 267776 ----a-w- c:\windows\system32\ieaksie.dll
2012-10-17 07:14 . 2012-10-17 07:14 249344 ----a-w- c:\windows\system32\webcheck.dll
2012-10-17 07:14 . 2012-10-17 07:14 23552 ----a-w- c:\windows\SysWow64\licmgr10.dll
2012-10-17 07:14 . 2012-10-17 07:14 222208 ----a-w- c:\windows\system32\msls31.dll
2012-10-17 07:14 . 2012-10-17 07:14 197120 ----a-w- c:\windows\system32\msrating.dll
2012-10-17 07:14 . 2012-10-17 07:14 165888 ----a-w- c:\windows\system32\iexpress.exe
2012-10-17 07:14 . 2012-10-17 07:14 163840 ----a-w- c:\windows\system32\ieakui.dll
2012-10-17 07:14 . 2012-10-17 07:14 161792 ----a-w- c:\windows\SysWow64\msls31.dll
2012-10-17 07:14 . 2012-10-17 07:14 160256 ----a-w- c:\windows\system32\wextract.exe
2012-10-17 07:14 . 2012-10-17 07:14 160256 ----a-w- c:\windows\system32\ieakeng.dll
2012-10-17 07:14 . 2012-10-17 07:14 152064 ----a-w- c:\windows\SysWow64\wextract.exe
2012-10-17 07:14 . 2012-10-17 07:14 150528 ----a-w- c:\windows\SysWow64\iexpress.exe
2012-10-17 07:14 . 2012-10-17 07:14 149504 ----a-w- c:\windows\system32\occache.dll
2012-10-17 07:14 . 2012-10-17 07:14 145920 ----a-w- c:\windows\system32\iepeers.dll
2012-10-17 07:14 . 2012-10-17 07:14 135168 ----a-w- c:\windows\system32\IEAdvpack.dll
2012-10-17 07:14 . 2012-10-17 07:14 12288 ----a-w- c:\windows\system32\mshta.exe
2012-10-17 07:14 . 2012-10-17 07:14 11776 ----a-w- c:\windows\SysWow64\mshta.exe
2012-10-17 07:14 . 2012-10-17 07:14 114176 ----a-w- c:\windows\system32\admparse.dll
2012-10-17 07:14 . 2012-10-17 07:14 111616 ----a-w- c:\windows\system32\iesysprep.dll
2012-10-17 07:14 . 2012-10-17 07:14 110592 ----a-w- c:\windows\SysWow64\IEAdvpack.dll
2012-10-17 07:14 . 2012-10-17 07:14 10752 ----a-w- c:\windows\system32\msfeedssync.exe
2012-10-17 07:14 . 2012-10-17 07:14 103936 ----a-w- c:\windows\system32\inseng.dll
2012-10-17 07:14 . 2012-10-17 07:14 101888 ----a-w- c:\windows\SysWow64\admparse.dll
2012-10-15 21:35 . 2012-10-15 21:35 821736 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2012-10-15 21:35 . 2012-10-15 21:35 746984 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-10-13 01:16 . 2012-10-13 01:16 296320 ----a-w- c:\windows\system32\drivers\volsnap.sys
2012-10-13 01:16 . 2012-10-13 01:16 902656 ----a-w- c:\windows\system32\d2d1.dll
2012-10-13 01:16 . 2012-10-13 01:16 739840 ----a-w- c:\windows\SysWow64\d2d1.dll
2012-10-13 01:16 . 2012-10-13 01:16 1139200 ----a-w- c:\windows\system32\FntCache.dll
2012-10-13 01:16 . 2012-10-13 01:16 800256 ----a-w- c:\windows\system32\usp10.dll
2012-10-13 01:16 . 2012-10-13 01:16 7680 ----a-w- c:\windows\system32\KBDINTAM.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7680 ----a-w- c:\windows\system32\KBDINMAL.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7680 ----a-w- c:\windows\system32\KBDINDEV.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7680 ----a-w- c:\windows\system32\KBDINBEN.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\SysWow64\KBDINTAM.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\SysWow64\KBDINORI.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\SysWow64\KBDINMAR.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\SysWow64\KBDINMAL.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\SysWow64\KBDINKAN.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\SysWow64\KBDINHIN.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\SysWow64\KBDINDEV.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\SysWow64\KBDINBEN.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\system32\KBDINTEL.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\system32\KBDINPUN.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\system32\KBDINORI.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\system32\KBDINMAR.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\system32\KBDINKAN.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\system32\KBDINHIN.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\system32\KBDINGUJ.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\system32\KBDINEN.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\system32\KBDINBE2.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\system32\KBDINBE1.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\system32\KBDINASA.DLL
2012-10-13 01:16 . 2012-10-13 01:16 6656 ----a-w- c:\windows\SysWow64\KBDINTEL.DLL
2012-10-13 01:16 . 2012-10-13 01:16 6656 ----a-w- c:\windows\SysWow64\KBDINPUN.DLL
2012-10-13 01:16 . 2012-10-13 01:16 6656 ----a-w- c:\windows\SysWow64\KBDINGUJ.DLL
2012-10-13 01:16 . 2012-10-13 01:16 6656 ----a-w- c:\windows\SysWow64\KBDINBE2.DLL
2012-10-13 01:16 . 2012-10-13 01:16 6656 ----a-w- c:\windows\SysWow64\KBDINBE1.DLL
2012-10-13 01:16 . 2012-10-13 01:16 6656 ----a-w- c:\windows\SysWow64\KBDINASA.DLL
2012-10-13 01:16 . 2012-10-13 01:16 626176 ----a-w- c:\windows\SysWow64\usp10.dll
2012-10-13 01:16 . 2012-10-13 01:16 197120 ----a-w- c:\windows\system32\d3d10_1.dll
2012-10-13 01:16 . 2012-10-13 01:16 161792 ----a-w- c:\windows\SysWow64\d3d10_1.dll
2012-10-13 01:16 . 2012-10-13 01:16 70656 ----a-w- c:\windows\SysWow64\fontsub.dll
2012-10-13 01:16 . 2012-10-13 01:16 100864 ----a-w- c:\windows\system32\fontsub.dll
2012-10-13 01:15 . 2012-10-13 01:15 961024 ----a-w- c:\windows\system32\CPFilters.dll
2012-10-13 01:15 . 2012-10-13 01:15 850944 ----a-w- c:\windows\SysWow64\sbe.dll
2012-10-13 01:15 . 2012-10-13 01:15 642048 ----a-w- c:\windows\SysWow64\CPFilters.dll
2012-10-13 01:15 . 2012-10-13 01:15 259072 ----a-w- c:\windows\system32\mpg2splt.ax
2012-10-13 01:15 . 2012-10-13 01:15 199680 ----a-w- c:\windows\SysWow64\mpg2splt.ax
2012-10-13 01:15 . 2012-10-13 01:15 1118720 ----a-w- c:\windows\system32\sbe.dll
2012-10-13 01:14 . 2012-10-13 01:14 359624 ----a-w- c:\windows\system32\drivers\vpcvmm.sys
2012-10-13 01:14 . 2012-10-13 01:14 95232 ----a-w- c:\windows\system32\drivers\vpcusb.sys
2012-10-13 01:14 . 2012-10-13 01:14 936448 ----a-w- c:\windows\system32\vmsal.exe
2012-10-13 01:14 . 2012-10-13 01:14 793600 ----a-w- c:\windows\SysWow64\vmsal.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CLRHost"="c:\blp\API\Office Tools\bbxlcmd.exe" [2012-09-18 273920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IMSS"="c:\program files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe" [2011-01-17 112152]
"PDF Complete"="c:\program files (x86)\PDF Complete\pdfsty.exe" [2010-10-22 895512]
"File Sanitizer"="c:\program files (x86)\Hewlett-Packard\File Sanitizer\CoreShredder.exe" [2011-03-23 12277760]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-09-24 926896]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
2011-03-24 18:33 75320 ----a-w- c:\windows\System32\DeviceNP.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ DPPassFilter scecli
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2011-09-09 86072]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-09-30 676936]
R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-01-17 2656280]
R3 DAMDrv;DAMDrv;c:\windows\system32\DRIVERS\DAMDrv64.sys [2011-03-17 64312]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168]
R3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\SysWOW64\flcdlock.exe [2011-03-24 464440]
R3 HP ProtectTools Service;HP ProtectTools Service;c:\program files (x86)\Hewlett-Packard\2009 Password Filter for HP ProtectTools\PTChangeFilterService.exe [2011-03-15 30776]
R3 IFCoEMP;IFCoEMP;c:\windows\system32\drivers\ifM52x64.sys [2010-08-13 339728]
R3 IFCoEVB;IFCoEVB;c:\windows\system32\drivers\ifP52X64.sys [2010-08-13 65808]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-10-17 1255736]
S0 MfeEpePc;MfeEpePc; ■

S2 HPAuto;HP Auto;c:\program files\Hewlett-Packard\HP Auto\HPAuto.exe [2010-08-06 681528]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-03-28 94264]
S2 HPFSService;File Sanitizer for HP ProtectTools;c:\program files (x86)\Hewlett-Packard\File Sanitizer\HPFSService.exe [2011-03-23 320512]
S2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe [2010-09-22 165032]
S2 jhi_service;Intel® Identity Protection Technology Host Interface Service;c:\program files (x86)\Intel\Services\IPT\jhi_service.exe [2011-02-24 212944]
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-09-30 399432]
S2 McAfee Endpoint Encryption Agent;McAfee Endpoint Encryption Agent;c:\program files\Hewlett-Packard\Drive Encryption\EEAgent\MfeEpeHost.exe [2011-03-29 1318912]
S2 pdfcDispatcher;PDF Document Manager;c:\program files (x86)\PDF Complete\pdfsvc.exe [2010-10-22 1121304]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-10-02 382824]
S2 XobniService;XobniService;c:\program files (x86)\Xobni\XobniService.exe [2011-02-23 56040]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2012-11-02 75928]
S3 FLMckUsb;AuthenTec TruePrint USB Driver for AES 3400, 3500, and 4000 Fingerprint Sensors;c:\windows\system32\DRIVERS\ATTchWDF.sys [2010-06-03 75776]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-09-30 25928]
S3 Point64;Microsoft Mouse and Keyboard Center Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2012-11-02 50856]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys [2008-05-06 14464]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-11-19 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-11-06 13:05]
.
2012-11-19 c:\windows\Tasks\HPCeeScheduleForBrandon Berger.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 05:15]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-11-30 11660904]
"hpsysdrv"="c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 62768]
"MfeEpePcMonitor"="c:\program files\Hewlett-Packard\Drive Encryption\EpePcMonitor.exe" [2011-03-29 200704]
"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2012-10-11 2041192]
"IntelliType Pro"="c:\program files\Microsoft Mouse and Keyboard Center\itype.exe" [2012-11-02 1464944]
"IntelliPoint"="c:\program files\Microsoft Mouse and Keyboard Center\ipoint.exe" [2012-11-02 2076272]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~3\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-Olrox - c:\users\Brandon Berger\AppData\Roaming\Awfe\ygdui.exe
Wow6432Node-HKCU-Run-svñhîst - c:\users\Brandon Berger\appdata\local\temp\0000f047.exe
AddRemove-Bloomberg Keyboard v11.1 - c:\windows\System32\drivers\UNWISE.EXE
AddRemove-{6F44AF95-3CDE-4513-AD3F-6D45F17BF324} - c:\program files (x86)\InstallShield Installation Information\{6F44AF95-3CDE-4513-AD3F-6D45F17BF324}\setup.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\pdfcDispatcher]
"ImagePath"="c:\program files (x86)\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
.
**************************************************************************
.
Completion time: 2012-11-19 07:56:48 - machine was rebooted
ComboFix-quarantined-files.txt 2012-11-19 12:56
.
Pre-Run: 682,990,952,448 bytes free
Post-Run: 682,896,424,960 bytes free
.
- - End Of File - - EDCAA5E4F8CFB238976FA8571250BDA6
---------------------END------------------------------

Edited by bloopie, 19 November 2012 - 09:12 AM.
Mod Edit: Moved to MRT forum. ~bloopie



#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:10:40 PM

Posted 19 November 2012 - 05:47 PM

Reboot the computer and that message should go away.


Re-run ComboFix and allow it to update if it asks to do so, then post the fresh log.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 bberger2

bberger2
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:09:40 PM

Posted 20 November 2012 - 07:59 AM

The messages are gone after a reboot. Please see the re-run ComboFix log below. Let me know how to proceed.

ComboFix 12-11-20.02 - Brandon Berger 11/20/2012 7:52.2.8 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.12246.10399 [GMT -5:00]
Running from: c:\users\Brandon Berger\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-10-20 to 2012-11-20 )))))))))))))))))))))))))))))))
.
.
2012-11-20 12:55 . 2012-11-20 12:55 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-11-19 13:11 . 2012-11-19 13:11 289768 ----a-w- c:\windows\system32\javaws.exe
2012-11-19 13:11 . 2012-11-19 13:11 916456 ----a-w- c:\windows\system32\deployJava1.dll
2012-11-19 13:11 . 2012-11-19 13:11 1034216 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-11-19 13:11 . 2012-11-19 13:11 189416 ----a-w- c:\windows\system32\javaw.exe
2012-11-19 13:11 . 2012-11-19 13:11 108008 ----a-w- c:\windows\system32\WindowsAccessBridge-64.dll
2012-11-19 13:11 . 2012-11-19 13:11 188904 ----a-w- c:\windows\system32\java.exe
2012-11-19 13:11 . 2012-11-19 13:11 -------- d-----w- c:\program files\Java
2012-11-19 13:03 . 2012-11-19 13:03 -------- d-----w- c:\program files (x86)\AuthenTec
2012-11-19 12:46 . 2012-11-19 12:46 -------- d-----w- c:\users\Brandon Berger\AppData\Local\WinZip
2012-11-19 12:42 . 2012-09-25 04:16 95208 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2012-11-16 19:42 . 2012-11-16 19:42 -------- d-----w- c:\users\Brandon Berger\AppData\Roaming\Malwarebytes
2012-11-16 19:42 . 2012-11-16 19:42 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-11-16 19:42 . 2012-11-16 19:42 -------- d-----w- c:\programdata\Malwarebytes
2012-11-16 19:42 . 2012-09-30 00:54 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-11-16 19:07 . 2012-11-19 12:31 -------- d-----w- c:\users\Brandon Berger\AppData\Roaming\Raukqu
2012-11-16 19:07 . 2012-11-16 19:07 -------- d-----w- c:\users\Brandon Berger\AppData\Roaming\Opveby
2012-11-16 12:58 . 2012-11-16 12:59 -------- d-----w- c:\users\Brandon Berger\AppData\Roaming\Bloomberg
2012-11-16 07:41 . 2012-10-12 07:19 9291768 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{2BCFA0AF-29AC-492D-A8AF-3BE0A51E4B67}\mpengine.dll
2012-11-16 03:44 . 2012-11-20 12:44 -------- d-----w- c:\users\Brandon Berger\AppData\Local\Bloomberg
2012-11-15 21:52 . 2012-11-15 21:52 -------- d-----w- c:\program files\Microsoft Mouse and Keyboard Center
2012-11-15 20:04 . 2010-06-03 15:18 75776 ----a-w- c:\windows\system32\drivers\ATTchWDF.sys
2012-11-15 20:04 . 2009-06-12 19:11 1331200 ----a-w- c:\windows\SysWow64\ATCPanel.cpl
2012-11-15 20:04 . 2008-10-10 18:47 164864 ----a-w- c:\windows\SysWow64\drivers\UNWISE.EXE
2012-11-15 20:03 . 2012-11-15 20:08 -------- d-----w- C:\blp
2012-11-14 08:04 . 2012-07-26 04:55 785512 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
2012-11-14 08:04 . 2012-07-26 04:55 54376 ----a-w- c:\windows\system32\drivers\WdfLdr.sys
2012-11-14 08:04 . 2012-07-26 04:47 2560 ----a-w- c:\windows\system32\drivers\en-US\wdf01000.sys.mui
2012-11-14 08:04 . 2012-07-26 02:36 9728 ----a-w- c:\windows\system32\Wdfres.dll
2012-11-14 08:00 . 2012-07-26 03:08 84992 ----a-w- c:\windows\system32\WUDFSvc.dll
2012-11-14 08:00 . 2012-07-26 03:08 194048 ----a-w- c:\windows\system32\WUDFPlatform.dll
2012-11-14 08:00 . 2012-07-26 02:26 87040 ----a-w- c:\windows\system32\drivers\WUDFPf.sys
2012-11-14 08:00 . 2012-07-26 02:26 198656 ----a-w- c:\windows\system32\drivers\WUDFRd.sys
2012-11-14 08:00 . 2012-07-26 03:08 229888 ----a-w- c:\windows\system32\WUDFHost.exe
2012-11-14 08:00 . 2012-07-26 03:08 744448 ----a-w- c:\windows\system32\WUDFx.dll
2012-11-14 08:00 . 2012-07-26 03:08 45056 ----a-w- c:\windows\system32\WUDFCoinstaller.dll
2012-11-13 15:13 . 2012-11-13 15:13 -------- d-----w- c:\program files (x86)\MimGateway
2012-11-13 15:13 . 2012-11-13 15:13 -------- d-----w- c:\program files (x86)\Pivot Solutions
2012-11-13 14:53 . 2012-11-15 20:54 -------- d-----w- c:\users\Brandon Berger\AppData\Roaming\MimGateway
2012-11-13 14:53 . 2012-11-13 14:53 -------- d-----w- c:\users\Brandon Berger\AppData\Roaming\Pivot Solutions
2012-11-13 13:13 . 2012-11-13 15:12 -------- d-----w- c:\windows\system32\appmgmt
2012-11-12 14:30 . 2012-11-14 08:01 66395536 ----a-w- c:\windows\system32\MRT.exe
2012-11-06 13:05 . 2012-11-06 13:05 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-11-06 13:05 . 2012-11-06 13:05 696760 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-11-06 13:05 . 2012-11-06 13:05 -------- d-----w- c:\windows\system32\Macromed
2012-11-05 16:00 . 2012-11-05 16:00 -------- d-----w- c:\users\Brandon Berger\AppData\Roaming\webex
2012-11-05 15:35 . 2012-11-05 15:35 -------- d-----w- c:\users\Brandon Berger\AppData\Local\ElevatedDiagnostics
2012-11-05 13:35 . 2012-11-05 13:35 -------- d-----w- c:\users\Brandon Berger\AppData\Local\Diagnostics
2012-11-02 20:38 . 2012-11-02 20:38 862664 ----a-w- c:\windows\SysWow64\msvcr110.dll
2012-11-02 20:38 . 2012-11-02 20:38 828872 ----a-w- c:\windows\system32\msvcr110.dll
2012-11-02 20:38 . 2012-11-02 20:38 661448 ----a-w- c:\windows\system32\msvcp110.dll
2012-11-02 20:38 . 2012-11-02 20:38 534480 ----a-w- c:\windows\SysWow64\msvcp110.dll
2012-11-02 20:38 . 2012-11-02 20:38 50856 ----a-w- c:\windows\system32\drivers\point64.sys
2012-11-02 20:38 . 2012-11-02 20:38 354264 ----a-w- c:\windows\system32\vccorlib110.dll
2012-11-02 20:38 . 2012-11-02 20:38 251864 ----a-w- c:\windows\SysWow64\vccorlib110.dll
2012-11-02 02:52 . 2012-11-02 02:52 75928 ----a-w- c:\windows\system32\drivers\dc3d.sys
2012-11-02 02:52 . 2012-11-02 02:52 1795952 ----a-w- c:\windows\system32\WdfCoInstaller01011.dll
2012-10-24 16:48 . 2012-10-24 16:49 -------- d-----w- C:\Derivix installers
2012-10-24 16:41 . 2012-10-24 16:41 -------- d-----w- c:\users\Brandon Berger\AppData\Roaming\Derivix Corp
2012-10-24 16:41 . 2012-10-24 16:41 -------- d-----w- c:\users\Brandon Berger\AppData\Local\Derivix_Corp
2012-10-24 16:33 . 2012-11-16 19:58 -------- d-----w- c:\program files (x86)\Derivix
2012-10-24 16:26 . 2012-11-05 12:47 -------- d-----w- c:\users\Brandon Berger\AppData\Local\LogMeIn Rescue Applet
2012-10-23 13:36 . 2012-10-23 13:36 -------- d-----w- c:\program files (x86)\WEX
2012-10-22 17:12 . 2012-10-29 09:06 -------- d-----w- c:\users\Brandon Berger\AppData\Roaming\DDS
2012-10-22 17:12 . 2012-10-22 17:12 -------- d-----w- c:\program files (x86)\Egar
2012-10-22 17:12 . 2008-06-11 20:02 658432 ----a-w- c:\windows\SysWow64\mscomct2.ocx
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-17 07:14 . 2012-10-17 07:14 91648 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2012-10-17 07:14 . 2012-10-17 07:14 89088 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2012-10-17 07:14 . 2012-10-17 07:14 89088 ----a-w- c:\windows\system32\ie4uinit.exe
2012-10-17 07:14 . 2012-10-17 07:14 86528 ----a-w- c:\windows\SysWow64\iesysprep.dll
2012-10-17 07:14 . 2012-10-17 07:14 85504 ----a-w- c:\windows\system32\iesetup.dll
2012-10-17 07:14 . 2012-10-17 07:14 82432 ----a-w- c:\windows\system32\icardie.dll
2012-10-17 07:14 . 2012-10-17 07:14 76800 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe
2012-10-17 07:14 . 2012-10-17 07:14 76800 ----a-w- c:\windows\system32\tdc.ocx
2012-10-17 07:14 . 2012-10-17 07:14 74752 ----a-w- c:\windows\SysWow64\RegisterIEPKEYs.exe
2012-10-17 07:14 . 2012-10-17 07:14 74752 ----a-w- c:\windows\SysWow64\iesetup.dll
2012-10-17 07:14 . 2012-10-17 07:14 65024 ----a-w- c:\windows\system32\pngfilt.dll
2012-10-17 07:14 . 2012-10-17 07:14 63488 ----a-w- c:\windows\SysWow64\tdc.ocx
2012-10-17 07:14 . 2012-10-17 07:14 55296 ----a-w- c:\windows\system32\msfeedsbs.dll
2012-10-17 07:14 . 2012-10-17 07:14 534528 ----a-w- c:\windows\system32\ieapfltr.dll
2012-10-17 07:14 . 2012-10-17 07:14 49664 ----a-w- c:\windows\system32\imgutil.dll
2012-10-17 07:14 . 2012-10-17 07:14 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll
2012-10-17 07:14 . 2012-10-17 07:14 48640 ----a-w- c:\windows\system32\mshtmler.dll
2012-10-17 07:14 . 2012-10-17 07:14 452608 ----a-w- c:\windows\system32\dxtmsft.dll
2012-10-17 07:14 . 2012-10-17 07:14 448512 ----a-w- c:\windows\system32\html.iec
2012-10-17 07:14 . 2012-10-17 07:14 403248 ----a-w- c:\windows\system32\iedkcs32.dll
2012-10-17 07:14 . 2012-10-17 07:14 39936 ----a-w- c:\windows\system32\iernonce.dll
2012-10-17 07:14 . 2012-10-17 07:14 3695416 ----a-w- c:\windows\system32\ieapfltr.dat
2012-10-17 07:14 . 2012-10-17 07:14 367104 ----a-w- c:\windows\SysWow64\html.iec
2012-10-17 07:14 . 2012-10-17 07:14 35840 ----a-w- c:\windows\SysWow64\imgutil.dll
2012-10-17 07:14 . 2012-10-17 07:14 30720 ----a-w- c:\windows\system32\licmgr10.dll
2012-10-17 07:14 . 2012-10-17 07:14 282112 ----a-w- c:\windows\system32\dxtrans.dll
2012-10-17 07:14 . 2012-10-17 07:14 267776 ----a-w- c:\windows\system32\ieaksie.dll
2012-10-17 07:14 . 2012-10-17 07:14 249344 ----a-w- c:\windows\system32\webcheck.dll
2012-10-17 07:14 . 2012-10-17 07:14 23552 ----a-w- c:\windows\SysWow64\licmgr10.dll
2012-10-17 07:14 . 2012-10-17 07:14 222208 ----a-w- c:\windows\system32\msls31.dll
2012-10-17 07:14 . 2012-10-17 07:14 197120 ----a-w- c:\windows\system32\msrating.dll
2012-10-17 07:14 . 2012-10-17 07:14 165888 ----a-w- c:\windows\system32\iexpress.exe
2012-10-17 07:14 . 2012-10-17 07:14 163840 ----a-w- c:\windows\system32\ieakui.dll
2012-10-17 07:14 . 2012-10-17 07:14 161792 ----a-w- c:\windows\SysWow64\msls31.dll
2012-10-17 07:14 . 2012-10-17 07:14 160256 ----a-w- c:\windows\system32\wextract.exe
2012-10-17 07:14 . 2012-10-17 07:14 160256 ----a-w- c:\windows\system32\ieakeng.dll
2012-10-17 07:14 . 2012-10-17 07:14 152064 ----a-w- c:\windows\SysWow64\wextract.exe
2012-10-17 07:14 . 2012-10-17 07:14 150528 ----a-w- c:\windows\SysWow64\iexpress.exe
2012-10-17 07:14 . 2012-10-17 07:14 149504 ----a-w- c:\windows\system32\occache.dll
2012-10-17 07:14 . 2012-10-17 07:14 145920 ----a-w- c:\windows\system32\iepeers.dll
2012-10-17 07:14 . 2012-10-17 07:14 135168 ----a-w- c:\windows\system32\IEAdvpack.dll
2012-10-17 07:14 . 2012-10-17 07:14 12288 ----a-w- c:\windows\system32\mshta.exe
2012-10-17 07:14 . 2012-10-17 07:14 11776 ----a-w- c:\windows\SysWow64\mshta.exe
2012-10-17 07:14 . 2012-10-17 07:14 114176 ----a-w- c:\windows\system32\admparse.dll
2012-10-17 07:14 . 2012-10-17 07:14 111616 ----a-w- c:\windows\system32\iesysprep.dll
2012-10-17 07:14 . 2012-10-17 07:14 110592 ----a-w- c:\windows\SysWow64\IEAdvpack.dll
2012-10-17 07:14 . 2012-10-17 07:14 10752 ----a-w- c:\windows\system32\msfeedssync.exe
2012-10-17 07:14 . 2012-10-17 07:14 103936 ----a-w- c:\windows\system32\inseng.dll
2012-10-17 07:14 . 2012-10-17 07:14 101888 ----a-w- c:\windows\SysWow64\admparse.dll
2012-10-15 21:35 . 2012-10-15 21:35 821736 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2012-10-15 21:35 . 2012-10-15 21:35 746984 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-10-13 01:16 . 2012-10-13 01:16 296320 ----a-w- c:\windows\system32\drivers\volsnap.sys
2012-10-13 01:16 . 2012-10-13 01:16 902656 ----a-w- c:\windows\system32\d2d1.dll
2012-10-13 01:16 . 2012-10-13 01:16 739840 ----a-w- c:\windows\SysWow64\d2d1.dll
2012-10-13 01:16 . 2012-10-13 01:16 1139200 ----a-w- c:\windows\system32\FntCache.dll
2012-10-13 01:16 . 2012-10-13 01:16 800256 ----a-w- c:\windows\system32\usp10.dll
2012-10-13 01:16 . 2012-10-13 01:16 7680 ----a-w- c:\windows\system32\KBDINTAM.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7680 ----a-w- c:\windows\system32\KBDINMAL.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7680 ----a-w- c:\windows\system32\KBDINDEV.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7680 ----a-w- c:\windows\system32\KBDINBEN.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\SysWow64\KBDINTAM.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\SysWow64\KBDINORI.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\SysWow64\KBDINMAR.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\SysWow64\KBDINMAL.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\SysWow64\KBDINKAN.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\SysWow64\KBDINHIN.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\SysWow64\KBDINDEV.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\SysWow64\KBDINBEN.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\system32\KBDINTEL.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\system32\KBDINPUN.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\system32\KBDINORI.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\system32\KBDINMAR.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\system32\KBDINKAN.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\system32\KBDINHIN.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\system32\KBDINGUJ.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\system32\KBDINEN.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\system32\KBDINBE2.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\system32\KBDINBE1.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\system32\KBDINASA.DLL
2012-10-13 01:16 . 2012-10-13 01:16 6656 ----a-w- c:\windows\SysWow64\KBDINTEL.DLL
2012-10-13 01:16 . 2012-10-13 01:16 6656 ----a-w- c:\windows\SysWow64\KBDINPUN.DLL
2012-10-13 01:16 . 2012-10-13 01:16 6656 ----a-w- c:\windows\SysWow64\KBDINGUJ.DLL
2012-10-13 01:16 . 2012-10-13 01:16 6656 ----a-w- c:\windows\SysWow64\KBDINBE2.DLL
2012-10-13 01:16 . 2012-10-13 01:16 6656 ----a-w- c:\windows\SysWow64\KBDINBE1.DLL
2012-10-13 01:16 . 2012-10-13 01:16 6656 ----a-w- c:\windows\SysWow64\KBDINASA.DLL
2012-10-13 01:16 . 2012-10-13 01:16 626176 ----a-w- c:\windows\SysWow64\usp10.dll
2012-10-13 01:16 . 2012-10-13 01:16 197120 ----a-w- c:\windows\system32\d3d10_1.dll
2012-10-13 01:16 . 2012-10-13 01:16 161792 ----a-w- c:\windows\SysWow64\d3d10_1.dll
2012-10-13 01:16 . 2012-10-13 01:16 70656 ----a-w- c:\windows\SysWow64\fontsub.dll
2012-10-13 01:16 . 2012-10-13 01:16 100864 ----a-w- c:\windows\system32\fontsub.dll
2012-10-13 01:15 . 2012-10-13 01:15 961024 ----a-w- c:\windows\system32\CPFilters.dll
2012-10-13 01:15 . 2012-10-13 01:15 850944 ----a-w- c:\windows\SysWow64\sbe.dll
2012-10-13 01:15 . 2012-10-13 01:15 642048 ----a-w- c:\windows\SysWow64\CPFilters.dll
2012-10-13 01:15 . 2012-10-13 01:15 259072 ----a-w- c:\windows\system32\mpg2splt.ax
2012-10-13 01:15 . 2012-10-13 01:15 199680 ----a-w- c:\windows\SysWow64\mpg2splt.ax
2012-10-13 01:15 . 2012-10-13 01:15 1118720 ----a-w- c:\windows\system32\sbe.dll
2012-10-13 01:14 . 2012-10-13 01:14 359624 ----a-w- c:\windows\system32\drivers\vpcvmm.sys
2012-10-13 01:14 . 2012-10-13 01:14 95232 ----a-w- c:\windows\system32\drivers\vpcusb.sys
2012-10-13 01:14 . 2012-10-13 01:14 936448 ----a-w- c:\windows\system32\vmsal.exe
2012-10-13 01:14 . 2012-10-13 01:14 793600 ----a-w- c:\windows\SysWow64\vmsal.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CLRHost"="c:\blp\API\Office Tools\bbxlcmd.exe" [2012-09-18 273920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IMSS"="c:\program files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe" [2011-01-17 112152]
"PDF Complete"="c:\program files (x86)\PDF Complete\pdfsty.exe" [2010-10-22 895512]
"File Sanitizer"="c:\program files (x86)\Hewlett-Packard\File Sanitizer\CoreShredder.exe" [2011-03-23 12277760]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-09-24 926896]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
2011-03-24 18:33 75320 ----a-w- c:\windows\System32\DeviceNP.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ DPPassFilter scecli
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 DAMDrv;DAMDrv;c:\windows\system32\DRIVERS\DAMDrv64.sys [2011-03-17 64312]
R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2012-11-02 75928]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168]
R3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\SysWOW64\flcdlock.exe [2011-03-24 464440]
R3 HP ProtectTools Service;HP ProtectTools Service;c:\program files (x86)\Hewlett-Packard\2009 Password Filter for HP ProtectTools\PTChangeFilterService.exe [2011-03-15 30776]
R3 IFCoEMP;IFCoEMP;c:\windows\system32\drivers\ifM52x64.sys [2010-08-13 339728]
R3 IFCoEVB;IFCoEVB;c:\windows\system32\drivers\ifP52X64.sys [2010-08-13 65808]
R3 Point64;Microsoft Mouse and Keyboard Center Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2012-11-02 50856]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-10-17 1255736]
S0 MfeEpePc;MfeEpePc; [x]
S2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2011-09-09 86072]
S2 HPAuto;HP Auto;c:\program files\Hewlett-Packard\HP Auto\HPAuto.exe [2010-08-06 681528]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-03-28 94264]
S2 HPFSService;File Sanitizer for HP ProtectTools;c:\program files (x86)\Hewlett-Packard\File Sanitizer\HPFSService.exe [2011-03-23 320512]
S2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe [2010-09-22 165032]
S2 jhi_service;Intel® Identity Protection Technology Host Interface Service;c:\program files (x86)\Intel\Services\IPT\jhi_service.exe [2011-02-24 212944]
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-09-30 399432]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-09-30 676936]
S2 McAfee Endpoint Encryption Agent;McAfee Endpoint Encryption Agent;c:\program files\Hewlett-Packard\Drive Encryption\EEAgent\MfeEpeHost.exe [2011-03-29 1318912]
S2 pdfcDispatcher;PDF Document Manager;c:\program files (x86)\PDF Complete\pdfsvc.exe [2010-10-22 1121304]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-10-02 382824]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-01-17 2656280]
S2 XobniService;XobniService;c:\program files (x86)\Xobni\XobniService.exe [2011-02-23 56040]
S3 FLMckUsb;AuthenTec TruePrint USB Driver for AES 3400, 3500, and 4000 Fingerprint Sensors;c:\windows\system32\DRIVERS\ATTchWDF.sys [2010-06-03 75776]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-09-30 25928]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys [2008-05-06 14464]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-11-20 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-11-06 13:05]
.
2012-11-19 c:\windows\Tasks\HPCeeScheduleForBrandon Berger.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 05:15]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-11-30 11660904]
"hpsysdrv"="c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 62768]
"MfeEpePcMonitor"="c:\program files\Hewlett-Packard\Drive Encryption\EpePcMonitor.exe" [2011-03-29 200704]
"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2012-10-11 2041192]
"IntelliType Pro"="c:\program files\Microsoft Mouse and Keyboard Center\itype.exe" [2012-11-02 1464944]
"IntelliPoint"="c:\program files\Microsoft Mouse and Keyboard Center\ipoint.exe" [2012-11-02 2076272]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~3\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-Bloomberg Keyboard v11.1 - c:\windows\System32\drivers\UNWISE.EXE
AddRemove-{6F44AF95-3CDE-4513-AD3F-6D45F17BF324} - c:\program files (x86)\InstallShield Installation Information\{6F44AF95-3CDE-4513-AD3F-6D45F17BF324}\setup.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\pdfcDispatcher]
"ImagePath"="c:\program files (x86)\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-11-20 07:57:16
ComboFix-quarantined-files.txt 2012-11-20 12:57
ComboFix2.txt 2012-11-19 12:56
.
Pre-Run: 683,303,661,568 bytes free
Post-Run: 683,168,198,656 bytes free
.
- - End Of File - - AF3E237D80F6CD2ACC77836A1286ED3C

#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:10:40 PM

Posted 20 November 2012 - 06:40 PM

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Press the WinKey + R to open a run box, type Notepad > click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

Folder::
c:\users\Brandon Berger\AppData\Roaming\Raukqu
c:\users\Brandon Berger\AppData\Roaming\Opveby
	
DirLook::
c:\users\Brandon Berger\AppData\Roaming\Bloomberg
c:\users\Brandon Berger\AppData\Local\Bloomberg

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop; save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT



Download AdwCleaner from here and save it to your desktop.
  • Run AdwCleaner and select Delete
  • Once done it will ask to reboot, allow the reboot
  • On reboot a log will be produced, please attach the content of the log to your next reply


NEXT


  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE, name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
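The CFScript above tells ComboFix to delete two randomly named directories under AppData\Roaming and to look inside the Bloomberg folders, and the "Reg Loading Points" section of the log is where ComboFix lists the autorun entries it found. The following PowerShell triage script is an added example, not part of this thread and not code from ComboFix, Malwarebytes or any other tool named here. It reads the same autorun locations with built-in cmdlets, flags entries whose executable lives in a user-writable profile location, lists recently created directories under AppData\Roaming, and checks whether the two Folder:: targets from the CFScript are still present. It assumes it is run as the affected account, so that `$env:APPDATA` resolves to the `c:\users\Brandon Berger\AppData\Roaming` path in the thread; the function names and the 14-day window are the example's own choices.

```powershell
# Added triage script (not from the thread, ComboFix or Malwarebytes). Run it in an
# elevated PowerShell session before and after the CFScript step to see what the
# cleanup changed. Assumption: the profile paths in the CFScript map to $env:APPDATA
# for the account that was infected.

# Autorun locations corresponding to the "Reg Loading Points" section of the ComboFix log.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Profile locations a standard user can write to without elevation. An autorun entry
# whose executable lives here deserves a second look; legitimately installed software
# mostly runs from Program Files or the Windows directory.
$userWritable = @(
    $env:APPDATA,
    $env:LOCALAPPDATA,
    $env:TEMP,
    (Join-Path $env:USERPROFILE 'Downloads')
) | Where-Object { $_ }

function Get-ImagePath {
    # Reduce a Run-value command line to the executable it launches.
    param([string]$CommandLine)
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($CommandLine -match '^\s*(.+?\.(exe|dll|cpl|scr))(\s|$)') { return $Matches[1] }
    return $CommandLine.Trim()
}

function Get-AutorunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # provider metadata, not registry values
            $image = Get-ImagePath ([string]$prop.Value)
            $inProfile = @($userWritable | Where-Object {
                $image.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase)
            }).Count -gt 0
            [pscustomobject]@{
                Key       = $key
                Name      = $prop.Name
                Image     = $image
                OnDisk    = ($image -ne '') -and (Test-Path -LiteralPath $image)
                InProfile = $inProfile
            }
        }
    }
}

function Get-RecentRoamingDirs {
    # Directories created recently under AppData\Roaming. The two the CFScript removes
    # (Raukqu, Opveby) were created there shortly before the thread was opened.
    param([int]$Days = 14)
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ChildItem -LiteralPath $env:APPDATA -Directory -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -gt $cutoff } |
        Select-Object Name, CreationTime, FullName
}

# The two Folder:: targets from the CFScript; after ComboFix has run both should be absent.
$cfScriptFolders = @("$env:APPDATA\Raukqu", "$env:APPDATA\Opveby")

Get-AutorunEntries | Sort-Object InProfile -Descending | Format-Table -AutoSize
Get-RecentRoamingDirs -Days 14 | Format-Table -AutoSize
foreach ($folder in $cfScriptFolders) {
    $state = if (Test-Path -LiteralPath $folder) { 'STILL PRESENT' } else { 'removed' }
    '{0} : {1}' -f $folder, $state
}
```

An entry with InProfile set to True is not automatically malicious (updaters and some vendor tools legitimately run from AppData), but it is the first thing to compare against the ComboFix log: every Run value ComboFix lists should be accounted for here, and anything pointing into AppData\Roaming with an unfamiliar name is worth raising in the thread before it is deleted. Running the script a second time after the CFScript step shows directly whether the deletions took effect.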


#5 bberger2

bberger2
  • Topic Starter

  • Members
  • 9 posts
  • Local time:09:40 PM

Posted 21 November 2012 - 08:49 AM

Completed, please see the log files below/attached screenshot.

--------------COMBOFIX------------------------------
ComboFix 12-11-21.01 - Brandon Berger 11/21/2012 7:51.3.8 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.12246.9679 [GMT -5:00]
Running from: c:\users\Brandon Berger\Desktop\ComboFix.exe
Command switches used :: c:\users\Brandon Berger\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Brandon Berger\AppData\Roaming\Opveby
c:\users\Brandon Berger\AppData\Roaming\Opveby\vuvy.iws
c:\users\Brandon Berger\AppData\Roaming\Raukqu
c:\users\Brandon Berger\AppData\Roaming\Raukqu\paze.tmp
c:\users\Brandon Berger\AppData\Roaming\Raukqu\paze.ywx
.
.
((((((((((((((((((((((((( Files Created from 2012-10-21 to 2012-11-21 )))))))))))))))))))))))))))))))
.
.
2012-11-21 12:53 . 2012-11-21 12:53 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-11-21 10:37 . 2012-11-21 10:37 76232 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{1D19BCEC-67FB-4BB1-BAE2-0F5A73EFF46A}\offreg.dll
2012-11-20 14:24 . 2012-11-08 17:24 9125352 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{1D19BCEC-67FB-4BB1-BAE2-0F5A73EFF46A}\mpengine.dll
2012-11-19 13:11 . 2012-11-19 13:11 289768 ----a-w- c:\windows\system32\javaws.exe
2012-11-19 13:11 . 2012-11-19 13:11 916456 ----a-w- c:\windows\system32\deployJava1.dll
2012-11-19 13:11 . 2012-11-19 13:11 1034216 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-11-19 13:11 . 2012-11-19 13:11 189416 ----a-w- c:\windows\system32\javaw.exe
2012-11-19 13:11 . 2012-11-19 13:11 108008 ----a-w- c:\windows\system32\WindowsAccessBridge-64.dll
2012-11-19 13:11 . 2012-11-19 13:11 188904 ----a-w- c:\windows\system32\java.exe
2012-11-19 13:11 . 2012-11-19 13:11 -------- d-----w- c:\program files\Java
2012-11-19 13:03 . 2012-11-19 13:03 -------- d-----w- c:\program files (x86)\AuthenTec
2012-11-19 12:46 . 2012-11-19 12:46 -------- d-----w- c:\users\Brandon Berger\AppData\Local\WinZip
2012-11-19 12:42 . 2012-09-25 04:16 95208 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2012-11-16 19:42 . 2012-11-16 19:42 -------- d-----w- c:\users\Brandon Berger\AppData\Roaming\Malwarebytes
2012-11-16 19:42 . 2012-11-16 19:42 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-11-16 19:42 . 2012-11-16 19:42 -------- d-----w- c:\programdata\Malwarebytes
2012-11-16 19:42 . 2012-09-30 00:54 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-11-16 12:58 . 2012-11-16 12:59 -------- d-----w- c:\users\Brandon Berger\AppData\Roaming\Bloomberg
2012-11-16 03:44 . 2012-11-21 04:53 -------- d-----w- c:\users\Brandon Berger\AppData\Local\Bloomberg
2012-11-15 21:52 . 2012-11-15 21:52 -------- d-----w- c:\program files\Microsoft Mouse and Keyboard Center
2012-11-15 20:04 . 2010-06-03 15:18 75776 ----a-w- c:\windows\system32\drivers\ATTchWDF.sys
2012-11-15 20:04 . 2009-06-12 19:11 1331200 ----a-w- c:\windows\SysWow64\ATCPanel.cpl
2012-11-15 20:04 . 2008-10-10 18:47 164864 ----a-w- c:\windows\SysWow64\drivers\UNWISE.EXE
2012-11-15 20:03 . 2012-11-15 20:08 -------- d-----w- C:\blp
2012-11-14 08:04 . 2012-07-26 04:55 785512 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
2012-11-14 08:04 . 2012-07-26 04:55 54376 ----a-w- c:\windows\system32\drivers\WdfLdr.sys
2012-11-14 08:04 . 2012-07-26 04:47 2560 ----a-w- c:\windows\system32\drivers\en-US\wdf01000.sys.mui
2012-11-14 08:04 . 2012-07-26 02:36 9728 ----a-w- c:\windows\system32\Wdfres.dll
2012-11-14 08:00 . 2012-07-26 03:08 84992 ----a-w- c:\windows\system32\WUDFSvc.dll
2012-11-14 08:00 . 2012-07-26 03:08 194048 ----a-w- c:\windows\system32\WUDFPlatform.dll
2012-11-14 08:00 . 2012-07-26 02:26 87040 ----a-w- c:\windows\system32\drivers\WUDFPf.sys
2012-11-14 08:00 . 2012-07-26 02:26 198656 ----a-w- c:\windows\system32\drivers\WUDFRd.sys
2012-11-14 08:00 . 2012-07-26 03:08 229888 ----a-w- c:\windows\system32\WUDFHost.exe
2012-11-14 08:00 . 2012-07-26 03:08 744448 ----a-w- c:\windows\system32\WUDFx.dll
2012-11-14 08:00 . 2012-07-26 03:08 45056 ----a-w- c:\windows\system32\WUDFCoinstaller.dll
2012-11-13 15:13 . 2012-11-13 15:13 -------- d-----w- c:\program files (x86)\MimGateway
2012-11-13 15:13 . 2012-11-13 15:13 -------- d-----w- c:\program files (x86)\Pivot Solutions
2012-11-13 14:53 . 2012-11-15 20:54 -------- d-----w- c:\users\Brandon Berger\AppData\Roaming\MimGateway
2012-11-13 14:53 . 2012-11-13 14:53 -------- d-----w- c:\users\Brandon Berger\AppData\Roaming\Pivot Solutions
2012-11-13 13:13 . 2012-11-13 15:12 -------- d-----w- c:\windows\system32\appmgmt
2012-11-12 14:30 . 2012-11-14 08:01 66395536 ----a-w- c:\windows\system32\MRT.exe
2012-11-06 13:05 . 2012-11-06 13:05 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-11-06 13:05 . 2012-11-06 13:05 696760 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-11-06 13:05 . 2012-11-06 13:05 -------- d-----w- c:\windows\system32\Macromed
2012-11-05 16:00 . 2012-11-05 16:00 -------- d-----w- c:\users\Brandon Berger\AppData\Roaming\webex
2012-11-05 15:35 . 2012-11-05 15:35 -------- d-----w- c:\users\Brandon Berger\AppData\Local\ElevatedDiagnostics
2012-11-05 13:35 . 2012-11-05 13:35 -------- d-----w- c:\users\Brandon Berger\AppData\Local\Diagnostics
2012-11-02 20:38 . 2012-11-02 20:38 862664 ----a-w- c:\windows\SysWow64\msvcr110.dll
2012-11-02 20:38 . 2012-11-02 20:38 828872 ----a-w- c:\windows\system32\msvcr110.dll
2012-11-02 20:38 . 2012-11-02 20:38 661448 ----a-w- c:\windows\system32\msvcp110.dll
2012-11-02 20:38 . 2012-11-02 20:38 534480 ----a-w- c:\windows\SysWow64\msvcp110.dll
2012-11-02 20:38 . 2012-11-02 20:38 50856 ----a-w- c:\windows\system32\drivers\point64.sys
2012-11-02 20:38 . 2012-11-02 20:38 354264 ----a-w- c:\windows\system32\vccorlib110.dll
2012-11-02 20:38 . 2012-11-02 20:38 251864 ----a-w- c:\windows\SysWow64\vccorlib110.dll
2012-11-02 02:52 . 2012-11-02 02:52 75928 ----a-w- c:\windows\system32\drivers\dc3d.sys
2012-11-02 02:52 . 2012-11-02 02:52 1795952 ----a-w- c:\windows\system32\WdfCoInstaller01011.dll
2012-10-24 16:48 . 2012-10-24 16:49 -------- d-----w- C:\Derivix installers
2012-10-24 16:41 . 2012-10-24 16:41 -------- d-----w- c:\users\Brandon Berger\AppData\Roaming\Derivix Corp
2012-10-24 16:41 . 2012-10-24 16:41 -------- d-----w- c:\users\Brandon Berger\AppData\Local\Derivix_Corp
2012-10-24 16:33 . 2012-11-16 19:58 -------- d-----w- c:\program files (x86)\Derivix
2012-10-24 16:26 . 2012-11-05 12:47 -------- d-----w- c:\users\Brandon Berger\AppData\Local\LogMeIn Rescue Applet
2012-10-23 13:36 . 2012-10-23 13:36 -------- d-----w- c:\program files (x86)\WEX
2012-10-22 17:12 . 2012-10-29 09:06 -------- d-----w- c:\users\Brandon Berger\AppData\Roaming\DDS
2012-10-22 17:12 . 2012-10-22 17:12 -------- d-----w- c:\program files (x86)\Egar
2012-10-22 17:12 . 2008-06-11 20:02 658432 ----a-w- c:\windows\SysWow64\mscomct2.ocx
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-17 07:14 . 2012-10-17 07:14 91648 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2012-10-17 07:14 . 2012-10-17 07:14 89088 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2012-10-17 07:14 . 2012-10-17 07:14 89088 ----a-w- c:\windows\system32\ie4uinit.exe
2012-10-17 07:14 . 2012-10-17 07:14 86528 ----a-w- c:\windows\SysWow64\iesysprep.dll
2012-10-17 07:14 . 2012-10-17 07:14 85504 ----a-w- c:\windows\system32\iesetup.dll
2012-10-17 07:14 . 2012-10-17 07:14 82432 ----a-w- c:\windows\system32\icardie.dll
2012-10-17 07:14 . 2012-10-17 07:14 76800 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe
2012-10-17 07:14 . 2012-10-17 07:14 76800 ----a-w- c:\windows\system32\tdc.ocx
2012-10-17 07:14 . 2012-10-17 07:14 74752 ----a-w- c:\windows\SysWow64\RegisterIEPKEYs.exe
2012-10-17 07:14 . 2012-10-17 07:14 74752 ----a-w- c:\windows\SysWow64\iesetup.dll
2012-10-17 07:14 . 2012-10-17 07:14 65024 ----a-w- c:\windows\system32\pngfilt.dll
2012-10-17 07:14 . 2012-10-17 07:14 63488 ----a-w- c:\windows\SysWow64\tdc.ocx
2012-10-17 07:14 . 2012-10-17 07:14 55296 ----a-w- c:\windows\system32\msfeedsbs.dll
2012-10-17 07:14 . 2012-10-17 07:14 534528 ----a-w- c:\windows\system32\ieapfltr.dll
2012-10-17 07:14 . 2012-10-17 07:14 49664 ----a-w- c:\windows\system32\imgutil.dll
2012-10-17 07:14 . 2012-10-17 07:14 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll
2012-10-17 07:14 . 2012-10-17 07:14 48640 ----a-w- c:\windows\system32\mshtmler.dll
2012-10-17 07:14 . 2012-10-17 07:14 452608 ----a-w- c:\windows\system32\dxtmsft.dll
2012-10-17 07:14 . 2012-10-17 07:14 448512 ----a-w- c:\windows\system32\html.iec
2012-10-17 07:14 . 2012-10-17 07:14 403248 ----a-w- c:\windows\system32\iedkcs32.dll
2012-10-17 07:14 . 2012-10-17 07:14 39936 ----a-w- c:\windows\system32\iernonce.dll
2012-10-17 07:14 . 2012-10-17 07:14 3695416 ----a-w- c:\windows\system32\ieapfltr.dat
2012-10-17 07:14 . 2012-10-17 07:14 367104 ----a-w- c:\windows\SysWow64\html.iec
2012-10-17 07:14 . 2012-10-17 07:14 35840 ----a-w- c:\windows\SysWow64\imgutil.dll
2012-10-17 07:14 . 2012-10-17 07:14 30720 ----a-w- c:\windows\system32\licmgr10.dll
2012-10-17 07:14 . 2012-10-17 07:14 282112 ----a-w- c:\windows\system32\dxtrans.dll
2012-10-17 07:14 . 2012-10-17 07:14 267776 ----a-w- c:\windows\system32\ieaksie.dll
2012-10-17 07:14 . 2012-10-17 07:14 249344 ----a-w- c:\windows\system32\webcheck.dll
2012-10-17 07:14 . 2012-10-17 07:14 23552 ----a-w- c:\windows\SysWow64\licmgr10.dll
2012-10-17 07:14 . 2012-10-17 07:14 222208 ----a-w- c:\windows\system32\msls31.dll
2012-10-17 07:14 . 2012-10-17 07:14 197120 ----a-w- c:\windows\system32\msrating.dll
2012-10-17 07:14 . 2012-10-17 07:14 165888 ----a-w- c:\windows\system32\iexpress.exe
2012-10-17 07:14 . 2012-10-17 07:14 163840 ----a-w- c:\windows\system32\ieakui.dll
2012-10-17 07:14 . 2012-10-17 07:14 161792 ----a-w- c:\windows\SysWow64\msls31.dll
2012-10-17 07:14 . 2012-10-17 07:14 160256 ----a-w- c:\windows\system32\wextract.exe
2012-10-17 07:14 . 2012-10-17 07:14 160256 ----a-w- c:\windows\system32\ieakeng.dll
2012-10-17 07:14 . 2012-10-17 07:14 152064 ----a-w- c:\windows\SysWow64\wextract.exe
2012-10-17 07:14 . 2012-10-17 07:14 150528 ----a-w- c:\windows\SysWow64\iexpress.exe
2012-10-17 07:14 . 2012-10-17 07:14 149504 ----a-w- c:\windows\system32\occache.dll
2012-10-17 07:14 . 2012-10-17 07:14 145920 ----a-w- c:\windows\system32\iepeers.dll
2012-10-17 07:14 . 2012-10-17 07:14 135168 ----a-w- c:\windows\system32\IEAdvpack.dll
2012-10-17 07:14 . 2012-10-17 07:14 12288 ----a-w- c:\windows\system32\mshta.exe
2012-10-17 07:14 . 2012-10-17 07:14 11776 ----a-w- c:\windows\SysWow64\mshta.exe
2012-10-17 07:14 . 2012-10-17 07:14 114176 ----a-w- c:\windows\system32\admparse.dll
2012-10-17 07:14 . 2012-10-17 07:14 111616 ----a-w- c:\windows\system32\iesysprep.dll
2012-10-17 07:14 . 2012-10-17 07:14 110592 ----a-w- c:\windows\SysWow64\IEAdvpack.dll
2012-10-17 07:14 . 2012-10-17 07:14 10752 ----a-w- c:\windows\system32\msfeedssync.exe
2012-10-17 07:14 . 2012-10-17 07:14 103936 ----a-w- c:\windows\system32\inseng.dll
2012-10-17 07:14 . 2012-10-17 07:14 101888 ----a-w- c:\windows\SysWow64\admparse.dll
2012-10-15 21:35 . 2012-10-15 21:35 821736 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2012-10-15 21:35 . 2012-10-15 21:35 746984 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-10-13 01:16 . 2012-10-13 01:16 296320 ----a-w- c:\windows\system32\drivers\volsnap.sys
2012-10-13 01:16 . 2012-10-13 01:16 902656 ----a-w- c:\windows\system32\d2d1.dll
2012-10-13 01:16 . 2012-10-13 01:16 739840 ----a-w- c:\windows\SysWow64\d2d1.dll
2012-10-13 01:16 . 2012-10-13 01:16 1139200 ----a-w- c:\windows\system32\FntCache.dll
2012-10-13 01:16 . 2012-10-13 01:16 800256 ----a-w- c:\windows\system32\usp10.dll
2012-10-13 01:16 . 2012-10-13 01:16 7680 ----a-w- c:\windows\system32\KBDINTAM.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7680 ----a-w- c:\windows\system32\KBDINMAL.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7680 ----a-w- c:\windows\system32\KBDINDEV.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7680 ----a-w- c:\windows\system32\KBDINBEN.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\SysWow64\KBDINTAM.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\SysWow64\KBDINORI.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\SysWow64\KBDINMAR.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\SysWow64\KBDINMAL.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\SysWow64\KBDINKAN.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\SysWow64\KBDINHIN.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\SysWow64\KBDINDEV.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\SysWow64\KBDINBEN.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\system32\KBDINTEL.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\system32\KBDINPUN.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\system32\KBDINORI.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\system32\KBDINMAR.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\system32\KBDINKAN.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\system32\KBDINHIN.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\system32\KBDINGUJ.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\system32\KBDINEN.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\system32\KBDINBE2.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\system32\KBDINBE1.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\system32\KBDINASA.DLL
2012-10-13 01:16 . 2012-10-13 01:16 6656 ----a-w- c:\windows\SysWow64\KBDINTEL.DLL
2012-10-13 01:16 . 2012-10-13 01:16 6656 ----a-w- c:\windows\SysWow64\KBDINPUN.DLL
2012-10-13 01:16 . 2012-10-13 01:16 6656 ----a-w- c:\windows\SysWow64\KBDINGUJ.DLL
2012-10-13 01:16 . 2012-10-13 01:16 6656 ----a-w- c:\windows\SysWow64\KBDINBE2.DLL
2012-10-13 01:16 . 2012-10-13 01:16 6656 ----a-w- c:\windows\SysWow64\KBDINBE1.DLL
2012-10-13 01:16 . 2012-10-13 01:16 6656 ----a-w- c:\windows\SysWow64\KBDINASA.DLL
2012-10-13 01:16 . 2012-10-13 01:16 626176 ----a-w- c:\windows\SysWow64\usp10.dll
2012-10-13 01:16 . 2012-10-13 01:16 197120 ----a-w- c:\windows\system32\d3d10_1.dll
2012-10-13 01:16 . 2012-10-13 01:16 161792 ----a-w- c:\windows\SysWow64\d3d10_1.dll
2012-10-13 01:16 . 2012-10-13 01:16 70656 ----a-w- c:\windows\SysWow64\fontsub.dll
2012-10-13 01:16 . 2012-10-13 01:16 100864 ----a-w- c:\windows\system32\fontsub.dll
2012-10-13 01:15 . 2012-10-13 01:15 961024 ----a-w- c:\windows\system32\CPFilters.dll
2012-10-13 01:15 . 2012-10-13 01:15 850944 ----a-w- c:\windows\SysWow64\sbe.dll
2012-10-13 01:15 . 2012-10-13 01:15 642048 ----a-w- c:\windows\SysWow64\CPFilters.dll
2012-10-13 01:15 . 2012-10-13 01:15 259072 ----a-w- c:\windows\system32\mpg2splt.ax
2012-10-13 01:15 . 2012-10-13 01:15 199680 ----a-w- c:\windows\SysWow64\mpg2splt.ax
2012-10-13 01:15 . 2012-10-13 01:15 1118720 ----a-w- c:\windows\system32\sbe.dll
2012-10-13 01:14 . 2012-10-13 01:14 359624 ----a-w- c:\windows\system32\drivers\vpcvmm.sys
2012-10-13 01:14 . 2012-10-13 01:14 95232 ----a-w- c:\windows\system32\drivers\vpcusb.sys
2012-10-13 01:14 . 2012-10-13 01:14 936448 ----a-w- c:\windows\system32\vmsal.exe
2012-10-13 01:14 . 2012-10-13 01:14 793600 ----a-w- c:\windows\SysWow64\vmsal.exe
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\users\Brandon Berger\AppData\Local\Bloomberg ----
.
2012-11-16 12:35 . 2012-11-20 13:03 2048 ----a-w- c:\users\Brandon Berger\AppData\Local\Bloomberg\blpuserpreferences.db
2012-11-16 03:44 . 2012-11-21 04:53 23602176 ----a-w- c:\users\Brandon Berger\AppData\Local\Bloomberg\blppersist.db
.
---- Directory of c:\users\Brandon Berger\AppData\Roaming\Bloomberg ----
.
2012-11-16 12:59 . 2012-11-20 13:17 3144 ----a-w- c:\users\Brandon Berger\AppData\Roaming\Bloomberg\bbcommcfgrsp.cache
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CLRHost"="c:\blp\API\Office Tools\bbxlcmd.exe" [2012-09-18 273920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IMSS"="c:\program files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe" [2011-01-17 112152]
"PDF Complete"="c:\program files (x86)\PDF Complete\pdfsty.exe" [2010-10-22 895512]
"File Sanitizer"="c:\program files (x86)\Hewlett-Packard\File Sanitizer\CoreShredder.exe" [2011-03-23 12277760]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-09-24 926896]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
2011-03-24 18:33 75320 ----a-w- c:\windows\System32\DeviceNP.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ DPPassFilter scecli
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 DAMDrv;DAMDrv;c:\windows\system32\DRIVERS\DAMDrv64.sys [2011-03-17 64312]
R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2012-11-02 75928]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168]
R3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\SysWOW64\flcdlock.exe [2011-03-24 464440]
R3 HP ProtectTools Service;HP ProtectTools Service;c:\program files (x86)\Hewlett-Packard\2009 Password Filter for HP ProtectTools\PTChangeFilterService.exe [2011-03-15 30776]
R3 IFCoEMP;IFCoEMP;c:\windows\system32\drivers\ifM52x64.sys [2010-08-13 339728]
R3 IFCoEVB;IFCoEVB;c:\windows\system32\drivers\ifP52X64.sys [2010-08-13 65808]
R3 Point64;Microsoft Mouse and Keyboard Center Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2012-11-02 50856]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-10-17 1255736]
S0 MfeEpePc;MfeEpePc; [x]
S2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2011-09-09 86072]
S2 HPAuto;HP Auto;c:\program files\Hewlett-Packard\HP Auto\HPAuto.exe [2010-08-06 681528]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-03-28 94264]
S2 HPFSService;File Sanitizer for HP ProtectTools;c:\program files (x86)\Hewlett-Packard\File Sanitizer\HPFSService.exe [2011-03-23 320512]
S2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe [2010-09-22 165032]
S2 jhi_service;Intel® Identity Protection Technology Host Interface Service;c:\program files (x86)\Intel\Services\IPT\jhi_service.exe [2011-02-24 212944]
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-09-30 399432]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-09-30 676936]
S2 McAfee Endpoint Encryption Agent;McAfee Endpoint Encryption Agent;c:\program files\Hewlett-Packard\Drive Encryption\EEAgent\MfeEpeHost.exe [2011-03-29 1318912]
S2 pdfcDispatcher;PDF Document Manager;c:\program files (x86)\PDF Complete\pdfsvc.exe [2010-10-22 1121304]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-10-02 382824]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-01-17 2656280]
S2 XobniService;XobniService;c:\program files (x86)\Xobni\XobniService.exe [2011-02-23 56040]
S3 FLMckUsb;AuthenTec TruePrint USB Driver for AES 3400, 3500, and 4000 Fingerprint Sensors;c:\windows\system32\DRIVERS\ATTchWDF.sys [2010-06-03 75776]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-09-30 25928]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys [2008-05-06 14464]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-11-21 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-11-06 13:05]
.
2012-11-19 c:\windows\Tasks\HPCeeScheduleForBrandon Berger.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 05:15]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-11-30 11660904]
"hpsysdrv"="c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 62768]
"MfeEpePcMonitor"="c:\program files\Hewlett-Packard\Drive Encryption\EpePcMonitor.exe" [2011-03-29 200704]
"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2012-10-11 2041192]
"IntelliType Pro"="c:\program files\Microsoft Mouse and Keyboard Center\itype.exe" [2012-11-02 1464944]
"IntelliPoint"="c:\program files\Microsoft Mouse and Keyboard Center\ipoint.exe" [2012-11-02 2076272]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~3\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-Bloomberg Keyboard v11.1 - c:\windows\System32\drivers\UNWISE.EXE
AddRemove-{6F44AF95-3CDE-4513-AD3F-6D45F17BF324} - c:\program files (x86)\InstallShield Installation Information\{6F44AF95-3CDE-4513-AD3F-6D45F17BF324}\setup.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\pdfcDispatcher]
"ImagePath"="c:\program files (x86)\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-11-21 07:54:13
ComboFix-quarantined-files.txt 2012-11-21 12:54
ComboFix2.txt 2012-11-20 12:57
ComboFix3.txt 2012-11-19 12:56
.
Pre-Run: 682,531,368,960 bytes free
Post-Run: 682,536,075,264 bytes free
.
- - End Of File - - 4480FEC350323E0138AD4DEFACCD02E4
-----------------------END---------------------------------------

-----------------------ADWCleaner--------------------------------
# AdwCleaner v2.008 - Logfile created 11/21/2012 at 07:56:43
# Updated 17/11/2012 by Xplode
# Operating system : Windows 7 Professional Service Pack 1 (64 bits)
# User : Brandon Berger - ABR6
# Boot Mode : Normal
# Running from : C:\Users\Brandon Berger\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

*************************

AdwCleaner[S1].txt - [872 octets] - [21/11/2012 07:56:43]

########## EOF - C:\AdwCleaner[S1].txt - [931 octets] ##########
--------------------------END---------------------------------------

-----------------------MBAM-----------------------------------------
Malwarebytes Anti-Malware (Trial) 1.65.1.1000
www.malwarebytes.org

Database version: v2012.11.21.04

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Brandon Berger :: ABR6 [administrator]

Protection: Disabled

11/21/2012 7:59:04 AM
mbam-log-2012-11-21 (07-59-04).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 203745
Time elapsed: 1 minute(s), 36 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
---------------------------------END----------------------------------

I ran the ESET scanner initially and got the attached screenshot that there was nothing found. I ran it a second time immediately after to make sure that there was no issue and it returned the following list of infected files.

C:\Qoobox\Quarantine\C\Users\Brandon Berger\AppData\Roaming\Awfe\ygdui.exe.vir Win32/Spy.Zbot.AAO trojan


#6 CatByte
    bleepin' tiger
  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 21 November 2012 - 06:43 PM

that file is in the ComboFix quarantine folder which will be deleted when we uninstall Combofix when we are done

please do the following:

  • Please download MiniToolBox and save it to your desktop and run it.

    Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List installed programs.

Click Go and post the result (Result.txt) that pops up. A copy of result.txt will be saved in the same directory the tool is run.

NEXT


Please download Farbar Service Scanner to your desktop and run it.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

NEXT

Please advise how the computer is running now and if there are any outstanding issues

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 bberger2
  • Topic Starter
  • Members
  • 9 posts

Posted 23 November 2012 - 09:05 AM

The computer seems to be working fine. Prior to our working on it the original virus was being blocked by MBAM when it occasionally tried to open webpages. It is currently not doing that and I have seen no sign of the virus since. Please find the two logs below, let me know how to proceed.

----------------------MINI TOOL BOX--------------------------------
MiniToolBox by Farbar Version: 10-11-2012 02
Ran by Brandon Berger (administrator) on 23-11-2012 at 09:00:55
Windows 7 Professional Service Pack 1 (X64)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.
========================= Hosts content: =================================

127.0.0.1 localhost


=========================== Installed Programs ============================

Adobe Flash Player 11 ActiveX (Version: 11.4.402.287)
Adobe Reader XI (Version: 11.0.00)
Bloomberg API
Bloomberg Keyboard v11.1 (Version: v11.1)
Bloomberg Office Tools (32-bit)
Bloomberg PFM Upload Tool for Microsoft Excel
Bloomberg Professional Service
Bloomberg SFD Data Dictionary
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
Derivix Support (Version: 6.3.374)
Derivix.3.8.2.15131 (remove only)
Device Access Manager for HP ProtectTools (Version: 6.0.0.11)
DirectX for Managed Code Update (Summer 2004) (Version: 9.02.2904)
Drive Encryption For HP ProtectTools (Version: 6.0.46.25033)
File Sanitizer For HP ProtectTools (Version: 6.0.0.10)
Hewlett-Packard ACLM.NET v1.1.2.0 (Version: 1.00.0000)
HP Auto (Version: 1.0.12494.3472)
HP Customer Experience Enhancements (Version: 6.0.1.7)
HP Odometer (Version: 2.10.0000)
HP ProtectTools Security Manager (Version: 6.02.918)
HP Setup (Version: 8.5.4489.3576)
HP Support Assistant (Version: 6.1.12.1)
HP Support Information (Version: 10.1.1000)
HP Vision Hardware Diagnostics (Version: 2.8.1.0)
Intel® Control Center (Version: 1.2.1.1007)
Intel® Identity Protection Technology 1.1.2.0 (Version: 1.1.2.0)
Intel® Management Engine Components (Version: 7.0.0.1144)
Intel® Network Connections 15.7.176.0 (Version: 15.7.176.0)
IVolatility SDK 2.1 (Version: 2.1)
Java 7 Update 9 (64-bit) (Version: 7.0.90)
Java 7 Update 9 (Version: 7.0.90)
Java Auto Updater (Version: 2.1.9.0)
Java™ 6 Update 35 (Version: 6.0.350)
Malwarebytes Anti-Malware version 1.65.1.1000 (Version: 1.65.1.1000)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft .NET Framework 4 Extended (Version: 4.0.30319)
Microsoft Mouse and Keyboard Center (Version: 2.0.162.0)
Microsoft Office 2010 Service Pack 1 (SP1)
Microsoft Office Access MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Home and Student 2010 (Version: 14.0.6029.1000)
Microsoft Office Office 64-bit Components 2010 (Version: 14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proof (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proof (French) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Shared 64-bit MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Single Image 2010 (Version: 14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Silverlight (Version: 4.1.10329.0)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.56336)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319 (Version: 10.0.30319)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319 (Version: 10.0.30319)
Microsoft_VC90_CRT_x86 (Version: 1.0.0)
MimGateway (Version: 6.8.3.4053)
NVIDIA 3D Vision Driver 306.97 (Version: 306.97)
NVIDIA Control Panel 306.97 (Version: 306.97)
NVIDIA Graphics Driver 306.97 (Version: 306.97)
NVIDIA Install Application (Version: 2.1002.85.551)
NVIDIA nView 136.53 (Version: 136.53)
NVIDIA Stereoscopic 3D Driver (Version: 7.17.13.0697)
PDF Complete Special Edition (Version: 4.0.14)
Pivot 360 (Version: 6.8.3.4053)
Pivot 360 API (Version: 6.8.3.4053)
Pivot 360 Market Monitor Addon (Version: 6.8.3.4053)
Pivot 360 Weather Derivatives Addon (Version: 6.8.3.4053)
Privacy Manager for HP ProtectTools (Version: 6.00.831)
Realtek High Definition Audio Driver (Version: 6.0.1.6257)
Recovery Manager (Version: 5.5.3621)
REDIPlus (Version: 1.0.0.880)
Theft Recovery for HP ProtectTools (Version: 6.0.0.33)
TWS Interoperability Components (Version: Interopability Components version 9.67)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2600217) (Version: 1)
Update for Microsoft Office 2010 (KB2553065)
Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553270) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553272) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
Update for Microsoft Office 2010 (KB2566458)
Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
Update for Microsoft Office 2010 (KB2687509) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2687277) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2687623) 32-Bit Edition
Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition
Update for Microsoft SharePoint Workspace 2010 (KB2589371) 32-Bit Edition
VIP Access SDK (1.0.0.55) (Version: 1.0.0.55)
Windows Live ID Sign-in Assistant (Version: 6.500.3165.0)
WinZip 15.0 (Version: 15.0.9411)
WTP (Version: 13.3.33.7)
Xobni (Version: 1.9.4.13197)

**** End of log ****

----------------------END------------------------------------------



----------------------FSS------------------------------------------
Farbar Service Scanner Version: 09-11-2012
Ran by Brandon Berger (administrator) on 23-11-2012 at 09:02:35
Running from "C:\Users\Brandon Berger\Desktop"
Windows 7 Professional Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============

Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys
[2012-11-13 18:43] - [2012-10-03 12:56] - 1914248 ____A (Microsoft Corporation) 37608401DFDB388CAF66917F6B2D6FB0

C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****
----------------------END------------------------------------------
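The FSS "File Check" section in the log above prints "=> MD5 is legit" for each service binary it recognises; for tcpip.sys it instead prints two timestamps, the size, attributes, publisher and the file's MD5, which is how FSS reports a file whose hash it could not confirm (a file replaced by a recent Windows Update looks exactly like this, so it is a lead to follow up, not a verdict). The following Python parser is an added example for this thread, not part of Farbar's tool or of any post here; it pulls out the entries that need a second look, and the embedded sample log is an excerpt of the output posted above. The detail-line format is assumed from that single tcpip.sys entry.

```python
"""Parse the 'File Check' section of a Farbar Service Scanner (FSS) log.

Added example for this thread; it is not part of FSS or of the original posts.
FSS prints "=> MD5 is legit" for files it recognises.  For a file it cannot
confirm it prints the path on one line and, on the next, two timestamps, the
size, attributes, publisher and the file's MD5 (format assumed from the
tcpip.sys entry in the log above).
"""
import hashlib
import re
from typing import Any, Dict, List

# Constructed sample: an excerpt of the FSS output posted above.
SAMPLE_FSS_LOG = r"""Other Services:
==============

File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys
[2012-11-13 18:43] - [2012-10-03 12:56] - 1914248 ____A (Microsoft Corporation) 37608401DFDB388CAF66917F6B2D6FB0

C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit

**** End of log ****
"""

# "<path> => MD5 is legit"  (paths may contain spaces, hence the lazy match + anchor)
LEGIT_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) => MD5 is legit$")
# A bare drive path on its own line: FSS could not vouch for this file
PATH_RE = re.compile(r"^[A-Za-z]:\\\S.*$")
# "[ts] - [ts] - <size> <attrs> (<publisher>) <MD5>"
DETAIL_RE = re.compile(
    r"^\[(?P<ts1>[^\]]+)\] - \[(?P<ts2>[^\]]+)\] - (?P<size>\d+) (?P<attrs>\S+) "
    r"\((?P<publisher>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_file_check(log_text: str) -> List[Dict[str, Any]]:
    """Return one entry per file in the File Check section.

    status is "legit" when FSS vouched for the hash, else "unverified"; an
    unverified entry also carries the size, publisher and MD5 FSS printed.
    """
    entries: List[Dict[str, Any]] = []
    lines = [ln.rstrip() for ln in log_text.splitlines()]
    in_section = False
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if line.strip() == "File Check:":
            in_section = True
            continue
        if not in_section or not line or line.startswith("="):
            continue
        if line.startswith("**** End of log"):
            break
        legit = LEGIT_RE.match(line)
        if legit:
            entries.append({"path": legit.group("path"), "status": "legit",
                            "md5": None, "size": None, "publisher": None})
            continue
        if PATH_RE.match(line):
            entry = {"path": line, "status": "unverified",
                     "md5": None, "size": None, "publisher": None}
            detail = DETAIL_RE.match(lines[i]) if i < len(lines) else None
            if detail:
                entry.update(md5=detail.group("md5").upper(),
                             size=int(detail.group("size")),
                             publisher=detail.group("publisher"))
                i += 1  # consume the detail line
            entries.append(entry)
    return entries


def files_needing_review(log_text: str) -> List[Dict[str, Any]]:
    """Only the entries FSS could not vouch for.

    Unverified is not the same as malicious: a file replaced by a recent update
    (tcpip.sys here) shows up the same way.  Compare the printed MD5 against a
    trusted copy of the file before drawing any conclusion.
    """
    return [e for e in parse_file_check(log_text) if e["status"] != "legit"]


def md5_of_file(path: str) -> str:
    """MD5 of a local file, upper-cased to match FSS output, for that comparison."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest().upper()


if __name__ == "__main__":
    for e in files_needing_review(SAMPLE_FSS_LOG):
        print(f"{e['path']}: unverified, md5={e['md5']}, "
              f"size={e['size']}, publisher={e['publisher']}")
```

Run against a full FSS.txt, the script lists only the files FSS did not recognise; each of those is then checked by hashing a known-good copy of the same file version with `md5_of_file` and comparing it to the MD5 FSS printed.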

#8 CatByte
    bleepin' tiger
  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 23 November 2012 - 09:32 AM

We just have some housekeeping to do now,

Please do the following:


You can delete all the Farbar logs and programs from your desktop.

You should remove this old installation of Java - Java™ 6 Update 35 (Version: 6.0.350), as you have the latest version installed; you can do so via Programs and Features.



NEXT


Follow these steps to uninstall Combofix

  • Make sure your security programs are totally disabled.
  • Press the WinKey +R to open a run box
  • Now copy/paste Combofix /uninstall into the runbox and click OK. Note the space between the ..X and the /U, it needs to be there.



NEXT

  • Double click on adwcleaner.exe to run the tool.
  • Click on Uninstall.
  • Confirm with yes.


If there are any logs/tools remaining on your desktop > right click and delete them.


NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article
    Strong passwords: How to create and use them
    Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.

  • Keep Windows updated by regularly checking their website at :
    http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest available security updates installed.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

  • Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job
    • Once it's finished it should automatically reboot your machine,
    • if it doesn't, manually reboot to ensure a complete clean
    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well-written articles:
    PC Safety and Security--What Do I Need?
    Simple and easy ways to keep your computer safe and secure on the Internet

Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
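The Inetcpl.cpl steps in the post above change three URL actions of the Internet zone. Internet Explorer stores those per-zone actions as DWORD values under `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3` (zone 3 is the Internet zone), named by action id: 1001 is "Download signed ActiveX controls", 1004 is "Download unsigned ActiveX controls", 1201 is "Initialize and script ActiveX controls not marked as safe for scripting", with 0 = Enable, 1 = Prompt, 3 = Disable. The Python audit below is an added example for this thread, not code from the post or from Microsoft; it compares a zone's values against what the post recommends, treating a stricter setting as passing, and includes two constructed sample zones (one left wide open, one set as described) so it runs anywhere, plus an optional live read of the per-user key on Windows.

```python
"""Audit the Internet zone ActiveX settings that the Inetcpl.cpl steps above change.

Added example for this thread, not from the original post or from Microsoft.
Internet Explorer stores per-zone URL actions under
  HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
(zone 3 is the Internet zone) as DWORDs named by action id:
  1001  Download signed ActiveX controls
  1004  Download unsigned ActiveX controls
  1201  Initialize and script ActiveX controls not marked as safe for scripting
with the policy encoded as 0 = Enable, 1 = Prompt, 3 = Disable.
"""
import sys
from typing import Dict, List, Optional

ENABLE, PROMPT, DISABLE = 0, 1, 3
POLICY_NAMES = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

INTERNET_ZONE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# What the post asks for: both download actions on Prompt, scripting of controls
# not marked safe disabled.  A stricter setting (Disable where Prompt is asked) passes too.
RECOMMENDED = {
    "1001": (PROMPT, "Download signed ActiveX controls"),
    "1004": (PROMPT, "Download unsigned ActiveX controls"),
    "1201": (DISABLE, "Initialize and script ActiveX controls not marked as safe"),
}

# Constructed samples: a zone left wide open, and one set as the post describes.
SAMPLE_WEAK_ZONE = {"1001": ENABLE, "1004": ENABLE, "1201": ENABLE}
SAMPLE_HARDENED_ZONE = {"1001": PROMPT, "1004": PROMPT, "1201": DISABLE}


def audit_zone(values: Dict[str, int]) -> List[Dict[str, str]]:
    """Return one finding per action that is weaker than recommended or not set.

    A missing value is reported as "not set" because its effective setting
    cannot be confirmed from the key alone (the zone template default applies).
    """
    findings: List[Dict[str, str]] = []
    for action, (want, desc) in RECOMMENDED.items():
        have = values.get(action)
        # Enable(0) < Prompt(1) < Disable(3): a larger value is stricter, so >= is compliant.
        if have is not None and have in POLICY_NAMES and have >= want:
            continue
        findings.append({
            "action": action,
            "setting": desc,
            "observed": "not set" if have is None else POLICY_NAMES.get(have, f"unknown ({have})"),
            "recommended": POLICY_NAMES[want],
        })
    return findings


def read_internet_zone() -> Optional[Dict[str, int]]:
    """Read the live per-user values on Windows; None elsewhere or if the key is absent."""
    if sys.platform != "win32":
        return None
    import winreg  # standard library, Windows only
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, INTERNET_ZONE_KEY) as key:
            out: Dict[str, int] = {}
            for action in RECOMMENDED:
                try:
                    value, _ = winreg.QueryValueEx(key, action)
                    out[action] = int(value)
                except FileNotFoundError:
                    pass  # value absent: reported as "not set" by audit_zone
            return out
    except OSError:
        return None


if __name__ == "__main__":
    zone = read_internet_zone() or SAMPLE_WEAK_ZONE
    for f in audit_zone(zone):
        print(f"{f['action']} {f['setting']}: {f['observed']} (recommended: {f['recommended']})")
```

On a machine managed by Group Policy the effective zone settings can live under HKLM rather than the per-user key this reads, so an empty finding list from the live read confirms only the HKCU view.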


#9 bberger2
  • Topic Starter
  • Members
  • 9 posts

Posted 26 November 2012 - 08:04 AM

Great, thanks for all of the help!

#10 CatByte
    bleepin' tiger
  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 26 November 2012 - 09:15 AM

you are welcome

stay safe :hello:

~CB

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#11 CatByte
    bleepin' tiger
  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 26 November 2012 - 09:15 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
